Facebook Wins, Facebook Losses, and More Security News This Week
Credit to Author: Wired Staff| Date: Sat, 29 Sep 2018 14:41:15 +0000
This week has been hard for lots of people, for lots of reasons, but at least it’s over. As a parting shot, though, Facebook announced a security breach that affected at least 50 million people—and possibly as many as 90 million. Or who knows! Maybe more. It’s early days yet.
Facebook hasn’t yet figured out who the hackers are—and may never—or the full extent of the damage, although the attackers could have gained full access to affected accounts. Oh, and also apparently to any account you used Facebook to login to. Not great!
In other concerning news, new research illustrates how mobile sites access some of your smartphone’s sensors—including motion and light—without asking permission or notifying you at all. Security researchers at ESET caught Russian hackers using a clever technique called a UEFI rootkit, which not even swapping in a new hard drive will fix. And while deputy attorney general Rod Rosenstein kept his job this week, don’t expect the Mueller investigation status quo to last much beyond the midterm elections regardless.
There was at least some good news to be found. The new series of YubiKey hardware authentication tokens will support the FIDO2 standard, which is a very jargon-heavy way of saying you’ll be able to plug them into your computer instead of using a password someday. And while Google introduced a very confusing, not great change to Chrome that made it look like people were logged in against their wishes, they ended up making it optional. Which is a partial win?
Elsewhere, DIY gun evangelist Cody Wilson resigned from the company he founded, Defense Distributed, amid unassociated legal turmoil. Don't expect that to slow the march of 3-D printed firearms, though. And remember how voting machine security was a mess before the 2016 election? Surprise! It's still very much a mess.
And there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Over the last several weeks, Facebook has been fighting the US government in court over whether it has to wiretap an alleged gang member's Messenger account. It was seen as an important test case for preserving strong encryption; the feds were hoping for Facebook's help to access to Messenger calls they otherwise could not. On Friday, a judge ruled in favor of Facebook, preserving the privacy status quo, at least for now.
And then more bad Facebook news. What a rollercoaster! Gizmodo reporter Kashmir Hill confirmed this week that Facebook accesses “shadow contact information” to target ads at people. Specifically, in this case, the email addresses and phone numbers you hand over in answer to security questions to secure your account—think your two-factor phone number—as well as any contact info Facebook may have found of yours through your friends. By using only this shadow data, Hill was able to target a single security researcher with an ad for his eyes only. Hill reports that Facebook denied doing this last year when she asked the company about it. When confronted with Hill's evidence, Facebook finally acknowledged that it does..
Remember back in 2016 when Uber had a massive data breach—affecting 25 million customers—but didn’t tell anyone about it for more than a year? Of course you do. It was a huge scandal, not least because it came just two years after an earlier large breach and because rather than warn their customers, Uber paid the hackers to keep the breach a secret. Now the company has to pay a $148 million penalty–the largest ever for a data breach.
A puppet master for the long-running and beloved Broadway show “The Lion King” was arrested at the Minskoff Theater recently. Ilya Vett was charged with “attempted criminal possession of a firearm” after theater staff found at least part of a 3-D printed gun in his office. It’s illegal in the state of New York to print a revolver, assault rifle or pistol without a permit. When an NYPD police officer arrived at the theater, the officer wrote in the criminal complaint, he saw the 3-D printer in the theater’s prop room in the act of printing a revolver. Vett told cops he was making the gun for his brother who lives upstate, and who he claimed had a permit. He’d found the prints online. No word on whether Disney will allow Vett to return to building Mufasa and Pumba puppets.
https://www.wired.com/category/security/feed/