Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.
Currys PC World issues Customer update on Dixons Carphone breach
Today customers of Currys PC World (part of the Dixons Carphone group) have received email updates on the continued investigation into the massive data breach that was disclosed earlier this year.
Dixons Carphone now believe that approximately 10 million records containing personal customer information may have been accessed during the breach that occurred in 2017. Recent evidence shows that data was exfiltrated from their systems, but they have confirmed that this data did not include any bank or payment card details.
Email received by customers:
The link below provides an account of the update from Dixons Carphone and also includes an FAQ of what happened and how customers may be affected.
During the initial disclosure on 13th June, NCSC provided a statement on their involvement with investigating the breach, along with guidance for any customers that may be affected.
Butlins confirm hackers gained access to guest records
The data breach bad news just keeps on flowing, this time with Butlins, the holiday camp chain. A report by City AM states that up to 34,000 guests may have had their details accessed by an unauthorised third party.
At this point details are very limited, but it is understood that names, holiday booking details, postal and email addresses and phone numbers have been accessed. Butlins are in the process of contacting those customers that may have been affected, but they believe that no payment-related data has been exposed.
Butlins provided the following response:
“Butlin’s take the security of our guest data very seriously and have improved a number of our security processes. A dedicated team has been set up to contact all guests who may be affected directly. I would like to personally reassure guests that no financial data has been compromised.”
Salesforce API Data Leak
This week saw Salesforce report an issue with potential access and data leakage between customer accounts on their platform.
Salesforce, the cloud-based CRM (Customer Relationship Management) software provider, posted a warning notice indicating that a Marketing Cloud related change to their system had introduced a bug that meant certain REST APIs could retrieve or write data from one customer account to another.
The change was carried out between 4th June and 7th July, with the Salesforce Security team being made aware of the issue on 18th July. An emergency change was made on the same day to resolve the issue.
Although it is unclear whether any malicious activities took advantage of this flaw, or whether it resulted in any personal information being disclosed, it is recommended that Salesforce customers using REST APIs review their data and its integrity.
Official notice from Salesforce: https://help.salesforce.com/articleView?id=Email-Studio-and-Predictive-Intelligence-REST-API-Issue&language=en_US&type=1
NCSC report commitment to the CCP Scheme
For any fellow CCPs out there, the NCSC have finally released an update on the future of the Cyber Certified Professional scheme. The CCP scheme, formerly known as the CESG Certified Professional, was created by CESG as a replacement for the CLAS (CESG Listed Advisor Scheme) consultant certification.
Since CESG became the National Cyber Security Centre in 2016, the CCP certification has been left in limbo, with no clear direction on the future of the scheme. Thankfully, a year on from the last update, NCSC have confirmed their commitment to the CCP programme.
The CCP was created to clearly identify Cyber professionals with the necessary skills, knowledge and industry experience to carry out the specific roles defined in the scheme (e.g. IA Auditor, Accreditor, Architect etc.).
NCSC have recognised that overall the CCP needs to be reviewed and updated. Several planned changes are aimed at making the CCP less government specific, aligning it with the wider Cyber security community. The roles are expected to change, along with the application process, which will move away from the practitioner, senior and lead levels in order to recognise specialists in each new role.
These changes are already underway, but don’t expect to see any immediate changes to the scheme, as the plan is to have a pilot ready for some time in 2019.
Further updates are due to follow from NCSC next month, so stay posted.
Let’s Encrypt now trusted by Major Root providers
Let’s Encrypt released some great news this week, that their Root Certificate Authority is now trusted across all the major root providers.
Let’s Encrypt is an automated and open certificate authority, established to help the public adopt secure websites (using HTTPS), all free of charge. Basically, if you own a website / domain name you can use LE to obtain a trusted certificate at zero cost.
LE were just waiting on Microsoft to complete the list; with Microsoft now joining Google, Apple, Mozilla, Oracle and Blackberry, LE no longer need to rely purely on their third-party trust association with IdenTrust.
For a website certificate to be trusted it needs to be issued by a Certificate Authority that is trusted globally by mainstream products and services. This meant that in the early days LE had to use an existing trusted CA (IdenTrust) to be indirectly trusted and issue their certificates, while they established their own global trust.
Now that all the major browsers, operating systems and devices directly trust the Let’s Encrypt CA, they have an easier path to continuing their journey of securing the internet. Although, as there is still a large number of old devices out there, it may still take several years before this trust process is fully completed.
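As an added illustration of the indirect trust described above (example code, not from the original post or from Let’s Encrypt), the following script uses throwaway OpenSSL keys to build one intermediate that is both issued by the CA’s own root and cross-signed by an older root, then checks which chains a client validates depending on which root it trusts. The CA names are constructed placeholders: “le-root” stands in for the CA’s own root and “legacy-root” for an already-trusted root such as IdenTrust.

```shell
#!/bin/sh
# Added example (not from the Ironshare post or Let's Encrypt): models the
# cross-signing arrangement with throwaway keys. All names are constructed.
# Requires the openssl command-line tool.
set -e

# Build one intermediate key with two certificates for it: one issued by the
# CA's own root and one cross-signed by the legacy root. Prints the work dir.
build_chains() {
  work=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$work/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$work/leaf.ext"
  for n in le-root legacy-root intermediate leaf; do
    openssl genrsa -out "$work/$n.key" 2048 >/dev/null 2>&1
  done
  for n in le-root legacy-root; do   # two independent self-signed roots
    openssl req -new -key "$work/$n.key" -subj "/CN=$n (constructed)" \
      -out "$work/$n.csr" >/dev/null 2>&1
    openssl x509 -req -in "$work/$n.csr" -signkey "$work/$n.key" -days 30 \
      -extfile "$work/ca.ext" -out "$work/$n.crt" >/dev/null 2>&1
  done
  openssl req -new -key "$work/intermediate.key" -subj "/CN=intermediate (constructed)" \
    -out "$work/intermediate.csr" >/dev/null 2>&1
  for root in le-root legacy-root; do  # same CSR and key, two different issuers
    openssl x509 -req -in "$work/intermediate.csr" -CA "$work/$root.crt" \
      -CAkey "$work/$root.key" -CAcreateserial -days 30 -extfile "$work/ca.ext" \
      -out "$work/intermediate-by-$root.crt" >/dev/null 2>&1
  done
  # The site certificate is signed once, by the intermediate key; either
  # intermediate certificate can sit above it in the chain a server sends.
  openssl req -new -key "$work/leaf.key" -subj "/CN=www.example.test" \
    -out "$work/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/intermediate-by-le-root.crt" \
    -CAkey "$work/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$work/leaf.ext" -out "$work/leaf.crt" >/dev/null 2>&1
  echo "$work"
}

# verify_leaf DIR TRUSTED_ROOT SERVED_INTERMEDIATE: exit 0 when a client that
# trusts only TRUSTED_ROOT can validate leaf.crt via the served intermediate.
verify_leaf() {
  openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/leaf.crt" >/dev/null 2>&1
}

d=$(build_chains)
# Old client with only the legacy root: needs the cross-signed intermediate.
verify_leaf "$d" legacy-root.crt intermediate-by-legacy-root.crt && echo "legacy root + cross-signed chain: OK"
verify_leaf "$d" legacy-root.crt intermediate-by-le-root.crt || echo "legacy root + direct chain: rejected"
# Client that trusts the CA's own root directly, as the article describes.
verify_leaf "$d" le-root.crt intermediate-by-le-root.crt && echo "own root + direct chain: OK"
```

The last check is the situation the article reaches: once a client trusts the CA’s own root, the cross-signed intermediate is no longer needed for it, while older clients still validate through the legacy root.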
Microsoft TLS Certificate change
Microsoft Office 365 – Exchange Online are making some changes to the certificates used by their servers. Starting on 3rd September, Microsoft will begin rolling out the new TLS certificate to its services.
If your organization has not taken intentional steps to restrict your on-premises mail servers from accessing non-authorized domains and has not enabled extra validation of the Exchange Online certificate issuer, this will not impact you.
If you have made such restrictions, you will need to ensure that your mail servers are able to access the following endpoints from your network as part of validating the new certificate:
If you or your organization’s partners perform extra validations, those details such as the Certificate authority root issuer can be found by clicking on the Additional Information link below.
That’s it for this edition, but please stay tuned for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
You can also follow us using the social media links provided.
If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview
Ironshare – Security Simplified
Edition #3 – 10th August 2018