UK debt relief charity Christians Against Poverty has begun writing to supporters following a data breach that exposed personal details – including phone and bank account numbers, and banking sort codes.

Unidentified hackers broke into the charity's systems in late July. The intrusion was only detected a week later, according to an alert published by Christians Against Poverty, a charity that works to lift poor families out of debt.

On 1 August 2016 we identified some suspicious activity on our computer systems that presents a potential security risk for those whose data is held by Christians Against Poverty.

Our investigations show that some, but not all, of our systems were compromised the previous week. As soon as we identified this we called in IT security experts who confirmed that although our servers and systems were well protected, we have been subjected to a sophisticated, illegal, external attack.

Unfortunately, this means that details belonging to supporters and clients (both current and former) may have been accessed. These details could include names, addresses, email, phone and bank account numbers/sort codes. I’m really disappointed that this has happened, but I want to reassure you that we are taking all possible steps to ensure the ongoing security of our systems.

Christians Against Poverty published the notice on 4 August and has since begun contacting all affected parties, including supporters and the poor families the charity helped with debt problems. El Reg became aware of the breach after an email notice sent to the elderly relative of a reader, Colin, was forwarded to us late last week.

Christians Against Poverty has set up a dedicated micro-site to respond to the concerns of affected parties. The charity's handling of the breach has received a sympathetic response from supporters on Twitter, even though the exposure of bank account details goes well beyond the now sadly routine stream of login credential and password breaches.

It's unclear whether the exposed data was encrypted, or why the charity was holding banking data on its own systems in the first place. In its FAQ, Christians Against Poverty sought to downplay the concerns of supporters and clients while admitting that they may be at heightened risk of phishing attacks.

“We are taking this issue very seriously and are continuing to investigate with the help of the police and external security experts,” it said. “Please be reassured that we are taking all possible steps to ensure the ongoing security of our systems.”

Christians Against Poverty has reported the breach to the Information Commissioner's Office, the UK's data protection watchdog. ®

The Register - Security

Microsoft researchers have devised a way for third parties to make use of the vast amount of encrypted data stored in the cloud by companies and individuals, without those third parties actually having access to it or learning anything about it (except for what can be deduced from the result).

The solution involves a protocol for a Secure Data Exchange (SDE) built on Secure Multi-Party Computation (MPC), which removes the need for the third party to decrypt the data (and therefore be able to peek into it) before it is used in computations.

The owner of the data gives the keys to it to the buyer (or keys to part of it to the potential buyer) and the buyer uses them to decrypt the data inside a multiparty computation.

“All of the computation is performed in the cloud, and the computation itself is encrypted in such a way that not even the cloud knows what is being computed, which protects any of the buyer’s data used in the computation such as a proprietary algorithm. If everything goes as expected, the cloud reveals the decrypted results to the interested parties,” Microsoft’s John Roach explains.

In the paper describing the solution, the researchers offered several real-world business scenarios where a secure data exchange using their protocol can come in handy.

For example: A company that’s developing machine learning models that will assist primary care providers in choosing the best treatment plans for their patients needs data to develop and study their models. They want to buy anonymized patient medical records from hospitals to do that, but only if the data does not already fit the model.

“This could in theory be tested by running simple statistical tests comparing the model parameters with the data, but in practice not because the hospital is not willing to disclose its data before a deal has been made,” the researchers explained.

A secure data exchange of this kind can also provide a way for the buyer to try out a fragment of the data, so that they can make an informed decision about whether the entire data set is worth buying.
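The hospital scenario above, as an added toy illustration that is not Microsoft's SDE protocol or any code from the paper: two non-colluding cloud servers each hold an additive secret share of the hospital's records and of the buyer's model parameter, and each evaluates the same linear function over its shares. Only the combined result (here, how far the data's mean sits from the model's assumed mean) is ever reconstructed; neither server's view contains a single plaintext value. The field size, the sample ages and the "model mean" parameter are all constructed for the example. This shows only the data-hiding half of what the article describes: hiding the computation itself from the cloud, and anything beyond additions and scalar multiplications, needs extra machinery (garbled circuits or precomputed multiplication triples) that this example does not attempt.

```python
import secrets

# Arithmetic is done in a prime field. Real values are tiny compared with P,
# so a result can be mapped back to a signed integer after reconstruction.
P = 2**61 - 1


def share(value: int) -> tuple[int, int]:
    """Split an integer into two additive shares, one per cloud server.

    Each share on its own is uniformly random and reveals nothing about value.
    """
    r = secrets.randbelow(P)
    return r, (value - r) % P


def reconstruct(share0: int, share1: int) -> int:
    """Combine both shares and map the field element back to a signed integer."""
    v = (share0 + share1) % P
    return v - P if v > P // 2 else v


class CloudServer:
    """One of two non-colluding servers. It stores shares, never plaintext."""

    def __init__(self) -> None:
        self.shares: dict[str, int] = {}

    def receive(self, label: str, value: int) -> None:
        self.shares[label] = value

    def linear_combination(self, terms: list[tuple[str, int]]) -> int:
        # sum(coeff * share) is itself a valid share of sum(coeff * plaintext),
        # so each server computes this locally without talking to the other.
        return sum(coeff * self.shares[label] for label, coeff in terms) % P


def secure_mean_gap(ages: list[int], model_mean: int) -> tuple[int, dict, dict]:
    """Compute sum(ages) - n * model_mean without either party revealing its input.

    Returns the disclosed result plus each server's complete view, so a caller
    can check that the views contain nothing but random field elements.
    """
    n = len(ages)
    s0, s1 = CloudServer(), CloudServer()

    # Seller (hospital) uploads a share of every record to each server;
    # buyer uploads a share of its model parameter the same way.
    for i, age in enumerate(ages):
        a0, a1 = share(age)
        s0.receive(f"age{i}", a0)
        s1.receive(f"age{i}", a1)
    m0, m1 = share(model_mean)
    s0.receive("mu", m0)
    s1.receive("mu", m1)

    # Both servers evaluate the same public linear function over their shares.
    terms = [(f"age{i}", 1) for i in range(n)] + [("mu", -n)]
    r0 = s0.linear_combination(terms)
    r1 = s1.linear_combination(terms)

    # Only the combined result is disclosed to the interested parties.
    return reconstruct(r0, r1), dict(s0.shares), dict(s1.shares)


if __name__ == "__main__":
    ages = [34, 61, 47, 52, 70]  # constructed sample records (assumption)
    result, view0, view1 = secure_mean_gap(ages, model_mean=50)
    print("sum(ages) - n*mu =", result)
    print("server 0's entire view:", view0)
```

A negative result means the model's assumed mean overshoots the data; the servers learn nothing either way, because every value they hold is a uniformly random field element until paired with its twin.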

The researchers’ solution is still in the concept phase but, according to Roach, they are planning to create – and publicly release – the tools that will allow the creation of secure data exchanges in the not-so-distant future.

Help Net Security

I travel all over the world for my job, and for my hobbies. Although there are still plenty of places I haven't been, I've visited enough foreign countries that I don't deny it when someone calls me a world traveler. Over the years, I've experienced my fair share of foreign spying. I know what it's like to be snooped on.

I'm no longer surprised when I suddenly get gobs of spam from a country I've visited. My best guess is that someone in the country intercepted my email and recorded my email address. I still get porn spam in Arabic and ads for weight loss products in Mandarin. I've had my laptop and USB keys searched at countless borders.

An eye-opening moment: On one trip to an Asia-Pacific country, while I was taking a shower in my hotel room, I saw someone insert a USB key into my unlocked laptop. I yelled and jumped out of the shower, and the intruder ran out of the room, leaving his USB key behind. On it was a remote backdoor Trojan. That someone believed I was significant enough to spy on made me feel pretty important. It also taught me to be much more careful with my laptop.

Besides keeping your eyes and ears open, what else can you do to protect your privacy and data when traveling? After discussing the topic recently with Salo Fajer, CTO of cybersecurity firm Digital Guardian, I put together the list below. After spending just a brief time with Fajer, I realized we shared a lot of the same ideas on protecting our data from foreign adversaries, but he had a few I hadn't thought of.

#1. Know your rights before you go

First and foremost, know your rights and the local laws before you go to a foreign country. Just as you must know the currency, the exchange rate and when to tip, you need to know what legal rights a particular country's authorities have to inspect or copy your data.

It might surprise you to learn that your normal privacy rights, not to mention your Constitutionally protected rights as a U.S. citizen, largely go away at the border. Border crossings are a legal no-man's land: the protections you enjoy inside either country often do not apply there, and border agents typically have broad powers to inspect devices. One of my Canadian co-workers, who traveled to the United States dozens of times a year, was once asked at the border to turn on his laptop, provide his encryption key, and let the border authorities copy his laptop's digital contents. He initially refused because his laptop contained private customer data that he legally could not provide ... or so he thought.

The border guards told him that if he did not provide the data he would be immediately prevented from entering our country for five years. He called our company's lawyers and they recommended that he provide the encryption key and give the border guards access to the data.

One little tip I gained from that experience is to double encrypt my data. I use a full disk encryption product that is readily apparent to anyone who turns on my computer. But I use a second encryption product to encrypt my most critical data a second time. I have changed the directory path, icon, and executable names so that they look like they belong to a common, run-of-the-mill program. Turns out that if the border guards don't know something is double encrypted, they don't ask for the second set of encryption keys. It's a cryptographer's variation of “Don't ask, don't tell.”

#2. Protect copied data

I'm a big fan of data protection schemes like Microsoft's Active Directory Rights Management Services (AD RMS) that keep the data encrypted, and tied to an access policy, no matter where it is copied. So even if border guards or spies get a copy of your files, they are unlikely to be able to read them later on.

#3. Leave the data home

Better yet, leave the data at home. These days, all my data is stored in the cloud. Before traveling, I just delete the local copy after disabling the sync feature, so that there is no data on my laptop in the first place. I do all my updates and edits on cloud-based copies when I'm away, and then re-enable the local cache when I return home. Or I use the same method, but take another device that never had the data on it in the first place.

#4. Always choose the most secure network option

Whether you're traveling abroad or at home, you should always choose the most secure network option available. Be wary of all free Wi-Fi and Bluetooth connections. Make sure you're connecting only to the venue's official Wi-Fi network and not to a rogue access point impersonating it. Better yet, if you can't be sure you're on the right open Wi-Fi network, use your cell phone's tethering feature instead.
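One way to put the "official Wi-Fi only" advice into practice, as an added example that is not from the original article: before joining a network, run a scan and compare what you see against the venue's printed information. The checks below flag the classic rogue-AP patterns, an official SSID name rebroadcast with weaker security than it should have, look-alike names, and radios from more than one hardware vendor behind one name. The scan records, the vendor prefixes and the `KNOWN` table are all constructed for the example; the vendor-prefix check is a heuristic, since large venues sometimes mix hardware.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # MAC address of the radio, e.g. "a4:5e:60:11:22:33"
    security: str   # "OPEN", "WPA2", "WPA3", as reported by the scanner
    signal: int     # percent


def oui(bssid: str) -> str:
    """First three octets of a MAC address: the hardware vendor prefix."""
    return bssid.lower()[:8]


def normalize(ssid: str) -> str:
    """Collapse case and punctuation so 'Hotel_Guest' and 'HotelGuest' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_suspicious(aps: list[AccessPoint], known: dict[str, str]) -> dict[str, list[str]]:
    """Flag SSIDs that look like rogue or impersonating access points.

    known maps an official SSID (from the venue's printed info) to the
    security type it is supposed to use. Returns ssid -> list of reasons;
    an SSID with no findings is absent from the result.
    """
    warnings: dict[str, list[str]] = defaultdict(list)
    by_ssid: dict[str, list[AccessPoint]] = defaultdict(list)
    for ap in aps:
        by_ssid[ap.ssid].append(ap)
    known_norm = {normalize(name): name for name in known}

    for ssid, group in by_ssid.items():
        securities = {ap.security for ap in group}
        ouis = {oui(ap.bssid) for ap in group}

        if ssid in known:
            expected = known[ssid]
            bad = sorted(ap.bssid for ap in group if ap.security != expected)
            if bad:
                warnings[ssid].append(
                    f"expected {expected} but radios {bad} advertise something else")
        elif normalize(ssid) in known_norm:
            official = known_norm[normalize(ssid)]
            warnings[ssid].append(f"look-alike of official network {official!r}")

        # One name broadcast with different security settings from different
        # radios is the evil-twin pattern, even without a known-networks list.
        if len(securities) > 1:
            warnings[ssid].append(f"mixed security {sorted(securities)} under one SSID")
        # Heuristic: a venue's access points usually share one vendor prefix.
        if len(ouis) > 1:
            warnings[ssid].append(f"radios from {len(ouis)} different vendor prefixes")

    return dict(warnings)


# Constructed scan results, shaped like what `nmcli dev wifi` reports.
SCAN = [
    AccessPoint("HotelGuest", "a4:5e:60:11:22:33", "WPA2", 80),
    AccessPoint("HotelGuest", "a4:5e:60:11:22:44", "WPA2", 62),
    AccessPoint("HotelGuest", "00:c0:ca:99:88:77", "OPEN", 91),   # rogue twin, other vendor
    AccessPoint("Hotel_Guest", "00:c0:ca:99:88:78", "OPEN", 90),  # look-alike name
    AccessPoint("CornerCafe", "f0:9f:c2:aa:bb:cc", "OPEN", 40),   # unrelated open network
]
KNOWN = {"HotelGuest": "WPA2"}  # from the front desk's card (assumption)

if __name__ == "__main__":
    for ssid, reasons in find_suspicious(SCAN, KNOWN).items():
        print(ssid)
        for reason in reasons:
            print("  -", reason)
```

Note that the strongest signal in the constructed scan belongs to the rogue radio; a client left on "auto-connect" will happily pick it, which is exactly why the check should run before you join rather than after.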

#5. HTTPS is your friend

Make sure all of your web surfing, or at least your surfing to websites you authenticate with, is protected by TLS-enabled HTTPS. You don't want bad guys sniffing your connections. Be suspicious of any wireless network or captive portal that asks you to install a digital certificate on your computer: a fake root certificate is how an attacker positions themselves to man-in-the-middle your HTTPS connections, and it's more common these days than ever.

Also, it's important to remember that your 2FA (two-factor authentication) methods may not work, especially if your 2FA option uses your cell phone or messaging and your cell phone's voice or data service doesn't work.

#6. Use a VPN

Use your corporate VPN whenever possible. If your VPN connection uses split-tunneling, understand which traffic goes through the tunnel and which goes straight out over the local network. Fajer uses his own personal VPN router when traveling to make sure all connections are protected. Personally, I'm a big fan of Anonabox.

#7. Use privacy screens

I'm very old school. When I travel I always make sure I have a good privacy screen over my laptop display to keep prying eyes from reading what I'm reading or typing. 3M makes some of the most versatile and secure privacy screens you'll find.

#8. Use throwaway accounts

I try not to use other people's computers, but there are times when using other computers is necessary or at least very useful. When I do, I often use temporary, throwaway email and cloud storage accounts. For example, I send my airline tickets to a throwaway account so I can pick them up and print them on hotel computer equipment. Hotel computers are obvious targets for malware and keyloggers. If you print that ticket from a throwaway account that you'll never use again, who cares if someone can access it after you leave?

#9. Lock your device

It goes without saying that you should lock your computing devices anytime you aren't using them -- even in your own hotel room when you're using the shower.

#10. Make sure your device is secure

Don't take your regular device along on trips if you don't have to. But regardless of whether the computer is your normal device or just a travel one, you want it as secure as possible. It should be securely configured, have all security patches applied, and run a host-based firewall and host intrusion prevention software as well. Fajer also advises turning off any file or network sharing features before you leave.

#11. Don't broadcast your current location

Lastly, while this isn't exactly a travel tip, don't share your current location with the world. This happens all the time when people use social media. Maybe it's the paranoia gripping me, but I've never understood my friends letting everyone know when they are out of the country, advertising that either their house is empty or that their spouse or kids are home alone. I love to share my pictures and adventures on social media, but I wait until I'm home and able to protect my assets and loved ones.

If you travel, whether halfway around the world or halfway across the state, you must take special care to make sure your data and devices stay secure. If you don't take precautions, it's only a matter of time before you get burned.

InfoWorld Security Adviser

Researchers at Rapid7 spotted bugs in Fisher-Price and hereO products that could expose data.

Researchers at Rapid7 discovered vulnerabilities in Fisher-Price's Smart Toy and hereO's GPS platforms that could allow an attacker to collect the personal information of a user.

The Smart Toy is a stuffed animal that connects to an online account via Wi-Fi to provide users with a customizable educational and entertainment experience.

The toy's platform contained an improper authentication handling vulnerability that could allow an unauthorized user to obtain a child's name, age, date of birth, gender, spoken language and more, according to a Feb. 2 security blog post.

Many of the platform's web service application program interface (API) calls didn't appropriately verify the "sender" of messages, meaning that the service checked who was calling but not whether that caller was entitled to the record being requested, so a would-be attacker could send requests that should never have been authorized, according to the post.

In addition to compromising privacy, an attacker could use the bug to launch social engineering campaigns or to force the toy to perform actions that users didn't intend, the researchers wrote.

The platform behind hereO's GPS tracker, which lets family members share their locations with each other, was also vulnerable to outside manipulation.

The hereO GPS platform contained an authorization bypass vulnerability which could allow an attacker to access every family member's location, according to the post.

Once exploited, an attacker could discreetly add their account to any family's network and manipulate notifications through social engineering to avoid detection.

Researchers gave the example of an attacker adding themselves to a family's network under the “name” 'This is only a test, please ignore,' in an attempt to avoid raising suspicion.
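Both bugs above are the same class of flaw, an authorization check missing after authentication, so one added example covers them. The code below is a constructed, simplified model and not the vendors' actual APIs or Rapid7's findings in code: each vulnerable handler accepts any valid session token and then trusts the identifier in the request, while the hardened version ties the record (a child profile, or membership of a family's location-sharing group) to the authenticated account. Session tokens, account names and profile data are all made up for the example.

```python
from dataclasses import dataclass, field

# --- constructed in-memory state standing in for a vendor's backend ---
SESSIONS = {"tok-parentA": "parentA", "tok-parentB": "parentB", "tok-attacker": "mallory"}


@dataclass
class ChildProfile:
    child_id: int
    owner: str        # account that registered the toy
    name: str
    birthdate: str


@dataclass
class Family:
    family_id: int
    members: set = field(default_factory=set)
    names: dict = field(default_factory=dict)      # account -> display name shown to others
    locations: dict = field(default_factory=dict)  # account -> last (lat, lon) fix


CHILDREN = {
    1001: ChildProfile(1001, "parentA", "Ada", "2012-03-04"),
    1002: ChildProfile(1002, "parentB", "Ben", "2013-05-06"),
}
FAMILIES = {7: Family(7, {"parentA"}, {"parentA": "Mum"}, {"parentA": (51.50, -0.12)})}
INVITES: set = set()  # (family_id, invited_account), created only by an existing member


class Forbidden(Exception):
    pass


def _account(token: str) -> str:
    """Authentication: map a session token to an account, or refuse."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("not authenticated") from None


# Vulnerable pattern: authenticates the caller, then trusts the id in the request.
def get_child_vulnerable(token: str, child_id: int) -> ChildProfile:
    _account(token)
    return CHILDREN[child_id]


# Hardened: the record must belong to the authenticated account. The same error
# is raised for "missing" and "not yours" so the endpoint is not an enumeration oracle.
def get_child_hardened(token: str, child_id: int) -> ChildProfile:
    account = _account(token)
    profile = CHILDREN.get(child_id)
    if profile is None or profile.owner != account:
        raise Forbidden("no such child profile")
    return profile


# Vulnerable: any authenticated account can add itself, under any display name,
# to any family and read every member's location.
def join_family_vulnerable(token: str, family_id: int, display_name: str) -> dict:
    account = _account(token)
    fam = FAMILIES[family_id]
    fam.members.add(account)
    fam.names[account] = display_name
    return dict(fam.locations)


# Hardened: joining requires an invitation issued by a current member.
def invite_member(token: str, family_id: int, invitee: str) -> None:
    account = _account(token)
    fam = FAMILIES.get(family_id)
    if fam is None or account not in fam.members:
        raise Forbidden("only current members can invite")
    INVITES.add((family_id, invitee))


def join_family_hardened(token: str, family_id: int, display_name: str) -> dict:
    account = _account(token)
    if (family_id, account) not in INVITES:
        raise Forbidden("no invitation for this family")
    INVITES.discard((family_id, account))
    fam = FAMILIES[family_id]
    fam.members.add(account)
    fam.names[account] = display_name
    return dict(fam.locations)


if __name__ == "__main__":
    print(get_child_vulnerable("tok-attacker", 1001))                   # leaks Ada's profile
    print(join_family_vulnerable("tok-attacker", 7, "This is only a test, please ignore"))
    try:
        get_child_hardened("tok-attacker", 1001)
    except Forbidden as exc:
        print("hardened:", exc)
```

The display name passed by the attacker is the social-engineering angle from the hereO report: with the vulnerable handler it is attacker-chosen text that every family member sees, so the authorization fix has to land server-side, not in the wording of the notification.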

Both vulnerabilities were reported to their respective vendors and have since been fixed. Tod Beardsley, Rapid7's security research manager, said in an email that the fixes were made on the vendors' side and didn't require patches or firmware upgrades to the devices.

Beardsley said that both vendors acted “reasonably and responsibly” during the disclosure process. It's nearly impossible to ship products without some bugs when dealing with the internet of things (IoT) or software in general, he said.

“The goals of companies dedicated to securing personal information should be twofold,” Beardsley said.

”One, make sure that bugs are found in the design and development phases, and two, once vulnerabilities are identified after launch, they are easily and quickly remediated without too much effort by the end users,” he said.

Other IoT toys have been found to pose risks to users as well.

Last year, researchers identified security concerns in Mattel's Hello Barbie that could allow an attacker to extract internal MAC addresses, Wi-Fi network names, account IDs, and MP3 files from the popular doll.

ToyTalk, the company that operates the doll's speech services, reportedly admitted the doll could be hacked but said the vulnerable information did not identify children, nor did it compromise any audio of a child speaking.

Latest articles from SC Magazine News

Conficker data highlights infected networks
Robert Lemos, SecurityFocus 2009-12-16

Conficker may be under control, but the malicious family of programs is resident on more than 6.5 million computers worldwide, with more than 5 percent of some networks' Internet addresses showing signs of infection.

On Wednesday, the ShadowServer Foundation took the wraps off a revamped statistics page, showing how far the three main variants of Conficker have spread and the degree to which the world's networks are infected. More than 12,000 networks, as represented by their autonomous system numbers (ASNs), show signs of infection by Conficker. The ShadowServer Foundation limited their displayed data to the top 500 networks.

"Our major goal is to show how far and wide Conficker has spread and where Conficker really has a foothold," said André DiMino, founder and director of the ShadowServer Foundation.

The team of volunteer researchers, which helped to establish the Conficker Working Group early this year, collects data from its member organizations.

The ShadowServer data groups Conficker into two classes. Conficker A+B consists of the first two variants of the program, which attempt to spread automatically. Conficker C, a variant that appeared in March, has no way to propagate unless it is updated. Overall, the number of Internet addresses showing signs of infection by Conficker A+B is increasing, while signs of Conficker C infection are decreasing.

The data shows that, while large countries -- such as China -- have a large number of Conficker-infected machines, proportionally only 1 percent of the IP space of the country's largest network shows signs of infection. On the other hand, large networks in countries such as Vietnam, Indonesia and Ukraine have more than 5 percent of their address space showing signs of infection.

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm initially spread using a vulnerability in Microsoft Windows (MS08-067, in the Server service) and contacted 250 random domains a day to check for updates. By April, Conficker had morphed into a botnet that maintained peer-to-peer connections but no longer spread automatically. Where the first versions of the program contacted 250 random domains, the latest version generates 50,000 random domains every day and contacts 500 of them for updates.

Since early this year, the Conficker Working Group has preregistered the domains to block the software from updating itself.
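Why the jump from 250 to 50,000 names a day matters to the defenders doing the preregistration, as an added example that is not Conficker's actual algorithm or any Working Group code: the toy generator below stands in for a domain generation algorithm (its seed, label lengths and TLD list are constructed), and `p_bot_reaches_update` computes, from the article's numbers, how likely a bot that queries a sample of the day's names is to hit one the defenders failed to register. A single missed name in 250 is fatal when the bot tries all 250; with 50,000 names and 500 lookups, missing just 1 percent of the names already lets more than 99 percent of bots through.

```python
import hashlib
from datetime import date

# Toy DGA for illustration only; this is NOT Conficker's real algorithm.
TLDS = ["com", "net", "org", "info", "biz"]   # constructed list
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def toy_dga(day: date, count: int, seed: bytes = b"example-seed") -> list[str]:
    """Deterministically derive `count` domain names for a given day.

    Bot and defender both run the same function, which is what lets the
    defender register (or sinkhole) every name before the bots look it up.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def p_bot_reaches_update(total: int, unregistered: int, attempts: int) -> float:
    """Probability that a bot querying `attempts` distinct names out of `total`
    hits at least one the defenders did not register (hypergeometric, no replacement)."""
    if not 0 <= unregistered <= total or not 0 <= attempts <= total:
        raise ValueError("inconsistent counts")
    registered = total - unregistered
    if attempts > registered:
        return 1.0          # cannot draw `attempts` names from the registered ones alone
    p_all_blocked = 1.0
    for i in range(attempts):
        p_all_blocked *= (registered - i) / (total - i)
    return 1.0 - p_all_blocked


def coverage_table(total: int, attempts: int) -> list[tuple[float, float]]:
    """(fraction of names left unregistered, P(bot reaches an update)) for a few miss rates."""
    rows = []
    for miss_rate in (0.0, 0.001, 0.01, 0.05):
        missed = round(total * miss_rate)
        rows.append((miss_rate, p_bot_reaches_update(total, missed, attempts)))
    return rows


if __name__ == "__main__":
    print("sample of today's names:", toy_dga(date(2009, 12, 16), 5))
    for label, total, attempts in (("early variants", 250, 250), ("latest variant", 50000, 500)):
        print(label)
        for miss_rate, p in coverage_table(total, attempts):
            print(f"  {miss_rate:5.1%} of names unregistered -> P(bot gets update) = {p:.4f}")
```

The defenders' position is therefore all-or-nothing: the larger name space does not make the botnet harder to block in principle, it makes near-total daily coverage, across every TLD the generator can emit, the only coverage that counts.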

"Every day the security companies spend time and money to register domains," said Tom Cross, a security researcher with IBM's X-Force. "They are doing it altruistically. If they give up because no one cares, and they stop registering those domains, then the bot masters can start using the botnet again."

Yet, despite having infected 6.5 million systems, Conficker is a threat that is largely contained, said DiMino. In early October, the number of Internet protocol (IP) addresses showing signs of infection peaked at slightly more than 7 million, falling since then. Some countries -- such as Brazil -- have focused on identifying and cleaning compromised systems. The ShadowServer data shows that the country has had some success.

"Everyone is talking about Brazil (as a major source of Conficker traffic), but they have been working hard at reducing Conficker," DiMino said.

The ShadowServer Foundation will provide an in-depth report for free to any network operator that contacts them. The reports list the specific IP addresses from which Conficker traffic has been detected.

SecurityFocus News

Greg Clarke, HPE; Mark Cowing, Shook, Hardy and Bacon; Michael Simon, Seventh Samurai; Barclay Blair, IG Initiative

The advent of free or very inexpensive cloud storage is presenting organizations with the dilemma of what data to save and what to ditch in order to both save money and mitigate risk.

On the one hand, holding the data forever may not cost much in storage, but there is always the risk that the stored data could be stolen or used against a corporation, causing a problem that could potentially cost it millions of dollars, the panel at LegalTech 2016's Ditch that Data to Mitigate Risk and Reduce Legal Spend session told its audience.

To help figure out what to keep and what to toss, the panel floated the idea of adding a new executive with a foot on both the technical and the legal side of the problem.

Barclay Blair, founder and executive director of the Information Governance Initiative said making the decision is tough because companies like Google and Apple want individuals to save their data, but this is an urge that has to be fought off. He suggested corporations need to create a new C-level executive position to handle data elimination.

“We need someone to own this problem,” Blair said.

Mark Cowing, a partner with Shook, Hardy and Bacon, agreed, saying the person should bridge the gap between legal and IT and help decide what information can be eliminated.