This week, we look back at the big news from last year, and consider what the next 12 months have in store
Hello and welcome to the first IT Governance podcast of 2018. Happy new year. As it’s the first one, let’s have a brief recap of some of last year’s biggest stories, and then look ahead to what we can expect from the next 12 months.
The three biggest infosec stories of 2017 were, arguably, the Yahoo data breach, the WannaCry ransomware outbreak and the Equifax data breach.
Let’s start with Yahoo.
Back in December 2016, Yahoo admitted that more than 1 billion customers’ records had been compromised by an unauthorised third party in 2013. According to an FAQ page, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, passwords hashed using the insecure MD5 algorithm and, in some cases, encrypted or unencrypted security questions and answers. Cleartext passwords, payment card data and bank account information were not affected.
Yahoo account holders were advised to change their passwords and security questions, review their accounts for suspicious activity, and beware of phishing attempts.
This was undoubtedly the biggest data breach in history, but, extraordinarily, it wasn’t the only breach Yahoo announced in late 2016. Only a few months previously, in September 2016, Yahoo had revealed that 500 million customer accounts had been breached in a separate incident in 2014, which it attributed to state-sponsored attackers. The two incidents were, it seems, connected, although it wasn’t clear if there was any overlap between the two datasets.
The story developed throughout 2017, thanks in no small part to Yahoo’s acquisition by Verizon Communications. Two FSB agents, Dmitry Dokuchaev and Igor Sushchin, and two hackers, Alexsey Belan and Karim Baratov, were charged for the 2014 incident in March 2017, but Baratov – a Canadian – is the only conspirator to have been arrested. According to Toronto Life, he had no idea he was working for Russian spies. He is due to be sentenced in February 2018.
By October 2017, Yahoo had been bought by Verizon for $4.48 billion, the price having been reduced by $350 million because of the security incidents, and integrated into Verizon’s new Oath subsidiary. Verizon was obviously keen to conduct its own investigation. It found that the actual number of Yahoo accounts breached in 2013 was… 3 billion. In other words all of them – definitely the biggest data breach in history.
In May, cyber criminals associated with North Korea’s Lazarus group used so-called ‘cyber weapons’ stolen from the US National Security Agency (NSA) to spread ransomware to unsupported and unpatched Windows systems, encrypting files and locking down machines until a bitcoin ransom was paid. The attack was dubbed WannaCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor or Wcry.
A bit of background: the NSA’s EternalBlue exploit and DoublePulsar payload were stolen by a group of criminal hackers known as The Shadow Brokers in August 2016 and dumped online in April 2017 after attempts to auction them – and others – were unsuccessful. EternalBlue exploited a number of remote code execution vulnerabilities in version 1 of Microsoft’s Server Message Block protocol, which Microsoft patched in March. However, older, unsupported systems, such as the defunct but still popular Windows XP, remained vulnerable.
WannaCry spread quickly from its initial outbreak in Spain, affecting victims in 150 countries – including the UK’s NHS. According to a 2016 Freedom of Information request by Motherboard, 42 NHS trusts still used Windows XP, despite Microsoft having stopped supporting XP in 2014 and a custom 12-month support deal arranged by the government having ended in May 2015, leaving any NHS organisation still running the defunct operating system vulnerable to attack.
In an unprecedented move, Microsoft issued patches for unsupported versions of its products in an attempt to stop WannaCry spreading further. Meanwhile, 22-year-old security researcher Marcus Hutchins – who was later arrested in Las Vegas in connection with the creation and distribution of a different strain of malware – activated a convenient kill switch in WannaCry by registering a domain that stopped further infections and ‘sinkholing’ it to a server in California.
In September, the consumer credit reporting agency Equifax admitted that, from mid-May to July, criminals had accessed its systems by exploiting an unpatched remote code execution vulnerability in Apache Struts 2, an open-source framework for developing Java web apps. This vulnerability had been identified two months earlier, in March 2017, when users were recommended to upgrade to Struts 2.3.32 or 2.5.10, but Equifax hadn’t deployed the patch. As a result, it suffered a data breach that potentially affected approximately 143 million US customers’ “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed”. Nearly 700,000 UK customers’ personal information was also compromised.
Equifax’s CEO Rick Smith, its CIO David Webb and CISO Susan Mauldin all ‘retired’ after the breach was reported. However, these ‘leadership changes’ were the least of Equifax’s worries. Among other agencies, the FBI, the Federal Trade Commission and the Securities and Exchange Commission launched investigations, and several state attorneys general filed lawsuits against the company. On top of this, the US Department of Justice launched a criminal investigation into alleged insider trading after three top executives – John Gamble, Rodolfo Ploder and Joseph Loughran – sold almost $2 million worth of Equifax stock shortly before the breach was made public, apparently with no knowledge of the incident.
Appearing before a congressional hearing in October, Rick Smith said that human error and technology failures had led to the Apache Struts vulnerability not being patched. He apologised profusely.
So, what can the average business learn from these stories?
First, mitigating cyber risks is a constant battle, but the vast majority of attacks exploit known vulnerabilities and can be prevented by getting the basics right. Ensuring you run the latest versions and apply patches when they are released is essential, as is conducting regular penetration testing to find vulnerabilities in your networks and applications. The Equifax breach was the result of an unpatched vulnerability, and WannaCry spread via known SMB vulnerabilities. Both could have been prevented with a patch management programme.
Secondly, the Yahoo breach illustrates the importance of proper password management. It’s absolutely fundamental to use different passwords for each of your online accounts, especially if they’re linked to the same username – often your email address. When a service, such as Yahoo, is compromised and login details have been stolen, criminals will automate attacks using the username and password combinations they have gained to see what else they can access.
SplashData released its annual list of the 100 worst passwords a couple of weeks ago, culled from the previous 12 months’ publicly disclosed data breaches, and it seems that the likes of ‘123456’, ‘password’, ‘qwerty’ and ‘letmein’ are still inexplicably popular. ‘Starwars’ joins the list this year, but that’s still an absolutely feeble effort. If that’s the sort of password you use – perhaps because you find it difficult to select and recall suitably complex passwords – there is a simple solution available to you: use a password manager.
Don’t let your login on all of your accounts be your email address and the password ‘qazwsx’. You might as well just set your username as ‘root’ and have no password at all.
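As an added illustration of the automated attacks just described (example code written for this recap, not from the podcast or IT Governance), here is a small Python detector that separates credential stuffing from ordinary brute force in a constructed authentication log: many distinct usernames from one source in a short window is the stuffing signature, and any successes in that run point to the accounts whose passwords were reused. The log format, IP addresses and usernames are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 walks a list of different accounts (stuffing); 198.51.100.20 hammers one account (brute force).
SAMPLE_LOG = """\
2018-01-08T09:00:01 203.0.113.7 alice@example.com FAIL
2018-01-08T09:00:02 203.0.113.7 bob@example.com FAIL
2018-01-08T09:00:03 203.0.113.7 carol@example.com FAIL
2018-01-08T09:00:04 203.0.113.7 dave@example.com SUCCESS
2018-01-08T09:00:05 203.0.113.7 erin@example.com FAIL
2018-01-08T09:00:06 203.0.113.7 frank@example.com FAIL
2018-01-08T09:00:07 198.51.100.20 alice@example.com FAIL
2018-01-08T09:00:09 198.51.100.20 alice@example.com FAIL
2018-01-08T09:00:12 198.51.100.20 alice@example.com FAIL
2018-01-08T09:00:15 198.51.100.20 alice@example.com FAIL
2018-01-08T09:00:18 198.51.100.20 alice@example.com FAIL
2018-01-08T09:05:00 192.0.2.9 grace@example.com SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def find_credential_stuffing(events, window=timedelta(minutes=5), min_attempts=5, min_users=4):
    """Flag source IPs that try many *different* usernames within one window.
    The distinct-username count is the discriminator: brute force repeats one
    account, while stuffing a breached list touches each account once or twice."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            if len(span) >= min_attempts and len(users) >= min_users:
                hit = flagged.get(ip)
                if hit is None or len(span) > hit["attempts"]:   # keep the largest qualifying run
                    flagged[ip] = {"attempts": len(span), "distinct_users": len(users),
                                   "compromised": [u for _, u, o in span if o == "SUCCESS"]}
    return flagged
```

Calling `find_credential_stuffing(parse_log(SAMPLE_LOG))` flags only 203.0.113.7 and names dave@example.com as the account to force a password reset on; the single-account brute force from 198.51.100.20 is left for a separate lockout rule.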
Onward, then! What can we expect from 2018?
The year has started dramatically enough, with the discovery of major security flaws in CPUs made by Intel, AMD and ARM. Dubbed Meltdown and Spectre, the vulnerabilities affect almost every system, including desktops, laptops, servers and smartphones. A number of patches are already available. You’re advised to update as soon as you can.
And in less than five months – on 25 May – the EU’s General Data Protection Regulation (GDPR) will come into effect. If your organisation hasn’t started its compliance project yet, time is very much running out. Remember that every organisation that processes EU residents’ personal data – and that includes employee data, for which consent will no longer be a lawful basis for processing – needs to take action in order to comply with the new law. Visit our GDPR resource page for more information.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.
Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.