Weekly podcast: Guardian Soulmates, Persirai botnet, ‘crazy bad’ Microsoft RCE vulnerability

This week, we discuss a data breach affecting the Guardian Soulmates dating site, a new IoT botnet potentially affecting 120,000 IP cameras, and the worst Windows remote code execution vulnerability ‘in recent memory’.

Hello and welcome to the IT Governance podcast for Friday, 12 May 2017. Here are this week’s stories.

Users of the Guardian newspaper’s dating site, Guardian Soulmates, have been bombarded with explicit spam emails following a data breach in which their contact information was exposed. Human error was apparently to blame. According to Guardian News and Media, which operates the service, usernames and email addresses were compromised by a third-party technology provider. Attackers could then use this information to harvest further details from users’ profiles.

One anonymous victim told the BBC they’d alerted Guardian Soulmates last November, having received spam “directly referencing information that could only have come from the Soulmates database”. What was particularly surprising was the fact that “they had not used the site for several years and were no longer paying a membership fee.”

Guardian News and Media said: “We take matters of data security extremely seriously and have conducted thorough audits and are confident that no outside party breached any of these systems. We have taken appropriate measures to ensure this does not happen again.”

The ICO is aware of the incident and “will be looking into details”.

Third-party information security is of paramount importance to all organisations – especially as many large-scale data breaches occur via smaller incidents affecting the supply chain.

It’s also worth bearing in mind that in just over a year’s time the GDPR will be enforced, and organisations’ legal obligations will be substantially increased.

Among the Regulation’s many requirements, the ‘storage limitation’ principle mandates that personal data is kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which it is processed.

If you suspect your organisation retains personal data that it no longer needs, now’s the time to carry out an audit to identify the type of data you hold, where it’s held, who owns it, who has access to it, and who it’s shared with.

Trend Micro has discovered a new Internet of Things botnet – which it has dubbed Persirai – targeting more than 1,000 models of internet protocol (IP) camera. Approximately 120,000 individual IP cameras are vulnerable, according to a Shodan search, and many users are unaware that their devices are exposed.

(Botnets, as I’m sure you know, are large networks of compromised Internet-connected devices that are engineered by cyber criminals to work together, usually to send spam or carry out DDoS attacks.)

As Trend Micro explains, IP cameras typically use Universal Plug and Play (UPnP) – “network protocols that allow devices to open a port on the router and act like a server”. This makes them highly visible targets for malware.

Once logged in to a vulnerable interface, attackers “can perform a command injection to force the IP Camera to connect to a download site”, which will then “download and execute malicious shell script”. A command and control server can then instruct the camera to attack other cameras by exploiting a recently disclosed zero-day vulnerability, so the botnet spreads from camera to camera. Infected cameras will then receive a command instructing them “to perform a DDoS attack on other computers via User Datagram Protocol (UDP) floods.”

As Trend Micro points out, “A large number of these attacks were caused by the use of the default password in the device interface [so] users should change their default password as soon as possible and use a strong password for their devices.”

The same is true of any Internet-connected device. The emergence of Mirai-based botnets at the end of last year showed the damage that criminals can cause by exploiting poorly secured devices, and as the IoT continues to grow in popularity, so will the number of poorly secured devices.

Google’s security wunderkind Tavis Ormandy has been at it again. Last Friday he announced that he and fellow Project Zero researcher Natalie Silvanovich had “discovered the worst Windows remote code exec[ution vulnerability] in recent memory.” It was, he said, “crazy bad”. Given the speed with which Microsoft patched it, he could well have been right: an emergency update was issued on Monday.

The critical vulnerability (CVE-2017-0290 for all you fans of CVE IDs) can be exploited just by sending an email to a user. What’s more, the email doesn’t even have to be read or any attachment opened: the engine scans the message when it arrives, and any specially crafted file that is scanned by an affected version of Microsoft Malware Protection Engine will do, whether it arrives by email or from a website the user visits.

According to Microsoft, attackers could then “execute arbitrary code in the security context of the LocalSystem account and take control of the system.” They could then “install programs; view, change, or delete data; or create new accounts with full user rights.”

As Ormandy explains, Microsoft Malware Protection Engine is enabled by default in Windows 8, 8.1, 10, Windows Server, and others. Numerous Microsoft security products, including Microsoft Security Essentials and System Center Endpoint Protection, also share the same core engine. Vulnerabilities affecting it are among the most severe possible in Windows, on account of the service’s “privilege, accessibility, and ubiquity”.

The new version of Microsoft Malware Protection Engine – version 1.1.13704.0 – is delivered through the products’ normal definition update mechanism and should be installed automatically, typically within 48 hours of release, but some admins might have to install it themselves, depending on their infrastructure configuration. (To verify the version number that your software is currently using, see the section ‘Verifying Update Installation’ in Microsoft Knowledge Base Article 2510781.)
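For admins who would rather check a fleet than click through Help > About on each machine, here is an added PowerShell check (not from the podcast, Microsoft or the Knowledge Base article) that reads the engine version and compares it with 1.1.13704.0. It uses the Defender module’s Get-MpComputerStatus cmdlet where available; the two registry paths it falls back to are assumptions that should be verified against your own product and build.

```powershell
# Added example: confirm the local Microsoft Malware Protection Engine is at or
# above the version that fixes CVE-2017-0290. Run in an elevated PowerShell.
$FixedVersion = [version]'1.1.13704.0'   # fixed engine version named in the advisory

function Get-MpEngineVersion {
    # Preferred source: the Defender module (Windows 8.1 / 10 / Server 2012 R2 and later).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status -and $status.AMEngineVersion) {
            return [version]$status.AMEngineVersion
        }
    }

    # Fallback for products without the cmdlet (e.g. Security Essentials on older Windows).
    # ASSUMED registry locations: verify them on your build before relying on this.
    $candidateKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($key in $candidateKeys) {
        $value = (Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($value) { return [version]$value }
    }
    return $null
}

function Test-MpEnginePatched {
    param([version]$Required = $FixedVersion)
    $current = Get-MpEngineVersion
    if (-not $current) {
        Write-Warning 'Could not read the engine version; check Help > About in the product or follow KB2510781.'
        return $false
    }
    if ($current -lt $Required) {
        Write-Warning "Engine $current is older than $Required - CVE-2017-0290 is NOT patched. Force a definition update (Update-MpSignature on Defender) and re-check."
        return $false
    }
    Write-Output "Engine $current is at or above $Required - patched."
    return $true
}

Test-MpEnginePatched
```

Because the fix ships as an engine update rather than a Windows Update package, the comparison is on the engine version alone; the signature version is irrelevant here. Machines that cannot reach the definition update service (isolated networks, WSUS with definitions not approved) are the ones most likely to report an older engine.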

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s May book of the month is EU General Data Protection Regulation – An Implementation and Compliance Guide, an in-depth guide to the changes your organisation needs to make to comply with the GDPR before its enforcement next May. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.