Friday 27 February 2015

TalkTalk Hacked via Third Party

TalkTalk customers are being warned about scammers who managed to steal account numbers and names from the company's computers. In an email sent to every customer, TalkTalk said scammers were using the stolen information to trick people into handing over banking details.

The theft of data was unearthed when TalkTalk investigated a sudden rise in complaints from customers about scam calls between October and December 2014, said a spokeswoman.

The attackers got at some of TalkTalk's internal systems via a third-party that also had access to its network. Legal action is now being taken against this unnamed third party.

The information stolen included names, addresses, phone numbers and TalkTalk account numbers. The company was confident that no sensitive or payment data went astray in the hack.
Cited at BBC News


Wednesday 25 February 2015

ICO Fines Hacked Insurance Firm £175,000

The Information Commissioner's Office has handed out a £175,000 fine to Staysure.co.uk after the insurance company's data breach last year, in which an unidentified hacker compromised 5,000 customers and accessed up to 110,000 live credit card details.
Following the breach in October, the ICO investigated the company's IT security practices and found that the hackers had potential access to up to 110,000 live credit card details, including the three-digit security codes (CVV), which should never be stored, as well as customer medical records.
The hackers in question, however, only targeted and downloaded card information. At the time of the breach, the hacked database contained three million customer records.
The watchdog found that the company had breached the 1998 Data Protection Act by failing to keep personal information secure, and that it had no policy or procedures for reviewing and updating its IT security systems.
In addition, it had twice failed to update (and thus remove known flaws in) its database software, which the ICO says would have prevented the incident. The hackers exploited flaws in the JBoss application server to inject a malicious page that created a backdoor onto the company's website. The flaw is said to have remained unpatched for five years.
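The two storage findings in the Staysure case (full card numbers held alongside the CVV) are the kind of thing an audit script can catch before a regulator does. The following is an added example, not code from Staysure or the ICO: it scans records for Luhn-valid card numbers and any populated CVV field, and shows a vault record that keeps only the BIN, last four digits and a keyed token. The sample rows, field names and HMAC key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample rows, shaped like a customer table that wrongly persists
# full card numbers and CVVs (the kind of data the ICO found at Staysure).
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "card_number": "4111111111111111",
     "cvv": "123", "expiry": "12/16"},
    {"id": 2, "name": "B. Example", "card_number": "4111 1111 1111 1112",
     "cvv": "", "expiry": "01/17"},                 # fails Luhn: not a real PAN
    {"id": 3, "name": "C. Example", "card_number": "411111******1111",
     "cvv": None, "expiry": "03/18"},               # already masked
]

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_KEYS = ("cvv", "cvc", "csc", "cvv2", "security_code")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (separators removed) found in a string."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def audit_rows(rows) -> list:
    """Flag rows that persist a full PAN or any CVV value.

    Returns (row_id, field, finding) tuples; masked PANs and empty CVVs pass."""
    findings = []
    for row in rows:
        for field, value in row.items():
            if field.lower() in CVV_KEYS:
                if value and re.fullmatch(r"\d{3,4}", str(value)):
                    findings.append((row["id"], field, "CVV stored"))
            elif isinstance(value, str) and find_pans(value):
                findings.append((row["id"], field, "full PAN stored"))
    return findings


def vault_record(pan: str, cvv: str, secret: bytes) -> dict:
    """Reduce a card to what may be kept: BIN, last four and a keyed token.

    The CVV is accepted only so the caller can forward it in the one-off
    authorisation request; it is deliberately absent from the returned record.
    The HMAC key is a stand-in for a key held in a separate secrets store."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    token = hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()
    return {"bin": digits[:6], "last4": digits[-4:], "token": token}


if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
    print(vault_record("4111-1111-1111-1111", "123", b"example-key"))
```

The keyed token (rather than a plain hash) means a leaked table cannot be turned back into card numbers by hashing the whole card number space, which is small enough to brute-force; the key has to live somewhere other than the database it protects.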

Monday 23 February 2015

Supply Chain Risk: Defending Business Continuity & Improving Cyber Security

A level of trust is often assumed when working with contractors, partners and suppliers but with over 40% of insider threats emanating from these third parties, how can a business track and manage this risk organisation-wide?
"One reason why organizations do not have effective plans in place for internal threats is that many classes of insiders, such as partners and suppliers, are invited within network perimeters and a certain level of trust is assumed,” says John Hunt, PwC Principal. “Businesses should understand that trust in advisors should not be implicit.”

Breaches we have seen where attackers infiltrated their target's supply chain:
  • In 2010 McDonald's had a security breach that saw its customers' emails, contact information and birth dates compromised. McDonald's said it had hired the marketing services firm Arc Worldwide to coordinate its e-mail promotions. Arc then hired another company to manage the e-mail list. It was that company, which Arc and McDonald's would not name, that suffered the breach. http://www.theregister.co.uk/2010/12/14/mcdonalds_data_breach/
  • The Chinese government stole F-35 blueprints from Lockheed Martin, according to documents leaked by whistleblower Edward Snowden. Some 50 terabytes of data were taken, including blueprints for the Pentagon's most advanced weaponry; the Black Hawk helicopter and the Navy's brand new Littoral Combat Ship are also reported to have been compromised. http://rt.com/usa/us-chinese-report-defense-888/
  • Home Depot: 53 million email addresses stolen. Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf
  • Aviva was using the MobileIron mobile device management service to manage more than 1,000 smart devices such as iPhones and iPads. On 20th May 2014, a hacker compromised the MobileIron admin server and posted a message to those handhelds and the associated email accounts, according to The Register's source. The hacker then performed a full wipe of every device and subsequently took out the MobileIron server itself. http://www.theregister.co.uk/2014/06/23/aviva_heartbleed_hack/
Join our webinar, where we will examine the threat environment, present a new 360 approach to Supplier Evaluation Risk Management, and demonstrate, through a case study, how one leading organisation's collaborative approach to supplier risk is providing greater transparency, consistent reporting and risk analysis across multiple functions and departments while eliminating spreadsheet management, in less time and more cost-effectively.


Thursday 19 February 2015

Police Scotland Loses over 20,000 Stop and Search Records

The admission came as senior officers appeared before a committee of MSPs at Holyrood.
Among them was Chief Constable Sir Stephen House, who said he had apologised for giving incorrect information to the police watchdog over stop and search statistics.
He was referring to comments made to the Scottish Police Authority.
Assistant Chief Constable Wayne Mawson told the committee that a total of 20,086 records had been lost because a "computer programmer pressed the wrong button between May and July last year".
The figures suggested that 356 children were searched by police after the pledge to end the practice was made.
At last week's special meeting of the Scottish Police Authority, senior officers blamed a "clunky" ICT system and problems with the recording of incidents for inaccuracies in the data they had provided to the BBC.
They said analysis of the figures now suggested that only 18 of the searches had been contrary to force policy.

Wednesday 18 February 2015

Malware Served at Jamie Oliver's Website

Jamie Oliver's website was affected by a "malware problem", a spokesman for the celebrity chef has acknowledged.

The celebrity chef's site has 10 million visitors per month and is ranked 515th in Britain, according to an analyst.

Malicious code injected into the site sought to exploit vulnerabilities in visitors' systems and install malware, researchers found.
If installed, that malware could give hackers control of users' computers, said one security consultant.
A spokesman for the Jamie Oliver Group played down the seriousness of the problem and told the BBC that it had been fixed.
The injected script redirected unsuspecting users to a WordPress site that hosted yet more malicious code. That code ran an exploit kit, which probed for vulnerabilities in the visitor's browser and plugins and installed malware called Dorkbot.
According to the spokesman, only 10 users had written to the site about the issue in the past couple of days. He added that the "low-level malware problem" had been identified and dealt with and that the site was now "safe to use".
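Site owners rarely spot an injected redirector by eye, which is why a compromise like this one tends to be reported by visitors or researchers first. The following is an added example, not code from the Jamie Oliver Group or the researchers quoted above: it parses a page's HTML and flags script and iframe sources loaded from hosts outside the site's own allow-list, plus inline scripts carrying common obfuscation markers (eval/unescape, long hex escape runs). The site host, allow-list and sample page are all constructed; the "compromised-wordpress.test" host is invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site and allow-list (assumptions for the example, not real domains).
SITE_HOST = "www.example-site.test"
ALLOWED_HOSTS = {SITE_HOST, "cdn.example-site.test"}

# Constructed page: two legitimate scripts, then an injected off-site loader,
# an obfuscated inline script and a hidden iframe, the pattern exploit-kit
# redirectors typically leave behind.  All host names are invented.
SAMPLE_HTML = r"""<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example-site.test/jquery.min.js"></script>
<script src="//compromised-wordpress.test/wp-content/uploads/loader.js"></script>
<script>var _0x1a=["\x68\x74\x74\x70\x3a\x2f\x2f\x63\x6f\x6d\x70"];eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
</head><body>
<p>Recipes</p>
<iframe src="http://compromised-wordpress.test/go.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

# Cheap obfuscation heuristics; tune for the site's own legitimate scripts.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|(?:\\x[0-9a-fA-F]{2}){8,}")


class ScriptCollector(HTMLParser):
    """Collect external script/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external_scripts, self.iframes, self.inline = [], [], []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def host_of(url: str, page_host: str) -> str:
    """Host a URL loads from; relative URLs resolve to the page's own host.
    Protocol-relative URLs (//host/path) are handled by urlparse."""
    return (urlparse(url).hostname or page_host).lower()


def audit_page(html: str, page_host: str, allowed_hosts) -> list:
    """Return findings as (kind, target) tuples for one fetched page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external_scripts:
        if host_of(src, page_host) not in allowed_hosts:
            findings.append(("external_script", src))
    for src in parser.iframes:
        if host_of(src, page_host) not in allowed_hosts:
            findings.append(("external_iframe", src))
    for code in parser.inline:
        if OBFUSCATION_RE.search(code):
            findings.append(("obfuscated_inline", code[:60]))
    return findings


if __name__ == "__main__":
    for kind, target in audit_page(SAMPLE_HTML, SITE_HOST, ALLOWED_HOSTS):
        print(f"{kind}: {target}")
```

Run against a fresh fetch of each template page on a schedule and diff the findings against the previous run; a new off-site script host or a new iframe is the signal, and keeping the allow-list short keeps the noise down.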

Monday 16 February 2015

Cyber Bank Robbers Swag an Estimated $1bn

Up to 100 banks and financial institutions worldwide have been attacked in an "unprecedented cyber robbery", claims a new report.
Computer security firm Kaspersky Lab estimates $1bn (£648m) has been stolen in the attacks, which it says started in 2013 and are still active.
A cybercriminal gang with members from Russia, Ukraine and China is responsible, it said.
Kaspersky said it worked with Interpol and Europol on the investigation.
It said the attacks had taken place in 30 countries including financial firms in Russia, US, Germany, China, Ukraine and Canada.
"These attacks again underline the fact that criminals will exploit any vulnerability in any system," said Sanjay Virmani, director of Interpol's digital crime centre.
Kaspersky said the gang's methods marked a new stage in cyber robbery where "malicious users steal money directly from banks and avoid targeting end users".
The gang, which Kaspersky dubbed Carbanak, infected bank networks with malware that included screen-recording ("video surveillance") capability, enabling it to see and record everything that happened on staff screens.
In some cases it was then able to transfer money from the banks' accounts to their own, or even able to tell cash machines to dispense cash at a pre-determined time of day.
Kaspersky said on average each bank robbery took between two and four months, with up to $10m stolen each time.
"It was a very slick and professional cyber robbery," said Kaspersky Lab's principal security researcher, Sergey Golovanov.
The Financial Services Information Sharing and Analysis Center, a body that alerts banks about hacking activity, said that its members had received a briefing about Kaspersky's report in January.
"We cannot comment on individual actions our members have taken, but on balance we believe our members are taking appropriate actions to prevent and detect these kinds of attacks and minimise any effects on their customers,'' it said in a statement.

Thursday 12 February 2015

NIS Directive: Cyber Attacks & Consumer Confidence – How Would you Fare?


Originally intended to come into force in 2015, the European NIS Directive has yet to take its final shape, but its potential impact on UK and European consumer confidence should not be taken lightly.

Cyber attacks are now commonplace in the news. Until now, European organisations have rested in the knowledge that it is their American counterparts, not they, who are required to report security breaches and risk the resulting reputational damage. Whenever the NIS Directive comes into force, be it this year or next, its reporting requirements could cause serious damage to brand reputation, with customers taking their business elsewhere at the click of a mouse.

Recent surveys conducted at the end of 2014 put the situation squarely into context.  The Sophos 2014 Retail Security Barometer states that 72% of 250 UK retailers surveyed did not have fundamental security in place to safeguard business and consumer data.  The Web Application Attack Report found that 48% of attacks target retail websites and at the same time a 2014 KPMG report states that 30% of respondents would not shop at a site that had previously experienced a cyber attack if they had other options, and 38% said they would perceive the company in a negative light once they had suffered a security breach.  In a brave new world where European companies will be required to report a breach, there is a real and significant danger for brand loyalty and negative revenue impact.

Yet, this is not something new.  While this problem is picking up pace, it has been around for a long time, so why, if you look at the retail sector alone are 40% of retailers acknowledging that they ‘don’t know why’ they haven’t implemented basic cyber security measures?  The head in the sand approach no longer cuts it, it’s not a question of ‘if’ but ‘when’ particularly when only 31% of retail organisations have any network protection beyond a firewall. 


It is easy to point a finger at the retail sector; e-commerce sites, with their consumer data and payment details, are obvious nectar for the cyber criminal. But all businesses are at risk. Dealing with businesses from every vertical sector on a daily basis, we can vouch that the state of unreadiness for cyber attack is not restricted to retail alone.

The question remains, what value do you place on reputation and customer loyalty and what measures do you need to take to shore up your defences?


Thursday 5 February 2015

Health Insurer Hacked - Mandiant to the Rescue

Anthem, the second largest health insurer in the US, has been hit by a cyber attack which, according to reports, could affect millions of customers.
The hackers gained access to Anthem's IT systems and obtained personal information on its current and former members, including names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.
The insurer, which set up a website to advise customers about the breach and the action being taken, said: “Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
Joseph Swedish, president and chief executive officer of Anthem, added that Anthem’s own associates’ personal information, including his own, was accessed during the security breach.
“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape,” said the company.