Easily the headline for this week. In bullet points:
- Cambridge Analytica had an app called "thisisyourdigitallife". It was installed by about 300.000 people who gave it access to their data.
- At the time any Facebook app could also access data from friends of their users. As such they gathered info on 50 million people, mostly US citizens.
- Later, after that data-from-friends policy was changed, Facebook got wind of the data harvesting that occurred. They 'made' the people responsible delete the data, but apparently they didn't comply.
- Facebook never disclosed that it knew of the breach/leak, and apparently even lied about it in hearings related to the Russia election meddling investigation.
The above article by the Guardian gives a very good overview.
Mark Zuckerberg wrote a post outlining the story from his point of view here. He also says they will look for similar instances of data harvesting and implement stricter app controls.
Patches will be made available in the coming weeks. It's now clear that the vulnerabilities aren't on the same level as Spectre/Meltdown, since one needs admin rights to exploit them. But once exploited the machines are very hard to clean up.
This article explains in plain(er) English what the flaws mean.
The company, called Orbitz, disclosed the breach after investigating a legacy system. The breach included payment card information, dates of birth, phone numbers, addresses and more.
It sure makes for fun headlines, but it's still interesting. Once inside a compromised database they append the coinminer binary to a legitimate image file and have the server download that image, fooling most antivirus software.
Imperva has a good deep dive on the attack.
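The trick described above can be caught on the defending side by checking whether an image file carries bytes past the format's logical end. The Python below is an added example, not code from this page or from Imperva's write-up: it walks JPEG marker segments (skipping EXIF/APP segments by their length fields, so an embedded thumbnail's own end marker does not fool it) and PNG chunks up to IEND, returns any trailing data, and flags trailers that start with an ELF or PE header. GIF is not handled. All sample files are constructed inline.

```python
import struct
import zlib
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker of the first complete JPEG stream, or None if malformed."""
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                      # lost sync: not at a marker
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI reached
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                         # standalone markers (TEM, RSTn, SOI) have no length
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                   # skip the whole segment (APPn, DQT, SOF, SOS header, ...)
        if marker == 0xDA:                   # SOS: entropy-coded data follows until a real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                    # FF00 is byte stuffing, FFD0-FFD7 are restart markers
                pos += 1
    return None


def png_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if the chunk walk runs off the end."""
    pos, n = len(PNG_SIG), len(data)
    while pos + 8 <= n:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                   # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return pos if pos <= n else None
    return None


def trailing_payload(data: bytes) -> Optional[bytes]:
    """Bytes appended after the image's logical end; b'' if clean; None if unknown format or malformed."""
    if data.startswith(JPEG_SOI):
        end = jpeg_end_offset(data)
    elif data.startswith(PNG_SIG):
        end = png_end_offset(data)
    else:
        return None
    return None if end is None else data[end:]


def classify_trailer(trailer: Optional[bytes]) -> str:
    """Coarse label for what follows the image: none / elf / pe / unknown / unparsed."""
    if trailer is None:
        return "unparsed"
    if not trailer:
        return "none"
    if trailer.startswith(b"\x7fELF"):
        return "elf"
    if trailer.startswith(b"MZ"):
        return "pe"
    return "unknown"


# --- constructed samples (not real files) ---
def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0 segment, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS header, length 8
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                               # scan data with FF00 stuffing and an RST marker
    + JPEG_EOI
)
CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + png_chunk(b"IEND", b"")
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed placeholder body"
FAKE_PE = b"MZ" + b"\x90" * 14 + b"constructed placeholder body"
TAMPERED_JPEG = CLEAN_JPEG + FAKE_ELF       # the "miner appended to an image" pattern
TAMPERED_PNG = CLEAN_PNG + FAKE_PE


def scan(files: dict) -> dict:
    """Map file name -> trailer label for a batch of in-memory images."""
    return {name: classify_trailer(trailing_payload(blob)) for name, blob in files.items()}


if __name__ == "__main__":
    for name, verdict in scan({"clean.jpg": CLEAN_JPEG, "clean.png": CLEAN_PNG,
                               "bad.jpg": TAMPERED_JPEG, "bad.png": TAMPERED_PNG}).items():
        print(f"{name}: {verdict}")
```

Because the JPEG walker follows segment lengths rather than searching for the last `FF D9`, it reports the end of the first complete image; any appended binary, whether or not it happens to contain `FF D9` itself, shows up as trailing data. Such a check belongs at the point where a database or web server is allowed to fetch files from the network.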
This sounds like a very nice update, with features such as expanding short URLs to detect malicious links, flagging emails with encrypted attachments and embedded scripts, and more. They also improved mobile device management (MDM).
They think there might be more issues out there, and want to stimulate research with bug bounties of up to $250.000. The program will run until the end of 2018.
A total of $267.000 was paid out, of which $127.000 went to a single researcher :-)
Their bug bounty program was previously private. They've now opened it up, widened the scope and set the maximum payout per bug to $15.000.
Pretty great list of security measures to take, divided into sections for 'seed', 'series A' and 'post series A', although the divisions are very debatable. Lots of inspiration to be had though. Good discussion on Hacker News too.
Nice piece on Marcus Hutchins aka 'MalwareTech', who stopped WannaCry but was also arrested for his alleged role in the Kronos malware.