February 20, 2018

Facebook told to stop tracking users that aren’t logged in

By John E Dunn

In late 2015, a Belgian court ordered Facebook to stop tracking internet users in the country, even when they were not logged into – or even members of – its site.

Failure to comply within 48 hours would result in a €250,000 a day ($267,000) fine by the Belgian Privacy Commission (BPC), which brought the case.

Last week, in an eerie case of déjà vu all over again, a Belgian court ordered Facebook to stop tracking users not logged into its site or face a fine of €250,000 (now $315,000) per day up to a maximum of €100m. It must also delete data it had gathered from Belgians in this way.

Same issue, same result against Facebook more than two years on – what gives?

The legal answer is Facebook appealed against the 2015 judgement, winning in 2016 on the basis that because Facebook’s European HQ was in Ireland, the company should not be regulated by a court decision made in Belgium.

That appeal has, in turn, now been overturned, leaving the case more or less back at square one. Not surprisingly, Facebook said it will appeal yet again, which means the case trundles on.

The dispute is over the way Facebook is said to have carried out commercial surveillance on internet users who come into contact with the site with, but often without, their explicit consent.

It’s not the only company that does such things, of course, but it has become the European test case for where the acceptable lines should be drawn.

Most Facebook users might expect the company to track what they do on Facebook and other sites while logged into Facebook according to the company’s published ad policy.

Read more at https://nakedsecurity.sophos.com/2018/02/20/facebook-told-to-stop-tracking-users-that-arent-logged-in/

Google drops new Edge zero-day as Microsoft misses 90-day deadline

By Paul Ducklin

Google’s Project Zero team has dropped a Microsoft Edge bug for the world to see.

Google originally shared details of the flaw with Microsoft on 17 November 2017, but Microsoft wasn’t able to come up with a patch within Google’s non-negotiable “you have 90 days to do this” period.

Ironically, Google may give you a 14-day grace period to extend the deadline to 104 days, but if you admit you aren’t going to make it within 104 days, you don’t get any of the extra 14 days of non-disclosure.

Last week, right at the 90-day deadline, Google quoted Microsoft as saying:

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th [2018-03-13], however this is beyond the 90-day SLA [service level agreement] and 14-day grace period to align with Update Tuesdays.”

As a result, Google published details of the bug immediately, so Microsoft Edge users are now adrift without a patch for nearly a month.

How bad is it?

Fortunately, this bug isn’t a remote code execution exploit all on its own.

It’s a security bypass that could allow an attacker who has already wrested control from your browser to vault over Microsoft’s second layer of defense, known as ACG, short for Arbitrary Code Guard.

ACG is supposed to head off remote code execution attacks before they can make any headway.

Even if a booby-trapped web page, image or script manages to wrest the CPU away from Edge in an effort to grab control, ACG means that the attack can’t easily transfer control to malware of its own choice.

That’s a bit like having a backup security system at home that throws a net over crooks who manage to pick your front door lock and get into your house: they’re already in, which is bad, but their hands are pinned to their sides, so they can’t pick anything up or open any more doors, which is good.

Very simply put, ACG works by locking down the memory that Edge uses to run its own software code.

Read more at https://nakedsecurity.sophos.com/2018/02/19/google-drops-a-new-edge-zero-day-as-microsoft-misses-90-day-deadline/

Broadband network plagued by wheezy old cryptomining gadget

By Lisa Vaas

Cryptocoin mining, how do you ruin our day?

Let us count the ways, because hastening global warming and hoovering up all the graphics processing units (GPUs) apparently isn’t enough.

Now, we have method #1583: a mining device with halitosis, breathing out interference emissions that befogged T-Mobile’s broadband network in Brooklyn.

Knock it off, the Federal Communications Commission (FCC) told Brooklyn resident Victor Rosario on Thursday. The FCC’s letter said that if Rosario didn’t turn off the mining device, and if the interference kept up, he’d be in danger of incurring “severe penalties,” including, but not limited to, stiff fines, seizure of the offending radio equipment, and potentially jail time.

How did they test whether the device in question was really screwing up T-Mobile’s broadband? They either turned it off or told Rosario to turn it off. Presto! No more “spurious emissions” were found when the gadget was powered down, the FCC said.

David C. Dombrowski, regional director of the FCC’s Enforcement Bureau, said that agents had used direction-finding techniques to trace radio emissions in the 700 MHz band and found they were emanating from Rosario’s home in Brooklyn, New York.

Read more at https://nakedsecurity.sophos.com/2018/02/19/t-mobile-plagued-by-wheezy-old-cryptomining-gadget/

US and UK condemn Russia for NotPetya worm attack

By John E Dunn

When it comes to pointing the finger for last year’s historically-disruptive NotPetya cyberattack, nobody could accuse the US and UK of dodging the issue.

First the UK, and then the US, named their chief suspect – Russia – in near-synchronized statements that set out to dissolve the secrecy and confusion that cloaks many cyber-incidents.

UK Defense Secretary Gavin Williamson said at the time:

“Russia is ripping up the rule book by undermining democracy, wrecking livelihoods by targeting critical infrastructure, and weaponising information.”

Which echoed White House Press Secretary Sarah Sanders:

“This was also a reckless and indiscriminate cyberattack that will be met with international consequences.”

In a possible first, the three other members of the Five Eyes intelligence alliance – Australia, Canada and New Zealand – also put out statements blaming Russia.

We’ve heard US-led condemnations before. Examples include that Russia hacked the Democratic National Committee in 2016, that North Korea was behind WannaCry and, further back in time, a lot of fuss about China’s APTs stealing intellectual property from US companies.

The problem is accusations only get you so far: no technical evidence against Russia has been offered beyond noting that NotPetya appeared to have been aimed at arch-Russian foe, Ukraine.

Inevitably – whether Russia was behind the attack or not – it can dismiss the accusation as “Russiaphobia” in a way that makes that defense sound plausible.

Read more at https://nakedsecurity.sophos.com/2018/02/19/us-and-uk-condemn-russia-for-notpetya/

Hackers sentenced for SQL injections that cost $300 million

By Lisa Vaas

Heartland Payment Systems: remember that decade-old breach?

What was then the sixth-largest payments processor in the US announced back in 2009 that its processing systems had been breached the year before.

Within days, it had been classified as the biggest ever criminal breach of card data. One estimate claimed 100 million cards and more than 650 financial services companies were compromised, at a cost of hundreds of millions of dollars. Prosecutors have said that three of the corporate victims reported $300m in losses.

The “biggest ever” designation applied to Heartland, but it was one of many corporate victims in a worldwide hacking and data breach scheme that targeted major networks. In total, the hacking ring responsible for the Heartland attack compromised 160 million credit card numbers: the largest such scheme ever prosecuted in the United States. Individual consumers also got hit, incurring what court documents said were “immeasurable” losses through identity theft, including costs associated with stolen identities and false charges.

It might be an old breach, but it hasn’t been collecting dust.

On Wednesday, the US Attorney’s office of New Jersey announced that two Russians belonging to the hacking ring that gutted Heartland, other credit card processors, banks, retailers, and other corporate victims around the world have been sent to federal prison.

Both had pleaded guilty in 2013.

Russian national Vladimir Drinkman, 37, had previously pleaded guilty to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. He’s been sentenced to 12 years in prison. Dmitriy Smilianets, 34, of Moscow, had previously pleaded guilty to conspiracy to commit wire fraud against a financial institution and was sentenced to 51 months and 21 days in prison: time served.

Read more at https://nakedsecurity.sophos.com/2018/02/19/hackers-sentenced-for-sql-injections-that-cost-300-million/
