Weekly podcast: Yahoo breached (again), university attacked by lampposts, and WordPress blogs defaced

This week, we discuss yet another Yahoo breach, a university attacked by its own Internet of Things network, and a WordPress vulnerability that leaves blogs open to defacement.

Hello and welcome to the IT Governance podcast for Friday, 17 February 2017. Here are this week’s stories.

Last December, as I’m sure you remember, Yahoo announced that at least 1 billion customer records had been stolen in 2013 – this on top of its admission in September that 500 million accounts were breached in 2014. Within the December announcement was a paragraph that the majority of readers – including me – overlooked because we were too distracted by news of the biggest data breach in history. It said: “outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password”.

(Basically, criminal hackers accessed Yahoo’s proprietary code and used it to create forged cookies that tricked browsers into telling Yahoo that users were logged in when they weren’t – much easier than stealing passwords.)

This Wednesday, Yahoo emailed users to remind them of what it had said last year: “As we have previously disclosed,” it said, “our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”
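The forged-cookie problem above comes down to one question: does the server check a signature on the session cookie, and who holds the signing key? The following is an added example (not Yahoo's code, and Yahoo's cookie format is not public) showing the defender's side in Python: an HMAC-signed session cookie with a key id, so that once the key suspected of leaking is retired, every cookie minted under it, including any forged with the stolen secret, stops verifying. The `CookieSigner` class, the in-memory key store and the secrets are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CookieSigner:
    """Mints and checks HMAC-SHA256 signed session cookies (hypothetical design).

    Cookie format: <key id>.<base64url claims>.<base64url tag>. The key id is
    covered by the MAC, and retiring a key rejects every cookie that was
    minted, or forged, under it."""

    def __init__(self, kid: str, secret: bytes):
        self.keys = {kid: secret}   # constructed in-memory key store
        self.current = kid

    def mint(self, user: str, now: int, ttl: int = 3600) -> str:
        claims = _b64e(json.dumps({"sub": user, "exp": now + ttl},
                                  separators=(",", ":")).encode())
        tag = hmac.new(self.keys[self.current],
                       f"{self.current}.{claims}".encode(), hashlib.sha256).digest()
        return f"{self.current}.{claims}.{_b64e(tag)}"

    def verify(self, cookie: str, now: int):
        """Returns the user name, or None for a malformed, tampered, expired
        or retired-key cookie. The reason for rejection is not revealed."""
        try:
            kid, claims, tag = cookie.split(".")
            key = self.keys.get(kid)
            if key is None:
                return None                     # unknown or retired key
            expected = hmac.new(key, f"{kid}.{claims}".encode(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(tag)):
                return None                     # tag does not match claims
            body = json.loads(_b64d(claims))
            if body["exp"] < now:
                return None                     # expired
            return body["sub"]
        except (ValueError, KeyError, TypeError):
            return None                         # garbage in any field

    def rotate(self, kid: str, secret: bytes) -> None:
        """Adds a new key and makes it the one used for minting."""
        self.keys[kid] = secret
        self.current = kid

    def retire(self, kid: str) -> None:
        """Drops a key, invalidating every cookie that carries its id."""
        self.keys.pop(kid, None)


def demo() -> dict:
    """Walks through the checks a server should make, returning each verdict."""
    signer = CookieSigner("k1", b"constructed-secret-one")
    alice = signer.mint("alice", now=1_000)
    bob = signer.mint("bob", now=1_000)
    a_kid, _, a_tag = alice.split(".")
    b_claims = bob.split(".")[1]
    spliced = f"{a_kid}.{b_claims}.{a_tag}"     # bob's claims under alice's tag
    results = {
        "genuine": signer.verify(alice, now=1_500),
        "spliced": signer.verify(spliced, now=1_500),
        "expired": signer.verify(alice, now=10_000),
    }
    # Incident response: rotate to a fresh key and retire the suspect one.
    signer.rotate("k2", b"constructed-secret-two")
    signer.retire("k1")
    results["old_key_after_rotation"] = signer.verify(alice, now=1_500)
    results["new_key_after_rotation"] = signer.verify(
        signer.mint("alice", now=1_500), now=1_600)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `retire` step is that a forged cookie is indistinguishable from a genuine one while the stolen key stays valid; rotating the key and forcing users to sign in again is the only way to shut out cookies minted with a secret you no longer control.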

We don’t yet know the number of users who were affected by this particular issue, but it’s pretty likely that there’s some overlap with the 1.5 billion Yahoo customers who’ve already lost personal information.

Verizon is currently in the process of buying Yahoo and is, understandably, renegotiating the terms of its acquisition in the wake of all these incidents. According to Bloomberg, the renegotiated deal reduces “the price of the $4.8 billion agreement by $250 million”. The Wall Street Journal reckons it’s about $300 million. The deal is yet to be finalised, but an announcement is expected soon.

Talking of Verizon, its newly released 2017 Data Breach Digest includes a curious case study that emphasises the growing importance of securing Internet of Things (IoT) devices – something I touched on last week after restaurant point-of-sale machines around the world started printing robots instead of receipts.

According to the report, a university recently fell victim to a cyber attack from its own vending machines, lampposts and other IoT devices, when a large number of unusual domain name system (DNS) lookups caused legitimate lookups to be dropped – “preventing access to the majority of the internet”.

A member of the university’s IT team explains that more than “5,000 discrete systems [were] making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure.”

Analysis of the firewall and DNS logs revealed that “of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute-forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems.”
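The three signals the university's team pulled out of its logs (many lookups per device per 15 minutes, thousands of names collapsing onto a handful of addresses, and overlap with an indicator list) can be computed from resolver logs with very little code. The following is an added example in Python, not the university's or Verizon's tooling. The log format, the `10.50.` prefix for the IoT segment, the indicator sets, the threshold of three lookups per window and the sample lines are all constructed for the illustration; the addresses are documentation ranges.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed resolver log in a hypothetical "timestamp client qname answer"
# format. Three IoT-segment devices are querying random-looking names that
# all resolve to two addresses; one staff machine makes a normal lookup.
SAMPLE_LOG = """\
2017-02-10T09:00:03 10.50.1.21 xk9.example.net 198.51.100.7
2017-02-10T09:00:09 10.50.1.21 q7hd.example.org 198.51.100.7
2017-02-10T09:00:15 10.50.1.21 zz41.example.com 203.0.113.44
2017-02-10T09:01:02 10.50.1.22 xk9.example.net 198.51.100.7
2017-02-10T09:01:08 10.50.1.22 bb3m.example.org 203.0.113.44
2017-02-10T09:01:14 10.50.1.22 q7hd.example.org 198.51.100.7
2017-02-10T09:02:30 10.50.2.5 zz41.example.com 203.0.113.44
2017-02-10T09:02:36 10.50.2.5 bb3m.example.org 203.0.113.44
2017-02-10T09:02:42 10.50.2.5 xk9.example.net 198.51.100.7
2017-02-10T09:02:48 10.50.2.5 k0pq.example.net 198.51.100.7
2017-02-10T09:05:11 10.10.3.8 www.example.org 192.0.2.10
"""

# Constructed indicator sets standing in for the "recent indicator lists"
# the team consulted; not a real feed.
IOC_IPS = {"198.51.100.7", "203.0.113.44"}
IOC_DOMAINS = {"xk9.example.net", "bb3m.example.org"}

IOT_PREFIX = "10.50."   # hypothetical address block of the IoT network segment


def parse(lines):
    """Yields (timestamp, client, qname, answer) for each non-empty log line."""
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        stamp = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        yield stamp, client, qname.lower(), answer


def analyse(lines, window=900, threshold=3):
    """Counts lookups per client per window, flags clients over the threshold,
    and compares resolved names and addresses with the indicator sets."""
    per_client_window = Counter()
    answers_by_domain = defaultdict(set)
    for ts, client, qname, answer in parse(lines):
        bucket = int(ts.timestamp()) // window      # 15-minute bucket by default
        per_client_window[(client, bucket)] += 1
        answers_by_domain[qname].add(answer)

    noisy = sorted({c for (c, _), n in per_client_window.items() if n >= threshold})
    iot_noisy = [c for c in noisy if c.startswith(IOT_PREFIX)]
    answers = set().union(*answers_by_domain.values()) if answers_by_domain else set()
    return {
        "noisy_clients": noisy,
        "iot_share_of_noisy": len(iot_noisy) / len(noisy) if noisy else 0.0,
        "distinct_domains": len(answers_by_domain),
        "distinct_answers": len(answers),
        "ioc_ip_hits": sorted(answers & IOC_IPS),
        "ioc_domain_hits": sorted(set(answers_by_domain) & IOC_DOMAINS),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On real logs the threshold would be far higher than three, and the domain-to-address ratio is the figure worth watching: in the university's case thousands of names resolved to only 15 addresses, and the sample reproduces that shape in miniature with six names on three addresses. The IoT share of noisy clients is what told the team which network segment to isolate first.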

The good news for the university is that the devices did not need to be replaced, but could be recovered by using a packet sniffer to intercept a cleartext malware password for a compromised IoT device, and using this to change the infected devices’ passwords before the next malware update.

An easy lesson to learn in hindsight: if your IoT devices use weak or default passwords, change them.

Tens of thousands of WordPress blogs have been attacked and defaced by criminal hackers after a privilege escalation vulnerability affecting WordPress 4.7 and 4.7.1 was disclosed last week.

Although many blogs automatically upgraded to version 4.7.2 on 26 January, which fixed the vulnerability, tens of thousands did not, leaving them open to attack. Indeed, soon after the bug was disclosed, multiple public exploits were shared and posted online, fuelling over 800,000 attacks in a 48-hour period – a number that Bleeping Computer estimates has now risen to over 1.5 million.

The attack was traced to a flaw in an add-on that was introduced in versions of WordPress released at the end of last year. According to security firm Sucuri, which told WordPress about the vulnerability on 20 January, attackers were able to craft simple HTTP requests that allowed them to bypass authentication systems and edit the titles and content of WordPress pages.

Many websites use common, off-the-shelf CMS platforms, software, applications and plugins – such as WordPress. When a vulnerability like this one is announced – and it’s worth emphasising that they’re announced pretty often; new vulnerabilities are discovered almost every day – criminals will work quickly to exploit it before it’s patched, using bots to crawl the Internet, looking for instances of the vulnerability. Automated attacks are cheap and easy to run, and by their nature are indiscriminate, looking only to exploit known weaknesses – not specific sites. Every website is therefore equally at risk, including ones that might not immediately appear valuable to criminals. If you’re using unsupported or vulnerable versions, then your website will be compromised – unless you act quickly to install a patch or update.

This is why it’s so important to implement patch management and software update programmes, and use regular penetration testing and vulnerability scans to determine the strength of your networks and web apps. The Cyber Essentials scheme is a good place to start.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s February book of the month is The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour. Drawing on the experience of industry experts and academic research, this book considers information security both from end users’ and from security professionals’ perspectives, providing valuable insight into security issues relating to human behaviour, and explaining how a security culture that puts risk into context promotes compliance. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.