It looks like the Meltdown and Spectre fiasco is only just getting warmed up. Security researchers at antivirus testing firm AV-TEST have discovered more than 130 samples of malware that attempts to leverage the Meltdown and Spectre vulnerabilities. The malware samples analysed by AV-TEST appear to be mostly Poof-of-Concept code, and still in the research phase, however, it is believed that cyber criminals will be similarly experimenting with malware that utilises these vulnerabilities.
Norton has just released their annual Cyber Security Insights Report, which analyses the effects of cyber crime around the world. One of the key findings of this report is that when it comes to cyber security, “consumers are overconfident in their security prowess, leaving them vulnerable and enabling cyber criminals to up the ante this year, which has resulted in record attacks”. Over the course of 2017, the report estimates that over 978 million adults in 20 countries around the world experienced cyber crime. These attacks cost consumers an estimated €150 billion.
While most people stated that cyber security was important to them, one third of people stored their passwords insecurely and one fifth admitted to using the same password across all sites they use. Over half of the respondents reported either they or someone they knew had been a victim of cyber crime, with the average cyber crime victim spending almost three full working days recovering from the attack.
“When it comes to cyber security, consumers are overconfident in their security prowess, leaving them vulnerable and enabling cyber criminals to up the ante this year, which has resulted in record attacks.”
Carphone Warehouse have been ordered to pay a fine of £400,000 (over €450,000) to the UK Information Commissioner’s Office, one of the largest fines the ICO has ever issued to a company. A data breach at Carphone Warehouse occurred in 2015, which subsequently led the ICO to investigate the company and discovered a series of “systematic failures” in security practice. The severity of the fine reflected the fact that up to 3 million customers’ data was compromised, in addition to the data of a further 1000 employees. The data itself was also considered extensive by the ICO, as names, addresses, phone numbers, marital status and dates of birth were all leaked. It is further believed that some 18,000 customers had payment card details leaked as well.
The £400,000 fine issued to Carphone Warehouse was one of the largest issued by the ICO. Over 3 million records were compromised in the breach.
2018 certainly knows how to make an entrance. The Christmas turkey has barely been finished and we’re told that nearly every electronic device on the planet with an Intel processor (from servers to PCs, smart devices and more) are susceptible to not one, but possibly two of the worst critical hardware related flaws ever known (Meltdown & Spectre). Flaws that can allow a hacker to steal your data without a hint of detection. In cases like these we often hear “but I have the latest next generation antivirus software”, but it’s not going to help you here I’m afraid. “And I have the latest next generation firewall and a state of the art SIEM solution just installed” – no good for fixing this either. You may even be really good and have your staff trained in security awareness and your systems backed up offsite – but unfortunately neither will address the root cause of this global issue. Even Santa couldn’t help fix this one – that’s how serious this is.
The hardware flaws have been aptly named “Meltdown” and “Spectre”. They sound like something straight out of a James Bond spy movie – and to be honest – the names aren’t far off, given if exploited, spying on you is exactly what a hacker could do. Predictions have already come in from experts that this could be the biggest disaster in IT history, and similar to the KRACK WiFi vulnerability of last year, Meltdown and Spectre could take years to fully fix. While important workarounds are available in some cases and must be put in place (see below) , only a hardware redesign in processor architecture will truly lay these bugs to rest.
To make matters worse, now that the crafty hackers know about it and with the EU GDPR data protection regulation coming into force on the 25th May – we predict, this year is going to see some considerable cyber-attacks that will try to take advantage of at least one of these flaws which may result in some pretty serious data breaches and some serious GDPR related fines. Its time like these one would think “Why did we ever go paperless?”.
Dublin Zoo has admitted it has been hit by a scam in which cyber criminals were reportedly able to steal up to €500,000. The zoo has stated that they are cooperating with the Garda National Economic Crime Bureau in a case of invoice redirect fraud. While neither the Gardaí nor Dublin Zoo revealed the amount of money taken, sources have reported that it was up to €500,000, most of which was successfully recovered.