Friday, 17 July 2020

Twitter Hack & Scam

What Happened?
Twitter confirmed 130 celebrity Twitter accounts were targeted in the cyberattack on Wednesday 15th July, with 45 successfully compromised. The hacked Twitter accounts included high profile individuals such as Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Their accounts were used to send a tweet to scam Bitcoin out of their millions of followers.

Twitter confirms internal tools used in bitcoin-promoting attack ...
Scam Social Engineering Tweet sent from Bill Gates' Twitter Account
Twitter quickly reacted to the hack by taking an unprecedented step of temporarily preventing all verified users from tweeting, including yours truly; I was trying to warn people about the attack but my tweets were repeatedly prevented from posting. Before the scam tweets were taken down more than £80,000 ($100,000) was sent to the scam Tweet's advertised Bitcoin address. The FBI is investigating the incident.

How the Twitter Accounts were Compromised
Twitter said hackers had targeted employees with access to its internal systems and "used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf".  A report by security researcher firm HudsonRock said an advert appeared on a dark web hacker's forum earlier in the week, which offered a service to takeover any Twitter account. The seller said they were able to achieve this by being able to change any Twitter account's linked email address. 

The seller was a group or individual that managed to hack their way into Twitter's backend systems, probably by social engineering Twitter's staff, to gain full administration rights at Twitter. This enabled them to provide their buyers with the opportunity to control any Twitter account and to write those accounts' tweets. Hence this nefarious service being bought and then used to acquire Bitcoin via scam messages.
Hackers posted the view from the Twitter control panel
Security researchers at Hudson Rock spotted Twitter Hack advertisement
Additional Impact?
It is not yet clear whether the hacker(s) stole the Direct Messages (private messages) of the high profile Twitters users, such messages could be used to cause embarrassment and for cyber extortion.  The attack appears to be a quick 'smash and grab' money maker, by both the seller to make a quick buck and by the buyer, who used the service to quickly obtain £80k worth of Bitcoin, rather than anything more sinister or sophisticated. 

Update as of 18th July 2020
Twitter confirmed the perpetrators used its administration tools to orchestrate the attack and had downloaded data from up to eight of the accounts involved, but said none of these accounts was "verified" high profile accounts.  

A New York Times article suggested at least two of the attackers are from England. The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems

Twitter's statement said "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems. We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We're embarrassed, we're disappointed, and more than anything, we're sorry."

Facts Twitter confirmed
  • Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
  • Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
  • In cases where an account was taken over by the attacker, they may have been able to view additional information. Forensic investigation of these activities is still ongoing.
What the Experts Think
Nigel Thorpe, technical director at SecureAge said the latest Twitter hack exposes the identity and access management vulnerability and the risk of administrator accounts being compromised, leaving data vulnerable. It appears that cybercriminals gained access to Twitter's internal network, then used an admin tool to control the user accounts of prominent individuals and organisations to post fraudulent messages. Using social engineering to gain access to Twitter staff accounts, giving access to data stored in the network.

This incident illustrates the loophole with identity and access management such that if a user account is compromised, data is left unprotected. This loophole can be closed by taking a data-centric approach to security, where information is automatically protected, with authenticated encryption built right into the data. This means that even unencrypted files, when changed or moved, will immediately be encrypted so that, if stolen, they will appear to be garbage to the thief.

A compromised user account still has access to data, but it remains encrypted all the time, even when in use. When copied from its ‘safe’, access-controlled location - even if that's outside the organisation - the data remains encrypted and therefore useless. No ransom, no embarrassing disclosures, no legal action.

Liviu Arsene, Global Cybersecurity Researcher at Bitdefender said with attackers successfully compromising high-profile Twitter accounts that potentially also had two-factor authentication can only point to a coordinated cyberattack at Twitter’s employees and systems. It’s likely this could be a result of attackers exploiting the work-from-home context, in which employees are far more likely to fall prey to scams and spearphishing emails that end up compromising devices and ultimately company systems.

This high-profile Twitter breach could be the result of a spray-and-pray spear-phishing campaign that landed some opportunistic cybercriminals the could potentially be the hack of the year for Twitter. They could have done potentially far more damage. Instead, by delivering a simple Bitcoin scam, we could be looking at attackers that wanted to quickly monetize their access, instead of a highly coordinated and sophisticated operation performed by an APT group.

If this is the case, it’s likely that more companies could potentially be breached as a result of cybercriminals phishing employees. With 50% of organizations not having a plan for supporting and quickly migrating employees and infrastructure to full remote work, we’re probably going to see more data breaches that either exploit employee negligence or infrastructure misconfigurations left behind during the work from home transition.

While large organizations may have strong perimeter security defences, security professionals mostly worry that a potential breach could occur because of attackers exploiting the weakest link in the cybersecurity chain: the human component.

Tony Pepper, CEO of Egress said Twitter has suffered a co-ordinated attack targeting its employees "with access to internal systems and tools" is deeply concerning. However, screenshots obtained from two sources who took over accounts which suggest that this breach was caused by an intentionally malicious insider adds an additional layer of concern and complexity to this saga.

In our 2020 Insider Data Breach, we found that 75% of IT leaders surveyed believe employees have put data at risk intentionally in the past year and this latest breach seems to bear out those beliefs.

So, what can security professionals do to prevent this risk and keep sensitive data out of the reach of malicious threat actors? Organisations have an opportunity to do more by understanding the ‘human layer’ of security, including breach personas and where different risks lie. Technology needs to do more by providing insight into how sensitive data in the organisation is being handled and identifying risks, including human-activated threats.

By spotting the characteristics of a potentially malicious insider and being aware of what they are susceptible to and motivated by, organisations can put the tactics, techniques, and technology in place to mitigate the risk.

Tuesday, 14 July 2020

Returning to the Workplace and the Ongoing Threat of Phishing Attacks

Guest post by Richard Hahn, Consulting Manager, Sungard Availability Services

According to the Office of National Statistics (ONS), approximately 14.2 million people (44% of the total number of working adults) have worked from home during the coronavirus pandemic. To put these figures into perspective, this number stood at around 1.7 million in 2019, representing just 5% of the total working population.

While these statistics are unsurprising, it’s clear that the paradigm of working from home every day was sudden and significant. Few businesses can claim to have anticipated such a scenario, nor to have had the business continuity planning capabilities to contend with its consequences. For example, one of the biggest cybersecurity trends to have emerged in recent weeks is a surge in phishing attacks targeting remote workers.

As will be described in this article, phishing thrives on isolation, uncertainty and periods of change, which have all been common characteristics of the working world recently. Accordingly, Google has reported a 350% cent increase in phishing attacks from January to March of this year. 
Education is the First Line of Defence against Phishing Attacks
Now that organisations are beginning to transition back to former work settings, social distancing will mean that change and uncertainty will continue to be a significant factor. During this time, it is imperative that all workers are aware not only of how phishing attacks work, but also the impact that it can have on an organisation’s reputation, it’s the bottom line, and, crucially, the continuity of the business overall. Here are some key pieces of advice for staying secure under these circumstances.

1. Phishing Attacks are Socially Engineered
The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking on a link or providing personal information, by offering scenarios of financial gains or ramifications, or the potential of work disruption or playing into a personal panic.

However, phishing messages typically have tell-tale signs that can – and should – give users pause. Attempts to obfuscate the sender, poor spelling and grammar, and malicious attachments are a few of the classic signs that the message is not genuine.

Phishing attack messages that have the highest response rates are often related to time-bound events, such as open enrolment periods or satisfaction surveys. Some other common phishing message themes include unpaid invoices, confirming personal information and problems with logins.

Before acting, think about what is being asked. For example, phishing attacks may take advantage of the fact that many workers are currently anticipating updates from their employers about returning to the workplace. The email may ask users to log in to a new system designed to allocate socially distant spaces within the workspace upon their return. This tactic exploits the user’s often unconscious confirmation bias, not only impersonating their employer but also taking advantage of their expectations around returning to work and acknowledgement of social distancing.
If unsure whether it might be a malicious message, encourage staff to ask a colleague or the IT team to analyse the message (including the full Simple Mail Transfer Protocol (SMTP) information).

2. Attackers Use a Diverse Portfolio of Tactics
Attackers often attempt to impersonate a known person or entity to obtain private information or to carry out an action. This is also known as pretexting and is commonly executed by crafting a fraudulent email or text message to execute an action that is not part of the standard process.

One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly being targeted.

Organisations must understand that pretexting is considered fraud and is often not covered by cyber insurance policies. Therefore, it’s critical that organisations design effective business processes with oversight so there are no single points of approval or execution, and stick to them. While it may be tempting to bypass processes, such as accounts payable or IT procurement, businesses can’t afford to let their guard down – especially when large numbers of workers are logging on remotely as is the case for so many today.

3. Education is the First Line of Defence
Phishing is often discussed within the cybersecurity space, but the conversations typically don’t involve intent and rigour.

The common compliance measure usually involves in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape or pattern of working experienced by so many in 2020.

Organisations must conduct security awareness education with the same decisiveness and gravity that other industries do with safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings.

Planning for the New Normal
The main priority for organisations moving forward is to be more proactive about implementing, practising and testing cyber hygiene from the ground up. There’s much more in the way of fundamental change on the horizon which opens organisations up to a diverse and complex threat landscape. 

At the same time, bad actors will constantly be on the lookout for opportunities to take advantage of the chaos. By paying attention to the signs, looking out for pretexting and emphasising regular training, companies can better fend off future phishing attacks.

Investing time and resources into regularly training and educating staff on information security awareness and current cyber threats is critical in building resilience in the ‘new normal’ of the post-COVID-19 working world. A crippling cyberattack is always just around the corner, but by establishing plans and capabilities that reduce risk and prevent data loss, leakage or offline systems from disrupting business continuity, the chances of survival rise exponentially. 

Monday, 13 July 2020

iPhone Hacks: What You Need to Know About Mobile Security

Guest Post by Jennifer Bell

Learn How Hackers Steal and Exploit Information to Ensure This Doesn’t Happen to You 


Cybersecurity is an important topic to know and understand in order to keep your information safe and secure. Even more specifically, it’s important to know and understand mobile security as well. Mobile security, especially with iPhones, is crucial as hackers are becoming smarter and more creative when it comes to iCloud hacks. Apple has partnered with network hardware and insurance companies such as Cisco and Aon to provide security against data breaches; but how can you ensure that even with these Apple partnerships that your iPhone is secure and protected against hackers? Here are the most common ways that hackers get into iPhones to steal or exploit personal information, keep these points in mind to best protect yourself from mobile security hacks.


Poor Passwords
Often, poor password choices or poor password management allows hackers to easily hack into iPhones and other Apple products. Hackers are skilled at obtaining Apple IDs and passwords using phishing scams which are attempts to obtain personal data and information by posing as credible and trustworthy electronic entities. Here are some tips to protect your password from hackers and phishing scams:

  • Set up two-factor authentication for your Apple account 
  • Choose passwords that have no significant personal meaning; such as birthdays or names of family or pets. Hackers can easily do their research and make educated guesses as to what a password maybe 
  • Back up information in other places besides just the iCloud 
  • Change all passwords if even just one account is hacked 
Untrustworthy Websites
One of the most common ways that hackers make their way into iPhones and other Apple products is by using websites that are not credible. These websites either have holes in the software that allows hackers to get into an iPhone or, they use websites to ask for personal information such as credit card information or contact information. How do you know if a website is credible?
  • Ask yourself, does this website look trustworthy? Have I ever heard of it? Does it make sense for it to be asking me these questions? 
  • Use a secure middle layer payment option for purchases. Using PayPal or Visa Checkout is a great way to make payments online because the payment is not directly connected to any of your bank information 
  • Don’t open emails or any attachments that link you to a website if it comes from an untrusted sender 
  • Look up websites if you haven't ever heard of them. If the website is untrustworthy, it’s likely that people have been scammed or hacked on there before and have shared/posted their story 
Public WiFi Networks
Hackers have been known to gain access to iPhones using WiFi spoofing which is creating a WiFi network that doesn’t require a password and seems like a trustworthy network. Computer forensic services have also discovered that if your iPhone is set up to automatically connect to WiFi, your iPhone will automatically sync up to a spoofed WiFi network and will open your phone up to hackers without you knowing. Avoiding public WiFi networks can potentially save your iPhone from hackers; similarly, avoid public hotspots for the same reason. 

Protect Your iPhone From Cyberattacks
Hackers are becoming more and more knowledgeable when it comes to stealing and exploiting people’s personal information found on their iPhones. Keep these points in mind and remember to keep your iPhone’s software up to date; these things can ultimately secure your personal information and save you from falling victim to hackers’ harsh motives.

About the Author 

Jennifer Bell is a freelance writer, blogger, dog-enthusiast and avid beachgoer operating out of Southern New Jersey

Thursday, 9 July 2020

Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats

Guest Post by Matt Cable, VP Solutions Architects & MD Europe, Certes Networks

At the end of 2019, it was reported that the number of unfilled global IT security positions had reached over four million professionals, up from almost three million at the same time the previous year. This included 561,000 in North America and a staggering 2.6 million in APAC. The cybersecurity industry clearly has some gaps to fill.

But it’s not just the number of open positions that presents an issue. Research also shows that nearly half of firms are unable to carry out the basic tasks outlined in the UK government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware. Although this figure has improved since 2018, it is still far too high and is a growing concern.

To compound matters, the disruption of COVID-19 this year has triggered a larger volume of attack vectors, with more employees working from home without sufficient security protocols and cyber attackers willingly using this to their advantage.

Evidentially, ensuring cybersecurity employees and teams have the right skills to keep both their organisations and their data safe, is essential. However, as Matt Cable, VP Solutions Architects & MD Europe, Certes Networks explains, as well as ensuring they have access to the right skills, organisations should also embrace a mindset of continuously identifying - and closing - gaps in their cybersecurity posture to ensure the organisation is as secure as it can be.

Infrastructure security versus infrastructure connectivity
There is a big misconception within cybersecurity teams that all members of the team can mitigate any cyber threat that comes their way. However, in practice, this often isn’t the case. There is repeatedly a lack of clarity between infrastructure security and infrastructure connectivity, with organisations assuming that because a member of the team is skilled in one area, they will automatically be skilled in the other.

What organisations are currently missing is a person, or team, within the company whose sole responsibility is looking at the security posture; not just at a high level, but also taking a deep dive into the infrastructure and identifying gaps, pain points and vulnerabilities. By assessing whether teams are truly focusing their efforts in the right places, tangible, outcomes-driven changes can really be made and organisations can then work towards understanding if they currently do possess the right skills to address the challenges.

This task should be a group effort: the entire IT and security team should be encouraged to look at the current situation and really analyse how secure the organisation truly is. Where is the majority of the team’s time being devoted? How could certain aspects of cybersecurity be better understood? Is the current team able to carry out penetration testing or patch management? Or, as an alternative to hiring a new member of the team, the CISO could consider sourcing a security partner who can provide these services, recognising that the skill sets cannot be developed within the organisation itself, and instead utilising external expertise.

It’s not what you know, it’s what you don’t know
The pace of change in cybersecurity means that organisations must accept they will not always be positioned to combat every single attack. Whilst on one day an organisation might consider its network to be secure, a new ransomware attack or the introduction of a new man-in-the-middle threat could quickly highlight a previously unknown vulnerability. Quite often, an organisation will not have known that it had vulnerabilities until it was too late.

By understanding that there will always be a new gap to fill and continuously assessing if the team has the right skills - either in-house or outsourced - to combat it, organisations can become much better prepared. If a CISO simply accepts the current secure state of its security posture as static and untouchable, the organisation will open itself up as a target of many forms of new attack vectors. Instead, accepting that cybersecurity is constantly changing and therefore questioning and testing each component of the security architecture on a regular basis means that security teams - with the help of security partners - will never be caught off guard.

Maintaining the right cybersecurity posture requires not just the right skills, but a mindset of constant innovation and assessment. Now, more than ever, organisations need to stay vigilant and identify the gaps that could cause devastating repercussions if left unfilled.

Wednesday, 8 July 2020

How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal'

Guest Post by the information security experts at Security Risk Management Ltd

If promoting a positive company-wide security culture had been a challenge before the Covid-19 pandemic, that challenge has just become a whole lot more difficult. That is because the widespread move to remote working has added another layer of vulnerability. It is not simply a question of sharing office systems across a range of settings and the fact that some are using home computers (frequently shared with personal accounts); instead, it is that individuals are now one step removed from the reach of those responsible for in-house information security, usually the Chief Information Security Officers (CISOs), and the organisation’s security protocols.

This fact has not been wasted on ever-opportunistic hackers

Email phishing attacks target individuals, often persuading them to check or type passwords on malicious domains that appear to be legitimate. Researchers have found a 600 per cent increase in the number of phishing emails worldwide this year, frequently using Coronavirus-related themes to target individuals and businesses. These are not always easy to spot, including email headings like ‘revised vacation and sick time policy’ or ‘important message from HR’. It is easy to see how a lone worker could fall into the trap.

The sharp rise in this type of attack reflects what hackers already know: that the human element of an organisation’s security is the weakest link. Of course, best practice network security relies on a number of elements but perhaps the hardest to establish is a positive security culture. CISOs have, however, struggled with this, even before the Covid-19 pandemic changed business practices. A survey of CISOs by ClubCISO reported that 49 per cent felt that organisational culture was already a block to them achieving their security objectives.

In a world where remote working has become the ‘new normal’, effectively engaging individuals is more important than ever. Understanding protocols and providing easy-to-understand training and awareness are crucial for every single user of a network system and this needs to be prioritised in the current climate. But it is equally important that employees feel able to report suspicious activity quickly and in full without fearing blame or repercussions. Without this element of positive security culture, the security policy could fail because employees will be reluctant to highlight suspicious activity, with potentially devastating consequences.

Effective Information Security Management
In the traditional setup, the CISO or ISM would be responsible for network security. Based on an office, they manage the protocols and policies for everything from regulatory and legal compliance to staff training and breach notification. Yet, with little time for preparation, many will be challenged, perhaps lacking the immediate knowledge or experience of how to translate these to the complexities of employees working from home offices.

This is not necessarily bad news but presents an opportunity for positive change. Now we are becoming used to the fact that employees no longer need to be office-based, we can take a step back and ask if the CISO actually needs to be resident within the bricks and mortar of an organisation? Would an outsourced (or virtual) CISO model not be equally well suited – if not better suited - to the ‘new normal’ of remote working?

Virtual CISOs are highly skilled professional teams, drawing on a wealth of experience, working with organisations to meet all the requirements of the CISO function. Individually assigned team members work remotely with an organisation, overseeing network security at all levels; from board-level engagement and compliance to effectively embedding a company-wide positive security culture.

It is also worth noting that they can be used for as much or as little as required, simply advising the resident CISO on strategy or developing and implementing the whole policy. Yet this best-practice alternative does not cost the earth. In fact, it is likely to cost significantly less than the traditional model, while delivering a service which is ideally suited to remote working.

Thursday, 2 July 2020

Cyber Security Roundup for July 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2020.

Australian Prime Minister Scott Morrison announced a sophisticated nation-state actor is causing increasing havoc by attacking the country’s government, corporate institutions, and his country's critical infrastructure operators. He said, “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't actually name the specific country responsible in his statement, Reuters said its sources confirmed China was the culprit.  Political t
ensions have ramped up between Australia and China in recent months after Australia called for an investigation into China’s handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.

Why am I leading a UK cybersecurity blog with an Australian cyberattacks story? Well, it is because the UK might well be next in the cross-hairs of China's sophisticated cyber army, after the UK Governance stance on using Huawei in 5G infrastructure significantly soured last month. And also due to the increasing political pressure applied by the UK government on the Chinese government following their introduction of a controversial new security law in Hong Kong.

Increased UK Huawei Tensions in June 2020
While the Australian PM righty suggested their nation-state threat actor was sophisticated, the cyberattacks they described aren't so sophisticated. Their attackers engaged in spear-phishing campaigns designed to trick email recipients into clicking a link leading to a malicious files or credential harvesting page, opening malicious attachments or granting Office 365 OAuth tokens to the actors.  This is the same MO of cyber attacks orchestrated by the cybercriminals fraternity on a daily basis. The Australian government statement advises organisations to patch their internet-facing devices, including web and email servers and to use multifactor authentication. All good advise, in fact, all essential good practice for all organisations to adopt no matter their threat actor landscape.

Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the much-dated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, so written well before the internet took root in our digital society, so is not really suitable for prosecuting for modern cybercriminals, they tend to be prosecuted under financial crime and fraud laws. The coalition is calling for a change in the law includes the NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue section 1 of the Act prohibits the unauthorised access to any programme or data held in any computer and has not kept pace with advances in technology. In their letter to PM they said "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims and criminals systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."

Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a “milestone” and “a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so one thing the UK government is definitely getting right in the cybersecurity space at the moment.

Zoom announced it will extend 'optional' end-to-end encryption (E2EE) to free users. It is not certain when exactly Zoom's free E2EE will commence or whether it will be defaulted as on, given the Zoom CEO said, “We plan to begin early beta of the E2EE feature in July 2020.” Still good to see the much security criticised Zoom is continuing to bolstering its security, and also by appointing a seasoned Chief Information Security Officer from Salesforce.

Some men just want to watch the world burn...
With the recent uptick in ransomware, phishing, unsecured cloud buckets and massive data breaches dominating the media headlines over the past couple of years, you could be forgiven for forgetting about the threat posed by Distributed-Denial-of-Service (DDoS) attacks. So then, a timely reminder that some threat actors have vast botnets as their disposal for orchestrating huge DDoS attacks after Amazon reported thwarting the biggest ever DDoS attack, and a European bank suffered the biggest ever PPS DDoS attack. The motives of these colossal DDoS attacks are unclear, I guess some men just want to watch the world burn.
Quote from Batman butler Alfred (Michael Caine), The Dark Knight
BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Thursday, 25 June 2020

Back to Basics: Simple Moves to Keep You Secure at Home

Guest Post by Susan Doktor

Staying at home, something we’ve all been doing a lot more of, can be relaxing. But as our attention has been focused elsewhere, particularly on our health and the economic crisis brought on by the global pandemic, some of us may have also relaxed our safety standards. We are witnessing a serious spike in cybercrime since the coronavirus took the world hostage. Even those institutions that are working diligently to vanquish the virus have not been immune to attack. And that means we have to be more diligent about our privacy and cyber safety.

As mentioned in a recent post, the technology we’re relying on to stay connected while adhering to social distancing guidelines may be contributing to our vulnerability. But whether you’re chatting on a video conferencing app or charging airline tickets to your travel credit card, there are built-in security weaknesses inherent to our online lives. I’m talking about passwords. They’re necessary, of course. And they’re ubiquitous. A 2017 study estimated that the average business user has nearly 200 of them. That’s why it’s a good idea to refresh our understanding of safe password hygiene.

A few simple rules to follow:
  • Choose passwords that are difficult to guess and have nothing to do with your personal information. Don’t use your birthday or house number or any information that’s easy to gather to make up your passwords.
  • Never share your passwords. Beyond matters of basic trust, you don’t know how the person you shared them is protecting them. Does your shared password reside on a mobile phone or a slip of paper kept in a wallet? Both of those things can be lost or stolen.
  • Don’t re-use passwords. If one of your accounts is hacked, that leaves more them vulnerable.
  • Change your passwords often. If you don’t, that computer that was stolen six months ago can come back to haunt you. And you’re more at risk from security breaches that online retailers, credit card companies, and even hospitals are experiencing with greater frequency. That risk multiplies any time one of the companies you do business with sells your personal information to one of its marketing partners. So make it a habit to check the privacy policy on any site where you enter your personal data
  • Enable two-factor authentication whenever you have the option to do so on a website or device. It takes a moment more to complete a log-in but it can save you years of headaches if your identity is stolen.
If all that sounds like too much work, I have another tip for you. And it’s a real time-saver. Get yourself a password manager. The best password managers perform all of those tasks for you automatically. You need only create and remember a single master password to gain a tremendous amount of protection when you install a password manager app on your various devices. There are some excellent free open-source password manager apps out there and quite a few paid ones that offer advanced features like secure file sharing and automatic synching of all of your devices.

Another layer of safety you might want to consider is a Virtual Private Network (VPN). VPNs allow you to surf the web anonymously and encrypt any data you send across it. That means you can use public wi-fi networks, like the one at your favourite Costa, more securely. They can boost your download speed, increase your bandwidth, and let you take advantage of peer-to-peer sharing of films and other entertainment media.

Protecting your personal data through the use of password managers and a secure VPN are great first steps towards increased cybersecurity. But there's no such thing as absolute safety online. Identity thieves have long memories--which means they may have access to your old passwords. And thanks to all the data breaches that have occurred over the last decade, they also have your name, address, phone, email, date of birth, and other personal information. So they spoof your phone number, call your bank, and pretend to be you. They give all the correct identity information and then say that they've lost the device that had their current account password on it—but they remember their old password. And they persuade the customer service rep to change your password again. Now you are effectively locked out of your own account while the thieves vacuum out your money.

Does this mean that password managers, VPNs, and the like are a waste of time? Hardly. The above scenario requires a lot of work on the criminals' part. They'll be much more likely to go after a bank account that's secured with the same password you used back when you were on GeoCities and MySpace. Beefing up your cybersecurity practices now will tilt the odds of staying safe back in your favour.

Author Bio:Susan Doktor is a journalist and business strategist who hails from New York City. She writes, guest- and ghost-blogs on a wide range of topics including finance, technology, and government affairs.

Monday, 1 June 2020

Cyber Security Roundup for June 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020, impacting 9 million of their customers was the biggest cybersecurity story of May 2020 in the UK. Although no details about this 'cyber-attack' were disclosed, other than 2,208 customers had their credit card details accessed.  


Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability.  City A.M. described Dido's responses as "naive", noting when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK governments Track, Test and Trace application, which no doubt will ring privacy alarms bells with some. 

Back to the EasyJet breach, all we know is the ICO and the NCSC are supporting UK budget airline, EasyJet said "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays." 

It will be interesting to see the DPA enforcement line Information Commission's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry.  Some security commentators have called ICO a "Toothless Tiger" in regards to their supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can undertake a class-action lawsuit. So then, it can be no real surprise to law firm PGMBM announce it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion!. If successful, each customer impacted by the breach could receive a payout of £2,000.

The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before COVID-19 pandemic.  The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
  • 86% of data breaches for financial gain - up from 71% in 2019 
  • 43% web application (cloud-based) - these attacks have doubled, reflecting the growth in the use of cloud-based services.
  • 67% of data breaches resulted from credential theft, human error or social attacks. 
  • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime 
  • On-going patching successful - fewer than 1 in 20 breaches exploit vulnerabilities
The vast majority of breaches continue to be caused by external actors.
  • 70% with organised crime accounting for 55% of these. 
  • Credential theft and social attacks such as phishing and business email compromises cause the majority of breaches (over 67%), specifically:
    • 37% of credential theft breaches used stolen or weak credentials,
    • 25% involved phishing
    • Human error accounted for 22%
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware had a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR with 18% of organisations reported blocking at least one piece of ransomware last year.

REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from a law firm 'Grubman Shire Meiselas & Sacks'. With 756 gigabytes of personal data, emails, and contract details were taken, including Lady Gaga, Madonna, Elton John, Barbara Streisand, Bruce Springsteen and Mariah Carey to name a few. 

Pitney Bowes was hit with ransomware for the second time in 7 monthsPitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential if Pitney Bowes does not pay up.

Amazon's UK website was defaced with racist abuse,  which appeared on multiple listings on its UK website. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter, Amazon said: "We investigated, removed the images in question and took action against the bad actor".

LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

    Tuesday, 19 May 2020

    Passwords are and have always been an Achilles Heel in CyberSecurity

    LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

    Quotes
    “I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

    "There is no silver bullet with password security, but MFA comes close, it significantly reduces the risk of account compromise"

    "The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

    "Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

    "As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

    "The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."

    "Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts breakdown the steady stream of data into actionable intelligence, reducing workload and false-positive errors"

    "When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"