The news last week continued to be dominated by the TalkTalk breach, or at least the aftermath, as detailed by Thom Langford. Though we learned that two teenage boys had been detained under the Computer Misuse Act, it was CEO Dino Harding’s actions that continued to attract attention.

Beyond that, RSS feeds and social media were abuzz with other equally important and conversation-worthy stories, my pick of which are summarised below:

British-Gas-leak

1. British Gas asks for customer help in plugging leak

Given all the fun and games at TalkTalk, and the computer glitch at M&S, I thought it was quite significant that we also saw problems at British Gas last week. Hopefully the bad news will have done much to wake up a British public that I feel is still far too unaware of the possible dangers that follow the publication of their personal data online.

Following a leak that was totally unlike the type it is usually called upon to fix, the utility company emailed around 2,200 of its customers, asking them to change their passwords.

That communication was necessary after the company learned that account details had been posted on Pastebin, a site which often finds itself used as a repository for hacked data.

In this case, customers‘ names, addresses and details of their previous bills found their way into the public domain – but the origin of that data is not so clear.

British Gas itself said its systems were not breached and, in any event, the personal data it does store is encrypted.

As hypothesised by Tripwire’s David Bisson, the actual origin of the data may have been another attack elsewhere which then gave an attacker a list of passwords to use on the British Gas site (did I mention how you should never use the same password twice?), or it could have been the result of login credentials phished from victims on a one-by-one basis.

2. Avoiding password laziness

Talking of passwords, Robert Sicilano, wrote a timely piece this week in which he reiterated the importance of making all of your passwords as strong and secure as possible.

Beyond mentioning sound tips such as mixing numbers, letters and characters, as well as avoiding passwords that are too short, Robert also underlined the importance of using different login credentials for every online account you own.

His tip for remembering them all, which I heartily agree with, is to use a password manager.

Robert recommends Roboform’s password manager which I’m not familiar with… yet.

I’d recommend KeePass myself, but then that may just be because I’ve recently written a detailed article, explaining how you can install and use it.

3. Social media and cyber scams; a marriage made in heaven

While we’re talking about protecting yourself, an article by Secure360.org explains how users need to be aware of the way in which social media can be used to perpetrate scams against unsuspecting victims.

The article lists the classic ruses used to trick people into taking surveys, unknowingly installing malware onto their system, give away personal information, accept yet more spam or simply waste their time, via the following social media classics:

  • „See who’s viewed your profile“
  • Facebook „dislike“ button
  • Fake celebrity news
  • „Your account has been cancelled“ or „confirm your email“
  • The fake friend request or follower

To learn more, or to read the tips on how to protect yourself from such scams, click here (it’s ok, our links are safe!).

4. WTApp are you doing with my data?

Popular messaging service WhatsApp has recently introduced a new calling feature but a detailed forensic examination has discovered how it may be collecting far more data than you are aware of.

A study conducted by the University of New Haven’s Cyber Forensics Research & Education Group reveals how the app collects data including the phone numbers called, the length of all calls, and more besides.

Revealing how the amount of data captured required further study, HelpNetSecurity thankfully points out how accessing network data isn’t particularly simple due to a level of encryption that requires both the device and the full network traffic to be made available to the examiner.

Phew!