Tag Archives: Facebook

Security News for the Week Ending December 10, 2021

NEW LOG4J JAVA LIBRARY ZERO-DAY IS BEING EXPLOITED IN THE WILD

A proof of concept for a zero-day vulnerability in the very popular Apache Log4j Java library is being shared online. Log4j is used both in enterprises and in cloud services. Products from Apple, Amazon, Twitter and Steam, among others may be vulnerable to remote code execution exploits. All versions through 2.14.1 are vulnerable CISA and other government agencies have issued alerts. Many Managed Service Providers are finding themselves under attack. Find details at Bleeping Computer and US CERT and Huntress Labs.

Researcher Found Method to Brute Force Verizon PINs

A researcher discovered a bug that allowed him to brute force any customer’s Verizon security PIN. After reporting it to Verizon, Verizon told Vice that they solved the problem by taking down the vulnerable website pages. Hopefully, when those pages return, the bug will be fixed. Credit: Vice

US Military Admits to Offensive Hacking

Cyber Command, AKA the NSA, has confirmed that they have taken unspecified hacking to disrupt hackers ability to hack. This comes from none other than General Paul Nakasone, head of the NSA and CyberCom. While they know that they can’t shut down hackers, they also know that they can make it more costly. Nakasone said that a number of elements of the government (i.e. more than just the NSA) have taken actions and we have imposed costs. Just speculating, but hackers are often not good programmers and even worse at operational security, so it is not at all surprising that they can be hacked. Historically we haven’t done that, but it looks like now we are. Credit: CNN

A Camera the Size of a Grain of Salt

It can take better full color images than a camera 500,000 times its size. It even works in ordinary light. The surface is made from silicon nitride, meaning that it can be made in microchip manufacturing plants. It could be used in medicine (like in an endoscope), but think about the uses by spies. What an incredible spy cam. No one is going to see a grain of salt. Credit: Vice

In the Face of a $150 BILLION Lawsuit, Facebook Bans Myanmar Military

Facebook announced this week that it will remove pages, groups and accounts representing military controlled businesses. Many criticized it as a cynical ploy to deflect criticism coming from the billion dollar lawsuit. The US lawsuit illustrates how Facebook’s algorithms often recommend extremist groups and violent content in exchange for more customers. Credit: ZDNet

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.

Tesco Launches First Checkout-Free Store in London

Following in line with companies like Amazon, retailers like Tesco in London are working on letting customers shop in their stores and not having to stop at the checkout line. This is done with a crazy number of cameras and sensors. My guess is that they are willing to take some losses in the short term to try and figure out the weak spots and how people plan to game the system, but this is surveillance to the the max. It requires that you have their app and they will automatically charge your credit card, which has to be on file. Me, I’m okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn’t ask for suggestions; they probably would have gotten a bunch that referred to different body parts than people’s faces. But, this is kind of like what Google did with Alphabet a couple of years ago. Facebook as a company has lots of brands and it probably doesn’t make sense, any more, for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory that certain companies report breaches and some attacks within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This probably will include anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret, if possible, but if the bill passes and companies might be fined or executives go to jail, they will probably disclose. The disclosure would be to the government, probably, and not publicly. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware and that the malware had been lurking inside for about a month before it launched the attacks. They target the outdated software and poorly configured hardware of these systems and it is a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

Security News for the Week Ending March 26, 2021

China Bans Military and Government from using Teslas – Due to ‘Spying’

The WSJ is reporting that the Chinese government has restricted the use of Tesla vehicles near or in sensitive installations like military and government facilities. The theory is that the cameras on Teslas could be used for spying. Tesla, of course, denies that they are spies, but consider this. What is to stop hackers or state intelligence agencies from hacking ANY self driving car and stealing the data. I am sure that Musk would say that his security is great, but is it perfect? This is not a Tesla problem, this is a ’20 cameras on 4 wheels with an Internet connection’ problem and this case, I would say the Chinese are correct. The problem is that with more and more self driving cars, do you ban all cars from sensitive places? What if you convince the owner to sell their data after driving around a sensitive facility? If someone offered you $50,000 to rent your car for a week, no questions asked, would you take it? Oh, yeah, it might back with less data than it went out with. Credit: ZDNet

Facebook Fails to Derail $15 billion Privacy Lawsuit

Facebook is being accused of violating wiretap laws because of the way the Facebook “Like” icons work to track even people who do not have Facebook accounts, never mind ones who do have an account but are not logged in. Of course, Facebook monetizes this data in a variety of ways. Facebook told the Supreme Court that if they allowed the California federal court decision to let the case proceed (which is different than saying the plaintiffs will win), that would have detrimental consequences. While $15 billion is a lot of money, remember that Facebook made $30 billion in PROFIT just last year and allowing the case to proceed, does not mean anyone will win or what the penalty might be. Surely if Facebook loses it will be detrimental – to them, but that is never been a reason to stop a lawsuit from moving forward. Credit: Security Week

Amazon Contractors Have to Sign a Biometric Consent Form or Lose Their Job

Amazon continues to ratchet down on their contract drivers (and probably their own too). They are installing AI based cameras in their delivery vehicles that watch both the road and the drivers. If a driver yawns, they see that. If the driver looks at his or her phone, they see that too. Not wearing your seatbelt? Problem. Too many negatives and they are history. Or, they can quit now. Oh, yeah, they can keep the data forever. Credit: Vice

Hackers Demand $50 Million Ransom from Acer – Threaten to Leak Data

In what is probably the largest ransom demand ever (at least that we know of), hackers encrypted systems at Acer on March 14th and demanded a $50 million ransom. The hackers posted on the dark web that negotiations had broken down. Acer, apparently, offered $10 million, but Acer is not confirming anything. Leaked documents are less sensitive financial info, so we don’t really know what they have. The compromise may have started with the Microsoft Exchange Server hack. The main risk factor here, likely, is the disclosure of whatever the hackers stole. Stay tuned. Credit: Hackread

After NSA Head Says NSA Missed SolarWinds Because it Can’t Spy in US, Administration Says It Does Not Plan to Increase US Surveillance

An administration official, earlier this month, said that the administration, worried about the political blowback of the NSA spying on Americans, was not CURRENTLY seeking additional laws to allow the NSA (or others) to do additional spying on Americans. Instead, they want to focus on tighter partnerships with the private sector and allow them to provide the data to the feds. This would give the feds a cover story that they are just using data that has already been collected. This is my de-spinning of what they said. Credit: Security Week

Facebook Considers Begging iOS Users: Let us Track You

Apple is preparing to add a new prompt to iOS that requires users to opt-in to tracking by app developers like Facebook. It used to be that you could opt-out — if you could find the place to do that.

Facebook is going to have its own screen telling you how wonderful it is to have your every website click tracked.

Here are sample mockups:

Facebook's message to users about privacy

Facebook’s reasoning is that you get better ads and it helps their bottom line. I am not sure that many people care about Zuckerberg’s income and how many people think that advertising of any type is a benefit.

Facebook’s beg screen is on the left and Apple’s do you really want to do this screen is on the right.

If you agree to this it does not mean that Facebook is going to collect more or different data – although it might if they find it beneficial to them. It means that they want you approve of them continuing to do what they have been doing for years – mostly silently.

This is a follow-on to Apple’s version of a food safety warning when they revealed how much data Facebook is collecting next to the app in their app store.

Since Apple earns no revenue from selling your data or serving up ads, screwing up the business model of a competitor like Facebook is perceived to be a good or at least not negative.

Neither Facebook nor Apple has said when these changes will roll out. Credit: The Register

Security News for the Week Ending December 25, 2020

First of all, Merry Christmas and a Happy New Year.

OCC, FRB and FDIC Propose New Rule – Tell Us If You Have a Security Incident

The federal banking regulators are proposing a new rule that banks and tech companies that service banks need to report to their regulator within 36 hours if the have a security incident (like ransomware) that impacts their operations. I suspect that banks have been hiding these in the large stack of forms they file daily, hoping their regulator doesn’t catch what is going on. In *MY* opinion – long past due. It covers everyone who is part of the Federal Reserve System or the FDIC, among others. Credit: FDIC

FBI Says Iran Behind pro-Trump ‘enemy of the people’ Doxing Site

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say that Iranian actors are “almost certainly” behind the creation of the website (currently down), basing the assertion on “highly credible information.”

The agencies add that in mid-December 2020 the website contained death threats aimed at U.S. election officials. Among them are governors, state secretaries, former CISA Director Christopher Krebs, FBI Director Christopher Wray, and people working for Dominion, the company providing the voting systems. Credit: Bleeping Computer

Facebook and Google Get a Little Too Friendly on Ads

While Google and Facebook supposedly compete in the ad business, with the two of them controlling over half the market, there was a bit of preferential treatment. In 2018 they announced a deal where Facebook’s advertisers could buy ads within Google’s ad network. What they did not announce was a secret deal where Facebook would get preferential treatment if they backed down on getting their advertisers to switch to a Google competitor. These days it is hard to keep secrets that big secret. Credit: Cybernews

Microsoft and McAfee Join Ransomware Task Force

19 tech companies, security firms and non-profits have joined together to fight ransomware. The task force will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The result will be a standardized framework for dealing with ransomware attacks across verticals, based on industry consensus. They start playing together next month. Stay tuned to see what they produce. Credit: ZDNet

Homeland Security Releases Guide Warning About Chinese Equipment and Services

The Chinese government, along with Russia, has shown that it has a virtually insatiable appetite for stealing our stuff, whether that is personal information or trade secrets. This DHS document talks about the risks of partnering with Chinese firms and/or allowing your data to be stored in China or Chinese controlled data centers. It talks about how China has constructed it’s laws so that the government can get access to anything that it wants and what you can do to reduce the risk a little bit. A copy of the report can be downloaded here.

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros Point of Sale System a few years ago and now needs to deal with the challenges from that. The newest challenge is a modular back door that affects the 3700 POS series. It is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use. Hack Facebook advertiser’s accounts and buy ads telling victims to pay up. These ads get taken down but not before someone (else) gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for an exclusion for that). Credit: Help Net Security