In this week’s podcast, we look at Paul Moore’s discovery of a vulnerability in Asda’s website, malvertising, and the RSA conference’s odd choice of keynote speakers.
Hello and welcome to the IT Governance podcast. We’re well into January now (yes, brrr, it is a bit chilly) and the data breach news has started. Here we go…
Asda, the second largest supermarket in the UK by market share, reportedly suffered vulnerabilities in its online grocery store that exposed customers’ personal information and payment details for nearly two years. Information security consultant Paul Moore, who discovered the issue, estimates that over 19 million transactions were potentially at risk in that period. Mr Moore first contacted Asda in March 2014 “to report several security vulnerabilities” that he’d discovered in its website, but nothing was done to fix them until he blogged about the issue earlier this week – 677 days later. He explained his proof of concept in a video, saying: “all that’s required for this exploit to be successful is for you to be signed in and browsing the web. If, at the end of your shop, you search for a voucher or discount code and that website contains the same malicious payload, you could potentially lose your card details.” Asda fixed the vulnerability shortly after Mr Moore published his blog, telling the BBC: “Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website.”
The Malwarebytes blog reports that malvertisers have been abusing ad platform AdSpirit to expose visitors to MSN’s homepage to malware again, this time using the RIG and Neutrino exploit kits to deliver the malware payload rather than the more common Angler EK. Caution when clicking links isn’t the only way to protect yourself. Remember that malvertising no longer requires victims to click: drive-by downloads deliver their payloads as soon as victims visit an infected page. A combination of awareness and technological solutions is therefore paramount – and remember to keep your software up to date.
Every year, the password manager software company SplashData compiles a list of the 25 most common stolen passwords from the previous 12 months’ publicly disclosed data breaches. 2015’s results have now been published, and they demonstrate one thing: people are still no good at choosing passwords. The top five ‘worst’ passwords in 2015 were 123456, password, 12345678, qwerty, and 12345. Weak – and reused – passwords are a common point of intrusion for cyber criminals. Remember that you should use a unique alphanumeric password for each online account you have, and ideally employ two-factor authentication for added security. (Think of your bank card and PIN combination as an example: you need both factors to access your account at a cash machine.)
And finally… Charley Koontz and Shad Moss – actors in CSI: Cyber, the much-mocked American television drama that stretches the capability of cybercrime beyond the bounds of plausibility for your entertainment – and Anthony E. Zuiker – the creator and executive producer of the CSI franchise – are to speak at the RSA conference in San Francisco in March. Yup, TV stars, whose programme has been described by Gizmodo as “the best-worst show about technology”, and by Wired as “magnificently absurd” and “brain-dead”. Should be fun.
That’s it for this week. Remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.