So much is going on each month in the world of cybersecurity, online privacy, and data protection. It’s difficult to keep up!
Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in September.
1. 50 Million Facebook Accounts Hacked
The last week of September threw up one of the biggest pieces of news: 50 million individual Facebook user accounts were hacked. Facebook reset the passwords of 90 million accounts, just to be sure, indicating that the final number of compromised accounts could rise.
Attackers exploited a vulnerability in Facebook’s “View As” feature, which allows users to see what their own account looks like to others. Facebook’s vulnerability stems from three bugs. The first allows the Facebook video upload tool to appear on the View As page. The second lets the upload tool generate an access code. A final bug lets the View As page generate an access code for whichever user the hacker wants.
If you were asked to re-login to Facebook today it's likely you are among the 90 million Facebook users potentially impacted by this hack.
50 million users impacted + 40 million Facebook says as added precaution.
— Donie O'Sullivan (@donie) September 28, 2018
The issue isn’t confined to the Facebook site, either. Other Facebook services such as Instagram are also vulnerable, along with sites and services using the now ubiquitous Facebook Login. (This is how you secure your accounts when using social login.)
Initially, the only way to tell if you are a victim is if Facebook signed you out of your account without warning. However, Facebook now says it will post a message at the top of your News Feed if your account was involved.
The Facebook hack holds special significance for MakeUseOf’s European readers; this is the first significant data breach from a major tech company since the EU enacted the General Data Protection (GDPR) law in May 2018
As Facebook is registered in Ireland, the Irish Data Protection Commission could issue Facebook with a huge fine under the terms of the GDPR, but as yet the Commissioner hasn’t clarified “the nature of the breach and the risk for users.”
If you are a Facebook hack victim, here are four things you need to do immediately.
2. Five Eyes Governments Attack Encryption
“The governments of the United States, the United Kingdom, Canada, Australia, and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights.”
Ministers from the Five Eyes governments—the U.S.A., United Kingdom, Canada, Australia, and New Zealand—met in Australia for the annual FCM. It was at this Five Country Ministerial that the above statement was drafted.
However, further inspection of the joint statement reveals that the Five Eyes allies are threatening to introduce legislation compelling tech giants such as Apple, Facebook, and Google to provide “lawful access solutions” to their products. In other words: the governments of Five Eyes countries want encryption backdoors, and they want them now.
My feelings on the recent Five Eyes Encryption Backdoor quagmire are simply this: Power Corrupts. Absolute Power Corrupts Absolutely.
Any technology that permits unfettered access to encrypted data of the citizenry can and will be abused by governments.
— Keith Hoodlet (@andMYhacks) September 5, 2018
Unfortunately, it is just not possible. Creating a backdoor for one person doesn’t stop it existing for others. Once the encryption backdoor is open the security of hundreds of millions of other law-abiding users evaporates.
It isn’t an issue that’s going away any time soon. Furthermore, there are numerous arguments against breaking encryption, but very few for. At times, encryption breaking tools such as GrayKey pop-up to give law enforcement a break, but they are few and far between. Other countries are considering an alternative approach. For instance, German Interior Ministry documents reference the use of Remote Communication Interception Software to target iOS, Android, and Blackberry devices without having to rely on service providers like Apple, Google, Facebook, and so on.
Police installing backdoors on the devices of their suspects? That’s another story.
3. British Airways Breach: 300,000 Customers Affected
UK flag carrier British Airways (BA) revealed that during the period from 22:58 on 21st August 2018 to 21:45 on 5th September 2018, the payment details of 300,000 customers were breached. (Yes, these oddly specific times come from BA.)
The stolen information contained the personal and financial information of any customers who booked with BA during that period. It didn’t, however, include the passport or identification document data for those customers. Speaking on BBC Radio 4’s Today on Friday program, BA chairman and CEO Alex Cruz said the hack was “a sophisticated, malicious criminal attack” and that BA are “extremely sorry for what has happened.” Cruz also promised that BA was “100 percent committed” to compensating any affected customers.
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection.”
Researchers traced the hack to a group called Magecart who are also responsible for recent attacks on Ticketmaster and Newegg.
This #BritishAirways hack sounds exactly like the #Ticketmaster hack etc. They probably loaded a (.js) script from somewhere that was compromised and loaded it on the payment pages. CSPs wouldn’t even mitigate this sort of attack either. Don’t load scripts on payment pages!
— Daniel James (@danieltj27) September 7, 2018
4. ESET Discover First UEFI-Based Rootkit
Security researchers at ESET discovered the first-ever UEFI-based rootkit in the wild. The rootkit allows a hacker to install persistent malware on a vulnerable system with the potential to survive a full-system format.
The discovery of a UEFI rootkit is particularly galling as UEFI systems have traditionally remained secure against such threats. However, the rootkit presents a significant problem as it requires a full motherboard firmware flash to remove; your regular antivirus and antimalware programs won’t get near the rootkit.
“While it is hard to modify a system’s UEFI image, few solutions exist to scan system’s UEFI modules and detect malicious ones,” reads the ESET blog. “Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”
The rootkit, known as LoJack, is thought to be the work of the infamous Russian-government linked hacking group, Fancy Bear. The hackers modified Absolute Software’s legitimate LoJack laptop anti-theft tool. The tool installs to the system BIOS to survive a system wipe. The modification replaces parts of the original LoJack code to rewrite vulnerable UEFI chips.
How do you protect against the UEFI rootkit? The easiest method is keeping UEFI Secure Boot turned on. Your system firmware will then reject any file without a proper verification certificate, keeping your system safe from harm.
5. North Korean Hacker Charged in WannaCry and Sony Hacks
The US government charged and sanctioned a North Korean hacker for the 2017 WannaCry global ransomworm attack, as well as the 2014 Sony Pictures hack that forced the company to withdraw its then-upcoming film, The Interview. (The Interview is a comedy about a plot to assassinate the North Korean leader, Kim Jong-un.)
The indictment alleges that North Korean programmer, Park Jin Hyok, worked for a government front company with offices in China and the DPRK. Park and his colleagues are alleged to have engaged in malicious activity on behalf of the North Korean military.
“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said assistant attorney general John Demers. “The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”
The hacking group is also thought to be responsible for the unsuccessful hack attempt against Lockheed Martin. The group is also responsible for attacks against the Bank of Bangladesh, the Banco del Austro in Ecuador, Vietnam’s Tien Phong Bank, and a number of cryptocurrency exchanges.
The North Korean government hit back at the US indictment, labeling it a “smear campaign”. It also claims that Park is a “non-entity”. Understandable, given the circumstances.
Security News Roundup: September 2018
Those are five of the top security stories from September 2018. But a lot more happened; we just don’t have space to list it all in detail. Here are five more interesting security stories that popped up last month:
- The US State Department confirmed a security breach affected the email of “less than 1% of employee inboxes.”
- Data management firm, Veeam, exposed 445 million records for around ten days.
- The US Attorney’s Office revealed how the Mirai botnet creators are helping the FBI investigate “complex” cybercrime cases. Their assistance keeps them clear of prison.
- Uber picked up a $148 million fine for their 2017 data breach.
- The average DDoS attack size has quintupled in size, to 26Gbps, according to Nexusguard.
A huge amount happens every month in cybersecurity, privacy, data protection, malware, and encryption. Check back next at the beginning of next month for your October 2018 security roundup. In the meantime, check out these five security breaches that might have put your data at risk!
Image Credit: Thought Catalog Books/Flickr