ICYMI 2016 - What an explosive year!

The internet is inherently insecure, and 2016 headlines emphasised the fact, with cyber-security setting more records than the Brazil Olympics, and causing more disruption to business and politics than Trump and Brexit combined.

IOT devices from CCTV cameras to appliances were commandeered in a Mirai botnet 1.1 Terabyte DDoS attack on the DYN servers and Yahoo was revealed to have suffered a billion client credentials lost due to a hack that occurred years ago. Total cyber-crime losses exceeded physical crime in the UK for the first time with some estimates putting the UK losses at around £1 billion.

We've seen more senior staff lose their jobs after becoming victims of the growing plague of ransomware and whaling, which has increased exponentially. Security flaws in mobile, cloud and IoT all arrived to enliven our lives; the Russians stepped up politically motivated hacking, believed by some to have secured their biggest ever coup by influencing the US presidential election in favour of their preferred candidate, while the Chinese appear to have reduced their pursuit of Western IP, resulting in a 90 percent drop in the previous wholesale illegal value transfer. Cyber warfare got real, with Ukrainian power stations brought down by Russian hackers, and NATO declared cyber-space a domain of warfare.

Criminals found a way to steal from the SWIFT banking payment system, and are believed to have obtained genuine credentials to do so, while Tesco Bank was also hacked and lost £2 million, though it has yet to reveal the method used.

In response, law enforcement and governments have increased their access to and control over information flows: laws demand that information on citizens be kept on servers within their own countries, Russia is moving to wean itself off Western technology while China makes its own copies, and laws such as the IP Bill legitimise the secret services' access to and retention of personal data.

With cyber-security having become such a high-profile, well-publicised activity, it should come as no surprise that finally, finally, global industry gets it and understands that its information has a value and needs to be secured against theft by criminals and other adversaries, even if two thirds of boards in the UK still don't understand what their cyber-security risk appetite may be.

December

Yahoo billion email breach

November

Adult friend finder hacked, 412 million users compromised

Lauri Love extradition order confirmed by Home Secretary

UK Government launches new National Cyber Security Strategy

IP Bill receives Royal Assent, officially becomes law

Tesco Bank accounts frozen as cash taken from 20,000

October

Huge DDoS attack hits Twitter, Github, Spotify and others

National Cyber Security Centre HQ operational

September

Fancy Bear hacks World Anti-Doping Agency

Online fraud overtakes physical crime in UK

August

Barclays bank to identify customers by voice

Leoni AG suffers £34 million whaling attack

Shadow Brokers' leaked files confirmed real by Snowden docs

NIST axes SMS-based two-factor authentication for US government apps

July

Intelligence officials have 'high confidence' Russian gov hacked DNC

June

TeamViewer has potential security flaw, Reddit community in upheaval

May

New PCI DSS version concentrates on multi-factor authentication and encryption

SWIFT: BoE demands UK banks step up cyber-security after Bangladesh attack

Action Fraud warns of new wave of Lizard Squad DDoS attacks

April

Panama Papers: Who let the docs out?

6000 staff join data breach lawsuit against Morrisons

Worldpay merchant portal allowed merchants to view customer card data

The EU General Data Protection Regulation (GDPR) passes final approval in the European Parliament

March

US team find 0-day to hack Apple iCloud photo, Adele and Harry Styles among victims

NatWest online banking suffers SMS 'smishing' scams

Data breach authority Verizon Enterprise breached; 1.5 million customers impacted

Locky ransomware 'on the rampage' globally

February

Snapchat got whaled, employee payroll released

Costs of TalkTalk breach amount to £60m

US Gov confirms Ukraine power outages were caused by cyber-attack

January

I hacked Citrix, says Russian hacker w0rm

OpenSSH vulnerability means your keys are OpenPREY

Hospitals under attack

December

Yahoo billion email breach

The year ended with a bang when Yahoo's CISO, Bob Lord, announced on the company's blog that the accounts of more than one billion users may have been accessed in a cyber-attack dating back to 2013, separate from the 2014 hack reported earlier this year, which affected 500 million accounts.

Alluding to who may be behind such an attack, Lord said: “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” referring to the 2014 breach.

The firm said that the unauthorised third party had stolen data including names, email addresses, phone numbers, dates of birth and passwords hashed with MD5, and added that “payment card data and bank account information are not stored in the system the company believes was affected.”

The company said, “based on the ongoing investigation, we believe an unauthorised third party accessed our proprietary code to learn how to forge cookies,” and added, “we are notifying the affected account holders, and have invalidated the forged cookies.”

This new breach threw a spanner in the works of Verizon's imminent US$4.8 billion (£3.9 billion) acquisition of Yahoo, raising the question of whether the US mobile carrier will try to get a better deal or drop it.

November

Adult friend finder hacked, 412 million users compromised

In what could rival the size and impact of an earlier hack of MySpace, usernames, purchasing patterns, internet addresses and passwords of more than 412 million subscribers were exposed after Adult Friend Finder was breached.

In a number of instances, passwords stored in clear text are visible, and in other cases passwords hashed with SHA1 were easily cracked, according to breach notification website LeakedSource.
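Why "hashed with SHA1" (or the MD5 hashes in the Yahoo item above) offers so little protection is worth seeing in code. The following is an added example, not code from the article or from any of the companies named: it audits a small constructed user table, shows that an unsalted MD5/SHA-1 digest is reversed by a simple precomputed table, and contrasts that with a salted, iterated PBKDF2 record that cannot be attacked with one shared table. The record format strings (`plain$…`, `sha1$…`, `pbkdf2_sha256$…`) and the wordlist are this example's own conventions.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the dictionaries used against
# unsalted hashes; none of this is data from any breach.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty", "iloveyou", "dragon"]


def unsalted_digest(password, algo):
    """The weak scheme: one fast, unsalted pass of MD5 or SHA-1 over the password."""
    return hashlib.new(algo, password.encode()).hexdigest()


def precomputed_table(algo, words):
    """Digest -> word table. With no salt, a single table covers every user at once."""
    return {unsalted_digest(w, algo): w for w in words}


def reverse_unsalted(stored_digest, table):
    """Return the password behind an unsalted digest if it is in the table, else None."""
    return table.get(stored_digest.lower())


def pbkdf2_record(password, salt=None, iterations=200_000):
    """The hardened scheme: per-user random salt plus a deliberately slow derivation."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, record):
    """Recompute from the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(cand, bytes.fromhex(dk_hex))


def classify(record):
    """Describe how a stored credential is protected (format is this example's own)."""
    scheme = record.split("$", 1)[0]
    if scheme == "plain":
        return "cleartext: exposed outright on any read of the table"
    if scheme in ("md5", "sha1"):
        return f"unsalted {scheme}: reversible by table lookup or fast brute force"
    if scheme == "pbkdf2_sha256":
        return "salted iterated KDF: each guess costs a full derivation, per user"
    return "unknown scheme"


def audit(records):
    """Return (record, finding, recovered_password_or_None) for each stored record."""
    tables = {a: precomputed_table(a, COMMON_WORDS) for a in ("md5", "sha1")}
    out = []
    for rec in records:
        scheme, _, rest = rec.partition("$")
        recovered = None
        if scheme == "plain":
            recovered = rest
        elif scheme in tables:
            recovered = reverse_unsalted(rest, tables[scheme])
        out.append((rec, classify(rec), recovered))
    return out


# Constructed user table for the demonstration: one cleartext entry, three
# unsalted digests and one PBKDF2 record.
SAMPLE_RECORDS = [
    "plain$iloveyou",
    "sha1$" + unsalted_digest("letmein", "sha1"),
    "md5$" + unsalted_digest("qwerty", "md5"),
    "sha1$" + unsalted_digest("correct-horse-battery", "sha1"),
    pbkdf2_record("letmein"),
]

if __name__ == "__main__":
    for rec, finding, pw in audit(SAMPLE_RECORDS):
        print(f"{rec[:36]:<36} {finding:<62} {pw}")
```

The audit recovers every cleartext and wordlist-covered unsalted entry immediately, while the PBKDF2 record for the same weak password "letmein" is untouched: the salt means the table built for one user is useless for the next, and the iteration count makes each individual guess expensive.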

At the time this was the worst hack of 2016, outdoing the MySpace hack whose tally reached 360 million. And, this is not the first time that Adult Friend Finder, a portal operating a number of so-called 18+ services, has been breached. It was the target of an attack in May 2015.

October's attack hit six properties operated by FriendFinder Networks (FFN): Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com, iCams.com and an unknown domain. It was reported that the attackers purloined nearly 20 years of data.

FFN has so far not confirmed the attack, but did acknowledge being made aware of "potential security vulnerabilities." 

“FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources," Diana Ballou, VP and senior counsel at FFN, told ZDnet. "While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”

Lauri Love extradition order confirmed by Home Secretary

An order for the extradition of Lauri Love to the United States to face multiple charges of computer misuse was approved by the Home Secretary.

Love, age 31, was ordered to be extradited at a court hearing on 16 September by Westminster Magistrates' Court. Under the Extradition Act, once the judge approves a request from a foreign country for extradition, it must be ratified by the Home Secretary before it is carried out.

The case was seen as the first test of the forum bar, a new provision of the Extradition Act 2003 which was introduced to correct the perceived imbalance in extradition arrangements between the UK and the USA. However, the judge rejected the forum bar argument, saying in effect that Love could expect to receive the same measure of justice in the US as he would in the UK.

Love also argued that his mental and physical health would be jeopardised by extradition. Love suffers from Asperger's syndrome and depression and his counsel argued that he was at high risk of suicide if extradited.

He also suffers from severe eczema which requires a rigorous treatment regime which it was argued he would not be able to get in a US prison.

Both of these arguments were rejected by the judge who ordered his extradition.

A Home Office spokesman said: "On Monday 14 November, the Secretary of State, having carefully considered all relevant matters, signed an order for Lauri Love's extradition to the United States.

UK Government launches new National Cyber Security Strategy

In a bid to become one of the “safest places in the world to do business”, the UK government launched its new five-year National Cyber Security Strategy, unveiled by the chancellor, Philip Hammond.

He set out a number of measures that government will take, while encouraging business to “up its game to prevent damaging cyber-attacks”.

The strategy confirms a previously announced budget of £1.9 billion, nearly double the amount invested in the previous cyber strategy, much of which will be spent on existing programmes at the intelligence agencies.

The strategy recognises the increasing vulnerability of the network of connected devices, the skills gap, risks from the use of legacy IT and the ubiquity of hacking tools available to attackers.

The strategy also spells out the role of the new National Cyber Security Centre (NCSC) and how it will support organisations as they struggle to deal with cyber defence.

The National Cyber Security Centre (NCSC) became operational on 1 October 2016 and is part of GCHQ. Its vision is to help make the UK the safest place to live and do business online. Led by chief executive Ciaran Martin, the NCSC will have a team of approximately 700 people in the Nova Building, Victoria, London with full occupancy expected by early 2017.

The strategy has been broken down into three areas: defence, deter and develop.

IP Bill receives Royal Assent, officially becomes law

Queen Elizabeth II has given Royal Assent to the Investigatory Powers Bill, which officially makes it law.

Legal challenges against the bill are already under way, and popular opposition to the law has already gathered over 133,000 citizens to sign a petition calling for its repeal. It is unlikely to happen, but the petition's case must now be considered by Parliament for further debate.

Members of the Don't Spy on Us coalition are continuing their involvement in legal action against the proposed mass surveillance powers. The organisation notes: “The UK's legal regime for bulk surveillance is being challenged in two separate cases at the ECHR, while the data retention regime is being questioned in the UK and EU courts in the Watson (previously Watson-Davis) challenge.”

A ruling by the Court of Justice of the European Union in late December means that parts of the Bill have been shown to be unlawful and will need to be amended.

Tesco Bank accounts frozen as cash taken from 20,000

Tesco Bank has frozen online banking transactions after 20,000 of its customers had money stolen from them over the weekend.

The ‘precautionary measure’ was taken after around 40,000 customers of the supermarket's retail finance arm are alleged to have had suspicious activity on their current accounts. Of those, 20,000 are known to have reported money taken from their accounts without their consent.

Online transactions have been frozen by the bank to stem further potential thefts from current accounts. Benny Higgins, chief executive of the bank said in a statement that "as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts."

A statement posted on the Tesco Bank's website, said that “current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal.” Tesco Bank has also declared that it will refund customers who had money stolen.

October

Huge DDoS attack hits Twitter, Github, Spotify and others

A number of websites have been hit by an outage, meaning many users were unable to access sites such as Twitter, SoundCloud, Spotify and Shopify.

The cause appears to have been a sweeping outage of DNS provider Dyn as a result of a DDoS attack. On its status update webpage, Dyn said the issue started at 11.10 UTC that morning.

“We began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure,” it said. “Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.”

In an update, the firm said that the attack was mainly impacting US East and was impacting Managed DNS customers in this region. “Our engineers are continuing to work on mitigating this issue,” it added.

The problem lasted just over two hours and services were restored to normal as of 13:20 UTC.

Other sites having problems included Box, Boston Globe, New York Times, Github, Airbnb, Reddit, Freshbooks, Heroku and Vox Media.

Mirai botnets like the ones recently used in distributed denial of service (DDoS) attacks on a French internet service provider and a well-known security researcher were at least partly responsible for the waves of DDoS attacks against Dyn DNS that took down Twitter, Spotify, Netflix, GitHub, Amazon, Reddit and other websites on Friday, according to a Flashpoint blogpost.

Mirai does its dirty work on Internet of Things (IoT) devices and “Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks,” the post said.

Flashpoint noted that while “Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and [French Internet provider] OVH.”

After “Anna_Senpai,” the hacker behind the Mirai botnet used to attack Krebs, released the malware's source code online, “copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks,” making it difficult to draw a relationship between Friday's DDoS attacks, which were still ongoing well into the evening, and previous attacks where Mirai botnets were used.

National Cyber Security Centre HQ operational

The UK's new National Cyber Security Centre (NCSC) officially opened for business as a public-facing part of GCHQ that acts as a focal point for the government to deliver authoritative advice on tackling cyber-security issues. It will be based in the Nova office and shopping complex near Victoria Station in London, not in Cheltenham at GCHQ, as originally announced last year, though it will also have offices there.

While this operational centre will focus on defensive work, it will be able to call on offensive capabilities developed by GCHQ and the Ministry of Defence.

According to Evening Standard reports, the NCSC will have a staff of 700, more than half of whom will be based in the new HQ, moving into the building later this year and in early 2017. It will have specialist teams for the City, Whitehall, the intelligence and security services, energy, telecoms and other parts of the critical national infrastructure.

It is led by CEO Ciaran Martin who was director general cyber at GCHQ, with Dr Ian Levy, former technical director of cyber-security at GCHQ, becoming technical director at the NCSC. The NCSC's website is scheduled to go live tomorrow (4 October).

September

Fancy Bear hacks World Anti-Doping Agency

The World Anti-Doping Agency has been hacked and the medical records of top western athletes published.

Fingers have almost instantly pointed towards Russia, whose taste for using cyber-tactics against ‘the west’ is almost as famous as the country's relationship with athlete doping.

WADA published a memo yesterday saying it had confirmed “that a Russian cyber-espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear, illegally gained access to WADA's Anti-Doping Administration and Management System (ADAMS) database via an International Olympic Committee (IOC)-created account for the Rio 2016 Games.”

The hackers released the medical data of some of the US's top athletes, including the records of celebrated gymnast Simone Biles and tennis giant Serena Williams.

Online fraud overtakes physical crime in UK

The inclusion of fraud in the UK crime figures resulted in online crime overtaking physical crime, and now Financial Fraud Action UK (FFA UK) reports that fraud in the payments sector has jumped 53 percent over last year.

With more than a million cases of card, cheque, phone or online fraud recorded in the first six months of 2016, one every 15 seconds, FFA UK has found that the rate of fraud in the UK payments industry is accelerating: from £755 million in 2015, itself a 26 percent rise over the previous year, it soared by a further 53 percent in the first six months of this year. Phishing and vishing (phone and text-based scams) are the focus of concern for FFA UK in its Take Five campaign (advising caution before responding to information requests from their bank) to protect businesses and consumers.

Katy Worobec, director of FFA UK said in the report that banks stopped £7 in every £10 of attempted fraud – though of course that means that by value, thirty percent of such frauds are successful.

Home Office security minister Ben Wallace is supporting the initiative and adds in the review that “the Government is working closely with law enforcement and the banking sector through the Joint Fraud Taskforce to take action to stop the organised criminals behind financial fraud.” And Ian Dyson, commissioner of the City of London Police, which is the national policing lead for fraud, said in a press statement: “Fraud and cyber crime account for nearly half of all crime according to the British Crime Survey and this campaign is aimed at giving people the confidence to think before they act. Pausing for that short moment and asking ourselves, is this the safe thing to do, will go a long way to thwarting the fraudsters that prey on people's trusting nature.”

August

Barclays bank to identify customers by voice

Barclays bank is to begin identifying customers by voice recognition, removing the need for customers to answer a set of security questions to access their accounts while banking over the phone.

The bank is said to be favouring customers who regularly use phone banking, rather than those who bank in-branch or via the website/app, as users of the scheme.

The move represents the latest step in the industry to abolish passwords, moving to technologies which banks believe are more convenient for customers as well as more secure.

Recent data from Opus Research predicted that the voice biometrics authentication market will grow from US$ 200m in 2013 to US$ 750m globally by 2017. As the greater security and convenience offered by voice authentication becomes the norm for customer experience in financial services, we are likely to see this trend extended to all customer-facing industries.

Online-only banks First Direct and HSBC took similar steps earlier this year, introducing voice pattern recognition for online banking in their retail banking operations. In addition to voice recognition, customers of HSBC will also be able to use fingerprint recognition systems for identity verification.

Leoni AG suffers £34 million whaling attack

Leoni AG, Europe's biggest manufacturer of wires and electrical cables, has announced losses of £34 million (US$ 44.6 million) following a whaling attack that tricked finance staff into transferring money to the wrong bank account.

The incident took place on 12 August, and the company announced it publicly on 16 August. Upon announcement, the company's shares dropped by between 5 and 7 percent.

Few details of the loss were shared when the incident occurred in August, other than Leoni AG announcing that it had launched an investigation into the matter.

Leoni AG also reassured investors that the company's financial situation had not been affected by the sudden loss of capital.

However, new details about the incident have come to light in the Romanian press, which revealed that the scam took place at Leoni's factory in Bistrita, Romania.

According to authorities, the CFO at the factory was the target of the scam. She received an email spoofed to look like it came from one of the company's top German executives.

Investigators have said the email was crafted in such a way to take into account Leoni's internal procedures for approving and transferring funds. This detail shows that attackers scouted the firm in advance.

The Bistrita factory may not have been chosen at random either. Leoni has four factories in Romania, and the Bistrita branch is the only one authorised to make money transfers.

Leoni AG is now working with local police, and Romania's top investigators in the DIICOT (Directorate for Investigating Organised Crime and Terrorism) division.

Shadow Brokers' leaked files confirmed real by Snowden docs

The Snowden files have apparently confirmed that a series of openly auctioned cyber-weapons do belong to the US National Security Agency (NSA).

‘The Shadow Brokers' claims were apparently verified in a draft NSA manual leaked as part of the large tranche of internal files stolen by whistleblower Edward Snowden in 2013. The manual details a tool called SECONDDATE, which tricks its targets into downloading malware by redirecting users from legitimate websites to a server called FOXACID which installs NSA viruses onto the targeted machine.

This is supposedly the same tool referenced in the taster dump that the Shadow Brokers offered for sale last week. The Intercept, an investigative outlet, made the revelation recently, adding that 14 references to SECONDDATE were found in the recent dump.

The group emerged last week, when it offered a taste of what it said was a much larger tranche of information on cyber-weapons from the Equation Group, an APT group believed to be controlled by the NSA and supposedly implicated in large campaigns like Stuxnet and Duqu.

The Brokers wrote on PasteBin: “How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame.”  

Adding, in broken English, “We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files”.

The group posted a small sample of the full tranche it claims to possess, offering ‘the best’ parts to the highest bidder. However, it seems to be auctioning the information in a rather strange way: lower bids will not be returned, and if the Shadow Brokers receive a total of one million bitcoin, the whole tranche will be dumped publicly.

While questioned before, this new disclosure supposedly links the Equation Group, the APT from which the cyber-weapons were supposedly taken, to the NSA. The link was previously considered dubious as concretely linking governments to their cyber-attack actors is a notoriously hard thing to do.

NIST axes SMS-based two-factor authentication for US government apps

US government service providers will be required to phase out the use of SMS-based two-factor authentication (2FA) as the result of new guidelines from the National Institute of Standards and Technology (NIST).

The federal technology agency, which provides government and private industries with standards reference materials, issued on Wednesday its draft Special Publication 800-63B Digital Authentication Guideline. The 17,000-word document concludes that because of the possibility that the one-time code itself could be intercepted or redirected, SMS-based two-factor authentication should no longer be used.

"Digital authentication is the process of establishing confidence in user identities electronically presented to an information system," the NIST document states. What's at stake is the strength of authentication transactions.

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. [Out of band] using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
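The three SHALL / SHALL NOT clauses quoted above are concrete enough to implement directly. The following is an added example, not code from NIST or from the article: a minimal out-of-band verifier that (1) refuses to register or send to a number that is not on a mobile network, (2) treats each code as single-use and time-limited, and (3) refuses to change the pre-registered number unless a second-factor check has just succeeded. The carrier lookup table `NUMBER_TYPE` is constructed for the example (a real verifier would query a number-portability or carrier service), and the phone numbers are from the UK's reserved drama range.

```python
import hmac
import secrets
import time

# Constructed number-type lookup standing in for the carrier check the verifier
# has to make; a real deployment would query a number-portability/carrier service.
NUMBER_TYPE = {
    "+447700900100": "mobile",
    "+447700900300": "mobile",
    "+447700900200": "voip",
}

CODE_TTL_SECONDS = 300      # how long an out-of-band code stays valid
REAUTH_WINDOW_SECONDS = 60  # how fresh a second-factor check must be to authorise a number change


class PolicyViolation(Exception):
    """Raised when a request would break one of the SHALL / SHALL NOT rules."""


class SmsOobVerifier:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry behaviour can be tested
        self.numbers = {}       # user -> pre-registered telephone number
        self.pending = {}       # user -> (code, expiry timestamp)
        self.verified_at = {}   # user -> time of last successful second-factor check

    def _require_mobile(self, number):
        # "SHALL verify that the pre-registered telephone number ... is actually
        # associated with a mobile network and not with a VoIP service"
        if NUMBER_TYPE.get(number) != "mobile":
            raise PolicyViolation(f"{number} is not on a mobile network (VoIP or unknown)")

    def register(self, user, number):
        self._require_mobile(number)
        self.numbers[user] = number

    def send_code(self, user):
        """Create the out-of-band code; returned here instead of being sent by SMS."""
        number = self.numbers[user]
        self._require_mobile(number)  # re-check at send time: a number can be ported to VoIP later
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.now() + CODE_TTL_SECONDS)
        return code

    def verify_code(self, user, submitted):
        """Single-use, time-limited check; any failure discards the pending code."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self.now() > expiry or not hmac.compare_digest(expected, submitted):
            return False
        self.verified_at[user] = self.now()
        return True

    def change_number(self, user, new_number):
        # "Changing the pre-registered telephone number SHALL NOT be possible
        # without two-factor authentication at the time of the change."
        last = self.verified_at.get(user)
        if last is None or self.now() - last > REAUTH_WINDOW_SECONDS:
            raise PolicyViolation("second factor not verified at the time of the change")
        self._require_mobile(new_number)
        self.numbers[user] = new_number
        del self.verified_at[user]   # one verification authorises at most one change


if __name__ == "__main__":
    v = SmsOobVerifier()
    v.register("alice", "+447700900100")
    code = v.send_code("alice")            # would be delivered by SMS in a real system
    print("code accepted:", v.verify_code("alice", code))
    v.change_number("alice", "+447700900300")
    print("number now:", v.numbers["alice"])
    try:
        v.change_number("alice", "+447700900100")
    except PolicyViolation as e:
        print("second change refused:", e)
```

The number change is the part worth attention: it is the control that stops an attacker who has only the account password from redirecting codes to a device they control, and the verifier consumes the second-factor proof after one change so a single verification cannot be replayed.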

The development follows in the wake of several malware attacks impacting SMS codes as well as malicious campaigns where users' VoIP connections were hijacked.

July

Intelligence officials have 'high confidence' Russian gov hacked DNC

American intelligence officials believe with ‘high confidence’ that the Russian government is behind the recent hack of the Democratic National Committee (DNC), the US Democratic Party's governing body.

The New York Times reported the revelation yesterday, adding that intelligence officials uttered the claim in a briefing with the White House.

Its sources were unsure whether the release of documents was, as some have claimed, an attempt to swing the presidential election in favour of Donald Trump, the Republican presidential nominee.

The hack produced several embarrassing results for the DNC. The first was the publication of a dossier on Donald Trump, detailing the various ways the Republican candidate might be publicly attacked. With that was a spreadsheet of various donors to the Democratic Party and the Clinton campaign.

The real hammer blow, however, came on 21 July when the leak publisher WikiLeaks released nearly 20,000 emails from internal DNC servers which showed clear bias and even an attempt to manipulate the Democratic primaries between Hillary Clinton and her outsider opponent Bernie Sanders.

The revelations elicited outrage across the political spectrum and resulted in the resignation of Debbie Wasserman-Schultz, the chairperson of the DNC. At this week's Democratic National Convention, where Hillary Clinton was crowned the party's candidate for President, heavy tension was noted from left-leaning Sanders supporters who booed pro-Clinton speakers.

June

TeamViewer has potential security flaw, Reddit community in upheaval

One Reddit thread said, "whoever does PR for TeamViewer should be fired".

The TeamViewer community on Reddit has brought to light claims that while using TeamViewer, their computers were hacked, PayPal and other banking accounts completely drained and malicious software installed.

Users took to the Reddit community to alert others that while looking through their log files of connections to the computer, they had found unknown computer logins from unknown locations.

TeamViewer is a popular remote desktop access client, often used by IT departments, for example, to service a client's PC from anywhere in the world. This means they can use the computer normally without having to actually be in the room.

Currently TeamViewer has clients for both personal computers and mobile devices making it an incredibly lucrative target for those with malicious intent.

Interestingly, TeamViewer has issued a statement saying that, “There is no evidence to suggest that TeamViewer has been hacked. Neither do we have any information that would suggest that there is a security hole in TeamViewer.”

TeamViewer believes that users re-using passwords is what led to this problem, saying that “Unfortunately, users are still using the same password across multiple user accounts with various suppliers. While many suppliers have proper security means in place, others are vulnerable. The latter ones tend to be targeted by professional data thieves. As TeamViewer is a widely spread software, many online criminals attempt to log in with the data gained from compromised accounts (obtained via the aforementioned vulnerable sources), in order to discover whether there is a corresponding TeamViewer account with the same credentials.”

May

New PCI DSS version concentrates on multi-factor authentication and encryption

The PCI Security Standards Council (PCI SSC) has released the latest version of the PCI Data Security Standard.

Version 3.2 includes requirements that merchants and banks must deploy, including strong encryption and multi-factor authentication, as well as the dates by which those changes must take place.

The previous version, 3.1, expires on 31 October this year, but the PCI SSC has said that firms that accept, process or receive payments should adopt the new version as soon as possible to prevent, detect and respond to cyber-attacks.

Among the key changes are revised sunset dates for Secure Sockets Layer (SSL) and early Transport Layer Security (TLS); an expansion of requirement 8.3 to require multi-factor authentication for administrators accessing the cardholder data environment; and additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which were previously a separate document.

The primary changes in the new version are clarifications on requirements that help organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process, according to PCI Security Standards Council general manager Stephen Orfei.

“This includes new requirements for administrators and services providers, and the cardholder data environments they are responsible to protect. PCI DSS 3.2 advocates that organisations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.”

PCI Security Standards Council chief technology officer, Troy Leach, said that multi-factor authentication is now a requirement for any personnel with administrative access into environments handling card data.

“Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator's identity and grant access to sensitive information,” he said.

“Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk. PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective.”

SWIFT: BoE demands UK banks step up cyber-security after Bangladesh attack

Following the attack in February on the Central Bank of Bangladesh, the Bank of England (BoE) has issued an urgent call for all British banks to carry out a security review of any computer connected to the SWIFT network.

The warning was issued in mid-to-late April but is only now being made public. In the attack launched three months ago, hackers made off with £56 million in what is thought to be one of the largest bank robberies in history.

In addition to the audit, the BoE demanded a compliance check to ensure that the security policies recommended by SWIFT are being followed. The BoE wants UK banks to conduct ‘user entitlement reviews’ to ensure that only authorised staff have access to sensitive SWIFT applications and web portals. Computer logs are also being reviewed for digital evidence and ‘indicators of compromise’, including IP addresses and email addresses linked to recent attacks.

The attack on the Bangladesh central bank was not the only attack of its kind. SWIFT issued a notice on 13 May saying that another instance of a malware-led attack on an institution, directed at banks' secondary controls, had emerged. Before SWIFT was made aware, attackers exploited vulnerabilities in banks' funds transfer initiation environments.

Banks in the UK are not the only ones affected by the Bangladesh attack. High levels of security are being maintained in other central banks such as those of Singapore and the Philippines.

There have been further SWIFT compromises during the year.


Action Fraud warns of new wave of Lizard Squad DDoS attacks

A number of UK businesses have been hit by extortion demands from the Lizard Squad hacker group, according to an alert issued by Action Fraud. At least 20 companies have been threatened, with victims told that if they don't pay five bitcoins – just over £1,500 – they will suffer a DDoS attack.

Lizard Squad has a history of DDoS attacks, including taking down the UK's National Crime Agency (NCA) website and the global Xbox and Playstation gaming networks.

Action Fraud, part of City of London Police, sent out its alert late on Friday, warning: “In the past 24 hours a number of businesses throughout the UK have received extortion demands from Lizard Squad. The group has sent emails demanding payment of five bitcoins, to be paid by a certain time and date. The email states that this demand will increase by five bitcoins for each day that it goes unpaid.

“If their demand is not met, they have threatened to launch a Denial of Service attack against the businesses' websites and networks, taking them offline until payment is made. The demand states that once their actions have started, they cannot be undone.”

An Action Fraud spokesperson told SCMagazineUK.com that so far 20 companies are known to have received the threat. He added: “The problem was first notified to us on Friday and we sent out the alert the same day. We're monitoring the situation. As it was only last Friday, there is currently no force actually investigating it, but obviously that will be decided shortly.”

Action Fraud is urging any companies which receive the threat to call 0300 123 2040 or report it online. It says: “Do not pay the demand. Retain the original emails with headers. Maintain a timeline of the attack, recording all times, type and content of the contact.”

The agency advises any companies experiencing a DDoS attack, “Report it to Action Fraud. Call your ISP or hosting provider, tell them you are under attack and ask for help. Keep a timeline of events and save server logs, web logs, email logs, any packet capture, network graphs, reports, etc.”


April

Panama Papers: Who let the docs out?

The dramatic exfiltration of 2.6 terabytes of data from the Panama-based law firm Mossack Fonseca has been countered by an equally uninformative explanation for how this international organisation, with a class A customer list, allowed itself to be turned over.

Very little is known at this stage about how the company came to lose 11.5 million documents. A German journalist, who works for the newspaper Sueddeutsche Zeitung, was contacted a year ago by an anonymous source who insisted on the use of encrypted communications for every contact. The journalist claims to have no knowledge of who the leaker was, only that he or she didn't want any payment, saying that exposing the “crimes” of Mossack Fonseca was enough.

Debate is rife within the cyber-security community as to whether the data leak was the work of a disgruntled insider rather than an external hacker as SCMagazineUK.com and others reported yesterday based upon the company's initial response. 

Mossack Fonseca's explanation for the attack was that it had experienced an “unfortunate” email server attack. This was followed by assurances that security would be tightened and expert consultants drafted in to figure out what happened.

But as Paul Ducklin, writing on the Naked Security blog, said, it is difficult to conceive how anyone could intercept and exfiltrate 2.6TB of data via email, especially given the range and variety of information and types of documents.

Ducklin – who is incidentally appalled that professional journalists are willing to handle stolen data – said that rather than an email server attack, it was more likely that the perpetrator gained access to an email account and then leveraged that access to upgrade their privileges.

To Jens Puhle, UK managing director at 8Man, the breach was more likely the result of an insider attack, in the same vein as Edward Snowden and Chelsea Manning, although in this case the identity of the leaker – who reportedly fears for their life – may take a long time to ascertain. “It's an unusual case, however, since it was apparently leaked directly to the press which signifies someone taking a moral standpoint rather than looking for financial gain,” said Puhle.

Thierry Bettini, director of international strategy at Ilex International, tends to agree with Puhle. “It's really too early to say at this point and it's worth noting the only breach Mossack Fonseca has recognised at this point is the hacking of its email server. However, given the number/volume of documents stolen, that is probably not the only cause. This could definitely have been the work of an insider, like in other cases such as in the Clearstream case.”

And Mark Sangster, VP of marketing at eSentire, said: “We're seeing many cases of insider data breaches that involve leaking sensitive data for front running trades or more malicious intent. In this case, seemingly one individual got his or her hands on a massive collection of files spanning four decades. If this holds true, this extreme case of an apparent insider threat will result in catastrophic consequences for Mossack Fonseca.”

But some favour the theory that it was an external attacker, possibly a nation state. Charles White, founder and CEO of IRM, believes the leak is likely to have come from a high level external hack, partly because of its sophistication and partly because of Panama's notorious human rights record which might deter insiders from taking the risk.

“The leak could be the work of an external hacker, and one would hope with information of this magnitude a very competent hacker potentially at nation state level,” White said. “Legal companies like this hold a lot of rich, exciting information that can be very useful at a nation state level, especially when current and former world leaders are involved. The huge amount of data makes it likely the entire database was stripped out, which also points to an external attack.”

Agreeing with White that it could have been an outsider is Adam Boone at Certes Networks. He said that available evidence points to the theory that a compromised email server was the attack vector.

He said that law firms are ripe for attacks because of the extremely sensitive data they hold for important clients. “Without modern access control and application isolation techniques, these firms are wide open for malicious insiders or external attackers to get access to the most sensitive data,” he told SC. “Effective application isolation is almost nil at many companies. Attacks on third parties like external law firms, contractors and the like have been the main attack vector in the high profile data breaches over the past three years, including Target, Sony and many others.”

No doubt these are questions that the directors at Mossack Fonseca are trying to answer right now, but the chances are – given the company's history of secrecy and its reticence in speaking publicly about the data leak – we are unlikely to find out the results of the investigation unless, of course, they get hacked again. 


6000 staff join data breach lawsuit against Morrisons

Morrisons is still feeling the ramifications of a data breach two years ago as 6000 current and former staff signed up to a group lawsuit ahead of the 8 April deadline.

Nearly 6000 current and former staff of retail giant Morrisons have signed up to join a combined lawsuit against the company following a massive data breach two years ago.

According to the law firm which is coordinating the litigation, 5954 current and former members of staff joined the group action ahead of the 8 April cutoff date last week.

JMW Solicitors, a law firm based in Manchester, is coordinating the lawsuit following a data breach in March 2014 which saw the details of 99,998 staff published on the internet and shared with media outlets.

The details were in a spreadsheet which contained names, bank details, salaries and National Insurance numbers.

The spreadsheet was leaked by Andrew Skelton, an internal auditor for Morrisons who had developed a grudge against the company after he was suspected of dealing controlled drugs at work. He was jailed at Bradford Crown Court in July 2015 for eight years.


Worldpay merchant portal allowed merchants to view customer card data

Technology industry watchers have castigated payments processing service Worldpay for potential operational vulnerabilities. Worldpay is billed as a secure payment gateway for businesses that incorporates the worlds of online payments, card machines and telephone payments.

The firm itself proposes that it delivers a secure proprietary technology platform to enable ‘merchants’ to accept a vast array of payment types, across multiple channels, anywhere in the world.

It is precisely the Worldpay Merchant Portal that Randy Westergren has a problem with. As a senior software developer at XDA Developers, Westergren claims he has found “multiple vulnerabilities” in the Worldpay Merchant Portal. He further states that this is not the first time he has uncovered compliance issues with this kind of payment gateway technology.

Where the vulnerability arises

Westergren explains that he encountered the concerns when working with setup and testing inside the Worldpay API and Merchant Center web portal.

One of the functions of the Merchant Center is to look up orders and their associated transaction details. The real problem arose when a merchant viewed a customer's credit card transaction details in the Merchant Portal.

“This request was vulnerable such that any authenticated user of the system could view the credit card transactions of any other merchant's business, i.e. a simple IDOR (Insecure Direct Object References). While the full credit card number is not displayed in this interface, the last four digits and the expiration date are [visible] and this is valuable information for an experienced attacker,” explained Westergren.
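The IDOR described above, shown as an added illustration (not Worldpay's code) of a transaction lookup that trusts the request's transaction id beside one scoped to the authenticated merchant. The in-memory store, merchant ids and transaction ids are constructed sample data.

```python
"""Merchant-portal transaction lookup: IDOR versus merchant-scoped lookup.

Added illustration, not Worldpay's code. The store, merchant ids and
transaction ids below are constructed sample data.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for a transaction the caller may not see (or that does not exist)."""


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    merchant_id: str
    pan: str          # full card number, never returned to the portal
    expiry: str       # MM/YY
    amount_pence: int


# Constructed sample data: two merchants, three transactions.
TRANSACTIONS = {
    "T1001": Transaction("T1001", "M-ALPHA", "4111111111111111", "09/18", 1999),
    "T1002": Transaction("T1002", "M-ALPHA", "4012888888881881", "03/19", 4500),
    "T2001": Transaction("T2001", "M-BRAVO", "5555555555554444", "12/17", 12000),
}


def masked_view(txn: Transaction) -> dict:
    """What the portal shows: last four digits and expiry, as the article describes."""
    return {
        "txn_id": txn.txn_id,
        "last4": txn.pan[-4:],
        "expiry": txn.expiry,
        "amount_pence": txn.amount_pence,
    }


def lookup_vulnerable(session_merchant_id: str, txn_id: str) -> dict:
    """IDOR: the transaction id from the request is used directly as the key.

    The authenticated merchant id is never compared with the record's owner,
    so any logged-in merchant can read any other merchant's transaction.
    """
    txn = TRANSACTIONS.get(txn_id)
    if txn is None:
        raise NotFound(txn_id)
    return masked_view(txn)


def lookup_scoped(session_merchant_id: str, txn_id: str) -> dict:
    """Hardened: ownership comes from the session, not from the request.

    A record belonging to another merchant is reported exactly like a missing
    one, so the response does not leak which transaction ids exist.
    """
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn.merchant_id != session_merchant_id:
        raise NotFound(txn_id)
    return masked_view(txn)


def can_read(lookup, session_merchant_id: str, txn_id: str) -> bool:
    """True if `lookup` returns a view of txn_id to the given merchant."""
    try:
        lookup(session_merchant_id, txn_id)
    except NotFound:
        return False
    return True


def cross_merchant_reads(lookup, session_merchant_id: str) -> list:
    """Ids the merchant can read via `lookup` but does not own.

    Usable as a regression test for the authorisation check: a correct
    implementation returns an empty list for every caller.
    """
    return [
        txn_id
        for txn_id, txn in TRANSACTIONS.items()
        if txn.merchant_id != session_merchant_id
        and can_read(lookup, session_merchant_id, txn_id)
    ]
```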


The EU General Data Protection Regulation (GDPR) passes final approval in the European Parliament

The final passage of the EU GDPR represents the fruit of four years of work, seeking to harmonise levels of data protection in all 28 members states of the EU.

The bill is also set to make data handling easier for enterprises operating within the EU; where there were once many sets of data laws, there is now just one.

The provisions laid out in the GDPR give citizens a better say in how their data is handled by private organisations. It lays out clear guidelines for how EU citizens' data is to be handled and their continued ownership rights over that data once it is in private hands. GDPR also comes with limitations on the use of private data transferred across borders by security services.

Furthermore, the GDPR comes with mandatory breach reporting requirements, meaning companies will have to report breaches within 72 hours of becoming aware of them.

David Mount, director of security solutions consulting EMEA at Micro Focus, told SCMagazineUK.com that this might end up being a mixed blessing: “This will be a technical challenge for those businesses unaccustomed to such stringent measures: they will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks.”

That said, added Mount, the US, which already has breach reporting requirements, has not been free from unforeseen outcomes: “In reality there can be an unintended consequence of ‘data breach fatigue’. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches”.

The effect is that “sometimes consumers can't see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure.”

Breaking the provisions could result in the regulatory iron fist being brought down upon whichever company overlooks them, in the form of a fine of up to four percent of global turnover.


March

US team find 0-day to hack Apple iCloud photo, Adele and Harry Styles among victims

A 0-day was found allowing cyber-criminals to hack Apple iCloud photos.

The revelation comes as British singers Adele and One Direction's Harry Styles reportedly became the latest celebrities to have private photos leaked online – Styles via an iCloud account hack and Adele through an email compromise.

Apple is promising to patch the flaw found by the Johns Hopkins team in today's release of iOS 9.3, and the researchers, led by Professor Matthew Green, are refusing to give full details of the bug until then.

But they say the 0-day allows attackers – or police – to view iCloud photos and videos being sent as instant messages via Apple iMessage, by brute-force guessing the required decryption key.


NatWest online banking suffers SMS 'smishing' scams

News reports suggest that both NatWest and its Royal Bank of Scotland parent were hacked by journalists from BBC Radio 4's You and Yours programme.

Online banking appears to be suffering more security breaches today than at any other time in its past. Recent scams have included new strains of ransomware and the rise of so-called ‘smishing’ techniques, i.e. phishing by SMS.

The ‘hack hackers’ from You and Yours were able to use smishing techniques to break into a UK citizen's account and remove money.

Banks have fallen foul of smishing, sometimes also called ‘SIM swap fraud’, because of their reliance on SMS alerts: activation codes are often sent by text to users' smartphones when they forget their personal details, and the same mechanism can also be used to authorise payments from an account.

How the scam works

SMS smishing works by blocking a genuine user's phone without the user knowing why their device has gone dead and stopped working. While hackers have control of the target number, the user's bank account is vulnerable to exploitation and theft.

NatWest has told the BBC that its systems (and those at the Royal Bank of Scotland) would be changed as a direct result of the You and Yours investigation.


Data breach authority Verizon Enterprise breached; 1.5 million customers impacted

An online cyber-criminal forum was found to be selling a database containing information on 1.5 million Verizon Enterprise customers.

Known for its highly respected Data Breach Investigations Report, Verizon Enterprise Solutions has suffered its own data breach, after a cyber-criminal was discovered selling information linked to 1.5 million of its customers.

Cyber-security expert Brian Krebs uncovered the plot and posted details yesterday on his blog, reporting that a black-market online forum was advertising the sale of a database containing contact information belonging to Verizon Enterprise customers. The complete database was priced at $100,000 (£70,766), but interested buyers could instead buy portions of the list for $10,000 (£7,076) per segment. The seller also was offering information on security vulnerabilities found on Verizon's website.

According to Krebs, Verizon was already aware of the incident when he alerted them. This development is obviously embarrassing for the New York-based telecommunications company, whose Verizon Enterprise division offers a spectrum of B2B enterprise solutions, including cyber-security products intended to prevent and detect incidents such as data breaches.

Verizon shared the following statement with media: “Verizon recently discovered and remediated a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”

The company has not yet revealed exactly how the malicious hacker was able to access its systems, but that hasn't stopped experts from making an educated guess.

The attackers “apparently offered to sell information about vulnerabilities within the website. This initially leads me to believe that the most likely cause of the break-in was probably a SQL injection vulnerability,” said Deral Heiland, global services research lead at security and analytics firm Rapid7, in an email sent to SCMagazine.com. “If [database platform] MongoDB was being used, this is known as a NoSQL database and traditional SQL injection attacks will not work, although NoSQL databases are still subject to injection attacks, which can be leveraged to extract data from the MongoDB.”


Locky ransomware 'on the rampage' globally

First spotted in the wild just in February, the Locky ransomware has exploded onto the world's computers and skewered some significant victims.

Locky ransomware is rising rapidly and “on the rampage” according to McAfee and Fortinet – confirming last week's warning of a huge spike in Locky-inspired global spam traffic by Surrey University Professor Alan Woodward.

Locky – blamed for the recent £2.4 million ransom attack on a Hollywood hospital – only sprang to life in mid-February. But Fortinet has already tracked over three million ‘hits' from Locky command and control server communications in the two weeks to 2 March, with just under 50,000 of those hits coming in the UK.

“Locky already covers a big chunk of ransomware infections in the two weeks of its existence,” Fortinet said.

Locky also twists the knife in its Western targets by refusing to attack computers that run a Russian operating system.

And McAfee warns that the malware has already switched from landing in classic Microsoft Word macros to hiding in small, benign-looking JavaScript file attachments, designed to evade AV detection.

McAfee describes Locky as “on the rampage” and warned “it propagates onto victims' systems through a widespread spam campaign”.

Later in the year Locky developed further, from the addition of virtual machine (VM) and analysis-tool countermeasures in June, to its use of offline encryption in July and an intermediate downloader in September.


February

Snapchat got whaled, employee payroll released

The social media giant Snapchat has fallen victim to a whaling attack. The company admitted as much in a blog post released yesterday.

With hat in hand, the company told the public that “it's with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees.”

On Friday 26th, a Snapchat employee was targeted by a scammer impersonating the Snapchat CEO, Evan Spiegel. The imposter named himself ‘Spiegel', and asked the unfortunate employee for payroll information, which was duly handed over. The information was released shortly after. 

Snapchat reported the incident to the FBI and looked for which employees may have been affected. The company has apparently also offered those affected by the publication of the details two years of free identity-theft insurance.

The company was keen to point out that no user information was accessed and no internal systems were breached.


Costs of TalkTalk breach amount to £60m

TalkTalk has revealed that the October data breach has cost the firm up to £60 million, including exceptional losses. However, revenue increased 1.8 percent during the final quarter of the year, from October through December 2015.

According to TalkTalk's first financial report of 2016, an estimated 101,000 customers left the company following the hack. 

However, Kantar Worldpanel research estimated the number of lost customers to be nearer 250,000.

Many customers were upset at how the firm handled the attack as TalkTalk did not allow people to terminate contracts without incurring charges, offering them a free upgrade instead.

“Although it took longer than expected to return the business to normal operational effectiveness, customer sentiment improved much more quickly as a result of the actions we took,” the report stated.

The Guardian reports that online sales operations shut down after the attack, leading to the company gaining fewer customers than expected.

Dido Harding, TalkTalk's chief executive, said: “It is encouraging to see the business returning to normal after a challenging quarter that was dominated by the cyber-attack. Both churn and new connections recovered during December and January and independent external research has revealed that customers believe that we acted in their best interests.”

The subsequent ICO fine of X was criticised in the industry as being too low.


US Gov confirms Ukraine power outages were caused by cyber-attack

A cyber-attack caused power outages around Ukraine last December, at a time when temperatures can fall well below zero.

The US government has confirmed that December power outages in Ukraine were caused by a cyber-attack. The Department of Homeland Security announced the news yesterday, describing what is believed to be the first known case of hackers knocking a power grid offline.

Two days before Christmas last year, several Ukrainian power companies experienced outages. The outages affected 225,000 customers in the dead of winter, when temperatures can drop to -20C.

The investigation brought together the National Cybersecurity and Communications Integration Center, US-CERT, the Department of Energy, the Federal Bureau of Investigation and the North American Electric Reliability Corporation to take a close look at the power outages.

The report compiles data from the Ukrainian government, six of the power companies that experienced outages and the investigation itself which includes interviews with individuals with first hand experiences of the power outages. However, the report states, the investigation team was not "able to independently review technical evidence of the cyber-attack".

The outages, according to the report "were caused by remote cyber intrusions at three regional electric power distribution companies." Power was restored, albeit at a constrained capacity which continues to this day.


January

I hacked Citrix, says Russian hacker w0rm

Citrix, a US software company specialising in virtualisation and cloud computing, has reportedly been compromised by a Russian hacker called w0rm.

w0rm is infamous for several attacks over the past five years on a number of high profile targets including the BBC, CNET, Adobe and Bank of America. The identity of the person or group behind w0rm is unknown.

According to a blog post (in Russian), w0rm claims to have been able to gain access to the content management system on the Citrix network via an insecure password. From there, it was able to exploit a series of security holes to gain access to the company's administrative system including the remote assistance system.

Cyberint, a cyber-security intelligence company based in Israel, said it identified the hack in October and promptly tried to notify Citrix.

According to Elad Ben-Meir, vice president of marketing at Cyberint, the company made repeated efforts to notify Citrix but received no response. In addition, the hacker w0rm tweeted Citrix with a link to its blog posting on 25 October 2015 and says it received no response.

SCMagazineUK.com has made several attempts to contact Citrix for a comment today but at the time of publication had not received a reply.

According to Ben-Meir, an analysis of w0rm's attack showed that it had gained access to all of Citrix's customers through the administrative system. This would have enabled an attacker potentially to bypass customers' security systems and upload malware undetected.

“Citrix offer a platform for remote assistance – [w0rm] could if he wanted to – but he didn't actually use it, but if he wanted to he could penetrate every endpoint of Citrix customers out there,” said Ben-Meir.

“Essentially if he had wanted to, he could have put malware into every end user of every Citrix customer which then would allow it to either keylog the things the people type, he could steal sensitive information from those end points, or he could use those endpoints as a botnet to run DDoS attacks,” he continued. “A hacker that gains access to that amount of PCs is basically really powerful.”

This would have been “undetectable”, he said, up until the point that the attacker tried to activate the malware or exfiltrate data, depending on the security systems installed on the organisation's system.


OpenSSH vulnerability means your keys are OpenPREY

Two vulnerabilities have been discovered (and fixed) in OpenSSH which could have been exploited by hackers to force clients to leak cryptographic keys and potentially expose users to man-in-the-middle attacks.

OpenSSH is one of the most widely used open-source implementations of the Secure Shell Protocol. The vulnerabilities which were patched on Thursday were present in the default configuration of OpenSSH. All users and administrators are advised to update as soon as possible.

SSH keys are a more secure alternative to passwords: you generate a public and private key pair, give the remote server your public key, and keep the private key on your own computer. Then when you next log in, the SSH server and client use the keys to identify and authorise you. However, if someone swipes your private key, they can log in as you.

Versions 5.4 to 7.1 of the OpenSSH client are the ones in trouble – a feature enabled by default called ‘Roaming’ allows for a restart of an SSH session after a connection was interrupted, but the roaming code contains both an information sharing bug (CVE-2016-0777) and a buffer overflow bug (CVE-2016-0778).

The roaming feature itself is not supported by servers and is meant for the client side – however, hackers could implement it server-side and exploit the information sharing bug to steal the keys.

And to cope with a connection break, the client keeps a buffer in memory that contains the user's private keys. Qualys, the firm that discovered these flaws, say it is possible to extract the cryptographic data, either partially or completely.

To kill off the client info-leak bug, industry experts are recommending an immediate patch and adding the line ‘UseRoaming no’ to SSH config files.
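An added checker (not from the article or the OpenSSH project) that applies the two mitigations above to a client: is the version inside the 5.4 to 7.1 range the article names, and is ‘UseRoaming no’ set globally in the client configuration. It assumes `ssh -V` banner text as input and treats 7.1p2, the release that disabled roaming by default, as patched; the config and version strings are constructed samples.

```python
"""Check an OpenSSH client against the roaming bugs (CVE-2016-0777/0778).

Added example, not part of the article or of OpenSSH. It applies the two
mitigations the article names: be outside the 5.4 to 7.1 client range, or
have 'UseRoaming no' in the client configuration. The sample config and
version strings below are constructed.
"""
import re

AFFECTED_LOW = (5, 4)
AFFECTED_HIGH = (7, 1)


def parse_version(banner: str):
    """Return (major, minor, portable_patch) from 'ssh -V' output.

    Example banner: 'OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015'.
    Raises ValueError for anything that is not an OpenSSH banner.
    """
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"not an OpenSSH version banner: {banner!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_affected(banner: str) -> bool:
    """True if the client version carries the roaming code (5.4 to 7.1).

    Assumption stated in the lead-in: 7.1p2 disabled roaming by default,
    so 7.1p2 is treated as patched while 7.1p1 is not.
    """
    major, minor, patch = parse_version(banner)
    if (major, minor) == (7, 1) and patch >= 2:
        return False
    return AFFECTED_LOW <= (major, minor) <= AFFECTED_HIGH


def roaming_disabled(config_text: str) -> bool:
    """True if 'UseRoaming no' is set globally in an ssh_config-style file.

    Conservative: only directives before the first Host/Match block count,
    since a setting inside a Host block covers those hosts only. Keywords
    are case-insensitive and '=' is accepted as a separator, as ssh does.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            break  # everything after this is host-specific
        if keyword == "useroaming":
            return value == "no"
    return False


def client_mitigated(banner: str, config_text: str) -> bool:
    """Patched client, or roaming explicitly disabled for all hosts."""
    return not version_affected(banner) or roaming_disabled(config_text)


# Constructed sample client configuration for a quick local run.
SAMPLE_CONFIG = """\
# ~/.ssh/config (constructed sample)
UseRoaming no
Host bastion
    HostName bastion.example.invalid
"""

if __name__ == "__main__":
    for banner in ("OpenSSH_6.6p1", "OpenSSH_7.1p1", "OpenSSH_7.1p2", "OpenSSH_7.2p2"):
        state = "mitigated" if client_mitigated(banner, SAMPLE_CONFIG) else "VULNERABLE"
        print(f"{banner}: {state}")
```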


Hospitals under attack

Throughout the year there were increasing numbers of hacks targeting the health sector and hospitals in particular including:

·   NHS Trust crippled by cyberattack (1 November 2016): a malware infection at a Lincolnshire hospital caused an NHS trust to shut down major operations across several hospitals.

·   Report uncovers the underground healthcare data market (15 September 2016): a new report from the Institute of Critical Infrastructure Technology looks at what happens to private medical data after it is stolen from a hospital and the heaving marketplaces in which it ends up.

·   Derriford hospital hit by ransomware (5 September 2016).

·   Three more US hospitals hit with ransomware (24 March 2016): three more hospitals were hit with ransomware, in what seems to be an endless rash of hospital attacks.

·   Canadian hospital infected with ransomware (18 March 2016): yet another hospital, this time in Canada, was infected with ransomware.

·   Turkish hackers claim responsibility for LA hospital ransomware (1 March 2016).

·   Ransomware goes to Hollywood medical centre (15 February 2016): when malware goes to war, a Southern California hospital was unable to relax in the face of a US$3.6 million (£2.4 million) demand from attackers.

Notable statistics for the year in Kaspersky Lab's Threat Review for 2016 include:

·   36 per cent of online banking attacks now target Android devices, up from just eight per cent in 2015.

·   262 million URLs were recognised as malicious by Kaspersky Lab products and there were 758 million malicious online attacks launched across the world – with one in three (29 per cent) originating in the US and 17 per cent in the Netherlands.

·   Eight new families of Point-of-Sale and ATM malware appeared – a rise of 20 per cent on 2015.

·   Attackers made use of the Google Play Store to distribute Android malware, with infected apps downloaded hundreds of thousands of times.