Data on Thousands of Children Exposed in VTech Hack

It has come to light that earlier this month, popular children’s computer company VTech was the victim of an attack by an unnamed hacker. The hacker was able to gain access to around 5 million users’ credentials, including the 200,000 children whose data was stored by VTech’s Learning Lodge online service.

The leaked credentials may include details such as users’ names, email addresses and home addresses. Also included in the leak were the users’ security questions and answers, meaning that cracking the users’ passwords would not be necessary to compromise accounts, and if the same password reset information was used on another site, those accounts would also be vulnerable. The scariest part is that the details of the children recorded by VTech included their names, birth dates and genders and could be used to link them to their parents’ accounts, providing those with sinister motives access to the locations of countless children. According to the site Have I Been Pwned, a reputable repository of data breaches, this breach is the fourth largest leak of consumer data to date.

Thankfully, in an interview with Motherboard, the hacker, when asked what he intended to do with the data, replied “nothing”. While he intends to do nothing with it, he warned that others may have extracted data from the site before him, due to the ease of attack. The technique used to break into the site was an SQL injection, an old and simple way of attacking vulnerable websites, typically executed by inputting malicious code into the forms on a website to manipulate it into performing an attacker’s desired operations. After using this to gain full access to the systems and databases, the attacker had free access to all of the data within.
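The sketch below is an added example, not code from VTech or from the original article. It contrasts a form lookup that builds its SQL by string concatenation with a parameterized one, and stores security answers as salted hashes rather than readable text. The table, rows, function names and the crafted input are all constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema and rows for illustration only; not VTech's real database.
SAMPLE_PARENTS = [
    ("alice@example.com", "Alice", "rex"),
    ("bob@example.com", "Bob", "springfield"),
]


def hash_answer(answer, salt):
    """Stretch a normalised security answer so the stored value is not the answer."""
    normalised = answer.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 200_000)


def build_db():
    """Create an in-memory database holding the constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE parents (email TEXT PRIMARY KEY, name TEXT, "
        "answer_salt BLOB, answer_hash BLOB)"
    )
    for email, name, answer in SAMPLE_PARENTS:
        salt = os.urandom(16)
        db.execute(
            "INSERT INTO parents VALUES (?, ?, ?, ?)",
            (email, name, salt, hash_answer(answer, salt)),
        )
    return db


def lookup_vulnerable(db, email):
    # Weak pattern: the form value is pasted into the SQL text, so a quote
    # character in the input ends the string literal and the remainder is
    # parsed as part of the query.
    query = "SELECT email, name FROM parents WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, email):
    # Hardened pattern: the value is bound as a parameter and is only ever
    # compared as data, whatever characters it contains.
    return db.execute(
        "SELECT email, name FROM parents WHERE email = ?", (email,)
    ).fetchall()


def check_answer(db, email, answer):
    """Verify a security answer against its salted hash in constant time."""
    row = db.execute(
        "SELECT answer_salt, answer_hash FROM parents WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_answer(answer, salt), stored)


# Constructed form input containing a quote character.
CRAFTED_INPUT = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("concatenated query returns:", lookup_vulnerable(db, CRAFTED_INPUT))
    print("parameterized query returns:", lookup_parameterized(db, CRAFTED_INPUT))
    print("answer check:", check_answer(db, "alice@example.com", " Rex "))
```

With the concatenated query, the crafted value returns every row in the table; with the bound parameter it matches nothing, and a dump of the table yields salted hashes instead of reusable security answers.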

VTech has responded to the breach by promising to “look at additional ways to strengthen our Learning Lodge database security.” However, this may not be enough. Following the attack, security expert Troy Hunt, as well as examining the data to assess the extent of the leak, went on to do a cursory security review of VTech’s Learning Lodge site. He warned that the lack of encryption anywhere on the site, together with the tendency of the site’s databases and APIs to leak data, meant that there didn’t even need to be a data breach for user information to be at risk.

If you are a user of the Learning Lodge site and wish to enquire further with VTech, they have set up a series of email accounts to handle enquiries, which can be found here.

It should be considered fortunate that the perpetrator of this attack was willing to bring the breach to light and has no ill intentions for the data acquired. However, it is still unacceptable for a company that handles data, especially on vulnerable parties such as children, to engage in such poor security practice.

EA Denies Data Breach After User Details Leak to Pastebin

Electronic Arts has denied that it has suffered a data breach following user account details being leaked and briefly posted to Pastebin. According to EA, its servers have not been compromised in any way, but it will still assess the leaked data to determine if it is genuine, and secure any at-risk accounts, probably in the form of a password reset.

EA’s statement reads:

“Privacy and security is our top priority at EA. At this point, we have no indication that this list was obtained through an intrusion of our account databases. In an abundance of caution, we’re taking steps to secure any account that has an EA or Origin user ID that matches the usernames on this list. As always, we encourage all players to safeguard their account credentials and use unique usernames and passwords on all online accounts.”

Security website CSO, which discovered the leak, notes that only a handful of the details for EA and Origin appeared to be valid, which suggests that the information posted to Pastebin could be outdated. While username, password, e-mail address, and purchased games were listed for many accounts, a high number had missing or corrupted information.

EA did suffer a confirmed server breach last year, which compromised over 40,000 EA forum accounts. The game publisher only admitted to the breach after a whistleblower revealed it first.

Stolen User Data Sells for as Little as $1 on the Dark Web

Online data breaches and stolen user details are becoming a sad reality of life on the internet. Whether it’s the infamous Ashley Madison hack or a phishing attack, it’s tough to stop your information from falling into the wrong hands. You might be surprised, however, how much your personal data is worth. According to a new report from Trend Micro, entitled “Understanding Data Breaches”, user data is being sold for as little as one dollar on the dark web.

Trend Micro also found, thanks to the Privacy Rights Clearinghouse Data Breaches database, that only 25% of data breaches between 2005 and 2015 were due to online hacks. The most common breaches are inside jobs, committed by employees of a company, as well as device skimming and physical theft of laptops, flash drives, and mobile devices.

Credit and debit card details are still being most effectively gathered via skimmers or cameras connected to an ATM or point-of-sale terminals, or by hardware keyloggers on cash registers, rather than by online methods.

Much of this stolen data is then sold on through the dark web, with bank details fetching up to $500 per account, PayPal and eBay accounts going for around $300, while US mobile accounts can go for as little as $14. Personally identifiable information (PII) – name, address, date of birth, and social security/national insurance number – sells for $1 per line, which means that the tiny sum of $4 can effectively buy a person’s identity. Bump that fee up to $25, and a full credit report on that person is yours.

Thank you ZDNet for providing us with this information.


Three Spammers Accused of Largest Data Breach in History

The US Department of Justice has charged three men with what could be the biggest data breach in the history of the internet. The three spammers are accused of stealing billions of e-mail addresses from the databases of e-mail service providers. Two of the men, Giang Hoang Vu and Viet Quoc Nguyen, are Vietnamese citizens residing in the Netherlands, while the third, David-Manuel Santos Da Silva, is Canadian.

A statement from Assistant Attorney General Caldwell read: “These men… are accused of carrying out the largest data breach of names and email addresses in the history of the Internet. The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers.”

The three men targeted the largest e-mail providers in the world, including Gmail, Yahoo! Mail, and Hotmail. Considering the scope of the operation and the volume of addresses accrued, it is quite likely that someone reading this has had their e-mail address stolen by these spammers. Only addresses were gathered, though: no passwords were compromised during the data breach.

Santos Da Silva is alleged to have laundered money that Hoang Vu and Quoc Nguyen earned through their spamming through his website. Da Silva and Hoang Vu have been arrested, but Quoc Nguyen remains at large. Hoang Vu has pleaded guilty to computer fraud.

Source: Cyber Kendra

Retailers Must Invest in New Security Procedures, or Major Breaches Could Accelerate

Companies struggle greatly to keep their networks safe, including ensuring employee and customer data remains secure. Major retailers are suffering data breaches that often lead to customer debit and credit card data being stolen by hackers.

Popular retailer Target was compromised late last year and 40 million customers were affected – and the company has reportedly spent more than $145 million in expenses stemming from the incident. Target’s sales temporarily dropped, customers were wary of continuing to shop there, and it has been an overall public relations nightmare.

Home Depot recently confirmed a breach with up to 56 million potentially affected customers, with some stolen data posted in online cybercriminal forums.  It’s too early to tell what type of financial damage the company will suffer, but Home Depot will deal with the same type of backlash Target did.

Here is what Joe Caruso, Global Digital Forensics CEO, noted:

“Most people tend to focus on how many credit card numbers were stolen, almost like it’s a way to score a game… but the numbers that should really be seeing the spotlight more are the ones that put dollar signs to the costly aftermath of a successful breach.”

Companies sometimes fail to even install antivirus and anti-malware technology, and then forget to conduct vulnerability assessments.  GDF recommends that companies be aware of what threat vectors could cause them the most problems, along with identifying weak links in the security chain.

Thank you to Global Digital Forensics for providing us with this information


UK National Crime Agency Disrupts ‘Shylock’ Malware

Distribution of the “Shylock” malware has been disrupted by the UK National Crime Agency (NCA), in an effort to prevent a growing number of users from being compromised.

The Shylock malware reportedly infected more than 30,000 PCs across the world, with a specific focus on targeting bank accounts of UK residents.  Shylock, which included Shakespeare’s The Merchant of Venice passages hidden within its code, targeted PCs running Microsoft Windows.

The NCA confiscated servers responsible for distributing the malware, which was able to steal banking login credentials. Shylock could also capture data entered on select websites, and then upload it back to its home servers.

Here is what Andy Archibald, NCA’s National Cyber Crime Unit deputy director, said in a statement announcing the police operation:

“This phase of activity is intended to have a significant effect on the Shylock infrastructure and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime impacting the UK.  We continue to urge everybody to ensure their operating systems and security software are up to date.”

At the very least, security experts recommend users update their PCs and mobile OSes with the latest security updates, along with running anti-virus and anti-malware software.  Also, end-users need to be aware of clever phishing attacks using social engineering to trick them into clicking fraudulent links or downloading malicious programs.

Thank you to The Guardian for providing us with this information


Cybersecurity Insider Threats Dangerous and Difficult to Defend Against

Cybersecurity experts are finding it difficult to keep hackers out of their networks, but the risk of insider threats continues to cause headaches.  It’s a troubling epidemic because most system and network security systems are designed to keep outsiders from breaching current infrastructure.

To make matters worse, 75 percent of insider crimes are underreported and don’t typically lead to prosecution – troubling, given that insider threats normally cost more to combat, according to a US State of Cybercrime study published earlier in the year.

There will be a major effort to try to limit insider threats, with better monitoring services to track what is being accessed.

Here is what Ron Ross, National Institute of Standards and Technology information risk management leader, said in “Security Agenda”:

“We talk about the geeks inheriting the world.  You got the system admins sitting on top of a treasure trove of gigabytes of classified information and they really have a lot of power out there.  And, it’s going to be really important that we take extraordinary measures where those assets are very critical to make sure one person can’t bring down the entire organization.”

The risk of insider threats is more prominent for governments, financial institutions, and critical infrastructure, security researchers say.  Stolen information is highly valuable on the black market, with cybercriminals interested in selling and trading data.

Thank you to the Information Security Media Group for providing us with information


UK Government Partners With Open University to Teach Cybersecurity Defense

The UK government has partnered with the Open University and plans to launch a cybersecurity course that will open up classes for future candidates.  The multi-year program will hopefully develop students interested in technology to focus on security, which will help boost UK defenses from foreign attack.

As western governments try to wrap their heads around growing cyberthreats, there is a shortage of skilled security specialists.  Unfortunately, it has proven to be a difficult and expensive process, while data breaches and cyberattacks continue to be successful.

Here is what Natalie Black, Cabinet Office deputy director of Cyber Defence and Incident Management, said:

“A key tenet of the national cybersecurity strategy is developing the cybersecurity skills we need to keep the UK safe and to do that we have to work together, we have to work through industry and academia.  It goes without saying that the government takes cybersecurity incredibly seriously and we’re investing £860m over the course of five years.”

The United States government wants to recruit cybersecurity specialists for the military – but has struggled to find qualified candidates – especially compared to private sector companies willing to open up their checkbooks.  There are similar efforts to partner with universities and private sector companies to help boost education to create future cybersecurity specialists.

Thank you to The Inquirer for providing us with this information


U.S Department of Public Health Exposes 1.3 Million Records In Data Breach

A new report suggests that hackers managed to access an American government server for the Department of Public Health and Human Services (DPHHS) in Montana. The data breach means that the sensitive personal data of 1.3 million individuals was exposed to the hackers. The details that were accessed included names, addresses, dates of birth, and Social Security numbers. Furthermore, there was information relating to health assessments, diagnoses, treatment, health condition, prescriptions, and insurance of certain individuals.

The initial findings suggest that it isn’t possible to determine if data was directly removed from the server but a breach did occur. The server was shut down a week after an investigation into suspicious activity started. Officials from the government of Montana have stated that all affected parties will be notified of the breach and offered credit monitoring and identity protection insurance in order to contain the damage. The security of the DPHHS servers has now been upgraded but it is clearly too little, too late for those affected by it.

Source: Softpedia


McAfee Says Mobile Malware Threats on the Rise in 2014

Cybercriminals are finding great success using mobile malware to compromise features and vulnerabilities of legitimate apps and services, according to the McAfee Labs Threats Report: June 2014.

Much of the attention focuses on the Google Android mobile operating system, but Apple iOS users are vulnerable to malware and other sophisticated attacks, too.

In addition, there is a growing number of mobile malware threats that target the trusted apps and services users grant permissions to on smartphones and devices. Threats such as Android/BadInst.A, Android/Waller.A, and Android/Balloonpopper.A are increasingly common and can do everything from money transfers to accessing app stores.

Here is what Vincent Weafer, McAfee Labs Senior VP, said in a press statement:

“We tend to trust the names we know on the Internet and risk compromising our safety if it means gaining what we most desire.  The year 2014 has already given us ample evidence that mobile malware developers are playing on these inclinations to manipulate the familiar, legitimate features in the mobile apps and services we recognize and trust.  Developers must become more vigilant with the controls they build into these apps, and users must be more mindful of what permissions they grant.”

McAfee’s “zoo” of mobile malware samples increased a whopping 167 percent year-over-year, with suspicious URLs also rising 19 percent – more than 18 million – during Q1 2014.

Mobile users should run some type of anti-virus software on mobile devices, though security researchers recommend also installing an anti-malware solution.

Thank you to McAfee for providing us with this information


Companies Struggle to Defend Against Growing Surge of Cyberattacks

Sophisticated cyberattacks are giving security experts around the world complete fits, indicating how serious the problem continues to be. Custom-created malware and cyberattack strategies are easily found online and used to exploit unsuspecting users on a frequent basis.

Most recently, Domino’s Pizza restaurants in Belgium and France suffered cyberattacks, in which hackers stole customer data. Around 650,000 customer records were affected by the breach, and the hackers demanded a ransom payment, threatening to post the information online otherwise.

Although some companies are stepping up to embrace modern security platforms, the amount of data stored without password-protection and encryption is staggering. A data breach can be costly for companies, but many executives would rather ignore the problem, roll the dice, and hope they aren’t targeted.

If nothing else, it’s clear that companies are struggling in their effort to keep customer and employee data secure from data theft. Once information is stolen and made available on the underground market, it can be hours – or months – before bulk records are sold or traded.

Credit card data, for example, must be distributed quickly, as customers will alert banks to flag stolen data. However, companies that either don’t inform users of a data breach, or are unaware they have been compromised, give cybercriminals better opportunity to get rid of the information at their own leisure.

Thank you Fierce CIO for providing us with this information

GCHQ Wants to Share Cyber Threat Analysis With Private Companies

The GCHQ intelligence agency plans to become more proactive in its fight against cyberattacks, sharing cyber threat intelligence information with private companies. It’s a unique turn of events following former NSA contractor Edward Snowden’s snooping disclosures, which also accused the GCHQ of organized surveillance activities.

To bolster support for the initiative, Cabinet Office minister Francis Maude mentioned how a “state-sponsored” criminal group accessed an account on an intranet government secure network.

Here is what GCHQ said in a statement:

“GCHQ will commit to sharing its classified cyber threat information at scale and pace to help communications service providers protect their customers; starting with suppliers to government networks and then moving on the other sectors of critical national infrastructure.”

The GCHQ hopes to help companies become the first line of security defense against sophisticated cyberattacks – a growing problem, as cybercriminals are becoming increasingly sophisticated when launching attacks. Compromised stolen data is worth big bucks on the underground market, with bulk records from data breaches available for sale.

The UK has seen an uptick of organized attacks from China and Russia, in an effort to steal intellectual property and gain a competitive advantage, which officials are keen to defend.

Thank you to the Engineering and Technology Magazine for providing us with this information


‘Human Error’ to Blame For 95 Percent of Data Breaches in 2013

Organizations can implement next-generation cybersecurity technologies, but 95 percent of security issues in 2013 were caused by “human error,” according to the IBM Security Services 2014 Cyber Security Intelligence Index.

Companies are struggling to keep employee and customer data secure, and cybercriminals are exploiting these weaknesses. A major retailer with millions of leaked credit and debit card records could face upwards of £59 million in direct costs, which also include government fines.

Using custom malware is a popular technique, but phishing attacks are an easy way for criminals to compromise data. Here is what Nick Bradley, IBM Threat Research Group practice lead, said in a recent interview with SC Magazine:

“Protecting yourself or a company from a phishing attack is obviously not an easy task.  If it were, phishing would not be as successful as it is.  User education is a powerful tool… teach your employees that they should not provide personal information to unfamiliar requesters.”

The United States and Germany suffered the highest total average cost following a data breach, while Brazil and India have the lowest total average cost.  In 2013 alone, more than 500 million records of personal information were stolen by criminals, with the information sold online.

In addition to companies, colleges and universities that suffer 40,000 or more record losses might lose up to £3.2 million.

Thank you SC Magazine for providing us with this information

Domino’s Pizza Europe Hacked, Criminals Demand Ransom Payment

Domino’s Pizza customers in Belgium and France have been compromised, with more than 600,000 customers affected, and a cash ransom demand issued to the company.  The Rex Mundi hacker group wants £23,890 payment or the stolen information will begin to leak online.

More than 58,000 records were stolen from Domino’s Belgium, with 592,000 customer records stolen from France.  The data taken includes names, email addresses, passwords, and phone numbers, according to Domino’s – company officials said the ransom will not be paid, confirming that financial payment information wasn’t stolen in the breach.

Here is what Rex Mundi said in a statement:

“Earlier this week, we hacked our way into the servers of Domino’s Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones.”

The data theft hit independent franchise owners in just Belgium and France, while the incident has been described as an “isolated” occurrence, according to Tim McIntyre, Domino’s Vice President of Communications.  The information was encrypted, but the hackers appear to be well-organized and should be able to decode all stolen data.

The silver lining is that no payment information was taken, but it’s never good when personal customer data is stolen in a breach.

Thank you Daily Mail for providing us with this information.


Bank of England Unveils New Framework to Defend Against Cyberattacks

The Bank of England officially launched its CBEST framework to help mitigate the risk of cyberattacks, as criminals continually target banks and other financial institutions.

Using guidelines and threat intelligence from the British government and security providers, CBEST is designed to identify attacks against specific banks. Attack strategies are then replicated so banks are able to test their defenses and try to determine future methods to reduce risks.

In addition, the realistic penetration tests are replicated, with indicators available to assess cybersecurity maturity.  Banks will be able to better understand where and how they are vulnerable – and how IT staff can improve security efforts.

The Digital Shadows UK cyberintelligence company assisted in developing the new testing framework, and it will be monitored and modified as needed.

“The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment,” said Andrew Grace, Bank of England Executive Director, in a statement.  “The results should provide a direct readout on a firm’s capability to withstand cyberattacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”

Financial crime is a high-profile target, with cyberattacks targeting financial institutions serving as the second largest source of direct loss from cybercrime, according to McAfee’s “Net Losses: Estimating the Global Cost of Cybercrime” report.

Source: Bank of England.

Target Confirms P.O.S Terminals Hit By Malware

The data breach at Target is much worse than first thought. Originally the retail chain estimated that around 40 million customers’ information may have been stolen from its Point Of Sale (P.O.S) systems. This information included customer names, mailing addresses, phone numbers, email addresses and card numbers. Now this number looks more likely to be around 110 million customers, with Target announcing on Friday that as many as 70 million additional customers may have been affected as well. The breach was first identified on the 15th of December 2013, which was four days before the breach was made public. Target CEO Gregg Steinhafel went on to detail the process taken by Target in regards to the data breach, which was achieved by infecting Target’s P.O.S system with malware, and why it took four days to notify the public:

“Sunday December 15th was really day one. That was the day we confirmed we had an issue and so our number one priority was making environment safe and secure. By six o’clock at night, our environment  was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk. Day two was really about initiating the investigation work and the forensic work that has been ongoing. Day three was about preparation, we wanted to make sure our stores and our call centers could be as prepared as possible and day four was about notification.”

Target hasn’t been the only U.S. retailer to suffer a security breach over the holiday period, with the practice of card skimming at P.O.S terminals becoming more frequent. In a statement released by Target, a spokesman went on to say that customers will suffer no liability for fraudulent charges and the company will also offer one year of free credit monitoring and identity theft protection. Those who shopped at Target in the U.S. between November 27th and December 15th 2013 and are worried about their accounts should seek advice from their financial institution.

Thank you CNET for the information provided
