
Security Bits – Bad Times for Facebook, Data Transfer Project, Bluetooth Bugs, Malware in the Mail

Pre-amble (by Allison) — Bad Times for Facebook

  • Facebook lost $120B in value after their July Earnings call, which is the biggest one-day stock fall in history — marketwatch.com/…
  • One root cause is that advertising growth in Europe “decelerated more quickly than other regions” because of GDPR.
  • Facebook Chief Financial Officer David Wehner said, “The implementation of GDPR gave a large number of Facebook users control over their privacy, and it should have been patently obvious to investors (and to us) that allowing users control would result in slightly lower engagement,” — cbsnews.com/…
  • Note that after the $120B loss in value, Facebook was back to where it was in May after it recovered from the Cambridge Analytica débâcle.

Followup

  • Another week, another Spectre variant! This one is named NetSpectre (though it comes in two flavours), and initially sounds very scary because it can be exploited remotely over the network. No need to panic though, it’s very slow, allowing bit rates of just a few bytes per hour! Also, existing counter-measures protect against this new variant — arstechnica.com/…

Security Medium — The Data Transfer Project

Helped along by the GDPR, all the major internet companies now provide mechanisms for exporting your data. You end up with a massive ZIP file that contains all your stuff. That’s a lot better than nothing, but it’s not much use if you want to move your data to another service. You now have to manually re-upload the lot!

Imagine if there was an agreed-upon mechanism that could be used to connect any cloud service to any other so you could transfer your data directly between providers without ever having to use any of your own time, effort, or network bandwidth. Real pie-in-the-sky stuff right? Wrong!

The tech industry has banded together to create an open-source project to do just that, and they’ve very imaginatively named it the Data Transfer Project!

The spec defines a number of common data models, and the APIs for connectors to export and import data to and from those models. Users of any service that provides a connector for any given model can then trivially request their data be migrated to any other service that has a connector for the same model. The connectors don’t even have to be written by the service owners themselves. As long as the service provides an API, anyone can write a connector for it.

What is a data model? Well, it’s a specification for the storage of a particular type of data, e.g. photos & videos, or music playlists, or blog posts, or files and folders etc.

The project website gives many examples of how this mechanism can be used, and it’s really not just about leaving one service and moving to another, though that is one thing this kind of mechanism makes easier. It can also be about getting up and running on an additional new service with way less effort.

The fact that the industry was able to get together and build this spec is great. The fact that they are doing all this as open source is even better. But, we’re not quite living in utopia yet — the connectors still have to get written!
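To make the model-plus-connectors idea concrete, here is a small added illustration. It is example code written for these notes, not the Data Transfer Project’s own API: the two services (“Snapshare” and “Albumly”), their storage formats, the `Photo` model and the `transfer()` function are all hypothetical. The point it adds to the prose above is that the common model is a trust boundary: because the exporter and importer may have been written by different parties, the model validates every record once, in the middle, before anything is handed to the importer.

```python
"""Hypothetical Data-Transfer-Project-style migration: two services, one
shared 'photos' model, and connectors in each direction.  Example code,
not DTP's real schemas or API."""
from dataclasses import dataclass, field
from datetime import date
import json


@dataclass(frozen=True)
class Photo:
    """One item in a hypothetical common 'photos' data model."""
    title: str
    taken_on: str          # ISO-8601 calendar date, e.g. "2018-07-28"
    content: bytes         # image bytes, carried through unchanged
    album: str = "default"

    def validate(self) -> None:
        # The model sits between two connectors that may come from
        # different authors, so malformed records are rejected here.
        if not self.title or len(self.title) > 200:
            raise ValueError("bad title")
        date.fromisoformat(self.taken_on)   # ValueError if not ISO-8601
        if not self.content:
            raise ValueError("empty photo content")


@dataclass
class PhotoCollection:
    photos: list = field(default_factory=list)

    def validate(self) -> "PhotoCollection":
        for p in self.photos:
            p.validate()
        return self


class SnapshareConnector:
    """Hypothetical service: a JSON manifest plus a blob store keyed by id."""

    def __init__(self, manifest: str, blobs: dict):
        self.entries = json.loads(manifest)["items"]
        self.blobs = blobs

    def export(self) -> PhotoCollection:          # service -> common model
        return PhotoCollection([
            Photo(e["caption"], e["date"], self.blobs[e["id"]], e.get("set", "default"))
            for e in self.entries
        ])

    def import_(self, collection: PhotoCollection) -> int:   # model -> service
        for i, p in enumerate(collection.photos, start=len(self.entries)):
            pid = f"imported-{i}"
            self.blobs[pid] = p.content
            self.entries.append({"id": pid, "caption": p.title,
                                 "date": p.taken_on, "set": p.album})
        return len(collection.photos)


class AlbumlyConnector:
    """Hypothetical service: album name -> list of {name, shot, data} records."""

    def __init__(self, albums: dict):
        self.albums = albums

    def export(self) -> PhotoCollection:
        photos = []
        for album, items in self.albums.items():
            for it in items:
                title = it["name"].rsplit(".", 1)[0]   # strip file extension
                photos.append(Photo(title, it["shot"], it["data"], album))
        return PhotoCollection(photos)

    def import_(self, collection: PhotoCollection) -> int:
        for p in collection.photos:
            self.albums.setdefault(p.album, []).append(
                {"name": f"{p.title}.jpg", "shot": p.taken_on, "data": p.content})
        return len(collection.photos)


def transfer(source, destination) -> int:
    """Move everything the source exports into the destination, validating
    the common model in between so a sloppy or hostile third-party exporter
    cannot feed the importer malformed records."""
    return destination.import_(source.export().validate())


# Constructed sample data for the hypothetical Snapshare service.
SNAPSHARE_MANIFEST = json.dumps({"items": [
    {"id": "a1", "caption": "Sunset", "date": "2018-07-21", "set": "holiday"},
    {"id": "b2", "caption": "Cat", "date": "2018-07-25"},
]})
SNAPSHARE_BLOBS = {"a1": b"\xff\xd8sunset", "b2": b"\xff\xd8cat"}


def demo() -> dict:
    """Migrate Snapshare -> Albumly; return the count and the Albumly store."""
    src = SnapshareConnector(SNAPSHARE_MANIFEST, dict(SNAPSHARE_BLOBS))
    dst = AlbumlyConnector({})
    moved = transfer(src, dst)
    return {"moved": moved, "albums": dst.albums}


def demo_rejects_bad_export() -> bool:
    """A connector emitting a non-ISO date is stopped at the model boundary."""
    bad = SnapshareConnector(json.dumps({"items": [
        {"id": "x", "caption": "Oops", "date": "21/07/2018"}]}), {"x": b"\xff"})
    try:
        transfer(bad, AlbumlyConnector({}))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print(demo_rejects_bad_export())
```

Because both connectors speak the same model, the migration also works in reverse (Albumly back into a fresh Snapshare) without either service knowing anything about the other’s format, which is exactly what a shared spec buys you. The validation step is the part a practitioner would insist on: the prose above notes that anyone can write a connector, so the importer should never trust an exporter’s output blindly.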

Links:

Notable News

  • Security researchers have released details of a bug in many Bluetooth firmwares that allowed attackers within Bluetooth range to decrypt the data flowing between affected Bluetooth devices. Thankfully the bug was responsibly disclosed, so all the major desktop and mobile OSes have already been patched (though many Android users will of course never get the patch). Also, the bug can only be exploited by an attacker who is within Bluetooth range when the victim is pairing their Bluetooth device, so the real-world risk is low — nakedsecurity.sophos.com/… & www.bleepingcomputer.com/…
  • As planned, the latest version of Google’s Chrome browser has pro-actively started to label HTTP sites as not secure — nakedsecurity.sophos.com/…
  • Security researchers warn that when you leave a Venmo transaction in its default public state it really is public, and permanently so, with a web API that makes it easy to access every public Venmo transaction there has ever been — nakedsecurity.sophos.com/…
  • 🇺🇸 The US Department of Justice (DOJ) have announced a new policy for this year’s elections — it will inform the targets of tampering that they are being targeted as they discover the attacks are happening — nakedsecurity.sophos.com/…
  • A timely reminder never to just blindly say yes when your iPhone asks you to agree to something: MDM Hack Targeted 13 iPhones With Malicious Apps — www.macobserver.com/…
  • A timely reminder to be careful where you place your IoT cameras: following a bizarre incident where a security camera emailed video to the wrong person a few weeks ago, security researchers dug deeper and found that, contrary to the manufacturer’s claims, it was not a one-off freak occurrence, but instead a symptom of a catastrophic security bug that allowed the security researchers to trick the company’s cloud app into thinking any other camera on the service belonged to them, allowing them to stream the video from any camera at will. (Editorial by Bart: the brands involved in this case were Swann & OzVision, but IMO that’s not the point, this is just the latest example of a much bigger problem – many IoT devices are a security train-wreck, so tread carefully!) — nakedsecurity.sophos.com/…
  • A timely reminder that all digital evil is not online, it can even arrive by snail mail: 🇺🇸 State Governments Warned of Malware-Laden CD Sent Via Snail Mail from China — krebsonsecurity.com/…
  • Google have provided an interesting case-study in the power of 2-factor authentication. Since enforcing the use of hardware security keys in early 2017 (using the open-source U2F protocol), none of their 85K user accounts have been successfully taken over — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
  • Related (probably): Google announced their own U2F hardware tokens a few days after they reached out to security reporters to wax lyrical about how great 2FA is — nakedsecurity.sophos.com/…
  • 🇺🇸 Senator Ron Wyden has written to the three government agencies that set IT policy for most of the US government (NIST, NSA & DHS) urging them to mandate that all US government agencies remove Flash from their websites by 1 August 2019 so Flash does not become the next Windows XP — nakedsecurity.sophos.com/…
