THE ILLUSION OF SECURITY: PROTECTING THE DIGITAL KINGDOM FROM INSIDERS WITH LEGITIMATE ACCESS
Dear [redacted]: For more information about the Settlement, please visit the Settlement Website at www.EquifaxBreachSettlement.com. This notice is from the Court-appointed Settlement Administrator (JND Legal Administration), not Equifax. Please do not contact Equifax with questions. You may contact JND by email at [redacted], by phone toll-free at [redacted], or by mail at [redacted].
Stunning incompetence with potentially disastrous and costly consequences.
National Public Data Published Its Own Passwords
New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.
In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).
NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.
Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.
A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.
The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. <Source>
Colorado Voting Machine Passwords Posted Online by State Employee: 'The Public Deserves to Know What Happened'
Passwords to Colorado's voting machines have reportedly been online for months after state officials said that they were published accidentally.
The discovery was shared in a mass email Tuesday from Colorado Republican Party Vice Chair Hope Scheppelman. An affidavit included in the email claimed that an unidentified person downloaded a spreadsheet from the Secretary of State's website, which included the passwords, as reported by KUSA.
Secretary of State Jena Griswold said that the "partial" passwords, which are believed to have been online since June, are not enough to access voting machines on their own, as reported by CPR News.
"There are two passwords to get into any voting component, along with physical access. We have layers of security, and out of just an abundance of caution, have staff in the field changing passwords, looking at access logs and looking at the entire situation and continuing our investigation," Griswold told KUSA. <Source>
In today’s digital age, cybersecurity is paramount for organizations of all sizes.
Organizations pour vast resources into building robust defenses—firewalls, encryption, multi-factor authentication, and more—to protect their data from external threats. However, a harsh reality persists: you cannot entirely prevent data breaches from those who hold the keys to the digital kingdom. The insiders, whether they are employees, agents, or even trusted customers, represent a unique and often underestimated threat.
The Insider Threat: When Trust Becomes a Vulnerability
Most companies focus on external threats—hackers, malware, and phishing attacks. While these are certainly critical concerns, the true challenge lies within. Insiders, those with legitimate access to sensitive data, pose a risk that is difficult to mitigate. These individuals have been granted the keys to the kingdom, and with that comes the potential for intentional or accidental misuse.
Imagine a scenario where an employee, out of curiosity or malice, decides to download a massive dataset. While potentially legal and within their access rights, this act could lead to a significant breach if that data falls into the wrong hands. The question then becomes: how do you protect against those who already have access?
Beyond Traditional Defenses: Safeguarding Against Legitimate Access
While traditional cybersecurity measures are essential, they are not enough. Companies must go beyond these defenses to address the threat posed by insiders. Here are some strategies to consider:
- Implementing Gross Download Protection: One way to limit data breaches by legitimate users is to monitor and cap the volume of data that can be downloaded in a given period. Thresholds on data extraction flag activity that deviates from a user's normal behavior pattern, such as gross downloads far above that user's baseline. For example, if a customer service agent typically accesses a few records daily, a sudden surge to thousands of records should trigger an alert and initiate an investigation.
- Utilizing Timed Requests to Thwart Bots: Bots can be deployed to mimic legitimate users and make numerous, rapid data requests. By implementing timed requests, where data access is throttled or paused after a certain period of activity, companies make it harder for automated processes to scrape large amounts of data undetected. The same control reduces the risk of internal misuse, because mass data extraction becomes slow and conspicuous rather than quick and quiet.
- Isolating Databases via Requester Machines: A more advanced approach isolates parts of the database using the requesting machine as a reference point: access to a given segment is restricted based on the machine's IP address or network location in combination with the user's credentials. By creating isolated segments within the database, companies ensure that even an insider with valid access is limited in what they can retrieve from any one machine at any one time. This compartmentalization of data access is a key strategy in minimizing the impact of any potential breach.
- Balancing Security with Accessibility: While these measures can significantly enhance security, it is crucial to balance them with the need for accessibility. Overly restrictive controls hinder legitimate work, leading to frustration and workarounds that may introduce new vulnerabilities. The goal is therefore not to build impenetrable walls but to design a system that intelligently monitors and controls access without stifling productivity.
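The three controls above (volume thresholds against a per-user baseline, a sliding-window throttle on request rate, and segment isolation keyed to the requesting machine's network) can live in one access gateway in front of the database. The following is an added illustration, not code from the page; the field names, thresholds, network ranges and users are constructed assumptions.

```python
"""Data-access gateway combining gross-download, timed-request and segment-isolation
checks. Added example; thresholds, segments and users below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Gateway:
    baseline_multiplier: float = 10.0     # gross download: alert above 10x the daily baseline
    window_seconds: int = 60              # timed requests: sliding window length
    window_limit: int = 20                # max requests per user inside one window
    segments: dict = field(default_factory=dict)        # segment -> ip_network allowed to reach it
    baseline: dict = field(default_factory=dict)        # user -> typical records pulled per day
    history: dict = field(default_factory=lambda: defaultdict(deque))  # user -> request timestamps
    daily_total: dict = field(default_factory=lambda: defaultdict(int))  # user -> records today

    def check(self, user, src_ip, segment, n_records, now):
        """Return allow / deny:segment / throttle / alert:volume for one request."""
        # 1. Isolation: the requester's machine must sit in the segment's allowed network.
        net = self.segments.get(segment)
        if net is None or ipaddress.ip_address(src_ip) not in net:
            return "deny:segment"
        # 2. Timed requests: drop timestamps outside the window, then enforce the cap.
        q = self.history[user]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.window_limit:
            return "throttle"
        q.append(now)
        # 3. Gross download: cumulative records today vs. a multiple of the user's baseline.
        self.daily_total[user] += n_records
        if self.daily_total[user] > self.baseline.get(user, 0) * self.baseline_multiplier:
            return "alert:volume"
        return "allow"


def demo():
    """Constructed scenario: agent7 normally reads ~5 records/day, batch1 ~10000/day."""
    gw = Gateway(segments={"pii": ipaddress.ip_network("10.1.0.0/16")},
                 baseline={"agent7": 5, "batch1": 10000})
    results = [
        gw.check("agent7", "10.1.4.20", "pii", 3, now=0),      # normal work, allowed machine
        gw.check("agent7", "192.168.9.9", "pii", 1, now=1),    # same user, wrong network
        gw.check("agent7", "10.1.4.20", "pii", 2000, now=2),   # bulk pull far above baseline
    ]
    burst = [gw.check("batch1", "10.1.7.7", "pii", 1, now=10 + i) for i in range(25)]
    results.append(burst.count("throttle"))                   # 20 allowed, 5 throttled
    return results
```

In production the baseline would come from historical access logs per role or user, and an "alert:volume" result should raise a ticket for investigation rather than silently deny.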
Bottom line...
In the end, the mantra “trust but verify” rings true in the realm of cybersecurity. Companies must acknowledge the reality that those with legitimate access pose a unique challenge to data security. Organizations can better protect themselves from the very people who have the keys to the kingdom by implementing strategies such as gross download protection, timed requests, and database isolation.
However, it’s important to remember that no system is foolproof. Continuous monitoring, regular audits, and a culture of security awareness are essential components of any comprehensive cybersecurity strategy. After all, the best defense is one that evolves with the threat landscape, staying one step ahead of both external attackers and those on the inside.
We are so screwed.
-- Steve