291 records breached per second in first half of 2018

By Danny Bradbury

Over 4.5 billion data records were breached in the first half of this year, according to a report from Gemalto’s Breach Level Index released this week. That’s the highest number of breaches ever in a single six-month time period, but a deeper dive reveals an even more worrying trend.

Gemalto, which sells authentication and data storage products, produces an analysis every six months of the reported breaches from each period. This total number of breached records in this year’s first half (1H) report equated 291 breached records every second, on average.

Records-per-breach is growing

The general rise in the volume of lost records is alarming enough (1H 2018’s figure is up 1,751% on 1H 2015), but what’s really scary is the average number of records per data breach incident. It’s growing quickly.

2015: 245.9m records across 999 incidents. That’s 276,936 records per incident.

2016: 554.5m records across 974 incidents. That’s 569,255 records per incident.

2017: 2.6bn records across 1765 incidents. That’s 1.47m records per incident.

2018: 4.5bn records across 945 breaches. That’s 4.8m records per incident.

The distribution of these compromised records on a per-breach basis isn’t equal, of course. There were some absolute whoppers in early 2018.

Read more at https://nakedsecurity.sophos.com/2018/10/10/291-records-breached-per-second-in-first-half-of-2018/

Cyber tormentor leaves a trail that lands him 17.5 years

By Lisa Vaas

He, along with others he’d recruited into his cyberstalking campaign, sent lewd pictures of pre-pubescent females to her mother, her former roommate, and two former college classmates. They sent messages encouraging her to kill herself and threatening to rape and/or kill her and her friends. They posed as her and contacted somebody to claim that she’d killed the animal she was pet sitting, triggering a confrontation with police.

They pretended to be her roommate and her mother and called in over 120 hoax bomb threats to schools and residences. They broke into her iCloud account, laptop and iPhone to steal her photos; videos; and medical, psychological, and sexual history. They pieced it all together in a collage and sent it to hundreds of people, including her roommates, co-workers, 13-year-old sister, parents, parents’ work colleagues, and former teachers and school administrators. They put up bogus profiles of her on adult sites and directed interested men to her home address. She said that three men, unknown to her, showed up.

The main cyberstalker behind all this thought the IP address-anonymizing TOR service would protect him. He thought virtual private networks (VPNs) would hide him. He also seemed to put his faith in anonymous overseas texting services and overseas encrypted email providers that don’t respond to law enforcement and/or don’t maintain IP logs or other records.

Read more at https://nakedsecurity.sophos.com/2018/10/10/cyber-tormentor-leaves-a-trail-that-lands-him-17-5-years/

Airport mislays world’s most expensive USB stick

By John E Dunn

Like so many stories of data disaster, this one started innocently enough.

In October 2017, a member of the public noticed a USB flash drive lying in the street in a London suburb.

After plugging the drive into a computer at their local public library, they discovered it contained 1,000 files held in 76 folders and a trove of data on security systems and procedures at one of the world’s largest airports, Heathrow.

Because we’re writing about this in the first place, you can already guess that none of the data was encrypted or password-protected.

The member of the public decided to tell The Sunday Mirror newspaper about the find, which days later published a story claiming the loss could potentially have compromised airport security, including putting Queen Elizabeth II, politicians and VIPs at risk.

Yesterday, the company with the job of looking after the data, Heathrow Airport Ltd (HAL), was fined £120,000 ($160,000) by Britain’s Information Commissioner (ICO) for allowing this to happen.

What was on the drive?

Heathrow Airport claimed that only 1% of the data on the memory stick was personal data, which would have been a good argument if that hadn’t included a training video exposing names, dates of birth, vehicle registrations, passport details, and mobile numbers for 10 people involved in important security procedures at the airport.

Read more at https://nakedsecurity.sophos.com/2018/10/10/airport-mislays-worlds-most-expensive-usb-stick/

Apple and Amazon hacked by China? Here’s what to do (even if it’s not true)

By Paul Ducklin

The past week has seen the beginning of a saga that feels as though it could end up like Homer’s Odyssey or Virgil’s Aeneid…

…a fascinating, entertaining, confusing, politically charged and unpredictable tale, littered with lyrical allusions and based on mysterious sources; a supposedly factual tale that the tellers nevertheless describe in mythological terms as “like witnessing a unicorn jumping over a rainbow” and as “a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle.”

(Actually, transporting a stick from the Yangtze and dumping it on a beach in Lake Washington isn’t a particularly difficult feat these days, thanks to long-haul air travel.)

This saga was years in the making and will probably end up as prescribed reading in years to come for any number of students who’d really rather be trying to fathom something altogether more straightforward, such as programming elliptic curve cryptography from scratch – or, for that matter, translating Homer from the original Greek.

We’re talking, of course, about the astonishing claims published by US technology publishers Bloomberg that Chinese military spies successfully infiltrated at least 30 major US companies, starting about three years ago, by covertly implanting ultra-tiny “zombie chips” onto server motherboards sold by a US server vendor called Supermicro.

Read more at https://nakedsecurity.sophos.com/2018/10/09/apple-and-amazon-hacked-by-china-or-perhaps-not/

Microsoft hits the brakes on latest Windows 10 update – what to do

By John E Dunn

Something has gone wrong with Windows 10 update 1809, codenamed ‘Redstone 5’.

The scheduled update (build 17763), is the second of two that Microsoft planned for 2018 offering new features. It appeared on 2 October, after which serious complaints started rolling in. The most common was that files and settings were being deleted. Wrote one user:

Logged in first time, all looked fine. After a reboot and subsequent logon, I came to find that my profile had been deleted! Nothing remained, no data on the desktop, no settings… nothing.

Problems after major Windows updates aren’t unheard of but the consistency of the problems eventually caught Microsoft’s attention. On 6 October, almost four days after the update appeared, Microsoft did something it has never had to do in the download history of Windows:

We have paused the rollout of the Windows 10 October 2018 Update (version 1809)* for all users as we investigate isolated reports of users missing some files after updating.

What went wrong?

All there is to go on right now are symptoms. The common thread is that files are being deleted, with one user mentioning the loss of 220GB of files dating back to Windows 95 from the default Documents folder.

Read more at https://nakedsecurity.sophos.com/2018/10/09/microsoft-hits-the-brakes-on-latest-windows-10-update-what-to-do/

Don’t fall for the Facebook ‘2nd friend request’ hoax

By Lisa Vaas

Are your Facebook friends bellyaching about having received another friend request from you? Specifically, sending you a message that reads uncannily like this one?

Hi … I actually got another friend request from you yesterday … which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears … then hit forward and all the people you want to forward too … I had to do the people individually. Good Luck!

It doesn’t make sense if you stop and think about it.

Why would you have sent a friend request to somebody you’re already friends with? And then why in the world would you uncritically send this message to your Facebook friends?

The short answers are that you wouldn’t and you shouldn’t.

You should delete the message and ignore the instructions to forward it because it’s a hoax, trying to get you to believe that your account has been cloned.

Account cloning happens when somebody steals your profile pictures and your name to set up a new account. When the account is set up they send out friend requests that appear to come from you, pulling your friends into their web of lies.

Read more at https://nakedsecurity.sophos.com/2018/10/09/dont-fall-for-the-facebook-2nd-friend-request-hoax/