Things I hearted this week: 12th Jan 2018

January 12, 2018 | Javvad Malik
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Carphone Warehouse Fined £400,000

The Information Commissioner’s Office (ICO) has fined Carphone Warehouse an eye-watering £400,00 for what it referred to as distinct and significant inadequacies in the phone company’s security controls.

The full report by the ICO (PDF) is worth reading. It goes into a lot of detail around the vulnerabilities such as the attacker scanning using Nikto, and gaining access to a woefully out-of-date WordPress installation that was running its CMS. It also covers how credentials were stored in plaintext and how the attacker was able to access large amounts of personal data.

There are many more details in the report, that I highly encourage you to read, but essentially it boils down to an absence of fundamental security controls, no assurance to verify systems were secured, and a lack of monitoring or detection controls in place.

Data protection bill amended to protect security researchers

The UK has revealed amendments to its data protection bill to de-criminalise research into whether anonymised data sets are sufficiently anonymous.

This is very good news for researchers who may have been worried they could be prosecuted for demonstrating weaknesses in anonymization.

Toy firm VTech fined over data breach

VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children.

Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest.

Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.

Who’s that in your WhatsApp?

End-to-end encryption for every encryption? Well, that was the promise as it was rolled out about two years ago. And while it may be true for 1-1 conversations, group chats are a bit more tricky. Basically, anyone can spoof an invitation (if they have control of a server) to get themselves added to a group chat, thus seeing all the conversations from that point onwards.

It’s not quite a stealth attack, as everyone in the group would see the standard notification that a new member has joined.

Facebook (which owns WhatsApp) CSO Alex Stamos said on twitter in relation to the news:

Twitter promoting a phishing tweet

Making money is important for all businesses, and Twitter is no different. Plus we’re fed a diet of ‘agile’ and rapid customer acquisition, so it appears as if Twitter takes money and promotes tweets first and asks questions a lot later.

The tweet, which is being promoted on users' Twitter feeds, claims to offer users "verified" blue checkmarks, which some see as a sign of status on the site.

Users who click the link are directed to a site posing as Twitter, but with a different domain name. The colours and font are the same as Twitter’s, and the language on the site is worded as though it is an official part of Twitter’s platform.

A North Korean Monero Cryptocurrency Miner

My colleague Chris Doman has penned a blog on how the AlienVault labs team analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. His research includes lots of juicy details and info which has piqued the interest of media outlets around the world.

The stress of working from home

I work from home, and have been doing so for a number of years – so I found myself nodding in agreement all the way through reading this article which sums up some of the common stresses of working from home.

“Working at home can mean a lot of loneliness. I do enjoy being alone quite a lot, but even for me, after two weeks of only seeing colleagues through my screen, and then my family at night, I end up feeling quite sad. I miss feeling integrated in a community of pairs.”

Javvad Malik

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
Read more posts from Javvad Malik ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL CHAT