Robin’s Newsletter #90

8 March 2020. Volume 3, Issue 10
Cashing in on loyalty points; scam certificate pages and the CIA's password

Cydea needs your help to develop a better way to measure and manage cyber risk: check out the blog post on cydea.com

This week

It’s International Women’s Day

Some gains in improving gender diversity within information security have been made in the last couple of years and some estimates now suggest women make up 20% of the cyber workforce.

I’ve had the privilege of working with some amazing people over my career and I wanted to take a brief moment to list some of their fields as proof that you don’t need to be a white dude with a bachelor’s in computer science to make it in cyber (or tech, for that matter): Psychology, Linguistics, Archeology, War Studies, (Astro)Physics, Astronomy, Criminology/Law, Philosophy.

That diversity of thought and experience makes us safer and more secure. If you’re a woman looking to get into security, I’d strongly recommend Ladies Hacking Society (monthly meet-ups in London; other locations coming soon), Jane Frankland’s book, and the broader #INsecurity movement. scmagazine.com, llhs.com, goodreads.com

Loyalty points mean cash prizes for cyber-criminals

Two UK retailers both announced moves this week to curb fraudulent activity in their loyalty programmes. Supermarket Tesco and chemists Boots (owned by Walgreens for my American readers) reissued 600,000 loyalty cards and suspended redemption of points respectively.

Credential stuffing - where username and password combinations from previous breaches are tried against other websites - is thought to be behind both announcements.

If attackers manage to find an account where the username and password have been re-used then they may sell this ‘verified’ information on - for as little as £2.70 (see The Register) - or keep it for themselves.

The end-game is to gain access to the loyalty points and redeem these for gift cards or other goods that are easy to resell on auction sites and make cash for the cyber-criminals.

People often do not attach a significant monetary value to their loyalty points - as they are often earned just pennies/cents at a time - however, they do add up over years of purchases and even a £10 balance is sufficient for the criminals to ‘cash out.’

Air miles and hotel points carry similar risks, although other forms of identification are often required when travelling, making these ‘currencies’ less easy to liquidate.

Many loyalty card schemes are mature and users will have signed up for the scheme many years ago before public awareness of password complexity and re-use became more prevalent.

Getting a password manager and using unique passwords is the order of the day to keep yourself protected.

Tesco: bbc.co.uk, theregister.co.uk, Boots: bbc.co.uk

Interesting stats

  • 0.5% (or 50 / 10,000) of Office 365 accounts using Azure AD are compromised each month, almost all of them without multi-factor authentication enabled

  • 4/10 are the result of password spraying

  • 4/10 are password replay attacks

  • 2/10 are other types, like phishing; in all cases there is a

  • 67% reduction in likelihood of compromise if you disable legacy authentication, according to Microsoft theregister.co.uk

  • 51% of attacks in 2019 did not use malware, up from

  • 40% of attacks in 2018, according to CrowdStrike, as attackers increasingly just make use of existing password breach data (see the previous two items!) zdnet.com
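The loyalty-card story above describes credential stuffing (breached username:password pairs replayed against another site) and the Microsoft figures separate that from password spraying (one password tried against many accounts) and note the drop in compromises once legacy authentication is switched off. The following is an added example, not code from the newsletter or from any product it mentions: a small detector that profiles failed-login bursts per source IP in a constructed authentication log, labels each source with one of the two patterns on a stated heuristic, and reports how much of the traffic used legacy protocols and which accounts saw a success from a flagged source. The log format, the protocol names treated as "legacy", the thresholds and the sample data are all assumptions made for the example.

```python
"""Heuristic triage of credential-stuffing vs password-spraying bursts.

Added example with constructed data; the log format below is hypothetical:
    <ISO timestamp> <source IP> <user> <protocol> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.10 replays a breached list (each user once,
# one hit); 198.51.100.7 sprays the same accounts in two rounds ~30 min apart;
# 192.0.2.55 is a single user mistyping then succeeding.
SAMPLE_LOG = """\
2020-03-08T10:00:00 203.0.113.10 alice@example.com imap FAIL
2020-03-08T10:00:01 203.0.113.10 bob@example.com imap FAIL
2020-03-08T10:00:02 203.0.113.10 carol@example.com imap FAIL
2020-03-08T10:00:03 203.0.113.10 dave@example.com imap FAIL
2020-03-08T10:00:04 203.0.113.10 erin@example.com imap SUCCESS
2020-03-08T10:00:05 203.0.113.10 frank@example.com imap FAIL
2020-03-08T10:00:00 198.51.100.7 alice@example.com smtp FAIL
2020-03-08T10:00:01 198.51.100.7 bob@example.com smtp FAIL
2020-03-08T10:00:02 198.51.100.7 carol@example.com smtp FAIL
2020-03-08T10:00:03 198.51.100.7 dave@example.com smtp FAIL
2020-03-08T10:31:00 198.51.100.7 alice@example.com smtp FAIL
2020-03-08T10:31:01 198.51.100.7 bob@example.com smtp FAIL
2020-03-08T10:31:02 198.51.100.7 carol@example.com smtp FAIL
2020-03-08T10:31:03 198.51.100.7 dave@example.com smtp SUCCESS
2020-03-08T10:05:00 192.0.2.55 alice@example.com oauth2 FAIL
2020-03-08T10:05:20 192.0.2.55 alice@example.com oauth2 SUCCESS
"""

# Assumption: these protocol names are what "legacy authentication" means in
# this log, i.e. flows that cannot prompt for MFA.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp", "basic"}
MIN_DISTINCT_USERS = 4   # constructed threshold; tune to the tenant's size
MIN_FAIL_RATE = 0.5      # constructed threshold


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, proto, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "proto": proto, "result": result})
    return events


def profile_sources(events):
    """Aggregate per-source-IP counters used by the heuristics."""
    by_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "legacy": 0,
                                 "per_user": defaultdict(int),
                                 "first": None, "last": None})
    for e in events:
        p = by_ip[e["ip"]]
        p["attempts"] += 1
        p["per_user"][e["user"]] += 1
        p["legacy"] += e["proto"] in LEGACY_PROTOCOLS
        p["fails"] += e["result"] == "FAIL"
        p["first"] = e["ts"] if p["first"] is None else min(p["first"], e["ts"])
        p["last"] = e["ts"] if p["last"] is None else max(p["last"], e["ts"])
    return by_ip


def classify_source(profile):
    """Label one source IP.

    Heuristic: a mostly-failing source touching many distinct users is an
    automated campaign. If every user is tried exactly once it looks like a
    single pass over a breached user:password list (credential stuffing); if
    users are revisited in rounds it looks like one password per round being
    tried against every account (password spraying). Anything else is left
    alone here.
    """
    users = profile["per_user"]
    if len(users) < MIN_DISTINCT_USERS:
        return "benign"
    if profile["fails"] / profile["attempts"] < MIN_FAIL_RATE:
        return "benign"
    return "credential-stuffing" if max(users.values()) == 1 else "password-spraying"


def detect(text):
    """Return findings keyed by source IP for sources that look automated."""
    events = parse_log(text)
    findings = {}
    for ip, p in profile_sources(events).items():
        label = classify_source(p)
        if label == "benign":
            continue
        # Any success from a flagged source is a likely account takeover.
        compromised = sorted({e["user"] for e in events
                              if e["ip"] == ip and e["result"] == "SUCCESS"})
        findings[ip] = {
            "label": label,
            "distinct_users": len(p["per_user"]),
            "legacy_auth_share": round(p["legacy"] / p["attempts"], 2),
            "window_minutes": (p["last"] - p["first"]).total_seconds() / 60,
            "compromised_accounts": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f)
```

On the sample data the replaying source is labelled credential stuffing with one takeover (erin), the spraying source is labelled password spraying with one takeover (dave), and both campaigns ran entirely over legacy protocols, which is the point of the 67% figure: blocking those flows removes the path that skips MFA. The single-user source is not reported. The single-pass versus rounds split is only a heuristic; a stuffing list that contains several pairs for one user, or a spray that rotates source IPs, will blur it, so treat the label as a triage hint rather than a verdict.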

Other newsy bits

Wrong place at the wrong time?

Google knows. And so does the tool that allows it to comply with law-enforcement warrants for Google account details based on location, date and time. Such is the case of Zachary McCoy, who was tracking his cycle ride with RunKeeper and had the misfortune to cycle past a house around the time it was burgled. It’s an interesting read and, thankfully, the same data was able to clear McCoy of any wrong-doing. (H/T Glenn Costa) nbcnews.com

New scam pages pretend to be ‘security certificate updates’

Attackers are using jQuery to render full-page iframes over the top of compromised websites that mimic browser security certificate warnings. In this case, rather than the onus being on the website owner to fix the certificate issue (probably an out-of-date certificate), the page ‘recommends’ that visitors install updates to their security certificates to visit the site. Of course, it’s all nonsense and instead they’re given a downloader for either the Mokes or Buerak trojans. A fix to browser UI could make this sort of scam less convincing to the user. zdnet.com

US ‘EARN IT’ act is the next crypto wars battleground

A new bill brought by US senators would require tech companies to ‘scrutinise on-demand’ content for child sexual abuse material. A problem with that would be the end-to-end encryption that currently protects the contents of messages sent using services like WhatsApp or iMessage. That’s led many to see this as a slightly cynical attempt to use child exploitation — which for the record is abhorrent — as a lever to progress an anti-encryption agenda. theregister.co.uk

Secure your ‘smart’ security cameras

Amazon’s Ring cameras have been in the news a lot over the last few months following a series of pranksters and hackers accessing poorly secured home security cameras. Now NCSC and consumer magazine Which? have released advice on securing smart home camera systems. The advice includes: changing the default password; regularly applying firmware updates; turning off features you don’t use. sky.com, ncsc.gov.uk

In brief

Attacks, incidents & breaches

Quite a few this week…

  • Virgin Media announced a data breach affecting 900,000 people… bbc.co.uk, ft.com
  • …then blamed their staff, and it also came to light that the data included details on gambling and pornography theregister.co.uk
  • It was a bad week for the other side of the Walgreens Boots Alliance as Walgreens announced their mobile app had allowed ‘a small percentage’ of users to see messages, including health data, intended for other users bleepingcomputer.com
  • Rail station wi-fi provider C3UK exposed 146 million records of traveller data bbc.co.uk
  • T-Mobile US announced its third hack in as many years theregister.co.uk
  • Carnival Cruise Line Operator Discloses Potential Data Breach bleepingcomputer.com

Threat intel

  • Great read from Microsoft, Human-operated ransomware attacks: A preventable disaster microsoft.com
  • New Evasion Encyclopedia Shows How Malware Detects Virtual Machines bleepingcomputer.com
  • Sodinokibi ransomware crew sifting victims data for ‘dirty’ financial secrets, threatening release bleepingcomputer.com
  • Justice Department clarifies how threat researchers should work with law enforcement cyberscoop.com

Security engineering

  • Intel CSME bug is worse than previously thought zdnet.com

Internet of Things

  • Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys wired.com
  • Singapore to introduce security label for smart home devices zdnet.com
  • FDA warns patients about Bluetooth flaws affecting pacemakers, glucose monitors cyberscoop.com
  • More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates theregister.co.uk

Privacy

  • DuckDuckGo Tracker Radar Exposes Hidden Tracking spreadprivacy.com
  • Cathay Pacific fined £500,000 for failing to secure its customers’ personal data ico.org.uk
  • Facebook’s Download-Your-Data Tool Is Incomplete schneier.com

Public policy

  • (Unsurprisingly) Huawei execs admit they don’t know whether their tech is used for surveillance cyberscoop.com

Law enforcement

  • US charges two Chinese nationals over North Korea cyber attack / How an Elaborate North Korean Crypto Heist Fell Apart ft.com wired.com

Mergers, acquisitions and investments

  • Context Information Security acquired by Accenture contextis.com

And finally

Want to hack the CIA?

Thanks to the trial of Joshua Schulte, accused of leaking the ‘Vault 7’ trove of CIA hacking tools, we now know to try the password 123ABCdef. I mean, they may have changed it, but then you’d have expected them to have picked a better password to begin with. (I would laugh a lot if that turned out to be the final answer to the Kryptos sculpture in Langley.) theregister.co.uk, Wikipedia: Kryptos

Robin
