Weekly Security News for the Week Ending December 20, 2019
Retailer LightInTheBox Exposes 1.6 Billion Customer Records
The challenge with today's big data world is that the breaches are enormous. LightInTheBox left customer transaction data exposed due to what appears to be a server misconfiguration; they effectively breached themselves. The exposed data was a web server log covering Aug 9 to Oct 11 of this year. It appears that no payment data was in the log files, which is a good thing. They also did not discover it themselves; a security researcher told them about it. 1.6 billion records will cause them some pain. The good news for them is that this happened before CCPA went into effect on January 1, 2020. A month later and it would have been a much, much more expensive breach. Source: SC Mag
Facebook, Twitter Disable Sprawling Pro-Trump Disinformation Operation
Facebook and Twitter this week disabled a global network of hundreds of fake accounts distributing pro-Trump messages; the network used AI-generated photographs for its fake profiles to cover its tracks. The companies say the accounts were associated with two media groups, the BL and Epoch Media. They said the accounts were suspended because of their tactics, not because of their content.
Facebook said the BL was linked to hundreds of fake accounts that posted political messages at high frequency and attempted to direct traffic to the group's websites.
On Facebook alone, the disabled network had more than 600 accounts and had purchased $9 million in advertisements. Twitter deleted 700 accounts.
Some of these activities were linked to the countries of Georgia and Saudi Arabia.
It looks like 2020 election engineering activities have already begun. Source: WaPo
Business Email Compromise Scams Google and Facebook out of $120 Million
While $120 million to Facebook and Google is roughly what $120 is to you and me, it is still impressive that the scammers got $120 million of fake invoices, backed by fake supporting documents such as contracts, accepted and paid.
One of the scammers was caught and took a plea deal: 60 months in prison and a $26 million penalty. Source: The Register
While British Politicians Demand Facebook Doesn’t Encrypt Your Messages, They Switch to Signal So Their Messages Can’t Be Read
At the same time that the British, Australian and U.S. governments are demanding that Facebook not encrypt Messenger messages in a way that they cannot read, British politicians are shifting their own messages from WhatsApp to Signal. The reason? They don't want their messages to be intercepted. Source: The Register
Credentials Can Now Be Extracted From iPhones
iPhones have a well-deserved reputation for being secure, but now the Russian software company Elcomsoft says that it can extract some information from iPhones even in the Before First Unlock (BFU) state, that is, after power-up but before the passcode has been entered for the first time, which is the phone's most secure state because most of its data is still encrypted.
They are using the checkm8 vulnerability in the boot ROM of iPhones up to the iPhone X (A5 through A11 chips). Because the boot ROM is read-only, it cannot be patched; Apple's only fix is new hardware, which is why the iPhone XS, XR and later are not affected. The exploit requires physical access to the phone over USB (DFU mode) and does not survive a reboot. If you have $1,495, you, too, can hack into any affected iPhone that you can physically get your hands on. In theory, they only sell to good guys, but that definition is probably a bit loose. Based on the price, the cops probably love it, as they have complained that encrypted devices stop them from solving crimes. Source: 9to5Mac