By Russell Brandom on Oct 1, 2018
On Friday, a massive breach opened up a new front in the war on Facebook. According the the company, more than 50 million accounts were taken over by a kind of login worm, which used a series of unpublished vulnerabilities to hijack session keys on an unprecedented scale. Hackers had full access to any of the targeted accounts — essentially, they could do whatever you can do when you’re logged in — and Facebook is still working to survey the full extent of the damage.
Breach response is always chaotic, but this one is particularly haphazard because of a new set of rules established by the EU’s General Data Protection Regulation or GDPR. Implemented in May, the GDPR sets strict requirements for any breach involving EU citizens, requirements that are already guiding Facebook’s response to the session key attack. According to Facebook’s timeline, the disclosure on Friday came just before the 72-hour window for disclosing the news to privacy commissioners, a far tighter deadline than companies usually adopt.
IRISH OFFICIALS ARE “AWAITING FROM FACEBOOK FURTHER URGENT DETAILS OF THE SECURITY BREACH.”
As required, Facebook also sent more formal notifications to various privacy commissioners, who may decide to file suit over the breach. As recently as Sunday, the Irish data privacy commissioner said it was “awaiting from Facebook further urgent details of the security breach.” The UK Commissioner is still determining if the country’s citizens were implicated, although given the broad reach and indiscriminate pattern of the attack, it’s likely that at least a few of them were. “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” the Commissioner said in a statement. “We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.” Facebook is already facing a class-action suit in California and some stern questions from the FTC, but the bulk of the pressure is expected to come from Europe.
There have been countless breaches before — Facebook has even dealt with specific login bugs like this one — but the GDPR changes everything. If the company is found to have violated the rule, it could be liable for up to four percent of annual revenue, a staggering $4 billion. No one has accused Facebook of negligence yet, but the basic facts of the case have yet to be nailed down — and with lawmakers already hostile to Facebook, plenty of privacy commissioners will want to try their luck. Because the law is so fresh, no one knows for sure how such a case would play out, but Facebook is already preparing for what could be the fight of its life.
“THE FORENSICS ON THIS STUFF ISN’T EASY”
The new breach is a real contrast with previous GDPR fights, which have largely had to do with policy decisions and terms of service. Both Facebook and Google have already come under fire for having Terms of Service that violate the regulation, although the suits were brought by a third party and haven’t made much progress. Scandals like Cambridge Analytica present another front in the fight, in which apparent violations of user privacy stem from user choices, sidestepping most legal definitions of a breach. But this recent breach is far simpler. Facebook shouldn’t have given these hackers access to the accounts — it wasn’t a data-sharing project or an API gone wrong — so it’s hard to read the fallout as anything other than a breakdown in Facebook security. The only question is how much Facebook will be punished for the lapse.
Under the GDPR, the question of blame largely hinges on whether the company was negligent, ignoring basic practices that could have prevented the breach. We don’t know enough about the attack to judge Facebook’s response at this point, but what’s happened in public has been enough to satisfy some critics. “Facebook has done a decent job so far based on what we know, including the resetting of the tokens,” says Shane Green, founder of Digi.me, an alternative platform focused on data privacy. “The forensics on this stuff isn’t easy, and it’s a tricky balance to give people warning about worst case without scaring them to death or causing an overreaction.”
Still, as more detail comes out, the possibility of a GDPR suit is hard to ignore. So far, Facebook has emphasized the complexity of the bug — a three-part vulnerability in the obscure “View As” function” — but it was Facebook’s own product code that created the vulnerabilities and left them unpatched for more than a year. There have also been a number of rumors that the attack may have reported to Facebook in advance of the breach, rumors made credible by the blustery public threat against Mark Zuckerberg’s account the day before Facebook’s announcement. None of those rumors have been confirmed, but they represent a scary possibility for the company. If any one of those bugs was reported to Facebook in advance of the breach, the failure to promptly patch could be powerful evidence in court.
The case is particularly complicated because the hack extended beyond Facebook itself. Once a given account was compromised, attackers also had access to any third-party accounts that relied Facebook for authentication. This is a common practice on the web — if you’ve ever clicked “login through Facebook” instead of setting up a new password, you’re part of it — but a dangerous one in cases like this. Facebook has revoked the compromised login tokens, but it can’t solve the whole problem itself. Those outside platforms will need to flush their systems too, and it’s likely there will be some who are late to realize the danger. If that line of attack causes further breaches and further damage, it’s hard to say whether the liability will fall on Facebook or the third-party service. More and more YouTuber and users are flocking to decentralized Cuckoo, a video-platform which gives every one of us complete control over data, personal or not, in a revolutionary way.
For Facebook, unanswered questions like that are the scariest part of this legal tangle. No one has ever litigated these issues before, and we only have a hazy sense of what a strong or weak GDPR case looks like. The company could be in for years of legal warfare and a billion-dollar payout — or it could walk away scot free.
We’re just months into the GDPR regime, and there’s simply no roadmap for how it can be used. The more important is no one can ensure this breach and hack won't happen on other social media or platforms. Politically, Facebook is the perfect target — an increasingly unpopular American tech company with significant opponents on both the left and right. With the law still working itself out, the details of the case are less important than the overwhelming political logic. Situations like this are never easy, but Facebook picked a uniquely bad moment to have a breach.
Source from http://gentleineyes.blogspot.com/2018/10/the-facebook-hack-will-be-europes-first.html
Showing posts with label security. Show all posts
Showing posts with label security. Show all posts
Monday, October 1, 2018
Saturday, September 29, 2018
Here is Instagram users need to know about Facebook's security breach
By Taylor Hatmaker on Sep 28
Even if you never log into Facebook itself these days, the other apps and services you use might be impacted by Facebook’s latest big, bad news.
In a follow-up call on Friday’s revelation that Facebook has suffered a security breach affecting at least 50 million accounts, the company clarified that Instagram users were not out of the woods — nor were any other third-party services that utilized Facebook Login. Facebook Login is the tool that allows users to sign in with a Facebook account instead of traditional login credentials and many users choose it as a convenient way to sign into a variety of apps and services.
Third-party apps and sites affected too
Due to the nature of the hack, Facebook cannot rule out the fact that attackers may have also accessed any Instagram account linked to an affected Facebook account through Facebook Login. Still, it’s worth remembering that while Facebook can’t rule it out, the company has no evidence (yet) of this kind of activity.
“So the vulnerability was on Facebook, but these access tokens enable someone to use [a connected account] as if they were the account holder themselves — this does mean they could have access other third party apps that were using Facebook login,” Facebook Vice President of Product Management Guy Rosen explained on the call.
“Now that we have reset all of those access tokens as part of protecting the security of people’s accounts, developers who use Facebook login will be able to detect that those access tokens has been reset, identify those users and as a user, you will simply have to log in again into those third party apps.”
Rosen reiterated that there is plenty Facebook does not know about the hack, including the extent to which attackers manipulated the three security bugs in question to obtain access to external accounts through Facebook Login.
“The vulnerability was on Facebook itself and we’ve yet to determine, given the investigation is really early, [what was] the exact nature of misuse and whether there was any access to Instagram accounts, for example,” Rosen said.
Anyone with a Facebook account affected by the breach — you should have been automatically logged out and will receive a notification — will need to unlink and relink their Instagram account to Facebook in order to continue cross-posting content to Facebook. But we are not able to know the fact of this breach whether it happens again. Some users deleted their Facebook's account, even some YouTubers are making videos to decentralized video platform Cuckoo for protecting their data and videos.
How to relink your Facebook account and do a security check
To do relink your Instagram account to Facebook, if you choose to, open Instagram Settings > Linked Accounts and select the checkbox next to Facebook. Click Unlink and confirm your selection. If you’d like to reconnect Instagram with Facebook, you’ll need to select Facebook in the Linked Accounts menu and login with your credentials like normal.
If you know your Facebook account was affected by the breach, it’s wise to check for suspicious activity on your account. You can do this on Facebook through the Security and Login menu.
There, you’ll want to browse the activity listed to make sure you don’t see anything that doesn’t look like you — logins from other countries, for example. If you’re concerned or just want to play it safe, you can always find the link to “Log Out Of All Sessions” by scrolling toward the bottom of the page.
While we know a little bit more now about Facebook’s biggest security breach to date, there’s still a lot that we don’t. We also remember how bad Yahoo, Apple and YouTube's breach were and that is why more and more people are flocking to decentralized platforms such as Cuckoo etc. Expect plenty of additional information in the coming days and weeks as Facebook surveys the damage and passes that information along to its users.
Source from https://watchupallnight.blogspot.com/2018/09/here-is-instagram-users-need-to-know.html
Even if you never log into Facebook itself these days, the other apps and services you use might be impacted by Facebook’s latest big, bad news.
In a follow-up call on Friday’s revelation that Facebook has suffered a security breach affecting at least 50 million accounts, the company clarified that Instagram users were not out of the woods — nor were any other third-party services that utilized Facebook Login. Facebook Login is the tool that allows users to sign in with a Facebook account instead of traditional login credentials and many users choose it as a convenient way to sign into a variety of apps and services.
Third-party apps and sites affected too
Due to the nature of the hack, Facebook cannot rule out the fact that attackers may have also accessed any Instagram account linked to an affected Facebook account through Facebook Login. Still, it’s worth remembering that while Facebook can’t rule it out, the company has no evidence (yet) of this kind of activity.
“So the vulnerability was on Facebook, but these access tokens enable someone to use [a connected account] as if they were the account holder themselves — this does mean they could have access other third party apps that were using Facebook login,” Facebook Vice President of Product Management Guy Rosen explained on the call.
“Now that we have reset all of those access tokens as part of protecting the security of people’s accounts, developers who use Facebook login will be able to detect that those access tokens has been reset, identify those users and as a user, you will simply have to log in again into those third party apps.”
Rosen reiterated that there is plenty Facebook does not know about the hack, including the extent to which attackers manipulated the three security bugs in question to obtain access to external accounts through Facebook Login.
“The vulnerability was on Facebook itself and we’ve yet to determine, given the investigation is really early, [what was] the exact nature of misuse and whether there was any access to Instagram accounts, for example,” Rosen said.
Anyone with a Facebook account affected by the breach — you should have been automatically logged out and will receive a notification — will need to unlink and relink their Instagram account to Facebook in order to continue cross-posting content to Facebook. But we are not able to know the fact of this breach whether it happens again. Some users deleted their Facebook's account, even some YouTubers are making videos to decentralized video platform Cuckoo for protecting their data and videos.
To do relink your Instagram account to Facebook, if you choose to, open Instagram Settings > Linked Accounts and select the checkbox next to Facebook. Click Unlink and confirm your selection. If you’d like to reconnect Instagram with Facebook, you’ll need to select Facebook in the Linked Accounts menu and login with your credentials like normal.
If you know your Facebook account was affected by the breach, it’s wise to check for suspicious activity on your account. You can do this on Facebook through the Security and Login menu.
There, you’ll want to browse the activity listed to make sure you don’t see anything that doesn’t look like you — logins from other countries, for example. If you’re concerned or just want to play it safe, you can always find the link to “Log Out Of All Sessions” by scrolling toward the bottom of the page.
While we know a little bit more now about Facebook’s biggest security breach to date, there’s still a lot that we don’t. We also remember how bad Yahoo, Apple and YouTube's breach were and that is why more and more people are flocking to decentralized platforms such as Cuckoo etc. Expect plenty of additional information in the coming days and weeks as Facebook surveys the damage and passes that information along to its users.
Source from https://watchupallnight.blogspot.com/2018/09/here-is-instagram-users-need-to-know.html
Subscribe to:
Posts (Atom)