Much more significant than that 50 million number suggests.
An estimated 50 million Facebook user profiles were affected by a security breach, the company confirmed in a blog post today. The breach could have allowed attackers to take over the accounts of affected users, as well as log into a vast number of external sites using Facebook’s single sign-on feature. The full extent of the attack, however, remains unknown.
The breach, which the company says it discovered on Tuesday, “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else.”
… The vulnerability allowing the exploit, according to Facebook, “stemmed from a change we made to our video uploading feature in July 2017.”
(Related) Noticing that something unusual is happening is a sign of good management and, by extension, good security.
Facebook says it detected security breach after traffic spike
An unusual traffic spike is what alerted Facebook engineers that something might be wrong, and it was an investigation into this heightened activity that led engineers to discover a massive security breach this week.
… The access token harvesting operation triggered the massive traffic spike on Facebook servers. Sifting through the traffic, Facebook engineers realized what was happening on September 26, and rushed to put together a patch for the vulnerability last night, on September 27, before going public with their findings this morning.
(Related)
Facebook Data Breach – What To Do Next
… If you’ve been affected by the breach, Facebook logged you out of your account yesterday.
… However, an important thing to note: If you were logged out, you weren’t necessarily breached. Facebook has also logged out everyone who used the ‘View As’ feature since the vulnerability was introduced as a “precautionary measure”. The social network says this will require another 40 million people or more to log back into their accounts, adding: “We do not currently have any evidence that suggests these accounts have been compromised.”
… It believes it has fixed the security vulnerability, which enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool that allows users to see how their profile looks to other people. Attackers would then be able to steal the access tokens that allow people to stay logged into their accounts. Then, Facebook admits, they could use these to take over people’s profiles.
… it can be hard to know what you’ve logged into using your account. This information can be found in your settings. First, go to ‘apps and websites’, then ‘logged in using Facebook’.
… Does this breach come under GDPR?
Many of the 50 million customers breached will reside in Europe, so their data does fall under the EU general update to data protection regulation (GDPR). We don’t know exactly what information has been impacted - fines are applicable for sensitive and personal data such as credit card details, which Facebook initially said have not been affected. However, if attackers have accessed personal messages, all kinds of sensitive information could have been breached.
(Related)
Earlier today, Facebook announced to the public that a series of vulnerabilities had allowed hackers access to an estimated 50 million user profiles. The company now faces its first class-action lawsuit over its apparent inability to protect this data, likely the first of many such suits to come if the legal fallout after the Cambridge Analytica scandal serves as any indicator.
Carla Echavarrai and Derrick Walker—both average Facebook users by their descriptions in the suit, filed today in California’s Northern District Court—accuse the social network of violating its home state’s unfair competition law, negligence, and of concealing its “grossly inadequate” security measures.
… Read the full suit below:
Very smart organizations can still fall for a good bit of social engineering.
What Happened? On August 27, 2018, personal information of 73 residents of Washington was acquired by unauthorized persons from computer systems maintained by attorney Matt Rovner in Seattle, Washington. The information was acquired when administrative access to the systems was provided to persons fraudulently pretending to be a computer support services firm.
What Information Was Involved? The personal information was principally from records of Social Security disability matters and included names and Social Security numbers and medical records of 6 individuals in records dating from October 2009 through June 2010, January 2013, and March 2017. In most cases no contact information is available for the individuals.
What We Are Doing. Access to the systems was shut off within 40 minutes when the fraud was discovered and the systems were reviewed to determine the scope of the access and ensure no unauthorized software or access channels remained. Reports were filed with the Federal Bureau of Investigation. The systems have since been shut down.
… For more information about this breach e-mail Matt Rovner at rovnermatt@hotmail.com.
Posted Seattle Times – September 26, 2018
How “normal” can this be if this is the only place in the US where DHS is doing this?
More security theatre? Or more opportunity to try to surveill law-abiding citizens? What is going on?
Lauren Hernandez reports:
Uniformed Department of Homeland Security officers seen patrolling BART trains and stations this week are members of a Transportation Security Administration team, according to BART and Department of Homeland Security officials.
Photos posted to social media, including a tweet by Janice Li, a San Francisco resident running for the Bay Area Rapid Transit Board of Directors, show a line of at least eight armed, uniformed DHS officials walking in the aisle among seated passengers on a train bound for the Civic Center BART station in San Francisco.
Read more on San Francisco Chronicle.
There is nothing in the TribLive article to explain why “taxpayers” would pick up the tab for a political group. Perhaps they are all Democrats?
Deb Erdley reports:
Pay now, or pay later.
Leaders of the Pennsylvania Senate Democratic Caucus faced those options when hackers infected their computer system in March 2017, holding it hostage with ransomware.
Officials at the Westmoreland County Housing Authority faced the same dilemma when hackers held their computers and phones hostage in July. The Housing Authority paid a ransom of $6,500 through a single Bitcoin, a digital currency that allows users to exchange money anonymously over the internet.
Senate Democrats balked at a demand for 28 Bitcoin — valued at just over $30,000 when the lockout began — and adhered to the FBI’s advice against paying ransom.
Instead, state records released to the Tribune-Review through a Right-to-Know request revealed taxpayers underwrote the $703,697 Microsoft charged to rebuild and enhance the system.
Read more on TribLive.
How would an individual know his thermostat is not in compliance?
California just became the first state with an Internet of Things cybersecurity law
California Governor Jerry Brown has signed a cybersecurity law covering “smart” devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August.
Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.
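The two ways the excerpt says a remotely reachable device can satisfy SB-327's password rule, as an added Python sketch (not code from the article or from the statute): a per-device random factory password, or a shared default that works only until the owner sets a new one. The device modes, the "admin" shared default and the set-password flow are assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _hash(password, salt):
    # PBKDF2 so a leaked device config does not reveal the password outright.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class DeviceAuth:
    """Admin-login state for one remotely reachable device (assumed model).
    mode is 'unique' (random per-device factory password) or 'force_change'
    (shared factory password that works only until the owner sets a new one)."""
    serial: str
    mode: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    user_set_password: bool = False

    @classmethod
    def provision(cls, serial, mode, shared_default="admin"):
        """Factory step: returns the device and the password printed on its label."""
        dev = cls(serial=serial, mode=mode)
        # Unique mode: a random secret, never derived from the serial number.
        factory_pw = secrets.token_urlsafe(12) if mode == "unique" else shared_default
        dev.pw_hash = _hash(factory_pw, dev.salt)
        return dev, factory_pw

    def _check(self, password):
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def login(self, password, action):
        """Returns 'ok', 'denied' or 'must_set_password'."""
        if not self._check(password):
            return "denied"
        # Until the owner sets a password, a shared default may only set a new one.
        if (self.mode == "force_change" and not self.user_set_password
                and action != "set_password"):
            return "must_set_password"
        return "ok"

    def set_password(self, old, new):
        if not self._check(old) or len(new) < 8 or new == old:
            return False
        self.salt = secrets.token_bytes(16)  # re-salt so the old hash is useless
        self.pw_hash = _hash(new, self.salt)
        self.user_set_password = True
        return True
```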
Perspective. Perhaps the judge understands that the encryption is done on the user’s phone and cannot be decrypted by Facebook. (This makes news in Europe, but not in the US? Fake News by omission?)
Exclusive: In test case, U.S. fails to force Facebook to wiretap Messenger calls - sources
U.S. investigators failed in a recent courtroom effort to force Facebook to wiretap voice calls over its Messenger app in a closely watched test case, according to two people briefed on the sealed ruling.
Members of a joint federal and state task force probing the international criminal gang MS-13 had tried in August to hold Facebook in contempt of court for failing to carry out a wiretap order, Reuters reported last month.
Arguments were heard in a sealed proceeding in a U.S. District Court in Fresno, California weeks before 16 suspected gang members were indicted there, but the judge ruled in Facebook’s favor, the sources said.
The details of his reasoning were not available.
An explanation of risk.
Not Too Big To Fail: Why Lehman Had to Go Bankrupt
… “It’s pretty clear in my mind why AIG had to be saved and why Lehman should have been let go, because they (Lehman) could have helped themselves, but they failed,” said Antoncic. “Lehman basically put the nail in [its own] coffin.”