Weekly podcast: Yahoo hacker sentenced, acoustic DoS attack and GDPR compliance fails

This week, we discuss the sentencing of one of the perpetrators of the 2013 Yahoo breach, a new type of denial-of-service attack that can crash computers using nothing but sound, and how not to email your customers.

Hello and welcome to the IT Governance podcast for Friday, 1 June 2018. Here are this week’s stories.

Twenty-three-year-old Karim Baratov, the hacker-for-hire who helped perpetrate the 2014 Yahoo data breach, was sentenced to five years’ imprisonment this week, and ordered to pay restitution to his victims and a fine encompassing his remaining assets. (To clarify, this is the data breach that saw half a billion accounts compromised in 2014, not the 2013 breach in which all 3 billion customer records were stolen.)

Baratov and another criminal hacker, Alexsey Belan, were charged for the 2014 incident in March 2017 along with two FSB agents, Dmitry Dokuchaev and Igor Sushchin, but Baratov – a Canadian – was the only conspirator to be arrested. He pleaded guilty, although according to Toronto Life he had no idea he was working for Russian spies.

According to a Department of Justice announcement this week, Baratov hacked into at least 80 webmail accounts of individuals who were of interest to Dokuchaev, and sent him the accounts’ passwords in exchange for money. He also hacked into a further 11,000 accounts between 2010 and his arrest in 2017.

Acting U.S. Attorney Alex G. Tse for the Northern District of California said: “The sentence imposed reflects the seriousness of hacking for hire. Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them. These hackers are not minor players; they are a critical tool used by criminals to obtain and exploit personal information illegally. In sentencing Baratov to five years in prison, the Court sent a clear message to hackers that participating in cyber attacks sponsored by nation states will result in significant consequences.”

To me, Blue Note is a jazz label – and a mighty fine one at that. But now it’s also the name of a curious type of attack, described by researchers from the University of Michigan and Zhejiang University, which can cause errors in magnetic hard disk drives through acoustic interference.

Presenting at the 39th IEEE Symposium on Security and Privacy in San Francisco last week, Connor Bolton of the University of Michigan, one of the authors of “Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems”, explained how it is possible to carry out a denial-of-service attack by using certain audible and ultrasonic frequencies to vibrate the read/write heads and disk platters of magnetic hard disk drives and cause them to fail, which in turn causes the operating system and applications using them to crash. It’s even possible to do this using a computer’s own speakers.

According to the paper, “Defenses include mitigating attacks in vulnerable frequency bands with attenuation controllers, using sensor fusion to detect attacks, and noise dampening materials to attenuate the signal.”

Finally, a week into the GDPR’s application, a number of organisations have been in the news after their efforts to comply with the new law went awry.

For example, the browser extension Ghostery, which aims to improve its users’ privacy and security, emailed account holders in batches of 500 to reassure them “that it held itself to a high standard when it comes to users’ privacy”, but mistakenly added the email addresses to the ‘To’ field instead of the ‘Bcc’ field, so each recipient saw 499 other customers’ contact details. Ghostery apologised for the error, saying it was “horrified and embarrassed”. It will be reporting the incident, as mandated by the GDPR.

If you’re in the habit of sending mass emails to your customer database, please check and double-check before you press ‘send’. It’s also worth reminding you that, as well as ensuring you comply with the GDPR, it’s worth checking you comply with the PECR (that’s the Privacy and Electronic Communications (EU Directive) Regulations 2003). Remember Honda and Flybe, who were fined a total of £86,000 last March for emailing their customers asking them to update their marketing preferences. The irony of breaking one law while trying to comply with another is almost too much to bear. Ahhh… compliance. You can, of course, find more information about the PECR and their forthcoming replacement, the ePrivacy Regulation (ePR), on our website.
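The Ghostery mistake is a good candidate for an automated check rather than a human “double-check”. The following Python is an added illustration, not code from the podcast or from Ghostery: it builds a batch announcement with customer addresses in Bcc only, and a guard that refuses to hand any message to the mail server if more than one address is visible in To or Cc. The addresses and the sender are constructed sample data.

```python
"""Guard against exposing a customer list through the To/Cc headers.

Added example, not from the podcast. All addresses are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientExposureError(ValueError):
    """Raised when a bulk message would reveal recipients to each other."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address the recipients will see (To and Cc headers)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, max_visible: int = 1) -> int:
    """Refuse the message if more than `max_visible` addresses are exposed.

    Returns the number of Bcc recipients when the check passes, so the
    caller can log how many customers the batch actually reaches.
    """
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        raise RecipientExposureError(
            f"{len(exposed)} recipient addresses are visible in To/Cc; "
            "move them to Bcc or send one message per recipient"
        )
    bcc_headers = [str(h) for h in msg.get_all("Bcc", [])]
    return len([addr for _name, addr in getaddresses(bcc_headers) if addr])


def build_batch(customers: list[str], sender: str,
                subject: str, body: str) -> EmailMessage:
    """Build one announcement: To is the sender, every customer is in Bcc.

    smtplib.SMTP.send_message() strips the Bcc header before transmission,
    so recipients never see each other's addresses.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # the only visible recipient
    msg["Bcc"] = ", ".join(customers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bad_batch(customers: list[str], sender: str,
                    subject: str, body: str) -> EmailMessage:
    """Reproduce the mistake described above: the whole batch in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(customers)        # every recipient sees all others
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample data standing in for a 500-address batch.
CUSTOMERS = [f"customer{i}@example.com" for i in range(500)]
SENDER = "privacy@example.org"


def demo() -> tuple[int, bool]:
    """Run the guard over a correct batch and over the faulty one."""
    good = build_batch(CUSTOMERS, SENDER, "Privacy update", "We value your privacy.")
    reached = check_bulk_message(good)      # passes: 1 visible, 500 in Bcc

    bad = build_bad_batch(CUSTOMERS, SENDER, "Privacy update", "We value your privacy.")
    try:
        check_bulk_message(bad)
        blocked = False
    except RecipientExposureError:
        blocked = True                      # 500 visible: refused before sending
    return reached, blocked


if __name__ == "__main__":
    print(demo())
```

Wiring `check_bulk_message` in front of the actual SMTP call turns the “double-check” into a hard stop: the faulty batch never leaves the building, and the good one reports how many customers it will reach.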

Well, that’ll do for this week. I’m going to go back to reading the new Data Protection Act, but until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.