Weekly podcast: Password security, new JavaScript ransomware, and vulnerable toys

In this week’s podcast, we discuss new statistics on password sharing, a recent spike in ransomware, and a newly discovered vulnerability affecting a children’s tablet.


Hello and welcome to the IT Governance podcast. Here are this week’s stories.

First, password security. Again. According to a recent survey conducted by LastPass, 95% of people share up to six passwords with their colleagues, friends and family, and 59% reuse passwords for multiple logins. We frequently counsel against using weak passwords – and I could bang on about it at great length – but it is equally important to remember that you shouldn’t share or reuse your login information either. After all, even the strongest password, if it becomes widely known, offers no barrier to access. If you share your information or reuse the same credentials to sign into numerous accounts, a single data breach will jeopardise the security of all of them. In an enterprise context, one lazy user could cause a massive corporate data breach. You don’t want that. Use a password manager to generate strong passwords for each account, don’t tell anyone your passwords, and employ two-factor authentication where you can. And if you’re a manager, train your staff to be aware of the risks, and put proper access management policies in place so that the only people who can access your networks and systems are the ones who should.

Trustwave has warned that it is “currently seeing [extraordinarily] huge volumes of JavaScript attachments being spammed out”, which lead to the download of a new strain of ransomware called Locky. Ransomware is becoming increasingly popular with cyber criminals: you accidentally download malware, your files are encrypted, and a ransom demand is made – usually in Bitcoin, and usually within the bounds of what you’d willingly pay. (Locky is currently asking for 3 Bitcoins, or about £885.) If you haven’t backed up your data – or can’t wait – you have little choice but to cough up to get the decryption key. No one is immune from ransomware attacks, either – councils and police forces are among those organisations known to have paid ransoms in recent months. In the current Locky campaign, which is spread via the same botnet that spread the Dridex trojan that proved so pervasive last year, traffic has hit peaks of 200,000 emails an hour. Worse, the use of JavaScript attachments means the ransomware is much better at getting past antivirus software. Our advice? Train your staff to be aware of the risks of opening email attachments, back up your data, and consider blocking inbound email with JavaScript attachments. Oh, and back up your data. Again.
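The attachment-blocking advice above, as an added example that is not from the podcast or from IT Governance: a Python check that flags JavaScript attachments in an inbound message by filename or declared MIME type and, going one step beyond the podcast, also lists .js files wrapped inside ZIP attachments. The sample message it inspects is constructed inline; the extension and MIME-type lists are assumptions you would tune to your own mail gateway.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to the Windows Script Host when double-clicked (assumed list).
JS_EXTENSIONS = (".js", ".jse")
JS_MIME_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")

def _is_js_name(name):
    return bool(name) and name.lower().endswith(JS_EXTENSIONS)

def find_js_attachments(raw_message):
    """Return names of JavaScript attachments in a raw RFC 5322 message (bytes).
    Flags a part by filename or MIME type; also lists .js members inside ZIP
    attachments (an added check, beyond the bare attachments the podcast mentions).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        name = part.get_filename()
        if _is_js_name(name) or part.get_content_type() in JS_MIME_TYPES:
            hits.append(name or part.get_content_type())
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # ZIP local-file-header signature
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits.extend(f"{name}:{m}" for m in zf.namelist() if _is_js_name(m))
            except zipfile.BadZipFile:
                pass  # unreadable archive: leave it to other controls
    return hits

def build_sample_message():
    """Constructed sample: a bare .js attachment plus a ZIP wrapping another."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"// constructed placeholder, not malware\n", maintype="application",
                       subtype="octet-stream", filename="invoice_copy.JS")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan.js", "// constructed placeholder\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

A gateway would quarantine or bounce any message for which this returns a non-empty list, and log the names for the security team.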

Following the data breach that hit toy manufacturer VTech last November, in which millions of children’s details were exposed, parents have been understandably wary about their kids’ electronic toys. Now, a security expert has found that a popular toy made by LeapFrog is susceptible to attacks that exploit – quelle surprise – Adobe Flash vulnerabilities. Mark Carthy explained in a blog post entitled Beware: How Hackers Can Monitor Your Children that the LeapPad ULTRA – a tablet aimed at children – was running an old version of Flash (19.0.0.185, since you ask) that contained a vulnerability that could allow attackers to execute arbitrary code on the device. As he warns: “any malware exploiting these vulnerabilities would be able to gain full access to the device – allowing an attacker [to] activate the built-in microphone, monitor your child’s activity and even take pictures of them using both the front and rear facing cameras on the device.” And he only discovered this having connected the LeapPad to his computer, when he was prompted to update Flash – something many parents wouldn’t think to do. Bring back wooden children’s toys, eh?

And that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.
