Another multi-million pile of stolen usernames and passwords for sale on the underground web, an instant messaging scam and a university web site problem.
Welcome to Cyber Security Today. It’s Wednesday February 20th. To hear the podcast click on the arrow below:
A third cache of stolen personal data has appeared on the dark web, apparently compiled by the same person or persons who put out the first two. The latest haul has 92 million user accounts stolen from eight web sites, including the Pizap photo editor and the Jobandtalent online job portal. Others are the Gyfcat GIF hosting service, Storybird, Legendas, Onebip, Streeteasy and Classpass. The person allegedly behind the release of this data told The Hacker News that none of these companies have known until now they were hacked. So if you are a user or subscriber to any of these services or web sites you should consider changing your passwords. And if you’ve used the existing password on any other site, think about changing that password, too. Remember, once thieves get hold of a username and password combo, they try it on other sites to catch people who are lazy about security.
There’s some speculation that after Russia was apparently caught hacking and spreading disinformation before the 2016 U.S. election that such attacks would peter out. After all, the U.S. would be target number one. Why hack a smaller country? And besides, the Trump administration recently said there was little evidence foreign actors had a material impact on last November’s mid-term elections. Well, someone thinks it’s still a good idea to go after a government. On Monday Australia said a sophisticated country recently hacked its main political parties and parliament. The next federal election is expected to be held in May. Who the attackers were is a question, but Australian experts think only a country would have the strong technical expertise to get past Australia’s cyber defences. It isn’t known how long the attackers were in the networks or whether they stole any data. Meanwhile Canada is getting ready for its next federal election, likely to be held in October.
On Monday I told you about a text scam aimed at Canadians. Here’s another one: Security vendor Avast has found a campaign to spread malware to people using instant messaging services like Facebook Messenger and Skype. There are no details of what to look out for, but typically there would be a link in the text to a document or picture the attacker hopes you’ll click on. That starts a process to download the malware So, just a reminder that malware can be sent lots of ways, not just through email.
Finally, Stanford University students may have been victimized by an old vulnerability: An insecure web site address. This particular site holds scanned applications and high school transcripts online. Students use it to access their own admission documents. But due to a flaw in the system, after someone had logged on they could look at someone else’s documents just by changing the numbers in the web address. So, if the address was stanfordu.com/ 1234, if the number was changed to 1235 another student’s file came up. A student who discovered the flaw was able to look at 81 other students’ records. The Stanford Daily student newspaper was notified, which let the university to fix the problem before it published a story this week. It isn’t known how many people discovered the trick. But it’s a lesson for web site administrators and software developers who build web applications to make sure this web site address problem is closed.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon