A Hidden Nest Secure Mic, Facebook’s Dead VPN, and More Security News This Week
Credit to Author: Brian Barrett| Date: Sat, 23 Feb 2019 14:00:00 +0000
The Mueller investigation has lasted so long, it's easy to forget that it'll end at some point. In fact, according to recent reports, it may wrap up as early as next week. But what does that mean exactly? We took a look at seven distinct possibilities, from fizzle to fireworks. As though the border wall "national emergency" wasn't enough to worry about.
Speaking of Russia, we profiled Roman Dobrokhotov, an investigative journalist in Moscow who risks everything in pursuit of unmasking members of the Kremlin's GRU intelligence agency. And we looked at how, by at least one metric, Russian hackers dominate the competition.
It wouldn't be a week in security without Facebook news. The company introduced a new location privacy setting for Android users that you should not hesitate to toggle. And it's so hard to tell fact from fiction these days, in no small part because Facebook pushes both to its billions of users.
We had some good ol' fashioned hacking, too. ATM malware is so easy to write that criminals have basically turned it into a slot machine. We took a look at credential stuffing, which is how hackers turn those huge breaches into gold (or stolen identities, at least). And NATO catfished soldiers to prove a point about, well, how easy it is to catfish soldiers, apparently.
But wait, there's more! Each week we round up all the news we didn’t break or cover in depth. Click on the headlines to read the full stories. And stay safe out there.
Nest Secure owners got an unpleasant surprise this month when Google announced that the Nest Guard hub could now double as a Google Assistant. Why the concern? Because Google never mentioned that the Nest Guard had a microphone in the first place. Google has since called the omission "an error on our part," which, yes, it sure is! It also clarified that the microphone was off by default, and only activated if a user enabled it specifically. Still, though, it's hard enough for most people to sort through the various issues of knowingly letting a microphone-enabled device into your house. Finding one there by surprise—in something intended to keep you secure, no less—erodes trust at a time when Google and other voice assistant purveyors have precious little of it to spare.
Facebook's Onavo VPN app was always a transparently bad idea, a privacy-eroding market research tool masking as protection. Which is why Apple banned it last summer. And yet Facebook persisted, skirting the App Store's rules and hiding its involvement, relaunching Onavo as a research app that paid kids as young as 13 a small amount of cash to spy on everything they do online. No thanks! Anyways, after getting caught, again, for malfeasance, Facebook has finally pulled Onavo VPN from the Google Play Store as well, and shut off the data spigot it enabled. We'd say better late than never, but none of this should have happened in the first place.
Researchers at Oracle this week detailed an ad fraud operation that impacts apps with a combined 10 million Android downloads, including Draw Clash of Clans and Solitaire: 4 Seasons. The infected code sends invisible video ads to the device, which play undetected, draining your battery and using up as much as 10 gigabytes of data each month. You don't even have to have the app open to be affected. Ad fraud is a an ever-present scourge, but it's rare to see one of quite this scale and impact on your device. At least it's not cryptojacking?
Chrome extensions can be wonderful time savers and productivity tools. They can also be scary malware pits. But somewhere in between are the Chrome extensions that ask for a disconcerting amount of information about your browsing habits. When security firm Duo Labs surveyed 120,000 extensions, it found that one in three asked permission to access and read all of your data across every website you visit. Nearly nine in 10 had no privacy policy. That doesn't mean each of those is explicitly malicious. But take it as a good reminder to only install extensions from companies you trust, and only grant them permissions that they need to complete their purported task.
If for some reason you thought that attempts by Russia and others to influence US politics ended in 2016, well, friend, where have you been! But let this most recent news disabuse you of that notion. A "coordinated barrage" of disinformation has targeted leading Democrats, including Kamala Harris, Elizabeth Warren, Bernie Sanders, and Beto O'Rourke. It's not clear who's behind this flourish of activity, but with the presidential election still nearly two years away, expect it only to get worse from here. And for some deepfakes to enter the mix at some point as well.
https://www.wired.com/category/security/feed/