Hackers Abused Microsoft’s “Verified Publisher” OAuth Apps to Hack Corporate Email Accounts

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations’ cloud environments and steal email.
“The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting

from The Hacker News https://ift.tt/SDqzCe4
via IFTTT

How to get a Cyber Security job

Introduction

Cyber Security is a booming field, but it can be difficult to break into. Cyber Security salaries are great right now. If you’re looking for a Cyber Security job, here are some tips:

Look for jobs with “entry-level” in the title.

As you search for jobs, look for the term “entry level” in the title or description of a position. This will let you know that the company is looking for people with little to no experience.

You can get a Cyber Security job, but it may take some extra hustle and creativity

You can get a Cyber Security job, but it may take some extra hustle and creativity.

The first step is to be proactive about your search. Don’t expect to find a job if you’re not looking for one! You need to keep an eye out for openings and reach out when they come up, even if they aren’t exactly what you want at first glance (but are still related). If you don’t see any good opportunities on LinkedIn or Monster or other sites like that, try searching for companies in your area directly–you never know where someone might post something interesting!

It’s also important not to give up when things don’t go according to plan; sometimes the right opportunity will come along when least expected (and sometimes when most expected). Just remember: if someone says “no” today doesn’t mean they won’t say “yes” tomorrow (or next week).

If a company won’t hire you, ask if they’ll mentor you – even if it’s for free.

If a company won’t hire you, ask if they’ll mentor you – even if it’s for free.

I know what you’re thinking: “A mentor? But I don’t need a mentor.” And yes, maybe that’s true now. But it’s better to have someone who can help guide your career than not have one at all (or worse yet – end up with the wrong one). A good mentor knows how the market works and can help with everything from resume writing to interview prep to finding jobs in their network when they’re not hiring themselves!

Get real-world experience – even if it means starting your own business.

One of the best ways to get real-world experience is by starting a business. While it may be tempting to just jump into the workforce, there are many benefits to starting your own side project or freelance business first:

  • You’ll learn how to run a company and gain valuable insight into what works and doesn’t work when it comes to running an organization.
  • You’ll have more control over your schedule and workload than you would if you were working for someone else (and potentially earn more money).
  • It’s easier than ever before–thanks largely in part thanks technology–to turn an idea into reality; there are even free resources available online if all else fails!

Use Twitter to network and find jobs.

Twitter is a great way to connect with people in the industry, find out what’s trending and get a feel for what it’s like working as a cyber security professional. You can also use hashtags to search for jobs that are relevant to your background.

Keep improving your skills

Look for Cyber Security or Computer Security training online. Sites like https://www.udemy.com and https://www.pluralsight.com are great places to learn skills that can land you that job you are looking for.

Get a Certification

Look into the Securty+ Certification from CompTIA. This is a great entry level certification and will give you the foundation needed to look for more challenging opportunities.

Most importantly, sign up for job alerts!

Sign up for job alerts. Job alerts are a great way to keep up with the latest opportunities in your field and make sure you don’t miss out on any opportunities. This is especially true if you’re looking for cyber security jobs, since there are so many of them out there!

To set up a job alert:

  • Go to Indeed.com or CareerBuilder.com and search for “Cyber Security Jobs” in your area (or wherever else you want). You can also search by state/city/zipcode if you want more targeted results that way too!
  • Click on “Create Job Alert” at the bottom right corner of any job listing page

Conclusion

If you’re passionate about Cyber Security, don’t let these challenges stop you from pursuing a job in the field. Cyber Security is an exciting and rewarding career path that can lead to many different opportunities. One thing is certain: if you want to get hired, you will have to work hard at it! But if you keep hustling and keep your eye on what matters most—your passion for this industry—you’ll find success sooner than expected.

288-Privacy, Security, & OSINT Updates

In this episode, I discuss the latest Privacy & Security news, and present several new OSINT Techniques.

Direct support for this podcast comes from our privacy services, online training, and new book for 2023  Open Source Intelligence Techniques (10th Edition). More details can be found at IntelTechniques.com. Thank you for keeping this show ad-free.

Listen to PAST episodes at https://ift.tt/kX6JNwD

SHOW NOTES:

INTRO:

None

NEWS & UPDATES:

Mint Mobile > T-Mobile
T-Mobile “Breach”
URL Manipulation

OSINT:

https://ift.tt/no6CrYm
https://filmot.com/
https://ift.tt/LtZdjkf
https://ift.tt/ua2OQIF

Free Guides: https://ift.tt/bqcVdaE

Affiliate Links:
OSINT Techniques (10th): https://amzn.to/3VIlP74
Extreme Privacy (4th): https://amzn.to/3D6aiXp
Proton Mail: https://ift.tt/U0GHAMN
Proton VPN: https://ift.tt/bv0Oq6S

from The Privacy, Security, & OSINT Show https://ift.tt/tPkR1nW
via https://ift.tt/mgFTpQ5

Experian Glitch Exposing Credit Files Lasted 47 Days

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The tip about the Experian weakness came from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to cybercrime.

Normally, Experian’s website will ask a series of multiple-choice questions about one’s financial history, as a way of validating the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

When I tested Kushnir’s instructions on my own identity at Experian, I found I was able to see my report even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found she also could bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.

Experian acknowledged receipt of my Dec. 23 report four days later on Dec. 27, a day after Kushnir’s method stopped working on Experian’s website (the exploit worked as long as you came to Experian’s website via annualcreditreport.com — the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).

Experian never did respond to official requests for comment on that story. But earlier this week, I received an otherwise unhelpful letter via snail mail from Experian (see image above), which stated that the weakness we reported persisted between Nov. 9, 2022 and Dec. 26, 2022.

“During this time period, we experienced an isolated technical issue where a security feature may not have functioned,” Experian explained.

It’s not entirely clear whether Experian sent me this paper notice because they legally had to, or if they felt I deserved a response in writing and thought maybe they’d kill two birds with one stone. But it’s pretty crazy that it took them a full month to notify me about the potential impact of a security failure that I notified them about.

It’s also a little nuts that Experian didn’t simply include a copy of my current credit report along with this letter, which is confusingly worded and reads like they suspect someone other than me may have been granted access to my credit report without any kind of screening or authorization.

After all, if I hadn’t authorized the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I be granted the same visibility into my own credit file as them?

Instead, their woefully inadequate letter once again puts the onus on me to wait endlessly on hold for an Experian representative over the phone, or sign up for a free year’s worth of Experian monitoring my credit report.

As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, a majority of the information in that credit report is not mine. So I’ve got that to look forward to.

If there is a silver lining here, I suppose that if I were Experian, I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear this company has no idea who I really am. And in a weird, kind of sad way I guess, that makes me happy.

For thoughts on what you can do to minimize your victimization by and overall worth to the credit bureaus, see this section of the most recent Experian story.

from Krebs on Security https://ift.tt/FbmCtJd

Administrator of RSOCKS Proxy Botnet Pleads Guilty

Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Emelyantsev, a.k.a. Denis Kloster, as posted to his Vkontakte page in 2019.

First advertised in the cybercrime underground in 2014, RSOCKS was the web-based storefront for hacked computers that were sold as “proxies” to cybercriminals looking for ways to route their Web traffic through someone else’s device.

Customers could pay to rent access to a pool of proxies for a specified period, with costs ranging from $30 per day for access to 2,000 proxies, to $200 daily for up to 90,000 proxies.

Many of the infected systems were Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers. Later in its existence, the RSOCKS botnet expanded into compromising Android devices and conventional computers.

In June 2022, authorities in the United States, Germany, the Netherlands and the United Kingdom announced a joint operation to dismantle the RSOCKS botnet. But that action did not name any defendants.

Inspired by that takedown, KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Emelyantsev’s personal blog, where he went by the name Denis Kloster. The blog featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world,” and even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

But by the time that investigation was published, Emelyantsev had already been captured by Bulgarian authorities responding to an American arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in an U.S. courtroom.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Emelyantsev told the Bulgarian court. “I am not a criminal and I will prove it in an American court.”

RSOCKS, circa 2016. At that time, RSOCKS was advertising more than 80,000 proxies. Image: archive.org.

Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was a major player in the Russian email spam industry for more than a decade.

Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from those forums show the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted community where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the forum imploded in 2010.

A Google-translated version of the Rusdot spam forum.

Indeed, the very first mentions of RSOCKS on any Russian-language cybercrime forums refer to the service by its full name as the “RUSdot Socks Server.”

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, Emelyantsev probably knows quite a bit about other top players in the botnet spam and malware community.

It remains unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of California, which has not responded to a request for comment.

Emelyantsev pleaded guilty on Monday to two counts, including damage to protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison, and is currently scheduled to be sentenced on April 27, 2023.

from Krebs on Security https://ift.tt/90qSN3C

New T-Mobile Breach Affects 37 Million Accounts

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

Image: customink.com

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

The company said it first learned of the incident on Jan. 5, 2022, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022.

T-Mobile says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the filing reads. “We have made substantial progress to date, and protecting our customers’ data remains a top priority.”

Despite this being the second major customer data spill in as many years, T-Mobile told the SEC the company does not expect this latest breach to have a material impact on its operations.

While that may seem like a daring thing to say in a data breach disclosure affecting a significant portion of your active customer base, consider that T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every couple of years to make the class action lawyers go away is a drop in the bucket.

The settlement related to the 2021 breach says T-Mobile will make $350 million available to customers who file a claim. But here’s the catch: If you were affected by that 2021 breach and you haven’t filed a claim yet, please know that you have only three more days to do that.

If you were a T-Mobile customer affected by the 2021 incident, it is likely that T-Mobile has already made several efforts to notify you of your eligibility to file a claim, which includes a payout of at least $25, with the possibility of more for those who can document direct costs associated with the breach. OpenClassActions.com says the filing deadline is Jan. 23, 2023.

“If you opt for a cash payment you will receive an estimated $25.00,” the site explains. “If you reside in California, you will receive an estimated $100.00. Out of pocket losses can be reimbursed for up to $25,000.00. The amount that you claim from T-Mobile will be determined by the class action administrator based on how many people file a legitimate and timely claim form.”

There are currently no signs that hackers are selling this latest data haul from T-Mobile, but if the past is any teacher much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.

T-Mobile customers should fully expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even send messages that include the recipient’s compromised account details to make the communications look more legitimate.

Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.

Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.

from Krebs on Security https://ift.tt/3DLmBQM