This week, we discuss a security flaw affecting 1Password, Dashlane, KeePass and LastPass; the prevalence of historic vulnerabilities in corporate IT systems; the increase in formjacking attacks; and Wendy’s $50 million data breach settlement.
Hello, and welcome to the IT Governance podcast for Thursday, 21 February 2019. Here are this week’s stories.
Researchers at ISE have identified security flaws affecting four popular password managers on the Windows 10 platform, which could allow malware to access the master password and/or the individual passwords stored in them, even when the password managers are locked.
1Password, Dashlane, KeePass and LastPass – and their 61.5 million users – are all potentially affected.
The researchers explain that:
“All password managers [they] examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive.
“Each password manager also attempted to scrub secrets from memory. But residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets.”
In other words, if a password manager is running – even if locked – it is possible in some circumstances to extract cleartext passwords from memory.
This is not to say you should abandon your password manager. As the researchers are at pains to point out, “password managers are a good thing”, and are certainly better than nothing – even if they fail to properly sanitise secrets.
Some of the affected password managers have already addressed the vulnerabilities.
Moreover, the paper lists a number of security practices that all users should employ as a precaution, including:
- Keeping their operating system updated;
- Using antivirus solutions;
- Using a strong password as their master password to mitigate brute-force attacks on compromised database files;
- Using full-disk encryption; and
- Shutting their password manager down completely when not in use.
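The residual-buffer problem the researchers describe above, as an added example in C (not code from ISE's paper or from any of the password managers named): a scrub routine the optimiser cannot silently discard, alongside a check for bytes left behind. The unlock routine, its working buffer and the master password are hypothetical, constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a secret so the optimiser cannot drop the stores. A plain memset()
 * on a buffer that is never read again is a dead store the compiler may
 * remove, which is one way residual secrets survive in memory. Writing
 * through a volatile pointer forces every byte to be written. (Same intent:
 * explicit_bzero on glibc/BSD, memset_s in C11 Annex K, SecureZeroMemory on Windows.) */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Count bytes still non-zero; 0 means the scrub left no residue. */
size_t residual_bytes(const unsigned char *buf, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0) count++;
    return count;
}

/* Hypothetical unlock step: copy the master password into a working buffer,
 * use it (the real use, e.g. deriving the vault key, is elided), then scrub
 * the whole working area before returning. Returns the residual byte count
 * after scrubbing (expected 0), or (size_t)-1 if the password would not fit. */
size_t unlock_and_scrub(const char *master_password, unsigned char *work, size_t work_len) {
    size_t len = strlen(master_password);
    if (work == NULL || len >= work_len) return (size_t)-1; /* refuse, never overflow */
    memcpy(work, master_password, len + 1);
    /* ... secret in use here ... */
    secure_zero(work, work_len);   /* whole area, not just len bytes */
    return residual_bytes(work, work_len);
}

/* Self-check with a constructed (not real) master password. */
size_t demo_scrub_residual(void) {
    unsigned char work[64];
    return unlock_and_scrub("constructed-master-password", work, sizeof work);
}

int main(void) {
    printf("residual bytes after scrub: %zu\n", demo_scrub_residual());
    return 0;
}
```

The scrub covers the whole working area rather than only the bytes the password occupied, since stale copies from earlier, longer inputs would otherwise remain.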
Talking of vulnerabilities, new research has found that the vast majority of organisations are leaving themselves open to attack by failing to keep their IT systems up to date.
According to Edgescan’s 2019 Vulnerability Statistics Report, more than 81% of systems have at least one known vulnerability for which there is an available patch or workaround. More than 72% had more than one and, alarmingly, more than 20% had at least 10 known vulnerabilities.
Many vulnerabilities date back to the turn of the century. The oldest, CVE-1999-0017, first identified in 1999 as its CVE number indicates, was present in over 3,000 IT systems.
As soon as vulnerabilities are made public – for instance when patches are released – cyber criminals will try to exploit them. If you don’t update to the latest versions or apply vendors’ patches as they are released, the vulnerabilities in your systems will remain exploitable, increasing the risk of compromise. And you’re unlikely to notice that a vulnerability has been exploited until it’s far too late. The majority of intrusions are not detected for months.
Patch management isn’t trivial, but it is essential – which is why it’s one of the five controls listed in the UK government’s Cyber Essentials scheme, which sets out the basic measures that every Internet-connected organisation should implement to mitigate the majority of cyber attacks.
According to the newly released 2019 edition of Symantec’s annual Internet Security Threat Report, formjacking has overtaken ransomware and cryptojacking as cyber criminals’ attack vector of choice.
“Formjacking attacks are,” the ISTR says, “simple and lucrative: cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details”. It’s essentially a virtual form of card skimming.
More than 4,800 websites are compromised each month, from high-profile targets such as Ticketmaster and British Airways, which were attacked by Magecart, down to small and medium-sized enterprises.
Symantec continues: “This is a global problem with the potential to affect any business that accepts payments from customers online.”
Organisations that accept cardholder data must comply with the Payment Card Industry Data Security Standard, which requires them to implement numerous measures to secure cardholder data.
And on the subject of compromised payment information, the US burger chain Wendy’s has agreed to pay a $50 million settlement after its 2015/16 data breach in which payment card information was compromised at more than 1,000 locations. Wendy’s expects to pay $27.5 million of this amount, the rest being covered by insurance.
Wendy’s said: “With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks. We look forward to putting this behind us”.
Last October, the restaurant group agreed to pay $3.4 million to settle a class action brought against it for allegedly failing to protect customer information.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.