Tag: security breach

WhatsApp is hacked

Source: BBC

WhatsApp has confirmed that a security flaw in the app let attackers install spy software on their targets’ smartphones.

That has left many of its 1.5-billion users wondering how safe the “simple and secure” messaging app really is.

On Wednesday, chip-maker Intel confirmed that new problems discovered with some of its processors could reveal secret information to attacks.

How trustworthy are apps and devices?

Was WhatsApp’s encryption broken?
No. Messages on WhatsApp are end-to-end encrypted, meaning they are scrambled when they leave the sender’s device. The messages can be decrypted by the recipient’s device only.

That means law enforcement, service providers and cyber-criminals cannot read any messages they intercept as they travel across the internet.

However, there are some caveats.

Messages can be read before they are encrypted or after they are decrypted. That means any spyware dropped on the phone by an attacker could read the messages.
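The caveat above is the whole point of the trust boundary in end-to-end encryption: the server in the middle only ever handles ciphertext, while the endpoints handle plaintext. The Python below is an added illustration written for this page, not WhatsApp’s code or protocol (WhatsApp uses the Signal protocol, which is far more involved). It assumes a conversation key that both devices already share (the key exchange is out of scope here), uses an HMAC-based authenticated stream cipher, a relay that only forwards opaque blobs, and an on-device observer that stands in for any code running with the app’s privileges on the handset.

```python
"""Constructed model of the end-to-end encryption trust boundary (not WhatsApp's protocol)."""
import hashlib
import hmac
import os


def derive_keys(shared_secret):
    """Derive independent encryption and MAC keys from one shared secret (HMAC used as a KDF)."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher keystream."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(shared_secret, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(shared_secret, blob):
    """Verify the tag first, then decrypt; any change made in transit is rejected."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Relay:
    """The messaging server: it forwards blobs and can only record what passes through it."""

    def __init__(self):
        self.observed = []

    def forward(self, blob):
        self.observed.append(blob)
        return blob


class Device:
    """A handset. `on_device_observer` models any code that runs alongside the app."""

    def __init__(self, shared_secret, on_device_observer=None):
        self.secret = shared_secret
        self.observer = on_device_observer
        self.inbox = []

    def send(self, text, relay):
        if self.observer:
            self.observer(text)  # plaintext exists here, before encryption
        return relay.forward(seal(self.secret, text.encode()))

    def receive(self, blob):
        text = unseal(self.secret, blob).decode()
        if self.observer:
            self.observer(text)  # and here, after decryption
        self.inbox.append(text)
        return text


def run_demo(message="meet at 10"):
    """Show what each party can see: relay (ciphertext only), recipient and on-device code (plaintext)."""
    secret = os.urandom(32)  # assumed: agreed between the two devices beforehand
    relay = Relay()
    seen_on_device = []
    alice = Device(secret, seen_on_device.append)
    bob = Device(secret)
    blob = alice.send(message, relay)
    received = bob.receive(blob)
    relay_saw_plaintext = any(message.encode() in b for b in relay.observed)
    tampered = bytearray(blob)
    tampered[16] ^= 1  # flip one ciphertext bit as the relay might
    try:
        bob.receive(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "received": received,
        "relay_saw_plaintext": relay_saw_plaintext,
        "device_observer_saw": seen_on_device,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The relay never holds a key, so it can neither read nor silently alter the message; the on-device observer sees the exact text because encryption has not happened yet (or has already been undone). That is why a compromised handset defeats the scheme while the encryption itself remains intact.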

On Tuesday, news site Bloomberg published an opinion article calling WhatsApp’s encryption “pointless”, given the security breach.

However, that viewpoint has been widely ridiculed by cyber-security experts.

“I don’t think it’s helpful to say end-to-end encryption is pointless just because a vulnerability is occasionally found,” said Dr Jessica Barker from the cyber-security company Cygenta.

“Encryption is a good thing that does offer us protection in most cases.”

Cyber-security is often a game of cat and mouse.

End-to-end encryption makes it much harder for attackers to read messages, even if they do eventually find a way to access some of them.

What about back-ups?
WhatsApp gives the option to back up chats to Google Drive or iCloud but those back-up copies are not protected by the end-to-end encryption.

An attacker could access old chats if they broke into a cloud storage account.

Of course, even if users decide not to back up chats, the people they message may still upload a copy to their cloud storage.

Should people stop using WhatsApp?
Ultimately, any app could contain a security vulnerability that leaves a phone open to attackers.

WhatsApp is owned by Facebook, which typically issues software fixes quickly.

Of course, even large companies can make mistakes and Facebook has had its share of data and privacy breaches over the years.

There is no guarantee a rival chat app would not experience a similar security lapse.

At least, following the disclosure of this flaw, WhatsApp is slightly more secure than it was a week ago.

Signal is an open-source project
Some rival chat apps are open-source projects, which means anybody can look at the code powering the app and suggest improvements.

“Open-source software has its value in that it can be tested more widely, but it doesn’t necessarily mean it’s more secure,” said Dr Barker.

“Vulnerabilities can still be found with any tech, so it’s not the answer to our prayers.”

And if someone did decide to switch to a rival chat app, they would still have to convince their contacts to do the same. A chat app without friends is not much use.

Is any device ever safe?
In theory, any device or service could be hacked. In fact, security researchers often joyfully pile in on companies that claim their products are “unhackable”.

They quickly discover vulnerabilities and the embarrassed companies retract their claims.

If people are worried data may be stolen from their computer, one option is to “air gap” the device: disconnect it from the internet entirely.

That stops remote hackers accessing the machine – but even an air gap would not stop an attacker with physical access to the device.

Dr Barker stressed the importance of installing software updates for apps and operating systems.

“WhatsApp pushed out an update and consumers might not have realised that security fixes are often included in updates,” she told BBC News.

WhatsApp did not help the cause, however, by describing the latest update as adding “full-size stickers”, and not mentioning the security breach.

“People need to be made aware that updates are really important. The quicker we can update our apps, the more secure we are,” said Dr Barker.

As always, there are simple security steps to remember:

  • Install app and operating system security updates
  • Use a different password for every app or service
  • Where possible, enable two-step authentication to stop attackers logging in to accounts
  • Be careful about what apps you download
  • Do not click links in emails or messages you are not expecting

Liberty Life hacked, user data exposed

Financial services group Liberty Life sent out an SMS to their clients on Saturday evening informing them of a major security breach.

Liberty launched an investigation after its systems were hacked, and said the hackers alerted the company to potential vulnerabilities in its systems and were now demanding compensation.

The Sunday Times reported that the hackers obtained sensitive information about some top clients and have demanded payment of millions of rand not to release the data.

Liberty has communicated with its customers regularly, advising them to change passwords as applicable.

Liberty Life hack could be ‘an inside job’: expert

A security expert has questioned how hackers gained access to Liberty Life clients’ information, suggesting it could have been an inside job.

The financial services provider confirmed on Saturday that its information technology system was hacked last week by people who demanded payment. It has since regained control of the system.

“It most likely happened in one of two ways: it was either an inside job or someone with the correct privileges was hacked, which means that they could have used that person’s permissions to get into the system,” said managing director of Ukuvuma Cyber Security, Andrew Chester.

He said the hack could have been avoided by applying general data security practices such as encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.

“Why did Liberty have unstructured email data and attachments that were left unmonitored and more importantly, why was this sensitive data not encrypted? When doing threat-hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected.

“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.

Chester said it was also concerning that no-one detected the breach until the hackers themselves informed the company.

“There’s a common saying that you sometimes don’t know you’ve been hacked until law enforcement comes knocking at your door, but in this case, Liberty only found out once the criminals had contacted them,” he said.
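Chester’s remark that the first thing to look for is how easily data can leave without being detected translates into monitoring for bulk reads of exactly the unstructured email data he describes. The Python below is an added example for this page, not anything from Liberty’s or Ukuvuma’s systems: it parses a constructed, hypothetical audit-log format for attachment downloads and raises an alert when one account pulls more than a threshold of bytes, or touches more than a few distinct mailboxes, inside a one-hour sliding window, also noting whether the activity fell outside business hours.

```python
"""Added example: bulk mailbox-export detection over a constructed audit log (hypothetical format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format and names are invented for this illustration.
SAMPLE_LOG = """\
2018-06-13T09:14:02Z user=mary action=attachment_download bytes=240000 mailbox=claims
2018-06-13T09:20:45Z user=mary action=attachment_download bytes=180000 mailbox=claims
2018-06-13T10:02:11Z user=sipho action=attachment_download bytes=90000 mailbox=payroll
2018-06-13T23:41:09Z user=svc_backup action=attachment_download bytes=52000000 mailbox=exec
2018-06-13T23:42:30Z user=svc_backup action=attachment_download bytes=61000000 mailbox=exec
2018-06-13T23:44:12Z user=svc_backup action=attachment_download bytes=48000000 mailbox=legal
2018-06-14T08:30:00Z user=sipho action=attachment_download bytes=120000 mailbox=payroll
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) mailbox=(?P<mailbox>\S+)$"
)


def parse(log_text):
    """Turn audit lines into event dicts; lines that do not fit the expected shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": d["user"],
            "action": d["action"],
            "bytes": int(d["bytes"]),
            "mailbox": d["mailbox"],
        })
    return events


def bulk_export_alerts(events, window=timedelta(hours=1),
                       byte_threshold=100_000_000, mailbox_threshold=2):
    """Per-user sliding window: alert when downloaded bytes or distinct mailboxes exceed the thresholds."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "attachment_download":
            per_user[e["user"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            total = sum(e["bytes"] for e in win)
            boxes = {e["mailbox"] for e in win}
            if total > byte_threshold or len(boxes) > mailbox_threshold:
                ts = evs[end]["ts"]
                alerts.append({
                    "user": user,
                    "bytes": total,
                    "mailboxes": sorted(boxes),
                    "window_end": ts,
                    "off_hours": not (7 <= ts.hour < 19),  # assumed business hours 07:00-19:00
                })
                break  # one alert per user is enough for this illustration
    return alerts


if __name__ == "__main__":
    for a in bulk_export_alerts(parse(SAMPLE_LOG)):
        print(a)
```

Thresholds here are placeholders; in practice they are set from a baseline of normal per-user volume, and a service account reading executive mailboxes at midnight is the kind of event that should page someone before any outside party has to.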

The company said its investigation into the breach was at an “advanced stage”.

Source: eNCA 

Fin24 recently published an article with the headline: “Massive Afrihost security flaw exposed”.
The article stated that “a massive security flaw” left the ADSL credentials of users vulnerable. The situation was brought to light by a Durban software expert, Taylor Gibb, who recently posted on Facebook that “Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk”.

Afrihost has released the following statement:

1. There was no breach of data at any time

No databases, personal information, payment information or account details have been breached or hacked in any way. The article is based on hypothetical scenarios conceived by the author of the article, who was never (at any time) in possession of the data mentioned.

2. Our clients are not at risk

Since no data was actually obtained, our clients are not at risk at all. We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever (based on the scenario in this article).

3. Passwords were never stored in plain text

The writer makes several assumptions regarding the state of personal data, such as passwords being stored in plain text, which are inaccurate. Passwords are encrypted.

4. The information relates ONLY to ADSL usernames and passwords

No payment information, personal information or ClientZone user login information was ever at risk. At absolute worst, the information in question could only be used to log in to an ADSL account (and one that allows concurrent logins). Any client could still view their ADSL sessions via their ClientZone and request any unknown numbers be blocked from accessing their account. There would be zero possibility that these details could ever lead to obtaining payment or personal information.

5. Our team of staff are trustworthy

The article only refers to scenarios where a staff member of Afrihost could access vulnerable information. Our staff have no motivation to steal data from our clients, as they receive free internet for both fixed line (DSL or Fibre) and Mobile Data. In many cases, our staff give out their personal accounts to help our clients test their connectivity. While we did trust our staff with access to passwords – this ability has since been removed – this was always subject to identity verification. However, we have removed this feature for our clients’ peace of mind and will find new ways to ensure that our clients enjoy the same level of convenience when interacting with our consultants.

We’ve always had to balance our need for increased security and safeguards with our clients’ convenience. Changes to our security are in ongoing development at all times, and we had planned to devise a convenient way to roll these out with minimal impact to our clients.

As mentioned, no data was breached, no personal information was compromised and not a single client was adversely affected in any way.

The cost of a data breach in South Africa

Source: IBM

In 2017, the average total organisational cost of data breaches in South Africa was R32.36-million. The average per capita cost was R1 632 ZAR.

These are the major takeaways from the 2017 Cost of Data Breach Study: South Africa, the second annual research conducted by IBM Security and Ponemon Institute.

The 2017 study examines the costs incurred by 21 South African organisations from nine different industry sectors, following the loss or theft of protected personal data and the notification of breach victims as required by various laws.

An increase of 12% in the total cost of data breach was recorded compared to the previous year, while the cost per lost or stolen data record went up by 5%.

The report identified the most common root causes of data breaches in South Africa, and pointed to trends in practices to reduce the risk and consequences of a data breach.


A huge trove of data, containing the personal information of millions of South Africans, including property ownership, employment history, income and company directorships, has been discovered by information security researcher Troy Hunt.

Hunt, the founder of HaveIbeenPwned.com, said the breach contains data of more than 30-million unique South African ID numbers.

The data trove was discovered among a large dump of other breaches, and Hunt could identify it as South African from the personal address details it contained. He said that to date he hasn’t seen it offered for sale, but that “it is definitely floating around between traders”.

The date of the database file indicates that the breach took place in March 2017, or perhaps before. The actual data includes information from at least as far back as the early 1990s.

Hunt is now attempting to identify the source of the database and has shared its headers to help get to the bottom of it.

Some of the data headers seem to indicate that the source may be government, but this is not definitive. It may be that this information is from a commercial entity such as a bank or credit bureau.

Once the owner of the data is identified and informed, Hunt will upload the info to his HaveIbeenPwned service (although he notes that the data only includes around 2,2-million valid e-mail addresses).

By Andrew Fraser for Tech Central 

My Office News Ⓒ 2017 - Designed by A Collective