Cybersecurity news headlines 1-15 October
Continuing our series of cybersecurity news headline articles, we have the headlines from the last two weeks. The cybersecurity news headline articles report on data breaches, malware attacks and all other major cybersecurity incidents. In this edition, we report on Facebook’s use of 2FA phone numbers for advertising, the indictment of seven Russian GRU officers, and a Google+ API bug that could have exposed data from around 500,000 accounts. We also provide more information on the Facebook data breach of 2018 and how it could have affected you. Here is the cybersecurity news that made the biggest headlines between October 1 and 15.
Facebook is using users’ 2FA phone numbers to make targeted ads
Two-factor authentication (2FA) provides a second layer of security for online accounts, and users are always encouraged to enable it if a platform offers it. Facebook users who have 2FA enabled can choose from several authentication methods: login codes from a third-party authenticator app, recovery codes, approving a login attempt from a recognized device, and SMS codes. To set up SMS 2FA, users have to provide a phone number, to which a code is sent whenever a new login needs to be confirmed. Unfortunately, researchers have found that phone numbers provided for SMS 2FA are also being used to target advertisements.
Researchers from Northeastern University have uncovered that the phone numbers users give to Facebook to enable 2FA are added to Custom Audience, Facebook’s advertising program. Custom Audience is a tool that allows advertisers to upload customer information (email addresses, phone numbers, etc.) which is then matched to the information Facebook has about those customers. That information is then used to make targeted advertisements. While it’s not a secret that the information users provide in their profiles is used for targeted ads, it was perhaps naive to think that data provided for security reasons would not be used for the same thing. Facebook has admitted that they do, in fact, do this but claim that it is done to personalize the experience. What Facebook does not seem to get is that not everyone wants that personalized experience. And with how Facebook has mishandled users’ data in the past, there is a reason for concern.
Facebook’s response to this revelation is certainly not earning the company any points: a spokesperson told TechCrunch that users can opt out of this ad-based repurposing of their security phone number by not using phone-number-based 2FA. Facebook is essentially asking users to choose between their privacy and their security. While Facebook does offer 2FA through other means, this revelation may push users to switch 2FA off or never turn it on, leaving their accounts easier to compromise.
No evidence found that hackers accessed Facebook connected third-party apps
At the end of September, Facebook announced a data breach that involved around 50 million accounts (since revised down to 30 million). Attackers used a vulnerability in Facebook’s “View As” feature to steal access tokens, which could essentially have given them control of the affected accounts. When Facebook noticed the attack, it reset the tokens for 90 million accounts, 40 million of them as a precaution. While the attackers did not obtain any passwords, many feared that the stolen tokens may have been used to access third-party services, such as Instagram or Tinder, that people can log in to via Facebook.
Facebook’s VP of Product Management Guy Rosen explained that after analyzing logs for all third-party apps that were installed or logged in while the attack was under way, Facebook found no evidence that the attackers had accessed any apps via Facebook Login.
“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens. However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out,” Rosen said.
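The distinction Rosen draws between apps that re-check token validity and apps that do not is worth seeing in code. The following is an added example, not code from Facebook, its SDKs or the original article: a small server-side session store holding third-party login tokens, a constructed in-memory stand-in for the provider’s token-introspection endpoint, and a periodic re-validation pass. The names Session, FakeProvider and revalidate_sessions, and the sample users and tokens, are this example’s own assumptions.

```python
"""Periodic re-validation of third-party login tokens held by a web app.

Added example (not Facebook's code or SDK). It models the situation the
quote describes: a provider resets a batch of access tokens, and an app
that only checked the token once at login keeps those sessions alive,
while an app that re-checks the token with the provider logs them out.
The provider here is a constructed in-memory stand-in.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass
class Session:
    user_id: str
    provider_token: str  # token received from the identity provider at login
    active: bool = True


class FakeProvider:
    """Constructed stand-in for a provider's token-introspection endpoint.
    A token is valid unless it is in the set the provider has reset."""

    def __init__(self, reset_tokens: Set[str]):
        self.reset_tokens = set(reset_tokens)
        self.available = True  # flip to False to simulate an outage

    def token_is_valid(self, token: str) -> bool:
        if not self.available:
            raise ConnectionError("introspection endpoint unreachable")
        return token not in self.reset_tokens


def revalidate_sessions(sessions: Dict[str, Session],
                        is_valid: Callable[[str], bool],
                        fail_closed: bool = True) -> Set[str]:
    """Re-check the provider token behind every active session and log out
    any session whose token the provider no longer accepts.

    If the introspection call fails, fail_closed=True logs the session out
    (the safer choice right after a known token reset); fail_closed=False
    keeps it and defers the decision to the next run. Returns the ids
    of the sessions that were logged out."""
    logged_out: Set[str] = set()
    for sid, sess in sessions.items():
        if not sess.active:
            continue
        try:
            valid = is_valid(sess.provider_token)
        except ConnectionError:
            valid = not fail_closed
        if not valid:
            sess.active = False
            logged_out.add(sid)
    return logged_out


def active_sessions(sessions: Dict[str, Session]) -> Set[str]:
    return {sid for sid, s in sessions.items() if s.active}


def demo() -> dict:
    """Three constructed users logged in via the provider; the provider then
    resets two of their tokens. Compare an app that never re-checks with
    one that runs revalidate_sessions on a schedule."""
    def fresh_sessions() -> Dict[str, Session]:
        return {
            "s-alice": Session("alice", "tok-alice"),
            "s-bob": Session("bob", "tok-bob"),
            "s-carol": Session("carol", "tok-carol"),
        }

    provider = FakeProvider(reset_tokens={"tok-bob", "tok-carol"})

    # App A validated tokens only at login and never again: nothing changes.
    app_a = fresh_sessions()

    # App B re-validates periodically: sessions on reset tokens are ended.
    app_b = fresh_sessions()
    ended = revalidate_sessions(app_b, provider.token_is_valid)

    return {
        "never_rechecked_active": active_sessions(app_a),
        "rechecked_active": active_sessions(app_b),
        "rechecked_logged_out": ended,
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {sorted(ids)}")
```

In practice the re-validation pass would be a scheduled job or a check on each request against the provider’s real introspection call, and the `fail_closed` choice is the caveat: after a provider-wide token reset, an unreachable introspection endpoint should not leave stolen-token sessions alive.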
The attackers responsible for the hack have yet to be identified. According to Ireland’s Data Protection Commission, less than 10% of the 50 million users initially reported as affected were based in the European Union, where the General Data Protection Regulation (GDPR) is in force. If Facebook is found not to have adequately protected users’ data, the social media giant could face a fine of as much as $1.63 billion under GDPR.
30 million, not 50 million users affected by Facebook’s data breach
When Facebook reported the data breach last month, the social media giant believed that around 50 million users may have had their accounts accessed by attackers. VP of Product Management Guy Rosen has since said in a blog post that the initial figure was incorrect: around 30 million users, not 50 million, had their personal information accessed.
According to the blog post, 15 million people had their name and contact details (phone number, email, or both, depending on what people had on their profiles) accessed, and 1 million users had no information accessed. The remaining 14 million users had a wide range of information accessed, including name and contact details, as well as details they had on their profiles (username, gender, religion, hometown, birthday, device type used to access Facebook, education, work, the last 10 places they checked into or were tagged in, websites, pages and people followed, and 15 most recent searches).
How to check if you are part of the Facebook data breach
People can check whether their accounts have been accessed by going to Facebook’s Help Center. Users need to be logged into Facebook in order to be able to check whether they were impacted by the security issue.
Rosen also stated that the attack did not involve Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.
The attackers remain unidentified, but Facebook is working with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission and other authorities to identify who is behind the breach.
Seven Russian GRU officers charged over international hacking
Seven Russian Main Intelligence Directorate (GRU) officers have been formally charged by the US over cyberattacks targeting individuals and organizations involved in international anti-doping efforts. The seven, Aleksei Sergeyevich Morenets, Ivan Sergeyevich Yermakov, Oleg Mikhaylovich Sotnikov, Alexey Valerevich Minin, Artem Andreyevich Malyshev, Dmitriy Sergeyevich Badin and Evgenii Mikhaylovich Serebriakov, are alleged to have carried out sophisticated attacks that affected US citizens, corporate entities, international organizations and their employees.
The officers are believed to have hacked anti-doping officials’ accounts with the intention of stealing information and damaging their reputations.
“Among the goals of the conspiracy was to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize the efforts of international anti-doping organizations and officials who had publicly exposed a Russian state-sponsored athlete doping program and to damage the reputations of athletes around the world by falsely claiming that such athletes were using banned or performance-enhancing drugs,” a press release by The United States Department of Justice states.
The press release further states that from 2016 through 2018, the conspirators contacted 186 reporters via Twitter and email with the stolen information. They also released the stolen information under the alias “Fancy Bears’ Hack Team” on social media.
Silk Road admin may be facing 20 years in prison after pleading guilty
Gary Davis (also known as Libertas), an admin for Silk Road, one of the largest Internet underground marketplaces, has pleaded guilty to drug trafficking charges and is now facing 20 years in prison. Silk Road was infamous for essentially being a marketplace for illegal drugs, operational for two years by the time it was shut down by the FBI in 2013. Founder Ross William Ulbricht (who also used the username Dread Pirate Roberts) is currently serving a double life sentence plus 40 years without the possibility of parole over counts related to the Silk Road marketplace.
According to United States Department of Justice, Gary Davis served as an administrator who helped run the Silk Road marketplace.
“In his role as a site administrator, DAVIS’s responsibilities included (1) responding to customer support requests from Silk Road users who needed assistance with their buyer or seller accounts on the marketplace; (2) serving as an arbitrator by resolving disputes that arose between drug dealers and buyers on the site; and (3) enforcing the rules for doing business on Silk Road, which had been set by Ulbricht,” the press release states.
Davis has pleaded guilty to one count of conspiracy to distribute narcotics, a crime that carries a maximum sentence of 20 years in prison. Sentencing is scheduled for January 17, 2019. Silk Road is believed to have been used to sell illegal drugs and other contraband worth more than $200 million.
Google+ to shut down after API bug exposes information of 500,000 accounts
Tech giant Google is shutting down its social media service Google+ after it was revealed that an API bug could have allowed third-party apps to access the private profile data of around 500,000 Google+ users. According to a blog post by Ben Smith, Vice President of Engineering, up to 438 third-party apps could have gained access to personal information because of the bug. However, Smith says there is no evidence that any developer was aware of the bug or that any profile data was misused. And since Google+ keeps API logs for only two weeks, the exact number of affected users cannot be confirmed.
According to Google, the bug was discovered in March 2018 and patched immediately. However, a report by the Wall Street Journal says that the API bug may have been leaking user data as far back as 2015, and that Google only found it while preparing for the GDPR. Allegations have also been made that Google covered up the incident instead of disclosing it to the public.
It is difficult not to draw parallels between this and Facebook’s Cambridge Analytica scandal, and it seems Google came to the same conclusion. In the same month Google became aware of the bug, the Facebook data scandal broke, and the social network was facing serious outrage after it was revealed that developers had been able to obtain the private data of Facebook users without authorization. According to an internal memo cited in the Wall Street Journal article, Google may have decided not to disclose the incident for fear of immediate regulatory interest. Had Google disclosed the bug, it would have put Google in the spotlight alongside, or even instead of, Facebook.
It does not seem that the incident is going away any time soon, despite Google’s intentions to stay under the radar. Three US senators are requesting that Google hand over the memo Wall Street Journal reported on. The senators also criticise Google’s decision to not disclose the incident, particularly because Google’s chief privacy officer testified before the Senate Commerce Committee on privacy issues two weeks prior and did not provide information on the incident.
In the same blog post announcing the incident, Smith also revealed that Google has made the decision to shut down Google+ for consumers. It’s no secret that the social media platform never really took off, and Google themselves admit that despite the efforts of Google+ engineers, the platform has very low usage and engagement, with 90% of user sessions lasting less than five seconds. Google+ for consumers will be closing over a 10 month period, with full shutdown expected by the end of August 2019. In the future, Google+ will be focusing on Enterprise users.
Pentagon security breach
The Pentagon has revealed that a cyber breach of the Department of Defense (DOD) travel records could have compromised personal and credit card information of U.S. military and civilian personnel. As many as 30,000 personnel are believed to have been affected but the number may grow as the investigation continues. However, according to an anonymous official, classified information was not compromised.
Not much information is available but the breach was reportedly discovered on October 4, and it is believed that the attackers may have compromised a third-party contractor to access the Pentagon network and steal travel data of DOD personnel.
The third-party contractor’s name has not been revealed while the investigation is in progress, but the Pentagon did confirm that the attackers made off with personal and payment information. The Department of Defense will notify impacted personnel and provide free fraud protection services.