Tag Archives: Travelex

Security News for the Week Ending January 31, 2020

UK Proposes Weak Security Law for IoT Devices; Calls it Strong

The UK is proposing a law similiar to California’s existing IoT law and calls it strong security.  What makes it strong is that they call it strong, maybe?

The bill requires that default passwords on IoT devices be unique (likely part of the serial number) and not resettable to a single default password.  It also requires the manufacturer to provide a public point of contact for security researchers to report bugs and finally it requires manufacturers to tell consumers the minimum length of time they will provide security updates.

It does not require that they fix reported bugs at all and it doesn’t say how over the manufacturer will provide security updates.  It also doesn’t make manufacturers liable for the damage their bugs do.

All in all, it is a pretty weak bill and even so, it has not been enacted yet.  Source: The UK Gov web site.

 

Business Email Compromise victim sues MSP for Professional Negligence

A Business Email Compromise victim who paid fake invoices to the tune of $1.7 million to businesses in Hong Kong and Cambodia is suing it’s managed service provider (MSP) for messing up.  The fake invoices came from the business owner’s hacked email account which the MSP was supposed to protect.  Source: Channel Futures

 

Travelex Says They Are Back Online

After a MONTH of downtime, Travelex says they are now back online.  They are still saying that it won’t impact their 2019 or 2020 financials.  Sources say that part of the losses will be covered by insurance.  This calls out the importance of having a tested incident response, disaster recovery and business continuity program – and the importance of having cyber insurance.  Source: Reuters

 

Apple Dropped Plans to Encrypt Cloud Backup After FBI Complained

Apple dropped plans to fully encrypt iCloud backups after the FBI told them that it would harm investigations according to multiple sources.  They often turn over iCloud backups to help police investigate crimes.

While Apple publicly says it protects your privacy and in many ways they do, sometimes they make business decisions that they would prefer their customers not  know about.  Source: Reuters

 

Extradition Hearing for Huawei’s CFO has Begun in Canada

The extradition hearings for Huawei’s CFO and daughter of its founder, Meng Wanzhou, have begun in Canada.

The U.S. says that she and her company violated the U.S. ban on selling to Iran.  China says it is a political stunt.

Currently, she is free on bail and living in one of the mansions she owns in Vancouver.  If she gets extradited to the U.S. her accommodations will not be as comfortable.

On the other hand, President Trump has indicated that all things with China are bargaining chips.  Stay tuned;  it is a long journey.  Source: The L.A. Times

Security News for the Week Ending January 17, 2020

Orphaned Data in the Cloud

Researchers at security firm vpnMentor found an unsecured S3 bucket with passport, tax forms, background checks, job applications and other sensitive data for thousands of employees of British consultancies.  Many of the firms involved are no longer in business.

The researchers reported this to Amazon and the UK’s Computer Emergency Response Team (UK CERT) on December 9 and the bucket was taken offline by Amazon (likely at the request/order of UK CERT) on December 19th.

For people who were affected, if these companies are out of business, there is no one to sue.  Under GDPR, it is unclear who the government can go after if the companies no longer exist.  I suspect that the problem of orphaned data is only going to become a bigger problem over time.  This includes data stored by employees who have left the company and who did not “register” their data trove with their company’s data managers.  Another reason to get a better handle on where  your data is stored.  Source: UK Computing

 

Ransomware 2.0 Continues and Expands

I recently coined/used a term called ransomware 2.0 where the hackers threaten to publish and/or sell data exfiltrated during ransomware attacks.  While we saw threats in the past, we did not see any follow through.  In part, this is likely due to the fact that they did not, in fact, exfiltrate the data.

However, first with Maze and now with REvil, hackers are following through and publishing some data and selling other data.  REvil is the ransomware that is afflicting Travelex.

Companies will need to change their ransomware protection strategy in order to protect themselves against this form of attack.  Backups are no longer sufficient. Source: Bleeping Computer

 

The Travelex Saga (Continued)

FRIDAY January 17, 2019

Travelex says that the first of its customer facing systems in Britain is now back online.  The automated ordering system that some of its bank customers use is now working, but its public web site is still down.  Virgin Money, Tesco Bank and Barclays still say their connections are down.  Source: Reuters

WEDNESDAY January 15, 2019

Likely this incident falls under the purview of GDPR and  the UK’s Information Commissioner’s Office says that Travelex did not report this to them within the legally mandated 72 hour window.  Travelex says that no customer data was compromised  in the attack (even though the hackers were publicly threatening to sell and/or publish the stolen data and that Travelex was said to be negotiating with them).   When asked if they paid the ransom, Travelex said “There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this.”  Translated, this means that we know we are going to get our butts kicked in court and by the ICO, so we are just going to be quiet now.  If the ICO finds that they did not report and there was a GDPR covered event, they could fine them up to 4% of the global annual revenue OF THEIR PARENT COMPANY, Finablr.  Their revenue is estimated to be around $1.5 billion.  That of course, is just one of the costs.  Their public web site is still down and has been down for 16 days now.  Source: UK Computing

MONDAY January 13, 2019

Travelex says that they are making good progress with their recovery, whatever that means.  They say that services will be restored soon.  Their website, however, is still down. Trtavelex is still saying that they have not seen evidence that customer data that was encrypted was exfiltrated, although the hackers who say that they are responsible claim that they will be releasing the data on the 14th (tomorrow) if they don’t get paid.  Source: ZDNet

 

Nemty Ransomware Joins the Ransomware 2.0 Crowd

The ransomware 2.0 community (steal your data before encrypting it and threaten to publish it if you don’t pay up) is becoming more crowded every day.  Now Nemty says they are creating a website to post stolen data of companies that have the nerve not to pay them.  Backups are no longer sufficient.  Source:  SC Magazine

Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked and from there, the hackers were able to connect to the airports administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below).  I say supported because after the airport paid the under 6 figure ransom (? $99,000), they fired the MSP.  The ransomware encrypted the airport’s backups in addition to the live data.  Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security.  Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack.  22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China.  The data appears to belong to CheckPeople.com, one of those for a fee information sites;  It is hosted on a web farm run by the Chinese giant Alibaba.  While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and that whoever created it did all of the work of aggregating and organizing it.  Did CheckPeople license it to the Chinese? Or did the Chinese steal it?  Or does CheckPeople use servers in China?   If so, that is something we should stop.  Source: The Register

Travelex Woes Continues

NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it.  We usually don’t get as much direct information about these attacks are as are seeing here, even though most of the information is NOT coming from Travelex.

 

This has got to be one of the worst incident response examples I have seen since, say Equifax.  Really, really bad and getting worse by the day. They said this won’t have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex’s public position is that no “structured” personal data has been  stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers.  Travelex provides services to a number of banks such as Barklays, Lloyds and Westpac.  Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what they are thinking).

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in Last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night.  At least their web site was back up.  It turns out that I spoke too soon and as of Monday, their website is still/again down.

Still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand.   They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled with no network authentication.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now.  The servers are also running .Net 4.0.30319, which is also “rather old”.

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.

Security News for the Week Ending January 3, 2020

Starbucks Leaves Their API Key in a Public Github Repository

Vulnerability hunter Vinoth Kumar found a Starbucks API key in a public Github repo.

The flaw was set to CRITICAL after they verified that the key gave anyone access to their Jumpcloud (An AD alternative) directory.

The problem was reported on October 17th and it took Starbucks several weeks to understand how bad the damage was.  The key was revoked within 4 days, but still, best practice would like that to be more like 60 minutes.  That, to me, is a failure on Starbucks’ (and probably most company’s) part.  After all, the key, as demonstrated in a proof of concept, would have allowed a hacker to take over Starbucks AWS account.  They paid Kumar a bug bounty of $4,000.  They definitely got away cheap.  Source: Bleeping Computer

 

Location Data Can Put Employee Safety At Risk

On the heels of a story that reporters were able to identify Secret Service agents who were travelling with the President, including figuring out where they lived, using available location data (see story from earlier this week about colleges collecting thousands of location data points per day on each student), comes another story regarding the hazards of location data.

As companies isolate teams to mask R&D, M&A and other sensitive activities, location data that is being sent by apps allows anyone with access to that data to de-compartmentalize those activities and understand exactly what companies are doing, who they are talking to, who their vendors are, possibly what technology areas they are interested in, etc.  Executives are often the worst behaved users and often generate the biggest digital exhaust because of lack of understanding of how the apps work and the consequences.

Since companies have moved to BYOD devices and can no longer control what apps a user installs or what data those apps exhaust, they have very little control over the problem.  Some apps have been found to send out over a thousand data points per app, per person, per day.  To servers in China.  What could possibly go wrong.

The only way to counteract this is via employee education.   Source: ZDNet

 

Travelex Knocked Offline by Cyber Attack

Travelex, the currency exchange company, was knocked offline by some sort of cyber attack.  As seems to be the case much of the time, the company decided that staying silent and not telling anyone what is going on will make things better.  In one way they are right since they are not giving the lawyers who will be suing them any information now.  That will wait until the lawsuits are filed.

One of the services that Travelex offers is stored value credit card called the Money Card.  They sell it to travelers as the safest to travel with money.  Only for current Travelex Money Card customers, it is super safe, because they cannot get their money.  Which could be a problem if you are traveling and need access to your cash.

In addition, banks that use Travelex as their currency exchange service are also offline.  Travelex is a huge player in this space, so their being down is a big problem.

The attack hit them on New Year’s eve and as of the night of January 3rd, they are still offline.  This could have a long term impact on their business and some commercial customers might choose to leave them.

The silence only makes it worse.  They likely did not have a disaster recovery/business continuity plan – at least not one that works.  And, I am sure that regulators in many, many countries will be asking questions.  Source: Threatpost

 

Guess How Long It Takes For Hackers to Test Your Stolen Credit Card Once it is on the Dark Web?

A researcher decided to test how long it takes for your credit card to be tested after it is posted for sale on the dark web.  It turns out the test was a little harder to conduct than the researchers thought since everyone buying and selling on the dark web is, how shall I say this, A TAD BIT SUSPICIOUS OF EVERYONE ELSE.

Once he got past that problem, it turns out the answer is about two hours.  That is not very comforting.  Hackers buying the stolen cards want to know if they are any good, so they make very small purchases, thinking most people won’t bother to trace down a $0.50 transaction that they don’t recognize.

Two Hours is not very long and a bit of a surprise to me.  Source: Bleeping Computer