Monthly Archives: September 2018

Trump’s axing of cyber czar role has left gaping holes in US defence

Damning report shows Uncle Sam falling behind

Quote

Is this stupid or deliberate? I mean, more lax security makes it easier for others to hack and influence US opinion and elections.

A cybersecurity czar has been a long-established presence in US government – until recently. Against a rising tide of attacks on the nation’s infrastructure and election systems, Donald Trump eliminated the post through an executive order in May.

As if to highlight the deficiency of such a move, just two months later the US Government Accountability Office (GAO) told politicians that Uncle Sam had failed to implement 1,000 cyber protection recommendations from a list of 3,000 made since 2010 that it said are “urgent to protect the nation”. Further, 31 out of a total of 35 more recent priority recommendations were also not acted upon. That testimony was released in a report (PDF) this month.

In the infosec arms race, this does not make comfortable reading, particularly since the US cybersecurity coordinator post has been axed.

Despite progress in some areas such as identifying (if not yet filling) gaps in cybersecurity skills, the GAO reckoned that the security holes have left federal agencies’ information and systems “increasingly susceptible to the multitude of cyber-related threats”.

It told the Office of the President, the US Congress and federal agencies of all stripes to shape up and take cybersecurity seriously.

These omissions include having a more comprehensive cybersecurity strategy, better oversight, maintaining a qualified cybersecurity workforce, addressing security weaknesses in federal systems and information and enhancement of incident response efforts.

Nick Marinos, director of cybersecurity and data protection issues, and Gregory C Wilshusen, director of information security issues, signed off September’s report with a stark warning:

Until our recommendations are addressed and actions are taken to address the challenges we identified, the federal government, the national critical infrastructure, and the personal information of US citizens will be increasingly susceptible to the multitude of cyber-related threats that exist.

The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing as security threats continue to evolve and become more sophisticated. These risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks.

The GAO also blasted the IT sector for compounding these risks: “IT systems are often riddled with security vulnerabilities – both known and unknown.”

The report said in 2017 more than 35,000 cybersecurity incidents at civilian agencies had been reported by the Office of Management and Budget to Congress. A breakdown of these figures revealed that 31 per cent of these attacks were listed as “other”, saying: “If an agency cannot identify the threat vector (or avenue of attack), it could be difficult for that agency to define more specific handling procedures to respond to the incident and take actions to minimize similar future attacks.”

Other incidents listed were improper usage (22 per cent), email/phishing (21 per cent), loss or theft of equipment (12 per cent), web site or web app origin based attacks (11 per cent).

Attacks cited include a March 2018 threat when the Mayor of Atlanta, Georgia, reported that the city was being victimised by a ransomware attack.

In March the Department of Justice indicted nine Iranians for conducting a “massive cyber security theft campaign” on behalf of the Islamic Revolutionary Guard Corps. That indictment alleged they stole more than 31TB of documents and data from more than 140 American universities, 30 US companies, and five federal government agencies.

The Russians were also called out for targeting critical systems in nuclear, energy, water and aviation.

But, of course, Trump is a little confused when it comes to Russia’s cyber-dabbling in the US.

You can argue the US government fell behind under the watch of the cyber czar and that action was needed, but that hardly necessitated the elimination of this central post.

The GAO testimony and this month’s report rightly question whether the US was doing enough to protect its citizens and critical infrastructure. The answer seemed to be a “must try harder” – but that’s OK, because improvement can only come through such transparency and self-assessment.

Trump’s May decision and this report taken together suggest that if the West was already slipping behind in the cyber war, things can only get worse now that the supposed leader of the free world has deliberately, and carelessly, taken his eye off the ball on the home front.

Facebook targets ads using phone numbers submitted for security purposes

Quote

If you sometimes — or often — wonder how or why you’re seeing a certain ad online, here’s a possible answer.

Most Facebook users know the company targets ads based on information they willingly give the company, but researchers have found that the social media giant also targets ads based on information users may not know is being used to target them — or information they did not explicitly give the company.

For example, phone numbers provided for two-factor authentication are also being used to target ads on Facebook, according to a new report that cites a study, titled “Investigating sources of PII used in Facebook’s targeted advertising,” by researchers from Northeastern and Princeton universities.

When a user gives Facebook a phone number for two-factor authentication or for the purpose of receiving alerts about log-ins, “that phone number became targetable by an advertiser within a couple of weeks,” Gizmodo reported.

A company spokeswoman told Gizmodo that “we use the information people provide to offer a more personalized experience, including showing more relevant ads.” The spokeswoman pointed out that people can set up two-factor authentication without offering their phone numbers.

However, the study also shows — and Gizmodo tested, by successfully targeting an ad at a computer science professor using a landline phone number — that contacts of Facebook users can be targeted without their consent. Facebook users who share their contacts are exposing those contacts to potential ad targeting.

This means that, as a Facebook spokeswoman told Gizmodo, “We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them.”

A Facebook spokeswoman told this news organization Thursday: “We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

In the study, the researchers said Facebook’s use of personally identifiable information in this way is to be expected, given that it’s the business the company is in. “This incentive is exacerbated with the recent introduction of PII-based targeting, which allows advertisers to specify exactly which users to target by specifying a list of their PII,” they said.

Facebook Does it Again! 50 million Facebook accounts breached

Quote

Facebook reset logins for millions of customers last night as it dealt with a data breach that may have exposed nearly 50 million accounts. The breach was caused by an exploit of three bugs in Facebook’s code that were introduced with the addition of a new video uploader in July of 2017. Facebook patched the vulnerabilities on Thursday, and it revoked access tokens for a total of 90 million users.

In a call with press today, Facebook CEO Mark Zuckerberg said that the attack targeted the “view as” feature, “code that allowed people to see what other people were seeing when they viewed their profile,” Zuckerberg said. The attackers were able to use this feature, combined with the video uploader feature, to harvest access tokens. A surge in usage of the feature was detected on September 16, triggering the investigation that eventually discovered the breach.

“The attackers did try to query our APIs—but we do not yet know if any private information was exposed,” Zuckerberg said. The attackers used the profile retrieval API, which provides access to the information presented in a user’s profile page, but there’s no evidence yet that Facebook messages or other private data was viewed. No credit card data or other information was exposed, according to Facebook.

Regardless, the breach could do further damage to Facebook’s reputation as the company continues to attempt to regain public trust after a recent string of security and privacy issues. In addition to revelations about the misuse of Facebook user data by Cambridge Analytica during the run-up to the 2016 US presidential election, there have been questions about how Facebook itself uses customer data, including the discovery that Facebook had been routinely collecting full call logs and other data from some mobile users.

And if there were not 100 other reasons to ditch Facebook, how about this?

Earlier this week, Facebook acknowledged that it provided phone numbers used for two-factor authentication to advertisers for the purpose of targeting users with advertisements. And Facebook’s Onavo virtual private network application was yanked from Apple’s App Store in August because it was being used by Facebook to collect data about users’ mobile application usage.