Weekly Podcast: Russian cyber crimes, Facebook breach and Tory conference app

This week, we discuss Russian cyber crime, the Facebook breach affecting 90 million users and the Conservative Party’s conference app breach

Hello and welcome to the IT Governance podcast for Friday, 5 October. Here are this week’s stories.

The NCSC (National Cyber Security Centre) has accused the Russian military intelligence service – the GRU – of a campaign of “cyber attacks targeting political institutions, businesses, media and sport”.

According to the NCSC, well-known threat actors that have carried out numerous cyber attacks around the world – including the groups known as APT 28, Fancy Bear, Sofacy, Sednit and CyberCaliphate – are in fact associated with the GRU.

The attacks are “in flagrant violation of national law”, the NCSC said, and have cost “national economies millions of pounds”.

The Foreign Secretary, Jeremy Hunt, commented:

“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens.  This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

The Kremlin is yet to comment.

At the end of last week, Facebook admitted that the accounts of nearly 50 million users had been exposed by a vulnerability in its “View as” function – a feature that lets users see how other people view their profiles.

The security flaw allowed attackers to steal access tokens (digital keys that keep people logged into Facebook), which they could then use to take over accounts – and third-party platforms that used Facebook logins.

Facebook has fixed the vulnerability and reset the access tokens of the 50 million affected users. A further 40 million users were also logged out as a precaution.

Guy Rosen, the social network’s vice president of product management, provided an update in a blog on Tuesday, in which he reassured users that Facebook’s investigators had analysed “logs for all third-party apps installed or logged in during the attack” but, so far, there was “no evidence that the attackers accessed any apps using Facebook Login”.

Facebook’s European subsidiary is based in Ireland, so has notified the Irish Data Protection Commission, as required by the GDPR (General Data Protection Regulation).

Following last year’s embarrassments, the Tories were presumably hoping that their conference would pass without major incident this year.

Brandon Lewis, the Conservative Party chairman, even planned to demonstrate how modern and innovative the party was by promoting a new app, designed to let conference attendees give feedback on speeches.

However, the Guardian’s Dawn Foster found that a major security flaw in the app exposed the personal data of the conference’s attendees – including cabinet ministers’ phone numbers – to anyone who could guess the email addresses with which they had registered. Given that all MPs’ parliamentary email addresses are publicly available, this wasn’t exactly difficult.

Worse still, it soon became apparent that MPs’ details could be edited – with inevitable results. According to the Guardian, some Twitter users claimed that Boris Johnson’s picture was “briefly changed to one featuring a pornographic image [and Michael] Gove’s picture was changed to Rupert Murdoch, his previous employer at the Times.”

Lewis apologised for the “concern caused”, but this didn’t satisfy some MPs: the New Statesman reports that some ministers are “now considering changing” their personal phone numbers after receiving prank calls”.

CrowdComms, the Australian company that made the app, soon updated it to remove the login function and issued an apology.

The Information Commissioner’s Office is investigating. A spokesperson said: “We are aware of an incident involving a Conservative Party conference app and we will be making enquiries with the Conservative Party.

“Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach, if it could pose a risk to people’s rights and freedoms.”

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.