Apple, Amazon in a Tussle with Bloomberg over Spy Chips Report

In our latest security news digest, we delve into the brouhaha over Chinese spy chips, check out the latest in Facebook’s investigation of its recent hack, and look at Google’s controversial decision to delay disclosing a potential data breach.

Bloomberg’s spy chip report stuns tech industry, then draws skepticism

The hyperactive cyber security news cycle reached another intensity level when Bloomberg reported the presence of Chinese spy chips in servers used by Apple, Amazon and other major U.S. companies. But did the global news agency get the story right?

Citing numerous anonymous sources, Bloomberg stated that China surreptitiously modified server hardware and embedded tiny chips in motherboards to snoop on about 30 large American businesses.

The Chinese government reportedly did this by tampering with parts built in China by suppliers of Supermicro, a U.S.-based Fortune 1000 designer and maker of servers.

“In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies,” Bloomberg’s article reads.

But Bloomberg, which doubled-down on the original article with a follow-up, has become part of the story, as more and more parties question the accuracy of its bombshell reports.

Apple, Amazon and Supermicro immediately issued strongly-worded denials. But the drumbeat of skeptics has been growing. It now includes the U.K.’s national cyber security agency, the U.S. Homeland Security Department, one expert quoted in the article, and a variety of industry observers.

“The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories,” reads the headline of a Motherboard article.

As the security industry debates the Bloomberg reports, the larger issue of supply chain risk, whose reality no one questions, has been placed in the spotlight.

“It is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter,” wrote Brian Krebs in a post titled “Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?”

Bruce Schneier, CTO at IBM Resilient, called supply-chain security “an insurmountably hard problem,” and pointed out that the U.S. IT industry is “inexorably international.”

“Anyone involved in the process can subvert the security of the end product. No one wants to even think about a US-only anything; prices would multiply many times over,” he wrote. “We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.”

So what should companies do to protect themselves against spy chips? Writing in Sophos’ Naked Security blog, Paul Ducklin recommends partitioning networks, using two-factor authentication and keeping and using logs.

More information:

The tech giants, the US and the Chinese spy chips that never were… or were they? (The Guardian)

Doubts Swirl Around Bloomberg’s China Chip Hack Report (Fortune)

The security community increasingly thinks a bombshell Bloomberg report on Chinese chip hacking could be bogus (Business Insider)

Why I don’t believe Bloomberg’s Chinese spy chip report (CSO Magazine)

Facebook’s data breach: Not as bad as originally thought, but still very bad

In a much awaited update about its recent hack, Facebook said attackers stole personal data from about 29 million account holders.

The type and amount of data nabbed by the hackers varied. In all cases, it included names and contact details, such as phone numbers and email addresses.  For 14 million, the breach was deeper, including their current city, birthdate, work information, recent location check-ins, and latest search queries.

Attackers also fully took over 400,000 accounts. This allowed them to see those users’ posts, friends, groups, and Messenger chat names, including in some cases Messenger chat content. The hackers got access tokens for another 1 million accounts but didn’t access any of their information.

When it disclosed the breach in late September, Facebook preliminarily said as many as 90 million accounts could have been accessed.

While the number of compromised accounts is lower than originally feared, the swiped data is the type that can be used to steal identities and carry out scams. It’s also the type of personal information increasingly protected by severe privacy regulations worldwide, such as the EU’s General Data Protection Regulation (GDPR).

The data breach, possibly Facebook’s worst ever, was made possible by a software bug introduced by the company in July 2017 that allowed attackers to obtain account access tokens. The vulnerability is triggered in a specific scenario involving the “View As” feature and a video uploader.

Facebook first noticed suspicious activity more than a year later, in mid-September of this year, and confirmed the attack a week or so later.

Here’s what didn’t happen. Attackers didn’t access third-party accounts into which affected users log using their Facebook credentials, like AirBnB. They also didn’t gain access to passwords nor credit card data.

Other Facebook properties weren’t attacked, such as Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, advertising and developer accounts.

The investigation is ongoing, with law enforcement agencies, including the FBI, participating.

More information:

How Facebook Hackers Compromised 30 Million Accounts (Wired)

Facebook Hack Included Search History and Location Data of Millions (New York Times)

In Facebook’s massive breach, the hackers’ friends were the first victims (Cnet)

Google catches flak over personal data exposure

Facebook isn’t the only tech giant that’s been dealing with a security issue in its social network. Shortly after Facebook disclosed its breach, Google announced its decision to shut down its Plus social network for consumers, and said a leaky API had exposed personal data of users.

The API bug, discovered and patched in March but disclosed this month, gave developers of third-party apps access to Google Plus profile information that was supposed to be private, including the user’s name, email address, occupation, gender and age.

Because the API’s log data is kept for two weeks, Google said it can’t confirm which users were impacted, but said up to 500,000 Plus accounts were potentially affected, and that as many as 438 apps may have used the API.

An internal Google investigation yielded no evidence that developers were aware of the bug, that the API was abused, or that any profile data was misused.

Google has been criticized for not disclosing the API bug sooner. Citing internal Google sources and documents, The Wall Street Journal reported that the search giant kept quiet “in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.” Google maintains it acted appropriately.

“Nobody was using Google Plus so there will not be an impact to users. Not sure what will happen with GDPR fines,” wrote SANS Institute instructor Stephen Northcutt.

Google Plus will live on as an enterprise social network, to be used in work settings for collaboration and communication.

More information:

RIP Google Plus: Shutdown announced after API bug exposes 500,000 users’ details (CSO Magazine)

Exclusive: Audit cleared Google privacy practices despite security flaw (The Hill)

Google chose not to go public about bug that exposed Google Plus users’ data (Graham Cluley)

In other news …

• A phishing scam that leverages PDFs and public cloud services from Microsoft and Google has been detected by Netskope, whose researchers call it “particularly convincing and difficult to recognize as phishing.”

• The group behind the notorious Magecart credit card skimming malware struck again, this time affecting Shopper Approved. Other recent victims include Ticketmaster, British Airways and NewEgg.

• Home and office routers are a vulnerable bunch, with 83% containing bugs that could be exploited by attackers, according to a study from the American Consumer Institute.

• Webcams made by Xiongmai are vulnerable to remote code execution, according to SEC Consult.

• A lost USB stick found by a passerby in London contained confidential and extremely critical security information about Heathrow Airport. “Using authorized USB flash drives which are both encrypted and password-protected is a good way to mitigate the risks of both lost drives and insertion of unauthorized devices,” wrote SANS Institute analyst Lee Neely.

• U.S. weapons systems developed in recent years contain software vulnerabilities that make them relatively easy to hack, the U.S. Government Accountability Office (GAO) has found.

• The major browser makers — Apple, Google, Mozilla and Microsoft — have announced they’ll be pulling support for TLS 1.0 and 1.1 by early 2020.