Happy New Year! The final month of the decade was a pretty quiet one as major security news and data breaches go, given that cyber attacks have become the norm over the past decade. The biggest UK media security story was saved for the very end of 2019, with the freshly elected UK government apologising after it accidentally published online the addresses of the 1,097 New Year Honours recipients. Among the addresses posted were those of Sir Elton John, cricketer and BBC 'Sports Personality of the Year' Ben Stokes, former Conservative Party leader Iain Duncan Smith, 'Great British Bake Off' winner Nadiya Hussain, and former Ofcom boss Sharon White. The Cabinet Office said it was "looking into how this happened"; it probably comes down to 'user error' in my view.
An investigation by The Times found hedge funds had been eavesdropping on the Bank of England's press conferences before their official broadcast after its internal systems were compromised. Hedge funds were said to have gained a significant advantage over rivals by purchasing access to an audio feed of Bank of England news conferences. The Bank said it was "wholly unacceptable" and that it was investigating further. The Times claimed those paying for the audio feed, via a third party, would receive details of the Bank's news conferences up to eight seconds before those using the television feed, potentially making them money. It is alleged the supplier charged each client a subscription fee and up to £5,000 per use. The system, which had been misused by the supplier since earlier this year, was installed in case the Bloomberg-managed television feed failed.
A video showing a hacker talking to a young girl in her bedroom via her family's Ring camera was shared on social media. The hacker tells the young girl: "It's Santa. It's your best friend." The Motherboard website reported that hackers were offering software making it easier to break into such devices. Ring owner Amazon said the incident was not related to a security breach, but that the compromise was due to password stuffing (credentials leaked from other services being replayed against Ring accounts), stating "Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services."
Online retailer 'LightInTheBox' is said to have exposed a whopping 1.6 billion shopper records online for a three-month period by not properly securing a cloud-based database. In a separate incident, another unsecured online database was found on the dark web holding the personal details of 267 million Facebook users. And yet another open database, exposing the details of 26,000 Honda customers, was found and reported to Honda by a security researcher.
Ransomware continued to plague multiple industries throughout 2019, and even security companies aren't immune: Spanish security company Prosegur was reported to have been taken down by the Ryuk ransomware.
Finally, a Microsoft Security Intelligence Report concluded what all security professionals know well: implementing Multi-Factor Authentication (MFA) would have thwarted the vast majority of identity attacks. The Microsoft study found that reusing passwords across multiple account-based services is still common: in a sample of nearly 30 million users and their passwords, password reuse and modification were common for 52% of users. The same study also found that 30% of the modified passwords and all of the reused passwords can be cracked within just 10 guesses. This behaviour puts users at risk of becoming victims of a breach replay attack. Once a threat actor gets hold of spilled credentials, or credentials in the wild, they can attempt a breach replay attack, in which the actor tries the same credentials on accounts at different services to see if there is a match.
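The breach replay (password stuffing) pattern behind both the Ring incident and the Microsoft findings above has a recognisable shape in authentication logs: one source tries many distinct accounts with only one or two attempts each, which is the opposite of a legitimate user mistyping their own password. The detector below is an added example, not code from the original post or from Microsoft or Ring; the log format and the IP addresses, usernames and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 replays one leaked credential pair per account (breach replay);
# 198.51.100.9 is a single user mistyping their own password and must not alert.
SAMPLE_LOG = """\
2019-12-30T10:00:01Z 203.0.113.7 alice FAIL
2019-12-30T10:00:02Z 203.0.113.7 bob FAIL
2019-12-30T10:00:03Z 203.0.113.7 carol SUCCESS
2019-12-30T10:00:04Z 203.0.113.7 dave FAIL
2019-12-30T10:00:05Z 203.0.113.7 erin FAIL
2019-12-30T10:00:06Z 203.0.113.7 frank FAIL
2019-12-30T10:01:00Z 198.51.100.9 grace FAIL
2019-12-30T10:01:10Z 198.51.100.9 grace FAIL
2019-12-30T10:01:20Z 198.51.100.9 grace SUCCESS
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def detect_breach_replay(log_text, window=timedelta(minutes=5),
                         min_accounts=5, max_attempts_per_account=2):
    """Return {source_ip: sorted accounts that logged in successfully} for each
    source that, inside `window`, tried at least `min_accounts` distinct
    usernames with no more than `max_attempts_per_account` tries each.
    Many accounts with few tries each is the breach-replay signature."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # window anchored at each event
            tries = defaultdict(int)
            hits = set()
            for ts, user, outcome in events[i:]:
                if ts - start > window:
                    break
                tries[user] += 1
                if outcome == "SUCCESS":
                    hits.add(user)
            if len(tries) >= min_accounts and max(tries.values()) <= max_attempts_per_account:
                alerts.setdefault(ip, set()).update(hits)
    return {ip: sorted(hits) for ip, hits in alerts.items()}
```

Accounts listed under a flagged source are the ones whose reused password matched and should be treated as compromised; MFA on those accounts would have stopped the successful login even though the password was correct.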
BLOG
- Cyber Attacks are the Norm
- Only Focused on Patching? You’re Not Doing Vulnerability Management
- 12 days of Christmas Security Predictions: What lies ahead in 2020
- How the Cyber Grinch Stole Christmas: Managing Retailer Supply Chain Cyber Risk
- Plundervolt! A new Intel Processor 'undervolting' Vulnerability
- MoJ Reports Over 400% Increase in Lost Laptops in Three Years
- Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020
- Cyber Security Roundup for November 2019
- Three Consequences of a Misaddressed Email
- New Year Honours List 1,000 Recipients Addresses Published Online in Error
- UK’s Cyber Security Chief Ciaran Martin to step down from NCSC
- Hijacked Bank of England Audio Feed Sold to Hedge Funds Seconds Ahead of Broadcast
- Santa Hacker Speaks to Girl via Smart Camera
- 1.6 billion LightInTheBox Customer Records left Exposed
- Spanish Security Company Prosegur hit with Ryuk
- Open Dark Web Database Exposes Info on 267 Million Facebook Users
- Open Database Exposes 26,000 Honda Motors Customers
- Iran 'foils second Cyber-Attack in a week'
- Briton extradited over claims he was key member of hacker group 'Dark Overlord'
- Microsoft Patches 35 Vulnerabilities, including 6 Critical for Visual Studio, Win32k and Hyper-V
- Microsoft issues an Advisory for a SharePoint Vulnerability
- Adobe Patches 25 Vulnerabilities, 21 in Acrobat products
- Intel Patches 15 Vulnerabilities affecting Software and Firmware
- WordPress Patches Four Security Vulnerabilities
- Mozilla Patches 11 Vulnerabilities in Firefox 71 and ESR 68.3
- Citrix Vulnerability places 80,000 Companies at Risk
- The Top 20 Vulnerabilities to Patch before 2020
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
- 2020 Cybersecurity Forecasts: 5 Trends and Predictions for the New Year
- Visa Warns against new POS attacks, Fin8 fingered as the Culprit
- Momentum Botnet Spotted in the Wild
- Chinese State 'likely' linked to Cyber Spies Targeting Human Rights Workers
- Biggest Malware Threats of 2019
- China-Based Cyber Espionage Group Targeting Orgs in 10 Countries
- Microsoft Reveals Phishing Tactic Evolution
- Microsoft Security Intelligence Report
- PreciseSecurity.com Research: XSS Nearly 40% of All Attacks