This week
Facebook data breach, sorry, ‘data scraping’ incident
Facebook fanned the flames of critics this week with its response to the details of 533 million users being posted publicly online. The data includes full name, email address, telephone number, date of birth and location, and covers 30 million American and 11 million UK Facebook users. You can check whether your data is present by searching for your email address or phone number at haveibeenpwned.com. A Facebook spokesperson said the company had no plans to notify users, as it was unsure exactly which users needed notifying, that users could take no action to address the issue (i.e. you can’t change your name or date of birth) and that it was “public information”. The data appears to have been acquired before September 2019 and so has likely been traded amongst cybercriminals for over a year.
The vacuum of information left by Facebook trying to downplay the breach has led to significant confusion; it’s tiring for users to sort through the coverage and speculation. If this is the issue covered in 2019, Facebook made no formal notification at that time either, and that may come back to bite: the company admits to neither notifying customers nor making an official filing at the time.
The source of the information appears to be poor design and engineering practice. The ‘contact importer’ feature allowed users to upload their address book to find people they know on the social network. (Side note: this also creates ‘shadow profiles’ for people who are not on Facebook.) Here’s the thing: you could simply put every possible phone number (+44 0000 000001, +44 0000 000002, …, +44 9999 999999) in your address book, keep resubmitting it, and Facebook would tell you which numbers matched and who each user was.
Unless you’re Tom from MySpace, you probably aren’t friends with everybody.
Facebook’s engineers didn’t see that as an issue worth worrying about, though: it was reported to them in 2017 but the company decided it was ‘public information’, as users had opted in to being matched via phone number.
This is why Facebook is saying this isn’t ‘a hack’ but merely ‘scraping’ of profile information.
That seems at odds with some users who say their phone numbers are set to private, and Joseph Cox at Vice Motherboard is reporting on a second Telegram bot that appears to offer a similar service and contains a seemingly different set of user information.
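To make the engineering point concrete, here is an added illustration (my own code, not Facebook’s, and not a description of how the real contact importer was implemented) of why an unthrottled “find my contacts” lookup is an enumeration oracle, beside one way of budgeting it. The directory, phone numbers, batch size and thresholds are all constructed for the example; the miss-ratio heuristic is an assumption about what separates a real address book (mostly hits) from a numbering-plan walk (almost all misses).

```python
"""
Constructed example: a contact importer as a phone-number oracle.

NaiveImporter answers every lookup with no limits, so an attacker can
walk a whole number range in batches and recover the directory.
ThrottledImporter adds two per-caller controls (assumed values):
  * a cap on distinct numbers ever looked up;
  * a cap on the miss ratio once enough lookups have been seen.
"""
import itertools
from collections import defaultdict

# Constructed directory of users who opted in to "find me by phone number".
DIRECTORY = {
    "+440000000007": "alice",
    "+440000000042": "bob",
    "+440000000900": "carol",
}


class NaiveImporter:
    """Matches every uploaded number against the directory, no limits."""

    def __init__(self, directory):
        self.directory = directory

    def find_friends(self, caller, uploaded_numbers):
        # Fresh numbers on every upload are never questioned, so the
        # "address book" can be the entire numbering plan.
        return {n: self.directory[n] for n in uploaded_numbers if n in self.directory}


class ThrottledImporter:
    """Same feature with an enumeration budget per caller (assumed limits)."""

    def __init__(self, directory, max_distinct=500, max_miss_ratio=0.9, min_sample=100):
        self.directory = directory
        self.max_distinct = max_distinct
        self.max_miss_ratio = max_miss_ratio
        self.min_sample = min_sample
        self.seen = defaultdict(set)    # caller -> distinct numbers looked up
        self.misses = defaultdict(int)  # caller -> lookups that matched nobody

    def find_friends(self, caller, uploaded_numbers):
        results = {}
        for n in uploaded_numbers:
            self.seen[caller].add(n)
            if len(self.seen[caller]) > self.max_distinct:
                raise PermissionError("lookup budget exhausted")
            if n in self.directory:
                results[n] = self.directory[n]
            else:
                self.misses[caller] += 1
            total = len(self.seen[caller])
            if total >= self.min_sample and self.misses[caller] / total > self.max_miss_ratio:
                raise PermissionError("upload looks like enumeration")
        return results


def enumerate_range(importer, caller, prefix="+44000000", width=4, batch=250):
    """Attacker: submit every number in a range as an 'address book', in batches."""
    numbers = (f"{prefix}{i:0{width}d}" for i in range(10 ** width))
    found = {}
    while True:
        chunk = list(itertools.islice(numbers, batch))
        if not chunk:
            return found
        found.update(importer.find_friends(caller, chunk))


def demo():
    """Return (what the naive oracle leaks, why the throttled one stopped, lookups it allowed)."""
    leaked = enumerate_range(NaiveImporter(DIRECTORY), caller="attacker")
    throttled = ThrottledImporter(DIRECTORY)
    try:
        enumerate_range(throttled, caller="attacker")
        reason = None
    except PermissionError as exc:
        reason = str(exc)
    return leaked, reason, len(throttled.seen["attacker"])


if __name__ == "__main__":
    print(demo())
```

Against the constructed directory the naive importer hands back all three opted-in users after one sweep of the range, while the throttled one refuses after the first hundred lookups because 98 of them matched nobody. The real lesson is that “opted in to be found by phone number” is a statement about one lookup at a time, not about bulk harvesting; the budget has to be enforced on the caller, not on the data.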
Again, the lack of clear info and ownership from Facebook is clouding the issues.
Data sets are merged and resold by cybercriminals and a seemingly inconsequential series of data breaches may add up to a significant profile on an individual. We’re only just beginning to have to deal with the long-term consequences of data breaches (hacked, or scraped). Amassing vast quantities of data has long been favoured by Silicon Valley however perhaps tech companies will start to see data less as ‘the new oil’ and more as potential ‘radioactive waste’.
The outcome of this - and Facebook’s success or failure to cast this as information voluntarily shared by users that it isn’t responsible for - will colour that debate.
That debate, and more details on this, will eventually come to light as Ireland’s Data Protection Commission (DPC) has opened an investigation on behalf of EU countries. Russia’s telco watchdog, Roskomnadzor, has also requested ‘complete information about the leak’ affecting Russian users.
wired.com, theguardian.com, medium.com (2017 report), vice.com, bbc.co.uk (DPC), @ashk4n tweets
Interesting stats
200 large-scale cyber attacks on ‘Operators of Vital Importance’ in France during 2020, out of ~250 finance, health, energy and other critical infrastructure organisations designated as such by ANSSI, the French cyber security agency ft.com
39% of Bring Your Own Device policies created in response to COVID remote working will remain permanent, according to Verizon scmagazine.com
15% of people made up passwords containing their pets name, 14% use the name of a family member, and 13% use a significant date (such as birthday or anniversary), while 6% use their favourite sports team, according to research by the U.K. National Cyber Security Centre (NCSC) ncsc.gov.uk
Other newsy bits
FBI arrest far-right extremist for bomb-plot against AWS Virginia data centre
A physical rather than a cyber threat, though ultimately targeting the digital world: Seth Pendley, known by his handle Dionysus, was arrested by the FBI this week after trying to buy C4 explosives from an undercover agent. Pendley had posted on a far-right message board that the Capitol rioters “went into this with the intentions of getting very little done,” asking “how much did you expect to do when we all willingly go in unarmed.” His posts were reported to the FBI, who began investigating him. Pendley believed a successful attack on AWS’ Virginia data centre would “kill off about 70% of the Internet”. AWS accounts for less than 30% of the cloud market, and the Internet itself is far more than cloud services. wired.com, theregister.com
Unexpected side-effects of censorship by degrading service
Research published this week shows that, starting a month ago, Russia began ‘censoring’ Twitter. The method is novel, though: rather than blocking access outright, connections to the company’s URL-shortening service (t.co) appear to be throttled to a meagre 128kbps. The implementation appeared to look for the substring ‘t.co’ in the domain name and so unintentionally slowed down microsoft.com and reddit.com as well (both contain that substring). The thinking seemingly being that users become frustrated with the app’s performance and gradually reduce their usage. It’s also harder to attribute: is it just a problem with the site or app itself? The thing that caught my attention, however, was an unintended side-effect: increased processing and memory requirements on popular websites, which need to keep connections open longer to serve Russian users. arstechnica.com
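The collateral damage is a matching bug, and it is worth seeing exactly how it happens. The following is an added example (my own code, not the researchers’ or the censor’s): a substring rule for ‘t.co’ beside a label-aware rule that matches the registrable domain or its subdomains, run over a constructed list of URLs. The URLs and the target list are assumptions for illustration only.

```python
"""
Constructed example: why a substring rule for "t.co" throttles
unrelated hosts, and the label-aware rule that does not.
"""
from urllib.parse import urlsplit

THROTTLED = {"t.co"}  # assumed target list


def naive_match(host, targets=THROTTLED):
    """Substring rule: true if any target appears anywhere in the host."""
    return any(t in host for t in targets)


def domain_match(host, targets=THROTTLED):
    """Label-aware rule: host equals the target or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in targets)


def host_of(url):
    """Hostname part of a URL ('' if absent), the value DPI would key on."""
    return urlsplit(url).hostname or ""


SAMPLE_URLS = [  # constructed sample
    "https://t.co/abc123",
    "https://www.microsoft.com/",
    "https://www.reddit.com/r/netsec",
    "https://twitter.com/home",
    "https://cdn.t.co/img.png",
    "https://not.co/",
]


def compare(urls=SAMPLE_URLS):
    """Map each URL to (substring verdict, domain verdict)."""
    return {u: (naive_match(host_of(u)), domain_match(host_of(u))) for u in urls}


def collateral_damage(urls=SAMPLE_URLS):
    """Hosts the substring rule throttles that the domain rule would not."""
    return sorted(
        host_of(u) for u in urls
        if naive_match(host_of(u)) and not domain_match(host_of(u))
    )


if __name__ == "__main__":
    for url, verdict in compare().items():
        print(f"{url:40} substring={verdict[0]!s:5} domain={verdict[1]}")
    print("collateral:", collateral_damage())
```

Any host whose name ends in a label beginning with ‘t’ followed by a ‘.co…’ TLD trips the substring rule: ‘microsoft.com’ and ‘reddit.com’ are the two the research observed, and the constructed ‘not.co’ shows the same thing with a two-label name. The same mistake shows up in corporate blocklists and SIEM rules that match on `contains` rather than on domain labels.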
Apple white paper on app privacy and data tracking
Apple released a white paper titled “A Day in the Life of Your Data” this week that sets out how the upcoming changes to app policies and ‘do not track’ features will work. It (obviously) sings the praises of Apple’s approach to minimising data collection, though that shouldn’t distract from the importance of the subject matter. While many of you will already have an appreciation of how app tracking, profiling and online advertising work, the ‘day in the life’ is a great example to use with less tech-savvy colleagues, friends and family. (Especially those “how does Facebook know I want that?!” questions…) The descriptions of ad auctions and ad attribution are also good.
apple.com (PDF)
In brief
Attacks, incidents & breaches
- Manufacturing at two sites in Italy disrupted as new Cring ransomware encrypted a production database cyberscoop.com; a vulnerability in Fortinet’s VPN may have been the entry point, though the victim also didn’t keep anti-virus up to date or apply least privilege arstechnica.com
- French pharmaceutical group Pierre Fabre receives $25M ransom demand from REvil attack bleepingcomputer.com
- German phone manufacturer Gigaset suffers compromise, malware pushed to customers’ Android handsets as a software update theregister.com
- U.S. Mobile carrier Q Link Wireless allowed access to account information with just a valid mobile number (no password) arstechnica.com
- Underground forum auction offers what is claimed to be $38M worth of gift cards bleepingcomputer.com
- EU investigating ‘IT security incident’ affecting multiple agencies cyberscoop.com
Threat intel
- Vulnerabilities in SAP enterprise applications are weaponised within 72 hours of a patch being released, according to new research from SAP and Onapsis, with six older vulnerabilities still playing important roles in attacks zdnet.com, cisa.gov
- Example of the messages that the Clop ransomware gang has started sending to the customers and partners of its victims, ramping up the pressure on them to pay the ransom demands krebsonsecurity.com
- New banking trojan targeting corporate banking accounts in Brazil zdnet.com
- EtterSilent malicious document generator gaining popularity: it evades detection by many mail and host filters, mimics DocuSign and uses Excel 4.0 (XLM) macros rather than VBA to infect Windows devices bleepingcomputer.com
- Vyveva backdoor attributed to North Korea’s Lazarus group, used in attack against South African freight company zdnet.com
- Attackers are using Slack and Discord’s file sharing mechanisms to host files and circumvent corporate domain and file transfer blocks cyberscoop.com
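XLM macros slip past filters that only look for a VBA project, so here is an added example (my own code, not from the EtterSilent analysis or any vendor’s product) of a minimal triage check for Excel 4.0 macro sheets in an OOXML workbook. A skeletal workbook is constructed in memory so the check runs offline; the part names and content-type strings follow the OOXML conventions for macro sheets and VBA projects, and everything else about the sample (sheet contents, the fake VBA blob) is a stub, not a usable spreadsheet. Legacy binary `.xls` files need an OLE parser and are out of scope here.

```python
"""
Constructed example: detect Excel 4.0 (XLM) macro sheets, VBA projects,
auto-run defined names and very-hidden sheets in an OOXML workbook.
"""
import io
import zipfile

MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"
AUTO_RUN_NAMES = ("auto_open", "auto_close", "auto_activate")


def build_workbook(with_xlm=False, with_vba=False, hidden_sheet=False):
    """Build a skeletal workbook zip (constructed sample; not openable in Excel)."""
    content_types = [
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/xl/workbook.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>',
    ]
    parts = {}
    defined_names = ""
    if with_xlm:
        content_types.append(
            f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>')
        # Stub macro sheet with an EXEC cell, the classic XLM dropper pattern.
        parts["xl/macrosheets/sheet1.xml"] = (
            '<macrosheet><c r="A1"><f>EXEC("cmd /c calc")</f></c></macrosheet>')
        defined_names = ('<definedNames><definedName name="Auto_Open">'
                         'Macro1!$A$1</definedName></definedNames>')
    if with_vba:
        content_types.append(
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CT}"/>')
        parts["xl/vbaProject.bin"] = b"\xd0\xcf\x11\xe0stub"  # fake OLE header
    content_types.append("</Types>")
    state = ' state="veryHidden"' if hidden_sheet else ""
    parts["[Content_Types].xml"] = "".join(content_types)
    parts["xl/workbook.xml"] = (
        f'<workbook><sheets><sheet name="Macro1" sheetId="1"{state}/></sheets>'
        f'{defined_names}</workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def inspect_workbook(data):
    """Return a dict of indicators found in the workbook container."""
    findings = {"xlm_macrosheet": False, "vba_project": False,
                "auto_run_name": False, "very_hidden_sheet": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ct = (z.read("[Content_Types].xml").decode("utf-8", "replace")
              if "[Content_Types].xml" in names else "")
        # Check both the content-types manifest and the part names, since
        # either alone can be tampered with to dodge a single-signal check.
        findings["xlm_macrosheet"] = (MACROSHEET_CT in ct
                                      or any(n.startswith("xl/macrosheets/") for n in names))
        findings["vba_project"] = VBA_CT in ct or "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            wb = z.read("xl/workbook.xml").decode("utf-8", "replace").lower()
            findings["auto_run_name"] = any(f'name="{n}"' in wb for n in AUTO_RUN_NAMES)
            findings["very_hidden_sheet"] = 'state="veryhidden"' in wb
    return findings


def is_suspicious(data):
    """Any macro-capable content, XLM or VBA, is enough to quarantine for review."""
    f = inspect_workbook(data)
    return f["xlm_macrosheet"] or f["vba_project"]


if __name__ == "__main__":
    print(inspect_workbook(build_workbook(with_xlm=True, hidden_sheet=True)))
```

A filter that gates only on `xl/vbaProject.bin` reports the XLM sample as clean; the macro-sheet part and the `Auto_Open` defined name are the signals that catch it. Real-world triage would go on to extract the formulas (oletools’ `olevba` handles both XLM and VBA), but the container-level check above is cheap enough to run on every inbound attachment.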
Vulnerabilities
- Cisco patches remote code execution vuln in SD-WAN vManage software bleepingcomputer.com
Security engineering
- Okta announces expansion into privileged access management and identity governance techcrunch.com
- Microsoft open sources ‘CyberBattleSim’, a Python toolkit built on OpenAI Gym that generates virtual network environments to simulate and study attacks using machine learning theregister.com
Privacy
- Max Schrems files legal complaint in France over ‘hidden’ advertiser tracking ID in Google’s Android OS arstechnica.com
Public policy
- U.S. intelligence four-yearly Global Trends report points to nations increasingly conducting operations via proxies and below the level of armed conflict over the next twenty years cyberscoop.com
- “We know that China is capable of launching cyber-attacks against us and disrupt a large number of systems” — General Bipin Rawat, India’s chief of defence staff theregister.com
And finally
Gender bias in TUI algorithm results in ‘serious incident’
Finishing full-circle on the theme of flawed engineering decisions: a system used by airline TUI underestimated the load on a flight from Birmingham to Majorca because it assumed that any passenger using the title ‘Miss’ was a child and assigned them a 35kg mass instead of the 69kg adult average. An investigation by the Air Accidents Investigation Branch (AAIB) identified the issue after the aircraft took off with less thrust than required, the pilot believing the plane was 1,200kg lighter than it was, and classed it as a “serious incident”. TUI has introduced ‘manual checks’ to ensure that adult females are recorded as ‘Ms’, hopefully as a stop-gap until the flawed logic in the system can be addressed. theguardian.com