Monthly Archive April 2015

Information Security Breach Report – 27 April 2015

A round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.


Breaches, Incidents and Alerts:

Tesla’s website has been hacked

White Lodging Services confirms second payment card breach

Punkey, a new POS Malware in the criminal ecosystem

Zero-Day Malvertising Attack Went Undetected For Two Months

NetNanny Found Using Shared Private Key, Root CA

Pushdo spamming botnet still active in the wild

Cash register maker used same password – 166816 – non-stop since 1990

Phasebot, the fileless malware sold in the underground

Samsung Galaxy S5 could be open to fingerprint theft

Costa Coffee Club members wake up and smell the data breach

Hacked off: Tesco Clubcard and Costa Coffee cards breached in Cambridge area

Bypassing OS X Security Tools is Trivial, Researcher Says

Login Vulnerability Exposes SAP ASE Databases

Magento Flaw Exploited in the Wild a few hours after disclosure

New Threats Range From ‘Dribbling Breached Data’ to IoT and Toys

39,000 patients may have been victim in Seton data breach

Hack breaches Taipei government computers

Phishing Leads to Healthcare Breach

No evidence that any data removed from system: Premera

Anonymous Claims Hack of Israeli Arms Importer, Fab-Defense; Leaks Massive Client Login Data

Evil Wi-Fi kills iPhones, iPods in range – ‘No iOS Zone’ SSL bug revealed

WordPress Releases Version 4.1.2, Calls It A “Critical Security Release”


Miscellaneous Infosec stories:

Hacking telesurgery robots, a concrete risk

Spy in the sandbox attack to spy on your online activity

Insider threats force balance between security and access

Study: Firms not ready to respond to complex threats

48,000 Windows XP PCs are still running at TEPCO … which are the risks?

Insurers mull proposed cyber rules

Low IT security spend in region leaves businesses open to cyber attacks

Cyber-Attacks Getting Respect All Over The World

Russian Hackers Read Obama’s Emails During White House Security Breach

Congress to banks: Admit you’ve been hacked!

Should we fear hackers?

Banks Lose Up to $100K/Hour to Shorter, More Intense DDoS Attacks

Massive TalkTalk data breach STILL causing customer scam tsunami

Fraud or Breach? Questions to Ask Before Calling in the Cavalry

Ransomware crims drop Bitcoin faster than Google axes services

The international effort to confront international cybercrime

Encryption adoption slows, but users believe it frees them from breach reporting

It’s official: David Brents are the weakest link in phishing attacks

A Few Challenges in Calculating Total Cost of a Data Breach Using Insurance Claims Payment Data

Your city’s not smart if it’s vulnerable, says hacker

BYOD and cloud are top data breaches and malware risks, survey shows


Tools, Tips and How it’s done:

Analyzing the Magento Vulnerability (Updated)

1,500 iOS apps have HTTPS-crippling bug. Is one of them on your device?

The hacker Stefan Esser shows the jailbreak for iOS 8.4 beta 1

How to hack Avaya phones with a simple text editor

How to discover NSA Quantum Insert attacks on your systems

Former hacker talks phone password security

Your big data toolchain is a big security risk!

Quantum Insert Attack

Smarter threats and the rising complexity of cybercrime

Millions of accounts are being compromised because developers don’t have a specialised user database

How To Protect Your Business From Social Engineering

This machine catches stingrays: Pwnie Express demos cellular threat detector

Inside the rickety, vulnerable systems that run just about every power plant


Miscellaneous Privacy stories:

Hackers spy on Kansas family through unsecured baby monitor


Safeguarding Children and School E-Safety stories:

We’re not getting to grips with online hate

Rise in reports of abusive texts prompts headteacher to send letter to parents

5 ways to tell an online predator may be grooming your child


If you would like this report sent to your inbox each morning, email me at

You can see all previous issues of this blog at


My Linkedin Profile is

Information Security Breach Report – 21 April 2015

A round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.


Breaches, Incidents and Alerts:

Operation Pawn Storm on Continued Marathon, Attacking Targets Now with Advance Infrastructure

Several Vulnerabilities Found in Enterprise Search Engine SearchBlox

WikiLeaks Dumps Data from Sony Hacking Scandal

HSBC Acknowledges Data Breach

Updates Fix Several Vulnerabilities in HP Network Automation

Local families among victims of improper use of DCF information

D-Link: sorry we’re SOHOpeless

JavaScript CPU cache snooper tells crooks EVERYTHING you do online

Watch: Nasty JPEG pops corporate locks on Windows boxes

Patch Tuesday, exploit Thursday: Windows HTTP.sys flaw under attack

Flaw in Schneider Electric Vamp Software Allows Arbitrary Code Execution

Moxa Industrial Surveillance Products Affected by RCE Vulnerability

Hotel Operator White Lodging Struck Again by PoS Attack

Phishing catches victims ‘in minutes’


Miscellaneous Infosec stories:

Zero-Day Vulnerabilities Rose in 2014: Symantec

The Rise of the Chief Security Officer: What It Means for Corporations and Customers

Verizon Data Breach Study Finds Old Flaws Remain Dangerous

Anonymous slams cyber threat-sharing bill

IT’S WAR: Hacktivists throw in their lot with spies and the military

Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks

It’s boom times for hackers as cyber sleuths gather

Can security analytics be key in breach detection?

Study highlights increasing cyber crime threats to governments

United boots cyber security expert from flight after he noted security flaws

The positive side of security threats

Employees have no qualms in selling corporate passwords


Tools, Tips and How it’s done:

What does PCI DSS Version 3.1 mean to you?

The 20,000 fake phone numbers

9 things retailers need to know about data breaches

Cybercriminals still rely on decades-old techniques

How to create a powerful password: Your ultimate guide to beating the hackers

4 Ways Your Small Business Can Better Prevent Cyber Crime

Get Cyber Fit Without Breaking a Sweat

RFIDs, Encryption, and Stop Rules.

sptoolkit Rebirth – Simple Phishing Toolkit


Miscellaneous Privacy stories:

That’s right: FBI agents can’t pretend to be ISP repairmen to search homes without a warrant

Lawyer: Cops dropped robbery case rather than detail FBI’s StingRay phone snoop gizmo

Lost in the clouds: Your private data has been indexed by Google


Safeguarding Children and School E-Safety stories:

Arrest Made In Connection With Instagram Death Threats In San Dimas

Thousands of children receive lessons on online safety

Protecting Children’s Rights in the Digital World: An Ever-Growing Challenge – Social Work Helper



What does PCI DSS Version 3.1 mean to you?


By Paul Brennecker, Principal QSA at Security Risk Management Ltd

On Wednesday 15th April 2015 the PCI SSC (Payment Card Industry Security Standards Council) published PCI DSS Version 3.1, updating the payment card industry's guidelines. While these changes mean enhanced privacy for consumers and better safeguarding of data, they will also require most companies holding cardholder data or processing payments to review their payment procedures as soon as possible.

Superficially, PCI DSS v3.1 makes only subtle adjustments to the existing requirements, but their impact will be far-reaching.

Effective immediately, all versions of Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) are no longer considered strong cryptography. This affects PCI DSS Requirements 2.2.3, 2.3 and 4.1. SSL and early TLS cannot be used as a security control after 30 June 2016.

Moreover, the PAN (primary account number) requirement has been reinforced in 3.1. The new guidelines prioritise ‘PAN truncation’, a security measure that removes all but the first 6 and last 4 digits, thereby helping to protect payment card data. PAN truncation is a mechanism used by POS (point of sale) terminals and in many countries is already a mandatory cyber security measure.

Previously the hashed and the truncated versions of the PAN were not considered cardholder data, but 3.1 makes it clear that, to protect cardholder data, the two must never be held together: an attacker who has the first six and last four digits can enumerate the missing digits and hash each candidate until one matches the stored hash.
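The point above, that a truncated PAN and an unkeyed hash of the same PAN must not sit side by side, is easiest to see in code. The following is an added example written for this page, not code from the article or from Security Risk Management Ltd. It implements the truncation rule the article describes (first six and last four digits kept), contrasts a plain SHA-256 of the PAN with an HMAC under a secret key, and keeps only the two safe representations. The 13-to-19-digit length range, the HMAC-SHA256 choice and the test card number used in the sample are assumptions of the example, not statements from PCI DSS.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, mask: str = "*") -> str:
    """PAN truncation as the article describes it: keep the first six and the
    last four digits and mask everything in between. Accepting PAN lengths of
    13-19 digits is an assumption of this example."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + mask * (len(pan) - 10) + pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """The pattern 3.1 warns about: a plain SHA-256 of the PAN. Anyone holding
    the truncated value can recompute this for every candidate middle section,
    so it must never be stored alongside the truncation."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key. Without the key the value
    cannot be recomputed from a truncated PAN, so the two representations can
    no longer be correlated."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def protect_pan(pan: str, key: bytes) -> dict:
    """Produce the only two representations a system should retain: the
    truncated PAN for display and a keyed hash for lookups. The full PAN is
    validated and then discarded."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return {"truncated": truncate_pan(pan), "reference": keyed_pan_hash(pan, key)}


if __name__ == "__main__":
    # Constructed sample: a well-known test card number, not a real account.
    key = secrets.token_bytes(32)  # in practice an HSM- or KMS-managed key
    print(protect_pan("4111111111111111", key))
```

The HMAC key is the control that makes the difference: it has to be managed like any other cryptographic key under Requirement 3, and it must not be stored in the same place as the truncated values.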

Another important change is the prohibition on sending PANs via ‘end-user messaging technologies’. This means that sending an SMS that shows the PAN of a card is explicitly no longer accepted unless it is encrypted. Cardholder data was already prohibited from traversing the Internet via email or instant messaging; from now on, all messages sent over GSM, CDMA and TDMA networks also fall within the PCI compliance requirements.

Lastly, and perhaps most significantly, is the hardening of attitude towards Secure Sockets Layer (SSL). On 25th March 2015 the PCI SSC released an FAQ with additional information on how SSL poses a risk to payment card data and how it affects point-of-sale devices and web servers. PCI DSS 3.1 clarifies this stance. It is therefore now vital to switch to the TLS protocol and abandon SSL as soon as possible.

The revisions in 3.1 reflect the changes in the threat landscape and the increase in the number of attacks registered during 2014, so the PCI Council's initiative needs to be taken seriously. Most companies that hold cardholder data or process debit or credit card payments will need to review their processes and technologies in the near future.
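The SSL and early-TLS point made twice above (the Requirements 2.2.3, 2.3 and 4.1 change, and the closing advice to move to TLS) comes down to the protocol floor a server will accept. The following added example, written for this page and not code from the article or from Security Risk Management Ltd, shows the weak setting beside the corrected one using Python's standard `ssl` module, plus a check that can be run against an existing context. It looks only at the protocol version floor; cipher suite and key length choices, which also belong to the "strong cryptography" definition, are out of scope here. The `certfile`/`keyfile` parameters are placeholders for the server's own certificate and key.

```python
import ssl

# Protocol versions PCI DSS 3.1 no longer treats as strong cryptography.
WEAK_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def version_is_strong(version: ssl.TLSVersion) -> bool:
    """TLS 1.2 or later counts as strong. SSLv3, TLS 1.0, TLS 1.1 and the
    'whatever the library supports' floor (MINIMUM_SUPPORTED) do not."""
    if version == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return False
    if version == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return True
    return version >= ssl.TLSVersion.TLSv1_2


def legacy_server_context() -> ssl.SSLContext:
    """The weak setting: leave the floor at whatever the linked OpenSSL still
    offers, which on older builds includes SSLv3 and TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def pci31_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """The corrected setting: refuse anything below TLS 1.2 and disable TLS
    compression. certfile/keyfile are placeholders for the real chain and key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_meets_pci31(ctx: ssl.SSLContext) -> bool:
    """Check an existing context's protocol floor against the 3.1 rule."""
    return version_is_strong(ctx.minimum_version)


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable floor, handy in a compliance report."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("pci31", pci31_server_context())):
        print(label, minimum_version_name(ctx), context_meets_pci31(ctx))
```

`context_meets_pci31` is the piece worth reusing: run it over every `SSLContext` an application builds, and treat any context whose floor is below TLS 1.2 as a finding to fix before the 30 June 2016 deadline the article cites.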

North East Cyber Security Cluster


By Mustafa El-Jarrah, Information Security Support Consultant at Security Risk Management Ltd

The North East Cyber Security Cluster was launched on 12th February 2015 at the Digital Skills Academy at Newcastle College. SRM is the sponsor of the campaign, hosting and managing the cluster with the main aim of bringing together cyber security companies within the region to promote growth and raise awareness.

One of the first clusters to be established in the UK was the Malvern cluster in September 2011. As it became prominent, it faced high demand from cyber security companies across the UK wanting to join. As a result, the UK Cyber Security Forum was established in April 2014, and this was the catalyst for forming other regional clusters throughout the UK.

The collection of clusters enables individuals and organisations to meet and discuss cyber security issues. The North East Cluster is now actively seeking new members. One of the many advantages of the cluster is that it gives smaller cyber security organisations an opportunity to join forces and compete for the larger contracts on offer from bigger corporations.

Membership of the cluster is free of charge. For more information, contact us…

Information Security Breach Report – 13 April 2015

A round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.


Breaches, Incidents and Alerts:

Lufthansa customers were targeted by a cyber attack

Apple Patches Critical Backdoor Flaw in OS X 10.10.3

AT&T To Pay $25 Million to Resolve FCC Data Breach Claims

ɘƨɿɘvɘЯ algo attack cracks Belkin router WPS PINs: researcher

18 out of 20 top boxlines vulnerable to ‘click-jacking’ cyber attacks

China Accused Of Decade Of Cyber Attacks On Governments And Corporates In Asia

Hobart Airport website taken offline after cyber-attack

Hackers attack Belgian press group, second cyber siege since French station Tv5Monde

IBM uncovers fraud scheme by well funded Eastern European gang of cyber criminals

AlienSpy RAT exploited to deliver the popular Citadel Trojan

Security Advisory: Persistent XSS in WP-Super-Cache

Many big companies are still vulnerable to the biggest computer bug ever discovered, report says

FireEye claims discovery of 10-year hack campaign by China

Walters McCann Fanska notifies clients of network security breach


Miscellaneous Infosec stories:

In a flash, I became a victim of cyber thieves

Emergence of various gadgets gives rise to wider cyber crimes

Insurance payout ‘threat’ a push for better cyber-safety

Your smartphone app may be… malware trap

Thousands could launch Sony-style cyber attack, says ex-hacker

“Great Canon” The most powerful Cyber-Weapon is getting used by China Government

Most Cyber Security Breaches Due to Known Issues, Says tech Firm’s Report


Tools, Tips and How it’s done:

How Identity Data Security Helps Financial Services Fight Cyber Crime

Cyber Incident/Data Breach Response: Your emergency Checklist

Lessons in War Series – The Role of Computer Forensics

Backtrack 5 Social Engineering Toolkit Fake Facebook Arp Dns Sing

Dealing With a Data Breach: What to Do if Your Server Is Compromised

The critical 48 hours: how to mitigate the damage from a cyber-attack

The oldest trick in the ASCII book

Here’s a tip for some Crime Stoppers in Canada: you’ve been hacked


Miscellaneous Privacy stories:

The government hides surveillance programs just because people would freak out

As encryption spreads, U.S. grapples with clash between privacy, security

Meet the privacy activists who spy on the surveillance industry

Facebook claims ‘a bug’ made it track nonusers

“I feel violated:” Fraudulent Green Dot accounts set up using stolen identities

Process servers can find you on Facebook

Snowden keeps saying that US is still catching our emails


Safeguarding Children and School E-Safety stories:

Five steps for an effective school e-safety policy

Limerick kids to take the fight to online bullies at major summit

Why community intelligence modelling is vital when dealing with the ‘digital native’

Full Frame Panel: Cyberbullying 101

Higgins proposes cyber bullying legislation after falling victim

Florida Teen Charged With Felony For Changing Teacher’s Desktop Wallpaper

Why Online Abuse Is Not Our Destiny

Every Teacher’s Must Have Guide to Facebook

TeaMp0isoN reveals schools’ vulnerabilities

Police Chief Unable To Simply Do Nothing Over Reported Teen Sexting, Brings Child Porn Charges Against Four Minors

“Lessons will Be learned”: Safeguarding in schools

Education Sector Struggles With Botnets: BitSight

