Weekly podcast: i-Dressup breach, Yahoo aftermath and cyber security awareness

This week, we discuss the compromise of 2.2 million teens’ i-Dressup accounts, the aftermath of the massive 2014 Yahoo breach, and cyber security advocacy campaigns ECSM and NCSAM.

Hello and welcome to the IT Governance podcast for Friday, 30th September. Here are this week’s stories.

Ars Technica reported earlier this week that a hacker had used a SQL injection attack to download 2.2 million plaintext passwords from i-Dressup – a “social hangout website” used by teenage girls. The hacker told Ars and Troy Hunt of breach notification site Have I Been Pwned? that there was “nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries.” Ars privately notified the site’s “operators of the vulnerability, but more than five days later, no one [had] responded and the bug [remained] unfixed.”

On the FAQ section of i-Dressup’s site, the question “Is I-Dressup A Secure Site?” is evaded, with none of the four points given in response mentioning security in any way. As Ars Technica says: “It’s bad enough that a SQL-injection vulnerability that dumps passwords remained unfixed even after it was privately reported. It’s even worse that the database contained plaintext passwords. Industry standards dictate that passwords be converted into a cryptographic hash that requires an attacker to spend time and computing resources to restore to a human-readable form. Anyone who had an account on i-Dressup should strongly consider closing it.”

Last week’s news that “information associated with at least 500 million” Yahoo users’ accounts was stolen by “state-sponsored” hackers in 2014 has, understandably, caused many media outlets to turn their attention to the company’s security culture – and Yahoo CEO Marissa Mayer has come in for considerable criticism. The New York Times reported on Wednesday that Mayer “repeatedly clashed” with Yahoo’s then-chief information security officer Alex Stamos about security spending, denying the security team financial resources and putting off “proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. […] Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach.”

Stolen credentials are valuable to criminals for a reason. According to a survey conducted by LastPass earlier this year, 59% of people reuse their passwords for multiple logins. The problem with this is that a single data breach could have a serious knock-on effect – and with an incident of this scale there are bound to be ripples. Just consider the other major breaches that we’ve seen so far this year: in May, it was revealed that 117 million login credentials were stolen from LinkedIn in 2012. One set of credentials belonged to a Dropbox employee who reused their LinkedIn password at work. Earlier this month, we learned that criminals used that reused password to access Dropbox’s corporate network and steal over 68 million login credentials. In June, we reported that hundreds of millions of account details for MySpace and Tumblr were also listed for sale on the dark web by the same criminal hacker, ‘Peace’, who was responsible for the LinkedIn hack. (Tumblr, you’ll remember, is owned by… Yahoo.) I wouldn’t be at all surprised if a few more breaches came to light in the coming weeks and months as a result of this one.

So, what can you learn from this story? First, stop reusing your passwords – and stop your employees from reusing theirs too. Secondly, employ two-factor authentication, wherever it’s available, to better secure your accounts. Thirdly, beware of phishing emails purporting to come from Yahoo. A phishing staff awareness course should help your employees recognise the risks.

October is European Cyber Security Month and National Cyber Security Awareness Month in the US. Both campaigns aim to raise awareness of cyber security issues.

One of European Cyber Security Month’s objectives is to “generate specific awareness on Network and Information Security (NIS), which is addressed in the […] NIS Directive”. You can find out more about the Directive by downloading our free green paper, The EU Network and Information Security (NIS) Directive: Compliance guidance, which is due to be published next week.

In the US, National Cyber Security Awareness Month’s first topic is “Every Day Steps Towards Online Safety with Stop.Think.Connect™”. Week 1 “reinforces basic topics for everyone to be safer online” – at home, at work, at school, or on the go. If you’re interested in learning more about the basics of online safety, you might be interested in IT Governance’s Information Security e-learning course.

Well, that’s it for this week. As ever, please feel free to comment below, telling us a bit about yourself and what you’d like more information on and we’ll do our best to answer in the coming weeks. Until next time, remember that you can keep up to date with the latest information security news on our blog.

And don’t forget to check out our book of the month, Nine Steps to Success – An ISO27001:2013 Implementation Overview by Alan Calder. Revealing the methodology used by IT Governance’s consultants in hundreds of successful ISO 27001-compliant ISMS implementations, this book will help you through every stage of your ISO 27001 project.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.