This week’s security news includes hackers exploiting SS7 flaws to rob banks, Japan focusing on IoT vulnerabilities, and more.
Apple’s iOS FaceTime group calling feature was plagued by an embarrassing and serious security flaw this week, something that is rare for Apple but not unheard of. Apple took the drastic step of completely disabling group FaceTime because the flaw was so severe; the complete fix will arrive next week. Meanwhile, Facebook was criticized for paying users as young as 13 to download a mobile research app that granted the company intrusive access to all of their data and activity, including web browsing. The app did not meet Apple’s iOS privacy standards, and Facebook was distributing it via a platform flaw. Apple revoked both Google’s and Apple’s business certificates after it was discovered that both companies had engaged in a similar practice.
Facebook has hired three prominent privacy advocates, all of whom are critics of the company, as part of its ongoing efforts to reform, even though its epic privacy failure spree is still ongoing. Google continues its efforts to reduce phishing and other forms of online fraud by modifying how browsers display URLs.
Beyond the tech giants, hackers are distributing a cache of 2.2 billion stolen user records for free, demonstrating how prevalent compromised credentials have become as a result of previous data breaches. The US Intelligence Community and the Trump administration disagree on several global threats, which creates additional risk. And one watchdog researcher is advocating for a new mindset in which tech companies are not only responsible for defending their users, but must also consider how their platform or product can be abused.
But there is more! Each week, we round up the news that we did not break or cover in depth. Click on the headlines to read the full stories. And stay safe out there.
Facebook Removes a Cluster of Iranian Accounts Spreading Disinformation
On Thursday, Facebook removed an additional batch of fake pages that spread misinformation on the platform. According to Facebook, the perpetrators once again originated from Iran and this time targeted individuals worldwide, with a particular emphasis on the Middle East and South Asia. The group comprised 783 Facebook and Instagram pages, groups, and accounts, some of which dated back to 2010. Each was dedicated to disseminating false Iranian state media reports. Two million accounts followed at least one of the pages, and between May 2014 and May 2018, the imposters hosted eight events. This will remain a pressing issue for Facebook, which has recently demonstrated a greater commitment to transparency.
Amazon’s Client in Law Enforcement Is Not Utilizing the Company’s Facial Recognition Tool Properly
Amazon’s “Rekognition” facial recognition system has received repeated criticism for unreliability and possible bias. And the stakes are high, given that the company has marketed the system for a variety of consequential applications, including law enforcement. When researchers have pointed out issues with Amazon’s tool, the company has consistently responded that the problems do not occur if the system is calibrated to specific parameters. According to Amazon, law enforcement clients utilize these optimal settings. However, sources at the Washington County Sheriff’s Office in Oregon, the only law enforcement agency publicly cited by Amazon as using Rekognition, told Gizmodo this week that the department does not follow Amazon’s guidelines and has not received training to implement them. This does not necessarily imply that the Washington County Sheriff’s Office is doing anything wrong, but it does undermine Amazon’s claim that the issues discovered by researchers with Rekognition would not apply to law enforcement applications.
Attackers Use Telephony Protocol Flaw to Empty Metro Bank Accounts in the United Kingdom
SS7, a fundamental telephony routing protocol, has had known vulnerabilities for years and has been increasingly targeted by state-sponsored hackers and other well-resourced adversaries. Those exploits are now affecting the UK’s Metro Bank, according to Motherboard. Most SS7 attacks work by letting hackers intercept SMS text messages sent to users, particularly those containing two-factor authentication codes, which lets attackers take over user accounts and their contents with little effort. The reluctance of telecom companies to address SS7 insecurity has left consumers across many industries exposed to attack.
The Japanese government plans to hack tens of millions of Internet of Things devices
This month, the Japanese government will launch a nationwide survey to hack 200 million Internet of Things devices, including those in citizens’ homes. The hacking spree is not an act of aggression, however. It is intended to illustrate how susceptible embedded devices are to attack, due to factors such as weak (or nonexistent) login credentials, patching challenges, and overly trusting relationships between devices on the same Wi-Fi network. Japan approved the initiative in preparation for the 2020 Summer Olympics in Tokyo. At one point, Wi-Fi and database systems for the 2018 Winter Olympics in Pyeongchang, South Korea, were taken offline by hackers, including state-sponsored Russian hackers. Internet of Things device insecurity is a serious issue with no simple solution, so one must admire the Japanese government’s (arguably insane) plan to bring attention to it.