This Week in Security: Facebook Hacked your Email, Cyber on the Power Grid, and a Nasty Zero-day

Ah, Facebook. Only you could mess up email verification this badly, and still get a million people to hand over their email address passwords. Yes, you read that right, Facebook’s email verification scheme was to ask users for their email address and email account password. During the verification, Facebook automatically downloaded the account’s contact list, with no warning and no way to opt out.

The amount of terrible here is mind-boggling, but perhaps we need a new security rule-of-thumb for this kind of situation. Don’t ever give an online service the password to a different service. In order to make use of a password in this case, it’s necessary to handle it in plain-text. It’s not certain how long Facebook stored these passwords, but they also recently disclosed that they have been storing millions of Facebook and Instagram passwords in plain-text internally.

This isn’t the first time Facebook has been called out for serious privacy shenanigans, either: In early 2018 it was revealed that the Facebook Android app had been uploading phone call records without informing users. Mark Zuckerberg has recently outlined his plan to give Facebook a new focus on privacy. Time will tell whether any real change will occur.

Cyber Can Mean Anything

Have you noticed that “cyber” has become a meaningless buzz-word, particularly when used by the usual suspects? The Department of Energy released a report that contained a vague but interesting sounding description of an event: “Cyber event that causes interruptions of electrical system operations.” This was noticed by news outlets, and people have been speculating ever since. What is frustrating about this is the wide range of meaning covered by the term “cyber event”. Was it an actual attack? Was Trinity shutting down the power stations, or did an intern trip over a power cord?

The Car that Runs Windows

Do you drive a 2015 Hyundai Tucson? The good news is that you probably have a very hackable infotainment center. The bad news is that you have a very hackable infotainment center that is running Windows CE. [James] has shared some of his ongoing research on Twitter, and it’s as entertaining as it is worrying. The jaw-dropping revelation is that when a flash drive is plugged in, the infotainment system automatically executes “HyundaiUpdate.exe” without any verification. Keep in mind that the first high-profile vehicle exploit was pulled off through the infotainment center, as well.

Java Deserialization Zero-Day

What happens when a cloud provider gets hit by a ransomware attack? That’s what some users of Oracle’s WebLogic Server get to decide after a severe 0-day vulnerability surfaced in the wild, CVE-2019-2725. It all boils down to how Java does deserialization: unpacking flat data back into live objects. While outside data must always be viewed with suspicion, Java has a long-standing problem with deserialization, in that the serialized data can overwrite other variables in scope during deserialization. There is an obvious security weakness here, but a fix in the Java language itself would break untold deployed applications.

The short story is that a server that exposes WebLogic is vulnerable, and likely already compromised with a ransomware attack. Oracle has already released an emergency patch fixing this particular issue.
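To make the deserialization point concrete, here is an added example (not code from the article, Oracle or WebLogic; the class and method names are illustrative) showing the classic unsafe `ObjectInputStream` pattern next to the same sink hardened with a JEP 290 allow-list filter, which rejects any class the application did not ask for before the object is ever constructed:

```java
import java.io.*;
import java.util.*;
// Added example (not from the article or WebLogic): a deserialization sink
// in its classic unsafe form and hardened with a JEP 290 ObjectInputFilter.
public class DeserializationFilterDemo {

    // The one serializable type this application legitimately expects (illustrative name).
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // BEFORE: whatever class the byte stream names is instantiated, and its
    // readObject()/readResolve() hooks run, before the caller can inspect the result.
    public static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // AFTER: the same sink with an allow-list filter (Java 9+). Only the named classes
    // pass; "!*" rejects everything else before any object is constructed, and the
    // depth/array limits curb resource-exhaustion payloads.
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$Greeting;java.lang.String;maxdepth=5;maxarray=1000;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();   // rejected classes raise InvalidClassException
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // Constructed stand-in for an unexpected type; the point is only that the stream
        // names a class the application never asked for.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        System.out.println("unsafe, expected type:   " + ((Greeting) readUnsafe(expected)).text);
        System.out.println("unsafe, unexpected type: " + readUnsafe(unexpected).getClass());
        System.out.println("filtered, expected type: " + ((Greeting) readFiltered(expected)).text);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The unsafe reader happily returns the `ArrayList`; the filtered reader throws `InvalidClassException` for it, which is the behaviour a server-side sink handling untrusted bytes should have by default.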

Check out the presentation below for a detailed introduction to Java deserialization attacks:

Errata

Last time we discussed the ShadowHammer attack, and since then Kaspersky Lab has released their technical report of their findings. There are some more juicy details contained there, so go check it out.

Remember, send us your tips for the next installment of This Week in Security.

30 thoughts on “This Week in Security: Facebook Hacked your Email, Cyber on the Power Grid, and a Nasty Zero-day”

  1. The Facebook thing has been obvious for YEARS. LinkedIn does EXACTLY the same thing. In case it’s not obvious, people in your “extended network” or “your contact” are people that gave Facebook/LinkedIn their email credentials, then they downloaded the headers for all the emails in their account, scraping the addresses.

    I get 50 levin notifications about real estate agents that I had contact with in 2007-2008, and they continue to pop up in my feed on LinkedIn. I never gave LinkedIn my email credentials, so they connected me to them by accessing their email accounts.

    You shouldn’t suddenly be outraged that Facebook and LinkedIn have prescient knowledge about who you know, if you gave them your email account credentials.

    1. Exactly. Wasn’t it purported that Mark Zuckerberg bragged to his college buddies (or whatever he called his friends) that he could get into anybody’s email because the students willingly gave Facebook their passwords? This was back when you had to have a college email address to get on Facebook.

      I figured out the scam the very moment my (then) girlfriend asked me to help her sign up on Facebook and it was asking for her email password.

      The sad part about all of this is Facebook has been doing this for 15 years.

      1. Yes, while it may not be a literal “grid”, producers and consumers are interconnected through circuit breakers and producers are connected to share/sell/buy excess power.
        So, it might be considered a “power web” if “power grid” is too much for your tastes.

      2. A power grid is a LOCAL power distribution network that has multiple feed points and many outputs. Rather than a tree topology, where each power source gets split and split again until it reaches every customer, a grid involves literally a grid of power lines in roughly the 10 kV to 30 kV neighborhood, to supply power to, um, neighborhoods. Different sources tie into the grid at different points, with the result being that losing any one source (providing there’s sufficient excess power available from remaining sources) doesn’t cause any customers to lose power. Long-distance power networks are NOT arranged as grids – they are generally tree topologies that have interties placed strategically to allow for re-routing power when necessary.

        “The Power Grid” is a fiction, but in the U.S., there are a few (three, last time I looked) major networks that cover most of the country. Again, these are not grids.

        “Power Grids” in power distribution are like “Tarmac” at airports. They are terms that were made up by people who know nothing about them. (“Tarmac” is a type of pavement, having nothing to do with the function of that pavement.)

  2. You know who else used this kind of verification step the last time I checked? Several Bitcoin services. When you reach the step to link a bank account to Glidera, they ask you to enter the username and password you use at your financial institution. So does Circle.

    I think they are freaking insane. I don’t understand a world where you think you can become a trusted financial institution by asking your customers to compromise the security of another financial institution.

    When I brought it to the attention of one of these companies they tried to explain that it was okay because they never had access to the credentials themselves, a third party verified it for them instead! Great, it’s secure because those credentials are shared with someone I don’t even know. Absolute incompetence.

        1. A “typo” is when a writer makes a spelling or grammatical error. A stupid “smart” phone auto-spell checker/corrector is an entirely different thing. Either way if the error gets through to the post we can be sure of one thing; the writer was too lazy to proofread what was written.

  3. I had fun with a site called Upwork. They weren’t satisfied with my bank account information and wanted additional information I wasn’t willing to provide. I warned them if they kept asking for that information I would close my account and their site would no longer be making money from me. Well, they kept insisting, I followed through and closed the account. Sites need users more than users need sites. Farcebook wanted a copy of my ID card because I wasn’t using my real name etc. I declined to provide it and told them the same thing. Haven’t been on either site since and don’t miss it.

    A lot of these sites are now demanding information from users. Well, as far as I’m concerned, my information is MINE. They’re in no position to demand anything. As far as Farcebook, I told them, the people I’m connected to already know who I am. Same with my SS number. No one gets that. I have one of the older cards that say “Not to be used for identification”.

    When a store asks for my phone number, I tell them I don’t have one. They see the ham radio and think it’s a phone. I tell them, use the store’s number. I always have the option of taking my business elsewhere. Bottom line, don’t bother me with asking for info. End result, you won’t get it.

  4. They demand more and more personal information because the majority of people accept the practice and surrender that information at anyone’s demand. It is actually illegal to refuse service in America for someone refusing to provide their social security #, but it happens routinely. And all of this information collected has one purpose and one purpose only: to track you down and harass you for payment later. That’s it. For identification purposes or internal recordkeeping they could simply assign you an ID# in their own system.

    The sad truth is, hackers are not the great pros at social manipulation we like to believe ourselves to be. Corporate America is the all-time heavyweight champion of social manipulation raised to the level of organized religion. Hackers can’t even hold a candle to that. Those of us who choose to safeguard our information are shunned as the crazies and suffer denial of services, in many cases life-saving services, because of it. And I have no idea what it’s going to take to swing the pendulum back the other way, but whatever it is, it isn’t going to be pretty.

    1. “It is actually illegal to refuse service in America for someone refusing to provide their social security #”. EXCEPT… And the exceptions are innumerable, and have been for a long time. The Privacy Act of 1974 was purported to be a way of informing people about how their information was used. It required that anybody asking for an SSN had to tell the customer why they needed it and what the consequences would be for not providing it.

      It was a total joke. Privacy Act statements always had some made-up excuse, and the consequence was ALWAYS “if you don’t provide your SSN, you won’t be able to use our service.” It had no effect at all, aside from causing most transactions to require the customer to sign the Privacy Act Statement.

  5. How is any of this “this” week in security? This year. Maybe. Some of it. Maybe.

    Also, what do you need the email address when commenting for? Have you made up one?

    1. Hah, I just had a conversation about this. We’re going to work on keeping the news truly weekly in the future.

      I assume the email address is primarily to fight spam.

  6. I think that all that you need to know about Facebook and its intentions comes from reading in between the lines of the head narcissist himself. The entire babble of nonsensical idiocy seems to ignore the fact that security is based upon trust. There is no reason to trust Facebook; they have abused the data that was handed to them and consistently tried every trick in the book to make money from that data. He keeps writing about what people want, things like security and privacy and non-permanence, yet he seems to miss the biggest one there is: choice. If he actually understood this then things would have never gotten this bad in the first place; the fact is that he has meticulously taken away our choices about how to use his services, both through buying up competing services (Instagram and WhatsApp) as well as constantly changing and removing privacy settings. Then we can talk about how any new settings that were introduced after being removed always defaulted to being as open as possible in hopes that users will forget to change those settings and they can make more money (Microsoft does this as well, clearly learning from Facebook).

    In the end the problem is that as much good intentions as that clown may have, nothing will actually change at the core. This is because Facebook makes money off of our data and even if he is a majority shareholder that doesn’t have to listen to the rest of the shareholders, he isn’t going to tank his personal investment in the company by having the company do something that will cause them to lose revenue.

    If I was ever able to talk to him one on one, my reply to all of this would be: “It’s too late to close Pandora’s box; if you want to be taken sincerely then divest and use that money to fight back against the devils you have created.”

    from the last paragraph of his rant: “I believe we should be working towards a world where people can speak privately and live freely knowing that their information will only be seen by who they want to see it and won’t all stick around forever. If we can help move the world in this direction, I will be proud of the difference we’ve made.”

    BWAHAHAHAHAHAHA, sure after you took it and ran in the other direction, NOW you want to nudge the pendulum back the other way just a smidge so you can be filthy rich and slightly proud. Virtue signaling at its finest, those are the words of a man who has truly lost touch with reality.

    1. Also, a lot of people need to tell him to his face to rein in the far-leftist-friendly way suspensions and bans are applied. It’s getting so bad that conservative Facebook users are getting bans merely for posting links to news articles on CNN and other left-leaning sites. I’m Facebook friends with one of the most often banned SciFi authors on there. Despite the limits he’s applied to his account, Facebook has been digging up stuff from long ago and re-banning him for it. He even got a ban for posting a picture that had “nudity”. It was a photo of his fully clothed toddler drinking chocolate milk. Several other people got bans for the same BS reason when they re-posted the picture.

      The short of it is he’s an outspoken critic of all things socialist, communist, Democrat, and Zuckerberg – and they can’t take the heat.

  7. Is “This Week in Security” destined to be a Hackaday feature? Respectfully, IMO this contains a lot of editorializing tossed into something packaged as a news report. As written, the cyber paragraph had little value pertaining to security.

    1. This one was heavier on editorializing, yep. The “cyber” story was talked about in a few different places, but so far there is absolutely nothing of substance to go along with it. I was making a very tongue-in-cheek reference to the non-story nature of the whole thing.

  8. Well, being an old school hacker from days gone by, I’m always suspicious of people’s motives and agendas. You want to give me something for free? What do you get out of it? No one in this world does anything for free. The bill always comes due at some point in time. At a store, I was once told “We need this info”. My reply was, I’m a computer programmer, computers don’t have needs. When it comes right down to it, the only person you can truly trust is yourself. Even though I don’t use Farcebook anymore, I don’t miss it.

    Companies want your email address so they can send you crap you didn’t ask for. Nowadays, a lot of places want your phone number. What if you really don’t have a phone? What do they do then? I’m of the school of thought that the less people know about me, the more advantageous it is for me. Those store rewards cards? I don’t use them. It all boils down to what I said above, you want to give me something for free? Then you want something in return. Look at all the data breaches that companies have had over the last five years, and those are just the ones that have been publicized. What about the ones you don’t hear about?

    I can understand places that deal with domestic violence that hide their number, but these robocallers that spoof numbers to try to get you to answer, they want something. If you want me to buy something, use your real number. Why would I buy something from someone who doesn’t know me, who lies to me at first contact? A scammer doesn’t care who you are, they don’t care who they hurt, all they care about is how much money they can scam. Security begins with you. It takes 21 days to form a habit. If you form a habit of thinking to yourself, what does [insert here] want [this information] for? What do they get out of it? As far as denying me services, fine, there’s always somewhere else to go. I once had a cashier ask me why I still used cash, my answer, it’s anonymous, accepted anywhere and no one asks questions. So next time someone says “We need this info” ask, “Who’s we?” and watch the flustered look on their face. It’s comical and priceless.

    Once about 30 years ago I got a call from a telemarketer and one thing he said gave me pause. He said “we thought you’d like” and my interruption to him was, so you get paid to think for me? Wow, I’d like a job like that? Does it pay well? Threw him off his script and he disconnected the call. A lot of scams rely on a knee-jerk reaction. It needs to be done “now” or else. That’s what scammers hope for, and once you get duped once, you get put on a “sucker list” and your info is sold for pennies on the dollar.

    Lastly, my phone number is mine, not to be used to try to sell me something I didn’t ask for. I’d think after over half a century on this planet, I can think for myself and decide if I want something, and getting that something while protecting my privacy.

  9. “Don’t ever give an online service the password to a different service.”
    Not to disagree (I do agree with you), but that rules out services like Mint.
    Yes, it is something everyone SHOULD evaluate before giving financial login information to some such site, but if you decide you trust them enough (Intuit has a lot of people’s tax information, they OUGHT to be trustworthy), then using Mint violates the rule for a (arguably) good purpose. Following the rule means you cannot really use Mint. It is a decision you have to make for yourself, informed.
