Issue 36 - Week of Oct 26th

1.       TalkTalk Hack: UK ISP TalkTalk which was hacked recently has conceded that it could face a compensation bill running into millions, for customers whose bank accounts were raided after the telecom company was targeted in a huge cyber-attack. While TalkTalk was forced to shut down its website temporarily, Police arrested two teenage boys in relation to the "significant and sustained cyber-attack", they were later given bail. A 20 year old has also been arrested. The CEO of TalkTalk has apologized to customers and said, "This is a crime, a criminal has attacked TalkTalk systems and we are not the only ones, whether it is the US government, Apple, a whole host of companies."

2.       Train rider has his contactless card e-pickpocketed: Contactless bank payments usually rely on RFID or on Near Field Communication (NFC). These cards enable fast, low-value payments, typically with no signature or PIN required, merely by holding a card near a reader. Last week, in a crowded train, a man deliberately bumped into another man for a bit too long. The Victim did suspect the incident and called his bank to realize that his card was used in the train for an unauthorized transaction of £20. Users of such cards are using special sleeves, pouches and wallets but they do not always help, best thing is to always keep an eye on your bank statements, If you notice anything that doesn't look right, contact your bank immediately.

3.       Joomla flaw exploited in the wild within hours of disclosure: Joomla is a free and open-source content management system (CMS) for publishing web content. Joomala released 3.4.5 last week and announced that the new release patches three vulnerabilities, including a critical SQL injection issue. Within 4 hours of this release, hackers began to exploit the older versions of Joomla. It is reported that there have been 12000 daily hits on websites using Joomla. This data tells us is that the webmaster of an average site has less than 24 hours to patch after a serious disclosure like this and only a couple of hours for a popular site.

4.       000webhost hacked, 13 million customers exposed: Free website hosting service 000webhost has suffered a data breach which has placed the service's security practices under scrutiny. 000webhost is a free web hosting service which supports both PHP and MySQL, catering for millions of users worldwide. Last week, the firm told users in a Facebook message that the company had suffered a data breach on its main server. A hacker used an exploit in an old, unpatched version of PHP to upload malicious files and gain access to the service's systems. Not only was the full database containing the usernames, plain text passwords and email addresses compromised, but this information has been dumped online as well.

5.       Google to Symantec - Clean up your act or be branded unsafe: Google is evidently not very pleased about security firm Symantec's recent performance when it comes to issuing secure Web certificates and has outlined a list of demands to prevent the same mistakes from happening again. In September, Symantec fired a number of employees following glaring mistakes in issuing transport layer security (TLS) certificates. The company said "employee error" caused cryptographic certificates to be issued online without the consent of either Google or Symantec, allowing attackers to impersonate Google pages protected by HTTPS.

6.       MySQL servers hijacked with malware to perform DDoS attacks: Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets. Researchers have discovered malware that targeted MySQL servers to make them conduct distributed denial-of-service (DDoS) attacks against other websites. The majority of the compromised servers are in India, followed by China, Brazil and the Netherlands.

7.       Pentagon creates cybersecurity exchange program with industry: The U.S. Defense Department is sending its personnel on tours with private cybersecurity companies and bringing in specialists from those companies to gain the skills necessary to defend military networks from hackers. Last week Pentagon's CIO said, "There's not a time when I'm not being attacked somewhere in the world and We're looking to industry to help us solve problems in some specific areas."

8.       A security researcher claims that all Fortune 500 companies have been hacked: In an interview with Bloomberg the researcher has said that all Fortune 500 companies have experienced successful hacks. He said - If you have a big enough infrastructure, you won’t be able to secure all of it. In a related study it has been found that media coverage and awareness of data breaches is actually a top factor driving increased budgets and board level support for cybersecurity.

9.       Cybersecurity skills gap continues to grow: Cybersecurity is finally getting the attention - and dollars - it deserves from the C-Suite. The challenge now is finding the talent to take full advantage of these technology investments. Several CISOs in a recent study reported that they weren’t able to take full advantage of their technology investments because security staff couldn’t fully consume all of the features and advanced applications. In another survey, young adults just aren't flocking to the cybersecurity field, despite the industry's hot job market and talent gap. There's a lack of awareness of cybersecurity career opportunities, and young women are less interested and informed about the field than men.

10.   Online swindlers stalking e-commerce sites: E-commerce is growing and so is fraud on such sites. Times of India has reported that experts are witnessing a disturbing trend across the country where fraudsters are setting up fake e-commerce portals to trap victims. Fraudsters even advertise their websites in Facebook to attract victims. The primary objective of such sites is to steal credit card information. The mantra with ecommerce is go for Cash on Delivery whenever possible and remember - If a deal seems too good to be true, it probably is not true. Bigsop[.]com, was one such site that was based in Bangalore and had reportedly cheated public for over $200k before it was busted (in Nov 2014).