Yes, Mark Zuckerberg, You’ve Really Messed Up Another One


Facebook CEO Pledges Changes, But User Outrage Continues

Facebook CEO Mark Zuckerberg (Photo: Facebook)

“We really messed this one up.”


That’s Facebook CEO Mark Zuckerberg writing in 2006, addressing concerns that the social networking company bungled privacy controls when it launched its News Feed.

Twelve years later, Zuckerberg could have written the same line again following the uproar over the acquisition of up to 60 million Facebook profiles by voter-profiling firm Cambridge Analytica (see Facebook and Cambridge Analytica: Data Scandal Intensifies).

On Wednesday, Zuckerberg broke five days of silence as pressure intensified on Facebook to account for what happened. In a lengthy post, Zuckerberg pledged to make changes to better protect personal data.

Mark Zuckerberg addresses the Cambridge Analytica scandal in a March 21 post.

“I started Facebook, and at the end of the day, I’m responsible for what happens on our platform,” he writes. “I’m serious about doing what it takes to protect our community.”

In an interview with CNN, Zuckerberg said he suspects efforts are underway to influence the U.S. mid-term elections in November.

“I’m sure that there’s v2, version two, of whatever the Russian effort was in 2016, I’m sure they’re working on that,” he told CNN. “And there are going to be some new tactics that we need to make sure that we observe and get in front of.”

The reaction to Zuckerberg, as well as to a separate status update by Facebook COO Sheryl Sandberg on her personal page, was not kind, to say the least.

“In my opinion you should not hide behind a Facebook post when you lead a company with the data of 2.2 billion people that many of us now fear is jeopardizing democracy at a global scale,” one commenter wrote to Zuckerberg. “It’s sad to have to write it this way, but so it is.”

Another wrote to Sandberg: “I’m throwing up. You are not portraying the truth. FB is too big to control. Your backend technology is a mess, and you’ll never be able to fix the siphoning of data that Cambridge and other predators have been sucking from FB for years.”

App Changes Promised

Privacy activists have been justifiably honking their horns for a decade about Facebook’s ever-changing privacy settings and whether it was transparent in communicating to users what data its platform shared, and with whom. Also of concern: The liberal access it has granted to outside app developers via its API, offering them an incredibly valuable data set on more than 2 billion users.

As the Cambridge Analytica scandal continues to unfold, the U.S. Federal Trade Commission has launched an investigation, as have state attorneys general in New York, New Jersey and Massachusetts. The U.K.’s Information Commissioner’s Office and Canada’s privacy commissioner are also investigating.

Cambridge Analytica obtained the data set from Aleksandr Kogan, a lecturer at the University of Cambridge. He created an app called “thisisyourdigitallife,” which purported to be a personality quiz.

The app was deployed for at least two to three months in 2014. Under Facebook’s developer rules at the time, the app was allowed to scrape profile information and data from the friends of someone who used the app.

As many as 270,000 people used “thisisyourdigitallife,” which opened the door for the collection of personal data on as many as 60 million other people without their permission.

Facebook contends Kogan lied to the company and passed the data to Cambridge Analytica, against its rules. Facebook discovered the situation in 2015, and Cambridge Analytica and Kogan then certified to the company that they had deleted the data.

But The New York Times, the Observer and Britain’s Channel 4 have cited insiders saying that at least some of the data was still available.

Facebook has taken steps designed to block these types of data grabs. Zuckerberg says that Facebook limited the amount of data that apps could access in 2014. Now, as a result of the Cambridge Analytica situation, Zuckerberg says that Facebook will “investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access.”

Facebook will request an audit of all apps that it flags, and if developers refuse, they will be banned, he writes. If personally identifiable information was misused by a developer, Facebook will also inform affected users.

The company is also promising to tighten its rules around apps. If someone hasn’t used an app for more than three months, Zuckerberg says Facebook will remove access to someone’s data. Also, when someone signs into an app, the app will only be able to access a person’s profile photo, name and email address. Facebook will also make it clearer what apps have been used and offer an easier way to revoke their permissions.

“We’ll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data,” Zuckerberg writes.
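The tightened access rules described above, modelled as a small policy check so the effect on an app's grant is concrete. This is an added illustration, not Facebook's code; the scope names, the 90-day cut-off, the 10,000-user audit threshold and the platform-change date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scope model reconstructed from the article; scope names are illustrative.
BASIC_LOGIN_SCOPES = frozenset({"name", "profile_photo", "email"})
PRIVATE_SCOPES = frozenset({"posts", "friends_data"})
INACTIVITY_LIMIT = timedelta(days=90)     # "more than three months", approximated
PLATFORM_CHANGE = date(2014, 5, 1)        # placeholder for the 2014 API tightening
TODAY = date(2018, 3, 23)                 # evaluation date used by the samples

@dataclass
class AppGrant:
    app_id: str
    scopes: frozenset
    first_granted: date
    last_used: date
    users: int
    developer_approved: bool = False      # hypothetical: passed app review
    contract_signed: bool = False         # hypothetical: signed the data-use contract

def allowed_fields(grant: AppGrant, today: date = TODAY) -> frozenset:
    """Fields the app may still read today under the tightened rules."""
    if today - grant.last_used > INACTIVITY_LIMIT:
        return frozenset()                # stale grant: access removed outright
    fields = set(grant.scopes & BASIC_LOGIN_SCOPES)
    if grant.developer_approved and grant.contract_signed:
        fields |= grant.scopes & {"posts"}  # private data needs approval plus contract
    return frozenset(fields)              # friends_data is never granted any more

def needs_audit(grant: AppGrant, large_app: int = 10_000) -> bool:
    """Flag apps that held broad access to many users before the change."""
    return (grant.first_granted < PLATFORM_CHANGE
            and grant.users >= large_app
            and bool(grant.scopes & PRIVATE_SCOPES))

# Constructed sample grants (not real apps).
QUIZ = AppGrant("quiz-app", frozenset({"name", "email", "friends_data", "posts"}),
                date(2014, 2, 1), date(2014, 5, 1), 270_000)
ACTIVE = AppGrant("news-reader", frozenset({"name", "profile_photo", "posts"}),
                  date(2017, 6, 1), date(2018, 3, 1), 500, True, True)
UNSIGNED = AppGrant("no-contract", frozenset({"name", "posts"}),
                    date(2017, 1, 1), date(2018, 3, 1), 10, True, False)

if __name__ == "__main__":
    for g in (QUIZ, ACTIVE, UNSIGNED):
        print(g.app_id, "audit:", needs_audit(g), "fields:", sorted(allowed_fields(g)))
```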

Facebook’s Terms: Unenforceable

Facebook has long made public commitments to privacy, and when the situation has gone south, issued the usual corporate bromides. But the technology giant seemed resistant to making drastic changes for fear of jeopardizing its ever-rising revenue.

The Cambridge Analytica situation highlights the company’s fundamental and avoidable error: It trusted app developers not to misuse data, but without any means of verifying or enforcing those assurances. Once Facebook allows access to personal data, as with any leak or data breach, there’s no way to reel it back.

But the data that app developers have had access to is what has made Facebook such a power in the digital advertising business. Without Facebook’s intimate knowledge of its users, micro-targeting people becomes less effective, and thus, much less profitable for Facebook.

Peak Privacy Debate

Privacy debates tend to fade quickly. Most users move on and accept the utility of Facebook and the deep connections it provides to community and friends rather than how it could potentially hurt them (see Facebook: Day of Reckoning, or Back to Business as Usual?). This episode, however, seems to have inspired the fiercest, most negative responses to corporate violations of people’s personal privacy since Cambridge Analytica was hired by the Trump campaign.

Facebook users also face potential long-term damage from the data losses. Many types of personally identifiable information never change. Even preferences – from political views to music to perspectives on social issues – are generally static. Hence the data that leaked through Kogan’s app – and perhaps through many more under examination now by Facebook – as well as social scientists’ resulting insights on individuals could float around for years or decades, providing detailed insights into how individuals could potentially be better targeted or manipulated.

Deleting a Facebook account stops future data collection and future micro-targeting, at least on the social network. But apologies and policy tweaks can’t fix the past. Zuckerberg has really messed up another one.

Lawmakers Tell Facebook’s Zuckerberg: You Will Testify

Leading the latest edition of the ISMG Security Report: As the Cambridge Analytica scandal continues to unfold, Congress seeks answers from Facebook.

In this report, you’ll hear:

  • Facebook called to account: ISMG Executive Editor Jeremy Kirk describes how regulators and lawmakers are seeking answers from Facebook CEO Mark Zuckerberg about how London-based Cambridge Analytica was able to collect private data on tens of millions of Facebook users. Democratic Sen. Richard Blumenthal of Connecticut says he wants to hear directly from Zuckerberg about how the company plans to be more transparent with users (see Yes, Mark Zuckerberg, You’ve Really Messed Up Another One).

  • Election cybersecurity improvements lag: Homeland Security Secretary Kirstjen Nielsen, testifying before the Senate Intelligence Committee, says DHS is working overtime to help state and local election officials better secure their systems. But multiple senators have told Nielsen – and by extension her boss, President Donald Trump – that more needs to be done quickly (see Will Congress Lose Midterm Elections to Hackers?).

  • Building a secure cryptocurrency wallet: Nick Holland, ISMG’s director of banking and payments, discusses cryptocurrency wallets and why they remain so challenging to secure, with insights from Javelin Strategy and Research’s Al Pascual about the types of fraud facing cryptocurrency users (see Sizing Up Crypto Wallet Vulnerabilities).

The ISMG Security Report appears on this and other ISMG websites on Fridays. Don’t miss the March 9 and March 16 editions, which respectively analyze a warning from a top U.S. general that the government’s response to Russia is not unified, and the Trump administration finally imposing sanctions on Russians for election interference.

The next ISMG Security Report will be posted on Friday, March 30.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.

Atlanta Ransomware Attack Freezes City Business


Damage Assessment Is Underway, But Backups Are in Place, Officials Say


Ransomware that struck the city of Atlanta early Thursday morning froze internal and customer-facing applications, but officials say backups are in place and they expect to pay city employees on time next week.


The ransomware has hampered citizens from paying bills and accessing court-related information, Mayor Keisha Lance Bottoms said at a press conference about 12 hours after the attack started. The city’s police department, water services and airport aren’t affected.

Atlanta Mayor Keisha Lance Bottoms.

The city is evaluating if personal data may be at risk, but is advising employees to monitor bank accounts, online statements and contact credit agencies, Bottoms says. The investigation should determine whether personal, financial or employee information has been compromised, she says.

Atlanta is working with the FBI, the Department of Homeland Security and experts from Microsoft and Cisco.

“We have been working diligently all day long to come to some type of resolution,” Bottoms says.

The FBI says it is “coordinating with the city of Atlanta to determine what happened.”

Backups In Place

Atlanta COO Richard Cox – in his first week on the job – says the ransomware encrypted some city data, but experts are still evaluating the damage. He says the city has not received further communications from the attackers.

The city discovered the attack after the security team “noticed something that looked peculiar” on a server, says Daphne Rackley, deputy CISO.

The city has been migrating applications to cloud services in part to mitigate risk, Rackley says. Backup systems are in place, which are helping with restoration, but the city is still investigating the scope of the attack.

“This is not a new issue to the state of Georgia or our country,” Rackley says. “We have been taking measures to mitigate risk.”

While the police department wasn’t affected, Chief Erika Shields says the department has reverted to a paper reporting system.

The attack had no other effect on the police department “other than not being able to spend time on the internet, which is probably a good thing,” Shields joked.

Suspected: SamSam Ransomware

Local news broadcaster 11Alive obtained a screenshot of an infected computer from a city employee. Although it did not publish the screenshot, the broadcaster reports the ransom note demands about $6,800 per computer or $51,000, payable in the virtual currency bitcoin, to unlock all of the city’s computers.

When asked if the city would pay the ransom, Bottoms said Thursday: “We can’t speak to that right now.” The city will consult with federal agencies on the best course of action.

Law enforcement generally advises infected organizations against paying ransom because it provides an incentive for future attacks. Businesses, however, sometimes do pay if there’s no other recourse to restoring systems. But there’s no guarantee that a decryption key will be delivered, making it a risky proposition (see Please Don’t Pay Ransoms, FBI Urges).

The city is due to pay its 8,000 employees on March 30. Bottoms says she doesn’t expect payroll payments to be disrupted.

11Alive reports that it passed the screenshot to Andrew Green, a lecturer of information security and assurance at Kennesaw State University. The ransom message appears similar to one affiliated with SamSam, also known as MSIL.

A SamSam ransomware notice published by Cisco Talos in January.

In January, Cisco’s Talos security group said SamSam has struck industrial control systems as well as healthcare and government organizations. SamSam has been around since at least 2015. Cisco says attacks using SamSam tend to be opportunistic rather than highly targeted.

The infection vector for SamSam attacks in 2016 was vulnerable JBoss application server installations (see JBoss Servers: Ransomware Campaign Alert). The attacks earlier this year may have come through compromised remote desktop protocol or virtual network computing servers, Cisco says.

In January, Hancock Health in Greenfield, Ind., paid a $55,000 ransom after patient files were locked with a version of SamSam (see Why Some Healthcare Entities Pay Ransoms).

Hancock Health CEO Steve Long told the Daily Reporter that the company could have restored the files, but it would have been costly and taken days or weeks. Luckily, after paying the ransom, the organization did receive working decryption keys.

“These folks have an interesting business model,” he told the newspaper. “They make it just easy enough [to pay the ransom]. They price it right.”

9 Iranians Indicted for Massive Hacking Scheme


Thousands of Professors Worldwide Allegedly Among Those Targeted


(Watch for updates on this developing story)


The U.S. Department of Justice has announced the indictment of nine Iranians alleged to have penetrated systems belonging to hundreds of U.S. and foreign universities, government entities and private companies to steal more than 31 terabytes of documents and data.

Among those who were victims of the hacks were 8,000 professors at 144 U.S. universities and 176 foreign universities, the Justice Department said. Also targeted were 30 U.S. companies and five U.S. government agencies.

In addition to the indictments on multiple charges revealed Friday, the Justice Department announced that all of those charged, and the Mabna Institute, the company they worked for, will be designated for sanctions.

Iran Government Involvement

“The defendants conducted many of these intrusions on behalf of … Iran’s Islamic Revolutionary Guard Corps, one of several entities within the government of Iran responsible for gathering intelligence, as well as other Iranian government and university clients,” the Justice Department notes.

The hackers used stolen account credentials to obtain unauthorized access to professors’ accounts, which they used to steal research and other academic data and documents, including, among other things, academic journals, theses, dissertations and electronic books, prosecutors say.

According to the Washington Post, as a result of the indictments, the defendants cannot travel to more than 100 countries without fear of arrest and extradition to the United States. The sanctions block any transactions with those named and freeze any assets they may have under U.S. jurisdiction, the newspaper reports.

Commenting on the indictments, Rep. Jim Langevin, D-R.I., co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, said: “Any actor, state, criminal or otherwise, must realize that malicious actions in cyberspace will have consequences. … The internet is not the ‘Wild West,’ and when rogue institutions like the Iranian Revolutionary Guard Corps use illicit hacking campaigns to support their deeds, the United States will not sit idly by.”