Door Dash hacked, Facebook ready to face the music and Sephora agrees to pay a $1.2 million penalty.
Welcome to Cyber Security Today. It’s Monday August 29th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The text-based phishing campaign against Twilio and CrowdStrike users I told you about last week continues to have a wider impact. Food delivery service Door Dash has acknowledged personal information of what it says is a small number of its users was recently stolen. How did it happen? According to the TechCrunch news site, the hackers got into Door Dash’s IT system after stealing the usernames and passwords of Twilio employees. Those credentials were then used to access some of Door Dash’s internal tools. Twilio and CrowdStrike staff are getting text messages with links to phony websites that mimic their companies’ login authentication pages. If they click on the links and log in the hackers get their usernames and passwords. The names, email addresses, delivery addresses and phone numbers of some Door Dash users were stolen. In addition, the hackers got the last four digits of payment cards of an unnamed number of people,
The last chapter of the Facebook-Cambridge Analytica scandal may be coming to an end. According to the Associated Press news agency, Facebook’s parent company, Meta Platforms, has reached a tentative settlement in a class action privacy lawsuit launched by American and British Facebook users. Terms of the settlement haven’t been disclosed in court documents. However, a San Francisco court has been asked to allow a 60-day stay of proceedings in the suit while lawyers finalize the deal.
The four-year-old lawsuit alleges that the personal information of Facebook users was released to third parties, including Cambridge Analytica, without their consent. That now-defunct consulting company had data on 87 million Facebook users, collected when some 300,000 users responded to questions about their digital life in an app. Unknown to that group of people, the app also collected data on their Facebook friends. The data was used in a number of political campaigns in the U.S. and the United Kingdom, spawning an uproar in those countries and in Canada. In 2019 Facebook agreed to pay US$100 million to settle allegations by the U.S. Securities and Exchange Commission that it knew for two years Facebook data had been misused by Cambridge Analytica and didn’t tell users or the public.
Meanwhile, California says cosmetics retailer Sephora has agreed to pay US$1.2 million to settle allegations the company violated its tough Consumer Privacy Act by not telling consumers it was selling their personal information to third parties. Sephora allowed third parties like marketing firms to install cookies on their website and in their app to track customers’ actions. According to NBC News, Sephora says this isn’t an objectionable “sale” of data. It’s common to allow the installation of cookies to provide consumers more personalized shopping and ads, the company said.
One of the most common commercial tools used by threat actors is called Cobalt Strike. Legitimate or illegally copied versions of the tool are used by threat actors for maintaining access to their command and control servers. But IT defensive systems are increasingly looking for signs of unwanted Cobalt Strike Beacons on their networks. So threat actors are turning to a new tool called Sliver. In a column last week Microsoft pointed out that Sliver is either being used as a replacement for or in conjunction with Cobalt Strike. Cybersecurity teams should be scanning their networks for signs of Sliver, including unique HTTP headers, JARM hashes and evidence of process injection. They should also turn on Windows’ network protection, filter email to block messages with malware that can lead to downloading of Sliver and CrowdStrike, and make sure employees use multifactor authentication to protect against stolen credentials.
There’s a link to the detailed Microsoft report here.
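To make the hunting advice above concrete, here is an added example (not from the podcast or from Microsoft's report) of the kind of script a detection team might run over connection logs. It checks two of the indicator types named above, JARM fingerprints and unusual HTTP headers, against a watchlist, and goes one step further than the text by flagging host pairs that talk at suspiciously regular intervals, the kind of periodic check-in a C2 beacon produces. The log format, IP addresses, JARM strings and header values are all constructed placeholders; a real hunt would substitute the vendor-published fingerprints.

```python
"""Hunt for C2 framework indicators in TLS/HTTP connection logs.

Added example, not the podcast's or Microsoft's code. The log layout,
hosts, JARM strings and header values are constructed placeholders.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: epoch timestamp, source IP, destination IP,
# JARM fingerprint of the server, and one notable response header.
SAMPLE_LOG = """\
1661760000 10.0.0.5 203.0.113.10 PLACEHOLDER_JARM_AAAA Server=nginx
1661760060 10.0.0.5 203.0.113.10 PLACEHOLDER_JARM_AAAA Server=nginx
1661760120 10.0.0.5 203.0.113.10 PLACEHOLDER_JARM_AAAA Server=nginx
1661760180 10.0.0.5 203.0.113.10 PLACEHOLDER_JARM_AAAA Server=nginx
1661760007 10.0.0.7 198.51.100.20 PLACEHOLDER_JARM_BBBB Server=Apache
1661763500 10.0.0.7 198.51.100.20 PLACEHOLDER_JARM_BBBB Server=Apache
1661760300 10.0.0.9 192.0.2.30 PLACEHOLDER_JARM_CCCC Server=PLACEHOLDER_C2_SERVER
"""

# Placeholder watchlists; load published C2 fingerprints here in practice.
JARM_WATCHLIST = {"PLACEHOLDER_JARM_AAAA"}
HEADER_WATCHLIST = {"Server=PLACEHOLDER_C2_SERVER"}


def parse_log(text):
    """Turn the whitespace-separated log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, jarm, header = line.split(maxsplit=4)
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "jarm": jarm, "header": header})
    return records


def indicator_hits(records):
    """Return (src, dst, reason) for connections matching a watchlist."""
    hits = set()
    for r in records:
        if r["jarm"] in JARM_WATCHLIST:
            hits.add((r["src"], r["dst"], "jarm-watchlist"))
        if r["header"] in HEADER_WATCHLIST:
            hits.add((r["src"], r["dst"], "header-watchlist"))
    return sorted(hits)


def beacon_candidates(records, min_conns=4, max_jitter=0.1):
    """Flag src->dst pairs whose connection gaps are nearly constant.

    A beacon checking in on a fixed timer shows a low ratio of gap
    standard deviation to mean gap; ordinary browsing does not.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((src, dst, avg))
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in indicator_hits(recs):
        print("indicator:", hit)
    for src, dst, period in beacon_candidates(recs):
        print(f"beacon-like: {src} -> {dst} every ~{period}s")
```

On the constructed log the watchlist check fires on the 10.0.0.5 and 10.0.0.9 conversations, and the periodicity check independently flags 10.0.0.5, which calls 203.0.113.10 every 60 seconds. The two checks are deliberately separate: fingerprints catch known tooling, while the interval heuristic can surface a beacon whose JARM and headers have been changed to evade the watchlist.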
Atlassian has found a critical vulnerability in the on-premise versions of its Bitbucket Server and Data Center. This is a Git-based code hosting and collaboration tool used by developers using Atlassian’s Jira and Trello applications. All on-premise instances running any versions between 7 and 8.3.0 inclusive must be patched.
Finally, experienced privacy-minded individuals worried about email trackers hidden in links and images in email they get, or who want to hide their email address, can consider a service from those behind the DuckDuckGo browser. The organization has been testing an Email Protection service for some time. It’s a free email forwarding service that removes some hidden email trackers. Now that beta test is being opened to everyone. You can use Email Protection with your current email provider. The service also allows users to create a private Duck Address when you enter an email address in a form for signing up to newsletters and such. Remember, it’s still a beta service.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.