Latest News

As if it wasn’t bad enough that they had been storing millions of users’ passwords in plaintext, with over 2000 internal employees having access to them, Facebook have made another whoopsie.

It has been revealed that Facebook are using pretty much the worst user verification available, adding yet more security risk for their users. When you sign up with a non-standard email address, for example one that is not a Gmail or Hotmail address, and the circumstances seem a little suspicious, such as signing up over a VPN, Facebook tries to verify that you are legitimate by asking for your email password.

This was discovered by Twitter user @originalesushi, who said, “Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know!”

We couldn’t agree more. You definitely wouldn’t find this in any other company’s best practice handbooks. Perhaps they read from the worst practice handbook by mistake!

Of course, Facebook came out with their shields up, stating that it was possible to bypass this by clicking the “need help?” button and selecting a different method, although that is not at all clear on the login form. They also said that the password is not stored on any Facebook servers and is “automatically verified” instead. However, they did agree that it is not the best method of verification and have removed it as an option completely, which leads us to think that maybe they weren’t so confident it was 100% above board.

Just to confirm, best practice is to never give your email password to anyone, for any reason. Requests for it are normally phishing attempts to gain access to your accounts. Of course, we wouldn’t insinuate that Facebook are trying to get hold of more data than they need, but it is yet another dubious practice, and users’ faith in the company has been dwindling enough recently already. Surely it must be time to eradicate these security issues once and for all to make a point!

EDIT:

It’s hard to keep up with Facebook’s woes! Yet more news has come out before I even managed to get this one up.

Over 540 million users’ records have been discovered on unprotected Amazon cloud servers. This includes 146GB of data collected by a third-party developer from Mexico called Cultura Colectiva. Amongst the details collected are comments, likes, reactions, names, user IDs and more.

A second dataset contained records on far fewer people, around 22,000, but actually contained email addresses and passwords for their linked accounts on an app called “At the Pool”, which may well match their Facebook passwords, as around 70% of internet users reuse the same passwords across many accounts.

It is worth noting that Facebook have tightened control over what third-party developers have access to, but it seems to be a little too late for many users, as their details are already out there and spread across the web.

An arrest has been made at Trump’s Mar-a-Lago resort in Florida in a suspected cyber-security attack on the President.

Yujing Zhang, a Chinese woman, tried to talk her way into Mar-a-Lago and got surprisingly far before being detained. Claiming that her father was a member at the club, she managed to get past club security, a secret service checkpoint and three secret service agents by feigning a language barrier and claiming not to know where she needed to go.

After a golf-cart valet dropped her off at the main reception area, Zhang started to change her tune. The receptionist asked several times why she was visiting the club, eventually determining that she was not on the club’s access list when Zhang claimed that she was there for an event centered around Chinese-American foreign relations. An event that did not exist.

Zhang was escorted off the premises by security and was then questioned further. At this point it was discovered that she had two different passports and several electronic devices, including a USB hard drive that was found to be infected with malware.

During the questioning she claimed, in fluent English by this point, that she was told by a man called “Charles” to travel from Shanghai to the Palm Beach resort for the United Nations event. She also claims that she was told that she would be speaking to a member of Trump’s family to discuss the economic relationship between China and the United States, which, to be fair, doesn’t sound completely unbelievable with the current administration. Well, if the event had existed of course.

Seeing as Trump has spent nearly 3 months at the resort during his presidency and has used it for official political events several times already, we can (relatively) safely assume that Trump was the target. We do not know whether this would have been through the malware disrupting services used by Trump, snooping on private conversations, or a multitude of other things. Perhaps it was ransomware intended to hold the president’s data to ransom, similar to the recent attack on Norsk Hydro, which has currently racked up in excess of $40,000,000 in losses?

It is currently unknown what Zhang’s exact motives were, but it will be interesting to see if we find out any more about the plans for the malware-ridden hard drive at her hearing, which is scheduled for April 8th.

Surprise, surprise, Facebook are at the centre of yet another security fiasco. Someone needs to give their security team a poke and tell them to start following best practices! Is poking even still a thing on Facebook?

I just Googled it and it’s still a thing, but it was made a little less obvious nearly 8 years ago now. However redundant poking is, it seems Facebook aren’t doing too well at hiding their peeking. Back in January they were caught snooping on users’ private conversations on Messenger… again. Of course, it goes without mentioning the debacle with Cambridge Analytica too.

Even more recently, however, it seems their security hasn’t improved all that much, with the report that they had mistakenly stored hundreds of millions of users’ passwords in plaintext. In other words, the passwords were readable exactly as stored, with no hashing or encryption protecting them.

To make it even worse, this wasn’t just on Facebook, but also on Instagram. Obviously this list isn’t available anywhere publicly, but there are several internal engineers at Facebook that would have had access to this database through the servers.

The error was discovered in January during routine security checks and they then performed an internal investigation to find out if any employees abused their access to this data. They found no evidence to suggest that this was the case, but of course there is no way to know for sure that your password hasn’t been compromised.

In a statement from Facebook’s Vice President of Engineering, Pedro Canahuati, he said, "To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them."

Exact numbers have not been confirmed, nor how to know if you have been affected, but as always in cases like this, it’s probably best to change your password again. Better to be safe than sorry!

World Backup Day?

That's right, it may be Mother's Day this Sunday in the UK (Quick, grab a card!), but the rest of the world are celebrating World Backup Day! The day to remind everyone how important it is to back up their data, be it your friends, families, colleagues, customers or whoever!


What is backup?

A backup is a copy (or several copies) of your important files, stored in different places to keep them safe just in case anything happens to the originals. Better to be safe than sorry!


But why bother?

Why bother backing up your data? Quite simply, there are so many ways data can be lost you are likely to experience many of them throughout your working life. For example, you may accidentally delete your files, be it from saving over them, updating them or even a slip of the finger! On top of that you have viruses, malware, hardware failure, power failure and in some environments fires/explosions or even natural disasters like floods and earthquakes.

There are so many things that could go wrong so instead of “Why bother?” you should be asking, “Why risk it?”


How risky is it to not back up data?

The amount of risk varies from company to company, factoring in company size, volume of data, industry, etc. but a certain amount of risk is real for everyone. These 21 cybersecurity statistics should give you a good idea on how much risk is involved.

[Infographic: World Backup Day]

Norsk Hydro, the £10 billion/year power and manufacturing giant headquartered in Oslo have been hit with ransomware, causing a shutdown of its global IT network.

This has led to their plants around the world halting production or switching to manual systems, greatly slowing them down. The ransomware is malware known as LockerGoga, a relatively new ransomware that was used in a similar attack on Altran Technologies earlier this year.

LockerGoga changes user passwords on infected systems and also tries to force users to log off. Once the user has been locked out, the malware relocates to a temp folder and changes its name using the command line.

It then starts encrypting files, whether on servers or on the machine itself. Every time it encrypts a file it modifies a registry key (HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session00{01-20}).

After LockerGoga finishes encrypting all the files it leaves a text file, in a folder on the desktop, containing a ransom note that says the following:

[Screenshot: LockerGoga ransom note]

Cleverly, LockerGoga attempts to disable network adapters too, cutting the computer off from the network and making it harder for security systems to pick it up. It also has routines to avoid virtual machines and sandboxes, both of which can be used to alert users and help contain the threat posed by malware. One example is that in some instances the malware can lie dormant for 100 boot-ups before activating.
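The three behaviours described above (password changes, network adapters being disabled, and a burst of writes to the RestartManager session keys during encryption) are exactly the kind of thing a defender can look for in endpoint telemetry. The script below is an added example written for this post, not code from Norsk Hydro, LockerGoga analysts or any security product. It assumes a hypothetical pipe-separated log format (timestamp, process image, event type, detail) and the event names RegistryValueSet, AccountPasswordChanged and NetworkAdapterDisabled; the sample events and the process name renamed_payload.exe are constructed. The important caveat it encodes: RestartManager session keys are written by legitimate installers too, so a single write means nothing; a burst of writes from one process, or two different indicators from the same process, is what earns an alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example (not any product's real format):
#   <ISO timestamp>|<process image path>|<event type>|<detail>
# Event types used: RegistryValueSet, AccountPasswordChanged, NetworkAdapterDisabled

# The RestartManager session keys named in the post: Session0001 .. Session0020.
SESSION_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session00(0[1-9]|1[0-9]|20)$",
    re.IGNORECASE,
)

# Constructed process name: a renamed binary sitting in a temp folder, as the post describes.
SUSPECT = "C:\\Users\\alice\\AppData\\Local\\Temp\\renamed_payload.exe"


def constructed_sample():
    """Constructed sample events: a legitimate installer, a user changing their own
    password, and one temp-folder binary showing all three behaviours at once."""
    lines = [
        "2019-03-19T02:58:00|C:\\Windows\\System32\\msiexec.exe|RegistryValueSet|"
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session0001",
        "2019-03-19T02:58:01|C:\\Windows\\System32\\msiexec.exe|RegistryValueSet|"
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session0002",
        "2019-03-19T03:00:00|C:\\Windows\\explorer.exe|AccountPasswordChanged|bob",
        f"2019-03-19T03:05:00|{SUSPECT}|AccountPasswordChanged|alice",
        f"2019-03-19T03:05:03|{SUSPECT}|NetworkAdapterDisabled|Ethernet0",
    ]
    for i in range(1, 13):  # twelve session-key writes inside one minute
        lines.append(
            f"2019-03-19T03:05:{10 + i:02d}|{SUSPECT}|RegistryValueSet|"
            f"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session{i:04d}"
        )
    return lines


def parse_line(line):
    ts, image, event, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "image": image, "event": event, "detail": detail}


def burst_count(timestamps, window):
    """Largest number of timestamps that fall inside any single interval of length `window`."""
    ordered = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ordered):
        while t - ordered[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, burst_threshold=10, window=timedelta(minutes=5)):
    """Return one finding per process whose behaviour matches the post's description."""
    per_process = defaultdict(lambda: {"writes": [], "password_changes": 0, "adapter_disables": 0})
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        p = per_process[e["image"]]
        if e["event"] == "RegistryValueSet" and SESSION_KEY.match(e["detail"]):
            p["writes"].append(e["ts"])
        elif e["event"] == "AccountPasswordChanged":
            p["password_changes"] += 1
        elif e["event"] == "NetworkAdapterDisabled":
            p["adapter_disables"] += 1

    findings = []
    for image, p in per_process.items():
        burst = burst_count(p["writes"], window)
        indicators = []
        if burst >= burst_threshold:
            indicators.append(f"{burst} RestartManager session-key writes within {window}")
        if p["password_changes"]:
            indicators.append(f"{p['password_changes']} account password change(s)")
        if p["adapter_disables"]:
            indicators.append(f"{p['adapter_disables']} network adapter(s) disabled")
        # One indicator alone is routine (installers use RestartManager; users change
        # passwords). Flag a session-key burst outright, or any two indicators together.
        if burst >= burst_threshold or len(indicators) >= 2:
            findings.append({"image": image, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in analyse(constructed_sample()):
        print(finding["image"])
        for indicator in finding["indicators"]:
            print("   -", indicator)
```

On the constructed sample the installer (two session writes) and the user changing their own password are left alone, and only the temp-folder binary is reported, with all three indicators. The burst threshold and window are deliberately parameters: tune them against your own installers' normal behaviour before relying on the rule.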

How much is this costing Norsk Hydro?

This cyber attack is likely costing Norsk Hydro a great deal. There is no question of actually paying the ransom though. For starters, why would you trust someone that has attacked your systems to keep their word and decrypt your files?

You may also think that their stock value would decrease as a result of the attack, but due to their response so far, their stock price has actually gone up since the attack. They have been very open about what has happened and have even hosted two webinars to discuss it and take questions from staff. This, coupled with their efforts to fight the cyber attack, including flying in security experts from Microsoft and their cooperation with the government’s cybersecurity law enforcement, has led to a relatively positive perception of events. Especially considering their new CEO had only been in place for one day when the planned attack hit.

The costs will actually come from the amount of downtime they have as a result of the attack. To reduce the impact, their focus should be on having a very short RTO (recovery time objective: how long it takes to get systems back) and RPO (recovery point objective: how much data, measured in time, they can afford to lose). To help with this, their data backups should be as close to real time as they can realistically afford. This gives them the highest availability for data restoration. If they used replication with Veeam, for example, they could have access to all of their data within minutes, and then all they would have to do is wipe the infected machines and restore the data. It would probably take longer to find when the malware got into the system than it would to restore the data!

Phil Neray, veep of industrial cybersecurity at factory and industry specialist CyberX, has stated, "These attacks are especially serious for metal or chemical manufacturers because of the risk of serious safety and environmental incidents, and the bottom-line impact from spoilage of in-process materials and clean-up costs."

With attacks like this becoming more frequent, especially for manufacturers, power companies and companies that use chemicals in their processes, it is absolutely vital to decrease their downtime and the amount of data that they would lose in the event of an attack.

MySpace says, "Hi, space!" after clearing off more than 50 million songs from 14 million artists in server migration failings.

Not only that, but all your cringey photos, videos and quotes of emotional song lyrics are gone too! Well, if you uploaded them between the launch of MySpace in 2003 and their server migrations in 2015, that is. If you posted those photos from the hen night and Katy Perry quotes in the past few years you can sleep easy; they'll still be there in the morning, unless Myspace decide to do another server migration and delete everything again.

For those that may not remember, seeing as MySpace hasn't been at the forefront of anyone's thoughts for at least 10 years, MySpace is/was a social media platform where you could customise your profile to show the world what you were about. Some people used it for networking, keeping up with their friends and following celebrity pages, but one of the main attractions was for musicians to try and get their names out there, leading to a huge amount of pictures and songs getting uploaded on a daily basis.

Surely you can recover all of those old songs and photos of your youth though, right? There's no way a company holding on to the cherished memories of happier times would risk losing the data without a backup, right? Right? Well, of course they would. You wouldn't be reading this blog post if they had cared enough.

What could they have done to avoid this? Backup backup backup! Three times, at least. It has been said that "data doesn't exist unless it is backed up 3 times."

I mean, that's obviously not true, but your data certainly isn't as safe as it could be without the backup rule of three, otherwise known as 3-2-1 backup: at least 3 copies of your data, 2 of which should be backups on different types of storage locally, and at least 1 backup offsite.
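Both rules in this post, the 3-2-1 rule above and the RTO/RPO point from the Norsk Hydro story, can be checked mechanically against a backup inventory. The script below is an added example written for this post, not MySpace's, Veeam's or VSL's code. The Copy record, its field names and the two inventories are constructed for illustration; the 3-2-1 check implements the rule exactly as the post states it (at least 3 copies, at least 2 storage media, at least 1 backup offsite), and the RPO check compares the age of the newest completed backup with a target. RTO is not checked because it can only be measured by timing a real restore, which an inventory cannot tell you.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed reference time for the sample inventories below.
NOW = datetime(2019, 3, 19, 12, 0, 0)


@dataclass
class Copy:
    """One copy of a dataset. Field names are this example's own invention."""
    name: str
    media: str                      # storage type, e.g. "disk", "tape", "object-storage"
    offsite: bool                   # held at a different site from production
    is_backup: bool                 # False for the live production copy itself
    completed: Optional[datetime]   # when the copy was last verified complete


def check_3_2_1(copies: List[Copy]) -> List[str]:
    """Return the ways an inventory falls short of the 3-2-1 rule as the post states it."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copy/copies, rule needs at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'}), rule needs 2")
    if not any(c.offsite and c.is_backup for c in copies):
        problems.append("no offsite backup copy")
    return problems


def check_rpo(copies: List[Copy], now: datetime, rpo_target: timedelta):
    """Compare the age of the newest completed backup with the RPO target.
    Returns (actual_age_or_None, problems)."""
    completed = [c.completed for c in copies if c.is_backup and c.completed is not None]
    if not completed:
        return None, ["no completed backup exists, so any loss of production is total"]
    actual = now - max(completed)
    problems = []
    if actual > rpo_target:
        problems.append(f"newest backup is {actual} old, exceeding the RPO target of {rpo_target}")
    return actual, problems


def evaluate(copies: List[Copy], now: datetime = NOW, rpo_target: timedelta = timedelta(hours=4)) -> List[str]:
    """Full report: 3-2-1 problems plus RPO problems; an empty list means compliant."""
    return check_3_2_1(copies) + check_rpo(copies, now, rpo_target)[1]


# Constructed inventories.
# A single live copy with nothing behind it, the situation the post describes.
PRODUCTION_ONLY = [Copy("production", "disk", False, False, None)]

# Production plus two local backups on different media and one offsite copy.
COMPLIANT = [
    Copy("production", "disk", False, False, None),
    Copy("local-disk-backup", "disk", False, True, NOW - timedelta(hours=1)),
    Copy("local-tape", "tape", False, True, NOW - timedelta(hours=26)),
    Copy("cloud-copy", "object-storage", True, True, NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for label, inventory in (("production only", PRODUCTION_ONLY), ("3-2-1 inventory", COMPLIANT)):
        problems = evaluate(inventory)
        print(f"{label}: {'compliant' if not problems else ''}")
        for problem in problems:
            print("   -", problem)
```

Run it and the production-only inventory fails every check, while the four-copy inventory passes 3-2-1 and a four-hour RPO; tighten the target to thirty minutes and the same inventory is reported as falling short, which is the conversation about cost versus data loss that the Norsk Hydro section is pointing at.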

Granted, the sheer volume of data that MySpace held could have made the process fairly expensive, but this could ultimately be the downfall of the social media giant that has been gradually hemorrhaging visitors and downsizing over the past 10 years. Will MySpace survive this PR hit? Only time will tell!

MySpace have given a couple of statements on this matter. Initially they commented that the lack of access was a technical issue that they were working on. After a few months they altered their response to: "As a result of a server migration project, any photos, videos, and audio files you uploaded more than three years ago may no longer be available on or from Myspace. We apologize for the inconvenience and suggest that you retain your back up copies."

That last line reads more like, "Don't trust us to look after your data, back it up yourself." which is kind of fair enough, seeing as they aren't a backup service. Also, it isn't bad advice, although I wouldn't recommend pushing blame onto users for not having data backed up. It's still MySpace's server migration and lack of backup that failed them and it will be hard to bring back trust in the service.

In any case, they have since changed up the message and simply say, "Due to a server migration, files were corrupted and unable to be transferred over to our updated site. There is no way to recover the lost data."

Even a cursory glance towards Twitter and Reddit threads will show you how devastated some users are at this loss, despite most people not even realising everything has been missing for quite a long time now. I imagine it's like the feeling you would get if you lost family photo albums. Sure, you might not look at them every day. Maybe you only think about them every couple of years, but it would be a big blow to know you could never see them again.

This whole debacle highlights two main things for us. One, for users, don't just back up to the cloud. If the service is down or they lose your files, you are at their mercy. Two, for businesses, BACK UP YOUR DATA!


About Us

VSL Net is a division of Lane Telecommunications Inc. VSL are an experienced, ISO 9001 accredited cloud services provider offering innovative backup and email business solutions, supported by traditional service, to a loyal direct customer base and a large reseller channel.

VSL Net is an ISO9001 accredited company. Since our certification in 2013 the standard has provided the tools and guidance for us to implement a structure which has enhanced our quality management. Through continual monitoring across all operations and measurement against predefined standards, we consistently exceeded our published service level agreements.

The primary recipients of this consistency have been our customers, who have come to expect and enjoy the high standards we set ourselves and are not surprised when we exceed their expectations.
