Category Archives: Data Breach

PHP PEAR official site hacked, tainted package manager distributed for 6 months

PHP PEAR official site hacked, attackers replaced legitimate version of the package manager with a tainted version in the past 6 months.

Bad news for users who downloaded the PHP PEAR package manager from the official website in the past six months: hackers replaced it with a tainted version.

The PHP Extension and Application Repository (PEAR) is a framework and distribution system that allows anyone to search for and download free packages written in the PHP programming language.

Last week, the maintainers at PEAR took down the official website after hackers replaced the legitimate PHP PEAR package manager (go-pear.phar) with a malicious version in the core PEAR file system.
Maintainers pointed out that the GitHub copy of go-pear.phar is not compromised.

“A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it’s back online.” reads a security alert published by the admins last week.

“If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file.”

Hackers compromised the website at least six months ago; the investigation is still ongoing. PEAR maintainers are working to determine how the server was breached and how many users have been impacted.

The PEAR download manager (go-pear.phar) comes pre-installed on Unix/Linux/BSD systems, while Windows and Mac OS X users need to install it manually.

The hack could have a significant impact on a large number of websites because many web hosting providers allow running PEAR.


PEAR maintainers have released a clean version 1.10.10 of pearweb_phars on GitHub.

“This is a fresh release to assist in clearing up the issue with tainted file go-pear.phar that was discovered on the pear.php.net server. There were no code changes between v1.10.9 and v1.10.10.” reads the release note.

“Beginning with v1.10.10, the GitHub repository will now contain GPG signature files for each phar file. This release’s files are signed by Chuck Burgess (C245F175).”
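The advisory's own check, comparing the locally downloaded go-pear.phar against a copy of the same release from GitHub, as an added Python example (not PEAR project code). The file paths are assumptions, and demo() builds two throwaway files so the comparison can be exercised offline; in practice the reference file is the one fetched from pear/pearweb_phars.

```python
"""Compare a locally installed go-pear.phar with a reference copy of the same
release (the PEAR advisory's check). Added example, not PEAR project code."""
import hashlib
import hmac
import os
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so a large phar is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_phar(local_path, reference_path):
    """Return (match, local_digest, reference_digest).

    A mismatch means the local file is not byte-identical to the release copy
    and should be treated as possibly tainted until it is replaced."""
    local_digest = sha256_of(local_path)
    reference_digest = sha256_of(reference_path)
    return hmac.compare_digest(local_digest, reference_digest), local_digest, reference_digest


def demo():
    """Exercise compare_phar on constructed files: an identical copy and a copy
    with one byte appended (standing in for injected content)."""
    # Constructed stand-in for a phar; a real go-pear.phar starts with a PHP stub.
    reference_bytes = b"<?php\n/* constructed phar stand-in */\n__HALT_COMPILER(); ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        reference = os.path.join(tmp, "go-pear.phar.reference")
        clean = os.path.join(tmp, "go-pear.phar.clean")
        tainted = os.path.join(tmp, "go-pear.phar.tainted")
        for path, data in ((reference, reference_bytes),
                           (clean, reference_bytes),
                           (tainted, reference_bytes + b"x")):
            with open(path, "wb") as handle:
                handle.write(data)
        clean_match, _, _ = compare_phar(clean, reference)
        tainted_match, _, _ = compare_phar(tainted, reference)
    return {"clean_matches": clean_match, "tainted_matches": tainted_match}


if __name__ == "__main__":
    print(demo())
```

A hash comparison only proves the two files are identical, so the reference must come from GitHub rather than from the compromised webserver. For v1.10.10 and later the repository also ships a detached GPG signature per phar; after importing the signing key, `gpg --verify <signature file> go-pear.phar` checks that the release was signed by the maintainer, which no hash comparison can establish.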

Pierluigi Paganini

(SecurityAffairs – hacking, PHP PEAR)

The post PHP PEAR official site hacked, tainted package manager distributed for 6 months appeared first on Security Affairs.

Podcast Episode 130: Troy Hunt on Collection 1 and Tailit’s Tale of IoT Security Redemption

In this week’s episode (#130): we speak with security researcher Troy Hunt, founder of HaveIBeenPwned.com about his latest disclosure: a trove of more than 700 million online account credentials he’s calling “Collection #1.” Also we speak to Martin Hagen of the Norwegian device firm Tailit about how failing a security audit of...


Collection #1 Data Breach Exposes Nearly 733 Million Records, Highlighting Need for Multifactor Authentication

The theft of nearly 733 million unique email messages and 21 million passwords underscores the urgent need for multifactor authentication in the enterprise.

First discovered by security researcher Troy Hunt, records from the data breach were published to a hacker forum as well as the cloud-based service MEGA, though they have since been removed.

The perpetrators behind the theft, dubbed Collection #1, remain unknown, but the volume of 12,000 files suggests that it may have involved multiple incidents and actors. Cleaned-up versions of the files have been loaded into Have I Been Pwned, which users can use to check whether their data was compromised in the breach.

Why Collection #1 Data Is Particularly Dangerous

While any data breach of this magnitude would raise concerns, the files included in Collection #1 include login credentials that have been dehashed. In other words, the threat actors who stole the information were able to convert it into plain text.

This could make it a lot easier for attackers to use those credentials to break into various email servers and other online systems. By using bots, for instance, threat actors could launch credential-stuffing attacks to access multiple accounts with the same stolen password, as Forbes pointed out.
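The bot-driven credential-stuffing pattern described above has a recognisable shape in authentication logs: one source address trying many different accounts in a short span, which is not how a person who mistyped their own password behaves. The following Python block is an added detection example, not from the article; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Detect credential stuffing in authentication logs: one source IP trying
many distinct accounts within a short window. Added example; log format,
field names and thresholds are assumptions and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample. 203.0.113.7 sprays a reused password across six accounts
# (one succeeds); 198.51.100.2 is one user retrying their own password;
# 192.0.2.9 touches two accounts but hours apart, outside any short window.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z auth FAIL user=alice ip=203.0.113.7
2019-01-17T10:00:03Z auth FAIL user=bob ip=203.0.113.7
2019-01-17T10:00:05Z auth FAIL user=carol ip=203.0.113.7
2019-01-17T10:00:07Z auth FAIL user=dave ip=203.0.113.7
2019-01-17T10:00:09Z auth OK user=erin ip=203.0.113.7
2019-01-17T10:00:11Z auth FAIL user=frank ip=203.0.113.7
2019-01-17T10:01:00Z auth FAIL user=grace ip=198.51.100.2
2019-01-17T10:01:10Z auth FAIL user=grace ip=198.51.100.2
2019-01-17T10:01:20Z auth FAIL user=grace ip=198.51.100.2
2019-01-17T10:01:30Z auth OK user=grace ip=198.51.100.2
2019-01-17T10:02:00Z auth OK user=heidi ip=192.0.2.9
2019-01-17T12:00:00Z auth FAIL user=ivan ip=192.0.2.9
"""


class Event(NamedTuple):
    ts: datetime
    result: str
    user: str
    ip: str


def parse_line(line):
    """Return an Event, or None for lines that do not match the expected format."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, match.group("result"), match.group("user"), match.group("ip"))


def detect_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: finding} for every source that attempted at least
    min_distinct_users different accounts within any span of length `window`.

    Successes and failures both count as attempts: a run that lands a reused
    password still comes from the same source. Accounts that succeeded inside
    the flagged span are listed so they can be reset and their owners notified."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event.ip].append(event)

    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        best = None
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits inside `window`.
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            span = attempts[start:end + 1]
            distinct = {e.user for e in span}
            if len(distinct) >= min_distinct_users and (
                best is None or len(distinct) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(distinct),
                    "attempts": len(span),
                    "window_start": span[0].ts.isoformat(),
                    "succeeded": sorted(e.user for e in span if e.result == "OK"),
                }
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, finding in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The rule keys on distinct accounts per source rather than on failure counts alone, so a single user who fails four times is not flagged while a source that touched six accounts in ten seconds is, together with the one account where the reused password worked. Real deployments would also aggregate across addresses, since the bots the article mentions are typically spread over many.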

Use Multifactor Authentication Where It Counts

The Collection #1 breach serves as a reminder that a password alone is not enough to protect data from theft or misuse. When emails, login credentials or other files belonging to a business or government organization are compromised, the risk of financial or reputational damage is even greater.

Obviously, the sensitivity of this data necessitates stronger protection for individual workstations and business applications, but IT professionals should also consider the security of the mainframes that keep so many operations and processes running within the enterprise. Multifactor authentication adds layers of defense that credential-stealing threat actors will need to penetrate to access the mainframes, devices and IT infrastructure that hold valuable enterprise data.

The post Collection #1 Data Breach Exposes Nearly 733 Million Records, Highlighting Need for Multifactor Authentication appeared first on Security Intelligence.

Did you win at online casinos? Watch out, your data might have been exposed online

Data belonging to online casinos was found exposed online on an unprotected Elasticsearch instance; it includes info on 108 million bets and user details.

Data breaches are an everyday occurrence; this time an online casino group leaked information about 108 million bets, including user details.

Leaked data includes personal information and payment card details, including real names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information, and a list of played games, deposits, and withdrawals.

[Image: online casino player info. Source: ZDNet]

According to ZDNet, which first reported the news, the data was stored in an Elasticsearch server exposed online without a password.

Elasticsearch instances are normally installed on internal networks, but misconfigured systems are sometimes exposed online.
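The misconfiguration behind this kind of exposure is usually a node bound to a public interface with no authentication in front of its REST API. The following Python block is an added example, not code from ZDNet or Elastic: it reads the few top-level elasticsearch.yml keys that matter here (network.host, http.port, xpack.security.enabled) with a minimal key: value parser and contrasts a constructed weak configuration with a hardened one. Treating a missing xpack.security.enabled as "off" reflects the pre-8.0 default, which is an assumption about the version in use.

```python
"""Flag an Elasticsearch node configuration that exposes the REST API beyond
loopback without authentication. Added example; the two configs are constructed
and the parser only handles the flat `key: value` lines checked here."""

LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed: bound on all interfaces, security not enabled.
WEAK_CONFIG = """\
cluster.name: casino-data
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed: loopback only, security enabled; access goes through a proxy or VPN.
HARDENED_CONFIG = """\
cluster.name: casino-data
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""


def parse_settings(text):
    """Parse flat `key: value` lines; comments and blanks are skipped.
    Sufficient for the keys checked here; real configs may nest or use lists."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def bound_hosts(value):
    """network.host may be one value or a YAML flow list such as [_local_, 10.0.0.5]."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
    return [value] if value else []


def assess_exposure(config_text):
    """Return findings; `exposed` is True when the HTTP API is reachable from
    other hosts and no authentication is enabled."""
    settings = parse_settings(config_text)
    # Elasticsearch binds loopback (_local_) when network.host is absent.
    hosts = bound_hosts(settings.get("network.host", "_local_"))
    non_loopback = [h for h in hosts if h not in LOOPBACK_VALUES]
    # Assumption: pre-8.0 default, security off unless explicitly enabled.
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if non_loopback:
        findings.append("network.host binds non-loopback address(es): " + ", ".join(non_loopback))
    if not security_on:
        findings.append("xpack.security.enabled is not true: no authentication on the REST API")
    return {
        "port": int(settings.get("http.port", "9200")),
        "non_loopback_hosts": non_loopback,
        "security_enabled": security_on,
        "exposed": bool(non_loopback) and not security_on,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess_exposure(cfg))
```

Binding to loopback alone is not a substitute for authentication (an SSRF or a compromised neighbour still reaches the port), and enabling security alone still leaves the service reachable; the hardened config does both, and a network-level firewall rule or security group on port 9200 is the third layer.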

The leaked data was discovered by the security researcher Justin Paine, who spotted the unsecured Elasticsearch server containing data apparently from an online betting portal.

The data appears to be the result of aggregation from multiple web domains.

“Despite being one server, the ElasticSearch instance handled a huge swathe of information that was aggregated from multiple web domains, most likely from some sort of affiliate scheme, or a larger company operating multiple betting portals.” states ZDNet.

“After an analysis of the URLs spotted in the server’s data, Paine and ZDNet concluded that all domains were running online casinos where users could place bets on classic cards and slot games, but also other non-standard betting games.”

All the domains present in the data leak belong to online casinos (i.e. kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net); some of them also ran non-standard betting games.

All the companies involved in the data leak are located in the same building in Limassol, Cyprus, or were operating under the same eGaming license number issued by the government of Curacao, a circumstance that suggests they were operated by the same entity.

According to the expert, the huge archive did not contain full financial details, but ZDNet pointed out that anyone who found the database would have known the personal information of players who recently won large sums of money and could have used it to carry out malicious activities against these users, including scams or extortion attempts.

“It’s down finally. Unclear if the customer took it down or if OVH firewalled it off for them,” Paine told ZDNet.

Pierluigi Paganini

(SecurityAffairs – data leak, online casinos)


The post Did you win at online casinos? Watch out, your data might have been exposed online appeared first on Security Affairs.

Google fined $57 million by France for lack of transparency and consent

The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union's new General Data Protection Regulation (GDPR) law that came into force in May last year. The fine has been levied on Google for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization," the CNIL (National Data

Data breach following vulnerabilities in RupeeReedee’s data stack on Amazon

“A potential isolated vulnerability in one of our data storage block (Amazon) was brought to our attention by a data

Data breach following vulnerabilities in RupeeReedee’s data stack on Amazon on Latest Hacking News.

Security Affairs newsletter Round 197 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal
Computers at the City Hall of Del Rio were infected by ransomware
German Watchdog will request Facebook changes
Unsecured MongoDB archive exposed 202 Million private resumes
Which is the link between Ryuk ransomware and TrickBot?
Zurich refuses to pay Mondelez for NotPetya damages because it’s ‘an act of war’
A flaw in vCard processing could allow hackers to compromise a Win PC
Cranes, drills and other industrial machines exposed to hack by RF protocols
Mozilla will disable Adobe Flash by default starting from Firefox 69
Too many issues in Pentagon networks expose it to cybersecurity risks
Critical bug in Amadeus flight booking system affects 141 airlines
Experts link attack on Chilean interbank network Redbanc NK Lazarus APT
GreyEnergy: Welcome to 2019
I swiped right, Viewing sensitive data cached in your Safari browser.
Multiple Fortnite flaws allowed experts to takeover players accounts
Collection #1 dump, 773 million emails, 21 million passwords
Drupal fixes 2 critical code execution flaws in Drupal 7, 8.5 and 8.6
South Korea: hackers compromised Defense Acquisition Program Administration PCs
Unprotected server of Oklahoma Department of Securities exposes millions of government files
Android apps use the motion sensor to evade detection and deliver Anubis malware
Attacks in the wild leverage flaw in ThinkPHP Framework
Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day
Oracle critical patch advisory addresses 284 flaws, 33 critical
Twitter fixed a bug in its Android App that exposed Protected Tweets
6 Reasons We Need to Boost Cybersecurity Focus in 2019
A bug in Microsoft partner portal ‘exposes’ support requests to all partners
ES File Explorer vulnerabilities potentially impact 100 Million Users

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)

The post Security Affairs newsletter Round 197 – News of the week appeared first on Security Affairs.

“Collection #1” Data Breach Analysis – Part 1

Cybersecurity expert Marco Ramilli has analyzed the huge trove of data, called Collection #1, that was first disclosed by Troy Hunt.

A few weeks ago I wrote about “How Data Breaches Happen“, where I shared some publicly available “pasties” with apparently (not tested) SQLi-vulnerable websites. One of the most famous data breaches in the past few years is happening these days. I am not saying that the two events are linked, but I have fun in thinking that events happen in bursts. Many magazines all around the world wrote about the data breach (Collection #1) published by Troy Hunt on 773 million new records (here). Today I’d like to write a quick partial analysis that I’ve been able to extract from those records (I grabbed data from publicly available pasties websites). First of all, let me say that the work done has been super difficult (at least to me) since it required a huge amount of computational power and very high-speed internet access because of the humongous collected data. In order to make analysis over such a humongous data breach, I used a powerful Elastic Search Cloud instance and I wrote a tiny python script to import super dirty data into a common format. Some records were unable to load because of the format type, the charset or whatever it had, so please consider a relative error of about 4 to 5 % (circa) in the following data analyses.

PARTIAL Analysis of Collection #1

One of the first questions I wanted to answer was: “What are the most used passwords?“. I am aware that many researchers wrote about the most used passwords, but now I do have the opportunity to measure it: to get real used passwords and to evaluate the reality. So let’s see what the most used passwords out there are!

Collection #1 PARTIAL Analysis on used passwords

So far the most used passwords are: “123456”, “q1w2e3r4t5y6”, “123456789”, “1qaz2wsx3edc”, followed by most common passwords like “12345678” and “qwerty”. By observing the current graph and comparing it to common research on frequently used passwords such as here, here, and here we might appreciate a significant difference: the pattern complexity! In fact, while years ago the most used passwords were about names, dates or simple patterns such as “qwerty”, today we observe a significant increase in pattern complexity, but still too easy to be brute-forced.

A second question came by looking at leaked emails. “What are the domain names of the most leaked emails?” Those domains are not the most vulnerable domains but rather the most used ones. So I’m not saying that those domains are or have been vulnerable or pwned, but I am trying to find what the most leaked email providers are. In other words, if you receive an email from “@gmail.com”, what is the probability that it has been leaked and potentially compromised? Again I cannot answer such a question since I do not have the total amount of “@gmail.com” accounts all around the world, but I think it might be a nice indicator to find out what the most leaked email domain names are.

PARTIAL Analysis on most leaked domain

The most leaked emails come from “yahoo.com”, “gmail.com”, “aol.com” and “hotmail.com”. This is quite interesting since we are mostly facing personal email providers (domains) rather than professional email providers (such as company.com). So apparently, attackers are mostly focused on targeting people rather than companies (maybe attacking non-professional websites and/or distributing malware to people rather than company domain names). Another interesting figure to know is the number of unique leaked email domain names: 4426, so far!

Finally, it would be great to know what sources the data is coming from! At this point I have no evidence of what I am going to write about, but I made some deductions from the leaked data structure. The following image shows the collection-1 structure.

PARTIAL Analysis Collection#1 Structure

Each folder holds .TXT files which have names that look like domain names. Some of those are really domain names (tested), some others are on sale right now, and many others seem to just look like a domain, but I had no evidence of them. Anyway, I decided to assume that the file names looking like domain names are the domains from which the attacker leaked information. So, having that in mind we might deduce where the attacker extracted the data (usernames and passwords) and perform a personal evaluation of the leaked information.

Are you interested in Marco Ramilli’s conclusions? Have a look at his post:
https://marcoramilli.com/2019/01/19/collection-i-data-breach-analysis-part-1/
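Ramilli describes importing "super dirty" records into a common format and then counting the most used passwords and the most leaked email domains. As an added example that is not his script, the following Python block normalises a constructed handful of records (real dumps mix separators and contain unloadable lines, which is where his 4 to 5 % error figure comes from), emits them as JSON lines suitable for bulk loading into Elasticsearch, and computes the same aggregates. The separator handling and the `source` field are assumptions about the dump's layout.

```python
"""Normalise dirty email:password records and compute the aggregates from the
analysis above. Added example, not Ramilli's script; the sample records are
constructed and the separator handling is an assumption about the dump."""
import json
import re
from collections import Counter

# Constructed sample: mixed separators, stray whitespace, an empty password, a
# password containing the separator, and lines that are not credentials at all.
SAMPLE_RECORDS = [
    "alice@yahoo.com:123456",
    "bob@gmail.com;q1w2e3r4t5y6",
    "carol@aol.com:123456",
    "  dave@hotmail.com:qwerty  ",
    "erin@yahoo.com:123456789",
    "not a credential line",
    "frank@gmail.com:",
    "grace@yahoo.com:pass:with:colons",
    "\ufffd\ufffd garbage \ufffd",
]

SPLIT_RE = re.compile(r"^(.*?)[:;](.*)$")  # split on the first ':' or ';' only
EMAIL_RE = re.compile(r"^[^\s@:;]+@([^\s@:;]+\.[^\s@:;.]+)$")


def parse_record(line):
    """Return (email, domain, password), or None when the line cannot be normalised.
    Splitting on the first separator keeps passwords that themselves contain ':'."""
    match = SPLIT_RE.match(line.strip())
    if not match:
        return None
    email, password = match.group(1).strip(), match.group(2)
    email_match = EMAIL_RE.match(email)
    if not email_match or not password:
        return None
    return email.lower(), email_match.group(1).lower(), password


def to_jsonl(lines, source="unknown"):
    """Common format for bulk import: one JSON document per usable record.
    `source` would be the dump file name (Ramilli reads those as the leaked domain)."""
    docs = []
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            email, domain, password = parsed
            docs.append(json.dumps({"email": email, "domain": domain,
                                    "password": password, "source": source}))
    return docs


def analyse(lines):
    """Record count, share of unloadable lines, top passwords and top domains."""
    parsed = [parse_record(line) for line in lines]
    records = [p for p in parsed if p is not None]
    passwords = Counter(p[2] for p in records)
    domains = Counter(p[1] for p in records)
    return {
        "records": len(records),
        "error_rate": (len(parsed) - len(records)) / len(parsed) if parsed else 0.0,
        "top_passwords": passwords.most_common(3),
        "top_domains": domains.most_common(3),
        "unique_domains": len(domains),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_RECORDS))
```

The error rate is reported rather than hidden because, as the analysis notes, it bounds how far the top-N figures can be trusted; a parser that silently drops malformed lines would understate it.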

Pierluigi Paganini

(SecurityAffairs – hacking, collection #1)

The post “Collection #1” Data Breach Analysis – Part 1 appeared first on Security Affairs.

McAfee Blogs: Artificial Intelligence & Your Family: The Wows & the Risks

Am I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

Just a few everyday examples of AI:

  • Cell phones with built-in smart assistants
  • Toys that listen and respond to children
  • Social networks that determine what content you see
  • Social networking apps with fun filters
  • GPS apps that help you get where you need to go
  • Movie apps that predict what show you’d enjoy next
  • Music apps that curate playlists that echo your taste
  • Video games that deploy bots to play against you
  • Advertisers who follow you online with targeted ads
  • Refrigerators that alert you when food is about to expire
  • Home assistants that carry out voice commands
  • Flights you take that operate via an AI autopilot

The Technology

While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

And there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying in both comments and photos.

No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

Talking points for families

Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely allow hackers more ease to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of the AI-related scams and warn your family to think about every click — even those from friends.

IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point-of-entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, be sure to change the default password and secure your primary network and guest network with strong passwords.

The post Artificial Intelligence & Your Family: The Wows & the Risks appeared first on McAfee Blogs.




Security Affairs 2019-01-19 05:57:28

A bug in the Microsoft partner portal ‘exposes’ support requests to all partners; fortunately, no customer data was exposed.

The Register reported in an exclusive that the Microsoft partner portal ‘exposed “every” support request filed worldwide.’ Tickets submitted from all over the world were exposed to all Microsoft support partners due to the glitch.

“At the moment in the Microsoft Partner Portal you can see every ticket title for every support request worldwide!” Stuart Crane of IT biz Everon told The Register.


“Another Microsoft small biz specialist contacted us to say ‘Logged on to my Microsoft Partner portal to check status of a ticket I have open with them only to see lots of tickets which are not ours’,” reported The Register.

According to another Microsoft partner quoted by The Register, the bug exposed the case number and title of the tickets, but not their content. This means that the problem will not cause Microsoft big problems with data protection laws or watchdogs.

Microsoft quickly addressed the flaw and downplayed the issue explaining that only a limited number of features in the Partner Centre portal were affected.

“We’ve addressed an issue that impacted a small subset of functions on our Partner Centre portal and we’re working to restore normal operation,” said a spokesperson for Microsoft.

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)

The post appeared first on Security Affairs.

Troy Hunt: the largest data leak in history

The Details of at Least 773 Million People Surfaced on a Free Cloud Storage Service

The details of at least 773 million people surfaced on a free cloud storage service last week, reported Troy Hunt, Australian web security expert and administrator of the Have I Been Pwned (HIBP) website. As you might already know, Troy has been collecting data from many data breaches over the last five years. He has been compiling it into a single database, so people have the opportunity to search across multiple data breaches and find out if their details have been compromised at some point in the past. The website allows searches by password and email.

When we heard the news about what Gizmodo calls the ‘mother of all breaches,’ we initially thought that Troy Hunt and his database had been hacked. However, this was quickly debunked as Troy himself confirmed that he is the one who actually found the pile of stolen data. He called the breach ‘Collection #1’ and highlighted that this is the ‘single largest breach ever to be loaded into HIBP.’

This incident shows that Troy Hunt was not the only one who has been piling up information from past data breaches. An anonymous hacker uploaded approximately 12,000 files containing 772,904,991 emails and 21,222,975 unique passwords into a single large database. Troy reported that the 87GB worth of stolen data was published on a free cloud service called MEGA. What makes this breach particularly interesting is that this is the first part of a much bigger database of stolen data. Troy Hunt reported that he is in possession of four more collections, and he is currently reviewing them. He will be making a call on what to do with them after investigating them further. MEGA has since deleted the database.

While most of the data included in ‘Collection #1’ was already in HIBP, the data in collections #2 through #5 may end up making this one of the biggest data breaches ever seen. It is currently unknown if collections #2 to #5 are as big as ‘Collection #1’. If the remaining four collections are as significant as the first one, this may end up exposing details of billions of people.

What should you do?

The database is compiled from old data breaches, so if the data comes from known breaches, you most likely were notified either by the service or by HIBP to change your password a long time ago. However, data breaches sometimes take years to be discovered, so regular password changes are strongly recommended. Avoid using the same password on multiple platforms. The cybersecurity budgets of some companies are significantly lower when compared to others – we are confident JP Morgan Chase spends more on developing stronger security when compared to a t-shirt store. But if the passwords you use at both organizations are the same, hackers can steal your details from the weak organization and use the login credentials to get unauthorized access to services such as your internet banking.

You can easily check if your passwords or email addresses have been part of ‘Collection #1’ or if they have been pwned in the past. You can search if your emails have been pwned here https://haveibeenpwned.com/, and learn if your passwords are part of the breach by testing them here https://haveibeenpwned.com/Passwords.
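Testing a password on the Pwned Passwords page does not send the password itself: the site hashes it locally with SHA-1 and queries only the first five hex characters of the digest against the public range API (https://api.pwnedpasswords.com/range/<prefix>), then looks for the remaining 35 characters in the returned list of "suffix:count" lines. The following Python block is an added example of that k-anonymity lookup, not HIBP's own code; the range response embedded in it is constructed with invented counts so the check runs offline, while fetch_range shows the real request and is not called by the demo.

```python
"""Check a password against Pwned Passwords by k-anonymity: only the first
five hex characters of its SHA-1 leave the machine. Added example, not HIBP
code; CONSTRUCTED_RANGE is a made-up response so the demo runs offline."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix): first 5 and remaining 35 upper-case hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Real lookup against the range API; not called by the offline demo."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as response:
        return response.read().decode("utf-8")


def parse_range(response_text):
    """Response lines are '<35-hex suffix>:<count>'; return {suffix: count}."""
    counts = {}
    for line in response_text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in the corpus (0 means not found).
    `fetch` is injectable so the lookup can be tested without network access."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed range response for prefix 5BAA6. SHA-1 of "password" is
# 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, so its suffix is the second line;
# the other suffixes and all counts are invented.
CONSTRUCTED_RANGE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
2F6B1F0F3E5A8E7C3A1B2C4D5E6F7A8B9C0:1
"""


def demo():
    """Run the check offline against the constructed range for two passwords."""
    offline = lambda prefix: CONSTRUCTED_RANGE
    return {
        "password": pwned_count("password", fetch=offline),
        "unique": pwned_count("correct horse battery staple 2019!", fetch=offline),
    }


if __name__ == "__main__":
    print(demo())
```

Because every prefix maps to several hundred suffixes, the server learns only that the queried password is one of that many candidates, which is what makes it acceptable to run this check against live credentials; a service that validates new passwords at signup can call the same API without ever transmitting them.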

Last but not least, have anti-virus software installed on all your connected devices. Most of the time high-quality anti-virus software comes with a password manager that will help you always know your password. Apart from the password management options, such software could also prevent hackers from stealing the missing piece from the puzzle that would allow them to make you a victim of cybercrime.


The post Troy Hunt: the largest data leak in history appeared first on Panda Security Mediacenter.

The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

You may be wondering, how was all this data collected? It appears that this data set was a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 the second largest in size after Yahoo, and the largest public breach ever (given that the data was openly exposed on the internet).

It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

  • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
  • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.
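The credential-stuffing attack described above leaves a recognisable trace on the service side: a single source address fails logins for many different usernames in a short window, which is the opposite of a legitimate user mistyping one password. The script below, an added example that is not part of the McAfee post, runs that detection over constructed sample log lines (the log format, IP addresses and usernames are all made up for this example) and also lists the accounts that did authenticate successfully from a flagged source, since those are the credentials that were reused.

```python
"""Flag credential-stuffing patterns in web-login logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<ISO timestamp> <client ip> <result> <username>".
# 203.0.113.7 tries six different accounts in a few seconds and gets one right;
# 198.51.100.4 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z 203.0.113.7 FAIL alice@example.com
2019-01-17T10:00:02Z 203.0.113.7 FAIL bob@example.com
2019-01-17T10:00:02Z 203.0.113.7 FAIL carol@example.com
2019-01-17T10:00:03Z 203.0.113.7 OK   dave@example.com
2019-01-17T10:00:04Z 203.0.113.7 FAIL erin@example.com
2019-01-17T10:00:05Z 203.0.113.7 FAIL frank@example.com
2019-01-17T10:00:06Z 203.0.113.7 FAIL grace@example.com
2019-01-17T10:01:00Z 198.51.100.4 FAIL heidi@example.com
2019-01-17T10:01:05Z 198.51.100.4 FAIL heidi@example.com
2019-01-17T10:01:09Z 198.51.100.4 OK   heidi@example.com
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, ip, result, username)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, ip, result, user) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, result, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, result, user.lower()))
    return events


def find_stuffing_sources(
    events: List[Event],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
) -> Dict[str, dict]:
    """Return source IPs that failed logins for at least `min_distinct_users`
    distinct usernames inside any sliding `window`, together with the largest
    distinct-username count seen and the usernames that succeeded from that IP
    (accounts to treat as potentially compromised)."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, Set[str]] = defaultdict(set)
    for ts, ip, result, user in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
        else:
            successes[ip].add(user)

    flagged: Dict[str, dict] = {}
    for ip, fails in failures.items():
        fails.sort()
        best = 0
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {u for _, u in fails[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_distinct_users:
            flagged[ip] = {
                "distinct_failed_users": best,
                "succeeded_users": sorted(successes[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Thresholds are deliberately parameters: on a busy login endpoint a shared NAT address will legitimately fail a handful of distinct usernames, so tune `window` and `min_distinct_users` against your own baseline before alerting on them.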

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

Collection 1 data breach: what you need to know

Yesterday, news broke that the largest data dump in history had been discovered, with more than 770 million people’s Personally Identifiable Information (PII) decrypted, catalogued, and up for grabs on the Internet. The files, which are being dubbed Collection 1, were originally found on cloud service MEGA, and later posted to a popular hacking forum.

The Collection 1 folder contains more than 12,000 files and is a whopping 87 gigabytes large.

While on paper this sounds beyond alarming, the truth is much more nuanced. The collection is composed of data pulled together from multiple breaches and leaks, many of which contain email addresses and passwords that are at least two to three years old. Security researcher Brian Krebs cautioned folks on assigning too much significance to the find because the data is rather stale, and not particularly useful for threat actors.

However, as we saw in summer 2018, stale data can be used successfully in phishing and extortion campaigns. The mere mention of a correct password, even if it’s outdated, could coax unsuspecting users into giving up fresh PII or paying ransoms.

Every time an organization announces that it’s been breached, customers wait with bated breath to see if they’ve been impacted. But after a time, if an identity theft crisis, credit card tampering, or straight-up hack doesn’t take place, many users breathe a sigh of relief and imagine they’ve weathered the storm. Yet, as evidenced by Collection 1 and other such treasure troves of data that are offered for sale online, that may not be the end of it. If users don’t take steps to protect or change their credentials after a breach, they are at risk of being targeted again and again.

Our advice to users: Take a look to see if your information is caught up in this latest data dump. You can easily check to see if you’ve been compromised by using researcher Troy Hunt’s website Have I Been Pwned. Once there, enter your email address and scroll to the bottom of the page to see if you are part of Collection 1 or any other breaches. In addition, you can check if your password was compromised using a new feature of Hunt’s site called Pwned Passwords.
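Both the Panda Security and Malwarebytes posts above point readers at Pwned Passwords to check whether a password appears in the dump. The example below, added here and not part of either post, shows how that lookup can be done without ever sending the password or its full hash anywhere: it assumes the Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>`), which answers with lines of the form `<remaining 35 hex characters>:<count>`. Only the five-character prefix leaves the machine; matching the suffix happens locally. The range response embedded below is constructed for the example, and its counts are made up.

```python
"""Check a password against a Pwned Passwords range response (added example)."""
import hashlib
from typing import Dict, Tuple

# Constructed sample of what the range endpoint returns for prefix 5BAA6.
# The real response holds hundreds of suffixes per prefix; counts here are invented.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1F26C5FE6DA5F3D0FCA8E3A6CD52B5EDCAA:2
"""


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 upper-case hex
    characters of the password's SHA-1. Only the prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries (count 0), which
    the API emits when asked with the Add-Padding header, are kept but harmless."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appears in the given range data (0 = not seen)."""
    _prefix, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network access; not used by the offline check)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration with the constructed response above.
    print("password ->", pwned_count("password", SAMPLE_RANGE_RESPONSE))
    # For a live check: prefix, _ = split_sha1(candidate); pwned_count(candidate, fetch_range(prefix))
```

A non-zero count is a reason to retire the password everywhere it is used, not just on the site where it was leaked; a zero count only means the password is not in the corpus, not that it is strong.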

If you are on any of these lists, go forth and change your passwords immediately. We also recommend using a password manager and following other password best practices, such as avoiding using the same password across multiple sites and using long phrases that do not contain obvious dates, names, or other easily identifiable (and thus crackable) information.

No, this may not have been the breach to end all breaches. But that doesn’t mean it should be taken lightly. In fact, this is an opportunity for 770 million people to shore up their defenses by making a simple, yet effective, change.

As always: Stay safe, everyone!

The post Collection 1 data breach: what you need to know appeared first on Malwarebytes Labs.

10 Cybersecurity Conference Trips You Should Make Time for This Year

Cybersecurity remains a top priority for chief information security officers (CISOs) worldwide, but it’s easy to get out of touch as the industry evolves at breakneck speed and attackers discover new and innovative ways to compromise corporate networks. That’s why it’s worth investing in cybersecurity conference trips to help IT professionals stay up-to-date by networking with vendors, thought leaders and colleagues.

Top Cybersecurity Conference Trips You Should Book in 2019

Not sure where to distribute your IT budgets for ideal returns? Here’s a roundup of some of the top cybersecurity conferences happening this year.

Cybertech Israel

Cybertech Israel will once again descend on Tel Aviv from Jan. 28-30. One of the premier B2B networking conferences for security professionals, Cybertech offers both a major exhibition and full conference schedule over the course of three days. This year, speakers will include Prime Minister of Israel Benjamin Netanyahu, Professor Dieter Kempf, president of the Federation of German Industries, and Dr. Sridhar Muppidi, IBM fellow and chief technology officer at IBM Security.

HIMSS 2019

Up next for the new year is HIMSS19, which will take place from Feb. 11–15 in Orlando, Florida. This year’s theme, “Champions of Health Unite,” will bring together insights from trailblazers, game-changers and strategizers to help health IT professionals set the stage for a secure and successful 2019. Topics will range from privacy and telehealth to care culture and clinician engagement. Given the critical role of technology in delivering and empowering health services, HIMSS19 promises to be a great starting point for this year’s conference lineup in the U.S.

Think 2019

IBM Think 2019, happening Feb. 12–15, is making the move this year to San Francisco. With more than 160 security-focused sessions across the conference’s dedicated Security and Resiliency Campus, there’s something for everyone. Key offerings include sessions on making security relevant to the C-suite, understanding the value of collaborative defense and transforming the role of incident response (IR) with new technologies such as IBM’s Watson.

RSA Conference

One of the industry’s biggest annual conferences, RSAC is also held in San Francisco and will run from March 4–8. This year’s theme is “Better” — building better solutions, creating better connections and developing better responses. From securing robot-designed code to measuring data breach impacts and examining the value of human risk management, this massive conference (40,000+ attendees) always delivers value.

Cyphercon 4.0

Demonstrating that bigger isn’t always better, Cyphercon 4.0 will be held in Milwaukee from April 11–12. This cryptography and information security-focused offering strives to create an informal, welcoming environment that offers benefits for experts and beginners alike. All session abstracts are reviewed without speaker names attached, ensuring that only high-quality (not merely high-profile) presentations make the cut.

40th IEEE Symposium on Security and Privacy

With the General Data Protection Regulation (GDPR) now in full effect and privacy legislation a top priority for many countries, enterprises would be well served by any cybersecurity conference that tackles this increasingly complex field. The Institute of Electrical and Electronics Engineers (IEEE)’s 40th symposium will take place in San Francisco from May 20–22 and will bring together some of the industry’s leading researchers and practitioners to help organizations evaluate their current privacy policies and prepare for the next generation of personal data defense.

Gartner Security and Risk Management Summit

Happening in National Harbor, Maryland, from June 17–20, Gartner’s yearly conference includes sessions about emerging information security priorities such as machine learning, analytics and blockchain. More generally, the conference tackles the critical need to make security and risk top organizational priorities by offering a combination of meaningful networks, expert guidance and real-world scenarios.

Black Hat

One of two premier hacker conferences taking place in Las Vegas each summer — DEF CON is the other — Black Hat is more formal and also one of the most popular conferences every year. This year, the conference will be held from Aug. 3–8. Topics are wide-ranging; last year’s event examined the potential of voting machine compromise, and in 2015, researchers hacked a moving Jeep.

BSides

BSides, scheduled for Aug. 6–7 in Las Vegas, is a free conference that will celebrate its 10th year in 2019 and offers the benefit of small-group participation for all attendees. Walk-in passes are snapped up quickly, so if you’re in town for Black Hat or DEF CON, make sure to stop by the Tuscany Suites; this year, BSides has the entire hotel booked.

GrrCon

Rounding out the year is the more informal GrrCon, scheduled for Oct. 24–25 in Grand Rapids, Michigan. This conference is small — just 1,500 attendees — and focuses on creating a fun atmosphere where executives, security professionals, students and hackers can exchange ideas and uncover new insights.

Start the Year Off Strong

Less than 24 hours after the ball dropped in Times Square, this year saw its first data breach: As reported by CBR Online, more than 30,000 Australian civil servants had their data stolen. It’s a bellwether for 2019 — a not-so-subtle sign that threat actors will continue to compromise corporate data to leverage or generate profit. More importantly, it’s a reminder to start the year off strong — to revisit existing security policies, design more holistic defenses and make time for the best cybersecurity conference offerings of 2019.

The post 10 Cybersecurity Conference Trips You Should Make Time for This Year appeared first on Security Intelligence.

Collection #1 dump, 773 million emails, 21 million passwords

The popular cyber security expert Troy Hunt has uncovered a massive data leak he called ‘Collection #1’ that included 773 million records.

The name ‘Collection #1’ comes from the name of the root folder.

Someone has collected a huge trove of data through credential stuffing: the ‘Collection #1’ archive is a set of email addresses and passwords totalling 2,692,818,238 rows, drawn from thousands of different sources.

According to Hunt, there are 1,160,253,228 unique combinations of email addresses and passwords, while the unique email addresses totalled 772,904,991.

The data was posted on the file-sharing service MEGA and also on an unnamed popular hacking forum; it includes more than 12,000 files for a total size of 87 gigabytes.

Hunt pointed out that approximately 140 million email accounts and some 10.6 million passwords are not part of known past data breaches.

“The unique email addresses totalled 772,904,991. This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It’s after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of “cleanliness”. This number makes it the single largest breach ever to be loaded into HIBP.” wrote Troy Hunt.

The post on the hacking forum referenced “a collection of 2000+ dehashed databases and Combos stored by topic” and included a directory listing of 2,890 of the files, which Hunt reproduced here.

Users can check if their credentials are included in the Collection #1 dump by visiting the HIBP website.

“As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.” concludes Hunt.

Pierluigi Paganini

(SecurityAffairs – Collection #1, data leak)

The post Collection #1 dump, 773 million emails, 21 million passwords appeared first on Security Affairs.

773 million records with emails & plain text passwords leaked online

By Waqas

It’s a whopping 87GB data – Find out if you are affected by the massive data breach. Security researcher and founder of Have I Been Pwned, Troy Hunt, has revealed that around 773 million ‘unique’ email IDs and 22 million ‘unique’ passwords were available on MEGA cloud service. Later on, the same data was found posted […]

This is a post from HackRead.com Read the original post: 773 million records with emails & plain text passwords leaked online

Nearly 800 Million Email Addresses Exposed in “Collection #1” Data Breach

A data breach known as “Collection #1” exposed approximately 800 million email addresses as well as tens of millions of passwords. In the beginning of January, multiple people reached out to Australian web security expert Troy Hunt about a sizable collection of files hosted on cloud service MEGA. This collection, which is no longer available […]… Read More

The post Nearly 800 Million Email Addresses Exposed in “Collection #1” Data Breach appeared first on The State of Security.

Lessons From Some Of The World’s Largest Data Breaches, And The Way Forward

“What I did 50 years ago is 4,000 times easier to do today because of technology,” says Frank Abagnale, 70-year-old FBI security consultant and former con man. His exploits as a check

The post Lessons From Some Of The World’s Largest Data Breaches, And The Way Forward appeared first on The Cyber Security Place.

Unprotected server of Oklahoma Department of Securities exposes millions of government files

A huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.

Another data leak has made the headlines: a huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.
It is not clear how long the data was exposed online; according to the Shodan search engine, the server had been publicly reachable since at least November 30, 2018.

The unsecured storage server was discovered by security expert Greg Pollock from UpGuard; it contained 3 terabytes of data, including millions of sensitive government files and years’ worth of sensitive FBI investigations.

Other documents included social security numbers, names and addresses for over a hundred thousand brokers, credentials for remote access to ODS workstations, and communications meant for the Oklahoma Securities Commission.

The server also included email backups from 1999 to 2016, the largest and most recent reaching 16GB in size.

The exposed information includes passwords that could have been used by an attacker to remotely access the state agency’s workstations, and credentials for several internet services.

Digging in the archive it is also possible to find information related to people with AIDS including patient names and T cell counts.

“By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” reads a blog post published by UpGuard.

“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server.”
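The exposure UpGuard describes, an rsync daemon answering any client from any address with no authentication, is a configuration mistake that can be caught before a scanner like Shodan finds it. The script below is an added example (not UpGuard's or Security Affairs' code) that audits an rsyncd.conf for exactly that condition. It relies on the real rsync daemon parameters `hosts allow`, `auth users` and `list`: a module with neither a `hosts allow` restriction nor `auth users` is downloadable by anyone who can reach the port, which is the situation the post reports. The configuration it parses is constructed for the example; the paths and module names are made up.

```python
"""Audit an rsyncd.conf for modules open to anyone without authentication (added example)."""
import configparser
from typing import Dict, List

# Constructed rsyncd.conf: "archive" mirrors the exposure described in the post
# (no address restriction, no authentication); "backups" is locked down.
SAMPLE_RSYNCD_CONF = """\
# global parameters apply to every module unless overridden
uid = nobody
gid = nogroup
use chroot = yes
max connections = 4

[archive]
path = /srv/archive
comment = Archived records
read only = yes

[backups]
path = /srv/backups
hosts allow = 10.0.0.0/8
auth users = backup
secrets file = /etc/rsyncd.secrets
read only = yes
list = no
"""

# "hosts allow" values that restrict nothing (treated the same as absent).
OPEN_HOST_PATTERNS = {"*", "0.0.0.0/0", "::/0"}


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf into {module: {parameter: value}}.

    The file is INI-like, so configparser handles it; parameters set before the
    first module header are globals that rsync applies as defaults to each module,
    which is modelled by reading them into a synthetic default section."""
    parser = configparser.ConfigParser(interpolation=None, default_section="global")
    parser.read_string("[global]\n" + text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def audit_modules(modules: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {module: [findings]} for every module that is anonymously reachable."""
    findings: Dict[str, List[str]] = {}
    for name, params in modules.items():
        issues: List[str] = []
        hosts = params.get("hosts allow", "").strip()
        if not hosts or hosts in OPEN_HOST_PATTERNS:
            issues.append("no 'hosts allow' restriction: reachable from any source address")
        if not params.get("auth users", "").strip():
            issues.append("no 'auth users': the module can be read without authentication")
        # rsync lists modules to anonymous clients unless "list = no" is set.
        if params.get("list", "yes").strip().lower() in ("yes", "true", "1"):
            issues.append("'list' is enabled: module name is disclosed to anonymous clients")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for module, issues in audit_modules(parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)).items():
        print(f"[{module}]")
        for issue in issues:
            print("  -", issue)
```

Run it against `/etc/rsyncd.conf` on any host that exposes port 873; a module that shows up with all three findings is the pattern in the ODS incident. Pairing the daemon with a host firewall rule that only admits the intended clients gives a second control that does not depend on the config file being right.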

UpGuard immediately notified the ODS of the discovery, and the agency secured the storage server.

The Oklahoma Securities Commission published a press release to disclose the data leak; it announced that a forensic team is still investigating the case.

“The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall.” reads the press release.

“An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them.”

Pierluigi Paganini

(SecurityAffairs – Oklahoma Department, data leak)

The post Unprotected server of Oklahoma Department of Securities exposes millions of government files appeared first on Security Affairs.

The Biggest Data Breaches of 2018

Online security label manufacturer Seareach.plc.uk, which specialises in asset labels and asset tracking, has collated some of the biggest data breaches of 2018.

February
  • 150 million MyFitnessPal app users had their details leaked in a data breach, including usernames, email addresses and passwords.
March
  • Orbitz had 880,000 customers' payment card details stolen by a hacker, thanks to a security vulnerability in the travel site's legacy booking system.
  • FIFA: more than 3.4 terabytes of data and 70 million documents from FIFA, containing numerous allegations of corruption, were leaked to German magazine Der Spiegel by the Football Leaks organisation.
  • Cambridge Analytica harvested data (without user permission) from Facebook; more than 80 million people were affected by the data exposure.
April
  • Macy’s and Bloomingdale's online customers may have had their personal information and credit card details exposed to a third party between April 26 and June 12.
May
  • The Rail Europe breach saw customer details, including credit card numbers, expiration dates and card verification codes, stolen over three months.
June
  • Over a million Adidas customers were affected by its data breach. The website was hacked, with contact information, usernames and hashed passwords stolen.
July
  • Timehop suffered a significant data breach on 7 July 2018; names, email addresses and phone numbers of 21 million users were accessed.
  • Ticketmaster suffered a data breach in which hackers ran a massive credit card skimming operation via third-party code installed on e-commerce websites.
  • 23,000 Fortnum and Mason customers' details were accessed in a data breach, including addresses and contact phone numbers.
August
  • The British Airways data breach hit 380,000 transactions through its website and mobile app. Personal and financial information was stolen.
September
  • 90 million Facebook user accounts were exposed when hackers stole access tokens that they could then use to take over almost 50 million profiles.
November
  • Cathay Pacific admitted this month that it had suffered a significant data breach in March, affecting up to 9.4 million passengers.
  • Over 100 million Quora users had their emails, passwords and names taken. The breach occurred after unauthorised access by a malicious third party.
  • Details from over 500 million guest reservations were stolen from Marriott's Starwood database. Customers were notified in November, but unauthorised access could date back to 2014.
December
  • Twitter was hit by a data breach on its platform's support form. It exposed user data to IP addresses from Saudi Arabia and China.

The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach

The threat group known as The Dark Overlord has claimed responsibility for a law firm data breach involving files allegedly related to the 9/11 terrorist attacks.

The Dark Overlord first announced on New Year’s Eve that it had stolen files belonging to Lloyd’s of London, Silverstein Properties and Hiscox Syndicates Ltd., according to Motherboard. Although the group’s announcement on the Pastebin messaging service has been deleted, Motherboard confirmed the hack with Hiscox.

The stolen information reportedly includes email and voicemail messages as well as legal files such as non-disclosure strategies and expert witness testimonies.

9/11 Data Held for Ransom

In a Dec. 31 tweet, The Dark Overlord claimed it had managed to steal more than 18,000 secret documents that would provide answers about 9/11 conspiracy theories. Twitter has since suspended the group’s account.

SC Magazine reported that the law firm paid an initial ransom, but then violated terms of agreement by reporting the incident to law enforcement. The threat group is now demanding a second ransom be paid in bitcoin and said it will also sell information obtained in the breach to interested third parties on the dark web.

According to a post on Engadget, The Dark Overlord also attempted to prove it had committed the data breach by publishing nonsensitive material from other law firms as well as organizations such as the U.S. Transportation Security Administration (TSA) and Federal Aviation Authority (FAA).

How to Limit the Threat of Groups Like The Dark Overlord

This latest attack from The Dark Overlord is further proof that data breaches can not only create a PR nightmare, but also put organizations’ survival and, in some cases, national security at risk.

Unfortunately, the exact details of how The Dark Overlord accessed the law firm’s network are unknown. Security experts recommend conducting a short but comprehensive 15-minute self-assessment to gauge the organization’s IT security strengths and weaknesses. The results can be benchmarked against similar firms, and security leaders can gain access to the expertise they need to keep groups like The Dark Overlord away from their data.

The post The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach appeared first on Security Intelligence.

The seven most serious data breaches of 2018

Cybercrime grows every year, and 2018 was no exception. Cybercriminals can change their attack methods, their targets, or the way they act, but the challenge is always the same: breaking through companies’ corporate cybersecurity and getting access to as much data as possible.

Many companies, unfortunately, learn this lesson the hard way: Adidas, Ticketmaster, T-Mobile and British Airways are just a few. But, serious though these cases were, they didn’t top the list. The following are the seven most serious data breaches of 2018.

1.- Aadhaar: 1.1 billion records.

India has a serious cybersecurity problem. To be more precise, its national ID database, Aadhaar, which contains information on close to 1.1 billion citizens, does. The database was leaked and made available to anyone willing to invest (very little) money to get it.

In January, several Indian journalists discovered that several WhatsApp groups were circulating throughout the country in which anyone could buy the file of a specific citizen. The price, 500 rupees (a little under 6 euros), granted access not only to names and surnames, but also to personal data and bank details. Despite the government’s denial of this leak, it went much further than this: researchers also discovered that, for a period of time, citizens who visited their own profile online could access other citizens’ profiles simply by changing their ID in the private URL on the Aadhaar website.

2.- Marriott: 500 million customers

Marriott is one of the largest hotel groups in the world, and its most serious weak point has just been discovered. The company announced in November that the booking system for other hotel chains in its group had been hacked. The data leak had been in progress since 2014, and had affected no fewer than 500 million customers, whose bank details and personal data are now at the disposal of whoever wants to buy them.

3.- Facebook and its pact with Netflix, Microsoft…

One of the biggest scandals of the year, and yet another black mark for Facebook. The New York Times revealed that Mark Zuckerberg’s social network has, for years, shared its users’ data (without their knowledge) with over 100 tech giants. Among the companies that bought this information were some as important as Amazon, Bing, Yahoo!, and Netflix, all of which had access to users’ publications and even their private messages.

4.- Exactis: 340 million records.

The plans of the American data broker Exactis were laid to waste last June. This time not because of theft, or even a cybercriminal act. So what had happened? The agency had left around 340 million records exposed on a public server.

In this case, there were none of the users’ bank details in the records, but they did contain 150 fields of information, with perhaps even more sensitive information: number of children in a house and their ages; the kind of payment card used by that person; an estimation of the value of their house; if they have shares in companies; their hobbies; the company with which they have their mortgage; their ethnic group; along with many others. The million dollar fines for GDPR infringement won’t take long to arrive.

5.- Under Armour: 150 million records.

If you use MyFitnessPal, one of the most widely used nutrition apps in the world, your data is at serious risk. The company that developed the app, Under Armour, was forced to admit in March that a cybercriminal had accessed the registration details of around 150 million users. Among the data stolen from each user are both the email address used to register and the password used to access the account.

6.- Panera Bread: 37 million records.

Is there anything worse than being the victim of information theft? Yes: ignoring those who have been telling you about it for eight months. This is exactly what happened to the restaurant chain Panera Bread, which had to announce that its website had exposed the registration details of at least 37 million customers. Now these customers know (or at least they should) that their names, email addresses, physical addresses and the last four digits of their credit cards have been at the mercy of whoever wanted to take or buy them.

7.- 35 million US voters

As if the elections in the States hadn’t suffered enough: suspicions of vote tampering, the spreading of all kinds of information using voter details… Then this: in October, it was discovered that a website was selling electoral records of around 35 million voters. This incident, which affected 19 states in the country, wouldn’t have allowed any alteration of votes, but it would have been enough to change voter lists at polling stations, stopping citizens from being able to vote correctly.

As we can see, many companies have been forced to make data protection the leading priority to protect their corporate cybersecurity. To fight this problem, there are tools such as Panda Data Control, the data protection module of Adaptive Defense. It stops uncontrolled access to the company’s personal and sensitive data by monitoring all system processes, sending out alerts in real time about leaks, use, and suspicious, unauthorized movements. Ultimately, it proactively and immediately detects any kind of threat, helping companies not only to protect their corporate cybersecurity, but also to comply with the GDPR and avoid its million euro fines.

The fact is that data has become the oil of the modern age, and this goes far beyond tech companies. Any kind of company, regardless of its sector or its size, can be exposed to cybercriminals. It is therefore essential that they know how to protect their greatest asset: their data.

The post The seven most serious data breaches of 2018 appeared first on Panda Security Mediacenter.

Over 30 Thousand Patient Records Exposed; Third-Party Breach To Blame

Cybercriminals have recently targeted another healthcare organisation. Managed Health Services of Indiana Health Plan (MHS) recently went public about a third-party data breach it had been exposed to, which left 31,000 patients’ personal details out in the open.

This breach was the result of one of two security incidents that the institution had to face.

The organisation runs two major healthcare programs, namely Indiana’s Hoosier Healthwise and Hoosier Care Connect Medicaid.

MHS was informed about the breach by one of its vendors. The information was regarding someone having illegitimately gained access to its employees’ email accounts.

Disconcertingly, according to the reports, the unauthorized access had occurred between July and September last year.

During the investigation initiated by MHS, it was found that patients’ personal data, including their names, insurance ID numbers, dates of birth, dates of services provided and their addresses, was all potentially exposed.

As the investigation unfolded, it was discovered that the incident was caused by a phishing attack on the vendor’s system.

The vendor took rapid steps to counter the attack with the aid of a computer forensics company.

Some of the information in the affected email accounts was laid bare to be accessed; the “hacked” email accounts were the main source of the exposed information.

The easiest trick for harvesting personal data is a phishing attack, and a phishing attack anywhere in the chain can affect all the people involved.

As a result of the overall effect on the chain, 31,000 people were affected and had their data exposed.

Reportedly, this has been the fourth attack on health plans in the last month alone.

After such an attack, it becomes evident that the healthcare industry badly needs better management and security of its cyber systems.

Luas data ransom: the hacker who cried wolf?

In a terrible start to the year for Irish tram firm Luas, their site was compromised a week ago and adorned with a stark ransom warning:

You are hacked. Some time ago I wrote that you have serious security holes.

You didn’t reply.

The next time someone talks to you, press the reply button.

You must pay one bitcoin in five days. Otherwise I will publish all data and send emails to your users.

The message came with a Bitcoin address, and the defacement was quickly taken down.

Real threat or a blast of bluster?

Many observers questioned the legitimacy of this ransom threat. One Bitcoin is currently around 3,100 Euros. Luas aren’t exactly short of cash, so it wouldn’t be an issue for them to pay (not that we’d advise it). The general feeling was that either 3,100 Euros was a large sum of money to the attacker, or they just wanted the company to address the problem facing them without fuss.

As soon as the hack was announced, nervous customers wondered exactly what might be dumped into the ether should the ransom go unpaid. Names and addresses? Emails? Perhaps even payment data? However, this is where the hacker’s version of events starts to unravel. I’m not personally familiar with the website in question, and it’s currently still down, so I looked on Internet Archive.

A trip down memory lane

The site doesn’t appear to have any form of registration or login; it seems to be more of an information portal. Additionally, the one section that references payment—“Pay your standard fare notice”—leads to the payments site, which Luas pointed out hadn’t been compromised. The site read as follows:

The Luas website is undergoing restoration following a cyber-attack.

We wish to advise customers that the Tax Saver and Standard Fare Notice sites have NOT been compromised.

It’s worth noting the payments section hasn’t been taken offline, either.

The hacker who cried wolf?

We waited with bated breath as the ransom timer ticked down. Would we see a large blast of customer data popping up online? Or would the whole thing fall flat? If essential information such as logins and payment data hadn’t been grabbed, what exactly were we talking about here? Basic website metrics such as visitor stats or website referrers? What could this attacker possibly have grabbed while achieving what appears to have been a perfectly standard webpage defacement in all other respects?

The answer is, of course, “Nobody knows.”

The deadline has come, gone, and is now on vacation somewhere. Occasionally, it lets you know the weather is lovely and reminds you to put the bins out.

Absolutely none of which helps anybody who suspects they may have been caught up in this. Even more surreal is the fact that Luas said they’d contact anyone they thought may be affected, but there’s zero example of said contact on social media that I can find.

Customers: An update on the Luas cyberattack.

Luas technicians are still investigating it and are working to restore the site.

Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised.

This is absolutely not what normally happens, and at this point I’d usually be linking to a deluge of “you got me” posts. That’s the theory. The reality, currently, is nothing but a wave of silence.

This number is no longer available

Our suspicion here is that nothing customer related was taken and it was all a ransom-themed bluff to either grab some Bitcoin cash or attention, or perhaps both. If you’ve used any Luas site for any type of registration or payment, you’re probably fine.

Unless the site compromiser had a sudden change of heart, they were going to dump the data in public fashion instead of some hidden underground forum, but it hasn’t happened. People may call them “underground,” but the reality is data dumps don’t remain private for long.

No further updates are forthcoming from Luas, so it doesn’t appear they’ve been told their number is up either. All in all, we’d say cross some fingers and hope everything is coming up Milhouse.

While I try to remember if things coming up Milhouse is good or bad, here’s what you can do if you’re still worried you may be affected.

Data dump fallout tips

This isn’t just good advice for the Luas attack, but for any potential breach situation.

If you’re on Twitter, simply follow haveibeenpwned, a service maintained by security pro Troy Hunt. It will usually be one of the first places you’ll hear about any breach where data has been taken. After that, head over to the haveibeenpwned website and check if your emails have been included in any attacks. If they have, you’ll see a short summary of when it happened and what was taken. Note that you won’t see the stolen data.

Finally, you can register for alerts when any new breaches are added.

There’s really no need to go spelunking into the murky pools of hacker forums, looking in vain for a breach you may be in. Rest assured that if it’s happened, you’ll find out eventually—one way or another. At that point, it’s a case of changing your logins and applying whatever security steps are required to fix things up. Ransoms are always a major issue, whether they come from threats like this one or from ransomware infections. If this story has any additional developments, we will of course update this post as to what anyone affected should do next.

The post Luas data ransom: the hacker who cried wolf? appeared first on Malwarebytes Labs.

That Other Moscow: Sketchy LinkedIn Job Posts Mix US, Russian Locales

Bogus LinkedIn job postings for leading US organizations, including the US Army, the State of Florida and defense contractor General Dynamics, are popping up for Russian locales like St. Petersburg and Moscow, the firm Evolver has found. Is it AI-Gone-Wild, or is something more nefarious afoot? Moscow, on the border between Idaho and Washington...

Neiman Marcus to Pay $1.5 Million in Settlement with 43 States for Data Breach

Neiman Marcus, the Dallas-based chain of luxury department stores, has agreed to pay $1.5 million in compensation to the 43 states affected by a 2013 data breach, announced Texas Attorney General Ken Paxton on Tuesday.

This sum is significantly lower than Target’s settlement of $18.5 million following that retailer’s data breach in the same year, which was estimated to have cost $150 million.

A nation-wide investigation concluded that, in 2013, a third party gained unauthorized access to 370,000 credit and debit cards used at 77 Neiman Marcus stores from multiple states. The breach went undetected for three months and was publicly announced in January of 2014. Some 9,200 cards were used for illicit purposes, said Paxton.

“Texas law requires businesses to implement and maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure,” he said. “I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’ information.”

The retailer also has to strengthen security and implement a clear policy to fend off attacks and protect customer data. An information security assessment and report from a third party is also required.

Neiman Marcus is not the only luxury department store to expose its customers’ financial data or personal information. In 2018, Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores also fell victim to unauthorized intrusions that affected their customers.

Neiman Marcus to Pay $1.5 Million under Data Breach Settlement

Neiman Marcus Group, Inc. has agreed to pay $1.5 million as part of a settlement for an earlier data breach that exposed customers’ information. Ken Paxton, Attorney General of Texas, announced on 8 January that he and his fellow Attorneys General from 42 other states will enter into the $1.5 million settlement with Neiman Marcus. […]

The post Neiman Marcus to Pay $1.5 Million under Data Breach Settlement appeared first on The State of Security.

US Health Insurer Humana Announces Third Data Breach after Third-Party Hack

Kentucky-based health insurance provider Humana fell victim to a third data breach in December 2018, this time caused by a vulnerability at a third party.

According to a detailed notice to the California Attorney General’s Office and affected customers, Humana was informed on Oct. 28 that its business partner, Bankers Life, had suffered an intrusion that allowed unauthorized access to select employee system credentials between May 30 and Sept. 13.

The intruder used employee credentials to hijack company websites used to apply for Humana insurance. An investigation determined that this may have given the intruder access to personal information of some policy holders. While data such as name, address, date of birth, last four digits of the Social Security number, and some information about policy type may have been compromised, critical information such as full Social Security number, banking and card information and details about medical care were not affected.

Bankers Life detected the breach on Aug. 7 and started an investigation. They informed law enforcement and contacted an external forensics team to help. Since then, they have organized additional training for employees and implemented extra monitoring and security procedures.

While customers who may have been affected will receive one year of identity repair and credit monitoring paid for by Bankers Life, all are advised to keep a close eye on their account statements and insurance transactions to prevent fraud and identity theft attempts.

German Teen Confesses to Data Breach Affecting 1,000 Politicians, Journalists

2019 kicked off with a major security breach in Germany that compromised the personal data of some 1,000 politicians, journalists and celebrities, including Angela Merkel, Green party leader Robert Habeck, TV personality Jan Böhmermann and many others, including rappers and members of the German parliament, writes the BBC. For now, there is no evidence suggesting far-right party AfD members were also targeted.

While authorities initially had no idea who was behind the cyberattack, they brought in a 20-year-old German man for questioning, says The Guardian. At first he denied the accusations but confirmed he knew who was behind the Twitter account that caused the breach: @_0rbit, located in Hamburg, Germany.

In December, the Twitter account @_0rbit published the stolen data online disguised as a daily advent calendar. The compromised data includes telephone numbers, credit card information, photos, addresses, private conversations and contacts, reported BKA – the German federal criminal police. The account, which had over 17,000 followers, has been suspended.

Shortly after interrogation, the man, identified as Jan S., confessed to the attack, which he claims he carried out “alone and out of annoyance at statements made by the public figures he attacked.” On Twitter he also used the account name “G0d.” BKA says so far there is no evidence that a third party was involved.

Interior Minister Seehofer told the BBC at the time that the data was accessed through “wrongful use of log-in information for cloud services, email accounts or social networks.” There is no evidence that government systems were hacked.

German newspaper Bild claims the data compromised is as old as October 2018, possibly even older.

Jan S. was released on Monday “due to a lack of grounds for detention.”

Kitchen Utensil Manufacturer Discloses Data Breach of E-commerce Site

A manufacturer of kitchen utensils, office supplies and housewares disclosed a data breach of customer information submitted to its e-commerce website. OXO International Ltd confirmed on 17 December 2018 that digital attackers might have compromised the data submitted by customers to its e-commerce website. The manufacturer believes that those responsible for the security incident might […]

The post Kitchen Utensil Manufacturer Discloses Data Breach of E-commerce Site appeared first on The State of Security.

Thieves make off with shoppers’ credit card numbers after hacking apparel site for four months

Shoppers who placed an order with discountmugs.com during a four-month period last year are receiving a worrying notification from the online apparel store. Apparently, hackers injected card skimming code into the company’s website, then stole enough customer data to conduct fraud.

In a letter to the state attorney general, the company explains what happened, what information the hackers took, and what the company is doing to remedy this embarrassing situation. From the letter:

“On November 16, 2018, we discovered that an unauthorized change had been made to our DiscountMugs.com website. We immediately initiated an investigation and learned that unauthorized code was inserted into our shopping cart page designed to collect information customers entered on that page. We immediately removed the unauthorized code and reported the matter to law enforcement and to the payment card companies.

By Dec. 20, the company said, its investigation found that “orders placed by credit or debit cards between August 5, 2018 and November 16, 2018, may have been impacted by the unauthorized code. We are providing you with this notice because our records indicate that you placed an order between August 5, 2018 and November 16, 2018.”

This email would undoubtedly alarm any recipient, but the paragraph that follows is even more chilling. It shows the malware siphoned off exactly the data hackers needed to conduct fraud:

“… name, address, phone number, email address, the credit card or debit card number used to place the order, the expiration date, and card security code (CVV2) for that card.”

The paragraph ends by offering some comfort to victims: “Since we do not request PINs when debit cards are used, PINs were not subject to collection.”

But not every card issuer offers the 3D Secure mechanism, and not every e-commerce website uses two-factor authentication for transactions. Moreover, verifying the site’s identity is not 100% bulletproof, because the mechanism relies on a pop-up window or inline frame in which cardholders enter a one-time password to prove their legitimacy, and a hacked website could just as well display a fraudulent pop-up designed to harvest those passwords.

After learning of the breach, DiscountMugs launched an investigation and, with the help of an unnamed cybersecurity firm, removed the malicious code. It is now helping police and card issuers with their investigations into the breach. Affected customers are offered a reassuring “we do not have any evidence that your information has been misused,” but the company still advises them to review an enclosed document with further information and steps they can take to prevent harm. The shop is also offering a complimentary year of identity monitoring through AllClear ID.

DiscountMugs fails to mention how many customers were impacted. According to TechCrunch, the shop ranks in the top 10,000 sites in the U.S., with a daily customer count in the thousands.

Marriott lowers estimate of customers affected by breach to 383 million, says 8.6 million encrypted payment cards involved

Following last year’s disclosure that hackers breached its systems, Marriott has released an update on the number of affected customers, the type of data that was leaked, as well as some changes to its practices and policies.

On Nov. 30, 2018, the world’s largest hotel chain issued an embarrassing notice that its servers were breached, leaving 500 million guest records in criminals’ hands. With the help of internal and external forensics and analytics teams, Marriott now knows that the number of affected customers is lower – albeit still high, by any standards.

“Working closely with its internal and external forensics and analytics investigation team, Marriott determined that the total number of guest records involved in this incident is less than the initial disclosure,” Marriott says in the update, posted to its news center Friday. “Also, the number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved,” the hotel chain said.

According to the updated news release, Marriott now believes 383 million guests may have been affected, a number it refers to as “the upper limit” for the number of guest records involved in the incident. The number could be lower, Marriott says, considering that many guests have multiple records.

“The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” it clarifies.

The investigation has brought to light several other details as well. For example, approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were among the records accessed by the intruder. Investigators found no evidence that the master encryption key was accessed, but they haven’t ruled it out either. Guests can contact Marriott’s call center and ask reps to look up their passport number to see if and how they are affected.

Around 8.6 million encrypted payment cards were involved in the incident, including 354,000 that were unexpired as of September 2018. Again, Marriott believes hackers have not accessed either of the components needed to decrypt the encrypted payment card numbers, but investigators are not ruling out this scenario either. Notably, a small number of customers may be more affected than others because Marriott encrypted some form fields while others were not encrypted at all. According to the notice:

“While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.”
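Marriott’s follow-up analysis described above, hunting for 15- and 16-digit numbers typed into fields that were never encrypted, is a data-discovery task every breach responder ends up doing. The Python below is an added example, not Marriott’s code: it scans constructed free-text records for Luhn-valid 15/16-digit runs, guesses the brand from the leading digits, and reports only masked numbers so the scan itself never copies full card numbers into its output.

```python
from __future__ import annotations

import re

# Constructed sample records (not Marriott data): free-text fields into which a
# guest or agent may have typed a card number that the encrypted PAN column
# never saw. Two values are the public Visa/Amex test PANs; the third is a
# 16-digit confirmation code that is NOT a card number and must be rejected.
SAMPLE_RECORDS = [
    {"guest_id": 1, "notes": "Late arrival, hold with 4111111111111111 please"},
    {"guest_id": 2, "notes": "Confirmation 1234567890123456 emailed to guest"},
    {"guest_id": 3, "notes": "Deposit taken on Amex 378282246310005"},
    {"guest_id": 4, "notes": "Loyalty member since 2015"},
]

# 15- or 16-digit runs that are not embedded in a longer digit string.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{15,16}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: weeds out most numeric strings that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def likely_brand(pan: str) -> str:
    """Coarse brand guess from length and leading digits (well-known IIN ranges)."""
    if len(pan) == 15 and pan[:2] in ("34", "37"):
        return "amex"
    if len(pan) == 16:
        if pan[0] == "4":
            return "visa"
        if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
            return "mastercard"
    return "unknown"


def mask(pan: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_candidate_pans(text: str) -> list[str]:
    """Return every Luhn-valid 15/16-digit run found in a free-text value."""
    return [m for m in CANDIDATE_RE.findall(text) if luhn_valid(m)]


def scan_records(records: list[dict], fields: tuple[str, ...] = ("notes",)) -> list[dict]:
    """Report masked, brand-tagged PAN candidates found in the given free-text fields."""
    findings = []
    for rec in records:
        for field in fields:
            for pan in find_candidate_pans(str(rec.get(field, ""))):
                findings.append({
                    "guest_id": rec["guest_id"],
                    "field": field,
                    "masked": mask(pan),
                    "brand": likely_brand(pan),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Running it on the constructed records flags guests 1 and 3 only; the 16-digit confirmation code fails the Luhn check and is ignored.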

Lastly, Marriott has discontinued the Starwood reservations database, and is now taking registrations solely through its own system. The breach, as readers might remember, occurred via Starwood’s servers, following Marriott’s acquisition of the leisure company in 2015.

Some say Chinese spies could be behind the Marriott breach, as part of a larger intelligence-gathering campaign targeting the U.S. and operated from Beijing.

HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations

The U.S. Department of Health and Human Services (HHS) released voluntary healthcare cybersecurity practices to help medical organizations strengthen their security posture.

On December 28, HHS released “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” in response to a mandate to develop healthcare cybersecurity standards laid out by the Cybersecurity Act of 2015. More than 150 cybersecurity and healthcare experts from the private and public sectors worked together for two years to fulfill this directive.

The publication is broken down into three sections. The first examines cybersecurity threats confronting the healthcare industry. The second portion identifies weaknesses that render healthcare organizations vulnerable to threats, and the third and final segment outlines strategies that medical entities can use to defend against digital threats.

Healthcare Data Breaches on the Rise

Healthcare data breaches are on the rise. In a study published by the JAMA Network, researchers analyzed all the data security incidents reported to the Office of Civil Rights at HHS between January 2010 and December 2017. They found a total of 2,149 breaches affecting 176.4 million patient records. The annual number of data breaches increased each year during the analyzed time period except 2015, starting with 199 in 2010 and growing to 344 in 2017.

Of the incidents that exposed patients’ personal health information (PHI), 53 percent originated inside the organization. That’s consistent with the Office of the Australian Information Commissioner’s (OAIC) quarterly statistics for Q3 2018. OAIC received 45 data breach notifications from healthcare organizations during the quarter, 56 percent of which resulted from human error.

Healthcare Cybersecurity Best Practices

Security professionals can begin enforcing healthcare cybersecurity best practices by producing creative employee awareness content that specifically appeals to the company’s workforce. Healthcare organizations should also adopt a security immune system strategy that, among other things, uses artificial intelligence (AI) and automation to mitigate risk across the network.

The post HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations appeared first on Security Intelligence.

What does Cybersecurity have in store for 2019?

A guest article authored by Tom Kellermann, Chief Cybersecurity Officer, Carbon Black

In every intelligence industry there’s often a central aim: predicting the future. We collect and analyse, dissect and interpret, looking for that essential nugget that will give us the edge over our adversaries by indicating what they’ll do next. While this activity goes on 24/7/365, the end of the year encourages us to go public with forecasts to help navigate the choppy waters on the horizon. This year, because all good intelligence involves collaboration, I’ve combined my thoughts with those of our threat analysts and security strategists to give some insight into the TTPs and sectors likely to be top of the list for cyberattackers in 2019.

1. Destructive attacks and nation-state activity continue to ramp up
Geo-political tension remained high throughout 2018, bringing with it an associated uplift in cyber insurgency. The US trade war with China is undoubtedly a factor behind the recent resurgence in Chinese cyber espionage and this is set to continue. As well as espionage targeted at infiltration and data theft, our intelligence detected an escalation of attacks where the primary objective was destruction. Our most recent Quarterly Incident Response Threat Report (QIRTR) depicted a wide-spread adoption of C2 on sleep cycles and a high prevalence of attack victims experiencing island hopping and counter incident response.

In 2019, I’m predicting we’ll see more instances of island hopping, particularly via public cloud infrastructure. We’ll also continue to see a wave of destructive attacks as geopolitical tension continues to manifest itself in cyberspace.

2. Counter-detection gets more sophisticated
In 2019, we’ll continue to see attackers attempt to counter detection in the form of Vapor worms (fileless attacks that display worm characteristics and propagate through networks) and IoT worms. As attackers become more sophisticated in their methods, defenders will need to get more adept at spotting evidence of incursions through proactive threat hunting and analysis.

3. Breach to extortion will become common
Paul Drapeau, Enterprise Architect in our Threat Analysis Unit, believes our habit of putting our private lives online in the hands of third parties will come back to haunt us in 2019. He told me:

“Attackers have been actively using ransomware to make a quick buck by locking systems and encrypting files, but this activity could move from compromise of systems to compromise of personal lives. Breaches of social media platforms present a wealth of data to be mined by bad actors. This data could be used to correlate activities between people to find illegal, scandalous or compromising behaviour and then leveraged for traditional blackmail at scale. “Pay up or your spouse/employer gets copies of these direct messages,” an example note might read. We can fight ransomware on our own networks with anti-malware tools or backups, but we depend on giant companies to protect our more personal details.”

The breach doesn’t even have to be real to result in extortion attempts, as was seen in 2018 with the mass email scam purporting to have compromising video and passwords of the victims. Imagine an attacker building on data from a breach and fabricating message contents and then demanding “ransom” be paid. This type of attack definitely takes more work to pull off, it’s more targeted and difficult, but the payoff could be there. Victims may be willing to pay more money and pay up more readily when it is their real lives and reputations at stake vs. their digital files.

4. Supply-chain attacks in healthcare
When it comes to the sectors facing the highest risk, our Security Strategist Stacia Tympanick expects to see a lot more supply chain attacks occur within the Healthcare industry. Healthcare is a tough attack surface to protect and could be a tempting target for nation-state actors bent on disrupting critical national infrastructure (CNI).

There is so much focus on just making sure that devices are discovered and protected on networks, that managing medical devices on top of this opens up a large attack surface. The trend toward remotely managing patient conditions via IoT devices increases that surface still further – this vector could be weaponised by bad actors.

Healthcare is also starting to move to the cloud as part of UK government’s ‘Cloud-first’ policy, so cloud providers should be evaluated under a stern eye to ensure that proper and secure procedures/processes are in place to protect patient data.

5. Steganography makes a comeback
I always like to make at least one semi-bold prediction each year, and this year I’m saying that steganography makes a comeback. Steganography is the technique of hiding secret information within innocuous images or documents and it’s an ancient practice – think Da Vinci hiding codes in the Mona Lisa. Examples of steganography are just as hard to detect in the cyber world, with code being masked in legitimate files designed to make it past scanners and firewalls. We could see steganography being used in combination with other attack vectors to create persistence and control mechanisms for malware that’s already running on a compromised network.

Whatever 2019 holds, here at Carbon Black we’ll be working 24/7 to collect, analyse and interpret the intel that will keep us a step ahead of our adversaries. Wishing you all a happy and cybersafe New Year!

Tom Kellermann, Chief Cybersecurity Officer, Carbon Black

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 includes reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 million users of "make your own avatar" app Boomoji had their accounts compromised, after the company reportedly didn't secure its internet-connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.

A large data breach reported in Brazil is of interest: a massive 120 million Brazilian citizens' personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018. The lesson to be learnt in the UK is to never assume or take cloud security for granted; it's essential practice to test and audit cloud services regularly.

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employees' personal data may have been compromised. Let's hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.
NASA InSight Lander arrives on Mars

It wouldn't be normal for Facebook not to be in the headlines for poor privacy; this time Facebook announced a Photo API bug which exposed 6.8 million user images.

Away from the political circus that is Brexit, the European Parliament passed a new Cybersecurity Act into law. Because Brexit is making all the headlines, this new law may have gone under the radar, but it is certainly worth keeping an eye on, even after the UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU-wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect this new best-practice framework and its associated accreditations will be turned into regulations further down the line, which would impact any tech business operating in the European Union.

The UK Parliament enacted the "Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian for England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with the UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to the UK's future critical national infrastructure posed by the Chinese state-backed tech giant. The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in the new UK mobile network.

Security company Insinia caused controversy after it took over the Twitter accounts of Eamonn Holmes, Louis Theroux and several other celebrities. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, and the way the social network interacts with smartphones when messages are sent, in order to inject messages onto the targeted accounts. However, Insinia were accused in some quarters of being unethical and of breaking the UK Computer Misuse Act.

Unsecured internet-connected printers are being hacked again; this time they were used to print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up to 50,000 printers after using Shodan to search for open printer ports online; the scan was said to have found 800,000 vulnerable printers.

A Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way." The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.


Abine says Blur Password Manager User Information Exposed

Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product.

The post Abine says Blur Password Manager User Information Exposed appeared first on The Security Ledger.


        2018: The year of the data breach tsunami

        It’s tough to remember all of the data breaches that happened in 2018. But when you look at the largest and most impactful ones that were reported throughout the year, it paints a grim picture about the state of data security today.

        The consequences of major companies leaking sensitive data are many. For consumers, it represents a loss of privacy, potential identity theft, and countless hours repairing the damage to devices. And it’s costly for companies, too, in the form of bad press and the resulting damage to their reputation, as well as time and money spent to remediate the breach and ensure customers’ data is well secured in the future.

        But despite the well-known costs of data breaches, the problem of leaky data isn’t getting better. While there were a greater number of breaches in 2017, 2018 saw breaches on a more massive scale and from marquee players, such as Facebook, Under Armor, Quora, and Panera Bread. Cybercriminals stole sensitive personally identifiable information (PII) from users, including email and physical addresses, passwords, credit card numbers, phone numbers, travel itineraries, passport data, and more.

        You’d think these problems would cause companies to be extra diligent about discovering data breaches, but that doesn’t seem to be the case. In reality, companies rarely discover data breaches themselves. According to Risk Based Security, only 13 percent of data breaches are discovered internally.

        To help people better understand the modern problem of data breaches, TruthFinder created this infographic. It clarifies the extent of the crisis using statistics from the Identity Theft Threat Center and Experian. Take a look at the infographic below to get sense of why 2018 was the year of the data breach tsunami.


        The post 2018: The year of the data breach tsunami appeared first on Malwarebytes Labs.

        BevMo leaks credit card data (including CVVs) of 15,000 customers

        American alcohol retailer BevMo has suffered a breach that leaked credit card data, including security codes, belonging to 15,000 customers.

        A privately-held corporation based in Concord, California, BevMo sells mostly alcoholic beverages. The company was founded in January 1994 as Beverages & More and was re-branded as BevMo in January 2001. As of 2013, the company operates 148 stores.

        The California attorney general’s office received a notice from BevMo this week that someone planted malware on its checkout page, the Associated Press reports. The code was designed to steal customers’ names, credit and debit card numbers, expiration dates, CVV codes (the three-digit security code used to confirm transactions), billing addresses, shipping addresses and phone numbers.

        NCR Corporation, the service provider that operates BevMo’s website, removed the malware soon after it learned of the breach. However, the personal and financial information of some 15,000 customers is reportedly already in the wrong hands. NCR is now collaborating with a third-party forensic firm to assist in further investigation. BevMo, for its part, has been in contact with law enforcement and credit card companies, and is conducting its own investigation into the breach.

        According to Tamara Pattison, BevMo’s Chief Marketing and Information Officer, if you’ve placed an order with BevMo between August 2 and September 26 you might be one of the 15,000 customers whose data was stolen by hackers. In such a case, you can contact a company official at (877) 565-6276.


        Why other Hotel Chains could Fall Victim to a ‘Marriott-style’ Data Breach

        A guest article authored by Bernard Parsons, CEO, Becrypt

        Whilst I am sure more details behind the Marriott data breach will slowly come to light over the coming months, there is already plenty to reflect on given the initial disclosures and accompanying hypotheses.

        With the prospects of regulatory fines and lawsuits looming, assimilating the sheer magnitude of the numbers involved is naturally alarming. Up to 500 million records containing personal and potentially financial information is quite staggering. In the eyes of the Information Commissioner’s Office (ICO), this is deemed a ‘Mega Breach’, even though it falls short of the Yahoo data breach. But equally concerning are the various timeframes reported.

        Marriott said the breach involved unauthorised access to a database containing Starwood properties guest information, on or before 10th September 2018. Its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

        Starwood disclosed its own breach in November 2015 that stretched back to at least November 2014. The intrusion was said to involve malicious software installed on cash registers and other payment systems, which were not part of its guest reservations or membership systems.

        The extent of Marriott’s regulatory liabilities will be determined by a number of factors not yet fully in the public domain. For GDPR this will include the date at which the ICO was informed, the processes Marriott has undertaken since discovery, and the extent to which it has followed ‘best practice’ prior to, during and after breach discovery. Despite the magnitude and nature of the breach, it is not impossible to imagine that Marriott might have followed best practice, albeit such a term is not currently well-defined, but it is fairly easy to imagine that their processes and controls reflect common practice.

        A quick internet search reveals just how commonplace and seemingly inevitable the industry’s breaches are. In December 2016, a pattern of fraudulent transactions on credit cards was reportedly linked to their use at InterContinental Hotels Group (IHG) properties. IHG stated that the intrusion resulted from malware installed on point-of-sale systems at restaurants and bars of 12 properties in 2016, and later, in April 2017, acknowledged that cash registers at more than 1,000 of its properties were compromised.

        According to KrebsOnSecurity, other reported card breaches include Hyatt Hotels (October 2017), the Trump Hotel (July 2017), Kimpton Hotels (September 2016), Mandarin Oriental properties (2015), and Hilton Hotel properties (2015).

        Therefore, perhaps the most important lessons to be learnt in response to such breaches are those that seek to understand the factors that make data breaches all but inevitable today. Whilst it is Marriott in the news this week, the challenges we collectively face are systemic and it could very easily be another hotel chain next week.

        Reflecting on the role of payment (EPOS) systems and cash registers within leisure industry breaches is illustrative of the challenge. Paste the phrase ‘EPOS software’ into your favourite search engine, and see how prominent, or indeed absent, the notion of security is. Is it any wonder that organisations often unwittingly connect devices with common and often unmanaged vulnerabilities to systems that may at the same time be used to process sensitive data? Many EPOS systems effectively run general purpose operating systems, but are typically subject to fewer controls and less monitoring than conventional IT systems.

        So Why is This?
        Often the organisation can’t justify having a full blown operating system and sophisticated defence tools on these systems, especially when they have a large number of them deployed out in the field, accessing bespoke or online applications. Often they are in widely geographically dispersed locations which means there are significant costs to go out and update, maintain, manage and fix them.

        Likewise, organisations don’t always have the local IT resource in many of these locations to maintain the equipment and its security themselves.

        Whilst a light is currently being shone on Marriott, perhaps our concerns should be far broader. If the issues are systemic, we need to think about how better security is built into the systems and supply chains we use by default, rather than expecting hotels or similar organisations in other industries to be sufficiently expert. Is it the hotel, as the end user that should be in the headlines, or how standards, expectations and regulations apply to the ecosystem that surrounds the leisure and other industries? Or should the focus be on how this needs to be improved in order to allow businesses to focus on what they do best, without being quite such easy prey?


        CEO and co-founder of Becrypt

        Cyber Security Roundup for November 2018

        One of the largest data breaches in history was announced by Marriott Hotels at the end of November. A hack was said to have compromised up to a mind-blowing "half a Billion" hotel guests' personal information over a four year period. See my post, Marriott Hotels 4 Year Hack Impacts Half a Billion Guests for the full details. The Radisson Hotel Group also disclosed that its Rewards programme suffered a data compromise. Radisson said hackers had gained access to a database holding members' names, addresses, email addresses, and in some cases, company name, phone number, and Radisson Rewards member number.

        Vision Direct reported a website compromise which impacted users of its website between 3rd and 8th November; some 16,300 people were said to be at risk. A fake Google Analytics script was placed within its website code by hackers.

        Eurostar customers were notified by email to reset their passwords following presumably successful automated login attempts to Eurostar accounts with stolen credentials obtained by an unknown method.

        Two of the TalkTalk hackers were sentenced to a grand total of 20 months for their involvement in the infamous 2015 blackmail hack, which was said to have cost TalkTalk £77 million. There may have been up to 10 other attackers involved according to the court transcripts, when hackers attempted to blackmail TalkTalk’s then CEO Dido Harding into paying a ransom in Bitcoin to cover up the breach. Has the enterprise, and judiciary, learned anything from the TalkTalk hack?

        Uber was fined £385,000 by the UK Information Commissioner's Office, after hackers stole the records of 2.7 million UK customers in October and November 2016. Uber attempted to cover up the breach by paying the hackers $100,000 (£78,400) to destroy the stolen customer data. Meanwhile stateside, Uber paid $148m to settle federal charges.

        HSBC announced it had suffered a customer data breach between 4th and 14th October 2018 in a suspected "credential stuffing" attack. HSBC didn't state how many customers were impacted but is known to have 38 million customers worldwide. HSBC advised its customers to regularly change and use strong passwords and to monitor their accounts for unauthorised activity, sage online banking advice, but I am sure its customers will want to know what has happened.

        Facebook is still making the wrong kind of privacy headlines, this time it was reported that Facebook members' private message data was found for sale online, with one instance involving 257,256 stolen profiles and including 81,208 private messages. The report appears to suggest malicious browser extensions, not Facebook, may be behind the data breach.

        A report from a UK parliamentary committee warned the UK government is failing to deliver on protecting the UK's critical national infrastructure (CNI) from cyber attacks. "The threat to critical infrastructure, including the power grid, is growing" the committee reported, with some states -"especially Russia" - starting to explore ways of disrupting CNI. An advisory notice also warned that UK companies connected to CNI were being targeted by cyber attackers believed to be in eastern Europe. APT28 (Russian based FancyBear) has added the "Cannon" Downloader Tool to their arsenal, according to researchers.

        Amazon's showcase Black Friday sale was hit by a data breach days before it started. The online retail giant said it emailed affected customers, but refused to provide any details on the extent or nature of the breach. The customer email said “Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”

        There was a far more positive security announcement by Amazon about its AWS (cloud) services, with the launch of three new services to simplify and automate AWS security configuration, called AWS Control Tower, AWS Security Hub, and AWS Lake Formation. McAfee released its 2019 'Cloud Adoption and Risk Report', which highlights the vital importance of configuring cloud services correctly and securely.

        RiskIQ claimed that monitoring for malicious code could have stopped the recent theft of 185,000 British Airways customer records. The Magecart hacker group is believed to be responsible for injecting twenty-two lines of malicious script into British Airways' payment page, which successfully lifted debit and credit card details, including the CVV code.
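The monitoring RiskIQ refers to comes down to keeping an inventory of the scripts a payment page loads and alerting when that inventory changes, which would also have exposed the fake Google Analytics script mentioned in the Vision Direct item above. The following is an added example, not code from RiskIQ, British Airways, Vision Direct or the roundup author: it baselines the external script hosts and inline-script hashes of a constructed checkout page and flags anything not in the baseline; the hostnames and page snapshots are placeholders.

```python
"""Script-inventory drift detection for a checkout page (added example).

The HTML snapshots below are constructed samples and the hostnames are
placeholders; nothing here is taken from a real site.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect <script src=...> hosts and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # list of (host, full src) for external scripts
        self.inline = []     # list of sha256 hex digests of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((urlparse(src).netloc.lower(), src))
        else:
            # No src attribute: the body that follows is inline code.
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode()).hexdigest())
            self._in_inline = False


def inventory(html):
    """Parse one page snapshot and return the collected script inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector


def build_baseline(html):
    """Derive the allowlist from a reviewed, known-good snapshot."""
    inv = inventory(html)
    return {host for host, _ in inv.external}, set(inv.inline)


def check_page(html, allowed_hosts, known_inline_hashes):
    """Return findings for scripts absent from the baseline; [] means no drift."""
    inv = inventory(html)
    findings = []
    for host, src in inv.external:
        if host not in allowed_hosts:
            findings.append(f"unexpected external script host {host!r} ({src})")
    for digest in inv.inline:
        if digest not in known_inline_hashes:
            findings.append(f"unknown inline script sha256={digest[:16]}...")
    return findings


# Constructed baseline snapshot of a checkout page (placeholder host).
BASELINE_HTML = """
<html><head>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</head><body><form id="payment"></form></body></html>
"""

# Constructed later snapshot: one extra inline block and one new script host.
TAMPERED_HTML = """
<html><head>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
<script>/* constructed: code that was not in the baseline */ var t = 1;</script>
<script src="https://static.unknown-cdn.test/a.js"></script>
</head><body><form id="payment"></form></body></html>
"""

ALLOWED_HOSTS, KNOWN_INLINE = build_baseline(BASELINE_HTML)

if __name__ == "__main__":
    for finding in check_page(TAMPERED_HTML, ALLOWED_HOSTS, KNOWN_INLINE):
        print("ALERT:", finding)
```

In practice the baseline would be refreshed on every reviewed deployment and the check run against the live page on a schedule, since a skimmer that reaches the page only through a compromised third-party script host is invisible to a check of the server-side source.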

        Finally, according to enSilo, European Windows users are said to be targeted by a sophisticated malware called 'DarkGate', which has an array of nefarious capabilities, including cryptomining, credential stealing, ransomware, and remote-access takeovers. The DarkGate malware has been found to be distributed via Torrent files disguised as popular entertainment offerings, including Campeones and The Walking Dead, so be careful to avoid becoming infected!


        Affected by a Data Breach? 6 Security Steps You Should Take

        It’s common for people to share their personal information with companies for multiple reasons. Whether you’re checking into a hotel room, using a credit card to make a purchase at your favorite store, or collecting rewards points at your local coffee shop, companies have more access to your data than you may think. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

        A high-profile hotel and another popular consumer brand’s perks program recently experienced data breaches that exposed users’ personal information. If you think you were affected by one of these breaches, there are multiple steps you can take to help protect yourself from the potential side effects.

        Check out the following tips if you think you may have been affected by a data breach, or just want to take extra precautions:

        • Change your password. Most people will rotate between the same three passwords for all of their personal accounts. While this makes it easier to remember your credentials, it also makes it easier for hackers to access more than one of your accounts. Try using a unique password for every one of your accounts or employ a password manager.
        • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
        • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
        • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
        • Update your privacy settings. Be careful with how much of your personal information you share online. Make sure your social media accounts and mobile apps are on private and use multi-factor authentication to prevent your accounts from being hacked.
        • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

        And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

        The post Affected by a Data Breach? 6 Security Steps You Should Take appeared first on McAfee Blogs.

        Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!

        A mammoth data breach was disclosed by hotel chain Marriott International today (30 Nov 18), with a massive 500 million customer records said to have been compromised by an "unauthorized party". 
        The world's largest hotel group launched an internal investigation in response to a system security alert on 8th September 2018, and found an attacker had been accessing the hotel chain's "Starwood network" and customer personal data since 2014, copying and encrypting customer records. In addition to the Marriott brand, Starwood includes W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. 

        You are at risk if you have stayed at any of the above hotel brands in the last 4 years

        The Marriott statement said that for around 326 million of its guests, the personal information compromised included "some combination" of name, address, phone number, email address, passport number, date of birth, gender and arrival & departure information. The hotelier also said encrypted payment card data was copied, and that it could not rule out that the encryption keys needed to decrypt the cardholder data had also been stolen.

        The hotel giant said it would notify affected customers and offer some of them a fraud detection service for a year for free, so I expect they will be making contact with me soon. In the meantime, Marriott has launched a website for affected customers and a free helpline for concerned UK customers, 0808 189 1065.

        The UK ICO said it would be investigating the breach, and warned those who believe they are impacted to be extra vigilant and to follow the advice on the ICO website and by the National Cyber Security Centre. The hotel chain could face huge fines under the GDPR, and possibly a large scale class action lawsuit by their affected guests, which could cost them millions of pounds.

        What I really would like to know is why the hotel chain had retained such vast numbers of guest records after their stay, why it held its customers' passport details, and whether those encryption keys were stolen or not. And finally, why the unauthorised access went undetected for four years.

        Tom Kellermann, Chief Cybersecurity Officer for Carbon Black, said "It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation - they’re getting in, moving around and seeking more targets as they go."

        “The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation's affiliates, often smaller companies with immature security postures and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

        Jake Olcott, VP of Strategic Partnerships at BitSight, said "Following the breaking news today that Marriott’s Starwood bookings database has been compromised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise its Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach".

        “This is yet another example of why it is critical that companies perform cybersecurity analysis during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

        “Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”

        8 Ways to Secure Your Family’s Online Holiday Shopping

        It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

        Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

        8 Ways to Secure Your Family’s Holiday Shopping Online

        1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
        2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
        3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
        4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
        5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
        6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Choose a password that is unhackable rather than one that is super easy to remember.
        7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL, its design, its security badges. Google the charity and see if any scams have been reported.
        8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

        No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

        Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!


        The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

        IoT Lockdown: Ways to Secure Your Family’s Digital Home and Lifestyle

        If you took an inventory of your digital possessions, chances are most of your life — everything from phones to toys, to wearables, to appliances — has wholly transitioned from analog to digital (rotary to wireless). What you may not realize is that with this dramatic transition comes a fair amount of risk.

        Privacy for Progress

        With this massive tech migration, an invisible exchange has happened: Privacy for progress. Here we are intentionally and happily immersed in the Internet of Things (IoT). IoT is defined as everyday objects with computing devices embedded in them that can send and receive data over the internet.

        That’s right. Your favorite fitness tracking app may be collecting and giving away personal data. That smart toy, baby device, or video game may be monitoring your child’s behavior and gathering information to influence future purchases. And, that smart coffee maker may be transmitting more than just good morning vibes.

        A Gartner report estimated there were 8.4 billion connected “things” in 2017 and as many as 20 billion by 2020. The ability of some IoT devices is staggering and, frankly, a bit frightening. The data collection ability of smart devices and services on the market is far greater than most of us realize. Rooms, devices, and apps come equipped with sensors and controls that can gather and inform third parties about consumers.


        Lockdown IoT devices:

        • Research product security. With so many cool products on the market, it’s easy to be impulsive and skip your research but don’t. Read reviews on a product’s security (or lack of). Going with a name brand that has a proven security track record and has worked out security gaps may be the better choice.
        • Create new passwords. Most every IoT device will come with a factory default password. Hackers know these passwords and will use them to break into your devices and gain access to your data. Take the time to go into the product settings (general and advanced) and create a unique, strong password.
        • Keep product software up-to-date. Manufacturers often release software updates to protect customers against vulnerabilities and new threats. Set your device to auto-update, if possible, so you always have the latest, safest upgrade.
        • Get an extra layer of security. Managing and protecting multiple devices in our already busy lives is not an easy task. To make sure you are protected consider investing in software that will give you antivirus, identity and privacy protection for your PCs, Macs, smartphones, and tablets—all in one subscription.
        • Stay informed. Think about it, crooks make it a point to stay current on IoT news, so shouldn’t we? Stay a step ahead by staying informed. Keep an eye out for any news that may affect your IoT security (or specific products) by setting up a Google alert.

        A connected life is a good life, no doubt. The only drawback is that criminals fully understand our growing dependence on and affection for IoT devices and spend most of their time looking for vulnerabilities. Once they crack our network from one angle, they can reach other data-rich devices and possibly access private and financial data.

        As Yoda says, “with much power comes much responsibility.” Discuss with your family the risks that come with smart devices and how to work together to lock down your always-evolving, hyper-connected way of life.

        Do you enjoy podcasts and wish you could find one that helps you keep up with digital trends and the latest gadgets? Then give McAfee’s podcast Hackable a try.

        The post IoT Lockdown: Ways to Secure Your Family’s Digital Home and Lifestyle appeared first on McAfee Blogs.

        Have You Talked to Your Kids About a Career in Cybersecurity?

        Here’s some cool trivia for you: What profession currently has a zero-percent unemployment rate, pays an average of $116,000 a year, and is among the top in-demand jobs in the world? A lawyer? A pharmacist? A finance manager, perhaps?

        Nope. The job we’re talking about is a cybersecurity specialist and, because of the increase in cyber attacks around the world, these professionals are highly employable.

        Job Security

        According to numbers from the Bureau of Labor and Statistics, a career in cybersecurity is one of the most in-demand, high-paying professions today with an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers. How’s that for job security?

        Why is the demand so high? Sadly, because there are a lot of black hats (bad guys) out there who want our data — our user IDs, passwords, social security numbers, and credit card numbers. Every month it seems banks, hospitals, and major corporations are reporting security breaches, which has left the global cybersecurity talent pool with an estimated deficit of two million professionals.

        It’s exciting to see gifts and passions emerge in our kids as they grow and mature. If a child is good at math and sciences, we might point them toward the medical field. If a child shows an affinity for English and communication skills, maybe a law, teaching, or media career is in their future.

        But what about a cybersecurity expert? Have you noticed any of these skills in your kids?

        Cybersecurity skills/traits:

        Problem-solving
        Critical thinking
        Flexible/creative problem solving
        Collaborative, team player
        Continual learner
        Gaming fan
        A sense of duty, justice
        Persistent, determined
        Works well under pressure
        Curious and perceptive
        Technology/tech trend fan
        Verbal and written communications

        Education

        Most jobs in cybersecurity require a four-year bachelor’s degree in cybersecurity or a related field such as information technology or computer science. Students take coursework in programming and statistics, ethics, and computer forensics, among other courses.

        Conversation Starters

        First, if your child has some of the skills/personality traits mentioned, how do you start directing him or her toward this field? The first place to begin is in the home. Model smart cybersecurity habits. Talk about digital safety, the importance of protecting personal data and the trends in cybercrimes. In short, model and encourage solid digital citizenship and family security practices.

        Second, bring up the possibility, or plant the seed. Be sure to encourage both boys and girls equally. Help your child find answers to his or her questions about careers in computer and data science, threat research, engineering and information on jobs such as cybersecurity analyst, vulnerability analyst, and penetration tester.

        Third, read and share takeaways from Winning The Game, a McAfee report that investigates the key challenges facing the IT security industry and the possible link between teen gaming and a successful cybersecurity career.

        Additional resources*

        CyberCompEx. A connection point for everything cybersecurity including forums, groups, news, jobs, and competition information.

        CyberCorps® Scholarship for Service. SFS is a program providing scholarships and stipends to undergraduate and graduate students studying cybersecurity at participating institutions. Great for those who want to work in government.

        CyberPatriot. This site is created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM).

        GenCyber. This is a summer cybersecurity camp for K-12 students and teachers that focuses on inspiring kids to direct their talents toward cybersecurity skills and closing the security skills gap.

        National CyberWatch Center. The National CyberWatch Center is a consortium of higher education institutions, public and private businesses, and government agencies focused on advancing cybersecurity education and strengthening the workforce.

        National Initiative for Cybersecurity Careers and Studies. NICCS provides information on cybersecurity training, formal education, and workforce development.

        National Initiative for Cybersecurity Education. NICE is an initiative to energize and promote a robust network and an ecosystem of cybersecurity education, cybersecurity careers, training, and workforce development.

        *Resource list courtesy of Stay Safe Online.


        Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

        The post Have You Talked to Your Kids About a Career in Cybersecurity? appeared first on McAfee Blogs.

        #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

        It wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

        Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjust her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

        The Toll: Financial & Emotional

        Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were the victim of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

        The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report feeling rage, severe distress, angry, frustrated, paranoid, vulnerable, fearful, and — in 7% of the cases — even suicidal.

        Wanted: Your Child’s SSN

        Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for more extended periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, until the child grows up and applies for a car or student loan, the theft goes undetected.

        Where do thieves get the SSNs? From data breaches at schools, pediatrician offices and banks, and from home robberies. A growing area of concern is medical identity theft, which gives thieves the ability to obtain prescription drugs and even expensive medical treatments using someone else’s identity.

        6 Ways to Build #CyberAware Kids

        1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family, and by then it’s too late. Discuss identity theft and its fallout with your kids. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
        2. Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online with the goal of gathering the personal information they need to steal an identity. Thieves are skilled at trolling social networks, looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop-up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.
        3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mother’s maiden name, and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
        4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by requesting an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s Social Security number.
        5. Know the warning signs. If someone is using your child’s data, you may notice: 1) pre-approved credit card offers addressed to them arriving via mail, 2) collection agencies calling and asking to speak to your child, 3) court notices regarding delinquent bills. If any of these things happen, your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
        6. Report theft. If you find a violation of your child’s credit of any kind, go to IdentityTheft.gov to report the crime and begin restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

        Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.


        Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

        The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

        Cyber Security Roundup for September 2018

        September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss. 380,000 of the airline's website and mobile app customers had their debit and credit card details lifted via a maliciously injected script. The breach even caused BA's owner, IAG, to drop 4% in value. To compound matters, there were several claims that the BA website wasn't PCI DSS compliant, implying that if it had been PCI DSS compliant, customers' personal and payment card information would still be safe. For further details about this breach see my blog posts: British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

        Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users’ data was at risk after hackers exploited a vulnerability in the Facebook code. Facebook CEO Mark Zuckerberg said he doesn’t know who is behind the cyber attack; however, the FBI are investigating.

        There was a good measure of embarrassment at the Tory Conference after a flaw in the conference app revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove and Gavin Williamson among those whose personal information and phone numbers were made available.

        There were a number of large data breach fines handed out in September. Tesco Bank was hit with a whopping £16.4 fine by the Financial Conduct Authority (FCA); the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left its bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and its financial crime operations team to carry out the attack over a 48-hour period.

        Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

        The ICO also fined Bupa £175K for not having good enough security to prevent the theft of 547,000 customer records by an employee. Uber has paid £133m to settle legal claims by customers and drivers, as a result of trying to hide from its regulators a huge breach which occurred in 2016. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they robbed from Uber's cloud servers. The personal data stolen was from 57 million Uber accounts and also included 600,000 driving licence numbers.

        Looks like the MoD and GCHQ are looking to beef up Britain's cyber offence capabilities, announcing a plan to recruit a 2,000-strong 'cyber force' to take on the Russian threat. Meanwhile across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of the book and movie "Catch Me If You Can".

        Bristol Airport was impacted by a ransomware attack, which took down its arrival and departure screens for a couple of days, and a Scottish brewery was also hit by a ransomware attack through an infected CV it had received through an online job advertisement.

        Europol warned of 15 ways you could become a cyber crime victim, and there was an excellent article in the New York Times on the Bangladesh Central Bank cyber theft.


        #CyberAware: Will You Help Make the Internet a Safe Place for Families?

        Don’t we all kinda secretly hope, even pretend, that our biggest fears are in the process of remedying themselves? Like believing that the police will know to stay close should we wander into a sketchy part of town. Or that our doors and windows will promptly self-lock should we forget to do so. Such a world would be ideal — and oh, so, peaceful — but it just isn’t reality. When it comes to making sure our families are safe, we’ve got to be the ones to be aware, responsible, and take the needed action.

        Our Shared Responsibility

        This holds true in making the internet a safe place. As much as we’d like to pretend there’s a protective barrier between us and the bad guys online, there’s no single government entity that is solely responsible for securing the internet. Every individual must play his or her role in protecting their portion of cyberspace, including the devices and networks they use. And, that’s what October — National Cyber Security Awareness Month (NCSAM) — is all about.

        At McAfee, we focus on these matters every day, but this month especially we are linking arms with safety organizations, bloggers, businesses, and YOU — parents, consumers, educators, and digital citizens — to zero in on ways we can all do our part to make the internet safe and secure for everyone. (Hey, sometimes the home team needs a huddle, right!?)

        8 specific things you can do!


        1. Become a NCSAM Champion. The National Cyber Security Alliance (NCSA) is encouraging everyone — individuals, schools, businesses, government organizations, universities — to sign up, take action, and make a difference in online safety and security. It’s free and simple to register. Once you sign up you will get an email with a toolbox packed with fun, shareable memes to post for #CyberAware October.
        2. Tap your social powers. Throughout October, share, share, share great content you discover. Use the hashtag #CyberAware so the safety conversation reaches and inspires more people. Also, join the Twitter chat using the hashtag #ChatSTC each Thursday in October at 3 p.m. ET/Noon PT. Learn, connect with other parents and safety pros, and chime in.
        3. Hold a family tech talk. Be even more intentional this month. Learn and discuss suggestions from STOP. THINK. CONNECT.™ on how each family member can protect their devices and information.
        4. Print it and post it. Print out a STOP. THINK. CONNECT.™ tip sheet and display it in areas where family members spend time online.
        5. Understand and execute the basics. Information is awesome. But how much of that information do we truly put into action? Take 10 minutes to read 10 Tips to Stay Safe Online and another 10 minutes to install a firewall, strengthen your passwords, and make sure your home network is as secure as it can be.
        6. If you care — share! Send an email to friends and family informing them that October is National Cybersecurity Awareness Month and encourage them to visit staysafeonline.org for tips and resources.
        7. Turn on multi-factor authentication. Protect your financial, email and social media accounts with two-step authentication for passwords.
        8. Update, update, update! This overlooked but powerful way to shore up your devices is crucial. Update your software and turn on automatic updates to protect your home network and personal devices.

        Isn’t it awesome to think that you aren’t alone in striving to keep your family’s digital life — and future — safe? A lot of people are working together during National Cyber Security Awareness Month to educate and be more proactive in blocking criminals online. Working together, no doubt, we’ll get there quicker and be able to create and enjoy a safer internet.


        Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

        The post #CyberAware: Will You Help Make the Internet a Safe Place for Families? appeared first on McAfee Blogs.

        British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected

        On Friday (7th September 2018), British Airways disclosed that between 21st August 2018 and 5th September 2018, 380,000 BA customers' payment card transactions were compromised by a third party through its website and mobile app. This data included the customer's full name, email address, debit\credit card 16 digit number (PAN), expiry date and card security code, i.e. CVV, CV2.

        Details of how the hack was orchestrated have now come to light. In a blog post, RiskIQ researchers have claimed to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar attack against the Ticketmaster website recently. Web-based card skimmer script attacks have been occurring since 2015.

        In this case, once the customer had entered their payment card details and submitted the payment, either on a PC or on a touchscreen device, the malicious script executed and captured their payment card data, sending it to a virtual (VPS) server hosted in Romania. The server was hosted on a domain called baways.com and was certified (https) by Comodo to make it appear legit within the website HTML (code). The server domain was registered 6 days before the breach started; this obviously went undetected by BA's security, but the domain registration could perhaps have been picked up by a threat intelligence service.

        Other researchers have also claimed the BA website wasn't PCI DSS compliant. Marcus Greenwood found files loaded from 7 external domains onto the BA website, and crucially said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent any third-party scripts (and XSS attacks) from being able to read the payment card form fields. The Payment Card Industry Data Security Standard (PCI DSS) is required of all organisations which accept, process, store and/or transmit debit and credit cards.

        Here is the advice from CEO of global cybersecurity specialist SonicWall, Bill Conner:

        "Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drive a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

        My view: mass credit\debit card data (cardholder data) complete with the security code has always been targeted by cyber crooks as it is very easily sellable on the dark web, as the data can only be used in cardholder-not-present transaction fraud, where the card holder is not physically present, i.e. online, app, phone. The finger can be pointed at lack of PCI DSS compliance by merchants like BA; however, I think it is about time technology was used to improve the security of all cardholder-not-present transactions, namely multi-factor authentication (MFA). While MFA on all cardholder-not-present transactions is not a silver bullet (there is no 100% security), enforced usage across all industries would certainly devalue debit\credit card data considerably.

        British Airways Customer Data Stolen in Website and Mobile App Hack

        In a statement, British Airways stated: "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised." The airline said they will be notifying affected customers, and if anyone has been impacted to contact their bank or credit card providers.
        The Telegraph reported 380,000 payments were compromised, and that BA customers had experienced payment card fraud as a result before the BA breach disclosure, which strongly suggests unencrypted debit\credit card data was stolen.

        There are no details about the data theft method at the moment, but given the statement said the BA website and BA mobile app were compromised, I think we could be looking at another example of an insecure API being exploited, as per the Air Canada breach and the T-Mobile breach last month.

        We'll see what comes out in the wash over the next few days and weeks, but thanks to the GDPR, at least UK firms are quickly notifying their customers when their personal and financial data has been compromised, even if there is little detail reported about how. Without knowing how the data was compromised, customers cannot be truly assured their private data is safe. It also will be interesting to learn whether the BA systems were compliant with the Payment Card Industry Data Security Standard (PCI DSS), required by all organisations that accept, process, store and/or transmit debit and credit cards.

        Update: 
        A spokesperson at BA said "hackers carried out a sophisticated, malicious criminal attack on its website" and impacted BA customers would be compensated. 

        380,000 card payment transactions were confirmed as stolen, specifically:
        • Full Name
        • Email address
        • Payment card number (PAN)
        • Expiration date
        • Card Security Code [CVV] - typically a 3 digit authorisation code written on the back of the debit\credit card
        BA insists it did not store the CVV numbers; these are not allowed to be stored after payment card authorisation under PCI DSS. This suggests the card details may have been intercepted during the payment transaction, perhaps by a maliciously injected or compromised third-party website plugin, as opposed to data theft from the database, as often seen with SQL injection attacks against web apps.

        BA have published help and FAQs to anyone that is impacted by this data breach.
        https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information

        British Airways is owned by IAG, whose share price dropped by more than 4%, which equates to a £500m+ loss in the value of the company.

        Update on the Attack Method (11 Sept 2018)
        In a blog post, RiskIQ researchers have claimed to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar attack against the Ticketmaster website recently. Web-based card skimmer script attacks have been occurring since 2015.

        In this case, once the customer entered their payment card details and submitted the payment, either on a PC or on a touchscreen device, the malicious script captured their data and sent it to a virtual (VPS) server hosted in Romania. The server was hosted on a domain called baways.com and was certified (https) by Comodo to make it look legit. The server domain was registered 6 days before the breach started; this obviously went undetected by BA's security, but the rogue domain registration could perhaps have been picked up by a threat intelligence service.

        Researchers have also claimed the BA website wasn't PCI DSS compliant. They found 7 third-party scripts running on the BA website, but crucially said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent third-party scripts (and XSS attacks) from being able to read the payment card form fields.
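        The two weaknesses the researchers point to here and in the earlier post (third-party scripts loaded into the payment page, and card fields living in the top-level document rather than in an iframe) can be audited from a page's markup. The following is an added example, not BA's, RiskIQ's or the researchers' code: it parses two constructed checkout pages on reserved .test/.example hosts, and the list of card-field attribute names it matches on is illustrative.

```python
"""Audit a checkout page's markup for the two weaknesses described in the BA
posts: third-party scripts loaded into the payment page, and card-entry fields
sitting in the top-level document where any of those scripts can read them.

Added example, not BA's, RiskIQ's or the researchers' code. The pages below
are constructed; hosts use the reserved .test and .example TLDs."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute values that mark payment-card inputs: HTML autocomplete tokens plus
# a few common field names. Assumption: illustrative, not exhaustive.
CARD_FIELD_HINTS = {"cc-number", "cc-exp", "cc-csc", "cardnumber", "cvv", "cvc"}


class CheckoutAudit(HTMLParser):
    """Collects third-party script hosts, iframe hosts and card inputs from the
    top-level document. A frame's content is a separate document that this
    parser (like scripts on the parent page) never sees: that is the isolation
    the researchers said the BA payment page lacked."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.scripts = []              # (host, has_sri) per third-party script
        self.iframe_hosts = []         # hosts of embedded frames
        self.top_level_card_fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                # html.parser lowercases names for us
        if tag == "script" and a.get("src"):
            host = urlsplit(a["src"]).netloc
            if host and host != self.site_host:
                self.scripts.append((host, "integrity" in a))
        elif tag == "iframe" and a.get("src"):
            host = urlsplit(a["src"]).netloc
            if host:
                self.iframe_hosts.append(host)
        elif tag == "input":
            hints = {a.get("autocomplete"), a.get("name"), a.get("id")}
            if hints & CARD_FIELD_HINTS:
                self.top_level_card_fields.append(a.get("name") or a.get("id"))


def audit_checkout_page(html, site_host):
    """Return the findings a reviewer looking for Magecart-style exposure wants:
    third-party script hosts, those without Subresource Integrity (a modified
    copy would fail the browser's hash check), card fields readable by every
    script on the page, and whether card entry is delegated to a frame on
    another origin (typically the payment provider's hosted card form)."""
    parser = CheckoutAudit(site_host)
    parser.feed(html)
    third_party = sorted({h for h, _ in parser.scripts})
    without_sri = sorted({h for h, sri in parser.scripts if not sri})
    # Heuristic: isolated means no card inputs in the top document and at
    # least one frame served from a different host.
    isolated = not parser.top_level_card_fields and any(
        h != site_host for h in parser.iframe_hosts)
    return {
        "third_party_script_hosts": third_party,
        "scripts_without_sri": without_sri,
        "card_fields_in_top_document": parser.top_level_card_fields,
        "card_entry_isolated_in_cross_origin_frame": isolated,
    }


SITE_HOST = "shop.example"  # constructed first-party host

# Constructed: card fields inline, two third-party scripts, no SRI on either.
WEAK_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.test/tag.js"></script>
<script src="https://widgets.chat.test/loader.js"></script>
</head><body><form action="/pay" method="post">
<input name="cardnumber" autocomplete="cc-number">
<input name="expiry" autocomplete="cc-exp">
<input name="cvv" autocomplete="cc-csc">
<button>Pay</button></form></body></html>"""

# Constructed: card entry delegated to a cross-origin frame; the one remaining
# third-party script is pinned with SRI (placeholder hash, not a real digest).
HARDENED_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.test/tag.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
</head><body>
<iframe src="https://pay.psp-vault.test/card-form" title="Card entry"></iframe>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("weak", WEAK_PAGE), ("hardened", HARDENED_PAGE)):
        print(label)
        for key, value in audit_checkout_page(page, SITE_HOST).items():
            print(f"  {key}: {value}")
```

Even on the hardened page the analytics script still runs, so SRI on it matters; what changes is that a tampered copy fails to load and that no card field exists in the document it could read.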

        Bill Conner, CEO SonicWall said "Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drive a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

        Cyber Security Roundup for August 2018

        The largest data breach disclosed this month was by T-Mobile; the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). A vulnerable API used by the Air Canada mobile app was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change on all of its 77 million customer accounts as a result; however, the airline faced criticism from security experts for advising a weak password strength, namely a password length of 8, made up of just letters and digits. Both of these hacks underline the importance of regularly penetration testing apps and their supporting infrastructure, including their APIs.

        Hackers stole up to 34,000 Butlin's guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons as to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

        Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

        On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups by taking down six domains which hosted mimicked websites, likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese hotel group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, which is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

        On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigator (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month; the highlight was a demonstration of a vulnerability found by Secarma researchers, namely a PHP flaw which places CMS sites at risk of remote code execution.

        There were plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter firm releasing several out-of-band patches during August. A critical update was released for Apache Struts (a popular web framework), and there was a reminder that fax machines and all-in-one network devices could be used by hackers as a way into corporate networks.

        Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month: Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy.


        Latest on the Currys PC World Data Breach Impacting 10 Million Customers

        Following further investigations, Currys PC World today confirmed 10 million of their customer personal details may have been stolen by hackers, a revised number from the 1.2 million customers and 5.9 million payment cards it advised back in June.

        In June 2018, the company said there was "an attempt to compromise" 5.8 million credit and debit cards, but only 105,000 cards without chip-and-pin protection had been leaked after hackers attempted to access the company's payment processing systems.

        The hack was said to have occurred nearly a year before it was disclosed, so either it went undetected, which is common where there is inadequate security monitoring in place, or the business knew about the breach but chose not to disclose it to its impacted customers.

        The Information Commissioner's Office (ICO) fined Dixons Carphone £400,000 for a data breach in 2015; however, Currys PC World stated the incidents were not connected.

        The business stressed it has now improved its security measures including enhanced controls, monitoring, and testing to safeguard customer information, and "trebling their investment in cybersecurity". Unfortunately, no details have been disclosed explaining how the hackers were able to access such large quantities of personal data. The company "security improvement" statement suggests their IT security was rather underfunded and not at a sufficient standard to adequately secure their business operations and customer data.

        The ICO (statement) and the NCSC (statement) both released statements in June about the breach. So we'll see what the ICO makes of it, but I think the business is likely to be fined again, although not with the potentially massive GDPR penalties, as this data breach occurred before the GDPR came into force in May.

        Customer statement by Currys PC World to their customers today

        On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

        We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

        Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

        While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

        As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:

        If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.


        If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.

        We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.
        You can find more information here


        We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

        We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

        Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK based 'The Phoenix Partnership' (TTP). The same assurances also apply to internally developed applications; a case in point was a publicly announced flaw in Thomas Cook's booking system discovered by a Norwegian security researcher. The researcher used the app flaw to access the names and flight details of Thomas Cook passengers and released the details on his blog. Thomas Cook said the issue has since been fixed.

Third-party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company; on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to its official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that it had fixed a security vulnerability to prevent a reoccurrence. Typeform has not provided any details of the number of records compromised, but one of its customers, Monzo, said on its official blog that it was in the region of 20,000. Interestingly, Monzo also declared it would end its relationship with Typeform unless Typeform wins its trust back. Travelodge is one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge's customer surveys and competitions.

        Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties designed to bring tech giants to book; let's be honest, £500k is petty cash for the social media giant.
        Facebook-Cambridge Analytica data scandal
        Facebook reveals its data-sharing VIPs
        Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluding the government had "only limited assurance" Huawei kit posed no threat to UK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money; not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns about BT's and other UK companies' reliance on the Chinese manufacturer's devices; by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russian bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromised a router, which gave them access to the bank's internal network; from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.


        NEWS

        Cyber Security Roundup for June 2018

Dixons Carphone said hackers attempted to compromise 5.9 million payment cards and accessed 1.2 million personal data records. The company, which was heavily criticised for poor security and fined £400,000 by the ICO in January after being hacked in 2015, said in a statement the hackers had attempted to gain access to one of the processing systems of Currys PC World and Dixons Travel stores. The statement confirmed 1.2 million personal records had been accessed by the attackers. No details were disclosed explaining how hackers were able to access such large quantities of personal data, just a typical cover statement of "the investigation is still ongoing". It is likely this incident occurred before the GDPR law kicked in at the end of May, so the company could be spared the new, more significant financial penalties and sanctions the GDPR gives the ICO, but it is certainly worth watching the ICO response to a repeat offender which had already received a record ICO fine this year. The ICO (statement) and the NCSC (statement) both have released statements about this breach.

Ticketmaster reported the data theft of up to 40,000 UK customers, which was caused by a security weakness in a customer support app hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Ticketmaster informed affected customers to reset their passwords and has offered impacted customers a free 12-month identity monitoring service with a leading provider. No details were released on how the hackers exploited the app to steal the data; it is likely to have been a malware-based attack. However, there are questions on whether Ticketmaster disclosed and responded to the data breach quickly enough, after digital banking company Monzo claimed the Ticketmaster website showed up as a CPP (Common Point of Purchase) in an above-average number of recent fraud reports. Monzo noticed 70% of fraudulent transactions with stolen payment cards had used the Ticketmaster site between December 2017 and April 2018. The UK's National Cyber Security Centre said it was monitoring the situation.

TSB customers were targeted by fraudsters after major issues with the bank's online banking systems were reported. The TSB technical issues were caused by a botched system upgrade rather than hackers. TSB bosses admitted 1,300 UK customers had lost money to cyber crooks during its IT meltdown; all were said to have been fully reimbursed by the bank.

The Information Commissioner's Office (ICO) issued Yahoo a £250,000 fine after an investigation into the company's 2014 breach, which is a pre-GDPR fine. Hackers were able to exfiltrate 191 server backup files from the internal Yahoo network. These backups held the personal details of 8.2 million Yahoo users, including names, email addresses, telephone numbers, dates of birth, hashed passwords and other security data. The breach only came to light as the company was being acquired by Verizon.

        Facebook woes continue, this time a bug changed the default sharing setting of 14 million Facebook users to "public" between 18th and 22nd May.  Users who may have been affected were said to have been notified on the site’s newsfeed.

        Chinese Hackers were reported as stealing secret US Navy missile plans. It was reported that Chinese Ministry of State Security hackers broke into the systems of a contractor working at the US Naval Undersea Warfare Center, lifting a massive 614GB of secret information, which included the plans for a supersonic anti-ship missile launched from a submarine. The hacks occurred in January and February this year according to a report in the Washington Post.

Elon Musk (Tesla CEO) claimed an insider sabotaged code and stole confidential company information. According to CNBC, in an email to staff, Elon wrote: "I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties". Tesla has filed a lawsuit accusing a disgruntled former employee of hacking into the systems and passing confidential data to third parties. In the lawsuit, it said the stolen information included photographs and video of the firm's manufacturing systems, and the business had suffered "significant and continuing damages" as a result of the misconduct.

Elsewhere in the world, FastBooking had 124,000 customer accounts stolen after hackers took advantage of a web application vulnerability to install malware and exfiltrate data. Atlanta Police dashcam footage was hit by ransomware. And US company HealthEquity had the data of 23,000 customers stolen after a staff member fell for a phishing email.

        IoT Security
The Wi-Fi Alliance announced WPA3, the next generation of wireless security, which is more IoT device friendly, more user-friendly, and more secure than WPA2, which recently had a security weakness reported (see the KRACK vulnerability). BSI announced they are developing a new standard for IoT devices and apps called ISO 23485. A Swann home security camera system sent a private video to the wrong user; this was said to have been caused by a factory error. For guidance on IoT security, see my post Combating IoT Cyber Threats.

        As always, a busy month for security patching, Microsoft released 50 patches, 11 of which were rated as Critical. Adobe released their monthly fix for Flash Player and a critical patch for a zero-day bug being actively exploited. Cisco released patches to address 34 vulnerabilities, 5 critical, and a critical patch for their Access Control System. Mozilla issued a critical patch for the Firefox web browser.

        NEWS

        Cyber Security Roundup for May 2018

I'm sure the GDPR coming into force on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation that touches EU citizens' personal data.

The GDPR's potential hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted did not obtain GDPR-compliant "explicit consent" from the data subject. So there is a long way to go for many organisations before they reach a truly GDPR compliant state, based on what I've seen so far in my mailbox.

        Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
        On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.

        Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force, the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and its service providers, and the European NIS Directive (for operators of essential services and digital service providers) went under the radar, but they are significant to those working in those industries.

Always make sure your broadband router/hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches; otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. This was evidenced this month, after a DNS-hijacking flaw in over 800,000 DrayTek routers allowed hackers to take them over, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see a ban on all USB devices as a rather smart business and security move, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" value instead of as a hashed value, as per best practice. I always strongly recommend that Twitter users take advantage of the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

        Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

        As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.

Some interesting articles this month: the Welsh Cyber Security Revolution, and a review of the NHS a year on from the WannaCry outbreak.

        Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.

        NEWS
        AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help Application Developers develop GDPR compliant applications.

        Developing GDPR Compliant Applications Guidance

        The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organizations outside of Europe that handle the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

        Part 1: A Developer's Guide to the GDPR
        Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

        Part 2: Application Privacy by Design
        Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

        Part 3: Minimizing Application Privacy Risk

        Part 3  provides practical application development techniques that can alleviate an application's privacy risk.

        Cyber Security Roundup for April 2018

        The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
        Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botched upgrade to their online banking system meant the Spanish-owned bank had to shut down its online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than a million customer accounts following a breach by hackers, US bank SunTrust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US retailers Saks and Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklisted China's state-owned firm ZTE, warning UK telecom providers that usage of ZTE's equipment could pose a national security risk. Interestingly, BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russia of large-scale cyber-campaigns aimed at compromising vast numbers of Western network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware, e.g. Zeus, TrickBot, Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.

A concerning report by the EEF said UK manufacturers' IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers having already been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens the door to cybercriminals.

        Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.

        NEWS
        AWARENESS, EDUCATION AND THREAT INTELLIGENCE
        REPORTS

        Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations. Government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault.


        Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.
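The Walmart-partner incident above is the recurring "open bucket" misconfiguration, so here is an added example (written for this page; it is not the partner's configuration and not any vendor's tool) of the check a practitioner runs before a bucket goes live: parse the bucket policy and legacy ACL and flag anything that grants read access to an anonymous principal. It is offline, stdlib only, and works on the JSON you would get back from `aws s3api get-bucket-policy` / `get-bucket-acl`; the policies and ACL below are constructed samples, and the bucket and account identifiers in them are placeholders.

```python
import fnmatch
import json

# Actions that let an anonymous caller read objects or enumerate keys.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

# Legacy ACL grantee groups that mean "everyone" / "anyone with any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields (Statement, Action, Resource, Principal.AWS) may be a
    scalar or a list; normalise so the caller can iterate either way."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the "*" may be inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _read_actions_covered(actions) -> list:
    """Return the listed action patterns (wildcards such as s3:Get* or s3:* included)
    that match at least one of the read actions. Matching is case-insensitive."""
    return [a for a in actions
            if any(fnmatch.fnmatchcase(t, a.lower()) for t in READ_ACTIONS)]


def public_policy_findings(policy: dict) -> list:
    """One finding per Allow statement that lets an anonymous principal read.
    Deny statements with Principal "*" are the normal lock-down idiom, so they are skipped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_everyone(stmt.get("Principal")):
            continue
        hits = _read_actions_covered(_as_list(stmt.get("Action")))
        if not hits:
            continue
        findings.append({
            "statement": stmt.get("Sid", f"Statement[{idx}]"),
            "actions": hits,
            "resources": _as_list(stmt.get("Resource")),
            # A Condition (e.g. aws:SourceIp) may narrow "everyone"; still needs a human look.
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_findings(acl: dict) -> list:
    """Grants on the legacy bucket ACL to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in _as_list(acl.get("Grants")):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            findings.append({"grantee": grantee["URI"], "permission": grant.get("Permission")})
    return findings


# Constructed samples (placeholder bucket name and account id, not real resources).
OPEN_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-db-dump", "arn:aws:s3:::example-db-dump/*"]}]}
""")

LOCKED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRoleOnly", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-db-dump/*"},
  {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-db-dump/*",
   "Condition": {"StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/app-reader"}}}]}
""")

OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}

if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, "policy findings:", public_policy_findings(pol))
    print("acl findings:", public_acl_findings(OPEN_ACL))
```

Run this over every bucket in the account (the policy and ACL calls are per bucket), and treat any finding that is not deliberately a public website bucket as a blocker. It complements, rather than replaces, the account-level Block Public Access setting: that setting stops the policy being attached at all, this check tells you what is already attached.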

TalkTalk were warned about their website's poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, in which 157,000 customer details were stolen. The company was also told to "be more diligent and more vigilant" and was fined a further £100,000 after data belonging to 21,000 customers was exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded, which peaked at a massive 1.35 terabits per second, thanks to Akamai DDoS protection.

UK schools were warned they were soft targets for cybercriminals; experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children's medical records said to be lucrative on the dark web. There have been a number of security incidents disclosed involving UK schools in recent months.
        Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

The alleged leader of the gang that ran the Carbanak and Cobalt bank-targeting malware has been arrested. The gang is reported to be responsible for the theft of up to a billion euros through bank transfers and from cash machines, from over 100 banks since 2013.


        NEWS

        AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        REPORTS

        When the Press Aids the Enemy

        Let's start with this- Freedom of the press is a critical part of any free society, and more importantly, a democratically governed society.

        But that being said, I can't help but think there are times when the actions of the media aid the enemy. This is a touchy subject so I'll keep it concise and just make a few points that stick in my mind.

        First, it's pretty hard to argue that the media looks for ever-more sensational headlines, truth be damned, to get clicks and drive traffic to their publication. Whether it's digital or actual ink-on-paper sensationalism sells, there's no arguing with that.

What troubles me is that, like in the war on terrorism, the enemy succeeds in their mission when the media creates hysteria and fear. This much should be clear. The media tend to feed into this pretty regularly and we see this in some of the most sensational headlines from stories that should be told in fact, not fantasy.


So when I came across this article on Buzzfeed called "The Messy Media Ethics Behind the Sony Hacks" it suddenly hit me - the media may very well be playing perfectly into the enemy's hands. The "Guardians of Peace" (GOP) in their quest to ruin Sony Pictures Entertainment have stolen an unfathomable amount of information. As Steve Ragan, who has written repeatedly about this and many other breaches, tweeted, that's 200GB or 287,000 documents. That's mind-blowing.

        This cache of data has proven to be yet-unreleased movies, marketing presentations, email exchanges between executives and attorneys, financial plans, employees' medical records and so much more. The GOP have made it clear their aim is to "punish" Sony Pictures Entertainment - and while we don't really have an insight as to the true motivations here, I think it's clear that releasing all this data is meant to severely negatively impact the business.

        What has followed in the days since the announcement of the hack is a never-ending stream of "news" articles that I struggle to understand. There were articles like this one providing commentary and analysis on internal marketing department presentations. There were articles analyzing the internal and privileged (as far as I know, but I'm not a lawyer) communications between corporate legal counsel and Sony Pictures executives. There were articles talking about the release of SPE employee medical records. The hit-parade goes on and on... and I'm not linking over to any more of the trash because it embarrasses me.

        Clearly, clearly, the mainstream media (and hell even the not-so-mainstream) have long lost their ethics. Some would claim that it's the "freedom of the press" that allows them to re-publish and discuss sensitive, internal documents. Others argue that since it's already in the public domain (available on BitTorrent) then it's fair game. Note: This was discussed during the Snowden release - and it was clear that classified information released to the public domain does not suddenly lose its classified status. I'm fairly certain this easily applies to the not-national-security type of assets as well. To be honest, this argument makes me question the intellectual integrity of some of the people who make it.

        Anyway, back to my point. If the GOP wanted to destroy Sony Pictures Entertainment then hacking in and releasing secret information and intellectual property was only half the battle. The second half, unfortunately, is being picked up and executed by the media, bloggers, and talking heads putting out "analysis" on all this data. Publishing links to the hacked data, analyzing its contents, and looking for further embarrassing and ugly things to publish- the media should be ashamed of itself.

The hack alone wasn't going to damage SPE's image to where it has fallen now - the media is clearly complicit in this and it's a shame. I'm not an attorney so I question whether publishing and discussing confidential communications between an attorney and executive is ethical. Forget that, is it even legal? Journalists and bloggers continue to hide behind the "freedom of the press", and some folks have even taken to blasting me for daring to question the absolute rights of the press. Except - the freedom of the press isn't absolute, as far as I know.

        But whether it's legal, clearly there are ethical problems here. If you're in the media and you're poring over the confidential email communications stolen from Sony Pictures Entertainment systems, I emphasize stolen, and you're commenting on this - to what end? Arguing that the media is releasing this information because (a) it's already in the public domain and (b) it's "for the public good" is ludicrous.

Remember, while you're reveling in someone else's misery, that you too may be a coincidental victim one day. Then it'll be your turn to have your private information released and analyzed and attacked as part of the next breach. Your recourse? None... Glass houses, journalists. Glass houses.

        The Other Side of Breach Hysteria

        In a world where everyone is trying to sell you something, security is certainly no exception. But separating the hype from the truth can easily turn into a full time job if you're not careful.

With all the recent retail data breaches, it would appear as though the sky is falling in large chunks right on top of us. Every big-name retailer, and even some of the smaller ones, are being hacked and their precious card data is being whisked away to be sold to miscreants and criminals.

        Now enter the sales and marketing pitches. After every breach it would seem our mailboxes fill up with subject lines such as-
        "Learn how not to be the next , read how our latest gizmo will keep you secure!"
        I don't know about you, but the snake-oil pitch is starting to get old. While it's clear that the average buyer is getting the message about data breaches and hackers - I believe there are two other aspects of this which aren't talked about enough.

        First there is the notion of "breach fatigue". If you read the news headlines you would have thought that everyone's bank accounts would be empty by now, and everyone in the United States would have been the victim of identity theft by now. But they haven't. Or they haven't been impacted directly. This leads to the Chicken Little problem.

        You see, many security professionals cried that security incidents did not receive enough attention. Then the media took notice, and sensationalized the heck out of incidents to an almost rock-star fervor. The issue here is that I believe people are starting to grow weary of the "Oh no! Hackers are going to steal everything I have!" talk. Every incident is the biggest there has ever been. Every incident is hackers pillaging and stealing countless credit card records and identities. The average person doesn't quite know what to make of this, so they have no choice but to mentally assume the worst. Then - over time - the worst never comes. Sure, some get impacted directly but there is this thing called zero fraud liability (in the case of card fraud) that means they are impacted - but barely enough to notice because their banks make it alright. More on this in a minute.

        We as humans have a shocking ability to develop a tolerance to almost anything. Data breach hysteria is no exception. I've now seen and heard people around televisions (at airports, for example, where I happen to be rather frequently) say things like "Oh well, more hackers, I keep hearing about these hackers and it never seems to make a difference." Make no mistake, this is bad.

        You see, the other side of the awareness hill, which we are rapidly approaching, is apathy. This is the kind of apathy that is difficult to recover from because we push through the first wave of apathy into awareness, and then hysteria, which leads to a much stronger version of apathy where we will be stuck - I believe. So there we are, stuck.

        If I'm honest, I'm sick and tired of all the hype surrounding data breaches. They happen every day of every week, and yet we keep acting like we're shocked that Retailer X, or Company Y was breached. Why are we still even shocked? Many are starting to lose the ability to become shocked - even though the numbers of records breached and scale of the intrusions is reaching absurd proportions.

        Second point I'd like to make is around the notion of individual impact. Many people simply say that "this still doesn't impact me" because of a wonderful thing like zero fraud liability. Those 3 words have single-handedly destroyed the common person's ability to care about their credit card being stolen. After you've had your card cloned, or stolen online and had charges show up - you panic. Once you realize your bank has been kind enough to put the funds back, or roll-back the fraudulent charges you realize you have a safety net. Now these horrible, terrible, catastrophic breaches aren't so horrible, terrible and catastrophic. Now they're the bank's problem.

        Every time someone has a case of credit card fraud the bank covers under zero fraud liability (and let's face it, most cards and banks have this today) - their level of apathy for these mega-breaches grows. I believe this is true. I also believe there is little we can do about it. Actually, I'm not sure if there is anything that needs to be done about it. Maybe things are just the way they're going to be.

        There is a great phrase someone once used that I'm going to paraphrase and borrow here - things are as bad as the free market will support. If I may adapt this to security - the security of your organization is as good (or bad) as your business and your customers will support.

        Think about that.