Applications open for GCHQ’s two Cyber Summer Schools

This summer, students from across the UK have the chance to immerse themselves in the world of intelligence by living and learning at one of GCHQ’s Cyber Summer Schools.

Now in its second year, the Summer Schools programme offers successful applicants a chance to develop their own cyber skills, learn how GCHQ protects the UK against cyber threats and meet other people with similar interests.

A student from last year said: “It was an exceptional experience, giving us a chance to enter the industry and earn experience unique to this place. The accommodation, pay and courses were excellent and really serve to attract students to this opportunity.”

To meet demand for places, the summer schools will this year run at four sites across the UK rather than two.

The Cheltenham-based school, Cyber Insiders, which runs from 4 July to 9 September, gives first or second year university students studying computer science, maths and physics (or related subjects) the chance to learn from some of the world’s best cybersecurity experts.

Cyber Exposure, which runs from 11 July to 19 August at sites in Scarborough, the Manchester area and the Thames Valley, is for those with a natural curiosity for technology and problem-solving. It will be open to students studying any subject who have five GCSEs, including Maths and English, and are also on track to achieve two A-Levels at C grade or higher (or equivalent).

Work at both summer schools will cover a wide range of technologies. Students will learn about GCHQ’s role in defending the UK against cyber threats while being paid £250 a week. At the end of the placement, students may be invited to apply for future summer schemes or permanent roles at GCHQ.

To apply, visit the GCHQ careers website. Applications open from 18 January.



8 of the Largest Data Breaches of All Time

By: Lauren Sporck, associate, OPSWAT

According to the Identity Theft Resource Center (ITRC), 5,754 data breaches were recorded between November 2005 and November 2015, exposing 856,548,312 records. The ITRC counted 783 breaches in 2014, the largest number in a single year to date, and found that 29% of 2014’s breaches involved hacking, up from 14.1% in 2007: a growing share of breaches now result from an outside attack. The ITRC list covers breaches large and small, but a few stand out for the number of records compromised and the costs that followed. Below are eight of the worst breaches in history, with the cause of each and its effect on the public and on the businesses involved.

1. TJX – 2003
Hackers infiltrated the network of TJX, the parent of Marshalls and TJ Maxx, and stole 45.7 million customer credit and debit card numbers. A group in Florida, not thought to have carried out the intrusion itself, was charged with buying card data from the hackers and using it to purchase about $1 million worth of electronics and jewelry from Walmart. This is still considered one of the biggest retail data breaches of all time.

2. Hannaford Brothers – 2008
Hackers stole 4.2 million credit and debit card numbers over roughly three months from the 300 stores of Hannaford Brothers, a large supermarket chain. Malware planted on servers at the stores intercepted card data as transactions were processed, and the stolen numbers were subsequently used in over 2,000 cases of fraud around the world.

3. Target – 2013

Attackers installed malware on point-of-sale (POS) terminals in the checkout lanes of Target stores to harvest card data as it was swiped. The breach exposed 40 million credit and debit card numbers and the personal information of up to 70 million customers. Malware from the same family was later found in the Home Depot breach described below.

4. Home Depot – 2014

Attackers first obtained a vendor’s login credentials, used them to reach Home Depot’s network, and then installed malware on the company’s payment terminals that captured customer card data; 56 million credit and debit card numbers were affected. The Ponemon Institute has estimated a cost of $194 per compromised record, covering card re-issuance and the resulting fraud. The monitoring typically offered to victims is expensive on its own: identity-theft protection through Experian costs $14.95 per month, so a single month of coverage for 56 million cardholders would come to $837.2 million.

5. eBay – 2014

In May 2014, eBay asked its 145 million users to change their passwords after discovering a breach, which had taken place between late February and early March, that exposed encrypted passwords along with other personal information. As in many of the breaches in this list, the attackers got in with stolen login credentials, in this case belonging to eBay employees rather than customers. Payment information was held by PayPal, stored separately and encrypted, and was not affected; the password reset was a precaution.

6. JP Morgan Chase – 2014
In 2014, a cyber-attack on JP Morgan Chase compromised contact information (names, email addresses and phone numbers) for 83 million household and small-business accounts. The attack was said to affect two-thirds of all American households, making it one of the largest breaches in history. A little under a year later, four men were indicted for the attack on JP Morgan Chase and several other financial institutions, on charges including securities and wire fraud, money laundering and identity theft; the scheme is said to have earned them over $100 million. In some instances login credentials were obtained by tricking users and then used to reach customer information. The attackers are also reported to have exploited Heartbleed, the OpenSSL vulnerability that let a remote client read chunks of a server’s memory, including data that TLS is meant to protect.

7. Sony Pictures – 2014

Analysts believe the Sony breach began with a series of phishing attacks on Sony employees, which persuaded them to open malicious email attachments or visit websites that dropped malware onto their systems. The emails relied on social engineering: they appeared to come from someone the employee knew, so the source was trusted. The attackers then used Sony employees’ login credentials to move into Sony’s network. Over 100 terabytes of data were stolen, and monetary damages are estimated at more than $100 million.

8. Anthem – 2015

In February 2015, attackers broke into Anthem’s servers and stole up to 80 million records. The health insurer operates Blue Cross and Blue Shield plans in a number of US states. The attack began with phishing emails to five employees, who were tricked into downloading a Trojan with a keylogger; the captured passwords gave the attackers access to data that was stored unencrypted. The breach was particularly damaging because it included millions of medical records, thought to be worth around ten times as much as credit card data on the black market, and the stolen records are expected to be sold there.

1. NBC News Reference
2. Network World Reference
3. Tripwire Reference
4. Krebs on Security Reference
5. Forbes Reference
6. USA Today Reference
7. Washington Post Reference
8. Wired Reference



Hyatt credit card breach affected 250 hotels worldwide

If you stayed at a Hyatt hotel between August 13 and December 8, 2015, there’s a possibility that your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.

Commenting on this, Mark Bower, global director of product management at HPE Security, said:

“Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.

According to the latest information, it appears a good portion of breached data came from the restaurant side of the hotel chain’s facilities. These are often integrated POS environments running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the POS itself.

Such POS systems are thus a target for payment specific malware. Many quick service and restaurant organisations have implemented newer data-centric security in these platforms by the addition of new card reading systems which encrypt the data before it arrives into the POS itself. Given the need to update the POS to handle EMV chip cards, the addition of encryption to protect the sensitive data from all forms of payment card is a no-brainer. If the POS is compromised with this approach, the attackers get nothing. This data-centric approach is realistically the only way to avoid POS malware impact. Traditional approaches of monitoring and anti-virus will only be effective until the next undetectable malware arrives.”
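To make the “attackers get nothing” point concrete, here is an added example in Go (not code from HPE, Hyatt or the original article) of a card reader that encrypts Track 2 data with AES-256-GCM before the POS application sees it, next to a simulated RAM scraper run over two POS memory images, one from a cleartext POS and one from a POS fed by the encrypting reader. The reader ID, transaction fields, memory layout and Track 2 string are constructed test data; the key is assumed to be injected into the reader at manufacture and shared only with the payment processor.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Constructed Track 2 data for the standard Visa test PAN 4111111111111111 (not a
// live card); the data after '=' is kept under 13 digits so it cannot look like a PAN.
const sampleTrack2 = ";4111111111111111=251210112345?"

// Envelope is all the POS receives from an encrypting reader: ciphertext, nonce,
// a key identifier and a first-six/last-four masked PAN for the receipt.
type Envelope struct{ KeyID, Nonce, Ciphertext, MaskedPAN string }

// newAEAD builds AES-256-GCM from the 32-byte key. Assumption: the key is injected
// into the reader at manufacture and shared only with the payment processor.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderSwipe runs inside the reader: the track is encrypted before a byte reaches the
// POS. The key ID is bound in as associated data so an envelope cannot be relabelled.
func ReaderSwipe(keyID string, aead cipher.AEAD, track2 string) (Envelope, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(track2), []byte(keyID))
	enc := base64.StdEncoding.EncodeToString
	return Envelope{keyID, enc(nonce), enc(ct), MaskPAN(track2)}, nil
}

// MaskPAN keeps the first six and last four digits of the PAN (the part before '=').
func MaskPAN(track2 string) string {
	pan := strings.SplitN(strings.TrimPrefix(track2, ";"), "=", 2)[0]
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ProcessorDecrypt is the far end of the tunnel: only a holder of the same key can
// recover the track, and any tampering with the envelope makes Open fail.
func ProcessorDecrypt(aead cipher.AEAD, env Envelope) (string, error) {
	nonce, err1 := base64.StdEncoding.DecodeString(env.Nonce)
	ct, err2 := base64.StdEncoding.DecodeString(env.Ciphertext)
	if err1 != nil || err2 != nil || len(nonce) != aead.NonceSize() {
		return "", fmt.Errorf("malformed envelope")
	}
	pt, err := aead.Open(nil, nonce, ct, []byte(env.KeyID))
	return string(pt), err
}

// Scrape is what RAM-scraping POS malware does: harvest 13-19 digit runs that pass
// the Luhn check. The \b anchors stop a masked PAN's fragments from matching.
var panRE = regexp.MustCompile(`\b[0-9]{13,19}\b`)
func Scrape(memory string) (hits []string) {
	for _, c := range panRE.FindAllString(memory, -1) {
		if Luhn(c) {
			hits = append(hits, c)
		}
	}
	return hits
}
func Luhn(s string) bool {
	sum := 0
	for i := range s {
		d := int(s[len(s)-1-i] - '0')
		if i%2 == 1 {
			d = d*2%10 + d*2/10 // double every second digit from the right, sum its digits
		}
		sum += d
	}
	return sum%10 == 0
}

// Demo swipes the sample card through an encrypting reader, then runs the scraper
// over a cleartext POS memory image and over the encrypted one.
func Demo() (plainHits, encHits []string, processorOK bool, err error) {
	key := make([]byte, 32) // constructed; a real key never leaves the secure facility
	if _, err = rand.Read(key); err != nil {
		return
	}
	aead, err := newAEAD(key) // held by reader and processor; the POS never sees it
	if err != nil {
		return
	}
	env, err := ReaderSwipe("reader-0417", aead, sampleTrack2)
	if err != nil {
		return
	}
	plain := "TXN id=0001 AMT=1999 TRACK2=" + sampleTrack2 + " STATUS=auth"
	encrypted := fmt.Sprintf("TXN id=0001 AMT=1999 PAN=%s KEY=%s NONCE=%s DATA=%s STATUS=auth",
		env.MaskedPAN, env.KeyID, env.Nonce, env.Ciphertext)
	got, err := ProcessorDecrypt(aead, env)
	return Scrape(plain), Scrape(encrypted), err == nil && got == sampleTrack2, nil
}

func main() { fmt.Println(Demo()) }
```

Run it and the scraper pulls the test PAN out of the cleartext POS image but nothing out of the encrypted one, while the processor still decrypts the track under the shared key. The masked PAN survives in POS memory because a receipt needs it; its six- and four-digit fragments never satisfy the scraper’s length test, which is exactly what PCI’s first-six/last-four masking is for.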



Spymel: A data stealing Trojan

Researchers have discovered a new data-stealing Trojan, Spymel, that employs genuine code-signing certificates to evade security tools. The certificate used by the Spymel operators was issued by DigiCert to a company named SBO Invest. After that first certificate was revoked, the attackers switched to a second certificate, also issued to SBO Invest.

Tim Erlin, Director of IT Security and Risk Strategy at Tripwire, says, “Why break in when you can steal a key? Compromising authentication, from passwords to certificates, is a tried and true method for cybercriminals across the globe. The reality of compromised authentication is what drives ‘trust but verify’ and ‘defense in depth’ models. If you put all your security eggs in one basket, someone else is going to make a data omelet with them.”



Did Russia Knock Out Ukraine’s Power Grid?

In light of new developments around the BlackEnergy cyber attacks attributed to the Moscow-affiliated hacking group Sandworm, @DFMag has received the following insights from Leo Taddeo, Chief Security Officer of Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office:

“The Sandworm Team is known to have conducted reconnaissance on US infrastructure.  If in fact the Sandworm Team was behind the recent attack on the Ukrainian power grid, it would send an important message to infrastructure operators and US authorities.  Perimeter defenses such as firewalls, and antivirus are not enough.  Assume the adversary is already inside your network.  Tight identity and access management and network traffic flow management are critical to preventing the malware from spreading from workstations to critical control systems.” 

Rohyt Belani, Co-Founder and CEO of PhishMe, told @DFMag:

“Cyberattacks are now a matter of life and death — the shutting down of power plants in the Ukraine resulting in a loss of power to hundreds of thousands proves this.

“Defending against attacks that can cripple critical infrastructures should now be a top priority for every individual, public and private sector organisation.

“When the full investigation into this attack is complete and all of the official reports are filed away, there will be much written about malware and its payload, but ultimately it will be concluded that it was the result of human error — in this case the inability to recognise a simple phishing email.

“When it comes to cybersecurity, 2016 needs to be the ‘Year of the Human.’ All organisations need to take drastic and immediate steps to prepare their employees and leaders with the ability to defend their organisations against cyberthreats.”



Expert Insight: European data center giant Interxion suffers data breach

In light of the news that European data center services giant Interxion is informing customers that it has suffered a security breach, which has seen hackers access contact information stored in its CRM about corporate clients and prospects, please see below for some comments from two UK cyber security experts.

Luke Jennings, Researcher at Countercept, gave @DFmag this comment:

“This shows that in 2016 even large organisations for which security is a top priority are still being compromised. Attack detection has become increasingly important as people are beginning to realise that no company can prevent every compromise and so it is imperative that they are able to detect and respond to them when they occur.

“In this case, customers of Interxion should also be concerned about potential targeted phishing attacks purporting to be from Interxion as someone out there now clearly knows a lot about them.”

Cris Thomas, Strategist at Tenable Network Security, shared this insight with @DFmag:

“Interxion said the breach was due to a compromise of local credentials to the CRM system. Credentials are becoming an increasingly valuable target for attackers who are looking to compromise networks. Companies who practice good cyber hygiene should be auditing user credentials on a regular basis.

“It looks like the only data impacted in this incident was contact details, so there should be little risk of identity theft or financial fraud; however, users who received a warning from Interxion should be on the lookout for such activity.

“The information obtained in the attack would be of value to attackers looking to conduct spear phishing campaigns, fake tech support fraud or other social engineering attacks. Security teams at companies that are Interxion customers should be extra vigilant.”




Operation Pleiades: Police from several countries take action against DD4BC

Operation Pleiades, a co-ordinated international operation aimed at the cyber criminal gang calling itself DD4BC (DDoS for Bitcoin), has resulted in arrests. Europol has published a report on the operation.

Dave Larson, COO at Corero Network Security, a company that specialises in mitigating DDoS attacks, gave @DFmag the following insight into how damaging such attacks can be:

“The collateral damage associated with successful DDoS attacks can be exponential. When service providers lack proper protection mechanisms to defeat attacks in real-time, the costs associated with the outages are wide ranging and the impact to downstream or co-located customers can be devastating.” Dave adds, “Further fueling this epidemic is the payout on these ransom related threats. DDoS attack tools are easy to come by and perhaps even easier to use. This is an easy and anonymous recipe for anyone looking to make a quick buck, and the victims are proving this every day. Properly prepared organizations can stem this tide by refusing the ransom requests, secure in the knowledge that they are protected and can withstand the storm.

During October 2015, 10% of Corero’s customer base was faced with extortion attempts, which threatened to take down or to continue an attack on their websites unless a ransom demand was paid. If the volume of DDoS attacks continues to grow at the current rate of 32% per quarter, according to Corero’s latest Trends and Analysis Report, the volume of Bitcoin ransom demands could triple to 30% by the same time next year.”

Europol provided details of the operation on their website



A third of UK legal sector risking confidential information by failing to provide unique employee logins

The lack of unique logins, reliance on manual logoffs and the use of concurrent logins are putting confidential information in the legal sector at risk, new research has revealed. A report by security software provider IS Decisions found that, despite the requirements of regulatory bodies, only 28% of legal employees are prevented from logging in concurrently on multiple machines, which not only puts information at risk but also narrows the options for investigation should something go wrong. A third (34%) of legal employees in the UK do not have a unique user login for their employer’s network, and 24% do not need a login at all to gain access, despite this basic control being a requirement of any security standard, including Lexcel and ISO 27001.

The report, ‘Legal and Law Enforcement: Information Access Compliance’, covers a number of issues that can have a direct effect on information security in the legal sector. Pertinent information such as case files, identity profiles and confidential statements can potentially and unknowingly become compromised if there isn’t a reliable access management procedure and system in place.

The report also details how the legal sector delivers security training, both to new starters and to those who have settled into their jobs. Almost a third (31%) received no security training when they joined, and fewer than half (43%) of existing employees have received IT security training. According to the report, 69% have access to information such as case files and crime data, but half said they have no automatic logoff procedure in place.

This is despite the security policies included in the set of objectives of ISO 27001, the international standard that specifies best practice for information security management. 

The figures in the report on access, logins and information security training show the need, first, to implement a good access management system and, second, to train staff to raise awareness and build accountability.

François Amigorena, CEO of IS Decisions commented, “The information that passes through legal professionals’ hands can be incredibly sensitive, and naturally attorney-client privilege must be taken into account. It is important to have a reliable system in place to manage and track access to this information and it doesn’t have to be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.”
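Two of the gaps the report describes, concurrent logins and the absence of automatic logoff, are straightforward to audit from logon events once they are collected centrally. The Go program below is an added example, not IS Decisions code or anything from the report: it replays constructed logon/logoff records (an assumed syslog-style “timestamp kind user= host=” format, with fictional users and hosts) and flags an account active on two machines at once, plus any session still open past an eight-hour limit. Only the format and the sample data are assumptions; the logic is the general check.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is constructed test data in an assumed "timestamp kind user= host="
// format with fictional users and hosts; it is not output from any real product.
const SampleLog = `2016-01-12T08:55:00Z logon  user=jsmith    host=WS-LEGAL-04
2016-01-12T09:10:00Z logon  user=jsmith    host=WS-LEGAL-11
2016-01-12T09:30:00Z logoff user=jsmith    host=WS-LEGAL-04
2016-01-12T09:45:00Z logoff user=jsmith    host=WS-LEGAL-11
2016-01-12T09:00:00Z logon  user=apatel    host=WS-LEGAL-02
2016-01-12T12:00:00Z logoff user=apatel    host=WS-LEGAL-02
2016-01-12T07:45:00Z logon  user=reception host=WS-FRONT-01`

type Event struct {
	At               time.Time
	Kind, User, Host string // Kind is "logon" or "logoff"
}
type Finding struct{ Rule, User, Host, Detail string }

// ParseLine reads one record; anything malformed is rejected rather than guessed at.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "host=") {
		return Event{}, fmt.Errorf("malformed record: %q", line)
	}
	if f[1] != "logon" && f[1] != "logoff" {
		return Event{}, fmt.Errorf("unknown event kind %q in %q", f[1], line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return Event{At: at, Kind: f[1], User: f[2][5:], Host: f[3][5:]}, nil
}

func ParseLog(log string) (events []Event, err error) {
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// Audit replays the events in time order, tracking the hosts each account is logged on
// to. A logon while the account is still active elsewhere is a concurrent session; a
// session still open at now for longer than maxSession shows nothing forced a logoff.
func Audit(events []Event, now time.Time, maxSession time.Duration) []Finding {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	active := map[string]map[string]time.Time{} // user -> host -> logon time
	var findings []Finding
	for _, e := range events {
		if e.Kind == "logoff" {
			delete(active[e.User], e.Host)
			continue
		}
		for other, since := range active[e.User] {
			if other != e.Host {
				findings = append(findings, Finding{"concurrent-login", e.User, e.Host,
					fmt.Sprintf("already active on %s since %s", other, since.Format("15:04"))})
			}
		}
		if active[e.User] == nil {
			active[e.User] = map[string]time.Time{}
		}
		active[e.User][e.Host] = e.At
	}
	for user, hosts := range active {
		for host, since := range hosts {
			if d := now.Sub(since); d > maxSession {
				findings = append(findings, Finding{"no-auto-logoff", user, host,
					fmt.Sprintf("session open for %s with no logoff", d.Round(time.Minute))})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { // map order is random; report deterministically
		return findings[i].Rule+findings[i].User+findings[i].Host < findings[j].Rule+findings[j].User+findings[j].Host
	})
	return findings
}

// Run audits the sample log as at 20:00 UTC on the same day with an eight-hour limit.
func Run() ([]Finding, error) {
	events, err := ParseLog(SampleLog)
	if err != nil {
		return nil, err
	}
	now, _ := time.Parse(time.RFC3339, "2016-01-12T20:00:00Z")
	return Audit(events, now, 8*time.Hour), nil
}

func main() { fmt.Println(Run()) }
```

On the sample data the audit reports jsmith logging on to WS-LEGAL-11 while still active on WS-LEGAL-04, and the reception account still logged on to WS-FRONT-01 more than twelve hours after it signed in. Note that the second finding can only be made at all because the account has a name; a shared or anonymous login would leave nobody to attribute the open session to, which is the report’s point about unique logins and accountability.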



Bromium 2015 Threat Report Highlights Vulnerabilities and Exploits for Popular Applications

Bromium, Inc. announced the publication of “Endpoint Exploitation Trends 2015,” a Bromium Labs research report that analyses the ongoing security risk posed by popular websites and software. The report finds that vulnerabilities and exploits in popular applications spiked in 2015, with vulnerabilities up nearly 60 percent and Flash exploits up 200 percent. It also highlights common attack trends, including the resurgence of macro malware, the continuing growth of ransomware and the ubiquitous presence of malvertising.

“Attackers focus on high value targets with the path of least resistance, which means that attack vectors may shift as previously vulnerable software implements new security to mitigate attacks,” said Rahul Kashyap, EVP, Chief Security Architect. “We have seen Microsoft take great steps to improve the security of Internet Explorer and Windows, which has forced attackers to focus on Flash exploits, malvertising and macro malware delivered through phishing emails.”

Key findings from “Endpoint Exploitation Trends 2015” include:

Vulnerabilities and Exploits Spiked in 2015 — Vulnerabilities and exploits targeting popular software, including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Adobe Flash, Oracle Java and Microsoft Office spiked in 2015. Vulnerabilities increased nearly 60 percent (from 733 in 2014 to 1167 in 2015) and exploits increased nearly 40 percent (from 10 in 2014 to 14 in 2015). Adobe Flash exploits increased 200 percent (from four exploits in 2014 to 12 exploits in 2015).

Malvertising is Ubiquitous – Bromium threat sensors identified malicious advertising (malvertising) attacks on 27 percent of the Alexa 1000.

Macro Malware Makes a Resurgence – Macro malware masquerades as a legitimate Microsoft Office document carrying a seemingly legitimate macro that obfuscates the attack. Social engineering, such as naming the file “Invoice Details,” entices users to open the file, allowing the attack to succeed. The malicious code itself is buried in large volumes of Visual Basic, making it difficult for behavioural analysis and anti-virus scanners to detect.

Angler Exploit Kit Most Popular – Exploit kits remain attackers’ tool of choice for launching malware. In 2015, exploit kits, led by Angler EK, kept pace with the latest vulnerabilities and continued to develop techniques to bypass network defences.

Ransomware Doubled in 2015 — Ransomware has become one of the most common attack trends since 2013, with the number of ransomware families growing sixfold (from two in 2013 to 12 in 2015). Ransomware families continue to innovate in their distribution, with Cryptowall 4.0 encrypting file names as well as contents and Cryptolocker Service leasing its malware as a service.

The full report is available here



Expert Comments on Vulnerability of U.S. Nuclear Computers

A new report out from the Office of the Inspector General claims the Nuclear Regulatory Commission’s cybersecurity center isn’t optimized to protect the agency’s network in the current cyber threat environment. The nation’s unclassified nuclear computer systems are vulnerable to cyber attacks because of generic security contracts that don’t spell out who is responsible for keeping an eye on them.

Tim Erlin, Director of IT Security and Risk Strategy for Tripwire says,

“It’s always less costly to build security in from the beginning instead of bolting it on at the end. This adage is true of both code and contracts. When IT outsourcing relationships are formed, information security is rarely at the top of the list of priorities. 

Securing computing systems isn’t a static task that can be easily described in contractual language. While there are best practices that can be specified, a reference to an established framework that can keep up with the changing threat environment may be a better approach.”