Cyber Security Headlines – May 6, 2021

Facebook’s Oversight Board upholds Trump suspension

The board upheld Facebook’s decision to suspend former US President Donald Trump, saying his posts ahead of the January 6th Capitol riots created “an environment where a serious risk of violence was possible.” However the board ruled it was not appropriate for Facebook to impose the suspension indefinitely. The Board called on Facebook to review the decision within the next six months to “determine and justify a proportionate response.” Overall the Board ruled that world leaders should be held to the same standard as regular users, saying if a leader “repeatedly posted messages that pose a risk of harm under international human rights norms, Facebook should suspend the account for a period sufficient to protect against imminent harm.”

(The Verge)

Phishing for workplace credentials

Some workers in the US received emails from an organization called Workplace Unite, offering $500 for workplace login credentials plus $25 a month for as long as those credentials stayed active, and claiming that sharing payroll information would give workers visibility into their peers. Motherboard reports that these emails make HTTP requests to sites linked to the startup Argyle, which describes itself as a “gateway to access employment records,” with access to 40 million records. Linked domains for Workplace Unite were taken offline after security researchers tweeted about them, although it’s unclear what Workplace Unite’s exact relationship with Argyle is.

(Vice)

Report looks at third-party SDKs in school apps

A report from the nonprofit Me2b Alliance looked at 73 apps used by 38 schools in 14 US states, using tools from the analytics firm AppFigure, and found that 60% of the apps used SDKs that could send student information to third parties. SDKs from Google, Apple, and Facebook were the most commonly found, with an average of 10.6 SDKs per app. 18% of apps surveyed included SDKs classified as Advertising & Monetization SDKs by AppFigure, and all of those apps were used by public schools. The report did not examine whether third parties were following COPPA requirements when handling data of students under 13 years old.

(The Record)

Signal ads booted from Facebook

The privacy-focused messaging app Signal intended to run an advertising campaign on Instagram explaining the data Facebook collects on users, by crafting extremely specific targeted ads using that information. Ad targeting examples included specific things like London-based divorcees with degrees in art history. Signal claims its Facebook ad account was suspended before the ads ran; Facebook denied the account was suspended and called it a PR stunt.

(Gizmodo)

Thanks to our episode sponsor, Boxcryptor

We think CISOs also have a right to sleep peacefully at night. Therefore, we recommend encrypting your sensitive business data for an extra layer of protection. Now in its 10th year, Boxcryptor offers strong end-to-end encryption “Made in Germany” for OneDrive, Dropbox, Google Drive, and Co. as well as for Microsoft Teams. For more information visit Boxcryptor.com.

Peloton API bug exposes personal data

Jan Masters, a security researcher at Pen Test Partners, discovered that the API for the popular fitness bike and service allowed unauthenticated third parties to request user account data. This let the researcher access a Peloton user’s age, gender, city, weight, workout statistics, and birthday even if the account was set to private. Masters reported the bug on January 20, but it had not been resolved by the end of the standard 90-day disclosure window, although Peloton did restrict API access to its members. Contacted by TechCrunch about the API issue, Peloton eventually resolved it.

(TechCrunch)
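The failure mode in the Peloton story is an endpoint that answers any caller, with no session check and no regard for the account’s privacy setting; restricting the API to logged-in members only closes the first gap, since any member could still read another member’s private profile. The following Python is an added illustration, not Peloton’s code or the researcher’s findings: it places a deliberately unauthenticated handler beside a hardened one that requires a valid session, returns the full record only to its owner, exposes only an allow-listed subset of public profiles, and makes private profiles indistinguishable from non-existent ones. The user records, field names, `login()` helper, and `PUBLIC_FIELDS` list are all constructed for the example.

```python
"""Vulnerable versus hardened profile endpoint (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

# Constructed sample records; the fields mirror the data types named in the story.
USERS = {
    1001: {"username": "rider_a", "age": 34, "gender": "F", "city": "Austin",
           "weight_kg": 61, "workouts": 212, "birthday": "1987-03-14", "private": True},
    1002: {"username": "rider_b", "age": 29, "gender": "M", "city": "Denver",
           "weight_kg": 80, "workouts": 45, "birthday": "1992-11-02", "private": False},
}

# Allow-list of fields a public profile may reveal to other authenticated members.
PUBLIC_FIELDS = ("username", "workouts")

# Session store: bearer token -> user id. Tokens are issued by login() below.
SESSIONS: Dict[str, int] = {}


def login(user_id: int) -> str:
    """Issue an unguessable session token (stand-in for a real login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


@dataclass
class Response:
    status: int
    body: dict


# --- Vulnerable handler: no authentication, no object-level authorization ------
def get_profile_vulnerable(user_id: int) -> Response:
    """Returns every field for any user id, regardless of caller or privacy flag."""
    user = USERS.get(user_id)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(user))


# --- Hardened handler ----------------------------------------------------------
def get_profile(bearer_token: Optional[str], user_id: int) -> Response:
    """Require a valid session, then apply object-level authorization.

    Owners get their full record; other members get only PUBLIC_FIELDS of
    public profiles; private and non-existent profiles return the same 404
    so the endpoint cannot be used to enumerate accounts.
    """
    caller = SESSIONS.get(bearer_token or "")
    if caller is None:
        return Response(401, {"error": "authentication required"})
    user = USERS.get(user_id)
    if user is not None and caller == user_id:
        return Response(200, {k: v for k, v in user.items() if k != "private"})
    if user is None or user["private"]:
        return Response(404, {"error": "not found"})
    return Response(200, {k: user[k] for k in PUBLIC_FIELDS})


if __name__ == "__main__":
    token = login(1002)
    print("unauthenticated, private account:", get_profile_vulnerable(1001))
    print("member reading another private account:", get_profile(token, 1001))
    print("member reading a public account:", get_profile(token, 1002))
```

The two checks are deliberately separate: authentication answers “who is calling?”, while the per-record comparison against the session’s user id and the privacy flag answers “may this caller see this record?”. Gating the API to members without the second check is the intermediate state the story describes, where a logged-in account could still read private profiles.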

Microsoft open-sources Counterfit

Counterfit is a tool that lets developers test the security of ML and AI systems. It began as a set of attack scripts written specifically to target AI models; in its current form, Counterfit offers an automated system to benchmark a variety of systems for security at scale and is used as part of Microsoft’s AI red team operations. It offers customizable or randomized parameters and logs attacks against models to help document potential failure modes of an AI system. A recent Microsoft survey found that 89% of organizations didn’t feel they had the right resources to secure AI systems.

(VentureBeat)

CISA contacts US companies vulnerable to hacking

Congress granted the Cybersecurity and Infrastructure Security Agency subpoena power this January, and the agency is using that power to contact companies at risk of security exploitation. CISA has now issued two subpoenas to obtain a list of vulnerable customers belonging to an ISP, allowing the agency to warn them directly of potential threats. The names of the companies were withheld, but CISA said they were “critical infrastructure entities” contacted about specific actively exploited vulnerabilities. 

(CyberScoop)

Most organizations experience third-party data breaches

A new report from the Ponemon Institute found that 51% of surveyed organizations have been hit with a data breach caused by a third party, with 44% experiencing one in the last 12 months. Organizations reported that 74% of those breaches were caused by giving third parties too much privileged access. About half of respondents say they are not assessing the security and privacy capabilities of third parties before granting access.

(VentureBeat)


Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.