At a glance.
- Northern Ireland investigates abuse database leak.
- Old LiveJournal credentials surface.
- India releases Aarogya Setu source code.
- Privacy concerns persist about NHSX contact-tracing app.
Northern Ireland investigates abuse database leak.
The Belfast Telegraph reports that names and emails of some two-hundred fifty survivors of "historical institutional abuse" were revealed Friday in a newsletter circulated by the HIA (Historical Institutional Abuse) interim advocate's office. That office is charged with protection of such survivors. The government of Northern Ireland is investigating amid calls for the resignation of the interim advocate, Brendan McAllister, who has offered regrets but has said he intends to remain in office. The Historical Institutional Abuse Inquiry examines mistreatment of children in residential care facilities between 1922 and 1995.
Old LiveJournal credentials surface.
Blogging platform LiveJournal is thought to have been breached in 2014, and rumors of data loss have circulated since 2018. LiveJournal had not disclosed the incident, even after related platform DreamWidth began to sustain credential-stuffing attacks over the past few weeks. DreamWidth is a fork of LiveJournal and shares some of its user base. The credential-stuffing attacks seemed to be related to the 2014 hack. ZDNet reports that there's now little doubt that LiveJournal was in fact breached, as HaveIBeenPwned confirms that 26 million usernames and passwords traceable to LiveJournal are being offered for sale in dark web souks. They can be expected to turn up in future credential-stuffing attacks.
Javvad Malik, Security Awareness Advocate at KnowBe4, emailed comments:
"It's important that credentials like passwords are stored in a secure manner. This means using an appropriately strong hash as opposed to MD5. The problem with storing passwords insecurely is that criminals will try to use the email and password combinations to target other services in password stuffing attacks.
"It is why it's important that users not reuse the same password across multiple sites and enable 2FA wherever it is available. Any time a user is notified or becomes aware that their account details have been compromised, they should change their passwords on other services that use that password and be wary of unsolicited emails which purport to be related to the breach."
Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, offered these thoughts:
"The LiveJournal is a case study in security failure from start to finish. The breach has been well known since late 2018 and the dataset suggests it began 4 years earlier in 2014. Even worse, LiveJournal apparently didn’t follow even the most basic security best practices such as securely hashing users’ passwords. This put their users at enormous risk of immediate compromise should there ever be a problem that exposed the LiveJournal database. Attackers can use the cleartext passwords to log in directly to the compromised user’s account and try the same password on other services, as often people will reuse the same password for many or all their accounts. The worst failure, however, is that LiveJournal is still either unaware or willfully ignorant of the breach and has left its users at risk by failing to notify them or encouraging them to change their passwords. This is completely inexcusable behavior for any organization that is entrusted with data from users. Unless LiveJournal provides a prompt response to this breach and transparent accounting of how it is now conforming to security best practices, I’d encourage any LiveJournal users to abandon the service. They’ve lost any benefit of the doubt now.
"Due to the time that has passed since the breached data was actively circulated and exploited, it is likely anyone with a LiveJournal account that reused their passwords on other services has already been compromised. Even so, it’s still a good idea for anyone affected by this breach to change the passwords for any accounts they may have reused their LiveJournal password on and enable multifactor authentication everywhere possible. In addition, they should be on the lookout for fake extortion emails where cybercriminals try to appear to have compromising information about them and attempt to “prove” their claims by showing that they have a password the user chose in the past. These are almost unfailingly fake, with the cybercriminal not actually in possession of any sensitive information about the user."
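Both commenters above fault unsalted MD5 (or cleartext) password storage. The following is an added example, not code from the article or from LiveJournal, showing why that matters and how a site migrates away from it: the user records are constructed, and scrypt from the Python standard library stands in for "an appropriately strong hash".

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts for illustration only; not data from any breach.
LEGACY_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

# scrypt work factors used throughout (16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_md5(password: str) -> str:
    """Unsalted MD5: the storage style the commentary criticises."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt, stored as 'salt$digest' in hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_count(hashes: List[str]) -> int:
    """Count stored values shared by more than one user. With unsalted MD5 every
    user who picked the same password shares a digest, so cracking one digest
    exposes all of them; salted hashing gives zero duplicates."""
    seen: Dict[str, int] = {}
    for h in hashes:
        seen[h] = seen.get(h, 0) + 1
    return sum(c for c in seen.values() if c > 1)


def upgrade_on_login(username: str, password: str,
                     legacy_db: Dict[str, str], new_db: Dict[str, str]) -> bool:
    """Transparent migration: verify once against the legacy MD5 record, then
    replace it with a salted scrypt hash so the weak digest is never kept."""
    if username in new_db:
        return verify_password(password, new_db[username])
    if hmac.compare_digest(legacy_md5(password), legacy_db.get(username, "")):
        new_db[username] = hash_password(password)
        del legacy_db[username]
        return True
    return False
```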
India releases Aarogya Setu source code.
India's government has announced that it's making the source code of its Aarogya Setu contact-tracing app available for inspection and testing, a decision that Reuters says is generally being well-received by "digital rights activists" as likely to increase the system's security.
Privacy concerns persist about NHSX contact-tracing app.
Privacy concerns continue to surround the contact-tracing technology being trialed by Britain's NHSX. Fears that the app will outlive the pandemic and become a permanent part of a national surveillance system are now familiar, and the "war rhetoric" that C4ISRNet sees surrounding national responses to the pandemic has probably helped provoke that sort of backlash in public opinion. ComputerWeekly reports that centralized data collection has also aroused worry that contact-tracing databases will themselves prove to be insecure, and that, if breached, they would provide cybercriminals with resources for identity theft and other crimes.