Facebook monetizes 2FA, Singapore monetizes hacker, and ransomware creeps monetize US Democrats

Roundup One or two things happened this week on the security front, like the elimination of the White House cyber czar, the massive leak of code from Aeroflot , and the debut of UEFI rootkits.

A few other stories may have slipped your radar this week. Such as:

The (other) Facebook privacy fsck up

When they weren't losing tens of millions of user account log-ins this week, the folks over at the house of Zuck were taking heat for another privacy blunder, this time involving two-factor authentication.

It seems Facebook has been using the phone numbers users submit for two-factor authentication to help target ads, using numbers intended for account recovery to also help narrow down a user's location and interests.

It should be noted that Facebook isn't actually selling or providing any advertisers with the numbers (which is why you're reading this in the roundup and not a banner story, or possibly a report on legal action).

Rather, when an advertiser submits ads to run on the social network, Facebook itself uses your phone number to help target the ads, selecting places you have shopped at (and given your phone number) or nearby services and companies. Still, not a great look, and a huge disincentive for customers to set up a 2FA option that should be a no-brainer.

BBFC: Brit Bureaucrats' Files Compromised

Hat tip to Reg reader Colin McDermott for discovering and reporting this incident with the British Board of Film Classification. McDermott said the BBFC along with a few other sites had apparently been compromised to serve up spammy search result links:

Did a little security research tonight, letting sites know they have been hacked. A few schools, an NHS site, and probably most interestingly I just discovered the British Board of Film Classification site is currently hacked. Will let someone know about that in the morning... pic.twitter.com/c8HMyT3lWq

— Colin McDermott (@colinmcdermott) September 28, 2018

The BBFC tells us it got McDermott's report and the offending code has since been scrubbed, though the damage may have already been done.

"From what I can see Google first cached some of the content on the 8th of August," our man tells us.

"So it has been live for quite a long time, potentially nearly two months."

$700k bill for Penn Dems in ransomware outbreak

This year, the Democratic party has been racking up record amounts of money in its fundraising efforts.

That is good news for the Pennsylvania branch of the party, who finds itself faced with a $700,000 bill from Microsoft to restore its systems in the wake of a massive ransomware attack.

According to TribLive the attack occurred in March 2017, with an infection encrypting the party's PCs and data with the demand of around $30k worth of Bitcoin.

Instead, the party opted not to pay the ransom, lost their data, and called in Redmond to come clean up the mess, to the tune of nearly three-quarters of a million.

Let's not make this a lesson on whether or not you should pay ransomware operators (that doesn't always work either). Rather, it should be a lesson to make regular backups and be ready to restore data when something like this happens.

I was born a coal miner's DDoSer

Did you know that there's a big coal controversy in Germany? Well, you do now, as the battle has been taken to cyberspace.

Energy company RWE says its site was taken offline earlier this week in a distributed denial of service attack from an unknown source intent on crippling access to its site for an extended period of time.

As Heise notes, the attack is likely the work of people allied with environmental activists who have opposed to the company's controversial mining activities in the Hambach Forest.

For now, it appears the attack was limited to the DDoS, and no other intrusions or data theft was reported.

Qualys surfaces EoP bug in Linux

Researchers with Qualys this week disclosed a potentially nasty elevation of privilege vulnerability in Linux.

The security company says the flaw, designated CVE-2018-14634, would potentially allow an attacker to gain root privileges.

"We discovered an integer overflow in the Linux kernel's create_elf_tables() function: on a 64-bit system," Qualys explains. "A local attacker can exploit this vulnerability via a SUID-root binary and obtain full root Privileges."

Fortunately, Ovum said that most Linux builds have already patched the bug, making real-world export pretty unlikely. Still, users and admins will want to keep an eye out for any updates and apply them when need be.

Hacking pays (the government)

File this to: could have been worse. Tencent researcher Zheng Dutao has been hit with a fine by the government of Singapore for hacking the Wi-Fi network at his hotel.

Apparently, Dutao had been staying at the Fragrance Hotel in Singapore for this year's Hack-in-the-Box conference when he decided to break into the hotel's network gateway (via a default password) and take a look around, eventually finding and re-posting the login credentials for the hotel's telnet and MySQL database.

After authorities found out, they arrested Dutao and, last week, handed down a bill for $5,000 Singapore (about $3,600 USD). ®