A team has found that the Crystals-Kyber encryption algorithm is open to side-channel attacks, under certain implementations.

One of the four post-quantum computing encryption algorithm standards selected by the US National Institute of Standards and Technology (NIST) for public key encryption is open to side-channel attacks, researchers warn.

A new paper published by a team from the Royal Institute of Technology in Sweden reported that Crystal-Kyber implementations under certain masked implementation conditions could be vulnerable.

"Crystals-Kyber has been selected by the NIST as a public-key encryption and key encapsulation mechanism to be standardized," the paper's abstract explained. "It is also included in the NSA's suite of cryptographic algorithms recommended for national security systems. This makes it important to evaluate the resistance of Crystals-Kyber's implementations to side-channel attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NIST's Quantum-Proof Algorithm Has a Bug, Analysts Say

**Bethesda, MD -** SANS Institute, the global leader in cybersecurity training and certifications, is proud to announce the launch of the SANS Cloud Diversity Academy (SCDA), brought to you by SANS & Google. This academy provides unparalleled training and certifications to Black, Indigenous, and People of Color (BIPOC), women, and other underrepresented groups who are passionate about pursuing a technical career in cybersecurity. The SCDA aims to reduce the skills gap in the industry, with a particular focus on cloud security, while also creating a more diverse and inclusive workforce.

"Empowering communities that have been traditionally underrepresented to pursue a career in cybersecurity is of utmost importance to SANS and Google.," said Max Shuftan, Director of Mission Programs and Partnerships at SANS Institute. "The White House just released the National Cybersecurity Strategy to secure the full benefits of a safe and secure digital ecosystem for all Americans. SCDA directly supports the Administration’s strategic objective of developing a national strategy to strengthen our cyber workforce and tackle the lack of diversity in the field head-on. We are committed to reducing the talent shortage and driving greater diversity, equity, and inclusion, ensuring careers in cybersecurity are well within reach for all Americans.”

"As more businesses adopt cloud technology, the need for skilled professionals in cloud security becomes increasingly vital,” said Frank Kim, SANS Institute Fellow, Cloud Curriculum lead, and CISO-in-Residence at YL Ventures. “SANS Cloud Diversity Academy equips professionals with essential skills to protect businesses and their data through SANS OnDemand training & hands-on labs with industry experts."

Applicants can currently be employed in an entry-level IT or STEM role, but priority may be given to those unemployed, underemployed, or interested in a career change. In addition, applicants must demonstrate their aptitude and passion for security, and also be currently living in the U.S. and have work authorization as a U.S. citizen or permanent legal resident.

“The SANS Cloud Diversity Academy is an exciting initiative that we're proud to support,” said M.K. Palmore, Director, Office of the CISO, for Google Cloud. “By partnering with SANS, we will reduce the critical shortage of skilled talent in cybersecurity by providing individuals from diverse backgrounds with the training they need to launch a career in cloud security. The program offers an exceptional opportunity for participants to develop hands-on, practical cloud security skills and gain industry-leading certifications. We're eager to see this initiative's impact on the cybersecurity workforce!”

The academy will provide scholarship-based training of up to three SANS courses and the associated GIAC certifications, the gold standard in the industry. This accelerated SANS training and GIAC certification will launch careers in months, not years, and provide valuable, validated skills and knowledge for graduates as they launch careers in cloud security.

The SANS Cloud Diversity Academy application window opens March 1, 2023, and ends April 14, 2023. To learn more and apply today, please visit https://www.sans.org/scholarship-academies/cloud-diversity-academy/.

**About SANS Institute**

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cybersecurity events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's and bachelor's degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to manage their "human" cybersecurity risk easily and effectively. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community.

SANS Institute Partners With Google to Launch Cloud Diversity Academy

As digital identity verification challenges grow, organizations need to adopt a more advanced and forward-focused approach to preventing hacks.

Online authentication is a challenge for organizations of all shapes and sizes. Despite increasingly sophisticated cybersecurity tools, hackers and criminals continually find new and more nefarious ways to enter enterprise systems.

One method gaining attention for fighting account compromise attacks is verifiable credentials. The concept refers to using digital credentials that adhere to an open standard. These credentials typically include data and elements from vetted physical artifacts, like a driver's license, passport, or digital equivalent, such as a bank account.

Verifiable credentials are appealing because they use digital signatures, making them far more resistant to tampering and theft than physical identifiers. It's possible to carry these digital credentials in a digital wallet within a smartphone or on a PC, enabling trust to be established within and across organizations.

At a time when identity theft, fraud, and malware are rampant, verifiable credentials are rapidly gaining traction. Moreover, security protections multiply when these digital artifacts are combined with a verifiable data registry. Additionally, verifiable credentials allow for selective disclosure, which means individuals can choose to share only necessary information with a specific party rather than sharing all of their personal data. This helps to protect sensitive information and reduce the risk of identity theft.

**Truth or Consequences**

Verifying a person's identity is a simple task in the physical world. Birth certificates, utility bills, and government IDs demonstrate that a person is who they say they are. A trusted authority has authenticated the person and presented them with an artifact they can use to verify pieces of information. This makes it possible for a person to board a flight, apply for government benefits, or open a bank account.

Online, there's no central authority for identity. Every company, website, or account requires a specific username and password. While a few large companies like Google, Apple, and Facebook have attempted to consolidate identity using their login credentials for single sign-on (SSO), there's still no central authority to verify actual identity.

Enter verifiable credentials and verifiable data registries — an approach that transforms the security of the physical world into the digital realm.

**Resilience in Any Situation**

Verifiable credentials can improve system resilience in an identity provider outage or network interruption. For example, if a natural disaster like a hurricane occurs — and takes an identity provider offline — it's still possible to verify a user's identity. Since the user's device holds their signed credentials, it can be presented to an application that can verify the credential using a cached copy of the user's public key. For another example, consider cruise ships, which are notorious for their satellite Internet connections dropping or becoming slow. Using the previously discussed verifiable credentials flow, onboard applications could still verify a user's identity and allow users to make dinner or entertainment reservations, or book excursions.

**Making the Move**

Migrating to verified credentials with verifiable data registries involves a few challenges. Typically, it's necessary to rewrite applications to support them. One way to overcome this roadblock is by decoupling identity from applications through orchestration. This makes it possible to migrate from legacy and brittle services to distributed and resilient systems without touching the codebases of those legacy applications.

Orchestration delivers a highly flexible and secure framework. For example, a company may want to establish only essential criteria like the user's citizenship and employer, or impose any other requirements, each of which may need to be validated by different identity services or systems. All these criteria and conditions can be managed seamlessly and invisibly using orchestration.

Companies looking to adopt verifiable credentials should focus on two key areas. First, ensuring that the initial verification process is secure and that the entity issuing the credential is entirely trustworthy. Second, it's essential to establish a process to handle edge cases and issues, such as when a network outage occurs. 

As digital identity verification challenges grow, many organizations are recognizing the need to adopt a more advanced and forward-focused approach. Verifiable credentials and verifiable data registries offer a path to more robust and resilient security.

The Role of Verifiable Credentials In Preventing Account Compromise

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Why is this person lining up her gadgets as if they were dominoes? For the answer we need you! Come up with a witty cybersecurity-related caption to explain the above cartoon. Our favorite will win a $25 Amazon gift card.

The contest ends on March 29, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge March 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Chad F., a retired software developer for the Department of Defense, came up with the imaginative (and winning) caption for February's "For the Birds" contest, below. Congratulations, Chad!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Domino Effect

The Rapid7 Cyber Threat Intelligence Laboratory at the University of South Florida will provide data on real-world threats for faculty and students to use in their research.

At the most basic level, security research happens when curious people poke around data. What makes it good security research is when these people have access to good data and the right kind of skills.

That is what Rapid7 hopes to accomplish with its new partnership with the University of South Florida to create a cyber threat intelligence laboratory. The Boston company recently made a $1.5 million donation via the Rapid7 Cybersecurity Foundation to set up the Rapid7 Cyber Threat Intelligence Laboratory at the school.

Rapid7 will provide the laboratory with access to its massive data initiatives, including Metasploit, Velociraptor, and Sonar, says Corey Thomas, Rapid7's CEO. The laboratory will support interdisciplinary research efforts by faculty experts and students and help drive a deeper understanding of the challenges defenders are currently facing.

"We are already investing in the data, and we want more people to use the data," says Thomas, noting that people with varying experiences and backgrounds bring diverse perspectives and wind up using the data differently. "Start with the same data and get different insights," Thomas says.

**Improving Research Outcomes Through Data**

The students will have the opportunity for hands-on learning and cybersecurity skills development as well as real-world experience tracking global threat actors. Laboratory projects and research based on threat intelligence data will help students better understand the challenges security practitioners face as they protect users, Thomas says. The laboratory would play a role in helping to educate and develop the next generation of security professionals, he adds.

Through the laboratory, students and faculty will have access to real world data they can use for research and training, which is an "unprecedented opportunity," Robert Bishop, dean of the USF College of Engineering, says in an email to Dark Reading. "Most importantly, this partnership is going to bring the campus together on cybersecurity research."

The laboratory will launch by establishing an interdisciplinary faculty leadership foundation with a new directorship in the USF College of Engineering and endowed faculty positions created in four USF colleges: the College of Arts and Sciences, College of Behavioral and Community Sciences, College of Engineering, and the Muma College of Business. The laboratory will also work closely with the State of Florida's Cyber Florida initiative, a program based out of the university focused on expanding and enhancing the cybersecurity workforce in the Tampa Bay region.

Rapid7 already has a history of investing in the community, Thomas says. There are many areas of collaboration in threat intelligence, incident response, and information sharing. With this partnership with the University of South Florida, the company is "escalating our commitment to open data, open research, and open threat intelligence," Thomas says.

**Real-World Security Education**

Thomas says he is not going to try to predict what kind of research projects will come out of the laboratory. Rapid7 is providing the data, but the university faculty and students will be pushing forward their own ideas and perspectives. "We aren't controlling the outcome — the professors and students have their own plans," Thomas says.

Many universities have established cybersecurity laboratories to provide students with hands-on learning opportunities to gain cybersecurity skills and real-world experience in the field. A laboratory setting makes it possible to refine techniques, get access to different resources from outside partners, and collaborate across different fields to drive research in security technology and techniques. The results of the laboratory research will help improve the industry's understanding of attacker behavior, and those insights then flows back to practitioners to apply to their jobs.

Back in 2018, the Royal Bank of Canada (RBC) opened a cybersecurity laboratory at the University of Waterloo to help build advanced cybersecurity and privacy tools. The RBC investment supported researchers in the David R. Cheriton School of Computer Science and the Department of Combinatorics and Optimization at Waterloo's Faculty of Mathematics, according to the university. Research projects included data-driven software defined security, privacy-enhancing technologies, and post-quantum cryptography. Defense contractor Northrop Grumman partnered with California Polytechnic University back in 2014 to establish the Cal Poly–Northrop Grumman Cyber Lab as a cybersecurity teaching facility. The lab gave faculty and students the opportunity to engage with experts from other higher education institutions, private businesses, defense and government agencies, and research labs.

These private sector partnerships with educational institutions also focus on developing a cybersecurity workforce. For example, IBM partnered with Historically Black College & Universities to establish Cybersecurity Leadership Centers. As part of the partnership, IBM provides a customized security curriculum and learning platform to complement the university's cybersecurity education offerings. Faculty and students also have access to IBM Security's Command Center, an immersive training experience on how to respond to cyberattacks.

The Rapid7 Cyber Threat Intelligence Laboratory fits in with ongoing cybersecurity initiatives at the University of South Florida because of the focus on developing the skills needed to enter the cybersecurity workforce. The university recently received a $3.7 million grant from the National Science Foundation (NSF) to establish the Cybersecurity Research and Education for Service in Government (CREST) program. The NSF grant would provide scholarships for over two dozen graduate and undergraduate students to prepare them for in-demand and high-paying jobs with the federal government and other public institutions, according to a university press release. The funds will also be used to bolster educational and research resources at the Florida Center for Cybersecurity, or Cyber Florida, which is housed at USF and gives students access to classroom simulations and experiential learning opportunities. There is also a program to help professionals without a computer science background enter a master's program in the field, according to Dr. Sudeep Sarkar, distinguished university professor and department chair of computer science and engineering at the University of South Florida.

"By focusing on both continuing education for professionals and enhancing current cybersecurity education efforts, USF is working to fill the talent pipeline for one of the fastest growing and most lucrative fields in the United States," Sarkar tells Dark Reading in an email exchange.

Rapid7 Brings Threat Intel Data to USF Cybersecurity Lab

Attackers have already targeted electric vehicle (EV) charging stations, and experts are calling for cybersecurity standards to protect this necessary component of the electrified future.

As electric vehicle (EV) charging infrastructure rushes to keep pace with the dramatic rise in sales of electric vehicles in the United States, cyberattackers and security researchers alike have already started focusing on security weaknesses in the infrastructure.

In February, researchers with energy-network cybersecurity firm Saiflow discovered two vulnerabilities in the Open Charge Point Protocol (OCPP) that could be used in a distributed denial-of-service (DDoS) attack and to steal sensitive information. And the Idaho National Laboratory recently found that every charger it examined — more formally known as Electric Vehicle Supply Equipment (EVSE) — was running outdated versions of Linux, had unnecessary services, and allowed many services to run as root, according to a survey of EV charging vulnerability research in the journal Energies. Other potential attacks include adversary-in-the-middle (AitM) and services exposed to the public Internet, according to the paper.

The risks are not just theoretical: A year ago, after Russia invaded Ukraine, hacktivists compromised charging stations near Moscow to disable them and display their support for Ukraine and their contempt for Russian President Vladamir Putin.

The cybersecurity concerns come as electric vehicle sales have taken off in the United States, accounting for 5.8% of all vehicles sold 2022, up from 3.2% the previous year, according to JD Power. Currently, less than 51,000 Level 2 and DC Fast charging stations are available in the US, representing the capability to charge 130,000 vehicles simultaneously, according to the US Department of Energy. With more than 1.5 million electric vehicles registered as of June 2022, that means there are 11 vehicles for every public charging port.

To keep up with demand, the major players in the EV charging sector all have significant expansion plans, and the Biden administration aims to increase the number of vehicle chargers to 500,000 by 2030.

While cybersecurity experts worry that the rush to create a comprehensive charging infrastructure could come at the expense of cybersecurity, the question of its cybersecurity preparedness is especially piquant given the connectedness of the infrastructure and the ability to potentially cause damage using access to the high voltage available, says Phil Tonkin, senior director of strategy at Dragos, a provider of industrial cybersecurity.

"Most EV chargers can be considered an Internet of Things (IoT) technology, but they are one of the first that has control over such a significant amount of electrical load," he says. He adds, "The aggregated risk of so many devices, often connected to a small number of single systems, means that devices of this type need to be implemented with care."

**EV Chargers: IoT, OT & Critical Infrastructure**

In many ways, EV charging infrastructure represents a perfect storm of technologies. The devices are connected via mobile applications and carry the same risks as other IoT devices, but they're also set to become a critical part of transportation network in the United States, like other operational technology (OT). And because EV charging stations must be connected to public networks, ensuring that their communications are encrypted will be critical to maintaining the security of the devices, says Dragos' Tonkin.

"Hacktivists will always be looking for poorly secured devices on public networks, it's important that the owners of EV put in place controls to ensure they are not easy targets," he says. "The crown jewels of the operators of EV chargers have to be their central platforms, the chargers themselves intrinsically trust the instructions pushed down from the center."

Consumer devices are also a problem. About 80% of charging takes place in the home, according to ChargePoint session data. But unfortunately, those devices may be easier to disrupt because consumers are not focused, nor should they need to be focused, on cybersecurity, Tonkin says.

"It's not practical for the average domestic customer to have to put in place the right security, therefore making sure the device itself and the methods it uses to communicate with cloud-based services should always be on the vendor," he says.

**Government's Role in EV Cybersecurity**

The US government should make standards and best practices available to companies to prevent cybersecurity weaknesses, some say. Sandia National Laboratories, for instance, has recommended a number of initiatives to strengthen cybersecurity, including improving EV owner authentication and authorization, adding more security to the cloud component of the charging infrastructure, and hardening the actual charging units against physical tampering.

"The government can say 'produce secure electric vehicle chargers,' but budget-oriented companies don't always choose the most cyber-secure implementations," Brian Wright, a Sandia cybersecurity expert working on the vulnerability project, said in a statement. "Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices."

EV Charging Infrastructure Offers an Electric Cyberattack Opportunity

Canada's largest bookseller rejected the pressure of the ransomware gang's countdown timer, despite data threats.

Indigo Books, the company behind Chapters stores and the largest bookseller in Canada, let the deadline to pay a ransomware demand expire, risking the release of employee data.

A LockBit ransomware affiliate group set a Thursday at 3:39 p.m. EST deadline to pay, but Indigo flatly rejected the notion, explaining the extortion money could "end up in the hands of terrorists," according to a statement. So far, contrary to the ransomware group's threat, the compromised Indigo employee data has not been publicly released, according to CBC News.

Indigo was first compromised on Feb. 8, shutting down the retailer's operations down for days. CBC News added that the operation is still struggling to stand up the business with as many product offerings as it had before the ransomware attack.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Indigo Books Refuses LockBit Ransomware Demand

A mayor backing Polish opposition elections in parliament has been targeted by special services with Pegasus spyware.

Polish special services reportedly used the infamous Pegasus mobile spyware to monitor the phone of a mayor backing government opposition, according to a new report.

Polish liberal news outlet Gazeta Wyborcza, characterized by Reuters as being openly against the county's ruling "PiS" nationalists, reported while Sopot mayor Jacek Karnowski was working to elect opposition candidates in Poland's upper house of Parliament between 2018 and 2019, he was targeted by Israel-based NSO Group's Pegasus spyware. The report added that Karnowski's name was also discovered on a list of targets hacked with Pegasus spyware by Poland's special services.

"We will not allow the PiS machine to further destroy democracy, lead Poland to the East and sovietise our country," Karnowski told Reuters in reaction to the report. "The politicians who inspired and commissioned these activities belong in prison."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Polish Politician's Phone Patrolled by Pegasus

Innocently or not, residential proxy networks can obscure the actual geolocation of an access point. Here's why that's not great and what you can do about it.

With so much of the world’s wealth, assets, and trade secrets existing in the cloud, fraudsters and nefarious players have ample motivation to look for new ways to break into networks. Increased VPN usage provides opportunities for threat actors to operate with nearly total anonymity, and we are seeing an uptick in breaches stemming from the widespread use of commercial or anonymous VPNs.

As a cybersecurity practitioner, I continually stress the importance of examining the context of VPN-driven data. Let's look at the top three trends I see emerging, as well as the role that IP address data will continue to play in the world of cybersecurity and ad fraud.

**1\. Residential Proxy Networks Will Keep Security and Marketing Teams Up at Night**

I am amazed by the growing number of entities offering residential proxy networks and promising a world of possibilities in scraping — search engine results pages, e-commerce sites, and webpages. Residential proxy networks use the IP addresses of consumers who sign up for any number of apps that pay them to share their bandwidth. The website or service will see requests coming from what they think are residential IP addresses and allow access to content that would have been blocked had the site been able to see the original IP address.

If I wanted to, I could access or scrape any site that restricts hosted or bot traffic by disguising myself using a legitimate residential IP address from whatever location I wanted.

Many of these apps are upfront with the users who opt to share their bandwidth, but some are more nefarious players, offering users access to a VPN without telling them that their IP addresses will be shared. In such cases, those IP addresses can be used to scrape websites, commit fraud, or launch distributed denial-of-service (DDoS) attacks.

The existence of residential proxy networks is quite troubling for organizations. Marketing teams may be paying for traffic they believe to be legitimate but is actually fraudulent.

Let's say an ad farm sets up a website for the sole purpose of selling ad space via the open-market exchanges. Your company may be led to believe it's a legitimate website that receives lots of consumer traffic in your target markets and which you verify by checking the IP address type and location. But how do you actually distinguish between real users and hosted or bot traffic hiding behind and proxy residential IDs? Without additional context around residential IPs, you can't make that distinction.

**2\. Security Teams Will Realize That WAFs Have Blind Spots**

Every organization has multiple layers of security, including Web application firewalls (WAFs).

A WAF protects your Web applications by monitoring, filtering, and blocking malicious HTTP/S traffic traveling to a Web application, preventing unauthorized data from leaving the application. It does this by adhering to a set of policies, including context around the IP address, that helps determine which traffic is malicious and which is safe. If, for instance, corporate security policy mandates that all non-residential IP addresses and addresses from a specific geolocation should be blocked, the firewall will block all traffic that matches those criteria.

Unfortunately, the proliferation of residential proxy networks means WAFs have a significant blind spot: Knowing the traffic is residential and has a geolocation that is permissible is no longer sufficient. While organizations deploy WAFs to protect against things like scraping and DDoS attacks, these tools can also be tricked into providing access when they shouldn't. Security teams need a lot more context around IP addresses to understand their incoming traffic.

**3\. Security Teams Will Find Ways to Detect Residential Proxy IPs**

In the face of these networks, context is your best defense. Security teams should ask critical questions about incoming traffic, such as:

*   Is this traffic proxied or VPN?
*   How many devices are connected to that IP address? (If you see hundreds of devices connected to an IP address, it’s probably not an individual person.)
*   Is the IP address stable? Has it been in the same location for 20 weeks?
*   Is the IP address part of a known residential proxy network that’s being used for other things?

All of this VPN-driven data and context provides vital clues that can protect marketing budgets as well as corporate networks.

IP address intelligence data isn’t the panacea for securing a network, but it can go a long way in providing the context security teams to identify when unusual activities are occurring and to investigate further. It can also help them enforce digital access rights, ensuring that users in prohibited or embargoed areas are restricted from accessing certain digital assets.

3 Ways Security Teams Can Use IP Data Context

A two-month-long automated credential-stuffing campaign exposed personal information of Chick-fil-A customers, including birthdays, phone numbers, and membership details.

Fried chicken specialist Chick-fil-A has alerted customers to an automated credential stuffing attack that ran for months, impacting more than 71,000 of its customers, according to the company.

Credential stuffing attacks employ automation, often through bots, to test numerous username-password combinations against targeted online accounts. This type of attack vector is enabled through the common practice of users reusing the same password across various online services; thus, the login info used in credential stuffing attacks is typically sourced from other data breaches and are offered for sale from various Dark Web sources. 

"Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company noted in a statement sent to those affected.

The compromised personal information included customers' names, email addresses, membership numbers and mobile pay numbers, as well as masked credit or debit card number — meaning unauthorized parties could only view the last four digits of the payment card number. Phone numbers, addresses, and birthday and month were also exposed for some customers.

Chick-fil-A added that in the wake of the attacks, it has removed stored credit and debit card payment methods, temporarily frozen funds previously loaded onto customers’ Chick-fil-A One accounts, and restored any affected account balances. The fast-food chain also recommended the best practice that customers reset their passwords, and use a password that is not easy to guess and unique to the website.

Some noted that while password reuse or the use of common and weak passwords is the fault of the users, Chick-fil-A still bears some responsibility.

"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "And yet despite that fact, organizations have a legal and ethical obligation to safeguard the personal and financial information of their users."

He adds, "This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers.”

The chain offered some make goods, in case customers wanted to flee the coop after the incident: "As an additional way to say thank you for being a loyal Chick-fil-A customer, we have added rewards to your account," the statement continued. "Chick-fil-A continues to enhance its security, monitoring, and fraud controls as appropriate to minimize the risk of any similar incident in the future."

It was reported in January that Chick-fil-A had been investigating "suspicious activity" across potentially hacked customer accounts. It's unclear why it took so long to determine that the credential-stuffing event was underway. The company did not immediately respond to a request for comment from Dark Reading.

**Credential Stuffing Attacks on the Rise**

Credential stuffing has become more common lately, fueled by the legions of credentials for sale on the Dark Web. Indeed, the sale of stolen credentials dominate underground markets, with more than 775 million credentials currently for sale according to an analysis this week.

In January, nearly 35,000 PayPal user accounts fell victim to a credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks. That same month, Norton LifeLock alerted customers to their potential exposure from its own credential-stuffing attack.

The situation has also prompted a wider conversation. With nearly two-thirds of people reusing passwords to access various websites, some security experts have proposed approaches that do away with passwords altogether, including replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology.

Source

DARKReading