This is your Shared Security Weekly Blaze for April 22nd 2019 with your host, Tom Eston. In this week’s episode: Microsoft email services hacked, the Instagram “Nasty List” phishing scam, and Facebook’s attempted deals to sell your data.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Microsoft was in the hot seat this past week with the announcement that email services on Outlook.com, MSN, and Hotmail were breached from January to late March this year. This breach was due to the compromise of a support agent’s privileged credentials, most likely through a targeted social engineering attack. The attackers apparently had access to email addresses, subject lines, names of people within conversations, and custom folder names. Only free consumer accounts were affected, not the accounts that businesses pay for. According to Motherboard, who broke the story, Microsoft has confirmed the breach and has sent breach notification emails to the customers who were affected, but didn’t say how many users were impacted. The source for the Motherboard story also noted that the attacker appeared to have used this access for what are called “iCloud unlocks”. This is where attackers compromise a victim’s email or iCloud account to remove Apple’s ‘Activation Lock’ from a stolen iPhone. This security feature was implemented to prevent thieves from resetting stolen iPhones and selling them.
My take is that this is one of those attacks that, as users, is very hard, if not impossible, to prevent. Even if you secure your account with multi-factor authentication, you’re still at the mercy of Microsoft and the administrators who may have their credentials compromised. In these cases, it comes down to how quickly a company can respond to a breach to limit the impact to its customers.
Have you been receiving strange messages on Instagram from your followers about you being on something called the “Nasty List”? If so, the message is actually part of a massive phishing campaign that is being spread through hacked Instagram accounts. The message will say something like quote “OMG your actually on here, @TheNastyList_(some number), your number is 15! Its really messed up” end quote. Grammar Nazis, your first clue that this is a scam is the spelling of “your”, which should be “you’re”. Unless, of course, your friends naturally have bad grammar. Now if you visit the profile you will see an interesting URL in the profile link which will, you guessed it, take you to a fake Instagram login page. If you happen to enter your Instagram credentials, you’ll be hacked yourself and your account will then become another zombie sending out the same message to your followers. For more details on this scam check out the link in our show notes for a great article from Bleeping Computer.
Hopefully, as a listener of this podcast, you didn’t fall for this scam, but if you did, change your password, re-edit your profile, and profusely apologize to your followers that you were hacked.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
I think I’m starting to sound like a broken record here but surprise, surprise, Facebook was in the news once again this week when NBC News reported that Facebook CEO Mark Zuckerberg once considered making deals with third-party developers to find out how much users’ data might actually be worth. In the report over 4,000 leaked pages of internal Facebook documents show that there were potentially 100 deals with third-party app developers for selling them access to Facebook user data. Zuckerberg reportedly even said that these deals would help decide the “real market value” of Facebook user data and help set a “public rate” for developers.
This latest revelation comes from a court case in California between Facebook and a company called Six4Three. This company created a creepy app called “Pikinis” which allowed users to find pictures of people in bikinis and swimsuits. This app was shut down in 2015 once Facebook changed its data sharing policies with developers, which is what spurred the lawsuit from Six4Three. Facebook, of course, says that this information only tells one side of the story and that it has never sold user data. Regardless, this is yet another example that shows Facebook has always looked for ways to monetize the massive amount of data that it holds on all of us.
Oh, and if that wasn’t enough, last Thursday Facebook confirmed that it “unintentionally” uploaded email contacts belonging to 1.5 million new users without their knowledge since May of 2016. All I’ll say is, it’s not a great time to be Facebook or a user of Facebook.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.