26 Billion Records Combined in ‘Mother of All Breaches’ Data Leak
Over the past few months, concerns arose when the vast “Naz.API” dataset became public, raising the possibility of a consolidated “combo file” containing searchable information from past breaches. However, new findings have uncovered the existence of the “Mother of All Breaches” (MOAB), a massive 1.2 terabyte file discovered in an online repository by security researchers. The MOAB is divided into more than 3,800 folders, each representing a previous data breach that exposed sensitive personal information or credentials online.
Security researcher Bob Dyachenko of SecurityDiscovery.com, together with Cybernews, which hosts a searchable list of the breaches, uncovered the “Mother of All Breaches” (MOAB). This massive archive, spanning approximately the last 10 to 15 years, contains a combination of breaches including approximately 1.5 billion records from Tencent’s services, the 538 million Weibo leak, a 2016 Myspace leak, a 2023 Twitter leak, and numerous others.
Doriel Abrahams, Principal Technologist at Forter, warns that large-scale data breaches like these pose significant risks. Malicious actors can exploit this data to verify users’ passwords across platforms, increasing the likelihood of successful Account Takeover (ATO) attacks. Consumers should use unique passwords for each site and exercise caution when sharing personal information online or by phone.
Read: https://www.cpomagazine.com/cyber-security/mother-of-all-breaches-data-leak-pulls-together-26-billion-records-from-thousands-of-prior-breaches/
NSA Admits Buying American Citizens’ Internet Data Without Warrants
Despite the exposure of some of its activities by whistleblower Edward Snowden over a decade ago, the NSA’s controversial mass surveillance practices persist. In a response to inquiries from a senator, the National Security Agency has been forced to disclose that it is bypassing the requirement for warrants when purchasing individuals’ information from data brokers. This revelation has raised concerns about the agency’s methods of obtaining data without proper legal oversight.
The revelation emerged through a correspondence between Senator Ron Wyden and high-ranking security officials. In this particular instance, due to the NSA’s vested interest, Senator Wyden was able to disclose the information he had acquired. In his letter dated January 25, addressed to Director of National Intelligence Avril Haines, Senator Wyden made a straightforward request, urging intelligence agencies to exclusively procure American citizens’ data that has been lawfully obtained.
NSA Director Nakasone acknowledged the existence of this practice and proceeded to justify it by emphasizing that it solely pertains to the “records” of online traffic, excluding “emails and documents.” He clarified that the NSA’s acquisitions are limited to “netflow data” originating from devices where either one or both ends of the connection are located within the United States. According to Nakasone, this measure is deemed “critical” in safeguarding US defense contractors against cyber threats.
Read: https://reclaimthenet.org/nsa-confirms-purchasing-data-on-american-citizens-internet-behavior-circumventing-the-need-for-warrants
The Cobbler’s Children (almost) Had No Shoes! DMARC Enforcement Went Live This Week…
After spending the last couple of weeks writing up an overview on the coming DMARC policy enforcement at Google and Yahoo, even personally reaching out to some large list owners, internet communities and online marketers – I’m sitting here the day before this all goes into effect for Gmail and I realize… “We may not have enabled DMARC for axisofeasy.com.”
Checking it out I realize we don’t even have SPF enabled.
So… “Do as we say, not as we do” – (or used to not do, until a couple days ago), make sure you have SPF and DMARC enabled:
Read: https://easydns.com/blog/2024/01/19/new-email-policies-at-gmail-yahoo-et-al-will-require-dmarc-enabled-domains/
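The check the post is urging, as an added example (not code from easyDNS or the linked post): it audits SPF and DMARC coverage for a set of domains, applying the DMARC rule that a subdomain without its own `_dmarc` record inherits the organizational domain's `sp=` (or `p=`) policy. The domains and TXT values are constructed samples, and the in-memory dictionary stands in for real DNS TXT lookups.

```python
"""Audit constructed DNS TXT records for SPF and DMARC coverage."""
import re

# Constructed sample zone: apex with SPF and DMARC, one subdomain with SPF only,
# one subdomain with nothing (the barefoot grandchild). Not real DNS data.
TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com"],
    "mail.example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    "legacy.example.com": [],
}

def find_spf(domain, records=TXT_RECORDS):
    """Return the domain's SPF record, or None if there is not exactly one (RFC 7208)."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def parse_dmarc(txt):
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_dmarc(domain, records=TXT_RECORDS):
    """Policy applied to mail from domain: its own _dmarc record, else the
    organizational domain's sp= (falling back to p=), else None.
    Assumes the organizational domain is the last two labels (no PSL lookup)."""
    own = [r for r in records.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if own:
        return parse_dmarc(own[0]).get("p")
    org = ".".join(domain.split(".")[-2:])
    if org == domain:
        return None
    inherited = [r for r in records.get("_dmarc." + org, []) if r.lower().startswith("v=dmarc1")]
    if not inherited:
        return None
    tags = parse_dmarc(inherited[0])
    return tags.get("sp", tags.get("p"))

def audit(domains, records=TXT_RECORDS):
    """Map each domain to (has_spf, spf_ends_in_-all_or_~all, effective DMARC policy)."""
    result = {}
    for d in domains:
        spf = find_spf(d, records)
        ends_all = spf is not None and re.search(r"\s[-~]all\s*$", spf) is not None
        result[d] = (spf is not None, ends_all, effective_dmarc(d, records))
    return result
```

A policy of "none" or None in the third slot is the gap the post describes: the domain can still be spoofed without receivers being told to quarantine or reject.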
Privacy-Oriented Nitter Project Shuts Down Following Changes to Guest Accounts
Zed, the developer behind the free and open-source Nitter project, has announced that the project is discontinued and not working anymore. Nitter was a privacy-oriented alternative front-end for X/Twitter, enabling users to access the social media content without JavaScript or a user account. This provided a level of anonymity and privacy for users.
Zed made the announcement simply stating “Nitter is dead.” on GitHub, without providing a detailed explanation. However, it appears the project’s termination is linked to X/Twitter’s decision to disable the creation of guest accounts. Nitter was heavily reliant on these anonymous accounts, which were only supported by older versions of the Twitter app.
The most straightforward alternative now seems to be creating a verified X/Twitter account. For users uncomfortable with this, there are other X/Twitter alternatives available, such as Mastodon, Threads, and Bluesky, but this involves switching to another social network.
Read: https://alternativeto.net/news/2024/1/privacy-oriented-x-front-end-nitter-is-shutting-down-following-changes-to-guest-accounts/
Google still tracks you in incognito mode (as per latest wording update)
Users of Chrome Canary have noticed some slight changes in the wording that Google uses for Incognito mode. Designed primarily for developers, Chrome Canary receives frequent updates, almost daily, introducing new features. Since it is compatible with other versions of the standard Chrome browser, collectively referred to as Chrome’s “Stable channel,” it’s a valuable tool for testing and development.
Chrome’s Incognito mode aims to protect your privacy from others using the same device. It mitigates the risk of a spouse, roommate, or anyone on a public computer spying on your browsing habits. Private browsing mode does so by stopping your browser from saving your browsing information on your computer.
The new warning seen in Chrome Canary when you open an incognito window says: “You’ve gone Incognito. Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google.”
It’s clear that Google has put more emphasis on users of the same device while moving away from the websites you visit. It’s generally assumed that the changes are tied to the fact that Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over the Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify [users’] browsing data in real time” even when they had opened a new Incognito window.
Read: https://www.malwarebytes.com/blog/news/2024/01/google-changes-wording-for-incognito-browsing-in-chrome
Florida Man Key Suspect in Oktapus, Scattered Spider Hacker Groups
On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.
Prosecutors say Noah Michael Urban of Palm Coast, Fla., stole at least $800,000 from at least five victims between August 2022 and March 2023. In each attack, the victims saw their email and financial accounts compromised after suffering an unauthorized SIM-swap, wherein attackers transferred each victim’s mobile phone number to a new device that they controlled.
The government says Urban went by the aliases “Sosa” and “King Bob,” among others. Multiple trusted sources told KrebsOnSecurity that Sosa/King Bob was a core member of a hacking group behind the 2022 breach at Twilio, a company that provides services for making and receiving text messages and phone calls. Twilio disclosed in Aug. 2022 that an intrusion had exposed a “limited number” of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.
Shortly after that disclosure, the security firm Group-IB published a report linking the attackers behind the Twilio intrusion to separate breaches at more than 130 organizations, including LastPass, DoorDash, Mailchimp, and Plex. Multiple security firms soon assigned the hacking group the nickname “Scattered Spider.”
Read: https://krebsonsecurity.com/2024/01/fla-man-charged-in-sim-swapping-spree-is-key-suspect-in-hacker-groups-oktapus-scattered-spider/
Elsewhere Online:
Alpha Ransomware launches data breach attack
Read: https://www.infosecurity-magazine.com/news/alpha-ransomware-launches-data/
The Closure of the Hobbes OS/2 Archive Marks the End of an Era in Operating System History
Read: https://www.wired.com/story/hobbes-os2-archive-shutting-down/
Italy Accuses OpenAI’s ChatGPT of Violating European Privacy Laws
Read: https://www.securityweek.com/chatgpt-violated-european-privacy-laws-italy-tells-chatbot-maker-openai/
US Government Works to Disrupt China-linked “Volt Typhoon” Threat Actor
Read: https://www.darkreading.com/cybersecurity-operations/us-govt-reportedly-trying-to-disrupt-volt-typhoon-attack-infrastructure
Brazilian Law Enforcement Serves Warrants Against Grandoreiro Malware Operators
Read: https://thehackernews.com/2024/01/brazilian-feds-dismantle-grandoreiro.html
First Neuralink Human Implant
Read: https://ca.news.yahoo.com/first-human-receive-neuralink-brain-131659386.html
Previously on #AxisOfEasy
Larry Brock
Some of the Cobbler’s Children’s Children still barefoot
I’ve had a tagging rule in my email client to flag SPF issues found in the message source (X-Spam-Status codes) for a couple of years, so I was surprised at the claim of not having SPF in place. It looks like you have had it for at least some of your infrastructure for a while. You had me checking the relevant parts of a sampling of emails from you.
A) mail from your systems to EasyMail mailboxes, does go through your spam checker. Good
B) X-Spam-Status: having a test for SPF_PASS since about 2016 is Good
C) Received-SPF: showing details is a much newer thing, 2022ish. A good thing
Running that tag flagging on my entire mailbox, I only see one instance of a fail, and that was a subdomain/host I hadn’t seen mail from before, nor see anything about it now. It relates to one of your migrations, so may well have been a host name that doesn’t exist anymore. The classic simple Unix/Linux mail command does send from user@hostFQD, much to my own frustration.
Clearly some of the cobbler’s grandchildren got shoes before the children.
Historic DMARC isn’t something we can readily see, but we can look up now.
Some, but not all, of your subdomains do have SPF records (for years) but not DMARC
** Time to check them all! **
I thought it was Mark Twain with that quote.