It was the week of Zuck. As Facebook founder and CEO Mark Zuckerberg slogged through more than 10 hours of testimony in front of two different Congressional committees, privacy and security advocates were listening for anything they could glean about how Facebook manages data, implements privacy protections, and helps users make informed choices—or doesn’t. Neither session delved as deeply as it could have into specific information about Russian goals and strategies in conducting information operations on Facebook during the 2016 US elections. And Facebook admitted this week that the data consulting firm Cambridge Analytica could have accessed private Facebook messages, on top of everything else, for the 87 million users that were in its reach. Here’s how to check if you were one of the users caught in Cambridge Analytica’s dragnet.
Meanwhile, researchers have found a troubling “patch gap” in the software updates many Android handsets will claim to have installed versus what patch code is actually present on the phone. In other words, your Android phone may be lying to you about being fully up to date. A new report indicates that attackers are actively exploiting a vulnerability in devices like routers and video game consoles that researchers have been warning about, in vain, since 2006. And it turns out that emergency siren equipment sold by the Boston-based company ATI Systems and used in municipalities around the US isn’t adequately encrypted to protect against system tampering or even sabotage.
The internet infrastructure company Cloudflare announced this week that it is expanding its DDoS defense and other web security protections onto corporate networks beyond the public internet. The nonprofit Mozilla Foundation assessed the state of the internet in its first “Internet Health Report,” and found that while more people around the world are gaining web access—and those connections are becoming more secure—internet censorship is also on the rise and online harassment is more severe than ever. And hackers infiltrated the YouTube accounts of the music video distribution group Vevo on Tuesday, defacing numerous videos and taking down the most-viewed offering currently on YouTube, “Despacito.” Don’t worry, it’s back up now.
And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
On Friday, a Russian court gave the communications oversight body Roskomnadzor authority to ban the secure messaging app Telegram, because the app has not provided a backdoor for the Russian government to decrypt and surveil messages sent on the platform. Telegram’s lawyers did not appear at the hearing, and the court made its decision in 18 minutes.
Telegram, which has 200 million users and is favored by extremists from groups like ISIS, has pushed back against Russian laws that mandate cooperation with the country’s invasive surveillance regime. Telegram argues that it cannot offer a backdoor, because the service is designed such that there is no master-key that can decrypt communications sent on the platform. The company’s founder, Pavel Durov, is Russian and left the country in 2014. Meanwhile, Telegram’s trustworthiness is controversial in the security community. Critics argue that its encryption schemes have not been fully vetted and that the app may not actually be secure.
Ransomware causes all sorts of ills—technological, emotional, monetary—but one new strain seems relatively harmless. Playful, even, to the extent that malware that encrypts all of your files until you meet its demands can be playful. Rather than demanding money, the so-called PUBG ransomware simply asks that you play the popular video game PlayerUnknown’s Battlegrounds for an hour. And in actuality, it appears to unlock your files after you’ve played for three seconds. Or, if you don’t want to play at all, you can just enter the unlock code it gives you. Inconvenient and invasive? Yes! But also kind of quirky in a way you can’t get toooooo mad at? Maybe yes to that, too.
If you’re wondering how China’s surveillance state is coming, the latest out of Nanchang might interest you. Police reportedly picked up a criminal suspect at a concert thanks to the use of facial recognition technology, which picked the man out of a crowd of 60,000 people. China has an estimated 170 million CCTV cameras installed throughout the country, with 400 million more expected to go online over the next several years.
Exploiting a well-known vulnerability in Cisco routers, someone last weekend hacked Iranian systems and put up a message reading “Don’t mess with our elections” along with an American flag. The attack affected computers in the US and China, as well. And while it’s not clear who was responsible, you can at least be fairly certain that it wasn’t the US, which typically doesn’t use access into nation-state systems for random trolling. That’s more Russia’s gig.