One was not sure about the reason behind the outage, and with cyberattacks being the order of the day, there was high speculation of a possible cyberattack responsible for disrupting the services.

Competing platforms like Twitter, Snapchat, Telegram witnessed a traffic surge with people seeking clarification, poking fun, and sharing updates on the outage.

Facebook itself had to resort to tweeting to reach out to its user base and update on the unavailability of the service.

We’re aware that some people are having trouble accessing our apps and products. We’re working to get things back to normal as quickly as possible, and we apologize for any inconvenience.

— Facebook (@Facebook) October 4, 2021

The Technical Fallout

Facebook soon came up with an apology and an update on the technical reason behind the outage. The company said the problem was due to faulty configuration changes made to Facebook routers. These are the routers that coordinate the network traffic between their data centers. The routers could not communicate and hence caused the services to halt. In technical terms, this concerns the Border Gateway Protocol (BGP).

What is BGP?

Border Gateway Protocol is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rulesets configured by a network administrator.

In plain English, BGP routes information between networks across the Internet. BGP interconnects various networks and facilitates communication between networks and the rest of the Internet.

Santosh Janardhan, VP Infrastructure, Facebook, shared on his page, “Our services are now back online and we’re actively working to fully return them to regular operations. We want to make clear that there was no malicious activity behind this outage — its root cause was a faulty configuration change on our end. We also have no evidence that user data was compromised as a result of this downtime.

We’ve been working as hard as we can to restore access, and our systems are now back up and running. The underlying cause of this outage also impacted many of the internal tools and systems we use in our day-to-day operations, complicating our attempts to quickly diagnose and resolve the problem.”

Industry experts and sources are voicing it as a DNS issue where BGP routes (or maps) have vanished.

Cloudflare, an American web infrastructure and website security company, in its blog described it as a BGP problem.

From trusted source: Person on FB recovery effort said the outage was from a routine BGP update gone wrong. But the update blocked remote users from reverting changes, and people with physical access didn’t have network/logical access. So blocked at both ends from reversing it.

— briankrebs (@briankrebs) October 4, 2021

In the most recent update, Facebook attributed the problem to an internal command error.

“During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally. Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command,” Facebook shared.

There has been an internal and an external view of the reason behind the outage and this instance leads to numerous other issues related to security and vulnerability.

Per Forrester Senior Analyst, Alla Valente, Security & Risk (Risk Management), “In Facebook’s quest to integrate its products and underlying technical infrastructure into a single platform is the concentration risk it creates for the company, where a single risk event that produces a cascading effect – in this case, the inability of their machines to talk to one another brought the company to a standstill. Concentration risk is one of the top systemic risks for 2021 that Forrester identified early this year. And Facebook’s size, market share, and ubiquity make it a system into itself. If the company doesn’t get better at managing its risks across the organization, it stands to lose its tight hold it’s been struggling for years to maintain.”

The post Facebook Outage – Was it a BGP hijack? appeared first on CISO MAG | Cyber Security Magazine.

Surprisingly, TikTok, which has been banned by India and came under severe criticism of the former U.S. President Donald Trump, shares only 36% of data with third parties and ranks 12^th on the list.

 Key Highlights 

• 52% of all the apps share your data with third parties.
• Instagram shares 79% of your data including browsing history and personal information with others online.
• When it comes to collecting your data, social media platforms are the worst offenders. On average 80% of apps use your data to market their products in their respective apps.
• Netflix, Signal, Microsoft Teams, Skype, and Clubhouse top the list of safest to use apps.

Instagram: The Most Invasive App?

Did all these numbers break your heart? Well, if not, then be prepared for one more strike of lightning. A study by cloud storage platform, pCloud, has dubbed Instagram as the most invasive app. Instagram shares this title with its parent company Facebook since both use 86% of its users’ data to sell more of their products and serve relevant ads to them on behalf of their clients.

Also, when it comes to the percentage of data shared with third parties and used to target users for marketing purposes, Instagram again takes the first spot here with 62%.

Mirror-Mirror on the Wall, Who is the Safest of them All?

pCloud’s study was mainly based on the new Apple privacy labels that are featured in the App Store and aimed at finding how and where users’ private data is being gathered and used. In doing so, the company also found the safest apps which collect the least data from users and/or share or use it for marketing purposes.

Statistics revealed that privacy-centric messaging apps like Signal and Telegram, video conferencing and calling platforms like Zoom, Skype, and Microsoft Teams as well as streaming giant Netflix top the list of the safest to use apps. Clubhouse, Google Classroom, Shazam, Etsy, BooHoo, Amtrak, Shop, and IRS2Go are the list of other apps that do not share any data with third parties.

Related News:

WhatsApp vs Signal vs Telegram: Which is More Viable and Secure?

Data Scraped from Instagram, TikTok and YouTube Exposes 235 Mn Social Media Profiles

The post Wait! Read This Before You Post a Story on Instagram appeared first on CISO MAG | Cyber Security Magazine.

Possible Links to Chinese Hackers

According to an investigation from ProofPoint, CopperStealer operates similar to SilentFade malware, which is linked to Chinese hackers that targeted Facebook’s ad platform between late 2018 and February 2019.  “Proofpoint believes CopperStealer to be a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos,” Proofpoint said.

How CopperStealer Spreads

It was found that threat actors behind the CopperStealer malware campaign are leveraging compromised accounts to run malicious ads and deliver additional malware on targeted sources.

The researchers identified certain suspicious websites, advertised as KeyGen, Crack, keygenninja, piratewares, startcrack, and crackheap, which hosted CopperStealer malware samples. All these sites have advertised themselves as software crack services to evade licensing restrictions and ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run malicious exploits to install additional malware payloads.

Proofpoint’s researchers stated that CopperStealer malware can find and send saved browser passwords. The multiple browsers searched by malware operators to get Facebook saved credentials are:

• Chrome
• Edge
• Yandex
• Opera
• Firefox

Once downloaded, CopperStealer sends the exfiltrated data to the C2 server via a POST request to several targeted URIs. The exfiltrated data is then stored in the info key and is encrypted in the C2 Traffic encryption section.

“In addition to the saved browser passwords, the malware uses stored cookies to retrieve a User Access Token from Facebook.  Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to,” Proofpoint explained.

Malware Analysis

The CopperStealer malware used various basic anti-analysis techniques to avoid running within researcher systems. These include:

• IsDebuggerPresent() check
• GetSystemDefaultLCID() == 0x804 (Chinese (Simplified, PRC)   zh-CN) check
• Window/class enumeration looking for common analysis tools:
• TCPViewClass
• TStdHttpAnalyzerForm
• HTTP Debugger
• Telerik Fiddler
• ASExplorer
• Charles
• Burp Suite
• Device enumeration looking for indicators of virtualization
• VMware
• virtual
• vbox

“While CopperStealer isn’t the most nefarious credential/account stealer in existence, it goes to show that even with basic capabilities, the overall impact can be large.  Findings from this investigation point towards CopperStealer being another piece of this ever-changing ecosystem. CopperStealer’s active development and use of DGA based C2 servers demonstrate operational maturity as well as redundancy,” Proofpoint added.

The post New Chinese Malware “CopperStealer” Thieving Credentials Saved by Browsers appeared first on CISO MAG | Cyber Security Magazine.

According to the researchers from Safety Detectives, an unsecured ElasticSearch database leaked the personal data of over 214 million social media users, globally, including celebrities and social media influencers. The database was left online without password protection, allowing anyone in possession of the server IP-address to access it.

The researchers found that the exposed data was illegally scraped from various social media profiles on Facebook, Instagram, and LinkedIn.

What Data are Exposed?

While the researchers found 318 million records in the exposed 408GB data dump, the exact number of affected users remains unknown. The leaked database contains:

• More than 11 million Instagram user profiles, including names, phone numbers, usernames, profile pictures, email addresses, average comment count, number of followers and following count; country of location, frequently used hashtags, and locations
• Nearly 82 million Facebook profiles including full names, contact details, email addresses, Messenger IDs, Like, Follow and Rating count; Facebook link with profile pictures, website link, profile description, and pictures
• Around 66 million LinkedIn user profiles containing full names, email addresses, employment details, job profile including job title and seniority level, LinkedIn profile link, user tags, domain name, connected social media account login names, company name, and revenue margin

What’s the Impact?

Cybercriminals often exploit scraped or leaked content for various malicious operations.  “In some cases, scraped data can be weaponized to carry out a specific goal of extracting personal information for criminal purposes. Potential ramifications of exposing personal information include identity theft and financial fraud conducted across other platforms including online banking. Contact information can be harnessed to target people with targeted scams including sending personalized emails containing other personal information about the target, thereby gaining their trust, and setting the stage for a deeper intrusion into their privacy,” Safety Detectives said.

What is Data Scraping?

Data scraping is extracting users’ private information from a website or social media platform without their knowledge, which is against the data privacy policy.

The post Unprotected Server Exposes Scraped Data of 214 Mn Social Media Users appeared first on CISO MAG | Cyber Security Magazine.

Microsoft’s Rise to the Top

In the Q3 2020 report, the tech giant rose from the fifth place (relating to 7% of all global brand phishing attempts) to become the table topper (with 19% in the overall share). The researchers at Check Point are attributing this sudden rise to the continued growth of the remote workforce in the ongoing pandemic.

Complete the Endpoint Security Survey and win lots of amazing goodies!

Take the Survey Now!!!

Threat actors are taking advantage of the mass migration to a remote workforce. They are targeting employees with fake emails asking them to reset their Microsoft Office 365 credentials.

Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point said, “In this past quarter, we saw the highest increase in email phishing attacks of all platforms compared to Q2, with Microsoft being the most impersonated brand. This has been driven by threat actors taking advantage of the mass migration to remote working forced by the Covid-19 pandemic, to target employees with fake emails asking them to reset their Microsoft Office 365 credentials. As always, we encourage users to be cautious when divulging personal data and credentials to business applications, and to think twice before opening email attachments or links, especially emails that claim to be from companies, such as Microsoft or Google, who are most likely to be impersonated.”

As per Check Point researchers, Microsoft phishing email aims at stealing credentials. During mid-August, they witnessed a malicious phishing email trying to steal credentials of Microsoft accounts. The attacker was trying to lure the victim into clicking on a malicious link, which redirects the user to a fraudulent Microsoft login page.

Another surprise entry to this list was the first-time entrant for 2020, DHL. It has made it to the top 10 rankings, taking the second spot with 9% of all phishing attempts related to the company. The list of the top phishing brands in Q3 2020, based on their overall appearance in brand phishing attempts, includes:

1. Microsoft (related to 19% of all brand phishing attempts globally)
2. DHL (9%)
3. Google (9%)
4. PayPal (6%)
5. Netflix (6%)
6. Facebook (5%)
7. Apple (5%)
8. WhatsApp (5%)
9. Amazon (4%)
10. Instagram (4%)

Other Findings

In other findings from the research, the most likely industry to be targeted by brand phishing is technology, with banking and social network following closely. It illustrates a broad spread of some of the best-known and most-used consumer sectors, particularly during the COVID-19 pandemic, wherein individuals are grappling with remote working technology, potential changes to finances, and increased use of social media.

Top phishing brands by platform

During Q3 2020, email phishing was the most prominent type of brand phishing platform, accounting for 44% of the attacks, followed by web and mobile phishing. The top phishing brands exploited by email, web, and mobile phishing attacks are displayed below in ascending order.

Email (44% of all phishing attacks during Q3)

1. Microsoft
2. DHL
3. Apple

Web (43% of all phishing attacks during Q3)

1. Microsoft
2. Google
3. PayPal

Mobile (12% of all phishing attacks during Q3)

1. WhatsApp
2. PayPal
3. Facebook

The post Microsoft Tops the Chart for Being Most Imitated Brand for Phishing Attacks appeared first on CISO MAG | Cyber Security Magazine.

How Does the “Rights Manager” Work

To access the “Rights Manager” tool, Facebook Page admins first need to apply for the content they’ve created and want to protect. Rights Manager will find matching content on Facebook and Instagram.

1. Upload a CSV file to Facebook’s Rights Manager that contains all the image’s metadata. Adjust settings to match things like ownership applicable worldwide or only in certain locations and so on.
2. Once you hit “Apply for Rights Manager” the internal algorithm verifies the metadata and matches the image.
3. Once the process is complete it then displays the image and pages where it is showing up.

What if two parties claim ownership?

If another person claims ownership of the same image, then the two parties can dispute the claim. However, if no settlement is agreed upon, Facebook will eventually bestow it to the one who filed first. This decision can again be appealed in Facebook’s IP reporting forms.

Copyright and ownership of content has been a prolonged issue especially on social media platforms where sharing and posting is just two-clicks away. However, Facebook acknowledges the fact that quality content creation is a cumbersome task and thus, it is clearly the intellectual property of its creator. It believes that upending such solutions will put content creators in charge of their content and help clear the clutter of aggregated content (image) sharing and publishing, which at times robs them of their ownership, attribution, and credit.

The post Are You a Content Creator? Facebook’s New “Rights Manager” is for You! appeared first on CISO MAG | Cyber Security Magazine.

Information Exposed

Diachenko found three identical copies of the scraped data from social media pages, which were hosted at three separate IPv6 addresses. The datasets include:

• 96,714,241 records scraped from Instagram
• 95,678,713 records scraped from Instagram
• 42,129,799 records scraped from TikTok
• 3,955,892 records scraped from YouTube

The records contain personal information like profile name, full real name, profile photo, account description, whether the profile belongs to a business or has advertisements. It also includes statistics about follower engagement, including number of followers, engagement rate, follower growth rate, audience gender, audience age, audience location, likes, last post timestamp, age, and gender.

The misconfigured database is said to have come from now-defunct company called Deep Social, however the database is presently owned by a company named Social Data. Social Data acknowledged the exposure but has denied any connection with Deep Social.

“Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later,” Comparitech stated in its report.

Fate of the Exposed Data

Attackers could take advantage of the exposed data to launch credential stuffing attacks. “The information stored in this database is vulnerable to spam marketing and phishing campaigns. Users of Instagram and TikTok should be on the lookout for scams and phishing messages either sent directly or posted in comments. Even though the information is publicly available, the size and scope of an aggregated database makes it more vulnerable to mass attacks than it would be in isolation,” Comparitech added in its report.

While the unsecured database was discovered on August 1, 2020, the Comparitech researchers stated that they do not know how long the data was exposed before the disclosure, and it is unclear whether any unauthorized party accessed it or not.

The post Data Scraped from Instagram, TikTok and YouTube Exposes 235 Mn Social Media Profiles appeared first on CISO MAG | Cyber Security Magazine.

“Some of our corporate social accounts were briefly hacked but we have secured and restored access,” Facebook said in a media statement.

OurMine hacking group claimed that they attacked Facebook to expose potential vulnerabilities in the system. The group posted a statement on Facebook’s official Twitter account stating, “Hi, we are OurMine. Well, even Facebook is hackable but at least their security is better than Twitter.”

Twitter confirmed that the intrusion occurred through a third-party. The microblogging site stated, “As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners at Facebook to restore them.”

OurMine’s High-Profile Targets

Based out in Dubai, OurMine is an infamous cybercriminal group that attacked multiple social media accounts of high-profile individuals and enterprises in the past.

Recently, OurMine hacked 15 Twitter accounts of the U.S. National Football League (NFL) teams including NFL’s handle and posted a message, “Hi, we’re back. We are here to show people that everything is hackable.”

The details of the account hijacking remained unclear, however, most of the tweets posted by the OurMine operators on the hijacked accounts came from Khoros. It is a web-based third-party application used by the organization’s digital marketing and public relations departments to manage their social media accounts and gain useful insights into public engagements across different platforms.

In 2017, OurMine operators hacked Twitter handles of Futbol Club Barcelona and Real Madrid Club de Futbol. The hackers sent out tweets from Real Madrid Club de Futbol’s Twitter account in English and Spanish, which announced the joining of major rival player Lionel Messi. They also posted video footage from an earlier match, which showed Messi scoring for Barcelona against Real Madrid. The tweets were visible for almost 90 minutes on the football club’s handle but were later removed. The welcoming post of Messi had grabbed the attention of the fans by then, as the tweet received almost 2,800 likes and 3,100 retweets.

The post OurMine Group Hacks Facebook’s Official Twitter and Instagram Accounts appeared first on CISO MAG | Cyber Security Magazine.

Security experts have observed that Android app makers have not patched the old security flaws, many of which even dates back to 2014. According to Check Point Software Technologies, most of these vulnerabilities exist in popular Android apps on the Google Play Store, including Facebook, WeChat, Facebook Messenger, Instagram, and Yahoo.

Source of Security Flaws

The researchers stated that app developers manage to copy code from vast code libraries while developing an application. Here, security bugs which existed in these code libraries get carried over to new Android apps.

“A popular mobile app typically uses dozens of reusable components written in a low-level language such as C. These components, called native libraries, are often derived from open-source projects, or incorporate fragments of code from open-source projects. When a vulnerability is found and fixed in an open-source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries. This is how an app may keep using the outdated version of the code even years after the vulnerability is discovered,” Check Point said in a statement.

“It may be overstating matters a bit to declare such an app vulnerable, as its flow may never reach the affected library code, but it certainly warrants an in-depth investigation by the app maintainers,” the statement added.

Check Point opined that while mobile app stores and security researchers scan applications for malware, they often give less attention to long-known critical flaws.

In its similar research, Check Point discovered that more than half of modern Android smartphones, including models by Sony, LG, Samsung, and Huawei are vulnerable to a text-based phishing attack.

Malicious actors are using fake phone provisioning messages to trick Android phone users into accepting new settings that provide access to attackers. The researchers stated that the phishing attack is performed through a process called over-the-air (OTA) provisioning, according to Check Point.

Check Point detailed the attack process as OMA CP (Open Mobile Alliance Client Provisioning) instructions, which is a special SMS sent by a mobile operator to new devices for network connection. Attackers sending fake OMA CP messages to users, which allow them to allegedly access the victim’s email and web traffic.

The post Previous Security Vulnerabilities Still Exist in New Android Applications appeared first on CISO MAG | Cyber Security Magazine.

The researcher said that he found the vulnerability while investigating how the account recovery process of the photo-sharing application allows the user to regain access to your account when you’ve forgotten the password.

According to Muthiyah, the Instagram server uses device ID as a unique identifier to validate password reset codes. “When a user requests a passcode using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the passcode,” Muthiyah said in a statement.

The researcher found that the same device ID can be used to request passcodes for multiple Instagram accounts of different users, allowing an attacker to breach multiple accounts with a single device ID.

“There are one million probabilities for a 6-digit passcode (000001 to 999999). When we request passcodes of multiple users, we are increasing the probability of hacking accounts. For example, if you request passcodes of a hundred thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID.  If we request passcodes for one million users, we would be able to hack all the one million accounts easily by incrementing the passcodes, one by one. Therefore, an attacker should request codes of one million users to complete the attack with a 100 percent success rate. We should also note the 10 minutes expiry of the code, so the entire attack should happen within 10 minutes,” Muthiyah explained.

Recently, an unprotected server containing personal information of millions of Instagram influencers, celebrities, and brand accounts was found online without password protection. According to security researcher Anurag Sen who discovered the leak, the database had over 49 million records exposed online, allowing anyone to access it. The exposed data included users’ biodata, profile picture, the number of followers they have, their location by city and country, and contact information like the Instagram account owner’s email address and phone number.

Anurag stated the leaky database belongs to a social media marketing firm Chtrbox, which is based in Indian state Mumbai. The database was taken offline and called for an investigation on the incident, Chtrbox stated.

The post Indian Security Researcher exposes a flaw in Instagram, wins $10,000 bug bounty appeared first on CISO MAG | Cyber Security Magazine.