NYU Researchers Decry Facebook's Decision to Disable Their Accounts, Cut Them Off From Essential Tools
Facebook is building a homomorphic encryption team, Flaws in NicheStack can affect OT devices sold by 200 vendors, Government uses pen registers to spy on WhatsApp, Facebook users, much more
Facebook Inc. disabled the personal accounts of a group of New York University researchers studying political ads on the social network, claiming they are scraping data in violation of its terms of service.
Facebook also cut the researchers off from Facebook’s APIs, a technology used to share data from Facebook to other apps or services, and disabled other apps and Pages associated with the research project, which is called NYU Ad Observatory. Facebook said it cut off the researchers to remain in compliance with a 2019 data privacy agreement with the Federal Trade Commission. The government punished the company for failing to police how outside developers collected data.
But Laura Edelson, a researcher at NYU’s Tandon School of Engineering, said, “Facebook is silencing us because our work often calls attention to problems on its platform.” (Kurt Wagner and Naomi Nix / Bloomberg)
Facebook is building a team of artificial intelligence researchers to study ways of analyzing encrypted data without decrypting it. Their research focuses on homomorphic encryption, which allows companies to reach and access data while keeping it encrypted.
The research could enable the social media giant to target ads based on encrypted Facebook-owned WhatsApp messages, although Facebook said it's "too early for us to consider homomorphic encryption for WhatsApp at this time." (Sarah Krouse and Sylvia Varnham O'Regan / The Information)
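To make the "compute on data you cannot read" idea concrete, here is an added example (not Facebook's or The Information's code, and unrelated to any WhatsApp design) of the textbook Paillier cryptosystem, whose additive homomorphism lets a party add up encrypted values without ever decrypting them. The primes, messages and the `sum_over_encrypted` helper are constructed for illustration; the tiny parameters are for readability only and are not a secure key size.

```python
# Added example: minimal textbook Paillier cryptosystem (additively homomorphic).
# Toy parameters for illustration only; a real deployment needs 1024-bit or larger primes.
from math import gcd
import secrets


def _lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """Build a Paillier key pair from two distinct primes p and q (constructed inputs)."""
    n = p * q
    lam = _lcm(p - 1, q - 1)          # Carmichael function lambda(n)
    g = n + 1                         # standard generator choice; makes mu easy to compute
    mu = pow(lam, -1, n)              # with g = n + 1, L(g^lam mod n^2) == lam
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) with fresh randomness r, so repeated encryptions differ."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover m from ciphertext c using the private key (lam, mu)."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    L = (pow(c, lam, n2) - 1) // n    # the Paillier L function, L(u) = (u - 1) / n
    return (L * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: E(m1) * E(m2) mod n^2 decrypts to m1 + m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Homomorphic scalar multiplication: E(m)^k mod n^2 decrypts to k * m."""
    n, _ = pub
    return pow(c, k, n * n)


def sum_over_encrypted(pub, priv, values):
    """Simulate an untrusted aggregator: it only sees ciphertexts, yet the key holder
    recovers the sum of the plaintexts. Returns that decrypted sum."""
    ciphertexts = [encrypt(pub, v) for v in values]   # produced by the data owner
    acc = encrypt(pub, 0)                              # aggregator starts from E(0)
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)               # aggregator never decrypts
    return decrypt(pub, priv, acc)                     # only the key holder can do this


if __name__ == "__main__":
    pub, priv = keygen(17, 19)        # constructed toy primes; n = 323
    print(sum_over_encrypted(pub, priv, [40, 55, 120]))   # 215, computed on ciphertexts
```

The practical caveat the scheme makes visible: the aggregator learns nothing about individual values, but whoever holds the private key learns the result, so homomorphic encryption relocates trust rather than removing it, and it only supports the operations the scheme is homomorphic for (here addition and scaling; not arbitrary computation).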
Researchers from Forescout Research Labs and JFrog Security Research found fourteen critical and high-risk vulnerabilities in a proprietary TCP/IP stack called NicheStack that's widely used in operational technology (OT) devices from up to 200 vendors.
Among the devices affected are programmable logic controllers (PLCs), such as the Siemens S7, which are the building blocks of industrial automation and are used in critical infrastructure sectors. (Lucian Constantin / CSO Online)
The UK’s Ministry of Defense paid out its first bug bounties to ethical computer hackers who hunt for vulnerabilities following a months-long “hacker security test” conducted with HackerOne.
The contest's rules limited testing to web-facing systems and barred automated mass scanning and phishing, among other criteria. The Ministry did not release information about the size of the bounties. (Gareth Corfield / The Register)
Pen registers are a little-understood, potentially privacy-endangering surveillance method that the U.S. government frequently uses on Facebook and its hugely popular messaging tool WhatsApp. This surveillance is evidenced by a July application by the Drug Enforcement Administration in Ohio to conduct surveillance on seven WhatsApp users.
The surveillance is legal under the Pen Register Act within the Electronic Communications Privacy Act of 1986. Courts have upheld that this Act does not violate the Fourth Amendment, which protects Americans from unreasonable searches, obviating the need for law enforcement to show "probable cause" when seeking pen register surveillance. (Thomas Brewster / Forbes)
The local crime-tracking app Citizen, which advocates say already pushes privacy boundaries, is now offering customers access to a live safety agency when they are in “stressful or uncertain situations” in a service called Protect.
The new version can listen for user screams and offers a feature called Distress Detection that uses an algorithm to monitor a user’s mobile handset's microphone for sounds that “indicate trouble.” (Boone Ashworth / Wired)
Researchers at Sophos say that Raccoon Stealer, a stealer-as-a-service, has been upgraded by its developer to steal cryptocurrency alongside financial information.
Among the upgrades is the use of droppers disguised as installers for cracked and pirated software instead of the usual spam delivery method. (Charlie Osborne / ZDNet)
Researchers at the security consultancy Dolos Group say that hackers with access to a targeted laptop that meets prevailing security protocols can gain the ability to write not only to the stolen laptop but also to the fortified network it was configured to connect to, all within thirty minutes.
In an attack akin to the infamous "Evil Maid" attack, the intrusion works by exploiting the inadequacies of the trusted platform module (TPM), a heavily fortified chip installed on the motherboard that communicates directly with other hardware installed on the machine. (Dan Goodin / Ars Technica)
Related: Dolos Group
Facebook-owned WhatsApp unveiled View Once photos and videos, which vanish from a chat after they've been opened, "giving users even more control over their privacy."
WhatsApp says that View Once media is protected by end-to-end encryption. (Abrar Al-Heeti / CNET)
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a 59-page technical report containing guidance for hardening clusters running the container orchestration software Kubernetes.
But because the container-oriented Kubernetes and Docker model is unlike traditional, monolithic software platforms, many system administrators have problems configuring Kubernetes to work securely. (Catalin Cimpanu / The Record)
Thoma Bravo-owned Sophos has announced its second takeover in as many weeks with the acquisition of Seattle-based DevSecOps startup Refactr, which offers an automation platform that helps cybersecurity and DevOps teams to operate collaboratively.
This deal follows Sophos’ announced acquisition of Braintrace, a cybersecurity startup that provides organizations visibility into suspicious network traffic patterns. The terms of the deal were not disclosed. (Carly Page / TechCrunch)
In its fifth cybersecurity acquisition so far in 2021, Deloitte & Touche said it acquired aeCyberSolutions, the industrial cybersecurity business of Applied Engineering Solutions, or aeSolutions.
The other Deloitte acquisitions this year include the assets of cyber threat hunting provider Root9B, LLC (R9B), cloud security posture management (CSPM) provider CloudQuest, Inc., digital risk protection company, Terbium Labs, and Zero Trust network access (ZTNA) provider TransientX. (Joseph F. Kovar / CRN)