InfoSec Round-Up: December 20th


Inside Attacker Jailed, GDPR Fines Twitter & Trump’s Twitter Password

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Subway Sandwich Scams

Customers of fast-food franchise Subway have taken to social media, reportedly receiving scam emails as part of a phishing campaign.

Beginning early last week, UK customers received emails claiming that a food order had been placed and directing them to view ‘confirmation details’ via a link; the link led to a download that installed a strain of malware known as TrickBot.

Because the emails addressed recipients by name, many immediately assumed that the company had been breached in some way. Subway initially alluded only to a ‘disruption’, but later admitted that a system used to manage its email marketing campaigns had been compromised, which would explain how the attackers obtained customer names and addresses without touching payment systems.

As well as noting that no financial information had been accessed, a spokesperson for the company said: "We are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email."

Adding, “We are currently investigating the matter and apologise for any inconvenience. As soon as we have more information, we will be in touch, until then, as a precautionary measure, we advise [recipients] delete the email."

Ex-Cisco Engineer Jailed

A former employee of the American technology company Cisco has been sentenced to 24 months in prison, following an incident which cost the company an estimated $2.4 million.

Sudhish Kasaba Ramesh, of San Jose, had in August pleaded guilty in federal court to intentionally accessing a protected computer without authorization and recklessly causing damage; the actions took place after his two years working at the company had ended.

Accessing the company’s cloud infrastructure in 2018, several months after his resignation, Mr Ramesh deployed code which deleted 456 virtual machines supporting the WebEx Teams application used by clients. Over 16,000 customer accounts were shut down as a result, and over $2 million was spent remediating the damage. The engineer’s motivation for the attack has not been made public, but the case illustrates why credentials and access for departing staff must be revoked promptly and why destructive actions against production infrastructure should require more than one person’s authorisation.

According to industry research, around 30% of breaches are linked to insider actions. Although most of these are thought to be the result of human error rather than malicious intent, insider incidents are now estimated to cost organisations an average of $1.6 million a year.

Speaking at the time of the arrest, a spokesperson for Cisco stated on the matter, "We brought this issue directly to law enforcement and appreciate their partnership in bringing this person to justice. We are confident processes are in place to prevent a recurrence."

Twitter Fined €450,000

Ireland’s Data Protection Commission has fined social media company Twitter €450,000 for failing to comply with the General Data Protection Regulation (GDPR).

The fine stems from a bug that exposed the private tweets of protected accounts. Notably, the penalty was not for the bug itself: the authority found that Twitter had breached the regulation by failing to notify it within the 72-hour timeframe that GDPR sets for reporting a personal data breach, and by not adequately documenting the incident.

Describing the fine as an “effective, proportionate and dissuasive measure”, the data watchdog said it had worked closely with Twitter during the investigation. For scale, the platform recorded annual revenue of $3.4 billion last year.

Under the EU-wide regulation, data protection authorities have the power to hand out fines up to a maximum of €20 million or 4% of the offending organisation’s annual global turnover – whichever is greater.

Speaking directly to the fine, Twitter has stated: “We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur.” Adding “We’re sorry it happened.”

Dutch Hacker’s Presidential Password Claims

Dutch authorities have confirmed a hacker’s claim that he accessed President Donald Trump’s Twitter account by simply guessing his password.

Victor Gevers, an ‘ethical hacker’, shared screenshots in October which appeared to show him editing the President’s Twitter profile information, also suggesting that he had gained access by guessing the password – “MAGA2020!”.

Mr Gevers, who will not be facing any charges, said he had been conducting a semi-regular sweep of high-profile Twitter accounts around the time of the US election when he guessed the password correctly on his seventh attempt, after six failures. That a seventh guess was even possible points to the absence of the basic controls one would expect on such an account: a lockout or rate limit on failed logins, and multi-factor authentication.

Although Dutch prosecutors have now confirmed the incident, the White House denied the claim at the time, as did Twitter, which stated: “we've seen no evidence to corroborate this claim, including from the article published in the Netherlands.”

Adding “We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”
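The story above turns on two missing controls: nothing stopped a seventh guess, and the password was a slogan plus a year. The block below is an added example written for this round-up, not code from Twitter or from the researcher, showing how a login handler can enforce both. The failure threshold of 5, the 15-minute lockout window, the in-memory account store, the injectable clock and the small banned-word list are all assumptions chosen for illustration.

```python
"""Added example: lockout after repeated failed logins plus rejection of
slogan-and-year style passwords.  Thresholds, banned words and the
in-memory store are illustrative assumptions, not taken from the article."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

MAX_FAILURES = 5             # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60    # assumed policy: 15-minute lockout
MIN_LENGTH = 12
# Constructed list of base words a site-specific deny list might contain.
BANNED_WORDS = {"password", "maga", "trump", "election", "twitter"}
# Word (up to 8 letters) + four-digit year + optional trailing symbols.
WORD_YEAR_PATTERN = re.compile(r"^[A-Za-z]{1,8}(19|20)\d{2}[!@#$%^&*]*$")


def password_is_acceptable(password):
    """Return (ok, reason). Rejects short, banned-word or word+year passwords."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in BANNED_WORDS:
        return False, "based on a banned word"
    if WORD_YEAR_PATTERN.match(password):
        return False, "word-plus-year pattern is trivially guessable"
    return True, "ok"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class FakeClock:
    """Injectable clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.accounts = {}
        self.clock = clock

    def register(self, username, password):
        ok, reason = password_is_acceptable(password)
        if not ok:
            raise ValueError(reason)
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)      # burn the same time for unknown users
            return "denied"
        if now < acct.locked_until:
            return "locked"              # do not even evaluate the password
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    clock = FakeClock()
    auth = Authenticator(clock)
    print(password_is_acceptable("MAGA2020!"))        # rejected: too short
    print(password_is_acceptable("Freedom2020!!!!"))  # rejected: word+year
    auth.register("potus", "correct horse battery staple 2020")
    for i in range(7):                                # the seventh guess never runs
        print(i + 1, auth.login("potus", f"guess{i}"))
    clock.t += LOCKOUT_SECONDS + 1
    print("after lockout:", auth.login("potus", "correct horse battery staple 2020"))
```

Two design points: the handler returns "locked" before computing the hash, so a locked account costs the server nothing and leaks nothing about whether the guess was right; and an unknown username still pays for a hash computation, so response time does not reveal which accounts exist. A real deployment would persist the counters server-side and pair this with multi-factor authentication rather than relying on lockout alone.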

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
