Scan your app to find and fix OWASP Top 10 - 2017 vulnerabilities

Following the updated release of OWASP Top Ten (2017), I have updated my IBM developerWorks article "Scan your app to find and fix OWASP Top 10 - 2017 vulnerabilities", which was released on the IBM Developer Works website today

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patches releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything IT to ensure you and your business stays ahead of enterprising cybercriminals, the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw Open Web Application Security Project (OWASP) finally released an updated version to its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.

NEWS

• Uber paid off Hackers to delete the Stolen Data of 57 Million People
• OWASP Top Ten 2017 Released: App Development Best Practice & Top Vulnerabilities
• Equifax's Net Income down £20m and £67m Costs Post Data Breach
• Jewson tells Customers their Data may have been Stolen
• Cash Converters hit by Security Breach
• Web Analytics may Jeopardise User Information and GDPR Compliance
• US charges members of elite Chinese Hacking Unit APT3
• Imgur Discloses years-old Data Breach that Compromised 1.7 Million Users
• Hackers 'fool' iPhone X Face ID with a Simple Mask
• Tether Crypto-Currency Operator Reports $31m Raid
• Microsoft releases 20 Critical Security Updates for IE/Edge, Office, & Windows
• Adobe releases fixes for 83 Security Vulnerabilities in Acrobat and Flash
• Apple Addresses KRACK exploits in iOS and macOS Updates, and an Emergency Patch
• Cisco: Critical Vulnerability in 12 types of Voice OS-based Products
• Oracle issues emergency patch for JoltandBleed bug in Tuxedo Middleware
• Windows, Mac and Linux all at Risk from Flaws in Excel File Reader Library
• US CERT issues warning on ASLR vulnerability in Windows 8 & 10
• Intel Management engine Vulnerabilities Expose Millions of PCs to Attack

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• APT28's latest Word doc Attack Eliminates needing to Enable Macros
• DDoS attacks have doubled in the six months, up 91% in the First Quarter of 2017
• New Mirai variant back on the Radar after New Exploit Code Published
• Cobalt Malware leverages recently Patched 17-year-old Microsoft Flaw

REPORTS

• Akamai Q3 State of the Internet Security Report: WebApp Attacks up 69%

Cyber Security Roundup for October 2017

State-orchestrated cyber attacks have dominated the media headlines in October, with rogue state North Korea and its alleged 6,800 strong cyber force blamed for several cyber attacks. International intelligence scholars believe the North Korean leadership are using cyber warfare to up the political ante with their ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent NHS WannaCry attack (despite North Korea denying it). North Korea was also reported to be implicated in the stealing US War Plans from South Korea, and for a spear phishing campaign against the US Power Grid. The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story not going away, while the Chinese are alleged to be behind the data theft of Australian F-35 fighter jet, in what is described as an 'extensive' Cyberattack. The finger was pointed at Iran for the recent Parliamentary Emails cyber attacks in the UK, meanwhile, EU governments venting their cyber concern, warning that Cyber Attacks can be an Act of War.

Stephen Hawking caused controversy in both the science and tech industry last year when he said Artificial Intelligence could be a serious threat to human existence, could the plot of The Terminator really come to fruition? Perhaps so, as it was reported that AI had already defeated the Captcha Security Check system. Personally, I believe both AI and Quantum Computing will pose significant new threats to cybersecurity space in the next decade.

A far higher number of personal records were compromised in the Equifax data breach than was previously thought, with millions of UK citizens confirmed to be impacted by the US-based credit checking agency hack. Equifax’s now ex-CEO provided an interesting blow-by-blow account of the cyber-attack at a US government hearing, even though Equifax technical staff were specifically warned about a critical Apache Struts (web server) patch, it was ignored and not applied, which in turn allowed hackers to take full advantage of vulnerability to steal the Equifax data on mass. To make matters even worse, the Equifax consumer breach help website was found to be infecting visitors with spyware.

Yahoo revealed all 3 Billion of its user accounts had in fact been breached, in what is truly an astonishing mammoth sized hack, biggest in all history, so far. Elsewhere on the commercial hacking front, Pizza Hut's website was reported to be hacked with customer financial information taken, and Disqus said a 2012 breach it discovered in October exposed the information of 17.5 million its users from as far back as 2007.

It was a super busy month for security vulnerability notifications and patch releases, with Microsoft, Netgear, Oracle, Google, and Apple all releasing rafts of critical level patches. A serious weakness in the wireless networking WPA2 protocol was made public to great fanfare after researchers suggested all Wifi devices using WPA2 on the planet were vulnerable to an attack called Krack, which exploited the WPA2 weakness. Krack is a man-in-the-middle attack which allows an attacker to eavesdrop or redirect users to fake websites over Wifi networks secured using the WPA2 protocol. At the time of writing most wireless access point vendors and operating system providers had released patches to close the WPA2 vulnerability, and there have been no known exploits of the vulnerability reported in the wild.

BadRabbit is a new strain of ransomware which is emerging and is reported to be infecting systems and networks in Russia and the Ukraine at the moment. BadRabbit is the latest network self-propagating malware, like NotPeyta and WannaCry, to use the NSA EternalRomance hacking tool. A massive new IoT botnet was discovered, its continued growth is fuelled by malware said to be more sophisticated than previous IoT botnet king, Mirai. Russian based threat actor group APT28 is said to be targeting the exploitation of a recently patched Adobe vulnerability (CVE-2017-11292), in using a malicious Microsoft Word attachment, so ensure you keep on top of your system patching and always be careful when opening email attachments. 

Finally, the UK National Cyber Security Centre (NCSC) released its first annual report, as it seeks to improve cybersecurity across the UK. Among NCSC achievements cited in the report are:

• The launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
• Led UK response to WannaCry
• Advice website with up to 100,000 visitors per month
• Three-day Cyber UK Conference in Liverpool
• 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
• Produced 200,000 physical items for 190 customer departments via UK Key Production authority to secure and protect communications of Armed Forces and national security
• 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
• Worked with 50 countries, including signing Nato's MoU

NEWS

• Equifax Data Breach Scale Increased / Caused by not Patching Apache Struts
• Equifax Credit Assistance Website Infected with Spyware
• NHS Cyber 'WannaCry' Attack Could Have Been Avoided With 'Basic' Security - NAO
• Yahoo Reveals all 3 Billion of its User Accounts were Breached
• Russian Hackers used Kaspersky software to gain info on U.S. Intel
• North Korea behind NHS WannaCry Attack after stealing US Cyber Weapons - Microsoft
• WannaCry: North Korea Denies Involvement in Ransomware Attack 
• North Korea Hacked South's Secret Joint US War Plans
• North Korea Spear Phishing Campaign aimed at U.S. Power Grid
• Data on Australia F-35 fighter jets stolen in 'Extensive' Cyberattack
• Indian Government and Corporate Credentials found for sale on the DarkNet
• Hackers breached Pizza Hut website, Stole Financial Info of Customers
• Websites Hacked to Mine Crypto-Cash
• Artificial Intelligence Smart Enough to Fool the Captcha Security Check
• Cyber-Attack Threat as important as Fighting Terrorism says GCHQ
• Disqus Breach Exposed Info on 17.5M between 2007-2012
• EU Governments to warn Cyber Attacks can be an Act of War
• Iran is being blamed for a cyber-attack against Parliamentary Emails
• Heathrow Investigates after Security and Anti-Terror Data found on USB stick
• Vulnerabilities in WiFi WPA Protocol - Krack Attack
• Microsoft release 28 Critical Security Updates for IE/Edge, Office, JET, Skype & Windows
• Oracle patches 252 bugs, increase in E-Business Suite and PeopleSoft flaws
• Netgear Patches 50 Vulnerabilities, 20 rated as High Risk
• Google Patches 7 Flaws in Dnsmasq
• Apple issues New Security Update for macOS High Sierra
• No Adobe Patches this Month

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• BadRabbit: Latest Malware using the NSA Hacking tool EternalRomance to Propagate
• APT28 joins BlackOasis in exploiting latest Adobe Flash Vulnerability
• Massive IoT Botnet Infects over 1 Million Organisations: More Sophisticated than Mirai

REPORTS

• NCSC First Annual Review: 1,131 Cyber Attacks Reported
• DDoS 2017 Report: Dangerous Overconfidence

How to start a Career in Cyber Security

I received an infographic by cybersecurityjobs.net on the top ten tips on landing a cyber security job, I  thought it provided excellent advice for budding cyber security professionals looking to gain a foothold. 

There is a considerable shortage of experienced cyber security professionals in the UK, but starting out in cyber security is a 'chicken and egg' scenario, in that it can be difficult to land a cyber security job without having the experience, but you can't get the necessary experience without being in a dedicated cyber security role. 

If you are struggling to get into the industry I recommend initially specialising in a specific area of security, undertake training and gain qualifications. Be patient, expand upon your areas of knowledge and experience, working your way up in different roles to your dream cyber security job. Dream big, but think small.

Krack WiFi Attack: Vulnerabilities in WPA2 Protocol

All Wi-Fi connections are potentially vulnerable to a newly discovered security attack called "Krack", which allows an attacker to listen in on internet traffic (a Man-in-the-Middle Attack) over a wireless network. 

In theory, a hacker could read your web and email communications, and even inject malware like ransomware onto your device. Krack takes advantage of unpatched Apple, Android, and Windows operation systems, while unpatched Wi-Fi access points can be manipulated to orchestrate the man-in-the-middle attack.

The sky is not falling in on WiFi, this is not like the WEP protocol situation of many years ago, WEP is a security protocol fundamentally flawed by design, WPA2 encryption is not broken, the software that uses it needs to be corrected to secure it. Wireless Access Points (APs) and operating systems that use WPA2 are (or soon will be) patchable, which protects them from this attack.

For a video demo of the attack see - https://www.krackattacks.com/#demo 

For the full technical details of the WPA2 flaw and attack method see - https://papers.mathyvanhoef.com/ccs2017.pdf

Wireless Usage Advice

• Make sure your laptop operating system has the very latest security updates patched (always) i.e. Windows, Linux, Mac. Microsoft said they have already patched Windows systems, but at this time have not confirmed details about which patch it was. Several Linux distributions have released patches for the flaw.

• Make sure your smartphone and tablet devices have the latest security updates patched, especially Android devices, and Apple, and Windows (if anyone still uses it)

• As always, if you are going to use public WiFii networks, my first suggestion is to avoid using public WiFi, but if you are, use VPN software. Using a secure VPN will protect you against "Krack exploited" public WiFi access points, regardless of patching and whether AP is exploited. Failing that, if you like to take risks with your personal and confidential information, as a very last resort ensure you use "https://" websites only, and be extra vigilant the "https://" do not revert to "http://".  If it does, it is a clear sign of a compromised wireless network and of your connection to it.

Preventing Your Wireless Access Point from being Exploited

Wireless Access Points (AP) firmware versions are presently being updated and released to fix this WPA2 flaw, apply them with they are released - see https://www.kb.cert.org/vuls/id/228519/. AP firmware patches are often missed, as routers updates tend not to be applied automatically.

Cyber Security Roundup for September 2017

A massive data breach at Equifax dominated the UK media finance headlines this month, after 143 million customer records were compromised by a cyber-attack, 400,000 of which were UK customer accounts. Hackers took advantage of Equifax’s negligence in not applying security updates to servers. The data breach has already cost the CEO, CIO and CISO their jobs. In the UK Equifax faces investigations and the prospect of significant fines by both the Financial Conduct Authority and the Information Commissioner's Office over the loss of UK customer financial and personal data respectively.

Hackers stole a quarter of a million Deloitte client emails, follow the breach Deloitte was criticised by security professional for not adopting two-factor authentication to protect the email data which they hosted in Microsoft’s Azure cloud service.

September was an extremely busy month for security updates, with major patches releases by Microsoft, Adobe, Apache, Cisco and Apple to fix an array of serious security vulnerabilities including BlueBorne, a Bluetooth bug which exposes billions of devices to man-in-the-middle attacks.

UK government suppliers using Kaspersky to secure their servers and endpoints may well be feeling a bit nervous about the security software after Kaspersky was banned by US Government agencies. The US Senate accused the 20-year-old Russian based security company as being a pawn of the Kremlin and posing a national risk to security. Given the US and UK intelligence agency close ties, there are real fears it could lead to a similar ban in the UK as well. A UK ban could, in theory, be quickly extended to UK government suppliers through the Cyber Essentials scheme, given the Cyber Essentials accreditation is required at all UK government suppliers.

While on the subject of the Russia, the English FA has increased its cybersecurity posture ahead of next year's World Cup, likely due to concerns about the Russian Bears hacking group. The hacking group has already targeted a number of sports agencies in recent months, including hacking and releasing football player's world cup doping reports last month. 

In the last couple of weeks, I was Interviewed for Science of Security, and I updated my IBM Developer Works article on Combating IoT Cyber Threats.

NEWS

• Equifax Data Breach: 143 Million Records Stolen, including 400,000 UK Customers
• Deloitte hit by Cyber Attack Revealing clients’ Secret Emails
• Kaspersky software banned from US Government Agencies
• Avast CCleaner used to Spread Backdoor to over Two Million Users
• NSA Cryptography Proposal Rejected by Allies
• Thousands of Amazon AWS Instances Host C&C Servers for POS Malware
• FA increases Cyber Security over World Cup 2018 Hacking Concerns
• Lenovo fined over Superfish Adware-Ridden Laptops
• 20% of Manchester Police computers at Risk of Ransomware - using XP
• BlueBorne: Billions of Bluetooth devices Vulnerable to MITM Attacks
• Apache Struts alters API code, Patch Critical Remote Code Execution Flaw
• Microsoft release Critical Security Updates for IE/Edge, Office, .NET, Skype & Windows
• Adobe Releases Fixes for 43 Critical Security Vulnerabilities in Acrobat and Reader
• Cisco patches remote code execution flaws in IOS and IOS XE
• Bashware Vulnerability could put 400 million Windows systems at Risk
• Joomla 3.8 Patches eight-year-old Credential Stealing Flaw
• Apple Patches a potentially Critical Vulnerability with iOS 11.0.01 Update
• Apple iOS 11 makes it harder for Law Enforcement to Access Data

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Dragonfly APT Group Targeting Power Facilities
• SynAck Ransomware Attacks on the Rise - Active £325k Bitcoin Wallet
• Locky Ransomware back in Huge Spam Campaign; New Variant Escapes Sandbox
• Phishers Target LinkedIn users via Hijacked Accounts
• NIST Guidelines for Ransomware Recovery: Situational Awareness Vital
• Dolphin Attack could allow Hackers to take over AI Voice Assistants

REPORTS

• 2017 Global Internet Report: Catastrophic Worldwide Attack Feared by Experts

Science of CyberSecurity: Latest Cyber Security Threats

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 5 of 5.

Q. What keeps you up at night in the context of the cyber environment that the world finds itself in?

The growing dependence and integration of connected computers within our daily lives, means we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life integrated emerging technologies, from driverless cars and countless new home IoT devices. I fear it will only be a matter time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning, this cyber attack directly caused the closure of accidental and energy departments and the cancellation of operations. The future threats posed artificial intelligence and quantum computing are also growing concerns for cyber security, and well worth keeping an eye as these technologies continue to progress.

Science of CyberSecurity: What Cyber Security Blogs to Follow

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 4 of 5.

Q. Do you recommend a particular cyber security blog that our readers could follow?

Of course, my own IT Security Expert Blog, and my Twitter accounts @SecurityExpert and @SecurityToday are well worth following.  My two favourite blogs are Bruce Schneier’s blog, Bruce is a true rock star of the industry, and Krebs on Security blog is also an excellent read, Brian provides the behind the scenes details of the latest hacking techniques and data breaches, and pulls no punches with his opinions. Both these bloggers have books that are a must read for budding cyber security professionals as well.

Science of CyberSecurity: Where to get CyberSecurity Science

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 3 of 5.

Q. Where do you go to find your “science” of cybersecurity?

While cyber security controls appear simple to follow in policy statements and best practice guides, the reality is they are not always easy to implement across diverse organisations. When attempting to resolve complex security problems it can be easy for security professionals to lose sight of the goal of cyber security. To keep clarity, I think it helps to strips away the technology from the problem, and learn the security science and lessons from history.  So reading military strategy books like Sun Tzu’s “The Art of War” can improve how you think about and assess the cyber adversaries facing the organisation. Delving into the science of psychology is invaluable when seeking to bring about effective and positive staff security awareness and behavioural changes in the workplace.

Science of CyberSecurity: Reasons Behind Most Security Breaches

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 2 of 5.

Q. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?

Simply put insecure IT systems and people are behind every breach, insecure IT systems are arguably caused by people as well, whether it is poor system management, lack of security design, insecure coding techniques, and or inadequate support, it all boils down to someone not doing security right. For many years seasoned security experts have advocated that people are the weakest link in security, even hackers say ‘amateurs hack systems, professionals hack people’, yet many organisations still focus most of their resources and funds heavily on securing IT systems over providing staff with sustained security awareness. Maybe this is a result of an IT security sales industry over hyping the effectiveness of technical security solutions. I think most organisations can do more to address this balance, starting with better understanding the awareness level and risk posed by their employees. For instance, the security awareness of staff can be measured by using a fake phishing campaign to detect how many staff would click on a link within a suspicious email. While analysing the root causes of past cyber security incidents is a highly valuable barometer in understanding the risk posed by staff, all can be used as inputs into the cyber risk assessment process.

A developer's guide to complying with PCI DSS 3.2 Requirement 6 Article

My updated article on "A developer's guide to complying with PCI DSS 3.2 Requirement 6" was released on the IBM Developer Works website today.

This article provides guidance on PCI DSS requirement 6, which breaks down into 28 further individual requirements and sits squarely with software developers who are involved in the development of applications that process, store, and transmit cardholder data.

Science of CyberSecurity: Thoughts on the current state of Cyber Security

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 1 of 5.

Q. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?

Thanks to regular sensational media hacking headlines most organisational leaders are worried about their organisation’s cyber security posture, but they often lack the appropriate expert support in helping them properly understand their organisation’s cyber risk. To address the cyber security concern, an ‘off the peg’ industry best practice check box approach is often resorted to. However, this one-size-fits-all strategy is far from cost effective and only provides limited assurance in protecting against modern cyber attacks, given every organisation is unique, and cyber threat adversaries continually evolve their tactics and methodologies. In these difficult financial times of limiting cyber security budgets, it is important for the cyber security effort to be prioritised and targeted. To achieve this, the cyber security strategy should be born out of threat intelligence, threat assessing and a cyber risk assessment. This provides organisational leaders with the information to take effective cyber security strategy decisions, and to allocate funding and resources based on a subject matter they do understand well, business risk. Nothing can ever be 100% safeguarded; cyber security is and always should be a continual risk based undertaking, and requires an organisation risk tailored cyber security strategy, which is properly understood and led from the very top of the organisation. This is what it takes to stay ahead in the cyber security game.

Combating IoT Cyber Threats Article

My updated article on Combating IoT cyber threats post released on the IBM Developer Works website today.

This article outlines the best practices for secure coding techniques and security functions that will help development teams to produce resilient IoT applications that mitigate IoT security risks.

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones, much embarrassment could have been avoided if they had adopted multi-factor authentication on the accounts, aside from the spate of Instagram hacks which were caused by the exploitation of a software vulnerability, namely within Instagram's API.

In what looks like a follow on from the UK's Parliament's email brute force email account attack in June, the Scottish Parliament was hit by a very similar cyber attack, it was reported, as per the Westminister attack, many SMPs were found to be using weak passwords. Let's hope the Welsh Assembly have taken note and have learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found to be spreading malware by a security researcher. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps in the avoidance of anti-phishing and spam filters.

On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPeyta badly affected its ability to deliver hundreds of thousands of items, particularly within in the Ukraine. And Digital Shadows reported a trend in cyber criminals dropping Exploit kits for Ransomware, as there is simply a lot more money to be made out of ransomware attacks.

On the critical security patching, Microsoft released 25, Adobe released 43, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on Cyber Resilience worth reading.

NEWS

• Up to 2 Million CeX Customer Accounts Stolen in Hack
• Giant Spambot Scooped up 711 Million Email Addresses to Spread Ursnif Malware
• Scottish Parliament targeted by Email Brute-Force Cyber Attack
• TalkTalk Fined for Poor Staff Monitoring causing a Data Breach of 21,000 Customers
• Instagram Flaw allowed Celebrity Contact Details Stolen by Hackers
• Real Madrid Twitter accounts Hacked shortly after FC Barcelona Account is Breached
• LG hit by WannaCry Ransomware, causing a Two Day Shutdown
• World of Warcraft, Overwatch, Hearthstone and other games hit by DDoS
• Hackers steal nearly £400K from Enigma Virtual Currency ICO Investors
• Anonymous Hacks NHS System, Data of 1.2 Million Patients Allegedly Exposed
• Customers 'furious' with TNT after NotPetya Cyber Attack Meltdown
• Game of Thrones Social Media Hacked in spate of Cyber Attacks against HBO
• Fancy Bears Release Data on Footballers' TUE drug use after New Hack
• Russian Hackers Accused of Spying on Hotels
• Microsoft release 25 Critical Updates to fix flaws in IE, Edge, SQL, Flash & Windows
• Adobe releases fixes for 43 Critical Security Vulnerabilities in Acrobat and Reader
• Drupal Patches Critical Remote Access Bypass Bug  
• Popular Robots are Dangerously Vulnerable and Easy to Hack, Researchers Say

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• SyncCrypt Ransomware able to Sneak Past most Antivirus Defenses
• Major Decline in Exploit Kits due being Less Financially Viable than Ransomware
• SSL Encrypted Malware Doubles this Year, Phishing Over SSL/TLS up 400%
• Malicious PowerPoint slide show files deliver REMCOS RAT

REPORTS

• 2017 Cloud Security Report: Web Application Attacks Account of 73% of Incidents
• Cyber Governance Health Check Report 2017:  68% of boards not trained to handle Cyber Security Incidents
• Article: Microsoft’s perspective on Cyber Resilience

Up to 2 Million CeX Customer Accounts Compromised by Security Breach

If you are a CeX online customer, change your account password now, as the second hand UK goods chain has been informing over two million of its customers their personal details have been hacked. In a customer email CeX discloses they have been the subject of a security breach by a third party, and that's about as much detail as CeX are presently admitting about the cyber attack at the moment.

Despite the CeX email referring to a "sophisticated breach of security" without any further detail about what happened, it is impossible to judge whether it was actually a sophisticated cyber attack or not. Rather oddly CeX have not forced a password change on their compromised customer accounts despite admitting account passwords were at risk.  

My CeX Customer Advice

• Change your CeX password straight away. Ignoring the CeX website advice of using a 6 character password, which is too weak - see the Account Password section of this post below.  Alternatively you could also close your CeX account through the website
• If you have used your old CeX password on any other websites, change those account passwords quickly. 
• Be vigilant for personalised scam emails from CeX, given cyber criminals might have your email address and know you are a CeX customer.
• Review your Credit Card statement and Bank Statements for suspicious activity. Note CeX might have put your bank account details and BitCoin address at risk/

Data Compromised

CeX have not been too clear on detailing the customer account data that is at risk, stating  "The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied". And "In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."   

Reviewing a CeX website account suggests the following customer account personal data is at risk:

Email Address

BitCoin Address

Full Address

Bank Details - Account Holder Name, Sort Code, Account Number, Roll Number

Phone Number

It is concerning CeX refer to storing debit/credit card details past their expiry dates - why? CeX also appear to be glossing over the significance of compromised customer debit/credit card details in stating " We would like to make it clear that any payment card information that may have been taken, has long since expired".  A rather misleading statement given some payment card issuers use the debit/credit card number when reissuing new cards, and the new expiry date is guessable. Given that statement, you  have to wonder whether the CeX operation was secure enough to handle debit/credit card data, are CeX PCI DSS compliant.? Payment Card Industry Data Security Standard compliance is required for all organisations which process, store and/or transmit debit/credit card details, no PCI DSS compliant organisation ever been successfully breached.

Account Password

CeX also states the account passwords were not been stored in plain text, but have not advised how the passwords were protected. For instance, whether passwords were stored using a unique value (salt) together with the password before being scrambled with an industry recognised one-way hashing algorithm (adequate security protection), or by just using the hashing algorithm on the password (inadequate security protection). 

Change your CeX password

CeX recommends a 6 character password or longer on their website's password change process which is too weak. CeX customers should avoid setting that minimum 6 character strength, go for an at least 8 character password consisting of at least one number, one upper case character, one lower case and one special character (i..e #!"£$%^&). I recommend using a password manager (see advice on https://www.itsecurityexpert.co.uk) to generate a unique and secure random password of at least 12 characters to really be on the safe side.

By the CeX requires you know your old password in order to change it, so you'll have to hope the hacker hasn't changed your password.

CeX also has a "Cancel Your Account Option" which I assume will remove all personal data from CeX, customer's could submit a Data Subject Access Request to CeX after account closure to be certain.

Breach Recovered and Fixed?

CeX say "Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.", however, without any detail about the hack and the new measures put in place, this statement provides little assurance to CeX customers. The following statement also skirts what customers want to know  "additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening ". If this cyber attack turns out not to be sophisticated, CeX can expect heavy criticism by a more cyber entitled media, and interest from the Information Commissioner's Office for violating the Data Protection Act.

CeX Email

Dear Customer,

We are writing to inform you that unfortunately we have recently been subject to an online security breach. We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you. We also want to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.

The situation
As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised. This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.

Please note, we did not have any card data stored for your account. We ceased storing customer card details in 2009.

What we’ve done about it
This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.

What we suggest you do?

• Although we have put in place additional security measures, we recommend that you change the password for your webuy online account.
• If you used the same password elsewhere, we also suggest that you change your password for those accounts.

Further details on this issue are provided in a Q&A below. If you have additional questions, please email us at: guidance@webuy.com where we will be compiling the most frequently asked questions, which will then be updated via uk.webuy.com/guidance

We apologise for inconvenience this may cause.

Yours sincerely,

David Mullins
Managing Director

Questions & Answers

How much data has been compromised?
As a precautionary measure we are contacting up to two million of our registered website customers who could potentially be affected.

Does this affect in-store membership personal information?
We have no indication that in-store personal membership information has been compromised.

What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.

What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.

What has happened to the data that has been compromised?
We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.

What should I do?
We advise that you change your webuy.com password, as well as any other online accounts where you may share the same password, as a precautionary measure.

Why do I need to change my passwords?
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.

Can customers find out exactly what data has been shared about them?
At this stage, it is not possible for us to share this information as we are still undergoing an investigation. At this stage, we are alerting all customers who might have been affected as a precaution.

What security do you have in place to protect this data?
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.