Facebook Hacked, Claims “No Evidence of User Data Compromised”

Facebook announced on Friday that it had been the target of a series of attacks from an unidentified hacker group, which resulted in the installation of malicious software onto Facebook employee laptops.

“Last month, Facebook security discovered that our systems had been targeted in a sophisticated attack,” the company said in a blog post. “The attack occurred when a handful of employees visited a mobile developer website that was compromised.”

Facebook says that these employees then had malware installed on their laptops as a result of visiting the website. The hack used what is called a “zero-day Java exploit,” a known vulnerability in Oracle’s software which has gained much attention in recent months. Essentially, anyone who visited a website serving this attack with Oracle’s Java enabled in their browser was vulnerable. As a result, hackers inserted malware onto the laptops of multiple Facebook employees.

“As soon as we discovered the presence of malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day,” the post read.

In the company’s post, Facebook notes that it had “found no evidence that Facebook user data was compromised.”

Facebook did not say, however, what the hackers did have access to after the malware was installed.

Facebook’s announcement comes on the heels of a string of recent attacks on other major Web sites. Twitter, the microblogging social network that hosts more than 200 million active users on its service, announced it had been hacked two weeks ago, and that upwards of 250,000 user accounts may have been compromised as a result.

Other targets have included the Washington Post, The New York Times and the Wall Street Journal, all of which have said they believe that the Chinese government was somehow involved in their system infiltration.

But neither Facebook nor Twitter, in their respective blog posts, draws a direct comparison with or makes an accusation regarding the hacks on the Times, the Journal or the Post.

Facebook declined to comment when asked if the company suspected the Chinese government was involved.

Something to note, however: Facebook directly points to the zero-day exploit, which takes advantage of Oracle’s Java vulnerability, as the root cause of the attack. While Twitter did not detail the exact methods by which its systems were infiltrated, Twitter director of information security Bob Lord reminded users that security experts strongly recommend turning off the problematic Java inside their browsers.

That could suggest that the two attacks were connected, though neither company says as much outright. But both Facebook and Twitter included language in their posts that their respective companies were part of a larger series of attacks on multiple companies over the past few months.

“Facebook was not alone in the attack. It is clear that others were attacked and infiltrated recently as well,” the company’s post says.

Twitter did not immediately respond to a request for comment.

The string of hacks also comes as U.S. President Barack Obama recently released an executive cybersecurity order during his State of the Union address earlier this week, which would better allow government agencies to share information related to cyber-espionage and attacks with the private sector, while avoiding many of the unpopular concessions that the previously proposed CISPA made.

For now, however, Facebook will continue its investigation with law enforcement, as well as pursue its own “informal” cooperative investigation with others in the space.

“As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means.”

Source: All Things D

iOS 6 Bug Lets Institutional Users Bypass “Don’t Allow Changes” Account Restriction, Install Unapproved Apps

For those of you who are unfamiliar, iOS 6 received some beefed-up Restrictions settings when it was released, allowing users to select “Don’t Allow Changes” for an entire account linked to an iOS device. This option was particularly useful for schools and other organizations that wanted to limit a device to a specific account and keep students and others from installing apps not approved by the institution. Without the restriction, students or employees could easily change the iTunes account linked to the iOS device. Unfortunately, as noticed by one frustrated 9to5Mac reader, it appears there are several backdoor methods of bypassing the setting…

As highlighted in the video, while users can no longer change the account in the Settings app after enabling the “Don’t allow changes” setting, they can still change accounts directly in the App Store and iTunes apps. For teachers and organizations trying to prevent users from installing unapproved content, the bug is clearly an oversight on Apple’s part.

Apple has confirmed to our source that the problem is indeed a bug that needs to be fixed. However, Apple didn’t confirm when a fix for the “Don’t allow changes” bug would arrive. Apple’s temporary solution is to turn off the “Installing Apps” option within Restrictions. Unfortunately, as noted in the video above, that prevents organizations from pushing apps and allowing users to update apps.

We’ve reached out to Apple and will update if we hear back.

A number of other bugs have popped up in recent weeks, including the “Continuous Loop” Exchange bug and a passcode vulnerability, both related to iOS 6.1. Apple has confirmed fixes for these issues are in the works and a 6.1.2 software update is expected as early as next week.

For more, and to watch a video demonstration, click the source link below:

Source: 9 to 5 Mac

Homeland Security Approves Their Right To Search and Seize Your Electronics Without Suspicion

Four years ago, Agnieszka Gaczkowska, a 29-year-old doctor and entrepreneur from Poland, was travelling through Detroit’s airport on her way to Boston when her bag was selected for random inspection. The inspection officer asked her if she had any documents with her. Exhausted after a long journey, she replied that she did not, forgetting that she had put a few outstanding bills in one of her textbooks.

Suddenly, she found herself in serious trouble. The inspection officer found the bills and accused her of “lying to a federal officer.” They held her for two hours as she was interrogated about the details of her life. The officer ordered her to turn her phone on, and then proceeded to read her e-mails, texts, and Facebook messages without her permission. She was shocked. Eventually, Gaczkowska was released, but she wondered if this was a common practice.

As it turns out, it is: thousands of people every year face a similar situation. Our government agencies have allowed themselves the right to search and seize your electronic devices with stunning impunity.

Just two weeks ago, the Department of Homeland Security quietly released a strangely worded document reaffirming its own right to search and seize your electronics without suspicion or cause, anywhere along the United States border (which it defines as 100 miles in from the border, an area twice as long as Rhode Island). In reality, this is nothing new; Homeland Security has been doing this since at least 2009. That’s when Secretary Napolitano put her stamp on the Bush-era practice and promised an impact assessment within 120 days. Over two years later, it’s finally here, and it is nothing more than a poorly written press release.

Having a government official force their way into your laptop is fundamentally different from having them inspect your suitcase. Our hard drives contain personal correspondence, intimate details, deep logs of our activities, and sensitive financial or medical information. Yet we still give this data less legal privacy protection than a sealed envelope with a stamp on it.

For now, the business community has figured out a way around having the government search and confiscate devices with company secrets: give employees blank laptops, and put the important information in the cloud. This subject is much bigger than how Homeland Security does its job. There is a deeper issue here that is not going away any time soon: our electronics, and the data they hold, have become extensions of who we are.

The Fourth Amendment of the Constitution already protects people against unreasonable searches and seizures of their “persons, houses, papers, and effects.” Is it time that we add “data” to this list?

The way in which we go about answering this question will have enormous ramifications for our entire legal system. Courts around the country are struggling to decide how to balance security with privacy. From school to the workplace, this question is popping up in different ways almost every day.

In the meantime, the government has accelerated its pursuit of our digital breadcrumbs. In 2011, mobile companies received a staggering 1.3 million law enforcement requests for data, including text messages and location information. It has been over 25 years since Ronald Reagan signed sweeping digital privacy protections into law. In today’s world of cloud computing and ubiquitous screens, these protections are horribly inadequate. We should not have to continue to rely on protections passed in an age when the Internet was a military project and the personal computer was just becoming a common thing.

Eventually, the Supreme Court will have to step in to settle the issue, and they are not exactly known for their technological expertise. It might not be long before we are asked at the airport whether we packed our own devices, if we were asked to bring anyone else’s files, and if we know whether anyone has placed any data on our devices without our knowledge. At least then, it might seem polite; for now, they don’t even have to bother with the questions.

Source: Forbes