Weekly podcast: Dropbox, G20 and financial cyber crime, and electoral fraud

This week we discuss the compromise of 68 million Dropbox accounts, cyber security in the international financial sector, and the illegal hacking of voter registration systems in the US

Hello and welcome to the IT Governance podcast for Friday, 2nd September. Here are this week’s stories.

I don’t know about you, but I got an email from Dropbox earlier this week, telling me I’d be prompted to change my password the next time I signed in. “We’re reaching out,” it said, “to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.” Hello, I thought. Funny. Has Dropbox been hacked again?

Well, the answer is no. But, as you’ll no doubt remember, it was hacked in 2012, and it’s that breach which has prompted it to reset users’ passwords. Why the wait? Well, this week, Motherboard claimed to have obtained the email addresses and (hashed and salted) passwords of 68,680,741 Dropbox accounts. Dropbox has confirmed the data’s legit, nabbed in the 2012 hack.

So, what’s the big deal, you might ask. For one thing, not all of the 68 million credentials will still be valid – I know I’ve changed my Dropbox password since 2012. And if the data’s encrypted then no one can use it anyway. Well… yes. You’re right. As Dropbox’s head of trust and security, Patrick Heim, said: “Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.” If you or your staff have bad password habits, take this as a wake-up call. The next time a massive breach like this happens, you might not be so lucky. As Patrick Heim explained: “for any of you who’ve used your Dropbox password on other sites, we recommend you change it on Dropbox and other services. We also recommend that you enable two-step verification.”

Earlier this year, I discussed an online heist that cost Bangladesh’s central bank US$81 million – a sum that would have been more, but for the cyber criminals’ misspelling of the name of the NGO they were impersonating as they made fraudulent transfer requests through SWIFT, the global financial messaging system.

The following month, Bloomberg reported that three hacker groups, including two nation states (reportedly Pakistan and North Korea) were inside the bank’s network. Now, with concern among US legislators apparently growing, six US senators have urged President Obama to prioritise cyber crime at this weekend’s G20 meeting. According to Reuters, the senators told the president: “Our financial institutions are connected in order to facilitate global commerce, but cyber criminals – whether independent or state-sponsored – imperil this international system in a way few threats have. We strongly urge you to work with your counterparts and prioritize this discussion at the G20 leaders level in September.”

Zunaid Ahmed Palak, a junior minister for information and communications technology in the Bangladesh government, said he was in favour of the issue being raised. “In most cases, cyber attacks and crimes take place from outside the country,” he said. “So while addressing fast growing cyber attacks, there should be a coordinated approach involving global stakeholders.” SWIFT, meanwhile, is urging its members to prioritise cyber security and implement new security measures.

The FBI has warned US election officials to enhance their cyber security after foreign hackers accessed voter registration systems in Arizona and Illinois. Ken Menzel, general counsel for the Illinois State Board of Elections said the hack affected the personal information of fewer than 200,000 voters; the Arizona attack involved no data exfiltration. According to Yahoo News, which broke the story on Monday, Homeland Security Secretary Jeh Johnson offered his department’s help to secure voting systems, including by undertaking vulnerability scanning. An FBI Flash asked states to “contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected. Attempts should not be made to touch or ping the IP addresses directly”.

The state of Georgia, where Donald Trump and Hillary Clinton are apparently neck-and-neck, has declined the Homeland Security Department’s offer. Georgia Secretary of State Brian Kemp told Nextgov: “Designating voting systems or any other election system as critical infrastructure would be a vast federal overreach, the cost of which would not equally improve the security of elections in the United States.”

Well, that’s it for this week. I’m not here next week, but I’ll leave you in the more than capable hands of m’colleague Lewis. As ever, please feel free to comment below, telling us a bit about yourself and what you’d like more information on and we’ll do our best to answer in the coming weeks. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.