Weekly podcast: The AA, MPs’ emails and Petya/NotPetya

This week, we discuss a password reset at the AA, a cyber attack on parliamentary emails and the NotPetya malware attack.

Hello and welcome to the IT Governance podcast for Friday, 30 June 2017. Here are this week’s stories.

We start with incident response management. Members of the popular British motoring association the AA were perturbed when they received an email on Monday telling them that their passwords had been changed.

Fearing a data breach, customers turned to social media for information, but the AA’s Twitter feed did little to reassure them, only interrupting its driving guidance for Glastonbury visitors to comment: “We’re aware an email has been sent to members re password change Please don’t ring the number in the email. We’re looking into this urgently”.

Many customers, understandably, thought that this meant a phishing attack was underway and rushed to log into the AA’s site, but this sudden spike in traffic overloaded servers, effectively causing a denial-of-service condition, which, in turn, prompted customers to believe that criminals had indeed hacked the AA.

The AA’s Twitter account did little to allay fears, simply repeating to concerned members: “If you’re unable to log in, please don’t worry. We’re working to resolve this and to let members know exactly what’s happened.

No more details were forthcoming until, a few hours later, it admitted: “The email was sent by us, but in error. Your password hasn’t been changed, and your data remains secure. Sorry for any confusion.

For members who don’t use Twitter, the AA also released a fuller version of the statement on its website (at theaa.com/about-us/we-sent-an-email-in-error), but, as if to compound the confusion, later deleted the web page. Fortunately, infosecurity magazine quotes the statement in full.

“Some Members and customers have received an email from the following address – email@info.theaa.com, incorrectly stating their password had been changed.” (It said.)

“This email was sent by us in error. We would like to reassure everyone that passwords have NOT been changed and personal data remains secure. We’re sorry for any confusion.

“Please bear with us as this has generated an unusually high number of login requests that are slowing down our system. If you don’t need to log on urgently, we recommend you try again later. We apologise for any inconvenience.”

So, there you go. The only incident was the one the AA caused itself.

A genuine incident struck parliament at the weekend, when a “sustained and determined cyber attack” compromised nearly 90 parliamentary email accounts. According to the BBC, “The hack prompted officials to disable remote access to the emails of MPs, peers and their staff as a safeguard”, leaving many MPs unable to access their email accounts. The National Cyber Security Centre is investigating the incident.

The International Trade Secretary, Liam Fox, commented: “We have seen reports in the last few days of even cabinet ministers’ passwords being for sale online.

“We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails.

“And it’s a warning to everybody, whether they are in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber-security.”

A statement from the Commons Press Office said: “Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.”

That’s guidance from the Parliamentary Digital Service. Guidance. Frankly, the PDS is remiss if it’s only issuing guidance – it should be enforcing a strong password policy and, ideally, using multi-factor authentication. This is a basic precaution.

According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches took advantage of stolen and/or weak passwords. This is hardly surprising – Microsoft’s Security Intelligence Report, Volume 17 noted that “98.8 percent of users chose a password that was on the list of the most common 10,000 passwords and were therefore easily cracked using off-the shelf password hash-cracking software”.

Finally, I obviously can’t ignore the massive malware attack that rampaged through Europe, Russia and the US earlier this week. Researchers initially thought it was a new version of the Petya ransomware that first spread in 2016. Except… it wasn’t Petya. It wasn’t even a ransomware attack. It was a wiper. In other words, even if you pay the 300 bitcoin ransom, your data can’t be recovered.

NotPetya, as it’s inevitably been called, spreads via the same Server Message Block exploit – EternalBlue – used by the WannaCry ransomware that continues to cause havoc around the world, including in Japan, where Honda was forced to halt production at its Sayama plant, and Australia, where nearly 100 speed cameras in Melbourne were infected, prompting police to withdraw up to 8,000 fines in case they were incorrect.

NotPetya can also spread via another SMB exploit leaked by the Shadow Brokers – EternalRomance, a remote code execution vulnerability targeting Windows XP to Windows 2008 systems over TCP port 445. Patches for both vulnerabilities are available.

As Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov explain, NotPetya “victims will not be able to decrypt any of the encrypted disks […] the main goal of the […] attack was not financially motivated, but destructive”.

Matt Suiche from Comae Technologies came to the same conclusion as the Kaspersky researchers and believes a nation-state attacker was to blame. He said: “the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents [,] to attract the attention on some mysterious hacker group rather than a national state attacker”.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.