Connect Now

Security failure at Facebook – what we know

Posted on October 5, 2018 // Leave a Comment

Facebook said up to 50 million accounts were directly affected. Hackers swiped digital keys, called ‘access tokens’, which let users stay connected to their accounts without having to enter passwords anew. — AFP Relaxnews

The security breach revealed on Sept 28 by Facebook affected tens of millions of accounts at the social network, which boasts more than 2.2 billion monthly users.

On Oct 3, the Irish data authority said it was opening up a formal investigation into whether the world’s biggest social network complied with tough new EU privacy regulations.

What happened?

Hackers took advantage of a “complex interaction” between three software bugs, which required a degree of sophistication.

The vulnerability was created by a change to a video uploading feature in July 2017.

It involved a flaw in a “See As” feature that showed Facebook what their profiles look like to other people at the social network.

Using the feature generated digital keys, called “access tokens”, which let users stay connected to their accounts without having to enter passwords anew.

Hackers were able to steal copies of the digital keys, giving them the same access and control of accounts as their legitimate owners.

On Sept 16, Facebook noticed a spike in activity that prompted it to investigate.

On Sept 25, Facebook engineers determined hackers had launched a sophisticated attack exploiting the vulnerability. A fix was in place two days later and stolen tokens rendered useless.

Facebook did not disclose when hackers first took advantage of the flaw, saying the investigation was early.

What data was leaked?

Information hackers appeared interested in included names, genders, and home towns, but it was not clear for what purposes, the executives said in a telephone briefing.

Facebook said it was still trying to figure out what, if anything, hackers did in violated accounts. It did not seem at the outset that messages or posts were tampered with, and there was no access to banking or password information, according to the social network.

Given that digital keys opened Facebook doors wide to hackers, they would have had the ability to reach into third party applications linked to social network accounts.

They would have been able to get into linked accounts including Messenger or Instagram, both owned by Facebook, but not into the social network’s WhatsApp service.

An analysis of logs of third-party applications turned up no sign they were meddled with by the hackers, Facebook said on Oct 2.

Who should worry?

Facebook said that “up to 50 million accounts” were directly affected, meaning hackers swiped digital keys.

According to the Data Protection Commission in Ireland, five million or fewer European users were among those affected.

An additional 40 million accounts that used the “View As” feature had tokens reset although it didn’t appear they were targeted by hackers.

Measures taken by Facebook?

Facebook said it sealed the breach late on Sept 27 in California, where it has its headquarters, and alerted US law enforcement authorities as well as regulators in Ireland.

Facebook invalidated “access tokens” at issue in the breach, requiring people to log in anew with passwords. The social network informed those involved by posting messages atop news feeds.

What is the risk to Facebook?

The risks for Facebook depend on how it complied with various laws and regulations, including the new General Data Protection Regulation in Europe.

Questions likely to be asked will include whether Facebook was fast enough notifying users of the breach and how well it protected accounts.

Protection of people’s data falls under the purview of the Federal Trade Commission in the United States, but states could also be interested in making sure local privacy or data protection laws were not violated.

In Europe, the Facebook breach and how it was handled would be examined through the lens of the GDPR, which strengthened protection for personal data.

Companies can now be fined a percentage of annual revenue if they break GDPR rules. Facebook appeared to have complied with a 72-hour deadline regarding publicly disclosing a hack, which could spare it a fine of more than a billion dollars. – AFP Relaxnews

Source: The Star Online

Filed Under: Security //

Hackers infect thousands of websites to mine cryptocurrencies

Posted on February 13, 2018 // Leave a Comment

Researchers warn about a kind of malware that can deliver profits without being obvious to users. — AFP Relaxnews

The attack is the first major incident made public in which a new breed of hackers took over a large numbers of websites to effectively create currencies like bitcoin which are generated by using computing power.

The attacks made public over the weekend by British security researcher Scott Helme showed more than 4,000 website were infected in this manner, including those of the British data protection and privacy watchdog and the US federal courts system.

Unlike traditional attacks, these infections do not contain “ransomware” or steal data, but operate in stealth mode to make profits from the shadowy world of cryptocurrencies.

Helme said in a blog post that the hackers were able to reach large numbers of websites by infecting a commonly used “plug-in,” or software which helps a site run better. In this case, the hackers used the malicious software to create Monero, one of several new cryptocurrencies which are making a splash in financial markets.

“If you want to load a crypto miner on 1,000 websites you don’t attack 1,000 websites, you attack the one website that they all load content from,” he said.

The creator of the plug-in, the British software firm TextHelp, said it took the affected software offline after it discovered the “attempt to illegally generate cryptocurrency”. “This was a criminal act and a thorough investigation is currently underway,” the company said in a statement.

Researchers have been warning in recent weeks about this kind of malware, which can deliver profits without being obvious to users. Security researchers at Cisco Talos warned last month that this kind of hacking activity “has exponentially increased”.

Because of the huge financial gains in cryptocurrencies, Cisco researchers said this has become a prime target for hackers. “At a high level mining is simply using system resources to solve large mathematical calculations which result in some amount of cryptocurrency being awarded to the solvers,” Cisco researchers wrote in a research note.

Security researcher Graham Cluley said the latest attack highlights vulnerabilities in websites which may have weaknesses in third party components.

“Things could have been much worse,” Cluley said in a blog post. “Imagine if the plug-in had been tampered with to steal login passwords rather than steal CPU resources from visiting computers.” — AFP Relaxnews

Source: The Star Online

Filed Under: Security, Technology //

Meltdown & Spectre – Computer chip ‘flaw’ sparks security debate amid scramble for fix

Posted on January 5, 2018 // Leave a Comment

Intel said it was working with AMD and ARM Holdings and with the makers of computer operating software “to develop an industry-wide approach to resolve this issue promptly and constructively.” — Reuters

WASHINGTON: A newly discovered vulnerability in computer chips raised concerns Jan 3 that hackers could access sensitive data on most modern systems, as technology firms sought to play down the security risks.

Chip giant Intel issued a statement responding to a flurry of warnings surfacing after researchers discovered the security hole which could allow privately stored data in computers and networks to be leaked.

Intel labelled as incorrect reports describing a “bug” or “flaw” unique to its products.

Intel chief executive Brian Krzanich told CNBC that “basically all modern processers across all applications” use this process known as “access memory,” which was discovered by researchers at Google and kept confidential as companies work on remedies.

Google, meanwhile, released findings from its security researchers who sparked the concerns, saying it made the results public days ahead of schedule because much of the information had been in the media.

The security team found “serious security flaws” in devices powered by Intel, AMD and ARM chips and the operating systems running them and noted that, if exploited, “an unauthorised party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications.”

“As soon as we learned of this new class of attack, our security and product development teams mobilised to defend Google’s systems and our users’ data,” Google said in a security blog.

“We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web.”

Spectre and Meltdown

The Google team said the vulnerabilities, labelled “Spectre” and “Meltdown,” affected a number of chips from Intel as well as some from AMD and ARM, which specializes in processors for mobile devices.

Intel said it was working with AMD and ARM Holdings and with the makers of computer operating software “to develop an industry-wide approach to resolve this issue promptly and constructively.”

Jack Gold, an independent technology analyst, said he was briefed in a conference call with Intel, AMD and ARM on the issue and that the three companies suggested concerns were overblown.

“All the chips are designed that way,” Gold said.

The companies were working on remedies after “some researchers found a way to use existing architecture and get into protected areas of computer memory and read some of the data,” he added.

Microsoft said in a statement it had no information suggesting any compromised data but was “releasing security updates today to protect Windows customers against vulnerabilities.”

But an AMD spokesman said that because of the differences in AMD processor architecture, “we believe there is near zero risk to AMD products at this time.”

ARM meanwhile said it was “working together with Intel and AMD” to address potential issues “in certain high-end processors, including some of our Cortex-A processors.”

“We have informed our silicon partners and are encouraging them to implement the software mitigations developed if their chips are impacted,” the SoftBank-owned firm said.

Slowdown?

Earlier this week, some researchers said any fix – which would need to be handled by software – could slow down computer systems, possibly by 30% or more.

Intel’s statement said these concerns, too, were exaggerated.

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” the company statement said.

Tatu Ylonen, security researcher at SSH Communications Security, said the patches “will be effective” but it will be critical to get all networks and cloud services upgraded, Ylonen said.

British security researcher Graham Cluley also expressed concern “that attackers could exploit the flaw on vulnerable systems to gain access to parts of the computer’s memory which may be storing sensitive information. Think passwords, private keys, credit card data.”

But he said in a blog post that it was “good news” that the problem had been kept under wraps to allow operating systems such as those from Microsoft and Apple to make security updates before the flaw is maliciously exploited. — AFP

Source: The Star Online

Filed Under: Security, Technology //

China forbidding anonymous online posts

Posted on August 30, 2017 // Leave a Comment

China’s crackdown on Internet freedom is getting even more intense. Last Friday, the country’s top Internet censor announced a new set of regulations meant to eliminate posts by anonymous users on Internet forums and other platforms. The Cyberspace Administration of China will start enforcing those rules on Oct. 1.

According to the new regulations, Internet companies and service providers are responsible for requesting and verifying real names from users when they register and must immediately report illegal content to the authorities. Tech firms, including Baidu, Alibaba and Tencent, are under more pressure to serve as the government’s gatekeepers as China prepares for the 19th National Congress of the Communist Party this fall, which is expected to place new people in several key leadership positions.

Furthermore, a new cybersecurity law that went into effect at the beginning of June requires tech companies to store important data on servers within China. While this is supposedly meant to protect sensitive information, it can also make it easier for the government to track and persecute Internet users.

Along with announcing its new regulations about anonymous posts on Friday, the CAC also specified what content is forbidden from being published online (link and translation via Google Translate), citing a passage from a bill that was passed in 2000 to regulate Internet information services in China. The list is so broad that it can cover almost anything:

Article 15 of the Measures for the Administration of Internet Information Services stipulates that Internet information service providers shall not make, reproduce, publish or disseminate information containing the following: (1) opposing the basic principles as defined in the Constitution; (2) endangering national security (3) to damage national honor and interests; (4) to incite national hatred, ethnic discrimination and undermine national unity; (v) to undermine national religious policies and to promote cults and (6) spreading rumors, disrupting social order and destroying social stability; (7) spreading pornography, pornography, gambling, violence, murder, terror or abetting a crime; (8) insulting or slandering others and infringing upon others (9) Any other content that is prohibited by laws and administrative regulations.

While China has issued various rules requiring online real-name registration for years, the CAC’s new regulations are another sign that the government is becoming increasingly stringent about censorship. For example, using VPNs to access blocked sites like Facebook and Twitter was relatively easy until earlier this year when the government began a crackdown that many observers believe is much more serious than previous attempts to enforce the ban.

As The Diplomat notes, China is taking a multi-pronged approach as it doubles down on censorship, placing more pressure on international publishers as well.

Source: TechCrunch

Filed Under: Business Tech, Security //

Hackers deface Malaysian sites

Posted on August 22, 2017 // Leave a Comment

At least 33 local websites have been hacked and defaced by Indonesian hacker group KidsZonk, who are ostensibly unhappy by the flag blunder in the official souvenir booklet of the Kuala Lumpur SEA Games 2017.

Clicking on the sites redirects users to a splash page which features the booklet that carried the Indonesian flag upside down, along with a message “Bendera Negaraku Bukanlah Mainan” (My national flag is not for playing).

Indonesia’s patriotic song “Indonesia Pusaka” will also play in the background, with users having no option but to exit the website.

However, no official government pages or websites belonging to large corporations were affected, with the hacked sites primarily private and business blogs.

CyberSecurity Malaysia (CSM) chief executive officer Datuk Amirudin Abdul Wahab, in a statement, confirmed the attacks, claiming that 33 sites have been defaced as of 3.40pm today.

“CSM has been receiving several reports of incidents targeting Malaysian websites, confidential information leaks and possible distributed denial of services (DDOS) attacks.

“The incident is real and we are conducting an investigation, monitoring and working closely with other agencies to mitigate this incident,” he said.

CSM, through the Malaysian Computer Emergency Response Team (MyCERT), has also released an advisory for system administrator to take the necessary measures to secure their systems, which can be found on its website.

Following the flag blunder, which was first raised by Indonesian Youth and Sports Minister Imam Nahrawi on Saturday, Youth and Sports Minister Khairy Jamaluddin had publicly apologised for the incident.

Foreign Minister Datuk Seri Anifah Aman, in a statement, had also said Malaysia regretted the error made by the Malaysian Organising Committee (Masoc).

Source: Daily Express Online

Filed Under: Security //

‘Dronejacking’ may be the next big cyber threat

Posted on December 5, 2016 // Leave a Comment
Next targets: Companies like Amazon, DHL and UPS are expected to use drones for package deliveries – becoming potential targets for criminals, the report said. — Deutsche Post/DHL

test

WASHINGTON: A big rise in drone use is likely to lead to a new wave of “dronejackings” by cybercriminals, security experts warned.

A report by Intel’s McAfee Labs said hackers are expected to start targeting drones used for deliveries, law enforcement or camera crews, in addition to hobbyists.

”Drones are well on the way to becoming a major tool for shippers, law enforcement agencies, photographers, farmers, the news media, and more,” said Intel Security’s Bruce Snell, in the company’s annual threat report.

Snell said the concept of dronejacking was demonstrated at a security conference last year, where researchers showed how someone could easily take control of a toy drone.

”Although taking over a kid’s drone may seem amusing and not that big of an issue, once we look at the increase in drone usage potential problems starts to arise,” he said.

The report noted that many consumer drones lack adequate security, which makes it easy for an outside hacker to take control.

Companies like Amazon and UPS are expected to use drones for package deliveries – becoming potential targets for criminals, the report said.

”Someone looking to ‘dronejack’ deliveries could find a location with regular drone traffic and wait for the targets to appear,” the report said.

”Once a package delivery drone is overhead, the drone could be sent to the ground, allowing the criminal to steal the package.”

The researchers said criminals may also look to steal expensive photographic equipment carried by drones, to knock out surveillance cameras used by law enforcement.

Intel said it expects to see dronejacking “toolkits” traded on “dark web” marketplaces in 2017.

”Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news,” the report said.

Other predictions in the report included a decrease in so-called “ransomware” attacks as defences improve, but a rise in mobile attacks that enable cyber thieves to steal bank account or credit card information.

The report also noted that cybercriminals will begin using more sophisticated artificial intelligence or “machine learning” techniques and employ fake online ads. — AFP

Source: The Star Online

Filed Under: Security, Technology //