We round up reporting and research from across the web about the latest security news. This month: privacy palaver at Facebook, a cyberattack with explosive intent, securing the IoT, sportswear maker uncovers data breach, and authorities arrest an alleged cybercrime mastermind.
Facebook shook by reverberations and revelations
The worlds of privacy and security collided last month after revelations that consulting group Cambridge Analytica had obtained records of 86 million Facebook users. It then used the data to target voters with pro-Trump messages during the 2016 US presidential election campaign. Scientists working on profiling technology had developed a free personality quiz app that harvested the friend information of users who downloaded the app via Facebook. They then provided this data to Cambridge Analytica. The New York Times reported that the idea for building the app came via Palantir, the data analysis company that works with intelligence agencies.
Facebook initially argued that it didn’t consider this as a breach, because anyone using the app had consented to the terms of service. Such semantic gymnastics didn’t cut much ice with commentators who considered it a ‘breach of trust’ – or worse. The scandal seemed to grow ever more complex as more details emerged. At one point, Facebook saw more than $50 billion wiped off its share price. When CEO Mark Zuckerberg eventually broke his silence days later, his response was “evasive and disingenuous”, wrote Karlin Lillington. Facebook has since suspended another data analytics firm, CubeYou, whose tactics were similar to those of Cambridge Analytica.
Sarah Clarke has written a nuanced perspective on the original story and its privacy implications on her Infospectives blog. Meanwhile, SANS published a guide for infosec professionals on communicating to staff about protecting privacy and deactivating social media profiles.
Life’s a breach
Staying with breaches of a different kind, Verizon has just published its 2018 Data Breach Investigations Report. Now in its 11th year, the DBIR is one of the most widely respected and authoritative sources of security research. Here are some of the key findings: financial gain is the motivation behind 76 per cent of incidents. Outsiders conducted 73 per cent of cyber attacks – mostly organised criminal groups. Ransomware’s unstoppable rise continues: it was the leading malware type last year, responsible for 39 per cent of all infections. The report analyses nine industry sectors and looks at the specific security risks facing each one. The full report is here, with an executive summary available here. The 2018 edition draws on more than 53,000 real-world incidents and 2,347 confirmed data breaches. Ireland’s IRISS-CERT was among 67 agencies contributing to the research.
Security experts have long argued that before long, a cyber-attack that began in the virtual world would have real-world consequences. Now there’s an example. News emerged that a petrochemical plant in Saudi Arabia suffered a malware intrusion designed to set off an explosion. The only thing that stopped the explosion from triggering was an error in the computer code, the New York Times reported. The attackers reportedly compromised controllers made by Schneider, which are used in 18,000 plants around the world. The NYT quoted an expert who said a technique that worked against Schneider controllers in Saudi Arabia could also be used in the United States. In separate but related news, the US Department of Homeland Security and the FBI accused Russian hackers of attacking energy companies. The attackers reportedly used spear-phishing to compromise networks in small organisations that are part of US critical infrastructure.
Embedded devices to get embedded security
The UK Government has published a proposed code of practice aimed at improving security for the Internet of Things. The ‘Secure By Design’ report aims to encourage manufacturers and service providers to embed security at the earliest stages of developing IoT products and services. Recommendations include not allowing universal default passwords, securely storing sensitive data, and making it easier for consumers to configure the devices. The average UK household owns at least 10 connected devices. This blog from the Information Commissioner’s Office covers the main points. James Lyne, head of R&D at SANS Institute, described the development as “positive and much needed”. The issue also came into focus after a fatal collision in Arizona last month, involving a self-driving car. After all, what is an autonomous car but a very large connected device? The Electronic Frontier Foundation called for sharing data as a way to improve both safety and security.
Under Armour doesn’t run for cover after breach
Under Armour disclosed that its MyFitnessPal app and website was hacked, exposing personal information about almost 150 million accounts. The incident occurred in February and affected usernames, emails and passwords, but not payment data. Under Armour said it used strong encryption to protect the passwords. This story is important for two reasons. It’s less a finger-pointing exercise at a data breach victim; more a testament to Under Armour’s transparency. The company informed affected users quickly, and was on the front foot when dealing with media questions. Security experts praised the company’s proactive steps to deal with the fallout: it had a plan and executed against it. Financial markets weren’t so forgiving, though. Shares in Under Armour fell 3.8 per cent after the company disclosed the breach.
A win for the good guys as Carbanak chief cuffed
Let’s wrap up this roundup with a good news story for a change. Law enforcement agencies arrested the alleged ringleader behind the Carbanak and Cobalt attacks. The arrest was a complex operation conducted by Spain’s National Police, supported by Europol, the FBI, and authorities in Romania, Moldova, Belarus and Taiwan, along with private cybersecurity companies. Since 2013, the gang had targeted banks worldwide with a combination of spear phishing and malware like Carbanak and Cobalt. The phishing emails contained a malicious attachment that, when downloaded, gave criminals remote control of the infected machines. Europol said this gave the gang access to the internal banking network and infected the servers controlling the ATMs. As the agency’s infographic shows, the group’s ill-gotten gains amounted to more than $1 billion.