Cyber Week in Review: Disqus, Etherparty & Irish Companies

cyber security and malware

When Thomas L. Friedman said in 2005 that, “the world is flat,” he may have had an inkling of the state of things today: the world is decentralized. The leveled playing field brought on by a digital age has now taken to the skies: the cloud, blockchains, cryptocurrency, and other networked and interconnected solutions to everyday business operations have made for a decentralized state of operations, where national borders not only no longer matter, they barely exist.

This week in the cyberverse, we take a look at three top stories which speak to both the advantages of decentralized computing and the risks we take in a digital era. Companies both large and small, connecting across space, no longer tied to the earth and yet penetrable.

We’ll learn a few lessons along the way. So here’s this week’s cyber week in review.

The Larger Disqus-sion

In the information age, we’ve gotten accustomed to instantaneous response.  Few people under thirty have any memories from the era when you were not reachable by phone unless you were at home or at work. It’s doubtful that anyone will soon remember T9 texting (though, fortunately, you can still find “how to” guides online, should you decide to revert to a flip-phone!). Soon, there will likely be no more voicemail at all (particularly for personal use, where it’s already fallen out of fashion) — the future contains just texting, email, and chatting services.

So it may come as some surprise, that in such a fast-paced world it could still take years to learn of a security breach. Well, unfortunately, that kind of time delay is actually not that unusual. What is actually unusual is learning of a data breach and getting a rapid response. Disqus (pronounced “discuss”) is currently sitting in that particular hot seat.

The data breach itself, recently announced on their website, took place way back in 2012 and included data back to 2007 (when Disqus got their start as a leading commentary support service for websites, now used by billions in 191 countries). Security researcher Troy Hunt discovered the breach and notified Disqus. They gave him a shout-out in their announcement, which was a smart move. In fact, they made several smart moves, including how quickly they reacted to the breach which leaked credentials of approximately 17.5 million users. Here’s what got leaked:

  • Disqus user email addresses
  • Usernames
  • Last login dates
  • Hashed passwords for approximately ⅓ of those leaked

Though the passwords were not in plaintext, they used the SHA1 algorithm. If you’ve been in tech for awhile you know that SHA1 was the industry standard for a long time, but hasn’t been for several years now because of the ease with which it is cracked. Disqus admits that fact, stating, “Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt.” All of that means that if you joined Disqus after 2012, your credentials are safe.

Looking at the whole thing, several lessons can be learned:

  1. Never ever, and we’ve said this before so seriously never, reuse passwords between sites. A data breach at Disqus could lead to hacking your Amazon password or banking information if you are the type to reuse passwords. Every leak makes your data less secure unless you follow this crucial advice.
  2. Stolen or leaked credentials often lead to socially engineered malware–targeted phishing aimed at you. So, as always, get smart about phishing scams and malware protection.
  3. If you’re the type to admire excellent PR, take a page from the Disqus book. They were in an unfortunate position but openly acknowledged it, acted quickly, and are doing their best to do right by their customers. Mitigating an attack involves that kind of coordinated and intelligent response.

The Ether-after-Party

Imagine a scenario in which you throw a housewarming party and your guests are all set to arrive, but someone hijacks the GPS coordinates to your house and leads them to their house instead, stealing your friends and presents? It would be strange and rude, but it’s about what happened over at Etherparty.io. (Yes, that’s a British Indian Ocean territory extension, popular among so many startups).

Etherparty launched their marketplace crowdsourcing as an ICO. Initial coin offerings, the cryptocurrency version of IPO’s (initial public offerings), come with inherent risks as an unregulated marketplace. This isn’t the first time an ICO has been hijacked. The possibility of “going public” in an unregulated free market enchants some investors, but federal regulators have started basically freaking out.

  • In the US: The US Securities and Exchange Commission has issued an alert bulletin warning investors about ICO scams and suspensions.
  • In China: A ban has been issued against raising money through ICO’s and an investigation is underway relating to 60 platforms.
  • In Russia: News sources report that “The mood on cryptocurrencies has gone sour in Russia.”

More of this sort of attitude toward ICO’s can be expected, especially after this latest hack.  So what happened to the party at Etherparty?

Etherparty is a contracting agreement service, built on blockchain technology (like Bitcoin itself, still the reigning cryptocurrency).  Remember life before Google Docs, the old method of file sharing? You would receive an attachment (always a dubious enterprise in the days of malware), and make edits, then email it back and that person would make edits, on-and-on. Along came Google Docs and suddenly the world experienced simultaneous viewing and real-time updates. There’s no going back once you’ve converted. Well, Etherparty wants to convert people to a Google spreadsheet-style contract method: where contracts can be negotiated, edited and agreed upon by multiple simultaneous parties.

If you think that sounds cool, you’re not the only one.  Though the ICO of Etherparty launched on October 1st using Fuel tokens, as of press time it’s already got nearly 4,000 contributors (and counting). But not long after the launch, the party took a wrong turn. After only about an hour, Etherparty was forced to shut down their site for about an hour and a half.  Some hackers had compromised the site and rerouted contributions to their wallet. Though the perpetrators have not yet been identified, Etherparty announced a restitution plan. Lisa Cheng, the founder of the Vancouver, Canada-based company said in a statement, “We do acknowledge and apologize for the temporary disruption to our otherwise successful launch day. Etherparty is eager and committed to compensating all affected contributors for the inconvenience.” That means that if you purchased Fuel tokens in that first hour, you’re still entitled to be an investor in their (decentralized) public offering.

There are lessons to be learned here, as well. For starters, another case of excellent PR. In an era where Equifax majorly blundered their data breach handling, it’s nice to see another example of an appropriate, rapid, intelligent response to an attack. However, you can also learn to always check the routing when clicking on a link before sending coins or tokens, should you operate in the cryptocurrency world — just as you check the change handed to you by a cashier, or verify an attachment’s sender before opening an unexpected document.

It pays to be safe, maybe not in tokens, but in reality.

The Un-luck of the Irish (Companies)

What’s it like to live in Ireland?  Rolling mists, epic pubs, and…massive cyber attacks? Yes, our last stop on our global cyber insecurity tour stops in Ireland, where nearly half of all companies report having no cybersecurity policy whatsoever. Here are a few other concerning statistics:

  • 81% of Irish businesses had a cyber incident in a 12-month period, but only 26% think they did (another 18% reported being unsure).
  • Nearly every day, North Korea executes cyber attacks on Irish companies.
  • Large swathes” of Irish national hospitals fell victim to recent global attack, but system updates would have prevented that entirely.

“The cost of cyber raids on Irish businesses has soared from €498,000 in 2014 to €1.7m in 2016 — with analysts warning it is likely to increase exponentially over future years,” the Independent reports.  Small businesses are at even greater risk — even fewer have any cybersecurity policy and technology personnel rare. But cyber attacks are on the rise around the entire globe, so why the concern over an island nation of less than 33,000 square miles?

Several reasons. Mostly to do with that thing about the world being flat, small and decentralized.

  1. Just as an Irish seismology school was able to detect nuclear testing going on in North Korea, the world is big, but not that big. What goes on one continent can have an impact around the globe.
  2. Viruses have earned that moniker because they do spread, and holes in security create opportunities for the further spread of malware and other types of attack. (Honestly, if malware were not such a lucrative business, people would likely give up the enterprise altogether.)
  3. Though small, Ireland has a population of nearly 5 million and an incredibly rich legacy. Preserving Ireland then could, in a way and by that logic, affect us all.

When the global-scale malware attacks Wannacry and NotPetya circulated the globe, Ireland got hit hard. Recently, the Irish National Lottery’s website experienced a major DDoS attack. One Irish county got hit with a sophisticated cyber attack that nearly cost €4.3 million until the attack was thwarted (at last report the funds were still locked down in Hong Kong, but the plan is to return them to their homeland).

As is clear by now, Ireland, in general, has been a little late to the game on a few cybersecurity advances and needs to do more.  Just last year they hosted their first annual cyber security conference, which may provide an invaluable opportunity for the nation’s most concerned and active cyber professionals to interact, talk about risks, and share best practices. Last year, at the inaugural event, Thycotic cyber security strategist Joseph Carson spoke to the added risks of Ireland’s physical location. “Ireland is at risk of cyber attack because of its key Atlantic position,” he warned conference attendees.

So what are some of the lessons learned from the state of the Irish? For one, you are never too small to not be at cyber risk, since malware has no such sensitivity settings. Secondly, a lack of awareness is a poor excuse for a lack of preparedness (ignorance is not, in fact, bliss).  Lastly, that utilizing existing resources and supporting one another is key to turning the tides on the global cyber war.

Stay Ahead of the Game

Thanks for tuning in to this week’s edition of Cyber Week in Review. Join us next week as we continue to explore the cyberverse, learn from malware intelligence, and otherwise continue to enjoy the headlines, but stay out of them.

Leave a Reply