Weekly podcast: Onliner Spambot, Notts County Council and WikiLeaks

This week, we discuss the exposure of 711 million email addresses by a spambot’s server, a £70,000 ICO fine for Nottinghamshire County Council, and a cyber attack on WikiLeaks.

Hello and welcome to the IT Governance podcast for Friday, 1 September 2017.

There’s only one place to start this week, isn’t there? Spam, spam, spam, spam, spam.

Last week, a Parisian security researcher who uses the moniker benkow_ discovered a badly configured web server hosted in the Netherlands that contains a database of some 711 million unique email addresses – including, I have to say, a couple of mine – that have been involved in a campaign by a spambot known as Onliner to spread the Ursnif banking Trojan.

benkow_ has been analysing Ursnif and Onliner for nearly a year, so this discovery was something of a breakthrough for him. He wrote up his findings in a blog post, and contacted Troy Hunt, the owner of Have I Been Pwned, who analysed the data.

The database lists about 631 million email addresses to send spam to, and about 80 million email addresses and associated credentials – including account passwords, and details of SMTP servers and ports – from which spam is sent.

Many of these 80 million email and password combinations have been collated from other sources, including 2 million from a Facebook phishing campaign and many others from the 2012 LinkedIn breach.

The spam emails themselves seem fairly innocuous – and illiterate – at first glance, but they contain a 1×1 pixel gif. When you open one of these so-called ‘fingerprinting emails’, a request with your IP and your user agent will be sent to the server that hosts the gif, telling the spammer when you opened the email, and the device and platform you used. It also lets them know that your email address is valid. Congratulations – you’ve now identified yourself as a soft target. You’ll soon receive malware-laden spam.
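One defensive check that the ‘fingerprinting email’ description suggests is scanning an incoming HTML body for remote 1×1 images before the mail client fetches anything. This is an added Python example, not code from the podcast or from benkow_’s research; the sample email body and the tracker hostname are constructed.

```python
"""Spot 1x1 remote tracking pixels in an HTML email body (defensive check)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spam-style body carrying a 1x1 remote gif. The tracker
# host is a placeholder, not one taken from the podcast.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear freind, your invoce is attach. Please to see.</p>
<img src="cid:logo.png" width="200" height="60" alt="logo">
<img src="http://tracker.example.invalid/p.gif?id=abc123" width="1" height="1">
<img src="https://cdn.example.invalid/spacer.png" style="width:1px;height:1px">
</body></html>
"""

def _dimension(attrs, name):
    """Pixel size from the width/height attribute or an inline style, else None."""
    m = re.match(r"\d+", attrs.get(name, ""))
    if m:
        return int(m.group())
    m = re.search(name + r"\s*:\s*(\d+)\s*px", attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else None

class PixelFinder(HTMLParser):
    """Collects <img> tags that are fetched remotely and are at most 1x1."""
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # cid: and data: images are embedded; only http(s) fetches phone home.
        remote = urlparse(src).scheme.lower() in ("http", "https")
        w, h = _dimension(a, "width"), _dimension(a, "height")
        if remote and w is not None and h is not None and w <= 1 and h <= 1:
            self.pixels.append(src)

def find_tracking_pixels(html):
    """Return src URLs of remote 1x1 images: the 'fingerprinting' beacons."""
    p = PixelFinder()
    p.feed(html)
    p.close()
    return p.pixels
```

A beacon that omits its size attributes is not caught by this check, which is why mail clients that block remote image loading by default remain the broader mitigation.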

The Onliner database is now searchable on Have I Been Pwned, where Troy Hunt offers this reassurance: “For this particular incident, if you’re creating strong, unique passwords on each service (get a password manager if you don’t have one already) and using multi-step verification wherever possible, I wouldn’t be at all worried. If you’re not, now’s a great time to start!”

Nottinghamshire County Council has been fined £70,000 by the Information Commissioner’s Office (ICO) for exposing 3,000 vulnerable people’s personal information online for five years, in breach of the Data Protection Act. According to the ICO, the council “posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory which didn’t have basic security or access restrictions such as a username or password”.

The data breach was discovered when a member of the public inadvertently found the information via a search engine and “was concerned that it could be used by criminals to target vulnerable people or their homes – especially as it even revealed whether or not they were still in hospital”.

The ICO’s head of enforcement, Steve Eckersley, said:

“This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.

“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”

You’ll remember that last week, in a rare foray into football news, I described how the Saudi hacking group OurMine had hacked FC Barcelona’s Twitter account to provide some less than accurate transfer news. Well, the group hasn’t been resting on its laurels. This week, it had a go at WikiLeaks, carrying out a domain name system (DNS) poisoning attack to divert visitors to wikileaks.org to another site, which bore the message: “Hi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, oh wait, this is not a security test! Wikileaks, remember when you challenged us to hack you?”

According to the Guardian, this is the third time OurMine has gone after WikiLeaks, having launched distributed denial of service (DDoS) attacks in December 2015 and July 2016.

It’s only fair to point out that – even if WikiLeaks did challenge OurMine to hack it – DNS poisoning doesn’t really count. DNS is the mechanism by which domain names are resolved into IP addresses. When compromised, DNS servers direct visitors to fake sites – so WikiLeaks itself wasn’t compromised in any way.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.