Thursday, 2 July 2020

Cyber Security Roundup for July 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2020.

Australian Prime Minister Scott Morrison announced a sophisticated nation-state actor is causing increasing havoc by attacking the country’s government, corporate institutions, and his country's critical infrastructure operators. He said, “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't actually name the specific country responsible in his statement, Reuters said its sources confirmed China was the culprit.  Political t
ensions have ramped up between Australia and China in recent months after Australia called for an investigation into China’s handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.

Why am I leading a UK cybersecurity blog with an Australian cyberattacks story? Well, it is because the UK might well be next in the cross-hairs of China's sophisticated cyber army, after the UK Governance stance on using Huawei in 5G infrastructure significantly soured last month. And also due to the increasing political pressure applied by the UK government on the Chinese government following their introduction of a controversial new security law in Hong Kong.

Increased UK Huawei Tensions in June 2020
While the Australian PM righty suggested their nation-state threat actor was sophisticated, the cyberattacks they described aren't so sophisticated. Their attackers engaged in spear-phishing campaigns designed to trick email recipients into clicking a link leading to a malicious files or credential harvesting page, opening malicious attachments or granting Office 365 OAuth tokens to the actors.  This is the same MO of cyber attacks orchestrated by the cybercriminals fraternity on a daily basis. The Australian government statement advises organisations to patch their internet-facing devices, including web and email servers and to use multifactor authentication. All good advise, in fact, all essential good practice for all organisations to adopt no matter their threat actor landscape.

Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the much-dated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, so written well before the internet took root in our digital society, so is not really suitable for prosecuting for modern cybercriminals, they tend to be prosecuted under financial crime and fraud laws. The coalition is calling for a change in the law includes the NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue section 1 of the Act prohibits the unauthorised access to any programme or data held in any computer and has not kept pace with advances in technology. In their letter to PM they said "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims and criminals systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."

Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a “milestone” and “a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so one thing the UK government is definitely getting right in the cybersecurity space at the moment.

Zoom announced it will extend 'optional' end-to-end encryption (E2EE) to free users. It is not certain when exactly Zoom's free E2EE will commence or whether it will be defaulted as on, given the Zoom CEO said, “We plan to begin early beta of the E2EE feature in July 2020.” Still good to see the much security criticised Zoom is continuing to bolstering its security, and also by appointing a seasoned Chief Information Security Officer from Salesforce.

Some men just want to watch the world burn...
With the recent uptick in ransomware, phishing, unsecured cloud buckets and massive data breaches dominating the media headlines over the past couple of years, you could be forgiven for forgetting about the threat posed by Distributed-Denial-of-Service (DDoS) attacks. So then, a timely reminder that some threat actors have vast botnets as their disposal for orchestrating huge DDoS attacks after Amazon reported thwarting the biggest ever DDoS attack, and a European bank suffered the biggest ever PPS DDoS attack. The motives of these colossal DDoS attacks are unclear, I guess some men just want to watch the world burn.
Quote from Batman butler Alfred (Michael Caine), The Dark Knight
BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Thursday, 25 June 2020

Back to Basics: Simple Moves to Keep You Secure at Home

Guest Post by Susan Doktor

Staying at home, something we’ve all been doing a lot more of, can be relaxing. But as our attention has been focused elsewhere, particularly on our health and the economic crisis brought on by the global pandemic, some of us may have also relaxed our safety standards. We are witnessing a serious spike in cybercrime since the coronavirus took the world hostage. Even those institutions that are working diligently to vanquish the virus have not been immune to attack. And that means we have to be more diligent about our privacy and cyber safety.

As mentioned in a recent post, the technology we’re relying on to stay connected while adhering to social distancing guidelines may be contributing to our vulnerability. But whether you’re chatting on a video conferencing app or charging airline tickets to your travel credit card, there are built-in security weaknesses inherent to our online lives. I’m talking about passwords. They’re necessary, of course. And they’re ubiquitous. A 2017 study estimated that the average business user has nearly 200 of them. That’s why it’s a good idea to refresh our understanding of safe password hygiene.

A few simple rules to follow:
  • Choose passwords that are difficult to guess and have nothing to do with your personal information. Don’t use your birthday or house number or any information that’s easy to gather to make up your passwords.
  • Never share your passwords. Beyond matters of basic trust, you don’t know how the person you shared them is protecting them. Does your shared password reside on a mobile phone or a slip of paper kept in a wallet? Both of those things can be lost or stolen.
  • Don’t re-use passwords. If one of your accounts is hacked, that leaves more them vulnerable.
  • Change your passwords often. If you don’t, that computer that was stolen six months ago can come back to haunt you. And you’re more at risk from security breaches that online retailers, credit card companies, and even hospitals are experiencing with greater frequency. That risk multiplies any time one of the companies you do business with sells your personal information to one of its marketing partners. So make it a habit to check the privacy policy on any site where you enter your personal data
  • Enable two-factor authentication whenever you have the option to do so on a website or device. It takes a moment more to complete a log-in but it can save you years of headaches if your identity is stolen.
If all that sounds like too much work, I have another tip for you. And it’s a real time-saver. Get yourself a password manager. The best password managers perform all of those tasks for you automatically. You need only create and remember a single master password to gain a tremendous amount of protection when you install a password manager app on your various devices. There are some excellent free open-source password manager apps out there and quite a few paid ones that offer advanced features like secure file sharing and automatic synching of all of your devices.

Another layer of safety you might want to consider is a Virtual Private Network (VPN). VPNs allow you to surf the web anonymously and encrypt any data you send across it. That means you can use public wi-fi networks, like the one at your favourite Costa, more securely. They can boost your download speed, increase your bandwidth, and let you take advantage of peer-to-peer sharing of films and other entertainment media.

Protecting your personal data through the use of password managers and a secure VPN are great first steps towards increased cybersecurity. But there's no such thing as absolute safety online. Identity thieves have long memories--which means they may have access to your old passwords. And thanks to all the data breaches that have occurred over the last decade, they also have your name, address, phone, email, date of birth, and other personal information. So they spoof your phone number, call your bank, and pretend to be you. They give all the correct identity information and then say that they've lost the device that had their current account password on it—but they remember their old password. And they persuade the customer service rep to change your password again. Now you are effectively locked out of your own account while the thieves vacuum out your money.

Does this mean that password managers, VPNs, and the like are a waste of time? Hardly. The above scenario requires a lot of work on the criminals' part. They'll be much more likely to go after a bank account that's secured with the same password you used back when you were on GeoCities and MySpace. Beefing up your cybersecurity practices now will tilt the odds of staying safe back in your favour.

Author Bio:Susan Doktor is a journalist and business strategist who hails from New York City. She writes, guest- and ghost-blogs on a wide range of topics including finance, technology, and government affairs.

Monday, 1 June 2020

Cyber Security Roundup for June 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020, impacting 9 million of their customers was the biggest cybersecurity story of May 2020 in the UK. Although no details about this 'cyber-attack' were disclosed, other than 2,208 customers had their credit card details accessed.  


Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability.  City A.M. described Dido's responses as "naive", noting when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK governments Track, Test and Trace application, which no doubt will ring privacy alarms bells with some. 

Back to the EasyJet breach, all we know is the ICO and the NCSC are supporting UK budget airline, EasyJet said "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays." 

It will be interesting to see the DPA enforcement line Information Commission's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry.  Some security commentators have called ICO a "Toothless Tiger" in regards to their supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can undertake a class-action lawsuit. So then, it can be no real surprise to law firm PGMBM announce it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion!. If successful, each customer impacted by the breach could receive a payout of £2,000.

The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before COVID-19 pandemic.  The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
  • 86% of data breaches for financial gain - up from 71% in 2019 
  • 43% web application (cloud-based) - these attacks have doubled, reflecting the growth in the use of cloud-based services.
  • 67% of data breaches resulted from credential theft, human error or social attacks. 
  • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime 
  • On-going patching successful - fewer than 1 in 20 breaches exploit vulnerabilities
The vast majority of breaches continue to be caused by external actors.
  • 70% with organised crime accounting for 55% of these. 
  • Credential theft and social attacks such as phishing and business email compromises cause the majority of breaches (over 67%), specifically:
    • 37% of credential theft breaches used stolen or weak credentials,
    • 25% involved phishing
    • Human error accounted for 22%
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware had a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR with 18% of organisations reported blocking at least one piece of ransomware last year.

REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from a law firm 'Grubman Shire Meiselas & Sacks'. With 756 gigabytes of personal data, emails, and contract details were taken, including Lady Gaga, Madonna, Elton John, Barbara Streisand, Bruce Springsteen and Mariah Carey to name a few. 

Pitney Bowes was hit with ransomware for the second time in 7 monthsPitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential if Pitney Bowes does not pay up.

Amazon's UK website was defaced with racist abuse,  which appeared on multiple listings on its UK website. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter, Amazon said: "We investigated, removed the images in question and took action against the bad actor".

LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

    Tuesday, 19 May 2020

    Passwords are and have always been an Achilles Heel in CyberSecurity

    LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

    Quotes
    “I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

    "There is no silver bullet with password security, but MFA comes close, it significantly reduces the risk of account compromise"

    "The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

    "Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

    "As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

    "The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."

    "Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts breakdown the steady stream of data into actionable intelligence, reducing workload and false-positive errors"

    "When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"

    Friday, 1 May 2020

    Cyber Security Roundup for May 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

    As well reported, UK foreign exchange firm Travelex business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that
     REvil group were behind the attack and had stolen 5Gbs of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands in my opinion.

    Cognizant, a US large digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware.  Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack, not only encrypts victim's files but steals sensitive data from the IT systems as well. Enabling the bad guys to threaten the publishing of the stolen data if the organisation cough up to their cyber-extortion demands, so the bad guys are very much rinsing and repeating lucrative attacks.

    Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads  The blog covers ransomware payloads said to be straining security operations especially in health care, Microsoft warned, urging security teams to look for signs of credential theft and lateral movement activities that herald attacks.

    Researchers continue to be busy in exposing large sensitive datasets within misconfigured cloud services.  In April researchers reported 14 million Ring user details exposed in misconfigured AWS open database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

    Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant Nintendo said from April, its user's accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion had occurred, saying it “seems to have been made by impersonating login to “Nintendo Network ID. “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response to these issues the company has abolished user’s ability to log into their Nintendo account via NNID and passwords for both NNID and Nintendo accounts are being reset and the company is recommending multi-factor authentication be set up for each account.  The account breaches weren't the only cyber issue affecting Nintendo in April, it reported that a bot, dubbed 'Bird Bot' was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot using reseller benefits at the expense of consumers, in buying up all available Switches directly from Nintendo, they are able to sell them on for higher prices, so making a quick and easy tidy profit, due to the current high demand of Switches and lack of supply.

    April was a busy month for security updates, Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday for a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in illustrator and Bridge at the end of the month.  Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!  

    Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,Sophos said.

    There were security critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches for including a CVSS scored 10 (highest possible) in vCenter, a critical in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patch their vulnerabilities.

    Stay safe, safe home and watch for the scams.

    BLOG
    NEWS

    AWARENESS, EDUCATION AND THREAT INTELLIGENCE

      Thursday, 23 April 2020

      Security Threats Facing Modern Mobile Apps

      We use mobile apps every day from a number of different developers, but do we ever stop to think about how much thought and effort went into the security of these apps?

      It is believed that 1 out of every 36 mobile devices has been compromised by a mobile app security breach. And with more than 5 billion mobile devices globally, you do the math.

      The news that a consumer-facing application or business has experienced a security breach is a story that breaks far too often. As of late, video conferencing apps like Zoom and Houseparty have been the centre of attention in the news cycle.

      As apps continue to integrate into the everyday life of our users, we cannot wait for a breach to start considering the efficacy of our security measures. When users shop online, update their fitness training log, review a financial statement, or connect with a colleague over video, we are wielding their personal data and must do so responsibly.

      Let’s cover some of the ways hackers access sensitive information and tips to prevent these hacks from happening to you.

      The Authentication Problem

      Authentication is the ability to reliably determine that the person trying to access a given account is the actual person who owns that account. One factor authentication would be accepting a username and password to authenticate a user, but as we know, people use the same insecure passwords and then reuse them for all their accounts.

      If a hacker accesses a user’s username and password, even if through no fault of yours, they are able to access that user’s account information.

      Although two-factor authentication (2FA) can feel superfluous at times, it is a simple way to protect user accounts from hackers.


      2FA uses a secondary means of authenticating the user, such as sending a confirmation code to a mobile device or email address. This adds another layer of protection by making it more difficult for hackers to fake authentication. 

      Consider using services that handle authentication securely and having users sign in with them. Google and Facebook, for example, are used by billions of people and they have had to solve authentication problems on a large scale.
      Reverse Engineering

      Reverse engineering is when hackers develop a clone of an app to get innocent people to download malware. How is this accomplished? All the hacker has to do is gain access to the source code. And if your team is not cautious with permissions and version control systems, a hacker can walk right in unannounced and gain access to the source code along with private environment variables.

      One way to safeguard against this is to obfuscate code. Obfuscation and minification make the code less readable to hackers. That way, they’re unable to conduct reverse engineering on an app. You should also make sure your code is in a private repository, secret keys and variables are encrypted, and your team is aware of best practices.

      If you’re interested in learning more ways hackers can breach mobile app security, check out the infographic below from CleverTap.



      Authored by Drew Page Drew is a content marketing lead from San Diego, where he helps create epic content for companies like CleverTap. He loves learning, writing and playing music. When not surfing the web, you can find him actually surfing, in the kitchen or in a book.

      Wednesday, 15 April 2020

      How to Keep Your Video Conferencing Meetings Secure

      Guest Post by By Tom Kellermann (Head Cybersecurity Strategist, VMware Carbon Black)

      The sudden and dramatic shift to a mobile workforce has thrust video conferencing into the global spotlight and evolved video conferencing vendors from enterprise communication tools to critical infrastructure.

      During any major (and rapid) technology adoption, cyberattackers habitually follow the masses in hopes of launching an attack that could lead to a pay day or give them a competitive advantage. This has not been lost on global organisations’ security and IT teams, who are quickly working to make sure their employees’ privacy and data remains secure.

      Here are some high-level tips to help keep video conferencing secure.

      Update the Application
      Video conferencing providers are regularly deploying software updates to ensure that security holes are mitigated.  Take advantage of their diligence and update the app prior to using it every time.

      Lock meetings down and set a strong password
      Make sure that only invited attendees can join a meeting. Using full sentences with special characters included, rather than just words or numbers, can be helpful. Make sure you are not sharing the password widely, especially in public places and never on social media. Waiting room features are critical for privacy as the meeting host can serve as a final triage to make sure only invited participants are attending. Within the meeting, the host can restrict sharing privileges, leading to smoother meetings and ensuring that uninvited guests are not nefariously sharing materials. 

      Discussing sensitive information
      If sensitive material must be discussed, ensure that the meeting name does not suggest it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers.  Using code words to depict business topics is recommended during the cyber crime wave we are experiencing.

      Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself
      Using an employee sharing site that only employees have access to (and has multi-factor authentication in place) is a great way to make sure sensitive files touch the right eyes only.  This should be mandated as this is a huge Achilles heel.

      Use a VPN to protect network traffic while using the platform 
      With so many employees working remotely, using a virtual private network (VPN) can help better secure internet connections and keep private information private via encryption. Public WiFi can be a gamble as it only takes one malicious actor to cause damage.  Do not use public WiFi, especially in airports or train stations.  Cyber criminals lurk in those locations.

      If you can, utilise two networks on your home WiFi router, one for business and the other for personal use.
      Make sure that your work computer is only connected to a unique network in your home. All other personal devices – including your family’s – should not be using the same network. The networks and routers in your home should be updated regularly and, again, should use a complex password. Additionally, you should be the only system administrator on your network and all devices that connect to it.

      All of us have a role to play in mitigating the cyber crime wave.  Please remember these best practices the next time you connect. Stay safe online

      Also related - How Safe are Video Messaging Apps such as Zoom?

      Friday, 3 April 2020

      YesWeHack Cybersecurity Training Temporarily Free for Schools and Universities

      YesWeHack, a European bug bounty platform, is providing universities and schools with free access to its educational platform YesWeHackEDU. This offer aims to allow educational institutions to hold a practice-oriented cybersecurity training. As of 1st April 2020, all universities and schools can benefit from free licenses of YesWeHackEDU, which are valid until 31st May 2020.

      Preparation for IT Security Professions
      YesWeHackEDU is aimed at educational institutions that, in the current situation, want to integrate IT topics and cybersecurity into their curricula via distance learning. The educational platform is a simulation of the real bug bounty platform of YesWeHack. The attack scenarios, which are available as practice projects, are simulations of real-world situations. Universities and schools also can kickstart a real bug bounty program on YesWeHackEDU to have their IT infrastructure security-proofed by their students.

      YesWeHackEDU teaches the identification and elimination of vulnerabilities and allows both students and instructors to develop technical and managerial skills required to run successful bug bounty programmes. At the same time, it opens up prospects for sought-after professional specialisations such as DevSecOps, Data Science or Security Analysis. Furthermore, YesWeHack EDU facilitates the implementation of cooperations and cross-functional projects between academic institutions and the business community.

      Young Cybersecurity Specialists more Needed than Ever
      "The current COVID19 pandemic has driven students and teachers out of the classroom. For cybercriminals, however, the pandemic wave is by no means a reason to pause. They are even more active, taking advantage of the insecurity of many consumers" explains Guillaume Vassault-Houliere, CEO and co-founder of YesWeHack. "The training of future cybersecurity talents cannot, therefore, be delayed. We need to support educational institutions in their mission right now. YesWeHackEDU provides a world-class educational resource for educators and students to develop cybersecurity skills in times of pandemic.'

      Free licenses for YesWeHackEDU are distributed worldwide with the support of YesWeHack education partner IT-GNOSIS and can be applied for here.

      Wednesday, 1 April 2020

      Cyber Security Roundup for April 2020

      A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2020.

      The UK went into lockdown in March due to the coronavirus pandemic, these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation, both UK citizens and 
      businesses have been hit with a wave of COVID-19 themed phishing emails, and scam social media and text messages (smishing). Which prompted warnings by the UK National Cyber Security Centre and UK Banks, and a crackdown by the UK Government.
      Convincing COVID-19 Scam Text Message (Smishing)

      I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not as it appears. My guess is the link is not part of the gov.uk domain, but the attacker has used an international domain name homograph attack, namely using foreign font characters to disguise the true address of a malicious website that is linked.

      I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps, a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams.  It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

      March threat intelligence reports shone a light to the scale of the cybercriminal shift towards exploiting COVID-19 crisis for financial gains. Check Point Global Threat Index reported a spike in the registration of coronavirus themed domains names, stating more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports for more 80% of the threat landscape is using coronavirus themes in some way.  There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anit-virus solution

      Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media were found to have left a database open, which held thousands of customer records exposed, and T-Mobile's email vendor was hacked, resulting in the breach of their customers and employees personal data.  

      International hotel chain Marriot reported 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriots online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 Marriott disclosed a breach of 383 million guestsTony Pepper, CEO at Egress said “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO”

      Five billion records were found to be exposed by UK security company Elasticsearch.  Researchers also found an Amazon Web Services open MongoDB database of eight million European Union citizen retail sales records was left exposed, which included personal and financial information.  And Let’s Encrypt revoked over 3 million TLS certificates due to a bug which certification rechecking

      March was another busy month for security updates, patch Tuesday saw Microsoft release fixes for 116 vulnerabilities and there was an out-of-band Microsoft fix for 'EternallDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle based software giants.  Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

      Stay safe, safe home and watch for the scams.

      BLOG
      NEWS
        VULNERABILITIES AND SECURITY UPDATES
          AWARENESS, EDUCATION AND THREAT INTELLIGENCE