Friday 25 November 2011

Cybersecurity Monthly Round Up


November has seen both ups and downs in the world of cybersecurity. The video gaming service Steam fell victim to a devastating hack, potentially exposing personal information and credit card details of 35 million users. In a similar attack, Norway’s oil, gas, and defence firms were attacked by hackers. Norway’s National Security Agency confirmed that the details of contract negotiations along with industrial secrets had been stolen. The NSM said it was the biggest attack of its kind Norway had experienced with 10 or more businesses affected.

A published report found the UK consumer protection system to be failing to keep up with the digital revolution, leaving people at risk of scams. As a result, online shoppers are at risk of email scams and fraud, says the Commons Public Accounts Committee. Online security experts also warned that a growing amount of malware is being disguised as seemingly innocent smartphone apps. The malware can send costly messages on the devices without the owner being aware, warn experts.

Facebook hit the headlines more than once, firstly as researchers from the University of British Columbia managed to steal information from the social networking site using social bots. The researchers were able to befriend genuine Facebook users, and then steal personal details. The second piece of news from camp Facebook was more positive; the site announced that it is changing the way it amends users’ privacy settings. Facebook will ask users to opt into any changes in the way it uses their personal information, a move that has been welcomed by privacy campaigners.

Continuing with more upbeat news, EU and US cybersecurity experts came together to stress-test their response to an online attack. Following a global rise in cybercrime and hacking attacks, Brussels played host to the European and US online security exercise this month. The event was the first time both had come together to role-play an emergency scenario. The beginning of November saw London play host to the London Conference on Cyberspace. The international conference gathered representatives from 60 nations to discuss how to tackle the increasing levels of cybercrime. The attendees included foreign secretary William Hague, EU Commissioner Neelie Kroes, a variety of leading cybersecurity experts and technology entrepreneurs such as Wikipedia founder Jimmy Wales, Cisco vice-president Brad Boston and Joanna Shields, a senior executive at Facebook.

Friday 18 November 2011

Norwegian Industrial Secrets Exposed in Hack


Norway’s oil, gas, and defence firms have been attacked by hackers. Norway’s National Security Agency (Nasjonal sikkerhetsmyndighet or NSM) confirmed that the details of contract negotiations along with industrial secrets had been stolen. The NSM said it was the biggest attack of its kind Norway had experienced with 10 or more businesses affected.

With an ever increasing number of cybercrimes committed, Norway is the latest victim. Several countries have lost secrets and intellectual property to cyber thieves. "It is critical that businesses have up to date security systems in place, and also clear protocol of what to do if an attack occurs. It is also key to train staff for what to look out for," online security and cybercrime expert Tero Pollanen advised.

The attackers gained access to the firms’ networks through customised emails, with viruses attached, that wouldn’t trigger anti-malware detection systems. According to the NSM, the emails had not only been sent to named targets at the businesses, but also designed to look like they had come from trustworthy sources.

The attack took place at a crucial time for the firms: mid negotiations for large contracts. Details stolen include passwords, user names, contracts, industrial designs, and documents. It is believed that all the information is now overseas.

Due to the similar nature of the targets, the techniques used in the attacks, the virus coding, and the way in which data was lifted, the NSM is confident that one group is responsible for all of the attacks. Furthermore, the NSM believes that there are other victims yet to come forward, and is appealing for them to come forward. In a statement the NSM said "This is the first time Norway has revealed extensive and wide computer espionage attacks". Whilst vigilant users had picked up on the hacking and informed internal IT security staff, the NSM says it’s likely many are unaware of the attack, or that information has been stolen.


Wednesday 16 November 2011

Online gaming service in hacking attack

The Steam video game service, owned by Valve, and used by 35 million people, has fallen victim to hackers. Valve became aware of the attack on a user database when investigating a smaller problem. A security breach on one of its discussion forums led experts to uncover the cyber intrusion.

The attack occurred on 6 November, and Valve took the Steam forums down as soon as it learned of the attack. Hackers had gained access to a database that contained not only personal information, but credit card details too, after using login details from the forum hack. As yet it is unclear whether the full 35 million accounts were compromised, or whether it was just a portion of this total.

Valve initially said that the forums had been taken down for maintenance, but it soon became apparent that something more serious had occurred. A message was posted to the forum’s front page from Gabe Newell, the Managing Director of Valve, on 10 November explaining that the sites were down due to the attack.

Valve are investigating the incident, and have announced that, so far, none of the compromised credit cards nor the Steam accounts had been misused. Experts also commented that "the intrusion goes beyond the Steam forums". Findings from the initial investigation showed that the attackers gained access to a Steam database that held "user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information".

Mr Newell said Valve had no evidence that the encrypted credit card information or personal information on gamers had been taken. He added, however, "we are still investigating". The findings, he said, had only confirmed that a few accounts had been compromised and used to carry out the intrusion. As a precaution, forum users will have to change their passwords upon the reopening of the discussion site. "I am truly sorry this happened, and I apologize for the inconvenience," concluded Mr Newell.

Online security expert Tero Pollanen offered the following advice: "Passwords should be kept private, never written down, and changed regularly. It is always good practice to keep an eye on credit card statements, and those especially worried about this particular incident might consider removing card numbers from Valve's servers, and signing up for the Steam Guard security service instead". In order to make a stand against these kinds of attacks, online security expert Tero Pollanen went on, "businesses should be investing in preventative measures. The cost of hacking and fraudulent scams is astronomical, both to businesses and the economy as a whole. Businesses should be investing in improving password-handling code and data encryption."

Thursday 10 November 2011

Consumer Protection Plan "Flawed"


A new report claims that consumers are left at risk, say MPs. According to the report, the UK consumer protection system has failed to keep up with the digital revolution, leaving people at risk of scams. The result of this is online shoppers being at risk of email scams and fraud, says the Commons Public Accounts Committee.

So who are the fraudsters? The rogue traders are typically based in areas with minimal policing, from where they are able to scam people nationwide. The amount consumers lose to these scams is estimated at £6.6bn annually. Of this, approximately £4.8bn is the result of mass market scams such as counterfeiting and unscrupulous traders.

Cybercrime and fraud prevention specialist Tero Pollanen had the following to say: "Cybercrime is an ever increasing issue, and is costing businesses billions. Unlike ‘traditional’ crimes, cybercrime is not localised, it is an international problem that can be carried out from almost anywhere. One of the biggest issues is understanding where an online crime is committed, and how to bring varying international rules in line with one another".

The report by the Commons Public Accounts Committee echoes Tero Pollanen, and also the conclusions of the National Audit Office in describing the consumer protection system as "fragmented". Whilst the government is spending on consumer law enforcement, the report found repeated inconsistencies. Staffing, for example, ranged from two to 80, and there was not a uniform level of help and assistance for consumers across the country. This results in "enforcement deserts where local authorities do not spend enough money to provide an acceptable level of protection to consumers," the report said.

Fraudsters wanting to abuse this set up in one of these "enforcement deserts", and today’s technology allows them to find their victims nationwide. The report found that the current protection system had "failed to keep pace with online traders".

"When the enforcement system was first established, trading was more localised and consumers tended to lose money through singular instances of malpractice, for example, by being overcharged or sold a short measure," the report said. "Now, the increase in the number of companies who operate nationally and the trend towards online shopping have caused problems which are more likely to affect consumers on a regional or national level." As cybercrime and fraud prevention specialist Tero Pollanen stated previously, there are no clear arrangements for who should take on the task of large, expensive cross-border cases.

"The department must ensure that these changes do not allow new sophisticated scams to emerge and persist without challenge," said Margaret Hodge, who chairs the committee. "Doorstep selling of substandard or non-existent services is a massive issue for consumers, particularly those who are vulnerable. The department has too little information on what the cost of protecting consumers is or how successful current interventions are."

Tero Pollanen