Carphone Warehouse Fined £400,000
The Information Commissioner’s Office (ICO) has fined Carphone Warehouse an eye-watering £400,000 for what it described as distinct and significant inadequacies in the retailer’s security controls.
The full report by the ICO (PDF) is worth reading. It goes into a lot of detail around the vulnerabilities, such as the attacker scanning the systems with Nikto and then gaining access through a woefully out-of-date WordPress installation that was running as the CMS. It also covers how credentials were stored in plaintext and how the attacker was able to access large amounts of personal data.
There are many more details in the report, which I highly encourage you to read, but it essentially boils down to an absence of fundamental security controls, no assurance activity to verify that systems were actually secured, and no monitoring or detection controls in place.
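To make the “no monitoring or detection” point concrete, here is a small added example (mine, not from the ICO report and not anything Carphone Warehouse ran) that reads combined-format web server access logs and flags the kind of activity the report describes: a Nikto scan, which announces itself in its default User-Agent, plus the fallback heuristics you need when the scanner hides its User-Agent (a burst of 404s from one address, and probes for WordPress/phpMyAdmin paths). The log lines are constructed; the addresses and paths are made up.

```python
"""Scanner-activity detection over web server access logs (Apache/Nginx combined format).

Added example by the editor, not from the ICO report and not anything Carphone Warehouse ran.
The log lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Nikto announces itself in its default User-Agent ("Mozilla/5.00 (Nikto/2.1.6) ...");
# other tools do the same. Cheap to match, but trivially changed (Nikto's -useragent option),
# which is why the 404-burst and probe-path checks below exist.
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "masscan", "dirbuster", "nmap scripting engine")

# Paths scanners probe for; several are WordPress-specific (readme.html leaks the version).
PROBE_PATHS = ("/wp-admin/", "/wp-login.php", "/xmlrpc.php", "/readme.html", "/phpmyadmin", "/cgi-bin/")

# Constructed sample: one normal visitor, one default-UA Nikto run, one scan with a browser UA.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:09:15:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0"
203.0.113.5 - - [10/Jan/2018:09:15:03 +0000] "GET /about/ HTTP/1.1" 200 3310 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0"
198.51.100.7 - - [10/Jan/2018:09:16:10 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
198.51.100.7 - - [10/Jan/2018:09:16:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.7 - - [10/Jan/2018:09:16:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000912)"
192.0.2.9 - - [10/Jan/2018:11:02:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"
192.0.2.9 - - [10/Jan/2018:11:02:40 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"
192.0.2.9 - - [10/Jan/2018:11:02:41 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"
192.0.2.9 - - [10/Jan/2018:11:02:41 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"
192.0.2.9 - - [10/Jan/2018:11:02:42 +0000] "GET /cgi-bin/php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"
192.0.2.9 - - [10/Jan/2018:11:02:42 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"
192.0.2.9 - - [10/Jan/2018:11:02:43 +0000] "GET /readme.html HTTP/1.1" 200 7278 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_scanners(log_text, notfound_threshold=5):
    """Aggregate per source IP and return {ip: sorted list of reasons} for suspicious sources."""
    per_ip = defaultdict(lambda: {"404": 0, "probes": 0, "ua_hits": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        ua = rec["ua"].lower()
        for marker in SCANNER_UA_MARKERS:
            if marker in ua:
                stats["ua_hits"].add(marker)
        if rec["status"] == "404":
            stats["404"] += 1
        if any(rec["path"].startswith(p) for p in PROBE_PATHS):
            stats["probes"] += 1

    alerts = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["ua_hits"]:
            reasons.append("scanner-ua:" + ",".join(sorted(s["ua_hits"])))
        if s["404"] >= notfound_threshold:
            reasons.append("404-burst")
        if s["probes"]:
            reasons.append("probe-paths")
        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {', '.join(reasons)}")
```

Running it flags 198.51.100.7 (Nikto User-Agent plus probe paths) and 192.0.2.9 (six 404s and three probe paths despite a browser User-Agent), while the ordinary visitor is left alone. The thresholds are deliberately simple; on a real site you would tune the 404 threshold per time window and feed the alerts into whatever the SOC actually watches, which is the control the ICO found missing.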
- Carphone Warehouse cops £400k fine after hack exposed 3 meeellion folks’ data | The Register
- Britain fines Carphone Warehouse 400,000 pounds over data breach | Reuters
Data protection bill amended to protect security researchers
The UK government has revealed amendments to its Data Protection Bill to decriminalise research into whether anonymised data sets are in fact sufficiently anonymous.
This is very good news for researchers who may have been worried they could be prosecuted for demonstrating weaknesses in anonymisation.
- UK gov updates Data Protection bill to protect security researchers | The Inquirer
- UK Data Protection Bill tweaked to protect security researchers | The Register
- Data protection bill amended to protect security researchers | The Guardian
- Data Protection Bill | Parliament UK (pdf)
Toy firm VTech fined over data breach
VTech, the ‘smart’ toy manufacturer, has been fined $650,000 by the FTC after exposing the data of millions of parents and children.
Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website insecure, but the data was not encrypted in transit or at rest.
Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.
- FTC fines VTech toy firm over data breach | SC Magazine
- FTC Fines IoT Toy Vendor VTech for Privacy Breach | eWeek
- After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC | Techcrunch
Who’s that in your WhatsApp?
End-to-end encryption for every conversation? Well, that was the promise when it was rolled out about two years ago. And while it may be true for one-to-one conversations, group chats are a bit more tricky. Basically, anyone who controls the WhatsApp server can spoof an invitation to get themselves added to a group chat, because the group-management messages are not authenticated end-to-end (only the message content is), and will then see all the conversation from that point onwards.
It’s not quite a stealth attack, as everyone in the group would see the standard notification that a new member has joined.
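To show why a server-controlled invitation is enough, and what authenticating group-management messages buys you, here is an added toy model (mine, not WhatsApp’s protocol or code). The relay server pushes an “add member” update; in the weak model clients simply trust it, in the hardened model they only accept an update carrying an admin’s signature, which the server cannot produce. An HMAC under a key the server never holds stands in for a public-key signature with the admin’s identity key; names, counters and message layout are invented.

```python
"""Toy model of group-chat membership: server-trusted membership updates (the weakness
described above) versus updates that must carry an admin's signature.

Added illustration by the editor; this is not WhatsApp's protocol or code. The HMAC over the
control message stands in for a public-key signature made with the admin's identity key (so only
the admin, never the relay server, can produce it). Names and message layout are invented.
"""
import hashlib
import hmac
import json

# Stand-in for the admin's signing key. The relay server never holds it.
ADMIN_KEY = b"alice-admin-identity-key"


def _mac(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def control_message(group_id, action, member, counter, signing_key=None):
    """Group-management message as relayed by the server ("add"/"remove" a member).
    Signed only when the sender holds a signing key; a forging server has none."""
    body = {"group": group_id, "action": action, "member": member, "counter": counter}
    msg = {"body": body}
    if signing_key is not None:
        msg["sig"] = _mac(signing_key, body)
    return msg


class Client:
    """A group member. Its local membership view decides who it encrypts outgoing messages to
    (modelled here as delivering plaintext only to the names in that view)."""

    def __init__(self, name, group_id, members, verify_key=None):
        self.name = name
        self.group_id = group_id
        self.members = set(members)
        self.verify_key = verify_key      # None => trust whatever the server says (weak model)
        self.last_counter = 0
        self.inbox = []

    def handle_control(self, msg):
        """Apply a membership update. Returns True if accepted. The UI shows the usual
        'X joined' notice whenever an add is accepted, which is why the attack is not silent."""
        body = msg["body"]
        if body["group"] != self.group_id:
            return False
        if self.verify_key is not None:
            if not hmac.compare_digest(_mac(self.verify_key, body), msg.get("sig", "")):
                return False                      # unsigned or forged: reject
            if body["counter"] <= self.last_counter:
                return False                      # replayed old update: reject
            self.last_counter = body["counter"]
        if body["action"] == "add":
            self.members.add(body["member"])
        elif body["action"] == "remove":
            self.members.discard(body["member"])
        return True

    def send(self, text, clients):
        """Send to every member in the local view (plaintext delivery stands in for encryption
        to each member's keys; whoever is in the view gets the content)."""
        for m in self.members:
            if m != self.name and m in clients:
                clients[m].inbox.append((self.name, text))


def run_scenario(require_signed_updates, server_forges):
    """Return whether the 'add eve' update was accepted and whether eve then read alice's message."""
    verify_key = ADMIN_KEY if require_signed_updates else None
    members = ["alice", "bob"]
    clients = {n: Client(n, "g1", members, verify_key) for n in members}
    clients["eve"] = Client("eve", "g1", [], verify_key)

    if server_forges:
        # Malicious or compromised server injects the update itself: no admin key, so no valid signature.
        update = control_message("g1", "add", "eve", counter=1)
    else:
        # Legitimate path: admin alice signs the update and the server merely relays it.
        update = control_message("g1", "add", "eve", counter=1, signing_key=ADMIN_KEY)

    results = [clients[n].handle_control(update) for n in members]   # every client sees the relay
    clients["alice"].send("Q3 plans, members only", clients)
    return {"accepted": all(results), "eve_sees": bool(clients["eve"].inbox)}


if __name__ == "__main__":
    print("trust server, forged add  :", run_scenario(False, True))   # eve gets in
    print("signed updates, forged add:", run_scenario(True, True))    # rejected
    print("signed updates, admin add :", run_scenario(True, False))   # legitimate add still works
```

In the weak model the forged add is accepted and eve receives everything alice sends from then on; with signed updates the same forged message is dropped (and a replayed old update is dropped too), while a genuine admin-signed add still works. Note that even in the weak model the existing members’ views change, which is the “new member has joined” notification the article mentions.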
Facebook (which owns WhatsApp) CSO Alex Stamos said on Twitter in relation to the news:
- Whatsapp security flaws could allow snoops to slide into group chats | Wired
- WhatsApp, Signal group chats not as secure as users might believe | HelpNetSecurity
Twitter promoting a phishing tweet
Making money is important for all businesses, and Twitter is no different. Plus, we’re fed a diet of ‘agile’ and rapid customer acquisition, so it appears as if Twitter takes the money and promotes the tweet first, and asks questions a lot later.
The tweet, which is being promoted on users' Twitter feeds, claims to offer users "verified" blue checkmarks, which some see as a sign of status on the site.
Users who click the link are directed to a site posing as Twitter, but with a different domain name. The colours and font are the same as Twitter’s, and the language on the site is worded as though it is an official part of Twitter’s platform.
- Twitter allows apparent phishing scam to buy promoted tweet | The Hill
- Twitter Promoted a Tweet That Steals Your Credit-Card Details | The Daily Beast
A North Korean Monero Cryptocurrency Miner
My colleague Chris Doman has penned a blog post on how the AlienVault Labs team analysed an application compiled on Christmas Eve 2017: an installer for software that mines the Monero cryptocurrency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. His research includes lots of juicy details and has piqued the interest of media outlets around the world.
- A North Korean Monero Cryptocurrency Miner | Chris Doman, AlienVault Blog
- Hackers have found a way to mine cryptocurrency and send it to North Korea | CNBC
- North Korean Monero miner: educational tool or weapon prototype? | SC Magazine
The stress of working from home
I work from home, and have been doing so for a number of years – so I found myself nodding in agreement all the way through reading this article which sums up some of the common stresses of working from home.
“Working at home can mean a lot of loneliness. I do enjoy being alone quite a lot, but even for me, after two weeks of only seeing colleagues through my screen, and then my family at night, I end up feeling quite sad. I miss feeling integrated in a community of pairs.”
- The stress of remote working | Martin De Wulf, Medium