In our latest security news digest, we delve into the brouhaha over Chinese spy chips, check out the latest in Facebook's investigation of its recent hack, and look at Google's controversial decision to delay disclosing a potential data breach.
The hyperactive cyber security news cycle reached another intensity level when Bloomberg reported the presence of Chinese spy chips in servers used by Apple, Amazon and other major U.S. companies. But did the global news agency get the story right?
Citing numerous anonymous sources, Bloomberg stated that China surreptitiously modified server hardware and embedded tiny chips in motherboards to snoop on about 30 large American businesses.
The Chinese government reportedly did this by tampering with parts built in China by suppliers of Supermicro, a U.S.-based Fortune 1000 designer and maker of servers.
"In Supermicro, China's spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies," Bloomberg's article reads.
But Bloomberg, which doubled down on the original article with a follow-up, has become part of the story, as more and more parties question the accuracy of its bombshell reports.
Apple, Amazon and Supermicro immediately issued strongly worded denials. But the drumbeat of skeptics has been growing. It now includes the U.K.'s national cyber security agency, the U.S. Homeland Security Department, one expert quoted in the article, and a variety of industry observers.
"The Cybersecurity World Is Debating WTF Is Going on With Bloomberg's Chinese Microchip Stories," reads the headline of a Motherboard article.
As the security industry debates the Bloomberg reports, the larger issue of supply chain risk, whose reality no one questions, has been placed in the spotlight.
"It is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter," wrote Brian Krebs in a post titled "Supply Chain Security is the Whole Enchilada, But Who's Willing to Pay for It?"
Bruce Schneier, CTO at IBM Resilient, called supply-chain security "an insurmountably hard problem," and pointed out that the U.S. IT industry is "inexorably international."
"Anyone involved in the process can subvert the security of the end product. No one wants to even think about a US-only anything; prices would multiply many times over," he wrote. "We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail."
So what should companies do to protect themselves against spy chips? Writing in Sophos' Naked Security blog, Paul Ducklin recommends partitioning networks, using two-factor authentication and keeping and using logs.
More information:
The tech giants, the US and the Chinese spy chips that never were… or were they? (The Guardian)
Doubts Swirl Around Bloomberg's China Chip Hack Report (Fortune)
The security community increasingly thinks a bombshell Bloomberg report on Chinese chip hacking could be bogus (Business Insider)
Why I don't believe Bloomberg's Chinese spy chip report (CSO Magazine)
In a much awaited update about its recent hack, Facebook said attackers stole personal data from about 29 million account holders.
The type and amount of data nabbed by the hackers varied. In all cases, it included names and contact details, such as phone numbers and email addresses. For 14 million, the breach was deeper, including their current city, birthdate, work information, recent location check-ins, and latest search queries.
Attackers also fully took over 400,000 accounts. This allowed them to see those users' posts, friends, groups, and Messenger chat names, including in some cases Messenger chat content. The hackers got access tokens for another 1 million accounts but didn't access any of their information.
When it disclosed the breach in late September, Facebook preliminarily said as many as 90 million accounts could have been accessed.
While the number of compromised accounts is lower than originally feared, the swiped data is the type that can be used to steal identities and carry out scams. It's also the type of personal information increasingly protected by severe privacy regulations worldwide, such as the EU's General Data Protection Regulation (GDPR).
The data breach, possibly Facebook's worst ever, was made possible by a software bug introduced by the company in July 2017 that allowed attackers to obtain account access tokens. The vulnerability is triggered in a specific scenario involving the "View As" feature and a video uploader.
Facebook first noticed suspicious activity more than a year later, in mid-September of this year, and confirmed the attack a week or so later.
Here's what didn't happen. Attackers didn't access third-party accounts into which affected users log using their Facebook credentials, like Airbnb. They also didn't gain access to passwords nor credit card data.
Other Facebook properties weren't attacked, such as Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, advertising and developer accounts.
The investigation is ongoing, with law enforcement agencies, including the FBI, participating.
More information:
How Facebook Hackers Compromised 30 Million Accounts (Wired)
Facebook Hack Included Search History and Location Data of Millions (New York Times)
In Facebook's massive breach, the hackers' friends were the first victims (CNET)
Facebook isn't the only tech giant that's been dealing with a security issue in its social network. Shortly after Facebook disclosed its breach, Google announced its decision to shut down its Plus social network for consumers, and said a leaky API had exposed personal data of users.
The API bug, discovered and patched in March but disclosed this month, gave developers of third-party apps access to Google Plus profile information that was supposed to be private, including the user's name, email address, occupation, gender and age.
Because the API's log data is kept for two weeks, Google said it can't confirm which users were impacted, but said up to 500,000 Plus accounts were potentially affected, and that as many as 438 apps may have used the API.
An internal Google investigation yielded no evidence that developers were aware of the bug, that the API was abused, or that any profile data was misused.
Google has been criticized for not disclosing the API bug sooner. Citing internal Google sources and documents, The Wall Street Journal reported that the search giant kept quiet "in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage." Google maintains it acted appropriately.
"Nobody was using Google Plus so there will not be an impact to users. Not sure what will happen with GDPR fines," wrote SANS Institute instructor Stephen Northcutt.
Google Plus will live on as an enterprise social network, to be used in work settings for collaboration and communication.
More information:
RIP Google Plus: Shutdown announced after API bug exposes 500,000 users' details (CSO Magazine)
Exclusive: Audit cleared Google privacy practices despite security flaw (The Hill)
Google chose not to go public about bug that exposed Google Plus users' data (Graham Cluley)