The airline has said the personal information of 9 million customers has been compromised
• EasyJet reveals cyber-attack exposed 9m customers’ details
Airline apologises after credit card details of about 2,200 passengers were stolen
EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.
The company on Tuesday disclosed that email addresses and travel details were accessed and said it will contact all of the customers affected.Continue reading...
The hackers who attacked a major entertainment and media law firm have now doubled the sum they’re demanding, and have included a threat to reveal compromising data on President Donald Trump.
Grubman Shire Meiselas & Sacks represents high-profile clients including U2, Madonna, Lizzo, Drake, and Lady Gaga among many others. The firm was targeted with ransomware earlier this month, which led to the reported exfiltration of 756 gigabytes of data, including contracts and client correspondence. REvil, the hacking group claiming responsibility for the attack, initially demanded $21 million in ransom and released contracts relating to a recent Madonna tour as proof of their access to the firm’s data. They have since doubled their demand.
“The ransom is now $42,000,000,” the hackers announced in a statement on the dark web. “The next person we’ll be publishing is Donald Trump… Grubman, we will destroy your company down to the ground if we don’t see the money.”
Donald Trump is not a client of the firm, which raises questions as to what data, if any, they have access to.
Grubman Shire Meiselas & Sacks has refused to cooperate with the hackers’ demands.
“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others,” the firm said in an announcement.
The post Hackers Double Ransom Demands, Implicate Trump in Celebrity Law Firm Hack appeared first on Adam Levin.
Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device
The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.
Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.Continue reading...
For the last few years, cybersecurity experts have been sounding the alarm on something called e-skimming. In this kind of attack, hackers intercept payment card data and personal information from e-commerce sites by exploiting the architectural complexity of those e-commerce sites.
While there have been several major breaches that were the result of e-skimming, including Macy’s and British Airways, the bulk of these hacking campaigns have been attributed to an individual or a group of hackers called Magecart. S/he or they usually target the Magento platform, often by injecting rogue code into outdated plugins and extensions for websites.
Magento isn’t the Covid moment here. E-skimming is.
Security researchers discovered what could be a game changer in e-skimming attacks earlier this month, one that exponentially expands our collective attackable surface.
Magento has about a 12% market share and represents less than 1% of the entire assemblage of code that comprises the Internet.
The discovery I mentioned is that a new e-skimming hack has been targeting WooCommerce, which is a far more ubiquitous online shopping plugin used in 26% of all e-commerce sites. WooCommerce is native to and powered by WordPress, a platform that represents over 35% of websites currently online. It would be hard to find a larger attackable surface on the Internet.
The threat posed by a hack targeting WooCommerce isn’t bad only because of the technology’s ubiquity. The issue has to do with who uses it. The quick answer is: Anyone. Contrast that with Magento, which is designed for enterprise-level sites that have detailed inventory needs and other layers of complexity. Magento requires installation, development, and maintenance by trained web professionals certified by the company to understand its many nuances.
WooCommerce, on the other hand, is easy to use and install; a user with little to no experience building websites—and even less knowledge of cybersecurity best practices—can use it to get an e-commerce site up and running with ease.
This would be a bad situation in normal times, but with the Covid-19 pandemic making many businesses more reliant on e-commerce and virtual transactions, the potential for an increase in poorly secured websites built on the fly is a matter for concern.
That said, the bigger issue may be the nature of the hack itself. While e-skimming attacks have usually involved the compromise of vulnerable third-party software, e-skimming injects malicious code into the core source code of WooCommerce which makes it much harder to detect–particularly for non-expert site builders.
There are parallels with the early days of the Covid-19 pandemic. A relatively familiar threat has surfaced in a more dangerous form that is harder to detect and has the potential to impact a significantly larger number of victims.
Like Covid-19 in January, the current WooCommerce hack is a nascent threat, but unlike the virus, you can prepare for the threat and mitigate the potential damage.
A good place to start is for businesses and consumers to use a system I call the 3 Ms:
Minimize the Threat: Businesses doing e-commerce need to keep their website and security software up-to-date. Those companies that have the technical know-how should run regular scans for the presence of rogue code on their websites. If they don’t have that resource in house, they would be well advised to hire a cybersecurity expert to do it for them. Most important is to practice good data hygiene, especially when relying on a remote workforce. A single login and password hooked by a phishing email could provide hackers with the necessary credentials to compromise a website, as well as its customer and payment data.
When making payments online, consumers should use credit cards instead of debit/bank cards, which can provide hackers a direct conduit to their bank accounts.
Monitor Accounts: Keep track of your bank and credit card accounts to know as quickly as possible when something isn’t right. The most effective way to do this is to sign up for transaction monitoring—offered for free by banks, credit unions and credit card companies— which notifies you of any activity in your credit or bank accounts.
Manage the Damage: If a business falls prey to an e-skimming campaign, it’s crucial to act as quickly as possible to alert the authorities, notify consumers and identify the source of the hack. Customers affected by an e-skimming breach should immediately contact their payment card companies, request new cards, and lock down any potentially impacted accounts.
Malware and viruses are opportunistic. With more businesses relying on e-commerce to make up for shuttered physical storefronts, newly remote workers struggling to secure their home offices from cyberthreats, and more customers using e-tailers for their day-to-day shopping, the circumstances are ideal for a new strain of malware to spread.
The post What E-Commerce Sites Can Learn from the Covid-19 Pandemic appeared first on Adam Levin.
An app that logs movements and contacts might seem like a fair trade now but we risk giving away our privacy for good
Even when the lockdown is lifted, there is no guarantee that life will ever return to normal. To prevent a future outbreak of coronavirus, the UK will need to roll out mass testing, maintain some social distancing measures and closely monitor communities to curb future flare-ups.
In pursuing that last aim, governments across the world are developing technology to track our movements. When lockdown ends, technology could be a valuable means of controlling future outbreaks, alerting people to cases of Covid-19 in their area and hopefully preventing future shutdowns.Continue reading...
The company has seen a 535% rise in daily traffic in the past month, but security researchers say the app is a ‘privacy disaster’
As coronavirus lockdowns have moved many in-person activities online, the use of the video-conferencing platform Zoom has quickly escalated. So, too, have concerns about its security.
In the last month, there was a 535% rise in daily traffic to the Zoom.us download page, according to an analysis from the analytics firm SimilarWeb. Its app for iPhone has been the most downloaded app in the country for weeks, according to the mobile app market research firm Sensor Tower. Even politicians and other high-profile figures, including the British prime minister, Boris Johnson, and the former US federal reserve chair Alan Greenspan, use it for conferencing as they work from home.Continue reading...
Studying the past is futile in an unprecedented crisis. Science is the answer – and open data is paramount
Wherever we look, there is a demand for data about Covid-19. We devour dashboards, graphs and visualisations. We want to know about the numbers of tests, cases and deaths; how many beds and ventilators are available, how many NHS workers are off sick. When information is missing, we speculate about what the government might be hiding, or fill in the gaps with anecdotes.
Data is a necessary ingredient in day-to-day decision-making – but in this rapidly evolving situation, it’s especially vital. Everything has changed, almost overnight. Demands for food, transport, and energy have been overhauled as more people stop travelling and work from home. Jobs have been lost in some sectors, and workers are desperately needed in others. Historic experience can no longer tell us how our society or economy is working. Past models hold little predictive power in an unprecedented situation. To know what is happening right now, we need up-to-date information.Continue reading...
At least one person from outside Virgin Media accessed non-financial details
Almost a million Virgin Media customers had their personal details stored on a marketing database that had been left unsecured since last April, the company has admitted.
Records show that the database has been accessed by at least one person from outside the company, Virgin Media said, although it does not yet have any evidence that the information has been used illegally.Continue reading...
Controls on the ‘online information content ecosystem’ bring heightened concern about freedom of speech
Sweeping new internet censorship rules have gone into effect in China, prompting concerns that authorities will further control information and online debate as the country reels from the coronavirus outbreak.
China’s cybersecurity administration has since Saturday implemented a set of new regulations on the governance of the “online information content ecosystem” that encourage “positive” content while barring material deemed “negative” or illegal.Continue reading...
Action to prevent deeper access to our private lives and data is more essential than ever
Health data paints a rich picture of our lives. Even if you remove your name, date of birth and NHS number to “anonymise” yourself, a full health history will reveal your age, gender, the places where you have lived, your family relationships and aspects of your lifestyle.
Used in combination with other available information, this may be enough to verify that this medical history relates to you personally and to target you online. Consequently, whenever the NHS shares health data, even if it is anonymised, we need to have confidence in who it goes to and what they can do with it.
When data about us influences a credit rating or a hiring decision, we are unlikely ever to find outContinue reading...
Bug affected users of Google Takeout exporting from Google Photos in late November
Google has said a software bug resulted in some users’ personal videos being emailed to strangers.
The flaw affected users of Google Photos who requested to export their data in late November. For four days the export tool wrongly added videos to unrelated users’ archives.Continue reading...
Not so long ago we searched Google. Now we seem quite happy to let Google search us
Probably too late to ask, but was the past year the moment we lost our technological innocence? The Alexa in the corner of the kitchen monitoring your every word? The location-betraying device in your pocket? The dozen trackers on that web page you just opened? The thought that a 5G network could, in some hazily understood way, be hardwired back to Beijing? The spooky use of live facial recognition on CCTV cameras across London.
With privacy there have been so many landmarks in the past 12 months. The $5bn Federal Trade Commission fine on Facebook to settle the Cambridge Analytica scandal? The accidental exposure of a mind-blowing 1.2 billion people’s details from two data enrichment companies? Up to 50m medical records spilled?
We gleefully carry surveillance machines in our pockets and install them in our homesContinue reading...
Amazon founder interviewed as FBI conducts inquiry into Israeli firm linked to malware
Jeff Bezos met federal investigators in April 2019 after they received information about the alleged hack of the billionaire’s mobile phone by Saudi Arabia, the Guardian has been told.
Bezos was interviewed by investigators at a time when the FBI was conducting an investigation into the Israeli technology company NSO Group, according to a person who was present at the meeting.Continue reading...
Former senior government figures voice security fears as PM chairs meeting of NSC
Former ministers have sounded their final warnings to Boris Johnson about the Chinese telecoms firm Huawei ahead of his expected decision on whether it will play a part in the UK’s 5G network.
The prime minister will chair a meeting of the national security council (NSC) later on Tuesday before making a judgment on the firm’s future in the country after months of concern around security, including from the US president, Donald Trump.
5G is the next generation mobile phone network and it promises much higher connection speeds, lower latency (response times) and to be more reliable than the creaking 4G networks we have now.
Huawei is a Chinese telecoms company founded in 1987. US officials believe it poses a security risk because the Chinese government will make the firm engineer backdoors in its technology, through which information could be accessed by Beijing. Donald Trump has banned US companies from sharing technology with Huawei and has been putting pressure on other nations to follow suit.Continue reading...
Judge orders NSO Group to fight case brought by Saudi activist and pay his legal costs
An Israeli judge has rejected an attempt by the spyware firm NSO Group to dismiss a case brought against it by a prominent Saudi activist who alleged that the company’s cyberweapons were used to hack his phone.
The decision could add pressure on the company, which faces multiple accusations that it sold surveillance technology, named Pegasus, to authoritarian regimes and other governments that have allegedly used it to target political activists and journalists.Continue reading...
Support for Windows 7 has ended, leaving Marcy wondering how they can protect themselves
I do a lot of work on a Windows 7 desktop PC that is about five years old. I’m a widow and can’t afford to run out and get a new PC at this time, or pay for Windows 10. If I do stay with Windows 7, what should I worry about, and how can I protect myself? I have been running Kaspersky Total Security for several years, which has worked well so far. Marcy
Microsoft Windows 7 – launched in 2009 – came to the end of its supported life on Tuesday. Despite Microsoft’s repeated warnings to Windows 7 users, there may still be a couple of hundred million users, many of them in businesses. What should people do next?Continue reading...
US agency revealed flaw that could be exploited by hackers to create malicious software
Microsoft is rolling out a security fix to Windows 10 after the US National Security Agency (NSA) warned the popular operating system contained a highly dangerous flaw that could be used by hackers. Reporting the vulnerability represents a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.
The NSA revealed during a press conference on Tuesday that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. The flaw “makes trust vulnerable”, the NSA director of cybersecurity, Anne Neuberger, said in a briefing call to media on Tuesday.Continue reading...
Cyber-attacks that threaten to publish a victim’s data or block access to it unless a ransom is paid have grown internationally since 2012.Continue reading...
Exclusive: former Microsoft contractor says he was emailed login after minimal vetting
A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.
The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor.Continue reading...