With so much happening in cyber security around the world lately, we're going to start highlighting some of the interesting stories each week from across Europe, Middle East, Africa and Asia Pacific. This week, we're in South Korea and Russia.
A couple of weeks ago, South Korea's Financial Services Commission (FSC) announced that over 20 million credit cards in the country had been compromised – the country's entire population is only 50 million. As a result, the FSC is stepping up its investigations into data security, particularly data sharing between financial institutions and their subcontractors who were to blame for the major breach. Just this week, the FSC announced that insurance information was leaked from Prudential Life Insurance, also due to illegal data sharing between the insurance company and an outside firm.
Under Korea's Personal Information Protection Act, personal data such as credit card and insurance information should be encrypted and secured. Whilst the offending companies didn't take security threats and data protection seriously enough, could lack of enforcement also be to blame? Currently, the maximum fine for personal information leakage in the financial industry is only 6 million won or just over $5,500 USD – loss of face and jobs is probably a greater penalty (CEOs of the credit card issuers have publicly apologized and offered their resignation). With such a low cost for failure, and a high price for the stolen information, the major credit card hack was inevitable.
Side note: With Nexpose 5.8, you can now share critical asset, vulnerability and remediation information with your Korean-speaking security teams by using the new multi-language reporting features. Find out more at www.rapid7.com/products/nexpose
NBC reporter Richard Engel described being hacked in Russia during the Sochi Olympic Games. Within a minute of connecting to the Internet, Engel received a phishing email addressed to him. After clicking on a link embedded in the message, Engel's computer was “hijacked” almost immediately. While Engel alludes to this being the work of “professional hackers” from Russia's “strong criminal underworld”, some security researchers have since questioned the accuracy of this story. These skeptics claim that Engel initiated the attack by visiting a fraudulent website and visitors are no more likely to get hacked while in Russia.
We would like to get more technical details of the NBC experiment before picking a side but either way if you're at the Olympics, it's best to apply some basic security best practices:
- Don't connect to public Wi-Fi, particularly networks that you don't recognize, but if you absolutely need to, then connect using a VPN.
- Don't open emails from people you don't know, and more importantly, don't click on any links or open any files inside these emails.
- Keep your operating system, internet browsers, Flash, Java and Adobe Reader up-to-date with the latest software patches.