#IPEXPO: Cyber-Attacks: Why You Can’t Always Trust Companies, or Security Staff


Speaking at IP EXPO Europe, security analyst Graham Cluley presented a session exploring some ‘unbelievable tales’ of ‘cyber horrors’, arguing that you cannot always trust companies or IT security staff when it comes to cyber-attacks.

The first example he pointed to involved a dating site called BeautifulPeople, which admitted users only on the basis of their looks, an attribute it actively vetted.

Cluley explained that, in June 2011, the website claimed it had ejected 30,000 members after a virus attack affected its vetting system. “We got suspicious when tens of thousands of new members were accepted over a six-week period, many of whom were no oil painting,” were apparently the words the firm used to explain the situation.

However, after contacting the site to ask for a sample of the malware and receiving confused and implausible answers about the nature of the virus, he concluded that the company’s claim of suffering a cyber-attack was nothing more than a ploy to increase its public exposure.

“Here we have a company which is lying about being hacked,” he said. “Normally companies like to say they haven’t been hacked, or they’ve only been hacked a little bit. In the case of BeautifulPeople, they lied and said they had been hacked in order to get more media attention, and more people joining their website.”

Ironically, the site did suffer a real data breach affecting over one million users in April 2016, Cluley said. “Surprisingly, BeautifulPeople did not decide to do a press release about this security breach. Not all companies tell the truth when it comes to computer security,” he added.

There are also instances when you cannot trust IT security staff, Cluley continued, citing the example of a man who, as head of IT security for the Iowa lottery, tried to defraud his own employer of millions of dollars in winnings by targeting the computer used to randomly generate the winning numbers.

By planting code that compromised the way the number generator produced its output, the man reduced the number of possible outcomes from around 10.9 million to just a few hundred. After buying a few hundred lottery tickets that week he held the winning numbers, though he was arrested, investigated and jailed, and never received the winnings.
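The mechanism Cluley describes is a collapse of the generator's effective entropy: once the output depends only on public information plus a tiny hidden value, an insider can enumerate every possible draw and buy a ticket for each. The following Python simulation is an added illustration and is not the code used in the real case. It assumes a pick-5-of-39 plus 1-of-19 game format (which gives 10,939,383 combinations, consistent with the 10.9 million figure above), a backdoor that seeds the generator from the draw date plus an 8-bit nonce, and a SHA-256 seed derivation; all of these are assumptions chosen to reproduce the "few hundred" outcome count, not facts from the case.

```python
"""Why a backdoored lottery RNG collapses from ~10.9 million outcomes to a few hundred.

Added illustration only; not the code from the real case. The game format
(pick 5 of 39 plus 1 of 19) and the 8-bit hidden nonce are assumptions.
"""
import hashlib
import math
import random
import secrets

MAIN_POOL, MAIN_PICK, BONUS_POOL = 39, 5, 19   # assumed game format
NONCE_BITS = 8                                  # assumed: backdoor keeps only 8 secret bits


def outcome_space() -> int:
    """Number of distinct draws an honest generator can produce (10,939,383)."""
    return math.comb(MAIN_POOL, MAIN_PICK) * BONUS_POOL


def draw_with(rng) -> tuple:
    """Produce one draw from any object exposing sample() and randrange()."""
    main = tuple(sorted(rng.sample(range(1, MAIN_POOL + 1), MAIN_PICK)))
    bonus = rng.randrange(1, BONUS_POOL + 1)
    return main + (bonus,)


def honest_draw() -> tuple:
    """What the machine should do: draw from the operating system's CSPRNG."""
    return draw_with(secrets.SystemRandom())


def backdoor_seed(draw_date: str, nonce: int) -> int:
    """Seed derived from the public draw date (ISO string) plus a tiny hidden nonce."""
    material = f"{draw_date}:{nonce}".encode()
    return int.from_bytes(hashlib.sha256(material).digest()[:8], "big")


def backdoored_draw(draw_date: str, nonce: int) -> tuple:
    """What the tampered machine does: fully determined by date and nonce."""
    return draw_with(random.Random(backdoor_seed(draw_date, nonce)))


def insider_predictions(draw_date: str) -> set:
    """The insider enumerates every draw the tampered machine can produce on that date.

    At most 2**NONCE_BITS distinct tickets instead of ~10.9 million.
    """
    return {backdoored_draw(draw_date, n) for n in range(2 ** NONCE_BITS)}


def main():
    draw_date = "2010-12-29"                       # constructed example date
    preds = insider_predictions(draw_date)
    hidden_nonce = secrets.randbelow(2 ** NONCE_BITS)   # unknown to everyone but the machine
    tampered = backdoored_draw(draw_date, hidden_nonce)
    honest = honest_draw()
    print(f"honest outcome space:           {outcome_space():,}")
    print(f"tickets the insider must buy:   {len(preds)}")
    print(f"tampered draw {tampered} covered by the insider's tickets: {tampered in preds}")
    print(f"honest draw   {honest} covered by the same tickets:        {honest in preds}")


if __name__ == "__main__":
    main()
```

The design point is that the backdoor does not need to fix the winning numbers in advance; it only needs to shrink the secret the generator depends on to something the insider can brute-force. The honest draw uses `secrets.SystemRandom()`, whose output cannot be enumerated this way, which is why an auditor comparing the two should look at where the seed comes from rather than at whether the draws "look random".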

“The threat can come from all kinds of different directions,” Cluley concluded, “there is so much focus on the external threat, but there is a significant threat posed by your internal staff as well.”
