Around 1.4 million customers of a number of UK clothing and accessories websites have had their personal information exposed following a security breach at an IT services provider that they were sharing. Brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, DLSB (Dirty Little Style Bitch), and Traffic People were affected. Lee Munson, Security Researcher at Comparitech.com: “Data breaches of differing magnitudes are almost a daily occurrence and I’m sure many people have sympathy for the affected companies to some degree, more so if their response is quick and transparent in nature. So, the fact that a number…
ISBuzz Team
It has been reported today that Dixons Carphone has announced that the huge data breach that took place last year involved 10 million customers, significantly up from its original estimate of 1.2 million. The company said personal information, names, addresses and email addresses may have been accessed; however, no bank details were taken and it had found no evidence that fraud had resulted from the breach. The hackers also got access to records of 5.9 million payment cards, but nearly all of those were protected by the chip and PIN system. IT security experts commented below. Bill Evans, Senior Director at One Identity: “It…
In every theatre performance, we cheer and clap for the leads on stage, but how often do we give credit to those working behind the scenes? Without them though, the show couldn’t go on, and the same is true for any organisation when it comes to SysAdmins. SysAdmin Day provides us with an opportunity to shine the limelight on those working in the background on all aspects of an organisation’s IT. Below, industry CTOs provide their thoughts on why we should cheer for the important work SysAdmins do for businesses on a daily basis, and not only heckle them when…
Researchers have found 20 flaws in Samsung’s SmartThings Hub controller – opening up supported third-party smart home devices to attack. Commenting on the news are the following security professionals: Craig Young, Principal Security Researcher at Tripwire: “For an attacker, smart home hubs are an ideal point of attack. A compromised hub can not only give a foothold into a home network and expose usernames and passwords, it can also allow an attacker to control devices and to generally spy on victims. Depending on the types of gadgets linked to it, a smart home hub can reveal when people are home…
Graz University has just published findings on a new type of Spectre attack, NetSpectre: Read Arbitrary Memory over Network, which works over network connections without running any code on the target victim’s machine. This new type of Spectre threat does not require malware on a victim’s machine or a click on malicious JavaScript. Two security experts with Juniper Networks offer perspective in response. Craig Dods, Distinguished Engineer – Security at Juniper Networks: “Spectre has been elevated from a class of vulnerabilities that requires local code execution privileges to one that can be conducted against remote targets. And, this first cacheless version of Spectre relies on AVX state and…
In response to a new Trend Micro survey, which found among other things that only half of IT and security decision-makers believe IoT-related attacks are a threat to their organizations, and that 43% view IoT security as an afterthought, an expert with Corero Network Security offers commentary. Sean Newman, Director Product Management at Corero Network Security: “Responses to the recent Trend Micro survey of IT and security decision makers show a disappointing disregard for IoT security, combined with a certain level of naivety. With the focus around data breach and the associated impact, there was no recognition of other key IoT…
Rapid7 conducted hundreds of simulated cyberattacks, and recently published the results in a study that showed at least one vulnerability was exploited in 84% of engagements. The study, titled “Under the Hoodie,” reflects 268 tests conducted across a number of industries. Justin Jett, Director of Audit and Compliance at Plixer: “With the latest results from Rapid7’s Under the Hoodie 2018 penetration tests, it is clear that network vulnerabilities are still a major security issue for organizations. It is especially concerning that when a hacker has access to the local network, they are able to capture at least one credential 86 percent of the…
New Fortinet findings show that the P2P Hide ‘N Seek (HNS) botnet now also includes exploits to target home automation systems and devices, noting: “Hide ‘N Seek authors recently included an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability; the malicious code allows the botnet to target devices in smart homes controlled by the HomeMatic central unit.” In response, a botnet expert with Corero Network Security offers perspective. Sean Newman, Director Product Management at Corero Network Security: “The continued evolution of the Hide ‘N Seek botnet, gathering up new IoT vulnerabilities which enable it to ensnare devices from an ever-expanding list…
A new hacking campaign aims to use old vulnerabilities in Microsoft Office software to create a backdoor into Windows systems to spy and steal files. Dubbed Felixroot, the malware is delivered to individuals in Ukraine using a weaponised phishing email claiming to contain seminar information on environmental protection, indicating that the selected victims are likely to be highly targeted. Liron Barak, CEO and Co-founder at BitDam: “Logical exploits like CVE-2017-0199 and CVE-2017-11882 have become increasingly popular in recent months. Compared to macro attacks, which require user interaction, these types of vulnerabilities allow hackers to launch highly targeted attacks with very little effort. “Even though organisations…
At the Node Summit in San Francisco, attendees were delivered a stark reminder that despite being among the most technical members of organisations, developers still pose a significant phishing risk. Tim Helming, Director of Product Management at DomainTools: “This is a timely reminder that no one, no matter how technically sophisticated or security-savvy they are, is ‘unphishable.’ Moreover, good social engineering preys upon assumptions and patterns that are particular to the victim. If an attacker knows how a given class of victims tends to think about content (for example, how and where security or technical personnel get information germane to their fields), then…
