InfoSec Round-Up : April 20th - 30th

NCSC Campaign, Warwick University Breach, and Kinomap

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends and industry news from across the world of information security.

The NCSC’s Cyber Aware Campaign

With the apparent uptick in online scams since the coronavirus pandemic, the UK’s National Cyber Security Centre launched this April their Suspicious Email Reporting Service, or SERS:

In the first twenty-four hours of the campaign, the service received an enormous 5,151 reports of suspicious emails, and as of the 24^th April, the NCSC announced around 220 scams had brought down as a result of the campaign.

The NCSC’s Chief Executive Officer Ciaran Martin noted that they hope that the Suspicious Email Reporting Service will “deter criminals from such scams”, adding the coronavirus is the current top lure for conducting cybercrime.

Unsurprisingly, the Covid-19 crisis has been exploited by cyber criminals across the world, with Google blocking tens of million virus-related emails and Action Fraud, a fraud watchdog, reporting a known cost of coronavirus related scams of well over £2 million.

If you are in the UK and spot a suspicious email, take advantage of the service by forwarding the message to the following address:

Warwick University

In other news, it has also been reported that the University of Warwick has failed to alert affected individuals about a breach of their administrative network.

The attack, which took place last year, occurred as a result of a member of staff installing remote viewing software, possibly infected with malware, leading to individuals’ data likely being stolen.

The university was also making “widespread” us of software known for vulnerabilities and overall poor security.

To make matters worse, according to a leaked internal audit of the university’s IT systems, cyber security practices at the Russell Group institution were so poor that it was impossible to identify the extent of the data breach or identify individuals affected.  

A separate audit completed by the UK’s Information Commissioner’s Office, published in March, contained over 60 recommendations for ways in which the university could improve its practices, 15 of which were rated as urgent, whilst also rating the University’s level of ‘Training and Awareness’ as ‘Very Limited’.

Kinomap

The records of 42 million users has reportedly been left on an unsecure online database by fitness tech company, Kinomap.

Containing the personal data of many of their users, the French firm was first alerted to the security flaw by researchers at vpnMentor who discovered the security issue as part of a web mapping project.

The 40GB database, containing information from users across the world, was left exposed for almost a month due to a misconfiguration. Though the flaw was eventually fixed on April 12^th following the French data protection regulator, the CNIL, being informed.

Full names, email addresses, usernames, gender and fitness data were amongst the unsecure information found. Should hackers have discovered the data base, this information would have undoubtedly been used to orchestrate phishing attacks and other malicious scams.

A member of vnpMentor noted: “With millions of people across the globe now under quarantine at home due to the Coronavirus pandemic, the impact of a leak like this grows exponentially”. Adding, “by not having more robust data security in place, Kinomap made its users vulnerable to a wide range of frauds.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.