Web financing

24.6 billion ID pairs for sale on the dark web • The Register

In short More than half of the 24.6 billion pairs of stolen credentials available for sale on the dark web have been exposed in the past year, research team Digital Shadows has found.

Data recorded last year reflected a 64% increase from the 2020 total (Digital Shadows publishes data every two years), which represents a significant slowdown from the two years prior to 2020. Between 2018 and the he year the pandemic broke out, the number of credentials for sale increased by 300%, according to the report.

Of the 24.6 billion identifiers for sale, 6.7 billion pairs are unique, an increase of 1.7 billion over two years. This represents a 34% increase from 2020.

With all of these credentials available for sale online, account takeover attacks have also proliferated, according to the report. Seventy-five percent of passwords for sale online weren’t unique, noted Digital Shadows, which said everyone should beware.

According to the study, proactive account protection, consistent enforcement of good authentication habits, and knowledge of the organization’s digital footprint are necessary to protect against account takeover attacks. According to the report, individuals should “use multi-factor authentication, password managers, and complex and unique passwords.”

Kaiser Permanente breach yields 70,000 patient data

Nonprofit healthcare company Kaiser Permanente notified 69,589 patients of a data breach in April that compromised their records. Names, medical record numbers, dates and information about lab test results were potentially stolen.

Theft is only classified as a “maybe” [PDF] because of the way the breach occurred: an employee’s email was hacked. “We have determined that protected health information was contained in the emails and, while we have no indication that the information was viewed by the unauthorized party, we are unable to completely rule this out. possibility,” Kaiser said in his notification.

The access was reportedly detected and terminated within hours, and Kaiser said he had no evidence of impersonation or misuse of protected health information. Sensitive information such as social security numbers or credit card information was not included.

Since Kaiser Permanente was breached in April, which he reported to the Department of Health and Human Services in June, there have been 13 more reports of healthcare security breaches. Only one managed to top Kaiser – a breach at Texas Tech University Health Sciences Center that affected 1,290,104 people.

Citrix vulnerability allows remote users to reset admin passwords

Virtualization company Citrix has reported a pair of serious bugs in its Application Delivery Management (ADM) software that could lead to “system corruption”.

Specifically, the pair of bugs may allow “admin password to be reset on next device reboot, allowing an attacker with ssh access to log in with default admin credentials” , said Citrix.

The second bug allows an attacker to disrupt the Application Delivery Management service, preventing the issuance of new licenses or the renewal of existing ones.

It is unclear whether the exploitation of the first is related to the second, or if both are simply patched at the same time.

Citrix said the two bugs affect all supported versions of Citrix ADM Server and Citrix ADM Agent 13.1 and 13.0, the only supported versions. ADM 13.1-21.53 and ADM 13.0-85.19 builds contain fixes that resolve issues. Citrix ADM service, the cloud-hosted version of ADM, has been automatically updated and no customer action is required.

Besides updating to the latest version, Citrix also recommends customers to segment network traffic to Citrix ADM, either physically or logically, to reduce the attack surface.

Bugcrowd bans user for following instructions

Casey John Ellis, founder and CTO of the Bug Bounty platform, said admitted his company’s mistake in banning security researcher Soatok from his platform for, by all accounts, doing exactly what they told him to do.

Soatok, who by Bugcrowd’s own admission has earned over $2,500 reporting bugs on the platform, received feedback from Bugcrowd support after finding a cryptographic bug in JavaScript library BigNumber (JSBN).

A submission made by Soatok was deemed invalid for not including sample exploit code, which Soatok said was omitted because cryptographic exploits are complicated to develop.

Soatok eventually contacted Xfinity, which handles JSBN bugs through its open-source Bugcrowd bounty program, and was asked to contact JSBN maintainers through their GitHub repository, which he did. As the bug had already been reported on Bugcrowd, Soatok’s account was suspended for violating Bugcrowd’s code of conduct.

The incident gained momentum on Twitter, prompting Ellis to intervene. “Buggrowd certainly didn’t do their best here, and we know that,” Ellis tweeted. “I spoke with Soatok to better understand and apologize.”

Soatok said Ellis “wasn’t blowing smoke” with his tweet. “He apologized from the start and said this escalation shouldn’t have ended the way it did, while promising an investigation into what went wrong, how to fix it and how to avoid it. in the future,” Soatok said.

Soatok said Bugcrowd’s Senior Director of Security Operations, Michael Skelton, told him that Bugcrowd prioritized updates to its SecOps runbooks for crypto and was also working to fill a knowledge gap in the area.

Still, Soatok said he was unlikely to return to Bugcrowd. “Trust is easy to lose and hard to regain. Information security as an industry needs to understand this truth better than users or we will let them down,” Soatok said. ®