Raspberry Pi used to steal Nasa data
A recent audit report has revealed that a Raspberry Pi was used to take data from Nasa’s Jet Propulsion Laboratory, stealing around 500MB of data.
The attacker who used the device to hack the network was undetected for around 10 months. The hacker accessed the internal network by hijacking a user account. The Raspberry Pi device had been attached to the network by an employee, but lax security controls and logging meant that Nasa administrators did not know that the device was in use.
The vulnerable device was left unmonitored and was then controlled by the hacker to steal data. The hacker moved around the internal network and took advantage of weak security controls between different department systems.
Two of the files that were taken were said to be about the international transfer of restricted space and military technology. The hacker has not been identified or caught at present.
WeTransfer security incident
File-sharing service WeTransfer had a security incident last week in which user file links were sent to incorrect recipients over a two-day period. The company informed the affected users that files had been incorrectly sent and informed the relevant authorities.
They stated in their correspondence to affected users that “we have learned that a transfer that you sent or received was also delivered to some people that it was not meant to go to.” They also warned that as the user’s email address was included in the transfer email, users should keep an eye out for any suspicious emails or activity.
WeTransfer is unsure what caused the security incident, but they posted a security notice on their website which explained that some accounts had been logged out and others had their passwords changed for additional protection. The company also blocked access to all of the transfer links that were involved in the security incident.
Only time will tell if anyone’s data was breached as a result of this security incident.
EE fined £100k for promotional texts
The Information Commissioner’s Office (ICO) has fined mobile network EE £100,000 for sending text messages to customers without their consent. It is estimated that 2.5 million messages were sent in 2018.
The text messages were sent to existing EE customers to encourage them to use the EE app and to upgrade their handset to the latest offerings. EE said that they thought that the text messages were service messages as opposed to direct marketing, but the ICO has stated that EE’s text messages included promotional material, so electronic marketing rules applied. Additional texts were sent to customers who did not respond or engage with the first text message, which reinforces the fact that it was part of a direct marketing initiative.
The ICO deemed EE responsible for deliberately contravening regulations when they sent the messages. The fine for not complying with this legislation can be up to £500,000, but EE was fined only a fifth of this amount. The fine will be paid into the Consolidated Fund and returned to the government.
Two Florida towns pay ransom to hackers
Over the past two weeks, two towns in Florida have paid a total of $1.1m to ransomware attackers.
Officials in Lake City voted to pay hackers $500,000 (equivalent to 42 Bitcoins) after their computer systems were taken offline for two weeks in a ransomware attack. This comes shortly after Riviera Beach officials paid hackers $600,000 after a similar incident, which locked staff out of important computer files.
Reports stated that IT staff in Lake City disconnected staff computers within minutes of the attack, but it was too late. Staff were locked out of email accounts and the public were not able to make payments via the website.
Officials in both locations decided that paying the ransom to the attackers was the best way to regain access to their computer systems. Their insurance would cover a majority of the ransom payments, but around $10,000 would have to be borne by the taxpayer.
We’ll be back next week with more tech news!