Camelot’s National Lottery accounts are hacked

It could be you- as tens of thousands of online lottery Camelot players’ accounts are hacked.

It could be you- as tens of thousands of online lottery Camelot players' accounts are hacked.National Lottery operator Camelot says the login details of thousands of people who do the lottery online have been stolen.

There are 9.5 million national lottery players registered online, but Camelot said only around 26,500 accounts were accessed. It added that fewer than 50 accounts have had suspicious activity, such as personal details being changed, since the breach.

The company said it unearthed “suspicious activity on a very small proportion of our players’ online National Lottery Accounts” during its online security monitoring on 28 November 2016.

It added that there has been no unauthorised access to core systems. “In addition, no money has been deposited or withdrawn from affected player accounts,” said Camelot.

“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”

The company said it is now trying to find out what happened, but it believes that “the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details”.

The affected accounts have been suspended and Camelot will contact the account holders to re-activate them. Camelot added that it is working with the National Cyber Security Centre on the incident.

Are you an online lottery player?

If so, just crossing your fingers is not enough. To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites.

Why are businesses ignoring cybercrime and cyber risks?

How can cyber security professionals help businesses to understand the cyber risks?

How can cyber security professionals help businesses to understand the cyber risks?

Business owners don’t like spending money on anything that doesn’t make them more money. Even insurance is a grudge purchase. I’m never fond of paying a high premium, but if there’s a risk that I could lose my livelihood and house if I fail to get the right insurance cover, then I accept that.

Mitigating cyber risk is exactly the same. If companies don’t do it, then they could go out of business.

But there’s definitely over-confidence in the space, and I often hear “well, it will never happen to us, we’ve just installed anti-virus on all of our laptops”.

So exactly how do you give the business that niggling feeling that encourages them to mitigate security risks? The reactive approach definitely isn’t the right way, demanding cash after something has happened to plug a hole.

The sales led approach isn’t the right way, where security suppliers force silver bullets down your throat and you end up buying something to help them meet their sales targets, regardless of how nice it makes your treasured server rack look.

It’s about taking a proactive stance, and dealing with cyber security before something happens; and being prepared to tell security suppliers where to stick their hardware if it doesn’t fit into your security programme.

I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme that fits the business. Fortunately, creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business.

But that still doesn’t mean the business will buy in. We’re missing that niggling feeling. Much as I dislike scare tactics, now would probably be a good time to think about them, with a short, sharp exercise that demonstrates to the business exactly what could go wrong in their cyber world.

Simulate a phishing email. It’s easy enough. Put an EICAR (European expert group for IT-security) malware test file on your CEO’s laptop. Take your CFO’s laptop away for an hour and simulate critical hardware theft. Leave a suspicious package in the mail room. Simulate a web server hack.

These exercises would take less than an hour of the board’s time and, while they won’t get the cheque book out, they will raise awareness over time. Throw in a few fire drills to keep their minds off cyber for a bit. Simulate a flood. The point being, over time, your business can become cyber-aware; and ultimately this loosens the purse strings and gets you that next hire and support for implementing change.

UK organisations are still not taking ransomware seriously enough

UK organisations are still not taking ransomware seriously enough, and continue to fall prey to this method of low cost, low risk cyber extortion.

UK organisations are still not taking ransomware seriously enough

Businesses still get caught by ransomware, even though straightforward avoidance methods exist.The CryptoLocker ransomware caught many enterprises off guard, but there is a defence strategy that works.

Another factor promoting the popularity of ransomware among attackers, is that unlike many other forms of malware, ransomware does not require any special user rights.

“If your system gets infected by a keylogger, it has to escalate privileges to become an administrator on the system so it can survive a reboot, but all ransomware needs is access to the files the infected user can access,” said chief research officer at F-Secure Mikko Hypponen.

“This makes them a unique problem because you can’t fight ransomware by locking down systems, restricting user access or removing administrator privileges from users.

“I fully support this approach to security. Only give users access to what they need, take away admin privileges, but none of these things will protect against ransomware.”

The most effective way to counter ransomware, said Hypponen, is to backup all critical data, but many organisations are failing in this.

“They may be backing up data, but they are typically not doing it often enough. They are not backing up all the information they really need because files are not being saved to the right folders, and they are not testing their backups regularly. Even if they have backed up the information, they are often unable to restore it to a usable form,” he said.

“In addition to regularly tested backups, organisations should also ensure they would be able to detect and respond to a live ransomware Trojan on their network before it has succeeded in locking up all the data,” said Hypponen.

One way of approaching this is to plant dummy “canary” files throughout the network. These should never be touched by legitimate users and act as alarms. If these files are touched, it points to malicious activity on the network.

Ransomware is also popular, he said, because its developers are able to outsource the risk to partners whose role is infect computers in return for a share in the money extorted from victims.

In addition to ransomware, another new business model for cyber criminals is circumventing the fingerprint locks on iPhones.

“Once fingerprint readers were added to iPhones, users were able to lock and unlock them quickly and easily. This meant that if the phone was stolen, it was useless and could be only sold for spares, which did not yield very much,” said Hypponen.

But researchers are now starting to see criminal organisations that are able to trick victims of mobile phone theft into revealing their iCloud credentials.

“Victims typically receive an email message a few days after their phone is stolen to say it has been located using the ‘track my iPhone’ facility, telling them to click the link embedded in the message,” said Hypponen.

“But the link takes them to a phishing site that asks them to log into their iCloud account, and once they have done that, the criminals have the information to reset the stolen phone and sell it as a fully working device.”

The second lesson learned in 25 years of cyber security, said Hypponen, is that people will never learn, and that user education is a waste of time.

“It doesn’t matter how many times you tell them, they will always double click on every executable. They will always follow every link, they will always type their password and credit card number into any online form that asks for that information, and they will always post their credit card picture and even CVV numbers on Twitter,” he said.

Admitting this may be overly pessimistic, Hypponen said that instead of trying to “patch” people by educating them, the responsibility should be shifted to those better equipped to handle it.

“We should be thinking about where we really want the responsibility to be,” he added. “Do we really want people to be responsible for security when most of them can’t handle it, or should we be thinking about taking the responsibility away from the user and giving it to operating system developers, security companies, and internet service providers and mobile operating firms that provide the connectivity that causes the problems in the first place?”