Spear Phishing Attacks in Malaysia

The integrity of Malaysian commercial and government computer systems continues to be threatened by the increase in spear phishing attacks by groups based overseas.

Phishing attacks occur where mass emails are sent out to multiple users enticing them to click on a link or open an attachment, which releases a malware payload to infect the smartphone, computer or IT system. Phishing messages often appear to come from a large and well-known company or website with a broad membership base, such as Google or PayPal. The attackers are playing the numbers: the larger the audience, the higher the chances of victims being successfully duped.

Spear Phishing Attacks
In the case of spear phishing attacks, the apparent source of the email is likely to be an individual within the recipient’s own professional or social group – generally someone in a position of authority or else someone the target knows personally. The term ‘spear’ indicates that the target has been selected and their background researched, to increase the chances of success or else because the target is significant.

The main delivery vector for spear phishing attacks over the past few years has been email. In Malaysia, email attacks were the most favoured weapon for a wide range of cyber-attacks in the country. During 2016, authorities discovered that one out of every 130 emails sent to users in Malaysia contained a malicious link or attachment. This was a fourfold increase in one year, indicating the growing problem companies face in protecting their systems.

Spear Phishing Attack in Malaysia
An example of a successful spear phishing attack occurred in 2014 when around 30 computers at Malaysian law enforcement agencies handling the disappearance of Malaysia Airlines flight MH370 were reportedly hacked, with the perpetrators making off with confidential data on the missing aircraft.

Asia News Network reported in 2014 that the computers of ‘high-ranking officials’ in several Malaysian aviation and security agencies were hacked and classified information removed. The point of entry for the compromise was said to be a spear phishing email carrying a malicious executable file disguised as a PDF. When the attachment was opened, the user’s machine was infected with malware, allowing the hacker to gain access to the PC from outside and send stolen information back to an IP address in China.

The spear phishing email, with the subject line ‘Over the South China Sea’ and dated 09 March 2014 – just one day after the Malaysia Airlines MH370 aircraft went missing – contained ‘sophisticated’ malware that was disguised as a news article reporting on the missing Boeing 777.

The timing of the email indicates that the malware was prepared before MH370 disappeared and launched by persons unknown to break into Malaysian government systems and extract information. Some Malaysian government agencies reported that their networks were congested with email being transmitted out of their servers; the emails contained confidential data from the officials’ computers, including minutes of meetings and classified documents. Because of the nature of cyberattacks it is difficult to be certain who exactly was behind the attack; although the exfiltration IP address was in China, the attackers could have been located anywhere around the globe.

Spoofed Email Addresses
Another variant of spear phishing attack has been users receiving spoofed emails instructing them to reset their Gmail or other online email password, diverting the target to a spoofed site where they enter their username and password. This information is captured by the attackers, giving them access to the online email account. This method was used by attackers to access the Gmail account of John Podesta, former chairman of the 2016 Hillary Clinton presidential campaign. The hackers then downloaded emails, attachments, reports and so on; details from Podesta’s emails were later leaked online to damage the Clinton campaign.

As the email attack vector is expected to continue to expand, employees and systems administrators should be aware that caution is needed before opening attachments or clicking on suspicious web links. As a first step, an effective Secure Email Gateway with filtering, such as MailMarshal, should be implemented to prevent users receiving infected emails.
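The checks a gateway, or a cautious administrator looking at a suspect message, would apply to an email like the one described above (a spoofed sender, an executable disguised as a PDF) can be shown in a few lines. What follows is an added example written for this article, not code from the original page or from any gateway product; the message it builds is constructed, and every address, domain and attachment in it is a placeholder rather than a real indicator.

```python
"""Triage checks for a suspected spear-phishing email at the gateway.

Added example for this article, not code from the original page or from any
gateway product. The message below is constructed for illustration: the
sender, domains and attachment bytes are placeholders, not real indicators.
"""
import email
import re
from email import policy
from email.headerregistry import Address
from email.message import EmailMessage

# Extensions Windows runs as code when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "msi"}
# First bytes expected for document types an attacker may imitate.
MAGIC = {"application/pdf": b"%PDF", "image/jpeg": b"\xff\xd8\xff",
         "application/zip": b"PK\x03\x04"}


def _first_address(msg, name):
    """(display_name, lower-cased domain) of the first address in header `name`."""
    hdr = msg[name]
    if hdr is None or not getattr(hdr, "addresses", ()):
        return "", ""
    addr = hdr.addresses[0]
    return addr.display_name, addr.domain.lower()


def triage(raw: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, from_dom = _first_address(msg, "From")

    # 1. Display name that is itself an address at a different domain: the
    #    "someone you know" disguise that fills a phone-sized screen.
    embedded = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display)
    if embedded and embedded.group(1).lower() != from_dom:
        findings.append(f"display name shows {embedded.group(1)} but mail is from {from_dom}")

    # 2. Replies silently redirected to a third domain.
    _, reply_dom = _first_address(msg, "Reply-To")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Gateway authentication results that did not pass (sender spoofing).
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    # 4. Attachments: an executable hiding behind a document extension, and
    #    content whose leading bytes contradict the declared MIME type.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) >= 2 and pieces[-1] in EXECUTABLE_EXTS:
            disguise = f" disguised as .{pieces[-2]}" if len(pieces) >= 3 else ""
            findings.append(f"attachment {name} is executable{disguise}")
        expected = MAGIC.get(part.get_content_type())
        payload = part.get_payload(decode=True) or b""
        if expected and not payload.startswith(expected):
            findings.append(f"attachment {name} is labelled {part.get_content_type()} "
                            "but its bytes do not match")
    return findings


def build_sample(spoofed: bool = True) -> bytes:
    """Construct the illustrative message; spoofed=False builds a clean one."""
    msg = EmailMessage()
    msg["To"] = Address("Analyst", "analyst", "agency.example")
    msg["Subject"] = "Over the South China Sea"
    if spoofed:
        # Display name imitates an internal address; real sender is elsewhere.
        msg["From"] = Address("director@agency.example", "news", "press-updates.example")
        msg["Reply-To"] = Address("", "replies", "another-host.example")
        msg["Authentication-Results"] = ("mx.agency.example; spf=fail "
                                         "smtp.mailfrom=press-updates.example; dkim=none")
        body, attach = b"MZ\x90\x00" + b"\x00" * 32, "article.pdf.exe"  # PE header bytes
    else:
        msg["From"] = Address("Press Office", "news", "agency.example")
        msg["Authentication-Results"] = "mx.agency.example; spf=pass; dkim=pass"
        body, attach = b"%PDF-1.4\n%%EOF\n", "article.pdf"
    msg.set_content("Please see the attached article on the missing aircraft.")
    msg.add_attachment(body, maintype="application", subtype="pdf", filename=attach)
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("!", line)
```

Run it and the constructed message produces six findings; the clean variant produces none. In a real gateway the Authentication-Results header is written by your own mail server, so the script should trust only the instance stamped by that server, not one supplied by the sender.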

Recent industry surveys in Malaysia have indicated that five out of every six large companies have been targeted with spear-phishing attacks. Small businesses also saw an increase in spear phishing attacks, often seeking access to online bank account details.

Current studies in Malaysia and the USA have noted that attackers use stolen email account details from one corporate victim to spear-phish other victims within the same company, often moving on to those with higher administrative permissions and so gaining access to more of the network and its databases.

Ongoing Threat
Spear phishing attacks present a real and current danger to company, organisation and government computer systems – only effective filtering tools, education of users to the threats and continued vigilance can prevent these attacks.

Ransomware attacks surge in Malaysia

Ransomware has become a critical threat for small and medium sized businesses in Malaysia and across South East Asia because of the ease with which Bitcoin allows ransoms to be extracted from victims.

Ransomware is simple but toxic. Malicious software is inadvertently installed on the victim’s computer after the victim is hoodwinked into clicking on an unsafe link or email attachment. Once downloaded, the software starts to encrypt files on the computer system, ranging from documents through to data sets. Once the software has encrypted enough files, these files are locked to the user and a message is displayed with instructions demanding that a ransom be paid to unlock them. Failure to pay the ransom means the files remain locked and are essentially useless.

Over the past year, Ransomware has emerged as one of the most significant attacks in the hacker arsenal against small and medium sized businesses. Unlike other forms of cyber theft, which often involve stolen credit card numbers or healthcare information, Ransomware acts directly on the victim, locking down their system or holding their data hostage until a ransom payment is made.

Recent Ransomware Attacks
The Hollywood Presbyterian Medical Centre in Los Angeles paid around $17,000 to unlock files in February 2016, following an attack that paralysed a large part of the hospital’s computer systems. This attack was sophisticated: cybercriminals broke into a hospital server the month before. After two weeks of reconnaissance of the system, the hackers struck on a Friday night, when the hospital’s IT staff were off for the weekend, encrypting data on 800 computers and 130 servers and rendering documents and data unreadable, ranging from patient records through to prescriptions.

In Canada, the University of Calgary paid a demanded $20,000 after a Ransomware cyberattack on its computer systems. The University IT team noticed certain files had become encrypted and managed to quarantine other files and systems from the attack. However, certain valuable files containing research data had already been locked down and so the University opted to pay the ransom to recover the files.

Ransomware Figures
According to Symantec Corporation, Malaysia ranks as 47th globally, and 12th in the Asia Pacific, for Ransomware attacks. In 2015, Malaysians experienced around 5,000 ransomware attacks – or 14 attacks per day.

Recent research conducted by a Cyber Security Research Centre indicated that around half of the victims infected with CryptoLocker agreed to pay the ransom demanded. Though it is understandable that they wanted to retrieve their locked data files, the payment of such ransoms spurs other hackers to jump into the activity and create new forms of Ransomware.

Once considered a consumer problem, Ransomware has morphed to target entire networks of computers at hospitals, universities and businesses. That has made it a far more serious and costly threat.

Different Types of Ransomware
CryptoLocker was the first successful Ransomware: usable by hackers of medium capability, it still managed to fleece victims of millions of dollars in 2013 and 2014.

Newer versions of Ransomware include CryZip, Locky, Zepto, Cerber, CryptXXX and UltraCrypter.

Many Ransomware attacks exploit known ‘zero day’ errors in software on computer systems. These holes and vulnerabilities can be found in operating systems or in individual programs, such as web browsers.

The software companies often release updates and patches to close these holes, but the hackers depend on owners not installing updates, so the Ransomware can squeeze through and infect the system.

Common ways of Ransomware Infection
The traditional and most effective way for a hacker to infect a computer system is by way of email attachments with malware contained inside. Often these attachments are apparently benign Microsoft Office files such as Word or Excel but can include photos or PDFs.

Effective hackers spend some time researching their victim to create emails from spoofed addresses the victim may trust, or else name documents after a project or location the victim is familiar with. The victim is then tricked into opening the document because the document name appears genuine or because they trust the sender, not knowing that the sending email address has been faked.

Other hackers may try to infect a computer system by way of exploit kits on infected web pages the victim may visit, often pornographic sites or other sites which pop up and attract visitors.

Once the attachment is unzipped and run or the exploit kit runs, the infection process follows these steps:

1. During the encryption process, the malware generates the public key used to encrypt the files; the matching private key is held by the attacker
2. The malicious software begins encrypting accessible files, often targeting extensions such as .docx or .xls
3. Once enough files have been processed, the malicious software locks all encrypted files with a private key
4. The computer system still works but cannot access these locked files
5. A ransom note is presented in three formats (text, image and web page) informing the victim of the attack and the need to make a Bitcoin transfer to obtain the encryption key to unlock the targeted files
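Steps 2 to 5 leave a signature on the file system that a monitoring tool can pick up while the encryption is still running: a rapid run of rewrites whose new contents look random, often with a new extension, followed by the same note file appearing in every folder. The following is an added example written for this article, not code from the original page or from any product. The event stream it processes is constructed, and the tuple layout (time, path, content sample) is my own choice; a real deployment would feed the function from a file-integrity monitor or endpoint agent.

```python
"""Spot a ransomware encryption burst in a stream of file-change events.

Added example for this article, not code from the original page or any
product. The event stream is constructed; a real deployment would feed it
from a file-integrity monitor or EDR (the tuple layout is my own choice).
"""
import math
import random
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.5       # bits per byte; encrypted or compressed data sits near 8.0
BURST_WINDOW = 60        # seconds
BURST_THRESHOLD = 5      # suspicious rewrites inside one window
RANSOM_EXTS = {".locked", ".crypt", ".enc", ".zepto", ".cerber", ".locky"}
NOTE_WORDS = ("decrypt", "bitcoin", "ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """events: iterable of (unix_time, path, content_sample: bytes).

    Returns {"burst_start": time or None, "encrypted_files": [...], "ransom_notes": [...]}.
    """
    suspicious = []                 # (time, path) of writes that look like ciphertext
    notes = defaultdict(set)        # note file name -> directories it appeared in
    for ts, path, sample in sorted(events, key=lambda e: e[0]):
        directory, _, name = path.rpartition("/")
        low = name.lower()
        ext = low[low.rfind("."):] if "." in low else ""
        text = sample.decode("ascii", errors="ignore").lower()
        if any(w in low for w in NOTE_WORDS) and any(w in text for w in NOTE_WORDS):
            notes[low].add(directory)
        elif ext in RANSOM_EXTS or shannon_entropy(sample) >= HIGH_ENTROPY:
            suspicious.append((ts, path))

    # Sliding window: the burst starts at the first write of any window that
    # holds at least `threshold` suspicious rewrites.
    burst_start, lo = None, 0
    for hi in range(len(suspicious)):
        while suspicious[hi][0] - suspicious[lo][0] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            burst_start = suspicious[lo][0]
            break
    return {
        "burst_start": burst_start,
        "encrypted_files": [p for _, p in suspicious],
        # One note dropped into several directories is step 5 of the list above.
        "ransom_notes": sorted(n for n, dirs in notes.items() if len(dirs) >= 2),
    }


def sample_events() -> list:
    """Constructed events: two routine edits, then six rapid high-entropy rewrites
    carrying a ransom extension, and the same note dropped in two folders."""
    rng = random.Random(7)

    def ciphertext() -> bytes:            # stands in for an encrypted file body
        return bytes(rng.getrandbits(8) for _ in range(4096))

    minutes = b"Minutes of the weekly project meeting. Action items follow.\n" * 40
    note = b"Your files are encrypted. Send 1 bitcoin to the address below to decrypt them."
    events = [(1000, "/srv/share/finance/budget.csv", minutes),
              (1300, "/srv/share/hr/policy.txt", minutes)]
    events += [(2000 + i * 3, f"/srv/share/finance/report{i}.docx.locked", ciphertext())
               for i in range(6)]
    events += [(2020, "/srv/share/finance/HOW_TO_DECRYPT.txt", note),
               (2021, "/srv/share/hr/HOW_TO_DECRYPT.txt", note)]
    return events


if __name__ == "__main__":
    print(detect(sample_events()))
```

Two things matter in a real deployment: the entropy check must be applied to a sample of the new content (already-compressed formats such as .zip or .xlsx also score near 8 bits per byte, so the extension and the burst rate carry more weight than any single file), and the response to a positive result should be to cut the host off the share, which is the isolation step in the recovery list further down the page.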

Use of Bitcoin
The utilisation of Bitcoin has also fuelled the spread of Ransomware. Bitcoin is now the preferred payment method of most Ransomware infections because it allows users to send and receive money from anywhere in the world, often anonymously.

What Can You Do If You’re Infected by Ransomware?
Unfortunately, there is little you can do to recover your files once your system is infected with Ransomware and the files are encrypted. The best defence is to have a full backup stored on a separate drive so that you can restore the data. However, make sure to isolate your backup to prevent these files also being encrypted and locked down.
1. Isolate the infected machine
It’s important that the system is taken offline, as the hackers essentially control your computer and could use it to gain access to other systems on the network.

2. Weigh up the pros and cons of paying a ransom
As with any form of ransom, you are not guaranteed to obtain cooperation from the hackers – they may demand further payment or else you may be the target of a repeat (and potentially more costly) ransom attack in the future.

Can you be sure that the Ransomware will indeed be unlocked? If it is unlocked, can you be sure that it hasn’t been pre-programmed to repeat its encryption and demand a higher ransom?

[However, anecdotal information indicates that the hackers want their business model to work and thus do release the data upon payment].

3. Recovery
Run endpoint security software to discover and remove the Ransomware software. If it cannot detect the threat, wipe the machine and remove the operating system.

4. Restore
Review your recent data backups and restore files and operating systems from the most recent backup.

5. Alert Law Enforcement
In Malaysia the agency is CyberSecurity Malaysia, which can be contacted via the website www.cybersecurity.my.

In Singapore the agency is the Cyber Security Agency of Singapore; see https://www.csa.gov.sg/singcert/about-us/faqs for details.

Though they probably won’t be able to provide immediate assistance, such attacks need to be reported so that the hackers can be tracked.

Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Digital photocopiers pose security threat for identity theft

The digital photocopier in your home or office may offer an identity thief or fraudster a direct gateway to your personal or sensitive data. Though most users are unaware, nearly all digital copiers sold since 2002 contain a hard drive, similar to the one in a personal computer or laptop, that stores images of every document copied, scanned or emailed by the photocopier.

Please note that digital photocopiers differ from standard digital scanners: digital photocopiers are usually known as an MFP (multi-function product / peripheral / printer) or an MFD (multi-function device) and are able to function stand-alone without being connected to a computer. [The main difference is that a digital scanner requires an explicit PC connection to function.]

Most office and home users are unaware of the potential risks involved with digital photocopiers. University security surveys regarding photocopiers found that more than 60 percent of users were unaware that copiers store images of all documents on a hard drive which could be accessed later by technicians or outsiders.

Manufacturers of digital photocopiers do caution consumers about the default settings, which result in all images being saved to the internal hard drive for later review. However, these warnings have mainly fallen on deaf ears, with offices not treating the data with the proper security protocols. Digital photocopiers also offer encryption packages to protect the data, but few users know how to, or can be bothered to, enable them so that the images are protected by a password. Some machines do have a product that will automatically erase images from the hard drive, but these come as costly extras.

Therefore the average business or home user remains oblivious to the dangers posed by these digital copiers. As digital copiers are often used in offices to copy items such as passports, credit cards, IC cards, driving licences and utility bills, the data on the hard drive can be a goldmine for identity thieves and fraudsters. Investigations organised by a leading university in New York found that it’s easy to buy an old digital copier loaded with images of data such as social security numbers, driving licences, bank records and income tax forms. Two of the digital copiers were found to have been used in government offices, including a police department.

The team simply pulled the hard drives out of the digital copiers and used free forensic software tools from the Internet, recovering tens of thousands of documents within one day. A leading expert on digital security commented that any company needs to review all IT equipment that stores data as part of the business and take steps to ensure the data is encrypted or else destroyed using standard forensic IT procedures.
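The reason documents survive on a copier drive is that the machine’s own file index is all that gets cleared; the image data stays on the platters until it is overwritten, which is exactly what signature-based carving tools recover. The same signature scan, run over the drive image before a copier leaves the building, is a cheap way to confirm that a sanitisation pass actually worked. The following is an added example written for this article, not the page’s own code or any forensic vendor’s tool; the ‘drive image’ it scans is a constructed byte string and the document number inside it is a labelled placeholder.

```python
"""Check whether a copier/MFP drive image still holds recoverable documents.

Added example for this article, not the page's own code or any vendor's
tool. The 'drive image' is a constructed byte string; the same scan would be
run over a raw device or image file before the machine leaves the office.
"""
import re

# Leading byte signatures of the document types a copier typically stores.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/office",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
}
# A run of printable ASCII long enough to be a line of scanned or OCR'd text.
TEXT_RUN = re.compile(rb"[\x20-\x7e]{24,}")


def carve(image: bytes) -> list:
    """Return (offset, kind) for every file signature found, in offset order.
    Signatures are found whether or not the copier's file index still lists them."""
    hits = []
    for sig, kind in SIGNATURES.items():
        pos = image.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(sig, pos + 1)
    return sorted(hits)


def leftover_text(image: bytes, limit: int = 5) -> list:
    """First few readable text runs, the kind that leak ID or account numbers."""
    return [m.group().decode("ascii") for m in TEXT_RUN.finditer(image)][:limit]


def is_sanitised(image: bytes) -> bool:
    """True only when neither file headers nor readable text remain."""
    return not carve(image) and not leftover_text(image)


def overwrite(image: bytes, fill: bytes = b"\x00") -> bytes:
    """Model of one overwrite pass; a real wipe writes to the physical drive."""
    return (fill * len(image))[: len(image)]


def sample_image() -> bytes:
    """Constructed 64 KiB image: blank space, a tiny PDF page holding a placeholder
    ID number, and the header of a scanned JPEG, as a copier might leave behind."""
    pdf = (b"%PDF-1.4\n1 0 obj\n"
           b"(Passport number PLACEHOLDER-0000000 holder A. Example)\n%%EOF\n")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x7f" * 64
    image = bytearray(64 * 1024)
    image[4096:4096 + len(pdf)] = pdf
    image[20000:20000 + len(jpeg)] = jpeg
    return bytes(image)


if __name__ == "__main__":
    img = sample_image()
    print("before:", carve(img), leftover_text(img))
    print("after overwrite:", is_sanitised(overwrite(img)))
```

Running it shows the PDF and JPEG headers (and the placeholder passport line) in the untouched image, and nothing after the overwrite pass. On a real machine the drive must be wiped through the copier’s own sanitisation function or pulled and overwritten directly, since a ‘delete all jobs’ option from the front panel typically clears only the index.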

Do you need to know more about our services and how Regents can assist you with preventing information loss and securing your computer network? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Theft of military data drive exposes security flaws


Top secret defence documents belonging to the commander of Australian operations in the Middle East, stored on a USB drive, went missing from the backpack of a military aide travelling on a commercial flight from Dubai to Pakistan.

It is believed the USB drive went missing after the flight arrived in Kuwait for a scheduled stopover. When the flight arrived in Islamabad, the airline disclosed that a number of the checked-in bags had been lost, and it took several days for them all to be located.

The loss of the material was considered a major security incident by defence authorities and highly likely to be the product of a deliberate theft operation by undisclosed foreign agencies. The incident highlights the risks of transporting sensitive information on a USB drive without proper risk assessments or security protocols in place.

Australian Defence has declined to reveal exactly what was on the drive, but it appears that it contained the emails of Major-General Cantwell and the aide, downloaded from the Defence Secret Computer Network. An intelligence source said the increasing use of powerful electronic storage devices to hold classified material has become a particular concern for governments worldwide.

Though your organisation may not have military secrets stored on devices or laptops, it is fair to say that they do contain information that would be of use to a competitor, and the inadvertent leaking of that information would harm your company. Some of the data may be commercially sensitive, while other data you are obliged to store securely, such as names and addresses of clients, credit card numbers, financial information and medical information.

Prevention is far better than cure in this situation; in fact, once the data is loose on the web or being sold to other parties there is no real cure. Loss of client confidence and the crippling costs of remedying the situation, such as offering free credit checks and cancelling accounts, mean that if this situation can be avoided, it should be.

Therefore, it is recommended that a company or organisation take at least the following steps in regard to information security for transported data:

  1. Conduct a risk review as to what type of company or organisation data is likely to be transported on a drive or laptop
  2. Draw up a security policy determining who should be authorised to transport sensitive data and what precautions must be taken
  3. Identify the individuals [salesmen, executives, managers] who are most likely to be transporting the data – decide whether the benefits outweigh the risks of data loss
  4. Ensure that these individuals have been fully briefed on company security policies, including complex password protection on all devices
  5. Prevent unauthorised personnel from being able to copy or duplicate sensitive data onto drives via IT controls
  6. Consider having all data stored on external drives encrypted using standard software such as TrueCrypt
  7. Consider having all laptops and smartphones link to servers via Citrix or VPN so that minimal data is stored on the device
  8. Create an emergency system to track any stolen or missing devices, with a regular asset review to ensure all data is being maintained
  9. Implement a data clean-up system so that all drives are sterilised when they are no longer needed

Data loss can occur through anything from bad luck to being the victim of a targeted operation by a third party. At best there is severe embarrassment, but the worst case can lead to loss of clients and hefty fines from regulators. Creating an atmosphere of data protection across the organisation can go a long way towards preventing such losses.



‘Flash robs’ create new challenge to retailers

Just as Twitter, Facebook and other social networking sites have allowed dissidents to plot the overthrow of dictators in the Middle East, groups of criminals are using these tools to plan coordinated thefts from stores in the USA.

‘Flash mobs’ was the term given to groups of people who communicated via the internet to stage harmless if strange activities, such as all standing on one leg in unison outside a subway station. The mob would then disperse peacefully, and there was an element of intrigue and fun to the event.

But ‘flash robs’ are far from fun and have a sinister criminal intent. Flash robs are reported to be swarms of teenagers and young adults who plot via Twitter, text messages and Facebook to descend on stores together and steal any valuable merchandise they can get their hands on. They then disperse before the police or security can apprehend them.

The use of new media and communications devices to organise robbing sprees was underlined during the recent riots in England, when criminals used BlackBerrys and Facebook to organise mobs to break into and loot shops.

Though information is scant as to the identities of the flash rob members, it is believed that these groups maintain contact via social networking and do meet on occasion to plan upcoming robberies. They are wary of sharing personal information to avoid undercover police or informers and may be members of criminal gangs. According to media reports, such ‘flash rob’ incidents have occurred this year in Cleveland, Chicago, Las Vegas, Boston, Philadelphia and St. Paul as well as in Canada.

The National Retail Federation monitors such activity and said those most at risk were department stores and big-box chains, as well as grocery and drugstore operators. Those who have experienced a flash rob, sales assistants and other shoppers alike, have been intimidated by the antics of the mob, which seeks to disorientate people while grabbing merchandise before fleeing. The National Retail Federation has published a white paper on the problem and issued the following advice for retailers:

  • As with other crimes, retailers, mall security and law enforcement agencies should continue to share intelligence about anticipated incidents.
  • Sales assistants should report to store management or Loss Prevention whenever they see unusually large gatherings of people inside or directly outside the stores.
  • If safe to do so, use customer service techniques to discourage criminal activity.
  • Attempt to discourage the thefts by re-positioning associates near key areas of the store and high-value merchandise.
  • Instruct employees and customers to retreat into a secure part of the store.
  • Any CCTV video of the event can assist in the documentation process and should be readily available for law enforcement officials (following company protocols for release).

Monitoring of the internet
It is recommended that all retailers which may be at risk create a business intelligence program to monitor social networks and websites for indications of a planned event at their outlets. The program should include tracking the brand names and locations of the outlets, with a daily report to update management on any issues.

The program should regularly be reviewed for any changing trends as well as monitoring national media for reports on flash rob incidents. Use of free services such as Google or Yahoo alerts is a start but other sources should be used including Factiva and other contacts recommended by the National Retail Federation.

Information sharing with local law enforcement agencies is imperative, as they may already have intelligence on these mobs as well as being able to deploy officers to apprehend the mob and arrest them for organised theft and larceny.

Hacking of White House Gmail accounts

The recent announcement by Google that a number of users’ Gmail accounts had been hacked has ratcheted up the debate on cyber war between China and the US. The importance of this report lies in the fact that these Gmail accounts were held and used by senior US and South Korean government officials as well as Chinese political activists.

Google claims that it discovered and alerted hundreds of users who had been duped by a carefully targeted ‘phishing’ scam. The method used, called spear phishing, is not new but can be particularly successful when targeted properly.

A spear phishing attack occurs when a victim receives an email from the familiar address of a close associate or a collaborating organisation or agency. However, the address has been spoofed [falsely generated] and the email actually comes from the hackers. Usually the email has some form of attachment which needs a viewer; when it is clicked on, the user is directed to a fake Gmail login page for harvesting the user’s login details.

Once the hackers had the user’s password details, they would log into the Gmail account and create rules to forward all incoming mail to another account without the user’s knowledge. Often the other Gmail account ID is made to closely resemble the victim’s ID so as to reduce suspicion. From that point on, the spurious Gmail account is frequently accessed remotely, all incoming emails are downloaded to a central location and the emails are then deleted from the Gmail account.
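The forwarding rule is the part of this attack that an administrator can find after the fact, because it persists in the victim’s mailbox settings long after the phishing email has been deleted. The audit below is an added example written for this article, not the page’s own code and not any mail provider’s API: it takes a list of exported rule records (the field names account, forward_to and delete_original are my own) and flags the combination described above, a forward-all rule to an outside address that imitates the owner’s own, with the originals deleted so the owner sees nothing. The rule records are constructed.

```python
"""Audit mailbox forwarding rules for the pattern described above: everything
forwarded, silently, to an outside address that imitates the victim's own.

Added example for this article, not the page's own code or any mail
provider's API. The rule records are constructed; in practice they would
come from an administrator's export of each mailbox's filters, and the field
names used here (account, forward_to, delete_original) are my own.
"""
INTERNAL_DOMAINS = {"agency.example"}
# Substitutions that make a look-alike local part read like the original.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(local_part: str) -> str:
    """Lower-case, drop dots, and fold common look-alike substitutions."""
    s = local_part.lower().replace(".", "")
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so a one-character tweak still counts as a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(account: str, target: str) -> bool:
    """True when the target's local part imitates the account's local part."""
    na, nb = (normalise(x.split("@", 1)[0]) for x in (account, target))
    return na == nb or levenshtein(na, nb) <= 1


def audit_rules(rules, internal=INTERNAL_DOMAINS) -> dict:
    """Map each flagged account to the reasons its forwarding rule was flagged."""
    findings = {}
    for rule in rules:
        issues = []
        target = rule["forward_to"].lower()
        domain = target.rsplit("@", 1)[-1]
        if domain not in internal:
            issues.append(f"forwards to external domain {domain}")
            if looks_like(rule["account"], target):
                issues.append("external target imitates the account name")
        if rule.get("delete_original"):
            issues.append("original is deleted after forwarding, hiding the rule's activity")
        if issues:
            findings[rule["account"]] = issues
    return findings


def sample_rules() -> list:
    """Constructed export: one rule matching the attack, one benign internal
    rule, and one external forward that merely deserves a question."""
    return [
        {"account": "j.smith@agency.example", "forward_to": "j.srnith@webmail.example",
         "delete_original": True},
        {"account": "a.lee@agency.example", "forward_to": "team-inbox@agency.example",
         "delete_original": False},
        {"account": "m.tan@agency.example", "forward_to": "m.tan.home@webmail.example",
         "delete_original": False},
    ]


if __name__ == "__main__":
    for account, issues in audit_rules(sample_rules()).items():
        print(account, "->", "; ".join(issues))
```

The first rule collects all three findings and is the one to act on; the third is an external forward worth asking the user about; the internal team-inbox rule is not reported. The look-alike test folds ‘rn’ to ‘m’ before comparing, which is why j.srnith is caught even though it is not within one edit of j.smith as typed.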

By this method, the hacker(s) can begin to piece together a patchwork of communications between various users and organisations. It has been indicated that these hacking attempts originated from Jinan, the capital of Shandong province. While there is no direct evidence that the hackers are located in Jinan or are in the pay of the Chinese government, the dedication of the attacks and their highly targeted nature eliminate direct financial gain as a motive. Technology watchers haven’t ruled out the possibility of the attack being state-sponsored.

However, it should be noted that the main reason the Gmail accounts were selected in the first place is that they were thought to contain useful information related to the users’ work. Though we don’t know the identity of the users, it has been suggested that elements within the White House and Senate were among them, plus South Korean government officials.

It is a fact that many White House officials choose to use external email accounts rather than the government-approved ones for certain emails. The users are aware that government emails are archived and may be the subject of later legal actions or investigations, or be placed in public archives. For this reason, they have chosen to use Gmail addresses for certain subjects or contacts. This happened during the Bush presidency too, so that many subjects are absent from official correspondence.

What does this mean for your business or organisation? We are all prone to hacking attempts, though mainly for commercial gain by scammers seeking bank account numbers, credit cards, passwords and so on.

You need to brief email users on the perils of ‘spear phishing’ attacks and the spoofing of addresses. One negligent click on a smartphone could expose company details to the outside world.

And what are your corporate policies on people using Gmail, Yahoo and similar accounts for business or organisation communications? Is this acceptable? What happens when a smartphone is lost or the user leaves the business? Those emails may be lost with no auditable trace of what was agreed with clients, customers and so on.

It’s not just the White House that needs to review policy and security – these hackers may be targeting you.

Do you need to know more about our services and how Regents can assist you with computer forensics and data recovery? Simply go to our Contact Us page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.


Securing smartphones data

Recent sales figures indicating that worldwide sales of smartphones will increase by 60% and top half a billion units in 2011 confirm what most people already knew: smartphones are no longer just for top executives or city-hopping businesspeople.

Smartphones – notably the iPhone and those running the Android OS – allow a user to check multiple email accounts, browse the web, track appointments, record video and voice, use GPS, do online banking, tinker with a host of free apps and, oh, make phone calls.

This means that smartphones now hold intricate data about the user of the phone: details of their emails, web surfing history, calls made to and from the phone, SMS messages sent and received, and where the phone may have travelled, just for starters. Most of this information may be personal to the user, but much of it belongs to the company or organisation that owns the phone. Should the phone be lost or stolen, this creates a serious security issue if it falls into the wrong hands.

In an effort to reduce the risk to the company or organisation’s data, the IT department issuing the smartphones should co-operate with senior management and the risk / security officer to address the basics of smartphone security:

  • Anti-virus response – this should be the same as for emails received on a PC: if you don’t recognise the sender, or there is a suspicious attachment, don’t open or download it.
  • Bluetooth – this can be an open door with a welcome mat! Disable it unless you are highly conversant with the password / encryption settings.
  • Run frequent asset checks to ensure that all smartphones are being used properly and haven’t been passed to a spouse or partner to watch movies on.
  • Solicit feedback on security issues from similar sized companies who have already implemented smartphones.
  • Look to selecting only a handful of smartphone models so as to avoid excessive support and update effort for the fleet of phones.
  • Prefer smartphones which support key features such as encryption, remote wipe and password locking.
  • Develop a written smartphone security policy and procedures that govern acceptable use, monitoring and the responsibilities of the user (e.g. what to do if the device is lost or stolen).
  • Actively monitor security vulnerabilities for the smartphones and any newly reported attacks on these types of devices.
  • Ensure that the devices in the field can be updated quickly to fix security issues once discovered.


Better password protection by ‘Naked Password’

Most people are lazy when it comes to using computers properly. People are even lazier when it comes to selecting a password for accessing their computer or web service. Computer security seems to be a keystroke too far.

The more complex a password is, incorporating upper and lower case letters, numbers and symbols, the better. This protects the password from a brute force or dictionary attack by a hacker or unauthorised user. Alas, most people either don’t realise the importance of choosing a complex password or are just not motivated enough to come up with a suitably complex one.

Enter a useful little plug-in called “Naked Password” which could make choosing a password a whole lot more interesting.

“Naked Password” rewards the selection of more secure passwords with images of an attractive, sexy woman named ‘Sally’. As the user types in each irregular character, such as an upper case letter, ‘Sally’ removes one more item of clothing. It will certainly work with some of the people I know working in our office. “Naked Password” is a jQuery plug-in with a racy 8-bit striptease.

Of course, an image of a stripping model may not motivate everyone, women for example. With some tweaking to offer a different image, such a handsome male or else something like a seal doing tricks, may make “Naked Password” a viable offering for all genders and age types.

“Naked Password” is certainly onto something and if by adding some fun by viewing a reward image and generating some proper excitement to lessen the chore of entering long and variable passwords then it should be welcomed.
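The scoring such a meter needs, as an added example written for this page rather than code from the Naked Password plug-in: it records which character classes a password uses, estimates the brute-force search space in bits, and treats a hit on a small constructed list of common passwords as fatal no matter how many classes are present. The common-password list is an assumption for the demo, not a real breach list; it runs under Node.js with no dependencies.

```javascript
// Added example, not code from the Naked Password plug-in: a password
// strength estimator of the kind such a meter needs. It records which
// character classes are present, estimates the brute-force search space in
// bits, and treats a hit on a (constructed) list of common passwords as
// fatal regardless of how many classes are used. Node.js, no dependencies.

// Constructed sample of passwords an attacker tries first (assumption, not
// a real breach list).
const COMMON_PASSWORDS = new Set([
  'password', 'password1', '123456', 'qwerty', 'letmein',
  'welcome', 'admin', 'iloveyou', 'monkey', 'dragon',
]);

// Each character class and how many symbols it adds to the alphabet an
// attacker must search per position (33 = printable ASCII punctuation).
const CLASSES = [
  { name: 'lower',  re: /[a-z]/,        size: 26 },
  { name: 'upper',  re: /[A-Z]/,        size: 26 },
  { name: 'digit',  re: /[0-9]/,        size: 10 },
  { name: 'symbol', re: /[^A-Za-z0-9]/, size: 33 },
];

// Names of the classes present in the password, e.g. ['lower', 'digit'].
function charClasses(password) {
  return CLASSES.filter(c => c.re.test(password)).map(c => c.name);
}

// Search-space size in bits for an attacker who knows the length and which
// classes are used: log2(alphabet ** length) = length * log2(alphabet).
function bruteForceBits(password) {
  const alphabet = CLASSES.filter(c => c.re.test(password))
                          .reduce((n, c) => n + c.size, 0);
  return alphabet === 0 ? 0 : password.length * Math.log2(alphabet);
}

// True when the password, once the usual "capitalise and append a digit or
// symbol" mangling is undone, is on the common list. "Password1!" uses all
// four classes yet is still caught here.
function isCommon(password) {
  const lowered = password.toLowerCase();
  const stripped = lowered.replace(/[^a-z0-9]/g, '').replace(/[0-9]+$/, '');
  return COMMON_PASSWORDS.has(lowered) || COMMON_PASSWORDS.has(stripped);
}

// Assessment a meter would display: level 0..4. Common passwords and anything
// under eight characters score 0 whatever classes they contain; above that
// the level follows the estimated bits, so length counts as much as variety.
function assessPassword(password) {
  const bits = bruteForceBits(password);
  const common = isCommon(password);
  let level = 0;
  if (!common && password.length >= 8) {
    level = bits < 40 ? 1 : bits < 60 ? 2 : bits < 80 ? 3 : 4;
  }
  return { classes: charClasses(password), bits: Math.round(bits), common, level };
}

// Stand-alone demonstration over a few constructed inputs.
for (const pw of ['Password1!', 'abcdefgh', 'Tr0ub4d&3', 'correct horse battery staple']) {
  console.log(JSON.stringify(pw), assessPassword(pw));
}
```

The four sample inputs make the two caveats concrete: "Password1!" uses every class and still scores 0 because stripping the decoration leaves a common word, while the long all-lower-case phrase outscores the short nine-character mix of every class purely on length.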


Mobile phone hacking scandal rumbles on

It is four years since the phone-hacking scandal at the News of the World [the leading UK Sunday newspaper] saw the newspaper's former royal correspondent, Clive Goodman, jailed for his part in hacking into the mobile phone voicemails of Princes William and Harry. It appears that Clive Goodman was so desperate for a ‘story’ that he engaged a private investigator, Glenn Mulcaire, to hack into the Princes' voicemail messages for leads and gossip.

The two were found out when members of the Royal household noticed that messages they had yet to listen to were marked as ‘read’, and when Clive Goodman published a vanilla story in the News of the World about one of the Princes having medical treatment for his knee, almost word for word from a voicemail left for the Prince.

Four years ago the News of the World claimed that the phone hacking was the work of one misguided journalist and the private investigator, Glenn Mulcaire. The Metropolitan Police investigated, there was enough evidence to prosecute the two, and they both went to gaol. That was the end of that.

But it wasn't. Rumours swirled that many journalists at the News of the World had used Glenn Mulcaire to gain access to the voicemail of celebrities and even senior politicians. Further allegations surfaced that the Metropolitan Police held stacks of evidence showing the phone hacking went far beyond the two Princes and involved far more journalists at the paper, yet the Police were flaccid in their investigation, followed by suggestions that senior officers had relationships with the publishers of the News of the World. Lord Prescott, former Deputy Prime Minister and an alleged victim of the phone hacking, is now seeking a judicial review of Scotland Yard's handling of the investigation.

But the matter was kept alive by the Guardian and the New York Times, both direct competitors of the publishers of the News of the World. Things were further complicated when Andy Coulson, former editor of the News of the World, was appointed media advisor to David Cameron, the newly elected Prime Minister.

Coulson has denied knowing of the hacking, but many doubt the claim. In court testimony for another matter, Andy Coulson repeated under oath the refrain that the phone hacking was the work of one isolated journalist. Yet Coulson must have known that Glenn Mulcaire was officially being paid £100,000 per year plus additional cash handouts: for doing what, exactly? Some wonder whether fresh evidence could disprove Coulson's sworn testimony and expose him to a charge of perjury. Stranger things have happened.

And now the stonewall put up by the News of the World has some serious cracks in it. Each week in the UK another celebrity announces legal action against the paper, claiming that their privacy was invaded by the phone hacking.

Some celebrities are taking separate legal action against Glenn Mulcaire directly, while he in turn is appealing against a decision requiring him to divulge which News of the World journalists hired him to hack the phones.

The Police have now admitted that they seized multiple pages of phone details from Glenn Mulcaire with first names handwritten on each, supposedly noting which journalist at the News of the World had requested the information. Will Mulcaire declare who ordered which phones to be hacked? Will he name names? The News of the World news editor, Ian Edmondson, has been suspended amid allegations relating to the hacking of actress Sienna Miller's phone.

Lawyers acting for alleged victims suggest there may have been thousands of them. Around 3,000 phone numbers were listed in documents seized by the Police in 2006, and Glenn Mulcaire's telephone records show multiple calls from his own phone to numbers used by celebrities: the trail of evidence should be fairly easy to follow. How vigorously will the Police pursue it this time round?

This one will run and run.

How was the phone hacking conducted?
On many mobile networks, voicemail can be retrieved remotely by dialling an access number and entering the mobile phone number followed by the PIN. Nothing in that exchange proves the caller owns the phone, so the PIN is the only control standing between an outsider and the messages.

Often the user leaves the PIN at the default (usually ‘0000’) or chooses a simple one such as 1234 or 1111. Alternatively, the hacker may obtain the PIN by dumpster diving or under a pretext, calling the phone provider while pretending to be the owner and asking for the PIN.

How to protect yourself from phone hacking?

  • Choose an irregular PIN: not the default, not a repeated digit, not a run such as 1234 or 4321, and not a year or date; one picked at random is best
  • Do not record the PIN anywhere accessible, e.g. on a post-it note on your desk or in your diary
  • Change your PIN every few months
  • Watch for voicemail messages marked as already accessed before you have listened to them
  • Report any suspicions to your mobile phone provider and insist that they investigate
  • Do not give your PIN to anyone else

In the meantime, wasn’t it The Jam that sang the lines:

Each morning our key to the world comes through the door
More than often it's just a comic, not much more
Don’t take it too serious – not many do
Read between the lines and you’ll find the truth

Read all about it, read all about it – news of the world

Read all about it, read all about it – news of the world

Do you need to know more about our services and how Regents can assist you with mobile phone forensics or computer forensics? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Vodafone Australia hit by privacy breach

Vodafone Australia has launched an internal investigation into a security breach that put invoicing and call records on a publicly accessible website protected only by passwords that are changed monthly. Allegedly, anyone with a Vodafone login could view sensitive personal data.

A Vodafone spokesperson claimed that customer details were not available on the internet. “Customer information is stored on Vodafone’s internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password”.

Vodafone also faces the prospect of the privacy concerns being investigated by the Office of the Privacy Commissioner. The Commissioner has the power to conduct an investigation on behalf of affected customers and to direct that compensation be paid to them. However, it appears that the Commissioner does not have the power to fine Vodafone directly for a data breach.

The main issue from preliminary reports is that Vodafone allowed customer details, including names, addresses, call records and charges, to be reachable via a public website protected only by a password. It is unclear whether separate individuals were issued the same login and password; if so, tracing exactly who accessed which data, and whether they had reasonable cause to do so, becomes very difficult.

A further issue is how much of the activity of those logging in was recorded. Without a robust record to audit, Vodafone cannot know how many records were accessed without authority, which complicates any compensation claims. Vodafone declined to specify what logs it maintains, saying it did not want to hand out information that could help hackers.

This incident comes at a difficult time for Vodafone, which faces several possible lawsuits over alleged quality-of-service issues for customers in Australia, including outages said to result from its 3G network upgrade.

System logs & Auditing
Keeping track of what your IT system is actually doing is one of the most important, but tedious, parts of good IT security management. Without sufficient logs of activity on the system [log-ins, file and database access, downloads, changes to data, emails etc.], an effective and meaningful audit is not possible.

Retention depth matters just as much: if logs are kept for only four weeks but the suspicious activity occurred two months ago, no useful audit can be undertaken. As the cost and physical size of storage continue to fall, any security process should specify both what is logged and for how long it is kept.

The need for an audit is usually triggered by one of the following:

  • A reported security lapse from an investigation, physical inspection or alert from a third party, as was the case for Vodafone, tipped off by a journalist
  • Activity hits a specified event trigger, such as a spike in activity for certain usernames or access to areas that are not normally permitted
  • A review required by the CIO or by an external audit team checking the system in line with procedures

Whenever a data breach is alleged or detected, one of the first steps for investigators is to review the logs for access to the system and data. Matching event logs to suspicious log-ins and activity is part and parcel of an audit. Other information, such as physical access records for buildings or particular offices, originating IP addresses and MAC addresses of machines, may also be cross-referenced to determine the nature and extent of the breach.

Other important security steps for being able to mount an effective audit include:

  1. Passwords – all passwords should be changed periodically, and previous passwords must not be reused
  2. Usernames – all usernames should be unique, with one account per person: shared logins, as suspected at Vodafone, make it impossible to say who did what. Mixing letters and numbers, e.g. ANART22 or 25-IPIO, slightly hinders guessing, though a username is not a secret and is no substitute for a strong password
  3. Usernames – they should also avoid the obvious, such as the user's first or last name or the name of the town or branch, e.g. David or Auburn
  4. Log-in failures – every unsuccessful log-in should be recorded and conveyed to the user and administrator, so that attempted hacking can be detected
  5. IP addresses – record the originating IP address of every log-in and plot them geographically [bearing in mind that the address may belong to a proxy, VPN or compromised machine rather than to the person behind the keyboard]
  6. Account management – log whenever user accounts are added, modified or deleted
  7. Object access – log whenever sensitive files, folders and other system objects are opened, closed or otherwise “touched”
  8. Privilege use – log whenever users exercise privileges assigned to them beyond their regular activity
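The triggers and audit steps above, run as code over a handful of constructed log lines, as an added example written for this page (not from the original post): a burst of failed log-ins for one username, a read of an area the username is not permitted to use, a successful log-in from an address never seen before for that user, and a retention window that silently drops the oldest event. The line format, the usernames, the permitted areas, the 28-day retention and the IP addresses (RFC 5737 documentation ranges) are all assumptions for the demo. Node.js only.

```javascript
// Added example, not from the original post: the audit triggers and checks
// described above run over constructed log lines. The line format, the
// usernames, the permitted areas and the IP addresses (RFC 5737
// documentation ranges) are assumptions made for this demo. Node.js only.

// Constructed sample log: ISO timestamp followed by key=value fields.
const SAMPLE_LOG = `
2010-11-01T10:00:00Z user=ANART22 ip=203.0.113.9 action=read object=billing/call_records result=success
2011-01-09T08:55:10Z user=ANART22 ip=203.0.113.7 action=login result=success
2011-01-09T09:01:02Z user=ANART22 ip=203.0.113.7 action=read object=crm/accounts result=success
2011-01-10T02:14:01Z user=25-IPIO ip=198.51.100.23 action=login result=failure
2011-01-10T02:14:09Z user=25-IPIO ip=198.51.100.23 action=login result=failure
2011-01-10T02:14:20Z user=25-IPIO ip=198.51.100.23 action=login result=failure
2011-01-10T02:14:31Z user=25-IPIO ip=198.51.100.23 action=login result=failure
2011-01-10T02:14:45Z user=25-IPIO ip=198.51.100.23 action=login result=success
2011-01-10T02:15:30Z user=25-IPIO ip=198.51.100.23 action=read object=billing/call_records result=success
2011-01-10T09:29:00Z user=ANART22 ip=198.51.100.40 action=login result=success
2011-01-10T09:30:00Z user=ANART22 ip=198.51.100.40 action=read object=crm/accounts result=success
`;

// Which areas each username is permitted to read (assumption).
const PERMITTED = {
  'ANART22': ['crm/accounts'],
  '25-IPIO': ['crm/accounts', 'support/tickets'],
};

// One line -> { ts: Date, user, ip, action, object?, result }.
function parseLine(line) {
  const [ts, ...fields] = line.trim().split(/\s+/);
  const ev = { ts: new Date(ts) };
  for (const f of fields) {
    const i = f.indexOf('=');
    ev[f.slice(0, i)] = f.slice(i + 1);
  }
  return ev;
}

function parseLog(text) {
  return text.split('\n').filter(l => l.trim()).map(parseLine)
             .sort((a, b) => a.ts - b.ts);
}

// Depth of logs: events older than the retention window do not exist for
// the auditor at all. Split them out so the report can say what was lost.
function splitByRetention(events, retentionDays, now) {
  const cutoff = now.getTime() - retentionDays * 86400 * 1000;
  return {
    retained: events.filter(ev => ev.ts.getTime() >= cutoff),
    lost: events.filter(ev => ev.ts.getTime() < cutoff),
  };
}

// Trigger: a burst of failed log-ins for one username inside a sliding
// window. Reported once, when the count first reaches the threshold.
function failedLoginBursts(events, threshold = 3, windowMs = 5 * 60 * 1000) {
  const recent = new Map(); // user -> timestamps of failures inside the window
  const hits = [];
  for (const ev of events) {
    if (ev.action !== 'login' || ev.result !== 'failure') continue;
    const t = ev.ts.getTime();
    const times = recent.get(ev.user) || [];
    times.push(t);
    while (t - times[0] > windowMs) times.shift();
    recent.set(ev.user, times);
    if (times.length === threshold) hits.push({ user: ev.user, ip: ev.ip, at: ev.ts.toISOString() });
  }
  return hits;
}

// Trigger: reading an area the username is not permitted to use.
function unauthorisedAccess(events, permitted) {
  return events
    .filter(ev => ev.action === 'read' && !(permitted[ev.user] || []).includes(ev.object))
    .map(ev => ({ user: ev.user, object: ev.object, at: ev.ts.toISOString() }));
}

// Cross-reference: a successful log-in from an IP address not previously seen
// for that username. A lead, not proof: the address may be a proxy or VPN.
function loginsFromNewIps(events) {
  const seen = new Map(); // user -> Set of IPs already used
  const hits = [];
  for (const ev of events) {
    if (ev.action !== 'login' || ev.result !== 'success') continue;
    const ips = seen.get(ev.user) || new Set();
    if (ips.size > 0 && !ips.has(ev.ip)) hits.push({ user: ev.user, ip: ev.ip, at: ev.ts.toISOString() });
    ips.add(ev.ip);
    seen.set(ev.user, ips);
  }
  return hits;
}

// Runs every check over the retained events; `now` and the 28-day retention
// are assumptions for the demo.
function runAudit(text = SAMPLE_LOG, retentionDays = 28, now = new Date('2011-01-11T00:00:00Z')) {
  const { retained, lost } = splitByRetention(parseLog(text), retentionDays, now);
  return {
    bursts: failedLoginBursts(retained),
    unauthorised: unauthorisedAccess(retained, PERMITTED),
    newIps: loginsFromNewIps(retained),
    lostToRetention: lost.length,
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

With the 28-day window the audit reports one burst, one unauthorised read and one log-in from a new address, and quietly drops the November read of the call records by ANART22, which is the earliest and arguably most interesting event in the sample; rerun with `runAudit(SAMPLE_LOG, 365)` and that event reappears as a second unauthorised access.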

Do you need to know more about our services and how Regents can assist you with preventing information loss and investigating security breaches? Simply go to our Cyber Threats page or our Contact Us page for our phone numbers, or send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.