Weekly podcast: National Lottery, Russian cyber warfare and Cambridge Analytica

This week, we discuss a credential-stuffing attack on Camelot, heightened fears over Russian cyber attacks and, inevitably, Cambridge Analytica/Facebook

Hello and welcome to the IT Governance podcast for Friday, 23 March 2018. Here are this week’s stories.

Camelot has asked all 10.5 million National Lottery account holders to change their passwords after what it described as a low-level cyber attack compromised 150 accounts. According to the BBC, the attackers “used credentials gleaned from a list circulated on the internet to get into the accounts” – in other words, a credential-stuffing attack using login details that had been breached elsewhere.

Very limited information may have been viewed and no National Lottery account holder suffered any financial loss. Camelot has reported the incident to the Information Commissioner’s Office and is liaising with the National Cyber Security Centre.

At first glance this seems like an admirable ‘abundance of caution’ – to use the phrase trotted out by every company that suffers a breach – but a moment’s reflection makes me a little dubious about the response.

150 out of 10.5 million accounts is 0.0014%. To me, it seems like overkill to ask every account holder to change their password when such a small proportion was affected, especially as fewer than ten accounts actually suffered any unauthorised activity. And why ask people to change their passwords instead of forcing them to? How effective is that going to be? I’d warrant that the sort of people who exhibit poor password practices are precisely the ones who’d also ignore a request to change their login details.

Also, as the security researcher Troy Hunt has observed, it’s more than a little implausible that only 150 accounts were affected by a credential-stuffing attack when password reuse is so rife, so perhaps there’s something Camelot hasn’t disclosed yet – or perhaps I’m being needlessly cynical, having been ground down by years of news of companies mishandling security incidents. We shall find out, I suppose.

In the meantime, as if you need telling again, it’s a terrible idea to reuse your credentials across multiple sites and accounts. Use a unique, complex password for each, ideally generated by a password manager.
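As an added illustration (not from the podcast or from Camelot), here is how a defender might spot the pattern described above in web-login logs: a single source trying many distinct accounts, typically once each, with a low success rate. The log format, IP addresses and usernames are constructed for the example; the successful logins from a flagged source are the accounts that actually need a forced reset, rather than the whole user base.

```python
import re
from collections import defaultdict

# Constructed sample of login-audit lines (assumed format, not real data):
# "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2018-03-20T02:00:01Z ip=203.0.113.7 user=alice result=fail
2018-03-20T02:00:02Z ip=203.0.113.7 user=bob result=fail
2018-03-20T02:00:02Z ip=203.0.113.7 user=carol result=ok
2018-03-20T02:00:03Z ip=203.0.113.7 user=dave result=fail
2018-03-20T02:00:03Z ip=203.0.113.7 user=erin result=fail
2018-03-20T02:00:04Z ip=203.0.113.7 user=frank result=fail
2018-03-20T02:00:04Z ip=203.0.113.7 user=grace result=ok
2018-03-20T02:00:05Z ip=203.0.113.7 user=heidi result=fail
2018-03-20T09:15:00Z ip=198.51.100.4 user=ivan result=fail
2018-03-20T09:15:20Z ip=198.51.100.4 user=ivan result=ok
2018-03-20T10:00:00Z ip=192.0.2.9 user=judy result=ok
"""

LINE_RE = re.compile(
    r"^\S+ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_log(text):
    """Return a list of (ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["user"], m["result"]))
    return events

def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Map each suspicious source IP to (distinct_users, attempts, successes).
    Credential stuffing looks like one source touching many different
    accounts with mostly failures; a user mistyping their own password
    (one account, few attempts) does not trip the threshold."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, result in events:
        d = per_ip[ip]
        d["users"].add(user)
        d["attempts"] += 1
        d["ok"] += result == "ok"
    flagged = {}
    for ip, d in per_ip.items():
        users = len(d["users"])
        if users >= min_users and d["ok"] / d["attempts"] <= max_success_rate:
            flagged[ip] = (users, d["attempts"], d["ok"])
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that a flagged source logged into successfully: these are
    the ones to force through a credential reset and notify."""
    return sorted({u for ip, u, r in events if r == "ok" and ip in flagged})
```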

From small-scale attacks to large ones…

This week, according to the Guardian, the UK’s “banks, energy and water companies are on maximum alert over the threat of a serious cyber-attack from Moscow”, and “fears that Russia will target Britain’s critical national infrastructure have prompted round-the-clock threat assessments by the UK’s financial sector, energy firms and GCHQ, the UK’s largest intelligence agency, along with the security services MI5 and MI6”. The Daily Telegraph, meanwhile, quotes Cambridge University’s Julius Weitzdörfer, who claims that the UK is only four meals from anarchy if there is such an attack.

The UK’s defence secretary, Gavin Williamson, has been vocal about Russia’s cyber warfare capabilities since he took office last November, warning in the Telegraph in January that Russia “could cause ‘thousands and thousands and thousands’ of deaths in Britain with an attack that would cripple the UK’s infrastructure and energy supply” and claiming that “Russia has been researching the UK’s critical national infrastructure and how it connects to continental power supplies with a view to creating ‘panic’ and ‘chaos’” – something the Russian defence ministry spokesman Igor Konashenkov dismissed, saying Mr Williamson had “lost his grasp on reason”.

The UK isn’t the only country worried about Russian cyber attacks. Last Thursday, Palo Alto Networks blogged about the Russian cyber espionage group Sofacy (aka Fancy Bear, APT28, Pawn Storm, Iron Twilight, Sednit and STRONTIUM) carrying out a phishing attack on an unnamed European government agency and using a new version of the DealersChoice Adobe Flash exploit to drop malware.

And the US has accused Russia of launching cyber attacks on its government agencies and “organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors”. According to a US-CERT alert, “Russian government cyber actors” have targeted the US since at least March 2016 via “peripheral organizations such as trusted third-party suppliers with less secure networks”, which they use as “staging targets” to compromise their intended targets.

Finally, I obviously can’t ignore the biggest information security story of the week: the Guardian and the New York Times’s exposé of Cambridge Analytica’s misuse of some 50 million Facebook users’ data. But, to be perfectly honest, I’m not sure there’s much I can add that hasn’t been said a hundred times over by countless better-informed sources, or that won’t be repeated in the coming weeks as this story inevitably continues to develop.

All I would say is that, personally, I’m unsurprised by the news that Facebook users’ data was processed in this way. After all, it always used to be said in the context of the Internet that if you weren’t paying for a service it was a sure sign that you were the product rather than the consumer. Haven’t we always suspected that this sort of thing was happening?

In the meantime, the company’s share price is showing slow signs of recovery even though the #deletefacebook movement gathers apace. Mark Zuckerberg, having been castigated for his silence following the scandal, commented on Wednesday that Facebook would “investigate all apps that had access to large amounts of information before […] 2014” when Facebook changed its rules on the data that third parties could collect, and would “conduct a full audit of any app with suspicious activity” and ban any developer that doesn’t agree to a “thorough audit”.

There’s a lesson to be learned for data controllers, especially with the GDPR only nine weeks away: always make sure you know what your data processors are up to.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.