InfoSec News Nuggets – October 1, 2018


Facebook Security Breach Exposes Accounts of 50 Million Users

Facebook, already facing scrutiny over how it handles the private information of its users, said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users. The breach, which was discovered this week, was the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them. Three software flaws in Facebook’s systems allowed hackers to break into user accounts, including those of the top executives Mark Zuckerberg and Sheryl Sandberg, according to two people familiar with the investigation but not allowed to discuss it publicly. Once in, the attackers could have gained access to apps like Spotify, Instagram and hundreds of others that give users a way to log into their systems through Facebook.

DEF CON hackers’ dossier on US voting machine security is just as grim as feared

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies. In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware.

Feds warn of RDP woe

The FBI and the US Department of Homeland Security have added their voices to warnings of insecure deployments of Remote Desktop Protocol (RDP) services. Of the RDP-spread ransomware infections the FBI’s advisory highlighted on Thursday, probably the one striking the most fear into sysadmin hearts was SamSam, a campaign that started in 2015 and has since then earned its operators an estimated US$5.9m in illicit gains. The FBI/DHS public service announcement reiterates what sysadmins (and home users) should know, but all too often aren’t acting on. Whether business or home, the statement said, you should “review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.”
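The advisory above boils down to "know which remote access you expose and watch it." One concrete check a defender can run against Windows Security logs is to look for the pattern SamSam-style operators leave behind: a burst of failed RDP logons (event ID 4625 with LogonType 10, RemoteInteractive) from one source, followed by a successful logon (event ID 4624, LogonType 10) from the same source. The detection below is an added example, not code from the FBI/DHS advisory or any vendor; the sample events are constructed, and the field layout, threshold and window are assumptions chosen for illustration.

```python
"""Flag RDP password-guessing followed by a successful logon.

Added example, not part of the FBI/DHS advisory. Input records are
constructed to resemble Windows Security events 4625 (failed logon) and
4624 (successful logon); LogonType 10 is RemoteInteractive, i.e. RDP.
Field order, sample values, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED, SUCCESS = 4625, 4624

# Constructed sample events (not real log data):
# (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2018-09-27T02:10:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-09-27T02:10:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2018-09-27T02:10:05", 4625, 10, "backup",        "203.0.113.7"),
    ("2018-09-27T02:10:06", 4625, 10, "sysadmin",      "203.0.113.7"),
    ("2018-09-27T02:10:08", 4625, 10, "svc_sql",       "203.0.113.7"),
    ("2018-09-27T02:10:11", 4625, 10, "jsmith",        "203.0.113.7"),
    ("2018-09-27T02:10:40", 4624, 10, "jsmith",        "203.0.113.7"),  # guess succeeded
    ("2018-09-27T08:30:00", 4625, 10, "bsmith",        "192.0.2.44"),   # one typo, benign
    ("2018-09-27T08:31:00", 4624, 10, "bsmith",        "192.0.2.44"),
    ("2018-09-27T08:32:00", 4625, 2,  "bsmith",        "127.0.0.1"),    # console logon, ignored
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings keyed by source IP.

    A source is flagged once it produces at least `threshold` failed RDP
    logons inside a sliding `window`. Further failures from a flagged
    source are counted, and a later successful RDP logon from it is
    recorded as a probable compromise (account, timestamp).
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), eid, ltype, acct, ip)
        for ts, eid, ltype, acct, ip in events
        if ltype == RDP_LOGON_TYPE          # only RDP logons matter here
    )
    window_hits = defaultdict(list)         # ip -> [(ts, account)] inside window
    findings = {}
    for ts, eid, _, acct, ip in parsed:
        if eid == FAILED:
            hits = [(t, a) for t, a in window_hits[ip] if ts - t <= window]
            hits.append((ts, acct))
            window_hits[ip] = hits
            if ip in findings:
                findings[ip]["failed_attempts"] += 1
                findings[ip]["accounts_tried"].add(acct)
            elif len(hits) >= threshold:
                findings[ip] = {
                    "first_seen": hits[0][0].isoformat(),
                    "failed_attempts": len(hits),
                    "accounts_tried": {a for _, a in hits},
                    "success_after_bruteforce": None,
                }
        elif eid == SUCCESS and ip in findings:
            findings[ip]["success_after_bruteforce"] = (acct, ts.isoformat())
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

On the constructed data the detector flags 203.0.113.7 (six failed attempts across six accounts, then a successful logon as jsmith) and stays quiet about 192.0.2.44, whose single failure is an ordinary typo. In practice the same logic runs over 4625/4624 events pulled from the event log or a SIEM; the threshold and window should be tuned so that a flagged source means "triage now", and any host where this fires is a candidate for the advisory's first recommendation, removing RDP exposure that is not needed.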

Secret Service Warns of Surge in ATM ‘Wiretapping’ Attacks

The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside the ATM. According to a non-public alert distributed to banks this week and shared with KrebsOnSecurity by a financial industry source, the Secret Service has received multiple reports about a complex form of skimming that often takes thieves days to implement. This type of attack, sometimes called ATM “wiretapping” or “eavesdropping,” starts when thieves use a drill to make a relatively large hole in the front of a cash machine. The hole is then concealed by a metal faceplate, or perhaps a decal featuring the bank’s logo or boilerplate instructions on how to use the ATM.

Mattis predicts DoD will one day offer cyber protection to private sector

Secretary of Defense Jim Mattis predicted the U.S. government will one day offer cyber protection to businesses that work with critical infrastructure and may even extend such a buffer to some individuals. The top Pentagon official said during a Sept. 25 speech at the Virginia Military Institute that he envisions a voluntary program that would be spurred by the rapid change in technology. “Because the Department of Defense has about 95 percent more of the capability to protect the country on cyber, we are probably going to have to offer to banks, to public utilities, (to) electrical generation plants and that sort of thing, the opportunity to be inside a government protected domain,” Mattis said. “It’s not going to be forced and there are constitutional issues, but I think we should also offer it to small businesses and individuals.”

Robocallers slapped with huge fines for using spoofed phone numbers

Wednesday was a busy day for the Federal Communications Commission (FCC) when it comes to putting some pecuniary hurt on marketing companies for illegally spoofing millions of calls. One of the fines – a proposed one – was a first for the Commission, in that it’s the first major enforcement action against a company that apparently “commandeered consumers’ phone numbers,” the FCC said in its announcement. The FCC is looking to penalize Affordable Enterprises of Arizona for more than $37.5 million for what it says are more than 2.3 million illegally spoofed robocalls that pretended to be from consumers’ phone numbers. Affordable Enterprises was at it for 14 months, starting in 2016. Its shtick was to sic its robots on unsuspecting people in order to telemarket home improvement and remodeling services.

SEC fines Voya $1M for cybersecurity failures

Almost eight years after the Identity Theft Red Flags rule went into effect, the SEC announced its first enforcement of the law. The Des Moines, Iowa-based broker-dealer and investment advisor Voya Financial Advisors will pay $1 million to settle charges that it failed to adopt procedures that protected customer records and failed to address weaknesses in its cybersecurity policy after cyber intruders gained access to the personal information of several thousand customers.