Cyber Security Roundup for January 2017

Lloyds Banking Services were hit by a massive 3-day long DDoS attack in mid-January, impacting millions of Lloyds, Halifax and Bank of Scotland customer’s ability to conduct online and mobile banking. Lloyds weren't the only UK business hit with a major DDoS attack in January, web hosting firm 123-Reg was taken down by another large DDoS attack. It seems major DDoS attacks are set to continue in 2017, their scale and capability fuelled by the rise of insecure IoT devices popping online. I think large scale DDoS attacks will be a major menace to the UK national and financial infrastructure for the years to come. 

For the first time 'Cyber Crime' statistics were included in the England and Wales crime survey, with over 3.6 million fraud cases and over 2 million computer misused offences recorded in 2016, which is more than the typical 'physical world' recorded crime. It is worth considering that not all cybercrime is reported in England and Wales, in my view the majority of UK cybercrime isn't reported.

The latest Beazley Breach Insights Report predicts the number of Ransomware attacks will double again in 2017, and UK schools are the latest sector to become victims of Ransomware. With the growing ransomware threat in mind, the Malware Hunters Team produce an interesting breakdown of a new ransomware strain called FireCrypt this month, well worth a look if you are interested in how the bad guys create, evolve and use ransomware tools.

There are lessons for the UK call centre industry to learn from a US telemarketing firm, which had a database of 400,000 call recordings reportedly breached. These voice recordings were said to hold personal information and more concerningly debit/credit card information. This breach is a reminder of the importance of adequately securing call recording data with call centres, and of the Payment Card Industry Data Security Standard (PCI DSS) industry regulation requirement 3.2, which states debit/credit card “3 or 4 digit security codes”, known in the industry as Sensitive Authentication Data, is never permitted to be recorded or stored beyond the authorisation of the card payment transaction. This is a PCI DSS requirement that far too many UK call centre businesses turn a blind eye to. This strict requirement is there for a reason, as if fraudsters get hold of credit/debit card data with the 3/4 digit security code, they can instantly commit fraud without having possession of the customer's payment card.

News

• Lloyds Online Banking Services taken down by Huge 3 day DDoS Attack
• Yahoo sale delayed following Security Breaches
• 3.6 Million Fraud Cases & 2 Million Computer Misuse offences a year - UK Crime Survey
• UK’s Largest Hosting Firm 123-Reg hit by DDoS Attack
• Fraudsters demand £8000 from UK Schools to Unlock Encrypted Data
• Royal & Sun Alliance fined £150K after Hard Drive Loss
• US Telemarketing Firm Leaks 400K Call Recordings, some containing Payment Data
• Thousands Warned they may be Victims of Rogue Webmaster
• Phone-Cracking Firm Cellebrite Hacked
• Microsoft release 1 Critical Patch for Adobe Flash Player
• WordPress updated to fend off SQL and XSS bugs
• Mozilla issues five critical patches for Firefox and Firefox ESR

Awareness, Education and Threat Intelligence

• Overview of the new FireCrypt Ransomware
• Zeus malware resurfaces as Zbot/Terdot, integrates legitimate apps

Reports

• KPMG Fraud Barometer Report - Leap in Cyber-Crime Court Case load in UK
• Ransomware Attacks will double in 2017 - Beazley Breach insights Report
• Tripwire Report: UK’s CyberSecurity Skills Shortage Gap Ranks 2nd Worst Worldwide

Cyber Security Roundup 2016: The Year of the Big Data Hack

A decade ago I was walking into Boardrooms clutching newspaper clippings of half dozen data breaches which had occurred during the previous years, in a bid to warn of future threats and to persuade executives to increase their information security budgets. Those days are long gone, as most executives I encounter tend to be already worried about the cyber threat to their business, all reinforced by the mainstream media which today reports hacks most days.

"Big Data" is a recent marketing buzzword used to usher in the age of businesses utilising the vasts amount of data which they process and store for increasing efficiently and profit. The problem is much of this "Big Data" is our personal data, and there are cyber criminals also seeking to profit from it. So here we are in the era of "Big Data Hacks", which sums up 2016 quite well.

I have compiled a list of media headlines of data breaches in 2016 below, the volumes involved with these data theft hacks are truly mind–boggling. Yahoo on their own had 1.5 billion personal records stolen in two cyber attacks. It isn't necessary that stealing digital text data in such volumes is difficult, but have to wonder about what level of IT security was in place to protect such large volumes of personal data in the first place.

DDoS attacks continued to grow in strength in 2016, thanks to the explosion of the Internet of Things, with hackers creating huge DDoS botnets from insecure and rushed IoT devices, which frankly have no business of being sold and placed online with default passwords and basic software vulnerabilities.

2016 was also the year Ransomware made a huge comeback. The UK public sector seems particularly vulnerable to ransomware infections, with cyber criminals making millions by evolving various strains of ransomware and catching victims out with the age old infection techniques of phishing emails, malware infected websites and trojan software.

In 2017 we can expect to see more Big Data hacks and huge IoT fuelled DDoS attacks. Ransomware isn't going to go away either, however I am most concerned we'll see our first IoT attack which results in physical world damage and human harm in 2017.

Personal Data Theft and Data Breaches in 2016

• Yahoo Hack: 1 Billion User AccountsCompromised by biggest Data Breach in History
• KFC's Colonel Club Hacked, 1.2 Million advised to Change Passwords
• DailyMotion breached, 85 Million Accounts Stolen
• LinkedIn’s Lynda.com breached, 55,000 user password reset, 9.5 Million Users Warned
• Star Wars card firm Topps hit by 'unforgiveable' Hack
• Three Data Breach Cyber Hack: Six Million Customers Data at Risk
• National Lottery Hack: 26,500 Players' Online Accounts Accessed
• Capgemini Leaks 780,000 Michael Page Job Candidate CVs
• Hackers steal 43 million credentials from Weebly
• Yahoo Hit in Worst Hack Ever, Over 500 Million Accounts Stolen
• Dropbox Hack 'affected 68 Million users'
• 200 Million Yahoo user credentials for sale on Dark Web
• Tesco Bank Hack: £2.5m refunded to 20,000 Customers
• Epic Games Forums Hacked with SQL Injection, over 800,000 User Credentials Stolen
• Telegram API flaw leaks 15 Million Iranian users' Data
• Hackers exploit vBulletin SQL Flaws to access 27M accounts on 11 Websites
• 1.6m ‘Clash of Kings’ forum accounts Stolen
• Over 750,000 Warframe Accounts Compromised
• O2 Customers' details sold on the Dark Web
• 'Significant' number of TeamViewer accounts Hacked
• 32 Million Twitter Logins found up for Sale
• Welsh Police fined £150,000 by ICO after revealing Sex Offender Identities in Error
• 117 million LinkedIn Email Credentials found for Sale on the Dark Web
• Email Error Leaks Hundreds of Northern Ireland Prison Officer Details
• World-Check Terrorism Database Exposed Online
• Chelsea & Westminster Trust fined £180K after email reveals over 700 HIV Patients
• ICO Fines Blackpool NHS Trust £185,000 for leaking staff data via Excel Error
• Kent Police fined £80k for serious Domestic Abuse Data Breach
• 272 Million email Account Credentials found on the Dark Web
• MySpace and Tumblr hit by 'Mega Breach'
• National Childbirth Trust suffers major Data Breach
• Personal Details of 50 million Turkish Citizens Leaked Online
• Huge data breach leaves details of 55 million Filipino voters exposed
• 93.4 million Mexican voters exposed in massive Database 
• Leak BeautifulPeople.com hack exposes data of 1.1 million users
• Cyber Criminals 'Hacked Law Firms'

Cyber Security Roundup for December 2016

Yahoo announced the largest ever data breach in history, with over 1 billion Yahoo user accounts compromised by a past cyber attack, which I covered in Yahoo's Mind-blowing One Billion Data Theft Hack. This truly humongous data hack is distinct from the 2014 breach of 500 million accounts reported by Yahoo in September. Elsewhere KFC, Topps, The Daily Motion and LinkedIn’s Lynda.com also reported large customer data breaches of millions of records during December. 

We need to be mindful of never to "get use to" and accepting these massive numbers of hacked online accounts, by businesses we entrust with our personal information, especially where these businesses have been found 'wanting' on the cyber security defences by under investing. The old spin doctor excuses of indefensible super hacks orchestrated by sophisticated nation-state backed dark forces tends not to stand up once the facts are uncovered. There is nothing sophisticated about teenage kids using freely downloadable software to take advantage of decade old and basic security vulnerabilities.

The media and security experts continues to pour scorn on TalkTalk’s cyber security, following the firm’s poor handling and customer advice after a cyber attack of unpatched TalkTalk customer broadband routers.

ThyssenKrupp, a large German steel maker firm, disclosed it was a victim of cyber intellectual property (IP) theft. Businesses rarely admit to IP data theft given such admissions can serious harm the business's reputation and share price. Given the high media and public attention in protecting personal data from cyber attacks, following a year of high profile large customer record losses due to cyber attacks, it can be easy for businesses to take their eye off protecting their IP, and to become complacent with IP protection and security.

I was quoted in the Focus Training's Blog. An 'Ask the Experts' piece on 'How to Protect your business from Cyber Crime', my advice was as follows.

There was a Christmas bumper of patch releases in December, with Microsoft, VMWare, Joomla, PHP and Android all releasing patches for critical vulnerabilities.

News

• Yahoo Hack: 1 Billion User AccountsCompromised by biggest Data Breach in History
• KFC's Colonel Club Hacked, 1.2 Millionadvised to Change Passwords
• DailyMotion breached, 85 Million AccountsStolen
• TalkTalk and Post Officerouters taken offline by Cyber Attack
• TalkTalk's Wifi Hack advice is'astonishing' Customers urged to get Routers Swapped
• German Steel firm's IP stolen in Massive CyberAttack
• European Banking Breach guidelines moreStrict than EU GDPR
• Ashley Madison forced to pay £1.3m forDeceptive Security Practices
• LinkedIn’s Lynda.com breached, 55,000 userpassword reset, 9.5 Million Users Warned
• Insurers handling 'Hundreds' of Breach Claims
• Domino'sPizza advises Customers to change their Passwords
• Star Wars card firm Topps hitby 'unforgiveable' Hack
• Ask The Experts: How to Protect Your Business From Cyber Crime
• Microsoft release 6 Critical Patches for Windows, Edge, IE, Office & Adobe Flash Player
• Skype Backdoor missed by Microsoft Development Team
• Android Dirty Cow flaw is Finally Patched (CVE-2016-5195)
• Joomla flaw allows Attacker to Change passwords and Seize Websites
• 3 Critical PHP 7 Flaws Detected and Patched
• VMware fixes stored XSS vulnerability in ESXi Hypervisor

Awareness, Education and Intelligence

• Over 400,000 Phishing websites have been detected Each Month in 2016
• Hailstorm Methods used to spread Malware in Phishing Attacks

Reports

• Critical Infrastructure Technology Report:Mirai 'is just the Tip of the Iceberg'
• UK Identity Fraud on the Rise