Tuesday 31 March 2015

Serious Fraud Office Fined £180,000

The Serious Fraud Office (SFO) has been fined £180,000 after thousands of confidential documents from a high-profile bribery investigation were mistakenly sent to the wrong person.
The papers, from an investigation into a BAE Systems deal, contained evidence relating to 64 people.
They were wrongly sent to a witness in the case in an "astounding" lapse, the Information Commissioner's Office said.
The SFO said it had "substantially overhauled its procedures".
It is the first time the SFO has been fined by the UK's privacy regulator.
The documents - including bank statements, hospital invoices and passport details - related to the SFO's investigation into allegations that executives at BAE received payments as part of an arms deal with Saudi Arabia.
How do you manage your confidential data? 

Monday 30 March 2015

British Airways, GitHub & Slack Hit by Attacks

British Airways' air-miles accounts, the coding site GitHub and the work chat service Slack have all been hit in the latest wave of cyber-attacks.
The firms have all notified their users of the incidents, which varied in approach and do not appear to be connected.
In addition, several Uber users have complained of their accounts being hacked.
However, the car pick-up service said it had "found no evidence of a breach".
The firms have dealt with the attacks in different ways, and BA has been criticised for how it responded.

Complaints about points being stolen from BA's Executive Club scheme date back at least a fortnight.

One user said their account had been used by someone else to book a hotel room in Spain, while others reported that their list of transactions showed "ex-gratia" deductions that had wiped out their entire credit.
GitHub DDoS attack 
The attack on San Francisco-based GitHub - which is used by more than 8 million software developers - involved an attempt to knock its site offline by flooding it with traffic.
"We are currently experiencing the largest DDoS (distributed denial of service) attack in GitHub's history," the company said.
Slack reported it was attacked in February.
The US firm provides a way for team members to communicate with each other as an alternative to email.
The service is less than two years old, but was recently valued at $2.8bn (£1.9bn). Were businesses to believe the data it held was insecure, its future would be threatened.
Slack said it believed the hackers had accessed a database that would have allowed them to see user names, email addresses and Skype IDs.
However, it added that passwords - which give users access to posted information - were not stored in the clear but hashed (Slack said it uses bcrypt with a random salt per password), a form that made it "computationally infeasible" for the hackers to recover them.
Cited at BBC News
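The difference between a leaked table of fast, unsalted hashes and a leaked table of salted, slow hashes is what the "computationally infeasible" claim above rests on. The following Python is an added example, not code from the BBC report or from Slack, and it uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt so that it runs with no extra packages; the wordlist and the user password are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample inputs: a tiny attacker wordlist and one user's password.
WORDLIST = ["password", "123456", "letmein", "qwerty"]
USER_PASSWORD = "letmein"


# Scheme A: plain unsalted SHA-256. It is fast and gives every user with the
# same password the same digest, so a leaked table falls to a dictionary run
# or a precomputed lookup table almost immediately.
def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored_digest, wordlist):
    """Offline dictionary attack against Scheme A; returns the password or None."""
    for candidate in wordlist:
        if hash_unsalted(candidate) == stored_digest:
            return candidate
    return None


# Scheme B: random per-user salt plus a deliberately slow key-derivation
# function (PBKDF2 here; bcrypt, scrypt and argon2 serve the same purpose).
# The salt makes precomputed tables useless and forces the attacker to attack
# each user separately; the iteration count makes every guess cost ITERATIONS
# hash operations instead of one.
ITERATIONS = 100_000


def hash_salted_slow(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted_slow(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Simulate the attacker holding a copy of each scheme's password column."""
    leaked_a = hash_unsalted(USER_PASSWORD)
    leaked_b = hash_salted_slow(USER_PASSWORD)
    return {
        # Scheme A: the dictionary attack recovers the password outright.
        "unsalted_cracked": crack_unsalted(leaked_a, WORDLIST),
        # Scheme B: the same password hashed twice gives two different records.
        "salted_same_password_twice_equal":
            hash_salted_slow(USER_PASSWORD) == hash_salted_slow(USER_PASSWORD),
        # Scheme B still lets the legitimate login path verify the user.
        "salted_verify_correct": verify_salted_slow(USER_PASSWORD, leaked_b),
        "salted_verify_wrong": verify_salted_slow("password", leaked_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salted scheme does not make a weak password safe; an attacker can still try "letmein" against one user's record and hit. What it removes is the ability to crack a whole leaked table at once with precomputed work, which is why the iteration count (or bcrypt's cost factor) should be raised as hardware gets faster.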
Are you next? Have you got a Breach, Response & Readiness Program in place?
Contact us for more information

Thursday 26 March 2015

Data Security Breaches - Throw back Thursday

We take a look back at 2014's most infamous data security breaches:

Morrison’s supermarket (2014) An insider attack: the attacker published the firm’s entire workforce database online, covering 100,000 employees in all. An employee was later arrested for the incident; when the case comes to court it may reveal more about how the firm’s controls were bypassed. 
Staffordshire University (2014) The stolen-laptop scenario (which happens more often than you would think): details of 125,000 students and applicants were on a computer taken from a car. The files had been password-protected, said the University, but a password on an otherwise unencrypted file would have been little barrier to the names, addresses, telephone numbers and email data.
Mumsnet (2014) A victim of the Heartbleed OpenSSL flaw; the compromise allowed hackers to access anything up to 1.5 million user accounts on the hugely popular site, its owners revealed. Although the data in these accounts was less sensitive than in some other cases, the incident showed both the potency of big but undiscovered software flaws that affect many sites at once and that even big brands can be caught by them.
Think W3 Limited (2014) A serious attack in which a hacker obtained 1,163,996 credit and debit card records from online holiday firm Think W3 by using SQL injection to exploit a weakness in its website. The ICO described the incident as a “staggering lapse” and fined the company £150,000.
Moonpig (disclosed 2015) Another big one: a flaw in the firm’s Android app let a researcher access the records of any Moonpig account holder he tried, in theory exposing a total of three million people. As seriously, the researcher had reported the issue to the firm 18 months before going public in early 2015, after receiving an inadequate response. Significant partly because it involved a mobile app rather than the more common website breach.
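To make concrete what "using SQL injection to exploit a weakness in its website" means in the Think W3 case, here is an added example in Python with SQLite. It is not Think W3's code (the ICO's account does not give the vulnerable query) but a constructed lookup with a masked, made-up card table: the version built by string concatenation returns every row when fed a tautology or a UNION payload, while the parameterised version of the same query returns nothing.

```python
import sqlite3

# Constructed sample data standing in for the kind of records a booking site
# holds. The card values are masked placeholders, not real card numbers.
SAMPLE_ROWS = [
    ("alice@example.com", "4111********1111"),
    ("bob@example.com",   "5500********0004"),
    ("carol@example.com", "3400********0009"),
]


def make_db():
    """In-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Builds SQL by string formatting: attacker input becomes SQL syntax."""
    sql = "SELECT email, card_masked FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver binds the value; it can never be syntax."""
    sql = "SELECT email, card_masked FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology;
# the second appends a UNION that dumps the table and comments out the
# trailing quote.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT email, card_masked FROM customers --"


def demo():
    """Row counts returned for a normal lookup and for each payload."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice@example.com")),
        "vulnerable_tautology": len(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "vulnerable_union": len(lookup_vulnerable(conn, PAYLOAD_UNION)),
        "safe_tautology": len(lookup_safe(conn, PAYLOAD_TAUTOLOGY)),
        "safe_union": len(lookup_safe(conn, PAYLOAD_UNION)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is the second function: bind values, never assemble SQL from request data. A database account that can only read the columns the page needs, and card data that is tokenised or held outside the web-facing database altogether, limit what even a successful injection can reach.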
How do you go about reviewing/testing your IT Security?

Wednesday 18 March 2015

ZeroDayLab & Falanx Assuria Launch SOC

The Falanx Group's Security Operations Centre (SOC) is now fully operational from its Reading base. It was developed with Falanx's partner Assuria Limited and meets all UK Government recommended standards.

The SOC will provide a platform for the Group's Protective Monitoring solution, which is designed specifically to secure computer networks at the boundary and across data sources. The solution provides management and analysis of data and the provision of helpdesk services to continuously protect both legacy and cloud computing networks and systems from hostile attack, unauthorised data access, data theft, malicious damage, failure of process or technology, and human error.

In addition, the Group has agreed a Value Added Reseller (VAR) contract with ZeroDayLab, a leading provider of cyber security solutions. ZeroDayLab estimates that this agreement will attract orders in the region of £500k over the coming year.

Following on from the contract with CERT UK, the UK Government's cyber watchdog, and the joint venture with Principia Underwriting, Falanx Assuria has also begun technical evaluations with several system integrators to deliver its Protective Monitoring service across their client bases and projects.

Kevin Roberts, Managing Director of ZeroDayLab commented:

"We're delighted to be partnering with Falanx Assuria for our Next Generation SOC service providing 360 degree Threat Intelligence. An effective SOC is a vital component of an effective security strategy and this collaboration enables us to deliver a world-class SOC service for our clients which, combined with our market-leading security consulting services, will deliver an unrivalled, comprehensive approach to security strategy that is needed in today's constantly changing threat environment."

Hannah Doughty
Business Development Co-Ordinator 
0207 979 2067

Google Leaks Nearly 300k Customers' Personal Details

Google has accidentally leaked the personal details of more than 280,000 customers, Ars Technica reports. The fault first appeared back in mid-2013, but it has only recently been discovered and fixed, meaning people have been at risk for years.
Identified by security researchers at Cisco, the vulnerability affected domains registered through Google Apps for Work with the registrar eNom. The owners of the domains in question had all opted into "WHOIS privacy protection," which means that when someone queries WHOIS for the domain, the personal details of the person who registered it are hidden.
You might use the service if you're an anonymous political blogger, or run a website about an embarrassing hobby — or are just particularly privacy-conscious.
305,925 domains were registered this way - but Cisco found that 282,867 of them (94%) had their registrants' personal details unmasked due to a fault in Google's code. The leaked information included "full names, addresses, phone numbers, and email addresses."
Cisco first discovered the issue on February 19, 2015, nearly two years after the fault first arose. After Google was notified, it fixed the problem around a week later and notified customers last night. It is unclear how many customers seeking anonymity were unmasked as a result of this error.
Cited Business Insider UK

How do you go about reviewing and testing your IT Security? 

Staff are the 'Weakest Link in the Security Chain'

Advice issued by GCHQ and seen by The Telegraph warns firms that staff are the 'weakest link in the security chain' and could be blackmailed by enemy spies

Britain’s spies have told businesses to consider stripping employees of company smart phones and memory sticks to protect themselves from cyber-attacks, The Telegraph can disclose.
Advice issued by GCHQ, the government’s listening post, and other departments warns firms that staff are the “weakest link in the security chain” and protective action must be taken.
Companies have been told staff should only use trusted Wi-Fi networks – effectively ruling out using laptops in coffee shops like Starbucks without special protections – and keep internet browsers up to date.
They were also warned disgruntled employees may attempt to “steal or physically deface” computers or become vulnerable to blackmail if secrets about their personal lives become known.
The warnings were contained in ‘10 Steps to Cyber Security’ guidance issued by CESG – the Information Security arm of GCHQ – in conjunction with the Cabinet Office, Business Department and Centre for the Protection of National Infrastructure.
Cited in The Telegraph 

What would you say is your weakest link?

Monday 16 March 2015

Rotten Apples on Jamie Oliver's Website...Again!

Just weeks after the website was deemed safe, the vulnerability returns...

Naked Chef Jamie Oliver's website has been found serving malware for the second time in less than a month.
Researchers discovered the problem on Friday and, although it was dealt with in minutes, some claimed it had been active for up to eight days.
Site visitors using Internet Explorer without up-to-date Java and Flash plug-ins were redirected to another page that installed malware known as Dorkbot.ED, which monitors activity and can steal passwords and log-in details.
“We have taken measures to clear the offending code and the site is now safe to visit. We are now running a forensic audit to find out more information," the site's operators said in a statement.
Security experts have suggested this second attack was related to the first, indicating that administrators of Oliver's site may not have completely removed the malware from their servers when it was first discovered in February.
Cited ITPRO 

How do you go about reviewing/testing your IT Security?

Tuesday 10 March 2015

Supply Chain Risk = Data Loss

When it comes to working with third-party vendors, organisations around the world are more worried about the loss or exposure of mission-critical data than any other risk.
This is according to a poll of almost 500 IT and risk-management professionals, conducted by Forrester Research, published on March 3rd.
Some 63% of respondents considered data loss and theft the most significant risks associated with their supply chain relationships.
For comparison, just 55% said they were worried about whether their vendors would deliver a quality and timely service as contracted.
With recent stories such as TalkTalk being hacked via a third party, and others including TK Maxx, Tesco Clubcard, Home Depot, Aviva and McDonald's, please see Supply Chain Risk: Defending Business Continuity & Improving Cyber Security for more information.

For more information on our Supplier Evaluation Risk Management (SERM) service please CLICK HERE
Please join our webinar, where we will examine the threat environment, a new 360 approach to Supplier Evaluation Risk Management, and a demonstration and case study of how one leading organisation's collaborative approach to supplier risk is providing greater transparency, consistent reporting and risk analysis across multiple functions and departments, and eliminating spreadsheet management, in less time and more cost-effectively.

Click to Register