Here are some interesting updates about cybersecurity threats and new trends.
An unidentified threat actor claims to have exposed 270GB of source code allegedly taken from the New York Times. The leak was posted on a famous imageboard website, and the actor said that it contained "basically all source code" from the publisher. The leaked material apparently includes over 5,000 repositories and 3.6 million files in total.
The security research organization vx-underground initially discovered and reported the supposed leak. They observed that this incident occurred after a similar leak earlier this week involving Club Penguin material stolen from Disney's internal network. However, there is no evidence linking the two attacks, and the accuracy of the statements has not been independently verified.
The New York Times reported a security breach in January 2024 in which a credential for a "cloud-based third-party code platform" was mistakenly disclosed. The publisher indicated that they quickly identified and addressed the questionable conduct. They highlighted that there was no evidence of unauthorized access to Times-owned networks or any disruption to their operations.
The leaked data allegedly includes a database of 1,500 users from a NYT education site (with full names, email addresses, and hashed passwords), internal communications from Slack channels, secrets such as private user keys, and information about the publisher's internal IT architecture. The motivation for the theft and leak of the source code remains unknown.
Source: Infosecurity Magazine
A threat actor named 888 claimed on BreachForums that he stole data from Accenture, allegedly affecting over 32,000 current and former workers by releasing their complete names, email addresses, and "broadcast dates." Accenture first declined to comment on the event, and 888, which has previously carried out high-profile cyber attacks on Heineken and Shell, persisted in its accusations. However, Accenture later acknowledged that the accusations were untrue, noting that only three names and email addresses were detected in the disclosed data set, with no proof of system penetration.
Source: Cyber Daily
Amtrak, the National Railroad Passenger Corporation, recently warned customers about a data compromise that affected their Amtrak Guest Rewards accounts. The breach, reported to the Massachusetts Attorney General on June 14, 2024, was found on May 15, 2024, and is thought to have occurred between May 15 and May 18, 2024. In response, Amtrak reset user accounts and initiated an investigation to determine the scope of the compromise.
The breach was traced back to a credential stuffing attempt in which attackers utilized valid login credentials obtained from third-party sources. Amtrak emphasized that its information systems were not compromised, and the credentials were not obtained from them. The attackers attempted to gain complete control of the Guest Rewards accounts by changing the primary email addresses and accessing personal information such as names, contact information, account numbers, dates of birth, partial credit card numbers, expiration dates, gift card information, and other transactional data.
Although there has been no proof of misuse of the stolen information thus far, the hacked material is useful for fraud and phishing attacks. Stuart Wells, Jumio's CTO, emphasized the risks connected with travel reward schemes, adding that stolen points can be traded on the dark web or converted into tickets. He highlighted the need for improved verification technology and strong identity verification systems to resist such fraud.
This is not Amtrak's first compromise of its Guest Rewards accounts. A similar incident occurred in April 2020, with compromised usernames and passwords, but no financial data was disclosed. The lack of two-factor authentication (2FA) following the 2020 breach was regarded as a significant oversight.
In reaction to the latest compromise, Amtrak is providing 12 months of free identity theft protection with Experian IdentityWorks. Customers are advised to watch their bank and credit statements, report any unusual activity, and reset passwords for other accounts that use identical credentials. Amtrak has now enabled two-factor authentication via email or SMS and established additional internal security procedures to prevent repeat instances. The actual number of affected customers is unknown, but considering Amtrak's large passenger base, the breach's impact might be significant.
Source: CPO Magazine
A recent study conducted by academics at the University of Reading found that ChatGPT-generated exam answers can not only avoid detection but also surpass human students. The study discovered that 94% of AI-generated submissions went undetected, fitting in with human students' work.
The study included sending exam answers created by ChatGPT-4 on behalf of 33 fictitious students to the School of Psychology and Clinical Language Sciences' assessment system. In 83.4% of cases, AI-generated responses outperformed genuine students' grades. This raises questions about the accuracy of current AI detection tools, as well as the possibility of widespread academic dishonesty.
The study emulated real test settings, with a concentration on short-answer questions and essays. Short-answer tests allowed 2.5 hours to complete, however essays required eight hours. Associate Professor Peter Scarfe, who conducted the project, stated that these were unsupervised take-home tests, giving students sufficient opportunity to use AI within the time limits.
The researchers used two different ways to compare ChatGPT-generated replies to real student answers. One method directly compared all AI-generated responses to all student submissions across modules, while another used resampling techniques to compare random student submissions to AI-generated results.
The findings are critical for academic integrity and the future of education. Professor Elizabeth McCrum, Pro-Vice-Chancellor for Education and Student Experience at the University of Reading, highlighted the importance of adapting global education to the growth of artificial intelligence. The researchers advocated for a more in-depth discussion on AI's role in society, as well as the vital necessity to maintain academic and research integrity in this rapidly changing landscape.
Source: Tech Times
According to an FBI warning, victims of cryptocurrency scams have lost about $10 million in the last year to scammers acting as lawyers who claim to be able to retrieve stolen cash. The FBI published a public service announcement (PSA) warning people to be careful of predatory fraudsters who use social media and messaging platforms to contact victims. These fraudsters frequently pretend to be working with or possess information from the FBI, Consumer Financial Protection Bureau (CFPB), or other official authorities to prove their credibility.
Victims are deceived into supplying personal and financial information, paying ahead legal fees, or repaying back taxes and other expenses in order to reclaim their assets. Between February 2023 and February 2024, these scams cost $9.9 million, with total digital crimes involving cryptocurrencies totaling more than $3.8 billion last year.
Ilia Kolochenko, CEO of ImmuniWeb, has warned that generative AI (GenAI) tools may allow fraudsters to construct more convincing scams. He highlighted the importance of governments taking action to prevent misuse of GenAI by providing extra resources to law enforcement and regulating suppliers. Kolochenko also advocated for security training and awareness initiatives, in collaboration with the commercial sector, to educate potential victims. The FBI's warning emphasizes the growing sophistication of scams and the significance of remaining vigilant in protecting personal and financial information.
Source: Infosecurity Magazine