Security Newsletter

Redcar Council Victim Of Major Ransomware Cyber Attack

A Northern England borough council has been reduced to using pen and paper to deliver key services. Redcar and Cleveland Borough Council has struggled to counter a ransomware attack which has disrupted local government digital services in the borough for more than a week. Council chiefs have told the press that files on their systems have been scrambled and that they have been given a virtual ransom demand to return systems to normal.

According to BBC News:

“Redcar and Cleveland Borough Council’s website and all computers at the authority were attacked on Saturday.

One cyber-security expert told the BBC the incident had all the hallmarks of a ransomware attack, in which files are scrambled until a ransom is paid.

But the council refused to confirm the nature of the hack.

Online appointment bookings, planning documents, social care advice and council housing complaints systems are just some of the services knocked offline.

The National Crime Agency said it was supporting the council.

A team of experts from the UK’s National Cyber Security Centre (NCSC) has been on site since the cyber-attack.

The NCSC said: “We are aware of a cyber-incident affecting Redcar and Cleveland Borough Council.

“This is an isolated incident and we are supporting the organisation and working with partners to understand its impact.”

The leader of the council, Councillor Mary Lanigan, told the BBC: “Computers have been taken offline and systems are being rebuilt.

“We have a massive team here – including cyber-security experts – working around the clock flat out to get it fixed.

“They have to go through [IT systems] bit by bit to make sure everything is clean. A lot of our staff are not able to work without computers but they are coping quite well here. The main problem is that we have no email systems, so we have extra phone lines for residents.”

The website for council tax payments is nevertheless open and the council says frontline services are continuing, with staff using pen and paper.

The council says it is updating taxpayers using Facebook and Twitter.”

The National Cyber Security Agency has a raft of features and training support materials to help small businesses counter the growing threat of ransomware and cyber criminality.

Microsoft’s Final Update for Windows 7 Gets Another “Final” Update For The Legacy Platform

Microsoft has issued a new ‘final’ Windows 7 update a few days after the Redmond software giant confirmed it would no longer release patches for the legacy operating system platform. However, in a big U-turn, Microsoft unveiled a second “final” patch days later.

According to BBC News:

“It made the U-turn after it emerged there was a bug in its “final” patch.

It caused “wallpaper issues” for users who configured their computers with the stretch option for their background desktop, causing a plain black screen to be shown when Windows was restarted.

And users took to Reddit and Microsoft’s own support forums demanding a fix.

Security consultant Graham Cluley tweeted: “That didn’t take long. Microsoft backs down on ‘no more updates for Windows 7’ in order to fix stretched wallpaper bug.”

Initially, Microsoft said it would issue the new fix only to those who subscribed to its extended security updates (ESU) program.

But later it said: “We are working on a resolution and will provide an update in an upcoming release, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1.”

Microsoft officially ended support for Windows 7 on 14 January, although ESU subscribers will continue to receive security updates.

One in four Windows users is still running Windows 7, according to measurement website StatCounter.

Security experts have advised them to upgrade their operating systems to Windows 10.”

The advice from Microsoft and the wider security community is to upgrade Windows 7 systems as soon as possible. Windows 10 has seen a slight price reduction accordingly during the last seven months. Life-cycle planning in an ever-changing cyber security environment means operating system updating should be a major priority for SMEs.

Estee Lauder Data Breach Affects Nearly Half a Million Users

The luxury cosmetics giant Estee Lauder has fallen victim to a major data breach which occurred through a ‘middleware’ data exposure issue that created a diversionary pathway for malware to infiltrate EL’s network and compromise private data. The main issue surrounded a non-password protected cloud service that contained hundreds of millions of Estee Lauder customer records.

According to ThreatPost:

“In all, 440,336,852 individual data pieces were exposed, according to researcher Jeremiah Fowler at Security Discovery. Many of the records importantly contained plaintext email addresses (including internal email addresses from the @estee.com domain). There were also reams of logs for content management systems (CMS) and middleware activity. Fortunately, there was no payment data or sensitive employee information included in the records that Fowler saw.

“This company has been a household name for over 70 years and had an annual revenue of $14.863 billion in 2019 – [so] it seems logical that there would be a large dataset associated with the business,” Fowler wrote in a report on his discovery, published Tuesday. He added that while he saw that there were “massive” numbers of consumer email addresses involved, he didn’t calculate the total number because he immediately pivoted to notifying the company.

“I can only speculate or assume that the email addresses were from digital commerce or online sales,” he said.

As for the other data, most of it could be used as reconnaissance for a larger network attack, Fowler noted. The logs for instance contained IP addresses, ports, pathways and storage information that could be used to map out the company’s internal LAN or WAN; and, middleware used by the company to connect different data-generating software packages was also detailed.

Middleware typically handles tasks like providing a consistent front-end for data management across different internal systems; application services; messaging; authentication; and API management.

“Middleware can create a secondary path for malware, through which applications and data can be compromised,” Fowler explained. “In this instance, anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.””

However, researchers and tech commentators highlighted Estee Lauder’s response as a textbook example of how a big company should react to a major data breach. The reporting structures, the lessons-learnt process and the way millions of customers were engaged highlighted the company’s maturity in cyber security and its responsibilities therein.

Honda’s Lax Security Exposes 26,000 Customers’ Information Online

Honda, the car giant, was found to have exposed the personal information of nearly 30,000 Honda USA car owners on a misconfigured cloud database that was publicly available for over a week. The cloud setup error left full names, mailing information, email data and more available for all to see.

According to ThreatPost:

“The records appear to have been exposed for over a week, which would have allowed malicious parties ample time to copy the data for their own purposes if they found it,” security researcher Bob Diachenko said in a Wednesday analysis. “We don’t know if any other unauthorized parties accessed the database while it was not secured.”

The database was a data-logging and monitoring server for telematics services for North America, covering the process for new customer enrollment as well as internal logs. It was discovered accessible online to anyone with a web browser.

Diachenko first discovered the unprotected database on Dec. 11 and notified Honda’s security team on Dec. 12. The server was shut down the next day.

While Diachenko estimated that there were 976 million total records in the database, Honda in a statement to the researcher said that there were roughly 26,000 unique consumer related records. This number was approximated by eliminating duplicate information and data that did not contain consumer PII (personal identifiable information), according to Honda.

“We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability,” Honda said in a statement. “All data in this database is now secure. We can also say with certainty that there was no financial, credit card or password information exposed on this database.”

However, the server on which the database resides was misconfigured on Oct. 21, leaving the information open for the taking for a week. If malicious third parties were able to access the data, it could lead to an array of attacks – most notably, using the customer PII data for highly targeted phishing attacks, security experts said.”

If you need help or support with your SME cyber security systems, the National Cyber Security Agency provides a range of training solutions and guidance.

Currys PC World Hit By Massive ICO Data Breach Fine

DSG Retail Limited, which runs Currys PC World among other retail businesses, has been fined by the Information Commissioner’s Office after a point-of-sale network was compromised, resulting in a cyber attack affecting 14 million people. The year-long cyber breach saw a nine-month period of criminal harvesting of personal data. DSG’s continued inability to secure its network resulted in nearly 5.6 million payment card details being available for criminals to steal.

According to the ICO:

“An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine month period before the attack was detected.

The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.

DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.

In January 2018, the ICO fined Carphone Warehouse, which is part of the same company group, £400,000 for similar security vulnerabilities.

Steve Eckersley, ICO’s Director of Investigations, said:

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud. The ICO received 158 complaints between June 2018 and November 2018 from DSG’s customers. As of March 2019, the company reported that nearly 3,300 customers had contacted them directly in relation to this data breach.”

Why not visit the Government’s micro and small business cyber security help page? It can provide small businesses with the necessary tools and resources to help set up a basic cyber security system to protect your business.