22 March 2018
50 million Facebook profiles harvested for Cambridge Analytica in major data breach
The data analytics firm that worked with Donald Trump’s election team harvested millions of Facebook profiles of US voters, in one of the tech giant’s biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box. A whistleblower has revealed to the Observer how Cambridge Analytica used personal information taken without authorisation in early 2014 to build a system that could profile individual US voters, in order to target them with personalised political advertisements. Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” The firm is under pressure to explain how it came to have unauthorised access to millions of Facebook profiles. Politicians in the US and UK have accused it of giving misleading statements about its work, and the information commissioner has demanded access to the company’s databases. In the UK, the Electoral Commission and the Information Commissioner’s Office are investigating the firm for breaches of electoral and data protection law.
WhatsApp signs pledge not to share data with Facebook
The Information Commissioner's Office is claiming a major victory for UK consumers after WhatsApp signed a public commitment not to share personal data with Facebook until data protection concerns are addressed. WhatsApp was first ordered to stop sharing personal data with Facebook in November 2016 after the ICO, which opened an investigation into the issue in August that year, said it had concerns that Facebook was not being "fully transparent". The ICO announced today that it has completed its 14-month investigation, which concluded that the practice would have been unlawful, even though WhatsApp has consistently denied any wrongdoing. Information Commissioner Elizabeth Denham said: "WhatsApp has not identified a lawful basis of processing for any such sharing of personal data. If they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act." The ICO said WhatsApp had "failed to provide adequate fair processing information to users in relation to any such sharing of personal data", adding that the sharing of such data "would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained". WhatsApp has agreed to sign the undertaking not to share personal data with Facebook until it can do so in compliance with GDPR, which comes into force in May.
880,000 At Risk In Online Travel Agency Hack
Expedia Inc. said hackers may have accessed 880,000 credit-card numbers used to book travel through the site and other companies serviced. In addition to the cards, hackers may have stolen names, dates of birth, phone numbers and addresses of consumers who booked through Orbitz in 2016 and 2017. Orbitz also provides a back-end booking system for other companies, which may also have been affected, Orbitz said in an email. American Express said that could include people who booked through Amextravel.com. The hack is the latest headache for Expedia stemming from its $1.6 billion acquisition of Orbitz in 2015, a deal that cemented the company’s position as one of two global travel-booking giants, along with Booking Holdings Inc. While Expedia was integrating Orbitz’ back-end system with its own, the network crashed, causing downtime that affected sales enough to cut into quarterly revenue, the company said in July 2016. Expedia shares have declined more than 8 percent this year as extra spending on improving its HomeAway short-term rental site and marketing its various brands around the world eats into profit.
AMD Acknowledges Newly Disclosed Flaws In Its Processors — Patches Coming Soon
AMD has finally acknowledged 13 critical vulnerabilities and exploitable backdoors in its Ryzen and EPYC processors disclosed earlier this month by Israel-based CTS Labs and promised to roll out firmware patches for millions of affected devices ‘in the coming weeks.’ According to CTS-Labs researchers, critical vulnerabilities (RyzenFall, MasterKey, Fallout, and Chimera) that affect AMD's Platform Security Processor (PSP) could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems. Although exploiting the AMD vulnerabilities requires admin access, it could help attackers defeat important security features like Windows Credential Guard, TPMs, and virtualization that are responsible for preventing access to the sensitive data from even an admin or root account. In a press release published by AMD on Tuesday, the company downplays the threat by saying that "any attacker gaining unauthorised administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."
OilRig APT Significantly Evolves in Latest Critical Infrastructure Attacks
OilRig APT attacks are back, using a significantly more advanced malware toolkit than has been seen in the wild to date. An Iran-linked APT group has been using OilRig to compromise critical infrastructure, banks, airlines and government entities since 2015 in a range of countries, including Saudi Arabia, Qatar, United Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the United States. According to fresh analysis by Nyotron, the latest spate of attacks has been focused on a number of organizations across the Middle East and shows that the OilRig group has significantly evolved its tactics, techniques and procedures to include next-generation malware tools and new data exfiltration methods. Some of the new tools are off-the-shelf, dual-purpose utilities, but others are previously unseen malware using Google Drive and SmartFile, as well as internet server API (ISAPI) filters for compromising Microsoft Internet Information Services (IIS) servers. Nyotron said that for one, the group has built a sophisticated remote access Trojan (RAT) that uses Google Drive for command-and-control (C&C) purposes. It supports a variety of configuration settings, uses encryption and registers as a service: The malware simply retrieves commands from the attacker’s account on Google Drive and exfiltrates files to it. Worryingly, at the time of the research, this RAT was not detectable by any antivirus engine that is part of VirusTotal. The attackers also used a crafted RAT that leverages the public APIs of SmartFile.com, a file-sharing and transfer solution, as a C&C. This allows attackers to upload and download files to and from infected machines, as well as to run ad-hoc commands. At the time of the research, this tool generated just 1 out of 68 VirusTotal detections.