Categories: Data Breaches, Social Media

Facebook Scrambles to Restrict Access to your Data

Facebook released a newsroom update today outlining their new plan to restrict data access going forward.

A Month of Scandals

It has been a turbulent month for the social media company. First came the revelation that Cambridge Analytica, a British political consulting and data-mining firm, had obtained Facebook user data through a third-party personality-quiz app that presented itself as "academic research". The app harvested not only the data of the users who installed it but also the data of their Facebook friends, which the platform's API permitted at the time. Facebook's own estimate is that up to 87 million people were affected. The data was passed to Cambridge Analytica, which used it to target voters on behalf of its political clients. Strictly speaking this was not a breach of Facebook's systems: nothing was broken into. The data was collected through access Facebook had granted to the app and was then passed on in violation of the platform's terms.

Additionally, Mark Zuckerberg told reporters on a press call that most Facebook users could assume their public profile data had been scraped by third parties, via the feature that let anyone look up an account by phone number or email address. That is potentially all two billion of us.

In the wake of these scandals there was considerable public outcry, and Facebook's share price fell sharply. Facebook is now scrambling to close privacy holes that had been left open for years.

What Next?

In the newsroom update, Facebook's Chief Technology Officer, Mike Schroepfer, outlines the main changes the company will be making over the next few months:

Soon, apps will no longer be able to pull the same breadth of data through the Events, Groups and Pages APIs, through Facebook Login permissions, or through the Instagram Platform API. Facebook is also disabling the ability to search for a person by phone number or email address. That feature let anyone holding a list of phone numbers or email addresses (from an unrelated breach, say) query them one at a time and tie each to a public profile; Facebook says malicious actors abused it to scrape profiles at scale, and removing it closes that enumeration path.

On Android, Facebook's Messenger and Facebook Lite apps have, with user opt-in, logged call and text history, including the date and time of calls. Facebook says the purpose was to keep the people you contact most at the top of your contact list. Going forward it says it will delete logs older than a year and only "upload to our servers the information needed to offer this feature".

You'll soon have easier access to the list of apps connected to your account, and a clearer view of what information you are sharing with each of them. Facebook stated, "People will also be able to remove apps that they no longer want. As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica."

To read the entire update at the Facebook Newsroom, please visit https://newsroom.fb.com/news/2018/04/restricting-data-access/

Photo Credit: Book Catalog

Categories: Data Breaches, News, Security

Panera Bread Ignored Data Breach Warning, Said it was a “Scam”

Panera Bread has suffered a major data breach, potentially affecting 7 million customers. The data is said to include names, email addresses, physical addresses, birthdays, and the last four digits of customers' payment card numbers. Worse, the records were served in plain text by the website's own endpoints, so the whole set could have been crawled and indexed with simple automated tools.

This was not news to Panera Bread's management. Last summer, security researcher Dylan Houlihan told Panera Bread that its website was exposing this sensitive data. Panera dismissed the report as a scam or a sales pitch. After eight months with the flaw still unpatched, Houlihan went public with evidence of the exposure.
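The exposure described above comes down to records that anyone could request one after another, and the phone-number and email lookups in the Facebook item above were abused in the same way. Below is an added example, not code from the article, from Panera or from Facebook, of the detection a defender would run over web access logs to catch that behaviour: a client walking consecutive record IDs, or a client querying many distinct contact identifiers. The endpoint paths (`/api/v1/customer/<id>`, `/api/v1/lookup`), the parameter names and the log lines are constructed for the example and are not the real endpoints of either site.

```python
"""Flag clients that walk record IDs or bulk-query contact identifiers.

Added example, not from the article or any vendor's code. Endpoint paths,
parameter names and log lines are constructed; adapt the regexes to your
own application's routes.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Hypothetical record endpoint with a numeric ID in the path.
RECORD_RE = re.compile(r"^/api/v1/customer/(?P<id>\d+)$")
# Hypothetical lookup parameters that take a contact identifier.
LOOKUP_PARAMS = ("phone", "email")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def sequential_runs(ids, min_run=5):
    """Length of the longest run in which each ID is the previous ID plus one,
    or 0 if no run reaches min_run. IDs are taken in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best if best >= min_run else 0


def find_enumeration(lines, min_run=5, min_lookups=10):
    """Return {ip: [finding, ...]} for clients showing enumeration behaviour.

    Only successful (200) responses count: a client walking IDs that get 403s
    is being stopped, a client walking IDs that get 200s is exfiltrating."""
    record_ids = defaultdict(list)
    lookups = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        url = urlsplit(rec["path"])
        m = RECORD_RE.match(url.path)
        if m:
            record_ids[rec["ip"]].append(int(m.group("id")))
        qs = parse_qs(url.query)
        for param in LOOKUP_PARAMS:
            for value in qs.get(param, []):
                lookups[rec["ip"]].add((param, value))
    findings = defaultdict(list)
    for ip, ids in record_ids.items():
        run = sequential_runs(ids, min_run)
        if run:
            findings[ip].append(f"walked {run} consecutive record IDs")
    for ip, keys in lookups.items():
        if len(keys) >= min_lookups:
            findings[ip].append(f"queried {len(keys)} distinct contact identifiers")
    return dict(findings)


def build_sample_log():
    """Constructed log: one ID walker, one contact-lookup scraper, one normal user."""
    lines = []
    for i in range(8):  # walks customer IDs 1000..1007
        lines.append(f'203.0.113.9 - - [02/Apr/2018:10:00:{i:02d} +0000] '
                     f'"GET /api/v1/customer/{1000 + i} HTTP/1.1" 200 512')
    for i in range(12):  # tries 12 different phone numbers
        lines.append(f'198.51.100.7 - - [02/Apr/2018:10:01:{i:02d} +0000] '
                     f'"GET /api/v1/lookup?phone=%2B1555000{i:04d} HTTP/1.1" 200 88')
    # A normal user: fetches one record and runs one search.
    lines.append('192.0.2.4 - - [02/Apr/2018:10:02:00 +0000] '
                 '"GET /api/v1/customer/4242 HTTP/1.1" 200 512')
    lines.append('192.0.2.4 - - [02/Apr/2018:10:02:05 +0000] '
                 '"GET /api/v1/lookup?email=me%40example.com HTTP/1.1" 200 88')
    return lines


if __name__ == "__main__":
    for ip, notes in find_enumeration(build_sample_log()).items():
        print(ip, "->", "; ".join(notes))
```

Run as a script it reports the ID walker and the lookup scraper and stays silent on the normal user. The thresholds (`min_run`, `min_lookups`) are the tuning knobs: set them from a baseline of legitimate traffic, and remember that only a fix on the endpoint itself (authorization on every record read, no lookup by contact identifier) removes the exposure; the detection merely tells you it is being harvested.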

“I am not exaggerating when I say you have a massive sensitive data exposure issue,” he said, “and I’d simply like you to be made aware of it so you can quickly resolve it.” -researcher Dylan Houlihan (in response to Panera Bread maintaining that he was giving a sales pitch).

Panera Bread is now downplaying the severity of the breach, telling Fox News that the issue has been fixed and that fewer than ten thousand records were exposed. Krebs on Security is not buying it, especially since Panera's commercial division, which serves many catering customers, appears to run on the same software and may have been exposed the same way.

As of this writing, Panera has not made any statement on their website (it was recently taken down) nor on Twitter about the breach.

Photo Credit: Mike Mozart

Categories: Hacking, Security

Are The Shadow Brokers Like Snowden? Theory Suggests Insider Hack

By now, most of our readers have heard of the Shadow Brokers, the hacker group that obtained a large trove of data from the National Security Agency (NSA) and leaked information about the NSA's cyber tools. The tools were apparently stolen from the Equation Group, a cyber-espionage operation that experts believe is part of the NSA.

Initially, evidence suggested that the Shadow Brokers were Russian, but a new theory is emerging that whoever is leaking this data might be "a second Edward Snowden... albeit one with different motives" (Fortune). James Bamford, a journalist well known for his publications about United States intelligence agencies, argues that Russia would not publish these tools if it had obtained them: vendors would quickly patch the vulnerabilities, and the tools would soon be worthless both for Russia's own operations and to anyone trying to sell them. He also points out that the broken English used by the hackers looks phony. Furthermore, he suggests that the hacker(s) could be linked to the NSA's Tailored Access Operations (TAO), the unit of the agency that conducts computer network exploitation. He states:

“Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.

So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations” (Reuters).

As of now, the “second Snowden” theory is just that – a theory. Most experts still say Russia is behind the hacks. Nevertheless, as Bamford puts it in his commentary – the “NSA may prove to be one of Washington’s greatest liabilities rather than assets.”

Categories: Hacking, Internet, Privacy

Fans of Hello Kitty Experience Data Breach

3.3 million people could be affected by a recent exposure of Hello Kitty fans' information from the website SanrioTown.com. The data included usernames, password hints, email addresses, and other sensitive information such as full names and birth dates.

The data was sitting in a database that was reachable from the public internet; no actual hacking was needed to obtain it. Security researcher Chris Vickery notified Sanrio about the exposed database, and it has since been secured. Sanrio has stated that there is no evidence that any data was actually stolen, though with an unauthenticated database that is hard to rule out, since nobody had to break in to read it. Vickery went to the press because he believes companies too easily fall into the "Oh, it won't happen to me" mentality. This may bring to mind the case of grey-hat hacker Andrew Auernheimer (weev), who found a similar flaw that exposed the personal information of AT&T iPad users on public URLs. Auernheimer was later prosecuted for conspiracy to access a computer without authorization, and his conviction was subsequently vacated on appeal.

Another concern about this breach is whether or not children’s information was exposed.

“Sanrio said it doesn’t create accounts for children under 13. However, the leaked information, which came from users all over the world, appears to include accounts for those under age 18.” –CNET

Sanrio hosts popular children’s games such as Hello Kitty Online.