
Saturday, September 29, 2018

What comes next in Facebook's major data breach


NEW YORK — For users, Facebook's revelation of a data breach that gave attackers access to 50 million accounts raises an important question: What happens next?

For the owners of the affected accounts, and of another 40 million that Facebook considered at risk, the first order of business may be a simple one: sign back into the app. Facebook logged everyone out of all 90 million accounts in order to reset digital keys the hackers had stolen — keys normally used to keep users logged in, but which could also give outsiders full control of the compromised accounts.

Next up is the waiting game, as Facebook continues its investigation and users scan for notifications that their accounts were targeted by the hackers.

What Facebook knows so far is that hackers got access to the 50 million accounts by exploiting three distinct bugs in Facebook's code that allowed them to steal those digital keys, technically known as "access tokens." The company says it has fixed the bugs.

Users don't need to change their Facebook passwords, it said, although security experts say it couldn't hurt to do so.

Facebook, however, doesn't know who was behind the attacks or where they're based. In a call with reporters on Friday, CEO Mark Zuckerberg — whose own account was compromised — said that attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.

"We do not yet know if any of the accounts were actually misused," Zuckerberg said.

The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of these issues have significantly shaken the confidence of the company's 2 billion global users.

This latest hack involved bugs in Facebook's "View As" feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the "View As" feature. The attack then moved along from one user's Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages, said Guy Rosen, Facebook's vice president of product management. But it wasn't until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.

"We haven't yet been able to determine if there was specific targeting" of particular accounts, Rosen said in a call with reporters. "It does seem broad. And we don't yet know who was behind these attacks and where they might be based."

Neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.

Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third party applications.

Williams noted that the company's "Facebook Login" feature lets users log into other apps and websites with their Facebook credentials. "These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user's account on a third party site," he said.

Facebook confirmed late Friday that third party apps, including its own Instagram app, could have been affected.

"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves," Rosen said.

News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook's privacy practices.

The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts — enough for half of the world's entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.

U.S. prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.

In Facebook's case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University. Rid said it could also be spammers or criminals.

"Nothing we've seen here is so sophisticated that it requires a state actor," Rid said. "Fifty million random Facebook accounts are not interesting for any intelligence agency."

___

O'Brien reported from Providence, Rhode Island. Frank Bajak in Boston contributed to this report.

source: philstar.com

Thursday, April 12, 2018

Key points from Facebook-Zuckerberg hearings


WASHINGTON, United States — Facebook chief Mark Zuckerberg testified for nearly 10 hours over two days on Facebook's privacy and data protection issues before committees of the Senate and House on Tuesday and Wednesday (Wednesday and Thursday, Manila time).

Here are key points:

Protecting the platform

"It's clear now we didn't do enough," Zuckerberg said of protecting private user data and of preventing the hijacking of data on millions of users by Cambridge Analytica.

Zuckerberg said Facebook was built as "an idealistic and optimistic company" to help people connect but failed "to prevent these tools from being used for harm... that goes for fake news, for foreign interference in elections, and hate speech, as well as developers and data privacy."


He said that by the end of the year Facebook would have 20,000 people working on security and content review and would also step up use of artificial intelligence to weed out fake accounts and inappropriate content.

Regulation

Zuckerberg said regulation of social media companies is inevitable, but warned that rules could also hamper the industry's growth.

"The internet is growing in importance around the world in people's lives, and I think that it is inevitable that there will need to be some regulation," he told lawmakers.

"But I think you have to be careful about putting regulation in place. A lot of times regulations put in place rules that a company that is larger, that has resources like ours, can easily comply with, but that might be more difficult for a smaller startup company."

Zuckerberg said the EU's General Data Protection Regulation (GDPR) to come into effect on May 25 was more stringent than what was currently in place at Facebook and suggested it could serve as a rough model for US rules in the future.

Facebook is implementing the GDPR standards for European users next month, and some of its rules will be extended to US and other users later, he confirmed.

"The GDPR requires us to do a few more things and we are going to extend that to the world," he said.

Facebook model

Zuckerberg maintained that Facebook users deserve protection of private data but appeared to argue that its controls make it possible to determine how information is shared.

He claimed that "there's a very common misperception... that we sell data to advertisers," adding that "we do not sell data to advertisers. We don't sell data to anyone."

But he maintained that advertising enables Facebook to offer a free service and that targeted ads based on user categories were more acceptable to users, even if they could opt out.

Zuckerberg also said the company believed in an ad-supported business model, but appeared to leave open the possibility of a paid version.

"There will always be a version of Facebook that is free," Zuckerberg told the hearing.

Russian manipulation

The 33-year-old CEO said Facebook was in a constant struggle to guard against Russian manipulation of the Facebook platform to influence elections in the US and elsewhere.

"There are people in Russia whose job it is to try to exploit our systems and other internet systems and other systems as well," he said.

"So this is an arms race. They're going to keep getting better and we need to invest in getting better at this too."

Zuckerberg has previously acknowledged the social network failed to do enough to prevent the spread of disinformation during the last US presidential race.

"One of my greatest regrets in running the company is that we were slow in identifying the Russian information operations in 2016," he said.

"We expected them to do a number of more traditional cyber attacks, which we did identify and notify the campaigns that they were trying to hack into them. But we were slow at identifying the type of — of new information operations."

He added that Facebook is cooperating with the special counsel investigation into Russian interference in the 2016 election.

"Our work with the special counsel is confidential. I want to make sure in an open session I don't reveal something that's confidential," he said.

source: philstar.com

Thursday, March 29, 2018

Facebook cuts ties to data brokers in blow to targeted ads


Facebook Inc said on Wednesday it would end its partnerships with several large data brokers who help advertisers target people on the social network, a step that follows a scandal over how Facebook handles personal information.

The world’s largest social media company is under pressure to improve its handling of data after disclosing that information about 50 million Facebook users wrongly ended up in the hands of political consultancy Cambridge Analytica.

Facebook adjusted the privacy settings on its service on Wednesday, giving users control over their personal information in fewer taps.

Facebook has for years given advertisers the option of targeting their ads based on data collected by companies such as Acxiom Corp and Experian PLC.

The tool has been widely used among certain categories of advertisers – such as automakers, luxury goods producers and consumer packaged goods companies – who do not sell directly to consumers and have relatively little information about who their customers are, according to Facebook.


“While this is common industry practice, we believe this step, winding down over the next six months, will help improve people’s privacy on Facebook,” Graham Mudd, a Facebook product marketing director, said in a statement.

Shares in Acxiom traded down more than 10 percent to $25 after Facebook’s announcement after the bell. Shares in other data brokers were largely unchanged.

Acxiom said late on Wednesday it did not expect this change to impact its revenue or earnings for the year ending in March. The company currently expects revenue in the range of $910 million to $915 million in the 2018 fiscal year.

However, for the 2019 fiscal year, Acxiom expects total revenue and profitability to be negatively impacted by as much as $25 million.

Facebook declined to comment on how the change could affect its ad revenue.

Advertisers would still be able to use third-party data services to measure how well their ads performed by examining purchasing data, Facebook said.

Facebook’s website lists nine third-party data providers that it has worked with, including Acxiom, Experian, Oracle Data Cloud, TransUnion and WPP PLC.

Other companies, besides Acxiom, were not available for comment.

Facebook on Wednesday also put all its privacy settings on one page and made it easier to stop third-party apps from using personal information. Privacy settings had previously been spread over at least 20 screens, Facebook said.

Facebook said in a blog post it had been working on the updates for some time but sped things up to appease users’ anger over how the company uses data and as lawmakers around the globe call for regulation.

Facebook’s shares closed up 0.5 percent at $153.03 on Wednesday. They are still down more than 17 percent since March 16, when Facebook first acknowledged that user data had been improperly channeled in 2014 via a third-party app to Cambridge Analytica, which was later hired by Donald Trump’s 2016 presidential campaign.

The data leak has raised investor concerns that any failure by big tech companies to protect privacy could deter advertisers, who are Facebook’s lifeblood, and lead to tougher regulation.

SCRUTINY FROM LAWMAKERS

Facebook Chief Executive Mark Zuckerberg has repeatedly apologized for the mistakes the company made and has promised to crack down on abuse of the Facebook platform and restrict developers’ access to user information.

There is a new Facebook page – called Access Your Information – where users can see what they have shared and manage it.

“The biggest difference is ease of access in settings, which fulfills Mark Zuckerberg’s promise to make the privacy process and permissions more transparent to users,” Wedbush analyst Michael Pachter said.

It was uncertain whether the changes will satisfy lawmakers.

They were announced ahead of a stringent European Union data law which comes into force in May. It requires companies to give people a “right to portability” – to take their data with them – and imposes fines of up to 4 percent of global revenue for companies breaking the law.

Lawmakers in the United States and Britain are still clamoring for Zuckerberg himself to explain how users’ data ended up in the hands of Cambridge Analytica.

He plans to testify before Congress, a source briefed on the matter said on Tuesday. Facebook has said it has received invitations to testify and that it is talking to legislators.

Zuckerberg and the CEOs of Alphabet Inc and Twitter Inc have been invited to testify at an April 10 hearing on data privacy. The US House Energy and Commerce Committee and US Senate Commerce Committee have also asked Zuckerberg to appear at a hearing.

The US Federal Trade Commission has opened an investigation into Facebook, and attorneys representing 37 states are also pressing Zuckerberg to explain what happened.

source: interaksyon.com

Thursday, March 22, 2018

Facebook made mistakes on user data — Zuckerberg


SAN FRANCISCO, CALIFORNIA — Facebook Inc Chief Executive Mark Zuckerberg said on Wednesday that his company made mistakes in how it handled data belonging to 50 million of its users and promised tougher steps to restrict developers’ access to such information.

The world’s largest social media network is facing growing government scrutiny in Europe and the United States about a whistleblower’s allegations that London-based political consultancy Cambridge Analytica improperly accessed user information to build profiles on American voters which were later used to help elect U.S. President Donald Trump in 2016.

Zuckerberg, in his first public comments since the scandal erupted at the weekend, said in a post on Facebook that the company “made mistakes, there’s more to do, and we need to step up and do it.” (bit.ly/2DHAlUJ)

He did not elaborate on what the mistakes were, but he said the social network plans to conduct an investigation of apps on its platform, restrict developer access to data, and give members a tool that lets them more easily disable access to their Facebook data.

His plans did not represent a big reduction of advertisers’ ability to use Facebook data, which is the company’s lifeblood.


Zuckerberg later told CNN, “This was a major breach of trust. I’m really sorry this happened. We have a basic responsibility to protect people’s data.”

He told CNN that Facebook was committed to stopping interference in the U.S. midterm election in November and elections in India and Brazil.

Zuckerberg said he was open to additional government regulation and happy to testify before the U.S. Congress if he was the right person.

“I’m not sure we shouldn’t be regulated,” he said. “I actually think the question is more what is the right regulation rather than yes or no, should it be regulated? … People should know who is buying the ads that they see on Facebook.”

Facebook shares pared gains on Wednesday after Zuckerberg’s post, closing up 0.7 percent. The company has lost more than $45 billion of its stock market value over the past three days on investor fears that any failure by big tech firms to protect personal data could deter advertisers and users and invite tougher regulation.

Facebook representatives including Deputy Chief Privacy Officer Rob Sherman met U.S. congressional staff for nearly two hours on Wednesday and planned to continue meetings on Capitol Hill on Thursday. Facebook was unable to answer many questions, two aides who attended the briefing said.

Zuckerberg told the website Recode that fixes to protect users’ data would cost “many millions of dollars.”

The whistleblower who launched the scandal, Christopher Wylie, formerly of Cambridge Analytica, said in a tweet that he had accepted invitations to testify before U.S. and UK lawmakers.

(Photo caption: Facebook founder Mark Zuckerberg speaks during the Alumni Exercises following the 366th Commencement Exercises at Harvard University in Cambridge, Massachusetts, U.S., May 25, 2017. REUTERS/Brian Snyder)

The German government said Facebook must explain whether the personal data of the country’s 30 million users were protected from unlawful use by third parties, according to a report in the Funke group of German regional newspapers.

‘Scapegoat’

On Tuesday, the board of Cambridge Analytica suspended its Chief Executive Alexander Nix, who was caught in a secret recording boasting that his company played a decisive role in Trump’s victory.

But the academic who provided the data disputed that on Wednesday.

“I think what Cambridge Analytica has tried to sell is magic, and they’ve made claims that this is incredibly accurate and it tells you everything there is to tell about you. But I think the reality is it’s not that,” psychologist Aleksandr Kogan, an academic at Cambridge University, told the BBC in an interview broadcast on Wednesday.

Kogan, who gathered the data by running a survey app on Facebook, also said that he was being made a scapegoat by Facebook and Cambridge Analytica. Both companies have blamed Kogan for alleged data misuse.

Only 300,000 Facebook users responded to Kogan’s quiz, but that gave the researcher access to those people’s Facebook friends as well, who had not agreed to share information, producing details on 50 million users.

Facebook has said it subsequently made changes that prevent people from sharing data about friends, and maintains that no data breach occurred because the original users gave permission. Critics say that it essentially was a breach because data of unsuspecting friends was taken.

source: interaksyon.com

Monday, July 17, 2017

Adultery website Ashley Madison in $11.2 million settlement over data breach


The owner of the Ashley Madison adultery website said on Friday it will pay $11.2 million to settle U.S. litigation brought on behalf of roughly 37 million users whose personal details were exposed in a July 2015 data breach.

Ruby Corp, formerly known as Avid Life Media Inc, denied wrongdoing in agreeing to the preliminary class-action settlement, which requires approval by a federal judge in St. Louis.

Ashley Madison marketed itself as a means to help people, primarily men, cheat on their spouses, and was known for its slogan “Life is short. Have an affair.”

But the breach cost privately held Ruby more than a quarter of its revenue, and prompted the Toronto-based company to spend millions of dollars to improve security and user privacy.

Last December, Ruby agreed to pay $1.66 million to settle a probe by the U.S. Federal Trade Commission and several states into lax data security and deceptive practices, also without admitting liability.


According to Friday’s settlement, users with valid claims can recoup up to $3,500 depending on how well they can document their losses attributable to the breach.

Layn Phillips, a former federal judge who mediated the settlement, said in a court filing that the accord offered “a valuable recovery for the class in the face of many obstacles,” including Ruby’s preference that victims arbitrate their claims.

Lawyers for Ashley Madison users may receive up to one-third of the $11.2 million payout to cover legal fees, court papers show.

The case is In re: Ashley Madison Customer Data Security Breach Litigation, U.S. District Court, Eastern District of Missouri, No. 15-md-02669.

source: interaksyon.com

Thursday, November 15, 2012

Adobe says user forum was breached, takes site offline


BOSTON — Adobe Systems Inc shut down a website where customers share information about using its Connect online conferencing service after the software maker discovered it had been compromised in a data breach.

The company, whose software is frequently targeted by computer hackers because it is widely used to publish digital documents, said on Wednesday that it would reset passwords of the approximately 150,000 members of the site, Connectusers.com.

Adobe said its Connect web conferencing service and other company sites were not breached.

News of the breach surfaced on Tuesday when a hacker claimed in a posting on the Internet to have stolen log-in credentials of 150,000 Adobe customers and partners.

The hacker, who claimed to be from Egypt, released 644 records from the site, including emails, saying the release was done to point out that Adobe is slow in fixing security problems.

The hacker also promised to release data stolen from Yahoo Inc. A Yahoo spokeswoman did not respond to a request for comment.

The Adobe breach was discovered a week after Russian security firm Group-IB said it had uncovered a flaw in Adobe’s Reader software that criminals are currently exploiting to attack PCs by infecting them with malicious PDF documents.

Adobe spokeswoman Wiebke Lips said the company is still reviewing that report, though it has not yet received samples of malicious code discovered by Group-IB.

source: interaksyon.com

Thursday, June 7, 2012

LinkedIn suffers data breach


BOSTON/NEW YORK — LinkedIn confessed it had a data breach that compromised the passwords of some of its members, the social networking site said on Wednesday.

LinkedIn engineer Vicente Silveira confirmed on the site’s blog that some passwords were “compromised.” (tinyurl.com/cxje9xo)

“We are continuing to investigate this situation,” he said.

LinkedIn said it sent emails to members whose passwords were affected explaining how to reset them, since they are no longer valid on the site.

It could take several days, or up to a week, for LinkedIn to identify the source, said Mary Landesman, security researcher with Cloudmark, a company that helps secure messaging systems.

LinkedIn, which made its stock debut last year, is a social media company that caters to companies seeking employees and people scouting for jobs.

It has more than 161 million members worldwide. One of the Mountain View, California-based company’s main initiatives is to grow internationally – 61 percent of its membership is located outside the United States.

Marcus Carey, security researcher at Boston-based Rapid7, said he believed the attackers had been inside LinkedIn’s network for at least several days, based on an analysis of the type of information stolen and quantity of data posted on the forums.

“While LinkedIn is investigating the breach, the attackers may still have access to the system,” Carey warned. “If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time.”

Officials with LinkedIn declined to comment on whether an attack might still be in progress.

The breach is the latest in a string of high-profile hacks affecting companies and governments around the world, which have put the personal information of millions at risk.

With LinkedIn, computer security experts discovered files with some 6.4 million scrambled passwords on Tuesday, which they originally suspected belong to LinkedIn members because some of the passwords included the phrase “LinkedIn,” said Graham Cluley, a senior technology consultant with British computer security software maker Sophos.

When Sophos dug further, it found other passwords on the list belonged to Sophos employees, who only used them to secure their LinkedIn accounts, he said. But it is possible that all or just some of those 6.4 million passwords belong to LinkedIn members, Cluley added.

The data was found on underground websites where criminal hackers frequently exchange stolen information, including scrambled passwords.

The files included only passwords and not corresponding email addresses, which means that people who download the files and unscramble the passwords will not easily be able to access any accounts with compromised passwords.

Yet analysts said it is likely that the hackers who stole the passwords also have the corresponding email addresses and would be able to access the accounts.

Needs more salt?

At least two security experts who examined the files believed to contain the stolen LinkedIn passwords said the company had failed to use best practices for protecting the data.

The experts said that LinkedIn used a vanilla or basic technique for encrypting, or scrambling, the passwords which allows hackers to quickly unscramble all passwords after they figure out the formula by which any single password has been encrypted.

The social network could have made it extremely tedious for the passwords to be unscrambled by using a technique known as “salting,” which means adding a secret salt to each password before scrambling it.

“What they did is considered to be poor practice,” Landesman said.

Silveira said in the post that affected members who update their passwords and those members whose passwords were not compromised “benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”
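As an added illustration (not code from the article or from LinkedIn), the contrast the experts describe: an unsalted password store beside a salted one. SHA-1 is an assumed stand-in for the unnamed hash function, and the accounts and wordlist are constructed sample data.

```python
import hashlib
import os

# Constructed sample data: three accounts, two of which chose the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse battery"}

# Constructed stand-in for the wordlist an auditor checks a leaked dump against.
WORDLIST = ["password", "123456", "linkedin2012", "letmein"]


def unsalted_hash(password: str) -> str:
    """The 'vanilla' scheme the article criticises: hash the password alone.
    SHA-1 is an assumption made for illustration; the page does not name the algorithm."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same hash function, but a per-user random salt is mixed in first."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Password database of the kind the article describes: name -> bare hash."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Password database with a fresh 16-byte salt per user, stored beside the hash.
    The salt is not secret; its job is to make every stored hash unique."""
    out = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        out[name] = (salt.hex(), salted_hash(pw, salt))
    return out


def verify_salted(store: dict, name: str, attempt: str) -> bool:
    """Login check: re-derive the hash with the stored salt and compare."""
    salt_hex, expected = store[name]
    return salted_hash(attempt, bytes.fromhex(salt_hex)) == expected


def shared_password_groups(unsalted_store: dict) -> list:
    """Equality leakage: without salt, users with the same password have the same
    hash, so a dump reveals them as a group before a single guess is made."""
    by_hash = {}
    for name, h in unsalted_store.items():
        by_hash.setdefault(h, []).append(name)
    return sorted(group for group in by_hash.values() if len(group) > 1)


def weak_password_audit(unsalted_store: dict, wordlist: list) -> dict:
    """Why unsalted dumps fall quickly: the wordlist is hashed ONCE and the resulting
    lookup table resolves every user in the dump, however many there are."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {name: table[h] for name, h in unsalted_store.items() if h in table}


def guesses_required(n_users: int, n_words: int, salted: bool) -> int:
    """Hash evaluations needed to test every user against the whole wordlist:
    one table for all users when unsalted, a full pass per user when salted."""
    return n_words * n_users if salted else n_words
```

Salting removes the one-table-fits-all shortcut; current practice additionally uses a deliberately slow password hash such as bcrypt, scrypt or Argon2 so that each guess costs far more than a single SHA-1.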

Last year, a security researcher warned that LinkedIn had flaws that make users’ accounts vulnerable to attack by hackers because of the way it manages cookies.

Cookies are small pieces of data sent from a website and stored in a computer user’s Web browser. They are commonly used as a way to compile long-term records of individuals’ browsing histories, and have raised concerns about privacy.

LinkedIn was co-founded by former PayPal executive Reid Hoffman in 2002 and makes money selling marketing services and subscriptions to companies and job seekers.

source: interaksyon.com