The security firm that disclosed a security hole in a Facebook feature that allows users to download their own data file says the social network giant still has questions to answer about the extent of the data breach. Writing on their blog, researchers at Packet Storm Security said that Facebook has underestimated the extent of the breach, which affected around six million users of the social networking site and an unknown number of non-Facebook users. Packet Storm says that Facebook’s analysis of the breach failed to account for ways in which it could be exploited, in an iterative fashion, to glean information on Facebook users beyond the individual pieces of data that may have been viewed by users who used the Download Your Information (DYI) feature. The firm also called Facebook to task for failing to notify non-users whose information was exposed in the incident. On Monday, Security Ledger wrote […]
Technologies
Facebook Mum On Future Of Ghost User Accounts
Facebook acknowledged on Friday that a flaw in a feature that lets users download their own profile information exposed personal information on approximately six million users, including phone numbers and e-mail addresses that were not shared with the site, but is staying mum on the future of wide ranging information harvesting practices revealed by the bug. In a blog post, the social networking giant said the security hole was disclosed by an independent security researcher and forced the company to disable the Download Your Information (DYI) feature until it could be fixed. Despite the large number of people affected, Facebook said individual pieces of private data like an e-mail address or telephone number were only exposed to one or two other Facebook users. However, Facebook has not said whether it will cease using non-public data from users’ contacts to fill out dossiers on other Facebook users, a practice that has […]
HBR: Internet Of Things Has ‘Profound’ Impact On Risk
The advent of a global network of Internet connected devices – sometimes referred to as the “Internet of Things” will bring about a “data democratization” that will upend traditional IT security models and pose considerable risks for organizations. That’s the conclusion of two leading authorities on the so-called “Internet of Things” (IoT), Christopher J. Rezendes and W. David Stephenson, who write that its impact on businesses will be “profound,” and that cyber security will be one of the biggest challenges that organizations must address. In a guest post on the Harvard Business Review blog on Friday, Rezendes, the president of INEX Advisors, and Stephenson, an author and consultant specializing in the Internet of Things argue that “the very principle that makes the IoT so powerful — the potential to share data instantly with everyone and everything (every authorized entity, that is) — creates a huge cybersecurity threat.” The authors predict […]
Fraud Analytics: You’re Doing It Wrong!
One of the most vexing problems in computer security today is distinguishing malicious from legitimate behavior on victim networks. Sophisticated cyber criminals and nation-backed hacking groups make a point of moving low and slow on compromised end points and networks, while victim organizations are (rightly) wary of disrupting legitimate business activity for the sake of spotting a breach. In this Security Ledger Podcast, Paul interviews Jason Sloderbeck, Director of Product Management at RSA, EMC’s security division. Jason talks about RSA’s Silvertail fraud analytics technology, and the organizational and technology issues that keep victims from spotting attacks. One of the big mistakes organizations make when they investigate attacks, Sloderbeck said, is focusing too narrowly on a point in time during a web session that is felt to be a good indicator of compromise – like when a user authenticates to a service or “checks out” on an e-commerce web site. “There’s a whole […]
FDA: Medical Device Makers, Hospitals Need To Boost Cyber Security
The U.S. Food and Drug Administration (FDA) has issued guidance to medical device makers and hospitals that use their products to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments. The FDA released its “Safety Communication for Cybersecurity for Medical Devices and Hospital Networks” on Thursday – the same day that the Department of Homeland Security’s ICS (Industrial Control System) CERT issued a warning about the discovery of hard coded “back door” passwords in some 300 medical devices from 40 separate vendors, including drug infusion pumps, ventilators and patient monitoring systems. The FDA said it expects device makers to “review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device. Hospitals were instructed to harden […]
