Weekly Podcast: cyber security in review

This week, we look at the biggest stories of the year.

Cast your mind back, if you’d be so very kind, dear listener, to our first podcast of 2016, in which we revealed that some 480 million records had been lost, stolen, or otherwise compromised in data breaches in 2015. “As this podcast continues throughout the year,” I said, “I want to be reporting stories of organisations that have mitigated the threats they face, protected their systems from attack, thwarted criminal hackers and defended their and their customers’ data. I’m not going to hold my breath, though. So the countdown to the year’s first big data breach story starts now.” (How cynical January 2016 me was.) So, how did 2016 fare compared with 2015? Well… Badly. This year, the number of compromised records so far stands at more than 3 billion. True, 1.5 billion of those relate to recently discovered attacks on Yahoo dating from 2013 and 2014, but that still leaves another 1.5 billion compromised records that we learned about this year. (For reference, there are about 3.5 billion Internet users in the world right now.) Oof!

Hello and welcome to the last IT Governance podcast of the year. Merry Christmas if you do, happy holidays if you don’t. Here are this year’s stories…

2016 started predictably enough, with the spate of malvertising and ransomware attacks that had plagued the latter half of 2015 – and the healthcare sector in particular – continuing unabated. Indeed, according to analysis by Infoblox, there was a 3,500% increase in ransomware domains in the first quarter of 2016 compared with Q2 of 2015, as ransomware attacks increasingly targeted organisations rather than individuals.

In January, Malwarebytes reported that malvertisers were abusing ad platform AdSpirit to expose visitors to MSN’s homepage to malware again, this time using the RIG and Neutrino exploit kits to deliver their malicious payload rather than the more common Angler EK.

In February, Lincolnshire Council was forced to use pen and paper after an employee opened a ransomware-infected email, forcing it to shut down its systems. In the same month, Hollywood Presbyterian Medical Center in Los Angeles paid criminal hackers a ransom of $17,000 to regain control of its computer systems when it was hit by a ransomware attack.

In March, two German hospitals and three more US hospitals – Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, California – succumbed to infection. Later in the month, MedStar Health – the operator of ten hospitals and 250 outpatient clinics in Maryland and Washington, DC – announced that its “IT system was affected by a virus that prevents certain users from logging-in”. Trustwave warned of “huge volumes of JavaScript attachments being spammed out”, which led to the download of a new strain of ransomware called Locky. Cisco Talos announced that it was “observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant”, which spreads via compromised servers – particularly in the healthcare industry – and Trend Micro reported that another new strain of ransomware, Petya, which spread via phishing emails that purported to link to job applicants’ CVs stored on Dropbox, was encrypting hard drives rather than files. Fortunately, it took less than a month for kindly Twitter user @leo_and_stone to create a tool that enabled Petya victims to access their files.

In a break from ransomware stories, Bangladesh’s central bank lost US$81 million in March to criminals who used stolen payment transfer credentials to move money from its account with the Federal Reserve Bank of New York – a sum that would have been considerably higher had they not misspelled the name of the NGO they were impersonating, prompting the Deutsche Bank officials who were routing the transfer to raise the alarm. An investigation later found that the Bangladesh bank had no firewalls and used second-hand routers to connect to global financial networks.

In April, the European Parliament voted to approve the General Data Protection Regulation – the biggest shake-up of data protection laws in about 20 years. All organisations that process EU residents’ data (whether those organisations are based in the EU or not) have until May 2018 to comply with the law or risk fines of up to 4% of their annual global turnover or €20 million – whichever is higher. More information is available at itgovernance.co.uk/gdpr.

The same month saw the so-called Panama Papers leak from law firm Mossack Fonseca. According to Wired, Mossack Fonseca’s front-end computer systems were “outdated and riddled with security flaws”, and one security expert said the firm had “shown an ‘astonishing’ disregard for security”.

In May, another new strain of ransomware – CryptXXX – was discovered, but the biggest story was the sale of a four-year-old database containing 117 million LinkedIn members’ email addresses and passwords, acquired by criminals in 2012. LeakedSource, which got hold of a copy of the breached data, said it managed to crack 90% of the passwords in 72 hours – no great stretch when the most popular password was ‘123456’, the second most popular was ‘linkedin’ (yes, really), and the third was ‘password’.

Soon after the LinkedIn database appeared online, hundreds of millions of account details from MySpace and Tumblr also appeared for sale on the dark web. Again, data breaches a few years ago were to blame. MySpace said: “We believe the data breach is attributed to [the] Russian Cyberhacker ‘Peace.’ This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr”.

With so many compromised records now public, and knowing that most people are pretty lazy if not downright reckless when it comes to password security, other major companies – including Netflix and Facebook – sensibly took the precaution of resetting users’ passwords in June.

Ransomware continued to trouble a number of institutions – the University of Calgary admitted that it had stumped up C$20,000 to regain control of its critical systems – and more than a dozen law firms were held to ransom. A Malwarebytes survey found that 54% of organisations in the UK had been targeted by ransomware attacks, and in 20% of cases the attack halted business immediately.

In July, O2 customer credentials appeared on the dark web, but it soon transpired that O2 hadn’t suffered a breach – customers had simply been reusing login details again. A Check Point report into the HummingBad strain of malware found that 10 million Android devices had been infected, netting the criminal gang behind it some $300,000 a month, and the developers of the Petya and Mischa ransomware strains made their malicious software available to the public as part of a “ransomware as a service” programme that paid distributors based on how many bitcoins they managed to extort from their victims.

In August, a group of cyber criminals calling themselves the Shadow Brokers claimed to have hacked Equation Group – a hacking team linked to the NSA, according to Kaspersky Lab – and tried to sell off US “cyber weapons” to the highest bidder. Cisco confirmed that two of the exploits in the leaked archive – EPICBANANA and EXTRABACON – were legitimate. Whistle-blower Edward Snowden claimed that Russia was behind the malware leak.

August also saw Motherboard obtain the email addresses and (hashed and salted) passwords of 68,680,741 Dropbox accounts, nabbed in a 2012 hack in which a Dropbox employee’s password – which he also used on LinkedIn and which was stolen in the LinkedIn breach we learned about in May – was used to access Dropbox’s corporate network.

In September, the email addresses and passwords of approximately 800,000 users of adult website Brazzers were found online. Brazzers confirmed the data was compromised in a forum breach in 2012.

A 25-year-old man was jailed after hacking a bullion firm and using the data he illegally accessed to steal nearly £90,000 worth of gold.

We also learned about the first of Yahoo’s two mega-breaches, in which “information associated with at least 500 million” account holders was stolen in 2014. Yahoo CEO Marissa Mayer came in for considerable criticism: according to the New York Times she “repeatedly clashed” with Yahoo’s then-chief information security officer Alex Stamos about security spending, denied the security team financial resources and put off “proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. […] Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach.”

Donald Trump’s hotel chain also agreed to pay a $50,000 penalty and upgrade its information security practices after data breaches exposed 70,000 customers’ credit card numbers and other personal data.

In October, two gargantuan DDoS attacks walloped the websites of such household names as GitHub, Netflix, Spotify, Reddit, Twitter, and even the British government when Dyn – the managed DNS service they all use – was attacked by the Mirai botnet. According to Forbes, criminal hackers were advertising access to huge botnets based on Mirai, created days after its source code was made publicly available, for just $7,500. Botnets rely on devices that contain known vulnerabilities; increasingly, these are Internet of Things devices, whose owners fail to change default passwords such as ‘user’, ‘password’ and ‘admin’.

And Czech police, in conjunction with the FBI, arrested a Russian citizen – Yevgeniy Nikulin – over his involvement in a number of high-profile cyber attacks, including the ones that hit LinkedIn and Dropbox. Remember MySpace’s statement following its breach? “We believe the data breach is attributed to [the] Russian Cyberhacker ‘Peace.’ This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr.” If they’re right, Nikulin was a busy man.

November saw the biggest hack of the year so far when a data breach at FriendFinder Networks – the popular purveyor of pornography and ‘casual dating’ services – exposed 412,214,295 accounts. As if this weren’t bad enough, 15,766,727 details related to ‘deleted’ accounts weren’t actually removed from company databases. Moreover, thanks to poor password security practices, 99% of all available passwords were visible in plaintext.

Tesco Bank froze all online transactions in November after a total of £2.5 million was stolen from several thousand customers’ accounts.

And a remote jackpotting malware attack caused cash machines across Europe to issue money to cyber criminals.

In December, video sharing platform Dailymotion advised its users to change their passwords after more than 87 million account details, including usernames and email addresses belonging to approximately 85 million users, were discovered online. Some 18 million of the compromised records had passwords listed.

And, as if saving the biggest till last, Yahoo disclosed this month that one billion customer records were breached in 2014. Yahoo’s chief information security officer Bob Lord said:

“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
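An added illustration of two points in this year’s stories – the LinkedIn passwords LeakedSource cracked within 72 hours in May, and the MD5-hashed passwords in Yahoo’s statement above – that is not code from the podcast or from either company: a defender’s audit of a constructed unsalted-MD5 password store against the three most popular LinkedIn passwords, beside a salted PBKDF2 store that the same lookup cannot touch. The weak-password list, the 200,000-iteration work factor and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed weak list: the three most popular LinkedIn passwords named in the
# May story. A real audit would use a full breached-password corpus.
WEAK_PASSWORDS = ["123456", "linkedin", "password"]
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune to your own hardware


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the Yahoo store quoted above (legacy; do not use)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_md5_store(store: dict, weak_passwords=WEAK_PASSWORDS) -> dict:
    """Map username -> weak password for every account whose unsalted MD5 hash
    matches the weak list. One precomputed table covers every user at once,
    which is why unsalted MD5 stores are recovered so quickly after a breach;
    a defender runs this to decide which accounts to force-reset."""
    table = {md5_hex(pw): pw for pw in weak_passwords}
    return {user: table[h] for user, h in store.items() if h in table}


def pbkdf2_record(password: str) -> tuple:
    """Salted, iterated replacement: a fresh random salt per user means no
    shared lookup table works, and the iteration count slows every guess."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), dk.hex()


def pbkdf2_verify(password: str, salt_hex: str, dk_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed store: two of the three users chose passwords from the weak list.
SAMPLE_STORE = {
    "alice": md5_hex("123456"),
    "bob": md5_hex("password"),
    "carol": md5_hex("correct horse battery staple"),
}

if __name__ == "__main__":
    print("accounts to force-reset:", audit_md5_store(SAMPLE_STORE))
    salt, dk = pbkdf2_record("123456")
    print("pbkdf2 verify:", pbkdf2_verify("123456", salt, dk))
```

Two users who pick the same password get different PBKDF2 records because the salts differ, so the table that empties the MD5 store in one pass buys nothing against the salted one.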

Barring any new incidents before the new year, that’s it.

So, what have we learned this year?

Automated cyber attacks, especially ransomware and online extortion campaigns, are a huge threat to all organisations – so be sure to train your staff to be aware of phishing campaigns, be careful about the links they click, and not open dubious emails.

The rise of the Mirai botnet – and the disruption DDoS attacks cause – illustrates the increased weaponisation of IoT devices. This, together with the number of large-scale historic data breaches we learned about this year, highlights the importance of password security.

According to a survey conducted by LastPass, 95% of people share up to six passwords with their colleagues, friends and family, and 59% reuse passwords for multiple logins. We frequently counsel against using weak passwords but it is equally important to remember that you shouldn’t share or reuse your login information either. After all, even the strongest password, if it becomes widely known, offers no barrier to access. If you share your information or reuse the same credentials to sign into numerous accounts, a single data breach will jeopardise the security of all of them. In an enterprise context, one lazy user could cause a massive corporate data breach. You don’t want that. Use a password manager to generate strong passwords for each account, don’t tell anyone your passwords, and employ two-factor authentication where you can. And if you’re a manager, train your staff to be aware of the risks, and ensure you have proper access management policies to ensure the only people who can access your networks and systems are the ones who should.

Well, that’s it for this year. If you’ve made it this far, thank you for listening. We’ll be back in January, but until then you can keep up to date with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.

Merry Christmas, and a happy New Year.