back to article Stolen university credentials up for sale by Russian crooks, FBI warns

Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI. According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and …

  1. WolfFan Silver badge

    Bah, humbug

    I am currently an adjunct instructor at a local community college. The IT people there are, umm, somewhat anal-retentive. Us faculty and staff must change passwords every 90 days; hashes for old passwords are kept for 36 password changes, or 9 years. Passwords must be at least 10 characters, at least one of which must be a lower case letter, an upper case letter, a number, and a symbol. Students must change passwords at the start of a new semester. Multi Factor Authentication is provided using the MS Authenticator app on smartphones, tablets, Win10 boxes, or Macs. If I log into Canvas (the Learning Management System) on any browser, on Mac, Windows, phone or tablet, I must authenticate. If I log into Workday, I must authenticate… even if I use a tab on the same browser as the Canvas login. If I log into webmail, again I must authenticate. The authentication lasts for 8 hours, or until I log in with a different browser, including a different browser on the same machine, whichever is the shorter. I must then authenticate again. For each service. Logging in to a school computer on the school network does NOT log you into services, you must authenticate for each. Now, the password is the same for all services, but not for anything external; logging into the textbook site uses the school ID, but a completely different password. If someone got my credentials they would also have to get my MFA stuff, and school passwords would be useless for non-school logins.

    Meanwhile, I used to do adjunct work for a different community college. I haven’t been there for six years. My credentials still work. I had a truly amazing amount of email.

    Some school IT people are BOFH level. Some are Boss level. Or lower.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah, humbug

      We changed our internal policies on password lifetimes to be practically the complete opposite of what you suggest. Frequent changes are usually pretty predictable. Old password +1 or similar.

      The theory espoused by correct battery horse staple is is a good one; and we back up the VPN with MFA.

      Single sign on is implemented for the more common systems; though there is a long way to go to get the rest into that space; reducing the number of passwords one needs to juggle (and preferably avoid writing them down).

      I'd say passwords are dead but alternatives aren't exactly readily available.

      1. MiguelC Silver badge

        Frequent change ≠ sound security

        Some word, a symbol (usually "-"), month and year numbers is, probably, the most common combination used for passwords that must be frequently changed.

        In those cases, if an old password is eventually obtained, the current one will be easily deducted.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Capital One: Convicted techie got in via 'misconfigured' AWS buckets
    Assistant US attorney: 'She wanted data, she wanted money, and she wanted to brag'

    Updated A former Seattle tech worker has been convicted of wire fraud and computer intrusions in a US federal district court.

    The conviction follows the infamous 2019 hack of Capital One in which personal information of more than 100 million US and Canadian credit card applicants were swiped from the financial giant's misconfigured cloud-based storage.

    Paige Thompson (aka "erratic") was arrested in July 2019 after data was leaked between March and July of that year. The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a "misconfigured web application firewall."

    Continue reading
  • 'Prolific' NetWalker extortionist pleads guilty to ransomware charges
    Canadian stole $21.5m from dozens of companies worldwide

    A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

    On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

    He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

    Continue reading
  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • NSO claims 'more than 5' EU states use Pegasus spyware
    And it's like, what ... 12, 13,000 total targets a year max, exec says

    NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

    The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

    Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

    Continue reading
  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Walmart accused of turning blind eye to transfer fraud totaling millions of dollars
    Store giant brands watchdog's lawsuit 'factually misguided, legally flawed'

    America's Federal Trade Commission has sued Walmart, claiming it turned a blind eye to fraudsters using its money transfer services to con folks out of "hundreds of millions of dollars."

    In a lawsuit [PDF] filed Tuesday, the regulator claimed the superstore giant is "well aware" of telemarketing fraudsters and other scammers convincing victims to part with their hard-earned cash via its services, with the money being funneled to domestic and international crime rings.

    Walmart is accused of allowing these fraudulent money transfers to continue, failing to warn people to be on their guard, and failing to adopt policies and train employees on how to prevent these types of hustles.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022