Here’s a look at some of the important security news from last week.
Facebook hacked, using 2FA phone numbers to help target ads, but at least Messenger wasn’t wiretapped.
Let’s start with Facebook, since as many as 90 million people were forced to log in again after Facebook admitted it had been hacked. The social network said nearly 50 million of its users were directly affected by attackers who stole access tokens by exploiting a flaw in Facebook’s code; the other 40 million forced logins were a “precautionary” step.
The buggy code had been around since July 2017, but Facebook didn’t realize attackers were exploiting the vulnerability – the result of three separate bugs – through the “View As” option until this week. The flaw allowed hackers “to steal Facebook access tokens which they could then use to take over people’s accounts.”
Facebook fixed the vulnerability, temporarily disabled the View As feature and contacted law enforcement. At this point in the investigation, Facebook claims it doesn’t know much – like who was behind the attacks and if “accounts were misused or information accessed.”
It also came to light that if you cared enough about security to set up two-factor authentication, Facebook used the phone number you provided for it to help target ads. Researchers from Northeastern University and Princeton University spelled out the technical details in a paper (pdf), but Gizmodo summed it up as:
Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all.
If you are looking for the silver lining in that Facebook gloom-and-doom cloud, at least Messenger calls aren’t being wiretapped, at least not yet. The US government had tried to force Facebook to wiretap Messenger voice calls, which are not end-to-end encrypted, but those courtroom efforts failed, according to Reuters.
Ransomware attack hits Port of San Diego
Following reports of the Port of Barcelona being hit with a ransomware attack, the Port of San Diego admitted that it too was a victim of a ransomware attack; it is not, however, disclosing the amount of the bitcoin payment demanded in the ransom note or the ransomware variant used in the attack.
The Port of San Diego said the ransomware attack “is mainly an administrative issue and normal Port operations are continuing as usual.” The public would feel the impact of the attack in park permits, public records requests, and business services. Some IT systems were compromised, and others were proactively shut down “out of an abundance of caution.”
Roundup of other notable security news
Linux kernel bugs: There were not one, but two different Linux kernel bugs that could allow root access revealed last week. A local privilege escalation vulnerability, disclosed by Qualys, could give an attacker “full root privileges.” Details about the second, a use-after-free vulnerability, were released by Google Project Zero researcher Jann Horn. Horn’s proof-of-concept exploit “takes about an hour to run before popping a root shell,” he said, and the kernel developers fixed the issue within two days. That doesn’t mean everyone affected has the patch: Horn pointed out that Debian stable and Ubuntu had not yet shipped it, and Android only patches once a month, so a fixed upstream kernel does not mean a fixed machine until the distribution kernel is updated and rebooted into.
In-the-wild UEFI rootkit survives hard drive replacement: ESET researchers revealed details about a UEFI rootkit, dubbed LoJax, which was likely developed by Fancy Bear to spy on governments in the “Balkans as well as Central and Eastern Europe.” The researchers warned, “This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement.”
Telegram patches IP leak: A bug in Telegram desktop clients delivered the opposite of anonymity, revealing users’ IP addresses: voice calls were set up over a direct peer-to-peer connection, which exposes each party’s IP address to the other. Telegram issued a fix, adding a “Nobody” option so that voice calls are never made via a peer-to-peer connection, and awarded a bug bounty to researcher Dhiraj Mishra.
Chrome about-face: Google “appreciated” the feedback from Chrome users and decided against the creepy auto-login of Chrome 69, which signed you into the browser whenever you signed into a Google site. Chrome 70, coming in October, will reportedly delete all cookies when you clear them, instead of keeping Google’s own cookies in place.
Careful what you tweet: This reminder comes from the Securities and Exchange Commission after Elon Musk agreed to step down as chairman of Tesla and fork out a $20 million fine to settle charges brought by the SEC. In August, Musk had tweeted that he could take Tesla private at $420 a share; Bloomberg reported that the false assertion was really about weed and impressing his girlfriend, the musician Grimes.
SEC’s Steven Peikin said, “While leading Tesla’s investors to believe he had a firm offer in hand, we allege that Musk had arrived at the price of $420 by assuming 20 percent premium over Tesla’s then existing share price then rounding up to $420 because of the significance of that number in marijuana culture and his belief that his girlfriend would be amused by it.”
Tim Berners-Lee proposes plan to start new internet: Lastly, Tim Berners-Lee, the dude who invented the World Wide Web, has a plan to fix it, since users currently have little choice but to hand over their personal data to tech giants. He wants to give users back control of their data with an open-source project dubbed Solid. In his words:
Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way.