Weekly podcast: Instagram vulnerabilities, Mumsnet attacker charged, phishing up 250%

This week, we discuss two vulnerabilities in Instagram’s Android app and website, a teenager charged with attacking parenting forum Mumsnet, and a massive increase in phishing attacks. We also ask what you want.

Hello and welcome to the IT Governance podcast for Friday, 27th May. Many thanks to Lewis for standing in last week while I was on holiday.

Regular listeners will know that we’ve used the podcast over the last few months simply to highlight data breaches and report information security news stories. While this is, I hope, interesting enough on its own – and importantly reinforces the unpleasant truth that information security is a critical issue that every business faces – it doesn’t actually help you to deal with the problem.

Outsourcing and expanding supply chains, untrained users and poor password security policies, the misconfiguration of systems and absence of patch management – and a whole lot more besides – combine to make you and your organisation vulnerable. And it’s high time I provided a bit more information on how to deal with this sort of thing, whether it’s determining the basic security measures you need to take before any others, or persuading your board that you need a bigger budget.

Sure, our main website, itgovernance.co.uk, is full of free information, but who’s got the time to read nowadays? So, what we aim to do in the podcast from now on is mention a few stories that have been in the news – just to keep reminding you that data breaches happen and keep you abreast of the issues you need to be aware of – and then briefly discuss information security issues from a business point of view, explaining how you can better protect yourself. Sound good?

Now, I don’t know who you are, so I’m working on assumptions, which is never a good thing (it makes an ass out of u and… ‘mption, after all). Two questions, then: who are you and what do you want? If you could comment below – anonymously if you prefer – telling me your job role or the industry you work in and the sort of information you’d like, I’ll do my utmost to answer your questions.

Whether you’re a small-business owner who just wants to know where to start with information security, a merchant who needs guidance on implementing technical measures to comply with the PCI DSS, a data processor who needs more information on the new EU General Data Protection Regulation – and that’ll be most businesses – or are in charge of compliance for a large organisation and need more information on building an integrated management system, let me know.

Until then, here are this week’s stories…

Belgian security researcher Arne Swinnen has netted a $5,000 bug bounty after discovering two Instagram vulnerabilities – one in the Android app, one on the website – that could have allowed attackers to easily hack into Instagram accounts – especially those with weak passwords.

He explained in a blog that Instagram’s password policy “only enforced a minimum length of 6 characters, allowing choices such as “123456” and “password”,  and there was no account lockout policy or any other mitigating security controls – effectively allowing infinite password guesses.

Swinnen used what he calls a “quick & dirty python script” to submit the 10,000 most popular passwords until a reliable guess was made on his test account.

Facebook, Instagram’s owners, fixed both vulnerabilities by addressing the endpoint rate-limiting. The password policy was also improved.

Last August, we reported that popular parenting forum Mumsnet was hit by denial-of-service attacks that crashed the site, armed police were called to Mumsnet founder Justine Roberts’s house in a swatting attack, and the site was hacked, redirecting users to a now suspended Twitter profile. Mumsnet commented at the time that login details were compromised in phishing attacks, forcing it to reset its 7.7 million registered users’ passwords. The BBC reports that a Surrey teenager has now been charged with two “counts of hacking and one of impairing the operation of or hindering access to a computer.”  David Buchanan, 18, will appear at Guildford Magistrates’ Court on 7 June.

A new report from APWG (the Anti-Phishing Working Group) has found that there were “more phishing attacks in the first quarter of 2016 that at any other time in history”, and the number of phishing websites increased 250% from Q4 2015 to Q1 2016. APWG chairman Dave Jevans said: “Globally, attackers using phishing techniques have become more aggressive in 2016 with keyloggers that have sophisticated tracking components to target specific information and organizations such as retailers and financial institutions that top the list.” If you’re concerned about your staff’s increased exposure to phishing attacks, a phishing staff awareness course is a must.

Well, that’s it for this week. Don’t forget to comment below, telling us a bit about yourself and what you want to hear more of. And until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.