Weekly podcast: Australian Cabinet Files, Matt Hancock MP’s app and Monero mining

This week, we discuss the Australian government’s loss of thousands of classified documents, DCMS Secretary of State Matt Hancock’s buggy new app and the growing trend of cybercriminals using cryptocurrency miners.

Hello and welcome to the IT Governance podcast for Friday, 2 February 2018. Here are this week’s stories.

Data breaches don’t just occur when cyber criminals hack your systems, and it’s as well to remember that sensitive information in all forms – including hard copy records – should be afforded appropriate protection.

The Australian government was given a timely reminder of this principle this week when two locked filing cabinets that were sold cheaply at an ex-government sale in Canberra because no one could find the keys were drilled open and found to contain a trove of government documents that ought, by law, to have remained secret for 20 years. The Australian Broadcasting Corporation, which now possesses the documents, dubbed them the Cabinet Files.

According to the ABC reporters Ashlynne McGhee and Michael McKinnon, “The thousands of pages reveal the inner workings of five separate governments and span nearly a decade. Nearly all the files are classified, some as ‘top secret’ or ‘AUSTEO’, which means they are to be seen by Australian eyes only.”

The Australian government has begun an urgent investigation into the incident.

The new Secretary of State for Digital, Culture, Media and Sport, Matt Hancock – who was the Digital Minister until last month’s cabinet reshuffle – has become the first MP to launch his own app: a social network called Matt Hancock MP, which is available on iOS and Android.

Unfortunately, however, the BBC reports that there are a few “teething troubles […] with some users saying their privacy has been compromised after responding to an on-screen prompt asking for access to their photo library. The app then still […] accesses the photo library whether the user denies access or not.”

The Telegraph is more damning, saying that the app breaks data protection rules by failing to link to its privacy policy on the App store and only providing it to iOS users once they’ve downloaded the app and their data has been accessed. iOS users also “unwittingly allow third parties to contact them directly about marketing, competitions and offers”.

In its guidance for app developers, the Information Commissioner’s Office advises that: “Users of your app must be properly informed about what will happen to their personal data if they install and use the app. This is part of Principle 1 in the Data Protection Act, which states that ‘Personal data shall be processed fairly and lawfully’. For processing to be fair, the user must have suitable information about the processing, and they must be told about the purposes. Fairness is also about using information in ways that people would reasonably expect.”

The Guardian, meanwhile, observes that “the choice to name the app Matt Hancock creates some awkward moments, with system alerts noting that ‘Matt Hancock would like to access your photos’, ‘Matt Hancock would like to access your camera’ and, on the buggier Android version of the app, ‘Matt Hancock keeps stopping’.” So far, “Most of the users are political journalists, people trolling Matt Hancock, or both. The top five posts on the section are four journalists commenting on the app, and one user pretending to be Ed Balls, who has posted the words Ed Balls. It is the second most-liked post on the app.”

(Ed Balls day is 28 April.)

Finally, have we reached ‘peak ransomware’? Betteridge’s law of headlines says no, but according to an interesting blog from Cisco’s Talos Intelligence Group this week, criminals eager to cash in while the cryptocurrency bubble continues to inflate are increasingly taking a different approach: cutting out the middleman and using cryptominers. After all, why lock users’ machines and demand a ransom that they might not even pay when you can just infect their machine with software that mines for cryptocurrency without their knowledge?

Wait a moment – cryptocurrency mining? What’s that? Well… with the warning that, no matter how much I try to understand blockchain technology, there always comes a point at which my eyes glaze over, my jaw hangs slack and my brain says ‘uh-uh’, here’s a brief explanation.

Cryptocurrency software runs on powerful computers known as nodes, which send transaction information around the network. Some of these nodes, known as miners, add transactions to the blockchain (the continuously growing record of cryptocurrency transactions) by solving complex mathematical calculations and including the solutions in a block (effectively a file of transaction data). The solutions are called nonces (nonce being a portmanteau of ‘number used once’) and when they’re added to the blockchain the miners that found them are allocated a block reward or subsidy… I’d better stop there; I’m confusing myself. Let’s just say mining entails solving complex mathematical calculations for a cryptocurrency reward and it requires a lot of processing power because it’s complicated. (Please comment below if you can explain it better – I’m sure you can.)

According to Talos, “the most valuable currency to mine with standard systems is Monero (XMR)” – whose value has increased by 3000% in the last 12 months – and criminals are increasingly infecting Internet of Things devices with mining software and using their processing power collectively – as they might use a botnet to carry out DDoS attacks, for instance – to mine it.

An average victim machine could “generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which […] could be leveraged to generate more than $100 million per year theoretically”.

If you don’t like the sound of your processing power being used to line the pockets of others, scan your systems for miners and remove or quarantine them.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.


One Response

  1. Bernard Cogan 3rd February 2018