Kids play as toy maker Vtech gets hacked

Just a few short weeks after mere children – allegedly – hacked TalkTalk, it's the kids' turn to be hacked.

Or a firm that caters to youngsters at any rate.

In a statement released late yesterday, Chinese toy and gadget company Vtech revealed how an unauthorised visitor accessed data stored in its Learning Lodge app store database on 14 November.

The Learning Lodge is a resource centre from which customers can download apps, ebooks, learning games and other educational content to be used with their Vtech products.

Oh, and it also stores names, physical addresses, email addresses, encrypted (no mention of whether that means hashed and salted) passwords, secret questions and answers (guess the previous observation is moot then) used to reset forgotten passwords, IP addresses and download histories.

Nice segregation of data there, eh?

There’s no word on how many customers have been affected but Motherboard suggests it could be north of 5 million parents and 200,000 children.


The only silver lining I can see right now is the fact that, according to Vtech, no credit card data has been compromised.


Motherboard says exposed child data is not that extensive – first name, gender and birthdays only – but by combining the parental data, it was quite possible to match each up with their parents, thus allowing full identification.

Even though the breach took place almost 2 weeks ago, the company was not aware of it until Motherboard approached it for comment, saying:

On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorized access until you alerted us.

And that, in my opinion, is pretty damning, given the fact that Troy Hunt’s HaveIBeenPwned lists this breach as the 4th largest ever consumer data breach.

Vtech breached

Vtech, which strangely says it is “committed to protecting our customer information and their privacy” had this to say about the attack:

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Meanwhile, the alleged attacker behind the breach told Motherboard that he had no plans to release the data which he says was acquired through… SQL injection.

One of those two statements is shocking – I’ll let you decide which one is the bigger surprise!

Hopefully, the fact that two major firms have apparently been breached via an ancient attack vector will be a wake-up call to, well, everyone else – if someone can gain access to your customers’ personal information via SQL injection, something is very, very wrong with your security setup!
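To make the author's point concrete, here is an added example (not code from the original post or from either company) of the one line that separates a database lookup that can be subverted by SQL injection from one that cannot. It uses Python's `sqlite3` module and a constructed three-row customer table; the function names and the tampered input are assumptions for illustration.

```python
# Added example: string-built SQL versus a parameterised query, with sqlite3.
# The table and rows are constructed for the demo; nothing here is from the page.
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob"), ("carol@example.com", "Carol")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    """BAD: the user-supplied value is pasted into the SQL text, so quote
    characters in the input become part of the query's logic."""
    sql = f"SELECT name FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """GOOD: a placeholder; the driver sends the value separately from the
    statement, so the input can only ever be compared as a literal string."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

# Constructed input containing a quote; a legitimate email never looks like this.
TAMPERED_INPUT = "nobody@example.com' OR '1'='1"

def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAMPERED_INPUT),  # whole table leaks
        "safe": lookup_safe(conn, TAMPERED_INPUT),              # no such address
        "normal": lookup_safe(conn, "bob@example.com"),
    }

if __name__ == "__main__":
    print(demo())
```

A practical check when reviewing code: any database call whose SQL text is assembled with `+`, `%` or an f-string from request data is a finding, regardless of what input validation sits in front of it. Parameterisation fixes the class of bug rather than one payload.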

Why you shouldn’t give your bitcoin to a ‘Patreon hacker’ or any other type of extortionist

Up until recently, ransomware has been the approach of choice for cyber criminals looking to make some cash from something they have hijacked.

Last week I learned at IRISSCON – from our CEO Brian Honan – that DDoS extortion is a big deal, at least in Ireland. In this case, the bad guys hit a website with a small DDoS attack – kind of like a taster of what’s to come – and then demand money not to ramp the attack up.

Now, however, it looks like the scum and villainy of the web have found a new way to monetise your data – by extorting hack victims.

You may remember how Patreon – a crowdfunding website – was hacked last month.

As the hack unfolded, it became apparent that around 15 GB of data had been stolen, though Patreon’s CEO Jack Conte noted at the time that no payment cards had been compromised. It also seems unlikely that any passwords – which were accessed – have been cracked, given the fact that we were told they were encrypted with a 2,048-bit RSA key.

During the attack, large amounts of code and data were swiped and now the thieves appear to have found a use for it – blackmail.

With users having seen personal information, such as credit cards, social security numbers and tax identification numbers swiped, some may be tempted to hand over a pile of virtual cash (bitcoins to be precise) in order to keep said details out of the public domain.

Not only is caving into such demands the wrong answer, it would also be totally unnecessary in this case, at least according to Patreon’s official Twitter account which said:

Some of you have received a scam email mentioning Patreon. No need to worry – the info is false & is spam, so please ignore it.

Patreon customers rejoice – no need to shell out for a bitcoin, the value of which is still over £200 at current prices.

So, if you receive an email that begins by saying a crook has your personal info, much like this –

– don’t respond.

And remember, in all cases of extortion, the best advice is to never pay up.

In the case of ransomware, the best defence is to have a robust backup plan in place that includes not only testing the integrity of those backups, but also sees them stored offsite too.

Where DDoS extortion is concerned, the advice given out by Brian Honan on Thursday holds true – tell the authorities, regularly review your Business Continuity Plan, ensure your internet-facing services are adequately protected and configured correctly and never, ever pay up – as Brian mentioned at the time, most DDoS extortionists do not follow their threats through anyway.

And as for extortion after the hack, are you going to trust someone called Carter not to release your data after you’ve paid, or to not come back for more – if they even have your data in the first place? Nah, me neither.

So be aware, be alert and please train your staff to be on their guard too.


Is Dublin Airport recording your phone data?

Hmmm… interesting question, and one many of you may have in mind as you pass through the airport on your way to and from IRISSCON later this week.

The query in question came about following a piece in the Irish Independent about a man who ‘erroneously’ carried a sharp-bladed implement onto a plane.

As part of that write-up, author Emma Jane Hade wrote:

The DAA [Dublin Airport Authority] uses an “automated technology” system to ensure passengers spend no longer than half an hour in the queue for security checks.

It is understood this technology tracks the length of time that passengers carrying Bluetooth- and wifi-enabled devices spend in the queue.

A member of the security team at Dublin Airport revealed there are sensors placed in the roof of the security area that record the time the device and the passenger enter and leave the queue.


On the face of it, a quick run through security checks may sound appealing, though perhaps slightly less so right now in the wake of the Paris attacks, but what does it mean for passenger privacy?

If you have Wi-Fi or Bluetooth switched on, which I guess many travellers probably do, at least up until the point where they board the aircraft, then Dublin Airport has the capability to track your devices through either or both, irrespective of whether they are actually connecting to anything or not.

And that obviously relates not only to your mobile phone but also your smart watch, tablet, fitness tracker, etc.

The corresponding Wi-Fi and/or Bluetooth MAC address will be hoovered up and, under normal circumstances, both will act as a sort of fingerprint on account of the fact that they are unique to every device.

With that information, the airport can track passengers in much the same way some shops already do, building profiles of where they go.

Given the size of the airport and the relative lack of shopping facilities, it doesn’t appear to be that big a deal but Dublin Airport caters for a large volume of traffic each year, and we know how security services are attracted to bulk data like bees to honey.

Again, possibly not too much for the average passenger to become overly concerned about but there is still an important question at the heart of all this: when did Dublin Airport ask permission to collect this data in the first place?

According to the DAA, the data it collects is not “personal” even though it is obviously personally identifying, and is used only to:

measure and check queue/dwell times at the airport, and the only parties who have access to the data are DAA and the company which operates the system.

Fortunately, the airport appears to be listening though, recently saying that it is in the process of upgrading its system to encrypt collected MAC addresses in such a way that they won’t be able to be linked back to the original MAC address.
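The property the airport describes, measuring queue dwell time without keeping anything that links back to the original MAC address, is achievable with a keyed hash (HMAC) under a key that is rotated and discarded. A plain, unkeyed hash of a MAC is not enough: the address space is small and the vendor prefix is public, so an unkeyed hash can be matched back to its address by enumeration. The following is an added example, not the DAA's system or any vendor's code; the `DwellTracker` class, its sensor names and the 24-hour rotation period are assumptions chosen for illustration.

```python
# Added example: keyed, rotating pseudonymisation of MAC addresses for
# queue dwell-time measurement. Assumed design, not the airport's system.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

def pseudonymise(mac: str, key: bytes) -> str:
    """HMAC-SHA256 of the canonical MAC under a secret key. Without the key the
    token cannot be tied back to the address, unlike an unkeyed hash."""
    canonical = mac.lower().replace("-", ":")
    return hmac.new(key, canonical.encode("ascii"), hashlib.sha256).hexdigest()[:16]

class DwellTracker:
    """Pairs 'entry' and 'exit' sightings of the same token to measure dwell time.
    The key is regenerated every rotation period and never stored, so a token
    seen today cannot be matched with one seen tomorrow (no long-term profile)."""

    def __init__(self, rotation: timedelta = timedelta(hours=24)) -> None:
        self.rotation = rotation
        self._key: Optional[bytes] = None
        self._key_expires: Optional[datetime] = None
        self._entries: Dict[str, datetime] = {}   # token -> time it entered the queue
        self.completed: List[float] = []          # dwell times in seconds, no identifiers

    def _key_for(self, when: datetime) -> bytes:
        if self._key is None or when >= self._key_expires:
            self._key = os.urandom(32)            # old key is dropped, not archived
            self._key_expires = when + self.rotation
            self._entries.clear()                 # tokens under the old key are now meaningless
        return self._key

    def observe(self, mac: str, sensor: str, when: datetime) -> Optional[float]:
        """Record a sighting; return the dwell time in seconds on a matched exit."""
        token = pseudonymise(mac, self._key_for(when))
        if sensor == "entry":
            self._entries[token] = when
        elif sensor == "exit" and token in self._entries:
            dwell = (when - self._entries.pop(token)).total_seconds()
            self.completed.append(dwell)
            return dwell
        return None

def run_demo() -> List[Optional[float]]:
    """Constructed sightings: one passenger queues for ten minutes; a second
    sighting the next day cannot be matched because the key has rotated."""
    t0 = datetime(2015, 11, 23, 9, 0, tzinfo=timezone.utc)
    tracker = DwellTracker()
    mac = "AA-BB-CC-DD-EE-FF"
    return [
        tracker.observe(mac, "entry", t0),
        tracker.observe(mac, "exit", t0 + timedelta(minutes=10)),
        tracker.observe(mac, "entry", t0 + timedelta(hours=1)),
        tracker.observe(mac, "exit", t0 + timedelta(hours=25)),
    ]

if __name__ == "__main__":
    print(run_demo())
```

The only thing that survives a rotation is the list of dwell times, which is the statistic the DAA says it wants. Whether a deployed system actually discards the key, and how long the rotation period is, are the questions to ask of any "encrypted MAC" claim.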

Sounds good… but, once again, when and where did Dublin Airport reveal it was collecting such data in the first place?

The answer to that question is something I cannot find.

Top-ranking InstaAgent app pulled over password harvesting claims

InstaAgent, the most downloaded free app in Britain and Canada, has been pulled from both Google Play and the App Store amid claims that it was secretly stealing users’ passwords and uploading them to the developer’s server.

The app, marketed as “Who Viewed Your Profile – InstaAgent” was ‘outed’ by a tweet from another developer who said:

“Who Viewed Your Profile” will send your Instagram Username and Password to an unknown server!

The motive, according to David Layer-Reiss, of Peppersoft, was the sending of spam images to unsuspecting users’ Instagram accounts – in direct violation of the site’s terms of service which prohibit the direct posting of content to users’ feeds without their permission.

And that spam may have been published on a grand scale too it seems:

I would say “Who Viewed Your Profile – InstaAgent” is the first malware in the iOS Appstore that is downloaded half a million times.

The creator of the app – which Google says has been downloaded between 100,000 and 500,000 times – declined to comment when the BBC called his Turkish phone number, telling the news provider that his command of the English language was poor.

The Beeb, which identified the developer as Turker Bayram, or at least someone using that name, quotes Facebook-owned Instagram’s response to the news:

These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user’s accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.

Sound advice indeed and, to add to that, I would suggest reading our guide to creating a strong password, paying particular attention to point #3, especially if you have already recycled your Instagram password across other online accounts.

And another tip for app developers – if you are uploading your work to Google Play or the App Store, it may be worth checking to see if there is another app with that name first.

Craig Pearlman, who also has an app called InstaAgent, now has something of a headache to contend with as people are already confusing his app with the pulled one:

I wasn’t aware of another app with a similar name until I started receiving support requests for behaviour that’s impossible for my app to produce.

It’s especially troubling given the scrutiny iOS apps are subjected to before being approved for the App Store. I may need to consider renaming mine now.

Lastly, remember that ‘who viewed your profile’ scams are rife and, though most sites don’t even make such an option a possibility due to not sharing that data with third parties, they still suck far too many people in.

Indeed, at the time of writing, it is possible to find many such apps available on the various app stores.

You wouldn’t share your fingerprint… would you?

Do you let your friends borrow your bank card?

Would you let your brother access your online bank account?

Do your kids know your PIN number?

Chances are, you will have said no to all of those questions, and rightly so. If you answered yes, you may want to reassess your thinking, and how well you can trust those with whom you share your most intimate financial details.

But what if your banking details were less tangible than a card, letters typed on a keyboard, or a set of digits?

What if they were tied to a fingerprint? Would you share that around?


I’d hope not, and that’s a stance also taken by the major banks, as noted by SC Magazine which today singled out Apple Pay, the newly-launched payment system increasingly favoured by cool kids with iPhones and even (yes, I’ve seen it with my own eyes) the odd iPad-wielding nerd.

Utilising fingerprint scanning technology (Touch ID), Apple Pay offers an incredible level of convenience when it comes to paying for low-cost goods and services but it is not without its issues.

As with most aspects of security, the potential pitfalls are far less about technology and far more to do with human fallibility – namely that desire to trump sense with convenience that tempts the best of us at times.

In this case, SC Mag warns of the dangers of passing an iPhone round the entire clan so each parent, child, sibling and cousin can enjoy the thrill of adding their unique digit print to the device’s repository of saved fingerprints.

For that, it says, may be a violation of their online banking terms and conditions.

And we all know what happens when fraudulent activity is later traced back to a customer’s mistake – no payout!

As Jeremy Seth Davis notes, banks (quite rightly in this case, in my opinion) will say no dice when a customer queries an unauthorised transaction on their account when it is known that they have gone all cop on their family, minus the messy ink. Likewise, a collector of fingerprints is also likely to be shooed away if or when they ever cry for help in the wake of obviously fraudulent activity on their account.

The banks all say much the same thing:

You must ensure you only register your own fingerprints (and not anyone else’s).

Got that?

Good! Now, for your homework, have a think about where else this advice may apply.

TalkTalk hack ‘only’ affected 157,000 customers

Things at TalkTalk are bad. Real bad. But not quite as bad as first thought.

I am of course referring to the news that ‘only’ 157,000 customer records were accessed during the recent breach, not the incident management/response which was just… bad.

According to figures published by the BBC earlier today, some 156,959 customers had their personal information accessed – which is a somewhat lower figure than the 4 million or so that was suggested when news of the hack first came to light.

Not all of those customers saw their financial details exposed though – the number of bank account numbers and sort codes swiped came in at a ‘mere’ 15,656.

TalkTalk said 28,000 credit and debit card numbers stolen during the attack were essentially useless to those behind the breach as they had been “obscured” and were therefore unable to be used to initiate any type of financial transaction.

The company said anyone whose financial info had been exposed had already been contacted, and other affected customers would hear from TalkTalk in short order.

Having previously confirmed that usernames, addresses, dates of birth, email addresses and telephone numbers had been swiped, the company confirmed that around 4% of its userbase had at least some sensitive data at risk.

In addition to all the bad publicity garnered since the attack, the BBC also revealed another blow for the company, stating that TalkTalk shares had lost around a third of their value since the initial attack on 21 October.

Whether that will be a long-term concern for the leadership of the telecoms firm is debatable – I cannot find the relevant tweet right now, but Neira Jones has previously said that stock prices often bounce back quite strongly once the news of a breach starts to recede from people’s memories.

Whether that will be the case with TalkTalk or not remains to be seen and, in my opinion, will largely be affected by CEO Dido Harding’s performances in the coming weeks.

Meanwhile, four people aged between 15 and 20 remain on police bail, having been arrested under the Computer Misuse Act.

The alleged motives of the youngsters, who of course remain innocent unless proven otherwise, are still unclear, though the Daily Mail has today had a stab at adding some flesh to one hypothesis, saying that up to 25 fun-seeking hackers had their mitts on customer data in the wake of the attack.

Citing Channel 4 News, the online paper quoted one hacker who apparently said:

It was in a Skype group call…with a lot of laughing and making fun of TalkTalk.
There was no group, it was just a few friends laughing about a company with bad security. It’s fun for us.

Responding to the program, in which one hacker claimed to have been rebuffed by an uninterested TalkTalk when explaining its security issues, a spokesman for the company gave the stock post-breach response that the company was taking the issues very seriously before adding that it was co-operating fully with police.

The spokesman then sprinkled what I would describe as a pinch of scorn on the Channel 4 report by saying “the information included in this report has not been verified and is in some respects materially inaccurate.”

They may take our homes, but they’ll never take our data!

For hundreds of years there has been a long-held belief that an Englishman’s home is his castle, but the technological advancements of the 21st century now look set to challenge that notion.

Not only have we evolved to the stage where anyone can live in a medieval building, regardless of gender, we have also seen a shift in what the majority of people seem to hold most dear, at least according to new research from Citrix.

The tech company has revealed how almost one-third of UK workers would sense a greater feeling of violation if someone stole their computer files than they would if an intruder broke into their home.

(Interestingly, there were some regional variations though – the survey noted that Londoners (49%) were especially concerned about having their data stolen – which only leads me to speculate as to whether that was borne out of a concern for the value of their own personal information, or an understanding of the value of the business data they may have taken out of the office).

Sounds extreme I know, but there is a reason for that: almost half of the 2,000 full-time UK workers polled said they had a private folder on their machine that was so confidential they really would rather no-one else ever saw it.

Despite the fact that younger people tend to have a better understanding of new technology, it was the 16-24 age range that was most likely (48%) to save confidential information on their computer. Surprising, then, that this was also the age group that would feel most outraged if that data was accessed by an unauthorised third party.

Among the over 55s, the situation was somewhat different as only 1-in-6 admitted to having more than one private file saved on their device.

Other differences between the age groups were noted when it came to the storage of passwords – that 16-24 age bracket was the most likely to keep multiple login credentials recorded in one file on either their computer or mobile device.

With such a strategy leaving them wide open to any attacker who gained access to said file, the fear is that such a risky attitude could find its way into the workplace, either now, or in the near future, as the younger generation replaces the apparently more security-conscious older workforce.

Commenting on the survey, Chris Mayers, chief security architect, Citrix, said:

Data safety has never been more important, as workers are storing increasing amounts of data online.

The results of the study suggest that UK workers are indeed aware of the risks of data theft. Yet more work must be done to ensure this growing awareness translates to safer practices at work. A homeowner wouldn’t leave their front door open, so businesses shouldn’t run the risk of losing the keys to their data to the wrong hands.

Whatever the actual motivations of those polled, the report does offer up some encouragement though.

While it hints at potentially poor password security, the fact that people are better assessing the value of the data at their disposal can only be a good sign for those companies looking to secure their assets through a program of security awareness training.

After all, if your employees are concerned about their own data falling into the wrong hands, they’re far more likely to consider the consequences of the same thing happening to your corporate data.

Communication key as UK and US banks prepare for Operation Resilient Shield

Following on from the two Waking Shark trials conducted over the last few years, the largest UK banks are once again set to face a simulated cyber attack.

This time, they’ll be joined by some of the biggest banks in the US as the Bank of England and its American cousins unleash a mock attack, designed to test their resilience to attackers who may wish to steal data or cripple the entire financial industry.

The latest operation, dubbed Resilient Shield, was jointly announced by Prime Minister David Cameron and President Barack Obama back in January.

Commenting at the time, the White House said:

both leaders agreed to bolster efforts to enhance the cybersecurity of critical infrastructure in both countries, strengthen threat information sharing and intelligence cooperation on cyber issues, and support new educational exchanges between US and British cybersecurity scholars and researchers.

The upcoming operation will be co-ordinated by the Computer Emergency Response Team (CERT) in both countries.

One of the key aims of the operation is to test the ability of banks to not only communicate with each other during a time of crisis, but also with their respective governments. It will also assess how well the US and UK CERTs communicate with each other.

Announcement of the upcoming operation comes at a time when cyber attacks are very much in the news, at least here in the UK where we’ve seen account compromises at both TalkTalk and Vodafone, as well as a sharp increase in the crime statistics, caused by the inclusion of online crime for the first time.

Given the cutbacks in police numbers, and the challenges faced in investigating cyber crime, the financial sector has more than a passing need to ensure that its security protocols are tested and refreshed in order to counter the ever-present threat of attack.

The nature of the information held by banks and other financial institutions is such that even a minor breach could be catastrophic for any business or individual affected.

And, given the fact that it is not just teenagers who are suspected of hacking into organisations of all sizes, but also nation states such as China and Russia, a robust and well-practised incident response plan becomes all the more important.

Meanwhile, the Bank of England is continuing to check in with insurers amid fears that the insurance market is also becoming a key target for hackers.

After the Bank released its Financial Stability Report in July, governor Mark Carney said the “adaptive nature of the threat means that ways of managing the risk must continually evolve” and called for resilience to be “regularly assessed.”

The Bank’s Financial Policy Committee (FPC) has recently recommended widening the scope of exercises such as Resilient Shield to encompass an increasing number of major firms, including those in the insurance sector.

According to a recent report by PwC, insurers themselves appear to be increasingly concerned about their attractiveness to attackers due to the nature of the personal data they hold and the fact that they rely heavily upon cloud storage systems.

One in fifty mobile devices are already compromised or under attack

According to security firm Skycure, 2-in-100 mobile devices are already infected with malware or under attack.

While no device is immune, compromise rates were highest on Android devices with around 1-in-3 harbouring a nasty secret.

Furthermore, over a quarter of Google-powered smart devices were found to have been opened up to third-party app installation, allowing unofficial apps to be installed from outside of the official store environment. Interestingly, this risky situation is more evident within the business environment (33%) than with personal devices (20%), primarily because some organisations have a need to install their own enterprise apps.

The company’s Mobile Threat Intelligence Report also reveals how more than 15% of Android devices have USB debugging enabled, providing a conduit for malware to travel from a computer to the device.

Data compiled from millions of monthly security tests also reveals other risks, including the fact that around 30% of all devices were running an outdated operating system – one in three Android devices are susceptible to recent high-profile attacks, simply because manufacturers have failed to make operating system updates available to the end-user.

Before Apple fans get too carried away, it should also be noted that around a quarter of iOS devices are running an out of date version of the operating system, though it is unclear whether that is due to a large number of older, ineligible devices remaining in use, or through a lackadaisical approach to security from a subset of users.

The report did note that jailbreaking within the enterprise environment was almost unheard of though and, while the rooting of Android devices was far more prevalent, it too was significantly less likely on business devices, though not entirely unseen.

Overall, Skycure concluded that the risks faced by mobile devices are continually increasing and that around 22% of smartphones and tablets would face a network threat over a period of one month, increasing to 40% over a three month period.

One thing that certainly doesn’t help here is the report’s most important discovery, the fact that 52% of smart devices are not locked down with even the simplest of protection.

Given the vast array of options available now, from pass codes to pass phrases, and swipe patterns to fingerprint scans, I think it may be fairly safe to agree with the conclusion of Adi Sharabani, CEO of Skycure, who said:

Threats to mobile devices are real and based on what we’re seeing in this report people aren’t doing enough to protect themselves.

Overall then, the report paints a pretty scary, if not totally unexpected, picture of mobile compromise.

It’s good to see that many enterprises appear to have mitigated the risk of having rooted or jailbroken devices added to their networks but, overall, it’s reasonable to conclude that the human factor is the biggest issue when it comes to device security, especially in terms of the basics.

With around half of all users failing to implement even the simplest of security measures on their personal or work devices, it’s easy to imagine what sort of other risky behaviour they are engaging in.

So the question is, what are your employees or family members doing with their mobile devices?

Are they aware of the risks posed by malware, or the damage that could be done to your organisation, or their own personal lives, should their smart phone or tablet become lost or stolen?

How could you lessen those risks by talking to them about security and providing a little awareness training that could help them in both their professional and private lives?

Has the Government Gateway been hacked?

Earlier this morning I read an interesting Financial Times article which detailed how stolen IDs were changing hands for around $30 (£20 / 27 Euros) on the dark web.

The main direction taken by the piece was to highlight how British companies, including TalkTalk of course, were struggling to protect their digital assets and, more importantly in my opinion, the personal details of their customers.

Highlighting how 600,000 British customers had their data swiped from UK companies in 2014, Defence and Security Editor Sam Jones cited Symantec research which suggests that 358 million identities were compromised worldwide last year.

Such figures truly are scary and definitely worthy of reporting, especially in conjunction with other news today which suggests the majority of scam victims in this country never recover a penny of their losses –

One of the UK’s biggest banks has said 70% of its customers who fall victim to a scam do not get a single penny back… From January to September this year almost 5,000 of the bank’s customers fell victim to various scams – at a total cost of more than £25m… The bank says the average cost of falling for a scam has gone up by 40% since 2014, to more than £13,000.

– but within the FT article is a startling claim that I, for one, was not previously aware of: the possibility that a key government database, used by HMRC and the Department for Work and Pensions, may have been hacked.

Government Gateway

Quoting “senior government officials,” Jones said “tens of thousands” of Brits’ identities were trading on the dark web. Nothing new there of course, but he went on to say that included within that figure were “thousands of detailed profiles stolen from the government’s own computer systems, with all the information necessary to completely seize control of an individual’s digital identity.”


The Government Gateway site has been breached?

When did that happen? When was it disclosed? Was I sleeping?

I don’t recall seeing anything about this at all, and a quick bit of Googling hasn’t revealed any further information either.

Hmmm… seems like a massive scoop and breaking news story in the making, especially given the fact that Jones says the profiles hacked from the site are the “crown jewels” of ID theft (no wonder they’re apparently available for the much higher price of $75 (£59 / 81 Euros)) – which is probably not an understatement given the type of information likely to be included in such records.

So that again begs the question: why is this not the news story of today?

Has this breach even occurred, has it slipped under the radar as the security community and media at large go to town on TalkTalk’s incident response plan, or is there an error in the original FT reporting?

I’d be very interested in hearing your thoughts on this – has anyone got any information they’d care to share?