21 March 2022

The Stupid, It Hurts

In a time of security insanity, this is the most insane thing I have seen in a while. Hackers claim to breach TransUnion South Africa with 'Password' password.

If an investigation determines that this is true, the CEO and whoever is responsible for Security (CIO, CISO, whoever) should be flogged fired, and they should never work in any business that keeps sensitive information on consumers or their business partners.

The "N4ughtysecTu" threat actor also told us they didn't steal any user credentials but performed a brute force attack on the SFTP server. The account they ultimately breached was allegedly using the password "Password", so it was quick and straightforward to brute-force.

A NordVPN report places "password" as the fifth most commonly used password in 2021, taking less than a second to brute-force.

Look, I don't care what password you use to secure your Twitter account, or your F*c*book page. I do care what you use to secure your banking and your email - because your banking is tied to your email. It costs all of us, through the insurance premiums financial institutions pay, when your banking gets hacked. And companies like TransUnion...

TransUnion is a company that has financial data on pretty much every adult in countries where they work. That list of countries includes the USA. They have information on me, and probably on you too. If companies like this do stupid stuff around security, they are not the ones who pay the price. Oh, they will give you one or two years of "credit monitoring service" if your data gets stolen, but the risk doesn't end in a year or two. Depending on the data stolen, it can go on for the rest of your life.

Use. A. Password. Manager. They are easy, and convenient. I need to remember exactly 1 PW for all of my internet access, that is the password to my password manager. The rest of my passwords are 20 characters or more of meaningless gibberish that includes special characters, numbers, as well as upper and lower case letters. No one is going to brute force any of those passwords in a few seconds. Or a few decades.
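To put numbers on that claim, here is an added example (not from the original post) that generates a 20-character password with all four character classes and estimates the worst-case search time for it versus a password sitting on a common-password list. The guess rate and the tiny common-password list are constructed assumptions for the estimate.

```python
import math
import secrets
import string

# Assumed guess rate for the estimate: one billion guesses per second.
# This is a constructed figure, not one taken from the post.
GUESSES_PER_SECOND = 1e9

# The character classes the post describes: upper, lower, digits, specials.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters

# Constructed stand-in for a "most common passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}


def generate_password(length: int = 20) -> str:
    """Return a random password that contains every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Reject the rare draw that misses a class; resample instead.
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(password: str) -> float:
    """Worst-case search space, in bits, for a guesser with no other hints.

    A password on the common list falls within the first few guesses of a
    wordlist attack; anything else forces a search over alphabet^length.
    """
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return len(password) * math.log2(len(ALPHABET))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given guess rate."""
    seconds = 2 ** entropy_bits(password) / rate
    return seconds / (365 * 24 * 3600)
```

For "Password" the search finishes in a fraction of a second; for a 20-character random string over 94 symbols (about 131 bits) the same guess rate needs on the order of 10^22 years.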

As for the companies that are tempted to pay the ransoms... "If you give a mouse a cookie, he's going to want a glass of milk."

For companies considering paying an extortion demand, ransomware negotiation firm Coveware says it is not uncommon for threat actors to leak stolen data after a ransom was paid or even re-extort a victim using the same data in the future.

Or, do you trust the Bad Guys™? They are Bad Guys.

As I said, they are Bad Guys, so I don't trust them 100%. But I do believe that people do stupid things with computer security every day because it's hard. Or it's the way we've always done things. Or whatever stupid reason that they have.

You think security is impossible, or impossibly hard. It isn't. But you're sure it is hard, so you do NOTHING. It will never be perfect, at least not in my lifetime, but this level of "I can't be perfect so I'll do nothing" should be illegal and should be punished. For a company like TransUnion, even in its South African division, to allow the use of a password of "Password" is horseshit of the highest magnitude.
