Author Archives: Dave Whitelegg

Cyber Security Roundup for October 2017

Posted on by
State-orchestrated cyber attacks have dominated the media headlines in October, with rogue state North Korea and its alleged 6,800 strong cyber force blamed for several cyber attacks. International intelligence scholars believe the North Korean leadership are using cyber warfare to up the political ante with their ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent NHS WannaCry attack (despite North Korea denying it). North Korea was also reported to be implicated in the stealing US War Plans from South Korea, and for a spear phishing campaign against the US Power Grid. The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story not going away, while the Chinese are alleged to be behind the data theft of Australian F-35 fighter jet, in what is described as an ‘extensive’ Cyberattack. The finger was pointed at Iran for the recent Parliamentary Emails cyber attacks in the UK, meanwhile, EU governments venting their cyber concern, warning that Cyber Attacks can be an Act of War.

Stephen Hawking caused controversy in both the science and tech industry last year when he said Artificial Intelligence could be a serious threat to human existence, could the plot of The Terminator really come to fruition? Perhaps so, as it was reported that AI had already defeated the Captcha Security Check system. Personally, I believe both AI and Quantum Computing will pose significant new threats to cybersecurity space in the next decade.
A far higher number of personal records were compromised in the Equifax data breach than was previously thought, with millions of UK citizens confirmed to be impacted by the US-based credit checking agency hack. Equifax’s now ex-CEO provided an interesting blow-by-blow account of the cyber-attack at a US government hearing, even though Equifax technical staff were specifically warned about a critical Apache Struts (web server) patch, it was ignored and not applied, which in turn allowed hackers to take full advantage of vulnerability to steal the Equifax data on mass. To make matters even worse, the Equifax consumer breach help website was found to be infecting visitors with spyware.

Yahoo revealed all 3 Billion of its user accounts had in fact been breached, in what is truly an astonishing mammoth sized hack, biggest in all history, so far. Elsewhere on the commercial hacking front, Pizza Hut’s website was reported to be hacked with customer financial information taken, and Disqus said a 2012 breach it discovered in October exposed the information of 17.5 million its users from as far back as 2007.
It was a super busy month for security vulnerability notifications and patch releases, with Microsoft, Netgear, Oracle, Google, and Apple all releasing rafts of critical level patches. A serious weakness in the wireless networking WPA2 protocol was made public to great fanfare after researchers suggested all Wifi devices using WPA2 on the planet were vulnerable to an attack called Krack, which exploited the WPA2 weakness. Krack is a man-in-the-middle attack which allows an attacker to eavesdrop or redirect users to fake websites over Wifi networks secured using the WPA2 protocol. At the time of writing most wireless access point vendors and operating system providers had released patches to close the WPA2 vulnerability, and there have been no known exploits of the vulnerability reported in the wild.

BadRabbit is a new strain of ransomware which is emerging and is reported to be infecting systems and networks in Russia and the Ukraine at the moment. BadRabbit is the latest network self-propagating malware, like NotPeyta and WannaCry, to use the NSA EternalRomance hacking tool. A massive new IoT botnet was discovered, its continued growth is fuelled by malware said to be more sophisticated than previous IoT botnet king, Mirai. Russian based threat actor group APT28 is said to be targeting the exploitation of a recently patched Adobe vulnerability (CVE-2017-11292), in using malicious Microsoft Word attachment, so ensure you keep on top of your system patching and always be careful when opening email attachments. 

 Finally, the UK National Cyber Security Centre (NCSC) released its first annual report, as it seeks to improve cybersecurity across the UK. Among NCSC achievements cited in the report are:

  • The launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
  • Led UK response to WannaCry
  • Advice website with up to 100,000 visitors per month
  • Three-day Cyber UK Conference in Liverpool
  • 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
  • Produced 200,000 physical items for 190 customer departments via UK Key Production authority to secure and protect communications of Armed Forces and national security
  • 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
  • Worked with 50 countries, including signing Nato’s MoU

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

The post Cyber Security Roundup for October 2017 appeared first on Security Boulevard.

Continue reading Cyber Security Roundup for October 2017

Cyber Security Roundup for August 2017

Posted on by
TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner’s Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

 Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html

 Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones, much embarrassment could have been avoided if they had adopted multi-factor authentication on the accounts, aside from the spate of Instagram hacks which were caused by the exploitation of a software vulnerability, namely within Instagram’s API.

In what looks like a follow on from the UK’s Parliament’s email brute force email account attack in June, the Scottish Parliament was hit by a very similar cyber attack, it was reported, as per the Westminister attack, many SMPs were found to be using weak passwords. Let’s hope the Welsh Assembly have taken note and have learned the password security lessons.

A massive ‘spambot’ holding 711 million email addresses was found to be spreading malware by a security researcher. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps in the avoidance of anti-phishing and spam filters.

On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPeyta badly affected its ability to deliver hundreds of thousands of items, particularly within in the Ukraine. And Digital Shadows reported a trend in cyber criminals dropping Exploit kits for Ransomware, as there is simply a lot more money to be made out of ransomware attacks.

On the critical security patching, Microsoft released 25, Adobe released 43, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on Cyber Resilience worth reading.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Continue reading Cyber Security Roundup for August 2017

Up to 2 Million CeX Customer Accounts Compromised by Security Breach

Posted on by
If you are a CeX online customer, change your account password now, as the second hand UK goods chain has been informing over two million of its customers their personal details have been hacked. In a customer email CeX discloses they have been the subject of a security breach by a third party, and that’s about as much detail as CeX are presently admitting about the cyber attack at the moment.

Despite the CeX email referring to a “sophisticated breach of security” without any further detail about what happened it is impossible to judge whether it was actually a sophisticated cyber attack or not. Rather oddly CeX have not forced a password change on their compromised customer accounts despite admitting account passwords were at risk.  My strong advice is to change your CeX password straight away. And if you use the same password on any other websites, change those account passwords as well. Also be vigilant for personalised scam emails given cyber criminals might have your email address and know you are a CeX customer.

Data Compromised
CeX have not been too clear on detailing the customer account data that is at risk, stating  “The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied”. And “In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.”   

It is concerning that CeX were storing debit/credit card details past their expiry dates (why?), and that CeX appear to be glossing over the significance of compromised customer debit/credit card details in stating “ We would like to make it clear that any payment card information that may have been taken, has long since expired“.  A rather misleading statement given some payment card issuers use the debit/credit card number when reissuing new cards, and the new expiry date is guessable. Given that statement you wonder if CeX were PCI DSS compliant? Payment Card Industry Data Security Standard compliance is required for all organisations which process, store and/or transmit debit/credit card details, no PCI DSS compliant organisation ever been successfully breached.

CeX also state the account passwords were not been stored in plain text, but have not advised how the passwords were protected. For instance, whether stored using a unique value (salt) together with the password before being scrambled with an industry recognised one way hashing algorithm (adequate security protection), or by just using the hashing algorithm on the password (inadequate security protection). T

Recovered and  Fixed?
CeX say “Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.”, however, without any detail about the hack and the new measures put in place, this statement provides little assurance to CeX customers. The following statement also skirts what customers want to know  “additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening “. If this cyber attack turns out not to be sophisticated, CeX can expect heavy criticism by a more cyber entitled media, and interest from the Information Commissioner’s Office for violating the Data Protection Act.
CeX Email
Dear Customer,
We are writing to inform you that unfortunately we have recently been subject to an online security breach. We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you. We also want to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.
The situation
As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised. This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.
Please note, we did not have any card data stored for your account. We ceased storing customer card details in 2009.
What we’ve done about it
This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.
What we suggest you do?
  • Although we have put in place additional security measures, we recommend that you change the password for your webuy online account.
  • If you used the same password elsewhere, we also suggest that you change your password for those accounts.
Further details on this issue are provided in a Q&A below. If you have additional questions, please email us at: guidance@webuy.com where we will be compiling the most frequently asked questions, which will then be updated via uk.webuy.com/guidance
We apologise for inconvenience this may cause.
Yours sincerely,
David Mullins
Managing Director


Questions & Answers
How much data has been compromised?
As a precautionary measure we are contacting up to two million of our registered website customers who could potentially be affected.
Does this affect in-store membership personal information?
We have no indication that in-store personal membership information has been compromised.
What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.
What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.
What has happened to the data that has been compromised?
We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.
What should I do?
We advise that you change your webuy.com password, as well as any other online accounts where you may share the same password, as a precautionary measure.
Why do I need to change my passwords?
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.
Can customers find out exactly what data has been shared about them?
At this stage, it is not possible for us to share this information as we are still undergoing an investigation. At this stage, we are alerting all customers who might have been affected as a precaution.
What security do you have in place to protect this data?
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.

Continue reading Up to 2 Million CeX Customer Accounts Compromised by Security Breach

Cyber Security Roundup for July 2017

Posted on by
Apologises for the delay in this month’s Cyber Security Roundup release, I been away on holiday and taking a breach for monitor screens and keyboards for a couple of weeks.

 The insider threat danger manifested at Bupa where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported both to the FCA and the ICO, it remains to be seen if the UK government bodies will apportion any blame onto Bupa for the data loss. 


The AA was heavily criticised after it attempted to downplay a data compromise of over 13 gigabytes of its data, which included 117,000 customer records. The AA’s huge data cache was incorrectly made available online after an AA online shop server was “misconfigured” to share confidential data backup files.

A customer databreach for the World Wrestling Entertainment (WWE) should serve as a stark warning for businesses to adequately assure third parties and to secure hosted cloud systems. Three million WWE fan records were compromised after a third party misconfigured a cloud hosted Amazon server used by the WWE online shop.

The aftershock of Peyta \ NotPeyta rumbles on with, with malware still reported as disrupting firms weeks after the attack. There there are claims the mass media coverage of the attack have improved overall staff cyber security awareness.

It was found that over 1.6 million NHS patient records were illegally provided to Google’s artificial intelligence arm, DeepMind, without patient concern meant the NHS and Google have breached the Data Protection Act.

A 29 year old British hacker named as Daniel K, but better known by his hacker handle “BestBuy” or “Popopret” admitted to hijack of 900,000 Deutsche Telekom routers in Germany after he was arrested at Luton airport in February. He said he made “the worst mistake of my life” when he carried out a failed attack in November for a Liberian client who paid him 8,500 Euros to attack the Liberian’s business competitors. BestBuy used a variant of the Mirai malware to take advantage of a security vulnerability in Zyxel and Speedport model routers which were used by Germany Internet Service provider, with his intention to increase his botnet, and so the scale of DDoS attacks he could perform on behalf of clients.

A document from the National Cyber Security Centre (NCSC) was obtained by Motherboard and was verified by the BBC with NCSC as being legitimate. The document states some industrial software companies in the UK are “likely to have been compromised” by hackers, which is reportedly produced by the British spy agency GCHQ. The NCSC report discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with “advanced state-sponsored hostile threat actors” as evidence of hackers targeting energy and manufacturing organisations.

UniCredit Bank had over 400,000 customer loan accounts accessed through a third party. This is the second security breach at the Italian bank in a year.

Finally this blog was awarded with the Best Technology Blogs of 2017 by Market Inspector and by Feedspot this month.


NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Continue reading Cyber Security Roundup for July 2017

New Awards

Posted on by

I’ve been away on holiday in sunny Bulgaria for the last couple of weeks and working on a few articles for IBM, delaying my monthly security roundup post this month. While away I was proud to learn the blog and website had been given a couple of awards… Continue reading New Awards

Posted in SBN

New Awards

Posted on by

I’ve been away on holiday in sunny Bulgaria for the last couple of weeks and working on a few articles for IBM, delaying my monthly security roundup post this month. While away I was proud to learn the blog and website had been given a couple of awards… Continue reading New Awards

Posted in SBN

Cyber Security Roundup for June 2017

Posted on by
Another large scale ransomware cyber attack caused chaos and dominated the media headlines around the world this month. The Petya ransomware, a copycat of WannaCry, caused major operational impact to organisations neglecting to apply Microsoft Windows critical security updates. There were reports of the malware significantly impacting British marketing firm WPP, a Jewson hardware store, Ukrainian national infrastructure associated firms, and even halting production at a Cadbury chocolate factory in Australia.
Aside from the Peyta ransomware outbreak, it was another busy month of significant cyber security attacks and data compromises across the UK. The UK Parliament’s email system was hacked with around 90 email accounts compromised due to the usage of weak passwords by parliament staff, it is not certain how many of 90 were MPs or not, but I wouldn’t surprised if there were more than a few using weak passwords. There were further cyber troubles for the UK government after its Digital Service website data.gov.uk data was compromised. Virgin media told 800,000 of its users to change their router passwords after it was discovered that hackers could access Virgin’s Super Hub 2 routers. And there was yet more critical security patches released this month, as Microsoft and application vendors fight to stay ahead of cyber criminals and nation-state actors software exploits.

Over in the United States, a US Health Insurer forked out £90 million to cover compensation and legal costs after hackers stolen customer records in its care. We could well see these types of large payouts in the UK soon after the General Data Protection Regulation (GDPR) kicks in May 2018. The GDPR gives the Information Commissioners Office (ICO) new powers to fine up to 10 Million Euros or 2% the previous year global turnover of the company, for any cyber security breaches. Data subjects will also have the right to take companies to court to seek damages as well. The ICO will get double those penalty rates for privacy rights breaches, ouch! Under the GDPR companies are forced to fess up to all security incidents which compromises or places personal data at risk, both to the ICO and to each data subject impacted, so there will be no hiding place for security breaches in the UK after next May.

Finally, US Cert and Incapsula released an interesting advisory about ‘Hidden Cobra’, a North Korean Cyber Threat group. This nation-state group is seemingly ramping up their capabilities at the moment, and are behind the DeltaCharlie campaign and linked with the WannaCry ransomware outbreak last month, well worth a read.


 NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Continue reading Cyber Security Roundup for June 2017

Posted in SBN

Cyber Security Roundup for June 2017

Posted on by
Another large scale ransomware cyber attack caused chaos and dominated the media headlines around the world this month. The Petya ransomware, a copycat of WannaCry, caused major operational impact to organisations neglecting to apply Microsoft Windows critical security updates. There were reports of the malware significantly impacting British marketing firm WPP, a Jewson hardware store, Ukrainian national infrastructure associated firms, and even halting production at a Cadbury chocolate factory in Australia.
Aside from the Peyta ransomware outbreak, it was another busy month of significant cyber security attacks and data compromises across the UK. The UK Parliament’s email system was hacked with around 90 email accounts compromised due to the usage of weak passwords by parliament staff, it is not certain how many of 90 were MPs or not, but I wouldn’t surprised if there were more than a few using weak passwords. There were further cyber troubles for the UK government after its Digital Service website data.gov.uk data was compromised. Virgin media told 800,000 of its users to change their router passwords after it was discovered that hackers could access Virgin’s Super Hub 2 routers. And there was yet more critical security patches released this month, as Microsoft and application vendors fight to stay ahead of cyber criminals and nation-state actors software exploits.

Over in the United States, a US Health Insurer forked out £90 million to cover compensation and legal costs after hackers stolen customer records in its care. We could well see these types of large payouts in the UK soon after the General Data Protection Regulation (GDPR) kicks in May 2018. The GDPR gives the Information Commissioners Office (ICO) new powers to fine up to 10 Million Euros or 2% the previous year global turnover of the company, for any cyber security breaches. Data subjects will also have the right to take companies to court to seek damages as well. The ICO will get double those penalty rates for privacy rights breaches, ouch! Under the GDPR companies are forced to fess up to all security incidents which compromises or places personal data at risk, both to the ICO and to each data subject impacted, so there will be no hiding place for security breaches in the UK after next May.

Finally, US Cert and Incapsula released an interesting advisory about ‘Hidden Cobra’, a North Korean Cyber Threat group. This nation-state group is seemingly ramping up their capabilities at the moment, and are behind the DeltaCharlie campaign and linked with the WannaCry ransomware outbreak last month, well worth a read.


 NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Continue reading Cyber Security Roundup for June 2017

Posted in SBN

Cyber Security Roundup for June 2017

Posted on by
Another large scale ransomware cyber attack caused chaos and dominated the media headlines around the world this month. The Petya ransomware, a copycat of WannaCry, caused major operational impact to organisations neglecting to apply Microsoft Windows critical security updates. There were reports of the malware significantly impacting British marketing firm WPP, a Jewson hardware store, Ukrainian national infrastructure associated firms, and even halting production at a Cadbury chocolate factory in Australia.
Aside from the Peyta ransomware outbreak, it was another busy month of significant cyber security attacks and data compromises across the UK. The UK Parliament’s email system was hacked with around 90 email accounts compromised due to the usage of weak passwords by parliament staff, it is not certain how many of 90 were MPs or not, but I wouldn’t surprised if there were more than a few using weak passwords. There were further cyber troubles for the UK government after its Digital Service website data.gov.uk data was compromised. Virgin media told 800,000 of its users to change their router passwords after it was discovered that hackers could access Virgin’s Super Hub 2 routers. And there was yet more critical security patches released this month, as Microsoft and application vendors fight to stay ahead of cyber criminals and nation-state actors software exploits.

Over in the United States, a US Health Insurer forked out £90 million to cover compensation and legal costs after hackers stolen customer records in its care. We could well see these types of large payouts in the UK soon after the General Data Protection Regulation (GDPR) kicks in May 2018. The GDPR gives the Information Commissioners Office (ICO) new powers to fine up to 10 Million Euros or 2% the previous year global turnover of the company, for any cyber security breaches. Data subjects will also have the right to take companies to court to seek damages as well. The ICO will get double those penalty rates for privacy rights breaches, ouch! Under the GDPR companies are forced to fess up to all security incidents which compromises or places personal data at risk, both to the ICO and to each data subject impacted, so there will be no hiding place for security breaches in the UK after next May.

Finally, US Cert and Incapsula released an interesting advisory about ‘Hidden Cobra’, a North Korean Cyber Threat group. This nation-state group is seemingly ramping up their capabilities at the moment, and are behind the DeltaCharlie campaign and linked with the WannaCry ransomware outbreak last month, well worth a read.


 NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Continue reading Cyber Security Roundup for June 2017

Posted in SBN

Peyta / WannaCry2 Ransomware Advice

Posted on by

Here we go again, another large scale ransomware attack is causing chaos across the globe, including at British marketing firm WPP and several Ukrainian national infrastructure firms.

The ransomware in question is a new strain of the Petya ransomware family, modded to take advantage of the same EternalBlue SMB vulnerability as the WannaCry ransomware, to rapidly spread within local area networks. Petya has been around since early 2016, instead of encrypting files it goes after locking out the operating system, by attacking the operation system’s Master File Table (MFT), which is far quicker than encrypting each file on the system individually. 

 Malware delivery is reported to be via a Phishing Email, often with an email subject of ‘Hi’ along with a .zip or .scr attachment with the title of ‘gone’. 

 So the same protection advice applies as with WannaCry.

  1. Carry out regular Staff Phishing Email Awareness, teach staff how to spot dodgy emails and not to open attachments or click any links within them.
  2. Ensure the Microsoft MS17-010 security update is applied to all Windows systems, as it prevents Peyta from rapidly spreading within the network.
  3. Adopt a robust Patch Management Process, ensure all Critical Security updates are quickly applied, they are marked as critical for a reason! 
  4. Have Anti-Virus running on all Microsoft Windows systems, with AV definitions kept up-to-date. Most anti-virus solutions are now detecting and preventing the latest Peyta strain – see https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/.  However, be aware that your anti-virus product may not be able to detect and prevent new versions of the malware for a period of time, that is until the AV vendors are able to update their products to detect, which is why it is essential to keep your anti-virus solutions updated daily.

Continue reading Peyta / WannaCry2 Ransomware Advice

Posted in SBN