This week, we discuss a vulnerability that’s caused $280 million of the cryptocurrency Ethereum to be frozen, the cost of NotPetya to AP Moller-Maersk, the data breach at law firm Appleby, and the former Yahoo and Equifax CEOs’ grilling by Senators.
Hello and welcome to the IT Governance podcast for Friday, 10 November 2017. Here are this week’s stories.
Users of the digital currency Ethereum are more than a little annoyed this week after a vulnerability in its Parity Wallet allowed one user to accidentally take control of about $280 million of the cryptocurrency and then freeze it – perhaps permanently.
584 wallets, owned by 573 people, have been affected.
After a criminal managed to exploit vulnerabilities in Parity’s multi-signature code and steal about $30 million worth of Ethereum in July, Parity updated its Parity Wallet library. “Unfortunately,” as Parity explained in a security alert issued on Wednesday, “that code contained another vulnerability which was undiscovered at the time – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It is our current understanding that this vulnerability was triggered accidentally on 6th Nov 2017 […] subsequently a user deleted the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable and funds frozen since their logic (any state-modifying function) was inside the library. […] This means that currently no funds can be moved out of the multi-sig wallets.
“We are analysing the situation and will release an update with further details shortly.”
The Danish shipping giant AP Moller-Maersk has reported that June’s NotPetya ransomware infection cost it between $250 and $300 million, in line with its August forecast. “The cyber-attack primarily impacted July and August, while contingencies related to recovery from the cyber-attack resulted in a negative development on volumes, utilisation and unit cost performance throughout the quarter,” it said in its financial report for Q3 2017.
The incident highlights a worrying trend in the industry. According to a recent survey by Futurenautics, 39% of ship operators experienced a cyber attack in the past 12 months, and 44% think their current defences aren’t effective at repelling cyber attacks.
Peter Broadhurst of Inmarsat Maritime told shipping news site ship-technology.com this week that “The connected ship is becoming more of a normality and the use of IT and more importantly OT [operational technology] on ships is starting to take a hold. What we’ve not been very good at is securing those services”, instead “treating cyber security as a bolt-on to what we’ve got, as opposed to designing it in”.
He added: “The mindset of maritime is that you build a ship and it lasts fifteen or twenty years, and so you don’t need to upgrade it, when actually from an IT perspective that’s not the way it works.”
Indeed not. Keeping your software up to date is essential to mitigating security vulnerabilities and avoiding data breaches.
Talking of data breaches, the acquisition of the so-called Paradise Papers by the German newspaper Süddeutsche Zeitung and the International Consortium of Investigative Journalists (ICIJ) – a trove of 13.4 million financial documents detailing the tax-avoidance arrangements of the rich and powerful, mostly originating from the law firm Appleby – have garnered considerable press coverage this week.
Appleby insists that there was no leak, but that it was the victim of a ‘serious’ act of criminal hacking, and that there’s no evidence that any data left its systems – which is obviously rather surprising given that millions of its documents are now in the hands of the ICIJ. I mean, the information must’ve got out somehow.
Still, however the breach occurred, law firms everywhere should take it as a wake-up call: the information you hold is sensitive, valuable, and likely to be targeted by cyber criminals, and you need to take action to secure it properly. You can find more information about best-practice information security for law firms on our website.
Yahoo’s former CEO Marissa Mayer testified before the Senate Committee on Commerce, Science, and Transportation this week – apparently only after being subpoenaed, according to The Hill. Mayer, who was in charge of Yahoo when all 3 billion of its customer accounts were compromised, apologised once again for the incident.
“As you know,” she said, “Yahoo was the victim of criminal state-sponsored attacks on its systems resulting in the theft of certain user information. First and foremost, I want to reiterate how sorry I am for these incidents. We worked hard over the years to earn our users’ trust, and we fought hard to preserve it. As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users.”
Another pair grilled by the committee on Wednesday were Paulino de Rego Barros, the Interim CEO of Equifax, and his predecessor, Rick Smith. Senator Brian Schatz told them: “People […] cannot understand how the CEO of Equifax and the CEO of Yahoo walked away with $90 million and $27 million and possibly a quarter of a billion dollars in stocks – this is unfathomable to the average person. […] You harm consumers and you walk away with the amount of money that a small city or county uses for their annual operating budget. It’s not fair and it’s why this dais has an obligation to make a law and not just drag you back and forth and wave our fingers at you.”
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.
Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.