Facebook login fail leads to ‘romantic’ hacking and marriage

On the face of it, the world of information and computer security is all doom and gloom, isn’t it?

I mean the news is full of data breaches, stories of identity theft, potentially insecure nuclear facilities and all manner of hacking, cracking and other forms of attacking.

Sure, there are many people out there fighting the good fight, achieving amazing things, from bringing down botnets to securing their organisations’ systems, but we don’t really get to hear about that side as much as perhaps we should.

So how refreshing is it to see a positive story surrounding a security issue?

Enter Schuler Benson.

Back in 2009 he was living in Arkansas and, like millions of other people, was logging into Facebook. Only on one occasion he used his mobile phone to log in. Or he would have done, had Facebook given him the opportunity to do so.

Instead, he found he was already logged in, only it wasn’t his account.

Instead it belonged to Celeste Zendler, a woman from Boulder, Colorado, who later posted this perfectly valid question onto her timeline:

wants to know how some stranger managed to log onto my account without meaning to?? Way to go facebook!

Given the distance between them it is hardly surprising that they had never met, had no friends or family in common, either in real life or on Facebook, and had no shared interests stated on the site.

Thus Benson, appearing to be Zendler, posted messages asking how he could log out of her account and wondering why he had been logged in as her in the first place.

But, whatever either of them tried, they couldn’t separate themselves from Zendler’s account until Celeste sent Schuler a friend request.

Bizarre situation over, the pair planned to break their forced friendship soon after but got talking, only to find they had a lot in common.

Four years later, they met and Celeste ended up moving to Arkansas to be with Schuler.

By 2014 things had become serious so Schuler decided to indulge in some malicious hacking, this time taking over Celeste’s Facebook account to post a picture of an engagement ring, along with a message:

I’m coming back here. Celeste, I’m hacking into your Facebook account for the second time (on purpose for the first time ;)) to ask you a question….Will you marry me?

Come June 2015 and the pair were married.

So, if you can overlook Facebook’s login failure and Schuler’s unauthorised hacking of Celeste’s account, all’s well that ends well. Though, as one commenter on Schuler’s post said:

Meanwhile, faraway in a darkened room, Mark Zuckerberg sips his coffee, and whispers to himself, “Experiment 471 was a complete success.”

Experian, Patreon, Kmart and David Jones breached

Another week, another breach.

Or two.

Or perhaps four?

In what must surely be a busy week for information security professionals, hampered as they are by a lack of suitable candidates entering the field, we have already seen four high-profile breaches.

The biggest involved the hacking of Experian’s servers and the theft of information concerning 15 million people who had applied for T-Mobile contracts in the US. Usernames, dates of birth, home addresses, encrypted social security numbers and more fell into the wrong hands. (Observation: only T-Mobile customers were affected, which suggests Experian segregates customer data, and that is good to see.)

Then there was the Patreon hack, which led to a whopping 13.7GB of personal data being dumped online. While benefactors of the site, which helps online creators and charities, can probably breathe easy knowing that social security numbers and tax information were well encrypted, the fact that other personal details such as names and email addresses were leaked is probably not so welcome. More troubling still is the news that some messages were leaked in their entirety, which may well worry some members.

Likewise, customers of Kmart Australia may also be feeling concerned right now after the company told its online customers that their accounts had been compromised by an “external privacy breach” which saw names, email addresses, delivery addresses, telephone numbers and purchase info disappear into the criminal underground.

And, finally, posh Aussie retailer David Jones has also been hacked via a vulnerability in its website. The company, which has declined to put a number on how many of its customers have been affected by the breach, says the usual data has been swiped – names, addresses, email addresses, etc. – but not credit card details.

That’s a whole lot of breaches for one week.

No-one saw unencrypted payment card data swiped… as far as we know.

So all’s well that ends well then?

No, not exactly.

Even though the most sensitive of data appears to be safe, customers affected by these four breaches still need to be very much on their guard as the information that has been taken could be used against them in phishing attacks, for identity theft, or for other malicious purposes.

While most people have a sufficient level of security awareness (if you don’t, October’s National Cyber Security Awareness Month is as good a time as any to check out the free resources offered by Securing The Human) to avoid falling for the most obvious of random scams that arrive in their inboxes, targeted emails (or phone calls) that include their real names and other private data can prove infinitely more successful when it comes to duping them.

So what can someone affected by these, or other, breaches do to lessen the risks posed by having their information in the wild?

Beyond being aware of what has happened and how that information could be used against them, which is a vital first step, other good practices include changing any compromised password that has been reused elsewhere, checking bank and credit card statements frequently and, perhaps, signing up with a credit checking agency. Though perhaps not Experian, despite its offer of two years of free credit and identity monitoring?

No bliss in ignorance as ICO issues £200k fine to autocalling solar panel marketing firm

I’ve often heard it said that the UK’s Information Commissioner’s Office (ICO) is a bit toothless, limited in the value of fines it can issue, and apparently reluctant to hand them out at all.

While that perception is a fair one in my opinion, it is not entirely accurate either: the ICO can, and certainly has, issued some pretty hefty financial penalties since its inception and, today, we have been reminded once more that a breach of the Data Protection Act (DPA) or the Privacy and Electronic Communications Regulations (PECR) can prove exceedingly costly for any business that breaks the rules, knowingly or otherwise.

Take Home Energy & Lifestyle Management Ltd (HELM), for example.

The firm, which offered householders ‘free’ solar panels via a massive automated call marketing campaign, has just been slapped with a £200,000 fine, the largest ever issued in respect of nuisance calls.

So what was the company’s undoing?

Well, the law says a company making automated marketing calls needs the express permission of the person being called before it calls them, and that permission must have identified the company concerned.

Only HELM did not have such permission before embarking on a campaign that saw it make over six million calls to people like me and you, who probably have no interest in solar panels whatsoever.

But surely the company had a defence against such a ghastly campaign you think?

Of course – it told the ICO it didn’t know the rules!

Alas, while ignorance is often said to be bliss, it is more often said to be no defence within the legal framework.

So what was the result?

While I assume six million-odd people just hung up, and one possibly made a few quid out of the calls, 242 contacted the ICO to complain, citing a number of personal reasons why they found the calls especially distressing.

Not only that but, surprise, surprise, the ICO also discovered that the use of the word ‘free’ wasn’t quite as accurate as it could have been in terms of the solar panels described in the recorded messages.

Steve Eckersley, the ICO’s Head of Enforcement, said:

This company’s ignorance of the law is beyond belief. It didn’t even bother to find out what the rules were and its badly thought out marketing campaign made people’s lives a misery. The monetary penalty is for a significant amount because of the clear failings of the company, and the number of people affected by its deliberate and unlawful campaign.

It should be a warning to other companies to think before they launch into a campaign. Direct marketing campaigns can be run within the law with a little thought and there’s plenty of advice available to companies on the ICO’s website.

According to a lawyer representing Home Energy & Lifestyle Management Ltd, an appeal against the penalty may be likely, based on “the failure of [a] third party company to give any information to verify and explain the extent of the calls made”.

And so the moral of this story is?

Any company handling, storing or transmitting data has a responsibility to look after and secure that information in a way that is both responsible and in compliance with the laws and regulations of the jurisdictions in which it resides or with which it trades. Failure to do so can be costly, in terms of financial penalties, loss of reputation and many other ways besides.

Is your business looking after its own data and the personal details of its current and potential future customers adequately and are you aware of the rules you have to abide by? After all, ignorance is no defence in the eyes of the law.

Cloudflare: ‘650,000 Chinese smartphones used in 4.5bn request DDoS attack’

Researchers at distributed denial-of-service protection service Cloudflare believe more than 650,000 Chinese smartphones were unknowingly caught up in a huge attack against one of its customers.

Most likely designed to knock the site offline, the attack saw the site receive 4.5 billion page requests in just a few hours, mostly from Chinese IP addresses and smartphone browsers.

According to a post on the Cloudflare blog, the attack was probably delivered via an advertising network, through booby-trapped adverts displayed either in mobile browsers or in mobile apps.

Analysis suggests users were presented with an iframe, containing content requested from the ad network, when they opened their browser or an app. The ad network then forwarded the user to a third party who had won the auction for the ad, and the unsuspecting victim would either land directly on an “attack page” or be further redirected to one. Once on the attack page, malicious JavaScript would launch a flood of XHR requests against certain Cloudflare servers.

Cloudflare’s Marek Majkowski said that “Browser-based L7 floods have been rumored as a theoretical threat for a long time” but have not been seen until now, not because of difficulties in creating the JavaScript, but rather due to issues with “efficiently distributing malicious JavaScript to force a large number of browsers to make HTTP requests to a targeted site.”

Web ads, it appears, are an ideal and efficient way to distribute such JavaScript, with Majkowski noting that the attack peaked at a whopping 275,000 HTTP requests per second.

Summing up, Majkowski said Cloudflare was confident the attack was not based around TCP packet injection, adding that:

Attacks like this form a new trend. They present a great danger in the internet — defending against this type of flood is not easy for small website operators.

The blog post concedes that the company’s research is still in the early stages so expect to see more details in the future.

For now, however, you may be well advised to think about how your organisation would deal with a distributed denial of service attack, however it is delivered. The figures mentioned in this case are significant and represent levels of traffic that exceed what many medium-sized websites can handle. If you run a small business, 4.5 billion page requests in a short period of time will take your site down; would it take your business down too?
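As an added illustration of how a defender might spot the kind of browser-driven flood described above in their own edge logs (this is example code, not Cloudflare’s or the original post’s), the Python below groups constructed, simplified access-log lines into per-second windows and flags the seconds whose traffic is far above baseline, mostly XHR from mobile browsers, and spread across many distinct client IPs. The log format, the thresholds and the assumption that the edge records whether a request was XHR are all mine, not the page’s.

```python
import re
from collections import defaultdict

# Constructed, simplified edge-log format (assumption; not Cloudflare's format):
#   <epoch-second> <client-ip> <method> <path> <kind> "<user-agent>"
# <kind> is "xhr" for requests issued by XMLHttpRequest and "nav" for ordinary
# navigations. We assume the edge records this, e.g. from the
# "X-Requested-With: XMLHttpRequest" header that common JS libraries add.
LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<kind>xhr|nav) "(?P<ua>[^"]*)"$'
)

# Crude user-agent markers for smartphone browsers (assumption).
MOBILE_MARKERS = ("Android", "iPhone", "Mobile")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["mobile"] = any(marker in rec["ua"] for marker in MOBILE_MARKERS)
    return rec


def window_stats(records):
    """Aggregate parsed records into per-second windows."""
    windows = defaultdict(lambda: {"requests": 0, "ips": set(), "xhr": 0, "mobile": 0})
    for rec in records:
        w = windows[rec["ts"]]
        w["requests"] += 1
        w["ips"].add(rec["ip"])
        w["xhr"] += rec["kind"] == "xhr"
        w["mobile"] += rec["mobile"]
    return windows


def flag_browser_flood(lines, baseline_rps, spike_factor=10,
                       xhr_share=0.8, mobile_share=0.8, distinct_ratio=0.5):
    """
    Return the seconds whose traffic looks like a browser-driven L7 flood:
    request rate at least spike_factor times the baseline, mostly XHR
    requests from mobile browsers, and spread across so many distinct client
    IPs that a simple per-IP rate limit would not bite. The thresholds are
    illustrative assumptions to be tuned against real traffic.
    """
    records = [rec for rec in map(parse_line, lines) if rec]
    flagged = []
    for ts, w in sorted(window_stats(records).items()):
        n = w["requests"]
        if n < baseline_rps * spike_factor:
            continue  # volume alone is unremarkable
        if w["xhr"] / n < xhr_share or w["mobile"] / n < mobile_share:
            continue  # not the XHR-from-smartphones pattern described above
        if len(w["ips"]) / n < distinct_ratio:
            continue  # a few noisy clients: a per-IP limit handles that case
        flagged.append({"second": ts, "requests": n, "distinct_ips": len(w["ips"])})
    return flagged


def make_sample_log():
    """Constructed sample log: one quiet second, then one second of flood traffic."""
    ua_desktop = "Mozilla/5.0 (Windows NT 10.0) Firefox/40.0"
    ua_mobile = "Mozilla/5.0 (Linux; Android 4.4; Mobile) Chrome/44.0"
    lines = []
    # second 1000: ordinary browsing, four page loads from three desktop clients
    for i, ip in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.3"]):
        lines.append(f'1000 {ip} GET /page{i} nav "{ua_desktop}"')
    # second 1001: 60 XHR requests to one path from 40 distinct mobile clients
    for i in range(60):
        lines.append(f'1001 192.0.2.{i % 40} GET /target xhr "{ua_mobile}"')
    lines.append("garbage line that the parser should ignore")
    return lines


if __name__ == "__main__":
    for hit in flag_browser_flood(make_sample_log(), baseline_rps=4):
        print(hit)
```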

Leaky NHS health apps removed amid privacy concerns

The UK’s National Health Service (NHS) has had to remove several of its own health apps from its library after researchers discovered they were putting users’ privacy at risk.

The affected apps, part of NHS England’s Health Apps Library, were found to be sending unencrypted personal and medical information over the internet.

The privacy blunder was discovered by researchers from Imperial College London who first contacted NHS officials in April to express concern over how some apps were handling data.

Kit Huckvale, a PhD student at the college, told the BBC that the findings were not altogether dissimilar to what they had found in other health apps but the fact that they had all supposedly been vetted and approved by the NHS was “surprising”.

Huckvale, the lead researcher, said man-in-the-middle attacks were used to analyse 79 apps over a period of six months in 2013.

Of those, 70 transmitted data over the internet and 38 had a privacy policy in place which did not disclose what information would be sent. Furthermore, 23 apps transmitted personal information without encryption and 4 also passed medical data with the same lack of protection in place.

Commenting on the findings, Huckvale said:

Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the NHS.

The results of the study provide an opportunity for action to address these concerns, and minimise the risk of a future privacy breach.

The report, into apps aimed at smokers, drinkers and those wishing to lose weight, comes at a time when the UK government says patients could soon be able to access their medical records via their smartphones. Earlier this month the Health Secretary, Jeremy Hunt, said his ambition was to get 15% of NHS patients routinely reading and adding to their online medical records using smartphone apps within the next year, and the NHS is looking to increase the use of apps as an additional support mechanism for patients.

Responding to the BBC’s story, a spokesman for NHS England said:

We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated.

A new, more thorough NHS endorsement model for apps has begun piloting this month.

While health data is a high value commodity – can you imagine its worth to an insurance company? – personal information can often be far more valuable, though many people do not realise that until it’s too late and their identity has been stolen, or their details used against them for other types of fraud.

So, with that in mind, this story should hopefully serve as a wake-up call to any company that puts apps out in the marketplace, whether developed in-house or by a contractor.

With the appetite for smart devices and the apps that run on them remaining high, the temptation to put something out there quickly may be hard to resist. But stop. And think. Has your developer followed good security practice? Have they considered how the app will handle and transmit personal data?

And have you thought about the possible legal implications of offering an app that transmits personal or, heaven forbid, medical data, in an unencrypted format?

And the biggest cause of data loss in 2015 is… human error

There are a million and one (go on, count them, I dare you) technical measures you can employ to protect your business data but all are for nought if you ignore the biggest cause of data loss which is, according to the sixth annual Databarracks Data Health Check survey, human error.

In its latest report, the company says data loss is caused in many ways, as you would expect, but it’s not all about hardware failure (which, at 21%, suggests good backup plans are as essential as ever) or data corruption (19%).

Instead, human error (24%) topped the poll as the biggest factor in data loss.

Explaining the results, Oscar Arean, technical operations manager at Databarracks, said:

Human error has consistently been the biggest area of concern for organisations when it comes to data loss. People will always be your weakest link, but having said that, there is a lot that businesses could be doing to prevent it, so we’d expect this figure to be lower.

The results weren’t consistent across all organisations though. When we broke them down by business size, we saw that for the second year in a row, it was actually hardware failure, which contributed the most towards data loss across large organisations at 31 per cent (up from 29 per cent in 2014).

This isn’t surprising as the majority of large organisations will have more stringent user policies in place to limit the amount of damage individuals can cause. Secondly, due to the complexity of their infrastructure, and the cost of maintaining it, large organisations may find it more difficult to refresh their hardware as often as smaller organisations, so it’s inevitable at some point it will just give out.

So, while the biggest issue for IT departments within large firms may be the constant struggle to source budget increases to replace ageing hardware, smaller firms can learn much from their larger brethren in terms of securing the humans within the workplace via a combination of security awareness training and more robust security policies.

Unfortunately, such action – which we here at BH Consulting feel is an essential part of a company’s overall defences – is still overlooked to some degree, as touched upon by Arean who added:

The figures we’re seeing this year for data loss due to human error are too high (16 per cent of small businesses and 31 per cent of medium businesses), especially considering how avoidable it is with proper management. I think a lot of SMEs fall into the trap of thinking their teams aren’t big enough to warrant proper data security and management policies, but we would disagree with that.

In large organisations, managers can lock down user permissions to limit the access they have to certain data or the actions they’re able to take – this limits the amount of damage they’re able to cause. In smaller organisations, there isn’t always the available resource to do this and often users are accountable for far more within their roles. That is absolutely fine, but there need to be processes in place to manage the risks that come with that responsibility.

Of course small organisations don’t need an extensive policy on the same scale that a large enterprise would, but their employees need to be properly educated on best practice for handling data and the consequences of their actions on the business as a whole. There should be clear guidelines for them to follow.

While Databarracks’ report looks at IT as a whole rather than just security, it also threw up a few other interesting tidbits regarding security in general and cloud computing security specifically.

The first set of figures doesn’t make for great reading: the company says a whopping 25% of companies have suffered a cyber attack in the preceding 12 months, which is bad enough, but worse, only 54% of victims reviewed their security procedures after the event, while less than half (47%) reviewed their backup plans even post-attack.

On a more positive note, the survey discovered that the message does appear to be getting through in some ways as 63% of businesses reported security as their top concern when selecting a cloud service provider.

So, overall, this report seems to suggest, in my mind anyway, that companies as a whole are probably at least aware of the security issues, though not particularly well equipped to deal with them.

Does that sound like the case within your business? If so, what are you doing to remedy the situation?

Phone scam costs UK business £1 million

If you are running a business you have probably educated your staff to be on the lookout for suspicious emails that attempt to lure them to fake websites in an attempt to snag their, or your, login credentials for online banking and other sensitive accounts.

But have you also educated them to be on their guard against phone scams?

Just because they don’t garner much publicity these days, it doesn’t mean they can’t be costly, as one business in Suffolk found out recently.

The firm fell victim to a conman who rang up and pretended to be from the bank where it had an account.

After telling a member of staff that the company’s internet banking facility had been attacked by a virus, he advised them to transfer all of the firm’s money into separate holding accounts while the issue was fixed.

Spoofing the bank’s fraud department telephone number, the conman socially engineered the staff member into trusting him enough to download a piece of software to aid in that task, software which gave him remote access to the company’s accounts.

Once access was achieved, the fraudster was able to make off with £1 million in what is believed to be the largest ever telephone banking scam in the UK.

Suffolk police said the firm reported the crime on Wednesday after it realised what had happened and staff members were “understandably distressed”.

Unlike myself, Suffolk Police and Crime Commissioner Tim Passmore said he was “absolutely flabbergasted about the audacity of these criminals” before adding that:

I can fully understand how this crime took place and the damage to this company is potentially huge and it stands as a salient reminder that businesses too are victims of crime.

We are aware that it is an evolving pattern of crime and I think it’s going to get worse and we have to commit resources, even at a time of reducing budgets.

The information being spread is really important and if anyone suspects a problem with cyber crime then please report it.

There’s no shame in admitting we have been subject to fraud. We are all vulnerable and we are only going to tackle it by working together.

The devastating crime comes just three months after Suffolk police joined forces with the neighbouring constabulary in Norfolk to launch a £300,000 joint Cyber Crime unit to tackle the increasing numbers of high-tech offences.

A spokeswoman for Suffolk Police said:

Banks or police will not ask you to transfer or hand over sums of money and you should never give out details of bank accounts, PINs or personal information. If you receive contact from an unknown caller, stop and think for a moment.

Be suspicious, particularly if they are telling you something is wrong or that you need to send or hand over money. If you suspect you may be the victim of a bogus call, hang up and leave the phone down for at least ten minutes or use another phone before contacting anyone else.

Don’t be afraid to hang up on unknown callers. Genuine callers will understand if you want to call them back later, after checking existing paperwork to confirm numbers, to check their identity.

If you, your family, friends or business have fallen prey to this type of scam then you should immediately report it to the police or Action Fraud, the national fraud and cyber-crime reporting centre, on 0300 123 2040.

And if you haven’t fallen victim to a crime known as vishing you’re in luck – you still have time to learn about it and educate yourselves and others on what to look out for and how to avoid it.

Security makes us less productive say employees

A recent study from Dell, which does much to pimp its ‘solution’, suggests business users and IT professionals in the UK, Germany and US feel hampered by security measures, especially when working remotely.

Traditional security policies, the survey concludes, lead to “too many passwords, access protocols and employee workarounds that expose the business to risk,” a feeling shared by 91% of the 750+ respondents and echoed by Dell’s Product Marketing Manager, Todd Peterson, who said:

The key thing we learned is that everything everyone expected is true. Security is a higher priority and better funded than increasing user productivity.

Well, it’s good to see security being prioritised.

Unfortunately not everyone feels the same way – those surveyed provided the following analysis of their security experience:

  • more than 90% of business respondents use multiple passwords on a daily basis (what’s not to like about that, other than the fact it isn’t 100%? I do hope they are hard to guess and not shared around the office though)
  • 92% are negatively impacted when required to use additional security for remote work (ah, diddums)
  • more than half say security’s negative impact on day-to-day work has increased as a result of changes made to corporate security policies in the past 18 months (but their organisation is more secure, right?)
  • nearly 70% of IT professionals say employee workarounds to avoid IT-imposed security measures pose the greatest risk to the organization (agreed, shadow IT is a problem)

In all seriousness, I think a prioritisation of security over productivity is not the end of the world (I’m biased) but do recognise that a combination of both would be an ideal alternative, as does Spinal Tap fan (?) John Milburn, Executive Director and GM, Identity and Access Management, Dell Security, who said:

It’s undeniable that IT staff, business professionals, and employees struggle with security. The business puts security first above employee convenience, and, right now, IT thinks it has only two options for security – turn the dial to 1 (open) or 11 (super secure).

So what’s the alternative, given how other recent surveys have shown that employees continue to be one of the biggest sources of risk in the workplace, given their low valuation of corporate data and propensity to accept bribes or otherwise sell business secrets for as little as £100?

Dell has a solution – of course – but what about you?

How do you keep your employees working in as productive a manner as possible while also securing them, you and your business?

Do you see security or productivity as the priority or can you manage both at the same time?

Do tell…

Rocket launchers and hand grenades – putting UK bank security into perspective

If you have an interest in security you’ll likely be well aware that the topic of banks and credit security comes up often, from questions about secure logins to full-scale operations checking resilience to all-out cyber attacks. We’ve also seen stories about an Irish bank being duped by a money transfer scam and PCI DSS is something that appears in one of my Twitter timelines throughout the day.

On the face of it, the situation looks good overall, at least for consumers who hardly have to worry about the threat of fraud, yet there are still a good few stories of doom and gloom always ready to be published.

So how concerned should we be about a bit of inconvenience when a bank’s computer system delays wage transfers, or when money goes missing from our accounts for a while (hopefully you’re sufficiently aware of security that you haven’t facilitated such an occurrence by responding to a phishing email or getting shoulder surfed), or even the threat of a national or global meltdown brought about by a cyber attack?

I’ll leave you to answer that question in private, based upon your own views toward money and the importance it plays in your life.

But, however you feel, here is some perspective from a security expert of a different kind:

Dr. Ona Ekhomu is warning banks in Nigeria to be on their guard against terrorist attacks.

But not typically the sort that involve computers.

Speaking at the Banking and Finance Conference in Lagos on Tuesday, Ekhomu raised the issue of attacks by Boko Haram, a group said to have killed more than 20,000 people over the last six years, as well as other physical attackers who see the banking sector as a source of much-needed funding:

The Boko Haram terrorist organisation which had killed over 20,000 persons since it went operational in 2009 finances most of its operation by attacking and looting banks.

Aside from Boko Haram, other adversaries such as kidnappers, armed robbers and cyber-terrorists have been creative in their vicious onslaught on banks.

Bank robbers in the South-South and South-West have been displaying a wide array of arsenal during robbery attacks. They have used high explosives, rocket launchers and hand-grenades in attacking financial institutions. Ironically, the use of explosives in the commission of the criminal act automatically makes it a terrorist act.

Calling for a more collective and proactive response, the President of the Association of Industrial Security and Safety Operators of Nigeria said an intelligence-led program was required in order to understand the motivations, strengths and weaknesses of the banking sector’s adversaries. Only then, he said, would it be possible to develop strategies to combat the threats faced.

In other words, much the same situation bank information security teams find themselves in every day.

Only in this case, the stakes are far, far higher than make-believe money circulating via the interwebs or existing solely on virtual balance sheets.

Lives are worth far more than money.

Aren’t they?

GCHQ issues Dridex warning as Fujitsu uncovers email ‘hitlist’

Having your email on a list can sometimes be a good thing if you have, for instance, signed up for a newsletter of interest, but it can also be a bad thing if it appears on a list you never opted to be on in the first place (think: spam).

But now there is an even worse list to be on – the Dridex hitlist.

And such a thing does exist.

IT company Fujitsu recently discovered a database containing some 385 million email addresses. Nothing overly strange about that you may think, but this is a mailing list with a difference – instead of receiving an email of interest, or even a badly-worded prompt to buy some pills and potions, recipients are far more likely to be offered a Trojan, albeit one they wouldn’t know much about.

Fujitsu made the discovery after following clues left behind after major clients had become hacking victims. The company discovered that many had fallen foul of a Trojan that took control of infected computers in order to collect users’ passwords as well as sensitive corporate data.

While the bad guys were global in their pursuit of victims, Fujitsu noted that the nation that really piqued their interest was the UK.

As a result, GCHQ became involved.

The Brit spy agency trawled through the database and yanked out the names of all the companies they could find (primarily banks, government bodies and large corporations), alerting them to the risk they faced.

Michael Keegan, chief exec of Fujitsu in the UK, said the Trojan in question – Dridex – was more often than not discovered on devices used by those members of staff who “are typically churning through accounts,” making the risk especially severe within the corporate environment.

The news comes hot on the heels of a report from Brian Krebs in which he says some of the key players behind Dridex (and Citadel) have been arrested recently, including a Moldovan and a Russian national.

Krebs says the pair were allegedly instrumental in “the Business Club,” an organised cyber crime gang that specialises in banking malware and which may have already used earlier versions of Dridex to steal as much as $100m (£65m) from numerous businesses around the world.

And in a warning call to all those businesses who still think data breaches only affect other companies, or who believe hackers and other online criminals only go after a select few firms, Keegan said:

When you look at the data, you probably can’t name a company that wasn’t hit. The Dridex emails were being crafted to target finance departments, but we have to assume the list is for sale on the dark web.

So, with that in mind, how do you feel about the possibility of your company being targeted?

Are your staff likely to welcome Dridex or any other threat onto your networks, or have you trained them to be aware of at least the most common security risks? Have you assessed your defences recently? Are you ISO 27001 compliant?

If you aren’t happy with your answers to any of those questions, BH Consulting can help put that right.

On the other hand, if all is well within your organisation that’s great – keep up the good work, but make sure you don’t let it slip.