Cyber Security Roundup for June 2018

Dixons Carphone said hackers attempted to compromise 5.9 million payment cards and accessed 1.2 million personal data records. The company, which was heavily criticised for poor security and fined £400,000 by the ICO in January after been hacked in 2015, said in a statement the hackers had attempted to gain access to one of the processing systems of Currys PC World and Dixons Travel stores. The statement confirmed 1.2 million personal records had been accessed by the attackers. No details were disclosed explaining how hackers were able to access such large quantities of personal data, just a typical cover statement of "the investigation is still ongoing".  It is likely this incident occurred before the GDPR law kicked in at the end of May, so the company could be spared the new more significant financial penalties and sanctions the GDPR gives the ICO, but it is certainly worth watching the ICO response to a repeat offender which had already received a record ICO fine this year. The ICO (statement) and the NCSC (statement) both have released statements about this breach.

Ticketmaster reported the data theft of up to 40,000 UK customers, which was caused by security weakness in a customer support app, hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Ticketmaster informed affected customers to reset their passwords and has offered (to impacted customers) a free 12-month identity monitoring service with a leading provider. No details were released on how the hackers exploited the app to steal the data, likely to be a malware-based attack. However, there are questions on whether Ticketmaster disclosed and responded to the data breach quick enough, after digital banking company Monzo, claimed the Ticketmaster website showed up as a CPP (Common Point of Purchase) in an above-average number of recent fraud reports. The company noticed 70% of fraudulent transactions with stolen payment cards had used the Ticketmaster site between December 2017 and April 2018. The UK's National Cyber Security Centre said it was monitoring the situation.

TSB customers were targetted by fraudsters after major issues with their online banking systems was reported. The TSB technical issues were caused by a botched system upgrade rather than hackers. TSB bosses admitted 1,300 UK customers had lost money to cyber crooks during its IT meltdown, all were said to be fully reimbursed by the bank.

• Couple 'lose thousands' to TSB fraudsters
• TSB letter error 'may have broken law'
• TSB left man on hold as his wedding savings were stolen

The Information Commissioner's Office (ICO) issued Yahoo a £250,000 fine after an investigation into the company's 2014 breach, which is a pre-GDPR fine. Hackers were able to exfiltrate 191 server backup files from the internal Yahoo network. These backups held the personal details of 8.2 million Yahoo users, including names, email addresses, telephone numbers, dates of birth, hashed password and other security data. The breach only came to light as the company was being acquired by Verizon.

Facebook woes continue, this time a bug changed the default sharing setting of 14 million Facebook users to "public" between 18th and 22nd May.  Users who may have been affected were said to have been notified on the site’s newsfeed.

Chinese Hackers were reported as stealing secret US Navy missile plans. It was reported that Chinese Ministry of State Security hackers broke into the systems of a contractor working at the US Naval Undersea Warfare Center, lifting a massive 614GB of secret information, which included the plans for a supersonic anti-ship missile launched from a submarine. The hacks occurred in January and February this year according to a report in the Washington Post.

Elon Musk (Telsa CEO) claimed an insider sabotaged code and stole confidential company information.  According to CNBC, in an email to staff, Elon wrote “I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties". Telsa has filed a lawsuit accusing a disgruntled former employee of hacking into the systems and passing confidential data to third parties. In the lawsuit, it said the stolen information included photographs and video of the firm's manufacturing systems, and the business had suffered "significant and continuing damages" as a result of the misconduct.

Elsewhere in the world, FastBooking had 124,000 customer account stolen after hackers took advantage of a web application vulnerability to install malware and exfiltrate data. Atlanta Police Dashcam footage was hit by Ransomware.  And US company HealthEquity had 23,000 customer data stolen after a staff member fell for a phishing email.

IoT Security

The Wi-Fi Alliance announced WPA3, the next generation of wireless security, which is more IoT device friendly, user-friendly, and more secure than WPA2, which recently had a security weakness reported (see Krack vulnerability). BSI announced they are developing a new standard for IoT devices and Apps called ISO 23485. A Swann Home Security camera system sent a private video to the wrong user, this was said to have been caused by a factory error.  For Guidance on IoT Security see my guidance, Combating IoT Cyber Threats.

As always, a busy month for security patching, Microsoft released 50 patches, 11 of which were rated as Critical. Adobe released their monthly fix for Flash Player and a critical patch for a zero-day bug being actively exploited. Cisco released patches to address 34 vulnerabilities, 5 critical, and a critical patch for their Access Control System. Mozilla issued a critical patch for the Firefox web browser.

NEWS

• Dixons Carphone Admits 5.9M Payment Cards and 1.2 M Personal Records Data Breach
• European Authority and the ICO both Fine Yahoo! and Optical Center £250,000
• Ticketmaster Discloses Data Theft of up to 40,000 UK Customers via Third-Party Customer Support App
• Wi-Fi Alliance issues WPA3 Standard to improve Wireless Security
• Chinese Hackers Steal Secret US Navy Missile plans in Contractor Breach
• Tesla Chief Elon Musk says an Insider Maliciously Changed Code and Exfiltrated Data
• HealthEquity Exposes PII of 23,000 Customers after Employee fell for Phishing Scam
• Privacy by Design  Standard being developed for IOT devices and apps
• TSB admits 1,300 accounts hit by Fraud amid IT Meltdown
• Facebook privacy bug 'affects 14 Million Users’
• Swann Home Security sends Video to Wrong User
• Hackers exploit FastBooking flaw to steal Customer Data from Hundreds of Hotels
• Ransomware hits Atlanta Police Dashcam Footage
• 27 Million Account Data Breach and Website Defacement Rock Ticketfly
• Australian Bank Mistakenly Sent Data on 10K Customers to Wrong Domain
• Watchdog org accuses HMRC of collecting 5.1 million audio signatures without consent
• Microsoft Patches 50 Vulnerabilities for Windows IE\Edge, Office, Chakra & Flash
• Adobe Releases Critical Fixes for Flash Player
• Adobe issues a critical patch after Flash zero-day bug actively exploited in Middle East
• Cisco Patches 34 vulnerabilities, 5 Critical
• Cisco patches Critical Secure Access Control System (ACS) Remote Code Execution Flaw
• Mozilla issues Critical patches for Firefox ESR 52.9, Firefox ESR 60.1, and Firefox 61

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• VPNFilter Malware Affects more Devices and Exploits Endpoints
• Sofacy rolls out Zebrocy Toolkit to hit Government Targets
• Olympic Destroyer Threat Group Switches Target Sectors
• TG-3390 deemed responsible for Watering Hole Attacks
• Scammers Abuse Multilingual Domain Names
• 539% uptick in Attacks Targeting Consumer-grade Routers Since, Report

REPORTS

• 539% uptick in Attacks Targeting Consumer-grade Routers Since, Report