Easily the headline for this week. In bullet points:
- Cambridge Analytica had an app called "thisisyourdigitallife". It was installed by about 300,000 people, who gave it access to their data.
- At the time, any Facebook app could also access the data of its users' friends. Through that, they gathered info on 50 million people, mostly US citizens.
- Later, after that data-from-friends policy was changed, Facebook got wind of the data harvesting that had occurred. They 'made' the people responsible delete the data, but apparently they didn't comply.
- Facebook never disclosed that it knew of the breach/leak, and apparently even lied about it in hearings related to the Russia election meddling investigation.
The above article by the Guardian gives a very good overview.
Patches will be made available in the coming weeks. It's now clear that the vulnerabilities aren't on the same level as Spectre/Meltdown, since one needs admin rights to exploit them. But once exploited the machines are very hard to clean up.
This article explains in plain(er) English what the flaws mean.
The company, called Orbitz, disclosed the breach after investigating a legacy system. The breach included payment card information, dates of birth, phone numbers, addresses and more.
It sure makes for fun headlines, but it's still interesting. Once inside a compromised database server, the attackers append the coinminer binary to a legitimate image and then download that image, which gets past most antivirus software.
Imperva has a good deep dive on the attack.
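The trick in that item only works because image parsers stop reading at the image's end marker and everything after it goes unnoticed. The following is an added example, not Imperva's code or the newsletter's, that walks a PNG's chunk list to the IEND chunk (or a JPEG's marker segments to the EOI marker) and reports whatever bytes follow, classifying them by executable magic. The sample files and the ELF/PE stand-ins are constructed inline; they are not real malware.

```python
"""
Check whether a PNG or JPEG carries extra bytes after its logical end.

Added example written for this issue; it is not Imperva's code or any
product's detection logic. It assumes the simplest form of the trick
described above: a binary concatenated after a well-formed image, so the
image still opens normally while the payload sits past the end marker,
where image parsers (and a signature-only AV check) stop reading.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Magic bytes of executable formats worth flagging when found in a trailer.
EXEC_MAGICS = {b"\x7fELF": "ELF", b"MZ": "PE", b"#!": "script"}


def png_logical_end(data):
    """Walk the PNG chunk list and return the offset just past IEND (None if malformed)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4      # length + type + payload + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_logical_end(data):
    """Skip marker segments up to SOS, then return the offset just past EOI (None if malformed).

    Segments are skipped by their declared length, so an EOI inside an
    embedded EXIF thumbnail is not mistaken for the end of the file.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        if data[pos + 1] == 0xDA:               # SOS: entropy-coded data follows
            idx = data.find(JPEG_EOI, pos + 2)  # 0xFF is byte-stuffed inside scan data
            return None if idx < 0 else idx + 2
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
    return None


def scan_image(data):
    """Return (format, trailer) where trailer is everything after the logical end."""
    end, fmt = png_logical_end(data), "PNG"
    if end is None:
        end, fmt = jpeg_logical_end(data), "JPEG"
    if end is None:
        return None, b""
    return fmt, data[end:]


def classify_trailer(trailer):
    """Name the executable format a trailer starts with; 'unknown' if unrecognised, 'none' if empty."""
    if not trailer:
        return "none"
    for magic, name in EXEC_MAGICS.items():
        if trailer.startswith(magic):
            return name
    return "unknown"


# --- constructed sample files (not real malware) --------------------------
def _png_chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # one grey pixel
             + _png_chunk(b"IEND", b""))
FAKE_ELF = b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9 + b"<constructed miner stand-in>"
TROJANED_PNG = CLEAN_PNG + FAKE_ELF

CLEAN_JPEG = (JPEG_SOI
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xe1" + struct.pack(">H", 8) + b"Ex" + JPEG_EOI + b"ab"  # EOI inside APP1, like a thumbnail
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x00" + JPEG_EOI)
FAKE_PE = b"MZ\x90\x00" + b"<constructed miner stand-in>"
TROJANED_JPEG = CLEAN_JPEG + FAKE_PE

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("trojaned.png", TROJANED_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("trojaned.jpg", TROJANED_JPEG)]:
        fmt, trailer = scan_image(blob)
        print(f"{name}: {fmt}, {len(trailer)} trailing bytes, trailer type {classify_trailer(trailer)}")
```

A check like this belongs on the download side of the pipeline, since the image itself is harmless to render; the trailer length alone is a useful alert signal even when the magic bytes are not recognised, because a well-formed image has no reason to carry anything past its end marker.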
This sounds like a very nice update, with features such as expanding short URLs to detect malicious links, flagging emails with encrypted attachments and embedded scripts, and more. They also improved mobile device management (MDM).
They think there might be more issues out there, and want to stimulate research with bug bounties of up to $250,000. The program will run until the end of 2018.
A total of $267,000 was paid out, of which $127,000 went to a single researcher :-)
Their bug bounty program was previously private. They've now opened it up, widened the scope and set the maximum payout per bug to $15,000.
Pretty great list of security measures to take, divided into sections for 'seed', 'series A' and 'post series A', although the divisions are very debatable. Lots of inspiration to be had though. Good discussion on Hacker News too.
Nice piece on Marcus Hutchins aka 'MalwareTech', who stopped WannaCry but was also arrested for his alleged role in the Kronos malware.
Use the dead accurate Netsparker web application security scanner to do the work for you, including eliminating false positives.
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.