
The corporate response to hacks

In case you haven’t heard, EasyJet has recently disclosed a breach affecting around 9 million customers, with the credit card details of around 2,200 of them also accessed.

In a statement to the London Stock Exchange, EasyJet claimed they were a target of an attack from a “highly sophisticated source”.

EasyJet may or may not be right in that statement, but the words “highly sophisticated” appear to be the default corporate response from large companies that fall foul of a hacking attack. I seem to recall it was only a few years ago that TalkTalk were hacked. TalkTalk gave a similar spin: “cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent”, only for a minor to be arrested a few weeks later.

The attack method used in the TalkTalk hack was SQL injection. As I am sure you’re aware, this is a trivial vulnerability and is very well understood in the industry. It has also been a known attack vector for decades. It is completely inexcusable that a vulnerability of this nature existed in their systems. Basic measures, such as parameterised queries instead of building SQL from user input, would have mitigated it.

I will be keen to see more technical detail from EasyJet as it emerges. Is this “highly sophisticated” attack going to turn out to be something equally trivial?

TalkTalk were fined £400,000 for their breach, but that was before GDPR came into force. The maximum fine under GDPR is €20 million or 4% of annual worldwide turnover, whichever is greater, so there could be a fairly significant fine involved here. Fortunately, GDPR seems to have made cybersecurity a boardroom problem, but these attacks are going to remain commonplace. The real victims are not the companies that get hacked, but the customers who entrust their data to a company that takes relaxed measures to protect it.

By the way, in case you didn’t know – Dido Harding (who was CEO of TalkTalk when they were breached) is now in charge of the NHS Test and Trace effort as part of the UK response to COVID-19. Does this fill you with confidence?


Credit Card Scammers CTF

This is my first Capture the Flag exercise and covers a number of different techniques.


The back story: Scammers are taking advantage of people. Various fake shopping websites have been set up, and people are finding their orders never arrive. We have identified one scam website which we believe is harvesting credit card details from victims. Your objective is to take down the scam website by gaining root access, and to find the three flags on their server. Our intelligence suggests the scammers are actively reviewing all orders so they can make use of the credit card information quickly.

The types of vulnerability used in this CTF can be seen below (they are intentionally hidden by default):

You can download the Capture the Flag here. It has been tested with VirtualBox but may work on other virtualisation platforms. DHCP is enabled, and it is recommended that you run it in host-only network mode: the machine is deliberately vulnerable, so it should not be reachable from your LAN or the internet.

Please feel free to leave me feedback in the comments. I am keen to see what people thought about it and how easy/difficult they thought it was.

SHA-256 of the download: e840abca18c81bb269a02247a99416b0f63261f3a62d4b17b9436fb3387f70e7