Connect with us

Cyber Security News

‘Cyber-attack’ on Labour digital platforms



Media playback is unsupported on your device
Media captionJeremy Corbyn: “A cyber attack against a political party in an election is suspicious”

The Labour Party says it has successfully defeated a cyber-attack targeted at its digital platforms.

Labour said the attack “failed” because of the party’s “robust” security system and no data breach had occurred.

The Distributed Denial of Service (DDoS) attack floods a computer server with traffic to try to take it offline.

A Labour source said that attacks came from computers in Russia and Brazil but the BBC’s Gordon Corera has been told the attack was not linked to a state.

Our security correspondent said he had been told the attack was a low-level incident – not a large-scale and sophisticated attack.


A National Cyber Security Centre spokesman said the Labour Party followed the correct procedure and notified them swiftly, adding: “The attack was not successful and the incident is now closed.”

Meanwhile, Labour has denied that there has been a data breach or a security flaw in its systems after the Times reported the party’s website had exposed the names of online donors.

DDoS attacks direct huge amounts of internet traffic at a target in an effort to overwhelm computer servers, causing their software to crash.

They are often carried out via a network of hijacked computers and other internet-connected devices known as a botnet.

The owners of which may be unaware their equipment is involved.

DDoS attacks are not normally recognised as being a hack as they do not involve breaking into a target’s systems to insert malware.

They can vary in sophistication and size, and are sometimes used as a diversionary tactic to carry out a more damaging attack under the radar.

Several companies provide services to repel DDoS attacks, but they can be costly.

The BBC has confirmed that Labour is using software by the technology company Cloudflare to protect its systems.

The US-based company boasts it has 15 times the network capacity of the biggest DDoS attack ever recorded, meaning it should be able to absorb any deluge of data directed at one of its clients.

BBC political correspondent Jessica Parker said “Labour Connects”, a tool for campaigners to design and print materials was disrupted and remains “closed for maintenance”.

A message on the site on Monday said it was experiencing issues “due to the large volume of users”.

Media playback is unsupported on your device
Media captionEXPLAINED: What is a DDoS attack?

Labour leader Jeremy Corbyn said the cyber-attack was “very serious” and also “suspicious” because it took place during an election campaign.

“If this is a sign of things to come, I feel very nervous about it,” he said.

In a letter sent to Labour campaigners, Niall Sookoo, the party’s executive director of elections and campaigns, said: “Yesterday afternoon our security systems identified that, in a very short period of time, there were large-scale and sophisticated attacks on Labour Party platforms which had the intention of taking our systems entirely offline.

“Every single one of these attempts failed due to our robust security systems and the integrity of all our platforms and data was maintained.”

Labour’s general secretary Jennie Formby said on Twitter the attack was a “real concern” but she added she was proud of the party’s staff who “took immediate action to ensure our systems and data are all safe “.

Emily Orton, from Darktrace, an AI company for cyber-security, told BBC Radio 4’s The World at One: “Really this is the tip of the iceberg in terms of the types of threats that, not just the Labour Party, but all political parties are going to be without a doubt experiencing on a daily basis.”

“I think anyone involved in politics and in government need to be preparing themselves for a lot more stealthy, sophisticated attacks than this,” she added.

Donors leak

Image copyright Labour Party

By Leo Kelion, Technology desk editor

The Times has revealed that Labour exposed the names of people who had donated money via an online tool.

The details could be found via an RSS web feed generated by the site’s code, which most browsers provide a way to inspect.

In most cases the information was limited to the donors’ first names and the sums given.

But because some people had mistakenly added their surname to the first name input box, this too was disclosed.

Labour denies this represented a security flaw or that a reportable data breach had occurred. It also believes that only a small number of full names were exposed.

However, it made changes to shut down the RSS feed last night.

“The Labour Party takes its responsibilities for data protection extremely seriously,” a spokesman said.

“If any concerns are raised, we assess them in line with our responsibilities under GDPR [General Data Protection Regulation ] and the Data Protection Act.”

The Information Commissioner’s Office told the BBC: “We will not be commenting publicly on every issue raised during the general election.

“We will, however, be closely monitoring how personal data is being used during political campaigning and making sure that all parties and campaigns are aware of their responsibilities.”

Over the next five weeks, we want to help you understand the issues behind the headlines.

Keep up to date with the big questions in our newsletter, Outside The Box.

Sign up to our 2019 election newsletter here.

Related Topics

Read more:

Cyber Security News

Capital One replaces security chief after data breach




Capital One has replaced its cybersecurity chief four months after the company disclosed a massive data breach involving the theft of sensitive data on more than 100 million customers.

A spokesperson for Capital One confirmed the news in an email to TechCrunch.

“Michael Johnson is moving from his role as chief information security officer to serve as senior vice president and special advisor dedicated to cyber security,” said the spokesperson.

Mike Eason, who served as chief information officer for the company’s commercial banking division, has replaced Johnson as interim cybersecurity chief while a permanent replacement is found.

The Wall Street Journal first reported the news.

Capital One continues to assess the aftermath from its July data breach, which saw a hacker take millions of credit card application data between 2005 and 2019 from customers applying for credit cards. The data leaked also included names, addresses, postal addresses, phone numbers, email addresses, dates of birth and self-reported income, as well as credit scores and credit limits.

Paige Thompson, a Seattle resident, was taken into custody by the FBI following the disclosure, accused of breaking into the banking giant’s cloud-based environment. Subsequent research showed that the alleged hacker and former Amazon Web Services employee may have obtained sensitive corporate data on other companies, including Vodafone, Ford and Ohio’s Department of Transportation.

It was reported this week that Thompson would be released from custody, pending trial.

Read more:

Continue Reading

Cyber Security News

Why passwords don’t work, and what will replace them




Image copyright Getty Images

“Sarah”, an actor based in London, had her identity stolen in 2017. “I got home one day and found my post box had been broken into,” she says.

“I had two new credit cards approved which I hadn’t applied for, and a letter from one bank, saying we’ve changed our mind about offering you a credit card.”

She spent £150 on credit checking services alone trying to track down cards issued in her name.

“It’s a huge amount of work and money,” says Sarah, who asked the BBC not to use her real name.

Identity theft is at an all-time high in the UK. The UK’s fraud prevention service CIFAS recorded 190,000 cases in the past year, as our increasingly digitised lives make it easier than ever for fraudsters to get their hands on our personal information.


So how should we keep our identities secure online? The first line of defence is, more often than not, a password.

But these have been in the news lately for all the wrong reasons. Facebook admitted in April that the passwords of millions of Instagram users had been stored on their systems in a readable format – falling short of the company’s own best practices, and potentially compromising the security of those users.

Late last year, question-and-answer website Quora was hacked with the names and email addresses of 100 million users compromised. And Yahoo! recently settled a lawsuit over the loss of data belonging to 3 billion users, including email addresses, security questions and passwords.

Image copyright Getty Images
Image caption Microsoft is moving toward password-free products

No wonder that Microsoft announced last year that the company planned to kill off the password, using biometrics or a special security key.

IT research firm Gartner predicts that by 2022, 60% of large businesses and almost all medium-sized companies will have cut their dependence on passwords by half.

“Passwords are the easiest approach for attackers,” says Jason Tooley, chief revenue officer at Veridium, which provides a biometric authentication service.

“People tend to use passwords that are easy to remember and therefore easy to compromise.”

Not only would getting rid of passwords improve security, it would also mean IT departments would not have to spend valuable time and money resetting forgotten passwords.

“There is an annual cost of around $200 (£150) per employee associated with using passwords, not including the lost productivity,” says Mr Tooley.

“In a large organisation that’s a really significant cost.”

More Technology of Business

‘New risks’

Philip Black is commercial director at Post-Quantum, a company designing powerful encryption systems for protecting data.

He agrees that passwords are already a weak point. “You have to create and manage so many passwords. That’s unmanageable, so people end up using the same passwords, and they become a vulnerability.”

New rules laid down by the EU are designed to deal with that issue. The updated Payment Services Directive, known as PSD2 , require businesses to use at least two factors when authenticating a customer’s identity.

These can be something the customer has in their possession (such as a bank card), something they know (such as a PIN), or something they are, which includes biometrics.

Image copyright Getty Images
Image caption Natwest is trialling debit cards with fingerprint scanners

Overlooked in the past in favour of tokens, passwords, and codes sent by SMS, interest in biometrics is growing. According to the 2019 KPMG International Global Banking Fraud Survey, 67% of banks have invested in physical biometrics such as fingerprint, voice pattern and face recognition.

This year, NatWest began trialling debit cards with a fingerprint scanner built directly into the card itself.

Biometrics offer a more frictionless consumer experience, but has been held back by the need for specialised equipment. With the latest smartphones, many of us now carry the necessary hardware in our pockets. Research by Deloitte has found that a fifth of UK residents own a smartphone capable of scanning fingerprints, and that number is rising fast.

Yet just as our personal data is vulnerable to thieves, biometric information can also be stolen. In September, Chinese researchers at a cybersecurity conference in Shanghai showed it was possible to capture someone’s fingerprints from a photo taken from several metres away.

If you think resetting your password is difficult, try changing your fingerprints.

To boost security, companies are increasingly relying on multiple factor authentication (MFA) which seeks to identify people using as many different ways as possible.

This can include not just explicit measures such as PINs and fingerprint scans, but background familiarity checks such as your location, purchase history, keystrokes, swiping patterns, phone identity, even the way in which you hold your phone.

Image copyright Bunq
Image caption Bunq says a combination of authentication is going to replace passwords

“Is biometrics going to replace passwords? No, a combination of factors is going to replace passwords, we are and we should be moving toward this,” says Ali Niknam, chief executive of Bunq, a mobile banking service.

Yet there is a risk of that this sort of multi-factor authentication, while secure, will make the authentication process even more opaque. If you don’t know what is being used to identify you online, how can you protect that information?

“I’m careful about internet security – my date of birth isn’t anywhere, my address isn’t anywhere,” says Sarah.

“I’m 33, relatively young and tech-savvy, but I’m not sure I’d know how to be more careful.”

She does remember, however, that one bank initially refused to cancel the account the thief had opened in her name, because she didn’t know the password.

Read more:

Continue Reading