Cyber Security Roundup for November 2016

Several major UK household brands made the headlines for wrong reasons following cyber attacks in October. Tesco Bank refunded £2.5 million to over 20,000 of its customers after Tesco Bank account credentials were hacked and account funds were stolen. Mobile giant ‘Three’ said 6 million of its customer’s personal data records could be at risk after hundreds of new mobile phones were stolen following the hack of a Three employee account. The National Lottery disclosed 26,500 of its online customer accounts had been accessed by hackers, leading to three arrests. Elsewhere a 17 year old pleaded guilty to taking part in the recent TalkTalk hack.

The next evolution of ransomware has arrived with a new variant called Ransoc, and it's pretty nasty. The malware scans internet history, social media accounts, Skype and photos, and then uses any found illegal, embarrassing and sensitive information to threaten the victim’s reputation should a payment not be sent. 

It turns out locked computer desktops aren’t as safe as you might think after a security researcher Samy Kamar released details of new attacking method called PoisonTap. Samy is famous for hacking MySpace with a worm way back in the day, I had the pleasure of meeting him a few years ago - An Evening with Samy, creator of the Samy MySpace Worm. In simple terms PoisonTap works by plugging a £4 Raspberry Pi Zero computer configured with hacking tools into a USB port, forcing the USB port to act as a network port, the tool is able to eavesdrop non-encrypted network traffic and steal web sessions from web browser sessions running in the background on PCs and Apple Macs, despite the desktop being locked with password protection. Samy released the source code for PoisonTap on Github, and I intend to create a PoisonTap tool for myself in the next few days.

News

• Tesco Bank Hack: £2.5m refunded to 20,000 Customers
• Dark web hackers boast of Tesco Bank thefts
• Boasts preceded hack of Tesco Bank, report
• Tesco would face fines of up to £1.9bn under GDPR for breach
• Three Data Breach Cyber Hack: Six Million Customers Data at Risk
• The National Crime Agency is investigating the breach
• National Lottery Hack: 26,500 Players' Online Accounts Accessed
• Financial Conduct Authority rapped for Lack of Cyber Experts on Board
• Lincolnshire NHS Trust Operations cancelled after Cyber Attack
• Capgemini Leaks 780,000 Michael Page Job Candidate CVs
• UK iPhone users hit by large scale Smishing Campaign
• 17-year-old pleads guilty to offences linked to TalkTalk Hack
• European Commission gets DDoSed
• Hackers hit San Francisco transport Systems
• Bruce Schneier: ‘The internet era of fun and games is over'
• Microsoft release 6 Critical Patches for Windows, Edge, IE, Video Control & Flash

Awareness, Education and Intelligence

• NIST Releases CyberSecurity Guide for Small Businesses
• New Ransomware Variant Extorts your Reputation rather than Money
• PoisonTap: £4 Tool which can hack locked PCs via a USB Port
• YouTubers sell Phishing Kits in Plain View
• Cerber Ransomware: Now with Database Encryption
• Facebook spam caught delivering Locky Ransomware

Reports

• Norton Cyber Security Insights Report: 75% Click Links or Open Malicious Attachments