FFT news digest  Sep 14 2018

BA data breach

Following the data breach announced last week, British Airways has offered free credit checks to the 380,000 customers affected, but no details about the cause of the incident. Elsewhere, a clearer picture is emerging. According to security firm RiskIQ, a group known as Magecart was behind the attack, which is one of several it is believed to be responsible for. RiskIQ says Magecart managed to compromise a script stored on a BA server. The modified script collected payment card data and sent it to a server in Lithuania. One of the questions for BA is why the payment element of its booking process wasn't isolated, because this would have defeated the attack. Magecart has been on something of a crime spree recently, with customer engagement service Feedify and Groopdealz also falling victim to the group. If you booked with BA between August 21 and September 5 then you should contact your bank and request a new card.
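As an added illustration (not from the digest or from RiskIQ's report), here is a small defender-side check a site owner could run against a first-party checkout script: it compares the served copy with a Subresource Integrity hash taken from the known-good version and flags any hostname the script references that is not on an allowlist. The script bodies, hostnames and baseline below are constructed sample values.

```python
import base64
import hashlib
import re


def sri_hash(script: bytes) -> str:
    """Return a Subresource Integrity value (sha384-<base64>) for a script body."""
    digest = hashlib.sha384(script).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Hostnames appearing in absolute URLs inside the script source.
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def referenced_hosts(script: bytes) -> set:
    """Collect every hostname the script refers to in an absolute URL."""
    return {h.decode("ascii").lower() for h in HOST_RE.findall(script)}


def audit_script(served: bytes, baseline_integrity: str, allowed_hosts) -> list:
    """Compare a served script against its baseline; return a list of findings."""
    findings = []
    if sri_hash(served) != baseline_integrity:
        findings.append("integrity mismatch: served script differs from baseline")
    for host in sorted(referenced_hosts(served) - set(allowed_hosts)):
        findings.append(f"unexpected host referenced: {host}")
    return findings


# Constructed sample: a known-good checkout script and a tampered copy that
# adds a call to a host the site never uses (all hostnames are placeholders).
KNOWN_GOOD = (b"window.checkout = function (form) {\n"
              b"  return post('https://payments.example.com/pay', form);\n"
              b"};\n")
BASELINE = sri_hash(KNOWN_GOOD)
TAMPERED = KNOWN_GOOD + b"report('https://collect.example.net/x');\n"
ALLOWED_HOSTS = ["payments.example.com"]

if __name__ == "__main__":
    print("baseline:", BASELINE)
    print("known-good:", audit_script(KNOWN_GOOD, BASELINE, ALLOWED_HOSTS))
    print("tampered:", audit_script(TAMPERED, BASELINE, ALLOWED_HOSTS))
```

The baseline value is the same string that belongs in the script tag's `integrity` attribute, so the browser refuses a tampered copy while the audit flags it server-side.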

Attacking Tor

Last year, exploit broker Zerodium offered up to $1 million for ways to attack the Tor browser. The offer clearly worked, because this week it revealed details of a flaw that could be used to execute malicious code in the browser. The issue affected the NoScript add-on, which stops web pages from executing JavaScript, Flash, Java and Silverlight. Zerodium published the vulnerability on Twitter because the latest version of Tor (released last week) isn't affected by it. Since Tor's default setting is to update itself automatically, the vulnerability was no longer useful. Zerodium makes its money by selling exploits to its corporate and government clients. This means that it's likely Tor users were not as anonymous or safe as they thought they were. Meanwhile, Zerodium has increased the prices it's willing to pay for exploits affecting browsers, servers and mobiles.

5 key questions

The UK's National Cyber Security Centre (NCSC) has published invaluable guidance for large and small organisations which aims to reduce the risk of them becoming victims of cyber crime. At the large end of the scale, there are 5 questions aimed at generating constructive cyber security discussions between board members and their Chief Information Security Officers. These range from how to defend against phishing attacks to how to ensure partners and suppliers protect shared data. For smaller organisations, a leaflet provides a simple checklist designed to allow elements to be implemented individually. The NCSC's website is an excellent resource and provides an ideal place to begin examining your organisation's cybersecurity. If you run a small-to-medium sized organisation, both the NCSC and the Information Commissioner’s Office recommend implementing Cyber Essentials. Being certified demonstrates you have begun to take cybersecurity seriously.

The GDPR effect

British organisations appear to be playing it safe and "over-reporting" potential data breaches. The UK's data protection regulator, the ICO, says it has been receiving around 500 calls a week since enforcement of the new EU legislation began at the end of May. Deputy Commissioner James Dipple-Johnstone told the Confederation of British Industry that around a third of the "breaches" didn't meet the reporting threshold. He also suggested that, when a breach is reported, organisations need to provide appropriate detail. "It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn’t authorised by the general counsel to tell us more than that," he said. The ICO's key message for organisations is to focus on the basics: adopting privacy by design, treating cyber security as a boardroom issue, and demonstrating a robust culture with appropriate transparency, control and accountability for its data and that of its customers.

North Korea email

The threat from email has been underlined by research showing that one in every 101 emails is sent with malicious intent. The report from security firm FireEye came as the US Department of Justice provided a detailed account of the part email played in the 2014 attack on Sony Pictures. FireEye says 91% of cyber crime begins with an email, making it by far the most popular method to launch cyber attacks. But FireEye adds that only 10% of malicious emails contain malicious software; 90% are designed to fool the recipient into giving away corporate information or assets. In the case of Sony Pictures, the attack is alleged to have begun with a relentless email campaign carried out on behalf of the North Korean government. The Justice Department's account provides a case study in how such attacks are conducted. In particular, it underlines the need to be careful about what information is shared on social media, because of the way this is used by attackers during the reconnaissance phase preceding an attack. Check your organisation's social media policy to make sure you’re not giving away too much detail.

Unlearned lessons

To coincide with the first anniversary of the Equifax data breach, backup and recovery company Veeam has exposed an estimated 445 million customer records. Security researcher Bob Diachenko found the 200GB database on an Amazon server which had been left without a password. The database included names, email addresses and IP addresses, and would be invaluable as part of a phishing campaign. Veeam's failure illustrates how little has been learnt in the year since Equifax failed to patch a web server and allowed the theft of details on 147 million consumers. The company's Chief Executive lost his job and was questioned by a congressional committee, but he also walked away with a $90 million retirement package. And Equifax's share price is almost back to where it was before the breach was revealed. What makes this so depressing is that the breaches were caused by basic failures which every organisation should be able to prevent.

In brief

The UK's approach to mass surveillance has been found to be in breach of the European Convention on Human Rights.

Several apps in the macOS app store have been found to be collecting sensitive user data and, in the case of Adware Doctor, sending details to China. Adware Doctor was one of the highest grossing apps in the store.

Windows and Linux Kodi users may have been infected with malicious software designed to mine cryptocurrency. ESET says three popular repositories were compromised.

The Russian parliament is considering draft legislation that would prohibit members of the military from sharing any information about themselves on the internet. The UK MOD’s guidance to its personnel is here.

An indictment in California demonstrates that street gangs are moving into cybercrime. Two gangs are accused of defrauding victims by hacking credit card terminals and merchant accounts of dozens of medical and dental businesses.

UK police are warning about a WhatsApp hoax that is targeting children. The sender pretends to be a friend with a new phone number and then sends a pornographic picture.

Apple released details of newish iPhone models and confirmed the death of the home button and headphone jack.

Updates

Microsoft: monthly update addresses 61 vulnerabilities, including a remote code execution bug which can be triggered by viewing an image file.

Adobe: updates to address 10 issues in Flash Player and ColdFusion.

SAP: 13 security notes, 3 issues rated High.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217