Weekly podcast: ICO GDPR campaign, Gwent Police, Binance and MediaGet

This week, we discuss the ICO’s new GDPR campaign for micro businesses, a potential data breach at Gwent Police, a US$250,000 reward from Binance, and how Windows Defender stopped a massive malware campaign.

Hello and welcome to the IT Governance podcast for Friday, 16 March 2018. Here are this week’s stories.

With just over two months until the General Data Protection Regulation (GDPR) comes into effect, the Information Commissioner’s Office this week launched an awareness campaign aimed at businesses that employ fewer than 10 people.

The campaign, Making data protection your business, involves radio advertisements, a self-assessment test, and eight steps that organisations can follow to prepare for the new law. The Information Commissioner, Elizabeth Denham, said:

“All organisations have to be ready for the new data protection rules, but we recognise that micro-businesses in the UK face particular challenges. […]

“For the large majority of micro businesses, the steps towards GDPR compliance can be practical and achievable without costly or expensive external support.

“It’s also worth noting that many sector and industry groups and associations are offering help to micro businesses about the GDPR and can be a good starting point for industry-specific advice.”

If you need more guidance on GDPR compliance for your micro business, you can find a host of help on our GDPR resource page.

Gwent Police employs rather more than ten people, but would do well to follow the ICO’s guidance.

Sky News reported this week that the force is being investigated after failing to inform up to 450 people who used an online tool to file reports over a two-year period that criminal hackers may have accessed their information.

According to Sky News, the tool was “decommissioned after an internal security review discovered that confidential information was being exposed”, but Gwent Police did not inform the people who were affected, and did not notify the Information Commissioner’s Office until Sky News approached it – a year after the breach was discovered.

This week, a spokesperson for the force said: “Gwent Police has recently contacted the Information Commissioner’s Office (ICO) and confirmed that formal notification will be provided for consideration.

“Data integrity is of paramount importance to Gwent Police and we continually review our governance procedures to minimise the risk of data breaches.”

They added: “In mitigation, for someone to access this data, they would have had to have been actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters).

“There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals.”

The ICO said: “We’ve been made aware of an incident involving Gwent Police and will be making enquiries.”

Cryptocurrency is still very much in the news at the moment. This week, the largest cryptocurrency exchange by volume, Binance, announced that it was offering a US$250,000 bounty – in Binance Coin (BNB), naturally – following a thwarted hacking attack last week in which fraudsters attempted to steal users’ funds with account credentials they’d stolen via phishing attacks.

The phishing attacks relied on a malicious site that masqueraded as binance.com but used Unicode homographs in its domain name – such as the character for the Cyrillic small letter ‘а’ (Unicode character U+0430) in place of the Latin lower-case ‘a’ (U+0061) – so that it appeared as ‘binance.com’, when it was actually ‘binаnce.com’. (This explanation makes more sense on the page – have a look at the transcript on our blog to see what I mean.)
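The substitution described above can be caught mechanically. The following Python sketch is an added example, not code from Binance or from this podcast: it flags domain labels that contain non-ASCII characters, reports their code points and whether the label mixes scripts, and shows the ASCII (Punycode) form that DNS actually resolves. The function names are hypothetical, the sample domains are constructed from the description above, and the script of each character is approximated from the first word of its Unicode name.

```python
import unicodedata

def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    # Heuristic (assumption): the standard library has no Script property lookup.
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphens are shared by all scripts
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def inspect_domain(domain):
    """Return one finding per label that contains non-ASCII characters."""
    findings = []
    for label in domain.lower().split("."):
        non_ascii = [(i, c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                     for i, c in enumerate(label) if ord(c) > 0x7F]
        if not non_ascii:
            continue
        scripts = {char_script(c) for c in label} - {"COMMON"}
        findings.append({
            "label": label,
            # The "xn--" form is what is really registered and resolved.
            "ascii_form": label.encode("idna").decode("ascii"),
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
            "non_ascii": non_ascii,
        })
    return findings

# Constructed samples: the genuine name, and the lookalike from the text
# with Cyrillic U+0430 in place of the first Latin 'a'.
GENUINE = "binance.com"
LOOKALIKE = "bin\u0430nce.com"

if __name__ == "__main__":
    for name in (GENUINE, LOOKALIKE):
        results = inspect_domain(name)
        print(name, "->", "all ASCII" if not results else "SUSPICIOUS")
        for f in results:
            print("  ASCII form:", f["ascii_form"])
            print("  scripts:", f["scripts"], "mixed:", f["mixed_script"])
            for pos, _, code, uname in f["non_ascii"]:
                print(f"  position {pos}: {code} {uname}")
```

A label written entirely in one non-Latin script is still reported, with `mixed_script` set to false, so the Punycode form can be compared against the expected brand name.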

Having acquired user account credentials, the attackers created a trading API key for each account, which they then used to attempt to buy large quantities of Viacoin (VIA), thereby inflating its price. They then attempted to cash out at the new, higher price, but the abnormal trading activity triggered Binance’s automatic risk management system and all withdrawals were immediately halted.

Binance’s CEO Changpeng Zhao tweeted that, ironically, the hackers actually lost some of their own coins during the attempt, which Binance would donate to charity.

Binance advises traders to “take special precaution to secure their account credentials”.

Still on cryptocurrency, Microsoft reports that Windows Defender has halted a ‘massive’ malware campaign attempting to use the Dofoil or Smoke Loader trojan to infect hundreds of thousands of machines with a cryptocurrency miner – something we’ve heard rather a lot about so far this year. Nearly 500,000 instances were recorded, the majority of which (73%) were in Russia. Other activity was detected in Turkey and Ukraine.

According to Microsoft, the outbreak was caused by what it calls an “update poisoning campaign” affecting the BitTorrent client MediaGet, which is “often used by people looking to download programs or media from websites with dubious reputation”. The trojanised version of MediaGet, which was 98% identical to the original MediaGet binary but with “additional backdoor capability”, was installed on computers in mid-February, about a fortnight before the malware was distributed.

Once updated, the malicious version of MediaGet dropped the Dofoil/Smoke Loader malware, which then downloaded the CoinMiner component from the C&C server and attempted to use victims’ machines to mine cryptocurrency for the attackers.

What was unusual, Microsoft observes, is the sophistication of this multi-stage attack, demonstrating that “Commodity cybercrime threats are adopting sophisticated methods that are traditionally associated with more advanced cyberattacks”. In other words, the script kiddies (ugsome phrase) appear to have a few more tools at their disposal. You have been warned.

Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials are all protected from this latest outbreak.

Finally, it was Patch Tuesday this week. Microsoft’s updates for March fix 75 vulnerabilities, 15 of which are critical. Test and apply.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.