What an irony: The US Security Council failed to protect the data of Tesla, the FBI and NASA

New training from NSC – "practical course for novice hackers".

The US National Safety Council (NSC) has leaked data from 2,000 US companies and government organizations. About 10,000 email addresses and passwords of employees were almost publicly available.

The non-profit organization NSC not only works on safety issues on a global level, but also provides training on occupational health and safe driving. Its online materials are available to almost 55,000 representatives of the business sector, government agencies and educational institutions.

The Cybernews team found that the NSC site remained vulnerable for five months. Employees of the following organizations were affected by the leak:
  • Organizations in the field of mining: Shell, BP, Exxon, Chevron
  • Electronics Manufacturers: Siemens, Intel, HP, Dell, IBM, AMD
  • Aerospace companies: Boeing, Federal Aviation Administration (FAA)
  • Pharmaceutical companies: Pfizer, Eli Lilly
  • Automotive giants: Ford, Toyota, Volkswagen, General Motors, Rolls Royce, Tesla
  • Government agencies: US Department of Justice, US Navy, FBI, Pentagon, NASA, Occupational Safety and Health Administration (OSHA)
  • Internet Service Providers: Verizon, Cingular, Vodafone, AT&T, Sprint, Comcast
  • Other major companies: Amazon, Home Depot, Honeywell, Coca Cola, UPS

This kind of sensitive information could be used, for example, for attacks on corporate networks and personnel management systems. It would also allow cybercriminals to access internal networks, documents, and other sensitive materials to conduct ransomware campaigns.

The credentials were encrypted using the SHA-512 algorithm, which is generally considered secure. However, "salts", extra characters to strengthen encryption, were stored right next to password hashes and were encoded in base64 format, which is not intended for this purpose. The loophole significantly simplifies the task for potential attackers.

Depending on the complexity of the password and the methods used, it could take up to 6 hours to compromise one person's account. This does not mean that all accounts can be hacked, but studies have shown that approximately 80% of hashes can be extracted from such databases. Consequently, much of the information was compromised.
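The defensive takeaway from the two paragraphs above, as an added example that is not from the article or from the NSC: storing the salt base64-encoded beside the hash is normal (salts are not secret), so what lets a single SHA-512 record fall in hours is the speed of the hash, and the fix is a slow key-derivation function plus transparent re-hashing of legacy records at the next successful login. The record format, the `sha512$`/`pbkdf2_sha512$` scheme labels and the iteration count are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA512 (assumed value; tune to your hardware).
PBKDF2_ITERATIONS = 210_000


def weak_record(password: str, salt: bytes) -> str:
    """Legacy scheme of the kind the article describes: one SHA-512 over
    salt+password, salt stored base64-encoded beside the hex digest.
    A fast hash is cheap to guess against offline; this is the 'before' case."""
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return f"sha512${base64.b64encode(salt).decode()}${digest}"


def strong_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: PBKDF2-HMAC-SHA512 with a high iteration count.
    The salt is still stored next to the hash; the work factor is what
    makes offline guessing expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha512", str(PBKDF2_ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify(password: str, record: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    scheme, *rest = record.split("$")
    if scheme == "sha512":
        salt_b64, digest = rest
        expected = hashlib.sha512(base64.b64decode(salt_b64) + password.encode()).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "pbkdf2_sha512":
        iters, salt_b64, dk_b64 = rest
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(), base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    raise ValueError(f"unknown scheme: {scheme}")


def needs_rehash(record: str) -> bool:
    """True for legacy SHA-512 records or PBKDF2 records below the current work factor."""
    scheme, *rest = record.split("$")
    return scheme != "pbkdf2_sha512" or int(rest[0]) < PBKDF2_ITERATIONS


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify, and on success upgrade a legacy record: returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    return True, (strong_record(password) if needs_rehash(record) else record)
```

Call `login()` from the authentication handler and write back the returned record whenever it differs from the stored one; legacy hashes then disappear as users sign in, without a forced reset.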

Customers of the service are advised to immediately change their passwords on the NSC website and other resources where the same password was used. This leak is a good lesson for all government agencies that cyber defense issues should not be treated negligently.

After being contacted by Cybernews, the organization quickly fixed the problem.