Weekly Podcast: 2015 end-of-year round-up part one

This week’s podcast is slightly different. Rather than covering the events of the past week, we take a look back at the major information security events of 2015. A transcript of the podcast is available below.

>> Part two is now available <<

Welcome to the first part of the special festive edition of the IT Governance podcast, in which we discuss the year in cyber security. You’ll find nibbles and amontillado on the credenza. Don’t hog the mince pies – pass them around. Then park yourself on the fender and warm yourself by the fire and we can crack on. Why yes, that is a cheese-and-pineapple hedgehog next to the pile of PCI DSS pocket guides. Ahem.

Here are the stories from the first half of 2015…

January

2015 got off to a flying start when it was reported that personalised card company Moonpig’s Android app had a vulnerability that allowed attackers to access users’ accounts just by changing the customer ID number in an API request. Attackers could then place orders on other customer accounts, add or retrieve card information, view saved addresses and orders, and much more.

Shoe retailer Office was warned by the Information Commissioner’s Office following a hacking incident that exposed more than a million customers’ details. Office signed an undertaking to resolve the problems that led to the breach, and confirmed that no payment card or bank details were compromised.

And Adobe issued security updates to address 12 vulnerabilities in Flash Player.

February

In February, popular WordPress plugin FancyBox issued a patch to fix a vulnerability that allowed the delivery of a malicious iframe through persistent cross-site scripting. Many sites were apparently compromised. The plugin, which had over half a million downloads, was temporarily withdrawn from the WordPress plugin directory.

Celebrity chef Jamie Oliver’s website was compromised through a Flash vulnerability,  redirecting visitors to a WordPress site that forced malware to run on visitors’ computers.

In the US, health insurer Anthem suffered the first large-scale data breach of the year, which affected the personal information of some 80 million people – including 18.8 million who weren’t even Anthem customers. Worse, the information was apparently unencrypted.

And Adobe issued security updates to address 19 vulnerabilities in Flash Player.

March

March marks the first mention of the year for TalkTalk, which confirmed that leaked customer data was being used by criminals to defraud its customers of thousands of pounds. The personal information – including customers’ phone numbers, addresses and account details – was lost when a third party suffered a data breach in 2014.

A global phishing campaign targeting iPhone and iPad users was discovered. Thieves used iOS’s Find My iPhone feature to contact the owners of lost devices, then tricked them into handing over their credentials and accessed their iCloud accounts.

Apple devices’ passwords were cracked by a device that exploited a known iOS vulnerability. The IP-Box tool – yours online for about £170 – was shown to crack the four-digit passcode on any iPhone up to iOS 8 in under 17 hours.

Tech companies scrambled to address an encryption vulnerability affecting many Apple and Android devices, as well as Windows Secure Channel. Factoring RSA Export Keys – or FREAK, as it became known – exploited a decades-old US policy banning the export of strong cryptography. Many products that came into existence long after the restrictions were lifted were nonetheless found to have weakened encryption and to be susceptible to man-in-the-middle attacks as a result. Over five million websites were also found to be vulnerable, including well-known brands and government sites.

11 million customer records were exposed when US health insurer Premera Blue Cross was hacked. Customers’ names, dates of birth, email and postal addresses, telephone numbers, Social Security numbers, bank account information and more were affected.

Jamie Oliver’s website was once again found to be serving up malware.

And Adobe issued security updates to address 11 vulnerabilities in Flash Player.

April

In April, more information emerged about the Russian attack on the White House’s unclassified network in October 2014, including the revelation that some of President Obama’s emails were hacked. Sensitive information including the president’s schedule was accessed, but deputy national security advisor Ben Rhodes was quick to reassure the public that nothing classified had been exposed. It also transpired that the hackers gained access to the White House network via a phishing attack on the State Department.

IBM researchers identified a criminal campaign, which delivered the Dyre or Dyreza banking Trojan via phishing to bypass two-factor authentication and transfer money out of bank accounts. The campaign had a formidable success rate, netting the criminals behind it about $1 million.

A critical security flaw in eBay’s Magento e-commerce platform was made public. A patch to address the remote code execution vulnerability was issued in February, but some 200,000 e-commerce sites were still vulnerable in April because their owners had not applied it.

And Adobe issued security patches to address 22 vulnerabilities in Flash Player.

May

In May, criminals gained access to the tax returns of 320,000 US citizens via the Get Transcript application on the Internal Revenue Service’s website. They then managed to file numerous false tax returns, defrauding the IRS of nearly $50 million in refunds before it detected the criminal activity, shut down the Get Transcript app, and started investigating.

In Germany, the Bundestag (the lower house of Germany’s parliament) suffered a cyber attack on its Parlakom network, affecting an estimated 20,000 accounts. The Trojan used in the attack was said to resemble malware that was deployed in 2014 in a cyber attack on an unnamed German network, which was thought to be state-sponsored by Russia.

The Hard Rock Hotel & Casino in Las Vegas revealed that it had suffered a seven-month long data breach in which customers’ credit card numbers and CVV security codes, names, and addresses were stolen by criminals.

Jamie Oliver’s website was found to be dishing up malware for the third time in four months.

And Adobe issued security patches to address 18 vulnerabilities in Flash Player.

June

June’s biggest story was the OPM hack. The United States Office of Personnel Management confirmed this month that it had suffered two major data breaches that compromised the personal data of 22.1 million past and present federal employees – and their families. White House officials revealed that the attackers accessed a document called ‘Standard Form 86’, which is completed by people applying for national security positions. These forms hold a wealth of sensitive information, including drug and alcohol use, mental illness, bankruptcy and arrests, as well as a list of contacts and relatives. OPM Director Katherine Archuleta resigned when it emerged that the inspector general had warned about OPM security failings since 2007, and recommended that the OPM’s systems be shut down – not least because the data they held was unencrypted. She’d ignored these recommendations.

eBay’s Magento e-commerce platform was in the news again when it emerged that criminal hackers were stealing payment card data using a variety of code injection attacks.

And Adobe issued security patches to address 15 vulnerabilities in Flash Player.

Well, that’s it… for the first half of 2015.

Join us on Monday for July to December’s cyber security news. And in the meantime, for the latest information security stories – and more – visit our blog.

Remember too that whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.