Updates

Facebook revealed it had discovered a security issue affecting millions of accounts on 25 September. The attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets users see what their own profile looks like to someone else. When composing a birthday wish message with video, as of July 2017 the attacker could exploit 'View as' option of the video uploader to get access to the profile of the user being looked up, including their log-in details. The access token was then available in the HTML of the page and extracted by the attackers who exploited it to log in as another user. Facebook reset the access tokens of the almost 50 million accounts thought to be affected and temporarily disabled the “View As” feature. On 12 October, Facebook announced hackers actually stole access tokens for about 30 million people, 20 million less than previously thought. For 15 million people, attackers accessed name and contact details (phone number, email, or both). For 14 million people, the attackers accessed name and contact details, as well as other details people had on their profiles, including username, gender, religion, birthdate, etc. For 1 million people, the attackers did not access any information.

The National Cyber Security Centre (NCSC) of the United Kingdom has attributed a “campaign of indiscriminate and reckless cyber attacks” to the GRU, the Russian military intelligence service. UK Foreign Secretary Jeremy Hunt stated that the GRU’s actions demonstrate “their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences”. The NCSC associated 12 threat groups with the GRU, among them APT 28, Fancy Bear, Sofacy, Voodoo Bear and CyberCaliphate (previously thought to be affiliated with ISIS). NCSC assessed with “high confidence” that the GRU was “almost certainly responsible” also for the BadRabbit ransomware of 2017, the release of confidential files of international athletes stolen from the World Anti-Doping Agency (WADA) in 2016, and attacks on the servers of the US Democratic National Committee in 2016. The NSCS also claimed the GRU attempted to compromise the UK Foreign and Commonwealth Office (FCO) computer systems via a spearphishing attack and gain access to the UK Defence and Science Technology Laboratory (DSTL) computer systems. At the same time, the UK Prime Minister May and The Netherlands Prime Minister Rutte issued a joint statement attributing the cyber attacks on the Organisation on the Prevention of Chemical Weapons (OPCW) to the GRU. Australia and New Zealand supported NCSC’s findings. The Russian Ambassador in London has denied the claims since. As some specialists point out, the attributions come at time of heated debates at the UN General Assembly around Russian proposals for the future of the UN Group of Governmental Experts and possible international treaties on cybersecurity and cybercrime.

Microsoft has launched Digital Peace Now initiative, inviting citizens to sign the petition and call upon world leaders to create rules to protect the global digital society. The initiative highlights the weaponization of the shared cyberspace and technology by governments, cautioning that these attacks may be devastating and may spread from the digital to the physical world. It therefore aims to stop cyberwarfare, underlining that there is no peace without digital peace. The initiative follows Microsoft’s call to governments for the Digital Geneva Convention, and its commitments to the principles of the Cybersecurity Tech Accord drafted by tech companies.

The Privacy International, an international NGO, published a press release stating that the UK’s intelligence agency, MI5, has admitted unlawfully collecting and examining private data from the Privacy International or their staff members through two of their surveillance programmes, Bulk Communications Data (BCD) and Bulk Personal Datasets (BPD). Privacy International’s executive director, Gus Hosein, sent a letter to the Home Secretary and Investigatory Powers Tribunal (IPT), expressing concern and requesting urgent action over the documents revealed during the course of Privacy International’s challenge to the BPD and BCD powers, which show that Privacy International was part of MI5's investigations because its data was part of the UK intelligence agencies vast databases. The case is currently pending before the IPT. In the letter, the NGO also asks about the changes to be made in the Investigatory Powers Act, the so-called Snoopers’ Charter, provisions as a result of the recent ECHR judgment.

During the press briefing, European Commissioner for Competition, Margrethe Vestager, announced that a preliminary antitrust investigation over Amazon has been opened in order to gather information about ways the company uses data. More specifically, it aims to examine how the company uses data that it gathers through transactions and from sellers on their marketplace, as well as to see if that data potentially gives Amazon a competitive advantage over merchants by having an insight into consumer behaviour. Questionnaires have been sent to merchants in order to ‘get the full picture’, however Vestager underlined: ‘We are at very early days, there are no conclusions yet, and the case has not been formally open yet.’ The media reports that the Amazon refused to comment.