Tag Archives: hacking

Holding on to data is not good practice; A look at the Wetherspoons breach.

Del Brazil turns his well-experienced eye to the Wetherspoons customer data breach and asks some questions about how data was being managed, given how long some of this data had been retained by Wetherspoons. 

It has been recently reported that the pub chain JD Wetherspoon has admitted that card data of 100 customers has been stolen from a database after it was hacked. Wetherspoon’s have stated that “very limited” credit and debit card information was accessed in the hack in June and that the information could not be used as part of any attempted fraud. Wetherspoon’s further stated that personal details, including names and email addresses, may also have been stolen from more than 650,000 people.

The Information Commissioner’s Office has been notified of the breach, which only came to light recently and is investigating accordingly.

The hacked database contained customers’ details, including names, dates of birth, email addresses and phone numbers; the 100 customers whose card data was stolen had apparently bought Wetherspoon vouchers online between January 2009 and August 2014.

Will a lead lined wallet be the only solution?

“Only the last four digits of payment cards were obtained in the hack as the remaining digits were not stored in Wetherspoon’s database,” said John Hutson, Wetherspoon’s Chief Executive. None of the card data stored by Wetherspoon’s was encrypted, because the other associated card details were not stored on the database.

A letter to those customers whose details may have been hacked advises them to “remain vigilant for any emails that they are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information”.

Despite an email warning being received about the suspected breach, little if anything was done to investigate the possibility of a hack further. The email warning may have been captured by a spam filter and either quarantined or automatically deleted, depending on the settings of the relevant servers.

Mr Hutson said that the hack occurred between 15th and 17th June and that there was no evidence of fraudulent activity using the data taken from the database. He added: “We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.”

Serious questions need to be asked of Wetherspoon’s as to why they were retaining customer data for such a long period, in fact well past the time for which it was intended to be used. Further investigation should establish how and why the data was retained for so long; once again one of the main data protection principles, that personal data should be kept no longer than necessary, is at the forefront of the author’s mind. If the data was being retained for an appropriate reason and with the individuals’ permission, were there sufficient security measures in place to safeguard against and/or deter would-be hackers?
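To make the retention point concrete, here is an added Python example (written for this post, not code from Wetherspoon’s or from the ICO) of the check a data owner would run: each record carries the purpose it was collected for and the date that purpose last needed it, a retention schedule says how long each purpose justifies keeping the data, and anything past its period, or with no recognised purpose at all, is flagged for deletion. It also flags card data fields that should never have been stored in the first place. The retention periods, record layout and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention schedule (an assumption for illustration, not Wetherspoon's policy):
# purpose -> days a record may be kept after its last legitimate use.
RETENTION_DAYS: Dict[str, int] = {
    "voucher_purchase": 180,  # order support, refunds and disputes
    "newsletter": 365,        # marketing consent reviewed yearly
}

# Fields that should never sit in this database at rest. Full card numbers, CVVs and
# expiry dates belong with the payment provider; at most the last four digits are kept.
FORBIDDEN_FIELDS = {"card_number", "cvv", "expiry"}


@dataclass
class CustomerRecord:
    customer_id: str
    purpose: str        # why the data was collected
    last_used: date     # last time the purpose actually required it
    fields: Dict[str, str] = field(default_factory=dict)


def overdue(record: CustomerRecord, today: date) -> bool:
    """True when the record has outlived the retention period for its purpose.
    A purpose missing from the schedule is treated as overdue: data with no
    stated purpose has no justification for being kept."""
    days = RETENTION_DAYS.get(record.purpose)
    if days is None:
        return True
    return today - record.last_used > timedelta(days=days)


def forbidden_fields(record: CustomerRecord) -> List[str]:
    """Card data fields present on the record that should not be stored at all."""
    return sorted(FORBIDDEN_FIELDS & set(record.fields))


def audit(records: List[CustomerRecord], today: date) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (ids past retention, {id: forbidden fields present})."""
    to_purge = [r.customer_id for r in records if overdue(r, today)]
    leaks = {r.customer_id: forbidden_fields(r) for r in records if forbidden_fields(r)}
    return to_purge, leaks


def purge(records: List[CustomerRecord], today: date) -> List[CustomerRecord]:
    """The records that may still be kept; everything else is deleted."""
    return [r for r in records if not overdue(r, today)]


# Constructed sample records. C001 mirrors a voucher buyer whose last order was in
# August 2014; C003 has a purpose nobody can account for; C004 holds a full card
# number it should never have stored (the value is a placeholder, not a real PAN).
SAMPLE = [
    CustomerRecord("C001", "voucher_purchase", date(2014, 8, 10),
                   {"name": "A. Customer", "email": "a@example.com", "card_last4": "1234"}),
    CustomerRecord("C002", "newsletter", date(2015, 6, 1),
                   {"name": "B. Customer", "email": "b@example.com"}),
    CustomerRecord("C003", "legacy_import", date(2015, 11, 1),
                   {"name": "C. Customer", "email": "c@example.com"}),
    CustomerRecord("C004", "voucher_purchase", date(2015, 10, 15),
                   {"name": "D. Customer", "email": "d@example.com",
                    "card_last4": "5678", "card_number": "<placeholder PAN>"}),
]
TODAY = date(2015, 12, 1)

if __name__ == "__main__":
    ids, leaks = audit(SAMPLE, TODAY)
    print("past retention, delete:", ids)
    print("card data that should not be stored:", leaks)
    print("records kept:", [r.customer_id for r in purge(SAMPLE, TODAY)])
```

Run on the sample, the audit marks C001 (voucher data untouched for over a year) and C003 (no recognised purpose) for deletion and reports that C004 is holding a full card number; C002 and C004 remain within their periods. The choice to treat an unknown purpose as overdue is deliberate: a record nobody can explain is exactly the kind of data that accumulates for six years without anyone asking whether it should still be there.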

Wetherspoon’s have already given a clear indication that they fully intend to keep their retention of personal data to a minimum, as stated by founder and Chairman Tim Martin. Is this likely to satisfy the ICO? In essence, yes, as it shows a clear intention to limit the amount of personal data being retained by Wetherspoon’s; although once the ICO investigation has been completed it is likely that a number of requirements and/or recommendations will be imposed by the ICO.

It is the author’s opinion that, should the ongoing investigation by the ICO highlight significant failings by Wetherspoon’s in the protection of customer data, a fine should be imposed that is in line with the seriousness and size of the breach. The ICO may take a dim view of this breach as it is likely to flout one of the key Data Protection Act principles, in that Wetherspoon’s may have been storing customer data for longer than necessary and may not have afforded the information the appropriate level of security.

Currently there is no legal requirement for companies to report data breaches and/or losses to the ICO; however, this is likely to change in the very near future. In the author’s opinion, each and every company has a moral obligation to report the breach or loss of personal data not only to the individuals concerned but also to a recognised institution, such as the ICO, so that improvements in data protection can be driven by looking at previous failings.


Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

In July, Social Engineering was a key topic and one of our blog posts was very well visited; The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote, with clarity, about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and about other security specialists being targeted. Also in August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press, sometimes as a hero but usually as a villain…well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, the Bank of England expressed some firm opinions on cyber security requirements in the financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

And finally, December… Well, the Advent Advent Calendar has been a festive fixture for three years now, so we had to make sure it was included and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally, TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.


Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net


Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsula coupled with additional attacks from the Orient; this will bring a chill to the spines of organisations. These attacks are likely to be followed by sweeping phishing scams from the African continent. There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation dawns that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However, on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same. Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people. I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees. I also predict a significant challenge for many organisations which hold personal data. The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens. With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioner’s Office (ICO). Could this be the start of a wider regulatory drive to improve information security? Probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited. This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media and Marcomms Manager – I predict the growth of ransomware in business. Ransomware is mainly (though not exclusively) spread by phishing and, given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce, a policy or exercise restrictions in this area will also find themselves victims of this cynical exploit.

A word from our Directors…


Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 


Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breaches in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons, highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and, looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Why would anyone want to hack the weather?

A review of the news of the BoM attack from Security Consultant, Chris Cope.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Or more precisely, why would anyone want to hack the Australian met office? Well, it’s happened and officials were quick to announce that the damage will take millions of dollars to fix and that China was responsible for the hack. It’s not the first time that allegations have been made against Chinese hackers and, with the information available, non-official sources can only speculate on how accurate the Australian allegation is. But what is interesting is the close links between the Australian met office and the Ministry of Defence. The nature of the links isn’t specified, but for an attacker looking to infiltrate the Australian Ministry of Defence, the obvious ways in are more than likely to be heavily protected. But what about subsidiaries? Could the Australian met office represent a weak link? In this case perhaps not, as the intrusion was detected, but there remains a lesson here for all companies. Outsourcing is becoming increasingly common. Services that organisations don’t want to deliver themselves are passed on to a service provider. So, whilst we might be content that the security measures in place for our company are robust, can we say the same about those third parties that we connect to? What assurance has been carried out, do contracts cover security considerations, are those connections monitored and is there a joined-up incident reporting procedure? All of these are valid questions and ones that are increasingly important in our interconnected world. If you don’t know the answers to these questions, perhaps it’s time to find out, before a trusted partner becomes your Achilles heel.


Trident vulnerable to hacking?

By Julia McCarron with contribution from Chris Cope.

There have been a number of press stories in the last few days that could have us searching for our three-pronged spears to protect these shores because, if the news is to be believed, the missile version of Trident could be rendered useless or obsolete by a cyber-hack.

I don’t know about you, but I viewed these articles with some scepticism, as I can’t believe that the MOD and Government haven’t thought to test the technical vulnerabilities of such a critical system before now, especially one with such far-reaching consequences if it were breached.

As I understand it from those who have knowledge of MOD workings, all military systems, including Trident and its associated communications networks, are assured via the Defence Information Assurance Services (DIAS) Accreditors. This assurance process takes into account the likely threats and resulting risks that apply to those systems, including hacking and other forms of cyber-attack. There is a stringent policy of assessment and review for all major systems, and Trident will be one of the most assured systems due to its importance. Clearly, though, details of this assurance are highly unlikely ever to be released into the public domain; information on risks and the countermeasures taken against them will be very closely guarded. And I would hope so too!

The MOD will employ a number of safeguards to protect its most important systems. Many of these will be familiar to the wider information security field and it’s no surprise that ISO27001 features heavily. The greater the risks to the system, and the more critical it is, the more stringent the controls in place. Many high level MOD systems are effectively air-gapped and have no connection to the internet, even via a controlled gateway. That means they are effectively isolated from other communications networks, and even authorised users are heavily constrained in what they can and cannot do; the use of mobile media, for example, is highly regulated. Given Trident’s role as a potential counter-strike weapon, the communications to the deployed vessels receive very careful attention. Not only will there be a good level of assurance against the normal range of attacks, but there will be significant redundancy in place, just in case one link fails. Trident is carried by the Vanguard class submarine, which is designed to operate virtually undetected. Commanders of these vessels have clear direction from the Prime Minister on what to do if there is evidence of a nuclear attack and all communication from the political leadership in the UK fails.

The comments made by a former Defence Secretary about potential vulnerabilities around the Trident system make interesting reading in light of recent concerns over cyber-attack, but the timing of these comments is telling. The House of Commons is due to vote on the future of the UK’s nuclear deterrent … there I go being sceptical again, but as my hero Leroy Jethro Gibbs often says, Rule #39: There’s no such thing as a coincidence…

Attack of the Drones – guest post from Julia McCarron – Advent IM Director

So this week came the worrying news that mobile phones attached to drones can hack Wi-Fi devices and steal our data. That Star Wars script of yesteryear could be coming into its own! Oh hang on … that was Clones not Drones. But seriously, the use of drones in warfare is becoming more and more prevalent, so could their use in cyber hack-attacks become a common threat too?

Image courtesy of Victor Habbick at FreeDigitalPhotos.net


Drone usage in war and the fight against terrorism is a concept that’s been explored by TV and film script writers for a long time. (SPOILER ALERT: An insight into my television habits coming up.) Five years ago an episode of Spooks saw an American drone hacked by the enemy in Afghanistan. An episode of NCIS a couple of years ago saw a systems engineer steal a surveillance drone for the purposes of selling it to a terrorist group who then bombed a high profile event attended by the US military. An episode of Castle saw a government drone hacked and used to kill a government whistleblower. Far-fetched? Maybe. Possible? Definitely. Likely? Well, we would hope not! But as we often see, TV dramas have a nasty habit of bringing reality to our screens, and indeed drone usage has been part of our warfare arsenal since 1959, albeit essentially as unsophisticated unmanned aircraft.

Drones have many other uses aside from warfare, cyber or otherwise. The US Navy for example uses tiny drones called Cicada containing sensor arrays that monitor weather and location. But they also have microphones that can eavesdrop on conversations within their vicinity. A useful tool for espionage?

Since 2013 the Police Service of Northern Ireland has deployed drones as surveillance cameras to support policing operations during royal visits, political summits, the Belfast Marathon, searches for missing persons and the Giro d’Italia. Arguably a positive use of unmanned aerial vehicles as crime prevention and detection aids, and possibly deterrents.

In July this year, a student videographer shot footage of four young people running across a school roof in Northern Ireland. He lived nearby and spotted them on the roof, so sent his drone out to inspect what was going on. The children got spooked and jumped down, running for cover. Private use of this nature, however, does open up a wider privacy issue in the same way that CCTV coverage does.

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net

So how can they be used to steal data? Researchers at the National University of Singapore announced on Monday that, by attaching a mobile phone containing two different apps to a drone, they successfully accessed a Wi-Fi printer and intercepted documents being sent to it. The apps were designed so that one detected open Wi-Fi printers and identified those vulnerable to attack, and the other carried out the attack by establishing a fake access point, mimicking the end device and stealing the data intended for the real printer. These are techniques that, they claim, could ultimately be used by corporate spies for industrial espionage, or indeed by terrorists.

As drones are yet to become commonplace in our everyday lives, it is likely that we would spot the physical threat before the cyber attack occurs. Today. But what about tomorrow? In the last 30 years technology has taken over our lives. Who would have thought we’d all be carrying around a telephone in our back pockets that’s also a computer and literally voices, “Don’t forget it’s your Mother’s birthday”!

At some point, in the not too distant future, seeing drones flying above our heads will become the ‘norm’. And that’s when our guard will be down and drone attacks won’t just be connected to air strikes but cyber hack-attacks too.

It’s 1984 meets Star Wars, but this time it will be ‘Attack of the Drones’. May the Force be with us all!

How cyber-attacks affect local and national businesses – The Rt. Hon. James Morris MP visits Midlands-based experts to find out.

Midlands-based Cyber/Information Security Consultancy and members of the Malvern Cyber Security Cluster, Advent IM, announce a forthcoming visit from Halesowen and Rowley Regis MP, James Morris.

The visit is planned for the Advent IM Offices and Training Centre, 5 Coombs Wood Court, Steel Park Road, Halesowen B62 8BF, on February 20th at 11.30am.

This visit will afford Mr Morris the opportunity to understand the impact of cyber security threats to businesses and public bodies in his constituency and their supply chain partners. He will also meet members of the team dedicated to improving organisational cyber security practice both nationally and internationally, through high quality consultancy and training.

Understanding cyber threat and the resultant risk to business is vital in the fight against cybercrime and data loss. Many research papers and surveys have been produced on the topic; if we were to select just one to illustrate the scope of the problem, the Ponemon Institute research on corporate information security, “Corporate Data: A Protected Asset or a Ticking Time Bomb?”, shows that some major issues need to be addressed as a matter of urgency. These include:

  1. 71% of all surveyed users found they had access to information that they shouldn’t have and 4 in 5 of the IT professionals who responded confirmed this poor practice by saying that their organisation did not use a ‘need to know’ data policy.
  2. Almost half of total respondents believed that the Data Protection controls and oversight were weak.
  3. Almost 80% of respondents thought it was acceptable to transfer confidential documents to potentially insecure devices.

Segregation of data and appropriate access controls limit what users can find and use, and also control where hackers may be able to move if they do manage to gain network access. If end users can see gaps in security, as evidenced in point 2, you can guarantee hackers will too.
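As an added illustration (not part of the press release or of the Ponemon study), the following Python sketch shows what a ‘need to know’ data policy looks like when it is both enforced and audited: access is denied by default unless the user’s role explicitly needs the dataset, and the audit lists every grant a user currently holds beyond that need, which is exactly the excess the 71% figure in point 1 describes. The role model, users and grants are constructed sample data, and the datasets and role names are assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (an assumption for illustration, not any real organisation).
# A role names only the datasets its holders need; anything absent is denied.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "sales": {"customer_contacts"},
    "finance": {"invoices", "payroll"},
    "support": {"customer_contacts", "orders"},
}

USER_ROLE: Dict[str, str] = {"alice": "sales", "bob": "finance", "carol": "support"}

# What each user can actually read today, as a file-server or directory export
# might report it. Grants accumulate over time, so some exceed the role's need.
ACTUAL_GRANTS: Dict[str, Set[str]] = {
    "alice": {"customer_contacts"},
    "bob": {"invoices", "payroll", "customer_contacts"},
    "carol": {"customer_contacts", "orders", "payroll"},
}


def is_allowed(user: str, dataset: str,
               user_role: Dict[str, str] = USER_ROLE,
               role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> bool:
    """Default deny: a request succeeds only when the user has a known role
    and that role explicitly needs the dataset. Unknown users, unknown roles
    and unlisted datasets all fall through to False."""
    role = user_role.get(user)
    if role is None:
        return False
    return dataset in role_needs.get(role, set())


def excess_access(user: str,
                  actual: Dict[str, Set[str]] = ACTUAL_GRANTS,
                  user_role: Dict[str, str] = USER_ROLE,
                  role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> List[str]:
    """Datasets the user can reach today but has no stated need for."""
    need = role_needs.get(user_role.get(user, ""), set())
    return sorted(actual.get(user, set()) - need)


def audit_grants(actual: Dict[str, Set[str]] = ACTUAL_GRANTS,
                 user_role: Dict[str, str] = USER_ROLE,
                 role_needs: Dict[str, Set[str]] = ROLE_NEEDS
                 ) -> Tuple[Dict[str, List[str]], float]:
    """Return the grants to revoke per over-privileged user, and the share of
    users holding at least one excess grant (the kind of figure a survey such
    as Ponemon's reports)."""
    report: Dict[str, List[str]] = {}
    for user in actual:
        excess = excess_access(user, actual, user_role, role_needs)
        if excess:
            report[user] = excess
    share = len(report) / len(actual) if actual else 0.0
    return report, share


if __name__ == "__main__":
    report, share = audit_grants()
    for user, datasets in report.items():
        print(f"revoke {user}: {', '.join(datasets)}")
    print(f"{share:.0%} of users hold access beyond their role's need")
```

On the sample data the audit finds that bob (finance) can read customer contacts and carol (support) can read payroll, so two of three users are over-privileged; the enforcement side, by contrast, never consults the accumulated grants at all, which is the point of a need-to-know policy: the role’s stated need, not whatever the file server happens to allow, decides the request.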

Point 3 reveals that poor practice, lack of governance and poor or non-existent training are creating a perfect environment for cyber criminals to exploit in order to attack businesses.

If technical security hygiene is also found to be lacking, e.g. out-of-date and/or unpatched software in use, no effective and updated anti-malware in place, systems and networks untested by regular IT Health Checks including penetration testing, then any incursion from outside forces will be successfully executed and organisational information assets will be completely compromised. This can include staff personal information, as it did with the Target breach, and that of clients and other supply chain partners.

Managing Director Mike Gillespie said, “Businesses are connected by the internet all over the world; local businesses may have supply chain partners thousands of miles away just as frequently as down the road. Organisations have a responsibility to each other to make sure they are taking adequate precautions, both technically and corporately, to ensure their information assets are properly secured.”

We will be discussing this and other cyber security issues affecting the local community with Mr Morris during his visit.

Issued: 12.02.15 – Ends – Ref: VIP-200215-Advent

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats. Mike Gillespie is MD of Advent IM, Director of Cyber Strategy and Research for The Security Institute and a member of the CSCSS Global Cyber Security Select Committee.
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project