Facebook Wants Access to Your Nude Photos to “Protect You”!

In a somewhat strange proposal, Facebook wants you to send it sexually explicit photos of yourself to prevent revenge porn.

“It’s demeaning and devastating when someone’s intimate images are shared without their permission, and we want to do everything we can to help victims of this abuse. We’re now partnering with safety organizations on a way for people to securely submit photos they fear will be shared without their consent so we can block them from being uploaded to Facebook, Instagram, and Messenger.”

The idea was already trialed in Australia and is being rolled out in the UK this week. Facebook says that the US and Canada also will be included in the trial program, which goes something like this:

• If you find a revenge photo of yourself on the internet, then you can send a copy of it to Facebook.

• The picture will be reviewed by “one of a handful of specifically trained members of our Community Operations Safety Team”. This team member will create a unique fingerprint of the photo known as a hash.

• This hash is stored in a database. If anyone else uploads the same image to Facebook, Instagram and Messenger (i.e., an image that has the same unique hash “fingerprint”) then it will be recognized and automatically removed.

Users can also pro-actively send photos they dread being posted as revenge porn.

The idea sounds reasonable at the beginning but has two significant issues.

It is Unconvincing

The data from Australia’s trials has not been publicized yet, but Facebook stresses similar schemes have had success at checking the spread of terrorist propaganda and child abuse images.

The problem lies in the fact that hashes are very particular to the data being hashed. Guardian reports the hashes are good enough not to “get fooled by simple alterations such as color tweaks, watermarks or crops.” But there are doubts.

The fact that even the tiniest change to the input data will create a non-identical hash is the cornerstone of internet security: hashes are used to ensure the integrity and authentication of data.

Even if true, it would still be quite easy to modify an image adequately to “fool” Facebook’s hash detection software. There are numerous combinations of changes that could render hashing ineffective.

Other problems include distribution as by the time you discover revenge porn of yourself on the internet; it will probably have been shared already ruining your life.

The proactive uploading of images can work if you have possession of the comprising images. But in most revenge porn scenarios, this just isn’t the case.

Facebook Scandal! Remind You of Something?

Facebook’s total business model is based around finding as much information as it can about you to target even more personalized ads at you.

We are talking about a company that was recently in the news for a privacy disaster and this week a new court summoning for reading messages, tracking peoples’ location, and accessing photos on phones. The gathering of data from users without their consent is something well documented, but it is the collection of data about people who have never signed up to Facebook that make it outright creepy.

This scheme is contradictory in itself because of what Facebook is!

If you have concerns about or have been a victim of revenge porn, then you should contact an organization such as one of those listed below:

National Network to End Domestic Violence (NNEDV) (US)

Cyber Civil Rights Initiative (US)

Revenge Porn Helpline (UK)

Office of the eSafety Commissioner (Australia)

YWCA Canada(Canada)

 

SS7 Cell Network Extensively Exploited by “Nefarious Actors”

“I don’t think most Americans realize how insecure US telephone networks are. If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC, and wireless companies do something about it. These aren’t just hypotheticals.”

The above statement was made last week by Senator Ron Wyden (D-Ore.) after getting a letter from the Department of Homeland Security warning that “nefarious actors may have exploited” worldwide cellular networks “to target the communications of American citizens.”

Wyden on Tuesday explained the issue in a separate letter to Ajit Pai, chairman of the Federal Communications Commission (FCC) responsible for regulating interstate communications:

“Hackers can exploit SS7 flaws to track Americans, intercept their calls and texts, and hack their phones to steal financial information, know when they are at home or away, and otherwise prey on unsuspecting consumers. Moreover, according to multiple news reports, SS7 spying products are widely available to both criminal and foreign governments.”

Disturbingly, the letter reveals that:

“This threat is not merely hypothetical – malicious attackers are already exploiting SS7 vulnerabilities. One of the major wireless carriers informed my office that it reported an SS7 data breach, in which customer data was accessed, to law enforcement.”

There is no clarity whether the warning refers to state-sponsored entities acting for political gain or criminal hackers for financial benefit. It is also unclear who the wireless carrier is and the extent of the breach.

What is SS7?

Signaling System No. 7 (SS7) is a set of signaling protocols that provide the backbone for all mobile phone communication everywhere in the world. It enables phone networks to communicate among themselves to connect users and pass messages between systems, ensure correct billing, and to grant users to roam on other networks.

Image result for ss7

 

SS7 system, first developed in the 1970s is old in technological terms. Critically, no-one at the time thought of building any security measures into it.

It was known to be insecure at least 2008 onwards, and the situation has worsened in recent years. Previously there were only a few mobile networks, and now there are literally thousands worldwide. The industry made no changes as the risks were accepted to be purely theoretical.

This altered in 2014 when vulnerabilities in SS7 enabled hackers to record a somewhat embarrassing secret unencrypted phone conversation between the US ambassador to Ukraine, Geoffrey Pyatt, and US Assistant Secretary of State, Victoria Nuland, in which Pyatt was highly critical of the EU.

It was believed that using encrypted messaging apps such as WhatsApp, Facebook Messenger, Google Hangouts, and Viber, would secure communications.

However, in 2016, a security researcher showcased how hackers with access to the SS7 network could spoof users’ identities and set up fake accounts which would grant them access to messages belonging to users of many messaging apps that rely on phone numbers to authenticate users.

In 2017 O2 Telefonica in Germany confirmed that criminals used the SS7 network to bypass SMS-based two-factor authentication (2FA) to steal money from bank accounts.

Action Time?

Wyden lettered to the FCC urging the regulator to address the problem accurately and to compile a list of SS7 violations known to have happened over the last five years.

This is not the first instance for a call-to-action as in 2016, US congressman Ted Lieu (D-Calif.) made a similar plea, calling for an oversight committee investigation into SS7:

“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. … The vulnerability has serious ramifications not only for individual privacy but also for American innovation, competitiveness, and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”

The investigation took place, but the FCC working group responsible for it mainly comprised of telecoms industry lobbyists and not a single academic expert.

The SS7 -Spies Love It!

Initial concerns over the SS7 network was tracking; now there are fears of personal data being accessed from just about every phone user in the world.

As said earlier, it can be used to intercept encrypted communications and 2FA security measures.

According to the Washington Post, “American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance.”

Just this month news came out that US police can find the location of any phone in the country in seconds thanks to SS7. Worse still, barely days after this revelation came to light it was reported that this information was quite easy for hackers to access.

SS7 is a double-edged sword because security companies around the world thrive selling SS7 hacking tools to governments, police forces, and criminals with even benefitting from it. Brian Collins, chief executive of AdaptiveMobile Security, told the Washington Post about this.

Even with the knowledge of SS7 being a threat to US national security, it appears that the US government is least bothered about the problem. The driving factor could be that of SS7’s mass-surveillance capabilities which are too precious to kill off.

 

FBI Takes Control of Russian Botnet

The FBI took control of a massive botnet believed to have been run by hackers working for the Kremlin. The Malware, known as VPNFilter, was found by researchers working at CISCO Talos. VPNFilter grants hackers to hijack routers turning them into a malicious VPN network used by hackers to mask their actual IP address during subsequent attacks.

According to a report released on 23 May, the payload has been in the wild since 2016 at the very least. It is suspected to have infected around 500,000 machines covering 54 countries. Talos stated that the intricacy of the modular malware system likely means it was a state-sponsored attack.

FBI agents have stated that the threat actor is probably Sofacy – a collective hacking run by the Kremlin that has been notorious under a multitude of names over the past five years like APT28, Sednit, Fancy Bears, Pawn Storm, Grizzly Steppe, STRONTIUM, and Tsar Team. Affidavit Excerpt:

“The Sofacy group is a cyber-espionage group believed to have originated from Russia. Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value.”

Image result for fancy bears

VPNFilter uses a multi-stage attack vector similar to other router based exploits. Once it accesses a victim’s router, it communicates with a Command and Control (CnC) server to download additional payloads.

The secondary stage of the exploit grants the hackers to intercept traffic, steal data, perform file collection, and execute commands. There is also the possibility that additional payloads may have been delivered infecting network devices attached to the router.

Image result for fbi

FBI Takes Control

After months of monitoring the situation, security researchers working with the FBI were successful in pinpointing the domain name used by the advanced hackers.

In an affidavit filed on 23 May, it has been revealed that agents were on it since August when they were willingly given access to an infected router by a Pittsburgh resident.

When news of the infection became public, the FBI acted swiftly to get a warrant from a Pennsylvania judge to take control of the toKnowAll.com domain.

With CnC domain under FBI control, consumers around the world have been asked to reboot their device so that it can phone home. It will help the feds have a clear view of exactly how many devices were affected around the world. The FBI stated that it intends to make a list of all infected IP addresses in order to contact ISPs, private, and public sector partners, to clean up after the global infection – ahead of the setup of a new malicious CnC server to reestablish the botnet.

 

 

BPI Calls for Piracy Crackdown Under New UK Internet ‘Clean-Up’ Laws

This week, Matt Hancock, Secretary of State for Digital, Culture, Media, and Sport, stated new measures would be taken to clean up the ‘Wild West’ elements of the Internet.  Music group BPI responded by saying says the government should use the opportunity to tackle piracy with advanced site-blocking measures, repeat infringer policies, and new responsibilities for service providers.Image result for bpi

The UK Government has for the past several years expressed a strong desire to “clean up” the Internet.

There has been an intense emphasis on making the Internet safer for children, but that’s just the tip of the iceberg.

This week, the Government responded to the Internet Safety Strategy green paper, stating unequivocally that more needs to be done to tackle “online harm”

Considering every six out of ten people face “online harm”, the government while working with social media companies to protect users had seen positive results but the overall outlook has been below par.

For this reason, the Government will introduce new legislation, albeit with the assistance of technology companies, children’s charities and other stakeholders.

The Government has cleared that it wishes to tackle “the full range” of online harms, even though the emphasis is being placed on cyberbullying and online child exploitation. This move has been warmly received by UK music group BPI and thereby requesting the Government to introduce new measures to tackle Internet piracy.

BPI chief executive Geoff Taylor in a statement issued this week welcomed the move towards legislative change and urged the Government to encompass the music industry and beyond.

The BPI has published four initial requests.

  • Establish a new fast-track process for blocking unauthorized sites.
  • Compel online platforms to stop content from being re-posted after it’s been taken down while removing the accounts of repeat infringers.
  • Fines for “online operators” who do not give “transparent contact and ownership information.”
  • Pass laws for a new “duty of care” for online mediators and platforms.

To be published later this, the Department for Digital, Culture, Media & Sport and the Home Office will work on a White Paper to pass laws to tackle “online harms”. The BPI and similar entities will hope that the Government will also do the same.

 

New Zealand’s New Privacy Bill

A new privacy bill is going through the parliament in New Zealand with the legislation initially proposed back in March. The bill aims to revoke the Privacy Act of 1993 which is outdated.

This Thursday, May 24, public submissions for the new bill will end, and it will be inspected by the Select Committee to determine whether amendments are necessary. The government is hoping the new law will “promote people’s confidence that their personal information is secure and will be treated properly”.

Enhanced Privacy for New Zealanders

John Edwards, New Zealand’s Privacy Commissioner did go on record stating that he hopes the new privacy law will give the government “meaningful enforcement powers, such as an ability to seek fines for serious non-compliance”.

Edwards believes much like European counterparts New Zealand too should make it mandatory for companies to disclose when data violations occur. Any failure to report violations will result in fines reaching $10,000 for businesses that do obey.

This will be critical in making New Zealand based firms alert to data breaches and cyber-attacks.

Edwards also wants the new legislation to address automated processes “that can affect access or entitlement to goods and services”.

Why Not Before?

New Zealand Law Commission in 2011 had recommended an update to the Privacy Act, but nothing happened. So, one could suggest the EU’s GDPR legislation played its part in making this bill a reality.

This is a good sign for digital privacy around the world.

Immaculate Timing

The timing couldn’t have been any better considering the ongoing revelations about corporate data mining such as Facebook.

The recent Cambridge Analytica disaster shed light on how corporations are mining data through social media.

Taking into consideration the many other incidents that have taken place over the years it is safe to say that New Zealand’s legislation bill is so vital.

What’s Next?

This Thursday, the bill will go back to the select committee to address any pending issues. After that, the legislation will be revised for a second reading. Then, the Committee of the Whole House will go through the bill before third reading. In this stage, the bill will get Royal Assent and be passed into law.

Internet Association Criticizes MPAA’s ‘Crony Politics’

The Internet Association consisting of several large technology companies criticized the MPAA. They accused MPAA of using Facebook’s controversy for “rent seeking” and “accomplice politics” to promote its own interests in a letter to the House Energy and Commerce Committee.

In April, MPAA Chairman and CEO Charles Rivkin used Facebook’s privacy disaster to scrutinize Internet’s current state.

Rivkin wrote “The Internet is no longer nascent – and people around the world are growing increasingly uncomfortable with what it’s becoming,” when lettering it to several Senators, connecting Internet-related privacy violation to regulation, immunities, and safe harbors.

The head of Hollywood’s chief lobbying group concerned about Facebook users is a good thing, but not everyone is convinced.

For some, the MPAA is merely exploiting the fiasco to grow its own unrelated interests.

The Internet Association is a US-based organization comprising many prominent members including Amazon, Facebook, Google, Reddit, Twitter, and Yahoo.

The MPAA criticized these companies, named or not, which made the Internet Association respond.
Internet Association president and CEO, Michael Beckerman, in a public letter to House Energy and Commerce Committee Chairman Greg Walden, scourged the MPAA and similar lobbying groups by stating these groups hijack the regulatory debate with anti-internet propaganda.

Beckerman writes “Look no further than the gratuitous letter Motion Picture Association of America, Inc. Chairman & CEO Charles Rivkin submitted to the Energy and Commerce Committee during your recent Zuckerberg hearing.”

Beckerman: “The hearing had nothing to do with the Motion Picture industry, but Mr. Rivkin demonstrated shameless rent-seeking by calling for regulation on internet companies simply in an effort to protect his clients’ business interest.”

The Internet Association CEO added rent-seeking efforts are part of the “crony politics” used by “pre-internet” companies to protect their old business models.

“This blatant display of crony politics is not unique to the big Hollywood studios, but rather emblematic of a broader anti-consumer lobbying campaign.

Many other pre-internet industries —telcos, legacy tech firms, hotels, and others — are looking to defend old business models by regulating a rising competitor to the clear detriment of consumers.”

The crack between Silicon Valley and Hollywood is wide open.

The MPAA and other copyright industry groups want stricter regulation so that Internet companies are held accountable. However, privacy is not their primary focus.

They want internet giants to prevent privacy and compensate rightsholders. But, to use Facebook’s privacy disaster to bring this message forward was a good thing or not is something up for debate.

The Internet Association hit back at the MPAA’s efforts, but it did admit that more has to be done for internet privacy.

Forecasting Online Privacy After Facebook’s Senate Investigation

Mark Zuckerberg was brought before the United States Senate for an investigation into how his company handles its users’ confidential data a few weeks back. It seems apart from Mr. Zuckerberg being shred into by enraged Senators nothing much came out of it. In this report, we’ll hypothesize on how internet privacy rules may or not change as a result of this trial.

Reactive Encouragement by Social Media

It was apparent, and in the days since the Senate investigation, it has happened as expected. Facebook, Instagram, Reddit, Twitter, and other social media sites have put up notifications and statements to comfort you that they do care about your privacy and security. Facebook’s “Privacy Commitments” and Security Check-Ups have been appearing more on users’ timelines, Twitter displayed a notice at the page top, and other websites are doing the same. It is merely a knee-jerk PR move since the users now all of a sudden care about their online privacy. Before you know it, the public will have moved on to the next issue as it’s highly doubtful whether anything groundbreaking will come out of this.

Short Notice from Lawmakers Prior to Moving On

Political figures at all levels are speedily capitalizing on the latest controversial issue by taking a leaf out of the Senate’s denouncement of Facebook’s practices. Hollow clichés and assurances can be found on the Twitter feed of ex-presidential candidates, governors, and even down to local city council members. But, like social media platforms, it’s unlikely these political figures will do anything of value to back up their claims. The only thing that has come of it is that Net Neutrality has gained a slight momentum, but no new laws were passed or introduced.

How Can I Take Action on this Matter?

How can you emphasize and muster support for online privacy as public attention is fading away quickly? Write to your government representatives at every tier as this is the first and most natural step. Start with your city council, mayor, and state representatives and senators, then move up to the governor, federal representatives and senators, and a Change.org petition if need be. Do it yourself! Don’t wait on others.

Millions of accounts went dark in a week as #deletefacebook movement garnered tremendous support. One less account equals one less revenue from ads and selling your data.

To close, it’s apparent nothing significant has come out of Facebook’s investigation, but there are still things you can do even though it’s losing public attention.