Security summary – December 2018

Our short monthly review summarises important news and blog posts, which focus on IT security, cloud computing and privacy protection.

1. Facebook bug leaks 6.8 million private user photos

Facebook has confirmed that a bug in its system may have exposed private photos of millions of users to third-party apps. Up to 1,500 apps built by several hundred different developers may also have been affected by the bug. The photos were exposed for a 12-day period between September 13 and 25, and affected users should receive a notification alerting them to the breach.

Source in English: theverge.com

2. Hotel Marriott loses sensitive data of millions of guests

500 million customer data entries were stolen in a historically large data breach hitting the global hotel chain Marriott. Since 2014, unauthorized parties have had access to hotel guests’ data through the so-called Starwood Preferred Guest Program. Among the stolen data are highly sensitive items such as passport and credit card numbers. Anyone who booked a room in select hotels between 2014 and mid-September 2018 is affected.

Source in German: security-insider.de

3. Insider attacks in 2018: every second company hit?

The conclusion of the “Insider Threat 2018 Report” is clear: companies should pay more attention to the threat of insider attacks carried out by malicious or reckless employees, partners and clients. More than 90% of the surveyed companies feel vulnerable to such attacks, and 53% have experienced an insider attack within the past 12 months.

Source in German: security-insider.de

4. Trojan “Emotet” spreads to paralyze entire companies

The German Federal Office for Information Security (BSI) warns against the malware Emotet after receiving reports of severe attacks on companies whose IT infrastructure was paralyzed and which could no longer carry out essential business processes. Emotet is spread through seemingly innocent but well-crafted emails that appear to come from a friend, colleague or business partner.

Source in German: heise.de

5. Australian Anti-Encryption Bill voted through

The Australian House of Representatives has passed the so-called “Anti-Encryption Bill”, enabling Australian law enforcement to require Google and other tech companies to provide access to encrypted customer communications. The law is intended to support investigations of terrorist attacks and drug trafficking. It does not address citizens’ digital privacy concerns, but it can require a tech company to “build a new capability” to decrypt communications for Australian law enforcement.

Source in English: thehackernews.com

6. Anti-Encryption Bill may apply to Australian employees of 1Password

Australian 1Password employees are technically subject to the newly passed Anti-Encryption Bill, whose details are yet to be specified and implemented. The law has been criticized by major IT companies such as Google, Apple and Facebook because it allows Australian authorities to require tech companies to decrypt encrypted customer communications as part of ongoing crime investigations.

Source in German: heise.de

7. U.K. Parliament accuses Facebook of leveraging user data

250 pages of internal Facebook discussions have been released in which the company evaluates the value of users’ personal information. The U.K. Parliament now accuses the social media platform of having “whitelisted” select companies such as Airbnb and Netflix for privileged access to users’ friends, despite an official 2015 statement that it would refrain from such agreements. "The idea of linking access to friends' data to the financial value of the developers' relationship with Facebook is a recurring feature of the documents," the committee chair, Damian Collins, states.

Source in English: securityweek.com

8. EU worried about mandatory backdoors in Huawei devices

European Commission Vice President Andrus Ansip has expressed clear concern that Huawei and other Chinese companies are forced to implement so-called backdoors in their devices, which may allow Chinese intelligence access to customer data.

Source in English: securityweek.com

9. Artificial intelligence could enable cyber criminals to falsify x-rays

Researchers at the University Hospital of Zurich (USZ) have shown that it would be possible for cyber criminals to manipulate x-rays. Specifically, the researchers designed a program that successfully manipulated x-rays so that healthy patients appeared to have cancer and vice versa. However, an actual cyber-attack of this kind is still only possible in theory.

Source in German: computerworld.ch