Cyber Security Roundup for January 2020

A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, December 2019.

Happy New Year!  The final month of the decade was a pretty quiet one as major security news and data breaches go, given cybers attack have become the norm in the past decade. The biggest UK media security story was saved for the very end of 2019, with the freshly elected UK government apologising after it had accidentally published online the addresses of the 1,097 New Year Honour recipients.  Among the addresses posted were those of Sir Elton John, cricketer and BBC ‘Sports Personality of the Year’ Ben Stokes, former Conservative Party leader Iain Duncan Smith, ‘Great British Bakeoff Winner’ Nadiya Hussain, and former Ofcom boss Sharon White. The Cabinet Office said it was “looking into how this happened“, probably come down to a ‘user error’ in my view.

An investigation by The Times found Hedge funds had been eavesdropping on the Bank of England’s press conferences before their official broadcast after its internal systems were compromised. Hedge funds were said to have gained a significant advantage over rivals by purchasing access to an audio feed of Bank of England news conferences. The Bank said it was “wholly unacceptable” and it was investigating further. The Times claimed those paying for the audio feed, via the third party, would receive details of the Bank’s news conferences up to eight seconds before those using the television feed – potentially making them money. It is alleged the supplier charged each client a subscription fee and up to £5,000 per use. The system, which had been misused by the supplier since earlier this year, was installed in case the Bloomberg-managed television feed failed.
A video showing a hacker talking to a young girl in her bedroom via her family’s Ring camera was shared on social media. The hacker tells the young girl: “It’s Santa. It’s your best friend.” The Motherboard website reported hackers were offering software making it easier to break into such devices. Ring owner Amazon said the incident was not related to a security breach, but compromised was due to password stuffing, stating “Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services.”

Ransomware continues to plague multiple industries and it has throughout 2019, even security companies aren’t immune, with Spanish security company Prosegur reported to have been taken down by the Ryuk ransomware.

Finally, a Microsoft Security Intelligence Report concluded what all security professionals know well, is that implementing Multi-Factor Authenication (MFA) would have thwarted the vast majority of identity attacks. The Microsoft study found reusing passwords across multiple account-based services is still common, of nearly 30 million users and their passwords, password reuse and modifications were common for 52% of users. The same study also found that 30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses. This behaviour puts users at risk of being victims of a breach replay attack. Once a threat actor gets hold of spilled credentials or credentials in the wild, they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.
BLOG

NEWS 

VULNERABILITIES AND SECURITY UPDATES

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

*** This is a Security Bloggers Network syndicated blog from IT Security Expert Blog authored by SecurityExpert. Read the original post at: http://feedproxy.google.com/~r/securityexpert/~3/IoV2H0URxYs/cyber-security-roundup-for-january-2020.html