Security QuickThink – thinking out loud to Security news

ID-10097819

Reading about the TalkTalk Breach (again)

So far they have admitted to £60m cost and the loss of over 101k customers. Of course they have also launched a 100% free (line rental only) advertising campaign, but I am not sure if this entirely self-supported promotion has been factored into the losses. Its short sighted to think a quick share price recovery means all is well; they frequently rally. At the end of the day consumers will decide if they trust them or not and who knows how much it will cost to convince them of that now after 3 breaches in 12 months.

ID-10097819 Fine for patient data-peddling online pharmacy

In the news today, NHS approved online pharmacy Pharmacy2U has been fined by the ICO. Given the huge sums of money to be made from selling personal medical data, the fine of £130k is not likely to prove much a deterrent. This is the largest ‘NHS approved’ online pharmacy, so questions may also need to be asked about the due diligence required to be approved? Full story

ID-10097819 Casino loses 150k credit cards as hackers stroll through a security-free virtual environment.

Depressing news form the Register today and the article goes on to say another six casinos could also be affected. Even the most basic security precautions were missing; not even a firewall in place. The casino in question and the other six potential targets have not been named. Shockingly cavalier attitude to customer information security. You can read the whole sorry tale here

ID-10097819 EU Court has ruled against ‘Safe Harbor’ transatlantic data sharing.

Comment from Advent IM Director, Julia MCCarron

This could have a severe impact on businesses operating in the UK but owned by American companies that host customer and employee data Stateside. Safe Harbour was the only US wide regulation that could be relied on to allow data transfer without infringement on data protection and privacy. Without this we are reliant on individual state regulations, which some have and some don’t and that can vary widely. The only potential fall back was relying on model clauses but from the press release even that looks doubtful. The decision by the European Court of Justice has massive implications.

ID-10097819Chrysler has not enjoyed good press lately. Security researchers managed to hack a moving Jeep through its entertainment systems, control the brakes and transmission and drive it into a ditch. Acknowledging you have a security problem is the first step to getting help, we all know that. However they decided to patch this particular vulnerability by sending a USB stick to owners through the post. We all know not to put USBs that aren’t ours or we cant vouch for into our networks and devices don’t we? So if this had been tampered with or was fraudulent in some way…I’m just not sure this isn’t compounding one security failure with another one, or at the least a potential one. So I guess now spoofers out there know that Jeep send patches by mail on USB so they know what to do next I suppose? *facepalm*

ID-10097819Cyber attacks ‘as big a threat to new warships as missiles and torpedoes – headline from The  Telegraph 06.08.15

The design of the new Type 26 war ship which will be the new Royal Navy workhorse, has included protection from cyber attack. This is a good example of bringing together cyber-sec in real terms, with all of the elements that require protection from cyberspace. Legacy systems that get dragged into IP service will continue to be a threat not only to business but the military and Critical National Infrastructure. You also can’t pick and choose which web enabled systems you protect…

Enough of that…here is the article and an impression of the new ship

ID-10097819San Diego Lawyer falls prey to $289k phish…

A Lawyer from San Diego was hit by a spear phish when what he believed was an email from his bank turned out to be a virus which logged his keystrokes, giving confidential information to attackers.The attack was first noticed as John got a phone call from the supposed bank employee two days later. He asked him to “enter the information several times” and then told him he was locked out of his account for 24 hours. Within this time $289,000 dissappeared from the account to a chinese bank.

The biggest failure was the lack of awareness and education. John clicked on a suspicious email from his bank with the address ending in “.gov.” and downloaded files. He then entered his confidential information into the website when asked by the supposed bank employee. This insider threat due to lack of education to the lawyer involving cyber threats. John is held accountable for the loss at Pacific Premier Bank, as they declined to cover the cost.

Process, procedure and training clarity would prevent this situation from being repeated. The threat of spear phishing will always be there but if employees knew exactly what to do when the threat was realised this phish could of been spotted and ignored/reported. Giving away banking information is disastrous for any company, losing customers trust and having to make ammends to the huge money loss. this specific incident goes to show how much damage can be done with just a phone call and an email, which could easily be stopped with just a an hour or two of John’s time.

The full story is available here from ABA Journal

Today’s contribution to our SecurityQuickThink section comes form our Business Admin Apprentice. Well done, Dan.

ID-10097819The Morgan Stanley breach/theft seems to have been enabled by the fact the perpetrator had access to files of customers who weren’t actually his. My first response is to wonder why this was considered good practice?

___________________________________________________________________________________________________

ID-10097819A Spear-phishing email containing ransomware knocked out a TV channel. ABC News 24 out of Sydney Australia was forced off the air after a simple but devastatingly effective phishing email delivered a ransom-ware payload that locked out users in a Cryptolocker-like offensive. The emails that contained the malware were carefully constructed but simple and purported to be from a source most likely to get an unwitting staff member to open: The Australia Post. Be vigilant, folks.

___________________________________________________________________________________________________

ID-10097819

image courtesy of freedigitalphotos.net

Today marks the start of National Cyber Security Awareness Month (#NCSAM if you are a tweeter). I note it coincides with Sober October and Stoptober…giving booze and smokes a rest for the month of October. If your Information Security Manager is taking part in all three of these activities, you may suddenly find your security gets much tighter/draconian and a bit more snarly 🙂

On a (slightly) more serious note, our Twitter account @Advent_IM will be publishing a tip per day for #NSCAM and if you have any you want to share we hope to see them on that hashtag too.

___________________________________________________________________________________________________

phishing apple

ID-10097819

Recent phishing email asking for iCloud verification. This is clearly dodgy given that it is addressed to Dear Member and when you hover over the link a very unlikely looking URL appears.

If you are unsure about your Apple ID, login  using your normal method, do not click links in emails.

_________________________________________________________________________

ID-10097819More phishing.!  This isn’t anything personal against U2 or Bono but the placing of their new music in iPhone users libraries has proved to be a bit of faux pas. Many have received this auto download and found it in their purchased folder despite having de-activated the auto download function – Apple has overridden their preferences in order to push U2.

Anyway the reason why this is not only a privacy invasion but also a danger to iPhone users (again nothing personal, Bono) is that in the previous weeks, iPhone users had been spammed with phishing emails saying  they had purchased a movie. Some may now unintentionally make themselves vulnerable thinking that it Apple are giving away music, maybe they are giving away films too….

You have been warned, iPhone users/Film Lovers/Music Lovers/Bono

______________________________________________________________________

ID-10097819New phishing email doing the rounds. It purports be from Tesco and offers cash for opinions. We’re not sure anyone would really fall for it as its pretty bad but just in case…tell any more gullible friends to avoid it.

Also there is a scam ‘Award’ email going around too. USITC.org is the latest incarnation of a series of these websites claiming your small business has won an international business award. It hasn’t (unless you are aware of entering a competition of course) and so you should just delete it. Additionally these people have used several similar acronym based names so keep on your security toes.

_________________________________________________________________

ID-10097819So several hacks on and now we are faced with a time sensitive warning about Cryptolocker from the NCA. Apparently some ISPs will be contacting users to warn them they could be infected. I do hope people don’t confused with those vishers who phone up claiming to be from Microsoft and then try to get £300 off them after showing them their Event Viewer….

_________________________________________________________________

ID-10097819Our Twitter feed makes for depressing reading this afternoon…people still reeling from the aftershocks from the Target breach and the realisation that the bucks stops with CEO for Information Security; the Silverlight exploit targeting Netflix users on PC or laptop and now the news that Ebay has had a breach and that users personal information was not encrypted. Cheer us up someone…

_________________________________________________________________

ID-10097819Heartbleed is everywhere. There will be a guide on this blog later but in the meantime, be wary. Phishers are using Heartbleed as a means to get people to click links or open files. Don’t click anything you don’t 100% trust. If in doubt go to the website it claims to be from yourself, don’t navigate via an email link. Then change your password through the website’s prescribed manner.

_________________________________________________________________

ID-10097819Changes to the Government Protective marking Scheme appears to have launched a fresh plague of phishing emails targeted at security types and coming from a fake.gov address. The emails themselves are rather flimsy but we felt it was worth mentioning. Tell your friends.

PS. If you need any genuine help with the Government Security Classification Policy, just drop us an email bestpractice@advent-im.co.uk

_________________________________________________________________

ID-10097819Bitcoin theft. Its staggering to consider the value of the Bitcoin that has been stolen in the whole MtGox shenanigans. Apparently £279m worth had been stolen by hackers due to a ‘security bug’. We read now that £70m have now been found in an old digital wallet. You couldn’t make it up. Can you think of a bank robbery that would attract so little mainstream media coverage? It isnt even in the Business Section of the BBC website, but is in Technology… anyway if you would like to read about it the link is below.

http://www.bbc.co.uk/news/technology-26677291

_________________________________________________________________

ID-10097819I know this is another Phishing warning but this is so cynical and unpleasant, it had to be mentioned. This morning we saw one we haven’t seen before – an email purporting to be from a blood test facility suggesting the recipient has cancer and needs to print off an attachment and take it to their doctor.

Vile. Anyway, please be vigilant and do not click any links or attachments you are not entirely confident about or are not expecting.

The email address is NICE Consultations [mailto:no_reply@nice.org.uk]

_________________________________________________________________

ID-10097819Phishing is alive and well and getting bolder by the week it would appear.

This week’s #phishingTackle target purports to come from The Ministry of Justice and informs the recipient that they have attracted a £70 fine and the file attachment is photographic evidence.

The email address used is justice.alerts@public.gov.delivery.com so watch out everyone.

http://www.scmagazineuk.com/ministry-of-justice-scam-email-attracts-hundreds-of-calls/article/337670/?DCMP=EMC-SCUK_Newswire

_________________________________________________________________

ID-10097819The Barclays and Santander account raiders trial has now started. Billed in the media as a ‘hack’ it transpires it was enabled by a KVM and an alleged ‘Inside Man’.

Another opportunity for us to discuss the human impact on cybercrime as not only was there someone posing as an IT consultant to istall the KVM but also now allegedly an insider, facilitating proceedings and the subsequent theft. Threat convergence.

http://news.sky.com/story/1213660/inside-man-helped-1m-barclays-bank-fraud

_________________________________________________________________

ID-10097819Apparently the demise of Flappy Bird has caused not only ruffled feathers (sorry) with mobile gamers, but created an opportunity for those wonderful phishers and scammers to fill your device with spam and/or malware. Don’t click on links to anything claiming to be Flappy Bird would be the sensible thing.

_________________________________________________________________

ID-10097819Reading about the Barclays Data Breach. Apparently the stolen customer details in question were offered for sale on a USB but so far there is not detail on how they were stolen, by using a USB or otherwise. Of course, Information comes in a myriad of formats and so we shouldn’t assume that these were necessarily saved to a USB to sell. Also wondering as this was apparently a defunct service, if perhaps the security around the information had not been maintained. Perhaps un-patched or not updated, it meant that it was vulnerable but no longer on anyone’s radar? Makes me also wonder if it should still have been stored then? #Justasking

It’s interesting that this was positioned in the media immediately as a data theft and not as a ‘hack’ as we normally have in these cases..even when it isn’t strictly speaking, a hack. The previous Barclays and Santander breaches are good examples. For those who don’t recall they involved someone posing as an IT contractor who went into a branch and placed image recording equipment to steal login credentials. I wonder what is different about this incident? Watching with interest.

http://www.v3.co.uk/v3-uk/news/2327789/barclays-hit-by-data-theft-of-27-000-customer-accounts

_________________________________________________________________

ID-10097819Apparently 11 pupils at a Californian School managed to steal login credentials to their school’s system and change their grades. Good job they only chose to change their grades and no perhaps go through the personal files of students, or other such nefarious activities. Schools really need to get a handle on how they store and manage information. This is the second school security breach I have read about in a week.

http://nakedsecurity.sophos.com/2014/02/03/eleven-ca-schoolkids-expelled-for-hacking-teacher-accounts-bumping-up-grades/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=5a413658c5-naked%252Bsecurity&utm_term=0_31623bb782-5a413658c5-454804325

_________________________________________________________________________

ID-10097819One in four UK office workers do not know what Phishing is. This wouldn’t matter so much if 100% of those people had no email account. But we all know that they do, don’t they and the reason they don’t know what phishing is? Maybe because the solution to so many security issues seem to be approached from an IT stance instead of a human one. People will always do daft things. Its no use raising your eyes to the ceiling once they have clicked a link that they think is going to take them to HMRC and the huge tax rebate they are excited about and loaded malware onto the network. Wouldn’t it be simpler just to ensure all new employees have a security induction which covers issues like passwords, phishing and other basics?

It doesn’t just happen to UK businesses either, a spear phishing attack recently enabled attack on an Israeli Defence computer…

The hackers were able to infiltrate these devices by what appears to be a spear phishing campaign. They reportedly sent out emails pretending to be from the Shin Bet secret security service. The email offered an attachment which allowed the hackers to install Xtreme RAT, a remote access Trojan which enables cyber criminals to gain complete control over the infected device. -SC Magazine

This is clearly as attractive as a phoney Tax refund to a UK office worker….

_________________________________________________________________________

ID-10097819Its EU Data Protection Day (You do know that every day is Data Protection Day, yeah?) and lots of mainstream media coverage of Data Protection all over the place, which is great! We love events like this that raise awareness of course.

I found the BBC coverage particularly interesting as the article on this morning’s BBC Breakfast. It started with the information about this EU Data Protection Day and why it is important and then swiftly moved into a discussion about the new NHS database and how do we feel about sharing our patient data.

For me this article brought together the two worlds of Security and Privacy very nicely. The media has been all over Privacy in the last few months and I really hope that this will start to widen the debate out into the whole picture of the two related topics.

visit us at www.Advent-IM.co.uk

________________________________________________________________

ID-10097819So it turns out that the massive credit card breach in south Korea (some 20m people have been affected – around half of the population) is probably an inside job carried out by an IT Contractor. The huge cache of details were loaded onto one of our old friends the USB (Ubiquitous Security Breach) and offered for sale to two marketing agencies.

Insider threat is a huge issue to security. We see this so often, according to Ponemon 78% of organisations have experienced a security breach due to an insider (negligent or malicious employee or other insider) and yet we still allow employees (56% apparently) to wander around with highly sensitive or sensitive information on mobile devise (which includes USBs).

Time to check those sticks and maybe shift to issuing corporate USBs and blocking all others from use and checking vetting procedures. Its impossible to be 100% secure 100% of the time but working a lot smarter can at least eliminate all but the most determined data thieves.

http://www.computerweekly.com/news/2240212797/South-Korean-data-breach-linked-to-an-insider

Visit us at http://www.advent-im.co.uk

_________________________________________________________________

 

ID-10097819Android has been growing as the OS of choice for a while now and business users have been moving toward it in droves as Blackberry’s spectacular fall from favour continues. This is the kind of news we have been worried about for a long time and we have also been trying to shake business out of a certain amount of complacency about BYOD. Stats from Ovum indicated that more than 50% of BYOD was carried out without the employers knowledge or permission, that means no corporate security, no governance and no idea what apps are accessing company data, where it is taken and for what purpose. According to Trend Micro there are around 700,000  apps containing malware, vastly increasing the chance that your device may become infected. Come on everyone, get your policy on and get all over your BYOD like a pigeon on a chip.

http://www.scmagazineuk.com/corporate-android-users-face-flaw-affecting-billions-of-devices/article/329858/?DCMP=EMC-SCUK_Newswire

and a bit more reading … http://www.scmagazine.com/new-android-malware-disconnects-calls-intercepts-texts-of-victims/article/330572/

Visit us at http://www.advent-im.co.uk

_____________________________________________________________

ID-10097819I am noticing a subtle shift in a lot of positioning since the launch of Cyber Streetwise. It has taken a home and work approach. I really like this. Mainly because it is acknowledging the blurred line we all now tread in our lives as flexible working, proliferation of mobile tools and a culture change means we have made the world our office or workplace. That being the case the thinking on security should be a lifestyle change and remove the thinking borders to make sure we observe good security hygiene in all aspects of our lives. The thinking being if you do something often enough it becomes habit and then culture and then we achieve the much needed paradigm shift into truly holistic security.

http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/NewsReleases/Pages/corporate-finance-collapsing-unless-cyber-security-ramped.aspx

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s