Weekly podcast: Windows zero-day vulnerability and MySpace account details for sale, and GDPR

This week, we discuss a Windows zero-day vulnerability on sale for $90,000, hundreds of millions of MySpace, Tumblr and LinkedIn account details on the dark web, and consider the implications of the new EU GDPR.

Hello and welcome to the IT Governance podcast for Friday, 3rd June. Here are this week’s stories.

A zero-day local privilege escalation vulnerability that gives hackers admin rights on Windows machines from Windows 2000 all the way to the newest version of Windows 10 is apparently on sale on the dark web. Trustwave’s SpiderLabs blog reports that the listing was placed on 11 May for US$95,000; an update posted by the seller on 23 May reduced that price to $90,000 and stated that “the exploit will be sold exclusively to a single buyer”. Two proof videos were supplied, one of which shows successful exploitation of a fully patched Windows 10 machine. Trustwave commented: “the price here seems on the high end but still within a realistic price range, especially considering the return on investment criminals are likely to make using this exploit in any campaign”. Microsoft has been informed.

Also for sale on the dark web are “hundreds of millions of hacked account details from social networks MySpace and Tumblr”, according to the BBC. 360 million MySpace account details and 65 million email and password combinations from Tumblr were listed only weeks after 117 million LinkedIn users’ data was listed for sale, apparently by the same criminal hacker. A statement from MySpace explained: “We believe the data breach is attributed to [the] Russian Cyberhacker ‘Peace.’ This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr, and has claimed on the paid hacker search engine LeakedSource that the data is from a past breach. This is an ongoing investigation, and we will share more information as it becomes available.”

If you reuse the same credentials to sign into numerous accounts, a single data breach jeopardises the security of all of them: the email and password pairs leaked from MySpace, Tumblr or LinkedIn can simply be tried against other services. In an enterprise context, one user reusing a work password on a breached site could cause a massive corporate data breach. If you think you’ve been affected, or are in the habit of reusing passwords across multiple sites, reset your passwords immediately, and use a different password for each account. And if you’re a manager, train your staff to be aware of the risks, and ensure you have proper access management policies so that the only people who can access your networks and systems are the ones who should.

Last week, if you recall, we asked if you had any IT governance, risk management or compliance queries. Well, we’ve had an overwhelming number of responses (none).

Mr Madeupname writes: “Dear Podcast, could you tell me more about this new European data protection law I’ve been hearing so much about? Do I still have to worry about it if we vote to leave the EU this month?”

Well, Mr Madeupname, the EU has two types of legislative act: directives and regulations. Directives do as their name suggests and direct: they set an objective that each member state must then write into its own national law. (The UK’s 1998 Data Protection Act, for instance, is how the UK implemented EU Directive 95/46/EC.) Regulations, on the other hand, apply directly: once passed, they are law across the whole of the EU without any national legislation being needed, and they take precedence over conflicting national laws on the subject they cover. The EU GDPR, the General Data Protection Regulation, is one of these, and will supersede the DPA.

The GDPR will introduce, among other things, new rules on international data transfers, documenting data processing activities, performing data protection impact assessments (DPIAs), obtaining consent for data processing and appointing data protection officers (DPOs). It will also require organisations to notify the relevant data protection authority (in the UK, the Information Commissioner’s Office) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk.

Brexit or not, you’re still going to have to deal with the GDPR.

The GDPR is concerned with the personal data of people in the EU, wherever it is held or processed. It therefore applies not only to organisations established in the EU member states, but also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, for example by tracking them online.

The Regulation was adopted in April this year and applies from 25 May 2018, giving organisations just over two years to comply. Organisations that aren’t compliant by then will face fines of up to €20 million or 4% of global annual turnover, whichever is the greater, as well as potential legal action from affected individuals if they suffer a data breach.

For many businesses, then, the threat of insolvency – or even closure – as a result of GDPR penalties will soon be very real, which is why it’s essential to start preparing for GDPR compliance now. There’s loads of free information on how to do so on our website: itgovernance.co.uk/gdpr.

And if you’d like a more personal explanation of what the new regulation will mean for your business, Alan Calder – IT Governance’s founder and executive chairman – is currently hosting a series of free webinars on the GDPR. The next one, Data breaches and the EU GDPR, is on 30 June. Visit itgovernance.co.uk/webinars for more information.

Well, that’s it for this week. Don’t forget to comment below, telling us a bit about yourself and what you want to hear more of – otherwise I’ll turn to Mr Madeupname for suggestions once again.

Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.