Cyber Security Roundup for December 2016

Yahoo announced the largest ever data breach in history, with over 1 billion Yahoo user accounts compromised by a past cyber attack, which I covered in Yahoo's Mind-blowing One Billion Data Theft Hack. This truly humongous data hack is distinct from the 2014 breach of 500 million accounts reported by Yahoo in September. Elsewhere KFC, Topps, The Daily Motion and LinkedIn’s Lynda.com also reported large customer data breaches of millions of records during December. 

We need to be mindful of never to "get use to" and accepting these massive numbers of hacked online accounts, by businesses we entrust with our personal information, especially where these businesses have been found 'wanting' on the cyber security defences by under investing. The old spin doctor excuses of indefensible super hacks orchestrated by sophisticated nation-state backed dark forces tends not to stand up once the facts are uncovered. There is nothing sophisticated about teenage kids using freely downloadable software to take advantage of decade old and basic security vulnerabilities.

The media and security experts continues to pour scorn on TalkTalk’s cyber security, following the firm’s poor handling and customer advice after a cyber attack of unpatched TalkTalk customer broadband routers.

ThyssenKrupp, a large German steel maker firm, disclosed it was a victim of cyber intellectual property (IP) theft. Businesses rarely admit to IP data theft given such admissions can serious harm the business's reputation and share price. Given the high media and public attention in protecting personal data from cyber attacks, following a year of high profile large customer record losses due to cyber attacks, it can be easy for businesses to take their eye off protecting their IP, and to become complacent with IP protection and security.

I was quoted in the Focus Training's Blog. An 'Ask the Experts' piece on 'How to Protect your business from Cyber Crime', my advice was as follows.

There was a Christmas bumper of patch releases in December, with Microsoft, VMWare, Joomla, PHP and Android all releasing patches for critical vulnerabilities.

News

• Yahoo Hack: 1 Billion User AccountsCompromised by biggest Data Breach in History
• KFC's Colonel Club Hacked, 1.2 Millionadvised to Change Passwords
• DailyMotion breached, 85 Million AccountsStolen
• TalkTalk and Post Officerouters taken offline by Cyber Attack
• TalkTalk's Wifi Hack advice is'astonishing' Customers urged to get Routers Swapped
• German Steel firm's IP stolen in Massive CyberAttack
• European Banking Breach guidelines moreStrict than EU GDPR
• Ashley Madison forced to pay £1.3m forDeceptive Security Practices
• LinkedIn’s Lynda.com breached, 55,000 userpassword reset, 9.5 Million Users Warned
• Insurers handling 'Hundreds' of Breach Claims
• Domino'sPizza advises Customers to change their Passwords
• Star Wars card firm Topps hitby 'unforgiveable' Hack
• Ask The Experts: How to Protect Your Business From Cyber Crime
• Microsoft release 6 Critical Patches for Windows, Edge, IE, Office & Adobe Flash Player
• Skype Backdoor missed by Microsoft Development Team
• Android Dirty Cow flaw is Finally Patched (CVE-2016-5195)
• Joomla flaw allows Attacker to Change passwords and Seize Websites
• 3 Critical PHP 7 Flaws Detected and Patched
• VMware fixes stored XSS vulnerability in ESXi Hypervisor

Awareness, Education and Intelligence

• Over 400,000 Phishing websites have been detected Each Month in 2016
• Hailstorm Methods used to spread Malware in Phishing Attacks

Reports

• Critical Infrastructure Technology Report:Mirai 'is just the Tip of the Iceberg'
• UK Identity Fraud on the Rise

How to Protect your Business from Cyber Crime

Today I was quoted in the Focus Training's Blog. An 'Ask the Experts' piece on 'How to Protect your business from Cyber Crime', my advice was as follows.

• Educate all business staff about dangers and latest attack methods, particularly ensuring they aware of targeted scam emails (spear phishing). Cyber criminals are increasingly targeting individual business staff members, typically those with finance responsibilities, by crafting highly convincing emails using information about the business, its staff and its suppliers. These scam emails once responded to, will typically try to convince (social engineer) individual staff members to arrange a bank transfer or payment to a bogus account operated by the cyber criminals
• Keep all Servers, PCs, Laptops, Tablets and Smart Phones operating systems and applications updated (security patching). Out of date software is vulnerable and commonly exploited by malware and hackers.
• Business staff should use unique passwords with each third party/online service used by the business. Ensuring passwords are complex and changed every 90 days. Where possible use mutli-factor authentication (I.e. password + hardware token or text message confirmation). Cyber criminals know many people use the same email and password combination across multiple websites, so when they obtain one credentials combination, usually via a third party website hack, the database of which are often dumped onto the darkweb, cyber criminals try the same stolen email and password combinations to attempt to access further online services, with the intent of stealing personal data and money.

Useful thoughts and advice from others in the post as well.

UK Identity Fraud on the Rise

UK identity fraud is on the rise according to the latest research by Equifax. The data shows UK ID crime is going up within all age groups, with those living in the London and Manchester areas increasingly the most likely to become victims of ID fraud. Equifax has asked me to share the following infographic on their research, which includes good advice to stay protected.

Are you losing your identity? We look at the growth of identity fraud and what can be done about it

Yahoo's Mind-blowing One Billion Data Theft Hack

Just over three months ago I posted about Yahoo, The Largest Data Breach in History...so far. It was apt I added "so far" in the post title as in the early hours today, Yahoo announced an even more mind-blowing data theft hack of over One Billion Yahoo user accounts.

If you are a concerned Yahoo email account holder

1. Reset your Yahoo account password, make sure your old Yahoo passwords are not used on any other of your online accounts

2. Change your Security Questions and Answers on all accounts with same Q&A as Yahoo, you might have to make up false answers only you know to ensure safety

3. Be extra vigilant, especially with signs of any access to your email account, and receiving scam phishing emails

4. See My advice to Stay Safe from Cyber Crime

Mark Crowther, Associate Director at Cyber Security Specialists Cyberis (www.cyberis.co.uk),  has some interesting thoughts on the latest breach at Yahoo, raising serious questions about the company's historical and ongoing security programme. The following are his views.

The latest reports say that Yahoo lost data for more than one billion users back in August 2013 and that the data is suspected to contain names, email addresses, hashed passwords, security questions and associated answers. In addition, Yahoo has stated that the attackers have accessed Yahoo proprietary code used to generate cookies for user access without credentials.

This breach raises a number of questions, including: Why did it take so long to identify and notify authorities about it? What are the implications for Yahoo users? What might this mean for Yahoo going forward?

Yahoo appears to have been informed by law enforcement that the breach may have occurred, indicating that its internal detective controls have been, and may continue to be, inadequate. This is reinforced by a statement from Bob Lord (Yahoo's CISO) who stated "we have not been able to identify the intrusion associated with this theft." (https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users).

Although Yahoo claims that this notification is distinct from the 2014 breach (reported in September 2016), it raises questions as to why this more significant breach was not identified during earlier investigations. Forensic investigations may have been either too focussed on the 2014 breach, or incomplete, preventing identification of this earlier and more significant breach. To add balance to this argument, it should be stated that it is not clear at this time if the breached systems were related, however following the 2014 breach, Yahoo should certainly have considered further investigations to identify if any wider breaches had occurred.

So what are the implications for Yahoo users? Considering that this breach constitutes approximately one-third of Yahoo’s user base, it would be a fair assumption for all Yahoo users that their accounts have been compromised. The data set reported to be compromised includes both username and passwords, and whilst the passwords are reportedly hashed, the weak algorithm in use leaves them wide open to abuse (see our earlier blog post on password hashing - https://www.cyberis.co.uk/2012/06/adding-pinch-of-salt.html)

Cyberis advises Yahoo users, and users of related services such as Flickr and Tumblr, to change their passwords with immediate effect. If you have used your Yahoo password with any other service, you should also change these passwords. If you have registered for a website using a Yahoo email account, you should also consider resetting your password for these services, especially if you haven't used them for some time. Password reset services often use email addresses to manage a password change or forgotten password function. Anyone with access to the breached data could have potentially used this information to access any site associated with your Yahoo email account.

Given that Yahoo has announced that proprietary data was accessed, the breach is currently assumed to extend to Yahoo internal systems. This could suggest a highly skilled and motivated adversary, potentially even a state-sponsored hacking group. Access to millions of email accounts would be a clear motivation to many different threat actors of course, including foreign intelligence services and governments. We fully expect that further information about the extent of the breach will be released in the near future, but in the meantime, it’s certainly not looking good for Yahoo.

Cyber Security Roundup for November 2016

Several major UK household brands made the headlines for wrong reasons following cyber attacks in October. Tesco Bank refunded £2.5 million to over 20,000 of its customers after Tesco Bank account credentials were hacked and account funds were stolen. Mobile giant ‘Three’ said 6 million of its customer’s personal data records could be at risk after hundreds of new mobile phones were stolen following the hack of a Three employee account. The National Lottery disclosed 26,500 of its online customer accounts had been accessed by hackers, leading to three arrests. Elsewhere a 17 year old pleaded guilty to taking part in the recent TalkTalk hack.

The next evolution of ransomware has arrived with a new variant called Ransoc, and it's pretty nasty. The malware scans internet history, social media accounts, Skype and photos, and then uses any found illegal, embarrassing and sensitive information to threaten the victim’s reputation should a payment not be sent. 

It turns out locked computer desktops aren’t as safe as you might think after a security researcher Samy Kamar released details of new attacking method called PoisonTap. Samy is famous for hacking MySpace with a worm way back in the day, I had the pleasure of meeting him a few years ago - An Evening with Samy, creator of the Samy MySpace Worm. In simple terms PoisonTap works by plugging a £4 Raspberry Pi Zero computer configured with hacking tools into a USB port, forcing the USB port to act as a network port, the tool is able to eavesdrop non-encrypted network traffic and steal web sessions from web browser sessions running in the background on PCs and Apple Macs, despite the desktop being locked with password protection. Samy released the source code for PoisonTap on Github, and I intend to create a PoisonTap tool for myself in the next few days.

News

• Tesco Bank Hack: £2.5m refunded to 20,000 Customers
• Dark web hackers boast of Tesco Bank thefts
• Boasts preceded hack of Tesco Bank, report
• Tesco would face fines of up to £1.9bn under GDPR for breach
• Three Data Breach Cyber Hack: Six Million Customers Data at Risk
• The National Crime Agency is investigating the breach
• National Lottery Hack: 26,500 Players' Online Accounts Accessed
• Financial Conduct Authority rapped for Lack of Cyber Experts on Board
• Lincolnshire NHS Trust Operations cancelled after Cyber Attack
• Capgemini Leaks 780,000 Michael Page Job Candidate CVs
• UK iPhone users hit by large scale Smishing Campaign
• 17-year-old pleads guilty to offences linked to TalkTalk Hack
• European Commission gets DDoSed
• Hackers hit San Francisco transport Systems
• Bruce Schneier: ‘The internet era of fun and games is over'
• Microsoft release 6 Critical Patches for Windows, Edge, IE, Video Control & Flash

Awareness, Education and Intelligence

• NIST Releases CyberSecurity Guide for Small Businesses
• New Ransomware Variant Extorts your Reputation rather than Money
• PoisonTap: £4 Tool which can hack locked PCs via a USB Port
• YouTubers sell Phishing Kits in Plain View
• Cerber Ransomware: Now with Database Encryption
• Facebook spam caught delivering Locky Ransomware

Reports

• Norton Cyber Security Insights Report: 75% Click Links or Open Malicious Attachments

"Hacked Again" by Scott N Schober - Book Review

I have just finished reading the book "Hacked Again" by US CyberSecurity Expert Scott Schober. Along with covering and explaining several recent major hacks, the book provides excellent advice and tips for staying safe from cyber crime. 

What I found particularly interesting was Scott's own account on how he was hacked. As CEO of his own successful Wireless Security company and a popular Cyber Security TV pundit, I imagine Scott's natural instinct would be to not disclose his "been hacked" experience with the world. Scott disregards any potential embarrassment to himself and chooses to explain what exactly happened to him and why, passing on valuable lessons learnt to help others, a brave and noble undertaking I applaud.

What "Hacked Again" is, is a potent reminder that no one is ever safe from the clutches of persistent cyber criminals. But this doesn't mean we should give up trying to be secure, on the contrary, as following the practical advice given in the book significantly reduces your chances of becoming a victim of cybercrime.

Hacked Again is available from Amazon as a Hardback, Paperback, Kindle or an Audiobook.

Stay Safe from Cyber Crime - Top Ten Tips InfoGraphic

Given I am regularly asked to explain cyber attacks and then advise on how to protect against them, particularly to home users of late, I thought I would try my hand at creating a simple InfoGraphic to help. It was a challenge to create due to the limitation to the amount of space for text, which means you can't cover everything and you can't go into much detail. However concise messaging is kind of the point of infographics, especially when using them as awareness tools. 

This InfoGraphic is squarely aimed at the average "home user", it highlights what the bad guys are after, their most popular and most successful attack methods, and then provides 10 tips to help avoid and detect home user cyber attacks, simples.

If this InfoGraphic proves popular I'll create some more, starting with one covering home IoT Security advice, another subject I'm regularly asked about at the moment.

Download full version here

Why a Cyber Attack can cost a Law Firm an Arm and a Leg

Law firms collect, process and store vast amounts of extremely sensitive data about their clients, this when combined with a poor 'people security' culture and a general lack of digital security know-how, is a recipe that leaves legal companies highly vulnerable to cyber attacks. Given the typical large scope and sensitivity of data held by law firms, cyber attacks in the legal industry can be particularly costly affairs to recover from. Often you will read about regulators imposing considerable data breach fines on companies that have been the subject of a cyber attack. Yet the hidden cost of a data breach recovery in using crisis management services, disruption of critical business operations, contractual penalties, bringing in forensic investigators, and engaging a legal counsel, ironic I know, and the loss of client trust often exceeds the financial penalty figures plastered across the headlines.

Emphasising the legal profession's vulnerability to cyber attacks, Logikcull, a provider of automated data discovery and management to the legal sector, have compiled an InfoGraphic of data breach statistics to highlight the issue, and tips to help safeguard data and prevent cyber attacks from being successful.


Via logikcull

Cyber Security Roundup for October 2016

Cyber security experts have long predicted that thousands of vulnerable Internet of Things (IoT) devices such as internet-connected CCTV systems would be hacked on mass and directed to perform huge DDoS attacks. That’s exactly what happened on 21^st October when 152,000 IoT devices infected with malware were remote controlled by hackers and then used to orchestrate a 1Tb DDoS attack, the largest in history. A tsunami of network traffic was directed at a company called Dyn, a major domain name registrar, and it impacted their client’s web services, including Twitter, Yammer, PayPal, Starbucks, The Guardian, PlayStation, Wix, CNN, Spotify, Github, Weebly and Reddit.

Those IoT developers may want to read up on my IoT guidance on the IBM developersWorks website - Combating IoT cyber threats Top security best practices for IoT applications

The UK National Cyber Security Centre HQ went operational, which is part of the UK government's 5 year £1.9 billion cyber defence strategy,  a much-needed investment to help safeguard the UK's digital economy from cyber attacks during these uncertain economic times for the country.

Ransomware continues to cause problems, especially within NHS, but on the flipside the https://www.nomoreransom.org/ website continues to be supported, with site providing excellent advice to both home users and businesses.  I have even added a separate Ransomware Help section on my own website - https://itsecurityexpert.co.uk/en/securityhelp/ransomware-help

A couple of surveys show UK businesses are still struggling to understand what they need to do in order to comply with new strict General Data Protection Regulation (GDPR), which comes into force in May 2018 despite brexit. I plan to do a blog post providing business help the GDPR in the coming weeks.

News

• World Biggest DDoS attack blows away Dyn, impacting Twitter, Yammer, and others
• UK National Cyber Security Centre HQ Operational
• NHS Attacked by Ransomware 'Dozens' of Times
• 'Hackable' Apple watches banned from UK Government Cabinet meetings
• Hackers steal 43 million credentials from Weebly
• In wake of Massive Data Breach, Verizon reassessing price for Yahoo Acquisition
• Student discovers security flaw in Virgin Media Recruitment System
• MasterCard plans to authenticate transactions using Selfies
• European Ransomware initiative gains 13 new Member Countries
• Over £1 Billion Lost by UK businesses to Online Crime in the Last Year
• UK Banks not Reporting Cyber-Attacks
• Hackers hiding Stolen Credit Card Details in Images
• Forged Rail Tickets sold on 'Dark Web', BBC investigation reveals
• Microsoft bundles Security Updates - no more pick and choose
• Microsoft release 7 Critical Patches for Windows, Edge, IE, Office & Flash Player
• Throw your Backdoored D-Link DWR-932B Router in the bin, urges Security Researcher

Awareness, Education and Intelligence

• BAE releases online Cyber-Risk Tool Assessor
• Top Five Email Phishing Attack Lures Revealed and How to Prevent Them

Reports

• EU GDPR - Nine out of Ten Don't Understand it
• Thales Survey: 84% of Brits reconsider Brands affected by Data Breaches
• PCI SSC: The UK Business CyberSecurity Threat
• Mobile is the New Playground for Thieves: How to Protect against Mobile Malware
• 73% of organisations across the globe have suffered a DDoS attack – Neustar Study
• 82% of Global and IT business Pros are concerned about GDPR compliance
• Network Security Playbook Guide