Security of UK ISPs failing users

The security of the UK’s biggest ISPs needs “major improvement”, according to one expert.

Security consultant Paul Moore examined the publicly available information of the UK’s six biggest ISPs. He said he found plenty of bugs that could be exploited by hackers.

But he said most ISPs had been in contact with him and had worked to tighten security once told of the issues.

The audit of TalkTalk, Sky, BT, Plusnet, EE and Virgin Media was kicked off in the wake of the TalkTalk hack, which saw the personal details of 157,000 of its customers exposed and more than 15,600 bank account numbers and sort codes stolen.

Similar problems to those encountered by TalkTalk could have been experienced by any of the major ISPs, Mr Moore believes.

The audit found a variety of problems, including passwords stored in plain text, exposed code that would allow hackers to inject their own code on to ISPs’ websites and potentially load malware on to them, and issues with encryption certificates that meant Mr Moore could apply for them from the certificate authority and pose as the webmaster for a set of ISP-owned websites.

Mr Moore said he was impressed by most of the ISPs’ responses when he raised the issues with them.

“Ordinarily they would not be so open and honest with me but, after what happened at TalkTalk, they have been stepping in quickly,” said Mr Moore.

“On one occasion I notified BT and PlusNet about a bug at 14:00 and they kept people back until 22:00 to fix it.”

But, he added, TalkTalk was yet to contact him. TalkTalk did supply a statement saying it had “integrated Paul Moore’s comments into an ongoing programme of work”.

“We constantly run vulnerability checks using industry-standard third party tools. The vulnerability exploited by the hackers was not picked up by this testing, and if it had been, we would clearly have acted on that information straightaway to secure our system,” it added.

Prof Alan Woodward, a security expert at Surrey University, said he was shocked by the findings.

“TalkTalk still has problems and others have not dissimilar ones,” he said. “I find it very surprising that after the TalkTalk hack, the six ISPs still appear not to be attending to the basics.”

He added: “ISPs are the single biggest handlers of our personal data and I would expect them to get this right.”

Web spying proposals may be costly

MPs are investigating what it will cost ISPs to meet government proposals to log online Britons.

The House of Commons Science and Technology committee is looking at whether gathering data on online citizens is even financially feasible.

It also wants to look into the potential impact that logging browsing will have on how people use the web.

The consultation comes as questions mount over the money the government will set aside to support monitoring.

The draft Investigatory Powers Bill (IP Bill) was unveiled as part of an attempt to update the way the state, police and spies gather data to fight crime, terrorism and other threats.

One of the most contentious aspects of the IP Bill obliges ISPs to record information about the services, websites and data every UK citizen uses. These “Internet Connection Records” would hold a year’s worth of data.

The Science and Technology committee has said it wants to look more deeply into this and its potential cost.

In a notice announcing the inquiry, the Committee said it wanted to find out if it was possible for ISPs to meet the IP Bill’s requirements. The text of the Bill asks ISPs to log where people go but not what they do when on a site or using a service.

MPs also want to find out how easy it is for ISPs to separate data about a visit to a site from what happens once people log in, because more stringent rules govern who can discover what people do on a site as opposed to the sites they use.

The Committee will also look at how much it might cost the providers to do this.

The government has said it will provide £175 million to ISPs over 10 years to pay for data to be gathered and stored.

Adrian Kennard, head of UK ISP Andrews and Arnold, said it was not clear whether that was enough because the government had not specified what exactly it wanted recorded.

Added to this will be the “big issue” of how to meet the need to separate data about the sites people visit from what they do, he said.

ISPs watch the flows of data across their networks to help manage traffic, he said, but they typically only sample these streams because they deal with such massive quantities of information every day.

Added to this, he said, was the question of how to log which device was being used for which visit.

Microsoft builds UK cloud data centres

Microsoft is building two cloud data centres in the UK next year.

The move will allow the company to bid for cloud computing contracts involving sensitive government data, which it was restricted from providing before.

Consumers should also benefit from faster running apps.

The announcement, made by Microsoft chief executive Satya Nadella in London, follows a similar declaration by Amazon last week.

The two companies vie to provide online storage and data crunching tools via their respective platforms Microsoft Azure and Amazon Web Services.

The companies’ latest efforts should address highly regulated organisations’ privacy concerns.

In a related development, the firm has also announced plans to offer its Azure and Office 365 cloud services from two German data centres controlled by a third party, a subsidiary of Deutsche Telekom.

“Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision,” it said.

The move will make it even harder for overseas authorities to gain access to the files.

Microsoft is currently engaged in a legal battle with the US Department of Justice, which is trying to make it hand over emails stored on a server in Ireland – the tech firm says the government is trying to exceed its authority.

Mr Nadella announced the plan to open a data centre near London and another elsewhere in the UK – whose location has yet to be named – in 2016.

They will bring the company’s tally of regional data centres to 26.

He added Microsoft had also just completed the expansion of existing facilities in Ireland and the Netherlands.

“It really marks a huge milestone and a commitment on our part to make sure that we build the most hyperscale public cloud that operates around the world with more regions than anyone else,” he told the Future Decoded conference.

Scott Guthrie, Microsoft’s cloud enterprise group chief, added that the move would address privacy watchdogs’ concerns about “data sovereignty”.

Amazon has also committed itself to multiple UK data centres, but has not said how many at this stage. It will make the UK its 15th regional base.

Although that is fewer than Microsoft’s, the company is currently the global leader in this field in terms of market share.

Announcing its move, Amazon said an added benefit of having a local data centre was that the public would experience less lag when using net-based services.

Amazon’s other EU-based data centres are in Ireland and Germany.

Although outsourcing computing work to one of the big tech companies offers the potential for savings – as they do not have to build and maintain their own equipment – there are also risks involved.

A fault with Azure knocked many third-party websites offline last year, and Amazon has experienced glitches of its own. However, major faults taking clients’ services offline are a relatively rare occurrence.

New EU data laws threaten huge fines

Companies could face fines of up to 4% of their global annual turnover under new European rules on data protection.

The European Union has approved significant changes to data laws, aimed at putting individuals back in charge of their information.

It is the biggest shake up to privacy regulation for 20 years, according to experts. The changes would make privacy “a board-level issue”, one lawyer said.

Peter Church, a technology lawyer at Linklaters, said it would make businesses “start taking these issues a lot more seriously”.

US technology companies already have problems with European regulators, with both Google and Facebook facing big fines – Facebook over its use of cookies and Google over its privacy policy.

Although this new law will not come into force until 2018, the changes meant the tech giants would have to “pay more attention to what regulators are saying”, said Mr Church.

The new draft policy, in discussion since 2012, will need to be ratified by the European Parliament next year.

Other changes include:

  • Firms will have to report serious data breaches to regulators within 72 hours
  • Consumers’ right to be forgotten will be extended beyond search engines to all aspects of their web history – so, for example, a user could request to have his or her Facebook profile removed
  • Consumers have the right to transfer their data from one company to another – so, for example, a user could request all data relating to shopping purchases be sent to them so they can transfer their preferences to a rival supermarket
  • Companies that handle significant amounts of data will have to employ a data protection officer

Jan Philipp Albrecht, chief negotiator, said of the deal: “This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age.”

“The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU.”

“Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of the internal changes that will be required.”

Facebook in trouble over data tracking

Facebook is in trouble with the Belgian privacy commission, which is cross that it tracks internet users who are not members of the social network.

A court has ruled that it is unacceptable that every time someone clicks a “like” button on a website, their browsing activity is collected, regardless of whether they are Facebook users or not.

The controversy centres around a cookie – a simple text file which can track a number of user activities – which Facebook has used for the last few years.

Researchers found that even non-members who visited any page that fell under the facebook.com domain would have what Facebook calls its datr cookie – which has a two-year lifespan – installed on their browser.

They conducted a series of tests including one where they did a Google search for the term “facebook data policy”. It led them to the Facebook data policy page which placed the datr cookie on their browser.

They then visited a Belgian website related to prostate cancer treatment which includes a Facebook like button and found that the datr cookie was sent to Facebook.

There was no formal Facebook privacy notice regarding any cookie being stored.
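The mechanism the researchers describe is ordinary cookie scoping: a cookie set for the facebook.com domain is attached to every later request to that domain, including the request a third-party page makes when it loads the like button. The simulation below is an added example, not code from the article or from Facebook; it models a minimal cookie jar with the RFC 6265 domain-match rule and shows how a SameSite attribute or third-party cookie blocking (both defender-side controls) would stop the datr cookie leaving the first-party context. The site names, dates and plugin URL are constructed for illustration.

```python
"""Simulate the datr cookie scenario: set on facebook.com, sent from a third-party page."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # ".facebook.com": leading dot means subdomains match too
    expires: datetime
    same_site: str = "None"  # "None" (sent cross-site), "Lax" or "Strict"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def registrable_site(host: str) -> str:
    """Crude eTLD+1 for the demo (constructed; browsers use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


class Jar:
    """Tiny browser cookie jar: stores cookies and decides which ones a request carries."""

    def __init__(self) -> None:
        self.cookies: list[Cookie] = []

    def set_cookie(self, c: Cookie) -> None:
        self.cookies.append(c)

    def cookies_for(self, request_url: str, top_level_url: str, now: datetime,
                    block_third_party: bool = False) -> list[str]:
        host = urlparse(request_url).hostname or ""
        top = urlparse(top_level_url).hostname or ""
        cross_site = registrable_site(host) != registrable_site(top)
        sent = []
        for c in self.cookies:
            if c.expires <= now or not domain_matches(host, c.domain):
                continue
            if cross_site and block_third_party:
                continue  # browser setting: no cookies on third-party requests
            if cross_site and c.same_site in ("Lax", "Strict"):
                continue  # an embedded plugin request is not a top-level navigation
            sent.append(c.name)
        return sent


def simulate(same_site: str = "None", block_third_party: bool = False,
             top_level: str = "https://example-health-site.be/article") -> list[str]:
    """Return the cookie names sent to the like-button endpoint from a page at top_level."""
    now = datetime(2015, 11, 10)  # constructed date
    jar = Jar()
    # Step 1: a non-member reads the data policy page on facebook.com; datr is set
    # with the two-year lifespan the researchers reported.
    jar.set_cookie(Cookie("datr", "opaque-browser-id", ".facebook.com",
                          now + timedelta(days=730), same_site))
    # Step 2: a day later the same browser loads an unrelated page that embeds the
    # like button, which triggers a request to www.facebook.com.
    plugin = "https://www.facebook.com/plugins/like.php?href=" + top_level
    return jar.cookies_for(plugin, top_level, now + timedelta(days=1), block_third_party)


if __name__ == "__main__":
    print("default cookie, third-party page:", simulate())                  # ['datr']
    print("SameSite=Lax, third-party page:  ", simulate("Lax"))             # []
    print("third-party cookies blocked:     ", simulate(block_third_party=True))  # []
```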

Its tracking functionality has led the Belgian court to, rather dramatically, give Facebook 48 hours to stop using it or face a fine of £176,000 per day.

Investigators were drawn to the details of how Facebook’s cookies worked when the social network rolled out new terms and conditions in January, authorising it to track its users across websites and devices, use profile pictures for both commercial and non-commercial purposes and collect information about its users’ locations.

Users could agree to the changes or they could leave Facebook.

One of the things that the Belgian privacy commission did in response to the changes was commission a report from the Universities of Leuven and Brussels.

It concluded that tracking non-users was in breach of EU law.

Its findings were handed to the Belgian authorities who, after initial talks with Facebook failed to reach agreement, decided to take the case to court.

The judge agreed with the Belgian privacy commissioner, ruling that the information collected by the social network was personal data “which Facebook can only use if the internet user expressly gives their consent”.

Advertising revenue is Facebook’s biggest source of income, jumping 45% this year, with mobile ad sales accounting for 78% of that. Being able to track web browsing habits, even anonymised ones, allows it to better target that advertising.

Privacy campaigners are very clear though about what they want from Facebook.

They argue that Facebook needs to be more explicit about what it is tracking and offer users the right to opt in to such tracking rather than having to search through the site to find ways to opt out.

And a court in Austria is now considering whether it will bring action against Facebook for violating privacy laws in its country.

The battle between privacy campaigners and the big tech firms is far from finished.

TalkTalk hack to cost up to £35 million

The cyber attack on TalkTalk could cost it up to £35 million the company has said.

Following the hack, which divulged some users’ financial details, all customers of the telecoms group will be offered a free upgrade.

Chief executive Dido Harding said that despite the hack, TalkTalk was “well positioned to deliver strong and sustainable long-term growth”.

The firm still expects full-year results to be in line with market expectations.

TalkTalk shares had jumped more than 13% by the close of trade on Thursday, but were still down more than 20% compared with their pre-hack value.

Speaking to the BBC, Ms Harding said: “The estimated one-off costs are between £30 million and £35 million – that’s covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result.”

She added that in recognition of the uncertainty that this had caused customers, they would be offered an upgrade.

A spokesperson said the type of upgrade offered would depend on the kind of package customers already had. For example, customers with TV packages might be offered a sports channel that they did not already have.

Customers who were financially affected directly will be free to leave TalkTalk without financial penalty. They would have to be able to show they had lost money as a result of the hack.

Customers who wish to leave for a different reason – for example, if they feel their data is not secure – would still have to pay a contract termination fee.

However, TalkTalk’s offer to its customers is very limited

Some of TalkTalk’s millions of customers might have been angry enough to try to terminate their contracts when the telecommunications company first revealed details of a major data security breach last month.

But, with contracts for mobile, fixed line, broadband and television services of up to two years (always worth looking at those few lines at the bottom of the paperwork) customers found they couldn’t leave TalkTalk without incurring hefty costs.

When Dido Harding, the chief executive, first announced that customers would only be able to leave if they could show a “direct impact” on their bank account – a pretty high bar – investors heaved a sigh of relief and TalkTalk’s share price bounced up.

More than 15,600 bank account numbers and sort codes were stolen. Four people have been arrested and bailed in connection with the hack.

Ms Harding told the BBC that it was “too early to tell” what the longer term impact of the breach would be on the business.

Heartbleed attacks US banks

US banks have been hacked in an attack that exploited the Heartbleed bug.

In April 2014 the cybersecurity world was shocked by the discovery of Heartbleed, the name given to a vulnerability found in one of the systems we use to securely communicate over the internet.

In this hack – which investigators are calling the largest theft of consumer data from financial institutions ever – the Heartbleed bug was exploited to gain access to “Victim 2”, an as-yet unnamed financial firm headquartered in Boston.

But it’s just one angle to this enormous attack.

The real damage appears to have been done with some social engineering, executed in a way that shows just how difficult it is to defend against determined cybercriminals.

According to investigators, hackers gained access to various networks belonging to JP Morgan and six other financial institutions, scraping personal data they would then use to manipulate stock prices.

The three indicted men – Israelis Gery Shalon and Ziv Orenstein and American Joshua Samuel Aaron – were conducting “security fraud on steroids”, prosecutors say.

Another man, Anthony Murgio, was charged over running an illicit operation trading virtual currency Bitcoin.

Targeted mail

This is how prosecutors say the hack worked.

The hacking technique often involved using legitimate accounts belonging to Joshua Aaron.

Using this legitimate access, as if Mr Aaron was a normal customer, paved the way for the hackers to gain access to networks and systems containing reams of data about other customers – people who were investing in stocks.

Over the course of several years, they stole personal data on more than 100 million people. The hackers didn’t access bank details. They didn’t need nor want them.

Investigators said the hackers used the personal details to send out information to bosses’ email addresses, promoting certain stocks that hackers had bought cheaply. The price would rise, and the hackers would then sell off their now very valuable shares.

It’s a technique known as “pump and dump”.

The hackers were said to be using a remote server in Egypt to access the network of “Victim 3” – a financial services firm based in Omaha, Nebraska.

The remote server, which covered the accused’s real location, was used to log in to Mr Aaron’s account with Victim 3.

When info-security staff at the firm noticed the odd sign-in location, they locked Mr Aaron’s account. Good security practice.

But, according to the court papers: “Aaron called Victim 3 and, upon being notified that his account had been locked and asked by a customer service representative whether Aaron had been traveling in Egypt in March 2014, Aaron lied to the representative, and claimed that he had been in Egypt.

“In truth and in fact, and as Aaron well knew, Aaron had not been in Egypt and was merely attempting to convince Victim 3 to allow Aaron and his co-conspirators to access Aaron’s account online in furtherance of their efforts to hack into Victim 3.”

For banks – indeed any big company online – there’s a constant balance between making a system as secure as possible and not locking it down so much that it’s frustrating for normal customers to use.

But that’s not all these men are accused of doing. According to the court papers, the men were involved in a wide range of online crime.

As well as the stock manipulation, and running a Bitcoin trading platform to help launder the cash, the men were said to be running illegal online casinos, selling fake antivirus software and – that age old internet scam – offering the purchase of pharmaceuticals.

All of this added up to an alleged haul of £75 million which they kept in bank accounts in Switzerland.

Faulty ransomware makes data unrecoverable

Faulty coding in a ransom program that encrypts data means anyone hit by the Power Worm virus will not be able to recover files.

Normally, viruses known as ransomware decrypt files and data is recoverable once victims have paid a substantial fee.

But one variant of Power Worm destroys keys that could help recover any data that it scrambled.

Power Worm infects Microsoft Word and Excel files but the latest poorly written update of it goes after many more types of data files it finds on a victim’s machine.

The news comes as hackers produce new ransomware that is aimed at websites and encrypts data sitting on servers.

Malware researcher Nathan Scott discovered the variant and uncovered the mistakes its creator made when updating it.

Mr Scott believes the errors arose when the creator tried to simplify the decryption process. They tried to make it use just one decryption key but mangled the process of generating it. As a result, there is no key created for the files it encrypts when it compromises a computer.

There is unfortunately nothing that can be done for victims of this infection. If you have been affected by this ransomware, your only option is to restore from a backup.

The one consolation is that anyone attacked by Power Worm has no reason to pay the 2 bitcoin (about £500) ransom it asks for, because they would not get any data back.

Many ransomware gangs accept payments in bitcoins and make a lot of money from each victim as Bitcoins are not traceable.

Ransomware is proving increasingly popular with hi-tech thieves and one group has now extended its list of potential targets to web servers that run Linux.

Russian anti-virus firm Dr Web has discovered a novel ransomware variant called Linux.encoder that tries to infect sites via add-ons such as shopping systems that many of them use.

Once it lands on a server, the software encrypts any files, images, pages, scripts and stored source code it finds on the machine’s main and back-up directories. Linux.encoder leaves behind a text file detailing how victims can pay the 1 bitcoin ransom required to recover their data.

Change of cyber theft approaches

“In the volume cybercrime space, ransomware is one of the most prolific problems we face,” said Greg Day, chief security officer for Europe at Palo Alto Networks.

“Credit card theft is getting to the point where the value of each card is very low. As a result ransomware has stepped into that gap and gives a higher value for each victim.”

Research by Palo Alto Networks and industry partners suggests the well-known Crypto Wall family of ransomware has generated about £215 million for the gang behind it.

“The return is so much better,” Mr Day said. “That’s why it’s escalated to such a level.”

He said regularly backing up data would help people and companies avoid having to pay criminals if they got caught out by ransomware.

Secure email firm Protonmail paid a ransom after DDoS web attacks

Secure email firm Protonmail, based in Switzerland, has paid a ransom of more than £3,600 after web attacks crippled its website.

The criminals behind the web attacks said the payment would stop the deluge of data hitting the site. But despite paying up, the web attacks continued, leaving Protonmail struggling to operate.

It has now launched a fund raising drive to raise cash to tackle any future attacks.

In a blogpost, Protonmail said it received an email on 3 November that contained a threat to attack its website unless it paid a ransom of 15 bitcoins (£3,640).

Protonmail did not respond to the message and, soon afterwards, was hit by what is known as a distributed denial of service (DDoS) attack. This tries to knock a server offline by bombarding it with more data than it can handle.

Protonmail is a free, web-based, encrypted email service that needs its site up and running to serve customers.

The first attack knocked out Protonmail for about 15 minutes and then stopped. A second attack the next day was much bigger and overwhelmed efforts by the email firm and its ISP to stop it.

“This co-ordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just Protonmail,” it said on the blog.

In a bid to halt the attack, Protonmail said it “grudgingly” paid the 15 bitcoin ransom.

However, it said, this did not stop the attacks which continued to cause problems for many other firms.

Eventually, Protonmail’s ISP took action to remove the company’s site from the net to stem the flow of data.

Post-attack analysis suggests Protonmail was targeted in two phases, the company said. The first aided the ransom demand but the second was “not afraid of causing massive collateral damage in order to get at us”.

Switzerland’s national Computer Emergency Response Team (CERT), which helped Protonmail cope, said the attack was carried out by a cybercrime group known as the Armada Collective. This group has also targeted many other Swiss web companies over the last few weeks, the team said.

It said anyone who received ransom email should not pay up. Instead, they should talk to their ISPs about the best way to defend themselves against attacks.

Protonmail said that despite its work to harden itself against attack, it was still vulnerable to DDoS data deluges. It said it planned to sign up with a commercial service that can defend against the attacks but this would be likely to cost it more than £66,000 a year.

“We are fighting not just for privacy, but for the future of the internet,” it said.

TalkTalk hack affected 157,000 customers

TalkTalk has said nearly 157,000 of its customers’ personal details were accessed in the cyber-attack on its website.

More than 15,600 bank account numbers and sort codes were stolen, the company said.

This week police released a 16-year-old boy on bail who was the fourth person arrested in connection with the hack.

Since news of the cyber-attack emerged, TalkTalk shares have lost about a third of their value.

The firm said 4% of TalkTalk customers have sensitive data at risk. It confirmed that the scale of the attack was “much more limited than initially suspected”.

TalkTalk said:

  • 156,959 customers had personal details accessed
  • Of those customers, 15,656 bank account numbers and sort codes were stolen
  • 28,000 stolen credit and debit card numbers were “obscured” and “cannot be used for financial transactions”.

Customers whose financial details were stolen have been contacted, and the firm will contact other affected customers “within the coming days”.

The cyber attack on TalkTalk’s website happened on 21 October, it added.

Details that TalkTalk previously said had been stolen included names, addresses, dates of birth, telephone numbers and email addresses.

In October, the firm described the attack as “significant and sustained”, but said it was too early to say which data had been stolen.

It initially said that all of its customers may have been affected, but then revised its estimate.

Four people have been arrested over the hack so far: a boy of 15 in Northern Ireland, a 16-year-old boy from west London, a 20-year-old Staffordshire man, and a 16-year-old boy in Norwich. All four have been released on bail.