Weekly podcast: Android security, deleted websites, Pentagon bug bounty and jailed Russians

This week, we consider 400 million vulnerable Android devices, a hosting firm that mistakenly deleted its customers’ websites, a chance to hack the Pentagon, and the sentencing of three Russians on cyber crime charges.



Hello and welcome to the IT Governance podcast for Friday, 22nd April. Here are this week’s stories…

Google has just released its 2015 annual Android security report. There’s a lot of good news, including the fact that there was no “significant or widespread exploitation of remote vulnerabilities in Android devices” last year – and that includes Stagefright, which reportedly affected 95% of all Android devices and got us all rather worried last summer. On the negative side, one statistic leapt out. On page 31, the report states: “70.8% of all active Android devices are on a version that we support with patches.” With an estimated 1.4 billion active Android devices in the world, the remaining 29.2% running unsupported versions amounts to some 400 million devices that will not receive fixes for newly reported flaws. If yours is one of them, or your business issues Android devices to staff or has a BYOD policy that lets staff use their own Android devices to access corporate data, make sure they are updated to the newest software version available. Where the manufacturer no longer ships updates for a handset, treat it as unpatchable and keep it away from corporate data. The Android security team patched 69 critical vulnerabilities in 2015, and if you or your staff are running a version of Android older than 4.4.4, you’re leaving yourself open to attack.
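The practical question for anyone managing a fleet of staff or BYOD handsets is which of them sit below the 4.4.4 line the report draws. The script below is an added example, not code from the podcast or from Google’s report: it parses the `[key]: [value]` output format of `adb shell getprop` (the device dumps here are constructed, not real devices) and flags every device whose `ro.build.version.release` is below the 4.4.4 threshold quoted in the text. Version strings are compared numerically, with missing components treated as zero, so a device reporting `4.4` is correctly ranked below `4.4.4` and `5.1` above it. The `ro.build.version.security_patch` property only exists on Android 6.0 and later, so its absence is reported but not treated as a failure on its own.

```python
"""Flag Android devices on versions that no longer receive platform patches.

Added example, not from the podcast or from Google's report. MIN_SUPPORTED
comes from the report figure quoted in the text; SAMPLE_INVENTORY is a
constructed set of 'adb shell getprop' dumps, one per enrolled device.
"""
import re
from typing import Dict, List, Tuple

# Oldest release line still receiving platform patches, per the 2015 report.
MIN_SUPPORTED = "4.4.4"

# Constructed sample inventory: device id -> getprop dump. Real dumps carry
# hundreds of properties; only the two we care about are shown.
SAMPLE_INVENTORY: Dict[str, str] = {
    "dev-001": "[ro.build.version.release]: [6.0.1]\n"
               "[ro.build.version.security_patch]: [2016-04-02]\n",
    "dev-002": "[ro.build.version.release]: [4.4.2]\n",
    "dev-003": "[ro.build.version.release]: [4.4.4]\n",
    "dev-004": "[ro.build.version.release]: [5.1]\n",
    "dev-005": "[ro.build.version.release]: [4.1.2]\n",
    "dev-006": "[ro.build.version.release]: [4.4]\n",      # pads to 4.4.0 < 4.4.4
    "dev-007": "",                                          # device never reported
}

# getprop prints every property as "[key]: [value]" on its own line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(dump: str) -> Dict[str, str]:
    """Parse a getprop dump into a dict; lines that don't match are ignored."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def version_key(version: str, width: int = 3) -> Tuple[int, ...]:
    """Turn '4.4.4' / '5.1' / '6.0.1' into a fixed-width tuple of ints.

    Comparison is numeric (so '4.10' would beat '4.9') and missing trailing
    components count as zero, so '4.4' sorts below '4.4.4'.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_supported(version: str) -> bool:
    """True if the release is at or above the patched baseline."""
    return version_key(version) >= version_key(MIN_SUPPORTED)


def audit(inventory: Dict[str, str]) -> Dict[str, dict]:
    """Per-device findings. 'supported' False means no platform patches."""
    findings: Dict[str, dict] = {}
    for device_id, dump in inventory.items():
        props = parse_getprop(dump)
        release = props.get("ro.build.version.release")
        patch = props.get("ro.build.version.security_patch")
        if release is None:
            # No release reported at all: treat as unknown and therefore unsupported.
            findings[device_id] = {"release": None, "security_patch": patch,
                                   "supported": False, "reason": "release not reported"}
            continue
        ok = is_supported(release)
        findings[device_id] = {
            "release": release,
            "security_patch": patch,  # None on pre-6.0 builds; report, don't fail
            "supported": ok,
            "reason": "" if ok else f"{release} is below {MIN_SUPPORTED}",
        }
    return findings


def unsupported_devices(inventory: Dict[str, str]) -> List[str]:
    """Sorted ids of devices that should be updated, replaced or quarantined."""
    return sorted(d for d, f in audit(inventory).items() if not f["supported"])


if __name__ == "__main__":
    for dev, finding in audit(SAMPLE_INVENTORY).items():
        print(dev, finding)
    print("unsupported:", unsupported_devices(SAMPLE_INVENTORY))
```

Feed it the real inventory export from your MDM and the `unsupported_devices` list is the set to chase, replace, or block from corporate mail and file shares.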

Bad news for customers of web hosting provider 123-reg this week: a “rogue script”, run as part of a virtual private server (VPS) clean-up operation, “effectively deleted” an unspecified number of customers’ websites. To exacerbate the situation, customers who hadn’t backed up their VPS might not be able to recover their data – 123-reg doesn’t hold backup copies itself. In a series of online updates, 123-reg said that it “would like to extend our apologies to all customers who are still affected by the VPS outage. We understand how important your website is to you and we are doing everything to restore service to normal levels.” It’s to be hoped that they manage a full recovery. Hindsight won’t help the online businesses that can no longer trade as a result of this error, but it’s a timely lesson for everyone else that information security isn’t just about protecting yourself from criminal hackers; you also need to consider the damage that can be wrought by your own service providers, suppliers and staff. Creating and maintaining a business continuity management system will allow you to prepare for such threats to your business’s operations.
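The lesson from the 123-reg incident is that a backup which only exists at the provider, or which has never been restored, is not a backup. The script below is an added example, not code from the podcast or from 123-reg: it archives a site directory to a location the hosting provider does not control (a second directory stands in for that location here), records a SHA-256 checksum alongside the archive, then runs a restore drill: the live copy is deleted, the archive is checksum-verified and unpacked into a fresh directory, and every restored file is compared against a manifest taken before the deletion. The sample site is constructed inside a temporary directory so the whole cycle runs offline.

```python
"""Back up a site directory off-provider and prove that it restores.

Added example, not from the podcast or from 123-reg. The 'vps' and 'offsite'
paths are stand-ins created inside a temporary directory; in production the
offsite path would be storage under a different provider or your own control.
"""
import hashlib
import os
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterator


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def backup(site_dir: Path, offsite_dir: Path, name: str) -> Path:
    """Write <name>.tar.gz plus a detached <name>.sha256 into offsite_dir."""
    archive = offsite_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=name)
    (offsite_dir / f"{name}.sha256").write_text(sha256_file(archive))
    return archive


def _safe_members(tar: tarfile.TarFile) -> Iterator[tarfile.TarInfo]:
    """Refuse absolute paths, '..' traversal and anything but files/dirs."""
    for m in tar.getmembers():
        p = Path(m.name)
        if p.is_absolute() or ".." in p.parts or not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing unsafe archive member {m.name!r}")
        yield m


def restore(archive: Path, target: Path) -> Path:
    """Verify the archive against its checksum file, then unpack into target."""
    # "www.tar.gz" -> "www.tar" -> "www.sha256", matching what backup() wrote
    checksum_file = archive.with_suffix("").with_suffix(".sha256")
    if sha256_file(archive) != checksum_file.read_text().strip():
        raise ValueError("archive checksum mismatch, do not trust this backup")
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, members=_safe_members(tar))
    return target


def drill(tamper: bool = False) -> bool:
    """Backup -> delete live copy -> restore -> compare. True if byte-identical.

    With tamper=True a byte is appended to the archive after the checksum is
    taken, so the restore must refuse it and the drill reports False.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        site = tmp / "vps" / "www"                      # constructed sample site
        (site / "assets").mkdir(parents=True)
        (site / "index.html").write_text("<h1>shop</h1>\n")
        (site / "assets" / "app.js").write_bytes(b"console.log(1)\n")
        before = manifest(site)                         # taken while the site is alive

        offsite = tmp / "offsite"
        offsite.mkdir()
        archive = backup(site, offsite, "www")
        if tamper:
            with archive.open("ab") as f:
                f.write(b"\x00")

        shutil.rmtree(tmp / "vps")                      # the provider's "rogue script"
        try:
            restored = restore(archive, tmp / "restore")
        except ValueError:
            return False
        return manifest(restored / "www") == before


if __name__ == "__main__":
    print("restore drill passed:", drill())
    print("tampered archive rejected:", not drill(tamper=True))
```

Run the drill on a schedule, not once: a restore that worked last year proves nothing about the archive written last night.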

Ever wanted to hack the Pentagon? Now’s your chance to do so without ending up in a federal jail: the US Department of Defense has announced a bug bounty programme – the first in the history of the federal government – to test and find vulnerabilities in its “applications, websites and networks”. Participants “will be required to register and submit to a background check” before they start – so don’t do anything silly at home. The ‘Hack the Pentagon’ programme will run from 18 April to 12 May.

Aleksandr Panin, a 27-year-old Russian responsible for the SpyEye banking malware trojan, which infected “over 50 million computers, causing close to $1 billion in financial harm to individuals and financial institutions around the globe” has been sentenced to nine-and-a-half years’ imprisonment in the United States. His accomplice, Hamza Bendelladj, was sentenced to 15 years’ imprisonment.

Meanwhile in Russia, the creator of the Blackhole exploit kit, Dmitry ‘Paunch’ Fedotov, has been sentenced to seven years in a Russian penal colony. Brian Krebs reports that “According to Russian security firm Group-IB, Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity.”

Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.