News roundup: Facebook data breach puts social media giant in hot water

A roundup of this week’s technology news including Chinese spy chips, Amazon pay disputes and insecure political party mobile apps.


Facebook gets hacked

For all of you that have been in outer space/under a rock/stopped reading the news because every time you do it makes you a little bit sad, the biggest news story from the last seven days is undoubtedly the small matter of 50 million Facebook users having their accounts compromised.

The breach was discovered by Facebook engineers on 25th September and disclosed to the public a GDPR-compliant three days later, after the vulnerability had been patched. Thought to be the biggest breach in the social media platform's history, the attacks stole 'access tokens' from users, meaning the attackers could stay logged into compromised accounts without needing to enter a password. Possessing said token also allows the hacker to take full control of the compromised account and even log in to third-party applications.

In addition to the 50 million users who had their tokens stolen, a further 40 million who had used the 'view as' privacy tool since July were also logged out of their accounts on a precautionary basis.

It is not yet known who is responsible for the hack or the extent to which the stolen tokens were used.

Amazingly, hackers gaining access to 50 million accounts wasn't the biggest beef people had with Facebook on Thursday. As news outlets rushed to publish stories about the breach, users who tried to post links to the stories on their newsfeed found they were being actively stopped from doing so.

The main victims of this apparent censorship attempt appeared to be The Guardian and the Associated Press, with users who attempted to post the link being met with the following message:

Facebook were quick to report the links were blocked due to an unfortunate issue with the automated moderation system that flagged the link as spam due to the high volume of users posting it in such a short space of time.

Almost a week on from the disclosure, several government agencies including the Irish Data Protection Commission and the Spanish Data Protection Agency have announced they've launched an official investigation into the breach.

As the accounts were compromised post-GDPR, Facebook could be facing fines totalling up to $1.63 billion. Ouch.

The spy who hacked me

A Bloomberg investigation has discovered that Chinese spy chips were embedded into Super Micro motherboards and sold to major US companies such as Amazon and Apple. Both companies independently discovered the rogue chips back in 2015, reporting their findings to the FBI, who then launched an investigation that is still ongoing.

The chips were disguised to look like other components and connected to the management processor, meaning they had wide-ranging access to both system and network memory. By connecting to certain remote systems, the chip would be able to open up the device to remote attackers.

It's also now believed that Amazon's move to sell off its physical server business in China last year was due to the unit being compromised by government-sanctioned Chinese spies.

In other spy-related news, seven Russian intelligence officials were indicted by the US government this week for hacking a number of American targets. According to the report, Russian spies waged a long-running campaign against the investigations being carried out into the Russian doping scandal at the 2014 Winter Olympics.

Russian spies have also been exposed by the UK and Dutch governments for attempting to hack into the Organisation for the Prohibition of Chemical Weapons, amongst other things. Surprisingly, the intelligence officials involved made a number of reckless and sloppy mistakes, including having fake diplomatic passports issued with sequential passport numbers, and one setting up a dating profile using his real name and photo.

Security roundup

Tl;dr: you're probably being hacked this very second.

  • Are you an ordinary member of the public? Bad news then, my friend. A report out this week says that 25% of all cyberattacks are now aimed at the ordinary user. Cyberattacks were reportedly 47% higher during Q2 of 2018 than they were in the same period the previous year, with 765 million ordinary users being victimised during those three months.
  • Bad news for the UK Conservative Party this week. To try and prove to the yoot they understand the importance of tech, they launched a mobile app for attendees of their conference to use. Great in theory; in reality, however, whoever designed the application forgot that passwords exist, allowing users to log into an account via an email address alone. This meant that accounts belonging to politicians that were registered using their publicly available Parliamentary email address could be logged into by anyone with the ability to use Google. Worse still, once logged in, users could then gain access to a whole host of personal information about the account holder, including non-publicly available mobile phone numbers.
  • Threat management company Cofense reported that this year's World Cup probably played a role in distracting hackers from updating TrickBot malware. While sustained attacks perpetrated by the malware were reported throughout April to July, the start of the World Cup apparently coincided with a significant drop-off in the sophistication of TrickBot's phishing lures.
  • The Financial Conduct Authority has taken a no-nonsense approach to the 2016 Tesco Bank breach, fining the supermarket £16.4 million. According to a statement provided by the Authority, the breach was preventable and the whole thing could have been avoided if the bank had exercised "sufficient rigour, skill and urgency". Despite the hefty fine, the FCA actually reduced the initial sum as a result of the bank's openness and cooperation in preventing the attack from escalating at the time.
  • California has passed a law banning electronics companies from using weak passwords. Coming into force in 2020, the bill demands that each gadget be given a unique password when it is made, and makes default passwords such as "admin" and "password" illegal. The bill also allows customers who suffer harm when a company ignores the law to sue for damages.

ZTE back on probation

A US judge ruled this week that Chinese telecom company ZTE has breached the terms of its probation. According to the ruling, the company lied about disciplining 35 employees back in April, resulting in the company being observed by a court-appointed monitor until 2022; a two-year extension on the original surveillance period.

M&A

Global M&A activity has reached record levels for the first nine months of 2018, with deals this year so far being worth nearly $3.3 trillion. So, on that note, here's a roundup of this week's mergers and acquisitions.

Google has acquired AI chatbot Onward; Palo Alto has snapped up RedLock; Cloudera and Hortonworks have put aside their differences and announced a merger, as have social intelligence platforms Brandwatch and Crimson; and Bharti Airtel has bought AI startup AuthMe.

Net neutrality

On 30th September, California Governor Jerry Brown signed a net neutrality bill into law, prohibiting internet providers from blocking or regulating any legal apps and websites whilst also banning the paid prioritization of content.

However, not everyone is best pleased with the bill. Case in point, the US Justice Department, which, on October 1st, announced it was filing a lawsuit against the state legislators for attempting to "subvert the Federal Government's deregulatory approach."

California is not the only state to have passed legislation to roll back the FCC's reversal of the previous administration's net neutrality rules. Six state Governors have signed their own executive orders and Oregon, Vermont, and Washington have already adopted their own net neutrality rules.

This lawsuit by the Department of Justice is now likely to become a key test of the federal government's net neutrality legislation.

Amazon

Richest man alive and real-life super villain Jeff Bezos this week announced he is adding 'Ghost of Christmas Present-era Scrooge' to his repertoire by announcing a pay rise for workers in the UK and US. The company's minimum wage is now set at $15/hr in the US, £10.50/hr in London and £9.50/hr in the rest of the UK.

The cynics out there see the move as little more than a PR stunt, designed to placate the growing number of anti-Amazon critics (including Bernie Sanders and the Archbishop of Canterbury) that have become emboldened in recent months after a flurry of reports about the poor workplace conditions in Amazon warehouses.

However, Amazon employees are now saying this new pay structure has removed monthly bonuses and stock option awards, leaving some workers financially worse off than they were before the pay rise was announced.

Let's not forget the real loser in all this is Bezos himself. With the average wage for Amazon employees now increasing, it's now probably going to take him longer than nine seconds to earn what just one of his workers takes home in an entire year. Will no one think of the billionaires?!
