Amazon Recommends Users Change Their Passwords

Who doesn’t have an Amazon account? If you do, it may be worth changing your password, as Amazon recommends users take the precaution after it discovered that some of its users’ account passwords could be found online.

Amazon discovered the leaked passwords were contained within a password list online, and while the list was not exclusive to Amazon services, it has recommended that users change their passwords, even more so if they use the same password on several sites. If your account’s email address was found to be on any of the lists, then Amazon has taken the precaution of forcing a password reset on your account.

While many recommend against it, it’s common practice for people to use the same password and email combinations on several sites, thus increasing the chance that if one account is hacked, others will be compromised alongside.

While it’s recommended by some that we get rid of passwords altogether, alternative methods like biometric scanners for your fingerprints have been seen as easily bypassed and companies are even looking at using videos or selfies to access your accounts, a technique that has been met with mixed views. Would you prefer to access your account with a selfie or video of yourself or do you believe that the password still has a while to go if used correctly?

UPDATE: We were asked to remove the image, so one of our own, Robert Ainsworth, provided us with a copy of the email he received.

Executives Feel Like Cyber-Security is Just an IT Problem

Cyber-security is a big issue, with people and companies finding out the hard way that their security is exposed when it turns up online for sale or they receive phone calls advertising features with details they never hand out. With big companies like TalkTalk and even the government being victims of hacks, people are acting more and more with security at the front of their minds. This may soon change, though, as a survey of executives found they felt like cyber-security is just an “IT problem”.

The survey questioned 1,530 C-level executives, that is, anyone whose job title contains “chief” or another word beginning with C. This illusion of responsibility, one which often ends up landing with executives, comes as companies spent 25% more on information security in 2015 compared to 2014.

The survey, conducted on companies that were deemed “vulnerable”, found that 91 percent of the executives said they couldn’t interpret a cybersecurity report, with 40 percent of those responding admitting that they didn’t even feel responsible for cyber-security.

These figures are certainly more than a little scary, with company executives feeling like they aren’t responsible on any level for protecting your information, or even for being aware of the threats and dangers that they encounter. In a day and age where you are more likely to be attacked via the internet and your computer systems than on a street, it is the responsibility of everyone, especially those in power, to make sure that they uphold their legal responsibilities, even if that comes at the cost of a week’s crash course in cyber-security.

Suspect In The UK Told To Decrypt His Devices For The US

Apple vs the FBI may be over, but that doesn’t mean the question about decryption and the law is over. In the most recent case to catch our ears, a suspect from the UK is being asked to decrypt his devices for the US authorities.

Lauri Love is a British computer scientist, who is a suspect in the breach of US government networks, which are claimed to have caused “millions of dollars in damage”. After being initially arrested in 2013, and then released, Love was re-arrested back in 2015 and is facing extradition to the US for the suspected crime. While he has not been charged with any crimes, Love has been asked as part of a Section 49 RIPA notice (doesn’t sound that bad does it?) to decrypt his devices by providing them with the passwords and keys required to unlock his devices.

With his devices confiscated, something that Love is now contesting with a counter-suit in civil court, the authorities want to access the data on his devices, which include a Samsung laptop, a Fujitsu Siemens laptop, a Compaq computer tower, an SD card and a Western Digital hard drive. Alongside this, the National Crime Authority, the UK branch that has demanded the devices be decrypted, is interested in files located on the SD card and external drive that are encrypted using TrueCrypt.

What is most worrying is that if Love were to provide the keys, and this evidence were used against him in the US, then it would breach his Fifth Amendment rights within the US. The Fifth Amendment can be described as protecting someone from being compelled to present evidence against themselves, meaning that you can’t be forced to prove your guilt, by unlocking a computer for example.

In his argument, Love states that “the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt”. An argument that if extended to other circumstances, could be seen as worrying for any groups that share information and protect journalists, whistleblowers and anyone within the legal profession.

Valve Found Guilty of Breaking Australian Consumer Law

Valve is known for creating the popular digital sales platform Steam, which does everything from hardware to regular sales of video games. One thing they’ve been keen to improve on for a while has been their refund policy, something which saw the original policy replaced with one that could offer full refunds to people who purchased a game on the platform. The problem is that the revised policy wasn’t in place when the court case against Valve was raised, a case which has now ended with Valve being found guilty of breaking consumer law in Australia.

In the court case, started back in 2014 by the Australian Competition and Consumer Commission (ACCC), Valve was taken to court because it lacked a refund policy, something that is required by Australian consumer law. In its defence, Valve stated that it doesn’t “officially” conduct business in Australia, instead offering a portal to video games through clients.

Overseeing the case, Justice Edelman stated that Valve was doing business in Australia and must, therefore, follow Australian law. This is the first time that the term “goods” has been applied to computer software in Australia, something that is bound to have far-reaching legal impacts in Australia.

With a hearing set for the 15th April to see how much Valve will have to pay in “relief”, including the likely outcome that they will pay the ACCC’s legal fees, it would seem that initial attempts to resolve this matter and follow the law will still cost the company.

Verizon Enterprise Breach Leads to 1.5 Million Customers Records Up For Sale

It’s not been a good year for Verizon. Earlier this month we reported on the fact that the company had been fined by the FCC for “supercookie” tracking, and now it would seem that Verizon Enterprise has been breached resulting in 1.5 million customer records being put up for sale.

The revelation comes as a seller has begun advertising the sale of a database with information for 1.5 million customers of Verizon Enterprise, all being offered for the price of $100,000. If you feel like that is a little much, you can buy 100,000 records for just $10,000. The thread also contains the option to buy information about security vulnerabilities in Verizon’s website, leading people to question just how safe their data is.

In response, Verizon stated that they had “recently discovered and remediated a security on our enterprise client portal”. Regarding the data itself, they state that “an attacker obtained basic contact information on a number of our enterprise customers”.

This would appear to confirm that the data is real, although it may not be as juicy and chock-full of information as some might hope. This looks especially bad for Verizon Enterprise, as they are the ones commonly finding flaws and reporting on breaches like these every year. If you were wondering just how much of an impact that could have on people, Verizon’s Enterprise client list includes 99% of Fortune 500 companies.

Hackers Leave Advice for Breached Security Company

Security firm Staminus servers have been taken offline today, following a supposedly successful cyber-attack on their network. The Newport Beach, California-based hosting and distributed denial of service (DDoS) protection company went down at 8 am EST on Thursday, with the company communicating details of the event via Twitter citing it as a “rare event [that] cascaded across multiple routers in a system-wide event.”

This ‘rare event’ was quickly revealed to be a far more deliberate malicious act against the company, with a data dump of Staminus’ servers being posted to the internet shortly afterwards. This leak contained the details of a large number of customer names and email addresses as well as their database table structures, routing tables and other crucial operational information. An unnamed Staminus customer verified the contents of the hack, confirming that his details were among those released in the dump. The posters of the dump declared that they had managed to gain access to all of Staminus’ routers and networked systems, resetting them to factory settings.

The dump begins with a note from the hackers responsible for the breach, titled “TIPS WHEN RUNNING A SECURITY COMPANY.” This preface detailed a number of security flaws found while breaching Staminus’ systems in a sarcastic style:

  • Use one root password for all the boxes
  • Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
  • Never patch, upgrade or audit the stack
  • Disregard PDO [PHP Data Objects] as inconvenient
  • Hedge entire business on security theatre
  • Store full credit card info in plaintext
  • Write all code with wreckless [sic] abandon

While no credit card information was visible in the dumped data, storing it unencrypted goes against Payment Card Industry (PCI) security standards and is inappropriate for any company handling such details, especially one claiming to be in the security business.

Also laid bare was the colourful selection of customers that Staminus served, ranging from a number of small gaming server operators, including those for Minecraft, all the way to the Ku Klux Klan: it was found that the KKK’s official website was in fact hosted by Staminus, as well as a number of affiliated sites such as the American Heritage Committee.

While Staminus claimed that service had been restored globally, many customers took to Twitter claiming that this was not the case. Since then, the only communication from the firm has been the announcement of a statement from their CEO, which is linked to their (currently offline) site. When Staminus will regain full functionality of the network is anyone’s guess; however, it will be interesting to see how the company will recover from this major event.

Hacker Who Leaked Bush’s Emails To Be Extradited

In this day and age, security and technology are constantly at odds. With the ability to chat with people all over the world at the press of a button, sometimes storing that information can be troublesome. A year and a half ago the U.S. found this out when it was discovered that former president George W Bush’s emails had been leaked; now it would seem the hacker responsible is to be extradited.

Marcel Lehel Lazăr reportedly broke into the email account of several family members of George W Bush, gaining access to everything from family photos to self-portraits painted by the former president himself. The hack contained emails regarding family matters such as a funeral for his father, former president George H. W. Bush.

Lazăr, a former cab driver, is being charged with cyberstalking, obstruction of justice, aggravated identity theft, wire fraud and unauthorised access to a protected computer. Under Romanian Law, he can be extradited for up to 18 months to face the charges. With a former conviction in 2014 for hacking into accounts of Romanian officials, the past looks to have repeated itself again with his latest act.

With no names mentioned in the case, it lists one of the victims as a “family member of two former US presidents who was the true owner of an AOL account known to the grand jury”. With so few families having two former presidents in their midst, I think it’s safe to say that this case revolves around the Bush family.

Apple’s Official Response To The FBI Is Here!

In the last few weeks, the news has been awash with a single topic when it comes to technology: security. It was brought to life by a judge ordering Apple to unlock an iPhone, a move which has split America almost down the middle. The time has finally come and you can now read Apple’s official response.

Apple’s lawyer, Theodore Boutrous, wrote that “Apple is a private company that does not own or possess the phone at issue, has no connection to the data that may or may not exist on the phone”. This argument is a fair one; Apple has already said that they would have complied and provided the information to the FBI if someone hadn’t changed the passcode.

Supreme Court Justice John Paul Stevens argued back in 1977 that “if the All Writs Act confers authority to order persons to aid the Government the performance of its duties… it provides a sweeping grant of authority entirely without precedent in our Nation’s history”.

Apple continues to argue these points, saying that the government’s use of the All Writs Act even goes as far as breaching Apple’s First and Fifth Amendment rights. They argue that having to assign anywhere from six to ten engineers to work on this project for months, and maybe longer if more phone unlocks are ordered, would be an undue and overly burdensome task. Referring to the aforementioned changing of the passcode, Boutrous stated that the FBI hasn’t even asked other agencies for their support, saying:

“Here, by contrast, the government has failed to demonstrate that the requested order was absolutely necessary to effectuate the search warrant, including that it exhausted all other avenues for recovering information. Indeed, the FBI foreclosed one such avenue when, without consulting Apple or reviewing its public guidance regarding iOS, the government changed the iCloud password associated with an attacker’s account, thereby preventing the phone from initiating an automatic iCloud back-up. See supra II.C. Moreover, the government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks.”

With the legal proceedings only set to continue, it could be a while before we see this case end but one thing is for certain. This case is more than likely to bring about a change in how companies, governments and even people think when it comes to their digital security.

Hacker Releases 17.8GB of Data From Turkish Police Server

A hacker going by the online alias ROR[RG] has released a large amount of data that belonged to a Turkish National Police database and is thought to contain large amounts of sensitive private information. ROR[RG] is aligned with the Anonymous hacktivist group and has leaked the data that was supposedly stolen from Turkish General Directorate of Security (EGM) onto a number of peer-to-peer sites for anyone to download and examine.

The data was released through The Cthulu website, which has been a host of a number of leaks by members of Anonymous in the past, including a serious hack against a US Police union last month. A statement released with the data explains that the data was taken from the EGM and that “the source has had persistent access to various parts of the Turkish Government infrastructure for the past 2 years.” It went on to explain that “in light of various government abuses in the past few months, has decided to take action against corruption by releasing this.”

Based on examination of the files in the leak, they appear to originate from a MySQL database, which Reddit confirms. A number of users on the world news subreddit (including some Turkish posters) loaded up the leaked database, finding that it was from the MERNIS system and contained a directory of an enormous amount of Turkish citizens, including ID numbers and full addresses. Exactly how much of the Turkish population this data covers is currently unknown, but this looks to be a disastrous breach for the Turkish government.

It is worrying for the information security of the Turkish government that such a leak was allowed to take place, and not just this, but that the hacker had supposedly had continuous access to government systems for at least two years prior to the leak. The potential consequences of this leak are huge too, as it provides a treasure trove of personal data for criminals to use. Hopefully, the Turkish government will have an answer for this leak; however, it may be too little, too late for those whose personal data is already in the public domain.

Juniper Networks Finds ‘Unauthorised’ Code in Its Software

Cyber security and the integrity of applications are essential for consumers to have confidence that their details will be kept safe and not intercepted by a third party. Well-known internet hardware company Juniper Networks has issued a warning concerning a discovery it has made within its firewall software, which could have let a third party decrypt data sent through an encrypted VPN (Virtual Private Network).

During a recent internal code review, it was discovered that “unauthorised code” had somehow made its way into Juniper’s ScreenOS software; it’s interesting to note that many ISPs (Internet Service Providers) and also large firms deploy the company’s routers and network switches. The vulnerability could have allowed a third party, or as the company refers to the threat, a “knowledgeable attacker” (who could be a 12-year-old for all we know), to gain administrative access to NetScreen devices and to decrypt VPN connections.

The unwanted slice of extra code has been present within different versions of ScreenOS since 2012. Juniper has confirmed that it is not aware of, nor has it received, any reports of the vulnerabilities being exploited, and urges everyone running the affected devices to quickly apply the released patches with the aim of stripping the unauthorised code out of its firewall software ASAP.

It’s a serious breach and questions will surely be asked concerning how the code managed to make its way into the software.

Image courtesy of smarteranalyst

Twitter Users Hit by State-Sponsored Attackers

On Friday, a number of Twitter users received a notification from the social networking platform, explaining that their accounts had been the target of state-sponsored actors. Unsurprisingly, the supposed targets of these attacks were mass surveillance researchers and security professionals.

The incident was surprising for users of Twitter, as until the notifications went out at 17:30 EST, Twitter’s notification service regarding state-sponsored attacks had never before been seen, let alone mentioned by Twitter. Fortunately for those affected, Twitter assures in the notification email that they believe only email addresses, IP addresses and phone numbers could have been taken by a breach, and even then, could not confirm that any data had been taken. The compromising of a single social media account can be a big deal though, with some users holding multiple Twitter accounts for different purposes, and using personal details and account credentials could yield access to other sites too.

Twitter is yet to release any further information beyond the notification letter; however, people have begun theorising about what could be taking place, with Jacob Appelbaum, a key member of the Tor Project, taking the effort to keep up a list of sorts of the individuals receiving the notifications. He questioned in a tweet whether Twitter had been “owned” or hacked. More information and theorycrafting on the topic has come under the hashtag #StateSponsoredActors, which also discusses Twitter’s blocking of a number of accounts used through the Tor service.

Twitter is not the only online service with warnings against incidents with state attackers, with Google having one in place and Facebook having launched theirs back in October, which immediately identified attacks on US Government employees.

EU Agree On Cybersecurity Rules

Security is a word that has appeared more and more online when it comes to the digital world in recent years. With more and more attention drawn by everyone from presidential candidates like Donald Trump to toy companies like VTech, governments are now pushing for stricter security on their systems. The EU have since agreed upon a set of rules regarding how their countries should approach the problem and where their responsibilities lie.

The proposed legislation would mean that essential services, such as electricity management and traffic control systems, would have to be able to withstand online attacks, while major marketplaces like Amazon or eBay, along with cloud-based services (things like your apps which use online storage), would be required to ensure that their infrastructure is secure and would be legally responsible for reporting any incidents.

Teams will be set up to help coordinate responses, and there will be a set of rules for exchanging information and supporting one another in regard to their capability of handling cyber security issues.

While this seems like a positive step, you have to consider that this is a world where people have been open about wanting to reduce, or even remove, encryption, potentially even creating back doors for ‘government’ use. You have to worry about how a Europe-wide system would handle such matters when they are proposed by each country’s government.


Wetherspoons Reveals Extent Of Hack

From phone calls made to and from prisons, to the details of thousands of children and their parents, hacks seem to be everywhere and are affecting everyone these days. The latest to reveal they’ve been hacked is JD Wetherspoons, the popular pub chain.

Revealing that its old website was hacked between the 15th and 17th of June, but only learning about the attack on the 1st of December, Wetherspoons called in security specialists before informing customers on the 3rd of December. Yet again the hack seems to have revealed a database containing numerous customer details, currently put at around 656,723 customers.

The details included in the database were the first name, surname, date of birth and contact details such as mobile phone numbers and email addresses.

If you purchased a voucher before August 2014, the last four digits of your credit or debit card could have been accessed, although they are keen to express that no other details, such as security codes or the remainder of your card details, were exposed.

Don’t pay by card, or never use your card when you go to Wetherspoons, so this doesn’t affect you? Did you sign up for their free wifi, or maybe even use the Contact Us form? If you did, then your data could be included in that which was revealed.

Alongside TalkTalk, Vodafone and VTech, more and more companies are finding their systems breached. Maybe now is a good time to avoid handing out any details to any company or person.

VTech Leak Contained Headshots of Kids and Chat Logs

Recently it came to light that VTech had been hacked, potentially revealing thousands of emails and usernames. The hacker has now revealed more information on what was contained within the hack, and that information was published yesterday.

The data that was obtained from the hack contained around 4.8 million users’ details, but the scope of that information is nothing compared to what else the hacker was able to obtain. 200GB of images were downloaded from the server, containing images of both the parents and children of the registered accounts, coupled with the chat logs between parents and children (some of which are recordings of conversations).

VTech suggests uploading an image so that it’s easier for parents and children to talk and interact through their services. The hacker provided Motherboard with 3,832 image files and at least one audio recording to prove that the information they obtained was legitimate, and to show the scope of the risk from such an amount of data.

If that wasn’t bad enough, the photos, chats and recordings were often linked to usernames, something that normally wouldn’t be a problem, but usernames, addresses and emails were also revealed, and even security questions and answers (meaning that resetting a password would have been an easy task).

The service has been stopped by VTech while they investigate. The hacker stated, “it makes me sick that I was able to get all this stuff”, and I think it’s fair to say that no matter what they do, VTech has a lot to answer for.

Amazon Passwords Could Have Been Leaked

It’s that time of the year again, when everyone goes crazy and starts buying ready for all the events and gift giving to come over the next few months (some even preparing so much as to get some ordered for next year). Black Friday, one of the busiest shopping days of the year, is upon us, and with it a lot of people are looking and watching online stores, waiting for that juicy one-time deal they could quickly scoop up before it all goes. To no surprise, Amazon is one of these online stores, so what does it mean when people start receiving emails asking them to change their passwords? That’s right, another potential breach.

As reported by ZDNet, a selection of their readers received emails asking them to reset their password (the email was also sent via Amazon’s message centre, confirming that it came from a legitimate source). The reason given was that your password could have been stored on your device or transmitted in a way that exposed it to third parties.

Amazon continued to state they had corrected the issue, but that temporary passwords were being issued as a sign of caution.

Given recent hacks and breaches, it’s not surprising that Amazon is erring on the side of caution when it comes to people’s accounts, especially around this time of year.

TalkTalk Warned of Possible Data Breach in 2013

The data breach of TalkTalk customer information raised a number of serious questions about the company’s security and encryption measures. Embarrassingly, it appears to be the work of a 15-year-old boy, and customers are livid as new information suggests the poor security was known as early as 2013! According to The Guardian, TalkTalk’s chief executive’s office was warned of a data breach in July 2013.

One customer, Keith Aldridge, subscribed to TalkTalk’s phone and broadband service in 2013, and lost £110 as part of a data scam. He said:

“The fraudsters called me on my brand new landline, on a new number that I had been given as part of the switch. It was so new that I had only passed it on to two family members, and yet the fraudsters had that number – and knew all about the technical problems I had had,”

“In my view the company did not address it in anything approaching an adequate manner. Perhaps if they had done so there might not have been these newer issues,” 

The scammer contacted Aldridge’s new TalkTalk landline and pretended to be from the company. It’s pretty startling how quickly his details were accessed by a fraudulent individual, but this wasn’t taken seriously by TalkTalk’s management. They didn’t deem it to be a credible risk and drastically underestimated the scale of their network security flaws. Now we are beginning to hear about past mistakes, it doesn’t help TalkTalk’s reputation and makes them appear pretty reckless.

TalkTalk Hackers Only Accessed a Small Percentage of Data

Since the cyber attack on Internet Service Provider (ISP) TalkTalk on October 21st, it has been revealed that the hacker(s) were only able to access 4% of sensitive customer details. I say “only” loosely, as even a single customer’s details being revealed is bad enough.

The BBC has reported that 156,959 customers had personal data accessed, of which 43,656 had payment details accessed, but approximately 28,000 credit and debit card details were obscured beyond use to any hacker for financial transactions.

TalkTalk has already contacted a large number of affected customers, and the remaining customers will be contacted “within the coming days”. The firm and other data security firms have advised all customers to keep monitoring both their email and bank accounts for any suspicious activity, and to report it to their bank, TalkTalk and, in extreme cases, the police.

Take a look at this video shared by the BBC Twitter account of a scammer trying to con a customer. Most banks will have been informed to monitor customers’ accounts themselves, but you could take extra measures such as taking out one of the credit-freezing subscriptions offered by Expedia, which will not only freeze your credit score but also inform you of fraudulent activity.

Has the hack impacted you or someone you know? Let us know what security measures have been taken in the comments.

Anonymous to Start OpKKK

The internet is a place where lots can happen. People can have their details exposed, like those that were taken in the latest breaches at TalkTalk, or they could have them misused in SWATings. Some people believe, though, that this means that not only can the internet be misused, it can also be used for good, to represent and defend the common people. One such group is Anonymous.

Famous for their operations against governments and controversial groups, Anonymous are already acting on their next operation, titled Operation KKK. It is designed to target the Ku Klux Klan, who are listed as a hate group by the Anti-Defamation League and are said to have anywhere between 5,000 and 8,000 members. Anonymous wants to unmask around 1,000 of these in the next phase of their operation, an action called Hoods Off, on November 5th.

Not one to shy away from the public, Anonymous have been updating their Twitter, reporting already that many sites related to the KKK have been taken offline, and that more will follow.

A hacker going by the name of Amped Attacks has already helped out with this by taking down the Westboro Baptist Church’s website as well as several KKK websites. In doing so they have apparently also gained access to a list of identifying information for a range of people including Mayors and Senators.

Microsoft Outlook Web App Vulnerable to Password Hacking via “Backdoor”

Typical Microsoft: the tech giant has more backdoors than Disneyland and Disney World put together. The latest vulnerability that has been unearthed by researchers is a pretty serious breach and allows an attacker the option to steal e-mail authentication credentials from major organisations.

So what is it this time? The Microsoft Outlook Web Application, or OWA, in question is an Internet-facing webmail server that is deployed within private companies and organisations to provide internal emailing capabilities. Research and subsequent analyses undertaken by security firm “Cybereason” have discovered a backdoor of sorts in the form of a suspicious DLL file. This file was found to be loaded into the company’s OWA server with the aim of siphoning decrypted HTTPS requests.

The clever part of this attack is the innocuous nature of deployment in the form of the file name that was the same as another legitimate file; the only difference was the attack file was unsigned and loaded from another directory. According to Cybereason, the attacker (whoever it might be, mentioning no names) replaced the OWAAUTH.dll file that is used by OWA as part of the authentication mechanism with one that contained a dangerous backdoor.

Thus, this allowed attackers to harvest login information in plain, decrypted text. Even more worrying is the discovery of more than “11,000 username and password combinations in a log.txt file in the server’s “C:\” partition. The Log.txt file is believed to have been used by attackers to store all logged data”.

The attackers ensured the backdoor could not simply be removed by registering an IIS filter (a filter in Microsoft’s web server) that loaded the malicious OWAAUTH.dll file every time the server was restarted.
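The three indicators described above (an unsigned OWAAUTH.dll loaded from an unexpected directory, a credential log in the root of C:\, and an IIS filter or module used for persistence) are all things an administrator can check for on the server itself. The script below is an added example written for this article; it is not Cybereason’s or Microsoft’s code. It assumes it is run in an elevated PowerShell session on the OWA server with IIS’s WebAdministration module installed, and the path in $ExpectedDir is a placeholder that must be replaced with the directory where the legitimate OWAAUTH.dll ships on that installation.

```powershell
# Added defender check for the OWA backdoor indicators described above.
# Not Cybereason's or Microsoft's code. Assumptions:
#   - run elevated on the Exchange/OWA server (reading w3wp modules needs admin)
#   - the WebAdministration module (ships with IIS) is available
#   - $ExpectedDir is a PLACEHOLDER; set it to the real directory of the vendor DLL
$ExpectedDir = 'C:\PLACEHOLDER\Exchange\OWA\bin'

Write-Host "== OWAAUTH.dll copies on disk: signature status and location =="
# A vendor-shipped DLL should be Authenticode-signed ('Valid') and live in $ExpectedDir.
# An unsigned copy, or one in another directory, matches the attack described in the article.
Get-ChildItem -Path 'C:\' -Filter 'OWAAUTH.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path        = $_.FullName
            Signature   = $sig.Status                       # Valid / NotSigned / HashMismatch ...
            Signer      = $sig.SignerCertificate.Subject     # $null when unsigned
            InExpected  = ($_.DirectoryName -ieq $ExpectedDir)
            Bytes       = $_.Length
            LastWrite   = $_.LastWriteTime
        }
    } | Format-Table -AutoSize

Write-Host "== OWAAUTH.dll actually loaded into IIS worker processes =="
# What is on disk matters less than what w3wp.exe has mapped; compare LoadedFrom with $ExpectedDir.
Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $proc.Modules | Where-Object { $_.ModuleName -ieq 'OWAAUTH.dll' } | ForEach-Object {
        [pscustomobject]@{
            PID        = $proc.Id
            LoadedFrom = $_.FileName
            InExpected = ((Split-Path $_.FileName -Parent) -ieq $ExpectedDir)
        }
    }
} | Format-Table -AutoSize

Write-Host "== IIS global modules and ISAPI filters (persistence check) =="
# Persistence in the article came from an IIS filter; review every image path listed here
# and treat anything outside the Exchange/IIS install directories as suspect.
Import-Module WebAdministration -ErrorAction Stop
Get-WebGlobalModule | Select-Object Name, Image | Format-Table -AutoSize
Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' -PSPath 'MACHINE/WEBROOT/APPHOST' |
    Select-Object Name, Path | Format-Table -AutoSize

Write-Host "== Credential dump in the root of the system partition =="
# The article reports harvested logins being written to C:\log.txt; its presence is a strong indicator.
Get-ChildItem -Path 'C:\log.txt' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Each section prints a table rather than raising an alarm on its own, because the right baseline (which directory is expected, which modules are normal for this IIS instance) differs between installations; the point is to compare the on-disk copy, the copy actually mapped into w3wp.exe, and the registered IIS filters against that baseline.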

Indeed, yep, same old same old then; breaches of passwords are worryingly common in the digital age, and there needs to be a radical rethink of security infrastructure. I do feel companies are using tech as a cheaper alternative without investing in system protection or even real-time analysis; servers and communication lines are being ignored to the point whereby attackers have free rein over such systems. I wonder as I write this as to what else is being siphoned to individuals and attackers; if I see next the formula for Coke in China’s own-brand cola, then it will make sense.

Thank you cybereason for providing us with this information.

Image courtesy of thehackernews

Global Nuclear Facilities at Greater Risk of a Cyber Breach than Previously Thought

We all know various connected infrastructure defences are vulnerable; these include recent attacks on high-profile websites and also communication arms of governments and well-known individuals. Technically anything can be hacked and therefore robust implementations need to be focused on securing data within organizations. Nuclear facilities are one such example and a new report warns of an increasing threat of a cyber attack that focuses on these plants.

The report by the influential Chatham House think tank studied cyber defences in power plants from around the world over an 18-month period; its conclusions are that “The civil nuclear infrastructure in most nations is not well prepared to defend against such attacks”. It pinpoints “insecure designs” within the control systems as one of the reasons for a possible future breach, the cause of this is most likely the age of the facilities and the need for modernization.

The report also disproves the myth that nuclear facilities are immune from attacks because they are disconnected from the Internet. It said that the “air gap” between the public internet and nuclear systems was easy to breach with “nothing more than a flash drive”. Great, in theory that little USB drive could cause a nuclear holocaust. The report noted that the infection of Iran’s facilities was down to the Stuxnet virus, which used exactly this route.

The researchers for the report had also found evidence of virtual networks and other “links to the public internet on nuclear infrastructure networks. Some of these were forgotten or simply unknown to those in charge of these organisations”.

The report also found that search engines which seek out internet-connected critical infrastructure had “indexed these links”, making it easy for attackers to find ways into networks and control systems.

This report has cheered me right up. It is noted that nuclear facilities are stress tested to withstand a variety of long-standing scenarios, though there does need to be a better understanding from staff in charge of the infrastructure in order to limit any potential damage a breach could inflict. The industry needs to adapt; gone are the days of one or two experts who could hack into a system. From state-sponsored cyber attacks to a teenager in their bedroom, the knowledge base is growing day by day and many companies are paying the price for poor security.

Let’s hope it’s not a nuclear power plant.

Thank you bbc for providing us with this information.

Image courtesy of zeenews

Millions of T-Mobile Customer Records Stolen In Data Hack

If I had a £1/$1 every time a company was hacked and private details of consumers were leaked to a third-party, I would be now looking at a brochure for mansions. The latest victim is mobile communications company T-Mobile, who have fallen victim to a data breach.

An estimated 15 million T-Mobile customer records have been stolen after hackers attacked Experian, the company responsible for processing consumer credit applications for the mobile company. Experian says the attackers had “access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015”. Below are the details that Experian believe have been stolen from consumers in the hack:

  • Name
  • Address
  • Social Security Number
  • Date Of Birth
  • Driver’s licence
  • Passport Number
  • Military ID Number
  • Any Other T-Mobile Credit assessment details

According to Experian, no “Payment Card or Banking Information” was obtained; the breach was discovered on the 15th September 2015. Over at T-Mobile, CEO John Legere stated that he was “incredibly angry about this data breach and T-Mobile will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously”.

In these situations a consumer can feel powerless: no matter how careful they are at their end, they may still find personal and very sensitive details leaked to a third party. Companies need to fully prioritize and secure customers’ data, otherwise many more incidents of this nature will be just around the corner. If Hollywood ever attempted to produce a film concerning the many breaches, it would have a plot akin to Groundhog Day.

Thank you experian and t-mobile and nextweb for providing us with this information.

Original Image courtesy of droid

Ashley Madison Hackers Leaving Behind Footprints

Hacking has been big news in recent years, with everyone from Sony to Apple having breaches and personal information released. The latest in this long stream of hacks is a website titled Ashley Madison. In case you aren’t familiar with this website, here is what’s happened so far. Ashley Madison is a site designed for people to search for companions, no matter what their marital status. This has resulted in it being popular among those who are unfaithful to their partners, a problem for many given that to leave the site you are required to pay a £15 fee. Apparently in protest at this, the site was hacked, and the stolen information has since been released on the internet. Now for the fun parts.

In contrast to the initial “moral” stance taken, in which many suspected the hacked data was made public in order to force people to be faithful and honest with their partners and in protest at the leaving fee, it would appear that this data is now being used by criminals to extort the people whose data was exposed online, demanding roughly 1.0000001 bitcoins (£147.28) from each person under threat of having their information revealed to their significant others.

All is not lost, as a file containing the emails of Ashley Madison’s CEO was left on an unprotected bittorrent server for hours. Because the web management interface of the file-sharing software was neither password protected nor disabled, people were able to access and change the server configuration, and if it turns out that this was the original torrent server used to upload the files, it could be possible to track down the IP addresses of connecting users and find out who initially uploaded the files.

Hacks are appearing every day now and it would seem that people are using these to their own benefits, turning one crime into hundreds.

Thank you Neowin and Ars Technica for the information. 

Image courtesy of Ashley Madison.

SSL Bug Lets People Impersonate Anyone

So you’re browsing online, through Facebook, Ebay and even your bank and you notice that padlock at the start of your address bar. You see that symbol and you think, that means I’m secure. I’m safe and I can browse and send information without a worry. Seems like that might be a mistake according to a new bug report.

SSL is the system by which websites can be verified; this means you can be certain that the website you’re sending information to is actually the website you want and not someone pretending to be it. It also means that a standard of encryption is used when communicating information across the web. OpenSSL is a library used by a variety of websites to offer some security and reassurance to their users, and sadly it is publicly available, meaning that users are free to view and edit the code as they see fit.

From the change log that’s available, it appears that the code responsible for the problem was added all the way back in January; however, it was only released in the publicly used version last month. With this problem, it would be possible for fake websites to “appear” as if they were the legitimate version, and due to how the system works, fake websites would also be able to provide “certificates” for other websites.

While it was in the public version, it didn’t make its way into the mainstream versions used by a lot of people, meaning that it has since been removed and the damage limited (if there is any at all). This is in contrast to the Heartbleed bug, which resided in OpenSSL for almost two whole years before being discovered.

Thank you ArsTechnica for the information.

Image courtesy of the BBC.

White House Orders New Measures to Combat Breaches In Digital Security

Earlier we mentioned how the OPM (Office of Personnel Management) in the US found it had been hacked with thousands of records accessed, including those relating to background checks for security clearances, something which, if true, leaves their employees open to blackmail and a whole host of actions that are unpleasant and unwanted by the government.

The White House has now taken action, directing all agencies to take a series of steps in order to prevent and detect any unwanted access into their networks. Tony Scott, U.S. Chief Information Officer, has launched what is being called a 30-day cyber security sprint.

The emergency measures listed include:

  • Patching “critical-level” software holes “without delay”
  • Tightening security and access restrictions for “privileged users”, including cutting the number of users with this level of access and monitoring their use of the systems for suspicious behavior
  • Increasing the use of two-factor authentication, where a user is asked to confirm their login attempt, normally by receiving a text or phone call with a code in it

According to the released information, agencies have to report on their progress and any problems implementing these steps within the next 30 days. With a “Cybersecurity Sprint Team” task force being deployed to lead the month-long review and analysis of the US’s digital defenses, many organizations could find their technology changing.

While the actions are greatly appreciated, if the documents have been copied or accessed, a lot of personal information has been released to people who may use it for harm. Here’s hoping they don’t and that the government has stepped up their security because of this revelation.

Thank you NextGov for the information.

Image courtesy of NMINews.

OPM Hack Believed To Be Worse Than First Revealed

Publicly exposed hacks are almost an everyday occurrence in modern times, with everything from cloud storage hacks revealing personal pictures to big-name security software companies being hacked. These can be anywhere from personally and professionally devastating to something on a whole new level, such as the hack that took place on the Office of Personnel Management (OPM) in America.

The Office of Personnel Management is basically the human resources division for the American government, and when the government first addressed the breach it stated that details for approximately four million people were exposed, including dates of birth, addresses and social security numbers.

The problem is, it may be a lot worse. SF-86 forms are used to conduct background checks for security clearance, and like you would expect on these forms they contain a whole spread of sensitive information, not only about the applicant but also their family and friends. This means the level of information revealed, accessed and possibly copied in the breach could be a lot worse than first admitted.

Initial reports stated that EINSTEIN, the government’s intrusion detection software, detected the breach. According to the Wall Street Journal today, however, it would seem that the breach was actually discovered during a sales demonstration by a company looking to show off its forensics product. So not only was the breach undersold to the public, but it looks like the government’s detection software was beaten by a sales presentation.

If the new reports are true, everything from a person’s family members’ names and addresses to medical details could be in the hands of the very people they are meant to be protected from. This could be the start of a very painful message that governments need to work harder to protect the people they serve, both offline and online.

Thank you Wall Street Journal and Wired for the information.

Image courtesy of PCWorld.

Data Breach: The Sure Fast Way to Become a Retail Pariah

“18.5M Californians lose data to hackers”

Shocking weekly headlines such as this illustrate the growing problem of major data breaches at multinational enterprises and have both consumers and operators crying foul. In fact, these large data breaches have spawned a 600 percent increase in the number of California customer records violated in cyber-attacks in 2014 according to the California Data Breach Report from state Attorney General Kamala Harris. Moreover, the average cost to investigate and deal with a data breach is $5.9 million, according to the 2014 Cost of Data Breach Study published by the Ponemon Institute and funded by IBM.

The unfortunate consequence of the data breach phenomenon is it not only affects large multinational enterprises but all in-store and online retail business engaging in point of sale transactions. Ultimately, your business is vulnerable as your valuable customers are losing confidence in the security of point of sale transactions.  After all, a primary concern raised by these data breaches is risk to consumer financial health. Data security and customer trust are inseparably linked. Once data security is compromised, your customer will no longer trust your company. Gartner Group statistics tell us that 80 percent of your company’s future revenue will come from just 20 percent of your existing customers. Never underestimate the value of retention. Customer retention is the lifeblood of your business. Indeed, to retain customers you must gain and keep their trust with an ironclad point of sale system.

“FCC Slaps Telcos With $10M Fine for Data Breaches” 

This recent headline illustrates that the cost of a data breach to your business is not only qualitative in nature but quantitative. The United States Federal Communications Commission (FCC) fines for violations of the Communications Act can run into the tens of millions of dollars for those operators who do not properly secure customer information such as customer names, Social Security numbers, and addresses. The bottom line is that if you fail to protect your customer data, the U.S. government can hold you liable and you will have to pay up.

What Can You Do To Mitigate a Data Breach?

Proper security measures to secure customer information must be in place to protect the confidentiality of the consumer information you have on file. It is imperative to honor the trust of your customers and protect them from harm caused by violations of the Communications Act.

Whether point of sale providers or hackers are to blame, as an operator you are the bridge between your customer information and the point of sale provider. The simple fact is not whether you should shore up your consumer data, but when. According to techhealthperspectives.com, you must ask your point of sale provider how secure your customer data is. Additional questions should be asked, such as: Is it stored on publicly accessible Internet servers? Do they have a current risk assessment model in place to determine whether your investment in data security is up to par? Can they help you improve your audit controls and conduct breach drills?

Data security is usually reactive in nature. However, it is imperative for you to be proactive, reduce the threat and ultimately prevent a data breach. The use of a reputable expert such as Shopify can shore up your customer data and assist you with rapid and continuous defense against cyber-attacks to save your business from the monetary and reputational damage of a data breach. Reputable online point of sale providers should host a Payment Card Industry Security Standard (PCI) compliant shopping cart. Moreover, to streamline your operations, you will want to look for a complete eCommerce solution which will help you organize your products, customize your storefront, track and respond to orders, and of course accept credit card payments.

If you currently find yourself in a situation where your customer data has been breached, until Congress passes a data breach notification law, you will be required to traverse the complex maze of 47 state requirements. A guide to assist you with state laws on data breach notifications has been released by the Direct Marketing Association and is available at thedma.org.

It’s never too late to secure your customer data. Protect your business and provide your customers with confidence in the security of your point of sale transactions. After all, once data security is compromised, your customer will no longer trust your company. In summary, to retain customers you must gain and keep their trust with an ironclad point of sale system. What can you do to avoid a data breach? Assess your current point of sale provider and determine if they are Payment Card Industry Security Standard (PCI) compliant. Be bold and take a stand for your business and your customers against hackers. Ask your point of sale provider what steps you need to take to avoid becoming the latest weekly headline as a data breach retail pariah.