Welcome back and happy Friday to all!
File this week’s cybersecurity news under “UK” since there were a greater number of security stories than usual stemming from, or at least related to, the region. Here’s a quick breakdown of the activity:
- British security experts warned consumers that baby monitors and wireless cameras are at risk of being hacked by cyber criminals unless people take security measures to protect themselves.
- It was also announced this week that the UK Home Office has breached GDPR at least 100 times.
- Airline carrier Cathay Pacific has been issued a £500,000 penalty by a UK-based data watchdog for a data breach that was disclosed in the fall of 2018. The security lapses exposed the personal details of some 9.4 million customers globally — 111,578 of whom were from the UK.
- Finally, a new BBC documentary details a UK cybercrime vigilante so incensed by tech support scammers, he reverse-hacked the call center in India to reveal CCTV footage of perpetrators as they ripped off their victims in real-life calls. (Absolutely fabulous in my humble opinion!)
Grab your coffee mug or tea, and read on for more.
Top Global Security Stories
ZDNet (March 4, 2020) Let's Encrypt to revoke 3 million certificates on March 4 due to software bug
"The Let's Encrypt project will revoke more than 3 million TLS certificates on Wednesday, March 4, 2020, due to a bug it discovered in its backend's code. More specifically, the bug impacted Boulder, the server software the Let's Encrypt project uses to verify users and their domains before issuing a TLS certificate.
The bug impacted the implementation of the CAA (Certificate Authority Authorization) specification inside Boulder. CAA is a security standard that was approved in 2017 and which allows domain owners to prevent Certificate Authorities (CAs; organizations that issue TLS certificates) to issue certificates for their domains.
Domain owners can add a 'CAA field' to their domain's DNS records, and only the CA listed in the CAA field can issue a TLS certificate for that domain."
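To make the CAA check described in the excerpt above concrete, here is an added Python example (not Boulder's code and not part of the quoted article) of the decision a CA makes before issuing. It goes beyond the excerpt by following the RFC 8659 rules for climbing to parent domains, wildcard (`issuewild`) records and critical flags; the zone data, domain names and function names are constructed for illustration.

```python
# Added example: CAA issuance decision per RFC 8659, run against constructed data.
# SAMPLE_ZONE maps a DNS name to its CAA records as (flags, tag, value) tuples.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "issuewild", ";"),  # ";" alone: no CA may issue wildcards
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", "ca.example.net; account=12345")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_domain(value):
    """Issuer domain of an issue/issuewild value, parameters dropped ('' for ';')."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(name, ca_domain, zone=SAMPLE_ZONE):
    """True if the CA identified by ca_domain may issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # A critical record (flag bit 128) the CA does not understand blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present; otherwise issue applies.
    restricting = issuewild if (wildcard and issuewild) else issue
    if not restricting:
        return True  # no CAA restriction found: any CA may issue
    return ca_domain.lower() in {issuer_domain(v) for v in restricting}

if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "shop.example.com"):
        print(name, ca_may_issue(name, "letsencrypt.org"))
```

The check has to be evaluated at issuance time against the live DNS answer, which is why a CA that relies on a stale result ends up revoking certificates afterwards.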
ZDNet (March 5, 2020) T-Mobile says hacker gained access to employee email accounts, user data
"US telecommunications giant T-Mobile disclosed yesterday a security breach that impacted both its employees and customers alike. In data breach notifications posted on its website, the company said that its security team has recently stopped 'a malicious attack' against its email vendor.
The attack was successful, T-Mobile said, and the hacker (or hackers) gained access to 'certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees.' The company said it believes the hacker might have used this access to steal data on T-Mobile employees and some of its customers."
Coin Desk (March 5, 2020) Crypto Investment Fund Suffers Hack Exposing Data of 266,000 Users: Report
"In the latest privacy breach to hit the cryptocurrency space, Malta-based Trident Crypto Fund has suffered a major data leak, Russian newspaper Izvestia reports on Thursday.
Ashot Oganesyan, chief technology officer of cybersecurity firm DeviceLock, told the publication the personal data of about 266,000 people registered with the fund was posted on a number of file-sharing websites following the breach.
The stolen database, including email addresses, cellphone numbers, encrypted passwords and IP addresses, was posted online around Feb. 20, along with the description of the website vulnerability that made the breach possible, Oganesyan said. On March 3, the unknown hackers decrypted and published a dataset of 120,000 passwords, he added."
CISO (March 4, 2020) FDA Reveals Potential Vulnerabilities in Certain Medical Devices
"The U.S. Food and Drug Administration (FDA) has notified patients, health care providers about a set of cybersecurity vulnerabilities mentioned as 'SweynTooth.' According to a statement from the FDA, attackers can exploit SweynTooth vulnerabilities to remotely crash devices, stop it from working, or access device functions normally only available to the authorized user. It’s also said that the vulnerabilities may pose risks to a variety of medical devices like pacemakers, glucose monitors, and ultrasound devices.
According to the FDA, SweynTooth affects the wireless communication technology known as Bluetooth Low Energy (BLE), that allows two devices to pair and exchange information to perform their intended functions while preserving battery life and can be found in medical devices as well as other devices such as consumer wearables and IoT devices."
Reuters (March 3, 2020) Smart cameras and baby monitors vulnerable to hackers, warns UK cyber security agency
"Baby monitors and wireless cameras risk being hacked by cyber criminals unless people take security measures to protect themselves, British security experts warned on Tuesday.
Internet-connected cameras used in the home are becoming popular and affordable but security flaws mean live feeds or images including of children sleeping, could be accessed by hackers, said Britain’s national cyber security agency.
The National Cyber Security Center urged users to change default passwords, regularly update security software and disable remote internet access if not being used regularly.
Hacked feeds showing people in their homes going about their daily lives have appeared online in recent years."
ZDNet (March 2, 2020) UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme
"The UK Home Office has breached European data protection regulations at least 100 times in its handling of the EU Settlement Scheme (EUSS). IDs have been lost, documents misplaced, passports have gone missing, and applicant information has been disclosed to third parties without permission in some of the cases, according to a new report. David Bolt, the Independent Chief Inspector of Borders and Immigration (ICIBI), said in a report (.PDF) conducted by the immigration watchdog that serious breaches of the EU's General Data Protection Regulation (GDPR) have been recorded by the EUSS, despite GDPR awareness training imparted to staff."