Tuesday, June 27, 2017
It could happen here! It should happen here! Will it happen here?
Small and medium sized businesses are being warned to take note as a company which suffered a cyber attack is fined £60,000 by the Information Commissioner’s Office (ICO).
An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.
Sally Anne Poole, ICO enforcement manager, said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. [What a concept! Bob]
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO’s investigation found:
- Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
- The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
- Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
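The ICO names SQL injection as the technique but not what makes a site open to it, which is the thing the "regular penetration testing" finding is about. The following is an added example, not code from the ICO report or from Boomerang Video's site: an in-memory SQLite table with constructed customer rows, a lookup that pastes user input into the SQL text (the defect), and the parameterised version beside it (the fix). The `demo()` function runs both against an ordinary value and against the kind of quote-and-always-true string a penetration test feeds to every query parameter, and returns how many rows each lookup gives back.

```python
import sqlite3

# Constructed sample data standing in for the customer records the ICO
# report says were exposed; the addresses and names are invented.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example"),
    ("bob@example.com", "Bob Example"),
    ("carol@example.com", "Carol Example"),
]


def make_db():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """The defect: the caller's input becomes part of the SQL text, so a
    quote character in the input can change the meaning of the query."""
    query = f"SELECT email, name FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """The fix: a parameterised query. The driver sends the value separately
    from the SQL text, so it is only ever compared as data."""
    query = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    """Run both lookups against a normal value and a hostile one and report
    the row counts, which is the check a routine penetration test performs."""
    conn = make_db()
    normal = "alice@example.com"
    # Input containing a quote and an always-true condition; for the
    # vulnerable lookup it turns the WHERE clause into a match on every row.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns the whole table for the hostile input, which is the route by which one web form exposes every customer record; the parameterised lookup returns nothing, because there is no customer whose address literally equals that string. The same pattern applies to whatever database driver the site uses: the cure is always to keep data out of the query text, not to try to filter quote characters.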
Ms Poole said:
“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.
SOURCE: Information Commissioner’s Office
Note that DataBreaches.net had covered this breach (search Boomerang Rentals), and had noted its frustrating and customer-irritating incident response.
Of note, I think this monetary penalty by the ICO is fairly consistent with what the Federal Trade Commission here has tried to do, highlighting basic security steps and failures to maintain “reasonable” security. One difference, however, is that the FTC has no authority to impose any monetary penalty like this.
For some reason, I don’t believe this.
HMS Queen Elizabeth, UK’s Largest Warship, Runs On Windows XP, Vulnerable To Hacking
It was recently revealed that HMS Queen Elizabeth, Britain’s largest warship, which left Rosyth Dockyard, Scotland, heading to the North Sea for its first ever sea trials, ran on the outdated operating system, Microsoft Windows XP.
… Mark Deller, commander air on the HMS Queen Elizabeth, defended the use of the operating system on the ship, refusing to admit that it can be hacked. "The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most," Deller told the Guardian.
Windows XP is the operating system that was incapable of protecting organizations like the National Health System (NHS) of the United Kingdom among others from a massive WannaCry ransomware attack in May 2017. The attack saw the cyber terror group take control of over 300,000 computers in 150 countries.
… “We are a very sanitized procurement train,” Deller stated. “I would say, compared to the NHS buying computers off the shelf, we are probably better than that. If you think more NASA and less NHS you are probably in the right place.”
HMS Queen Elizabeth not vulnerable to cyber attack, defence secretary insists
Britain's most powerful warship is not vulnerable to a cyber attack, the Defence Secretary has insisted, after fears were raised about its software.
… Sir Michael Fallon insisted the security around the computer software on the aircraft carrier is "properly protected".
Should it be a crime to conceal a security breach?
FBI: $1.45 Billion in Losses to Internet Crime Reported in 2016
The FBI has published its Internet Crime Report 2016 based on information received by the Internet Crime Complaint Center (IC3). It shows that 298,728 complaints were received by the IC3 during 2016 (up from 288,012 in 2015); and that reported losses to internet crime totaled more than $1.45 billion (up from $1.07 billion in 2015).
These figures, however, are likely to be only a fraction of the full picture. The FBI estimates that only 15 percent of the nation's fraud victims report their crimes to law enforcement.
For my Ethical Hacking students. Let’s build one!
… The Wi-Fi Pineapple is a piece of hardware that was originally created for network penetration testing. Pen testing is an authorized attack of a system in order to find vulnerabilities. The practise is part of a larger branch of testing known as Ethical Hacking.
Also for my Ethical Hacking students. Can we tap into any Echo, anywhere? (And if so, who should we give one to?)
The Amazon Echo now doubles as a home intercom system
Amazon will officially release the Show in a few days, but in the meantime, the company is introducing a long-awaited intercom feature for existing Echo devices. The addition uses Drop-In, a teleconferencing feature introduced on the Show that lets close friends and family members call into one another’s device with little warning.
I really didn’t like the feature when I tested the device this week — I found it to be pretty intrusive compared to standard calling.
… The system works through household groups created during the setup process, rather than in-home Wi-Fi. That means the app can also be used to check in on loved ones from afar, for those who have kids or elderly relatives — or, one imagines, for more nefarious reasons.
Not surprising. By their nature, start-ups are not “mature” in areas like security and privacy.
WASHINGTON, DC, June 27, 2017 – In a report released today from graduate researchers at Carnegie Mellon’s Heinz College, new research examines how educational technology startups balance limited resources and privacy concerns. The graduate researchers found that a disconnect between education providers and edtech startups may be due to the limited consideration startups put into creating, much less communicating, their privacy practices.
Additional findings include that, with startups’ limited resources and emphasis on product development, privacy isn’t often a priority.
… While only exploratory, the study asks important questions about how startups can best protect student data and effectively communicate with the public regarding privacy.
A summary of the report’s findings can be found here.
I don’t know many of these people. Should I?
TIME – The 25 Most Influential People on the Internet
by Sabrina I. Pacifici on Jun 26, 2017
“For our third annual roundup of the most influential people on the Internet, TIME sized up contenders by looking at their global impact on social media and their overall ability to drive news… Here’s who made this year’s unranked list”
Hey, Google! Give me a call. I happen to know a good anti-trust lawyer.
Google hit with record EU fine over Shopping service
Google has been fined 2.42bn euros ($2.7bn; £2.1bn) by the European Commission after it ruled the company had abused its power by promoting its own shopping comparison service at the top of search results.
The amount is the regulator's largest penalty to date against a company accused of distorting the market.
The ruling also orders Google to end its anti-competitive practices within 90 days or face a further penalty.
The US firm said it may appeal.
“I’m shocked. Shocked I tell you!”
Global view of US worsens under Trump, Pew says
… Surveys of residents in 37 nations across the world released on Tuesday found that since Trump took office in January, the US's image overseas has sharply declined and views of the new US leader in general are largely negative.
… When each country was asked which leader they had confidence in to "do the right thing regarding world affairs," only Israel and Russia had more confidence in Trump than former US President Barack Obama.
It would have to be thus, if you are hiring from a global pool of talent.
In Unilever's radical hiring experiment, resumes are out, algorithms are in
When Saniya Jaffer arrived for a job interview at Unilever PLC's Englewood Cliffs, N.J., office last October, she was a finalist for a summer position in information technology. After three rounds of interviews and assessments, the Chicago-native was about to encounter the first human in the process.
Before then, 21-year-old Ms. Jaffer had filled out a job application, played a set of online games and submitted videos of herself responding to questions about how she'd tackle challenges of the job. The reason she found herself in front of a hiring manager? A series of algorithms recommended her.
… The company has made more than 450 hires across the globe this way since the fall of 2016. Its experiment provides a glimpse of a tech-fueled future of recruiting in which humans write job descriptions and make the final decisions, but software and algorithms do the rest. Goldman Sachs Group Inc. and Wal-Mart Stores Inc.'s Jet.com have begun using similar digital tools to hook young workers and broaden their candidate base.
Worth a try?
Management, as seen from below.