British intelligence seeks next generation of cyber specialists

In today’s increasingly connected world, GCHQ, MI5 and MI6 are putting far greater focus on growing their own technical specialists and are searching for technically-minded Apprentices.

For prospective programmers and tech-savvy talent, the British Intelligence Higher Apprenticeship in IT, Software, Internet and Telecoms could be a tempting alternative to a university degree – and a unique start to a career. But applicants need to move quickly to avoid missing out: the closing date of 9 November is approaching fast.

The Apprenticeship is a two-year foundation degree scheme run by GCHQ at its Cheltenham HQ. There is an optional third year to obtain a full degree.

Aimed at young people interested in technology and coding, the scheme in some ways is like any other Apprenticeship in that it allows participants to build up their technical expertise while developing soft skills like teamwork, communication and leadership. There’s a mix of classroom-based learning and practical experience – leading to a recognised qualification and a full-time job.

Working in GCHQ alongside MI5 and MI6, students will earn a salary and gain a unique insight into a world otherwise hidden behind closed doors. They will work with some of the world’s best and newest technology and, because our jobs are constantly evolving, there will be plenty of opportunities to develop their skills while they work towards gaining a university-based qualification.

Students will be part of a team that helps ensure that UK Government can operate in cyberspace, playing vital roles in GCHQ’s mission to tackle terrorism, organised crime and cyber threats.

To join the scheme, applicants will need a strong interest in programming and technology. And, due to the technical nature of the scheme, applicants need to have or be expecting three A-levels at Grade C or above (or the equivalent), with at least two in Science, Technology, Engineering or Maths related subjects. The minimum age for the apprenticeship is 18, and there is no upper age limit.

The agencies are particularly keen to encourage applications from women, as part of their effort to promote Science, Technology, Engineering and Mathematics (STEM) careers for women across the UK, and from ethnic minorities, in keeping with their commitment to a diverse workforce.

Applications can be made via the GCHQ website:



TalkTalk breach, expert comments and advice if you’ve been affected

TalkTalk has confirmed that it has suffered a “significant and sustained cyber-attack.” TalkTalk has over 4 million customers in the UK.

While details are limited, TalkTalk has said that the hackers may have accessed its customer database – including names, addresses, dates of birth, email addresses, telephone numbers, TalkTalk account information, and credit card and/or bank details.

Jon French, security analyst at AppRiver, has offered the following advice to customers that may have been affected:

“The two major things customers need to do is keep an eye on their banking information to look for fraudulent transactions, as well as be vigilant with communications. By communications, I mean they should be suspicious of any unexpected emails or phone calls that may be asking them for additional information. If someone calling or emailing you already has information like name, address, email address, or other account information, that doesn’t mean they can automatically be trusted. They may cite that data to get someone to trust them to hand over more information like a credit card or password.”

Benjamin Harris, Managing Security Consultant at MWR InfoSecurity, adds advice for customers, and also for organisations generally that may be targets of this type of cyber attack:

“As always when there is a concern that payment data may have been breached, consumers should pay attention to transactions made on their debit and credit cards and report any suspected fraudulent transactions to their card issuer. Being proactive will help to limit any damage caused by exposure of credit card information, however if consumers are heavily concerned about the confidentiality of their debit or credit card, it is recommended that they contact their card issuer to provision replacement cards, thus invalidating the previous credit or debit card used.
“It appears that TalkTalk have been proactive in this instance, and have done the correct things by issuing a public statement and involving the relevant authorities, allowing the attack to be investigated and thus limit any further damage.

“Incident response is a necessity for most organisations. In this case, it is important that organisations are both proactive and honest about any security breaches, and that they enlist the correct help from the outset. Identifying the attack mechanism is an important step in mitigating the risk, and pre-emptive actions (such as immediately destroying an infected machine) could lose vital evidence that would be useful in identifying the actual impact.
“Organisations should also regularly test their incident response plans. For example, logging and monitoring systems may not be regularly inspected. Realising that a log collation server has not been working for months and has not recorded information relating to a breach can be very frustrating, and these issues can be avoided with regular inspection.”
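As an added illustration of the “log collation server has not been working for months” failure mode (example code written for this page, not MWR’s), the check below parses constructed syslog-style lines, works out when each expected source last reported, and flags sources that have gone stale or never reported at all. The host names, sample lines, inventory and one-hour threshold are all constructed.

```python
"""Freshness check for log sources feeding a collation server (added example, constructed data)."""
from datetime import datetime

# Constructed syslog-style sample: "<ISO timestamp> <source host> <message>".
SAMPLE_LOG = """\
2015-10-22T08:00:01Z fw-edge-01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10
2015-10-22T08:00:05Z web-01 nginx: 203.0.113.10 "GET /login HTTP/1.1" 200
2015-10-22T08:05:44Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=203.0.113.10
2015-07-30T23:59:58Z db-01 postgres: checkpoint complete
garbage line with no timestamp
2015-10-22T08:06:10Z web-01 nginx: 203.0.113.11 "POST /login HTTP/1.1" 302
"""

# Hypothetical inventory of every source that is supposed to report. "proxy-01" is
# listed here but never appears in the sample: that is the feed that silently died.
EXPECTED_SOURCES = {"fw-edge-01", "web-01", "db-01", "proxy-01"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def last_seen_by_source(log_text):
    """Return {host: latest timestamp} over lines of the form '<ts> <host> ...'."""
    last = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            continue  # not a timestamped event line; skip rather than crash
        host = parts[1]
        if host not in last or ts > last[host]:
            last[host] = ts
    return last


def find_stale_sources(log_text, expected, now_text, max_age_hours):
    """Classify each expected source as 'ok', 'stale' or 'missing'.

    Returns {host: (state, age_in_hours_or_None)}. 'missing' means no event at all
    was collected from that host, which is the case a dashboard of recent events
    never shows because there is nothing to draw.
    """
    now = datetime.strptime(now_text, TS_FORMAT)
    last = last_seen_by_source(log_text)
    report = {}
    for host in sorted(expected):
        if host not in last:
            report[host] = ("missing", None)
            continue
        age_hours = (now - last[host]).total_seconds() / 3600.0
        report[host] = ("stale" if age_hours > max_age_hours else "ok", age_hours)
    return report


if __name__ == "__main__":
    report = find_stale_sources(SAMPLE_LOG, EXPECTED_SOURCES, "2015-10-22T09:00:00Z", 1)
    for host, (state, age) in report.items():
        print(f"{host:12s} {state:8s} {'-' if age is None else f'{age:.1f}h'}")
```

Run against a real inventory, the same check scheduled daily would have surfaced the silent db-01 and proxy-01 feeds within a day rather than months later.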

Richard Cassidy, technical director EMEA, Alert Logic, commented on the incident:

“This represents another serious incident from a data-breach perspective at TalkTalk; unfortunately not for the first time this year. Questions have to be raised around the point of data-at-rest security and whether organisations are indeed doing all they can to assure that customer data (whether it be credit card, banking details or personally identifiable information) is as protected as it could be in the case of a serious data breach.

We cannot continue to rely on legacy security tools and techniques in the battle against the modern day cyber criminals that are targeting our organisations on a global scale. Fundamentally it is safer to assume that we will be a target of an attack (and in many cases an advanced threat) and look at the problem from the inside out. Clearly it’s important to look at how we can better prevent data breaches and implement more effective tools to identify pre and post compromise activity, however CISOs, CSOs and CEOs should take the lessons learned from the countless data breaches we’ve seen this past while and seek to answer the question of how well prepared the organisation is in the event a data-breach does occur and how customer data can be better protected should the worst happen.

Clearly there are questions in the case of this breach, as to what mechanisms were put in place to protect the data hackers came after; perhaps too much focus was put on perimeter security and detection of threats, rather than focusing on better protecting what assets attackers would be coming after in the first place. Fundamentally organisations need to start with an intrinsic understanding of the anatomy of an attack as the first line of defence. Organisations have responsibility for protecting our data and perhaps a change is needed in legislation to compensate customers who suffer a financial loss as a result of their data being compromised; all too often we see organisations defer liability when a customer suffers a financial loss at the hands of bad actor groups who used the data they stole from a successful breach to compromise the organisation’s customers. The vast majority of consumers are not IT or even security savvy, especially the older generation; it can often be incredibly hard to discern between a bogus call purporting to be from your provider (using the data they’ve gleaned from a breach) and a legitimate call. It would be far better for organisations of the ilk of TalkTalk to offer up better information to consumers on how to identify how their data could be used in such campaigns and to take more responsibility in supporting customers who suffer a loss as a result.

Ultimately however it points to the need for organisations to really question their “data-at-rest” encryption standards and capabilities and more importantly the protection of the keys that are used to maintain encryption. More focus should be placed on the assumption that a data breach is highly likely to occur and, as a result of this, on how losses can be mitigated should corporate or customer data be exfiltrated. The first answer quite evidently lies in how we encrypt the data we might lose and thus make any attempt at using that data a very tall order indeed for the bad actors who seek it.”



If you see Marty McFly, can you tell him…

By Martyn Ruks – Technical Director of MWR InfoSecurity

It’s finally here – the day that Marty McFly and Doc Brown will arrive in their time travelling DeLorean. Wearable technology, multi-channel television and the odd 1980s Apple Macintosh in an antique shop will all come as no surprise.

They might be a little disappointed, however, to discover that the future they have arrived in doesn’t possess all the cool tech like Fusion reactors, holographic projection and more importantly real hoverboards, that will enable them to avoid the unwanted attentions of characters like old Biff, Needles and Griff. However, in the place of this missing tech they’ll find the Internet, smartphones, tablets and other cool gadgets that they might not have expected.

They’ll also find a wealth of cyber security challenges that just weren’t anticipated, or maybe had actually been solved in the alternate version of 2015 they previously arrived in (temporal paradoxes notwithstanding).

So, if you should happen to spot the pair flying into a town near you, maybe you could get them to share the cyber security solutions that the fictional 2015 had clearly found.

We’ve got some good solutions ourselves in many of these spaces but it’s always good to learn more. With that in mind, here are some of the pressing questions we have about their experience of the alternate 2015:

Q1. Drone Dog Walking

So, in the fictional 2015 there are drones that can take your dog for walkies. However, how are they secured? We’d probably consider these to be part of the Internet of Things (IoT) and therefore we’re still coming to terms with how we manage the security of a myriad of technologies all designed to be Internet enabled.

The concern in today’s 2015 is that, while drones hanging on to leads could be a reality, securing them against attack could be a challenge. Mischievous hackers would doubtless be looking at reprogramming them for fun, leading our pets a merry dance. There could be others with a slightly more sinister intention were they to access these connected devices, walking animals such as guard dogs to either lead them into harm (no pun intended) or just exhaust them so they become ineffective.

We know that if the vendors of this type of technology understand the security threats their products are facing – and build in the controls needed to protect against them – we can solve this problem. Perhaps in our alternate 2015, they just got really good at putting this into practice, maybe Doc or Marty will know more.

Q2. Hoverboards – were the blueprints stolen?

Like everyone else, we want to know ‘where are they?’ Perhaps at some point between 1985 and today, the companies developing hover technology have had their designs tampered with, which is why we’re still struggling to get it right.

Yes, true – Lexus has made a valiant attempt and should be applauded for its ‘hover board’, but you have to admit that a metal track and magnets is never going to scale!

How did the inventors protect their intellectual property so they were able to achieve such saturation of the technology and undoubtedly massive commercial success? In today’s 2015 we’re still struggling to manage the theft of such valuable Intellectual Property from both large and small organisations. Maybe hoverboard tech just wasn’t on the attacker’s radar, but more likely those companies had great cyber security to protect it.

This is one area that organisations are now starting to get their heads around but some advice from our time travelling friends would help.

Q3. Flying Cars

This one is really important – especially given the public disclosures about the insecurity of vehicles that we’re currently seeing. How did the alternate 2015 manage to secure the highly complex transport network control systems associated with personal flying vehicles, to prevent hackers causing chaos in our skies?

In the alternate future the skyways appeared to be highly dangerous and in need of some advanced piloting skills. However, given the current direction of technology maybe Doc was faking it and all the cars are actually driving themselves.

One thing is clear though, we can’t even begin to think about letting our cars take to the skies if we still can’t control them while driving on solid ground! That said the increased awareness of the need for security in these technologies will drive improvement and we’re confident that we’ll be able to manage this in the future.

All things considered though, maybe it’s better if they don’t arrive as, without flying capabilities, many of us might conclude that our roads simply aren’t clear enough to hit the necessary 88 mph to travel back in time, so Marty and Doc would be trapped! But that’s another debate for another day!

Q4. Biometrics

Fictional 2015 is all over this one with the police able to identify anyone on the street from their fingerprint and even the press identifying individuals in a story for the newspaper, based seemingly on facial recognition performed by their drones.

Today’s governments are fighting two battles with this – how to secure such systems so they can’t be exploited by nefarious individuals (or even states), and how to resolve the raging debate between security and the right to privacy.

As the citizens of Hill Valley seem to be content with the use of this kind of technology, perhaps Doc Brown could shed some light on how they managed it and whether everyone is as happy with this as they appear to be?

Q5. Access Control Systems

Leading on from biometrics in general terms, and into deployments of it – it would be good to unlock the secret (yes, pun intended this time) of replacing our physical locks with palm readers. I think we’re on the right line with some of the adoptions we’ve seen, such as smartphone developments, iris scanners, etc., but we’ve still got a long way to go to have confidence that this is a method of securing our houses.

In the Hilldale of the alternate future, clearly not the nicest neighbourhood around, the technology is ubiquitous and used to grant access to every house. How is that being managed and secured and is it also in use on secure facilities? Maybe this is an area of tech that we’re better at securing than they were, after all an unconscious, younger version of Jennifer was able to open her own front door.

Certainly something to ask Doc and Marty about and maybe something where we can share some of our successes with them.

Q6. Intruder Detection

Spotting unauthorised transactions in financial systems is also clearly working well in 2015 Hill Valley, so they must have mature detection capabilities in place. Mr Fujitsu is clearly able to spot these in real time and even connect directly with his employees to follow up on it in a pseudo investigation, also known as a Human Resources fail.

If the detection capabilities for spotting this are so mature does that also extend into other areas of IT? So the question to ask is whether Mr Fujitsu is able to track the APT activity in his business so effectively? We work with companies who have this capability today so maybe this is another area we’re living up to.

In summary

So whilst this article is written purely for your entertainment (unless you really do bump into Marty and his flying car – in which case we’re deadly serious), the capabilities of the authorities portrayed in the film clearly aren’t perfect. For one thing, they weren’t able to detect the temporal displacement associated with the DeLorean whizzing back and forth in time. But maybe we should be congratulating Doc for his apparently flawless OpSec (well except for the Plutonium theft) by keeping his invention so secret and not allowing anyone to realise what he was doing. After all you don’t need to be able to detect something that doesn’t exist… or do you?

In reality though, the one thing that we really learn from Marty’s trip forward in time (and therefore this article), is that the pervasiveness and importance of cyber security simply wasn’t in the consciousness of filmmakers and the general public just under 30 years ago. One thing is for certain, predicting what it will look like in 30 years’ time will be tough.



The Power of the Crowd – Sharing Threat Intelligence in the Security Community

By Richard Kirk, Senior Vice President, Telecom and Service Provider Sales, AlienVault

When most people think of crowdsourcing, it is usually within a social context – i.e. sharing the latest news, gossip and trends. However, crowdsourcing can also be useful for information security professionals, allowing them to find out about new malware, malicious IPs, vulnerabilities and exploits. This is vital because no one vendor has all the answers. However, when you pool their collective resources, such as event logs, firewalls, IPS/IDS, proxies etc., then you start to get a holistic view of what’s happening in the threat landscape, and this can significantly improve your security posture.

This demonstrates the ‘power of the crowd,’ because in the security industry, it is not simply about one great expert, but rather the expertise of thousands of security practitioners who become the collective genius. And with the network of users and the community connected to modern platforms, sharing threat data in real-time, it can be done, and it can be even more effective in preparing everyone for the inevitable and growing barrage of attacks.

Despite the many benefits, there is a reluctance to share threat intelligence among some sections of the security community. One of the main factors contributing to this is that people are nervous about inadvertently exposing sensitive company information when sharing threat intelligence. While this is a legitimate concern for many, it doesn’t need to cover the entire spectrum of threat intelligence, because items such as hash values, suspicious IP addresses and domain names can easily be shared without exposing any internal information.

When collaborating on threat data in the infosec community, there are three things we can do. First, identify who is attacking us, so that if one of us is attacked, we all know about the attack and the attacker; this is one of the most effective ways that threat sharing can benefit the entire group. Second, share accounts of how we were attacked and how different methods of attack might be prevented. Third, share what we did to overcome the attack through the use of tools, policies and procedures. This is all the more important given that cyber attacks are growing by more than 50 per cent each year and becoming ever more sophisticated.
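The worry about leaking internal details while sharing, and the observation that hashes, suspicious IPs and domains can be shared safely, translate into a simple pre-sharing filter. The script below is an added example written for this page (not AlienVault code): it classifies constructed candidate indicators and withholds anything that names internal address space or a hypothetical internal DNS suffix. The internal ranges, suffixes and sample values are all constructed; the 198.51.100.0/24 documentation range stands in for a public address.

```python
"""Sanitise a candidate indicator list before it leaves the organisation (added example)."""
import ipaddress
import re

# Address space that should stay in-house: RFC 1918, loopback, link-local and the
# IPv6 counterparts. (Constructed policy; extend it with your own ranges.)
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]
# Hypothetical internal DNS suffixes that would reveal hostnames.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example", ".internal.example")

# MD5 / SHA-1 / SHA-256 hex digests.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)

# Constructed candidates, as an analyst might export them from a SIEM alert.
CANDIDATES = [
    "d41d8cd98f00b204e9800998ecf8427e",   # hash of a dropped file
    "198.51.100.23",                       # command-and-control address (documentation range as stand-in)
    "10.4.7.12",                           # the infected workstation: internal, must not be shared
    "malicious-updates.example.net",       # phishing domain
    "fileserver01.corp.example",           # internal host named in the alert
    "127.0.0.1",
    "not an indicator",
]


def classify(value):
    """Return (indicator_type, shareable, reason) for one candidate string."""
    v = value.strip()
    if HASH_RE.match(v):
        return "hash", True, "file hash carries no internal context"
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        kind = "ipv%d" % ip.version
        # Membership test returns False (not an error) when address and network versions differ.
        if any(ip in net for net in INTERNAL_NETWORKS):
            return kind, False, "internal or non-routable address"
        return kind, True, "external address"
    if DOMAIN_RE.match(v):
        if v.lower().endswith(INTERNAL_DOMAIN_SUFFIXES):
            return "domain", False, "internal domain"
        return "domain", True, "external domain"
    return "unknown", False, "unrecognised indicator format"


def build_share_list(candidates):
    """Split candidates into the list that may be shared and the list that stays in-house."""
    shareable, withheld = [], []
    for c in candidates:
        kind, ok, reason = classify(c)
        (shareable if ok else withheld).append({"value": c.strip(), "type": kind, "reason": reason})
    return shareable, withheld


if __name__ == "__main__":
    share, keep = build_share_list(CANDIDATES)
    for item in share:
        print("SHARE    %-36s %-7s %s" % (item["value"], item["type"], item["reason"]))
    for item in keep:
        print("WITHHOLD %-36s %-7s %s" % (item["value"], item["type"], item["reason"]))
```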



The National Crime Agency warns UK users about Dridex malware

The National Crime Agency has warned that UK internet users should protect themselves against Dridex, a significant strain of malicious software which has cost victims in the region of £20 million so far.

Ronnie Tokazowski, senior researcher at PhishMe, has offered @DFMag the following insight:

“The challenge for all of us is that attackers constantly tweak their malware to avoid detection. We’ve been monitoring Dridex, as well as numerous other banking malware and trojans, and each new iteration is designed to evade anti-virus, sandboxing, and other detection technologies. One example: back in March, even though Dridex was known malware at the time, we identified a variant that was not being flagged as malicious by any of the anti-virus programs. Another sandbox evasion technique they included required user input to ‘push the button’. Even once it had been downloaded, detection was grim, as just five out of 57 AV vendors were picking up on it, making it very difficult to detect.

“For Dridex and other banking trojans, bypassing security defences is child’s play. One of the best ways to stop these attacks is to catch them early in the delivery phase, as this will hinder the attackers’ operations. Trained users are instrumental in early detection, and a person who can correctly identify a majority of phishing attacks is an asset to security, particularly if your organisation has a program in place to gather user reports of suspicious emails. These employee-sourced reports provide the incident response (IR) team and security operations analysts with the information needed to rapidly respond to potential phishing attacks and mitigate the risk from those that may fall prey to them. Organisations should capitalise on the users that can become active human sensors and act like informants for the IR teams.”



Angler exploit kit targets up to 156 million UK Mail Online readers – expert comments

The Angler exploit kit has compromised the Daily Mail’s online domain, potentially exposing up to 156 million readers a month to malicious advertising. The security firm Malwarebytes discovered the Mail Online attack, in which malicious adverts redirected readers to the Angler exploit kit. The Angler exploit kit infects computers with ransomware, which locks your computer until you pay a fee.

@DFMag has received several comments from a wide range of industry experts on this topic, which are as follows:

Tony Berning, senior manager, OPSWAT:

“To protect against ransomware, users must back up their data regularly. In addition to this, an important defence against ransomware is the use of multiple anti-virus engines to scan for threats. With over 450,000 new threats emerging daily, anti-malware engines need to detect new threats continuously, and will inevitably address different threats at different times. A single engine will not be able to detect 100% of threats. However, by using multiple anti-malware engines, companies can benefit from several detection algorithms and heuristics to significantly increase the malware detection rates, as well as their protection against new threats. With multi-scanning, only one engine needs to detect the threat in order for a company to be protected.”

Richard Cassidy, technical director EMEA, Alert Logic:

“Recovering from these types of malware campaigns will rely largely on whether you employ a good backup policy for your data and preferably entire system backups (as opposed to specific folders or files). Failing that, then it’s a case of either accepting your data loss, paying the bitcoin ransom (and then hoping that your data is de-encrypted) or have a go at breaking the encryption algorithm and hope for the best!

Users need to be vigilant in their online activities and in receipt of attachments from untrusted and unverified sources. Unfortunately ransomware can be one of the most debilitating attacks, especially where data is not backed up regularly to another secure destination.”

Simon Crosby, co-founder and CTO, Bromium:

“Ransomware variations have been doubling every year for the past two years, and continue to pose a significant threat to individuals and organisations. Crypto-ransomware families are in a rapid ‘growth’ phase, with BitCoin as the desired currency for ransom and TOR as the desired channel to communicate – making them increasingly hard to detect or trace. They commonly employ real-world cryptography using either WinCrypto or statically linked OpenSSL which makes it impossible to decrypt without a key. Many variants also attempt to delete shadow copies and backups; and sometimes kernel exploits (such as CVE-2013-3660) are used to gain administrator privileges. Some of the more advanced families use encrypted communication such as HTTPS or relaying their C&C protocol over TOR; and include the ability to infect removable media and network shares. All this leads to the conclusion that the only meaningful way to prevent these attacks is to isolate them. You can simply make them irrelevant through microvirtualization. If the ransomware detonates in an isolation container it can encrypt whatever it likes, because it’s not encrypting anything you care about; just a tiny VM that was created for it. Don’t play a game when the other team is infinitely better equipped than you. Change the game so that they can no longer play.”

Rahul Kashyap, chief security architect, Bromium:

“Ransomware is a particularly nasty form of malware because, once you are hit with its encryption, your files are toast. Anti-virus can’t do anything to bring those encrypted files back to you. I only expect this trend to continue because it is so effective.

This increase in ransomware highlights the importance of best practices, such as endpoint protection and external data back-ups. Many times, when you are hit with ransomware it is impossible to get your files back because the payment processing may fail or the encryption keys may not work – not to mention the danger of providing your credit card number to these attackers. The ransomware trend will only continue if those infected continue to pay the ransom. We cannot encourage this behaviour, so we suggest these ransoms are not paid.”

Fraser Kyne, principal systems engineer, Bromium:

“Ransomware will continue to cause significant problems for many organisations, simply because their IT security mechanisms fail to protect them. Modern threats need modern and innovative solutions. It is not enough to go through a continual ‘pay-up or wipe’ loop as these attacks become ever more popular. We also need to ask ourselves this question:

“If we have ransomware that is TELLING us we’ve been hit because it wants our money, what does that reveal about our vulnerability to more covert attacks too?”

Gavin Reid, VP of threat intelligence, Lancope:

“If the recent high profile attacks on organisations have shown us anything, it is that many organisations have critically underspent on security preparedness. Even attacks that are easier to defend against have been successful. Organisations need to invest in security maturity in basics like patching, security controls and incident detection and response. Recovery from ransomware is made much easier if the organisation has robust backup and restore programs.”

TK Keanini, CTO, Lancope:

“Ransomware will continue until folks stop paying. The exchange of money needs to stop before this activity stops. Every time someone pays the ransom, they fund this cybercrime business! Stop paying, and they will need to find another way to make their money. As I have said before, backups are not a big deal anymore with cloud backup services. Install the client, stay connected, and it just happens. The fact of the matter is that this yearly fee is cheaper than a single ransomware incident and we should be doing everything we can to not make it profitable for attackers.

Back up, back up, back up. We are dealing with information, so that when they steal it, you still have it. By that same token, in the case of ransom, they are holding your working data set to ransom, but you should have a backup copy always at the ready. This is business continuity, and even for personal computing, this is personal continuity.”

David Gibson, VP of strategy and market development, Varonis:

“It’s very difficult to prevent all types of malware from entering the network, and organisations should expect that some will penetrate external defences. Ransomware is very problematic for organisations because most aren’t watching or analysing user or data activity on file shares or in SharePoint. This means that it’s difficult to spot and stop an attack/infection while it’s in progress and very difficult to recover from. Without a record of activity, it’s difficult to know which files were encrypted and when. Tracking and analysing file activity with User Behaviour Analytics can help detect and stop the spread of malware, and make recovery much more straightforward.”
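As an added example (written for this page, not Varonis code) of the file-activity monitoring the comment describes, the detector below reads constructed file-share audit lines, keeps a sliding 60-second window of write-type events per user, and raises an alert with the affected paths and new file extensions once one account touches 50 files inside that window. The user names, paths, thresholds and the audit format are all constructed.

```python
"""Burst detector for file-share audit activity (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
WRITE_ACTIONS = {"modify", "rename", "delete"}
WINDOW_SECONDS = 60     # look-back window per user
THRESHOLD = 50          # write-type events inside the window that trigger an alert


def constructed_audit():
    """Chronological audit lines of the form '<ts> <user> <action> <path>' (constructed)."""
    lines = [
        "2015-10-27T09:00:01Z alice open /finance/q3.xlsx",
        "2015-10-27T09:00:20Z alice modify /finance/q3.xlsx",
        "2015-10-27T09:02:11Z bob modify /hr/policy.docx",
        "2015-10-27T09:03:05Z alice modify /finance/q3.xlsx",
    ]
    # Ransomware-style pattern: one account renames 80 documents to a new
    # extension within 40 seconds, two renames per second.
    for i in range(80):
        lines.append("2015-10-27T09:10:%02dZ mallory rename /shared/doc%03d.docx.locked" % (i // 2, i))
    lines.append("2015-10-27T09:12:00Z bob open /hr/policy.docx")
    return lines


def parse_event(line):
    ts, user, action, path = line.split(" ", 3)
    return datetime.strptime(ts, TS_FORMAT), user, action, path


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per user whose write-type events reach `threshold` within `window` seconds.

    Lines are assumed to arrive in chronological order, as a collector would deliver them.
    The alert keeps the window's paths, which is the record needed to know what was
    touched and when if recovery from backup becomes necessary.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, path) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, user, action, path = parse_event(line)
        if action not in WRITE_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, path))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            new_exts = {p.rsplit(".", 1)[-1] for _, p in q if "." in p}
            alerts.append({
                "user": user,
                "first": q[0][0].strftime(TS_FORMAT),
                "last": ts.strftime(TS_FORMAT),
                "count": len(q),
                "extensions": sorted(new_exts),
                "sample_paths": [p for _, p in list(q)[:3]],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(constructed_audit()):
        print("ALERT %s: %d write events between %s and %s, extensions %s"
              % (a["user"], a["count"], a["first"], a["last"], ", ".join(a["extensions"])))
```

The same logic runs unchanged over a live audit feed; a production version would tune the window and threshold per share to the normal rate of legitimate bulk operations such as backups or migrations.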



Hackers Can Silently Control Siri From 16 Feet Away

A pair of French researchers at ANSSI, a French government agency devoted to information security, have discovered that the voice assistant on iPhones and Android smartphones helpfully obeys the orders of any hacker who talks to it—even, in some cases, one who’s silently transmitting those commands via radio from as far as 16 feet away.

Gavin Reid, VP of Threat Intelligence at Lancope, stated:

“Additional functionality, especially concerning user convenience, has often come at the cost of some security. In this case the hack needs proximity to work and is a proof of concept needing specialised hardware. High security government equipment and installations have often come with additional shielding specifically to limit emanations and any covert channels. This attack is less likely to be leveraged by the criminal underground especially with other methods much easier to implement”.

@DFMag will bring further updates on this topic as they become available.



Three Questions about Online Security

By Jon French – AppRiver

When you give your personal information to a financial institution, government, or insurance company, you have a certain level of trust that they will do everything in their power to keep it safe. It’s easy to forget that at the same time you’re filling out paperwork online, in the dark world of cybercrime, hackers are doing everything in their power to get your information. Yes, your information. And yes, the UK’s National Crime Agency warning that cyber criminals are constantly coming up with new ways to hack victims is worrying, but it’s not the only weapon in the hackers’ arsenal.

In recent months many high profile organisations have had their systems breached and customer data stolen. Experian, Carphone Warehouse and the UK’s NHS have all had their virtual filing cabinets ripped open and their records rifled through.

The big questions many ask are why hackers want this information, what they do with it, and how people can safeguard themselves.

Why do they want my information?

Some hackers just enjoy a challenge. Some want to become infamous. Others are self-titled hacktivists. But more are in it for the money, and the bigger the data breach – 2.4 million records at Carphone Warehouse alone – the more opportunity they have to make it.

What do they do with my information?

Depending on how much information is taken, a hacker could try to open lines of credit in your name. With a home address, national insurance number, and first and last name, a hacker has just about everything he needs to apply for a credit card online, or even a loan.

Maybe you don’t have a lot of money in the bank or the best credit score. But if a hacker stole £100 from 100 people, he’d have £10,000. And while you’d probably notice and question a £100 charge you couldn’t remember making, you would be much less likely to question a £20 charge you couldn’t remember making. It’s not that they’re targeting you; it’s that they are targeting everyone as a whole. Of course, there are always those bad guys who will just open up as many credit cards in your name that they can and max them out even more quickly.

There’s also the case that we saw with Ashley Madison where hackers ran spam campaigns against customers on the list that was released onto the Dark Web. These spam and malware campaigns extorted the customers in exchange for not outing them to their families and friends. While blackmail spam campaigns are rare, since they normally require much more work than lifting an NI number from breached files, they could certainly be used – especially when emotions are involved.

How can I safeguard myself from this happening?

Between online banking, insurance and medical forms, it’s nearly impossible to control where your information is stored and who has access to it.

However, there are some personal steps you can take to keep your information safe, and some proactive habits worth learning:

Routinely check your credit report for suspicious activity, or even enrol in a credit monitoring service. It’s much easier to dispute suspicious charges and unauthorised lines of credit sooner rather than later, and many financial institutions set time limits on how long you can wait to dispute a charge.
Create strong passwords, use a different one for each account, and change any that may have been caught up in a breach. P@$$w0rd may seem clever but, actually, it’s not: swapping letters for look-alike symbols is the first thing a password-cracking tool tries.
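To show why P@$$w0rd offers no real protection, here is an added example (not code from the original article): a small checker that does what cracking rule sets do, undoing the usual symbol-for-letter swaps and stripping trailing digits before comparing against a list of common passwords. The word list is a constructed excerpt, not a real cracking dictionary, and the thresholds (12 characters, 16 for single-class passwords) are assumptions for the illustration.

```python
"""Password base-word check: undo leet substitutions the way a cracker does.
Added illustration; the common-word list is a constructed excerpt."""
from __future__ import annotations
import re

# Look-alike substitutions a cracking rule set reverses. "1" is ambiguous
# (i or l), so both readings are tried.
_LEET = {"@": "a", "$": "s", "0": "o", "3": "e", "4": "a", "5": "s",
         "7": "t", "!": "i", "|": "l", "+": "t"}
_TABLES = [str.maketrans({**_LEET, "1": one}) for one in ("i", "l")]

# Constructed excerpt of a common-password list (real lists run to millions).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "monkey",
                "dragon", "football", "iloveyou", "admin", "sunshine"}


def base_words(password: str) -> set[str]:
    """Candidate dictionary words hiding inside a password: drop trailing
    digits/punctuation ("Password123!" -> "Password"), lower-case, undo leet."""
    core = re.sub(r"[^A-Za-z]+$", "", password).lower()
    return {core.translate(table) for table in _TABLES}


def char_classes(password: str) -> int:
    """Count of lower, upper, digit and other character classes present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, password)) for p in patterns)


def weak_reasons(password: str) -> list[str]:
    """Empty list means no obvious weakness was found (not proof of strength)."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    hits = base_words(password) & COMMON_WORDS
    if hits:
        reasons.append("common word once substitutions are undone: "
                       + ", ".join(sorted(hits)))
    if char_classes(password) == 1 and len(password) < 16:
        reasons.append("single character class and under 16 characters")
    return reasons


if __name__ == "__main__":
    for pw in ("P@$$w0rd", "Password123!", "letmein2015",
               "correct horse battery staple"):
        print(f"{pw!r}: {weak_reasons(pw) or 'no obvious weakness'}")
```

P@$$w0rd collapses to "password" after the substitutions are reversed, so a cracker reaches it in the same first pass as the plain word; a long passphrase of ordinary words has no such base form to find.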

Don’t take the bait. You may think you’d never fall for a phishing scam, but hackers are getting more convincing. We’ve seen very legitimate-looking emails from credit card companies and online stores “alerting” users that their cards have been blocked and asking them to “confirm” their billing addresses and card numbers to restore access.
Don’t let the Trojan horse in. If you’re puzzled why your favourite store has emailed you a .zip “receipt” for a purchase you didn’t make, it’s because that attachment contains a Trojan. Opening it can enrol your computer in a botnet, install a keylogger, or lock up your files until you pay a ransom. You can always confirm your purchase history through the store’s customer service department or by logging into your online account.

Cover yourself with layered online security. You can shield your home or business from online threats with email spam and virus filtering and web protection: email filtering keeps malware from finding you, and web protection keeps you from finding it.

Don’t forget the updates. Updates often contain security patches that close the holes malware uses to get in. If your software and security tools don’t update automatically, schedule regular updates.
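The “Trojan horse” tip above turns on one habit: look at what is inside a .zip attachment before anyone opens it. The following is an added example (not code from the original article) that triages an archive without extracting a single member: it flags executable file types, the double-extension trick where a document name hides a real .exe, password-protected members that slip past mail scanners, paths that escape the extraction folder, and absurd compression ratios. The two sample archives are constructed in memory for the illustration and are not from a real campaign.

```python
"""Triage a .zip attachment without extracting it.
Added illustration; sample archives are constructed in memory."""
import io
import posixpath
import zipfile

# Member types that execute when double-clicked on a typical desktop.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".ps1", ".lnk", ".msi"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_COMPRESSION_RATIO = 100   # assumed threshold; real receipts sit far below it


def triage_zip(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = posixpath.basename(name).lower().split(".")
            ext = "." + parts[-1].strip() if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXT:
                finding = f"{name}: executable ({ext})"
                # "receipt.pdf.exe" or "receipt.pdf     .exe": the document
                # extension and icon are what the victim sees.
                inner = "." + parts[-2].strip() if len(parts) > 2 else ""
                if inner in DOCUMENT_EXT:
                    finding += f", disguised as {inner}"
                findings.append(finding)
            if info.flag_bits & 0x1:   # bit 0 = member is encrypted
                findings.append(f"{name}: password-protected member "
                                "(defeats mail-gateway scanning)")
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"{name}: path escapes the extraction directory")
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_COMPRESSION_RATIO:
                findings.append(f"{name}: compression ratio {ratio:.0f}:1, "
                                "possible zip bomb")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed archives: a benign receipt, or a disguised executable plus
    an over-compressed padding file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("Receipt.pdf     .exe", b"MZ" + b"\x90" * 64)
            zf.writestr("padding.txt", b"\x00" * (2 * 1024 * 1024))
        else:
            zf.writestr("receipt.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for malicious in (False, True):
        label = "malicious" if malicious else "benign"
        print(label, triage_zip(build_sample(malicious)) or "clean")
```

The check reads only the central directory, so nothing in the archive runs or is written to disk; a mail gateway or a cautious help desk can apply the same rules before a user ever sees the attachment.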



Extraordinary HBOS security lapse left customer bank accounts open to hacking – experts comment

One of the UK’s largest banks is being investigated over an extraordinary security lapse which left customers’ bank accounts open to hacking by fraudsters for up to two years. Halifax and Bank of Scotland (HBOS) has admitted criminals could easily access customers’ bank details and other personal information using only their name, date of birth and postal address. Armed with this basic information, fraudsters could go on to view account numbers, sort codes and credit card details as well as any payments made or received by their victim.

@DFMag received the following comment from Ryan Wilk, director at NuData Security:

“This breach exposed records including incredibly personal data such as a person’s bank account number, name, address, date of birth and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities – called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches. With this level of information, fraudsters can create new bank accounts or take out loans under an actual person’s name, causing problems for fraud victims for years down the road.

We’ve seen among our clients that account creation fraud attempts are on a sharp rise. Of the 500+ million account creations we analysed, more than 57% were flagged as fraudulent, and account creation fraud has risen over 100% since February of this year alone. That kind of long-term, big payout fraud can only happen with stolen customer PII.

This underscores why it’s vital to switch from traditional and insecure KBA-based authentication – easily stolen, hard to replace – to user behavioral analytics (UBA) and passive biometrics. Harness the power of behavioral attributes to authenticate users in ways that are less intrusive yet more secure. We learn how legitimate users act and get a front row seat to watch thieves try and fail to game the system with their stolen data. Becoming complacent in an age of massive data breaches is both a financial and reputational hazard.”

Mark Bower, global enterprise director at HP Data Security, commented further:

“This hack underscores the need for companies to protect all of the sensitive information they hold on their customers – particularly fields like those in this scenario, which should not have been accessible in the clear so easily. Criminals are always looking for a way to exploit a system in a way that they can then monetize in various ways. In this case there is a further risk from the personal information about the user, such as their name, account information and so on. Criminals could then use this information or sell it on for use in more targeted, larger-scale spear-phishing or potential identity theft attacks, especially when combined with other identity information available for that consumer online or from other data thefts. Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.

With the technologies available today to protect sensitive data fields in applications very easily and quickly, it’s a simple matter to cover all sensitive data to protect consumer trust and satisfaction. Securing sensitive personal data, which is commonly attacked to conduct fraud and irritating phone scams and phishing attacks at the expense and inconvenience of the British consumer, is a duty of every UK business today and not optional – and indeed a compliance requirement of the UK ICO privacy regulator.”



Charity shop chain America’s Thrift Stores reports card data breach

Charity shop chain America’s Thrift Stores has become the latest hacking victim after crooks planted malware at a third-party service provider and stole payment card numbers. In a statement, the for-profit outfit, which supports Christian ministries, confirmed the attack, which appears to have come from crooks in Eastern Europe. Customers who bought items at any of America’s Thrift’s 18 stores in the southern United States during September may have had their card numbers and expiration dates stolen, according to the US Secret Service.

Mark Bower, global director of enterprise data security at HP Data Security, provided @DFMag with the following expert comment:

“This is yet another hack that underscores the need for companies to protect all of the sensitive information they hold on their customers.  Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line.  Particularly with the transition to EMV, a data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.

Proven methods are available to neutralise this data from breaches. Leading retailers have adopted data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.

With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all your bases to protect consumer trust and satisfaction.”
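Bower’s comments on both the HBOS lapse (fields “accessible in the clear”) and the America’s Thrift Stores card breach turn on the same idea: protect the sensitive field itself rather than only the systems around it, so that malware or a database dump recovers nothing usable. The following is an added illustration of that data-centric approach, not HP’s product or any bank’s or retailer’s code. It tokenises card numbers through a toy in-memory vault (assumed to stand in for a separately hosted, HSM-backed service); the application database keeps only a token and the last four digits, and a simulated memory-scraper pass over that database finds no card number. The test card number 4111111111111111 is a constructed, Luhn-valid value.

```python
"""Field-level protection of card numbers by tokenisation.
Added illustration with a toy in-memory vault; not production code."""
import hashlib
import hmac
import re
import secrets
import string


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit test that card numbers must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the separately hosted vault (HSM-backed in a real
    deployment). The application tier only ever holds tokens; only the vault
    can map a token back to a card number."""

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key          # assumed secret held only by the vault
        self._pan_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: lets the vault return the same token for a returning
        # card without keeping a plain-text index of card numbers.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        # Random and letters-only: the token carries no information about the
        # PAN and can never be mistaken for one by a scraper hunting digit runs.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters)
                                 for _ in range(24))
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor boundary should ever call this."""
        return self._pan_by_token[token]


def record_payment(app_db: list, vault: TokenVault, pan: str,
                   amount_pence: int) -> dict:
    """What the application tier stores: a token (for refunds or repeat
    charges) and the last four digits (for receipts), never the PAN."""
    row = {"card_token": vault.tokenize(pan), "last4": pan[-4:],
           "amount_pence": amount_pence}
    app_db.append(row)
    return row


def dump_contains_pan(rows) -> bool:
    """Simulates what a memory scraper or a stolen database dump looks for:
    any contiguous 13-19 digit run that passes the Luhn check."""
    for row in rows:
        for value in row.values():
            for run in re.findall(r"\d{13,19}", str(value)):
                if luhn_ok(run):
                    return True
    return False


if __name__ == "__main__":
    vault = TokenVault(b"constructed-vault-key")
    app_db = []
    record_payment(app_db, vault, "4111111111111111", 1999)
    print(app_db)
    print("card number recoverable from app database:", dump_contains_pan(app_db))
```

The design point is the boundary: if the vault lives in a separately hardened service and the processor is the only caller of `detokenize`, malware on the point-of-sale or a dump of the customer database yields tokens and last-four digits that cannot be charged anywhere. Format-preserving encryption is the other common way to achieve the same outcome; the storage layout and the breach check are the same.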