Thursday 31 August 2017

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones, much embarrassment could have been avoided if they had adopted multi-factor authentication on the accounts, aside from the spate of Instagram hacks which were caused by the exploitation of a software vulnerability, namely within Instagram's API.

In what looks like a follow on from the UK's Parliament's email brute force email account attack in June, the Scottish Parliament was hit by a very similar cyber attack, it was reported, as per the Westminister attack, many SMPs were found to be using weak passwords. Let's hope the Welsh Assembly have taken note and have learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found to be spreading malware by a security researcher. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps in the avoidance of anti-phishing and spam filters.

On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPeyta badly affected its ability to deliver hundreds of thousands of items, particularly within in the Ukraine. And Digital Shadows reported a trend in cyber criminals dropping Exploit kits for Ransomware, as there is simply a lot more money to be made out of ransomware attacks.

On the critical security patching, Microsoft released 25, Adobe released 43, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on Cyber Resilience worth reading.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Wednesday 30 August 2017

Up to 2 Million CeX Customer Accounts Compromised by Security Breach

If you are a CeX online customer, change your account password now, as the second hand UK goods chain has been informing over two million of its customers their personal details have been hacked. In a customer email CeX discloses they have been the subject of a security breach by a third party, and that's about as much detail as CeX are presently admitting about the cyber attack at the moment.

Despite the CeX email referring to a "sophisticated breach of security" without any further detail about what happened, it is impossible to judge whether it was actually a sophisticated cyber attack or not. Rather oddly CeX have not forced a password change on their compromised customer accounts despite admitting account passwords were at risk.  

My CeX Customer Advice
  • Change your CeX password straight away. Ignoring the CeX website advice of using a 6 character password, which is too weak - see the Account Password section of this post below.  Alternatively you could also close your CeX account through the website
  • If you have used your old CeX password on any other websites, change those account passwords quickly. 
  • Be vigilant for personalised scam emails from CeX, given cyber criminals might have your email address and know you are a CeX customer.
  • Review your Credit Card statement and Bank Statements for suspicious activity. Note CeX might have put your bank account details and BitCoin address at risk/

Data Compromised
CeX have not been too clear on detailing the customer account data that is at risk, stating  "The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied". And "In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."   

Reviewing a CeX website account suggests the following customer account personal data is at risk:
Email Address
BitCoin Address
Full Address
Bank Details - Account Holder Name, Sort Code, Account Number, Roll Number
Phone Number

It is concerning CeX refer to storing debit/credit card details past their expiry dates - why? CeX also appear to be glossing over the significance of compromised customer debit/credit card details in stating " We would like to make it clear that any payment card information that may have been taken, has long since expired".  A rather misleading statement given some payment card issuers use the debit/credit card number when reissuing new cards, and the new expiry date is guessable. Given that statement, you  have to wonder whether the CeX operation was secure enough to handle debit/credit card data, are CeX PCI DSS compliant.? Payment Card Industry Data Security Standard compliance is required for all organisations which process, store and/or transmit debit/credit card details, no PCI DSS compliant organisation ever been successfully breached.

Account Password
CeX also states the account passwords were not been stored in plain text, but have not advised how the passwords were protected. For instance, whether passwords were stored using a unique value (salt) together with the password before being scrambled with an industry recognised one-way hashing algorithm (adequate security protection), or by just using the hashing algorithm on the password (inadequate security protection). 
Change your CeX password

CeX recommends a 6 character password or longer on their website's password change process which is too weak. CeX customers should avoid setting that minimum 6 character strength, go for an at least 8 character password consisting of at least one number, one upper case character, one lower case and one special character (i..e #!"£$%^&). I recommend using a password manager (see advice on https://www.itsecurityexpert.co.uk) to generate a unique and secure random password of at least 12 characters to really be on the safe side.

By the CeX requires you know your old password in order to change it, so you'll have to hope the hacker hasn't changed your password.

CeX also has a "Cancel Your Account Option" which I assume will remove all personal data from CeX, customer's could submit a Data Subject Access Request to CeX after account closure to be certain.

Breach Recovered and Fixed?
CeX say "Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.", however, without any detail about the hack and the new measures put in place, this statement provides little assurance to CeX customers. The following statement also skirts what customers want to know  "additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening ". If this cyber attack turns out not to be sophisticated, CeX can expect heavy criticism by a more cyber entitled media, and interest from the Information Commissioner's Office for violating the Data Protection Act.

CeX Email
Dear Customer,
We are writing to inform you that unfortunately we have recently been subject to an online security breach. We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you. We also want to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.
The situation
As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised. This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.
Please note, we did not have any card data stored for your account. We ceased storing customer card details in 2009.
What we’ve done about it
This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.
What we suggest you do?
  • Although we have put in place additional security measures, we recommend that you change the password for your webuy online account.
  • If you used the same password elsewhere, we also suggest that you change your password for those accounts.
Further details on this issue are provided in a Q&A below. If you have additional questions, please email us at: guidance@webuy.com where we will be compiling the most frequently asked questions, which will then be updated via uk.webuy.com/guidance
We apologise for inconvenience this may cause.
Yours sincerely,
David Mullins
Managing Director


Questions & Answers
How much data has been compromised?
As a precautionary measure we are contacting up to two million of our registered website customers who could potentially be affected.
Does this affect in-store membership personal information?
We have no indication that in-store personal membership information has been compromised.
What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.
What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.
What has happened to the data that has been compromised?
We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.
What should I do?
We advise that you change your webuy.com password, as well as any other online accounts where you may share the same password, as a precautionary measure.
Why do I need to change my passwords?
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.
Can customers find out exactly what data has been shared about them?
At this stage, it is not possible for us to share this information as we are still undergoing an investigation. At this stage, we are alerting all customers who might have been affected as a precaution.
What security do you have in place to protect this data?
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.

Tuesday 8 August 2017

Cyber Security Roundup for July 2017

Apologises for the delay in this month's Cyber Security Roundup release, I been away on holiday and taking a breach for monitor screens and keyboards for a couple of weeks.

The insider threat danger manifested at Bupa where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported both to the FCA and the ICO, it remains to be seen if the UK government bodies will apportion any blame onto Bupa for the data loss. 

The AA was heavily criticised after it attempted to downplay a data compromise of over 13 gigabytes of its data, which included 117,000 customer records. The AA’s huge data cache was incorrectly made available online after an AA online shop server was “misconfigured” to share confidential data backup files.

A customer databreach for the World Wrestling Entertainment (WWE) should serve as a stark warning for businesses to adequately assure third parties and to secure hosted cloud systems. Three million WWE fan records were compromised after a third party misconfigured a cloud hosted Amazon server used by the WWE online shop.

The aftershock of Peyta \ NotPeyta rumbles on with, with malware still reported as disrupting firms weeks after the attack. There there are claims the mass media coverage of the attack have improved overall staff cyber security awareness.

It was found that over 1.6 million NHS patient records were illegally provided to Google's artificial intelligence arm, DeepMind, without patient concern meant the NHS and Google have breached the Data Protection Act.

A 29 year old British hacker named as Daniel K, but better known by his hacker handle "BestBuy" or "Popopret" admitted to hijack of 900,000 Deutsche Telekom routers in Germany after he was arrested at Luton airport in February. He said he made "the worst mistake of my life" when he carried out a failed attack in November for a Liberian client who paid him 8,500 Euros to attack the Liberian's business competitors. BestBuy used a variant of the Mirai malware to take advantage of a security vulnerability in Zyxel and Speedport model routers which were used by Germany Internet Service provider, with his intention to increase his botnet, and so the scale of DDoS attacks he could perform on behalf of clients.

A document from the National Cyber Security Centre (NCSC) was obtained by Motherboard and was verified by the BBC with NCSC as being legitimate. The document states some industrial software companies in the UK are "likely to have been compromised" by hackers, which is reportedly produced by the British spy agency GCHQ. The NCSC report discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.

UniCredit Bank had over 400,000 customer loan accounts accessed through a third party. This is the second security breach at the Italian bank in a year.

Finally this blog was awarded with the Best Technology Blogs of 2017 by Market Inspector and by Feedspot this month.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Monday 7 August 2017

New Awards

I've been away on holiday in sunny Bulgaria for the last couple of weeks and working on a few articles for IBM, delaying my monthly security roundup post this month. While away I was proud to learn the blog and website had been given a couple of awards. 

Best Technology Blogs of 2017 by Market Inspector and an award by a panel at Feedspot. I'm not usually one for bleating on about awards as that's not the reason I started writing the blog over ten years ago, so lets put this rather narcissistic post down to having too much sun on my hols!
Best Technology Blogs 2017