We’re at the tail end of another year and, as always, we’ve had plenty to talk about in the realm of cyber security. As a wrap-up, we’ve put together a list of some of the cyber security lessons from 2018 that made it into Cyber Bytes, in the hope that we won’t see too many repeats in 2019.
Facebook hack attack
Back in October, reports emerged that up to 50 million Facebook accounts had been compromised due to a weakness in the platform’s code.
This wasn’t the first case of a social media platform suffering a data breach, and it likely won’t be the last, so what can we learn from this?
- Make sure you change your password on Facebook (and change it regularly) – even if you were not contacted by Facebook to change it.
- Use a different password for all your different online accounts.
- Enable two-factor authentication on any platforms that give access to your finances or personal data.
- Decouple any applications and accounts you’ve configured to use your Facebook (or other apps such as Twitter) credentials to login. If a Facebook account is compromised, then the attackers potentially have access to all these other apps.
- Check your privacy settings on Facebook and make sure you’re not sharing more than you need to. You should get into the habit of doing this on a regular basis e.g. at least every three months.
Town dusts off typewriters after cyber-attack
In June this year, staff at a Borough in Alaska were forced to dust off old typewriters to continue with their duties after ransomware infected the computer system.
In the current environment, it’s not unusual for a business to have one or two devices infected with ransomware. Typically, those devices are isolated from the network and all other machines are checked to ensure that patching and antivirus signatures are up to date. In this case, the entire network, including servers, was infected and devices had to be built from scratch, with alternative technology being used in the meantime.
Prevention of ransomware is certainly better than reacting to an infection. Training staff to be vigilant to phishing emails, ensuring your systems are patched with the latest updates and maintaining separate back-ups of important data are all basic steps that every business should take. This example in Alaska provides a timely reminder to find out:
- Does your organisation have an incident response plan and does it include a scenario like this?
- Are your organisation’s patching and antivirus regimes appropriate, and is there any kind of reporting in place to identify gaps?
- Does your organisation have a standard build, and are the build states known?
- How are backups checked and stored?
- What scanning of incoming attachments is carried out?
- What training have staff had in respect of phishing emails and incident response procedures?
World Cup Phone app phishing
The phones of soldiers in the Israel Defence Forces were compromised earlier this year when Palestinian Islamist group, Hamas, loaded fake football and dating apps with malware.
Fake apps are becoming increasingly common, especially for major sporting events such as the Olympics and other global competitions. Therefore, users should be increasingly vigilant about where they are downloading additional apps from.
As mentioned above, it is important to make sure that any email, app or software you download is genuine. With most phishing campaigns there are tell-tale signs, including incorrect grammar or strange formatting, but detecting fake apps is much harder for end users. Although technical measures to identify malicious apps are improving, increasing user awareness is key and anyone downloading any new apps should ensure they only do so from official stores such as Google Play and the App Store.
Researchers show how Amazon Echo can be used for eavesdropping
With the use of handy ‘personal assistants’ like Google Home and Amazon’s Alexa increasing significantly in 2018, it is no surprise that their capability as listening—or ‘eavesdropping’—devices is causing concern amongst technology experts and device owners.
Whilst they are undoubtedly innovative and entertaining, the reality is that any device which is connected to the internet is at risk of being compromised. Security concerns have been raised that due to the listening capabilities, a compromised device could be configured to stream conversations without the owner’s knowledge.
Although it is likely to cause a feeling of unease in many, some users may not be concerned if their innocent conversations in their homes are being listened to. However, imagine you’re talking in a meeting room, discussing plans for an upcoming merger or acquisition and your competitors find out what your plans are and how much you’re willing to spend. This has significant implications and could lead to a serious advantage for your competition.
Anyone who is considering purchasing one of these devices should make a personal choice as to whether the benefits outweigh the potential risks of having one. Owners should ensure they change the default password that their new device comes with, that any software updates are applied as soon as possible, and that they exercise caution around what is said within listening range of these devices.
150m MyFitnessPal users hit by data breach
Back in April, health and fitness app MyFitnessPal was hit by one of the biggest data breaches to date, when hackers accessed the personal data of 150 million users.
There have been several fitness app breaches in the past few years and the severity of a compromise is determined by the immediate mitigating actions of the companies involved. In this case, the owner of MyFitnessPal, Under Armour, handled this breach very well as they addressed the affected users immediately and were using a strong password-hashing algorithm (bcrypt), which should slow any attempt to crack a user’s password from the data breach.
Slowing down an attacker’s chance to retrieve a password from a data ‘dump’ is vital in allowing users a chance to change their password on any other site where they may have re-used the same password as they did with MyFitnessPal.
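The point about bcrypt slowing down cracking can be checked on your own systems by auditing how stored passwords are hashed. The following is an added example, not code from the original post or from Under Armour: the function names, the `MIN_COST` policy floor and the sample rows are assumptions constructed for illustration.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")
# Bare hex digests of these lengths usually indicate a fast, unsalted hash.
FAST_HEX = {32: "md5", 40: "sha1", 64: "sha256"}
MIN_COST = 10  # assumed policy floor for this example, not a value from the article


def classify(stored):
    """Return (scheme, cost, finding) for one stored password value."""
    m = BCRYPT_RE.fullmatch(stored)
    if m:
        cost = int(m.group(1))
        if not 4 <= cost <= 31:  # bcrypt only defines costs 4..31
            return ("bcrypt", cost, "invalid cost")
        finding = "ok" if cost >= MIN_COST else "cost below policy"
        return ("bcrypt", cost, finding)
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in FAST_HEX:
        return (FAST_HEX[len(stored)], None, "fast hash: cheap to crack offline")
    return ("unknown", None, "review manually")


def relative_work(cost, baseline=MIN_COST):
    """bcrypt runs 2**cost key-setup rounds, so each +1 doubles the per-guess work."""
    return 2 ** (cost - baseline)


def audit(rows):
    """rows: iterable of (user, stored_value). Return only entries needing action."""
    findings = []
    for user, stored in rows:
        scheme, cost, finding = classify(stored)
        if finding != "ok":
            findings.append((user, scheme, cost, finding))
    return findings


# Constructed sample rows (not real credentials or real hashes).
SAMPLE = [
    ("alice", "$2b$12$" + "A" * 53),
    ("bob", "$2a$06$" + "B" * 53),
    ("carol", "ab" * 16),
    ("dave", "plaintext-looking-value"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Entries flagged as fast hashes or low-cost bcrypt are the ones to rehash at the user's next login.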
Did you know? Over 80% of users aged 18 or over reuse the same password across multiple accounts, meaning an account being compromised on one site can impact the same user across multiple sites.
With almost every site online now requiring users to register with an email and password (research has found that the average person may have as many as 90 different accounts requiring passwords), managing them all manually is becoming a virtually impossible task. The use of a password manager can help eliminate password reuse and will also generate complex, high entropy passwords that would be extremely difficult to crack if compromised.
UK firms failing to make financial plans for cyber attacks
A survey by Lloyds Bank in early 2018 showed that only a third of companies have a financial plan in place should a cyber-attack ever occur. Sadly, companies often look at the risks from cyber-attacks with a very narrow viewpoint – failing to consider that it is not just an IT issue. As well as the obvious business availability problems, there is a larger impact when a company is a victim of a cyber-attack – the bottom line.
Calculating the overall cost of a cyber breach is notoriously difficult. After the breach of Point-of-Sale machines at US retailer Target in 2013, the loss of business, cost of replacing compromised cards, refunds and equipment upgrades is believed to have cost them in excess of $400 million.
The recent NotPetya malware attacks are also estimated to have cost TNT Express around $300 million in the last quarter of 2017, and in this case no data breach actually occurred. Such disruption can cause operational issues, which can lead to reputational damage and significant cash-flow problems. Whilst many large corporations may be able to absorb short-term availability issues and potential share price fluctuations, many small to medium sized businesses can be put out of business within days of such an attack.
While cyber insurance can provide a blanket of comfort and peace of mind for some organisations, prevention should be a key focus, rather than recovery. There are many frameworks, such as ISO 27001, that allow businesses to develop and mature their internal policies so that a good cyber security posture becomes engrained in the workflow. Regular testing of these implemented controls is vital to ensure that they are working, rather than waiting to discover the presence of security holes when an incident takes place for real.
Don’t fall for fake iTunes and App Store messages
Phishing emails are becoming more and more sophisticated, particularly those claiming to come from brands we trust, like Apple or Amazon. It just takes one click on a link in a fake email for a computer to be infected with malware and, following the recent flurry of online purchasing during the seasonal Black Friday event, criminals will be seeking to exploit this annual opportunity with a deliberate increase in fake purchase messages.
Often, companies do not help themselves or their customers by placing links to their website inside important email communications. If Apple users do receive any messages about an App Store or iTunes purchase, we recommend manually visiting the App Store or iTunes websites to check, rather than risk clicking on a link in an email which might be a trap. This equally applies to any messages from financial institutions where customers may be asked to update personal details via links in email messages.
Never click on these links: banks have pledged not to ask their customers to do so in these situations, so any such requests are likely to be a scam.
Police hand out Malware-infected USBs as prizes at cyber security event
In probably one of the most ironic stories of the year—as part of a celebration of cracking down on cybercrime—Police in Taiwan accidentally distributed USBs containing a malware file. Out of 250 prizes given out to attendees at a cyber security expo, 54 drives were found to be compromised.
This is a clear example of why companies must ensure their supply chain is reliable and trustworthy, for both security and reputational reasons. It is also a reminder of the dangers of a social engineering technique known as USB baiting. This is a tactic used by criminals (and indeed many other malicious threat groups) where they purposely leave USB drives in public spaces in the hope that curious individuals will pick up the infected device and plug it into a workstation.
Back in 2008, the US suffered what was described at the time as ‘the worst ever cyber-attack against the US military’ after abandoned USB sticks were found in the Middle East and plugged into computers inside a US base. It took the Pentagon nearly 14 months to clear up the infection.
Even with improved public awareness, this is still a remarkably successful attack vector and we encourage all users to be suspicious of any unclaimed USB devices found lying around, and especially any that are given out as prizes or free gifts at events.
Here’s to a cyber safe 2019
As they say, the best defence is prevention. These are just a handful of the cyber security issues we saw in 2018 and we hope this blog post will help prevent a few in the future.
However, if your organisation’s IT security needs a review, a boost, or you need to start from scratch, talk to us. We have cyber experts on hand who can work with you to ensure you won’t be the next victim of cyber criminals.