Friday 29 January 2016

Lincolnshire Council Shuts Down all IT After Data Breach

Medical records, addresses, dates of birth, and bank details all exposed according to insider

A zero-day security breach at Lincolnshire County Council has exposed locals' medical records, addresses, and bank details, claimed an anonymous tipster, though the council denies any data was stolen.

The breach was reported by The Lincolnite, which stated "anonymous reports from inside the council" suggested a major breach of its "main adult care system" had spaffed the sensitive personal information of constituents.

Talking to The Register this morning, a council spokesperson denied that any data had been lost and claimed an email attachment with a zero-day exploit had managed to infect its internal system after being sent to multiple members of staff.

In addition, The Lincolnite reported that another system which stored staff details and bank details, as well as "the G Drive, which holds various other documents and forms", had been breached.
According to the local paper's source, emails were not initially affected by the breach; however, the attackers' access seems to have been extended to include them.

The council's response has been to order staff to "close their computers and turn the power off."

Judith Hetherington Smith, the council's CIO, told the local paper that the council "closed down our systems very quickly to protect the data and are investigating the cause but at this stage have found no evidence of any breach."

A spokesperson for Lincolnshire County Council added that, "as a precautionary measure, [we] have suspended IT use until the extent of it is clear."

The shut-down seems to be affecting all of the council's systems.

As part of a campaign into UK councils' cyber security conducted last year, The Register was told that Lincolnshire County Council's AV solution(s) - the specifics of which the council declined to disclose - had thrown up 196,553 malware alerts in 2015.

The Register has learned that the council has outsourced its IT operations to Serco since last April, although what AV solutions the outsourcer company uses has not been disclosed.
The council told us that there had been 32 malware infections, via email, over that period. The areas and machines affected were not recorded, however.

Cited and more on this story at The Register 

Wednesday 27 January 2016

US Health Insurer #Centene Loses 950,000 Records

The medical records of nearly a million people have gone missing, a US health insurance company has admitted.
Centene Corporation said it was conducting an internal search for six hard drives containing the information.
Customers' names, addresses and dates of birth were included, as well as their social security numbers, membership details and health information, Centene said.
But no financial or payment details of customers were on the drives, it said.
"While we don't believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives," said Centene's chief executive, Michael Neidorff.
"The drives were a part of a data project using laboratory results to improve the health outcomes of our members."
Centene said the hard drives contained the personal health information of about 950,000 people who had received laboratory services between 2009 and 2015.
It said it would notify those affected and offer them free healthcare monitoring.
The company also said it would reinforce and review its procedures.
Cited and more on this story at BBC News
However, on checking, there is nothing on their website to notify customers of this.

Glasswall Solutions & ZeroDayLab join forces to launch cyber security offering

London UK, 25th January 2016: Glasswall Solutions, the acclaimed UK cyber security company, has cemented its partnership with expert cyber security consultancy group, ZeroDayLab.
ZeroDayLab will be utilising Glasswall’s unique “known good” approach to cyber security, which breaks in-bound files down to byte level to match them against manufacturers’ standard, in order to provide their clients with absolute security. Glasswall Solutions fits into ZeroDayLab’s 360° approach to IT security, providing best of breed technologies and award winning consultancy to offer total security management.
Kevin Roberts, managing director at ZeroDayLab said: “In recent times we have seen threats to cyber security increase at an alarming rate, and many businesses have found themselves unprepared and vulnerable to attacks. Having initially been commissioned to conduct an independent penetration test of the Glasswall software and email platform, which it passed with flying colours, we immediately saw the potential benefits Glasswall would provide our customers. Our partnership with Glasswall will cover every angle to provide a uniquely holistic approach to managing risks, which makes this an exciting and beneficial relationship.”
“Glasswall Solutions has developed a highly innovative answer to solve the single biggest cyber threat facing organisations around the world, presented by the corruption of email-bound documents. This threat is currently responsible for 94% of successful attacks, but with Glasswall’s technology and ZeroDayLab’s 360° IT security plan, these attacks are stopped at source. This unique partnership will bring something really special to our clients to provide complete protection,” added Roberts.
Due to the uniqueness of Glasswall’s technology, its addition represents an entirely new string to ZeroDayLab’s portfolio. ZeroDayLab plans on utilising Glasswall Solutions in order to close this gap in security for UK businesses.
ZeroDayLab’s client portfolio includes some of Europe’s leading firms in markets such as BFSI (banking, financial services and insurance), retail, telco, e-commerce, travel & logistics and defence.
“This partnership will address some of the biggest challenges businesses are expected to face in the coming year and beyond,” said Chris Dye, VP of Alliances at Glasswall Solutions. “With new EU regulation imminently coming into effect, companies must prove their compliance and protection, or risk facing fines of up to 5% of global revenue.”
“We have been looking for a partner who can support the implementation of our technology as part of organisations’ holistic IT security strategy. This partnership with ZeroDayLab offers an exciting prospect to combine our game changing technology – recently applauded by Chancellor George Osborne in his speech on renewed cyber security investment – with consultancy led expertise and relationships offered by ZeroDayLab. The partnership spells an exciting time for both companies,” concludes Dye.
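The "known good" approach described in the release above (and the email attachment that reportedly infected Lincolnshire County Council's systems, higher up this page) both come down to the same idea: parse an inbound file against the format's published structure and accept, or regenerate, only what matches. The example below is added here to illustrate that idea and is not Glasswall's or ZeroDayLab's code; it uses PNG because its chunk structure is small enough to check in full. The allowed-chunk set is an illustrative policy chosen for this example, and the 1x1 image and the tampered variants are constructed inline.

```python
"""'Known good' file validation, PNG edition (illustrative example).

Instead of looking for known-bad signatures, the file is parsed against the
format's published structure and only content that matches the structure,
and a whitelist of chunk types, is accepted or regenerated.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Illustrative policy (an assumption of this example, not a published standard):
# the four critical chunk types plus a few harmless ancillary ones.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB"}


def make_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob):
    """Return [(type, data), ...]; raise ValueError on any structural defect."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("bad signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError(f"chunk {ctype!r} overruns the file")
        data = blob[start:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"CRC mismatch in {ctype!r}")
        chunks.append((ctype, data))
        pos = end + 4
        if ctype == b"IEND":
            break
    if pos != len(blob):
        raise ValueError("trailing bytes after IEND")
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("IHDR/IEND framing missing")
    return chunks


def validate(blob):
    """Return (ok, reason): ok only if structure and every chunk type are known good."""
    try:
        chunks = parse_chunks(blob)
    except ValueError as err:
        return False, str(err)
    for ctype, _ in chunks:
        if ctype not in ALLOWED_CHUNKS:
            return False, f"chunk type {ctype!r} not in known-good set"
    return True, "ok"


def rebuild(blob):
    """Regenerate the file from its parsed chunks, keeping only allowed ones.

    Unknown ancillary chunks (lower-case first letter) are dropped; an unknown
    critical chunk cannot be dropped safely, so the file is rejected instead.
    """
    out = PNG_SIGNATURE
    for ctype, data in parse_chunks(blob):
        if ctype in ALLOWED_CHUNKS:
            out += make_chunk(ctype, data)
        elif not (ctype[0] & 0x20):
            raise ValueError(f"unknown critical chunk {ctype!r}")
    return out


def sample_png():
    """Constructed 1x1 greyscale PNG used as the 'clean' input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def sample_with_text_chunk():
    """Same image with a tEXt chunk (not in the allowed set) inserted before IEND."""
    good = sample_png()
    iend = make_chunk(b"IEND", b"")
    return good[:-len(iend)] + make_chunk(b"tEXt", b"Comment\x00hello") + iend


if __name__ == "__main__":
    print(validate(sample_png()))                   # clean file passes
    print(validate(sample_png() + b"\x00"))         # data after IEND is rejected
    print(validate(sample_with_text_chunk()))       # unlisted chunk is rejected
    print(validate(rebuild(sample_with_text_chunk())))  # regenerated copy passes
```

The point of `rebuild` is the one the release makes about stopping attacks "at source": whatever was hidden in an unlisted chunk never reaches the recipient, because the delivered file is regenerated from the parsed, allowed content rather than forwarded as received. A real product would do this for every supported format, not just PNG.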

Friday 22 January 2016

#TalkTalk Trouble as 7% of Customers Leave Following Data Breach

Remember the TalkTalk breach four months ago? (For a recap, here is my blog on it.) Well, new statistics came out yesterday from Imran Choudhary of the market watcher Kantar Worldpanel. 
These figures claim that the firm lost 7% of its broadband customers in the fourth quarter; with their customers turning to different providers. BT was the biggest winner by picking up 40% of this lost share. Nearly a fifth of those leaving TalkTalk did so directly as a result of poor reliability. 
TalkTalk share of the home services market fell by 4.4% from the previous quarter in terms of new customers. 
Imran argued that “customers have lost faith in TalkTalk as a trustworthy brand.”
He goes on to say: “TalkTalk continues to offer some of the most attractive promotions across the home services market and almost a third of its new customers did choose it for this reason, but there can be no doubt that it lost potential customers following the major data hack.”
“If it’s to recover from recent events TalkTalk will need to offer more than just good value.”
In the end it was claimed that 'just' 4% of customers had sensitive data exposed in the cyber attack – amounting to fewer than 160,000 users.
However, the firm was widely criticized for its muddled media response, and its refusal to waive substantial account termination fees unless customers could prove money had been stolen from their bank accounts as a direct result of the breach.
Shareholders actually responded pretty well to TalkTalk’s hardline stance on exiting customers, with shares rising 12% after the firm’s 1H 2015 financials were released.
However, TalkTalk has already admitted a one-off bill of £35m would have to be paid to cover incident response, external consulting and increasing call volumes as a result of the incident.
CEO Dido Harding claimed in the aftermath of the attack: “in the end our customers will judge us over the course of the next few months, and not by mine or anyone else’s words right now".
For the full article from Kantar Worldpanel click here

We, as an Industry, continue to learn from these kind of breaches. I recently wrote a blog on just this - see here for more information 

Irish Lottery Site Hit by DDoS Attack

Ireland's National Lottery website and ticket machines were knocked offline after a distributed denial of service (DDoS) attack on Wednesday.
Customers trying to buy tickets for the €12m (£9m) draw found themselves unable to do so for nearly two hours.
The jackpot was the largest in 18 months.
Premier Lotteries Ireland (PLI), the operator, has said the incident is under investigation.
During a DDoS attack, a website or online service's capacity to handle internet traffic is overloaded - usually by automated programs set to flood the site with requests.
The attack began at 11:21 GMT on Wednesday and lasted for about two hours.
Retail systems were brought back online by 12:45 GMT and the website by 13:25 GMT.
"They said you couldn't buy tickets from the ticket machines, which is really interesting, it's not just the website - it would be quite interesting to understand why that happened," said John Graham-Cumming at DDoS-protection company Cloudflare.

"This incident is still under investigation," a spokeswoman said.

"However, we can confirm that at no point was the National Lottery gaming system or player data affected."
Given the large jackpot involved, the lottery was experiencing high demand for tickets on Wednesday lunchtime.
The impact of the attack may well have been heightened by this, according to Igal Zeifman, senior digital strategist at cybersecurity company Imperva.
"As a rule, record-setting prizes and jackpots result in traffic spikes on lottery sites, and it is very common for DDoS attackers to strike during such predictable peak traffic times, especially when going after big targets," he said.
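The description above of how a DDoS works, and Zeifman's point that attackers time floods to coincide with legitimate peaks, is the reason most operators watch two numbers rather than one: requests per source (one noisy client) and requests in total (a distributed flood where no single source stands out). The detector below is an added example written for this post, not code from PLI, Cloudflare or Imperva; it assumes Common Log Format access-log lines arriving in chronological order, and the log lines it runs over are constructed inline, with the window size and thresholds chosen for illustration.

```python
"""Rate-based flood detection over constructed web-server access logs.

Two signals are tracked inside a sliding time window:
  * per-source request count  - catches a single noisy client
  * total request count       - catches a distributed flood in which no
                                single source exceeds the per-source limit
Log lines are assumed to arrive in chronological order (as they do when
tailing a live access log).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 10.0.0.5 - - [20/Jan/2016:11:20:58 +0000] "GET /play HTTP/1.1" 200 5123
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def detect_floods(lines, window_seconds=10, per_source_limit=25, total_limit=100):
    """Return (flagged, peaks).

    flagged: {ip: timestamp} for each source whose request count inside the
             window first exceeded per_source_limit.
    peaks:   timestamps at which the total request count inside the window
             exceeded total_limit (at most one entry per window).
    """
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(deque)
    recent = deque()
    flagged, peaks = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, ts, _path = parsed

        q = per_source[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) > per_source_limit and ip not in flagged:
            flagged[ip] = ts

        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > total_limit and (not peaks or ts - peaks[-1] > window):
            peaks.append(ts)
    return flagged, peaks


def sample_log():
    """Constructed log: a little legitimate traffic, then one noisy source,
    then a distributed flood from thirty addresses (documentation ranges)."""
    base = datetime(2016, 1, 20, 11, 20, 0, tzinfo=timezone.utc)
    events = []
    for i in range(5):                       # legitimate browsing
        for k in range(2):
            events.append((base + timedelta(seconds=i * 7 + k * 30), f"10.0.0.{i + 1}"))
    for k in range(40):                      # 40 requests in 4 s from one host
        events.append((base + timedelta(seconds=60 + k // 10), "198.51.100.7"))
    for host in range(1, 31):                # 30 hosts x 5 requests within 8 s
        for j in range(5):
            events.append((base + timedelta(seconds=120 + j * 2), f"203.0.113.{host}"))
    events.sort()
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /play HTTP/1.1" 200 5123'
            for ts, ip in events]


if __name__ == "__main__":
    flagged, peaks = detect_floods(sample_log())
    print("per-source offenders:", {ip: t.isoformat() for ip, t in flagged.items()})
    print("aggregate peaks:", [t.isoformat() for t in peaks])
```

In the constructed log the single noisy host trips the per-source limit while the thirty-host flood never does (five requests each), and only the aggregate counter catches it. That second counter is also the one a genuine jackpot rush will trigger, which is why a total-rate alarm on its own cannot distinguish an attack from the demand PLI was expecting on Wednesday lunchtime; in practice the thresholds are set against a baseline of normal peak traffic, and the per-source view is what tells the two apart.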

Friday 8 January 2016

Data Breaches & IT Glitches One Week in 2016

A week into 2016, we have already seen a few Security breaches/glitches that have hit our screens. 

Time Warner Cable (an American cable telecommunications company) yesterday started notifying up to 320,000 customers of a data breach in which their email and password details were likely stolen. However, I have yet to see anything on their website or social media platforms with comms on this...
An exact account of what happened remains unclear; TWC has not yet found any indication that its systems were directly breached.
The organization learned of the problem from the FBI, which recently notified TWC that some customers' email addresses and account passwords "may have been compromised."
"We are in the process of notifying approximately 320,000 customers across our markets of the possible breach," a company spokeswoman told PCMag in an email. "The information we received from the FBI is limited but there are no indications that TWC's systems were breached."
Cited and more on this story at PC Magazine 

Most people started their 2016 working year on Monday and unfortunately for HSBC customers they were faced with yet another IT glitch. This impacted customers using the banking site and mobile banking application. Customers were being told on Tuesday that they were overdrawn and would encounter a £5 charge...Incorrectly, may I add.
Customers took to Twitter and other social media sites to get their complaints and views across to HSBC. 
A video was posted by the Chief Operating Officer at HSBC, John Hackett, on Tuesday evening which said: 'Sorry, Sorry for the inconvenience and frustration that many of you have suffered. This was not a Cyber attack, it was an Internal issue and at no time was your data at risk in anyway. We don't want any of our Internet banking customers out of pocket.' 
Unfortunately, when HSBC posted this tweet on the first occasion, the helpful link was not working...But I checked this morning and the link is up.
Now HSBC has 17 million personal and business banking customers across the UK. It is not known how many of them have been affected by the problems.
But, rightfully so, MPs are demanding that HSBC explain what went wrong - amid concerns the failures "suggest a systemic weakness in infrastructure". This is not the first leading UK bank to have suffered in the past 6-12 months. 
Reflection Mode 
Data breaches that we have seen over the last 2 years can have a major impact not only on your brand reputation but on your share price. Don't get me wrong: will it impact you immediately? Maybe, maybe not, but I think it does depend on what market you are in. For example, Ashley Madison (a dating website for people in relationships - slogan 'Life is short. Have an Affair') got hit by an attack last year that saw over 32 million of their customers' details leaked. They have stated that since the attack their subscribers have grown by 4 million! This now brings it to 43 million subscribers.  Take a look at Graham Cluley's blog for a good brief.
I found the below on CSO online which gives a good indication of how some of the companies that have hit our screens have had a big impact on their share price a year after being hit.

However, when TalkTalk got hit last year, their share price fell by 10%. Even though the results above show that the share prices of the companies affected actually went up, I would say every market is different, and unless you're one of the big boys it's time to pull your socks up - not to mention the new EU laws or other legislation that will affect your business.

I feel that when I write these blogs I am repeating myself. Every breach, and yes I will include 'glitches', has an impact on you, however big or small you are. It comes down to 'Has this impacted my business?' or 'Will it?' - money talks, and that of course comes down to your customers' loyalty. Thoughts going forward (and feel free to add to this): we get better by understanding and mitigating attacks, by getting more predictive, but we need the armour to do so. With this comes incident response plans, good or great PR response and SECURITY AWARENESS/BEHAVIOUR TRAINING (sorry for the caps, but it's needed..). You and your users have a massive problem because of phishing attacks and information sharing (including social media).  Training needs to be done continuously.  How good are the people in your business at following policies and procedures? Where are the gaps? You might think you have it covered, but do you? Are your solutions/technologies still fit for purpose? What's happening on the deep and dark web: are the cyber criminals targeting you? Worse still, is your data for sale there? The list is limitless. Where do you start? Where do you end? 

I could go on, but as always, thoughts welcome... 

Monday 4 January 2016

Review of 2015 & Predictions for 2016 #ITSecurity

Guest Blogger: Nick Prescot 
Senior Information Security Manager
A new year beckons and there's been a lot said about what happened in 2015 and what will happen in 2016.  Well, what has been both an occurrence and a prediction is that cyber data breaches are becoming more commonplace in the minds of the C-level suite, in news headlines and in conversation at dinner parties.

Like many people over the festive period, there was the catch up with relations and friends along with the inevitable phrase of, 'what are you now doing these days?' - given that most of my respondents are used to the lawyer/accountant/banker/doctor/army officer type response, the reply of 'cyber security' always raises a slight eyebrow.  Their next thoughts are that I'm a hacker and/or work for the government. And then there are lots of questions about emails and credit cards and how they use various ways to thwart the hackers.

My response has been that I'm not a hacker, neither do I work for the govt. and then the general security awareness training.  People I think are interested for the first 10 mins and I can then see them gently nodding off whilst I get into the swing of it.  That's good news because they won't ask me again what I do and there is discussion of normal things.

So big breaches will happen (there was even a DDoS attack on the BBC on 31st December 2015) and the rise of awareness and investment in these areas will continue.  Companies will be buying cyber insurance and at the same time be putting in preventive controls as well. Whilst cyber insurance can help you in the event of a data breach, it can't help you prevent a data breach, and that's where preventive and detective controls are so important.  This is where there will be an emerging difference in the market, in that the insurers will be hedging on which of their insured will be the news story that ignites the market, and on which companies are 'letting in a goal' because they didn't employ best practices in defending their cyber assets.

Reputation is a big thing now too.  'Talk Talk' has a whole new meaning now, and whilst many people felt that brave appearances on news channels were a good thing, it did little to hide that it was the third time in a year that their systems had been breached, and that it was allegedly taken down by some bedroom script kiddies using a DDoS attack and some SQL...so much for state-sponsored cyber terrorists/hacktivists doing the dirty work.

Oh, and there's the EU GDPR (yes, it's a new acronym) and it's one that will be pressing on the minds of all.  Whilst it won't come into effect until next year, it will mean a lot of changes to any company processing personal data as a 3rd party.  Also the EU NIS (Network and Information Security Directive) will mean that countries within the EU will need to have a maintainable level of network and information security in place...this means CERTs...lots of CERTs, co-operation and resilience reporting from large institutions and public bodies to ensure continuity of these services in the event of a data breach.

So before I rabbit on in a dinner party style conversation and my audience nods off over the glass of port, the trend is clear; the legislation is getting tighter in terms of ensuring that you don't lose the data or be in a position where the data can be lost.  Also, reputation of the cyber assets is now firmly in the scope of dealing with good and bad PR.  Being secure is a positive attribute and if there is a data breach, having a track record of not being continuously hacked and a lack of controls won't be a bad thing!

Whatever happens in the next year, what's clear is that more data than ever will be processed, there will be a new iPhone/iPad, Microsoft will sell their holographic glasses and Google will have a new version of Google Glass.  Apart from that, I will most probably be saying the same thing in 12 months' time.

Blog on LinkedIn
More about me

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab.  Nick aims to assist companies who are looking to improve their cyber resilience and posture in the ever ongoing battle against emerging and continuing cyber threats.  By taking a detailed and holistic view of clients' policy and governance infrastructure, entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to clients so that their infosec operations and processes are aligned to industry practice.

Nick is also a seasoned incident response manager, and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and to deploy the specialist response assets that can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'

BBC Taken Down by DDoS Attack on New Year's Eve

A group that says it targets online activity linked to so-called Islamic State (IS) has claimed it was behind an attack on the BBC's website.
All the BBC's websites were unavailable for several hours on New Year's Eve after what a BBC source described as a "distributed denial of service" attack.
The group, calling itself New World Hacking, said it had carried out the attack as a "test of its capabilities".
In a tweet to BBC technology correspondent Rory Cellan-Jones, the group said: "We are based in the US, but we strive to take down Isis [IS] affiliated websites, also Isis members.
"We realise sometimes what we do is not always the right choice, but without cyber hackers... who is there to fight off online terrorists?
"The reason we really targeted [the] BBC is because we wanted to see our actual server power."
Earlier, New World Hacking had said: "It was only a test, we didn't exactly plan to take it down for multiple hours. Our servers are quite strong."
One of the group's members - nicknamed Ownz - told the BBC News website's Leo Kelion that New World Hacking was a team of 12 people - eight male and four female - who came together in 2012.
The group's other recent activities included taking part in a campaign against the Ku Klux Klan, and the #OpParis effort to identify and report IS social media accounts following the November attacks on the French capital, Ownz told the BBC.
Ownz said his group used a tool called Bangstresser - created by another US-based "hacktivist" - to direct a flood of traffic against the BBC, and had supplemented the attack with requests from its own personal computer servers.
The group has already used the technique against IS websites, but intended to "really get into the action" against a new list of targets associated with the militant Islamist group from Tuesday, Ownz claimed.

The problems on the BBC sites began at about 07:00 GMT on Thursday, and meant visitors saw an error message instead of the intended content.

The attack hit the main BBC website as well as associated services including the iPlayer catch-up service and iPlayer Radio app.
An initial statement tweeted by the BBC blamed the problems on a "technical issue". The corporation said it was working to make sites, services and pages reachable again.
By 10:30 GMT the site was largely working again although some pages and indexes took longer than normal to load.
At midday on Thursday, the BBC said its websites were now "operating normally", and apologised for any inconvenience caused.