Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Data Breach Affects Over 2,000 South Australian Students
TAFE SA (South Australia's Technical and Further Education provider) has disclosed a somewhat disturbing breach affecting 2,224 students who were enrolled in classes prior to the end of 2021, and possibly going as far back as 2016.
TAFE SA only discovered the breach after SA Police informed them that they had seized devices containing scanned copies of student identification forms. These contain copies of proof-of-identity documents, including driver's licences and passports. The forms also contain student ID numbers, course details, a full name, address and date of birth - just what is needed for identity theft.
TAFE SA has, of course, investigated how the breach occurred, but its forensic investigation has, to date, found no evidence that network systems were illegally accessed or that the breach originated from an external source - all of which suggests that this was an insider attack. Access to the system that holds the student ID forms has been further restricted, with access on a need-to-know basis.
Affected students have been contacted and are being offered advice as well as support through IDCARE. TAFE will also reimburse expenses for replacement of compromised identity documents.
You already know what we are going to say: once identity documents have been used to verify identity, they are a liability, and not an asset.
TAFE SA, Data Breach, information page, 28 March 2023. Available online at https://www.tafesa.edu.au/about-tafesa/data-breach.
FBI Seizes 'Bot Shop' Credential Store
In a coordinated multinational action, the FBI has seized several domain names associated with a site which traded in passwords, cookies and other credentials stolen from malware-infected computers, according to blogger Brian Krebs. Genesis Market has been online since 2018, under the slogan "Our store sells bots with logs, cookies, and their real fingerprints" and allowed its criminal customers to select victims by IP address or by domain names.
Early yesterday, agencies from multiple countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the UK, led by the FBI, replaced the home pages on domains associated with Genesis Market and served arrest warrants on dozens of people affiliated with its operations.
The 'bots' sold by the site provide all the original victim's authentication cookies, which can be loaded into a browser plugin, allowing access to online system accounts with no need for a password or other authentication credentials - including, in some cases, no need for second authentication factors. In general, systems will view any connection from the bot as being part of the same session the victim had established previously. The bot also provides the fingerprint - i.e. the agent type and other identifying characteristics sent in HTTP requests - of the victim's browser, so that it will also look the same to targeted sites.
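As an added, defender-side illustration of the session-replay problem described above (this is not code from the blog or from Krebs's post; the log lines, addresses and session ids are constructed), the following Python flags session cookies that are presented from more than one source IP within a short window, and records whether the User-Agent matched, as it will when a bot clones the victim's fingerprint:

```python
"""Flag session cookies presented from more than one client IP.

Added illustration with constructed data. Because a stolen 'bot' replays the
victim's browser fingerprint, the User-Agent alone will not separate the thief
from the victim, so the check keys on the source IP and only reports the match.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: timestamp, client IP, session cookie, User-Agent.
SAMPLE_LOG = """\
2023-04-04T09:00:12Z 203.0.113.10 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/111"
2023-04-04T09:05:40Z 203.0.113.10 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/111"
2023-04-04T09:07:03Z 198.51.100.77 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/111"
2023-04-04T09:30:00Z 192.0.2.5 sid=d4e5f6 ua="Mozilla/5.0 (X11; Linux) Firefox/110"
2023-04-04T11:30:00Z 192.0.2.5 sid=d4e5f6 ua="Mozilla/5.0 (X11; Linux) Firefox/110"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) sid=(\S+) ua="([^"]*)"$')


def parse_line(line):
    """Split one log line into (timestamp, ip, session id, user agent)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_replayed_sessions(log_text, window_seconds=3600):
    """Return {sid: {"ips": set, "fingerprint_cloned": bool}} for each session
    used from a second IP within window_seconds of an earlier use."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, sid, ua = parse_line(line)
            events[sid].append((ts, ip, ua))
    flagged = {}
    for sid, uses in events.items():
        uses.sort()  # chronological order so earlier uses precede later ones
        for i, (ts, ip, ua) in enumerate(uses):
            for prev_ts, prev_ip, prev_ua in uses[:i]:
                if prev_ip != ip and (ts - prev_ts).total_seconds() <= window_seconds:
                    hit = flagged.setdefault(sid, {"ips": set(), "fingerprint_cloned": True})
                    hit["ips"].update({prev_ip, ip})
                    hit["fingerprint_cloned"] &= prev_ua == ua  # same UA on both sides?
    return flagged


if __name__ == "__main__":
    for sid, hit in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"{sid}: used from {sorted(hit['ips'])}, fingerprint cloned: {hit['fingerprint_cloned']}")
```

When the fingerprint is cloned, a matching User-Agent gives no reassurance; the practical mitigations are short session lifetimes and re-authentication (including the second factor) before sensitive actions, whatever the cookie says.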
The FBI has made no official statement to date, but a statement is likely forthcoming.
Krebs, Brian, FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers, blog post, 4 April 2023. Available online at https://krebsonsecurity.com/2023/04/fbi-seizes-bot-shop-genesis-market-amid-arrests-targeting-operators-suppliers/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.