April 2023 Newsletter
Posted By: Mark Monday 15th May 2023 Tags: AI, Artificial Intelligence, cyber attacks, cyber crime, Cyber Security, Hacking, malware, Newsletter, phishing, ransomware, technologyThis month: Spring cybercrime review; companies under-reporting cyber security issues; Digital Markets, Competition And Consumer Bill takes effect; messaging apps oppose ‘surveillance’ provisions in Online Safety Bill; AI image wins photography award; and the mobile phone turns 50.
April Cybercrime Review
Another month goes by and another series of cyber attacks, data breaches, data thefts, data leaks, ransomware attacks, and other assorted acts of cybercrime have been hitting companies around the world.
Here’s a selection of the high profile cybercrime targets from the last month or so.
3CX Supply Chain Attack
VoIP software provider, 3CX, was alerted to suspicious activity from the exploitation of a vulnerability in their software. Investigations found this activity to be part of a supply chain attack.
More than 600,000 business customers were victim of a serious software supply-chain compromise when both Windows and macOS applications were injected with malicious code by cyber criminals. The cybercrime gang are believed to be North Korean, while the scale and style of the attack is reminiscent of the 2020 SolarWinds hack by Russian hackers.
At time of writing there appears to be no confirmation of when or where exactly the supply chain attack started, but Symantec called it financially motivated against critical infrastructure targets. They said: “To date, [we] found that among the victims are two critical infrastructure organizations in the energy sector, one in the US and the other in Europe. In addition to this, two other organizations involved in financial trading were also breached.”
More fall out is likely to be seen in the coming weeks.
Western Digital Data Breach
Hackers have claimed the digital theft of terrabytes of customer data from the data storage manufacturer. The cybercriminals are demanding an eight-figure ransom payment to return the data, samples of which they claim to have posted online.
Western Digital haven’t confirmed the scale or scope of any breach, but said in a statement: “In connection with the ongoing incident, an unauthorized third party gained access to a number of the company’s systems.”
“[We have] implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts… and Western Digital is coordinating with law enforcement authorities.”
The hackers are threatening to publish stolen data on ransomware gang, Alphv’s, website if their demands aren’t met.
Uber Data Theft
The taxi, delivery and courier service, no stranger to data breaches over the years, has informed its drivers that sensitive data, including Social Security numbers and Tax Identification numbers, had been stolen in a data breach of the law firm, Genova Burns. There is no information about the number of drivers affected by the intrusion.
This is the third known data breach of the company in the last six months, and was again attributed to a third-party vendor.
The breach has IT experts stressing the importance of cybersecurity across all vendors. If you’re outsourcing services and sharing data with other companies, your security responsibilities don’t end at the office door.
MSI Data Breach
A ransomware gang called Money Message has claimed the theft of source code data from Taiwanese global computer hardware giant, MSI. The cyber criminals have listed the company on their portal along with screenshots of various keys and source code snapshots.
The hackers claim to have stolen 1.5TB of data and are demanding a ransom payment of $4,000,000.
MSI confirmed the attack a few days later posting: “After detecting some information systems being attacked by hackers, MSI’s IT department has initiated information security defense mechanism and recovery procedures. The Company also has been reported [sic] the anomaly to the relevant government authorities”.
The company claims the cybercrime has had no significant operational or financial impact.
Yum! Brands Ransomware Attack
The owners of big brand chains, such as KFC, Pizza Hut and Taco Bell, has sent out a notification of a data breach to people who had personal details stolen in a ransomware attack. Yum! Brands had initially said no customer information had been taken, but this has been revised.
The cyberattack caused the closure of around 300 restaurants for a day in the United Kingdom.
While Yum said personal information such as names, driver’s license numbers, ID numbers, and other PII was stolen, they had no evidence of identity theft, fraud attempts or other cybercrime using the data.
SDWorx Cyber Attack
A cyber attack on HR and payroll giant, SDWorx meant the shut down of their IT systems for all of the UK and Ireland
An advisory notice to UK and Ireland customers said: “Our security team has discovered malicious activities in our hosted data centre last night. We have taken immediate action and have preventively isolated all systems and servers to mitigate any further impact. As a result, there is currently no access to our systems, which we deeply regret of course”.
Login portals for customers in other European countries were unaffected by this act of cybercrime.
The nature of the company’s work raises concerns over the potential loss of very sensitive PII data, but the company said: “We are further investigating this case and can confirm that this is not a ransomware attack. Also, at this time, there is no evidence to assume that any data has been compromised.”
Capita Data Breach
Business tech services provider, Capita, says there is proof that some customer data was taken as they notified the London Stock Exchange about the cyber attack.
The report stated: “As a result of the interruption, the incident was significantly restricted, potentially affecting around 4 percent of Capita’s server estate. There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.”
Russian cybercrime gang, Black Basta, claimed responsibility for the data breach with sensitive PPI data being put up for sale online. Capita were criticised for the slow disclosure of the cyber attack, and many are wondering what level of information has been taken, when customers include the NHS, DWP, UK military, and many large public and private organisations such as banks and telcos.
UK data watchdog, ICO, is monitoring closely.
American Bar Association Data Breach
The largest global association of lawyers and legal professionals announced they were victims of a data breach that allowed hackers to compromise credentials for 1.5 million legacy members.
We’re told this wasn’t a ransomware attack and that no corporate or personal data was stolen, but there are concerns that stolen credentials could be used. Although it’s a legacy system, there is concern that default passwords, assigned at account sign up, were left in place by many members, and that those same credentials might be currently used on the new system.
From our office in Stockton On Tees, LaneSystems provides cyber security services to businesses in Teesside, Durham, Northumberland, Tyne & Wear, North Yorkshire, and all across the North East of England. Whether it’s data recovery, backups, cloud services or other IT advice, get in touch about quality IT support for your company.
Survey finds companies Under-report Data Leaks
A global Bitdefender Cybersecurity Assessment survey that appears to show a reticence for companies to go public about becoming the victim of ransomware attacks, data theft & leaks, and other forms of cybercrime.
The report was created from responses provided by the infosec departments of organisations in the US, EU, and Britain. It found that, in the last year alone, around half of the companies had experienced a network intrusion. It was even higher in America with a reported three-quarters having been hit.
Worryingly, 40% of the IT security teams had been told not to report the incidents, rising to over 70% in America. Of those, 30% followed orders and didn’t report while that number climbs to 55% in America. This worry about reporting incidents stemmed from a fear of legal consequences for the data breaches.
Bitdefender puts these findings down to “organizations under tremendous pressure to contend with evolving threats such as ransomware, zero-day vulnerabilities and espionage, while struggling with complexities of extending security coverage across environments and ongoing skills shortage”.
It’s a sobering reminder of the constant and growing threat to on-premises, cloud and hybrid security environments, which will continue to grow in the years to come.
From our office in Stockton On Tees, LaneSystems provides cyber security services to businesses in Teesside, Durham, Northumberland, Tyne & Wear, North Yorkshire, and all across the North East of England. Whether it’s data recovery, backups, cloud services or other IT advice, get in touch about quality IT support for your company.
Digital Markets, Competition And Consumer Bill Takes Effect
April 25th saw the introduction of new legislation aimed at protecting businesses and customers from, fake reviews, subscription traps and other potential rip offs, while also promoting increased competition for ‘big tech’ firms.
The Digital Markets, Competition and Consumer Bill sees new powers for the Competition and Markets Authority (CMA) to tackle businesses that breach consumer rights law. Gov.uk highlights the following parts of the bill.
- New powers aimed at boosting competition in digital markets currently dominated by a small number of firms
- Clamping down on subscription traps that cost consumers £1.6bn a year, making it easier for consumers to opt out
- Tackling fake reviews so customers aren’t cheated by bogus ratings
The bill, which has been in the pipeline since 2021, will ban people from receiving money or being given goods for free in exchange for positive reviews. Companies will have to take ‘reasonable steps’ to ensure reviews are genuine.
Subscription services come under the spotlight, as the bill aims to help consumers with clearer rules. It will be a requirement for firms to clearly remind people when a free subscription trial is coming to an end, while extending ‘cooling off’ periods.
The Gov.uk press release confirms: The CMA will be able to directly enforce consumer law rather than go through lengthy court processes. The reforms will also heighten the consequences for wrongdoers as the CMA and the courts will have the power to impose penalties of up to 10% of global turnover for breaching consumer law.
Business and Trade Minister Kevin Hollinrake said:
“Smartphones and online shopping have profoundly changed the landscape for businesses, consumers and the foundations of a modern thriving economy, which now lie in strong consumer choice, confidence and competition.
“From abuse of power by tech giants, to fake reviews, scams and rip-offs like being caught in a subscription trap – consumers deserve better. The new laws we’re delivering today will empower the CMA to directly enforce consumer law, strengthen competition in digital markets and ensure that people across the country keep hold of their hard-earned cash.”
WhatsApp & Other Messaging Apps Oppose Surveillance
Online chat apps, WhatsApp and Signal, have been joined by other messaging services to protest provisions in the Online Safety Bill, which they say could undermine the safety and privacy of UK citizens.
The rival chat services have joined forces to co-sign an open letter warning that the bill could outlaw end-to-end encryption (E2EE), which is a security method that allows only the message recipient to view the message contents. Not even the company can see what’s in a message secured by E2EE. The two messaging companies have been joined by five other chat apps – Viber, Threema, Wire, Element, and Oxen Privacy Tech Foundation in raising concerms.
The letter is signed by:
- Element chief executive Matthew Hodgson
- Oxen Privacy Tech Foundation and Session director Alex Linton
- Signal president Meredith Whittaker
- Threema chief executive Martin Blatter
- Viber chief executive Ofir Eyal
- head of WhatsApp at Meta Will Cathcart
- Wire chief technical officer Alan Duric
The companies say they will have to block service to the UK if the law comes into force unamended, as they’d no longer be able “to operate a service that is premised upon defending user privacy”. They won’t re-engineer their software to meet UK demands.
“Global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to suit individual governments,” the letter says.
“There cannot be a ‘British internet’ or a version of end-to-end encryption that is specific to the UK.”
“Proponents say they appreciate the importance of encryption and privacy while also claiming that it’s possible to surveil everyone’s messages without undermining end-to-end encryption. The truth is that this is not possible”.
The government, and prominent child protection charities have long argued that encryption hinders efforts to prevent online crime. The Home Office had said: “The Online Safety Bill does not represent a ban on end-to-end encryption but makes clear that technological changes should not be implemented in a way that diminishes public safety.”
Open Rights Group said it highlighted how the bill threatened to “undermine our right to communicate securely and privately”. Signal president, Meredtith Whittaker, said “back doors” to enable the scanning of private messages would be exploited by “malignant state actors” and “create a way for criminals to access these systems”, while WhatsApp chief, Will Cathcart, said: “Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”
Sony Photography Award Winner Uses AI
The BBC reports that the winner of a prestigious photography award has refused the prize after revealing his work was created using AI.
Pseudomnesia: The Electrician was entered in the creative open category of the Sony World Photography Award by German artist, Boris Eldagsen, where it took first place.
Elgdasen generated the image using the DALL-E 2 image generation platform, and said he was surprised to win. He said he immediately told the competition that it was an AI-generated image, although organisers claim that Eldagsen had misled them about the extent of AI that would be involved.
The artist said he entered the image to test the competition and start a conversation about the relationship between AI and photography and the future of the medium. He also thinks there should be a separate category created for AI images.
Elgdasen said:
“It was not about winning anything,”
“I was just making a test to see if they were aware — like a hacker who hacks a system not to exploit it, but to see if there are weaknesses.”
“AI images and photography should not compete with each other in an award like this”
“They are different entities. AI is not photography. Therefore I will not accept the award.”
The photo has since been removed from the Sony World Photography Awards 2023, removed from their website and won’t feature at their London Exhibition.
With the growth of platforms such as Dall-E, Midjourney, Stable Diffusion, and others, the world of AI art isn’t going away. It’s another part of the ongoing ethical debates about AI use in day-to-day life.
50 Years Of The Mobile Phone
This month saw the 50th anniversary of the first mobile phone call. That first call was made on April 3rd 1973 by Motorla Engineer, Martin Cooper, when he called someone at a rival company to announce the achievement.
The call was made on the Motorola DynaTAC 8000X, which weighed about 1.13 kilograms, had 30 minutes of talk time and a price tag of £2,738. Back then, a portable communication device was an incredible feat of technology. Since then, mobile phones have become a ubiquitous part of life.
The commercial version of Marty Cooper’s prototype was released 11 years after that first call, in 1984. It would cost the equivalent of £9,500 ($11,700) if bought today. And, it still weighed 790g (1.7lb). For comparison, the iPhone 14 weighs 172g — a quarter of the weight.
Ben Wood, who runs the Mobile Phone Museum, said:
“Basically, it was just dial the number and make the call,”
“There was no messaging, no camera. Thirty minutes of talk-time, 10 hours to charge the battery, about 12 hours of stand-by time and a 6in (15cm) antenna on the top.”
Metro newspaper details the key mobile phone developments:
Key milestones in the evolution of mobile phones:
1973: The first mobile phone, Motorola DynaTAC 8000X, is invented.
1983: The first commercially available cell phone, the Motorola DynaTAC 8000X, is released.
1989: The Motorola MicroTAC is introduced, the world’s first flip phone.
1992: The first text message is sent on a mobile phone.
1993: The first smartphone, the IBM Simon is introduced.
1996: The Motorola StarTAC, the first clamshell phone, is introduced.
2000: The first mobile phone with a built-in camera, the Sharp J-SH04, is released.
2007: The iPhone is introduced, marking the beginning of the smartphone era.
2013: The first fingerprint scanner is introduced on a mobile phone, the iPhone 5S.
2017: The iPhone X is released, which features a full-screen display with no home button.
Still, Martin, now 93, isn’t impressed with the evolution of the phone — in terms of design, at least.
“I think today’s phone is suboptimal. It’s really not a very good phone in many respects,” he says.
“Just think about it. You take a piece of plastic and glass that’s flat – and you put it against the curve of your head; you hold your hand in an uncomfortable position; when you want to do these wonderful things that it can do, you have to get an app [first].”
But, he is impressed at having a portable supercomputer in your pocket, and sees a bright future for the device he helped to invent.
