This Week In Security - 01/06/2020
UK Government Data Breach Exposes New Year’s Honors List
The Cabinet Office in the UK suffered significant public embarrassment over the Christmas period after the full list of this year’s New Year honors recipients was leaked. The data breach not only revealed the names of all the recipients but also their personal addresses and other sensitive information. The incident was reported to the Information Commissioner’s Office, which recently fined British Airways and Marriott International, Inc. millions of pounds for failing to securely manage customer data and prevent data breaches.
The 2020 New Year’s Honors list includes musicians like Elton John, sportsmen including the inspirational English cricketer Ben Stokes, and a host of other celebrities and politicians. The leaked list was published online at 10.30 pm on Friday 27th December but was quickly removed and disappeared in the early hours of Saturday morning. A data rights lawyer, Ravi Naik, believes the leak could be catastrophic, saying, “It is hard to put the information genie back in the bottle once it’s out. This quite sensitive information will spread like a virus…”.
A data breach of this magnitude not only calls into question the Cabinet Office’s security procedures for handling personal data, but could also be a breach of the GDPR legislation.
Climate Activist Used to Lure Malware Victims
Greta Thunberg may be a controversial figure in some people’s minds, but cybercriminals were only too keen to use her worldwide following to spread a little malware this festive season. An email appearing to be an appeal for support for Greta Thunberg’s ongoing climate change activism urged recipients to sign up for one of the scheduled demonstrations. Unfortunately, to find out more, the recipient had to open an attached Word document or follow a link to a similar document online. Both of these were infected with malware known as Emotet. Although Emotet started as a simple banking Trojan, it’s evolved into a monstrous malware beast with inbuilt modularity and the ability to disseminate malware by applying worm-like capabilities. Experts say that Emotet is “Among the most costly and destructive malware”.
Upon opening the document, recipients were instructed to “enable content” – a step that is unnecessary for reading a Word file and that instead activated the macro code within the document, which then went off to retrieve malware which, in most reported instances, was Emotet. Experts are reiterating old cybersecurity best practices to prevent Emotet from spreading, reminding people not to open attachments they weren’t expecting and to retain their default security settings at all times.
Microsoft Kicks North Korean Hackers Where it Hurts
Two days ago, Microsoft won a court order allowing it to shut down 50 domains believed to be utilized by the North Korean hacking group, Thallium. Using a form of targeted email scamming known as spear phishing, Thallium has been hacking both individuals and organizations involved in nuclear proliferation and human rights. Although most of Thallium’s targets have been US-based, some have also been in South Korea and Japan. Not only does Thallium break into an individual’s personal information and emails, but it can also infect a machine with malicious software that will direct all that user’s emails to the hackers themselves. While this isn’t the first time Microsoft has turned to the long arm of the law to combat cybercrime, it is one of the most wide-ranging counterattacks to date.
In July 2018, Microsoft took control of six domains used by the infamous Russian-based cybercrime syndicate, FancyBear, while earlier this year, Microsoft secured a court order against the Iranian hacking group, Phosphorus, permitting it to seize control of 99 websites used by the group to conduct its hacking operations. While Microsoft continues to up its game when it comes to cybersecurity, it also urged users to protect themselves by enabling two-factor authentication and educating themselves about phishing attacks.
ToTok Founder Hits Back at Spy Tool Accusations
Shortly before Christmas, The New York Times denounced the United Arab Emirates-based chat service, ToTok, calling it a spy tool “used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones”. As the New Year dawned, however, ToTok co-founder, Giacomo Ziani, hit back, denying the accusations and saying, “We are not linked to any government, not the UAE, the U.S., or China”.
Rather than installing back doors or malware, ToTok uses a simple yet effective approach – it gets the user to permit the app to access their data. According to a security researcher, Patrick Wardle, “You don’t need to hack people to spy on them if you can get people to willingly download this app”. As with other similar apps, ToTok asks users for permissions, like location so it can send you the latest weather forecast, or your contact list so it can help you connect with friends. Sharing such information is always risky and, if The New York Times is to be believed, even more so for ToTok users.
2020 will no doubt see the truth revealed but, in the meantime, it’s advisable to steer clear of what could be a weapon of mass surveillance.