After anxious days awaiting Iran’s response to the US assassination of Qasem Soleimani, the country sent missiles flying at two Iraqi military bases that housed US troops—who knew about it well in advance, thanks to an early warning system that dates back to the Cold War. In a rare reversal from the norm, Donald Trump followed up by using Twitter to defuse tensions rather than escalate them further. Iran’s still on a path to developing nuclear capabilities, but they won’t get there any time soon.
As far as anyone knows, Iran hasn’t countered the US directly with a cyberattack, but a new report shows that they’ve spent the past year probing US critical infrastructure. All of which is to say, let’s hope both parties stick with deescalation.
On the home front, Amazon swatted at money-saving extension Honey just in time for the holidays, warning users that it was a security risk without specifying how. Google welcomed alleged spy app ToTok back into the Google Play Store, while the jury’s still out for Apple. And TikTok recently patched bugs that could have let attackers take over a victim’s account. (No, that doesn’t mean it’s spying on you.)
It was an active week for Facebook; the company made its Privacy Checkup feature a wee bit more granular, acknowledged that encrypting Messenger end-to-end by default will take years, and suffered a bug that doxxed the admins of Pages. Otherwise all good, though.
And while you may have heard that Russia disconnected itself from the internet over the holidays, that’s not quite right. But the Kremlin’s efforts to censor the internet are very real, and increasingly broad.
And that’s not all! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
The FBI Wants Apple to Unlock iPhones Again
Stop us if you’ve heard this one before: The FBI has asked Apple to unlock the iPhone of a mass shooter. As it did when the agency made the same request in the San Bernardino investigation, Apple has declined. The Cupertino company regularly complies with subpoenas for data stored in its cloud, but it argues that breaking into a locked iPhone would require undermining its own encryption, which in turn would make all iPhones less safe. The prolonged fight in 2016 ended in something of a draw, when the FBI found a way to unlock the iPhone on its own. While the FBI’s request hasn’t escalated to a court fight yet, it’s only a matter of time before it tries for a rematch.
A Comprehensive Look at How SMS Two-Factor Authentication Gets Abused
We’ve written about the risks inherent in using SMS-based two-factor authentication since 2016. Since then, the plague of so-called SIM-swap attacks that it enables has only grown, hitting even Twitter CEO Jack Dorsey. This week, researchers at Princeton University’s Center for Information Technology detailed the many, many ways that SMS 2FA can go wrong, including multiple failings on the part of carriers to vet SIM-swap requests. If this doesn’t convince you to switch to an authenticator app, nothing will.
Contractors in China Listened to Skype Calls With No Security Precautions
By now it’s no longer surprising that every voice assistant has a small army of human contractors behind it, transcribing recordings to improve accuracy. (Or did, until the public backlash.) Skype, however, reportedly hit an impressive low by not only using contractors in China but letting them listen to recordings through a Chrome web browser. They were also reportedly encouraged to log in through one shared account and password. In other words, it would have been almost comically easy to compromise the sensitive data. Microsoft told The Guardian that it has since moved its transcription efforts out of China and into “secure facilities.” It’s unclear exactly what that means, but the bar appears to be extremely low.
4 Ring Employees Fired for Watching User Videos
To continue the theme: In a letter to US senators this week, Ring acknowledged that four employees sought improper access to video taken by its customers’ cameras over the past four years. The company says that all four of them were fired for violating company policy, and that currently only three employees can access stored customer videos.