Cybersecurity news headlines (May 1 – May 31)
May was the month a lot of companies all over the world were dreading. May 25th marked the day when the new data protection laws in Europe came into effect, the laws that were announced two years ago. Companies had two years to comply with the new regulations, but many of them left it to the last minute, resulting in temporary or even permanent stops of services in European countries. On the first day, there were already lawsuits, with Facebook and Google accused of violating the regulations.
We also saw a controversial teen monitoring app leaking children’s accounts, and Twitter recording plain text passwords. These and other headlines can be found in our compilation of the cybersecurity news for May 1 – May 31.
Facebook promises a Clear History tool in the coming months
Social media giant Facebook has announced that it is adding a new feature called Clear History. These past few months, Facebook has faced a lot of backlash over how it handles user data. The Cambridge Analytica scandal has caused many users to worry about their privacy and how easily their information can be shared with third parties, with some thinking twice about using Facebook. As a result, Facebook is making some much-needed changes, and the Clear History feature is one of them.
“In your web browser, you have a simple way to clear your cookies and history. The idea is a lot of sites need cookies to work, but you should still be able to flush your history whenever you want. We’re building a version of this for Facebook too. It will be a simple control to clear your browsing history on Facebook — what you’ve clicked on, websites you’ve visited, and so on. Once we roll out this update, you’ll be able to see information about the apps and websites you’ve interacted with, and you’ll be able to clear this information from your account. You’ll even be able to turn off having this information stored with your account,” Zuckerberg wrote in a Facebook post.
He does warn that deleting the data or having it not stored could make the Facebook experience worse. “Your Facebook won’t be as good while it relearns your preferences,” Zuckerberg said.
The feature may take a few months to be built, but in the meantime Facebook users can check what data the social media company has about them by going to “Access your information” in their accounts.
DDoS attacks decrease 60% in Europe after WebStresser’s takedown
Since the takedown of WebStresser, the largest DDoS-for-hire portal on the market, DDoS mitigation firm Link11 has noticed that DDoS attacks in Europe have gone down by 60%. Servers were seized, suspects were arrested and the website was shut down following a Europol-coordinated operation. The website allowed users to pay for a subscription and target other websites with DDoS attacks.
“The Link11 Security Operation Center (LSOC), which monitors DDoS attack activity on the internet 24/7, has registered lower attack activity, especially on April 25 and 26, presumably due to [the] elimination of the source,” a Link11 spokesperson said to Bleeping Computer.
However, the company says the decrease in attacks is only temporary. It’s likely that new DDoS services will take WebStresser’s place and attacks will rise again.
Twitter recorded plaintext passwords in internal logs
At the beginning of May, Twitter users were greeted with a notification warning them to change their passwords. The company revealed that it had identified a bug that stored users’ passwords in plain text, and while the bug was fixed, users are still cautioned to change passwords. After an investigation, Twitter also reassured its users that there is no evidence of a breach or of anyone accessing the plain text passwords.
In the company’s blog post, Twitter’s CTO Parag Agrawal explains that the bug occurred because of an issue in the hashing process that conceals passwords by replacing them with random characters. This is a standard procedure and allows systems to validate account credentials without revealing passwords. The bug caused passwords to be written to an internal log before the hashing process was completed.
Twitter found the bug themselves, removed the passwords and sent out alerts to users to change their passwords. However, they did not specify how long the passwords were compromised or how many users were affected.
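The failure mode described above, and one way to guard against it, shown as an added example that is not Twitter's code: a signup path that logs the request before hashing, run once without and once with a logging filter that masks the password field. The field names, logger name and the use of PBKDF2-HMAC-SHA256 from Python's standard library are assumptions, since the article does not name the hashing algorithm involved.

```python
import hashlib
import hmac
import logging
import os

SENSITIVE_KEYS = {"password"}  # assumed field name, not from the page
ITERATIONS = 600_000           # assumed PBKDF2 work factor


class RedactSecrets(logging.Filter):
    """Mask sensitive values in dict-style log arguments before handlers run."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True


class ListHandler(logging.Handler):
    """Collect formatted messages in memory instead of writing a log file."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    # Recompute from the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def run_signup(redact):
    """Log a constructed signup request, then hash it; return (log lines, salt, digest)."""
    log = logging.Logger("signup-demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    handler = ListHandler()
    log.addHandler(handler)
    if redact:
        log.addFilter(RedactSecrets())
    request = {"username": "alice", "password": "constructed-Passw0rd!"}
    # The failure described above: the request is logged before hashing completes.
    log.info("signup user=%(username)s password=%(password)s", request)
    return (handler.lines, *hash_password(request["password"]))
```

With `redact=False` the captured log line contains the password verbatim; with `redact=True` the same call site logs `[REDACTED]` while the stored salt and digest still validate the credential.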
200 apps suspended by Facebook for possibly mishandling user data
After the Cambridge Analytica scandal, Facebook promised to investigate apps that had access to large amounts of user data. As a result of the investigation, 200 apps were suspended. However, it is not clear yet whether the apps were in fact misusing data. Following the suspension, a thorough investigation will take place. Facebook will conduct interviews, make requests for information and perform audits that may include on-site inspections in order to find out whether user data was misused.
“To date thousands of apps have been investigated and around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data,” Facebook’s VP of Product Partnerships Ime Archibong wrote in a blog post.
If these apps, or any other, are found to have misused users’ data, they will be banned, and users will be notified via this website. The investigations focus on apps from 2014 or earlier, when Facebook allowed apps to get information not only from the app’s user but also from people on said user’s friend list.
Teen phone monitoring app leaked thousands of user passwords
TeenSafe, the company providing controversial services allowing parents to monitor their children, has been revealed to have leaked tens of thousands of accounts of both parents and children. The mobile app allows parents to monitor children’s texts, phone calls, web history, location, app downloads, etc. Technology news website ZDNet, which was the first to cover the breach, reports that the company left its Amazon cloud-hosted servers unprotected and accessible by anyone without a password. Two servers leaking the data were found by security researcher Robert Wiggins, and both have since been pulled offline.
The database included information such as parents’ email addresses, children’s Apple ID email addresses, device names, unique device identifiers and plaintext passwords for children’s Apple IDs. Plaintext passwords are especially problematic in this case because, in order for parents to be able to monitor their children’s activity, two-factor authentication needs to be turned off, making children’s accounts particularly vulnerable to attack.
GDPR goes into effect
May 25, 2018 marks the day new user data protection laws go into effect in the EU. Known as the General Data Protection Regulation, or just GDPR, the new regulations are intended to give EU citizens more rights over how their personal information is handled. GDPR was announced in 2016, giving businesses two years to prepare. Despite having two years to comply with the new regulations, many companies are cutting it close, which is why your email inbox was likely flooded with emails asking you to confirm that you want to hear from services you have subscribed to over the years.
These regulations will affect all companies that have EU users, so even if a company is US-based, if it has users from the EU it will have to abide by the regulations. Companies now have to get users’ consent in order to collect personal information. If they do not, they could be facing fines. Mishandling EU citizens’ personal information could result in fines of up to 20 million euros, or 4% of a company’s global turnover.
In addition to having to give permission for companies to collect their information, EU users will also be able to see what information companies have about them. They could also request that the information be deleted. Another major change from previous regulations is that companies will now have to inform users, as well as authorities, about a data breach within 72 hours.
The new regulations have been met with mixed reactions, some praising lawmakers for allowing people to have control over how their personal information is handled, while others criticize how strict the law is. Some non-EU companies have also resorted to simply banning EU users from using their services, some temporarily, some permanently.
Facebook and Google hit with lawsuits over violations of GDPR
On day one of the new General Data Protection Regulation (GDPR), two major companies have already been slammed with lawsuits over violations. Crowdfunded group None Of Your Business (NOYB), led by privacy activist Max Schrems, has filed serious complaints against Facebook and Google for violating the new data protection law and forcing users into agreeing to the new terms of service.
Schrems has been actively fighting over privacy for users for years, often criticizing the unfair data collection practices of companies. With the new regulations, companies dealing with EU citizens had to revise their Privacy Policies and give users control over how their data is collected and used. However, many companies are left uncertain and completely unprepared for the new laws. And these lawsuits are unlikely to be the last ones we see over violations.