Facebook offered user data to more than 150 companies, ranging from tech and entertainment companies to online retailers, automakers, and even banks.

Credit: Pete Linforth / The Digital Artist

After interviewing over 60 people, including former Facebook employees and partners, and reviewing over 270 internal Facebook documents, The New York Times discovered that Facebook offered its users’ data to more than 150 companies. Those companies, the investigation revealed, ranged from tech and entertainment companies to online retailers, automakers, and even banks.

Without first obtaining users’ permission, Facebook “allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread.” It let Bing “see the names of virtually all Facebook users’ friends without consent.” Amazon could “obtain users’ names and contact information through their friends.” Yahoo could view streams of friends’ posts. The list goes on and on.

Despite a 2011 agreement with the FTC, Facebook didn’t get better about protecting users’ privacy or completely come clean about its data-sharing deals. From Facebook’s skewed outlook, all that data sharing with partners was covered by an exemption.

Other cybersecurity news:

Security firm handed over Chinese-hacked diplomatic cables to reporters

The security firm Area 1 recovered emails that had been stolen from European Union diplomats by Chinese cyber-espionage hackers over a period of years; over 1,100 cables were then passed on to reporters for The New York Times. Some of the more than 100 organizations and institutions had been targeted years ago, but didn’t know they were breached until a few days ago.

So a sec company found Chinese state actors had stolen classified diplomatic cables & the company decided to download all the data they knew to be stolen & send it to the press?
Call me old fashioned but we used to avoid trafficking in stolen data & reported to victims, not press https://t.co/dRGnAzX5dc
— Artturi Lehtiö (@lehtior2) December 19, 2018

The hackers are believed to work for the “Strategic Support Force of the People’s Liberation Army.” After gaining access to the European network COREU, “the hackers had the run of communications linking the European Union’s 28 countries, on topics ranging from trade and tariffs to terrorism to summaries of summit meetings, from the vital to the insignificant.” The EU had reportedly been warned time and again that its communications system was “highly vulnerable to hacking by China, Russia, Iran and other states.”

NASA admits it was hacked

NASA admitted to its employees that it had been hacked. While it doesn’t believe NASA missions were jeopardized, a server containing Social Security numbers and other personally identifiable information (PII) may have been compromised. Not only does that include current employees, but also “NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected.” An investigation into the breach began in October, but is still ongoing.

Remotely bricking a server

Researchers from Eclypsium published a proof-of-concept hack accompanied by a video showing a five-step remote attack that bricks a server that has a Baseboard Management Controller (BMC). They used the Keyboard Controller Style (KCS) interface to interact with the BMC.

In our demonstration, we use normal update tools to pass a malicious firmware image to the BMC over this interface. No special authentication or credentials are required for this. This malicious BMC firmware update contains additional code that, once triggered, will erase the UEFI system firmware and critical components of the BMC firmware itself.
These changes to the host and BMC will cause all attempts to boot or recover the system to fail, rendering it unusable.

These firmware images cause all attempts to boot or recover the system to fail, rendering it unusable.

Hola VPN to be flagged as unwanted, unsafe software by Trend Micro

If you use the free Hola VPN and also Trend Micro, then be prepared to see the VPN detected as unwanted, unsafe, high-risk software. Trend Micro researchers looked into (pdf) how access from Hola VPN was used by its sister service Luminati before warning that Hola VPN offers no encryption when you connect to the peer-to-peer network.

“Eighty-five percent of the traffic in the dataset was directed to mobile advertisements and other mobile-related domains and programs — an indication that cybercriminals could use the service for large-scale click fraud schemes. We have also found a link to the former KlikVip actors and websites with traffic routed through Luminati,” Trend Micro said.