
Chiangmai's First English Language Newspaper


 

Copyright 2018 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

 
Technology
 

October 13, 2018 - October 19, 2018

What comes next in Facebook’s major data breach?

Matt O’Brien & Mae Anderson

New York (AP) - For users, Facebook’s revelation of a data breach that gave attackers access to 50 million accounts raises an important question: What happens next?

For the owners of the affected accounts, and of another 40 million that Facebook considered at risk, the first order of business may be a simple one: sign back into the app. Facebook logged everyone out of all 90 million accounts in order to reset digital keys the hackers had stolen - keys normally used to keep users logged in, but which could also give outsiders full control of the compromised accounts.

Next up is the waiting game, as Facebook continues its investigation and users scan for notifications that their accounts were targeted by the hackers.

What Facebook knows so far is that hackers got access to the 50 million accounts by exploiting three distinct bugs in Facebook’s code that allowed them to steal those digital keys, technically known as “access tokens”. The company says it has fixed the bugs.

Users don’t need to change their Facebook passwords, it said, although security experts say it couldn’t hurt to do so.

Facebook, however, doesn’t know who was behind the attacks or where they’re based. In a call with reporters on Friday, CEO Mark Zuckerberg - whose own account was compromised - said that attackers would have had the ability to view private messages or post on someone’s account, but there’s no sign that they did.

“We do not yet know if any of the accounts were actually misused,” Zuckerberg said.

The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of these issues have significantly shaken the confidence of the company’s 2 billion global users.

This latest hack involved bugs in Facebook’s “View As” feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the “View As” feature. The attack then moved along from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the “View As” feature interacted with Facebook’s video uploading feature for posting “happy birthday” messages, said Guy Rosen, Facebook’s vice president of product management. But it wasn’t until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.

“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Rosen said in a call with reporters. “It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.”

Neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.

Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third party applications.

Williams noted that the company’s “Facebook Login” feature lets users log into other apps and websites with their Facebook credentials. “These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site,” he said.

Facebook confirmed late Friday that third party apps, including its own Instagram app, could have been affected.

“The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves,” Rosen said.

News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices.

The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts - enough for half of the world’s entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.

U.S. prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.

In Facebook’s case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University. Rid said it could also be spammers or criminals.

“Nothing we’ve seen here is so sophisticated that it requires a state actor,” Rid said. “Fifty million random Facebook accounts are not interesting for any intelligence agency.”


October 6, 2018 - October 12, 2018

Beyond fake news? Facebook to fact check photos, videos

Facebook says it’s expanding its fact-checking program to include photos and videos as it fights fake news and misinformation on its service. (AP Photo/Marcio Jose Sanchez, File)

New York (AP) - Facebook says it is expanding its fact-checking program to include photos and videos as it fights fake news and misinformation on its service.

Malicious groups seeking to sow political discord in the U.S. and elsewhere have been embracing images and video to spread misinformation.

The company has been testing the image fact-checks since the spring, beginning with France and the news agency AFP. Now, it will send all of its 27 third-party fact-checkers disputed photos and videos to verify. Fact-checkers can also find them on their own.

Facebook will label images or video found to be untrue or misleading as such.

Facebook says the fact-checkers use visual verification techniques such as reverse image searching and analyzing image metadata to check the veracity of photos and videos.


How Apple’s Safari browser will try to thwart data tracking

This March 19, 2018, file photo shows the Safari app on an iPad in Baltimore. New privacy features in Apple’s Safari browser seek to make it tougher for companies such as Facebook to track you. (AP Photo/Patrick Semansky)

Anick Jesdanun

New York (AP) - New privacy features in Apple’s Safari browser seek to make it tougher for companies such as Facebook to track you.

Companies have long used cookies to remember your past visits. This can be helpful for saving sign-in details and preferences. But now they’re also being used to profile you in order to fine-tune advertising to your tastes and interests.

Cookie use goes beyond visiting a particular website. As other sites embed Facebook “like” and “share” buttons, for instance, Facebook’s servers are being pinged and can access your stored cookies. That means Facebook now knows you frequent celebrity gossip sites or read news with a certain political bent. Ads can be tailored to that.

Here’s how Safari is getting tougher in dealing with that.

No more grace period

Safari used to wait 24 hours from your last visit to a service before blocking that service’s cookies on third-party sites. That effectively exempted Facebook, Google and other services that people visited daily. Now, Safari will either block the cookie automatically or prompt you for permission.

Apple says Safari will still be able to remember sign-in details and other preferences, though some websites have had to adjust their coding.

Thwarting fingerprinting

Browsers typically reveal seemingly innocuous information about your device, such as the operating system used and fonts installed. Websites use this to make minor adjustments in formatting so that pages display properly.

Browsers have historically made a lot of information available, largely because it seemed harmless. Now it’s clear that all this data, taken together, can be used to uniquely identify you. Safari will now hide many of those specifics so that you will look no different from the rest.

It’s like a system that digitally blurs someone’s image, said Lance Cottrell, creator of the privacy service Anonymizer. “You can tell it’s a person and not a dog, but you can’t recognize a person’s face,” he said.

For instance, Safari will reveal only the fonts that ship with the machine, not any custom fonts installed.

Masking web addresses

When visiting a website, the browser usually sends the web address for the page you were just on. This address can be quite detailed and reveal the specific product you were exploring at an e-commerce site, for instance.

Now, Safari will just pass on the main domain name for that site. So it would be just “Amazon.com” rather than the specific product page at Amazon.

Closing a loophole

Some ad companies have sought to bypass restrictions on third-party cookies - that is, identifiers left by advertisers - by using a trick that routed them through a series of websites. That could make a third-party cookie look like it belonged to a site you’re visiting. Safari will now try to catch that.

Many of the safeguards will be limited to cookies that Apple deems to be trackers. That’s being done to reduce the likelihood of inadvertently blocking legitimate third-party cookies.
 

