Tag: Technology News

Facebook Users Should Assume Their Public Has Been Scraped

First it was 55 million.  Then 77 million.  Now, it’s 2.2 billion, or pretty much every user on Facebook.  That’s how many people should assume that their public profile information has been scraped.

The conversation began when it came to light that Cambridge Analytica (a political research firm) had misused Facebook’s search function to scrap profile data for tens of millions of Facebook’s users to help the Trump campaign win the recent presidential election.

As research into the matter has continued. However, it has become clear that Cambridge Analytica wasn’t the only group misusing the search feature, and that before Facebook disabled it, more than two billion of Facebook’s users had seen their public profile information scraped.

Essentially, Facebook was used to paint a more complete picture of users to build a profile which could be sold on the Dark Web.

Starting with stolen phone numbers or addresses, hackers developed automated routines that fed this information into Facebook’s search function, enabling them to link these bits of information with the names and locations of specific people.  Having a more complete profile in hand made the data that much more valuable on the Dark Web, where it is currently being resold.

At 2.2 billion impacted users, it’s certain that this will be the year’s largest data breach. In fact, this one is likely to hold the world record for quite some time.

Facebook’s CEO, Mark Zuckerberg issued an apology to the company’s massive user base.

Mike Schroepfer, the company’s Chief Technology Officer, had this to say:

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them.  This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name.  However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery…we believe most people on Facebook could have had their public profile scraped in this way.”

Microsoft Helping With Ransomware In Office 365

Microsoft recently made small but significant changes to its Office 365 subscription service and to OneDrive, which are often used in tandem.  The goal is to make it easier for users whose files have been encrypted by ransomware (or otherwise corrupted) to recover them.

The most significant of the changes is a new button that Office 365 users will see a new “File Restore” function in both applications.  If you’ve saved your Office 365 files to OneDrive, you’ll be able to restore files in a thirty-day window.  In the event that your files are accidentally deleted or corrupted, getting them back is as simple as pressing the button and selecting the files to be restored.

That’s a huge win for Office 365 and OneDrive users, but there’s more.

The additional changes include:

  • A mobile alert sent to the phone number you select, which will inform you if your files may have been encrypted or otherwise tampered with
  • Support for end-to-end email encryption in their mail service (Outlook), including the web version of the mail app
  • Office now scans all links embedded in PowerPoint, Excel and Word documents to check if they point to malicious content on the web
  • All file attachments and links embedded in emails are now scanned for known phishing threats and viruses
  • Outlook.com now gives users the ability to prevent email recipients from forwarding your emails
  • The ability to password protect OneDrive shared links

That last one is also significant, and is a feature that OneDrive’s user base has been clamoring on about for quite some time.  OneDrive has made it incredibly easy to share files via a link-based system, but unfortunately, never offered users a way to secure those links.  That, thankfully, has now changed.

Individually, all these changes are quite good, but taken together, they represent a significant step in the right direction.  Kudos to Microsoft for taking the threat of ransomware so seriously, and adding specific features to help protect their users.

Passwords May Be Dead Soon If Microsoft Gets Its Way 

Karanbir Singh (a program manager at Microsoft) is on a mission:

Kill the password.

As he said in a recent blog post:

“Nobody likes passwords.  They are inconvenient, insecure, and expensive.  In fact, we dislike them so much that we’ve been busy at work trying to create a world without them–a world without passwords.”

The company’s stated goal is to make it possible that an end user will never have to bother with passwords on a day to day basis and would instead provide credentials that are virtually impossible for hackers to crack or breach.

To accomplish this goal, the company is looking at a number of options, including biometrics and multi-factor authentication schemes.

Singh notes that this isn’t just blue-sky thinking, either.  Already, more than 47 million users and more than five thousand businesses are utilizing “Windows Hello for Business.”  Another solution currently in use is the Microsoft Authenticator app, which allows users to access their Microsoft accounts via their smartphones.

Additionally, as part of the Windows 10 update issued in April (2018), any user with a Managed Service Account or Azure Active Directory can now access their Windows 10 PC without having to enter their password, via the authenticator app and Windows Hello (provided that S-mode is enabled).

The company is also taking advantage of the newly ratified Fast Identity Online (FIDO2) security protocol, and is in the process of updating Windows Hello to enable secure authentication across a wider range of scenarios.  For example:  The company is currently working on a proof of concept for shared PCs that will allow users to log on via FIDO2 security keys, which will allow employees to carry their credentials with them.

They envision a scenario in which any user can simply walk up to any device the organization controls and authenticate without ever having to enter their username or password. This would be especially useful for analysts, help desk personnel, and anyone working in the medical profession.

Obviously no firm timeframes have been given, but as mentioned, some of these technologies are already in use and will be refined in the months ahead.

No Spectre Fix For Certain Intel Processors

The bad news just doesn’t seem to stop where Intel and the Speectre vulnerability are concerned.  The latest bit of news comes directly from Intel, as the company admits that it’s just not possible to address the Spectre vulnerability in some of its older hardware. This means that nine families of chips and more than 230 models of computers (mostly manufactured between 2007 and 2011) will remain vulnerable to Spectre forever.

The company has stopped Spectre mitigation development on the following families of chips:

  • Bloomfield
  • Clarksfield
  • Gulftown
  • Harpertown Xeon
  • Jasper Forest
  • Penryn
  • SoFIA 3GR
  • Wolfdale
  • Yorkfield

A company spokesman had this to say about the recent announcement:

“We’ve now completed the release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google.  However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”

It’s unfortunate, but not entirely unexpected.  If you have any older Intel equipment still in service at your company, have your IT group check the processor family. If it’s one of the above, it’s well worth marking those systems high priorities for upgrades, and limiting their use until you can.

Spectre is a devastating flaw, and it’s just not worth the risk to leave exposed systems connected to your network and in service. This is especially true now that it’s official that no help is coming for certain older systems.

Even worse, AMD chips, which are not impacted by Spectre and Meltdown, have since been found to have their own critical security flaws.  While not as bad or as pervasive as the two Intel is facing, they will nonetheless require the company to issue its own microcode updates, which they are currently scrambling to do.

The long and the short of it is that there really are no safe harbors anymore.

Latest IPhone Update Syncs Messages Across All Devices

If you use Apple products, you may have noticed an annoying “feature”.  If you’re using the messaging app on your phone and texting someone and then you move to your Mac and access the same program there, the conversation you were having on your phone isn’t present.  The two devices are messaging islands that can’t reliably communicate with each other. Since they can’t, you can’t start a conversation on one device and then pick it up later on another.

True, Apple fans have found workarounds for the issue, but these are far less than perfect.

There’s good news, though.  As of the latest iPhone update, your phone will now synchronize your messages across all Apple devices you own.

It’s a small thing, but you’d be amazed at how often it matters.  Back in the “good ol’ days” most people just had one computer they used for everything.  We no longer live in that world.  Today, there are more active smartphones than there are people living on the planet, and the smartphone is just one of the many computing devices we use.

The advent of cloud-based technologies made accessing data across multiple devices possible, allowing you to work seamlessly on the same project with whatever device you have in hand at the moment. However, some things (like messaging) have been impossible, or at least highly inconvenient to access across multiple devices. That is, until now.

Granted, this improvement won’t change the world, but it will serve to make your world more seamless, convenient, and efficient. That makes it worth talking about.

In a lot of ways, the upgrade is like tabbed browsing.  Until you start using it, you cannot fully appreciate just how awesome it is. By the time you realize how great it is, you’re hooked and can’t imagine messaging any other way.  Kudos to Apple for an excellent enhancement!

Panera Bread Customer Accounts Exposed To Threats

Panera Bread company is the latest to find itself in hot water.  Recently, security researcher Dylan Houlihan discovered that the company had failed to encrypt (or otherwise protect) a file containing usernames, email addresses, physical addresses, phone numbers and loyalty account numbers for a staggering thirty-seven million of its customers.

The file was found stored as plain text, and accessible to anyone who bothered to go looking for it. The good news is that no one appears to have absconded with the data, so odds are that even if you’re a Panera customer, you’re not at risk. The bad news is that Panera’s handling of the incident to this point has been dreadful, to say the least.

First, the company was slow to even acknowledge that there was a problem, and when they did, they attempted to downplay the number of users the oversight impacted.  Second (the truly disturbing part of the ongoing story), even when the company did acknowledge the scope and scale of the incident, they left the plain text file on the website. It was completely unsecured until the security professional (Houlihan) contacted them a second time.

To date, their most detailed response has been that the investigation into the matter is ongoing.

There’s a harsh lesson here for any business owner.  This is a textbook example of how not to respond to an incident like this.  There are so many different things Panera could have done to make this a non-issue. The first of which would have been to immediately take the file down or secure it. Next, to immediately notify all the customers on the list (just in case the file had been downloaded by hackers). Lastly, issue a detailed action plan that assured customers that the company was taking steps to make sure something like this would happen in the future.  Sadly, exactly none of that has happened.

Be Careful, Searches May Provide False Download links

If you’re downloading software from the web, be careful.  Take the extra step of verifying that you’re on the developer’s website, because the hackers have a new trick up their sleeve.  It’s actually a deceptively simple one.

Hackers are buying ads on Google and Bing’s search engines, with the links in their ads pointing to malicious sites they control.

This is an almost shockingly simple technique, and broadly speaking, it works like this:

Searches are keyword-based.

Anyone can bid for advertising space on the major search engines.  The higher you bid on any given search term, the more often your ad gets displayed.

Ads are always displayed at the top of the search results, with the organic results coming below them.  Bid high enough on a high traffic keyword, and your ad gets seen by lots of people.

The danger, of course, is that people tend to trust search engine results to take them where they want to go. Often, users won’t pay much attention to the site URL they’re being directed to.  Hackers take advantage of that fact, putting poisoned sites literally right under the noses of unsuspecting users.

Recently, researchers discovered that if you search the term “Chrome download” on Bing, the ad that most commonly gets displayed doesn’t take you to Google’s download area. It takes you to a poisoned site that offers malware disguised as Chrome, and a high percentage of users are clicking the link and downloading without paying attention to where they are.

This kind of campaign is possible because hackers are making tons of money elsewhere, stealing personal information and reselling it.  They’ve got money to spend, and are spending it to further extend their reach.

The lesson here is simple: Even if you’re on a popular search engine, pay close attention to where the links are leading on the search results page.  Failing to do so can have tragic and expensive consequences.

T-Mobile Site Leaked Data On Millions Of Customers

<img class=”alignnone size-full wp-image-7947 alignleft” src=”https://www.securepc-wi.com/wp-content/uploads/2018/07/t-mobile-site-resized.jpg” alt=”” width=”300″ height=”225″ />ZDNet Researcher Ryan Stevenson recently found a big problem on T-Mobile’s website regarding an unprotected API.  As a result of the flaw, untold millions of T-Mobile’s customers’ account information was left exposed and completely unprotected.  Literally anyone who stumbled across the site and tried to abuse it could access a wide range of customer information with no password required.

<strong>This includes, but is not limited to:</strong>
<ul>
<li>Customer name</li>
<li>Phone number</li>
<li>Mailing Address</li>
<li>Account Number</li>
<li>The status of the account (current, past due, suspended, etc.)</li>
</ul>
In an unknown number of cases, tax IDs and PINs were also exposed.

T-Mobile has a bug bounty program and pays a bounty to anyone who discovers a flaw that impacts the company.  Stevenson received a $1,000 reward for discovering the issue, and subsequent research revealed that the flaw had been present on the company’s website since October, 2017 or prior.

T-Mobile’s handling of the incident has been less than stellar so far.  Although they have acknowledged the existence of the issue and have already moved to correct it, the company has issued no information relating to how many customer records were exposed.

There is no evidence that any of the exposed records were inappropriately accessed. Typically, when an incident like this occurs, the company in question provides details relating to the scope and scale of the incident, informs all potentially impacted customers and usually provides a year of free credit and identity monitoring.  So far, none of that has occurred.

While it’s certainly possible that the company may take these steps in the future, we were both surprised and disappointed that they had not already done so, especially given the fact that this was essentially a self-inflicted wound.  Here’s hoping that in the days ahead, they do something to earn back the lost trust.

Google Wants Children Watching YouTube Kids App

More often than not, Google is seen as a force for good on the internet. However, in one area in particular, their actions and words haven’t been in alignment, and it’s gotten them in trouble.

Here’s Google’s official statement about their YouTube Kids service:

“Protecting kids and families has always been a top priority for us.  Because YouTube is not for children, we’ve invested significantly in the creation of the YouTube Kids app to offer an alternative specifically designed for children.”

That statement is true as far as it goes, but there’s an important catch.  The YouTube Kids app is frustratingly difficult to get.  You can’t install it on your Xbox.  Most smart TV’s on the market today don’t support it, and you can’t put it on a PC.  Aside from a few models of LG and Sony smart TVs, and smartphones, it’s just not an option.

Contrast that with the regular YouTube app, which has been rolled out to just about every platform there is, and it’s easy to see where Google’s primary focus is.

It’s not hard to understand the reasoning behind the difference in availability.  One of the key differences between YouTube and YouTube Kids is that the latter doesn’t have targeted advertising, while the former does. Google makes a lot of money on YouTube ads.  It’s simple economics.

Unfortunately, it’s also gotten the company into hot water.  They’ve had complaints from more than 20 consumer advocacy groups, who have banded together and taken their case to the FTC.

In part, the complaint reads as follows:

“Google has made substantial profits from the collection and use of personal data from children on YouTube.  Its illegal collection has been going on for many years and involves tens of millions of US children.”

Ultimately, what the advocacy groups want is for Google to move all kid-centric content over to YouTube kids. However, the company would be extremely reluctant to do that because their kid-friendly app has such limited availability.

This is a thorny issue with no easy answers, and at this point, it’s unclear how Google is going to respond to the complaint.

FBI Advises Users To Reboot Their Routers

Cisco’s Talos Security Team has identified a new threat, and it’s a nasty one impacting more than half a million consumer-grade routers in the US.  According to the Talos Team’s report, the new malware is impacting a broad cross-section of routers made by TP-Link, QNAP, Netgear, Mikrotik, and Linksys.

Known as “VPNFilter,” the malware currently infecting routers appears to be the first stage in a multi-phase attack, with the first segment allowing the hackers to collect a wide range of communications data and slave the device to launch attacks on others.  The code also contains a kill command that allows the hackers to destroy the device at will.

As of now, the FBI has already taken swift action and has seized a domain used by the hackers as a means to deliver the later stages of the attack. They report that the primary and secondary means of further infection have been dismantled.  They also report, however, that the hackers still have a fallback method of infection, which relies on sending “poisoned” data packets to each infected device.

Based on an evaluation of the code and the presence of redundant mechanisms for delivering the later stages of the infection, the code has been traced to a Russian hacking group with deep ties to the Russian government.  The group is known by a variety of names, including Fancy Bear, Sofacy, APT 28, and Pawn Storm.

On the heels of seizing the domain, the FBI released a statement that includes:

“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.  Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled.  Network devices should be upgraded to the latest available versions of firmware.”