Cyber Security News Update 12/14/2018

China has arrested another Canadian citizen, and it continues to claim that the arrests are not in response to the detention of the Huawei CFO by Canadian authorities at the behest of the United States. Michael Spavor was arrested by the Chinese intelligence agency for partaking in actions that “threaten the safety of China”, and no other information has been provided. Mr. Spavor works in China running a company that organizes trips into North Korea and has managed trips for people such as Dennis Rodman into the region. The PRC claims that these arrests are unconnected with the arrest of the Huawei CFO, but it also warned Canada of “dire consequences” and “paying a heavy price” if it continued to uphold the US’s request. Ms. Meng remains in Canadian custody while she is involved in an extradition trial, as Canadian authorities required one before they hand Ms. Meng over to the United States. The United States claims that Ms. Meng helped evade the sanctions against Iran by providing products made in the United States to Iran. Although the Chinese government has not officially described the arrests as retaliation for Ms. Meng’s arrest, its news agencies have been quick to make the statement and praise it. These news agencies are calling for Meng to be released so that the Canadians who have been arrested can return home.
Source: China confirms arrest of second Canadian

Facebook has had another breach of its users’ data due to poor API coding, this time allowing approximately 5.6 million users’ photos to be viewed without their permission. This includes photos that users had uploaded to Facebook but never shared with anyone else, as well as Facebook Market photos and photos with a restricted audience. Facebook has merely commented that they “are sorry” for the inconvenience but has done little else in the way of actually apologizing. If any of those affected were from the EU, then Facebook may be in for another GDPR fine. This is especially true because Facebook waited until after it had patched the issue to report it, which took longer than the 72 hours permitted by GDPR, although Facebook can file a reason for why it took longer than 72 hours to report. If the ICO accepts this answer then Facebook will avoid a fine, though with Facebook’s string of data issues lately and general ignorance of the European Union it may not get off that lightly. Facebook has had several breaches and security incidents this year, and there are fears that Facebook is simply too large to secure. There are very few organizations, or countries, with as much data to protect as Facebook has. A question of scale is one to consider, although Facebook’s own design process has repeatedly been stated to be “fast with broken things” instead of slow and safe. It seems that it is time for a change of culture at Facebook, though whether or not they swing that way is a question we can’t answer.
Source: Facebook bug exposed up to 6.8M users’ unposted photos to apps