Security

Facebook bans fake Israel-based accounts that spent $812,000 on ads

By on November 13, 2021

Facebook continued its crackdown on inauthentic activity on its social media platforms with the removal of hundreds of pages and accounts originating in Israel that targeted several African nations.

The social media platform removed 265 Facebook and Instagram accounts, pages, events and groups for ‘coordinated inauthentic behavior,’ according to a blog post on Thursday by Nathaniel Gleicher, head of cybersecurity policy for the company. This behavior originated in Israel and targeted Nigeria, Senegal, Togo, Angola, Niger and Tunisia along with some activity in Latin America and Southeast Asia using $812,000 of Facebook ads paid for with Brazilian, Israeli and US money from December 2012 to April 2019.

These accounts were behind various political activities and attempted to spread disinformation in the targeted countries. Facebook said some of the actions were committed by an Israeli commercial entity known as Archimedes Group, which was a repeat offender for this kind of behavior and is now banned from the social network.

Facebook has been trying to weed out misinformation campaigns that aim to deepen political divisions using its platforms. In March, the social media platform took down 2,632 Russian and Iranian accounts because of ‘coordinated inauthentic behavior.’ Then in April, Facebook removed 687 pages based in India and Pakistan for similar activity.

Security

Weather Channel app accused of deceptively amassing user location data

By on November 12, 2021

Partly cloudy with a chance of lost privacy. That might be the forecast if you’re using an app to check the weather.

The city attorneys of Los Angeles on Thursday sued the developer of the Weather Channel app for allegedly collecting, sharing and profiting from user location data without users’ permission. Roughly 45 million people use the app every month, and it was the most downloaded weather app from 2014 to 2017, according to the lawsuit.

The suit alleges that IBM subsidiary The Weather Company, the outfit behind the app, used the program to ‘amass its users’ private, personal geolocation data’ while making users believe their data was used only to provide accurate local weather forecasts.

IBM says The Weather Company has always been transparent with its use of location data.

‘The disclosures are fully appropriate, and we will defend them vigorously,’ Edward Barbini, vice president of corporate communication at IBM, said in an emailed statement.

The Weather App tracks users’ movements in minute detail and sells this data to third parties without users’ knowledge or permission, the lawsuit alleges.

The app collects location data on where users live and work, as well as the places they visit throughout the day and night, according to the suit. It also gathers info on how much time users spend at each place, the suit says. The data can allegedly be analyzed to understand a specific user’s daily habits, shopping preferences and even unique identity.

‘This case goes to the core of one of today’s most fundamental issues, how do we maintain our privacy in the digital age? We chose this defendant because this app touches all demographics,’ Mike Feuer, LA city attorney, said at a press conference on Friday. ‘This app seems to be benign; how many of you would suspect that to get a weather app, we would be tracked 24/7?’

The Weather Channel app isn’t the first program to face scrutiny in regard to user location data. The New York Times in December revealed how free apps like GasBuddy are programmed to track users in homes, hospitals, schools and offices.

‘I hope every company can be truly transparent and disclose to users what’s at stake,’ said Feuer. ‘That’ll be the right thing to do.’

Security

Facebook discloses bug that exposed 6.8 million people’s photos

By on November 8, 2021

Even if you didn’t post a photo on your Facebook timeline, a software flaw could have shown it to app developers.

The social network disclosed a photo API (application program interface) bug on Friday that affected up to 6.8 million people on 1,500 apps connected to Facebook, the company said in a blog post. The flaw is related to the permission you give for an app to access your photos on Facebook — like when dating app Tinder uses your photos to set up your profile.

The bug was caused by an error in a code update in September, Facebook said.

The API is only supposed to allow the third-party app to access photos that you share on your timeline, but the bug gave app developers complete access to other pictures, such as those uploaded to Facebook Stories or even ones that you uploaded but never posted.

‘For example, if someone uploads a photo to Facebook but doesn’t finish posting it — maybe because they’ve lost reception or walked into a meeting — we store a copy of that photo so the person has it when they come back to the app to complete their post,’ Tomer Bar, Facebook’s engineering director, said in the blog post.

The issue didn’t affect photos in Messenger, Facebook said.

The bug lived for 12 days, between Sept. 13 and Sept. 25, according to Facebook. The social network said that it would be rolling out a tool next week for app developers to determine whether their users were affected by the security flaw. Facebook will also notify via alert the millions of people whose photos were exposed, the company said.

‘We’re sorry this happened,’ Bar said.

Although Facebook discovered the flaw in September, it didn’t notify the public for nearly three months because it was investigating the issue to find out how many people were affected, the company said.

A spokesperson said Facebook notified the Irish Data Protection Commission as soon as it figured out the breach was considered reportable under the European Union’s data protection laws, or GDPR.

‘We’ve heard loud and clear that we need to be more transparent about how we build our products and how those products use people’s data — including when things go wrong. These types of notifications are designed to do just that,’ a Facebook spokesperson said in a statement.

You can check which apps have access to your photos on Facebook in your privacy settings.

The flaw is Facebook’s latest security blunder. The company has been hit with multiple screwups related to privacy this year, and a loss of public trust has pushed Facebook to make efforts like hosting privacy pop-up events.

Facebook dealt with other controversies this year as well, including the massive Cambridge Analytica data abuse scandal, foreign influence campaigns and a major breach affecting 29 million accounts. That breach, announced in September, was also an issue with Facebook’s API, related to birthday videos on the social network.

Security

Huawei founder says ‘there’s no way the US can crush us’

By on September 30, 2021

Ren Zhengfei, Huawei’s founder and president, reckons the world needs his company’s ‘more advanced’ technology.

The saga of the Chinese telecom has led the US to pressure its international allies to drop Huawei from their 5G rollouts, but Ren told the BBC on Monday that this tactic won’t work.

‘There’s no way the US can crush us,’ he said in a rare interview. ‘The world cannot leave us because we are more advanced. Even if they persuade more countries not to use us temporarily, we can always scale things down a bit.’

He noted that Huawei has plenty of options for expanding its business.

‘If the lights go out in the West, the East will still shine,’ he said. ‘And if the North goes dark, there is still the South. America doesn’t represent the world. America only represents a portion of the world.’

The founder addressed the December arrest in Canada of Meng Wanzhou, his daughter and Huawei’s chief financial officer. He called the arrest a ‘politically motivated act’ that he objects to. However, he wants to let the court system iron things out.

Ren also strongly denied that his company spies on China’s behalf — the main reason why Huawei networking equipment has been banned in the US since 2012.

‘Our company will never undertake any spying activities,’ he said. ‘If we have any such actions, then I’ll shut the company down.’

He reinforced this point in a separate CBS News interview that will air Wednesday — an excerpt was released Tuesday. In the interview, he was asked whether Huawei’s products could have a backdoor that shares customer data with China without his knowledge.

‘It is not possible. Because across our entire organization, we’ve stressed once and again that we will never do that. If we did have that, with America’s advanced technology, they would have found that already,’ he told CBS News.

In the BBC interview, Ren promised Huawei would ‘continue to invest in the UK,’ which reportedly went against the US in concluding that using the company’s equipment in its 5G networks is a manageable risk.

‘If the US doesn’t trust us, then we will shift our investment from the US to the UK on an even bigger scale,’ he said.

Ren seldom speaks to foreign media, but he’s already done so several times in 2019. In January, he praised President Donald Trump and said that Huawei is ‘only a sesame seed’ in China’s trade war with the US.

Security

Equifax has a plan to win your trust back. It’ll take three years.

By on September 10, 2021

Until last September, many people didn’t know what Equifax was, or why it had all their information.

But after the credit-monitoring company announced its breach on September 7, 2017, with hackers stealing social security data on 147.7 million Americans, Equifax quickly became a household name in the worst possible way. The hack affected more than half of the American population, including Jamil Farshchi, who would become Equifax’s chief information security officer six months later.

Farshchi has a history of rebuilding cybersecurity from rubble: he became Home Depot’s CISO after a hack exposed more than 50 million credit card accounts. He aims to do the same for Equifax.

Since then, he’s laid out a three-year plan for Equifax to regain your trust, and made security every person’s job at the company.

CNET sat down with Farshchi at the Black Hat cybersecurity conference in Las Vegas on Thursday to discuss his plans, and the hardest part about trying to fix Equifax. Here’s an edited transcript.

I know you were one of the victims affected by the Equifax breach. What was your reaction to it?

Like anyone, you’re disappointed. For me, it was concerning because I just had my daughter, so at the time I wasn’t sure how it mapped out.

My view is my data’s already been stolen, I have zero sense of any level of privacy, but I do care about my daughter. So I was worried about that. Fortunately, the timing didn’t work out, she was not a victim, so that’s great.

Just like anyone, it impacts you and it’s something you obviously feel would never have occurred.

Do you think that the other 147 million Americans had this ‘my data is already stolen’ reaction that you had?

It’s hard for me to speculate on the population, but I’m sure it varies.

What was your reaction when Equifax reached out to you to fix its security problems?

What compels me and motivates me is the challenge of the opportunity. One of my previous bosses gave me a great piece of advice one time. He said, ‘Jamil, never take a job, that when you take it, you’re not a little bit nervous about that goal. That you’re really stretching yourself and taking yourself to the next level.’

When I was discussing the Equifax opportunity, that’s how I felt. This is a big challenge, I feel like it’s going to make a difference, if I’m successful, and it’s going to impact a lot of people.

How do you expect anyone to trust Equifax again after a breach like this?

I think we’re putting our best foot forward in a variety of areas.

From a culture perspective, they made my role report directly to the CEO; that’s a very meaningful change that very few organizations in the Fortune 100, 1000 or 2000 even have.

We have built-in incentives for shared faith and security throughout the entire organization. We have tied in to the annual bonus structure a specific security goal that if not reached, then it deducts the bonus for all bonus-eligible employees.

We’re investing heavily, over $200 million this year, so we have the resources necessary to deliver. We have tremendous support from the entire executive leadership team. We have a new CTO who comes from IBM with an outstanding philosophy, which is, ‘technology, if done right, should eliminate the vast majority of security risks,’ which I think most of my colleagues agree with.

We build security from the get-go and you shouldn’t have to worry about it later on. We have a CEO who is infinitely focused and personally vested in ensuring that we protect all the data that is entrusted to us.

All the pieces are in place, and if you truly build a world-class security organization — Yes, we learned a lot, yes we made a mistake, but if we turn this around and build one of the best organizations out there from a security standpoint, I think that warrants a level of building trust.

You were also called in to fix Home Depot’s cybersecurity problems in 2015. With Equifax, are you running the same playbook?

In broad strokes, it’s the same approach. Specifically though, because it’s a completely different type of business, where Home Depot is a B2C (business to consumer), we’re a B2B (business to business) here at Equifax. We’re more regulated than Home Depot was.

There’s different dynamics within the organization, and I fundamentally believe that if you want to build a world-class security organization, it has to align with the business itself.

In terms of risk treatment strategy, those change with a broad brush approach. From a talent, leadership, risk management, control frameworks standpoint, systems like that, I’m using the same playbook that I used there. Because it helps us to accelerate and realize improvements in risk reduction in a much shorter fashion.

We’re coming up on a full year since Equifax announced its breach last September. The response to the disclosure was very critical. Had you been CISO during that time, what would you have done differently?

It’s hard for me to speculate on things. I’m not a huge fan of doing the Monday morning quarterbacking.

Mark Zuckerberg said that Facebook would take about three years to fix. What’s Equifax’s timeline?

We have a three-act plan that we’ve established. Year one is build, year two is mature, and year three is when we believe we’ll become leaders in the space. By 2020, we fundamentally believe that we will be in that position.

Your plan to fix Equifax will take three years. How long will it be to fix its broken trust with the public?

It’s hard for me to speculate on that one. My focus is on making us a world-class security organization, and we’re going to deliver on that promise.

When you were CISO at Home Depot, and Time Warner, you had to build everything from the ground up. Was that the case at Equifax, too?

This is one of the great things that I was pleasantly surprised by when I joined Equifax. There actually is a strong team there. We have a lot of meaningful technologies that are bleeding edge tech security capabilities and so-forth.

One of the things that impressed me the most is that very few organizations detect the breach themselves. We didn’t when I was at Home Depot, it was a third party that told us about it. Equifax discovered it ourselves. We knew we were breached. And that’s a testament to the level of technical skill sets we have, coupled with the infrastructure as well.

There has been a good foundation built on in certain key areas that’s allowed us to build our security up.

What’s been the hardest thing for you to drill into Equifax’s security culture?

I wouldn’t say there’s anything that hasn’t stuck. The thing about culture change is that it’s hard. It takes a while, it’s not like implementing a tool. Technology is pretty easy, it’s the people, the culture point that’s hard.

There’s nothing that hasn’t been adopted or well-received, the key message I have is shared fate. If I talk to someone who’s not in security, and they go, ‘You’re talking about security, that’s your job,’ if there’s not that sense of shared fate where they go, ‘OK, I own this as well, I’m also a part of this,’ then ultimately we’re going to fail.

My goal is to make sure that we drive that sense of ‘shared fate’ across the entire company.

What’s different when you’re running security post-breach and pre-breach?

There’s a huge difference. The role of post-breach CISO is really a change leader. You’ve got to pull in all these pieces and parts, you’ve got to manage the culture aspects, you’ve got to manage the regulators, and all the different priorities that are ongoing, including the implementation and executions that you typically don’t have to.

It’s a whole different set of skills you need than pre-breach. Pre-breach, what you’re doing is trying to sell security. You’re trying to have those risk dialogues, to communicate, ‘hey, we really do need more budget.’

In a post-breach environment, everyone already knows. They know how important security is, because they’ve felt it, they’ve witnessed it first-hand. You have less of a salesmanship aspect, it’s about delivering and executing.

Wouldn’t it make more sense if everyone just acted as if they were in a post-breach environment to be more proactive?

Yes.

I was just in Australia a couple of weeks ago, and I spoke on exactly what you just said. There is a new paradigm of CISOs that embody a lot of these post-breach attributes. They have built-in deep relationships with the board of directors. They’re leveraging talent across their organizations.

If you act like a post-breach CISO, if you do the things that have allowed Home Depot and will allow Equifax to get past this situation, I would argue that you probably will not have to deal with a breach at all. Those skill sets will keep you out of the doghouse.

Security

Microsoft patches Internet Explorer to stop PC takeover attacks

By on August 31, 2021

Microsoft has urged people to update Internet Explorer after finding a major flaw.

The browser’s memory corruption vulnerability lets attackers remotely execute code as if they were the computer’s user, essentially giving them control of the computer, Microsoft wrote in a Wednesday security notice.

An attacker could set up a fake website designed to exploit the flaw and entice you to visit by emailing a link. The vulnerability is tied to how Microsoft’s scripting engine handles objects in Internet Explorer’s memory, a process the update modifies.

The company said it’s being used in targeted attacks, but didn’t offer further details. If you have Windows Update enabled (as Microsoft suggests you do), the latest security updates should have downloaded to fix this issue automatically.

Microsoft noted that Clement Lecigne of Google’s Threat Analysis Group discovered the vulnerability, according to Ars Technica.

The company didn’t immediately respond to a request for further comment.

Internet Explorer was the world’s most popular browser until 2016, when Google Chrome swept past it. Its popularity has plummeted since then — it accounted for less than 3 percent of website usage in November, according to analytics firm StatCounter.

Microsoft has shifted its browser focus to Edge, which is getting a Chromium-based refresh.