Hello everyone - welcome to your October review!
We're finally into the final quarter of what's been a pretty intense year so far. Remember to take care of yourselves as we head into the winter months, and a second national lockdown in the UK.
We've been keeping busy - we were really pleased to be able to speak at Abertay HackSoc and also at DC151 in the last month, delivering a retrospective analysis of the Garmin WastedLocker ransomware attack back in July. We're waiting on a recording of this, so if you missed it we're hoping you'll be able to watch it on YouTube soon. Morgan also passed her AWS Solutions Architect Associate exam last week, which we're really pleased about, and she'll be writing a few things on cloud architecture in the future.
October was National Cybersecurity Awareness Month - and if you were following us on social media, you might have noticed that we shared a few security tips to help people stay safe online. We were also recently interviewed by Infosecurity Magazine about #NCSAM and IoT.
Moving onto industry news, British Airways have been fined £20 million by the ICO for the 2018 data breach which impacted over 400,000 customers; the fine was initially projected to be £183 million, but has been reduced due to the economic impact of the pandemic on the travel and tourism sector.
The Huawei Cyber Security Evaluation Centre (HCSEC) at GCHQ found some critical vulnerabilities in Huawei equipment at the end of 2019 that were too severe to disclose to Huawei. The vulnerabilities theoretically could allow threat actors (including nation state actors) to conduct a cyberattack. This likely contributed to the decision earlier this year to phase Huawei equipment out of the UK 5G network.
The ICO has ruled that Experian, TransUnion, and other credit referencing agencies need to make fundamental changes to the way they process customer data, or face huge fines. Following a two-year investigation arising from a privacy complaint, the ICO concluded that credit referencing agencies conduct a lot of invisible processing of customer data which consumers aren't made aware of - including the sale of this data onto third parties who use it for marketing purposes.
In other recent news, a Dutch ethical hacker recently logged into President Trump's Twitter account - apparently his password was "maga2020!" and at the time he hadn't enabled two-factor authentication. President Trump later made some questionable statements about what hackers need in order to access your accounts.
A string of cyberattacks against US hospitals is being attributed to a Russian criminal gang called Wizard Spider. Several hospitals were infected with Ryuk ransomware and the Trickbot trojan in September and October, in keeping with the increased focus on attacks against hospitals and other critical national infrastructure (CNI) that we've seen this year.
On the subject of ransomware, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) have recently released a statement cautioning companies that facilitating payment of the ransom demands accompanying these kinds of attacks risks breaching sanctions, and could result in enforcement actions or civil penalties. In other words, if you pay the ransom to a criminal gang under sanction, the US Government might fine you after the fact.
Microsoft recently leaked 6.5TB of Bing application search data via an unprotected Elastic server. Personal information wasn't included, but device IDs and hashes, search history and some location data were - and it included users from at least 70 countries. The data wasn't encrypted, and was available for up to six days before Microsoft fixed the problem.
BT and Toshiba have collaboratively revealed the UK's first "unhackable, quantum-secure network". If you're a cryptography nerd and you've looked into this, you'll see there's a bit of a red herring in this statement. The network is actually a quantum key distribution (QKD) system, which uses fibre-optic links to exchange cryptographic keys. It's definitely really cool, and faster than their current key-exchange process, but attacks have already been theorised against this technology. If you're interested, Imran Shaheem gave a related talk on this at BSides Manchester 2019.
Amazon recently fired an employee for disclosing customer email addresses to a third party, and are cooperating with law enforcement to prosecute the person involved. The UK Government also came under fire recently when it was discovered that the multi-billion pound Track and Trace system designed by Serco was using a spreadsheet rather than a database, and that an administrative error resulted in thousands of positive test results not being processed properly, which impacted projection figures used to model the spread of Coronavirus.
As always, thank you for reading - if you've missed any of our recent posts, you can check them out below!
Lots of love,
Security Queens xxx