Marriott hit by hack but where was their log management?

Marriott International Inc is the latest hack to be announced and this one could be the largest breach in corporate history.

Details of some 500 million guests were accessed from the company’s reservation database at its Starwood unit. This included passport numbers, mailing and email addresses and even some credit card details.

The breach reputedly happened in 2014, which raises the question: why was no one checking the logs? Was there no log management system, were the system administrators negligent in their duty, or, worse still, was the incident ignored?

A log management system collects data from servers, computers, routers, applications, databases etc. and generates information on what is happening in each system. All this diverse information is gathered together and, by looking at the trends or events happening on each system, an administrator can detect unusual behaviour, identifying a possible hack.

If these incidents go unchecked, a hacker has a free journey around the entire network, gaining access to more and more valuable resources such as personal data.
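As an added illustration of what such a system actually does (this is example code written for this page, not Marriott's or Digital Pathways' tooling), the Python below ingests constructed log lines from an SSH server, a database and a firewall, normalises them into one time-ordered event stream and applies four simple rules. The hosts, addresses, log formats and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (made up for this example, not from any real system).
# Three sources feed one collector: an SSH server, a database and a firewall.
SAMPLE_LOGS = """\
2014-07-14T02:11:03 web01 sshd: Failed password for svc_backup from 198.51.100.23
2014-07-14T02:11:05 web01 sshd: Failed password for svc_backup from 198.51.100.23
2014-07-14T02:11:08 web01 sshd: Failed password for svc_backup from 198.51.100.23
2014-07-14T02:11:10 web01 sshd: Failed password for svc_backup from 198.51.100.23
2014-07-14T02:11:14 web01 sshd: Failed password for svc_backup from 198.51.100.23
2014-07-14T02:11:20 web01 sshd: Accepted password for svc_backup from 198.51.100.23
2014-07-14T02:25:41 db01 mysqld: query by svc_backup from 10.0.5.12 table=guests rows=2400000
2014-07-14T02:31:02 fw01 firewall: ALLOW src=10.0.5.12 dst=198.51.100.23 bytes=1850000000
2014-07-14T09:15:00 web01 sshd: Accepted password for alice from 10.0.9.4
2014-07-14T09:16:12 db01 mysqld: query by alice from 10.0.9.4 table=guests rows=12
""".splitlines()

# One envelope format for every source, then one sub-pattern per source type.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
DB_RE = re.compile(r"query by (?P<user>\S+) from (?P<ip>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)")
FW_RE = re.compile(r"ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")

FAIL_THRESHOLD = 5            # failed logins before a success counts as password guessing
BULK_ROWS = 100_000           # rows in a single query that counts as a bulk read
EGRESS_BYTES = 1_000_000_000  # outbound bytes in one flow to a non-internal address
WORK_HOURS = range(7, 20)     # logins outside this window are flagged


def parse_line(line):
    """Normalise one raw line into an event dict, or None if the format is unknown."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": m["source"]}
    for kind, pattern in (("auth", AUTH_RE), ("db", DB_RE), ("fw", FW_RE)):
        sub = pattern.search(m["msg"])
        if sub:
            event["kind"] = kind
            event.update(sub.groupdict())
            return event
    return None


def detect(events):
    """Run the rules over time-ordered events; return (rule, timestamp, detail) tuples."""
    alerts = []
    failures = defaultdict(int)  # (ip, user) -> consecutive failed logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        stamp = e["ts"].isoformat()
        if e["kind"] == "auth":
            key = (e["ip"], e["user"])
            if e["result"] == "Failed":
                failures[key] += 1
                continue
            if failures[key] >= FAIL_THRESHOLD:
                alerts.append(("password-guessing-success", stamp,
                               f"{e['user']} from {e['ip']} after {failures[key]} failures"))
            if e["ts"].hour not in WORK_HOURS:
                alerts.append(("off-hours-login", stamp, f"{e['user']} on {e['host']}"))
            failures[key] = 0
        elif e["kind"] == "db" and int(e["rows"]) >= BULK_ROWS:
            alerts.append(("bulk-read", stamp, f"{e['user']} read {e['rows']} rows from {e['table']}"))
        elif e["kind"] == "fw" and int(e["bytes"]) >= EGRESS_BYTES and not e["dst"].startswith("10."):
            alerts.append(("large-egress", stamp, f"{e['src']} sent {e['bytes']} bytes to {e['dst']}"))
    return alerts


def analyse(lines):
    """Parse then detect; unknown lines are dropped rather than crashing the pipeline."""
    return detect([ev for ev in (parse_line(line) for line in lines) if ev])


if __name__ == "__main__":
    for rule, when, detail in analyse(SAMPLE_LOGS):
        print(f"{when} {rule}: {detail}")
```

Two of the four alerts (the guessed password and the off-hours login) fire on the same SSH event; the bulk read and the outbound transfer fire on other systems minutes later. Any one source on its own looks like a single oddity, which is the point of gathering the sources into one place: the chain from a guessed service account to a full table read to a large transfer out of the network is only visible when the events sit side by side.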

According to Colin Tankard, Managing Director of data security company, Digital Pathways, “when a hack occurs there are usually three stages. First, the primary hacker gains access and takes what they want. Second, the way in to the network is shared by the primary hacker to their colleagues and community. They then ‘pick over the bones,’ much like a vulture does after the lions have had their fill. Finally, login details are shared openly to all hackers on various websites and then all the wannabe hackers come in to ‘have a party’ inside the network. The most damage is often done at this point.”

The second question to raise is, where were the encryption keys being stored?

According to Marriott the data was encrypted but the encryption keys were taken, so the data could be read.

“There should always be separation of duties between administrators and security as well as encryption key storage and the systems the encryption is being used on,” says Tankard. “Any system that does not have this in place has a major flaw in its data security strategy. I always advise that encryption keys should be stored in a High Security Module (HSM) administered by the security team.

“The HSM is a server which creates encryption keys, stores them and when needed by an application, passes the encryption key for use. The key is never stored permanently in the application,” explains Tankard.

He adds: “It is also very important to change the encryption key on a regular basis; this is called key rotation.

“There is simply no cutting corners when it comes to data security, especially in today’s climate where cyber-criminals are on the increase and strident legislation, such as GDPR, is in place.

“Where personal data is being stored, robust data security systems must be in place but not only this, they must be managed in a responsible and timely way.”
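The key-handling pattern Tankard describes, as an added example written for this page (not Digital Pathways' or any HSM vendor's code): a `KeyService` class stands in for the HSM and holds versioned master keys that never leave it; the application stores only ciphertext plus a wrapped data key per record and asks the service to unwrap a data key when it needs one. Rotation creates a new master version and re-wraps every data key without touching the record ciphertext. The `seal`/`unseal` helper is a toy cipher (SHA-256 in counter mode with an HMAC tag) used only so the example runs with the standard library; the class and field names are assumptions.

```python
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: SHA-256 in counter mode. It stands in for AES-GCM, which the
    standard library does not ship; it is here so the example runs offline, not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or altered data raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ciphertext)


class KeyService:
    """Stand-in for the HSM (assumed interface): versioned master keys live only here.
    Callers receive wrapped (encrypted) data keys plus the master version that wrapped them."""

    def __init__(self):
        self._masters = {1: os.urandom(32)}
        self.current_version = 1

    def generate_data_key(self):
        data_key = os.urandom(32)
        wrapped = (self.current_version, seal(self._masters[self.current_version], data_key))
        return data_key, wrapped

    def unwrap(self, wrapped):
        version, blob = wrapped
        return unseal(self._masters[version], blob)

    def rotate(self):
        """New master version; older versions stay until every wrapped key is re-wrapped."""
        self.current_version += 1
        self._masters[self.current_version] = os.urandom(32)
        return self.current_version

    def rewrap(self, wrapped):
        return (self.current_version, seal(self._masters[self.current_version], self.unwrap(wrapped)))

    def retire_old_versions(self):
        self._masters = {self.current_version: self._masters[self.current_version]}


class ReservationStore:
    """The application side (assumed name): ciphertext plus a wrapped data key per record.
    It never sees a master key and holds a plaintext data key only for the duration of one call."""

    def __init__(self, key_service):
        self.ks = key_service
        self.rows = {}

    def put(self, guest_id, record):
        data_key, wrapped = self.ks.generate_data_key()
        self.rows[guest_id] = (wrapped, seal(data_key, record))

    def get(self, guest_id):
        wrapped, ciphertext = self.rows[guest_id]
        return unseal(self.ks.unwrap(wrapped), ciphertext)

    def rotate_keys(self):
        """Key rotation: new master version, re-wrap every data key, drop the old versions.
        Record ciphertext is untouched, so this stays cheap even with millions of rows."""
        new_version = self.ks.rotate()
        for guest_id, (wrapped, ciphertext) in list(self.rows.items()):
            self.rows[guest_id] = (self.ks.rewrap(wrapped), ciphertext)
        self.ks.retire_old_versions()
        return new_version

    def key_versions(self):
        """Which master versions currently protect stored records (all should be current)."""
        return {wrapped[0] for wrapped, _ in self.rows.values()}
```

The split matters for the scenario in the article: stealing the application's database and memory yields ciphertext and wrapped data keys, neither of which is readable without the master key held on the other side of the `KeyService` boundary. Rotation also gives the security team a recovery lever, since re-wrapping under a fresh master version invalidates any previously copied wrapped keys.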

Read the full article here in Global Security Magazine

The Future of Network-Connected Device Security

The proliferation of poorly secured network-connected devices has prompted the UK government to publish new best practice guidelines. Do these go far enough?

Wireless functionality has improved workplace efficiency and organisations are no longer restricted by cabling access. Unfortunately, many of these devices are poorly secured and rarely have their firmware updated.

The vulnerabilities in internet of things (IoT) devices have led to smart devices being part of botnets and incidents such as cardiac devices being vulnerable to hackers.

“The proliferation of IoT devices with poor security posture has increased the attack surface for threat actors dramatically,” says John Sheehy, vice-president of IOActive. “Compromised devices can be used by threat actors for anything from listening in on conversations and harvesting sensitive data, to cryptomining and jumping to traditional IT systems.”

Incidents where hackers have been able to exploit poor device security to obtain sensitive data have resulted in significant reputational damage, as happened to VTech in 2016. Such incidents could now – under the Data Protection Act 2018 – see companies fined.

As such attacks have become more frequent, the UK government has decided to step in. Earlier this year, the Department for Digital, Culture, Media and Sport (DCMS) published the Secure by Design report and later the Code of Practice for Consumer IoT Security – a guidance document advising on the best practices for securing IoT devices.

These guidelines are currently voluntary and are broken down into thirteen steps, as follows:

  1. No default passwords – all IoT device passwords should be unique and not resettable to any universal factory default value.
  2. Implement a vulnerability disclosure policy – all companies that provide internet-connected devices should provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.

To read all 13 steps click here to read the full article in Computer Weekly.com

Guideline benefits

For all of the challenges that come with this, organisations can nonetheless benefit from following such guidelines. In a survey by Bain and Co, it was discovered that executives would be prepared to spend 22% more on IoT devices that were proven to be secure.

“If a product has followed these guidelines, and has been independently checked, then people would pay more,” says Colin Tankard, managing director of Digital Pathways.

This increase in income could be used by manufacturers to offset the costs associated with following these best practice guidelines. Furthermore, the company's reputation would be protected by having secured its devices appropriately.

Can you trust one free app to keep all your passwords safe?

How to navigate the world of virtual storage vaults as hackers target providers.

A password manager can be a vital tool to keep your personal information out of the hands of online criminals – giving you a single log-in to an app that saves you having to remember lots of different codes.

Once you have signed in, you can use the app to store passwords for all your online accounts securely, or even log in to them directly from the password manager itself.

But there is a potential dark side to this technology as it could be a target for hackers.

If a fraudster were able to steal your master password, they could gain access to key financial details all at once. So should you trust a password manager to keep your information safe?

The apps use software to store all an individual’s passwords in a ‘virtual bank vault’. They are then accessed via the single hard-to-crack master password.

Experts including the National Cyber Security Centre – part of the Government Communications Headquarters intelligence service (GCHQ) – believe a password manager makes an individual’s data more secure.

But it has not stopped criminals targeting these password vaults. Last year, password manager LastPass discovered a flaw in its software that was fixed without it affecting the service. In 2015, it also had to fend off a cyber attack.

Password manager OneLogin also ‘detected unauthorised access’ last year but it was able to block it in time.

Colin Tankard, of Harlow-based data security company Digital Pathways, says a password manager does not offer bullet-proof security because it will always be a target for hackers.

Read the full article in The Mail Online here

The chilling email threatening to share embarrassing information that is ‘driving people to suicide’

“It breaks up perfectly stable relationships and causes untold misery”

A shocking email is reportedly being sent round to random victims threatening that embarrassing information will be shared online unless large sums of money are paid.

The ransom messages are even believed to be leading some victims to the brink of suicide, according to cyber security expert Colin Tankard.

He told the Mail on Sunday that the hackers are claiming to have set up malware on particular porn websites that have recorded what is happening on a person’s computer screen, while also recording them via webcam.

In one particular incident, a member of the public was warned that unless they made a “donation” of $3000 (or £2300), the embarrassing material would be leaked online to their contact list.

As reported by the Mirror Online, Colin Tankard said: “There have been instances when people have committed suicide as a result of the horrible threats made.

“It breaks up perfectly stable relationships and causes untold misery.”

There doesn’t appear to be any set group that is being targeted, with victims being selected at random.

Tankard added that in these situations, the worst thing that you can do is to pay the demand as it could then lead to that person’s contact details being put on a ‘sucker list’.

It is thought that around £30 million per year could be made from threatening innocent people.

One person who was randomly targeted by the scam was Mail on Sunday journalist Sarah Hartley, who said: “Although I knew I had not been watching pornography, the way I was threatened – that a video of me would be passed on to contacts if I dared breathe a word – was horribly menacing.”

The scam involves two payments of £500 or more, paid in anonymous bitcoin, which makes it difficult to track down the hacker.

Read the full article here in Essex Live

How trustworthy is AI?

Artificial intelligence (AI) and machine learning (ML) are two very hot buzzwords within the broader waves of technological change that are sweeping through our world under the banner of the Internet of Things (IoT). And, although their benefits look good, there is a fear that AI programs could go rogue and turn on us – or even be hacked by other AI programs.

Researchers from Harvard University demonstrated how medical systems using AI can be manipulated by an attack on image recognition models, getting them to see things that were not there. The attack program finds the best pixels to manipulate in an image to create adversarial examples that will push models into identifying an object incorrectly and thus cause false diagnoses.

Another doomsday scenario came from the RAND Corporation, a US policy think-tank that described several scenarios in which ML technology tracks and sets the targets of nuclear weapons. This would involve AI gathering and presenting intelligence to military and government leaders, who make the decisions to launch weapons. If the AI is compromised, it could be fooled into making the wrong decision.

Hackers love artificial intelligence as much as everyone else in the technology space and are increasingly tapping AI to improve their phishing attacks. Anup Ghosh, a cyber-security strategist, recently reported: “The evidence is out there that machines are far better at crafting emails and tweets that get humans to click. Security companies that fight these bad guys will also have to adopt machine learning.”

An AI security arms race is likely to be coming, as hackers’ ML-powered attacks are met with cyber-security professionals’ ML-powered countermeasures. A new concern around AI is in regard to regulation, specifically the General Data Protection Regulation (GDPR). Is it permissible to let a user give an application permission to make automated decisions on their behalf? If yes, will it be accompanied by a comprehensible explanation of how the AI makes decisions and how these decisions may impact that user? It could be a problem for companies developing AI that is so advanced nobody fully understands how it makes decisions. It is hard to know how all this will play out in practice. From a technical perspective, the level of granularity GDPR requires in explaining automated decisions is unclear. Until this is known, some innovators may choose to forge ahead with super algorithms. Others, worryingly, may ban European citizens from using some highly valuable functionality.

Read the full article here on page 20 of Network Security Magazine.

‘Pay the ransom – or watch me wreck your life’

‘Pay the ransom – or watch me wreck your life’: Chilling new fraud email that says you’ve been filmed on an adult website

  • The ‘ransom’ email explains that you have been caught viewing an adult website
  • The email includes key private details, such as secret passwords for a bank
  • Criminals are frightening victims into handing over £500 or more in Bitcoins

At first, the message seems harmless – an email pops up on your screen that could be from a friend or colleague.

But click on it and your blood will run cold. Because what follows is a string of vicious threats to destroy your life unless you hand over money.

The ‘ransom’ email explains that you have been caught viewing an adult website – captured on your computer’s camera.

To add credibility to the sting, the email includes key private details, such as your phone number and secret passwords for a bank or shopping account.

The effect is chilling, as Sarah Hartley, a Mail on Sunday journalist, found out for herself when she was targeted recently.

‘Like most journalists, I am as tough as old boots and used to dealing with all sorts. Yet what horrified me most about receiving such an email is that it breached my work firewall,’ she says.

‘That was my fault – the email name had looked credible. It came from a common female name and I had assumed it was a public relations adviser. So I clicked on the option to permit.

‘But when I read it I flushed hot and cold from head to toe – I was stunned by the sheer nastiness of the words. [see below].

‘If the person had been standing in front of me I felt they would have been wielding a knife. Adding to my sense of fear was that the email included a password I use for an online shopping account. A barrier had been broken.’

Hartley adds: ‘Although I knew I had not been watching pornography, the way I was threatened – that a video of me would be passed on to contacts if I dared breathe a word – was horribly menacing.

‘I would have been mortified to know my friends and work colleagues might be contacted in this way. The language was perfect – no hieroglyphics or request to send money to a Nigerian bank account – and that is what made it plausible.’

Hartley ignored the email. But criminals are frightening victims into handing over £500 or more in anonymous Bitcoins.

If they do not pay up, the blackmailer says they will share the details they have on the web.

Millions of computer users are being targeted in the sinister wave of ransom scams reputed to be cheating innocent people – targeted at random – out of at least £30million a year.

Personal information the blackmailers use to add credence to their claims can be bought for as little as £3 over the ‘dark web’ or ‘harvested’ using gadgets that can be purchased for about £40.

Colin Tankard is a cyber security expert who has been targeted himself by such criminals.

He says: ‘Ransomware can destroy lives.

‘There have been instances when people have committed suicide as a result of the horrible threats made.

‘It breaks up perfectly stable relationships and causes untold misery.’

Tankard, managing director of Harlow-based Digital Pathways, adds: ‘Part of the awfulness of such cyber attacks is that these emails are often sent randomly.

‘The criminal has no idea what a recipient has been doing – just making a guess.

‘Paying up is the worst thing a victim can do. You are then put on a ‘sucker list’.’

This means your name will be added to lists of people deemed susceptible to crime, which are then traded among criminals – invariably leading to victims receiving further demands for money.

Menacing language is used to make the victim feel insecure and vulnerable.

Tankard says: ‘Wording usually goes as follows, “While you were watching videos, your internet browser started out functioning as a remote viewer having a keylogger which gave me accessibility to your screen and web cam. After that, my software program obtained all your contacts.”

‘Then, “Well, in my opinion, $1,000 is a fair price for our little secret. You’ll make the payment by Bitcoin.”

Read the full article here in The Mail on Sunday

Chilling ransom attacks

Chilling ransom attacks threatening to share embarrassing information ‘driving people to suicide’

Victims are told compromising material will be shared unless they cough up huge sums of money

Chilling ransom messages being sent to random victims are costing them thousands of pounds and even driving some to the brink of suicide, according to reports.

Shocking emails sent to victims warn that compromising material will be used against them unless they hand over vast sums of cash.

In some cases, hackers claim that malware is set up on porn sites, meaning they have recorded what’s happening on a person’s screen while recording them on a webcam.

One such demand, the Mail on Sunday reports, says that unless the user gives a “donation” of $3,000 – £2,300 – the material will be sent to their contacts.

Cyber security expert Colin Tankard told the newspaper: “There have been instances when people have committed suicide as a result of the horrible threats made.

“It breaks up perfectly stable relationships and causes untold misery.”

Victims tend to be selected at random and the sender does not have compromising material.

Mr Tankard said paying up is the worst thing someone can do in this situation, as this means they could be put on a ‘sucker list’.

This means they could be targeted again.

It is thought that innocent people could be ripped off to the tune of £30million per year.

Mail on Sunday journalist Sarah Hartley, who was targeted by ransomware, said: “Although I knew I had not been watching pornography, the way I was threatened – that a video of me would be passed on to contacts if I dared breathe a word – was horribly menacing.”

People are persuaded to pay sums of £500 or more in anonymous bitcoins, making it hard to track down the scammer.

Famous examples include the WannaCry virus, which impacted more than 200,000 computers, including those used by the NHS.

Some victims paid up more than £100,000 to unlock their machines.

Read the full article here in The Mirror

Quantum Computers are coming.

Prepare now for quantum computers, QKD and post-quantum encryption

The predicted processing power of quantum computers is likely to make existing encryption algorithms obsolete. Quantum key distribution (QKD) is a possible solution – we investigate whether QKD is viable.

Quantum computers have been on the horizon for several years, but recent breakthroughs mean we could expect to see enterprise-level quantum computers within 20 years.

Quantum computers use the principles of quantum mechanics, such as superposition and entanglement, to perform their processes. While current computers use binary digits (bits), quantum computers use quantum bits (qubits), which can be in superpositions of states. This allows quantum computers to perform multiple calculations simultaneously, making them exponentially faster.

Given their ability to perform multiple processes simultaneously, quantum computers will enable many useful applications, such as imaging technologies and the modelling of chemical reactions. But these are just two areas in which quantum computers are expected to have a huge impact.

Quantum computers are still very much at the experimental stage, mostly under the remit of private research and development laboratories. However, it is only a matter of time before the engineering hurdles are overcome and quantum computers become cost-effective.

Attempting to prophesise when technology will become available is always risky. That said, many professionals believe the 20-year time-frame is realistic, but quantum computers are likely to become available to governments, universities and research institutes a bit sooner.

Encryption in the quantum age of computers

Quantum computers will have grave consequences for current encryption algorithms. “In the world of counting on being able to hide the key through prime numbers, when quantum comes online, all of a sudden that does not work so well,” says Jeff Hudson, CEO of Venafi. “Quantum computers can theoretically instantaneously work what would take a long time for standard computers.”

The current encryption protocols are based on complex mathematical problems. These mathematical problems are so complicated that it would take many years for conventional computers to solve them without the encryption key. “The flaw at the moment is that the message and the private key travel together, so if you have enough processing power you can work out the key and compromise the data,” says Colin Tankard, managing director of Digital Pathways. “That is where quantum computing is going to break encryption, because it will be able to process it really quickly.”

It is believed that a sufficiently powerful quantum computer running Shor’s algorithm could easily break these encryptions in a fraction of the time a conventional computer would take. “For a normal computer it is still around 70 years before they can break AES256 encryption,” says Tankard. “The faster the processor, the quicker that is going to be.”

Read the full article in Computer Weekly here

Recent Hacks Highlight Need For Intelligence Threat Detection

The recent cyber-attacks on both British Airways and Stena Line highlight the growing need for any entity that stores sensitive information to install intelligence threat detection software, in order to avert hackers before they cause damage.

British Airways saw some 380,000 passengers’ card details accessed, while Stena Line had 800 of its staff’s bank accounts and personal details taken.

In the case of Stena, it appears that hackers gained access via ‘phishing’ emails, whilst there is concern that British Airways’ Payment Card Industry (PCI) compliance may not have been robust enough. As a result of the attacks, both could face major fines under the GDPR, should they be seen to have not had sufficient data security in place.

“There is no doubt that cyber-attacks are going to increase and become more and more sophisticated,” says Colin Tankard, Managing Director of data security company, Digital Pathways.

“Because of this, installing robust intelligence threat detection software becomes a ‘no-brainer’.”

Advanced threat detection (ATD) goes beyond basic security analysis. It works at a deeper level in order to fix vulnerabilities and help prevent cyber threats before they take hold.

In traditional anti-virus software, the focus is on known ‘signatures’ of malware which could cause damage or leak out data. Such systems recognise the program and stop it, putting it into quarantine. However, modern threats tend not to have a signature and do not look like a program, so they go undetected by anti-virus.

Even unusual data movement can be disguised by these programs, making it look legitimate. For example, the data flowing out could be seen as a normal batch process being undertaken by a website, say, transferring user data over to a billing system.

Tankard adds, “Fileless attacks often go undetected. It is vital, therefore, to have a system in place that can instantly recognise the threat once it is revealed and is able to take the necessary action to stop it. Otherwise, the data will be gone before anyone knows about it.”
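One defensive answer to the disguised batch-process problem above is to judge outbound traffic against what each host normally does rather than against a signature. The Python below is an added example written for this page (not any vendor's ATD product): it builds a per-host baseline from constructed daily flow summaries and flags, for the day under review, any destination the host has never sent to and any known destination receiving several times the usual volume. The host names, destinations, byte counts and the 5x ratio are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed daily outbound-flow summaries (date, source host, destination, bytes out);
# made up for this example, not real traffic.
FLOWS = [
    ("2018-09-01", "web01", "billing.internal", 410_000_000),
    ("2018-09-02", "web01", "billing.internal", 395_000_000),
    ("2018-09-03", "web01", "billing.internal", 420_000_000),
    ("2018-09-04", "web01", "billing.internal", 405_000_000),
    ("2018-09-01", "web02", "billing.internal", 18_000_000),
    ("2018-09-02", "web02", "billing.internal", 19_000_000),
    ("2018-09-03", "web02", "billing.internal", 21_000_000),
    ("2018-09-04", "web02", "billing.internal", 20_000_000),
    # the day under review
    ("2018-09-05", "web01", "billing.internal", 3_900_000_000),  # usual destination, ~10x usual volume
    ("2018-09-05", "web01", "203.0.113.77", 850_000_000),        # destination never seen before
    ("2018-09-05", "web02", "billing.internal", 20_000_000),     # normal batch run
]


def build_baseline(flows, review_date):
    """Per (src, dst) daily byte history and per-src known destinations, using only
    days strictly before review_date so the day being judged cannot skew its own baseline."""
    history = defaultdict(list)
    known = defaultdict(set)
    for date, src, dst, nbytes in flows:
        if date < review_date:  # ISO dates compare correctly as strings
            history[(src, dst)].append(nbytes)
            known[src].add(dst)
    return history, known


def detect_egress_anomalies(flows, review_date, ratio=5.0):
    """Return (src, dst, reason) for each flow on review_date that departs from the baseline."""
    history, known = build_baseline(flows, review_date)
    findings = []
    for date, src, dst, nbytes in flows:
        if date != review_date:
            continue
        if src not in known:
            findings.append((src, dst, "no-baseline-for-host"))
            continue
        if dst not in known[src]:
            findings.append((src, dst, "new-destination"))
            continue
        usual = median(history[(src, dst)])  # median resists one earlier spike poisoning the baseline
        if nbytes > ratio * usual:
            findings.append((src, dst, f"volume-spike-{nbytes / usual:.1f}x"))
    return findings


if __name__ == "__main__":
    for src, dst, reason in detect_egress_anomalies(FLOWS, "2018-09-05"):
        print(f"{src} -> {dst}: {reason}")
```

The legitimate billing transfer from web02 passes because it matches its own history; the same transfer name on web01 is flagged because the volume is an order of magnitude off, and the never-before-seen external address is flagged regardless of size. A baseline built from a window that already contains the attacker's traffic would learn it as normal, which is why the window excludes the day under review and uses the median rather than the mean.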

Read the full article in Global Security Magazine here

Hackers steal details of 380,000 BA Customers

EXCLUSIVE: As hackers steal details of 380,000 BA customers, we are given unique access to the agents fighting masterminds of financial crime

The recent data breach at British Airways saw hackers steal the financial details of 380,000 customers.

It is the latest in a maelstrom of cyber attacks that are spreading computer viruses and installing malware to plunder bank accounts and make ransom demands.

The Mail on Sunday gained exclusive access to the secret service’s National Cyber Security Centre to discover more about this growing dark web threat.

These days James Bond requires more than just a poison dart-firing fountain pen or an Aston Martin with revolving number plates. He also needs the skills of an IT expert.

While the secret agent may be a fictional character, his evil nemesis Spectre is becoming a reality. Led by super-villain Blofeld – portrayed by cat-stroking actor Donald Pleasence in You Only Live Twice – Spectre stands for Special Executive for Counter Intelligence, Terrorism, Revenge and Extortion. The shadowy organisation could also be used as a 21st Century description for the dark web.

To combat this growing threat of cyber terrorism, the National Cyber Security Centre was set up two years ago as a new arm of the Government’s intelligence service that includes the Security Service (MI5) and Secret Intelligence Service (MI6).

Controlled by the Government Communications Headquarters (GCHQ), which cracked the German Enigma codes in World War Two, it is housed in a grand office block close to the Secret Intelligence Service headquarters in Millbank, Central London.

Its cyber security technical director is Dr Ian Levy, who invited The Mail on Sunday into his lair to learn how its secret technology is defending us from an avalanche of cyber attacks.

Welcomed by half a dozen sharply dressed security guards in the foyer, we are ushered through two security level checks requiring separate colour code passes. A guide taps digits into the wall as we walk through bank vault-style doors to an open plan office.

There is no sign of Daniel Craig sitting at a desk doing his expenses and outside M’s meeting room Miss Moneypenny appears to have gone to lunch. Even the hat stand in the corner is missing.

The intelligence service has gone smart-casual. Dr Levy arrives sporting a trendy Ted Baker jacket, two-tone brown brogues and blue jeans.

He says: ‘There is a common misconception that cyber security is all spooks on the trail of hackers in hoodies. The reality is that cyber security is something we need to be open about. We use our technical expertise and knowledge to block an average of 4.5 million malicious emails a month that would otherwise reach computer users.’

A dedicated army of computer boffins housed within the top-security building works around the clock to keep up this cyber ring of steel for the nation.

Staying one step ahead of the hackers is a constant challenge and requires the best IT brains in Britain to develop new software to block the fraudster attacks. The moment a new phishing website targets our shores, an ‘active cyber defence’ unit pounces – blocking the criminal in an hour.

Some 80,000 cyber attacks were thwarted last year – including 590 ‘significant instances’ that might have led to widespread computer virus infections and ransomware stealing our personal data. The centre also provides online security advice to up to 100,000 computer users a month.

The Secret Service’s behind-the-scenes work has been funded with a £1.9 billion cash injection from the Government. It is not only stopping millions of unwanted emails getting through but the centre’s work is also helping to crack down on copycat websites and block 120,000 spoof ‘@gov.uk’ addresses.

Foreign government hackers – from Russia, China and North Korea – are also regularly intercepted from the tell-tale way their software codes are written.

Levy says: ‘Our job is to make Britain an unattractive target for cyber criminals, but we are not a regulator. We are here to offer real support. There is no need to panic but we must all take cyber security seriously. As a computer user you should not only always back up data but consider using security software and password managers that store complex password codes on your behalf.’

The National Cyber Security Centre offers advice to combat fraud at ncsc.gov.uk. It also supports businesses wanting to improve their cyber security. Last year, it worked with the National Health Service when WannaCry ransomware hacked into the computers of 47 trusts.

Fight email ‘phishing’ fraudsters

About 17 million victims in Britain were swindled out of a total of £4.6 billion last year as a result of cyber fraud, according to the software security firm Norton.

One of the most common methods employed by criminals to steal our money was by getting computer users to reveal key personal banking information through the sending of bogus emails.

Known as ‘phishing fraud’ the sender often pretends to be someone official to gain trust, perhaps posing as a bank official or tax inspector. There is usually a sense of urgency involved, such as a claim that someone else is emptying your bank account, thereby panicking you into taking rash action.

The best response is to stay calm and not reply. Often just checking the details of the email address from which the message was sent is enough to send alarm bells ringing. Spelling mistakes are rife because the senders are often based overseas.

Phone the company the email sender claims to be representing to check if they are real. A bank will never ask you to share your personal details with them or with anyone else.

Colin Tankard, of Harlow-based data security company Digital Pathways, says: ‘Look at whether the email address tallies with whom it claims to be from. Small spelling mistakes are a tell-tale sign something is up.

‘You might also do a search of an email address on Google to see if it is flagged up as a security risk.’

It is not just bogus emails that can trick you into revealing key personal information.

Also keep an eagle eye out for copycat websites. Accommodation websites, passport assistance and tax support services can look like the real thing until you study the address suffix. For example, ‘co.uk’ is normally an indication of an official website. But ‘co.com’ could well suggest the website is a copycat, hoping to trick you into paying for services that are free from official websites.
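The checks in the last few paragraphs (does the sender's address tally with who it claims to be, are there look-alike spellings, is the suffix a copycat such as ‘co.com’, is there a sense of urgency) can be scripted. The Python below is an added example written for this page, not Digital Pathways' or the NCSC's tooling; the trusted domain list, the sample messages and the reason labels are all constructed for the example.

```python
import difflib
from email.utils import parseaddr

# Assumed list of domains the reader genuinely deals with (placeholder values).
TRUSTED_DOMAINS = {"hmrc.gov.uk", "mybank.co.uk"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")
SECOND_LEVEL = {"co", "gov", "ac", "org", "nhs"}  # labels like co.uk / gov.uk / co.com


def registrable_domain(address):
    """The part of the address a person actually reads: example.co.uk, not mail.example.co.uk."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def normalise(domain):
    """Undo common look-alike substitutions: 'rn' for 'm', digits standing in for letters."""
    return domain.replace("rn", "m").translate(str.maketrans("0135", "oles"))


def assess_message(from_header, subject, trusted=TRUSTED_DOMAINS):
    """Return a list of reasons to distrust the message; an empty list means none found."""
    name, address = parseaddr(from_header)
    domain = registrable_domain(address)
    compact_name = name.lower().replace(" ", "")
    reasons = []
    if domain not in trusted:
        for t in sorted(trusted):
            brand = t.split(".")[0]
            # Display name drops a trusted brand but the address belongs to someone else.
            if brand in compact_name:
                reasons.append(f"display-name-claims-{brand}-but-domain-is-{domain}")
            # Spelling that only looks like the trusted domain.
            if normalise(domain) == normalise(t) or difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85:
                reasons.append(f"lookalike-of-{t}")
    if domain.endswith(".co.com"):
        reasons.append("copycat-suffix")
    if any(phrase in subject.lower() for phrase in URGENCY_PHRASES):
        reasons.append("urgent-language")
    return reasons


# Constructed sample messages (headers only) to run the checks over.
SAMPLE_MESSAGES = [
    ('"HMRC Refunds" <refunds@hmrc-gov.co.com>', "Urgent: claim your tax refund within 24 hours"),
    ('"MyBank Security" <alerts@rnybank.co.uk>', "Your account has been suspended"),
    ('"Alice" <alice@mybank.co.uk>', "Lunch on Friday?"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLE_MESSAGES:
        print(sender, "->", assess_message(sender, subject) or "no concerns")
```

None of these checks proves a message is genuine: a real sender can be urgent, and an attacker can register a domain that survives every test here. They are a screen that turns the article's advice into something that runs before you pick up the phone to the organisation the message claims to come from.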

Website ActionFraud offers advice to victims but you must first contact your bank and the police.

Read the full article in Mail on Sunday here