Security Headlines Present Little Christmas Cheer

The new year is here, and on the day that Blade Runner antagonist Roy Batty is due to be incepted, I wonder how much artificial intelligence could influence and improve security in 2016.

That is to come, but over the holiday period which has just passed, all that I spotted were headlines about the same old problems in security.

One of the key stories was the taking down of the BBC website and iPlayer by a DDoS attack on New Year’s Eve. The corporation said in a statement that it was down to a “technical issue”, but later said it was a web attack which began about 7am GMT. This meant that visitors to the site saw an error message rather than webpages.

The BBC’s own technology correspondent Rory Cellan-Jones tweeted that a “US-based group calling itself New World Hacking” claimed that it carried out the DDoS in a test of its systems. It said in tweets to Cellan-Jones that “the reason we really targeted [the] BBC is because we wanted to see our actual server power”, according to the Telegraph.

I saw a very good point made by Professor Alan Woodward, who said that one thing proven by the BBC outage is how it is seen as a part of the critical national infrastructure and “messing with it is not popular”.

Television is as critical a broadcast system as radio and the internet, and as the national state-sponsored broadcaster, the BBC is a critical network and often the primary focal point for breaking news. Hopefully this incident will prove the apparent weaknesses in broadcast networks generally, and encourage strengthening in future.

Also following the BBC outage on Christmas Day, it was a return to the old days of mobile networks failing at midnight, as WhatsApp apparently went down on New Year’s Eve, preventing users from sending goodwill wishes.

As well as media and mobile communications, the Telegraph reported that London’s Oyster card network collapsed on the 2nd of January, presenting free transport to rail, bus and tube passengers as readers failed to work. It’s not something that is unusual, speaking as someone who has enjoyed the odd free bus journey, and a TfL IT executive once told me that there are more transactions done on Oyster in London than major credit card services globally. It all seems a bit Y2K to me though!

In terms of exposed data, Fortune reported that a database of 191 million US voter records was exposed online. The list was discovered on December 20th and taken down eight days later. In a year when the OPM breach hit the US Government hard, this is hardly likely to inspire further confidence in the public.

However, it was not just the USA that was impacted, as the details of 12 million Dutch citizens were revealed to be easy to breach. According to research, employees of retailer The Phone House had access to customer data of all Dutch telecoms via dealer portals, and the Excel file containing the passwords was stored on Google Docs and access was easy to guess.

It wasn’t just breaches and potential attack points though, as some vendors did not enjoy a very merry Christmas. In the firing line was AVG, whose Web TuneUp software was found to contain a flaw that put millions of people's personal data at risk.

According to Ars Technica, the plug-in bypassed the security of Google's Chrome browser, potentially exposing the browsing histories and other personal data of customers. Now patched, the plug-in sends the web addresses of sites visited by the user to AVG's servers to check against a database of known malicious sites, but that information is vulnerable to a cross-site scripting attack. An AVG spokesperson claimed that the Chrome extension is “offered as an option, not forcibly or automatically installed” in its free anti-virus product.

Also, vendor Cyberoam confirmed a cyber-attack on its systems over Christmas, resulting in possible leakage of its database that contained personal details of its customers and partners. The researcher who found the database online insisted that it was not only a marketing database, but the company’s entire customer and partner database with over one million records. This contains customer names, phone numbers, email addresses and company names, along with some transaction details, and it is available for purchase on the dark web.

Finally, real-world battles went online as Islamic State were apparently foiled in a terror attempt, and the Daily Mail reported that Anonymous used their ‘Operation Paris’ Twitter account to announce: “In this month we are working in silence. We have already foiled 1 attack #ISIS against #Italy, we hope to block others.” It also warned the terror group to “expect massive cyber-attacks”, reported the Daily Star.

It wasn’t all we heard from Anonymous though, as the hacktivists took credit for a series of attacks which disrupted banks, internet services and Government websites in Turkey. This was an apparent punishment for Turkey allegedly turning a blind eye to activities that fund ISIS' extremism.

Anonymous issued a prior warning that “airports, military assets and private state connections” would be hit, before it would “destroy your critical banking infrastructure”.

It was reported by Reuters that several Turkish banks, including Isbank, Garanti and state lender Ziraat Bank, confirmed attacks. Service provider Turk Telecom said that the attacks were serious, and that it was defending against them.

Attacks, breaches and bad news seemed to be the consistent theme through the past couple of weeks, and it is proof that security cannot take a holiday as incidents continue. As IT managers and CISOs return to work to secure the connected devices that were given as presents, let’s hope that 2016 brings us better news as if we are left