PC PORTAL

Experienced. Trusted. Solutions.

IT Security

By

Cyber News Rundown: Evite Data Breach

Reading Time: ~ 2 min.

Over 100 Million Accounts Exposed in Evite Breach

More than 100 million users of Evite were exposed after the company’s servers were compromised earlier this year. While the company doesn’t store financial information, plenty of other personally identifiable information was found in the leaked database dump. The initial figures for the breach were thought to be much lower, as another database dump of 10 million Evite users was found on an underground marketplace around the time they discovered the unauthorized access, though that site was shut down soon after.

American Express Suffers Phishing Attack

Many American Express customers recently fell victim to an email phishing attack that used the uncommon tactic of hiding the URL domain when hovering over the hyperlink. The attack itself, which requests the victim open a hyperlink to verify their personal information before re-routing them to a malicious site, was reliably full of spelling and grammar mistakes. The phishing landing page, though, looks nearly identical to the real American Express site and even has a drop-down list to catch multiple types of user accounts.

NHS Worries Over XP Machines

Over five years after Microsoft officially ceased support for Windows XP, the UK government has revealed that there are still over 2,000 XP machines still being used by its National Health Services (NHS). Even after becoming one of the largest targets of the 2017 WannaCry attacks, the NHS has been incredibly slow to roll out both patches and full operating sytem upgrades. While the number of effected systems, the NHS has over 1.4 million computers under their control and is working to get all upgraded to Windows 10.

Google Defends Monitoring of Voice Commands

Following a media leak of over 1,000 voice recordings, Google is being forced to defend their policy of having employees monitor all “OK Google” queries. After receiving the leaked recordings, a news organization in Belgium was able to positively identify several individuals, many of whom were having conversations that shouldn’t have been saved by the Google device in the first place. The company argues that they need language experts to review the queries and correct any accent or language nuances that may be missing from the automated response.

Monroe College Struck with Ransomware

All campuses of Monroe College were affected by a ransomware attack late last week that took down many of their computer systems. The attackers then demanded a ransom of $2 million, though it doesn’t appear that the college will cave to such exorbitant demands. Currently, the college’s systems are still down, but officials have been working to contact affected students and connect them with the proper assistance with finishing any coursework disrupted by the attack.

The post Cyber News Rundown: Evite Data Breach appeared first on Webroot Blog.

By

Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches

There’s been lots of talk about regulations with bite, a watchdog baring its teeth, and that ‘the gloves are off’ after the UK Information Commissioner’s Office one-two punch of a £184 million fine against British Airways, and £99 million against Marriott International announced a day later.

It certainly looks like the ICO went for the jugular (sorry, it’s contagious) over breaches of the General Data Protection Regulation. But it reminds me of the build-up to the regulation before May 2018. Then, much of the coverage focused on the potentially huge fines at stake. In the same way, last week’s news shouldn’t obscure the lessons beyond the attention-grabbing sums of money.

A wake-up call

The first thing to clarify is that these fines haven’t been issued yet. In both cases, the ICO is saying it’s an intention to fine – it’s giving both companies a warning. Whether or not the amounts will be close to the published figures, we know there will be fines for sure. Companies should take this as a wake-up call that non-compliance with GDPR requirements may result in tough penalties.

As I noted in the SANS Institute newsletter, the fines are not for having a breach, but for poor security that helped it. The ICO press statement makes this very clear. “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information,” it said.

Strong message

That being said, the proposed fine nevertheless amounts to 1.5 per cent of British Airways’ revenue. “This should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously,” I wrote.

In an interview with Bank Info Security, I said that more GDPR fines are likely on the way. “Many GDPR data breaches, especially the highly publicised ones, can take a long time for proper investigations by the supervisory authorities… What we are seeing now are the beginnings of the supervisory authorities issuing penalties under GDPR, and I expect we will see many more over the coming months.”

The ICO’s moves last week aren’t the first fines that a supervisory authority has imposed under GDPR. As Tracy Elliott noted in our blog marking the first year post-GDPR, there have been other, smaller fines issued in the UK, Portugal and France. We also know that Ireland’s Data Protection Commission (DPC) has several cases ongoing against Facebook, Google and Quantcast.

(Don’t just) follow the money

Last week, I was at the Maastricht University European Centre on Privacy and Cybersecurity, where I contribute to certification training for data protection officers (DPOs). Some attendees said their senior management were now asking what the fines could mean. They also wondered what assurances they have that their own organisations aren’t at risk from a similar incident.

After the race to get ready for GDPR by May 2018, a certain amount of complacency set in. Since these breaches, the size of these proposed fines has raised GDPR on senior management’s radar again. (Side note: BA’s share price fell by more than £115 million after the news came out.)

There are broader lessons from last week’s news. It’s important to look beyond the financial repercussions, particularly in companies whose business model relies on gathering and processing data. Bear in mind that fines are just one penalty that a regulator can impose. They could compel companies to delete data or stop processing certain types of data. That could have a bigger long-term impact on their business than a monetary fine which they could absorb. Not being able to gather data in a certain way could have negative repercussions on how you do business.

Third-party risk

The root causes of BA and Marriott’s breaches highlight a particular security risk: external third parties. BA’s breach was due to a software script integrated into its website. There were no checks in place to verify any changes to that code. The Marriott breach came from its acquisition of Starwood hotels in 2016. It only discovered in 2018 that Starwood’s customer database suffered a hack in 2014.

So, companies need to ask what due diligence they need to carry out against third-party vendors and suppliers. If your company plans to acquire or partner with businesses, you inherit their risk profile, security and data protection frameworks. You need to check what assurances you have that these third parties are adhering to your security requirements, rather than you inheriting theirs.

In light of the news, what actions should other companies take? Interestingly, even before the ICO’s news, the Irish DPC issued a short guide to information sources to consider when reviewing or setting security.

Companies should carry out continuous auditing and verification to ensure their security and privacy controls are working. And if they don’t have the internal resources to do this, to work with independent experts to verify those controls.

The post Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches appeared first on BH Consulting.

By

Cyber News Rundown: Major Spike in Magecart Attacks

Reading Time: ~ 2 min.

Magecart Attacks See Spike in Automation

The latest attack in the long string of Magecart breaches has apparently affected over 900 e-commerce sites in under 24 hours. This increase over the previous attack, which affected 700 sites, suggests that its authors are working on improving the automation of these information-stealing attacks. The results of these types of attacks can be seen in the latest major fines being issued under GDPR, including one to Marriott for $123 million and another to British Airways for a whopping $230.5 million.

Agent Smith Android Malvertiser Spotted

Researchers have been tracking the resurgence of an Android-based malware campaign that disguises itself as any number of legitimate applications to deliver spam advertisements. After being installed from a third-party app store, the malware checks both a hardcoded list and the command-and-control server for available apps to swap out for malicious copies, without alerting the device owner. The majority of targeted devices have been located in southwestern Asia, with other attacks showing up in both Europe and North America.

Third Florida City Faces Ransomware Attack

Almost exactly one month after the ransomware attack on Lake City, Florida, a third Florida city is being faced a hefty Bitcoin ransom to restore their systems after discovering a variant of the Ryuk ransomware. Similar to the prior two attacks, this one began with an employee opening a malicious link from an email, allowing the malware to spread through connected systems. It is still unclear if the city will follow the others and pay the ransom.

British Airways Receives Record GDPR Fine

Following a data breach last year that affected over 500,000 customers, British Airways has been hit with a total fine amount of $230.5 million. The amount is being seen as a warning to other companies regarding the severity of not keeping customer data safe, though it’s still much less than the maximum fine amount of up to 4% of the company’s annual turnover.

Georgia Court System Narrowly Avoids Ransomware Attack

Thanks to the quick work of the IT team from Georgia’s Administrative Office of the Courts (AOC), a ransomware attack that hit their systems was swiftly isolated, leading to minimal damage. Even more fortunate for the AOC, the only server that was affected was an applications server used by some courts but which shouldn’t disrupt normal court proceedings. Just days after the initial attack, the IT teams (aided by multiple law enforcement agencies) were already in the process of returning to normal operations without paying a ransom.

The post Cyber News Rundown: Major Spike in Magecart Attacks appeared first on Webroot Blog.

By

Security roundup: July 2019

Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: T&Cs, stronger security in Europe, and a birthday with bitter memories.

Policing policies to protect privacy

One of the greatest lies on the internet is “I have read the terms and conditions”. But maybe most people aren’t to blame when those same policies read like “an incomprehensible disaster”. That’s what a New York Times investigation found after reviewing 150 privacy policies. The European Commission came to a similar conclusion after surveying 27,000 citizens on their attitudes to data protection. Commissioner Věra Jourová noted that 60 per cent of Europeans read their privacy statements, but only 13 per cent read them fully. “This is because the statements are too long or too difficult to understand,” she said.

But not reading T&Cs could have unwitting consequences; like turning your phone into a spying tool. Spain’s Liga app activated a user’s smartphone audio function when it knew they were in a bar. Spain’s football administrators said the app’s terms made it clear this was to identify places that were streaming matches illegally. The Spanish data protection authority took a different view and slapped the league with a €250,000 fine.

In other privacy news, the UK Information Commissioner’s Office has published guidance providing clarity and certainty on correct cookie use. Cookie rules technically fall under the Privacy and Electronic Communications Regulations, but some of that regulation’s concepts derive from GDPR. As well as a reader-friendly myth-busting blog, there’s also more comprehensive guidance in a longer document.

Strengthening security across Europe

The EU Cybersecurity Act came into force on 26 June. For the first time, it introduces EU-wide cybersecurity certification rules for digital products, services and processes. It also strengthens the mandate for ENISA. The Union’s cybersecurity agency will set up the certification framework and it now has a remit to help Member States to handle cyber incidents.

BH Consulting is a contributor to ENISA and our CEO Brian Honan recently gave a presentation on threat intelligence at an ENISA industry event. The meeting also covered cybersecurity, internet regulation and Europe’s position in the race to a competitive ICT global industry. Brian also spoke to the Irish Times for a feature article about steps under way to improve security. Meanwhile Ireland’s second national cyber security strategy is expected in the coming weeks, as the Irish Examiner reports.

Déjà vu all over again

If working in information security can sometimes feel like Groundhog Day, then you might want to pause before reading further. Consider the following sentences, then guess when they were written (no peeking). “Paradoxically, the drive for business efficiency and globalism serves only to increase the potential damage which computer viruses and other malicious programs can cause… the more streamlined and interconnected computers become, the greater will be the penalties resulting from carelessness, recklessness and vandalism… no-one knows when or where a computer virus will strike. They attack indiscriminately. Virus writers, whether or not they have targeted specific companies or individuals, must know their programs, once unleashed, soon become uncontrollable.”

So how old is that text? Five years? Ten? Fifteen, at a push? Actually, it’s double that number. Edward Wilding penned them in the summer of ’89, for the very first edition of Virus Bulletin (PDF). Brain, the world’s first computer virus, appeared just three years before then.

It says a lot that Wilding could write these words and, without knowing, still have them resonate three decades later. The same issues he identified then have not gone away. (Side note: the same is true of attacks like SQL injection. Even today, they account for two-thirds of all web app attacks, according to new findings from Akamai.) The industry’s progress, or lack of it, is a point to ponder while security professionals (hopefully) enjoy some deserved downtime this summer.

Links we liked

NIST guidance on understanding and managing security risks with IoT devices. MORE

Demand for cybersecurity jobs in Ireland is growing, but supply can’t keep up. MORE

Controversial: you should think about paying to get data back from ransomware. MORE

An open letter to the security profession, from a privacy practitioner. MORE

You know that ‘padlock’ icon in your web browser? It could be a fake. MORE

How a data request can quickly turn into a data breach. MORE and MORE

The Irish privacy champion on a mission to clean up dirty adtech. MORE

A sceptical take on Facebook’s planned move into cryptocurrency. MORE

When BGP goes wrong, the whole internet feels it. MORE

How a trivial cell phone hack is ruining lives. MORE

 

The post Security roundup: July 2019 appeared first on BH Consulting.

By

From the BH Consulting archives: fake invoicing scams are a constant security risk

Trawling through archives can quickly turn bittersweet when it hits home how little has changed between past and present. Looking back through the posts on BHconsulting.ie, invoice redirect scams have featured regularly since 2015. Fast forward to 2019: An Garda Siochana warned that this fraud cost Irish businesses almost €4.5 million this year. The global costs are even more sobering – but more of that later.

Back in 2015, we reported the Irish Central Bank was fleeced to the tune of €32,000. This fraud was a growing trend even then. Our blog quoted Brian Honan’s Twitter account: “Looks like a fake invoice scam we’ve seen with other clients”. The same post also referred to Ryanair, which was duped around the same time and reportedly lost around €4.5 million.

The impersonation game

Scams like this have many names, like CEO fraud, invoice redirection fraud, or business email compromise. Preventing them from being successful is about knowing how they work and spotting potential red flags. Brian blogged about this in December 2015, detailing scammers’ steps when executing CEO fraud and fake invoicing tricks.

“The premise of the attack is the criminals impersonate the CEO, or other senior manager, in an organisation (note some attacks impersonate a supplier to the targeted company). The criminals may do this by either hijacking the email account of the CEO or setting up fake email accounts to impersonate the CEO.”

Next, criminals send an email seeming to come from the CEO to a staff member with access to the company’s financial systems. The email will request that payment be made to a new supplier into a bank account under the criminals’ control. Alternatively, the email may claim the banking details for an existing supplier have changed and will request payments into a new bank account under the criminals’ control.

Video to beat the scam

In February 2017, we blogged about an educational video that Barclays Bank developed to raise awareness of fake invoicing and similar online scams.

 

Later that same year, we covered the issue again, twice in quick succession. The first of these posts, in August 2017, noted how legitimate email senders do themselves no favours by composing messages that “practically begged to be treated” as fakes. A genuine email from a large insurer was so poorly composed that it would have raised suspicion with anyone who’d been paying attention during security awareness training.

The process problem

Now we’re getting to the heart of the problem. Call it what you want, but this scam is a people and process failure. That was our conclusion from another post in August 2017, after news emerged of yet another victim in Ireland. “The effectiveness of an email scam like CEO fraud relies on one person in the target organisation having the means and the opportunity to make payments. It’s not a security problem that technology alone can fix.”

In the same blog, we noted how the FBI has been tracking this scam since 2013. The agency put collective losses between then and August 2017 at an eye-watering $5 billion. As we blogged then, ways to fix this issue don’t necessarily need to involve technical controls. For example, companies could make it compulsory to have a second signatory whenever they need to make payments over the value of a certain amount.

The risk of these frauds goes beyond just commercial businesses. As we noted in a blog from October 2017, local public sector authorities are also potential victims. The post referred to Meath County Council, which had €4.3 million stolen from it in a dummy invoicefraud.

Staying ahead of the fraudsters

Our August blog included FBI special agent Martin Licciardo’s very practical advice: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”

This brings us neatly back to 2015, where we provided similar advice to avoid falling victim to fake invoice scams. The steps include:

  • Ensure staff use secure and unique passwords for accessing their email
  • Ensure staff regularly change their passwords for their email accounts
  • Where possible, implement two factor authentication to access email accounts, particularly when accessing web-based email accounts
  • Have agreed procedures on how requests for payments can be made and how those requests are authorised. Consider using alternative means of communication, such as a phone call to trusted numbers, to confirm any requests received via email
  • Be suspicious of any emails requesting payments urgently or requiring secrecy
  • Implement technical controls to detect and block email phishing, spam, or spoofed emails
  • Update computers, smartphones, and tablets with the latest software and install up-to-date and effective anti-virus software. Criminals will look to compromise devices with malicious software in order to steal the login credentials for accounts such as email accounts
  • Provide effective security awareness training for staff.

The post From the BH Consulting archives: fake invoicing scams are a constant security risk appeared first on BH Consulting.