Cyber Security Training from QA

Cyber Pulse: Edition 19

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


15 June 2018

Dixons Carphone reveals major data breach

Dixons Carphone has revealed that it suffered a huge data breach in which 5.9m payment cards and 1.2m personal data records were obtained by hackers. The company is currently investigating the breach, which occurred in July of last year, but as of now there is no evidence that any of the cards involved in the breach have been used fraudulently. According to Dixons Carphone, hackers made “an attempt to compromise” 5.8m credit and debit cards, though only 105,000 cards without chip-and-pin protection were leaked. The hackers responsible for the breach tried to gain access to one of the processing systems used by Currys PC World and Dixons Travel stores. The National Cyber Security Centre noted that it is working with Dixons Carphone and other agencies to better understand how this data breach has affected customers in the UK. This breach stands out because usually just names, email addresses and login credentials are leaked but this time customer payment details were also obtained by hackers. Fortunately though, chip and pin protection has prevented the hackers behind the breach from using the leaked cards fraudulently.

Huge Cortana exploit allowed an attacker to bypass Windows 10’s lock screen

Windows 10 users will likely be concerned to hear that Cortana had major vulnerabilities, which allowed a malicious party to potentially bypass the lock screen – or easily view sensitive information from it – although the good news is that Microsoft has just patched these issues. McAfee uncovered and documented the security flaws in a lengthy blog post, with one simple issue being the fact that you could trigger the voice assistant from the lock screen (assuming Cortana is enabled in this respect, on default settings), and bring up a contextual Windows 10 menu simply by typing while Cortana is listening to a query. And the details of files – and possibly file contents – revealed in that contextual menu could potentially leak sensitive information from the locked laptop. Beyond that, the security firm found that it was possible to exploit Cortana in order to execute code on the PC from the lock screen, allowing an attacker to trigger a backdoor dropped from, say, a previously successful phishing email attack.

Android Malware Found Mining Cryptocurrency on Amazon Fire TVs

Amazon’s Fire TV devices are a popular way to watch streaming content on a TV because they support plenty of services and come with a low price tag. However, a new spate of malware infections has the potential to interrupt your viewing as the device secretly mines cryptocurrency in the background. Amazon’s Fire TV boxes and sticks all run Android, but it’s not the version of Android that Google certifies for smartphones, tablets, and Android TV devices. This is Amazon’s modified version of Android known as FireOS. It’s the same base used on the Fire tablets, but with a “lean back” UI that’s comfortable to use from across the room. However, that store doesn’t have as much content. That has apparently led users to look for alternative apps to sideload manually on their streaming boxes. Unfortunately, some of those supposed streaming apps are in reality malware called ADB.Miner. ADB.Miner is a worm, meaning it can spread to multiple devices across a network. If ADB debugging is enabled on the Fire TV stick, the worm can set up shop there even if it was installed someplace else. Leaving the “unknown sources” toggle for sideloading apps activated could also leave you vulnerable. These are both off by default, so someone would have to make changes in the settings to give the worm access.

AI startup Clarifai hacked by Russian operatives during Pentagon Maven project, lawsuit claims

Artificial intelligence startup Clarifai failed to report that it had been hacked by Russian operatives while it was working on the Defense Department's Maven project, according to a lawsuit filed by former Clarifai employee and Air Force Capt. Clarifai had reportedly snagged the six-month, $7 million Maven contract from the Pentagon to analyze drone footage, along with Google, which was working under a separate contract. Wired obtained an incident report saying the company's code and customer data could have fallen prey to malware from Russia in November 2017. “The Clarifai breach demonstrates an issue that has become a problem for large enterprises managing third-party risk. When a company has thousands of third parties in their digital ecosystem, there will invariably be differences in the level of risk each of those third parties introduce,” said Fred Kneip, CEO at CyberGRX. “That's why assessments that measure the maturity of security controls and procedures, which cast light on how a third party will manage a breach, are so important. Organizations need to understand not only which third parties are most likely to be breached, but which have the processes in place to handle a breach effectively.”

Macs at risk from 'super dangerous' Java zero-day

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today. The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers. David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion. "This exploit works on OS X if you are running the 1.7 JRE (Java Runtime Environment)", said Maynor in an update to an earlier blog post. Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion. Although the exploits now circulating in the wild have been aimed only at Windows users, it's possible that Macs could also be targeted.

HealthEquity breach exposes PII of 23,000 customers

About 23,000 health savings accounts have been compromised by a data breach that took place at HealthEquity when an employee fell for a phishing scam. The incident took place on April 11 and was first noticed by the company two days later, healthdatamanagement.com reported; it stems from a single staffer's email account being compromised by a malicious actor. That email account has been eliminated and a forensic investigation is now underway. Health Data Management is stating no other HealthEquity systems were affected. "HealthEquity is committed to protecting the privacy of our employers and members, and we sincerely regret this recent event. In response to this incident, we have implemented enhanced security measures, heightened monitoring of impacted accounts and provided additional training for our team members. While we have no evidence to indicate actual or attempted misuse of information, we are offering free identity theft and credit monitoring services to impacted individuals," Joel Johnson, HealthEquity's senior VP of Audit and risk management, told SC Media.

Yahoo fined £250,000 over cyber-attack

Yahoo's UK arm has been fined £250,000 ($335,000) by the UK Information Commissioner's Office (ICO) over a data breach affecting more than 500 million users which took place in 2014. The incident was reported two years later. The firm said "state-sponsored" hackers had stolen personal information, which included names, emails, unencrypted security questions and answers. The ICO said Yahoo had failed to take appropriate measures to protect it. Yahoo said it did not comment on regulatory action. Around eight million of the affected accounts were believed to belong to people in the UK. The ICO's investigation also found the firm failed to ensure that its Yahoo-owned data processor "complied with the appropriate data protection standards". It did not ensure that the credentials of employees with access to customer data were monitored.

 

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

 


Edited and compiled by

 

James Aguilan


Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has served as a Cybersecurity Consultant, where he would respond to incidents and perform full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.