Carphone Warehouse hack via an IP security device?
Have you started the move to IP security systems? If so you may want to read this article.
The UK Information Commissioner’s Office (ICO) says it’s investigating a recent breach at UK and Ireland phone retailer Carphone Warehouse. It is believed that this breach may have exposed as many as 2.4 million customers’ names, addresses, birthdates and bank information, along with up to 90,000 customers’ encrypted credit card data.
The Guardian reported that approximately 480,000 of those affected are TalkTalk Mobile customers, and 1.9 million are direct customers of Carphone Warehouse.
A spokesperson for the ICO said, “We have been made aware of this incident at the Carphone Warehouse and are making enquiries. Any time personal data ils are lost there can be a risk of identity theft. There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings.”
However, what has not been said and, if you examine hundreds of other data breaches, is how it was done. An assumption is that the network had been penetrated by some form of injected malware.
Egress Software Technologies, a leading provider of encryption services, has released figures from a Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO) that demonstrate a concerning 183% rise in reported Data Protection Act (DPA) breach investigations within the financial services industry in the last two years. This increase saw an alarming 585 incidents reported to the ICO during 2014 alone – more than three times the amount of incidents reported by the legal sector for the same period, which reported 187. In total, 791 incidents have been investigated since the start of 2013.
Phil Barnett, EMEA VP and GM of Good Technology, said, “Many companies are still flying blind when it comes to security, because 60 percent think it doesn’t affect them.”
Informatica, a leading independent software provider of all things data, revealed that only a quarter of UK businesses believe their organisation could detect a data breach at any time, and just 33 percent say their organisation is ‘very good to excellent’ at detecting and containing breaches. Meanwhile, nearly half (49 percent) of respondents admit to having experienced a breach in the past 12 months.
So how do the data thieves get access to the system to cause so much havoc? In reality, there are many different vulnerabilities and it is becoming increasingly more complex to stay ahead of those who seek to exploit them. Once a data breach has happened, companies, quite understandably, are very reluctant to say how someone got into their system. Therefore, trying to pull together a comprehensive list of lessons learned in order to educate others, and look to counter the problem, is near impossible.
In 2013, Reuters reported that Craig Heffner, a US security expert, said he had identified ways to remotely attack high-end surveillance cameras used by industrial plants, prisons, banks and the military - something that potentially would allow hackers to spy on facilities or gain access to sensitive computer networks. On claiming that he had discovered the previously unreported bugs in digital video surveillance equipment, he stated, “It’s a significant threat. Somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.”
Reported in Wired.com, Justin Cacak, Senior Security Engineer at Gotham Digital Science, and his team were able to view footage as part of penetration tests they conducted for clients to uncover security vulnerabilities in their networks. The team found that more than 1,000 closed-circuit TV cameras, that were exposed to the internet, were susceptible to remote compromise.
Earlier this year researchers from Rapid7 found similar vulnerabilities in video- conferencing systems. The researchers found they were able to remotely infiltrate conference rooms in some of the top firms in the US, including the boardroom of Goldman Sachs.
At the London InfoSecurity Europe conference and expo held in June, David Lodge and his team from Pen Test Partners demonstrated a live hack of a commercially available IP CCTV camera. “I came across a popular “security” camera; it boasts outdoor design, wireless connectivity, infra-red mode, cloud access, and mobile app control. All of this functionality came at a semi- decent price,” he said.
As the SecurityNewsDesk team watched, Lodge and his team demonstrated how they had identified and then exploited some dodgy ports and a default administrator password on a web interface. “Too easy” was the cry, so they went on to crack the camera’s firmware, web firmware and then had a go at the cloud features. All they used were a few tools that had been downloaded from the web and a bit of research (as well as a bit of knowledge in how to crack systems).
What the demonstration showed is how easy it was to break into a network from outside through an IP device. The worrying message that comes out of this is that any IP system is a potential route into a network - and network breaches are resulting in massive data loses.
The question is, how secure are your IP devices?