April 30, 2019

Docker breach of 190,000 users exposes lack of two-factor authentication

By John E Dunn

Containerization platform Docker has asked 190,000 developer users to change their account passwords after hackers gained access to a database containing personal data.

According to an advisory on the company’s website, the incident happened on 25 April when for a “brief period” attackers accessed a single Docker Hub repository used to store the accounts.

Exposed data included usernames, an unknown number of hashed passwords and, inconveniently, API tokens used by developers with GitHub and Bitbucket (which, when embedded in scripts, perform the same function as passwords for Docker autobuilds).

When Docker discovered the breach, it says it acted quickly, adding:

No Official Images have been compromised. We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image.

Data breaches are always bad news but the possible compromise of 190,000 accounts (about 5% of the service’s user base) on a development system used by businesses heaps additional worries on top of the usual workload.

Read more at https://nakedsecurity.sophos.com/2019/04/30/docker-breach-of-190000-users-exposes-lack-of-two-factor-authentication/

Facebook under investigation for harvesting 1.5m users’ contact lists

By Lisa Vaas

The New York Attorney General’s office announced last week that it’s launched an investigation into Facebook’s harvesting of 1.5 million users’ email address books without their consent.

Earlier this month, a security researcher had noticed that Facebook was asking some new users for their email passwords when they signed up: what he called “a HORRIBLE idea from an #infosec point of view”…

…particularly from a company that’s mishandled the passwords we use in two-factor authentication (2FA) and which saved hundreds of millions of users’ passwords to disk in raw, unencrypted form.

But Facebook wasn’t just asking for some new users’ email passwords, the company would go on to admit: it was also sucking up their contacts, popping up a message saying the platform was “importing” their contacts without asking for permission first, and without offering any way for users to cancel the process.

Facebook admitted it had “unintentionally uploaded” 1.5 million contact databases of new Facebook users since May 2016. But as noted in a press release issued on Thursday by the office of New York Attorney General Letitia James, the number of emails drawn into this filter feeder’s baleen is bound to be orders of magnitude higher, as in, hundreds of millions, given that the affected people could have hundreds, if not thousands, of contacts in their contact databases.

While Facebook claims that 1.5 million contact databases were directly harvested by its email password verification process for new users, the total number of people whose information was improperly obtained may be hundreds of millions.

Well, isn’t it just typical, AG James said. It’s just the latest demonstration of how Facebook “does not take seriously its role in protecting our personal information,” she was quoted as saying. She added…

It is time Facebook is held accountable for how it handles consumers’ personal information.

Read more at https://nakedsecurity.sophos.com/2019/04/30/facebook-under-investigation-for-harvesting-1-5m-users-contact-lists/

Man posing as Hollywood superstar scams woman out of a ‘fortune’

By Lisa Vaas

What action-thriller car-chase fan wouldn’t be star-struck if Hollywood actor/stuntman/producer/eye candy Jason Statham were to personally reach out from a fan page to chat with them?

…and to invite her to join him to chat on WhatsApp?

…and to subsequently claim to have fallen in love with her, sending hundreds of messages, and to confide in her that he needed help with some “financial difficulties,” given that a film payment was delayed (in spite of the fact that Statham is reportedly worth an estimated $70 million)?

You and I can likely see the marquee blinking “conman” from a mile away, but a British woman who was grieving over the deaths of both her mother and fiancé says that she did not. The woman, who requested anonymity, told BBC Radio Manchester that she sent the fraudster a fortune. She wouldn’t say exactly how much, other than that it was hundreds of thousands of pounds.

It was a substantial amount, which would have made a difference to my life and my family.

Posing as Statham, the scammer first reached out to her via Messenger while she was on a Facebook fan-page dedicated to the Fast & Furious star. The message showed his face. Or, rather, the message showed a photo of Statham, which of course anybody can find online and throw onto an account to make them look like whoever they want.

At any rate, the woman didn’t suspect that a crook was contacting her. Rather, she thought that the star had a nice, personal touch:

I thought ‘Oh, that’s nice of him, talking to his fans’. I might have been star-struck then, I don’t know.

Read more at https://nakedsecurity.sophos.com/2019/04/30/man-posing-as-hollywood-superstar-scams-woman-out-of-a-fortune/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation