Weekly podcast: Dyn DDoS attack, Mirai botnet and more mega breaches

This week, we discuss the Mirai botnet DDoS attack that affected the Dyn Managed DNS service and, with it, many household names, plus mega breaches compromising the personal data of millions of Weebly, Modern Business Solutions and FourSquare users.

Hello and welcome to the IT Governance podcast for Friday, 28 October. Here are this week’s stories.

Last Friday (21 October) saw two gargantuan DDoS attacks wallop the websites of such household names as GitHub, Netflix, Spotify, Reddit, Twitter, and even the British government when Dyn – the managed DNS service they all use – was attacked by the Mirai botnet. (Distributed denial of service attacks, in case you’ve forgotten, basically see web servers bombarded with traffic from multiple sources until they crumple under the pressure. Botnets are large networks of compromised Internet-connected devices that are engineered by cyber criminals to work together, usually to send spam or, as in this case, carry out DDoS attacks. And DNS is the domain name system – the mechanism by which domain names are resolved into IP addresses. All clear?)

In the wake of this attack, Forbes reported that, on the dark net, criminal hackers are advertising access to huge botnets based on Mirai, created days after its source code was made publicly available. The cost? Just $7,500 for 100,000 hacked devices. At that price, it wouldn’t be surprising if more DDoS attacks were forthcoming.

Botnets such as Mirai rely on poorly secured devices that contain known vulnerabilities. Increasingly, these are Internet of Things devices rather than computers.

One firm whose devices were reported to have been used as part of the Mirai botnet is the Chinese electronics company Hangzhou XiongMai, which this week recalled a number of webcam models, strengthened its devices’ security functions to require customers to change default passwords, and said it would issue patches for affected devices made before last April.

In a statement quoted by Reuters, XiongMai denied that its webcams comprised the majority of the Mirai botnet. “Security issues are a problem facing all mankind,” it said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

Massive data breaches seem to be the norm this year, so I suppose it’s not entirely surprising that news of another one has emerged, this one compromising the personal information of more than 43 million users of website builder Weebly. According to LeakedSource, information on 43,430,316 Weebly users was “leaked from its main database in February of 2016.” Each record “contains a username, email address, password, and IP address.” Fortunately, the passwords were hashed using salted bcrypt with a cost factor of 8 – which Weebly has since increased to 10.

Weebly told The Hacker News: “At this point, we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident.”

As if that weren’t bad enough, LeakedSource also published details of a data breach affecting nearly 59 million users of Modern Business Solutions this month – and a 2013 breach that compromised the details of just over 22.5 million users of FourSquare.

Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And don’t forget to check out our book of the month, Insider Threat: A Guide to Understanding, Detecting, and Defending Against the Enemy from Within by Dr Julie Mehan. Every type of organisation is vulnerable to insider abuse, errors or malicious attacks. This book shows how a security culture based on international best practice can help mitigate them.

Head over to our webshop to find out more.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.