A Facebook Crackdown, Amazon Facial Recognition, and More Security News This Week

Security News This Week: Facebook Takes Down Hundreds of Fake Pages From Iran

Simon Dawson/Bloomberg/Getty Images

As happens infrequently—but definitely not never—Apple wrestled with an embarrassing and problematic security bug this week in its iOS FaceTime group calling feature. The flaw was bad enough that Apple took the drastic step of pulling group FaceTime functionality altogether. A full fix will come next week. Meanwhile, Facebook faced criticism for paying users as young as 13 to download a mobile research app that gave the company invasive access to all sorts of user data and activity, including web browsing. The app didn't meet Apple's privacy standards for iOS, and Facebook was distributing it through a loophole in the platform. Google was soon found to be doing roughly the same thing; Apple revoked both of their enterprise certificates.

With its epic privacy-fail spree still going, Facebook has hired three prominent privacy advocates over the last few weeks, who are all critics of the company, as part of ongoing attempts to reform. And Google is still working on its quest to reduce phishing and other online fraud by overhauling how browsers display URLs.

Outside of the tech behemoths, hackers are distributing a trove of 2.2 billion stolen user records for free—showing just how plentiful credentials compromised in past data breaches have become. The US Intelligence Community and the Trump administration are not on the same page about a variety of global threats, which itself creates another danger. And one watchdog researcher is advocating for a new mentality in which tech companies are not only responsible for defending their users, but must actively consider how their own platform or product can be abused.

But wait, there's more! Each week we round up all the news we didn’t break or cover in depth. Click on the headlines to read the full stories. And stay safe out there.

Facebook Removes Cluster of Disinformation-Spewing Iranian Accounts

On Thursday, Facebook removed yet another batch of inauthentic pages spreading misinformation on the platform. The perpetrators once again came from Iran, this time targeting people worldwide, with a special focus on the Middle East and South Asia, according to Facebook. The group included 783 pages, groups, and accounts across Facebook and Instagram, some of which dated as far back as 2010. Each was dedicated to spreading Iranian state media reports under a false guise. Two million accounts followed at least one of the pages, and the imposters hosted eight events between May 2014 and May 2018. This will continue to be a pressing issue for Facebook, which at least has shown more commitment to transparency of late.

Amazon's Law Enforcement Client Isn't Using the Company's Facial Recognition Tool Properly

Amazon's "Rekognition" facial recognition system has come under fire repeatedly for unreliability and potential biases. And the stakes are high, since the company has been marketing the system for an array of impactful uses, including law enforcement. When researchers have pointed out problems with Amazon's tool, the company has consistently responded that the issues don't occur if you calibrate the system to certain specifications. And Amazon says that its law enforcement clients use these optimal settings. But sources at the Washington County Sheriff’s Office in Oregon, the only law enforcement agency that Amazon publicly cites as using Rekognition, told Gizmodo this week that the department doesn't follow Amazon's guidelines and didn't receive training to implement them. This doesn't necessarily mean that the Washington County Sheriff’s Office is doing anything wrong, but it does undermine Amazon's position that the problems researchers have found in Rekognition wouldn't apply to law enforcement usage.

Attackers Exploit Telephony Protocol Flaw to Drain Accounts in UK's Metro Bank

A fundamental telephony routing protocol called SS7 has had known flaws for years, and has been increasingly attacked by state-sponsored hackers and other highly-resourced adversaries. But the exploits are starting to trickle down to more average criminals, and Motherboard reports that they're now affecting the UK's Metro Bank as part of a larger wave. Most SS7 attacks work by allowing hackers to intercept users' SMS text messages, specifically the texts that contain two-factor authentication codes. This then allows attackers to control user accounts and everything in them more easily. Telecom companies have been slow to address SS7 insecurity, leaving consumers vulnerable to various types of attacks across a number of industries.

Japanese Government Plans to Hack Hundreds of Millions of IoT Devices

This month, the Japanese federal government will begin a survey to attempt to hack 200 million Internet of Things devices within the country, including in citizens' homes. The hacking spree isn't an act of aggression, though. It's meant to demonstrate how vulnerable embedded devices are to attack, because of things like weak (or nonexistent) login credentials, difficulty with patching, and overly trusting relationships between devices on the same Wi-Fi network. Japan approved the initiative as part of preparations for the 2020 Tokyo Summer Olympics. Hackers, including Russian state-sponsored attackers, targeted the 2018 Pyeongchang Winter Olympics and took down the event's Wi-Fi and database systems at one point. Internet of Things device insecurity is a major problem with no easy solution. So you've got to admire the Japanese government's dedicated (if arguably deranged) plan to call attention to the issue.

  • Finding Lena, the patron saint of JPEGs
  • The WIRED guide to commercial human space flight
  • The world’s fastest supercomputer breaks an AI record
  • Google takes its first steps toward killing the URL
  • Goodbye doggos, hello exotic pet Instagram
  • 👀 Looking for the latest gadgets? Check out our picks, gift guides, and best deals all year round
  • 📩 Get even more of our inside scoops with our weekly Backchannel newsletter