Facebook Gave Device Makers Deep Access to Data on Users and Friends*:
- As Facebook sought to become the world’s dominant social media service, it struck agreements allowing phone and other device makers access to vast amounts of its users’ personal information.
- Facebook has reached data-sharing partnerships with at least 60 device makers - including Apple, Amazon, BlackBerry, Microsoft and Samsung - over the last decade, starting before Facebook apps were widely available on smartphones.
- The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as “like” buttons and address books.
- Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders.
- Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.
- Most of the partnerships remain in effect, though Facebook began winding them down in April.
- The company came under intensifying scrutiny by lawmakers and regulators after news reports in March that a political consulting firm, Cambridge Analytica, misused the private information of tens of millions of Facebook users.
- Facebook officials defended the data sharing as consistent with its privacy policies, the F.T.C. agreement and pledges to users.
- They said its partnerships were governed by contracts that strictly limited use of the data, including any stored on partners’ servers.
- The company views its device partners as extensions of Facebook, and partners can obtain data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties.
- Several former Facebook software engineers and security experts said they were surprised at the ability to override sharing restrictions.
- Facebook began moving to wind down the partnerships in April, after assessing its privacy and data practices in the wake of the Cambridge Analytica scandal.
- Facebook officials said the private data channels for device partners did not violate the 2011 consent decree because the company viewed its hardware partners as “service providers,” akin to a cloud computing service paid to store Facebook data.
*Source: NY Times, June 4, 2018
Lawsuit Filed in Wake of Under Armour Data Breach*:
- A lawsuit seeking class action status has been filed in the aftermath of a data breach impacting 150 million users of Under Armour's MyFitnessPal mobile application and website.
- The apparel maker – pointing to the app’s terms and conditions of use – has filed a motion for the court to compel arbitration of the case and to dismiss or stay the lawsuit.
- The class action lawsuit comes in the wake of Under Armour disclosing in March that during February, an unauthorized party acquired data associated with the company's MyFitnessPal user accounts.
- MyFitnessPal is a free smartphone app and website that enables users to track diet and exercise to help with weight loss.
- Maryland-based Under Armour had said in a statement in March that while exposed passwords were protected by the strong hashing algorithm bcrypt, other exposed information, including usernames and email addresses, was protected by easier-to-crack SHA-1 hashing.
- The breach did not impact government-issued identifiers (such as Social Security numbers and driver's license numbers) or payment card data.
- The lawsuit, however, says that Under Armour "also collects credit/debit numbers from its users in order for those users to access premium features of these websites and apps."
- In addition to seeking damages, the lawsuit seeks to have the court compel Under Armour to improve its consumer data collection and storage practices.
- On May 29, Under Armour filed a motion asking a California U.S. district court for an order "compelling individual arbitration of plaintiff's claims and dismiss the action with prejudice or, in the alternative, staying this action pending the completion of individual arbitration proceedings."
- Under Armour's motion "is made under the Federal Arbitration Act on the grounds that the plaintiff expressly agreed to arbitrate her claims with Under Armour on an individual basis when she agreed to Under Armour's “Terms and Conditions” of Use."
- It is difficult to predict the fate of the lawsuit, but the court may examine how the arbitration agreement clause was presented in the company's "terms and conditions" for using the MyFitnessPal app.
- Even if the lawsuit is compelled to arbitration, it's possible that one or more state attorneys general could decide to pursue a public policy lawsuit against Under Armour related to the data breach.
- But if the court allows the case to proceed as a class action lawsuit, it would be among the largest data breach cases in terms of the number of victims impacted.
- The suit alleges that the data breach was "a direct and proximate result of Under Armour's failure to properly safeguard and protect plaintiffs' and class members' personally identifiable information from unauthorized access, use and disclosure."
- A potential security issue in the case is whether Under Armour was, indeed, negligent or was exercising reasonable care to secure consumers’ information by protecting some information with SHA-1 hashing, which is considered easier to crack.
*Source: Bank Info Security, June 4, 2018
- In January, Colorado lawmakers on both sides of the aisle introduced a ground-breaking new bill requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules.
- The new law will take effect September 1, 2018, and has significant implications for certain private and public sector entities in Colorado.
- Key updates to Colorado’s new law include: expansion of breach notification requirements and requirements for reasonable security procedures and data disposal.
- Under the new law, “personal information” (PI) means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.
- PI also includes a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account.
- Finally, PI includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.
- In addition, businesses that have to report a data breach affecting Colorado residents will have to notify affected residents and, if more than 500 Colorado residents are affected by the incident, the state’s Attorney General not later than 30 days after the date of determination that a security breach occurred.
- The new law adds requirements for businesses to implement reasonable safeguards to protect personal identifying information (PII), as well as to have procedures for disposing of PII that is no longer needed.
- More specifically, covered entities in Colorado that maintain paper or electronic documents that contain personal identifying information must develop and maintain a written policy for the destruction and proper disposal of those documents.
- Additionally, covered entities that maintain, own, or license personal information, including those that use a non-affiliated third party as a service provider, shall implement and maintain reasonable security procedures and practices to protect PII that are appropriate to the nature of the PII and the nature and size of the business and its operations.
- Moreover, unless the covered entity agrees to provide its own security protection for the information it discloses to a third party, the covered entity “shall require” the third party service provider to implement and maintain reasonable security procedures and practices as appropriate.
- This is a significant expansion of Colorado’s data breach notification law and the state’s rules for safeguarding personal data.
*Source: Nat Law Review, June 4, 2018
Attackers Can Hide Malware in Archive Files with Zip Slip Flaw*:
- A recently disclosed vulnerability in how open source software libraries handle archive files reveals that it only takes a malicious archive and a lack of validation checking to give total control of a victim machine to an attacker.
- Dubbed Zip Slip, the vulnerability was discovered by researchers from software firm Snyk, and it affects multiple ecosystems and thousands of projects, including those from major companies like HP and Amazon.
- Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution.
- How Zip Slip works: It's a directory traversal attack that tries to sneak code into a hidden location when the file is decompressed.
- Directory traversal attacks rely on ".." path segments, used in place of real directory names in an archive entry's path, to climb out of the intended extraction directory and write files elsewhere on the machine, up to its root directory.
- If the decompression software validates entry paths before writing them, it won't allow traversal attacks and will stop Zip Slip.
- The problem is that many open source software libraries don't validate directories when decompressing, allowing Zip Slip to freely drop off its malicious payload.
- Once decompressed, Zip Slip's malicious code can "overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine”.
- If you’ve determined you’re vulnerable you can find links to updated versions by following the GitHub link to the Zip Slip project.
*Source: Tech Republic, June 7, 2018
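The validation step the Zip Slip summary above calls for, as an added example that is not from the original article or from Snyk's project: an extractor that canonicalises every entry path, refuses any archive containing an entry that resolves outside the destination directory, and writes nothing until all entries have passed. The archives it processes are constructed in memory for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Resolve an archive entry name against dest_dir; raise if it escapes."""
    dest_root = os.path.realpath(dest_dir)
    # Canonicalise after joining so '..' segments collapse into the real target path.
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ValueError(f"entry {member_name!r} escapes {dest_root!r}")
    return target

def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract an in-memory zip into dest_dir, or refuse the whole archive.
    Returns the offending entry names; if there are any, nothing is written."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        plan, rejected = [], []
        for info in zf.infolist():  # validate every entry before writing any
            try:
                plan.append((info, safe_member_path(dest_dir, info.filename)))
            except ValueError:
                rejected.append(info.filename)
        if rejected:
            return rejected
        for info, target in plan:
            if info.is_dir():
                continue  # parent directories are created as files are written
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return []

def build_archive(entries: dict) -> bytes:
    """Build a zip in memory from {entry_name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo() -> dict:
    """Run a benign archive and one carrying a '..' entry through safe_extract."""
    benign = build_archive({"docs/readme.txt": "benign content\n"})
    hostile = build_archive({"docs/a.txt": "x\n", "../../outside.txt": "y\n"})
    with tempfile.TemporaryDirectory() as dest:
        result = {"benign_rejected": safe_extract(benign, dest)}
        result["benign_written"] = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
        result["hostile_rejected"] = safe_extract(hostile, dest)
    return result
```

The check is done on the resolved path rather than by searching the name for "..", so absolute entry names and mixed separators are caught by the same comparison.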
Ticket Site Hack Leaves 26 Million Users Exposed*:
- Since its founding in 2008, upstart Ticketfly grew rapidly into a legitimate challenger in the ticketing business, and was acquired by Eventbrite in 2017.
- With tens of millions of registered users and sensitive personal data on file, a breach of Ticketfly's servers would be a major score.
- On June 1st, personally identifiable information on 26 million customers and employees was taken.
- The hacker demanded 1 Bitcoin (currently about $7,600) from Eventbrite in exchange for information about how the attack went down.
- A number of cyber security researchers believe that unauthorized access was gained by exploiting a vulnerability in Ticketfly's WordPress-based website.
- Hackers often scan WordPress sites looking for evidence of third-party plugins that can be attacked.
- Even though Automattic, the company behind WordPress, provides regular patches for its own software, it can't ensure that users are installing those patches in a timely manner.
- Third-party plugins are also beyond its control, and it's all too common that those plugins get forgotten and wind up woefully out-of-date.
- The Ticketfly breach wasn't as disastrous as it might have been; the attacker did not gain access to user passwords, and payment card details don't appear to have been compromised.
*Source: Forbes, June 7, 2018
How Hackers Can Mine Cryptocurrency in Your Serverless Computing Environment*:
- Security researchers at PureSec have discovered an attack method that enables hackers to mine cryptocurrency in hijacked serverless computing environments.
- A successful attack would leave an affected organization with a massive bill for all the resources used by the crypto hijacker.
- All an attacker requires to start mining cryptocurrency in a serverless environment is a single vulnerable serverless function.
- If the attacker can use remote code execution to gain access to one function, researchers found, they could scale the attack up to consume all available resources.
- Serverless cryptomining can also be done under the radar, meaning that the victim would be unaware that their serverless environment was affected until the bill comes at the end of the month.
- The team from PureSec said that it was able to exploit serverless functions from three leading cloud providers, tricking them via remote code execution into downloading off-the-shelf cryptomining software during function execution, installing it, and running it alongside the function's normal tasks.
- Serverless environments are designed to scale based on computing needs, but there's no way for those environments to tell what a legitimate need is and what's being performed for a hijacker.
- By exploiting the autoscaling nature of serverless computing, the PureSec team was able to force the cryptomining function to scale until the instance reached its computing power limit.
- Many serverless consumers are still struggling with application security of their serverless functions, which allows attackers to perform crypto-mining activities under the radar, without being spotted.
- The only current way to mitigate the attack is by using a Serverless Security Runtime Environment (SSRE).
- Custom-built serverless computing security suites are necessary, and if you're not running one you should strongly consider it.
*Source: Tech Republic, June 7, 2018