New Facebook privacy features and bug bounty aim to repair damage

News roundup: New Facebook privacy features and updates to the company's bug bounty program are being rolled out. Plus, Drupalgeddon 2.0 threatens over 1 million sites, and more.

Facebook is making some changes following the Cambridge Analytica data privacy scandal, including new privacy features and additions to its bug bounty program.

The new Facebook privacy features will roll out to the mobile app "in the coming weeks" and aim to make privacy controls easier to find and use, according to a blog post from Erin Egan, vice president and chief privacy officer of policy, and Ashlie Beringer, vice president and deputy general counsel at Facebook.

Going forward, the privacy settings on Facebook will be on one central menu, rather than spread around different areas of settings. Users will also now have the option to turn on two-factor authentication and set preferences for the ads they see. Facebook also promises users the ability to better control what they share and with whom -- with the option to delete posts, likes, comments and so on.

"It's one thing to have a policy explaining what data we collect and use, but it's even more useful when people see and manage their own information," Egan and Beringer wrote in the blog post announcing the new Facebook privacy features.

The new feature called Access Your Information will enable users to see and manage the data they've shared with Facebook, as well as download a secure copy of it.

"It's also our responsibility to tell you how we collect and use your data in language that's detailed, but also easy to understand," the blog post said. "In the coming weeks, we'll be proposing updates to Facebook's terms of service that include our commitments to people. We'll also update our data policy to better spell out what data we collect and how we use it. These updates are about transparency -- not about gaining new rights to collect, use, or share data."

Facebook's new bug bounty

Beyond the new Facebook privacy features, the company also announced that, after the data misuse debacle, it plans to expand its bug bounty program to include rewards for finding third-party applications that misuse user data.

"Facebook's bug bounty program will expand so that people can also report to us if they find misuses of data by app developers," Ime Archibong, vice president of partnerships at Facebook, wrote. "We are beginning work on this and will have more details as we finalize the program updates in the coming weeks."

The new Facebook privacy features and the updated bug bounty program are only two of the steps Facebook is taking in an attempt to recover from the revelation that an app created by a professor at the University of Cambridge collected data from the profiles of over 270,000 users and then sold the data to commercial data analytics firm Cambridge Analytica -- which in turn allegedly used the information to target U.S. voters during the 2016 presidential election.

In other news

  • A critical vulnerability in the Drupal content management system has opened over one million websites up to attack. Attackers can exploit the vulnerability to take control of the affected websites. Jasper Mattsson, security researcher for the company Druid, discovered the vulnerability while testing the general security of Drupal. The vulnerability affects Drupal versions 6, 7 and 8 and was assigned a score of 21/25 on the NIST Common Misuse Scoring System scale, making it "highly critical." Version 6 reached end of life in 2016 and no longer receives routine patches, but the security advisory from Drupal said that patches are available for that version as well. So far, Drupal is not aware of any active exploitation of the vulnerability in the wild; however, this is not the first security issue the content management framework has encountered. Drupal 7 had a critical SQL injection vulnerability in 2014, which researchers dubbed "Drupalgeddon" because of its severity.
  • Cisco disclosed three critical vulnerabilities in its IOS XE operating system this week, two of which are remote code execution flaws. Cisco disclosed the flaws in a batch of 22 advisories -- the other 19 are rated "High" impact. Cisco attributed one of the critical vulnerabilities to improper validation of packet data: an attacker could send a crafted message to TCP port 4786 to cause a buffer overflow and trigger a device reload, execute arbitrary code or cause an indefinite loop that triggers a "watchdog crash." The second critical vulnerability is in the quality of service subsystem of IOS and IOS XE and could enable an attacker to cause a denial of service or execute arbitrary code. The third critical vulnerability enables unauthenticated attackers to log in to the device remotely. Cisco has released patches for all three vulnerabilities.
  • A new study says that Americans spent $1.4 billion on credit freezes following the massive Equifax data breach last year. According to security journalist Brian Krebs, nearly 20% of Americans froze their credit with a major credit bureau after the Equifax data breach was disclosed. Out of 1,000 adults surveyed, 32% spent $10 or less on a credit freeze and 38% spent $30 or more. The people who froze their credit were also mostly younger, with only 12% of baby boomers freezing their credit compared to 32% of millennials. Credit freezes were recommended by Equifax after it disclosed the breach, which affected 147.9 million U.S. consumers. The information exposed included names, Social Security numbers, birthdates, addresses, driver's license information and tax identification numbers.