Weekly Threat Report - 25th May 2018
Reports are drawn from recent open source reporting; see the latest report here.
GDPR and what it means for cyber security
The General Data Protection Regulation (GDPR) comes into force today, 25th May, setting clear instructions about the appropriate technical and organisational measures that must be in place to securely process personal data.
While there has been a lot of messaging around GDPR, what you may not know is that the NCSC has been working closely with the Information Commissioner’s Office (ICO) to develop a set of security outcomes. The guidance provides an overview of what GDPR says about security and describes a set of related outcomes which all organisations that process personal data should seek to achieve.
Some overarching information around GDPR has been produced by the NCSC which serves as a good starting point before tackling GDPR security outcomes. The ICO, which is the UK’s supervisory authority for GDPR, has also published plenty of useful guidance on its own website too.
The NCSC’s Principal Technical Director for Risk Management Capability, Ian M, has also blogged about GDPR which may be a good starting point for those looking for more information about the impact upon cyber security.
Children’s details leaked in monitoring app breach
Media reports detail another serious Amazon S3 bucket cloud storage breach. According to ZDNet, a UK-based security researcher found two open servers belonging to TeenSafe, a mobile app for iOS and Android that allows parents to monitor the texts, calls, locations and social media exchanges of their children. The servers were reportedly left unsecured and accessible to anyone without a password. This breach exposed at least 10,200 records covering the preceding three months, including children’s Apple IDs and plaintext passwords, children’s device names and each device’s unique identifier.
This latest incident is yet another instance of an Amazon S3 bucket cloud storage breach. This breach is particularly serious, due to the potential for online predators to access the personal details of minors. It may also leave the affected children (and their parents) more vulnerable to identity theft in the future.
When an Amazon cloud server is purchased, it is set to private by default, and security would need to be manually turned off for the public to access it. There are at least two layers of security that should have been implemented. Firstly, the encryption was turned off on the server, allowing anyone access; secondly, the stored data at rest was not encrypted, allowing anyone to read any files stored on the server.
If you are using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
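The two layers described above (public access and encryption at rest) can be checked from the bucket's own configuration. The following is an added example, not NCSC or AWS code; it assumes the input dicts have the shape of the S3 GetBucketAcl, GetBucketPolicy and GetBucketEncryption responses, and the bucket names and policy are constructed for illustration.

```python
import json

# Real AWS group URIs; a grant to either makes the bucket readable by the world.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Permissions a GetBucketAcl-style dict grants to everyone."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_policy_sids(policy_json):
    """Sids of unconditional Allow statements whose principal is anyone."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for s in stmts:
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and anyone and "Condition" not in s:
            out.append(s.get("Sid", "<no Sid>"))
    return out

def has_default_encryption(enc):
    """True if a GetBucketEncryption-style dict applies SSE to new objects."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in r for r in rules)

def audit_bucket(name, acl, policy_json, enc):
    """Findings for the two layers the report names: public access and at-rest encryption."""
    findings = [f"{name}: ACL grants {p} to everyone" for p in public_acl_grants(acl)]
    findings += [f"{name}: policy {sid} allows anonymous access" for sid in public_policy_sids(policy_json)]
    if not has_default_encryption(enc):
        findings.append(f"{name}: no default encryption at rest")
    return findings

# Constructed sample inputs (not real buckets): one left open, one hardened.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI":
            "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open/*"}]})
SAFE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
SAFE_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    print(audit_bucket("example-open", OPEN_ACL, OPEN_POLICY, None))
    print(audit_bucket("example-safe", SAFE_ACL, None, SAFE_ENC))
```

In a live environment the three dicts would come from the corresponding S3 API calls; a bucket with no encryption configuration returns an error from GetBucketEncryption, which maps to passing None here.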
‘Sharenting’: increasing the risk of identity fraud?
Research by Barclays Bank has indicated that the sharing of family life on social media by parents, known as ‘sharenting’, could leave their children exposed to online identity fraud when they grow up.
For example, a photo celebrating a child’s birthday reveals a date of birth; a reference to their first pet could be used as an answer to a bank security question; or the child’s favourite football team may also be a useful clue to a password. If this information is obtained by fraudsters it gives them a head-start in breaking into their future online lives. Also given that many adults use this kind of information when choosing passwords, this can also expose the parent to online fraud.
It is advisable for users to check the privacy settings on social media accounts.
The NCSC has also provided guidance on choosing good passwords, and CPNI has produced some useful material on minimising your digital footprint.
For those building services, it is advisable not to use easily discoverable information for password resets.
Up to 800,000 DrayTek routers at risk due to zero-day exploit
Network equipment vendor DrayTek has said several of its wireless routers (details here) are vulnerable to a suspected ‘zero-day’ exploit allowing hackers to remotely change the device's settings. This could allow attackers to re-direct traffic or conduct man-in-the-middle attacks in order to steal information and credentials from users.
Researchers suggest up to 800,000 routers are at risk. Reports from victim IT departments suggest the exploit is bypassing password-based security and even access control lists (which restrict connections to trusted devices only). UK-based technical online forums indicate there are multiple UK victims. DrayTek has issued a security advisory, encouraging users to manually update firmware.
Users should also ensure regular patching is undertaken across all device types. Where possible, users should set devices to automatically apply all security updates as they become available. The NCSC's approach to patch management can be found here.