INFORMATION SECURITY NEWS
For The Week of 3/13-3/20 2018
CURRENT NEWS
Cambridge Analytica is an offshoot of the UK-based SCL Group, and was created to participate in American politics. Since its inception in 2013, it has been involved with many campaigns, including those of Ted Cruz and Donald Trump in the 2016 election. The company joined the Trump campaign in June of 2016, and former Cambridge Analytica Vice President Steve Bannon was later made campaign manager. The company says it uses “unconscious psychological biases” to create extremely targeted ads.
A Cambridge psychology professor had created a “personality test” app, which worked by harvesting users’ data and creating a “profile” for each of them. Using the Facebook API, he was able to access information about all 270,000 users who downloaded the app, as well as information about their friends (ultimately, about 50 million people!). This information was all acquired legitimately by the professor, under the guise of “academic research”. However, he then shared this data with Cambridge Analytica. When Facebook discovered this had happened, they removed the app and asked Cambridge Analytica to delete the data. However, they allowed a delay of a few weeks, and did not follow up to verify that the data was actually deleted. In fact, according to the New York Times, Cambridge Analytica may still be in possession of the data.
Facebook definitely hasn’t handled the situation gracefully from a PR perspective, either. They are insisting that this is not a breach, but rather a “leak”. Technically, they are right - their systems weren’t breached, but the data was stolen either way. It might actually be worse that this isn’t a breach - this indicates that Facebook willingly gave up the data of 50 million users as a feature! They are suing the Guardian over this difference of terminology too, likely to prevent the legal fallout that will come down if it is ruled a breach. They also banned Cambridge Analytica from the platform before the stories broke, claiming that they received reports that the data hadn’t been deleted. The reports were simply the news stories Facebook knew would drop the next day. Facebook stock has dropped around 10% since the stories broke.
https://www.theverge.com/2018/3/20/17140490/facebook-cambridge-analytica-data-crisis
Child Abuse Imagery Found Within Bitcoin’s Blockchain
The Bitcoin blockchain doesn’t explicitly support storing files, but files can be put on the blockchain by adding them to transaction metadata. Researchers have discovered that around 1,600 files are currently stored on the blockchain. One is alleged to be an image of child abuse, and two files contain 274 links to child abuse content. The content can’t be removed from the blockchain, because it is an immutable ledger. The problem these files present is that anyone downloading the blockchain (mostly miners) will also be downloading these files. Since the files are illegal to possess, the entire blockchain might become illegal to possess as well.