Privacy & Security UK


A place to talk online privacy and security. From personal VPNs to data breaches and everything in between, there should be something for everyone. Whether you are a seasoned professional, believe you should control your own data, or just want to know more, let's chat.

founded 1 year ago
1
 
 

"A 17-year-old male has been arrested as part of the investigation into a cyber security incident affecting Transport for London (TfL).

The teenager was detained in Walsall on suspicion of Computer Misuse Act offences in relation to the attack, which was launched on TfL on 1 September.

He has been questioned by officers from the National Crime Agency (NCA) and has been bailed.

TfL runs the capital's public transport network, including buses and the Tube.

It is understood some customer data was compromised, including customer names and contact details.

Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes of around 5,000 customers.

The NCA has said it is working alongside TfL and the National Cyber Security Centre to manage the incident and minimise risk to customers..."

2
 
 

"Datacentres in the UK are to be designated as critical national infrastructure in an effort to protect them from cyber-attacks and IT blackouts, the government has said.

The buildings store much of the data generated in the UK, including photos taken on smartphones, financial information and NHS records.

The critical national infrastructure (CNI) categorisation means datacentres will be on the same footing as water, energy and emergency service systems, and therefore receive greater government support to anticipate and recover from adverse incidents such as cyber-attacks, outages or environmental disasters.

The government said the move – the first CNI designation in almost a decade – would help protect critical data infrastructure and provide businesses with reassurance to help bolster economic growth in an increasingly digital world..."

3
 
 

"A Gloucestershire council has declared a major incident and is working with GCHQ to assess the full extent of a cyber attack by “hostile actors”. Tewkesbury Borough Council shut down all of the services they provide online yesterday (Wednesday, September 4) after they identified “hostile actors” within their IT systems.

Council leaders say the full extent of the cyber security breach and the motive of the attack is currently unknown. But they are redeploying staff to towns and large villages across the Borough to ensure the most vulnerable have access to the services they rely on.

Chief Executive Alistair Cunningham said: “With all our systems shut down, our main focus is around the vulnerable people we serve in this community.

“We are currently dealing with an IT incident. Our systems have been compromised.

“We were alerted to unknown user accounts accessing our systems yesterday afternoon. We are clearly at an early stage of our investigation but as of today we are saying there is no evidence of data exfiltration from the organisation.

“Yesterday we thought data had been removed from the organisation which would be of serious concern to our residents. We have been analysing the movement of data in and out. The data leaving the system was through bonafide user accounts.”

“The accounts we have identified have not been taking data out of the organisation. That is the situation which is reassuring to ourselves and partners and clearly the public in terms of the data we hold.”

He said the authority has taken the necessary cyber response steps including informing the National Cyber Security Centre who are supporting them with their investigation..."

4
 
 

"Workers will have greater protection against being snooped on by their bosses under plans by the Government to boost employment rights.

Tracking of staff members’ computer and phone activity has increased rapidly since the pandemic, which triggered a rise in people working from home.

But ministers and unions are concerned that surveillance of workers is taking place without their consent, and could breach their privacy if used incorrectly or even be used to discriminate against some staff..."

5
 
 

"Many of us are aware that being watched is no longer an Orwellian paranoia, but a contract we’re signed into when using and consenting to digital technology. The transformation of digital technology has been widely recognised for its ability to track, document and observe trends. But what this means for us collectively is that surveillance methods are routinely seized and weaponised by those in power.

The uses of surveillance technology are spreading far and wide, from being introduced in schools without parents’ knowledge to monitor pupils and families to spying on vulnerable people in NHS mental health wards around the clock. Even group chats are being used to punish and prosecute young people. But it’s not only coming from above.

In the digital age we have all become immersed into the society of the spectacle and mutual surveillance is higher than ever. From filming strangers becoming completely normalised to everyone you know having a Ring doorbell – we have all become little brothers, and smartphones are the all seeing eye..."

6
 
 

"Earlier this year, Russia’s foreign intelligence service stole internal emails and data on individuals from the UK government. The news was first reported by Recorded Future News, which obtained an official description of the incident report.

The description of the report was obtained under the Freedom of Information Act; it revealed that the incident follows an attack carried out by a nation-state actor on a supplier of the department’s corporate systems, and linked the security breach to Microsoft’s January announcement.

In January, Microsoft warned that some of its corporate email accounts were compromised by a Russia-linked cyberespionage group known as Midnight Blizzard. The company notified law enforcement and relevant regulatory authorities.

Microsoft also announced that the Russia-linked APT Midnight Blizzard that hit the company in late November 2023 has been targeting organizations worldwide as part of a large-scale cyberespionage campaign..."

7
 
 

"The UK's Information Commissioner's Office (ICO) has announced a provisional decision to impose a fine of £6.09M ($7.74 million) on Advanced Computer Software Group Ltd (Advanced) for its failure to protect the personal information of tens of thousands when it was hit by ransomware in 2022.

Advanced, an IT service and hosting provider contracted by the United Kingdom's National Health Service (NHS), was compromised by threat actors on August 4, 2022.

The incident impacted hundreds of public and private entities, including NHS 111, and various healthcare products such as Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan, and eFinancials.

As a result of the breach, the personal information of nearly 83,000 people was exposed, including instructions on how to access homes for 890 people receiving care at home..."

8
 
 

"The codes look like they are part of the council's payment system, but instead lead to a phony website.

Motorists who think they have paid for their parking via a fake QR code also risk parking fines, the council added..."

9
 
 

"Social media is now undeniably a significant part of many of our lives, in the UK and around the world. We use it to connect with others and share information in public and private ways. Governments and companies have, of course, taken note and built fortunes or extended their power by exploiting the digital information we generate. But should the power to use the information we share online be unlimited, especially for governments who increasingly use that information to make material decisions about our lives?

At Privacy International (PI), we think the answer to that question is a resounding no. That is why we have been examining the use of social media monitoring by governments and companies. The practice is an increasingly prevalent one, and as this article explores, largely unregulated. That needs to change..."

10
 
 

"Civil liberties campaigners have said that a proposal made by Keir Starmer on Thursday to expand the use of live facial recognition technology would amount to the effective introduction of a national ID card system based on people’s faces.

Silkie Carlo, the director of Big Brother Watch, said it was ironic the new prime minister was suggesting a greater use of facial matching on the same day that an EU-wide law largely banning real-time surveillance technology came into force..."

11
 
 

We're happy to announce that BusKill is presenting at DEF CON 32.

What: Open Hardware Design for BusKill Cord
When: 2024-08-10 12:00 - 13:45
Where: W303 – Third Floor – LVCC West Hall

BusKill goes to DEF CON 32 (Engage)
BusKill is presenting at DEF CON 32


What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

What is BusKill? (Explainer Video)
Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you and your computer is severed, then your device will lock, shut down, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.

What is DEF CON?

DEF CON is a yearly hacker conference in Las Vegas, USA.

DEF CON Documentary
Watch the DEF CON Documentary for more info youtube.com/watch?v=3ctQOmjQyYg

What is BusKill presenting at DEF CON?

I (goldfishlaser) will be presenting Open Hardware Design for BusKill Cord in a Demo Lab at DEF CON 32.

What: Open Hardware Design for BusKill Cord
When: Sat Aug 10 12PM – 1:45PM
Where: W303 – Third Floor – LVCC West Hall

Who: Melanie Allen (goldfishlaser) More info

Talk Description

BusKill is a Dead Man Switch triggered when a magnetic breakaway is tripped, severing a USB connection. I’ve written OpenSCAD code that creates a 3D printable file for plastic parts needed to create the magnetic breakaway. Should anyone need to adjust this design for variations of components, the code is parameterized allowing for easy customization. To assemble a BusKill Dead Man Switch cord you will need:

  1. a usb-a extension cord,
  2. a usb hard drive capable of being attached to a carabiner,
  3. a carabiner,
  4. the plastic pieces in this file,
  5. a usb female port,
  6. a usb male,
  7. 4 magnets,
  8. 4 pogo pins,
  9. 4 pogo receptors,
  10. wire,
  11. 8 screws,
  12. and BusKill software.
Image of the Golden BusKill decoupler with the case off
Golden DIY BusKill Print

Full BOM, glossary, and assembly instructions are included in the github repository. The room holds approx. 70 attendees seated. I’ll be delivering 3 x 30 min presentations – with some tailoring to what sort of audience I get each time.

Meet Me @ DEF CON

If you'd like to find me and chat, I'm also planning to attend:

  • ATL Meetup (DCG Atlanta Friday: 16:00 – 19:00 | 236),
  • Hacker Karaoke (Friday and Sat 20:00-21:00 | 222),
  • Goth Night (Friday: 21:00 – 02:00 | 322-324),
  • QueerCon Mixer (Saturday: 16:00-18:00 | Chillout 2),
  • EFF Trivia (Saturday: 17:30-21:30 | 307-308), and
  • Jack Rhysider’s Masquerade (Saturday: 21:00 – 01:00 | 325-327)

I hope to print many fun trinkets for my new friends, including some BusKill keychains.

Image shows a collection of 3D-printed bottle openers and whistles that say "BusKill"
Come to my presentation @ DEF CON for some free BusKill swag

By attending DEF CON, I hope to make connections and find collaborators. I hope during the demo labs to find people who will bring fresh ideas to the project to make it more effective.

12
 
 

Hi. Trying to avoid giving my number out, especially after I found it got pwned.

Does anyone know of cheap ways to port over to VoIP in the UK? Don't think Google Voice is available here yet? Also, does anyone know how to get multiple VoIP numbers for relatively cheap?

Thanks.

13
 
 

I have not always had an interest in data privacy. Actually, it took me moving into being a data engineer in the marketing world to really realise the intense nature of data capture.

Like, I am sure, a large proportion of the privacy-aware population, it is not that there is anything to hide, just that privacy of data should be a right. It is one of the reasons I stepped away from most social networks, try to de-Google as much as I can and take care in my data landscape.

But, how does everyone else manage theirs? It would be good to share some useful tips, resources, tools, etc. that the wider community (as it grows) can use.

For me, I use:

  • A VPN (Mullvad in this case)
  • Firefox with 'some' hardening (don't want to totally cripple the online experience)
  • Windows OS with telemetry disabled across the system (never perfect but I am happy)
  • Simplewall (Windows App) to manage some outbound traffic
  • Random password generators (exact logic is incredibly unique to me)
  • Android (mobile) with as much telemetry disabled as possible
  • Privacy Guides, a great website to keep atop of new updates
  • Various threat landscape blogs and podcasts

Listing it out, it sounds like I do a lot but this is pretty tame. I accept that there is a balance between user experience and privacy. Yes, I could totally de-Google my phone but then a lot of useful functionality is lost. Same with Windows, I could move to Linux full-time (and would if I could) but I am a gamer and, while Linux is improving in that landscape, it ain't great just yet.