Weekly Threat Report - 7th September 2018
British Airways data breach
British Airways (BA) have reported that it suffered a data breach that compromised names, email addresses and credit card information. BA suspect the breach was a result of criminal activity, and have notified the police and relevant authorities.
The NCSC is working with partners to better understand this incident and how it has affected customers, and have published a statement. It has been reported that up to 380,000 customers could have been affected. The incident is thought to have affected some customers who made bookings on the BA website or app between August 21 and September 5, 2018. BA have reported that the compromised data includes names, email addresses and credit card information. You can read BA’s latest information here.
The NCSC has published guidance for customers who think they may have been affected, and anybody who receives suspicious phone calls, emails or text messages should report them to Action Fraud.
Mobile spyware hacks and breaches
Media sources have reported multiple hacks and a data breach affecting businesses that offer mobile spyware as a service. In the last week TheTruthSpy, Family Orbit and mSpy have all been compromised. The NCSC previously reported on a similar data breach of the TeenSafe app back in May.
Mobile spyware is software that is used to monitor mobile phone use, activity and the location of individuals. It is often used by parents to check on their children; it has also been used by individuals wanting to spy on their current, or former partners and spouses.
The information exposed consisted of account information from those using and paying for the service, as well as the information collected from those individuals being monitored. Mobile spyware apps generally collect similar types of data from the subjects they monitor, often consisting of: call logs, SMS, messages sent by third party apps and services, real time location details and history, photographs stored on the mobile device and audio call recordings. This means a significant amount of personal and sensitive data has been exposed, and could potentially be used for blackmail or criminal activity.
Users of these compromised mobile spyware services should also remain vigilant for any strange activity on bank accounts or credit cards and take measures to protect the users of the devices they may have installed the software on. If you have used the same password for any other accounts, you should change this immediately. Often attackers know that many individuals re-use passwords and so will try to use stolen credentials on multiple sites hoping it will work.
To ensure that no one can access your mobile device without your permission, you should make use of your device’s security features such as pin protection, passwords or a biometric lock. The NCSC has published guidance on keeping mobile devices safe.
Domain abandonment and hijacking
Gabor Szathmari, an independent Australian cyber security researcher has published a blog highlighting the dangers of allowing corporate domain names to expire. Known as domain name abandonment, companies that have merged, been acquired, changed name or gone out of business will often abandon their domain name which is then available for anyone to re-register from domain registrars. Domain name abandonment allows threat actors to gain access to, or reset passwords for online services and profession-specific portals.
In his blog, the researcher purchased six domain names formerly belonging to several Australian law firms. Once the domains were re-registered, all email accounts linked to the domain were configured to forward email to one account controlled by the researcher. The new domain owner then simply sat back and watched emails arrive (25,000 in total).
The researcher used an online service to search for expired domain names linked to Australian law firms (a similar search for expired .co.uk domains containing the word “solicitors” revealed over 4,000 recently expired domains).
The researcher revealed several redacted screenshots of emails showing an abundance of personal details, such as bank statements, supplier invoices, court proceeding transcripts, divorce settlement negotiations and mobile phone billing information. All obtained from simple passive monitoring over three months.
In addition to this, he researched email addresses previously associated with the domains using data breach notification websites. The researcher was then able to identify multiple email addresses belonging to legal professionals and staff and was able to use the domain to register on the breach site to reveal leaked passwords previously associated with the email addresses. He was then able to prove that “legal professionals are guilty of using weak passwords on online services and tend to reuse them across multiple websites”.
Using just valid emails found on the data breach sites, the researcher was able to prove that he could have performed password resets on social network sites, LinkedIn, Facebook and Twitter. He could also have reset the password on file storage site Dropbox. The researcher was able to log into profession-specific web portals – The Australian Commonwealth Courts as well as State, District and Local courts. Finally, the researcher was able to log into the LEAP Practice Management Platform which is commonly used software (in the UK and Australia) for managing legal practices including client files, legal documents, trust accounting and billing. Had he wished, the researcher could have also reset passwords on Paypal and Google. He also attempted to reset passwords on Office 365 but was defeated due to two-factor authentication.
Domain abandonment does not just affect data security: In October 2017, IBM broke its cloud global load balancer and reverse DNS service for 21 hours when it allowed three of its domains to expire.
Domain name abandonment/hijacking is not a well-known security risk to cyber security professionals. Many businesses leave themselves exposed to cyber attacks by allowing their former domain names to expire.
Organisations can protect themselves against domain hijacking in several ways, including:
Setting the domain (and previous domains) to auto-renew each year indefinitely
Locking the domain using a web service to guard against unauthorised domain transfers
Ensuring all domain name contacts have valid contact information
Close, change or remove user accounts that were registered with the business email address (e.g. Dropbox, PayPal, LinkedIn, Facebook)
Enable two-factor authentication (2FA or MFA) where the feature is supported for online services
Use unique and complex passwords
The NCSC has published guidance on multi-factor authentication for organisations.
Printers need to be secured
A recent survey of 200 enterprises with over 1,000 employees in the UK, France, Germany and the US by business and IT analyst firm Quocirca revealed that 61% admitted suffering at least one data breach through insecure printers.i Modern multi-function printers come with a host of features to print, copy, fax, scan and e-mail documents, making them, in effect, computers themselves and therefore potentially vulnerable to cyber attack.
Multi-function printers are vulnerable to four main security weaknesses: printed documents left unclaimed in print trays, images stored on local printer hard drives, unauthorised access to the printer and several network vulnerabilities such as those using the fax functionality. Examples of cyber attacks have included: disabling printers for ransom, accessing insecure printers
for vandalismii and pausing print queues while data is extracted.iii Open network ports leave the printer vulnerable to unauthorised remote access which in turn could lead to data theft or their use in denial of service attacks.
Improperly decommissioned printers have the potential to be exploited for business records still in the printer’s memory.iv
Recent research also identified 3,800 3D printers that were left exposed online without a security password, leaving them vulnerable to interference. Users had failed to set up this fundamental security precaution through convenience or ignorance meaning hackers could either steal the 3D model plans or alter key parts of the plan to make the printer produce defective items.v
The vulnerabilities outlined above show that cyber security for printers should receive as much attention from organisations as other parts of their IT estate when establishing security controls.
The NCSC have previously issued guidance on managing network devices.