Feb 232019

Ron Zeitlinger reports:

Four Jersey City high school students have been charged after authorities say they accessed the public school district’s computer system and changed grades for some students, The Jersey Journal has learned.

According to a source in the school district, board of education members were notified by email Friday afternoon that four Dickinson High School students had been arrested earlier in the day. Jersey City school officials and a spokeswoman for the police department did not return requests for more information.

The email said school officials “do not believe any personal information was accessed.”

Read more on NJ.com

Feb 222019

AP reports:

Federal prosecutors have recommended a sentence of nearly three years in prison for a former Virginia high school teacher convicted of hacking into private digital accounts of celebrities and others.

Christopher Brannan pleaded guilty in October to aggravated identity theft and unauthorized access to a protected computer. He was the fifth person charged in the 2014 “celebgate” scandal in which hackers obtained nude photographs and other private information from more than 200 people.

Read more on CBS.
Feb 222019

Bob  Diachenko writes:

On Feb 19, 2019, I have discovered a MongoDB that required no password. The database was located in an India region which (along with other data) also contained highly sensitive information collected on 458,388 individuals located in Delhi. A 4.1GB-sized database had been indexed by Shodan and was left unattended for public access.

The database was named “GNCTD” which also stands for Government of National Capital Territory of Delhi and contained the following collections and records:

  • EB* Registers
  • EB Users (14,861)
  • Households (102,863)
  • Individuals (458,388)
  • Registered Users (399)
  • Users (2,983)

Read more on Security Discovery.

Feb 222019

Seen at Meritalk:

Katie Nickels, a threat intelligence expert for MITRE, released a grassroots compiled list of recent cybersecurity indictments of state-sponsored hackers earlier this week. The list, which is compiled in a Google Doc, includes 30 indictments at the current moment, spanning from June 2011 to Feb. 2019. “When I tweeted that I wanted a list of “cyber” indictments, I found that a bunch of other people were interested in this topic as well,” Nickels wrote in a blog post. “For days, I got replies and DMs with people adding new indictments to the list and giving me suggestions, which was an awesome example of why I adore this community.” Nickels noted in the blog post that she plans to continue to update the list and hopes to expand the content covered. Additionally, she said she is “happy to add trusted, verified people as editors.”

Feb 222019

Sergiu Gatlan reports:

Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack.

A credential stuffing attack is when attackers compile username and passwords that were leaked from previous security breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site.

Read more on BleepingComputer.
It’s 2019.  Why is this still a thing?
Here is Intuit’s notification to Vermont: