The CISA Was Pwned By Hackers… That’s Not A Good Look

Posted in Commentary with tags , on March 11, 2024 by itnerd

The CISA or The Cybersecurity and Infrastructure Security Agency is a government agency responsible for making sure that the US is prepared to defend itself against cyber threats. And I’ve posted lots of stuff about the actions that they’ve take to protect the US over the years. So when a story from The Record crossed my desk, I said to myself “that’s not a good look for them”:

Hackers breached the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in February through vulnerabilities in Ivanti products, officials said.

A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses” about a month ago.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline. Ivanti makes software that organizations use to manage IT, including security and system access.

In short, the CISA got pwned using exploits related to Ivanti products. Now it’s not know if it was the same Ivanti products that the CISA told government agencies to disconnect back in February. But this is absolutely not a good look because when the guys who are supposed to issue guidance and direction about not getting pwned by hackers are actually pwned by hackers, we’re all in deep trouble. And the fact that the hack was limited to a couple of systems doesn’t really matter. What matters is that it happened, and questions need to be asked as to how to ensure that it doesn’t happen again.

Leave a comment »

Novel PowerShell Backdoor Discovered By GuidePoint Security

Posted in Commentary with tags on March 10, 2024 by itnerd

GuidePoint Security has revealed its first encounter with BianLian’s PowerShell backdoor – the first encounter in 2024 to be reported publicly thus far.

GuidePoint Security’s Research and Intelligence Team (GRIT) discovered malicious activity while responding to an incident that began with the exploitation of TeamCity vulnerabilities for initial access, resulting in deploying a novel implementation of a PowerShell backdoor.

Through their analysis, GuidePoint Security ultimately identified the threat actor group behind the attack and provided highly confident attribution to the BianLian ransomware group.

In this technical blog, Drew Schmitt, Practice Lead, GRIT, breaks down BianLian’s use of a novel PowerShell backdoor following the exploitation of TeamCity vulnerabilities.

The research deep dives into BianLian’s exploitation of TeamCity vulnerabilities and post-exploitation behaviors, BianLian’s PowerShell implementation of their GO backdoor, and attribution of the PowerShell backdoor to BianLian.

You can read the details in their new blog, now live at https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/.

Leave a comment »

A Disney+ Email #Scam Is Making The Rounds

Posted in Commentary with tags on March 9, 2024 by itnerd

I’ve come across a Disney+ Email scam that you should be aware of that is pretty interesting as this is the first Disney+ scam email that I have come across.

Let’s start the email that you get:

This email by scam standards is pretty good. But I will note the following. For starters, it never mentions you by name. That’s because this email is emailed out to thousands of people hoping that someone will take the bait. Then there’s where this email is sent from:

That’s not a Disney+ email. And as far as I know, they have chat and phone resources for account and billing issues. So that’s a #Fail. Next is this:

That link clearly doesn’t go to a website that is controlled by Disney+. Thus this is clearly a scam and you should delete this email immediately if you get it. But since I work to expose these scams, I’m not going to do that. But to be clear, don’t be me as I am a trained professional.

Clicking that link takes you here:

First you go to a CAPTCHA. But it’s a demo likely “borrowed” from the company. It even says so in the top left. And that’s where you’ll also notice that these losers are using a WordPress site to pull this off. The “W” next to the words “Captcha Demo” are the big giveaway. Once you get past that, you go here:

This is a fake Disney+ login page. I typed a fake email address and password in and I got past this. That could mean that they are trying to capture credentials, or this is just a gateway to their ultimate goal. Either is possible. Next up is this:

They’re clearly trying to steal your credit card details. And they have logic built into this website to make sure that the card number is valid. Thus at the very least, these threat actors are trying to steal your credit card info. At worst, they’re also trying to snatch your login details to Disney+. It would be a shame for these threat actors if I sent this information to Disney+.

Oh wait. I did before posting this.

In any case, this email illustrates why you need to be careful and closely look at anything that hits your inbox as anything could be a scam email that could catch you out.

Leave a comment »

Guest Post: Election Officials, Poll Workers and Other Public Servants Face A Threatening Weapon: Their Own Private Info

Posted in Commentary with tags on March 9, 2024 by itnerd

Here’s what election staffers can do right now to block potential attackers from uncovering who they are

Byline: Dimitri Shelest, CEO and founder, Onerep

Jan. 6, 2021 is a day mother-and-daughter Georgia poll workers Ruby Freeman and Wandrea Moss will never live down. 

As a mob was attempting to disrupt Congress’s official declaration of Joe Biden as the winner of the 2020 presidential election, about 640 miles away, Freeman and Moss’s home was being stormed by an equally-incensed, if somewhat smaller, crowd. 

Freeman and Moss had already been through a month of harassment and menacing calls after a video falsely claiming the poll workers purposely mishandled ballots on Election Day began to be heavily circulated across the web.

The Capitol’s location is public and well known. But the Freemans’ Atlanta-area home should have been comparatively anonymous. Of course, finding even the most private, least-known individual’s’ personally identifiable information — their home and work addresses, their cell phone number, their family members, their social security information — is barely a Google search away these days.

“I’ve lost my name and I’ve lost my reputation,” said Freeman in her blistering testimony in June 2022 before a House of Representatives committee investigating the Jan. 6 unrest at the Capitol. 

While the Freemans have won their days in court — and settled with some of their other tormentors — their experience and other similar forms of harassment have raised fear among the people charged with upholding election integrity.

Thousands of election officials and staffers have endured similar hostility in the last four years. Arizona Republican State House Speaker Rusty Bowers was met with relentless protests at his home, some of whom arrived armed. Georgia’s Republican Chief of State Gabriel Sterling, who oversaw the state’s election integrity, received images of a noose and accusations of treason. His colleague, Secretary of State Brad Raffensperger, reported that protesters invaded his daughter-in-law’s home and threatened his wife.

About 11% of current election officials said they are “very or somewhat likely to leave” their posts before the 2024 general election, according to a survey from the Brennan Center, which noted that 1-in-5 poll workers know someone who left their election job due to threats against their safety. Meanwhile, women, who comprise about 80% of election administrators, are at a greater risk of attacks and harassment, according to a study by the Voting Rights Lab.

These incidents against unsung public servants show how many innocent civilians could be at risk of having their personal information weaponized by political partisans. But there are clear steps that all of us can take to diminish the threats.

How did we get here? Even the most experienced internet users are often in the dark about how seemingly “private” information can be gleaned by those with malicious intent to pressure them over otherwise innocuous, politically impartial activity. 

Specialty websites like VoterRecords.com and various data brokers expose personal and political information, allowing for easy access to comprehensive individual profiles (for a relatively nominal fee, of course). That access has simplified targeted attacks and undermined the common belief in the confidentiality of voter registration and preferences.

Partisans Are Sharpening The Weapons: Your Info

As Election Day on November 5 draws near, traditional forms of civic engagement like peaceful protests and writing to editors or legislators are considered outdated or ineffectual by a growing cohort of self-appointed “election defenders.” 

An increasing number of partisans believe that to ensure their vote counts, they must actively fight for their cause. Election workers, perceived as hostile, are targeted through the malicious use of their personal information.

Although these armchair info detectives tend to act alone, their methods can often miss the intended, if still undeserving, target and hit another. Anyone with a name and location close to matching an election staffer could find themselves in a partisan’s virtual crosshairs.

Practical Steps for Protection

It’s always possible to scrub personal information from the web, but there are several proactive steps individuals on the election frontlines can take to guard their privacy right away:

  • Opt-Out of People Search Sites: Regularly remove your data from websites like Whitepages, Spokeo, and BeenVerified to minimize your digital footprint.
  • Shine Light On The Dark Web: Use services like credit monitor Experian, which can provide a “scan” of  your information and alert you if private details about you are  being traded on the “dark web,” a common venue for doxxing and harassment.
  • Enhance Social Media Privacy Settings: Tightly control who has access to your personal information on social media platforms, sharing details sparingly.
  • Use a PO Box and Google Voice Number: Shield your real address and phone number from public records by using alternative services for mail and calls.
  • Secure Your Voter Registration Details: In some states, you can make your voter registration confidential, especially if your profession or situation demands higher privacy levels.
  • Regularly Monitor and Secure Your Online Presence: Employ tools like Google Alerts to keep tabs on mentions of your name and update your passwords and security settings frequently.

Since 2020, 14 states have introduced laws to safeguard election officials and poll workers, with measures varying across the board, a study by the National Conference of State Legislatures noted in Dec. 2023. Ten of those states now penalize intimidation and interference against these workers through potential jail time and fines. 

Maine mandates de-escalation training for election staff, while Arizona, California, Oregon, and Washington offer them inclusion in address confidentiality programs. Washington additionally takes a stand against cyber harassment, highlighting a growing recognition of the need to protect those at the forefront of upholding democratic processes.

These legal protections are encouraging. They add some sharp teeth to previously weak laws designed to curtail these kinds of cyber attacks against election administrators and staffers. But they won’t deter the most committed — and dangerous — partisans from hunting down vulnerable civil servants. When it comes to real prevention, the people who ensure  our voting rights must take on the job of protecting themselves before becoming a potential victim.

Leave a comment »

Microsoft Releases More Details On Being Pwned By Midnight Blizzard

Posted in Commentary with tags on March 8, 2024 by itnerd

Remember when Microsoft got pwned by Midnight Blizzard and Microsoft said this:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.  

The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.  

Well, Microsoft has altered their tune. Now they’re saying this:

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised. 

It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024. 

Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.  

 Shawn Loveland, COO, Resecurity had this to say:

It is well known that Microsoft expends significant resources to protect its assets. Their security posture is world-class. However, this example shows that even world-class security processes and technologies can be bypassed by threat actors ranging from opportunistic script kiddies to well-resourced state actors. Microsoft, as with most defenders, has become overly reliant on legacy technologies and processes, a digital version of the Maginot Line. Companies need to evolve to a defense in-depth strategy, which includes offensive defenses that incorporates what threat actors are doing and preparing for outside of their perimeter, which gives them visibility from the attacker’s perspective.

It will not surprise me if Microsoft changes its tune again when more information about what happened is discovered. While the ideal situation is not to get pwned in the first place, this incident illustrates why you need to really go deep into the weeds if you do get pwned.

Leave a comment »

CISA/NSA Releases Info Sheets To Help To Enhance Cloud Security

Posted in Commentary with tags , on March 8, 2024 by itnerd

The NSA and CISA released five Cybersecurity Information Sheets in an alert to enhance cloud security, providing crucial recommendations, best practices, and mitigations for securing cloud environments. 

 Matt Muir, Threat Research Lead at Cado Security had this comment:

“It’s reassuring to see these agencies highlight the differences between cloud and on-premise security practices, along with providing tailored advice for securing the cloud in particular. Hopefully, the advice will give organizations the nudge they need to recognise the wider threats and implications of cloud adoption. By taking heed of this advice and implementing appropriate controls, organizations can mitigate the pervasive threat of cloud attacks.”

The only comment that I have is whether organizations will take heed of this advice. It’s good advice. But many organizations still have the view that the cloud is safer than on-premise. That needs to change.

UPDATE: Dave Ratner, CEO, HYAS adds this:

   “As an increasing number of organizations are utilizing MSSP and MSP providers for cyber security and related functions, it’s imperative to have guidance both for the organizations utilizing them as well as the MSSP and MSP providers themselves. Since criminals and bad actors will often go after the weakest link in the chain, everyone needs to consider cyber resiliency as paramount and understand both how the MSSP/MSP providers will enable it for each client organization, as well as how the MSSP/MSP’s will enable it for themselves. Anyone without a solid cyber resiliency strategy in 2024 is putting themselves at risk.”

Leave a comment »

Women-led tech startups LyfeMD, Roga and Granularity received $230,000 CAD at DMZ’s Women Innovation Summit

Posted in Commentary with tags on March 8, 2024 by itnerd

Toronto Metropolitan University’s DMZ held its second annual Women Innovation Summit, where 10 women-led tech startups had the opportunity to pitch their businesses to angel investors from The Firehood to secure cash investments.  

DMZ hosted the Summit at its Toronto headquarters in honour of International Women’s Day. The day-long event featured curated activities to empower and celebrate women in entrepreneurship and business. These included intimate roundtables that encouraged candid discussions around women’s empowerment, the unveiling of DMZ’s 2024 Women of the Year recipients, and a pitch competition in partnership with The Firehood, an angel group committed to fueling women-led tech innovations.

The pitch competition, which received over 160 applications to participate from coast to coast, heard from 10 women-led startups and awarded a total of $100,000 CAD to: 

  • LyfeMD, a Calgary-based startup that offers an evidence-based platform transforming the management of inflammatory diseases, received $60,000 CAD.  
  • Roga, a Toronto-based startup that provides a mental healthcare platform and wearable non-invasive brain stimulation device designed to reduce employee anxiety, received $40,000 CAD. 

Following the pitch results reveal, The Firehood also announced an additional $130,000 CAD investment in DMZ alum Granularity, an AI-powered platform empowering retailers and brands to stay ahead of viral social media and search trends.

The Summit also unveiled DMZ’s 2024 Women of the Year recipients. Created to honour women in Canada’s tech and business community, the annual award recognizes an esteemed list of individuals for their outstanding accomplishments and impact. 

DMZ’s 2024 Women of the Year award recipients include: 

  • Amber Mac, President of AmberMac Media Inc. 
  • Ashley Wright, Founder and CEO of The Wright Success 
  • Fatima Zaidi, Founder and CEO of Quill  
  • Helen Ahrens, Chair of OUT at Shopify and Senior Merchant Success Manager of Key Accounts  
  • Helen Huang, Co-Founder of Co.Lab 
  • Shriya Gupta, CEO and Co-Founder of Daily Blends 
  • Stephanie Curcio, CEO and Co-Founder of NLPatent  
  • Sylvia Ng, CEO of ReturnBear 
  • Rhiannon Davies, Co-Founder and Managing Partner of Sandpiper Ventures 

For more information on DMZ Women of the Year award recipients, head over to dmz.to/woty2024

Beyond the Women Innovation Summit, DMZ’s Women Innovation Programs provide women entrepreneurs with additional opportunities and specialized support to accelerate their growth, like exclusive community events, mentorship opportunities, a peer network and connections to investors – on top of DMZ’s standard programming all members receive.  

Formally announced at the Women Innovation Summit, DMZ will now provide a $5,000 grant for women founders accepted into their Pre-Incubator program and a $10,000 grant for women founders accepted into their Incubator program. Additionally, women founders in their Incubator program can tap into a pool of $5,000 each to cover approved business expenses.

Following the Summit, DMZ is gearing up to launch an impact report showcasing the breadth and significance of the Women Innovation Summit. Crafted to encapsulate and distribute valuable insights from the event, the report will be widely shared with the ecosystem and organizations committed to empowering women innovators.

To learn more about how DMZ supports women-identifying founders to build and grow their startups, head to dmz.to/WIP.

Leave a comment »

10 Canadian women-owned businesses awarded $10,000 CAD from She’s Next Grant Program

Posted in Commentary with tags on March 8, 2024 by itnerd

Today, Visa Canada announced the recipients of its She’s Next Grant Program. Aiming to uplift women-owned small businesses, the program awards 10 winners a $10,000 CAD grant and access to an accelerated mentorship program through York University’s YSpace.

According to Visa Canada’s latest Small Business Pulse report, only 43% of Canadian small to medium enterprises (SMEs) say they are fully funded, the lowest mark since the study began in 2020. Funding continues to be an important issue among women entrepreneurs, with six in 10 women small business owners reporting they are seeking additional financial support compared to four in 10 women a year ago.

To date, the program has awarded $600,000 CAD to women-owned small businesses and countless hours of mentorship to women entrepreneurs across Canada. The recipients of this round span industries from fashion and wellness to technology and waste management, they include:

  • aGRO Systems, Calgary, AB: aGRO Systems is a waste up-cycling and livestock feed provider on a mission to produce healthy carbon-neutral food and drink and help other agri-producers and agri-processors do the same profitably. The company transforms spent grain, an unavoidable by-product created in the process of making beer and alcoholic products, into affordable livestock feed for small to medium-scale livestock ranchers.
  • Apricotton, Toronto, ON: Apricotton is a Toronto-based teen bra brand that helps girls feel confident in their first bra. The brand is the only bra brand globally that designs bras that expands and adjusts as the girl grows, lasting multiple stages of puberty.
  • Bold Helmets, Toronto, ON: Bold Helmets has developed the first safety-certified multi-sport helmet for kids aged 5 and up of the Sikh faith who have long uncut hair. Tina Singh couldn’t find a helmet to fit her kids when they started riding bikes, so she took it upon herself to create a product that worked for kids like hers.
  • Canadian Succulents, Uxbridge, ON: Canadian Succulents cultivates and distributes drought-tolerant house plants, offering creative horticultural solutions to enhance homes, businesses and events. The company prioritizes sustainable cultivation practices and hosts educational workshops and seminars to share the latest insights and knowledge in horticulture.
  • CAYA Health Centre, Vancouver, BC: CAYA (or Come As You Are) Health Centre is a multidisciplinary medical and allied health centre focused on serving all women, trans, and non-binary individuals. The first clinic of its kind in Vancouver, CAYA Health Centre offers a one-stop shop specifically for women, trans, and non-binary individuals.
  • FemTherapeutics, Montreal, QC: FemTherapeutics takes a personalized approach to treating female issues related to pelvic organ prolapse. To do this, FemTherapeutics provides a comfortable and tailor-made prosthesis for each patient, minimizing their clinical failure rate. The goal of this company is to provide effective symptomatic relief as well as to ensure a better quality of life for women.
  • Tall Size, Toronto, ON: Tall Size is the first multi-brand retailer exclusively for tall women. Customers can buy, sell and discover clothing made specifically for tall women with access to over 20 tall brands and counting.
  • Twenty One Toys, Toronto ON: Twenty One Toys, is a multi-award-winning training and development toy company using toys to teach skills like empathy, failure, and creative communication. Founder Ilana Ben-Ari was given a design challenge to create a navigational aid for the visually impaired for a university project, where she created The Empathy Toy to bridge the social and emotional gap between the visually impaired and sighted community.
  • Rootd, Vancouver, BC: Rootd is the #1 ranked mobile app for panic attack and anxiety relief. This scientifically validated app blends stigma-breaking design, on-demand accessibility, and therapist-approved lessons and exercises to help users during all stages of managing panic attacks and anxiety. 
  • Zuri & Dre, Montreal, QC: Zuri & Dre offers plush dolls, home decor, stationery and accessories, that are unique with the aim of diversifying representation in children’s toys. 

Recognizing the need for resources to secure funding, Visa recently announced a new collaboration with Fundica, North America’s leading funding search engine, to democratize access to government funding for small businesses and entrepreneurs with an emphasis on underrepresented communities. As part of Visa Canada’s commitment to supporting Canadian entrepreneurs, Visa offers several tools and resources like Visa SavingsEdge and the Visa Canada Small Business Hub, which hosts resources for small businesses to support driving efficiency, fraud mitigation and sales through the expansion of e-commerce, digital payments, marketing and more.

To learn more about the program and recipients, visit: Visa.ca/grantprogram

Leave a comment »

EU’s ‘Cyber Solidarity Act’ creates a cooperative mechanism for effective defenses

Posted in Commentary with tags on March 7, 2024 by itnerd

On Tuesday, the EU agreed to the Cyber Solidarity Act, a new set of rules intending to make the EU more resilient and reactive to cyber threats via cooperation mechanisms.

An EU-wide cybersecurity alert system will be established to rapidly share information and will comprise of national cyber hubs which will be responsible for detecting and acting on cyber threats, helping authorities respond more effectively to major incidents.

The new regulation will allow for the creation of a cybersecurity emergency mechanism that will support:

  • Preparedness actions, including testing entities in highly critical sectors, such as healthcare, transportation and energy.
  • Shared financial assistance for impacted entities.
  • A ‘cybersecurity reserve’ made up of incident response services from the private sector as well as associated partnering countries that are ready to intervene during a large-scale cybersecurity incident.

The EU Council and Parliament have also agreed to amend the 2019 Cybersecurity Act in order to establish European certification schemes for managed security services. This aims to boost the quality and comparability of these service providers and avoid fragmentation of the internal market.

Formal adoption of the provisional agreements will come once they have been endorsed by the Council and Parliament. 

Emily Phelps, VP, Cyware had this comment:

   “The Cyber Solidarity Act recognizes and addresses the critical nature for the EU to more effectively prepare, detect, and respond to cyber threats. Threat actors often work together, increasing the challenges nations and organizations face to defend against adversaries. These collaborative efforts to improve resiliency are an important step to protecting critical infrastructure, national security, and economic continuity.

Dave Ratner, CEO, HYAS follows with this comment:

   “Sharing information the way that the EU Cyber Solidarity Act does is a great start and a good initiative — too many times the right information is not shared quickly enough. However, if the goal is to make everyone, especially critical infrastructure, truly proactive and cyber resilient then they need to do more than just share information about ‘what’s happened in the past’ and ‘what’s happening now’.  They need to endorse the use of proactive threat intelligence capable of identifying what is going to happen, and mandate the implementation of cyber resiliency solutions like Protective DNS — which other governments are already recommending — that are capable of automatically identifying attacks in real-time and shutting them down.”

George McGregor, VP, Approov had this comment:

   “The EU continues to flesh out the EU Cybersecurity Strategy laid out 4 years ago.

   “The newly announced Cyber Solidarity Act is intended to drive readiness and cooperation and includes infrastructure investments and financial incentives. Because of this it will certainly prove less controversial than the Cyber Resiliency Act of 2023 which imposed strict breach reporting requirements on companies operating in the EU.

   “Key, however, will be the effective execution of the work needed to implement this Act. For example, the creation of a “state-of-the-art” European Cybersecurity Alert System is certainly aspirational but could prove quite challenging to implement. Further information and regular updates on the status of the various projects required to implement the Act will be welcome as a next stage. “

By making sure that everyone shares info and plays nice in the metaphorical sandbox, it ensures that everyone is a lot safer. Thus I see this as a very good move by the EU and one that should be copied far and wide.

Leave a comment »

PetSmart Hit With A Credential Stuffing Attack

Posted in Commentary with tags on March 7, 2024 by itnerd

PetSmart is warning customers their passwords were reset due to an ongoing credential stuffing attack.

DarkWebInformer was the first to post the company’s notice to customers on “X” (formerly Twitter) wherein the company confirmed that during a period of increased “password guessing attacks” the customers account was logged in to. 

As a precaution, PetSmart reset all passwords of accounts that had been logged in during the credential stuffing attack and now those users must reset their passwords.

As the largest Pet focused retailer in the US, PetSmart has over 60 million customers and 1,600 stores nationwide. PetSmart did not say how many customers were affected.

“We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised,” the PetSmart alert said.

“In an abundance of caution to protect you and your account, we have inactivated your password petsmart.com. The next time you visit petsmart.com, simply click the “forgot password” link to reset your password.”

Ted Miracco, CEO, VP, Approov had this to say:

   “PetSmart’s reliance on password resets alone is necessary, but entirely insufficient in addressing the complexities of modern cyber threats like credential stuffing. Securing APIs requires more than just credentials and MFA, it demands a comprehensive security strategy that encompasses multiple layers of protection. 

   “The adoption of advanced security measures like token-based systems is often perceived as the domain of banks, cryptocurrency platforms, and other high-security sectors. However, the reality is that any business handling personal information – be it an eCommerce platform, a healthcare provider, or, indeed, a pet retailer – must prioritize these enhanced security measures.“

This hopefully will spur PetSmart to do better when it comes to security. Because getting pwned is never good for business.

Leave a comment »

« Older Entries
Newer Entries »