Smashing Security podcast #329: Pornhub, Barbie dolls, and can you trust a free TV?
Just how much do porn websites know about your sexual peccadillos? How are Barbie dolls involved in identity scams? And would you trust a completely free telly?
Oh, and Graham has some opinions to share about “Indiana Jones and the Dial of Destiny”.
All this and much, much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Matt Davey from the “Random but Memorable” podcast.
The AI Fix #9: When AI detectors fail (spectacularly), and OpenAI’s five steps to Skynet
In episode nine of “The AI Fix”, our hosts learn about the world’s most dangerous vending machine, a cartoonist who hypnotises himself with AI, and OpenAI’s plans to eat Google’s lunch.
Graham tells Mark about a pig-farming professor, and Mark tests Graham’s tolerance with OpenAI’s terrifying roadmap to Artificial General Intelligence.
All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.
UK Electoral Commission Hacked – 40 Million Britons’ Data Exposed
The UK Electoral Commission, entrusted with safeguarding voter information, recently faced a complex breach that triggered a vital public notification.
In a digital age, securing sensitive data is paramount, yet even the most robust systems can be vulnerable to cyber-attacks.
This article delves into the technical intricacies of the incident, its impact on data subjects, and the Commission’s response to fortify its defenses.
Unveiling the Breach:
In October 2022, the Electoral Commission discovered a breach stemming from suspicious activities detected on its systems.
Closer scrutiny revealed that malevolent actors had illicitly accessed the systems as far back as August 2021.
This incursion exposed sensitive data, raising concerns about data subjects’ privacy and security.
During the cyber-attack, the perpetrators infiltrated the Commission’s servers, granting them access to significant repositories, including email systems, control systems, and copies of the electoral registers.
Crucially, they were able to extract reference copies of these registers, which held information about UK voters between 2014 and 2022, excluding details of anonymous registrants.
Moreover, the Commission’s email system was also compromised.
Risk Assessment and Impact:
The Commission, working with the Information Commissioner’s Office, assessed that the compromised data, including names, addresses, and contact information, did not present an immediate high risk on its own.
Nevertheless, concerns were raised about the potential combination of this data with publicly available information to infer behavior patterns and individual profiles.
Importantly, the breach didn’t disrupt the electoral process, citizens’ access to democracy, or their registration status.
Following the breach’s discovery, the Commission diligently partnered with security specialists to investigate the incident and bolster system defenses.
Several actions were taken to mitigate future risks:
Strengthened network login requirements.
Enhanced monitoring and alert systems for active threats.
Reviewed and updated firewall policies.
Collaborated with external security experts and the National Cyber Security Centre.
Empowering Data Subjects:
While immediate action wasn’t deemed necessary, the Commission urged those who had interacted with them or registered to vote between 2014 and 2022 to remain vigilant.
Individuals concerned about personal data they had sent to the Commission were encouraged to contact the Commission’s Data Protection Officer.
This incident underscores the ongoing battle against cyber threats and reinforces the significance of robust cybersecurity measures.
By promptly notifying the public and taking proactive steps to fortify its systems, the UK Electoral Commission sets an example of transparent response and commitment to data protection.
In a world increasingly reliant on digital infrastructure, organizations must recognize their responsibility to safeguard sensitive data and maintain transparency in the face of cyber-attacks.
22-Year-Old Hacker from ShinyHunters Group Arrested for Hacking 60+ Organizations
A 22-year-old French citizen, Sebastian Raoult, has been sentenced to three years in prison and ordered to pay over $5 million in restitution for his role in a sprawling cybercrime ring that hacked and exploited the data of millions across the globe.
Raoult, also known online as “Sezyo Kaizen,” was apprehended in Morocco in 2022 and extradited to the United States to face justice for his multi-layered scheme.
U.S. Attorney Sarah Vogel emphasized the gravity of Raoult’s actions, stating that he “robbed people of millions of dollars.”
This wasn’t just a technical exploit but a calculated act of financial plunder.
Beyond Stolen Data, Stolen Lives:
Vogel further highlighted the broader impact, noting the “unmeasurable additional losses to hundreds of millions of individuals whose data was sold to other criminals.”
Raoult’s actions put countless people at risk of identity theft, financial fraud, and other forms of harm.
Raoult and his co-conspirators targeted businesses worldwide, including companies in Washington State.
They infiltrated protected computer systems, pilfering confidential information and customer records.
This stolen data was sold on notorious dark web forums, enriching the perpetrators while jeopardizing millions.
ShinyHunters: A Digital Bazaar of Stolen Identities
The conspirators operated under the alias “ShinyHunters,” flaunting their ill-gotten gains by advertising the sheer volume of stolen records. This practice not only facilitated widespread identity theft but also fueled a thriving black market for personal data.
Raoult designed websites mimicking legitimate login pages and sent phishing emails to company employees, tricking them into divulging their credentials.
This insidious approach granted the conspirators access to even more sensitive data and widened the scope of their criminal enterprise.
The total number of stolen customer records is estimated to be in the hundreds of millions, with financial losses exceeding $6 million.
Raoult’s actions caused significant economic damage to victim companies and fostered a climate of fear and uncertainty for countless individuals whose personal information was compromised.
Highlighting the human cost of Raoult’s actions, Hinman wrote to the court, “Stealing and selling customer records put these hundreds of millions of individual customers at risk of identity theft and financial loss.” Raoult’s greed enriched him and exposed millions to potential harm.
Raoult told the court, “No more hacking,” to show that he regretted what he had done and wanted to move on, adding, “I don’t want to disappoint my family again.”
Judge Lasnik acknowledged his remorse but cautioned Raoult’s family and friends to remain vigilant upon his return to France.
The FBI Seattle Cyber Task Force spearheaded the investigation, while Assistant U.S. Attorney Miriam R. Hinman led the prosecution.
The Department of Justice’s Office of International Affairs and Moroccan and French authorities provided crucial assistance in bringing Raoult to justice.