At a glance.
- Privacy dimensions of the Facebook antitrust suit.
- WhatsApp challenges Apple's privacy labels.
- Notes on the FireEye breach.
- Skimmer software hides in compromised e-commerce sites.
- Netgain takes services offline after ransomware incident.
Facebook faces antitrust lawsuit.
Social media giant Facebook is being sued by a bipartisan coalition of US attorneys general from forty-six states, the District of Columbia, and the US territory Guam for anti-competitive practices and endangerment of user privacy, reports the New York Law Journal. The lawsuit claims that Facebook’s dominance of the social media market, heightened by the acquisition of platforms WhatsApp and Instagram, is bordering on monopoly and gives Facebook too much control over how user data are collected and shared. According to Letitia James, New York Attorney General and spokesperson for the suit, “No company should have this much unchecked power over our personal information and our social interactions.” As the Washington Post reports, when Facebook first purchased WhatsApp in 2014 they claimed they would maintain the messaging app’s privacy protections, but Facebook later reversed its stance. In the end the deal served to remove a more privacy-focused competitor, leaving users who desired more data protection with no alternative. Facebook’s stance is that the lawsuit is “revisionist history,” pointing out that federal regulators had the opportunity to prevent the acquisitions and are now essentially punishing Facebook for its success.
WhatsApp challenges Apple privacy nutrition labels.
Perhaps substantiating the aforementioned lawsuit’s claims, Axios reports that the Facebook-owned messaging platform WhatsApp is contesting Apple’s requirement that all apps in its App Store disclose user data privacy policies in the form of “nutrition labels.” The regulation is the result of Apple’s effort to improve user privacy after its September system update to iOS 14. WhatsApp claims that the rule is anti-competitive, as Apple’s messaging app, Messages, doesn't display a label because it is automatically included on Apple devices and therefore not sold in the App Store. Though WhatsApp did in fact deliver its label info on Monday as required, a spokesperson argued “we believe it’s important people can compare these 'privacy nutrition' labels from apps they download with apps that come pre-installed." It’s important to note, however, that apps like Messages do, in fact, publish privacy policies, not in the store, but on the Apple website.
FireEye breach: Who watches the watchmen?
Other watchmen do, of course.
Cybersecurity company FireEye announced they’ve experienced a data breach in which state-sponsored threat actors stole hacking tools that could be used against the very community FireEye works to protect, reports Reuters. These “red team” tools -- scripts, scanners, and techniques designed by cybersecurity researchers to test a client’s ability to defend itself against attackers -- could become dangerous in the wrong hands. The sophistication of the breach indicates that it was likely backed by a nation state, and Russia is a possible suspect. In an effort to help organizations protect themselves, FireEye is releasing a set of countermeasures to detect and defend against the tools. The US Federal Bureau of Investigation is investigating the attack.
While the stolen red-teaming tools could show up in commodity-level attacks, it would be unwise to exaggerate the risks, particularly the risks to privacy. FireEye has shared details on the stolen tools in its GitHub repository that should help organizations secure themselves against misuse.
Hiding in the CSS files.
BleepingComputer reports that new criminal skimming software is concealing itself in the CSS files of compromised online stores. We received some notes from Ameet Naik, security evangelist at PerimeterX, who sees the evasiveness as standing in a long tradition that includes such deceptive techniques as steganography:
“Digital skimming attackers have developed innovative ways to evade detection by obfuscating the code or hiding the malicious code in images (steganography), social media buttons and favicons. Traditional application security approaches like static code analysis are ineffective in finding and stopping such attacks. Runtime analysis using client-side application security solutions can catch the malicious script in the act by observing behavioral signals and flagging anomalies.
“Businesses need to be vigilant about increasingly sophisticated digital skimming and Magecart attacks that could strike during the busy holiday shopping season. Consumers need to be careful with online payments and use alternative payment methods where available that don’t require them to type in credit card numbers.”
Cloud provider down after ransomware attack.
BleepingComputer reports that hosting service Netgain is sustaining outages as it copes with an unspecified ransomware attack. Little is known about the incident except that it's believed to have begun on November 24th, with outages continuing into this week. We heard from Trevor Morgan, comforte AG product manager, who sees the attack as a lesson to users of cloud services: they remain responsible for protecting their own data.
“The ransomware attack affecting the cloud hosting service provider Netgain must be of concern to its customers. All indications show that Netgain has been working very proactively to isolate and mitigate the situation while keeping the customer base fully informed. This response is appropriate and admirable given the situation. In the wake of these types of data security incidents, the best-case scenario is that the service disruptions are a nuisance but that sensitive data remains protected.
“All enterprises should take away from this incident a very simple lesson. If your business relies on cloud services for data handling, processing, and storing, you are responsible for the protection of sensitive data. If regulations are broken, your business must answer for the way that you handle and protect people’s sensitive data in the cloud. This should not inspire fear but rather should encourage you to reassess how you are protecting your customers’ most sensitive, private information no matter where that data is. Are you relying on more traditional perimeter- and access-focused methods of data protection, or are you taking a more data-centric approach that protects the data itself? If incidents like this can cause you to rethink your strategy and ask yourself questions like this, then that is a good outcome for your business.”