This week, we discuss the exposure of millions of Facebook users’ data, security failings in train passenger networks and Kaspersky Lab’s relocation to Switzerland
Hello and welcome to the IT Governance podcast for Friday, 18 May 2018. Here are this week’s stories.
New Scientist magazine reports that data relating to millions of Facebook users who used a personality quiz app was exposed online for four years.
The myPersonality app was created by David Stillwell of Cambridge’s Psychometrics Centre in 2007 and was active until 2012, during which time it collected data from more than 6 million volunteers. Around 40% of them opted to share data from their Facebook profile with the project.
According to the Psychometrics Centre’s website, “This data was anonymised and samples of it were shared with registered academic collaborators around the world”. New Scientist found that “more than 280 people from nearly 150 institutions did this, including researchers at universities and at companies like Facebook, Google, Microsoft and Yahoo”.
However, a username and password for the data set were uploaded to GitHub by some students who were given the credentials by a university lecturer “for a course project on creating a tool for processing Facebook data”.
These easily discoverable credentials gave access to the personality scores of 3.1 million users and “allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people”. With this information it would be relatively easy to de-anonymise the data and identify individual users.
Facebook suspended myPersonality on 7 April as part of its crackdown on third-party apps following the Cambridge Analytica scandal.
Dr Stillwell told New Scientist that “Cambridge Analytica approached the myPersonality app team in 2013 to get access to the data, but was turned down because of its political ambitions”.
He also said that Facebook had been aware of the myPersonality project for a long time, even holding meetings with him and his collaborator Michal Kosinski from 2011 onwards.
He commented: “It is therefore a little odd that Facebook should suddenly now profess itself to have been unaware of the myPersonality research and to believe that the use of the data was a breach of its terms.”
The Information Commissioner’s Office is investigating.
Have you ever used – or perhaps, given its reliability, I should say tried to use – Wi-Fi on a train? If so, you might be interested in a recent blog post by Ken Munro of Pen Test Partners about vulnerabilities in passenger networks.
According to Munro’s research, a lack of segregation between passenger, staff and train control networks, combined with the use of default admin credentials, means that passengers could theoretically interfere with wireless ticketing devices and, potentially, train systems.
According to The Register, Munro said “it might be possible, and this is speculation, to lock the braking system”.
In another exercise, Munro found it was possible to bridge the wireless network to the wired network and access a database server to gain access to the payment card details used by standard-class customers to pay for on-train Wi-Fi.
The issues could be fixed by segregating the passenger Wi-Fi network and ensuring the wireless router admin interface is inaccessible to passengers; using strong admin credentials on wireless routers instead of weak or default ones; keeping routers physically secure and their software up to date; ensuring satellite terminals for passenger Wi-Fi networks aren’t on the public Internet; and securing trackside equipment and media servers.
Munro concludes: “All it takes are some simple oversights and your train control and ticketing networks can be exposed.”
You may remember that, last September, the US Department of Homeland Security banned the use of Kaspersky products in US government departments after classified documents that a former NSA employee took home were stolen by Russian spies via Kaspersky’s antivirus software. And here in the UK last December, the chief executive of the National Cyber Security Centre (NCSC), Ciaran Martin, warned civil servants about using Russian antivirus software in government departments.
“As well as keeping this guidance under review, we are in discussions with Kaspersky Lab, by far the largest Russian player in the UK, about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market. In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state.”
This week, Kaspersky Lab announced that, as part of the ‘transparency initiative’ it launched last October, it was moving its core processes from Russia to Switzerland – including “customer data storage and processing for most regions, as well as software assembly, including threat detection updates”.
According to Kaspersky, “This move further demonstrates our enduring commitment to assuring the integrity and trustworthiness of Kaspersky Lab solutions in the service of our customers, and to addressing any concerns outlined by regulators.”
SC Magazine reports that the NCSC “said the move doesn’t change their stance on the firm’s products but did say it was a move in the right direction.”
Meanwhile in the Netherlands, the justice minister, Ferdinand Grapperhaus, this week issued a letter warning that using Kaspersky products represented a national security risk and saying that the Dutch government’s use of Kaspersky antivirus software would be phased out.
Well, that’ll do for this week. As ever, until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.