Category Archives: Hackers

Hackers can access iCloud-locked iPhones using fake receipts and phishing kits

Hackers, Thieves, and Repair Shops Access iCloud-Locked iPhones, Here’s How

Hackers, thieves, and repair shops have discovered a new way to bypass the ‘Find My iPhone’ feature on iCloud-locked iPhones so that they can sell stolen or non-stolen devices, according to a report from Motherboard.

For those unaware, “Find my iPhone” is an app and service from Apple, which lets you locate, lock down or wipe your lost iPhone, iPad, iPod, or Macbook and requires a password to continue. Apple had introduced this feature in 2013 to safeguard people’s information stored on their iPhones.

In order to keep iPhones secure and make it less valuable targets to would-be thieves, iPhones can be associated only to one iCloud account at a time. This means that the hackers and thieves need to figure a way out to remove the iCloud account from the iPhone in order to sell the stolen device to someone else or for someone new to use it. The iCloud account can only be removed by entering the Apple ID password.

“The iCloud security feature has likely cut down on the number of iPhones that have been stolen, but enterprising criminals have found ways to remove iCloud in order to resell devices. To do this, they phish the phone’s original owners, or scam employees at Apple Stores, which have the ability to override iCloud locks. Thieves, coders, and hackers participate in an underground industry designed to remove a user’s iCloud account from a phone so that they can then be resold,” according to Motherboard.

In order to get into iCloud-locked iPhones, thieves are now producing fake receipts and invoices to fool Apple into believing that they are the actual owners of the phone. While the tricks include social engineering at Apple Stores, there are also “custom phishing kits for sale online designed to steal iCloud passwords from a phone’s original owner,” mentions Motherboard.

Additionally, a few hackers also reprogram stolen iPhones with a new IMEI. Besides this, there are also forums for the hacker community where they share new methods and tips to break into locked iPhones.

Even some unnamed repair companies have become actual customers of companies that illegally reset and reactivate the iCloud-locked iPhone.

“There are many listings on eBay, Craigslist, and wholesale sites for phones billed as ‘iCloud-locked,’ or ‘for parts’ or something similar,” added Motherboard. “While some of these phones are almost certainly stolen, many of them are not. According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones — including some iCloud-locked devices — are sold in bulk at private ‘carrier auctions’ where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)”

Basically, in the event your iPhone is stolen or lost, ensure that you change the password of your iCloud account immediately. Further, beware of phishing scams and carefully check the addresses or URLs of the websites you visit, especially login pages. It is recommended to keep a unique password not only for your iCloud account but also for every other online account. Also, ensure that you have enabled two-step authentication on your iCloud account.

The post Hackers can access iCloud-locked iPhones using fake receipts and phishing kits appeared first on TechWorm.

Hackers can hack an Android smartphone just by looking at a PNG image

Vulnerability in PNG file can allow hackers to hack Android smartphones

Beware, while opening a harmless-looking image downloaded from the internet, emails, social media apps, or messaging apps, as it could compromise your smartphone.

Google has discovered three new critical vulnerabilities that allow hackers to hack an Android smartphone just by looking at a PNG image. This bug has affected millions of devices that run on Android OS versions, ranging from Nougat 7.0 to its current Android 9.0 Pie.

The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, were, however, patched in Android Open Source Project (ASOP) by Google as part of their Android Security Updates for February 2019.

According to Google’s Android Security Bulletin, the vulnerability that allows “a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” is the most severe vulnerability.

This means that if a hacker successfully manages to deceive a user to open or download an image from any webpage, or received through an instant messaging service, or as an attachment in an email, he or she can get access to your smartphone.

Besides the three flaws, Google also included fixes for 42 vulnerabilities in the Android OS in total in its 2019 February update, of which 11 are considered as critical, 30 high impact and one medium-gravity.

Google has said that it has no reports of anyone exploiting the vulnerabilities listed in its February security bulletin against real users or in the wild. The search giant also said that it has alerted its Android partners of all vulnerabilities a month before publication, adding that “source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours.”

Unfortunately, it is unknown when third-party handset manufacturers will roll out the security updates on their phones, as many of them take weeks, if not months, to do roll them out. This means your Android handset is still not protected even after receiving the 2019 February update. It is suggested that one should patch their Android smartphone as soon as a security update available from the handset manufacturer.

The post Hackers can hack an Android smartphone just by looking at a PNG image appeared first on TechWorm.

Safer Internet Day: Are you where you think you are?

Safer Internet Day is an excellent opportunity for users of all kinds to brush up on their cyber safety knowledge — although security practice should be maintained on all days, it

The post Safer Internet Day: Are you where you think you are? appeared first on The Cyber Security Place.

IT Security Expert Blog: Customers Blame Companies not Hackers for Data Breaches

RSA Security latest search reveals over half (57%) of consumers blame companies ahead of hackers if their data is stolen. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust.

The RSA Data Privacy & Security Survey 2019 identified that companies have lost the trust of customers as a disconnect has formed between how companies are using customer data and how consumers expect their data to be used.

Despite the fact that consumers harbour heightened concerns about their privacy, they continue to exhibit poor cyber hygiene, with 83% of users admitting that they reuse the same passwords across many sites, leaving them more vulnerable.

Key takeaways from the RSA Data Privacy study, include:
  • Context matters: Individuals across all demographics are concerned about their financial/banking data, as well as sensitive information such as passwords, but other areas of concern vary dramatically by generation, nationality and even gender. For example, younger demographics are more comfortable with their data being used and collected than older survey respondents. 
  • Privacy expectations are cultural: Consumers respond to data privacy differently based on their nationality due to cultural factors, current events and high-profile data breaches in their respective countries. For example, in the months of the GDPR being implemented, German attitudes shifted in favour of stricter data privacy expectations, with 42% wanting to protect location data in 2018 versus only 29 percent in 2017.
  • Personalisation remains a puzzle: Countless studies have demonstrated that personalised experiences increase user activity and purchasing. However, the survey results showed that respondents do not want personalized services at the expense of their privacy. In fact, a mere 17% of respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical. 
“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, Vice President of International, RSA. “Now is the time for organisations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.


IT Security Expert Blog

Customers Blame Companies not Hackers for Data Breaches

RSA Security latest search reveals over half (57%) of consumers blame companies ahead of hackers if their data is stolen. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust.

The RSA Data Privacy & Security Survey 2019 identified that companies have lost the trust of customers as a disconnect has formed between how companies are using customer data and how consumers expect their data to be used.

Despite the fact that consumers harbour heightened concerns about their privacy, they continue to exhibit poor cyber hygiene, with 83% of users admitting that they reuse the same passwords across many sites, leaving them more vulnerable.

Key takeaways from the RSA Data Privacy study, include:

  • Context matters: Individuals across all demographics are concerned about their financial/banking data, as well as sensitive information such as passwords, but other areas of concern vary dramatically by generation, nationality and even gender. For example, younger demographics are more comfortable with their data being used and collected than older survey respondents. 
  • Privacy expectations are cultural: Consumers respond to data privacy differently based on their nationality due to cultural factors, current events and high-profile data breaches in their respective countries. For example, in the months of the GDPR being implemented, German attitudes shifted in favour of stricter data privacy expectations, with 42% wanting to protect location data in 2018 versus only 29 percent in 2017.
  • Personalisation remains a puzzle: Countless studies have demonstrated that personalised experiences increase user activity and purchasing. However, the survey results showed that respondents do not want personalized services at the expense of their privacy. In fact, a mere 17% of respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical. 
“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, Vice President of International, RSA. “Now is the time for organisations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.

How to browse the Internet safely at work

This Safer Internet Day, we teamed up with ethical hacking and web application security company Detectify to provide security tips for both workplace Internet users and web developers. This article is aimed at employees of all levels. If you’re a programmer looking to create secure websites, visit Detectify’s blog to read their guide to HTTP security headers for web developers.

More and more businesses are becoming security- and privacy-conscious—as they should be. When in years past, IT departments’ pleas for a bigger cybersecurity budget fell on deaf ears, this year, things have started looking up. Indeed, there is nothing quite like a lengthening string of security breaches to grab people’s—and executives’—attention.

Purely reacting to events is a bad terrible approach, and organizations who handle and store sensitive client information have learned this the hard way. It not only puts businesses in constant firefighting mode, but is also a sign that their current cybersecurity posture may be inadequate and in need of proper assessment and improvement.

Part of improving an organization’s cybersecurity posture has to do with increasing its employees’ awareness. Being their first line of defense, it’s only logical to educate users about cybersecurity best practices, as well as the latest threats and trends. In addition, by providing users with a set of standards to adhere to, and maintaining those standards, organizations can create an intentional culture of security.

Developing these training regimens requires a lot of time, effort, and perhaps a metaphorical arm and a leg. Do not be discouraged. Companies can start improving their security posture now by sharing with employees a helpful and handy guide on how to safely browse the Internet at work, whether on a desktop, laptop, or mobile phone.

Safe Internet browsing at work: a guideline

Take note that some of what’s listed below may already be in your company’s Employee Internet Security Policy, but in case you don’t have such a policy in place (yet), the list below is a good starting point.

Make sure that your browser(s) installed on your work machine are up-to-date. The IT department may be responsible for updating employee operating systems (OSes) on remote and in-house devices, as well as other business-critical software. It may not be their job, however, to update software you’ve installed yourself, such as your preferred browser. The number one rule when browsing the Internet is to make sure that the browser is up-to-date. Threats such as malicious websites, malvertising, and exploit kits can find their way through vulnerabilities that out-of-date browsers leave behind.

While you’re at it, updating other software on your work devices keeps browser-based threats from finding other ways onto your system. If IT doesn’t already cover this, update your file-compressor, anti-malware program, productivity apps, and even media players. It’s a tedious and often time-consuming task, but—shall we say—updating is part of owning software. You can use a software updater program to make the ordeal more manageable. Just don’t forget to update your updater, too.

If you have software programs you no longer use or need, uninstall them. Let’s be practical: There’s really no reason to keep software if you’ve stopped using it or if it’s just part of bloatware that came with your computer. It’s also likely that, since you’re not using that software, it’s incredibly outdated, making it an easy avenue for the bad guys to exploit. So do yourself a favor and get rid. That’s one less program to update.

Know thy browser and make the most of its features. Modern-day browsers like Brave, Vivaldi, and Microsoft Edge have launched quite a bit differently than their predecessors. Other than their appealing customization schemes, they also boast of being secure (or private) by default. By contrast, browsers that have been around for a long time continue to improve on these aspects, as well as their versatility and performance.

Regardless of which browser you use, make it a point to review its settings (if you haven’t already) and configure them with security and privacy in mind. The US-CERT has more detailed information on how to secure browsers, which you can read through here.

Refrain from visiting sites that your colleagues or boss would frown upon if they look over your shoulder. Most employees know that visiting and navigating to sites that are not safe for work (NSFW) is a no-no, but they still do it. Trouble is, not only does this welcome malware and other threats that target visitors of such sites, but it could also result in being—rightfully or not—accused of sexual harassment. Browsing sites of a pornographic nature could make coworkers incredibly uncomfortable, and if this behavior is generally tolerated by the brass, it could result in the company becoming the subject of a hostile environment claim. So if hackers don’t scare you, maybe a lawsuit will.

Use a password manager. It may sound like this advice is out of place, but we include it for a reason. Password managers don’t just store a multitude of passwords and keep them safe. They can also stop your browser from pre-filling fields on seemingly legitimate, but ultimately malicious sites, making it an unlikely protector against phishing attempts. So the next time you receive an email from your “bank” telling you there’s a breach and you have to update your password, and your password manager refuses to pre-fill that information, scrutinize the URL in the address bar carefully. You might be on a site you don’t want to be on.


Read: Why you don’t need 27 different passwords


Consider installing apps that act as another layer of protection. There is a trove of fantastic browser apps out there that a privacy- and security-conscious employee can greatly benefit from. Ad blockers, for instance, can strip out ads on sites that have been used by malicious actors before in malvertising campaigns. Tracker blockers allow one to block trackers on sites that monitor their behavior and gather information about them without their consent. Script blockers disable or prevent the execution of browser scripts, which criminals can misuse. Other apps, such as HTTPS Everywhere, force one’s browser to direct users to available HTTPS versions of websites.

Consider sandboxing. A sandbox is software that emulates an environment where one can browse the Internet and run programs independently from the actual endpoint. It’s typically used for testing and analyzing files to check if they’re safe to deploy and run.

We’re not saying that employees should know how to analyze files (although kudos if you can). Only that employees who normally open attachments from their personal emails, stumble into sites that may be deemed sketchy at best, or want to check out programs from third-party vendors do so in a safe setup that is isolated from their office network. Here is a list of free sandbox software you can read more about if you’re interested in trying one out.

Assume you are a target. Not many employees would like to admit this. In fact, it may not have crossed their minds until now. A lot of small businesses, for example, would like to think that they cannot be targets of cyberattacks because criminals wouldn’t go after “the little guy.” But various surveys, intelligence, and research tell a different story.

Employees need to change their thinking. Each time we go online at work, whether for valid reasons or not, we are putting our companies at risk. So we must take the initiative to browse safely, adopt cybersecurity best practices, and embrace training sessions with open minds. Realize that a lot is at stake in the office environment, and a single mouse click on a bad link could bring down an entire business. Do you want to be the person responsible?

We’re all in this together

When it comes to preventing online threats from infiltrating your organization’s network and keeping sensitive company and client data secure, it is true that they are no longer just IT concerns. Cybersecurity and privacy are and should be every employee’s concern—from the rank-and-file up to the managerial and executive level.

Indeed, no one should be exempted from continuous cybersecurity training, nor high-ranking officials should go on thinking that company policies don’t apply to them. If every employee can adhere to the simple guideline above, we believe that organizations of all sizes are already in a better security posture than before. This is just the first step, however. There is still the need for organizations to assess their cybersecurity and privacy needs, so they can effectively invest in tools and services that help better secure their unique work environment. Whatever changes they choose to implement that require employee participation, IT and high-ranking work officials must ensure that everyone is in it together.

Stay safe!

More Safer Internet Day blog posts:

The post How to browse the Internet safely at work appeared first on Malwarebytes Labs.

Hacker behind Collection #1 credential database identified

The threat actor was believed to be working on this breach for over two to three years. Known by the pseudonym ‘C0rpz’, it was hinted that there was more than

The post Hacker behind Collection #1 credential database identified appeared first on The Cyber Security Place.

A Hackers Take On Blockchain Security

One of the leading factors of the blockchain—aside from the obvious decentralization—is the high level of security behind it. It’s not uncommon to hear people claim that it is “unhackable.”

The post A Hackers Take On Blockchain Security appeared first on The Cyber Security Place.

Execs Remain Weak Link in Cybersecurity Chain

Despite their high-ranking positions, senior executives are reportedly the weak link in the corporate cybersecurity chain with a new report from The Bunker, which finds that cyber-criminals often target this known

The post Execs Remain Weak Link in Cybersecurity Chain appeared first on The Cyber Security Place.

Cyber Security Roundup for January 2019

The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018.  On Saturday 26th January, car services and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disputed its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the malware outbreak was likely caused by a general lack of security patching and anti-virus protection as opposed to anything sophisticated.

B&Q said it had taken action after a security researcher found and disclosed details of B&Q suspected store thieves online. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, which included: the first and last names of individuals caught or suspected of stealing goods from stores descriptions of the people involved, their vehicles and other incident-related information the product codes of the goods involved the value of the associated loss.

Hundreds of German politicians, including Chancellor Angela Merkel, have had personal details stolen and published online at the start of January.  A 20 year suspect was later arrested in connection to this disclosure. Investigators said the suspect had acted alone and had taught himself the skills he needed using online resources, and had no training in computer science. Yet another example of the low entry level for individuals in becoming a successful and sinister hacker.

Hackers took control of 65,000 Smart TVs around the world, in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encourages victims to visit a web address before finishing up with, "you should also subscribe to PewDiePie"
Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame, but were said to have fixed them anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video of the negative impact of that stunt on the hackers on the BBC News website - The PewDiePie Hackers: Could hacking printers ruin your life?

Security company ForeScout said it had found thousands of vulnerable devices using search engines Shodan and Cenys, many of which were located in hospitals and schools. Heating, ventilation, and air conditioning (HVAC) systems were among those that the team could have taken control over after it developed its own proof-of-concept malware.

Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced a mass password invoke by Reddit in response. A Reddit admin said "large group of accounts were locked down" due to anomalous activity suggesting unauthorised access."

Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

A new warning was issued by Action Fraud about a convincing TV Licensing scam phishing email attack made the rounds. The email attempts to trick people with subject lines like "correct your licensing information" and "your TV licence expires today" to convince people to open them. TV Licensing warned it never asks for this sort of information over email.

January saw further political pressure and media coverage about the threat posed to the UK national security by Chinese telecoms giant Huawei, I'll cover all that in a separate blog post.


BLOG
NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

This Week in Security News: Hacker Strategies and Spyware Attacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how hackers are improving their breach strategies. Also, learn about new spyware attacks via URLs, websites, and mobile apps.

Read on: 

Informing Your Security Posture: How Cybercriminals Blend into the Background

Maintaining protection over an enterprise’s critical data, systems and assets is a continual uphill battle. Hackers are bolstering their capabilities to silently breach platforms and staying under the radar.

Trend Micro: Cybersecurity Staff Feel Unsupported By Businesses

In a global survey of 1,125 IT executives, Trend Micro discovered that enterprise cybersecurity staff feels unsupported by their enterprises, with 33 percent feeling isolated in their positions.

What Enterprise Leaders Should know about Persistent Threats in 2019

As hackers continually shift and improve upon their attack and breach strategies, IT and security stakeholders must do their best to keep up and remain informed of these trends. 

Facebook Pays Teens to Install VPN That Spies on Them

Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity.

ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai

Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks.  

Major iPhone FaceTime Bug Lets You Hear the Audio of the Person You Are Calling … Before They Pick Up

A bug has been discovered that lets you call anyone with FaceTime and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call.

Various Google Play “Beauty Camera” Apps Sends Users Pornographic Content, Redirects Them to Phishing Websites and Collects Their Pictures

Trend Micro discovered several beauty camera apps on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes. 

Microsoft Exchange Vulnerability Enables Attackers to Gain Domain Admin Privileges

Microsoft Exchange 2013 and newer versions are vulnerable to a privilege escalation attack that gives anyone with a mailbox a way to gain domain administrator rights at potentially 90% of organizations running Active Directory and Exchange.

Zero-Day Vulnerability in Total Donations Plugin Could Expose WordPress Websites to Compromise

Owners and administrators of WordPress websites that use the “Total Donations” plugin are advised to remove the plugin after a zero-day vulnerability and design flaws were seen actively exploited. 

U.S. Judge Rejects Yahoo Data Breach Settlement

A U.S. judge rejected Yahoo’s proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency.

Modified TeamViewer Tool Drops Trojan Spyware on Victims

On January 20, a security researcher going by FewAtoms spotted a malicious URL in the wild. The URL is an open directory that leads would-be victims to a malicious self-extracting archive. 

Which spyware attack were you most surprised to hear about? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Hacker Strategies and Spyware Attacks appeared first on .

Email Attacks Increasingly Using Compromised Accounts

Hackers are realising that it’s easier to defraud someone if you’re using a legitimate email address, rather than creating one yourself. With that in mind, they’re increasingly using compromised emails

The post Email Attacks Increasingly Using Compromised Accounts appeared first on The Cyber Security Place.

Most IT Pros Share and Reuse Passwords: Report

Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according

The post Most IT Pros Share and Reuse Passwords: Report appeared first on The Cyber Security Place.

1 in 8 Businesses Are Destroyed by Data Breaches. Don’t Be a Statistic

I have frequently stated that one of the leading causes of business failures is poor cash flow management. According to a study by US Bank, 82% of all businesses that

The post 1 in 8 Businesses Are Destroyed by Data Breaches. Don’t Be a Statistic appeared first on The Cyber Security Place.

Why it’s important for organisations to train staff in cybersecurity

Breaches are an ongoing issue that organisations face on a day to day basis. For as long as risk carries

Why it’s important for organisations to train staff in cybersecurity on Latest Hacking News.

Unpatched Vulnerabilities Exposes Businesses To Hackers

Are organizations keeping software up to date and maintaining security patches on a scheduled basis? The answer may shock you. According to Veracode’s latest research, most businesses will not patch critical security

The post Unpatched Vulnerabilities Exposes Businesses To Hackers appeared first on The Cyber Security Place.

North Korean hackers get access to Chile’s ATM after employee falls for fake job interview over Skype

Employee tricked into giving North Korean hackers access to Chile’s ATM over fake Skype job interview

North Korean hackers fooled a Redbanc employee into a fake job interview over Skype and then tricked him into downloading malware onto his work computer to get access to the company’s interbank network, according to a report by Chilean news site trendTIC.

For those unaware, Redbanc is an interbank network in Chile that connects the ATMs of all the banks in Chile.

It all began when the Redbanc employee in question responded to a developer job advertisement on the job website, LinkedIn. When the Redbanc professional clicked to apply for the position, he was contacted by the hackers for an interview, which they conducted in Spanish via a Skype call.

During the interview, the employee was asked to download, install, and run a program named ApplicationPDF.exe on the computer. He was told that it was a part of the recruitment process and would generate a standard application form online in PDF format.

However, the program instead installed malware on the computer, which in turn allowed hackers to gain access to the employee’s work computer username, hardware and OS, and proxy settings. This information was later used to deliver a second-stage payload to the device.

Although this attack took place in December last year, it was only made public after Chilean Senator Felipe Harboe used Twitter to accuse Redbanc of not disclosing the breach in time.

In a statement, the company says “the event had no impact on our operations, keeping our services running smoothly”.

Security company Flashpoint linked the malware strain to PowerRatankba, a malware toolkit that was previously used by North Korea-affiliated hacker group Lazarus. This hacking group which is behind the infamous Sony hack in 2014, have also been accused of attempting to steal money from Banco de Chile last year.

The post North Korean hackers get access to Chile’s ATM after employee falls for fake job interview over Skype appeared first on TechWorm.

Report: Iranian APT Actors Regroup After Main Security Forum Shuts Down

Iranian state-sponsored hackers are regrouping after the shutdown last year of their main security forum, migrating to other forums and making new connections for potential cyber-response against mounting political pressures from the United States and Europe, according to a new report.

The post Report: Iranian APT Actors Regroup After Main...

Read the whole entry... »

Related Stories

A week in security (January 7 – 13)

Last week on the Malwarebytes Labs blog, we took a look at the Ryuk ransomware attack causing trouble over the holidays, as well as a ransom threat for an Irish transportation company. We explored the realm of SSN scams, and looked at what happens when an early warning system is attacked.

Other cybersecurity news

  • Password reuse problems. Multiple Reddit accounts reported being locked out after site admins blamed “password reuse” for the issue. (Source: The Register)
  • 85 rogue apps pulled from Play Store. Sadly, not before some 9 million downloads had already taken place. (Source: Trend Micro)
  • Home router risk. It seems many home routers aren’t doing enough in the fight against hackers. (Source: Help Net Security)
  • Deletion not allowed. Some people aren’t happy they can’t remove Facebook from their Samsung phones. (Source: Bloomberg)
  • Takedown: How a system admin brought down the notorious “El Chapo.” (Source: USA Today)
  • 2FA under fire. A new pentest tool called Mantis can be used to assist in the phishing of OTP (one time password) codes. (Source: Naked Security) 
  • Facebook falls foul of new security laws in Vietnam. New rules have brought a spot of bother for Facebook, accused of not removing certain types of content and handing over data related to “fraudulent accounts.” (source: Vietnam News)
  • Trading site has leak issue. A user on the newly set up trading platform was able to grab a lot of potentially problematic snippets, including authentication tokens and password reset links. (source: Ars Technica)
  • Local risk to card details. A researcher discovered payment info was being stored locally on machines, potentially exposing them to anyone with physical access. (Source: Hacker One) 
  • Facebook exec swatted. The dangerous “gag” of sending armed law enforcement to an address ends up causing problems for a “cybersecurity executive,” after bogus calls claimed they had “pipe bombs all over the place.” (source: PA Daily post)

Stay safe, everyone!

The post A week in security (January 7 – 13) appeared first on Malwarebytes Labs.

That Other Moscow: Sketchy LinkedIn Job Posts Mix US, Russian Locales

Bogus LinkedIn job postings for leading US organizations, including the US Army, the State of Florida and defense contractor General Dynamics, are popping up for Russian locales like St. Petersburg and Moscow, the firm Evolver has found. Is it AI-Gone-Wild, or is something more nefarious afoot?  Moscow, on the border between Idaho and Washington...

Read the whole entry... »

Related Stories

Malware Attack Compromises Titan’s System and Steals Customer Data


Titan Manufacturing and Distribution  Inc. and its computer framework was reported to be compromised by a malware that too for about a year around from November 23, 2017 until October 25, 2018 as per an IT security expert.

Given the fact that the company expressed that it doesn't store customer data, the malware installed in the company's framework could have gained access to the users' shopping cart including their data, for example, the users' full names, billing addresses, contact numbers, payment card details, like the card numbers, termination dates, as well as verification codes.

After finding out about the episode, Titan advised its customers about the occurrence and unveiled in a notice for the customers who have had purchased products from its online stores between November 23, 2017 and October 25, 2018, that they might have been influenced by the said incident.

 “Titan Manufacturing and Distributing, Inc. (“Titan”) values your business and recognizes the importance of the security of your information. For these reasons, we are writing to let you know, as a precautionary measure, that Titan has been the victim of a data security incident that may involve your information,” the notice read.

Titan is now working intimately with a 'third-party' IT security expert so as to research and investigate the incident carefully and is all set to provide one-year complimentary identity theft protection for all conceivably influenced customers.

By finding a way to upgrade their security framework and moving its computer framework to another server, deleting and resetting all authoritative login credentials the company has additionally asked for its users to remain cautious by frequently monitoring their financial records for any suspicious exercises and take immediate measures by reporting them.

More Questions as Expert Recreates Chinese Super Micro Hardware Hack

Though the companies named in a blockbuster Bloomberg story have denied that China hacked into Supermicro hardware that shipped to Amazon, Apple and nearly 30 other firms, a recent demonstration at hacking conference in Germany proves the plausibility of the alleged hack.  

The post More Questions as Expert Recreates Chinese Super Micro Hardware...

Read the whole entry... »

Related Stories

Hackers defeat vein authentication by making a fake hand

Biometric security has moved beyond just fingerprints and face recognition to vein-based authentication. Unfortunately, hackers have already figured out a way to crack that, too. According to Motherboard, security researchers at the Chaos Communication Congress hacking conference in Leipzig, Germany showed a model wax hand that they used to defeat a vein authentication system using a wax model hand.

Source: Motherboard

Why other Hotel Chains could Fall Victim to a ‘Marriott-style’ Data Breach

A guest article authored by Bernard Parsons, CEO, Becrypt

Whilst I am sure more details behind the Marriott data breach will slowly come to light over the coming months, there is already plenty to reflect on given the initial disclosures and accompanying hypotheses.

With the prospects of regulatory fines and lawsuits looming, assimilating the sheer magnitude of the numbers involved is naturally alarming. Up to 500 million records containing personal and potentially financial information is quite staggering. In the eyes of the Information Commissioner’s Office (ICO), this is deemed a ‘Mega Breach’, even though it falls short of the Yahoo data breach. But equally concerning are the various timeframes reported.

Marriott said the breach involved unauthorised access to a database containing Starwood properties guest information, on or before 10th September 2018. Its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Starwood disclosed its own breach in November 2015 that stretched back to at least November 2014. The intrusion was said to involve malicious software installed on cash registers and other payment systems, which were not part of its guest reservations or membership systems.

The extent of Marriott’s regulatory liabilities will be determined by a number of factors not yet fully in the public domain. For GDPR this will include the date at which the ICO was informed, the processes Marriott has undertaken since discovery, and the extent to which it has followed ‘best practice’ prior to, during and after breach discovery. Despite the magnitude and nature of breach, it is not impossible to imagine that Marriott might have followed best practice, albeit such a term is not currently well-defined, but it is fairly easy to imagine that their processes and controls reflect common practice.

A quick internet search reveals just how commonplace and seemingly inevitable the industry’s breaches are. In December 2016, a pattern of fraudulent transactions on credit cards were reportedly linked to use at InterContinental Hotels Group (IHG) properties. IHG stated that the intrusion resulted from malware installed at point-of-sale systems at restaurants and bars of 12 properties in 2016, and later in April 2017, acknowledging that cash registers at more than 1,000 of its properties were compromised.

According to KrebsOnSecurity other reported card breaches include Hyatt Hotels (October 2017), the Trump Hotel (July 2017), Kimpton Hotels (September 2016) Mandarin Oriental properties (2015), and Hilton Hotel properties (2015).

Therefore perhaps, the most important lessons to be learnt in response to such breaches are those that seek to understand the factors that make data breaches all but inevitable today. Whilst it is Marriott in the news this week, the challenges we collectively face are systemic and it could very easily be another hotel chain next week.

Reflecting on the role of payment (EPOS) systems and cash registers within leisure industry breaches is illustrative of the challenge. Paste the phrase ‘EPOS software’ into your favourite search engine, and see how prominent, or indeed absent, the notion of security is. Is it any wonder that organisations often unwittingly connect devices with common and often unmanaged vulnerabilities to systems that may at the same time be used to process sensitive data? Many EPOS systems effectively run general purpose operating systems, but are typically subject to less controls and monitoring than conventional IT systems.

So Why is This?
Often the organisation can’t justify having a full blown operating system and sophisticated defence tools on these systems, especially when they have a large number of them deployed out in the field, accessing bespoke or online applications. Often they are in widely geographically dispersed locations which means there are significant costs to go out and update, maintain, manage and fix them.

Likewise, organisations don’t always have the local IT resource in many of these locations to maintain the equipment and its security themselves.

Whilst a light is currently being shone on Marriott, perhaps our concerns should be far broader. If the issues are systemic, we need to think about how better security is built into the systems and supply chains we use by default, rather than expecting hotels or similar organisations in other industries to be sufficiently expert. Is it the hotel, as the end user that should be in the headlines, or how standards, expectations and regulations apply to the ecosystem that surrounds the leisure and other industries? Or should the focus be on how this needs to be improved in order to allow businesses to focus on what they do best, without being quite such easy prey?


CEO and co-founder of Becrypt

Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name brand named coats available lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I’ll won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking)!

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% percent would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me exhausted and desperate while shopping online — think before you click! Cybercriminal love to target victims by using phishing emails disguised as holiday savings or shipping notification, to lure consumers into clicking links that could lead to malware, or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.

Chinese hackers reportedly hit Navy contractors with multiple attacks

Chinese hackers have been targeting US Navy contractors, and were reportedly successful on several occasions over the last 18 months. The infiltrators stole information including missile plans and ship maintenance data, according to a Wall Street Journal report that cites officials and security experts.

Source: Wall Street Journal

DarkVishnya: Banks attacked through direct connection to local network

While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

High-tech tables with sockets are great for planting hidden devices

High-tech tables with sockets are great for planting hidden devices

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels.

Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access. Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely.

Verdicts

not-a-virus.RemoteAdmin.Win32.DameWare
MEM:Trojan.Win32.Cometer
MEM:Trojan.Win32.Metasploit
Trojan.Multi.GenAutorunReg
HEUR:Trojan.Multi.Powecod
HEUR:Trojan.Win32.Betabanker.gen
not-a-virus:RemoteAdmin.Win64.WinExe
Trojan.Win32.Powershell
PDM:Trojan.Win32.CmdServ
Trojan.Win32.Agent.smbe
HEUR:Trojan.Multi.Powesta.b
HEUR:Trojan.Multi.Runner.j
not-a-virus.RemoteAdmin.Win32.PsExec

Shellcode listeners

tcp://0.0.0.0:5190
tcp://0.0.0.0:7900

Shellcode connects

tcp://10.**.*.***:4444
tcp://10.**.*.**:4445
tcp://10.**.*.**:31337

Shellcode pipes

\\.\xport
\\.\s-pipe

Thousands of House GOP campaign committee emails were stolen in hack

The Republican Party's House campaign committee said it was a victim of "cyber intrusion" during the 2018 midterm campaign. Party officials told Politico that "thousands of sensitive emails" were stolen in the National Republican Congressional Committee hack. The party has reported the incident to the FBI.

Via: Associated Press

Source: Politico

Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!

A mammoth data breach was disclosed by hotel chain Marriott International today (30 Nov 18), with a massive 500 million customer records said to have been compromised by an "unauthorized party". 
Image result for marriott
The world's largest hotel group launched an internal investigation in response to a system security alert on 8th September 2018, and found an attacker had been accessing the hotel chain's "Starwood network" and customer personal data since 2014, copying and encrypting customer records. In addition to the Marriott brand, Starwood includes W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. 

Image result for starwood
You are at risk if you have stayed at any of the above hotel brands in the last 4 years

The Marriott statement said for around 326 million of its guests, the personal information compromised included "some combination" of, name, address, phone number, email address, passport number, date of birth, gender and arrival & departure information. The hotelier also said encrypted payment card data was also copied, and it could not rule out the encryption keys to decrypt cardholder data had not been stolen.

The hotel giant said it would notify customers affected and offer some a fraud detecting service for a year for free, so I expect they will be making contact with myself soon. In the meantime, Marriott has launched a website for affected customers and a free helpline for concerned UK customers 0808 189 1065.

The UK ICO said it would be investigating the breach, and warned those who believe they are impacted to be extra vigilant and to follow the advice on the ICO website, and by the National Cyber Security Centre
. The hotel chain could face huge fines under the GDPR, and possibly a large scale class action lawsuit by their affected guests, which could cost them millions of pounds. 

What I really would like to know is why the hotel chain had retained such vast numbers of guest records post their stay. Why they held their customer's passport details and whether those encryption keys were stolen or not. And finally, why the unauthorised access went undetected for four years.

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black, said "It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation - they’re getting in, moving around and seeking more targets as they go."

The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation's affiliates, often smaller companies with immature security postures and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

Jake Olcott, VP of Strategic Partnerships at BitSight, said "Following the breaking news today that Marriott’s Starwood bookings database has been comprised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise its Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach".

“This is yet another example of why it is critical that companies perform cybersecurity analysts during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”

Hackers targeted Dell customer information in attempted attack

Earlier this month, hackers attempted to breach Dell's network and obtain customer information, according to the company. While it says there's no conclusive evidence the hackers were successful in their November 9th attack, it's still possible they obtained some data.

Via: The Verge

Source: Dell (1), (2)

Police arrest alleged Russian hacker behind huge Android ad scam

Police in Bulgaria have arrested an alleged Russian hacker who may be responsible for a huge Android ad scam that netted $10 million. The individual identified as Alexander Zhukov is a Saint Petersburg native who's been living in Varna, Bulgaria, since 2010 and was apprehended on November 6th after the US issued an international warrant for his arrest, according to ZDNet.

Source: Kommersant

US government accuses Chinese hackers of stealing jet engine IP

The Justice Department has charged ten Chinese nationals -- two of which are intelligence officers -- of hacking into and stealing intellectual property from a pair of unnamed US and French companies between January 2015 to at least May of 2015. The hackers were after a type of turbofan (portmanteau of turbine and fan), a large commercial airline engine, to either circumvent its own development costs or avoid having to buy it. According to the complaint by the Department of Justice, a Chinese aerospace manufacturer was simultaneously working on making a comparable engine. The hack afflicted unnamed aerospace companies located in Arizona, Massachusetts and Oregon.

Via: ZD Net

Source: US Department of Justice

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile, the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). It was a vulnerable API used by Air Canada mobile App which was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change to all of its 77 million customer accounts as a result, however, the airline faced criticism from security experts for advising a weak password strength. Namely, a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing Apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month, the highlight was a demonstration of a vulnerability found by Secarma researches, namely a PHP flaw which places CMS sites at risk of remote code execution

There was plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server) and a reminder that Fax machines and all-in-one devices network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month,  Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Latest on the Currys PC World Data Breach Impacting 10 Million Customers

Following further investigations, Currys PC World today confirmed 10 million of their customer personal details may have been stolen by hackers, a revised number from the 1.2 million customers and 5.9 million payment cards it advised back in June.

In June 2018, the company said there was "an attempt to compromise" 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked after hackers attempted access to company's payment processing systems.

The hack was said to have occurred nearly a year before it was disclosed, so it either went undetected, which is common where there is inadequate security monitoring in place, or the business knew about the breach but choose not to disclose it to their impacted customers.

The Information Commissioner's Office (ICO) fined the Dixons Carphone £400,000 for a data in 2015 breach, however, Currys PC World stated the incidents were not connected.

The business stressed it has now improved its security measures including enhanced controls, monitoring, and testing to safeguard customer information, and "trebling their investment in cybersecurity". Unfortunately, no details have been disclosed explaining how the hackers were able to access such large quantities of personal data. The company "security improvement" statement suggests their IT security was rather underfunded and not at a sufficient standard to adequately secure their business operations and customer data.

The ICO (statement) and the NCSC (statement) both have released statements in June about the breach. So we'll see what the ICO makes of it, but I think the business is likely to be fined again, although not the potentially massive GDPR penalties, as this data breach occurred before the GDPR came into force in May.

Customer statement by Currys PC World to their customers today

On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:

If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.


If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.

We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.
You can find more information here


We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data. 

The GDPR's potential hefty financial penalties for breaching its requirements is firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all have received in recent weeks, on changes to company privacy statements and requesting consent, many of which I noted as not being GDPR compliant as obtaining "explicit consent" from the data subject. So there is a long way to go for many organisations before they become truly GDPR compliant state based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming in force, was the release of new NHS Data Security and Protection Toolkit, aimed at the NHS and their service providers, and the European NIS Directive (for telecom providers) went under the radar, but they are significant to those working in those industries.

Always make sure your Broadband Router\Hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches, otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced with month, after a DNS flaw in over 800,000 Draytek Routers has allowed hackers to take them over, malware called VPNFilter has infected 500,000 routers, and serious vulnerabilities has been reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. As quite frankly any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert twitter account crossed the 10,000 follower threshold Twitter advised 300 million users to reset their passwords after internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" value instead of using a hashed value for the password, as per best practice. I always strongly recommend Twitter users to take advantage and use the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS Attacks at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks
Some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

I lost money because my petrol pump was hacked by attendants!


The neighborhood petrol pump which I occasional use, was in the news for allegedly tampering with the meter readings. Some of the staffers had hacked the circuitry to modify the pulser readings which converted the flow volume to the digital readout. As a consequence, 5% of the bill value was inflated. Hacking is typically associated with software and remote Internet connections, but all sort of meter readings can be tampered with to skim small sums of money or develop glitches that result in inflated bills.
The only way to tackle such misuse is by surprise calibration checks and stringent penalties. In the case of the above petrol pump, the ingenious system also had a switch to toggle back to normal values during a calibration inspection.

The police believes that this particular fraud may be widespread, which simply demonstrates the ease with which the perpetrator of the modified pulser is able to sell his invention without being caught.