Weekly podcast: Skype, the $1 million ransom and the Queen

This week, we discuss a DDoS attack on Skype, a ransomware attack on South Korean web hosting firm Nayana, and the UK government’s new Data Protection Bill

Hello and welcome to the IT Governance podcast for Friday, 23 June 2017. Here are this week’s stories.

A group calling itself CyberTeam has claimed responsibility for an attack on Skype that prevented users from accessing the service earlier this week.

On Monday 19 June, Skype said it was “aware of an incident where users will either lose connectivity to the application or may be unable to send or receive messages.” It’s not known how many users were affected.

The next day, it said: “We have made some configuration corrections and mitigated the impact. We are continuing to monitor and we will post an update when the issue is fully resolved.” On Wednesday, it reported that the issue had been “fully resolved”.

On Twitter, CyberTeam calls itself a specialist in distributed denial of service (or DDoS) attacks, so it seems entirely likely that this was its modus operandi. The good news, then, is that if it was a DDoS attack, Skype wasn’t hacked and no data was breached – DDoS attacks overwhelm servers by bombarding them with traffic from various sources, causing them to slow down or collapse under the pressure. It’s annoying – it’s not hacking.

CyberTeam claims that Steam is next in its sights and another DDoS attack is apparently in the offing.

Nayana, a South Korean web hosting firm, has agreed to pay a record US$1 million after an attack by a strain of the Erebus ransomware encrypted data on 153 Linux servers, taking 3,400 customers’ websites offline for eight days.

According to the BBC, the criminals initially asked for $4.4 million, payable in bitcoin, but the fee was lowered to $1 million after negotiation.

A single vulnerable machine is often all it takes to infect an entire network, and Trend Micro reports that Nayana appears to have been running several old and vulnerable systems.

“For instance,” it said, “based on open-source intelligence, NAYANA’s website runs on Linux kernel, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.”

In addition, Nayana’s website apparently “uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006” and are affected by a number of well-known vulnerabilities.

The company’s chief executive has apologised for the incident, having learned the hard way why it’s so important to keep systems up to date. “Now I am bankrupt,” he said.

At the state opening of parliament this week, Her Majesty the Queen outlined the government’s plans for a new Data Protection Bill. In a speech inevitably dominated by Brexit, the Queen said the new law would “ensure that the United Kingdom retains its world-class regime protecting personal data”.

Expanding on the speech, the government said the Bill would “implement the General Data Protection Regulation […], meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.”

The Regulation significantly extends the data rights of individuals, and mandates that organisations adopt “appropriate technical and organisational measures” to protect personal data. It also introduces mandatory data breach reporting.

For more information on the General Data Protection Regulation, visit our GDPR resource page.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.