Posts Tagged ‘Personal privacy’
VTech, the provider of tech and toys to kids, have confirmed that they’ve suspended trading after a hack that saw 4.8 million customer details stolen. A spokesperson said that an “unauthorised party” accessed the data that was in VTech’s Learning Lodge app store last month.
The information that was included was profile info, which includes names, addresses, IP addresses, email addresses, history of downloads and secret answers to security questions. No password information was taken, and no credit card info was affected either.
Security analyst Troy Hunt has looked into all this, and said that, contrary to what VTech claimed, the passwords were not encrypted: “Once the passwords hit the database, they’re protected with nothing more than a straight MD5 hash, which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text.”
“The vast majority of these passwords would be cracked in next to no time; it’s about the next worst thing you do next to no cryptographic protection at all.”
This follows what seems to be an endless series of hacks, with the most notable happening with TalkTalk.
Hunt continued: “Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.”
Obviously, you should change your passwords and the like if you think this affects you. If you have any queries, VTech’s UK number is 01235 546810.
Fax: (01235) 546804
Hungryhouse has reset the passwords of thousands of their customers, after what was thought to be a data breach.
On Twitter this morning, the fast-food service said: “Hungryhouse have ourselves re-set a number of customer’s passwords as a preventative security measure against a 3rd party.”
If that doesn’t clear it up for you, then the email they sent around today should.
See? Nothing to worry about at all. Now you don’t have to worry about bored teenagers or terrorists knowing about how much pizza you can put away on a weekend.
Anyway, go and reset your password.
We’ve shrieked hysterically about Google’s smart thermostat – Nest – before, likening it to sci-fi horror where remote companies watch your every move, before ultimately singing ‘Daisy Daisy’ while trying to oversee your untimely death.
We might be overdoing it a bit. However, what doesn’t help is that Nest has a camera that watches you in your home, and a team at ABI Research found that, even when the camera is “off,” it still draws around the same amount of info as it does when it is fully powered.
Basically, you might think you’ve turned it off, but you haven’t. Kill it with fire. Or throw some undercrackers over it.
A spokesperson for Nest Labs told the BBC: “When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time.” So, standby mode then. Either way though, this is an ‘always on’ camera in your house, and this is Google (or Alphabet if you prefer) we’re talking about here. A company that not only wants to watch you at home, but also wants to store your DNA through the chilling 23andMe wing.
The Nest spokesperson continued: “When Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings.” While that may do for some, there are going to be concerns over Google storing hours of footage of you at home in their cloud. Imagine the outpouring of hate that’ll happen if their servers get hacked.
For a slightly longer answer, May thinks that some websites are ‘safe havens’ for criminals, and now she wants to see new laws which give authorities the chance to access everyone’s information. It looks like she’ll want to get rid of encryption, and that all your internet history would be recorded, so authorities can look at it whenever they want, without having to get permission from anyone. They want to keep everything you do online, on record, for a year.
They also want to be able to see who you’ve texted and emailed too. If your messages are encrypted, the company keeping your messages private must hand over data to authorities if asked.
With the hacks and leaks that have been doing the rounds lately, there’s just concern about anyone holding all this private information on everyone with an internet connection.
The draft bill underlines a want for powers for the bulk collection of large volumes of communications and other personal data by MI5, GCHQ, MI6, and for the introduction of “equipment interference powers”. This all means that computers and phones can be hacked whenever they want, in the name of national security.
Of course, the stupid thing here is that actual criminals won’t be arranging serious crimes on Facebook Messenger or anything like that, so it looks like they just want to snoop on everyone else, which is going to worry many. It won’t worry the kind of people who say “well I’ve done nothing wrong, so they can look through all my stuff if they want”, but you can’t do anything about those people.
The Home Office has published the Investigatory Powers Bill in the House of Commons, which means it’ll be examined by both Houses of Parliament. There’ll be a final vote on the whole thing at some point in 2016. We suspect there’ll be some legal action thrown at the government before then.
How To Stay Anonymous Online
If you want to browse the internet anonymously, the first place to start is with the free Tor Browser. We won’t bore you with the ins-and-outs of the whole thing, but basically, it puts your web traffic through Tor’s network, and makes it anonymous and encrypts the shit out of it. It isn’t wholly anonymous, but it isn’t far off.
You can send emails through web services in Tor Browser too, but you’d need an email account that doesn’t reveal any personal information about you. One to look at is Guerrilla Mail.
As for instant messaging, there’s Pidgin, Wickr, and Tor who have just released their own. You know how to work a phone or search engine, so get on those. As for your phone itself, there’s an app called Orbot that runs Tor on Android.
If you want to set up a VPN (Virtual Private Network), then click here for a VPN how to guide. There’s loads of tutorials online, if you want to vanish from the eyes of the government.
Vodafone are the latest to fall victim to a hack, with internet scallies getting access to around 2,000 customers’ details. We hope that the hackers aren’t doing this for attention, because we’re kinda bored by all these hacks now – they’ve lost their edge somewhat.
Anyway, Vodafone said that 1,827 accounts have been accessed, and they fear that criminals have customers’ names, mobile numbers, bank sort codes and the last four digits of their bank accounts, which is no good.
A Vodafone spokesman said: “This incident was driven by criminals using email addresses and passwords acquired from an unknown source external to Vodafone. Vodafone’s systems were not compromised or breached in any way.”
Vodafone started an investigation over the weekend, and have informed the National Crime Agency, Ofcom and the Information Commissioner’s Office. They’re not mucking about, like TalkTalk have been (and if you’re unimpressed with TalkTalk and want to leave them, check out our letter template so you can get out of your contract).
“Whilst our security protocols were fundamentally effective, we know that 1,827 customers have had their accounts accessed, potentially giving the criminals involved the customer’s name, their mobile telephone number, their bank sort code, the last four digits of their bank account,” continued Voda.
“Our investigation and mitigating actions have meant that only a handful of customers have been subject to any attempts to use this data for fraudulent activity on their Vodafone accounts. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts. These customers’ accounts have been blocked and affected customers are being contacted directly to assist them with changing their account details.”
As well as telling all the relevant authorities, Vodafone have also contacted all the banks of affected customers. Even if you think Vodafone are run by a bunch of gits, this is a fine way to deal with a crisis compared to some of their peers.
Visa, Sky TV, Amazon and Ticketmaster are also being targeted – busy time for the hackers, eh?
Now, British Gas are the latest to get in on the act, and have had to get in touch with around 2,200 people after account passwords and email addresses appeared online. The company say that their systems are secure and no payment info is at risk, but still, this doesn’t look very good does it?
The details of this leak will now be sent over to the Information Commissioner’s Office, so they can investigate what’s going on.
British Gas posted on Twitter: “A small number of customer details briefly appeared online but our systems are secure.” The follow-up email states that the information had not come from the company themselves.
Next week, we assume we’ll be writing an article about a massive bank keeping customers’ personal details in a brown paper bag which they’ve hidden behind a plant-pot, and a massive supermarket that keeps customer data safe behind a chocolate fire-guard.
The auditor in question is Andrew Skelton, who just so happens to have been sent to prison for eight years after he was convicted on a number of charges, including fraud by abuse of position.
He sent data to newspapers and uploaded information on 100,000 people to file-sharing sites. Why? He wanted revenge after he was told off at work. A fully grown adult there, getting revenge for being told off. Honestly.
According to JMW Solicitors, there are over 2,000 personnel participating in the joint case. Their data specialist, Nick McAleenan, said: “My clients’ position is that Morrisons failed to prevent a data leak which exposed tens of thousands of its employees to the very real risk of identity theft and potential loss.”
“In particular, they are worried about the possibility of money being taken from their bank accounts and – in the case of younger clients – negative consequences for their credit rating. Whenever employers are given personal details of their staff, they have a duty to look after them.”
Morrisons aren’t commenting on the case as yet, but this is more trouble for a supermarket that isn’t having the best of times at the moment. The chain dropped their nonsensical price match deal, but they did make a pizza that looked like a vagina, which is nice.
Now, M&S said that no-one’s details were compromised by the ‘internal technical problem’, but they said sorry, given that everyone is particularly jumpy about such things at the moment. Some people said they logged in and could see other people’s orders and payment details.
A spokesperson for M&S said that the whole thing was a “technical issue” and that customers may have been able to see the last four digits of another person’s payment card “for a brief moment”, but the actual card details are encrypted, so there’s no need to worry.
“There were no financial details compromised at all,” the spokesperson said; “We weren’t hacked by a third party. It was an internal technical problem.”
Another spokesperson added: “Due to a technical issue we temporarily suspended our website last night. This allowed us to thoroughly investigate and resolve the issue and quickly restore service for our customers. We apologise to customers for any inconvenience caused.”
This is all a bit embarrassing, seeing as there’s likely to be a number of new customers signing up to the site, thanks to the Sparks scheme.
The police have taken a 15-year-old boy in for questioning over the hack of the TalkTalk website, and he was held on suspicion of offences under the Computer Misuse Act. The police are also searching the kid’s home in County Antrim.
Imagine that. Being a massive company with loads of sensitive information, and having spent loads of money on various forms of security, some teenager in his bedroom manages to pull the rug from under it all.
TalkTalk said that they’d been the target of a ransom demand by the hackers, and what with it being someone so young, we can imagine that the demands were brilliant: “We want some new Jordans, a year’s supply of Wotsits, a can of Lynx, and an Olympic sized swimming pool full of Jagerbomb.”
Anyway, the customers of TalkTalk aren’t finding this very funny, as the company not only show a disregard for the private details of their customers, but also a remarkable lack of ability when it comes to managing a crisis. Still, at least TalkTalk told their customers to change their passwords, eh? That’ll comfort people who give money and personal details to a company that has had three cyber attacks in a year.
If you think you’ve been affected by the TalkTalk hack, you need to visit http://help2.talktalk.co.uk/oct22incident.
Following the arrest, TalkTalk said: “We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist in the ongoing investigation.”
After the TalkTalk hack, customers are rightly looking at taking their business elsewhere. Too frequently, people are looking at TalkTalk like they’re not taking security seriously enough, after a spate of breaches over the year.
So what happens if you want to leave? Well, as you know, most mobile companies will charge you a fee for leaving your contract early, but these are exceptional circumstances. A spokesperson for the firm told ThisIsMoney that those who wish to exit their contract early because of the hack will be ‘considered on an individual basis.’
With around 4 million potentially falling victim to the cyber attack, there’s a good chance that there’ll be something of an exodus on the cards.
The TalkTalk spokesperson said: “We are not going to be able to make a decision on a compensation today. The police are still carrying out their investigation to establish what has happened and the extent of information accessed.”
Dido Harding, chief executive of TalkTalk, said: “TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber-crime, impacting an increasing number of individuals and organisations. We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here.”
“As a precaution, we are contacting all our customers with information, support and advice around Wednesday’s attack.”
TalkTalk is pointing customers in the direction of a special site if there are any questions: http://help2.talktalk.co.uk/oct22incident. If you’d prefer to ring someone, then the number is 0800 083 2710, or 0141 230 0707, but remember, they’re likely to be extremely busy today.
Let us know how you get on.
TalkTalk customers have had their personal information hacked in what the police are calling a “significant and sustained” cyber-attack on the company’s website. This is the third data breach in a year for TalkTalk.
“We are continuing to work with leading cybercrime specialists and the Metropolitan police to establish exactly what happened and the extent of any information accessed,” said TalkTalk.
The company’s chief executive, Dido Harding, said: “We take any threat to the security of our customers’ data extremely seriously, and we are taking all the necessary steps to understand what has happened here.”
The way TalkTalk has been handling this has angered some customers. Looking through Twitter, it seems that TalkTalk’s customer service lines have been downed by the volume of people trying to get answers about what exactly has gone missing.
One of the things that will worry TalkTalk customers is that the last time they were scammed out of money after a hack, TalkTalk refused to accept any liability, and blamed one victim for being tricked. They said, after one of their customers was scammed out of nearly £3,000, that because the customer gave details to the fraudster, he was “validating and authorising the transfer of funds”.
So what about this hack? Well, TalkTalk said that it is possible that credit card and bank account details could’ve been swiped, as well as personal info like names, addresses, dates of birth, email addresses and telephone numbers. Here’s the kicker – TalkTalk have said that “not all of the data was encrypted” but that they think “our systems were as secure as they could be”.
Basically, customers need to keep an eye on their accounts and keep checking for any odd behaviour or payments being made from them. If you do see something odd going on, you need to report it to ActionFraud. Obviously, like always, if anyone rings you up asking for your passwords and the like, tell them to piss off. No legit business ever asks for your passwords and bank details.
Until then, wait for TalkTalk to get in touch and they should tell you more in due course.
UPDATE: TalkTalk is pointing customers in the direction of a special site if there are any questions: http://help2.talktalk.co.uk/oct22incident. If you’d prefer to ring someone, then the number is 0800 083 2710, or 0141 230 0707, but remember, they’re likely to be extremely busy today.
UPDATE 2: Ebuyer.com have published some figures to show how many people were supposedly affected. They’ve said:
- less than 1.2 million customer email addresses, name and phone numbers
- less than 28,000 obscured credit and debit card details
- less than 21,000 bank account numbers and sort codes
- less than 15,000 customer dates of birth