National Lottery data breach

Following this morning’s news of the National Lottery data breach, please find below comments from Alert Logic and Positive Technologies.

Oliver Pinson-Roxburgh, EMEA director at Alert Logic:

“The National Lottery breach highlights the challenge all organisations face today – and reiterates the fact that consumers have a significant role to play in protecting their online accounts.  Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through continuous monitoring, 24×7, and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers. Front the statement given by Camelot their monitoring uncovered the breach but the breach likely occurred due to poor password management from their customers. 

Consumers will be forced to change the password on their National Lottery account, and any other accounts that use the same password.  However they need to ensure that they don’t use the same password for other accounts, You should keep track of all the user accounts and passwords you maintain on the Internet.

A passphrase is also highly recommended, instead of a password.  You can take a common phrase and create a pattern that means something to you, then add minor edits as a way to keep passphrases different.  An example is: The sun rise is great today.  A simple passphrase could be: Tsr!Gr82day.  The passphrase is 11 characters long and contains number, upper/lower case letters and a symbol.  The exclamation mark (!) substitutes for the “i” in the word is.  You can add something specific to make the passphrase different on multiple accounts. 

This really demonstrates that no brand is safe and whilst organisations need stringent security policies and technologies, consumers play a role in the security of their accounts.”

Alex Mathews, EMEA technical manager, Positive Technologies:

“Big consumer brands which hold vast amounts of personal details are pay-dirt for cybercriminals. They often hold massive databases of  information which can be used for follow-up attacks on other services.  The people contacted should make sure they keep a close eye on their online accounts for phishing and other suspicious activity.  If anything looks awry, then it is probably best to treat it with caution.  Now is probably a good time for the affected people to change their passwords across the board.” 



Netflix kills password masking in tests

Following the news that Netflix is testing a new feature that may cause your browser to spill your passwords, please see below for a comment from Lee Munson, security researcher at

“Netflix, flying in the face of a popular opinion that suggests you should only tweak things to solve problems or make improvements, has dropped a bit of a clanger with its new feature that appears to boast ‘plain text passwords’ as its selling point.

“While I have every sympathy with people who have trouble using a keyboard, directly reducing the security of the service and, potentially, displaying login credentials which may have (carelessly) been used across a range of other sites, is a crazy idea from a company which seems to be increasingly out of sync with what its customers want and need.

“Netflix users with a cookie-deleting browser may, unfortunately, now need to disable that feature, while those who store their login credentials in their browser may be well advised to consider the pros and cons of a password manager instead.”



German Telekom investigating-hackers suspected as 900,000 hit by internet outage is reporting that German Telekom is looking into evidence of a cyber attack after 900,000 internet, phone and television clients were hit by a massive outage starting on Sunday, and going into Monday.

Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:

“While it is still unclear what caused this mass outage, it is important to note that massively scalable cybersecurity attacks, as evidenced by the recent Mirai Botnet attacks, is sure to be the new rage with the malicious hacker community.  This is particularly alarming because our testing tools have been able to uncover literally thousands of scalable attacks on very commonly deployed networking equipment and IoT devices over the last several years.  On more than one occasion we have discovered malformed inputs directed at the broadcast address of networks which caused the firmware of particular devices to erase, all at once.  It seems that simply finding a vulnerability is no longer all that interests the malicious hacker world, but finding and exploiting high impact vulnerabilities is very interesting.  Unless developers and users implement more rigor into discovering and mitigating software vulnerabilities, scalable attacks will continue to grow.”

Alex Mathews, EMEA technical manager at Positive Technologies:

“The attack of this kind isn’t something new: this year we had multiple reports about thousands of infected routers used for DDoS botnets. We would even suspect that this German story is about “a broken botnet”. After all, hackers are not very interested in broken routers, they prefer to take control over working routers, and use them for other attacks. Perhaps, someone tried to build a Mirai-like botnet out of these infected routers in Germany but something went wrong and routers just went off.

“Whether this attack could have been prevented depends on what type of vulnerability was used to infect the routers. For example, Mirai botnet code wasn’t too serious: the malware was looking for gadgets with well-known default passwords (admin: admin, root: password, and so on). If people had just changed these default passwords, their routers wouldn’t have been infected. On the other hand, the malware authors can use more serious, unknown vulnerability in routers’ firmware or in communication protocols. In this case, users hardly can do anything to protect themselves. Only serious security tests can detect such vulnerability. It should be done by service providers and by routers’ manufacturers… but unfortunately, they don’t do enough safety testing.”



San Francisco’s transport agency has been hacked – Mishcon de Reya Cyber Security Lead

Commenting on the news that San Francisco’s transport agency has been hacked resulting in customers being able to travel for free, Mishcon de Reya Cyber Security Lead Joe Hancock said:

“This attack is intended to extort money from the San Francisco Municipal Railway by denying access to ticket machines, e-mail and personnel systems. The hackers have encrypted over 2000 machines and demanded 100 bitcoin, showing this to be a larger scale attack others we have seen – usually it’s limited to just a few machines and 1 or 2 bitcoins per system.

“The attack has allowed passengers to ride for free in order to keep the railway running, and calls into question security and safety more widely. If the ransom is paid, it’s likely we’ll see other similar attacks with these real world consequences in 2017. Regulation around anonymous crypto currencies – like bitcoin – may now become a priority: removing the ability to receive anonymous payments will stop many of these criminal attacks, and should be a focus for government.

“There has been no mention of safety or railway operations being affected, suggesting the Municipal Transportation Agency (Muni) has older, analogue systems. Given that transport systems worldwide are being upgraded to Digital systems, especially for signalling, the next attack of this kind has the potential to stop trains or impact passenger safety.

“Businesses need to be resilient to these attacks. In the case of Muni, it’s positive that trains have kept running, even when the systems are under attack. For many businesses, a hack of this scale would mean shutting up shop for a few days. Despite the measures that are in place, the reputational fallout could be enough to stop those passengers with another option from using this public transport: with over 600,000 daily riders, Muni is dependent on its fares to operate. This attack could call the security in lots of transport sectors – such as airlines and shipping – into question.

“There is likely to be a greater uptake in Business Interruption coverage through Cyber Insurance, which has been on offer from insurers for a while with limited uptake. In light of these events, we would expect this to change. Businesses which rely on physical operations should review their cyber risks, as much as those that rely on eCommerce or digital channels.”



Cyber Security Roadshow Supported By Law Enforcement

Over 150 people attended the first cyber security UK roadshow event supported by law enforcement agencies.

Metsi Technologies proudly worked with Law Enforcement Agencies and industry partners to deliver the first cyber security and resilience roadshow event in London on Wednesday 23rd November 2016 at the Aviva head office.

The event has been extremely well received with attendees receiving valuable insight from cyber security experts and personnel.

During 2017 there will be a series of regional events that are aimed specifically at educating UK businesses, who are currently facing an alarming escalation from the threat, risk and impact of cyber crime.

The campaign named “Humans & Technology: Collaborate or Collide” is taking an ‘inside-out approach’ to reinforce the message that organisations can’t only rely on technology to safeguard them from data breaches.

Metsi are excited to be supported by law enforcement agencies NPCC including Metropolitan Police and City of London Police, NCA, Cyber Aware, London DSC and, leading industry partners including Resilient, Sailpoint, Skyhigh, RSA and NTT Security to deliver this national campaign.



NuData Security Threat Intelligence Highlights Risk Around Cyber Monday

Threat intelligence from NuData Security, provides an insight into the ominous cyber fraud threats coming over this holiday period.

Fraudsters are using increasingly sophisticated cyber fraud techniques and leveraging spikes in activity over Cyber Monday and holiday shopping periods to circumvent detection. As merchants and financial institutions implement additional security layers for automation, account takeover and fraud detection, hackers are evolving to find more complex and pervasive ways to commit fraudulent activities online. Much like a virus mutates in response to a vaccine, hackers are finding new ways of infiltration.

NuData Security analyses over 80 billion behavioural events annually over its customer base, and this month alone, have performed real-time analysis on 40 billion data points. NuData findings are such:

  • High risk events have more than doubled since this period last year representing a higher percentage of total traffic over all placements.
  • At the login, fraudulent activity increased from 4% to 15%.
  • According to NuData’s intelligence, 60% of new account creations are fraudulent compared to 39% last year. With the underground awash in compromised consumer data from breach-after-breach, fraudulent account creation will continue to climb. Fraudsters will create fraudulent accounts, and let them sit dormant or make the accounts look legitimate during the time leading up to holiday seasons, then strike. Typically, cyber-criminals target these times of year because they know security teams are stretched and policies are loosened up to accommodate volume. They can generally hide attacks within the volume of transactions.
  • Account takeover continues to be a dire problem for retailers. We saw a staggering 600% increase in login anomalies over this time last year. Both volume and sophistication has spiked, as stolen personal data is so easy to obtain, and consumers continuing to use the same user names and passwords from site to site, login processes have never been so easy to subvert.
  • This month has already seen a 128 percent increase in sophisticated scripted attacks from hackers gearing up for this holiday weekend.
  • We identified 50 million fraudulent attempts last November across our consortium, and as we are upon holiday shopping season – which will be a banner year for fraudsters – we are predicting an increase in high risk attacks targeting key retailers. We are predicting around 82 million of these attacks over the same holiday period across our consortium.

Mobile transactions represent a concern for merchants this holiday season, as consumers are moving more and more to mobile shopping, retailers are trying to balance security and experience. We’ve observed a 258% increase in unique devices (across our customer base), firmly supporting industry statistics of over 50% of all e-commerce traffic now coming from mobile devices.

  • Last holiday season mobile devices represented only 11% of total purchases; this year we are trending to reach 25% of all purchases coming from a mobile device.
  • As predicted, with increased usage, will come increased threats. We are seeing a spike in fraudulent activity from the mobile. With a spike from 11% of mobile transactions being high risk in 2015 to 32% this year, equating to a 190% increase over 2015. Fraud increases of this kind could have significant dollar value.

The typical value of a fraudulent transaction on Black Friday is $190 on a smartphone and $210 for tablets.

Fraudsters are using increasingly sophisticated techniques to steal data and circumvent detection:

  • Device and location spoofing has grown, to evade traditional security tools. Organisations relying heavily on device ID and geolocation based solutions to find risk, may be in trouble, as geographical and IP spoofing represented 10% of all risky login activity last fall leading up to Black Friday.
  • Account takeover and new account creation attacks are more challenging to detect as compared to conventional fraud tactics.

Robert Capps, VP, business development, NuData Security, said: “Analysing the information discovered from our Trust Consortium of data, it is clear that attackers are rapidly evolving their methods to more complex and evolved schemes. Organisations must be ever vigilant as fraudsters leverage the mass of freely available data on the dark web for cyber crime. Expecting consumers to maintain strong, non-reused passwords isn’t realistic, meaning retailers need to shoulder an even larger responsibility to protect their brand and users. This is why it is more important than ever for online merchants to employ technology that can help them effectively differentiate good customers from bad.”



Personal password practices place thousands of UK businesses at risk

SecureData, a leading provider of cybersecurity services and solutions, with its elite consulting arm SensePost, has published original research revealing thousands of UK businesses are immediately at risk from potential compromise of their Outlook Web Access platform.


This research serves to illustrate the potential impact of a new generation of hacking tools that escalate the impact of a compromised email address and password via the Outlook Web Access interface to full remote compromise of the corporate network.


The research suggests close to 0.5% of all organisations in the SecureData study could be cracked using a combination of publicly available email addresses from previous data breaches and poor password security behaviour by users, as they reuse passwords between professional and personal applications.


The researchers analysed 1.5million compromised email addresses from 173,000 individual organisations in the UK. SecureData could crack 92% of passwords* where the compromise included the hashed, or one-way encrypted password. From this sample of organisations, 1,226 could be identified as using Outlook Web Access. Assuming some users were reusing the same password (or password ‘scheme’) between their private and work accounts**, as many as 868 organisations in the study are at immediate risk of simple, low-cost and sophisticated compromise of their network systems. Using the ratio of compromised organisations revealed in the research (0.5%), it suggests as many as 53,000 of the 10.5million .uk domain registrations in the UK could be similarly at risk.


With 1 billion newly breached email addresses exposed on the public web during 2016 (Source:, the SecureData team has highlighted this attack vector as a sleeping dragon of corporate network security and a style of exploit which they expect to increase in prevalence.


Charl van der Walt, Head of Security Strategy at SecureData comments: “We developed this research as a vehicle to illustrate the increasing security challenge as employees mix their corporate and personal online universes. This is exacerbated by enterprise risk models that fail to appreciate how attackers view their business, reflecting instead their own view as to what is valuable.


“The prize here for the hacker is not just the email account itself, but the ability to write Outlook rules on the user’s desktop via OWA. The SensePost “Ruler” toolset shows how we can turn an OWA password compromise into full and persistent remote access to the network, with potentially devastating effect,” van der Walt continues. “Microsoft Exchange has been considered a relatively benign element of corporate IT, but it’s becoming more popular and valuable as a target. In addition, Exchange is exposed onto the Internet via OWA and put more at risk via weak or leaked email passwords.  We wanted to highlight this simple exploit as a way to warn security managers not to under value what appear to be low-risk corporate assets.”


Email address compromise has become more common and is often the intention of large-scale hacks (Ashley Madison, LinkedIn, YouPorn, Adobe etc). With the increasing supply of compromised email addresses available to hackers, organisations should be vigilant about the potential impact of these leaks, for example via an escalation of phishing attacks or password reuse attacks.


Key stats from the study:

·         Research took place between October 22 and November 22, 2016

·         Dataset 1 – breached email data:

o   1.5million compromised email address researched, from 173,000 UK domains (.uk only)

o   Scanning uncovered 1,226 OWA interfaces

o   92% of passwords leaked could be cracked by SecureData

o   868 UK organisations, or 0.5% overall of UK organisations are at risk from this type of exploit (assuming 77% password prediction rate)

·         Dataset 2 – LinkedIn:

o   3.7 million compromised email address researched, from 500,000 UK domains (.uk only)

o   Scanning uncovered 2,000 OWA interfaces

o   92% of passwords leaked could be cracked by SecureData

o   1842 UK organisations, or 0.36% overall of UK organisations are at risk from this type of exploit (assuming 77% password prediction rate)

·         Dataset 3 – Alexa Top Million:

o   From the Alexa “Top Million” websites list, 15,653 have a .uk domain

o   Scanning identified 1,105 unique .uk domains within this dataset with exposed OWA servers (7%)

o   712 of these OWA accounts were also present in the list of 173,000 organisations exposed in the breaches we studied in dataset 1

o   92% of passwords leaked could be cracked by SecureData

o   This analysis suggests 504 .uk domains in the Alexa Top Million (3.2%) are potentially at risk to an OWA compromise


Key supporting information and industry sources:

·         * “SecureData can crack 92% of passwords”, statement refers to SensePost’s elite consulting team activity and is supported through previous analysis, for instance of 3,743,733 UK addresses compromised in the 2012 LinkedIn breach, 2,622,252 included hashed passwords. Of these the SecureData research team were able to crack 2,382,216 or 90.85%. SecureData reports the percentage crack range to be consistently between 90-95% for UK email addresses

·         ·         ** “77% of passwords are reused by users”, statistic is referenced by Princeton University study, 2014 which suggested that most internet users have a universe of 25 online accounts. When asked to select a password for anew account, the study found 77% would either modify or reuse existing passwords. Further SecureData research supports this statistic.



Global cyber-crime expert warns airports are ‘extremely vulnerable’

International cybercrime expert and United Nations advisor Dr. Jim Kent has warned airports around the world are ‘extremely vulnerable’ to infiltration by terrorists wanting to launch catastrophic attacks from within.

Dr Kent, the Global Head of Security and Intelligence with Australian technology and data investigation company Nuix , says there is a real risk of terrorist groups targeting airports, penetrating their systems and technology to recruit, extort and potentially launch devastating attacks.

Dr Kent’s says the revelation in 2012 that an entrenched network of corrupt customs officials had been operating out of Sydney Airport, and the exposure this year that a network of Australian border security officials had allegedly been working for organised criminals, as well as last week’s major security breach at Melbourne airport only confirms his assessment that terrorist groups could infiltrate airports and other Australian businesses in similar ways.

In his advisory role, Dr Kent has worked with international intelligence agencies on a number occasions to investigate cases where companies have been infiltrated by groups such as radicalised jihadists.

Dr Kent is in Australia this week to advise intelligence and corporate leaders about these type of specific terrorist threats to Australian and multi-national organisations.

“We have clear evidence that radicalised jihadist groups are infiltrating mutli-billion dollar global companies to covertly use their structures and technologies to prepare for attacks,” said Dr Kent.

“Big businesses like airlines, airports and mining companies, have highly valuable networks, technologies and infrastructure which are very appealing to terror cells.

“While the threat to companies is very real, most would have absolutely no idea they have been infected by organised crime or terrorist groups to use them as a host.”

While specifics around infiltration investigations remain confidential, Dr Kent says he has uncovered terrorist groups operating covertly within global companies for long periods of time without attracting attention.

Dr. Kent says many Australian businesses are unaware that terrorist and organised crime cells employ tactics where they infiltrate and weaponise internal infrastructures to mask and execute their operations.

“Australian companies are vulnerable to terrorist groups using them as hosts if they don’t closely monitor individual behaviours across their organisation in a holistic way,” Dr Kent said.

While all industries are at risk, Dr Kent has warned that businesses specifically operating in the aviation, transport, finance and resource sectors need to be extra vigilant, ensuring they have effective cybersecurity strategies in place to prevent infiltration by terrorist groups and crime syndicates.

“Large organisations often operate in silos, which creates a false perception of security,” Dr Kent said.

“In my view, airports are still extremely vulnerable to infiltration and attack by terrorist groups because critical monitoring of unusual activity and enforcement of security measures is rarely joined up.

“In my assessment, terrorist groups could still work their way into an airport like a virus, for example by covertly infiltrating baggage handlers, immigration staff, freight drivers, pilots and cabin crew.

“Organisations really need to scrutinise their internal structures and systems to uncover avenues virus groups may attempt to exploit.

“Whether its logistics to track where assets are moved, finance to monitor cash flows or human resources to see patterns in positions filled – these are all elements that come together to tell a story of how organisations can be infiltrated and used in different ways.”

In raising awareness of the terrorist and organised crime risks, Dr Kent is urging organisations to be more transparent and collaborative with one another around data breaches.

Dr Kent is calling on organisations to adopt a holistic view of cybersecurity; focusing on technology that not only defends against external threats, but also monitors and alerts businesses of trends, behaviours and keywords to protect themselves from internal threats.



Android banking malware masquerading as email app targets German banks

Security researchers have found an Android banking malware masquerading as an email app that targets several large German banks. This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It also has the ability to resist anti-virus mobile apps, as well as hinder 30 different anti-virus programs and prevent them from launching.

Commenting on this, Don Duncan, security engineer at NuData Security , said “In the Android world, device administrator access comes with a lot of benefits. It’s this level of access that allows malware access and control over a device pretending to be you. A BYOD (bring your own device) that you’ve purchased and use has now become the vehicle for others to collect not only your personal information, but corporate data as well.

This is one challenge with device authentication, as it assumes that the person with the device and the information on the device represents a living and breathing user. Device authentication is a carry-over from the personal computing era which doesn’t map well to the new mobile world. Users have multiple devices in various forms, and it’s important in this age of IoT (Internet of Things) to determine if there is a real user behind the device or if it’s an impersonator. For example; I may be driving the car, but that doesn’t mean it’s my name on the insurance slip in the glove box.

The use of passive behavioural biometrics allows another level of authentication without introducing frustration into the user’s mobile experience. The use of passive behavioural biometrics during the user engagement is not only with the device, but the mobile application, and addresses many of the gaps in the existing mobile user authentication process making exploits like this much easier to spot. This is true when the device is being impersonated, as with this malware, or when the data is farmed via the intercepted SMS messages and later used for identity crimes. Because passive biometrics and behavioural analytics can detect if it’s the real human user interacting with the device, it can detect this type of impersonation in real-time. Placement examples are at user login, initiating a transaction, credit applications, money movement, account changes, or opening new accounts. This enables FI’s to make good risk decisioning at any of these stages because they have a fuller and more accurate understanding of the risk each customer or “customer” presents.”



UX versus User Security: Part three

Part three: Reduce the impact security has on IT
By François Amigorena, CEO, IS Decisions 
There are a lot of barriers when it comes to guarding against compromised credentials and many solutions can add further complexity to the IT department. In fact, in our guide UX versus User Security, (featuring a survey of 500 IT Security Managers in the US and UK) we found the three biggest barriers to guarding against compromised credentials to be: complexity within the IT infrastructure; having the time to manage and properly oversee the network; and the cost of technology solutions.

Each issue is a serious challenge in its own right and some IT departments may face more than one simultaneously. For example, the side effect of a complex infrastructure is that it is probably time consuming to manage. But what IT departments need to know is that finding a way to overcome these barriers doesn’t need to be frustrating and doesn’t mean they need to start from scratch.

My advice would be to seek out solutions that are adaptive to the existing IT infrastructure and can be deployed across all users without the need for additional hardware or software such as tokens or individual installations across workstations. This effectively tackles the three major barriers — complexity, time and cost — in one hit.

By choosing a solution that leverages existing investments in IT infrastructure and can be remotely installed — rather than individually workstation-by-workstation — without the need for complex or customised code, it is possible to guard against compromised credentials without additional headache for the IT department. Most importantly of all, make sure it is easy to manage.

Compromised credentials is a very real thing and it can happen to anyone, anytime and from anywhere so it’s important to it take seriously. While there may be barriers, there are certainly credible options for IT departments that will help them take the necessary steps to protect the organisation and its employees from threats.

Learn more about Supporting user experience through education to cultivate a culture of security within the organisation.