Early on Jan. 9, about 12,000 MongoDB database servers were compromised. Later the number rose to 28,000 servers. As many as 46,000 servers are vulnerable to this attack.
A cyber-criminal using the alias “Harak1r1” exploited a weakness in the default installation of the popular database solution, MongoDB. He demanded a 0.2BTC ransom ($220) to return the data he exfiltrated from thousands of victim systems. Older installations of MongoDB that were deployed via cloud hosting services in an insecure default configuration were ...
Continue Reading →
27
JAN
JAN
0
Share
Cybersecurity professionals are in agreement. The Russians appear to have been actively engaged in influencing the outcome of our recent Presidential election. Specifics include compromising and taking over Hilary Clinton’s chief of staff, John Podesta’s personal Gmail account. This spear phishing exploit used a “near-miss” domain name of “accounts.googlemail.com” to trick John into clicking on a link and and entering his email credentials. The real domain name is accounts.google.com.
This actually is in the “good news” department. The some security folks at Facebook are scouring the Dark Web, looking for rainbow tables of user names and passwords in order to find Facebook users who may be reusing the same password on multiple sites. As we have discussed here many times, password reuse creates a serious security vulnerability. If the cyber-crooks have your password for one site, they will try it on ...
One of the hardest types of phishing emails to defend against are those that come from the email account of a friend or trusted business associate, such as your dentist, lawyer, realtor. The sender’s email address is not spoofed, because the malefactor has tricked them into providing their email address password. The bad guys are actually logged into your friend’s email account, and now they are trying to do the same thing to ...
On Monday we attacked the utility of current password policies and standards. Today we will offer up an array of improvements.
Most corporate password policies are a waste off time and do not add anything extra to providing secure authentication. Many of these policies were put in place to meet the standards of various compliance bodies (PCI-DSS, HIPAA, etc.) But basically these policies are not keeping up with the state of the art in password cracking, as we discussed last November in our post on ...
The site Adult Friend Finder, the “world’s largest sex and swingers site” recently exposed 412 million user credentials due to poor, or in some cases, non-existent password hashing practices. The biggest group losses were:
The answer to this question is complicated, but not impossible to understand. The first thing to know is that most passwords are not cracked by guessing, or trying thousands of possibilities one at a time on a typical login screen. Most systems will lock the account after a certain small number of failed attempts, like 5 or 6. This makes the kind of ...
As we approach year-end, many small and medium sized business owners and managers are coming to the realization that their best intentions for creating a cybersecurity program in their organization have fallen short. This was the year, you promised yourself, that we get a handle on computer and network security.
On Monday we looked at the some of the primary attack vectors used by cyber-criminals. Here are the rest of the attack vectors that Kevin Thompson from FireEye shared at the Cyber Security Summit. Many of these are significant twists on old exploits, or more sophisticated exploits.