Hello and welcome to the IT Governance podcast for Friday, 16 June 2017. Here are this week’s stories.
Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office after its employees’ personal data was compromised in a hacking attack in 2014. More than 30,000 emails containing financial and sensitive information relating to around 30 to 40 staff members were downloaded from council mailboxes by an attacker who claimed to be part of the Anonymous group.
The attack exploited the Heartbleed bug – a well-publicised information disclosure vulnerability affecting OpenSSL’s implementation of the TLS and DTLS heartbeat extension that allows remote attackers to read the contents of up to 64KB of server memory.
At the time the bug was disclosed, 17.5% of the world’s ‘secure’ websites were estimated to be vulnerable.
A patch was made available soon after the vulnerability’s discovery, but Gloucester City Council failed to apply it as it “was in the process of outsourcing its IT services to a third party company […] and updating the software to address the vulnerability was overlooked.” This left personal information at risk, in breach of the Data Protection Act 1998.
ICO Group Enforcement Manager Sally Anne Poole said: “A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack. […] Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”
Here at IT Governance, our penetration testers still occasionally see instances of the Heartbleed bug when testing clients’ systems. If you’re affected by this vulnerability, upgrade to OpenSSL 1.0.1g or later, or recompile OpenSSL with the ‘–DOPENSSL_NO_HEARTBEATS’ flag to disable the vulnerable functionality.
Following last month’s WannaCry ransomware attack, which combined the stolen NSA EternalBlue and DoublePulsar exploits, a bumper Patch Tuesday this month: Microsoft issued patches for 94 vulnerabilities, including – unusually – more patches for unsupported versions of Windows systems affected by three more NSA ‘cyber weapons’ leaked by the Shadow Brokers:
- ExplodingCan, which exploits a remote code execution vulnerability in Internet Information Services (IIS),
- EsteemAudit, which exploits a vulnerability in Remote Desktop Protocol (RDP), and
- EnglishmanDentist, which exploits a vulnerability in Object Linking and Embedding (OLE).
Microsoft explained: “[Owing] to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to [WannaCry].”
Updates for unsupported versions, such as Windows XP and Windows Server 2003, can be downloaded manually.
If you run supported versions of Windows and have Windows Update enabled, you don’t need to take any action.
WannaCry may have put the wind up a lot of people, but Mac users, who tend to believe that their machines are unaffected by malware, weren’t among them. However, the recent discovery of two free Mac malware-as-a-service offerings on the dark web should put paid to that notion – even if they are rather unsophisticated when compared with other ransomware strains.
According to Catalin Cimpanu of Bleeping Computer, who discovered them, both portals were launched on 25 May: “The first site is named MacSpy and peddles Mac spyware, while the second is named MacRansom, and is renting ransomware in a classic [ransomware-as-a-service] scheme,” he said. Neither of the malware programs is directly available – they can only be obtained by emailing the authors.
Fortinet, which got hold of a copy of, and analysed, MacRansom, said: “It is not every day that we see new ransomware specifically targeting [the] Mac OS platform. Even if it is far inferior from most current ransomware targeting Windows, it doesn’t fail to encrypt victim’s files or prevent access to important files, thereby causing real damage.”
According to AlienVault, which analysed MacSpy, although it “may not be the most stealthy program, it is feature rich and it goes to show that as OS X continues to grow in market share […] we can expect malware authors to invest greater amounts of time in producing malware for this platform.”
In short: Mac users should take the same precautions as PC users. It’s only a matter of time before more variants emerge.
Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.