Friday, May 23, 2025

Deepfaking of Some Senior US Government Officials


Do you think AI-powered smishing and vishing are far off? Then think again. (Smishing uses text messages to trick users; vishing relies on voice calls to do the same.)


Today, these social engineering tactics might seem low-level, but developments in AI technology are rapidly changing that. With tools that can generate natural-sounding text and mimic real voices, attacks are getting more sophisticated and convincing. What is now a minor risk could soon escalate into a widespread and highly effective threat.


The FBI has warned that fraudsters are impersonating "senior US officials" using deepfakes as part of a major fraud campaign.


According to the agency, the campaign has been running since April and most of the messages target former and current US government officials. The attackers are after login details for official accounts, which they then use to compromise other government systems and try to harvest financial account information.


https://bit.ly/4ks5Jff


Headlines:

"'AI-generated content has advanced to the point that it is often difficult to identify,' the FBI advised. 'When in doubt about the authenticity of someone wishing to communicate with you, contact your relevant security officials or the FBI for help.'"


"Attackers have used this approach for over five years. The technology needed to run such attacks is so commonplace and cheap that it's an easy attack vector. Deepfake videos have been around for a similar period, although they were initially much harder and more expensive to do convincingly."

Friday, May 9, 2025

Over 19 Billion 'Lazy' Passwords Have Been Leaked

Do you think that you have strong passwords? Are you sure about it?

A new study examined more than 200 data breaches between April 2024 and 2025 and found 19,030,305,929 newly exposed passwords. That is more than twice the population of the whole world.


It is quite an interesting analysis for understanding the password behaviour of human beings, and maybe for reconsidering our own passwords.


https://bit.ly/3F4HVOR


Headlines:


"...Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component."


"'We’re facing a widespread epidemic of weak password reuse. Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks...'"


"Key takeaways

- Most people use 8–10 character passwords (42%), with eight being the most popular.

- Almost a third (27%) of the passwords analyzed consist of only lowercase letters and digits.

- Passwords composed of profane or offensive words might seem rare, but they're actually very common in practice.

- Despite years of being called out, default and 'lazy' passwords like 'password', 'admin', and '123456' are still a common pattern."


"The analyzed dataset contains exposed credentials from leaks or breaches that happened in a 12 month period starting with April 2024.


The data included leaked databases, combolists, and stealer logs originating from around 200 cybersecurity incidents. Only data that became publicly available was analyzed.


The leaks exposed a total of 19,030,305,929 (19 billion) passwords. Only 1,143,815,266 (6%) (1 billion) of passwords were identified as unique."


"It’s no surprise that you’ll find '1234' in almost 4% of all passwords – over 727 million passwords use this sequence. Extending it by two additional numbers, to '123456', leaves 338 million passwords using it. 'Password' and '123456' have been the most popular passwords at least since 2011."


"Many systems originally provide these defaults, such as routers with 'admin/admin' or phones with 1234 PINs. Users either never change them or even recycle these passwords elsewhere themselves."


“'Many users choose a name as part of their password. We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8% chance for them to be included as part of a password,' the researcher explains.


Ana was the most popular, used in almost 1%, or 178.8M passwords. This short component naturally appears in many other common words, such as 'banana' (used in 3.7M passwords).


Many users opt for passwords inspired by positive, uplifting concepts. Words like love (87M), sun (34M), dream (6.1M), joy (6.9M), and freedom (2M) dominate the positive wordlist.


Some of the most frequently used pop culture terms in passwords include Mario (9.6M), Joker (3.1M), Batman (3.9M), Thor (6.2M), and, surprisingly, Elsa (2.9M) from Disney’s 'Frozen'.


'Positive associations, admired characters, and nostalgia make people feel familiar and are easy to recall. However, popularity becomes predictability, exploited by attackers,' the researcher explains.


Swear words are also very common in passwords. The top entry, ass (165M), can be partly explained by the use of 'pass' or 'password'. However, users often craft their passwords using fuck (16M), shit (6.5M), dick (3.2M), and bitch (3.2M)."


"Other top-most frequently used words in passwords include countries, cities, US states, food, popular brands, nature, animals, or even seasons or months.


The most popular city for passwords is Rome (13M), while 9.8M passwords include lion and 7.8M – fox. Summer (3.8M) is the most popular season, and users seem to prefer Monday (0.8M) the most to protect their accounts."
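A small checker, added here as an example and not part of the study or this post, that flags a candidate password against the patterns the study calls out: default passwords, ascending digit runs like '1234', lowercase-plus-digits only, the 8-10 character band, and common name, positive, pop-culture and place words. The word lists are constructed placeholders standing in for the study's full lists, and the 12-character threshold is my own assumption.

```python
import re

# Word lists constructed for this example; the study cross-referenced the 100 most
# popular names of 2025 and larger word lists, only a few representatives are used here.
DEFAULT_PASSWORDS = {"password", "admin", "123456", "1234", "12345678", "qwerty"}
COMMON_COMPONENTS = {
    "name": ["ana", "maria", "john"],
    "positive": ["love", "sun", "dream", "joy", "freedom"],
    "pop culture": ["mario", "joker", "batman", "thor", "elsa"],
    "place/time": ["rome", "summer", "monday"],
}
MIN_LENGTH = 12  # assumption: above the 8-10 character band most leaked passwords fall in


def has_digit_sequence(pw: str, length: int = 4) -> bool:
    """True if pw contains an ascending run of digits such as '1234' or '123456'."""
    for run in re.findall(r"\d+", pw):
        for i in range(len(run) - length + 1):
            window = run[i:i + length]
            if all(int(window[j + 1]) - int(window[j]) == 1 for j in range(length - 1)):
                return True
    return False


def audit_password(pw: str) -> list[str]:
    """Return the weaknesses found, named after the study's findings; [] means none flagged."""
    findings = []
    low = pw.lower()
    if low in DEFAULT_PASSWORDS:
        findings.append("default/lazy password")
    if has_digit_sequence(low):
        findings.append("sequential digits")
    if re.fullmatch(r"[a-z0-9]+", pw):
        findings.append("lowercase letters and digits only")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for category, words in COMMON_COMPONENTS.items():
        for word in words:
            if word in low:  # substring match, so 'banana' is caught via 'ana' as in the study
                findings.append(f"contains common {category} word '{word}'")
    return findings


if __name__ == "__main__":
    for candidate in ["123456", "banana2024", "X7#kq!Lm2@pVz9"]:
        print(candidate, "->", audit_password(candidate) or "no findings")
```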





Tuesday, April 22, 2025

UK Fines Law Firm 60,000 Pounds for Ransomware Data Breach


Two things:

1) DO NOT ignore two-factor authentication for any user. Just one weak link can cost you £60,000 (or more).

2) Report breaches on time, in accordance with the law(s) you are required to obey.


The U.K. ICO (Information Commissioner's Office) fined a law firm £60,000 after a 2022 ransomware attack leaked sensitive client data, including DNA tests and information about children and victims. The investigation found that the law firm failed to protect data properly, used an outdated account without two-factor authentication, and waited too long to report the breach. The ICO said protecting personal information is a legal duty, and the firm’s mistakes led to serious risks. The firm can appeal the fine but has not commented yet.


https://bit.ly/3YFvYFO


Headlines:

"Firm Failed to Close Outdated User Account, Waited 43 Days to Notify Regulators"


"Hackers in a 2022 ransomware attack stole 32.4 gigabytes of data from the law firm and later posted it on the darkweb. The breach affected 791 people and contained information about 306 clients, including DNA testing data and details on children and victims of sexual offenses."

Wednesday, April 2, 2025

Legacy Medical Devices Remain Easy Targets for Cyber Threats

 

Do you think that your health data is secure?


Most people don't really think about this question. But imagine: what would you do if your health data ended up on the internet one day? Once it is exposed, you can't undo it. That's scary and disturbing, isn't it?


Anyone who has worked with medical systems knows that patching vulnerabilities on them is quite difficult. The main reasons are: 1) Many of the systems run on outdated software that no longer receives patches. 2) Updates are too risky because they can interrupt care or cause devices to fail during use. So many of these devices stay unpatched and highly vulnerable to cyber attacks.


Researchers from Claroty's Team82 analyzed over 2.25 million Internet of Medical Things (IoMT) devices and more than 647,000 operational technology (OT) devices across 351 healthcare organizations. They found that 99% of these organizations had vulnerabilities with publicly available exploits, as listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. (Yes, 99%. We can say "almost all of them".)


You can find the report at the following link:

https://bit.ly/4j1es7d


https://bit.ly/3FOYOgp


Headlines:

"...the firm was able to analyze the security state of more than 2.25 million IoMT devices and more than 647,000 OT devices across 351 healthcare organizations – and found that 99% of the organizations are vulnerable to publicly available exploits..."
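An added example, not Claroty's or CISA's code, of the kind of cross-reference the report describes: matching a device inventory against the CISA KEV feed and ranking devices that cannot be patched first, since those need isolation or compensating controls rather than a patch date. The feed excerpt and inventory are constructed, and the CVE ids are placeholders; only the field names follow CISA's public JSON feed.

```python
import json

# Constructed KEV-style feed excerpt. Field names follow CISA's public JSON feed, but the
# CVE ids, vendors and products below are placeholders, not real catalog entries.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleMed", "product": "Infusion pump firmware",
     "dueDate": "2025-01-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleMed", "product": "Imaging workstation",
     "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: device, the CVEs a scanner attributed to it, and whether the
# vendor still ships patches (legacy devices often do not, as the post explains).
INVENTORY = [
    {"asset": "pump-ward3-01", "cves": ["CVE-0000-00001"], "patchable": False},
    {"asset": "ct-scanner-02", "cves": ["CVE-0000-00002", "CVE-0000-00099"], "patchable": True},
    {"asset": "hl7-gateway-01", "cves": ["CVE-0000-00099"], "patchable": True},
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE id for direct lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory: list, kev: dict) -> list:
    """Assets with KEV-listed CVEs, most urgent first: unpatchable devices (isolate or add
    compensating controls) ahead of patchable ones, ransomware-linked CVEs first within each."""
    hits = []
    for item in inventory:
        matched = [kev[c] for c in item["cves"] if c in kev]
        if not matched:
            continue
        ransomware = any(m["knownRansomwareCampaignUse"] == "Known" for m in matched)
        if item["patchable"]:
            action = "patch by " + min(m["dueDate"] for m in matched)  # earliest KEV due date
        else:
            action = "isolate / compensating controls"
        hits.append({"asset": item["asset"], "kev_cves": [m["cveID"] for m in matched],
                     "ransomware_linked": ransomware, "action": action})
    hits.sort(key=lambda h: (h["action"].startswith("patch"), not h["ransomware_linked"]))
    return hits


def exposure_rate(inventory: list, kev: dict) -> float:
    """Share of assets carrying at least one KEV-listed CVE (the report's 99% was per organization)."""
    exposed = sum(1 for item in inventory if any(c in kev for c in item["cves"]))
    return exposed / len(inventory) if inventory else 0.0
```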


Monday, March 24, 2025

Are We Ready for Post Quantum Cryptography (PQC)?

Is your organization prepared for the quantum computing era and the shift to Post-Quantum Cryptography (PQC)?

Well... What does this question mean?


Post-Quantum Cryptography (PQC) refers to cryptographic algorithms that are designed to be secure against attacks from quantum computers. Quantum computers have the potential to break widely used encryption methods (like RSA and ECC).


Our digital world relies heavily on the RSA system. RSA (Rivest-Shamir-Adleman) is a widely used public-key cryptosystem whose security rests on the difficulty of factoring a large number that is the product of two primes. The algorithm involves two keys: a public key, used for encryption, and a private key, used for decryption. However, the rise of quantum computers threatens this system.
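An added toy illustration, not from the NCSC guidance or this post, of why RSA's security rests on factoring: with small constructed primes, anyone who can factor the public modulus n recovers the private key. Trial division is hopeless at real key sizes; Shor's algorithm on a sufficiently large quantum computer would not be, which is what the migration timeline is about.

```python
from math import gcd, isqrt


def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA key generation from two primes; returns ((n, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(m: int, pub: tuple) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def factor_by_trial_division(n: int) -> tuple:
    """Classical factoring. Fine for a toy modulus, infeasible for a 2048-bit one; Shor's
    algorithm on a large enough quantum computer would make this step efficient."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pub: tuple) -> int:
    """Once n is factored, the private exponent follows directly from the public key."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, d = keygen(1009, 1013)  # toy primes, constructed; real keys use ~1024-bit primes
    c = encrypt(42, pub)
    print("decrypt:", decrypt(c, d, pub[0]))
    print("recovered d == d:", recover_private_key(pub) == d)
```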


Recognizing the urgency, the UK's National Cyber Security Centre (NCSC) has published specific timelines on migrating to post-quantum cryptography (PQC), dictating that critical organizations should complete migration by 2035.


https://bit.ly/4kXiZsO


Headlines:

"'Quantum computing is set to revolutionize technology, but it also poses significant risks to current encryption methods,' stated NCSC's CTO, Ollie Whitehouse."


"As quantum technology advances, upgrading our collective security is not just important – it's essential."


"The NCSC recommends adopting NIST-approved PQC algorithms for migration, which were standardized by the U.S. organization last year, and are expected to become the foundation for post-quantum security globally."


"The United States has established a similar timeline for migrating to PQC through the National Security Memorandum 10 (NSM-10), which also sets 2035 as the target year for completing the transition across federal systems."