Researchers at security firm UpGuard have found a significant number of Facebook users’ records exposed on a public storage server.  

According to the researchers, two batches of scraped user records were collected and exposed from two third-party companies.  

Mexico-based digital media company Cultura Colectiva left more than 540 million records, including comments, likes, reactions, and account names stored on the Amazon S3 storage server without a password.  

Separately, a backup file from Facebook-integrated app “At the Pool” was also found exposed to the public via an Amazon S3 bucket. The data exposed included users’ friends lists, interests, photos, group memberships, check-ins, and plaintext passwords for more than 22,000 users.  

According to UpGuard, Cultura Colectiva failed to respond to requests to have the data removed, but the data was eventually secured. The “At the Pool” dataset was taken offline before a formal notification email was sent, and the app itself is no longer active.  

The NCSC has published a blog post discussing the risks associated with leaving sensitive data exposed in unprotected AWS S3 buckets. We also recommend policies that organisations can implement to make it easier to be secure. 
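The exposures above came down to S3 buckets that anyone could read. As an added example (not NCSC, UpGuard or AWS tooling), the script below flags the two conditions that produce such a bucket: an ACL grant to the AllUsers or AuthenticatedUsers groups, and a Public Access Block configuration that is missing or not fully enabled. The pure functions take the dicts that boto3's `get_bucket_acl` and `get_public_access_block` return; the bucket names and ACL data are constructed for the example, and `audit_live_buckets` is a hypothetical wrapper that needs boto3 and AWS credentials.

```python
"""Audit S3 bucket ACLs and Public Access Block settings for public exposure."""
from typing import Dict, List

# AWS predefined groups; a grant to either makes the bucket public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}
# The four Public Access Block settings; each should be True on a locked-down bucket.
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict) -> List[str]:
    """Return '<Permission> to <Group>' for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append(f"{grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def public_access_block_gaps(config: Dict) -> List[str]:
    """Return the Public Access Block settings that are absent or False."""
    return [s for s in BLOCK_SETTINGS if not config.get(s, False)]


def audit_bucket(name: str, acl: Dict, pab: Dict) -> Dict:
    """Combine both checks; the bucket is flagged if either finds a problem."""
    grants, gaps = public_acl_grants(acl), public_access_block_gaps(pab)
    return {"bucket": name, "public_grants": grants, "missing_blocks": gaps,
            "exposed": bool(grants) or bool(gaps)}


# Constructed sample data: an open bucket like those in the report, and a locked one.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
LOCKED_ACL = {"Grants": [OWNER_GRANT]}
LOCKED_PAB = {s: True for s in BLOCK_SETTINGS}


def audit_live_buckets() -> List[Dict]:
    """Hypothetical wrapper: run the same checks on every bucket in the caller's account."""
    import boto3
    from botocore.exceptions import ClientError
    s3, results = boto3.client("s3"), []
    for b in s3.list_buckets()["Buckets"]:
        try:
            pab = s3.get_public_access_block(Bucket=b["Name"])["PublicAccessBlockConfiguration"]
        except ClientError:  # NoSuchPublicAccessBlockConfiguration: nothing is configured
            pab = {}
        results.append(audit_bucket(b["Name"], s3.get_bucket_acl(Bucket=b["Name"]), pab))
    return results


if __name__ == "__main__":
    for name, acl, pab in (("open-bucket", OPEN_ACL, OPEN_PAB), ("locked-bucket", LOCKED_ACL, LOCKED_PAB)):
        print(audit_bucket(name, acl, pab))
```

The account-wide Public Access Block (the `s3control` API) overrides the per-bucket setting, so a clean result here should be paired with that control being enabled as well.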

36 vulnerabilities in LTE 4G standard could enable data interception

A team of researchers at the Korea Advanced Institute of Science and Technology (KAIST) have discovered a collection of flaws in the Long-Term Evolution (LTE) standard which could allow an attacker to send spoofed messages and intercept data traffic.

The team discovered 51 vulnerabilities in the 4G standard, comprising 15 known issues and 36 previously undiscovered flaws.

The researchers discovered the vulnerabilities using a code-testing technique known as ‘fuzzing’ and a tool of their own making dubbed ‘LTEFuzz’. Fuzzing is performed by feeding large amounts of structured and unstructured data into a process to test it for anomalous behaviour.

The team plan to share LTEFuzz with mobile network operators and device vendors to help improve network security.

The full list of vulnerabilities discovered can be found here.

You can read more about the UK’s approach to telecoms security in a recent blog post written by the NCSC’s Technical Director, Ian Levy.  

Hacker who blackmailed porn users jailed following cyber crime investigation

A hacker who made hundreds of thousands of pounds blackmailing the users of porn sites around the world as part of the UK’s most serious cyber crime case, has been jailed for six-and-a-half years following a National Crime Agency investigation.

Zain Qaiser, 24, was a member of an international, Russian-speaking organised crime group that targeted victims in more than 20 countries. He bought advertising traffic from pornographic websites on behalf of the group, using fraudulent identities and companies to pose as legitimate online advertising agencies. Once advertising space was secured, the crime group would host and post advertisements laced with malware.

Once victims clicked on the ads they were redirected to another website hosting highly sophisticated malware strains, including the infamous Angler Exploit Kit (AEK). Users with exploitable vulnerabilities would subsequently be infected with a malicious payload.

One of those malicious payloads was a piece of software called Reveton – a type of ransomware that would lock a user’s access to the desktop. Once locked, the infected device would display a message purporting to be from a law enforcement or government agency, which claimed an offence had been committed and that the victim had to pay a fine of between $300 and $1,000 in order to unlock their device.

The campaign infected millions of computers worldwide across multiple jurisdictions.