December 6, 2018

Facebook staff’s private emails published by fake news inquiry

By Lisa Vaas

Want to know what Mark Zuckerberg and his underlings really think about us users?

Get ready to read ’em and weep: against the wishes of the Facebook CEO, the UK parliament’s inquiry into fake news has published confidential correspondence between Zuck and his staff.

That correspondence has some revealing stuff in it. But first, how did the Parliament’s Digital, Culture, Media, and Sport (DCMS) committee – which has been overseeing inquiries into Facebook’s privacy practices – get their hands on it?

Well, it has to do with bathing suit photos. A now-defunct app called Six4Three that searched for Facebook users’ bathing suit photos is embroiled in a years-long lawsuit against Facebook.

Six4Three alleges that Facebook suddenly changed the terms of how it allowed developers to access Facebook’s Graph API generally, and its Friends’ Photos Endpoint, specifically. Six4Three made an app known as “Pikinis” that specifically sought out bikini photos across Facebook users’ friends pages. In April 2015, Six4Three sued Facebook, claiming that Facebook’s sudden yanking of access rendered both the app and the company itself “worthless.”

According to a court filing from last week, Six4Three managing director Ted Kramer met with MP Damian Collins in his London office on 20 November. Collins told Kramer that he was under active investigation, that he was in contempt of parliament, and that he could potentially face fines and imprisonment.

Read more at https://nakedsecurity.sophos.com/2018/12/06/facebook-staffs-private-emails-published-in-press/

Patch now (if you can!): Latest Android update fixes clutch of RCE flaws

By John E Dunn

Android’s December security bulletin arrived this week with another sizable crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat to version 9.0 Pie, including Google Pixel users.

Overall, December sees a total of 53 separate flaws and 21 assigned CVE numbers. (Qualcomm components add another 32 CVEs in mainly closed-source components.)

If there’s a theme this month, it’s probably remote code execution (RCE), which accounts for five of the 11 critical flaws listed, plus one flaw marked high.

Four of these were discovered in the Media Framework with another two in the core system, which could, in Google’s words:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

This means that an attacker exploiting the flaws could remotely take over a vulnerable Android device – for example by sending you a booby-trapped image or talking you into clicking on a this-is-not-the-video-you-wanted-to-watch link.

Fortunately, according to Google, none of the listed flaws is being exploited in the wild.

Read more at https://nakedsecurity.sophos.com/2018/12/06/patch-now-if-you-can-latest-android-update-fixes-clutch-of-rce-flaws/

Google’s private browsing doesn’t keep your searches anonymous

By Lisa Vaas

New research has found that it doesn’t matter what you do to burst out of Google’s search filter bubble: you can log out of Google, then enter private browsing mode, but those precautions won’t render your search anonymous. Google’s search engine will still tailor results to the personal information the company has on you, including search, browsing and purchase history.

Granted, the research comes from search competitor DuckDuckGo, which draws search results from third-party sites such as Bing, Yahoo and Yandex without tracking you. The research is still eye-opening, though, in spite of DuckDuckGo being a competitor.

To test whether a search engine is really profiling you, keep in mind that an engine that doesn’t profile its users should show everyone who searches for the same term at the same time the same results, without tweaking them based on things like an individual’s previous search history.
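The test described above can be turned into a small comparison script. The following is an added example, not code from the article or from DuckDuckGo’s study: several “users” record the ordered result URLs they get for the same query at the same moment, and the script reports how far each pair of lists diverges (set overlap and rank displacement) and which users received a list that differs from the majority. The result lists are constructed sample data, not real search results.

```python
"""Check whether users searching the same term at the same time get the same results.

Added example; the result lists below are constructed, not captured from any engine.
"""
from collections import Counter
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample data: ordered result URLs seen by three users for one query.
# user_c's list is deliberately different to show what a personalised result set looks like.
SAMPLE_RESULTS: Dict[str, List[str]] = {
    "user_a": ["https://example.org/a", "https://example.org/b", "https://example.org/c", "https://example.org/d"],
    "user_b": ["https://example.org/a", "https://example.org/b", "https://example.org/c", "https://example.org/d"],
    "user_c": ["https://example.org/b", "https://example.org/a", "https://example.org/e", "https://example.org/d"],
}


def jaccard(a: List[str], b: List[str]) -> float:
    """Set overlap of two result lists (1.0 = same URLs, order ignored)."""
    sa, sb = set(a), set(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 1.0


def rank_displacement(a: List[str], b: List[str]) -> int:
    """Sum of |rank in a - rank in b| over URLs present in both lists (0 = same order)."""
    pos_b = {url: i for i, url in enumerate(b)}
    return sum(abs(i - pos_b[url]) for i, url in enumerate(a) if url in pos_b)


def compare_users(results: Dict[str, List[str]]) -> Dict[Tuple[str, str], dict]:
    """Pairwise comparison of every two users' result lists."""
    report = {}
    for u, v in combinations(sorted(results), 2):
        report[(u, v)] = {
            "jaccard": jaccard(results[u], results[v]),
            "displacement": rank_displacement(results[u], results[v]),
            "identical": results[u] == results[v],
        }
    return report


def personalised_users(results: Dict[str, List[str]]) -> List[str]:
    """Users whose list differs from the most common list across all users.

    With a non-profiling engine this should be empty: everyone sees the same list.
    """
    majority = Counter(tuple(r) for r in results.values()).most_common(1)[0][0]
    return sorted(u for u, r in results.items() if tuple(r) != majority)


if __name__ == "__main__":
    for pair, stats in compare_users(SAMPLE_RESULTS).items():
        print(pair, stats)
    print("users with a tailored list:", personalised_users(SAMPLE_RESULTS))
```

Identical lists across users are the expected outcome for an engine that does not profile; a low Jaccard score or a large rank displacement between two users who searched at the same moment is the signal the study was looking for.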

Google has claimed to have taken steps to reduce the filter bubble problem – a problem that’s been implicated in influencing US presidential election outcomes both in 2016 and in the 2012 Romney-Obama bout. The thinking is that profiling search users and feeding them tailored search results essentially surrounds them with a walled garden of information they already agree with, thereby silencing new information or differing opinions.

Read more at https://nakedsecurity.sophos.com/2018/12/06/googles-private-browsing-doesnt-keep-your-searches-anonymous/

Chrome 71 stomps on abusive advertising

By Danny Bradbury

Google shipped version 71 of its Chrome browser earlier this week, alongside fixes for 43 security issues. The latest Chrome version also introduces several new security measures.

Perhaps the biggest new security feature in Chrome is its anti-abuse technology, which focuses on ads that deliberately mislead users. These sites use a range of techniques such as presenting buttons that purport to do one thing like playing video or closing a window, but which actually do another like opening advertising windows.

Such sites are also known to use fake chat messages, transparent areas that are clickable without the user’s knowledge, auto-redirects without user interaction, and ads that use fake moving mouse cursors to try and make users click on a certain area. Scammers and phishers sometimes use these techniques to steal personal information, the company said.

Google is stepping up the anti-abuse measures that it launched last year by identifying sites that persist in using these abusive techniques to serve ads, and blocking advertising from them altogether. Site owners will get a 30-day warning.

Read more at https://nakedsecurity.sophos.com/2018/12/06/chrome-71-stomps-on-abusive-advertising/

Kubernetes cloud computing bug could rain data for attackers

By Danny Bradbury

Kubernetes, a tool that powers much modern cloud-native infrastructure, just got its first big security bug – and it’s a mammoth one. The flaw could give an attacker unfettered access to the software applications that rely on the tool to operate.

Kubernetes is a software tool that manages large numbers of containers. These are similar to the virtual machines that run multiple operating systems on the same physical computer, but they have a key difference. Instead of housing a complete operating system, containers house only what’s needed for a particular application to run (such as software dependencies, system libraries etc), while sharing a host operating system with other containers.

Containers are small, nimble operating environments that are designed to run the same way across multiple computing environments, removing “but it worked when we tested it!” issues. Companies can run tens or even hundreds of thousands of containers, and that can make deploying, updating and managing them all a serious challenge. That’s where Kubernetes comes in. It manages containers in groups called pods.

The program, which originally started as an open-source project from Google and is now managed by the Linux Foundation’s Cloud Native Computing Foundation (CNCF), sprang its first serious leak with the flaw, which gives an attacker deep access to a Kubernetes installation. It lets an attacker use a specially crafted request to connect to Kubernetes servers and then make requests of their own.

Read more at https://nakedsecurity.sophos.com/2018/12/05/kubernetes-cloud-computing-bug-could-rain-data-for-attackers/

Quora.com admits data breach affecting 100 million accounts

By John E Dunn

Hackers have compromised data from the accounts of 100 million users of question and answer site, Quora.com.

The bad news arrived in emails sent to the affected users – half its estimated 200 million account base – and through a public announcement made on Monday on its website.

The company discovered the breach on 30 November, finding that “data was compromised by a third party who gained unauthorized access to our systems,” wrote Quora CEO, Adam D’Angelo.

Data accessed included private information such as name, email address and encrypted (hashed) passwords, and any data imported from linked networks as authorized by account holders.

Also taken was “Non-public content and actions, e.g. answer requests, downvotes, direct messages,” however the company believes only a low percentage of users had such data in their accounts.

In addition, the hackers got hold of any questions, answers and upvotes posted by users, although these would also have been publicly available on the site itself.

Anyone who posted anonymously to the site over the years is not affected as Quora does not store data from these users, the company said.

Read more at https://nakedsecurity.sophos.com/2018/12/05/quora-com-admits-data-breach-affecting-100-million-accounts/

Those are NOT your grandchildren! FTC warns of new scam

By Lisa Vaas

Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the Federal Trade Commission (FTC) warned on Monday.

The FTC says that its Consumer Sentinel Network has noticed a “striking” increase in the median dollar amount that people 70 and older report losing to fraud. When they started to peel back the layers, the Commission found a number of stories that involve people of that age group having mailed “huge” amounts of cash to people who pretended to be their grandchildren.

People from all age groups report having fallen for phony family and friends: the reported median loss for individuals is about $2,000, which is more than four times the median loss of $462 reported for all fraud types.

But that’s nothing compared with how much money is being bled out of the elderly: those who send cash reported median losses of a whopping $9,000. About one in four of the ripped-off elderly who report that they lost money to a family or friend imposter say that they sent cash: a far higher rate than the 1 in 25 of people who sent cash for all other frauds.

CBS News talked to one man who got scammed in a way that the FTC says is a common ploy.

Read more at https://nakedsecurity.sophos.com/2018/12/05/those-are-not-your-grandchildren-ftc-warns-of-new-scam/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation