
Facebook mass hack last month was so totally overblown – only 30 million people affected

Abusing privacy is Facebook’s number one business!

QUOTE

Good news: 20m feared pwned are safe. Bad news: That’s still 30m profiles snooped…

Facebook users can relax and get back to interacting with quality content and authentic individuals on the social network.

Last month’s deliberate theft of private account records from the internet giant, initially believed to affect 50 million or maybe 90 million accounts, turns out to be nowhere near that bad. Cough.

On Friday, the data-harvesting biz said a mere 30 million people were robbed of their authentication tokens – which could and were used to log into their Facebook accounts. That’s only 1.34 per cent of Facebook’s total active users – which says more about the out-of-control size of the antisocial network than anything else.

“We now know that fewer people were impacted than originally thought,” said Guy Rosen, VP of product management, during a conference call for the media on Friday morning, Pacific Time.

Initial worries that the token pilfering might have led to the compromise of third-party apps implementing Facebook Login turn out to be completely unfounded. Rosen said Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, advertising and developer accounts were not affected. Bullet dodged.

For one million of the token deprived, the attackers took no information. For 15 million, they obtained names, phone numbers, and email addresses, if present in their profiles. For the remaining 14 million, they accessed not only profile data fields, but quite a bit more:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

….

“People’s privacy and security is incredibly important and we’re sorry this happened,” said Rosen.

That sorrow has limits. The Register asked Facebook whether it intends to pay for identity theft monitoring for the 30 million people affected, a common act of contrition following data thefts.

A Facebook spokesperson said, “Not at this time; the resources we are pointing people toward are based on the actual types of data accessed – including the steps they can take to help protect themselves from suspicious emails, text messages, or calls.”

Nonetheless, Facebook may end up opening the corporate coffers to make things right. The company offered no details about how many of those affected reside in the EU where the data protection regime (GDPR) allows for penalties that bring tears to the eyes of accountants.

“We’ll have to see what Facebook discloses about potential liability if any exists,” said Pravin Kothari, CEO of CipherCloud, in an email to The Register. “The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.

Made and Distributed in the U.S.A.: Online Disinformation

with Facebook’s help of course!

QUOTE

SAN FRANCISCO — When Christine Blasey Ford testified before Congress last month about Justice Brett M. Kavanaugh’s alleged sexual assault, a website called Right Wing News sprang into action on Facebook.

The conservative site, run by the blogger John Hawkins, had created a series of Facebook pages and accounts over the last year under many names, according to Facebook.

After Dr. Blasey testified, Right Wing News posted several false stories about her — including the suggestion that her lawyers were being bribed by Democrats — and then used the network of Facebook pages and accounts to share the pieces so that they proliferated online quickly, social media researchers said.

The result was a real-time spreading of disinformation started by Americans, for Americans.

What Right Wing News did was part of a shift in the flow of online disinformation, falsehoods meant to mislead and inflame. In 2016, before the presidential election, state-backed Russian operatives exploited Facebook and Twitter to sway voters in the United States with divisive messages. Now, weeks before the midterm elections on Nov. 6, such influence campaigns are increasingly a domestic phenomenon fomented by Americans on the left and the right.

“There are now well-developed networks of Americans targeting other Americans with purposefully designed manipulations,” said Molly McKew, an information warfare researcher at the New Media Frontier, a firm that studies social media.

Politics has always involved shadings of the truth via whisper campaigns, direct-mail operations and negative ads bordering on untrue. What is different this time is how domestic sites are emulating the Russian strategy of 2016 by aggressively creating networks of Facebook pages and accounts — many of them fake — that make it appear as if the ideas they are promoting enjoy widespread popularity, researchers said. The activity is also happening on Twitter, they said.

Reverb Press’s logo on its Facebook page shows that it has been verified by the social network.

The shift toward domestic disinformation raises potential free speech issues when Facebook and Twitter find and curtail such accounts that originate in the United States, an issue that may be sensitive before the midterms. “These networks are trying to manipulate people by manufacturing consensus — that’s crossing the line over free speech,” said Ryan Fox, a co-founder of New Knowledge, a firm that tracks disinformation.

This month, Twitter took down a network of 50 accounts that it said were being run by Americans posing as Republican state lawmakers. Twitter said the accounts were geared toward voters in all 50 states.

On Thursday, Facebook said it had identified 559 pages and 251 accounts run by Americans, many of which amplified false and misleading content in a coordinated fashion. The company said it would remove the pages and accounts. Among them were Right Wing News, which had more than 3.1 million followers, and left-wing pages that included the Resistance and Reverb Press, which had 240,000 and 816,000 followers.

Facebook said this amounted to the most domestic pages and accounts it had ever removed related to influence campaigns. The company said it had discovered the activity as part of its broader effort to root out election interference. Also, the pages had become more aggressive in using tactics like fake accounts and multiple pages to make themselves appear more popular.

“If you look at volume, the majority of the information operations we see are domestic actors,” said Nathaniel Gleicher, Facebook’s head of security. He added that the company was struggling with taking down the domestic networks because of the blurry lines between free speech and disinformation.

Mr. Gleicher said that the accounts and pages that Facebook took down on Thursday violated its rules about online spam and that many of the domestic organizations probably had financial motivations for spreading disinformation. The organization can make money by getting people to click on links in Facebook that then direct users to websites filled with ads. Once someone visits the ad-filled website, those clicks mean more ad revenue.

But while traditional spam networks typically use celebrity gossip or stories about natural disasters to get people to click on links that take them to ad-filled sites, these networks were now using political content to attract people’s attention.

Just say no to Facebook

Soldiers in Facebook’s War on Fake News Are Feeling Overrun

Facebook – the sharp tool of mob psychology

QUOTE

MANILA — The fictional news stories pop up on Facebook faster than Paterno Esmaquel II and his co-workers can stamp them out.

Rodrigo Duterte, the president of the Philippines, debated a Catholic bishop over using violence to stop illegal drugs — and won. Pope Francis called Mr. Duterte “a blessing.” Prince Harry and his new wife, Meghan Markle, praised him, too. None were true.

False news is so established and severe in the Philippines that one Facebook executive calls it “patient zero” in the global misinformation epidemic. To fight back in this country, the Silicon Valley social media giant has turned to Mr. Esmaquel and others who work for Rappler, an online news start-up with experience tackling fake stories on Facebook.

While Rappler’s fact checkers work closely with Facebook to investigate and report their findings, they believe the company could do much more.

Right – Facebook do more? Never – they rely on eyeballs for their advertising revenue. The best way to get more eyeballs/revenue is to allow spreading of sensationalist fake news.

“It’s frustrating,” said Marguerite de Leon, 32, a Rappler employee who receives dozens of tips each day about false stories from readers. “We’re cleaning up Facebook’s mess.”

On the front lines in the war over misinformation, Rappler is overmatched and outgunned — and that could be a worrying indicator of Facebook’s effort to curb the global problem by tapping fact-checking organizations around the world. Civil society groups have complained that Facebook’s support is weak. Others have said the company doesn’t offer enough transparency to tell what works and what doesn’t.

Facebook says it has made strides but acknowledges shortcomings. It doesn’t have fact checkers in many places, and is only beginning to roll out tools that would scrutinize visual memes, like text displayed over an image or a short video, sometimes the fastest ways that harmful misinformation can spread.

Paterno Esmaquel II, a Rappler reporter, said the false stories on Facebook just kept coming. “We kill one,” he said, “and another one crops up.” (Photo credit: Jes Aznar for The New York Times)

“This effort will never be finished, and we have a lot more to do,” said Jason Rudin, a Facebook product manager.

For fact checkers themselves, the work takes a toll. Members of Rappler’s staff have received death and rape threats. Rappler brought in a psychologist. It debated bulletproofing the windows and installed a second security guard.

The way to end this is to end Facebook and the way to end Facebook is to delete your account.

World’s largest CCTV maker leaves at least 9 million cameras open to public viewing

Made in China. Maybe it also has an ethernet hardware implant chip if all else fails. Hmmm, I see a trend here.

QUOTE

Xiongmai’s cloud portal opens sneaky backdoor into servers

Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

This time, it’s Chinese surveillance camera maker Xiongmai named and shamed this week by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.

“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.

“The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

Unfortunately, SEC Consult explained, shortcomings in both the devices themselves and the service, such as unencrypted connections and default passwords (owners are not required to change the defaults when setting up the device), mean that in many cases accessing and compromising a camera could be a cinch.

Additionally, SEC Consult notes, the Xiongmai devices do not require that firmware updates be signed, meaning it would be possible for an attacker to install malware-laden firmware updates to build a botnet or stage further attacks on the local network.

“This is either possible by modifying the filesystems, contained in a firmware update, or modifying the ‘InstallDesc’ file in a firmware update file,” researchers explain.

“The ‘InstallDesc’ is a text file that contains commands that are executed during the update.”

On top of it all, SEC Consult accuses Xiongmai of a pattern of ignoring security warnings and failing to take basic precautions.

The research house claims that not only were its latest warnings to the company ignored, but Xiongmai has a history of bad security going all the way back to its days as fodder for the notorious Mirai botnet. As such, the researchers advise companies to stop using any OEM hardware that is based on the Xiongmai hardware. The devices can be identified by their web interface, error page, or product pages advertising the XMEye service.

China back at hacking

Note to Trump – sometimes diplomacy is better than chest thumping.

QUOTE

The Obama-era cyber détente with China was nice, wasn’t it? Yeah well it’s obviously over now
Middle Kingdom is a rising threat once again – research

Infosec pros might have already noticed some familiar IP address ranges in their system logs – China has returned to the cyber-attack arena.

That’s the conclusion of threat intel outfit CrowdStrike, which released its midyear threat report this week (downloadable here with free registration). The firm’s Falcon OverWatch team said that from January to June, state actors were responsible for 48 per cent of intrusion cases, and China is climbing back up the charts.

CTO and co-founder Dmitri Alperovitch tweeted: “CrowdStrike can now confirm that China is back (after a big drop-off in activity in 2016) to being the predominant nation-state intrusion threat in terms of volume of activity against Western industry. MSS is now their #1 cyber actor.”

MSS refers to the Ministry of State Security, which will likely be even more motivated to digitally disrupt the US since a deputy division director was arrested in Belgium in April and extradited to face charges in America.

Alperovitch said that the 2015 Obama-era non-hacking pact had led to a decline in hostile activity, at least at the state level.

Alex Stamos, formerly CSO at Facebook, concurred with Alperovitch: “Most IR professionals I have spoken to believed that there was a real drop in commercially-motivated hacking from the Chinese after the deal.”

That was then. The increasing political hostility between China and the US (and countries like Australia which have followed the US’s lead) is reflected in the online world, CrowdStrike reckoned. “OverWatch data identifies China as the most prolific nation-state threat actor during the first half of 2018.”

Intrusions were attempted against “biotech, defence, mining, pharmaceutical, professional services, transportation, and more”, the report claimed.

The “Chinese threat” has been a CrowdStrike theme for some time: in September, Alperovitch made the same point to Fox Business in a TV interview. He said “every major sector of the economy is being targeted” by the Middle Kingdom.

“Primarily they’re focused on stealing intellectual property… in order to counteract in part the trade tariffs we’re putting into place on them.”

By comparison to the rising Chinese attack traffic, the report’s other key findings were relatively unremarkable: online crims are turning to crack networks to install cryptocurrency miners, with legal and insurance industries a favourite target; the biotech sector is a favoured target for industrial espionage; and criminal actors who once may have used less sophisticated tools are now adopting “tactics, techniques and procedures” learned from nation-state actors.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

One needs to wonder about all those routers and firewalls from the majors that are produced in China.
Also, I think this will do more damage to “Brand China” than dubious tariffs.
And in case you missed it, Bloomberg’s original story “The Big Hack” (excellent read), can be had here

The discovery shows that China continues to sabotage critical technology components bound for America.

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.


The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

….

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.
….
Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.

In other words – bypassing the firewall

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”
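The symptom Sepio describes, one server that shows up on the network as two devices, can be approximated from packet headers alone. The following is an added example in Python, not Sepio's product or method: it groups traffic by source MAC address and flags any MAC whose packets carry more than one IP-stack fingerprint (estimated initial TTL, TCP window size, DF bit), on the reasoning that an implant with its own network stack sharing the host's MAC will answer with different header defaults than the host OS. The log format, the field names and every sample line are constructed for the demonstration.

```python
"""Added example: flag MAC addresses whose traffic looks like it comes from two
different IP stacks (constructed flow log, illustrative heuristic only)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Fingerprint = Tuple[int, int, int]  # (estimated initial TTL, TCP window size, DF bit)

# Constructed per-packet log; the layout and field names are assumptions for the demo.
# Port Gi1/0/7 carries one MAC whose packets come from two different stacks; Gi1/0/8
# shows the same host seen one hop closer (TTL 63 vs 64), which must NOT be flagged.
SAMPLE_LOG = """\
port=Gi1/0/7 mac=00:25:90:12:34:56 ip=10.0.5.12 ttl=64 win=29200 df=1
port=Gi1/0/7 mac=00:25:90:12:34:56 ip=10.0.5.12 ttl=64 win=29200 df=1
port=Gi1/0/7 mac=00:25:90:12:34:56 ip=10.0.5.12 ttl=255 win=5840 df=0
port=Gi1/0/8 mac=00:25:90:ab:cd:ef ip=10.0.5.13 ttl=64 win=29200 df=1
port=Gi1/0/8 mac=00:25:90:ab:cd:ef ip=10.0.5.13 ttl=63 win=29200 df=1
port=Gi1/0/9 mac=3c:fd:fe:00:11:22 ip=10.0.5.20 ttl=128 win=65535 df=1
"""

LINE_RE = re.compile(
    r"port=(?P<port>\S+)\s+mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+ip=(?P<ip>\S+)\s+"
    r"ttl=(?P<ttl>\d+)\s+win=(?P<win>\d+)\s+df=(?P<df>[01])"
)


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value (32/64/128/255),
    so that a few router hops do not turn one host into several fingerprints."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return observed


def parse(lines) -> List[dict]:
    """Parse log lines into records; unparseable lines are skipped rather than guessed."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        records.append({
            "port": m["port"], "mac": m["mac"], "ip": m["ip"],
            "fp": (initial_ttl(int(m["ttl"])), int(m["win"]), int(m["df"])),
        })
    return records


def fingerprints_by_mac(records) -> Dict[str, Set[Fingerprint]]:
    """Collect the distinct stack fingerprints seen behind each source MAC."""
    seen: Dict[str, Set[Fingerprint]] = defaultdict(set)
    for r in records:
        seen[r["mac"]].add(r["fp"])
    return seen


def find_split_personalities(lines) -> Dict[str, List[Fingerprint]]:
    """Return MACs that present more than one distinct IP-stack fingerprint.

    Bonded NICs, bridged VMs, containers and a NAT running on the host can all trigger
    this too, so treat a hit as a lead for physical inspection, not as proof of an implant.
    """
    return {mac: sorted(fps)
            for mac, fps in fingerprints_by_mac(parse(lines)).items()
            if len(fps) > 1}


if __name__ == "__main__":
    for mac, fps in find_split_personalities(SAMPLE_LOG.splitlines()).items():
        print(mac, fps)
```

On the constructed log this flags only 00:25:90:12:34:56, with one Linux-looking fingerprint and one that is neither the host's nor any common desktop OS. In practice the baseline has to be built per host over time, and a hit is the point at which someone walks to the rack: the article's own tell, a metal-sided Ethernet connector where a plastic one is expected, is something no packet capture will show.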

Google Caught with Hand in Cookie Jar Backs Down

“Google backtracks—a bit—on controversial Chrome sign-in feature…Privacy-conscious users were unhappy at being signed in to browser without consent”

Look, just like Facebook, your private data is Google’s bread and butter. If people do not understand this by now, I am not sure what else will make them do so.
QUOTE

Google will partially revert a controversial change made in Chrome 69 that unified signing in to Google’s online properties and Chrome itself and which further preserved Google’s cookies even when users chose to clear all cookies. Chrome 70, due in mid-October, will retain the unified signing in by default, but it will allow those who want to opt out to do so.

Chrome has long had the ability to sign in with a Google account. Doing this offers a number of useful features; most significantly, signed-in users can enable syncing of their browser data between devices, so tabs open on one machine can be listed and opened on another, passwords saved in the browser can be retrieved online, and so on. This signing in uses a regular Google account, the same as would be used to sign in to Gmail or the Google search engine.

Prior to Chrome 69, signing in to the browser was independent of signing in to a Google online property. You could be signed in to Gmail, for example, but signed out of the browser to ensure that your browsing data never gets synced and stored in the cloud. Chrome 69 unified the two: signing in to Google on the Web would automatically sign you in to the browser, using the same account. Similarly, signing out of a Google property on the Web would sign you out of the browser.

Google’s Adrienne Porter Felt, an engineering manager on the Chrome team, tweeted that the change was made to address some confusion on shared systems such as family computers. Prior to the change, Chrome users would remember to sign out of Google’s Web properties but leave the browser itself signed in with their account and hence sync any browser data, even if it was generated by other users of the machine. With the change, merely signing out of Google on the Web is enough to prevent this syncing.

Felt stressed that actually enabling syncing required an additional step; merely signing in to the browser isn’t enough to have your browsing history sent to the cloud, so nobody should find their private browsing data sent to Google accidentally.

Nonetheless…

Nonetheless, some Chrome users were unhappy at the change. Chrome 69 offers no way to decouple this unified logging in, so one errant click would be enough to enable syncing and send a ton of personal data to Google’s servers.

On top of this, Chrome 69 handles Google’s own cookies specially. When choosing to clear all the browser’s stored cookies, those cookies used to sign in to Google on the Web were being preserved, rendering them unremovable.

In response, Google is making changes to Chrome 70. The default behavior will remain as it is in Chrome 69, with signing in to the Web having the effect of signing in to the browser. However, there will now be an option to separate the two, allowing those who never want the browser signed in to do so. Further, the Google sign-in cookies will no longer be given special treatment and will be removed as normal when choosing to clear all the cookies. Chrome 70 is also going to make it clearer when syncing has been enabled.

Google hopes that this change will retain convenience for most Chrome users while also providing the separation that its most privacy-conscious users require.


Yeah – right – until they sneak something else into Chrome to spy

Trump’s axing of cyber czar role has left gaping holes in US defence

Damning report shows Uncle Sam falling behind

Is this stupid or deliberate? I mean, more lax security makes it easier for others to hack and influence US opinion and elections.

QUOTE

A cybersecurity czar has been a long-established presence in US government – until recently. Against a rising tide of attacks on the nation’s infrastructure and election systems, Donald Trump eliminated the post through an executive order in May.

As if to highlight the deficiency of such a move, just two months later the US Government Accountability Office (GAO) told politicians that Uncle Sam had failed to implement 1,000 cyber protection recommendations from a list of 3,000 made since 2010 that it said are “urgent to protect the nation”. Further, 31 out of a total of 35 more recent priority recommendations were also not acted upon. That testimony was released in a report (PDF) this month.

In the infosec arms race, this does not make comfortable reading, particularly since the US cybersecurity coordinator post has been axed.

Despite progress in some areas such as identifying (if not yet filling) gaps in cybersecurity skills, the GAO reckoned that the security holes have left federal agencies’ information and systems “increasingly susceptible to the multitude of cyber-related threats”.

It told the Office of the President, the US Congress and federal agencies of all stripes to shape up and take cybersecurity seriously.

These omissions include having a more comprehensive cybersecurity strategy, better oversight, maintaining a qualified cybersecurity workforce, addressing security weaknesses in federal systems and information and enhancement of incident response efforts.

Nick Marinos, director of cybersecurity and data protection issues, and Gregory C Wilshusen, director of information security issues, signed off September’s report with a stark warning:

Until our recommendations are addressed and actions are taken to address the challenges we identified, the federal government, the national critical infrastructure, and the personal information of US citizens will be increasingly susceptible to the multitude of cyber-related threats that exist.

The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing as security threats continue to evolve and become more sophisticated. These risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks.

The GAO also blasted the IT sector for compounding these risks: “IT systems are often riddled with security vulnerabilities – both known and unknown.”

The report said in 2017 more than 35,000 cybersecurity incidents at civilian agencies had been reported by the Office of Management and Budget to Congress. A breakdown of these figures revealed that 31 per cent of these attacks were listed as “other”, saying: “If an agency cannot identify the threat vector (or avenue of attack), it could be difficult for that agency to define more specific handling procedures to respond to the incident and take actions to minimize similar future attacks.”

Other incidents listed were improper usage (22 per cent), email/phishing (21 per cent), loss or theft of equipment (12 per cent), web site or web app origin based attacks (11 per cent).

Attacks cited include a March 2018 threat when the Mayor of Atlanta, Georgia, reported that the city was being victimised by a ransomware attack.

In March the Department of Justice indicted nine Iranians for conducting a “massive cyber security theft campaign” on behalf of the Islamic Revolutionary Guard Corps. That indictment alleged they stole more than 31TB of documents and data from more than 140 American universities, 30 US companies, and five federal government agencies.

The Russians were also called out for targeting critical systems in nuclear, energy, water and aviation.

But, of course, Trump is a little confused when it comes to Russia’s cyber-dabbling in the US.

You can argue the US government fell behind under the watch of the cyber czar and that action was needed, but that hardly necessitated the elimination of this central post.

The GAO testimony and this month’s report rightly question whether the US was doing enough to protect its citizens and critical infrastructure. The answer seemed to be a “must try harder” – but that’s OK, because improvement can only come through such transparency and self-assessment.

Trump’s May decision and this report taken together suggest that if the West was already slipping behind in the cyber war, things can only get worse now that the supposed leader of the free world has deliberately, and carelessly, taken his eye off the ball on the home front.

Facebook targets ads using phone numbers submitted for security purposes

Quote

If you sometimes — or often — wonder how or why you’re seeing a certain ad online, here’s a possible answer.

Most Facebook users know the company targets ads based on information they willingly give the company, but researchers have found that the social media giant also targets ads based on information users may not know is being used to target them — or information they did not explicitly give the company.

For example, phone numbers provided for two-factor authentication are also being used to target ads on Facebook, according to a new report that cites a study, titled “Investigating sources of PII used in Facebook’s targeted advertising,” by researchers from Northeastern and Princeton universities.

When a user gives Facebook a phone number for two-factor authentication or for the purpose of receiving alerts about log-ins, “that phone number became targetable by an advertiser within a couple of weeks,” Gizmodo reported.

A company spokeswoman told Gizmodo that “we use the information people provide to offer a more personalized experience, including showing more relevant ads.” The spokeswoman pointed out that people can set up two-factor authentication without offering their phone numbers.

However, the study also shows — and Gizmodo tested, by successfully targeting an ad at a computer science professor using a landline phone number — that contacts of Facebook users can be targeted without their consent. Facebook users who share their contacts are exposing those contacts to potential ad targeting.

This means that, as a Facebook spokeswoman told Gizmodo, “We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them.”

A Facebook spokeswoman told this news organization Thursday: “We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

In the study, the researchers said Facebook’s use of personally identifiable information in this way is to be expected, given that it’s the business the company is in. “This incentive is exacerbated with the recent introduction of PII-based targeting, which allows advertisers to specify exactly which users to target by specifying a list of their PII,” they said.

Facebook Does it Again! 50 million Facebook accounts breached

Quote

Facebook reset logins for millions of customers last night as it dealt with a data breach that may have exposed nearly 50 million accounts. The breach was caused by an exploit of three bugs in Facebook’s code that were introduced with the addition of a new video uploader in July of 2017. Facebook patched the vulnerabilities on Thursday, and it revoked access tokens for a total of 90 million users.

In a call with press today, Facebook CEO Mark Zuckerberg said that the attack targeted the “view as” feature, “code that allowed people to see what other people were seeing when they viewed their profile,” Zuckerberg said. The attackers were able to use this feature, combined with the video uploader feature, to harvest access tokens. A surge in usage of the feature was detected on September 16, triggering the investigation that eventually discovered the breach.

“The attackers did try to query our APIs—but we do not yet know if any private information was exposed,” Zuckerberg said. The attackers used the profile retrieval API, which provides access to the information presented in a user’s profile page, but there’s no evidence yet that Facebook messages or other private data was viewed. No credit card data or other information was exposed, according to Facebook.

Regardless, the breach could do further damage to Facebook’s reputation as the company continues to attempt to regain public trust after a recent string of security and privacy issues. In addition to revelations about the misuse of Facebook user data by Cambridge Analytica during the run-up to the 2016 US presidential election, there have been questions about how Facebook itself uses customer data, including the discovery that Facebook had been routinely collecting full call logs and other data from some mobile users.

And if there were not 100 other reasons to ditch Facebook, how about this?

Earlier this week, Facebook acknowledged that it provided phone numbers used for two-factor authentication to advertisers for the purpose of targeting users with advertisements. And Facebook’s Onavo virtual private network application was yanked from Apple’s App Store in August because it was being used by Facebook to collect data about users’ mobile application usage.
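Two of the defensive steps the breach write-up above mentions, spotting an abnormal surge in use of a feature and invalidating every access token issued before the fix went in, are sketched below as an added Python example. It is constructed illustration code, not Facebook's code: the TokenService class, its HMAC-keyed token store, the revocation cut-off semantics and the hourly usage counts are all assumptions made for the example.

```python
"""Access-token lifecycle with bulk revocation plus a feature-usage surge detector.

Constructed example (assumed design, not any real platform's code). Shows:
  * issuing opaque bearer tokens and storing only a keyed hash of them,
  * a global "revoked if issued before T" cut-off for incident response,
  * per-user revocation for individual account resets,
  * a trailing-window z-score check that flags a spike in hourly feature usage.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class TokenService:
    """Issues bearer tokens and validates them against expiry and revocation state."""
    key: bytes                                  # server-side HMAC key (assumed secret)
    ttl: int = 24 * 3600                        # token lifetime in seconds (assumed)
    revoked_before: int = 0                     # global cut-off: tokens issued earlier are dead
    user_revoked_before: dict[int, int] = field(default_factory=dict)
    # keyed hash -> (user_id, issued_at); the raw token itself is never stored
    _store: dict[str, tuple[int, int]] = field(default_factory=dict)

    def _mac(self, token: str) -> str:
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: int, now: int) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits of CSPRNG entropy
        self._store[self._mac(token)] = (user_id, now)
        return token

    def validate(self, token: str, now: int) -> int | None:
        """Return the user id for a live token, or None if unknown, expired or revoked."""
        rec = self._store.get(self._mac(token))
        if rec is None:
            return None
        user_id, issued_at = rec
        if now - issued_at > self.ttl:
            return None                         # expired
        if issued_at < self.revoked_before:
            return None                         # caught by the bulk cut-off
        if issued_at < self.user_revoked_before.get(user_id, 0):
            return None                         # caught by a per-user reset
        return user_id

    def revoke_all_issued_before(self, cutoff: int) -> None:
        """Incident response: everything minted before the patch is untrusted."""
        self.revoked_before = max(self.revoked_before, cutoff)

    def revoke_user(self, user_id: int, now: int) -> None:
        """Force re-login for one account; tokens issued at or before `now` die."""
        self.user_revoked_before[user_id] = now + 1


def surge_hours(hourly_counts: list[int], window: int = 24, z: float = 4.0) -> list[int]:
    """Indices of hours whose count exceeds the trailing window's mean by z std-devs.

    A spike in calls to a feature (here: hourly counts, constructed) is a cheap
    first signal that it is being abused; the first `window` hours are baseline
    only and are never flagged.
    """
    flagged = []
    for i in range(window, len(hourly_counts)):
        base = hourly_counts[i - window:i]
        mu, sd = mean(base), max(pstdev(base), 1.0)   # floor sd so a flat baseline still detects
        if hourly_counts[i] > mu + z * sd:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    svc = TokenService(key=b"example-key-not-for-production")
    old = svc.issue(1, now=1000)
    svc.revoke_all_issued_before(1500)          # "patch landed at 1500"
    new = svc.issue(2, now=2000)
    print("old token valid:", svc.validate(old, 2100))   # None
    print("new token valid:", svc.validate(new, 2100))   # 2
    counts = [100 + (h % 5) * 5 for h in range(24)] + [4000, 112]   # constructed
    print("surge at hours:", surge_hours(counts))          # [24]
```

The bulk cut-off is what makes a mass reset cheap: nothing is iterated or deleted, a single timestamp comparison at validation time retires every token minted before the fix, and the TTL bounds how long any harvested token could have been useful in the first place.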