Does Facebook even know what data it has about you? Or where it is stored? Cyberwar breaking out from the Russia-Ukraine conflict hits many Ukraine supporters – most recently a full assault on Japan’s e-government. All this and more on the back to school edition of CyberSecurity Today.
The Los Angeles Unified School District, which is the second-largest public school district in the United States, reported it was targeted by a ransomware attack over the Labor Day weekend. In what is becoming a recurrent theme, Alberto Carvalho, superintendent of the board, announced, “It does appear at this point that this incident originated beyond our borders,” though he did not name any foreign actor or country.
U.S. government agencies issued a public advisory saying a new ransomware gang known as Vice Society had been “disproportionately targeting” the education sector with ransomware attacks.
Presumably, school boards are a relatively easy target, with a wide area of remote sites, tight budgets and relatively small IT staff and of course – a lot of data on one of the things we hold most precious – our children.
The good news in this story, unless you are a kid looking to make the summer break longer, is that the schools remained open, although some activities were rescheduled.
Speaking of children and cyber safety
We’ve covered the story about Meta, the former Facebook, being fined 400 million dollars for issues related to children’s data on Instagram.
We would all agree that Facebook/Meta/Instagram should all do more to protect children’s data online. But can they?
Can Facebook (Meta) find all your data?
A story in an online journal called “The Intercept” caught my eye this week. It was reporting on the lawsuit related to Facebook’s (now Meta’s) alleged mishandling of personal data related to the Cambridge Analytica scandal.
In the discovery hearings, where both sides find out what evidence the other has before proceeding to trial, Facebook senior engineers made a shocking statement. No one person at Facebook could actually tell you where all your data is stored.
The question came about because, when the company was ordered to produce the information that it has collected about the people involved in the lawsuit, Facebook produced the information that could be downloaded using the publicly available “Download Your Information” function.
The judge in the case ruled that the information provided was insufficient – ‘too sparse’ considering the ocean of data that Facebook appeared to have on each person. Many might have assumed that Facebook was holding back or “stonewalling.”
But there may be another answer and it’s equally or perhaps more troubling. According to engineers who were being deposed under oath, they knew of no documentation that would tell them how to find all of the information on a particular person.
Bear in mind these are very senior engineers. Their answer to why they could not produce the information: “We have a somewhat strange engineering culture compared to most where we don’t generate a lot of artifacts during the engineering process. Effectively the code is its own design document often.” He quickly added, “For what it’s worth, this is terrifying to me when I first joined as well.”
As strange as it might seem, this echoes a leaked internal Facebook document from 2021 published by the online journal Motherboard, which stated “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’”
Which raises a question. How can they protect your data or abide by any privacy policies if they don’t know where it is or how it might be used in their programs?
And before we all dump on the evil Facebook, we might all be challenged to ask ourselves – in our complex corporate world with multiple applications – have we adequately documented all of the data we have and where it is used? How can we be sure that we are onside with our policies? Or that we are offering adequate protection for our data?
Killnet strikes Japan with DDoS attack
Check Point Software contacted us this week when Howard was away. Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, gave us a statement on the attack on e-government in Japan:
“Killnet (the Russia-affiliated hacktivist group) yesterday launched a massive attack on Japan, claiming to have taken down the e-government of Japan, which delivers administrative information from government organizations as well as applications to local governments for public services. Killnet have also claimed to have done the same with the online tax portal, the JCB payment system and Mixi, the 2nd biggest social media in Japan, which is still unreachable as of (Wednesday afternoon).”
Sergey goes on to explain that:
“Killnet used DDoS, a category of malicious attacks by cybercriminals to take down these sites, which effectively makes an online service, network resource or host machine unavailable to its intended users on the internet by overwhelming the servers with thousands and millions of requests. Killnet’s reasoning for these attacks is due to Japan’s support of Ukraine in the ongoing Russia-Ukraine war…”
Killnet has also mounted attacks on Italy, Lithuania, Estonia, Poland and Norway, and according to our sources at Check Point, “more planned attacks can be expected in the future.”
Which raises the question – as our governments become increasingly digital, how well are they prepared not just for cyberattacks, but for state-sponsored cyber warfare? We know that Lloyd’s of London is so concerned about this that any new policies issued after this year must have an exclusion for state-sponsored “acts of war.”
There will be more on this in the coming days and weeks. Stay tuned.
Follow Cyber Security Today wherever you get your podcasts – Apple, Google or other sources. You can also have it delivered to you via your Google or Alexa smart speaker.
Till next time – stay safe.