Translink report suspected IT hack to the police

As reported by the BBC, bus and train operator Translink has reported a suspected hack of its internal IT systems to the police. The firm confirmed it has reported an “incident” to the Police Service of Northern Ireland (PSNI) after experiencing difficulties with its internal IT systems. Bus and train services have not been affected, a spokesperson said.

Jake Moore, Cybersecurity Expert at ESET:

“I applaud organisations that report cyberattacks at the earliest opportunity, which in turn gives them the best chance of quicker recovery. Attacks such as ransomware are not legally required to be reported as usually personal data isn’t compromised in this way, but holding your hands up will usually attract external expert support.

After the wake of the Travelex cyberattack, it has been proven that the reporting aspect of the situation is just as important as getting back to business as usual. Ransomware, although hugely impactful on a company, needn’t be embarrassing and we need to steer away from the stigma of damaging the brand or being further targeted. Cyberattacks are unfortunately inevitable but it’s the honesty from the start, including learning from what has happened, that will help put a company back on its feet with a stronger defence.”



Cisco Flaws Put Millions of Workplace Devices at Risk

As reported by Wired, researchers say that a crop of recently discovered flaws in Cisco enterprise products, like desk phones, web cameras, and network switches, could be exploited to penetrate deep into corporate networks. Because Cisco dominates the network equipment market, the bugs impact millions of devices.

All software has flaws, but embedded device issues are especially concerning given the potential for espionage and the inherent complexity of patching them. These particular vulnerabilities, found by the enterprise security firm Armis, can also break out of the “segmentation” IT managers use to silo different parts of a network, like a guest Wi-Fi, to cause widespread issues.

Jake Moore, Cybersecurity Expert at ESET:

“Cisco will always be targeted due to the huge numbers they operate on. However, the interesting aspect of this case is that these flaws could possibly be exploited by someone on the inside, which tends to be forgotten about in countless firms.

Usually automatic updates are the best way to protect against this type of threat, but so many of these devices do not allow auto updates and therefore become vulnerable very quickly even once a flaw is known. IT managers need to be aware of the risks and immediately update where possible before anyone is able to take advantage of this threat.”



NSPCC urges Facebook to stop encryption plans

As reported by the BBC, child-protection organisations say Facebook’s decision to strongly encrypt messages will give offenders a place to hide. The company is moving ahead with plans to implement the measure on Facebook Messenger and Instagram Direct. But more than 100 organisations, led by the NSPCC, have signed an open letter warning the plans will undermine efforts to catch abusers. They say Facebook has failed to address concerns about child safety.

Jake Moore, Cybersecurity Expert at ESET:

“Encryption is the backbone of the internet; without it, you lose all security. If you create a backdoor to encryption, you undermine the encryption entirely. There is an endless battle between law enforcement and the technology companies when it comes to encryption, but it is vital that we strike the correct balance.

I think Facebook are right to secure their applications, which in fact protects users. Taking away encryption allows cyber criminals to view sensitive data, which creates more problems in the long run. You could also argue that if Facebook was to allow access to its messaging platforms, many users could simply move to other more privacy-focused applications.”



Bug in Philips Smart Light Allows Hopping to Devices on the Network - Comment

It has been reported that security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.

Commenting on this, Boris Cipot, senior security engineer at Synopsys, said “IoT devices, be it bulbs, door locks, home assistants, switches etc., are a common utility in many households today. This is due to their versatility of use, which also helps to make life easier and more comfortable. They can be controlled by devices like our phones and other IoT devices in the same network, so we can use our voice to turn them on and off, or in the case of the Philips Hue bulbs, change the colour or intensity of light. The communication protocol used for giving commands to the Philips Hue bulbs and receiving information from them is called ZigBee, a standardized protocol used by many other IoT devices. Unfortunately, this protocol has a vulnerability enabling an attacker to exploit these IoT devices, including the Philips Hue bulbs and the Philips Hue Bridge model 2.x.

The good news is that the vulnerability has already been patched by Philips and the fix was released on the 13th of January. Users that have automatic updates enabled on their bridges have already got the patch applied. Those who have not enabled automatic updates or are unsure if they have, should check what their status is on the Hue System in the Hue app (Settings -> Software update -> Automatic Update). It is highly advisable to turn the automatic updates on as you do not want to miss any security improvements now or in the future. Furthermore, there are other perks to having automatic updates switched on. This includes ensuring you do not miss out on quality, security or performance improvements, as well as guaranteeing that your Hue System stays compatible with new Hue products.”



The UK Gov law outlines will provide a necessary first-step in enhancing IoT device security

The UK Government has unveiled new regulatory proposals for the consumer Internet of Things (IoT), forcing the IoT ecosystem to take a more rigorous and conscious approach to cybersecurity. With an estimated 75 billion internet connected devices worldwide forecasted for 2025, there is no denying that the scope of IoT is becoming a more integral part of our lives; yet with this comes the increased security risks.

Whilst the new law outlines requirements for unique passwords, no ‘factory reset’ options, vulnerability reporting functions and minimum timeframes for security updates, Paul Farrington, CTO of EMEA at Veracode, believes that, since manufacturers are among the worst offenders when it comes to fixing flaws, the proposal should be extended to ensure they build in software security at the early stages.


Paul Farrington, CTO of EMEA at Veracode:

“The outcome of the consultation will provide a necessary first-step in enhancing IoT device security. The Government has attempted to balance the needs of industry with those of users. Removing default passwords, coordinating vulnerability reporting and bringing clarity to technical support coverage is progress. These measures do fall well short of what is necessary to protect users. Research shows that manufacturing is one of the worst sectors at dealing with security bugs. 83% of software apps have at least one security issue. On average, firms take 171 days to fix a security defect. Improving ways for people to report problems is really a bare minimum. What we really need is a way for IoT device manufacturers to evidence how they are building security into the process, at the earliest stages. The toy industry has had to do something similar around safety-testing for decades. The Government will need to revisit IoT security legislation again before too long.”



CEOs are deleting their social media accounts to protect against cyber attacks - Comments

Professional services firm PwC surveyed over 1,600 CEOs from around the world and found that cyber attacks have become the most feared threat for large organisations – and that many have taken actions around their personal use of technology to help protect against hackers.

A total of 80 per cent of those surveyed listed cyber threats as the biggest threat to their business, making it the thing that most CEOs are worried about, ranking ahead of skills (79 per cent) and the speed of technological change (75 per cent).

48 per cent of CEOs surveyed said the risk of cyber attacks had caused them to alter their own personal digital behaviour, such as deleting social media accounts or virtual assistant applications or requesting a company to delete their data.


Saryu Nayyar, CEO of Gurucul comments:

“The fact that CEOs are becoming more aware of the danger of cyberattacks is encouraging. With the staggering costs that data breaches have incurred – lost money, lost reputation, lost jobs – cybersecurity is now a big enough issue to be elevated to the c-suite and the boardroom. It can no longer be ignored or relegated to second tier status or dropped into the laps of low level employees. Defining and implementing an effective cybersecurity program starts at the very top. The CEOs who recognise this will be rewarded by staying out of the data breach headlines.”



Three United Nations offices hacked

As reported by Computing, according to a confidential internal report leaked to The New Humanitarian, the United Nations was hacked via a Microsoft SharePoint vulnerability last year, with 20 administrative accounts compromised and malware implanted on 40 servers. Furthermore, the UN chose to cover up the attack, which has been described as “sophisticated”, rather than publicly disclosing it.

Jake Moore, Cybersecurity Expert at ESET:

“I believe no one should be covering up attacks in any way, shape or form. We have learnt that being open and honest about cyberattacks can in fact help the brands and organisations in the wake of these hacks and help build stronger defences going forward.

Owning up to a data breach or vulnerability usually brings the cyber security industry together, and can provide help and support. It also helps other organisations who may be at risk with similar vulnerabilities. Although it is yet to be seen how this attack was carried out, there is a lot to be learnt within the industry about reporting breaches, and hopefully over the next few years we will start to see a more honest approach.”



Zoom vulnerability would have allowed hackers to eavesdrop on calls - Comment

It has been reported that security flaws have been found in videoconferencing platform Zoom that would have allowed a potential hacker to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. While Zoom has addressed the issue, the report raises deeper concerns about the safety of videoconferencing apps that require access to microphones and cameras.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said “When running an online meeting, make sure you can identify all users who have joined. If you expect that any part of the meeting is information you want to keep confidential, use the password feature to protect the meeting from casual intruders. Meeting recordings should be protected with similar vigilance. For example, recording files should not be placed on unauthenticated servers, and any links to streaming recordings should be protected by some form of authentication.”



Thousands of Instagram passwords exposed by social media boosting service - Comment

It has been reported that Social Captain, an Instagram-boosting service, has exposed thousands of Instagram passwords. A website bug allowed anyone access to any Social Captain user’s profile without having to log in: simply plugging a user’s unique account ID into the company’s web address would grant access to their Social Captain account, and with it their Instagram login credentials.

Commenting on this, Stuart Sharp, VP of solution engineering at OneLogin:

“It is disappointing that in 2020 we are still seeing service providers failing to follow even the most basic steps to secure their customers’ data. The vast majority of websites should never need to store a user’s password (instead they are stored as a one-way, non-reversible hash). The Social Captain use case is special: they need the user’s clear-text password to log into their customer’s account. Given the sensitive nature of this architecture, it is all the more surprising that they failed to encrypt users’ passwords by default, and it appears that they continue to store these passwords in the clear. Service providers have a duty of care to their users to follow security best practices; discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and radically rethink their approach to security.”
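As an added illustration (not Social Captain's code), here is the kind of ID-only lookup the report describes beside a hardened version that ties the record to an authenticated session and keeps the stored credential out of the response. The profile and session stores are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:
    account_id: int
    owner: str              # username of the account holder
    instagram_user: str
    instagram_secret: str   # constructed placeholder, never a real credential

# Constructed sample stores standing in for a database and a session table
PROFILES = {
    1001: Profile(1001, "alice", "alice_ig", "PLACEHOLDER-SECRET-1"),
    1002: Profile(1002, "bob", "bob_ig", "PLACEHOLDER-SECRET-2"),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def vulnerable_profile(account_id: int) -> Optional[dict]:
    """Resolves the record solely from the ID in the URL.

    Any caller who supplies a valid ID receives the full record, including the
    stored Instagram credential: this is the access-control gap in the report.
    """
    p = PROFILES.get(account_id)
    if p is None:
        return None
    return {"account_id": p.account_id,
            "instagram_user": p.instagram_user,
            "instagram_secret": p.instagram_secret}


def hardened_profile(account_id: int, session_token: Optional[str]) -> Optional[dict]:
    """Requires a valid session and that the session user owns the record.

    A missing record and a record owned by someone else both return None, so the
    response does not confirm which account IDs exist. The stored credential is
    never included in the response even for the legitimate owner.
    """
    user = SESSIONS.get(session_token or "")
    if user is None:
        return None                      # unauthenticated request
    p = PROFILES.get(account_id)
    if p is None or p.owner != user:
        return None                      # not found or not the owner
    return {"account_id": p.account_id, "instagram_user": p.instagram_user}
```

The check the hardened version adds is per-object ownership, not just "is logged in"; an authenticated user must still be unable to read another account's record.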



Government plans new laws for smart gadgets

According to BBC News, the UK government is developing laws that would require manufacturers to ensure their smart gadgets cannot be hacked and exploited via the internet. This is in the face of concerns that many internet-enabled devices lack basic security features. Under the proposed laws, manufacturers would have to:

  • ensure all internet-enabled devices had a unique password
  • provide a public point of contact so anyone could report a vulnerability
  • state the minimum length of time a device would receive security updates

Jake Moore, Cybersecurity Expert at ESET:

“Confidence in the security of smart devices should come as standard so this new proposal can’t come soon enough. Long has there been a standoff between security professionals and manufacturers battling it out over the protection of customers and their gadgets, so if the government muscle in on the action it could just be the answer we have been fighting for.

Unique passwords are more important than most people tend to realise, so this simple yet effective ‘security by design’ move will add an instant layer of protection without the user having to think. Security doesn’t have to be difficult, but it is far more successful when the user is obliged to protect themselves by design. However, this is no doubt the end of the matter as cyber security is a never-ending battle against persistent threat actors. If this new law is constantly monitored and updated, this could be an extremely positive movement in the right direction.”