My Weekly RoundUp #106
A lot of interesting topics in the last week!
No, XKCD too?
XKCD Forum Breach Exposes Emails, Passwords of 562,000 Users
The forums of the XKCD webcomic created by Randall Munroe in 2005 are currently offline after being impacted by a data breach which exposed the information of 561,991 users on July 1.
The compromised user information including usernames, emails, and IP addresses, as well as hashed and salted passwords stored in MD5 phpBB3 format, was added to Have I Been Pwned's database on September 1, after being provided by security researcher and data analyst Adam Davies.
As Have I Been Pwned said in a tweet, 58% of the addresses in this data breach had already been added to the platform's database as part of previous database dumps.
New frontiers of social engineering!
Cybercriminals Impersonate Chief Exec's Voice with AI Software
Fraudsters are constantly looking for new ways to scam their victims. One unique case gives the security industry a glimpse of what they could do with artificial intelligence (AI) and voice recording.
As part of an incident in March, an attacker called the CEO of a UK-based energy business pretending to be the head of its German parent company. Analysts believe AI-based software was used to impersonate the chief executive's voice, as it had the slight German accent and other qualities the UK CEO recognized in his boss's voice — qualities that led him to believe the call was legitimate. The caller issued an "urgent" request to the CEO, demanding he transfer $243,000 to a Hungarian supplier within an hour's time.
The transfer went through and the money was later moved to other countries. Scammers continued to contact the UK company and make additional payment requests, according to Euler Hermes, the organization's insurer. However, the CEO grew suspicious and did not transfer the funds.
Just some thoughts about...
DDD 101 — The 5-Minute Tour
During a conference in Paris, after the organizers asked me to fulfill a missing-speaker slot for a lightning talk (an hour before the presentation time), not only did I accept, but I decided that an introduction to DDD (Domain Driven Design) was a good choice. Yes, DDD — the discipline that was born in a 560-page book.
Unfortunately, even if I had managed to get the attention of a room crowded with (PHP!) developers to talk about a topic that was dear to my heart, I don’t know if the presentation insisted enough on the two key aspects that are DDD.
My goal with this article is to give it another try, with more time to prepare.
Another week, another leak!
A huge database of Facebook users’ phone numbers found online
Hundreds of millions of phone numbers linked to Facebook accounts have been found online.
The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.
But because the server wasn’t protected with a password, anyone could find and access the database.
Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username.
But phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.
What have you done, you rascal?
Brave uncovers Google’s GDPR workaround
The new evidence reveals a surreptitious mechanism that raises additional data protection concerns about Google’s “DoubleClick/Authorized Buyers” advertising system. This system is active on 8.4 million websites.
Google claims to prevent the many companies that use its real-time bidding ad (RTB) system, who receive sensitive data about website visitors, from combining their profiles about those visitors. It also announced that it had stopped sharing pseudonymous identifiers that could help these companies more easily identify an individual, apparently in response to the advent of the GDPR.
But in fact, Brave’s new evidence reveals that Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.
One step at a time, Facebook!
Facebook now asks for consent to scan your photos (but only on new accounts)
Facebook today announced it’d be rolling out its facial recognition settings to everyone — and that it’d be turned off by default for new users. Anyone who doesn’t already have this setting will be notified and asked if they want to turn it on.
The new Face Recognition setting will replace Tag Suggestions, which ostensibly notified you if someone uploaded a photo of you (or who Facebook presumed was you) and offered to automatically tag you in it. The feature was first introduced in 2017, but not everyone got it at the time. Now Facebook is switching over for everyone, and those who’re getting the new setting will have it turned off.
Firefox’s latest version blocks third-party trackers by default for everyone
You’ve had the ability since October, and in June they made it official, but it’s only today that Mozilla’s Firefox web browser will protect your privacy by blocking third-party tracking software for all its users by default — theoretically keeping companies from keeping tabs on your online activity and potentially selling it to others.
That’s because with Firefox version 69, Mozilla just flipped the switch to turn on its Enhanced Tracking Protection for all users, instead of just new users (as it did in June) or making you opt-in if you want to try it (as it did last October).
“Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today’s release, we expect to provide protection for 100% of our users by default,” reads the company’s Tuesday blog post.
Amazon, have you not paid the bill or something?
Amazon AWS Outage Shows Data in the Cloud is Not Always Safe
A recent power outage at an Amazon AWS data facility and the resulting data loss for some customers shows that storing data in the cloud does not mean you do not also need a backup.
On August 31st, 2019, an Amazon AWS US-EAST-1 datacenter in North Virginia experienced a power failure at 4:33 AM, which caused the datacenter's backup generators to kick on. Unfortunately, these generators started failing at approximately 6:00 AM, which led to 7.5% of the EC2 instances and EBS volumes becoming unavailable.
Tesla owners reportedly got locked out of their cars because the app was down
Connected things are wonderful until they fail on you. Numerous Tesla owners allegedly experienced this today as they got locked out of their cars because the app was apparently down for maintenance. Several users took to Twitter to pour out their agony. Some of them were logged out of the app and weren’t able to use it to unlock their cars.
@Tesla @elonmusk i am locked out of my car and been on hold now for 12 minutes. Why is it so difficult to talk to a Tesla trained human for support?
95-Droid Orchestra Perform the Star Wars Theme
Creative wiz Sam Battle partnered with LEGO to create this epic electronic orchestra that performs John Williams’ iconic Star Wars theme on 42 musical instruments with the help of 95 LEGO Boost droids and 30 iPads.