Roundup of notable security and privacy news.
Here’s a look at some of the important security news from last week.
Let’s start with Facebook, since as many as 90 million people were forced to login after Facebook admitted it was hacked. The social network claimed nearly 50 million of its users were directly affected by hackers stealing access tokens after exploiting Facebook’s code, the other 40 million forced logins were a “precautionary” step.
The buggy code had been around since July 2017, but Facebook didn’t realize attackers were exploiting the vulnerability – the result of three separate bugs – through the “View As” option until this week. The flaw allowed hackers “to steal Facebook access tokens which they could then use to take over people’s accounts.”
Facebook fixed the vulnerability, temporarily disabled the View As feature and contacted law enforcement. At this point in the investigation, Facebook claims it doesn’t know much – like who was behind the attacks and if “accounts were misused or information accessed.”
It also came to light that if you cared enough about security to setup two-factor authentication, then Facebook used those phone numbers to help target ads. Researchers from Northeastern University and Princeton University spelled out the technical details in a paper ( pdf), but Gizmodo summed it up as:
Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all.
If you are looking for the silver lining in that Facebook gloom and doom cloud, then at least Messenger calls aren’t being wiretapped – yet at least. The US government had tried to force Facebook to wiretap Messenger calls, which are not end-to-end encrypted, but those courtroom efforts failed, according to Reuters.
Following reports of the Port of Barcelona being hit with a ransomware attack, the Port of San Diego admitted that it too was a victim of a ransomware attack; it is not, however, disclosing the amount of the bitcoin payment demanded in the ransom note or the ransomware variant used in the attack.
The Port of San Deigo said the ransomware attack “is mainly an administrative issue and normal Port operations are continuing as usual.” The public would feel the impact of the attack when it came to issuing park permits, public records requests, and business services. Some IT systems were compromised, but other systems were proactively shut down “out of an abundance of caution.”
SEC’s Steven Peikin said, “While leading Tesla’s investors to believe he had a firm offer in hand, we allege that Musk had arrived at the price of $420 by assuming 20 percent premium over Tesla’s then existing share price then rounding up to $420 because of the significance of that number in marijuana culture and his belief that his girlfriend would be amused by it.”
Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way.