Friday, 24 February 2017

Blueprint for Secure Driverless Cars

Robust Cyber Security is an intrinsic requirement with all connected technology in our daily lives, and it is especially challenging with new cutting edge technological advances. Connected and driverless cars promises to be one greatest technological advances of the century, as such fascinates and excites yet at the time there are concerns. Getting cyber security right from the outset will be critical to the success of this industry, as vulnerable connected computer controlled cars is a matter of life and death. Securing the ever increasing sophistication and complexity of computers that control cars is certainly not for the faint hearted.

The car industry recognises trust and security go hand in hand, so in league with the likes of Aeris, Intel and Uber, the industry formed an industry wide organisation called FASTR - Future of Automotive Security Technology Research.  FASTR seeks to enable automotive security by driving cybersecurity across the entire vehicle manufacturing supply chain, to ensure smart cars will be secure from cyber attack.

FASTR recently produced an interesting infographic covering their approach to cyber security, it also has great stats about the car's of today and the cars of tomorrow. If you are interested in learning more about FASTR's approach, check out their Manufesto

Tuesday, 21 February 2017

Google & Bing UK Piracy Website Blocking is a Bad Idea for Security

Search engine giants Google and Bing have announced an agreement to make it harder for UK internet users to find pirated films, music and illegally stream football by blocking websites. It appears they have bowed to pressure by the entertainments industry and the UK government's Department for Culture, Media and Sport, to sign up to a voluntary code of practice.

I certainly don’t condone piracy or digital theft of any kind, but blocking websites is really a terrible idea for the security, privacy and even piracy prevention and enforcement, as it will just drive more people onto the dark web looking for the material they desire. I fear this will only serve to pour petrol on the illicit activities of the dark web by the swelling dark web ‘punters’. What's worst is new and inexperienced UK dark web users are vastly more likely to end up as victims of cyber crime in their desperate attempts to find banned content. 

This is a 'sweeping under the carpet' approach, driving piracy underground onto the dark web where it will be almost impossible to police and prevent. A much more sensible approach to better educate the masses about morality and impact of digital theft. If the UK government are serious about protecting our digital economy from digital piracy, then this morality education needs to start within UK schools.

I am sure privacy advocates will be looking for their Guy Fawkes masks alarmed that the UK government are seemingly involved in pushing the UK's two major search engines into blocking Internet content to UK citizens.

Lee Munson, a security researcher at Comparitech.com, said.

“The new voluntary code of practice pledged by major search engines is bad news for anyone looking to download or consume content without paying for it but good news for everyone who wants to stay safe online.

While not every pirate site hosts or links to misnamed files, Trojan-laden porn or malware-infected movie files, many do and, even though security software should be in place, we all know that a great many people do run into trouble on these sorts of sites.

That’s not to say that this new initiative will make malicious files a thing of the past though – the determined will still find the websites they need, however far down the search engine results pages they may fall, and the sharing of such files between family and friends will no doubt carry on unabated.”

Tuesday, 31 January 2017

Cyber Security Roundup for January 2017

Lloyds Banking Services were hit by a massive 3-day long DDoS attack in mid-January, impacting millions of Lloyds, Halifax and Bank of Scotland customer’s ability to conduct online and mobile banking. Lloyds weren't the only UK business hit with a major DDoS attack in January, web hosting firm 123-Reg was taken down by another large DDoS attack. It seems major DDoS attacks are set to continue in 2017, their scale and capability fuelled by the rise of insecure IoT devices popping online. I think large scale DDoS attacks will be a major menace to the UK national and financial infrastructure for the years to come. 

For the first time 'Cyber Crime' statistics were included in the England and Wales crime survey, with over 3.6 million fraud cases and over 2 million computer misused offences recorded in 2016, which is more than the typical 'physical world' recorded crime. It is worth considering that not all cybercrime is reported in England and Wales, in my view the majority of UK cybercrime isn't reported.

The latest Beazley Breach Insights Report predicts the number of Ransomware attacks will double again in 2017, and UK schools are the latest sector to become victims of Ransomware. With the growing ransomware threat in mind, the Malware Hunters Team produce an interesting breakdown of a new ransomware strain called FireCrypt this month, well worth a look if you are interested in how the bad guys create, evolve and use ransomware tools.

There are lessons for the UK call centre industry to learn from a US telemarketing firm, which had a database of 400,000 call recordings reportedly breached. These voice recordings were said to hold personal information and more concerningly debit/credit card information. This breach is a reminder of the importance of adequately securing call recording data with call centres, and of the Payment Card Industry Data Security Standard (PCI DSS) industry regulation requirement 3.2, which states debit/credit card “3 or 4 digit security codes”, known in the industry as Sensitive Authentication Data, is never permitted to be recorded or stored beyond the authorisation of the card payment transaction. This is a PCI DSS requirement that far too many UK call centre businesses turn a blind eye to. This strict requirement is there for a reason, as if fraudsters get hold of credit/debit card data with the 3/4 digit security code, they can instantly commit fraud without having possession of the customer's payment card.

News
Awareness, Education and Threat Intelligence

Reports

Thursday, 5 January 2017

Cyber Security Roundup 2016: The Year of the Big Data Hack

A decade ago I was walking into Boardrooms clutching newspaper clippings of half dozen data breaches which had occurred during the previous years, in a bid to warn of future threats and to persuade executives to increase their information security budgets. Those days are long gone, as most executives I encounter tend to be already worried about the cyber threat to their business, all reinforced by the mainstream media which today reports hacks most days.

"Big Data" is a recent marketing buzzword used to usher in the age of businesses utilising the vasts amount of data which they process and store for increasing efficiently and profit. The problem is much of this "Big Data" is our personal data, and there are cyber criminals also seeking to profit from it. So here we are in the era of "Big Data Hacks", which sums up 2016 quite well.

I have compiled a list of media headlines of data breaches in 2016 below, the volumes involved with these data theft hacks are truly mind–boggling. Yahoo on their own had 1.5 billion personal records stolen in two cyber attacks. It isn't necessary that stealing digital text data in such volumes is difficult, but have to wonder about what level of IT security was in place to protect such large volumes of personal data in the first place.

DDoS attacks continued to grow in strength in 2016, thanks to the explosion of the Internet of Things, with hackers creating huge DDoS botnets from insecure and rushed IoT devices, which frankly have no business of being sold and placed online with default passwords and basic software vulnerabilities.

2016 was also the year Ransomware made a huge comeback. The UK public sector seems particularly vulnerable to ransomware infections, with cyber criminals making millions by evolving various strains of ransomware and catching victims out with the age old infection techniques of phishing emails, malware infected websites and trojan software.

In 2017 we can expect to see more Big Data hacks and huge IoT fuelled DDoS attacks. Ransomware isn't going to go away either, however I am most concerned we'll see our first IoT attack which results in physical world damage and human harm in 2017.

Personal Data Theft and Data Breaches in 2016

Tuesday, 3 January 2017

Cyber Security Roundup for December 2016

Yahoo announced the largest ever data breach in history, with over 1 billion Yahoo user accounts compromised by a past cyber attack, which I covered in Yahoo's Mind-blowing One Billion Data Theft Hack. This truly humongous data hack is distinct from the 2014 breach of 500 million accounts reported by Yahoo in September. Elsewhere KFC, Topps, The Daily Motion and LinkedIn’s Lynda.com also reported large customer data breaches of millions of records during December. 

We need to be mindful of never to "get use to" and accepting these massive numbers of hacked online accounts, by businesses we entrust with our personal information, especially where these businesses have been found 'wanting' on the cyber security defences by under investing. The old spin doctor excuses of indefensible super hacks orchestrated by sophisticated nation-state backed dark forces tends not to stand up once the facts are uncovered. There is nothing sophisticated about teenage kids using freely downloadable software to take advantage of decade old and basic security vulnerabilities.

The media and security experts continues to pour scorn on TalkTalk’s cyber security, following the firm’s poor handling and customer advice after a cyber attack of unpatched TalkTalk customer broadband routers.

ThyssenKrupp, a large German steel maker firm, disclosed it was a victim of cyber intellectual property (IP) theft. Businesses rarely admit to IP data theft given such admissions can serious harm the business's reputation and share price. Given the high media and public attention in protecting personal data from cyber attacks, following a year of high profile large customer record losses due to cyber attacks, it can be easy for businesses to take their eye off protecting their IP, and to become complacent with IP protection and security.

I was quoted in the Focus Training's Blog. An 'Ask the Experts' piece on 'How to Protect your business from Cyber Crime', my advice was as follows.

There was a Christmas bumper of patch releases in December, with Microsoft, VMWare, Joomla, PHP and Android all releasing patches for critical vulnerabilities.

News
Awareness, Education and Intelligence
Reports

Wednesday, 21 December 2016

How to Protect your Business from Cyber Crime

Today I was quoted in the Focus Training's Blog. An 'Ask the Experts' piece on 'How to Protect your business from Cyber Crime', my advice was as follows.
  • Educate all business staff about dangers and latest attack methods, particularly ensuring they aware of targeted scam emails (spear phishing). Cyber criminals are increasingly targeting individual business staff members, typically those with finance responsibilities, by crafting highly convincing emails using information about the business, its staff and its suppliers. These scam emails once responded to, will typically try to convince (social engineer) individual staff members to arrange a bank transfer or payment to a bogus account operated by the cyber criminals
  • Keep all Servers, PCs, Laptops, Tablets and Smart Phones operating systems and applications updated (security patching). Out of date software is vulnerable and commonly exploited by malware and hackers.
  • Business staff should use unique passwords with each third party/online service used by the business. Ensuring passwords are complex and changed every 90 days. Where possible use mutli-factor authentication (I.e. password + hardware token or text message confirmation). Cyber criminals know many people use the same email and password combination across multiple websites, so when they obtain one credentials combination, usually via a third party website hack, the database of which are often dumped onto the darkweb, cyber criminals try the same stolen email and password combinations to attempt to access further online services, with the intent of stealing personal data and money.
Useful thoughts and advice from others in the post as well.

Tuesday, 20 December 2016

UK Identity Fraud on the Rise

UK identity fraud is on the rise according to the latest research by Equifax. The data shows UK ID crime is going up within all age groups, with those living in the London and Manchester areas increasingly the most likely to become victims of ID fraud. Equifax has asked me to share the following infographic on their research, which includes good advice to stay protected.

Are you losing your identity? We look at the growth of identity fraud and what can be done about it

Thursday, 15 December 2016

Yahoo's Mind-blowing One Billion Data Theft Hack

Just over three months ago I posted about Yahoo, The Largest Data Breach in History...so far. It was apt I added "so far" in the post title as in the early hours today, Yahoo announced an even more mind-blowing data theft hack of over One Billion Yahoo user accounts.

If you are a concerned Yahoo email account holder
1. Reset your Yahoo account password, make sure your old Yahoo passwords are not used on any other of your online accounts
2. Change your Security Questions and Answers on all accounts with same Q&A as Yahoo, you might have to make up false answers only you know to ensure safety
3. Be extra vigilant, especially with signs of any access to your email account, and receiving scam phishing emails

Mark Crowther, Associate Director at Cyber Security Specialists Cyberis (www.cyberis.co.uk),  has some interesting thoughts on the latest breach at Yahoo, raising serious questions about the company's historical and ongoing security programme. The following are his views.

The latest reports say that Yahoo lost data for more than one billion users back in August 2013 and that the data is suspected to contain names, email addresses, hashed passwords, security questions and associated answers. In addition, Yahoo has stated that the attackers have accessed Yahoo proprietary code used to generate cookies for user access without credentials.

This breach raises a number of questions, including: Why did it take so long to identify and notify authorities about it? What are the implications for Yahoo users? What might this mean for Yahoo going forward?

Yahoo appears to have been informed by law enforcement that the breach may have occurred, indicating that its internal detective controls have been, and may continue to be, inadequate. This is reinforced by a statement from Bob Lord (Yahoo's CISO) who stated "we have not been able to identify the intrusion associated with this theft." (https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users).

Although Yahoo claims that this notification is distinct from the 2014 breach (reported in September 2016), it raises questions as to why this more significant breach was not identified during earlier investigations. Forensic investigations may have been either too focussed on the 2014 breach, or incomplete, preventing identification of this earlier and more significant breach. To add balance to this argument, it should be stated that it is not clear at this time if the breached systems were related, however following the 2014 breach, Yahoo should certainly have considered further investigations to identify if any wider breaches had occurred.

So what are the implications for Yahoo users? Considering that this breach constitutes approximately one-third of Yahoo’s user base, it would be a fair assumption for all Yahoo users that their accounts have been compromised. The data set reported to be compromised includes both username and passwords, and whilst the passwords are reportedly hashed, the weak algorithm in use leaves them wide open to abuse (see our earlier blog post on password hashing - https://www.cyberis.co.uk/2012/06/adding-pinch-of-salt.html)

Cyberis advises Yahoo users, and users of related services such as Flickr and Tumblr, to change their passwords with immediate effect. If you have used your Yahoo password with any other service, you should also change these passwords. If you have registered for a website using a Yahoo email account, you should also consider resetting your password for these services, especially if you haven't used them for some time. Password reset services often use email addresses to manage a password change or forgotten password function. Anyone with access to the breached data could have potentially used this information to access any site associated with your Yahoo email account.

Given that Yahoo has announced that proprietary data was accessed, the breach is currently assumed to extend to Yahoo internal systems. This could suggest a highly skilled and motivated adversary, potentially even a state-sponsored hacking group. Access to millions of email accounts would be a clear motivation to many different threat actors of course, including foreign intelligence services and governments. We fully expect that further information about the extent of the breach will be released in the near future, but in the meantime, it’s certainly not looking good for Yahoo.

Thursday, 1 December 2016

Cyber Security Roundup for November 2016

Several major UK household brands made the headlines for wrong reasons following cyber attacks in October. Tesco Bank refunded £2.5 million to over 20,000 of its customers after Tesco Bank account credentials were hacked and account funds were stolen. Mobile giant ‘Three’ said 6 million of its customer’s personal data records could be at risk after hundreds of new mobile phones were stolen following the hack of a Three employee account. The National Lottery disclosed 26,500 of its online customer accounts had been accessed by hackers, leading to three arrests. Elsewhere a 17 year old pleaded guilty to taking part in the recent TalkTalk hack.

The next evolution of ransomware has arrived with a new variant called Ransoc, and it's pretty nasty. The malware scans internet history, social media accounts, Skype and photos, and then uses any found illegal, embarrassing and sensitive information to threaten the victim’s reputation should a payment not be sent. 

It turns out locked computer desktops aren’t as safe as you might think after a security researcher Samy Kamar released details of new attacking method called PoisonTap. Samy is famous for hacking MySpace with a worm way back in the day, I had the pleasure of meeting him a few years ago - An Evening with Samy, creator of the Samy MySpace Worm. In simple terms PoisonTap works by plugging a £4 Raspberry Pi Zero computer configured with hacking tools into a USB port, forcing the USB port to act as a network port, the tool is able to eavesdrop non-encrypted network traffic and steal web sessions from web browser sessions running in the background on PCs and Apple Macs, despite the desktop being locked with password protection. Samy released the source code for PoisonTap on Github, and I intend to create a PoisonTap tool for myself in the next few days.

News
Awareness, Education and Intelligence