Facebook User Data Stolen In Hack. Facebook Offers No Protection.

In a recent breach of Facebook it is suspected that approximately 29 million users had their data stolen, with the most severely affected being a group of 14 million. The attack is currently being attributed to spammers pretending to be a digital marketing firm. According to Facebook, Data stolen includes: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”. News of the hack first surfaced on October 5th when it was suspected that 50 million users were affected, a number that has since been lowered.

Facebook first shared details of the attack last week, fearing as many as 50m people had been affected

Usually, companies in such a predicament offer access to credit protection agencies and other methods of identity theft prevention like in the case of the 2013 Target breach. However, Facebook declared that it would not be taking such steps, and would instead direct users to help pages where they could learn how to avoid phishing. Experts worry about the potential for smaller scale attacks. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, believes that though no financial data was captured, information gathered could still be used in knowledge based authentication to break into accounts. He believes that the best move for Facebook would be to offer free access to password managers and other similar software to help combat this.

In Europe, the breach is costing Facebook about $1.6 billion, or 4% of its yearly revenue. This case is being recognized as the first major test of the General Data Protection Regulation which was enacted in May.

  • Nicholas Antiochos

Sources:

https://www.businessinsider.com/facebook-thinks-spammers-responsible-hack-stole-info-from-29-million-users-2018-10

https://www.bbc.com/news/technology-45845431?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-correspondent

Web Injects Used to Steal Bitcoin Money

With the increased use of cryptocurrency, hackers have started employing the use of Web injects to intercept payments and acquire user information.  Of course when it comes to hacking there are many ways, but this report is intended to inform readers of how Web injects work and why they can be hard to identify.  What a Web inject does is while the page loads, malware that changes the web page before the user sees it.  In this article, two website Web injects are used for Coinbase and Blockchain.info.  With Coinbase, the inject disables the enter key forcing the user to press a fake submit button, thus giving the user credentials to the hacker.  Likewise, the Web injects for Blockchain.info changes the web page so that the payment transaction goes to the hacker.

In the future, the use of online websites for bitcoin transactions (or payment transactions in general) will continue to increase.  A study claimed that by 2024, the number of bitcoin users will reach 200 million (RT news).  Therefore, hackers will always try to exploit the user’s information.  So in the future, companies with online payment platforms and bitcoin wallets will need to continue to research hacker attacks and stay up to date with security.  Also, users should be more aware of the how hackers use Web injections.  So for example, if a button does not work or there is a strange error, they should notify the companies.  This is all that companies and users can really do in this situation.  Just continue to develop security tools and pay attention to details on the webpages.

-Jamie Smith

https://www.darkreading.com/attacks-breaches/criminals-using-web-injects-to-steal-cryptocurrency/d/d-id/1331350

https://www.ccn.com/exponential-growth-number-bitcoin-users-reach-200-million-2024/

 

OURSA Conference

One of the worlds largest computer security conferences, RSA, has recently been in the spotlight for all of the wrong reasons. The conference, which is six weeks away, just released their lineup of keynote speakers, which contains 22 individuals, and only one of those are female. Even worse, the one female speaker, Monica Lewinsky, is not even in the security field, she is speaking about anti-bullying. There was a large uproar regarding this which resulted in the foundation of a new conference, ironically named OURSA, which was formed in a mere 5 days. It is a predominantly female created conference, with the help of allies, that will take place at the same date and time as RSA. The lack of representation isn’t a new issue though, since over many different conferences there has been a collective loss of inclusion of different minorities, including women. RSA responded to the conference by saying the keynote speaker list is not final, and “…it also blamed the lack of women in the field, where just 11% of positions worldwide are held by women.” Firstly, that is an extremely sexist response, but second, if the percentage of positions held by women are so low, wouldn’t it be inspiring to see more female keynote speakers to inspire the next generation? This will only be a one time event and will only be able to host 1000 people instead of the 43,000 that RSA hosted last year. Nevertheless, this will be a groundbreaking conference that will hopefully shed light upon the issues with diversity in the community and the promotion of inclusion within all groups.

 

Source:

https://www.usatoday.com/story/tech/news/2018/03/05/women-create-alternate-tech-conference-protesting-snub-big-security-confab/395323002/

 

-Becca Fried

Extended Validation is Broken

Extended Validation is a tool that can be used by site owners in order to prove the identity of their site beyond a standard HTTPS certificate.  While an HTTPS certificate proves that the server you are communicating with is the site identified by the domain name, it can be easy to spoof domain names for some sites (like facebok.com).  If a site is verified, a person may be likely to trust it without verifying the domain name.

In order to receive an Extended Validation certificate, one must prove to a Certificate Authority that they “are” that name, rather than just owning the domain name.  Most commonly, this is done by proving that you own a company by that name – which is a fairly secure system.  However, in this report, Ian Carroll exploits a vulnerability not in the technical system, but in the United States.

In America, the same company name can be registered in different states (since, for all practical purposes, we are 50 separate countries that are just really friendly).  Carroll takes advantage of this fact by registering the company name “Stripe, Inc.” in Kentucky (Stripe is a popular payment platform, registered in Delaware).  He uses the site registered with this certificate not for malicious purposes but in order to spread awareness of the vulnerability, hosting his whitepaper on the vulnerability there.

This issue raises many questions on how we should be verifying identity, as well as how browsers should deliver verification information to the client.  The entire vulnerability is completely technically sound in that the entire process does what it should (the company named “Stripe, Inc.” has been verified to serve this content).  There is, unfortunately no simple way to solve this problem.  Should the certificate authority only issue these certificates for companies that are “big” or, even more ambiguously, “well-known”, and deny verification to startups?  Should the browser also display the state name of registration along with the certificate (assuming that the common citizen knows the state name of every website he or she visits)?  These are not difficult answers, but their answers are fundamental to the future of identification in an increasingly automated world.

 

– Ryan Volz

Identity Security Against New Algorithms

Recently there was a new piece of software developed that is able to hauntingly transpose any celebrities face onto another’s body and compellingly copy their facial movements. It has been about 2 years since this was technically possible with hardware processing limitations as well as research limitations. Now, a tool has been released that is able to automate this process for anyone with a sufficiently powerful computer. Previously anyone who would want to perform such a seemingly impossible task would have to have a lot of domain knowledge about machine learning hand data sciences. Or alternatively, they could also produce similar results with a huge CGI budget and many technically skilled artists. Currently, there is a tool available that is able to automate this entire process with varying results.

This brings up obvious security implications. If fake video of someone is produced without their consent or knowledge, this can be used for blackmail. Currently, there are few methods to authenticate footage that is used for judicial verification and such to prove a video’s validity. There troubling implications of using machine learning to produce these hauntingly realistic results. Currently, there are no methods that detect fake videos that can be used to verify videos produced via this machine learning algorithm.

Lucky for us, the internet is currently distracted by Nicolas Cage and putting his face on anything and everything else. However, Nicolas Cage never agreed to have his likeness handled in such a way. Even if it is only for the amusement of others, he has not been paid or anything for his image to be used in these videos. I think this technology with have severe implications for the movie industry and the security of one’s likeness being used. One recent example is the Star Wars Rogue One. Industrial Light and Magic did the CGI work for Star Wars Rogue One. ILM used both Carrie Fischer and Peter Cushing’s likenesses to produce new scenes with the now deceased actor’s likenesses using CGI. The producers asked for consent from both of the actor’s families, but Cushings and Fischer never agreed to such things themselves. It is terrifying to see the ability to make such convincing fakes fall into the hands of anybody with a computer.

It is clear that two things need to happen to keep people’s likenesses safe. One, everyone should stop trusting videos they see, especially containing celebrities, immediately. This is important because there is no way to tell if a video is real or fake anymore given the results produced by this technology. Two, additional securities need to be put in place to verify the integrity of a video. Currently, there aren’t any compelling ways to see if a person actually is in a video or not. Everyone knows what it is like to have seen a viral video and recognized that it was set up or faked. But when you saw someone’s face clearly in a video you knew that it was them. Now, there are no grounds to trust videos just because you can see someone’s face.

– Cameron Knight