Now it’s Amazon’s turn to respond to growing concerns about sensitive personal conversations recorded by digital home assistants are being reviewed by third-party contractors.
The hacker who lived the high life after spreading malware via porn sites, Wipro demonstrates how to turn a cybersecurity crisis into a PR disaster, and why are humans listening in to your Alexa conversations?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Brian Honan.
5.3 millions users of "make your own avatar" app Boomoji had their accounts compromised, after the company reportedly didn't secure their internet connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.
A large data breach reported in Brazil is of interest, a massive 120 million Brazilian citizens personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018, the lesson to be learnt in the UK, is to never assume or take cloud security for granted, its essential practice to test and audit cloud services regularly.
Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employee's personal data may had been compromised. Lets hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.
It wouldn't be normal for Facebook not to be in the headlines for poor privacy, this time Facebook announced a Photo API bug which exposed 6.8 million user images
Away from the political circus that is Brexit, the European Parliament put into a law a new Cybersecurity Act. Because of the Brexit making all the headlines, this new law may have gone under the radar, but it certainly worth keeping an eye on, even after UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect these new best practice framework and associated accreditations to be turned into regulations further down the line, which would impact any tech business operating in European Union.
The UK Parliament enacted the "The Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.
Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to UK's future critical national infrastructure posed by the Chinese stated-backed tech giant. The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in new UK mobile network.
- BT bars Huawei's 5G kit from core of network
- Huawei's kit removed from emergency services 4G network
- What's going on with Huawei?
- Should we worry about Huawei?
- Why has the UK not blocked Huawei?
- Huawei to invest $2bn in UK security
- FBI swoops on ‘National Threat' ‘Hacks for hire’ websites
- Quora Hacked: 100 Million Users have their Personal Data Exposed
- Huawei: 'Deep concerns' over firm's role in UK 5G upgrade
- Security Firm Hijacks High-Profile Twitter Accounts
- Boomoji App Developer Leaves Customer Data exposed on Open Database
- Exposed S3 Bucket Compromises 120 million Brazilian Citizens
- Save the Children lost £795 thousand to BEC Scam
- PewDiePie Printer Hackers strike Again
- Citrix Forces Users to Change Passwords after Credential Stuffing Attacks
- NASA Servers with Employee PII Potentially Compromised
- Parliament Creates New National Data Guardian to Safeguard Health and Social Care Data
- FCA warns Banks against Over-Reliance on Third-Party Security Providers
- Facebook Photo API bug exposed 6.8 Million Users images
- EU New Cyber-Security Agency and Certification Framework
- Microsoft Patches 40 Vulnerabilities, including 9 Critical for Text-To-Speech, IE, Office Chakra, DNS, and .NET
- Adobe Releases Fixes for an Important Vulnerability for Acrobat and Acrobat Reader
- Microsoft issues out-of-band patch for Exploited Memory Corruption bug in Internet Explorer
- Mozilla Patches Vulnerabilities in Firefox and Firefox ESR
- NCSC Warns of Vulnerabilities in Office 365 being Exploited by Cyber-Criminals
- Apple releases security updates for macOS iOS, iTunes, iCloud, Safari and tvOS
- Logitech Keyboard App Patched to prevent Hackers Injecting Keystrokes
- Major Vulnerabilities found in IoT protocols MQTT and CoAP
- Virgin Media fixes multiple Security Flaws in Super Hub 3
- Second Google+ Bug Hastens Shutdown
Vision Direct reported a website compromise, which impacted users of their website between 3rd and 8th November, some 16,300 people were said to be at risk A fake Google Analytics script was placed within its website code by hackers.
Eurostar customers were notified by email to reset their passwords following presumably successful automated login attempts to Eurostar accounts with stolen credentials obtained by an unknown method.
Two of the TalkTalk hackers were sentenced to a grand total of 20 months for their involvement in the infamous 2015 blackmail hack, which was said to have cost TalkTalk £77 million. There may have been up to 10 other attackers involved according to the court transcripts when hackers attempted to blackmail TalkTalk’s then CEO Dido Harding into paying a ransom in Bitcoin to cover up the breach. Has the enterprise, and judiciary, learned anything from TalkTalk hack?
Uber was fined £385,000 by the UK Information Commissioner's Office, after hackers stole 2.7 million UK customers in October and November 2016. Uber attempted to cover up the breach by paying the hackers $100,000 (£78,400) to destroy the stolen customer data. Meanwhile stateside, Uber paid $148m to settle federal charges.
HSBC announced it had suffered a customer data breach in between 4th and 14th of October 2018 in a suspected "credential stuffing" attack. HSBC didn't state how many customers were impacted but are known to have 38 million customers worldwide. HSBC advised their customers to regularly change and use strong passwords and to monitor their accounts for unauthorised activity, sage good practice online banking advice, but I am sure their customers will want to know what has happened.
Facebook is still making the wrong kind of privacy headlines, this time it was reported that Facebook member's private message data was found for sale online, with one instance involving 257,256 stolen profiles and including 81,208 private messages. The report appears to suggest malicious browser extensions, not Facebook, may be behind the data breach.
A report from a UK parliamentary committee warned the UK government is failing to deliver on protecting the UK's critical national infrastructure (CNI) from cyber attacks. "The threat to critical infrastructure, including the power grid, is growing" the committee reported, with some states -"especially Russia" - starting to explore ways of disrupting CNI. An advisory notice also warned that UK companies connected to CNI were being targeted by cyber attackers believed to be in eastern Europe. APT28 (Russian based FancyBear) has added the "Cannon" Downloader Tool to their arsenal, according to researchers.
Amazon's showcase Black Friday sale was hit by data breach days before it started. The online retail giant said it emailed affected customers, but refused to provide any details on the extent or nature of the breach. The customer email said “Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
There was a far more positive security announcement by Amazon about their AWS (cloud) services, with the launch of three new services to simplify and automate AWS security configuration called AWS Control Tower, AWS Security Hub, and AWS Lake Formation. McAfee released their 2019 'Cloud Adoption and Risk Report' which highlights the vital importance of configuring cloud services correctly and securely.
RiskIQ claimed that monitoring for malicious code could have stopped the recent theft of 185,000 British Airways customer records. The Magecart hacker group is believed to be responsible for injecting twenty-two lines of malicious script into the British Airway's payment page, which successfully lifted debit and credit card details, including the CVV code.
Finally, according to enSilo, European Windows users are said to be targeted by a sophisticated malware called 'DarkGate', which has an arrange of nefarious capabilities, including cryptomining, credential stealing, ransomware, and remote-access takeovers. The DarkGate malware has been found to be distributed via Torrent files disguised as popular entertainment offerings, which includes Campeones and The Walking Dead, so be careful to avoid becoming infected!
- Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!
- Facebook Users’ Data, Private Messages found up for sale Online
- Amazon hit with Major Data Breach Days before Black Friday
- HSBC Suffers Data Breach, Customer Banking Information Exposed
- Vision Direct Hack places Customers’ Money at Risk
- UK Power Grid Vulnerable as Government Failing on Cyber Security
- TalkTalk Hackers Jailed for Cyber Attack that Cost Company £77m
- Eurostar Customers Forced to Reset Passwords after Breach
- Radisson Hotel Group Member Rewards program Breached
- Uber Fined £385,000 for Losing UK Customer Data
- Amazon's AWS launches Three New Services to simplify Security Configuration
- Database Breach affects 2.6 Million Atrium Health Patients
- Monitoring file output for malicious code 'could have stopped BA attack more quickly’
- Kaspersky moves away from Moscow after allegations of Kremlin spying
- Microsoft Patches 62 Vulnerabilities, including 12 Critical for Windows, Edge\IE, Office Chakra, Flash, and .NET
- Adobe Releases Fixes for an Important Vulnerability for Acrobat and Acrobat Reader
- Cisco Fixes Two Critical Bugs, Recommends Workaround
- D-Link Router Vulnerability Detailed
- SSD Encryption Security Failures Revealed by Researchers
- Apache Struts Vulnerability would allow System Take Over
- Cisco WebEx Flaw Patched
- VMware issues Critical Security Update for Workstation and Fusion products
- Targeted Ransomware Attacks on the Rise in 2018, NCSC warns
- APT Group TA505 testing out new modular RAT
- Kaspersky: Spam and Phishing in Q3 2018
- Chinese Hackers using Russian tactics to attack UK Firms
- Phishing campaign looks like work of Russian APT 28 Cozy Bear
- ‘DarkGate’ Miner, Password-Stealer could open up a world of hurt for Windows Users
- DirtyCOW is back in Backdoor Attack targeting Drupal Web Servers
- ‘Cannon’ Downloader Tool added to Fancy Bear’s APT28 arsenal
- Trickbot’s latest Trick? POS feature