New York, Canada, Ireland Launch New Investigations Into Facebook Privacy Breaches

facebook privacy investigation fine

Facebook has a lot of problems, then there are a lot of problems for Facebook—and both are not going to end anytime sooner.

Though Facebook has already set aside $5 billion from its revenue to cover a possible fine the company is expecting as a result of an FTC investigation over privacy violations, it seems to be just first installment of what Facebook has to pay for continuously ignoring users’ privacy.

This week, Facebook has been hit with three new separate investigations from various governmental authorities—both in the United States and abroad—over the company’s mishandling of its users’ data.

New York Attorney General to Investigate Facebook Email Collection Scandal

New York Attorney General is opening an investigation into Facebook’s unauthorized collection of the email contacts of more than 1.5 million users during site registration without their permission.

Earlier this month, Facebook was caught practicing the worst ever user-verification mechanism by asking users new to its social network platform for their email account passwords to verify their identity.

However, just last week it turned out that the social network “unintentionally” uploaded email contacts from up to 1.5 million new users on its servers, without their consent or knowledge, Facebook admitted while saying the data was reportedly used to “build Facebook’s web of social connections and recommend friends to add.”

According to the New York Attorney General Letitia James, the harvested email addresses may have exposed hundreds of millions of Facebook users to targeted advertisements.

“Facebook has repeatedly demonstrated a lack of respect for consumer information while at the same time profiting from mining that data,” James said in a statement, adding that now it’s time that the social media company should “held accountable for how it handles consumers’ personal information.”

In response to the news, a Facebook spokesperson told The NY Times that the company is “in touch with the New York State attorney general’s office and are responding to their questions on this matter.”

Ireland Investigating into Facebook Over Plaintext Passwords Scandal

The Irish Data Protection Commission had begun an investigation into a separate Facebook’s privacy bunder exposed last month when the social network revealed that it left hundreds of millions of passwords of Facebook, Facebook Lite and Instagram users exposed in plain text on company servers.

At the time, it was reported that the incident exposed “tens of thousands” passwords of Instagram users in plaintext, while just last week it was revealed that the actual number of affected Instagram users were not in hundreds of thousands but millions.

The exposed passwords were potentially dated back to 2012 and were accessible to up to 2,000 Facebook employees.

In a statement on Thursday, the Irish Data Protection Commissioner said it has launched “a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions” of the European Union’s General Data Protection Regulation (GDPR) designed to protect people’s data.

Canada to Sue Facebook Over Cambridge Analytica Scandal

Canadian regulators are also suing Facebook for allegedly violating the country’s privacy laws following their investigation into the March 2018’s Cambridge Analytica scandal and its impact on Canadians.

A joint report published Thursday from Canadian privacy commissioner Daniel Therrien and his British Columbia counterpart said lax security practices at the company allowed personal information of hundreds of thousands of Canadians to be used for political purposes.

The watchdogs started investigating Facebook last year after it was revealed that a UK political consultancy Cambridge Analytica harvested data from about 87 million users and then used it for political gain without their knowledge or permission.

The report said Facebook committed a “major breach of trust” and “abdicated its responsibility for personal information under its control, effectively shifting that responsibility to users and apps.”

The United States FTC is also investigating Facebook over the Cambridge Analytica scandal, and the company has already kept aside $5 billion from its revenue in anticipation of the settlement with the commission.

Docker Hub Suffers a Data Breach, Asks Users to Reset Password

docker hub data breach

Docker Hub, one of the largest cloud-based library of Docker container images, has suffered a data breach after an unknown attacker gained access to the company’s single Hub database.

Docker Hub is an online repository service where users and partners can create, test, store and distribute Docker container images, both publicly and privately.

The breach reportedly exposed sensitive information for nearly 190,000 Hub users (that’s less than 5 percent of total users), including usernames and hashed passwords for a small percentage of the affected users, as well as Github and Bitbucket tokens for Docker repositories.

Docker Hub started notifying affected users via emails informing them about the security incident and asking them to change their passwords for Docker Hub, as well as any online account using the same password.

docker

“On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.”

“For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place.”

The company has not revealed any further details about the security incident or how the unknown attackers gained access to its database.

docker security

Docker says the company is continuing to investigate the security breach and will share more information as it becomes available.

The company is also working to enhance its overall security processes and reviewing its policies following the breach.

Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension

wordpress woocommerce security plugin

If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store.

A WordPress security company—called “Plugin Vulnerabilities“—that recently gone rogue in order to protest against moderators of the WordPress’s official support forum has once again dropped details and proof-of-concept exploit for a critical flaw in a widely-used WordPress plugin.

To be clear, the reported unpatched vulnerability doesn’t reside in the WordPress core or WooCommerce plugin itself.

Instead, the vulnerability exists in a plugin, called WooCommerce Checkout Manager, that extends the functionality of WooCommerce by allowing eCommerce sites to customize forms on their checkout pages and is currently being used by more than 60,000 websites.

The vulnerability in question is an “arbitrary file upload” issue that can be exploited by unauthenticated, remote attackers if the vulnerable sites have “Categorize Uploaded Files” option enabled within WooCommerce Checkout Manager plugin settings.

“From the more technical aspect, vulnerability occurs inside ‘includes/admin.php’ file at line 2084 on which application is moving given files to a directory using ‘move_uploaded_file’ without prior proper check for allowed files,” explains a blog post published Thursday by web application security platform WebARX, who warned their users after Plugin Vulnerabilities made the flaw public.

If exploited, the flaw could allow attackers to execute arbitrary server-side script code in the context of the web server process and compromise the application to access or modify data or gain administrative access.

wordpress woocommerce security plugin

WooCommerce Checkout Manager version 4.2.6, which is the latest available plugin at the time of writing, is vulnerable to this issue.

If your WordPress website is using this plugin, you are advised to either disable “Categorize Uploaded Files” option in the setting or disable the plugin completely until a new patched version becomes available.

This is not the first time when the company called Plugin Vulnerabilities inappropriately disclosed an unpatched flaw in the public.

The company has continuously been disclosing vulnerabilities in various WordPress plugins since after they had issues with the WordPress forum moderators.

Since at least past two years the team behind Plugin Vulnerabilities has deliberately been releasing details of newly discovered vulnerabilities directly on the WordPress Support forum, instead of reporting them to the respective plugin authors directly, violating the forum’s rules.

In response to this inappropriate behavior, the WordPress.org moderators eventually blacklisted Plugin Vulnerabilities from their official forum after multiple warnings and banning all their accounts.

However, this did not stop Plugin Vulnerabilities, who since then started disclosing details of new, unpatched WordPress plugin vulnerabilities on their own website, putting the whole ecosystem, websites and their users at risk.

Facebook Could Be Fined Up To $5 Billion Over Privacy Violations

facebook fine ftc cambridge analytica

Facebook expects to face a massive fine of up to $5 billion from the Federal Trade Commission (FTC) as the result of an investigation into its privacy policies—that’s about one month’s revenue for the social media giant.

To be clear the amount of fine is not what the FTC has announced or hinted yet; instead, it’s an estimated due that Facebook disclosed on Wednesday in its first quarter 2019 financial earnings report.

In its earnings report, Facebook said the company had set $3 billion aside in anticipation of the settlement with the FTC, who launched a probe into Facebook following the Cambridge Analytica scandal.

The probe centers around the violation of a 2011 agreement Facebook made with the FTC that required the social media to gain explicit consent from users to share their data.

The FTC launched an investigation into Facebook last year after it was revealed that the company allowed Cambridge Analytica access to the personal data of around 50 million Facebook users without their explicit consent.

Now, both parties are nearing a settlement, with Facebook anticipating the fine to between $3 billion and $5 billion.

“In the first quarter of 2019, we reasonably estimated a probable loss and recorded an accrual of $3.0 billion in connection with the inquiry of the FTC into our platform and user data practices,” Facebook said in its earnings report.

“We estimate that the range of loss in this matter is $3.0 billion to $5.0 billion. The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” Facebook noted.

If Facebook agrees, the fine will be a record for the FTC, which has never imposed such a massive fine on any tech company till the date and represents one month’s revenue for the social media giant.

UK’s Information Commissioner Office (ICO) has also imposed £500,000 fine on Facebook over the Cambridge Analytica scandal.

The FTC fine on Facebook will also surpass the $22.5 million civil penalties Google paid in 2012 to settle FTC charges for allegedly violating an agreement to improve privacy practices.

Despite all criticisms Facebook have recently faced over its mishandling of users’ data, Facebook earning and the user base is continually increasing, with the company bringing in more than $15 billion in revenue the first quarter of 2019 alone. It also added 39 million daily active users to its platform.

‘Highly Critical’ Unpatched Zero-Day Flaw Discovered In Oracle WebLogic

oracle weblogic server vulnerability

A team of cybersecurity researchers today published a post warning enterprises of an unpatched, highly critical zero-day vulnerability in Oracle WebLogic server application that some attackers might have already started exploiting in the wild.

Oracle WebLogic is a scalable, Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud. It’s popular across both, cloud environment and conventional environments.

Oracle WebLogic application reportedly contains a critical deserialization remote code execution vulnerability that affects all versions of the software, which can be triggered if the “wls9_async_response.war” and “wls-wsat.war” components are enabled.

The vulnerability, spotted by the researchers from KnownSec 404, allows attackers to remotely execute arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization.

oracle weblogic server vulnerability

“Since the WAR package has a defect in deserializing the input information, the attacker can obtain the authority of the target server by sending a carefully constructed malicious HTTP request, and execute the command remotely without authorization,” explains Chinese National Information Security Vulnerability Sharing Platform (CNVD).

The researchers also shared details of the zero-day vulnerability, tracked as CNVD-C-2019-48814, with the Oracle’s team, but the company has not yet released a patch. The affected Oracle WebLogic versions are as follows:

  • WebLogic 10.X
  • WebLogic 12.1.3

According to the ZoomEye cyberspace search engine, more than 36,000 WebLogic servers are publicly accessible on the Internet, though it’s unknown how many of these have the vulnerable components enabled.

A maximum number of Oracle WebLogic servers are deployed in the United States and China, with a lesser number in Iran, Germany, India, and so on.

oracle weblogic server vulnerability

Since Oracle releases security updates every three months and had already released a Critical Patch Update just this month, this zero-day issue is unlikely to be patched anytime soon (i.e., not before July), unless the company decides to roll out an out-of-band security update.

So, until the company releases an update to patch the vulnerability, server administrators are highly recommended to prevent their systems from exploitation by changing either of the two following settings:

  • Finding and deleting wls9_async_response.war, wls-wsat.war and restarting the Weblogic service, or
  • Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control.

Since Oracle WebLogic servers are an often target of attackers, there will be no surprise if attackers have already started exploiting this zero-day and then use vulnerable servers for their nefarious purposes.

‘Karkoff’ Is the New ‘DNSpionage’ With Selective Targeting Strategy

Karkoff DNSpionage malware

The cybercriminal group behind the infamous DNSpionage malware campaign has been found running a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware.

First uncovered in November last year, the DNSpionage attacks used compromised sites and crafted malicious documents to infect victims’ computers with DNSpionage—a custom remote administrative tool that uses HTTP and DNS communication to communicate with the attacker-controlled command and control server.

According to a new report published by Cisco’s Talos threat research team, the group has adopted some new tactics, techniques and procedures to improve the efficacy of their operations, making their cyber attacks more targeted, organised and sophisticated in nature.

Unlike previous campaigns, attackers have now started performing reconnaissance on its victims before infecting them with a new piece of malware, dubbed Karkoff, allowing them to selectively choose which targets to infect in order to remain undetected.

“We identified infrastructure overlaps in the DNSpionage and the Karkoff cases,” the researchers say.

During Reconnaissance phase, attackers gather system information related to the workstation environment, operating system, domain, and list of running processes on the victims’ machine.

“The malware searches for two specific anti-virus platforms: Avira and Avast. If one of these security products is installed on the system and identified during the reconnaissance phase, a specific flag will be set, and some options from the configuration file will be ignored,” the researchers say.

Developed in .NET, Karkoff allows attackers to execute arbitrary code on compromised hosts remotely from their C&C server. Cisco Talos identified Karkoff as undocumented malware earlier this month.

What’s interesting is that the Karkoff malware generates a log file on the victims’ systems which contains a list of all commands it has executed with a timestamp.

“This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat,” the researchers explain.

“With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.”

Like the last DNSpionage campaign, the recently discovered attacks also target the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).

Besides disabling macros and using reliable antivirus software, you should most importantly stay vigilant and keep yourself informed about social engineering techniques in order to reduce the risk of becoming a victim of such attacks.

Due to several public reports of DNS hijacking attacks, the U.S. Department of Homeland Security (DHS) earlier this year issued an “emergency directive” to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains.

Learn Ethical Hacking With 180 Hours of Training — 2019 Online Course

Ethical Hacking Course, Learn Penetration Testing Online

The world of cybersecurity is fast-paced and ever-changing.

New attacks are unleashed every day, and companies around the world lose millions of dollars as a result.

The only thing standing in the way of cybercrime is a small army of ethical hackers. These cybersecurity experts are employed to find weaknesses before they can be exploited. It’s a lucrative career, and anyone can find work after the right training.

The 2019 Ethical Hacker Master Class Bundle offers the perfect education for aspiring professionals, with 10 courses and over 180 hours of video tutorials. Right now, you can get lifetime access to this huge learning library for just $39 — that’s over $4,800 discount the face value.

According to the Bureau of Labor Statistics, demand for cyber security experts will expand rapidly over the next three or four years. If you want to build a career in the industry, now is the time to take action.

The 2019 Ethical Hacker bundle helps you master all the fundamentals of cybersecurity and prepare for important exams.

Ethical Hacker Training

You learn through concise video lessons, and each course provides plenty of hands-on experience.

Along the way, you learn how to set up your secure workflow and perform penetration tests on multiple platforms. The training also looks at intrusion detection, policy creation, social engineering, DDoS attacks, and much more. You even pick up some useful Python programming skills along the way.

Just as importantly, this bundle helps you stand out in the jobs market. The training includes full prep for three CompTIA exams: A+, Security+ and Network+. These certificates are essential for anyone who wants to work in cybersecurity and are highly valued in other technical roles.

There is no time limit on any of the courses, and you can stream the tutorials on both mobile and desktop devices.

The training is worth $4,883 in total, but you can get lifetime access now for only $39.

Congress Asks Google 10 Questions On Its Location Tracking Database

google location database

U.S. Congress has sent an open letter to Google CEO Sundar Pichai asking for more information about its Sensorvault database that’s reportedly being used by law enforcement agencies to solve crime cases.

Last week, we reported a story based upon NY Times findings that revealed how using a “geofence” warrant, authorities obtain location history of all devices from Google’s Sensorvault database that pass through a crime scene over a certain time period.

For those unaware, Google maintains Sensorvault database over nearly the past decade which contains precise location information from hundreds of millions of smartphones around the world and shares it with authorities to help in criminal cases.

However, Google does not share identifiable information on all devices after receiving a warrant. Instead, authorities have to first narrow down their list of suspects using the location history data, only after which Google shares further information about a few selected users (suspects or witnesses).

Now top U.S. lawmakers from the U.S. House Energy and Commerce Committee on Tuesday wrote an open letter to Google raising concerns about the database and seeks a briefing on how it is used and shared by the company.

“The potential ramifications for consumer privacy are far-reaching and concerning. We would like to know the purposes for which Google maintains the Sensorvault database and the extent to which Google shares precise location information from this database with third parties,” the letter reads.

The letter contains 10 detailed questions, mentioned in-brief as below that the company has been asked to answer by May 7, 2019:

  • What information Google stores in the Sensorvault database, why and how does Google use it?
  • Which affiliate and subsidiaries of Alphabet company have access to this database?
  • Does Google maintain any other database on users’ location information, and if yes, how it is different from Sensorvault?
  • Who within Google can access the Sensorvault database and what are their job roles?
  • What are the sources from which Google collects information contained in Sensorvault database?
  • Can users opt-in or opt-out to allow or prevent Google from collecting information stored in the Sensorvault database?
  • What’s Google’s retention policy with respect to the information the company collects on its customers?
  • Does Google share, sell or disclose customers location information with any third-party other than law enforcement?

Besides this, the members of Congress—including Committee Chairman Frank Pallone, a Democrat from New Jersey, and ranking Republican Greg Walden—have also requested Sundar Pichai to issue a briefing on these topics by May 10.

Source Code for CARBANAK Banking Malware Found On VirusTotal

carbanak source code

Security researchers have discovered the full source code of the Carbanak malware—yes, this time it’s for real.

Carbanak—sometimes referred as FIN7, Anunak or Cobalt—is one of the most full-featured, dangerous malware that belongs to an APT-style cybercriminal group involved in several attacks against banks, financial institutions, hospitals, and restaurants.

In July last year, there was a rumor that the source code of Carbanak was leaked to the public, but researchers at Kaspersky Lab later confirmed that the leaked code was not the Carbanak Trojan.

Now cybersecurity researchers from FireEye revealed that they found Carbanak’s source code, builders, and some previously unseen plugins in two RAR archives [1, 2] that were uploaded on the VirusTotal malware scanning engine two years ago from a Russian IP address.

“CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code,” researchers say. “Our goal was to find threat intelligence we missed in our previous analyses.”

FireEye researchers have plans to release a 4-part series of articles detailing CARBANAK features and analysis based upon its source code and reverse engineering.

carbanak source code

First uncovered in 2014 by Kaspersky Lab, Carbanak is one of the most successful malware attacks in the world launched by a highly organized group that continually evolved its tactics to carry out cybercrime while avoiding detection by potential targets and the authorities.

The hacker group started its activities almost six years ago by launching a series of malware attacks using Anunak and Carbanak to compromise banks and ATM networks worldwide, and thereby stealing over a billion euros from more than 100 banks across the globe.

To compromise banks, hackers sent malicious spear-phishing emails to hundreds of employees at different banks, which infected computers with Carbanak malware if opened, allowing attackers to transfer money from affected banks to fake accounts or ATMs monitored by them.

According to the European authorities, the criminal group later developed a sophisticated heist-ready banking trojan called Cobalt, based on the Cobalt-Strike penetration testing software, which was in use until 2016.

The group was first exposed in 2015 as financially-motivated cybercriminals, and three suspects—Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30—all from Ukraine were arrested last year in Europe between January and June.

All the three suspects, one of which (Kopakov) is believed to be the alleged leader of the organised criminal group, were indicted and charged with a total of 26 felony counts in August 2018.

Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress

wordpress plugin hacking

Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin.

The vulnerable plugin in question is Social Warfare which is a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog.

Late last month, maintainers of Social Warfare for WordPress released an updated version 3.5.3 of their plugin to patch two security vulnerabilities—stored cross-site scripting (XSS) and remote code execution (RCE)—both tracked by a single identifier, i.e., CVE-2019-9978.

Hackers can exploit these vulnerabilities to run arbitrary PHP code and take complete control over websites and servers without authentication, and then use the compromised sites to perform digital coin mining or host malicious exploit code.

However, the same day when Social Warfare released the patched version of its plugin, an unnamed security researcher published a full disclosure and a proof-of-concept for the stored Cross-Site Scripting (XSS) vulnerability.

hacking wordpress website

Soon after the full disclosure and PoC release, attackers started attempting to exploit the vulnerability, but fortunately, it was only limited to the injected JavaScript redirect activity, with researchers finding no in-the-wild attempts to exploit the RCE vulnerability.

Now, Palo Alto Network Unit 42 researchers found several exploits taking advantage of these vulnerabilities in the wild, including an exploit for the RCE vulnerability which allows the attacker to control the affected website and an exploit for the XSS vulnerability which redirects victims to an ads site.

Though both flaws originated because of improper input handling, using a wrong, insufficient function eventually made it possible for remote attackers to exploit them without requiring any authentication.

“The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress,” the researchers say in a blog post. “Is_admin only checks if the requested page is part of admin interface and won’t prevent any unauthorized visit.”

At the time of writing, more than 37,000 WordPress websites out of 42,000 active sites, including education, finance, and news sites (some Alexa’s top ranking websites), are still using an outdated, vulnerable version of the Social Warfare plugin, leaving hundreds of millions of their visitors at the risk of hacking through various other vectors.

Since it is likely the attackers will continue to exploit the vulnerabilities to target WordPress users, website administrators are highly recommended to update the Social Warfare plugin to 3.5.3 or newer version as soon as possible.