Doubts raised over Bezos iPhone hack analysis; EU considers temporary ban on facial recognition; and full metal ATM skimming in Brazil
Allegations that staff of Saudi ruler Prince Mohammed bin Salman hacked the mobile phone of Amazon boss Jeff Bezos propelled tech news to the front pages this week.
Team Bezos claims his phone was hacked using a booby-trapped video sent via WhatsApp from the phone of the Saudi crown prince. Private information was then purportedly stolen from the hacked iPhone X and used to publicly expose Bezos’ then-secret affair with girlfriend Lauren Sanchez.
Evidence of the hack came from a forensic analysis by specialists FTI.
Independent experts raised doubts about FTI’s methodology, essentially arguing that the analysis could have been more thorough and that the evidence uncovered is something short of compelling.
Leaving those concerns to one side, the story is that the hack was essentially pulled off using social engineering. There’s no suggestion any zero-day vulnerabilities or elaborate exploits were involved.
Infosec commentators noted this is something that’s likely much more typical of cyber-spying in general than some would have us believe.
Meanwhile Saudi denials of the allegations as “absurd” were met with a withering put down from one prominent US TV anchor:
If nothing else, the story provoked a discussion about whether the Bezos hack meant the “end of privacy” because if someone with his resources can be hacked, then what chance does the average person in the street have?
Face/off
Staying with privacy, news emerged this week that the European Commission is considering a temporary moratorium on the use of facial recognition in public areas.
The proposed five-year ban would give regulators the breathing space they need to develop regulations to guard against potential abuse of the technology, Politico reports.
Exceptions could be made for “security projects” as well as research and development, according to a leaked 18-page EU policy paper on artificial intelligence.
The proposals have split opinion in Silicon Valley. Alphabet chief executive Sundar Pichai is supportive of the EU’s proposed approach, in apparent contrast with Microsoft president Brad Smith.
Smith cited examples of how facial recognition technology might be used in finding missing children in calling for a regulatory approach that addresses the “problem with a scalpel instead of a meat cleaver”, Reuters reports.
Pichai, by contrast, told a conference in Belgium: “I think it is important that governments and regulations tackle it sooner rather than later and give a framework for it.”
Clear and present danger?
Privacy is generally considered a higher public policy priority in Europe than the US, but concern over the potential abuse of facial recognition technology is far from absent in North America – as illustrated through concerns about a new app called ‘Clearview’.
Clearview – whose use is presently restricted to law enforcement and corporate investigators – works from a database of more than three billion images scraped from Facebook, YouTube, Venmo, and other sources, and boasts the ability to name the name and address of people simply from a picture.
“It will end your ability to walk down the street anonymously,” a New York Times investigation into the previously obscure app warned.
NYT reporter Kashmir Hill got a first-hand glimpse of the potential of the technology during her investigation. After she asked police officers to run a photo of her through the app, they soon (rather unnervingly) received calls from Clearview asking if they were talking to the media.
Leaky buckets
Many organizations have exposed sensitive information because of cloud configuration mistakes but a recent slip-up by Microsoft has to count as one of the biggest (by sheer volume, at least) of all time.
Microsoft exposes 250 million customer records through a set of five unsecured Elasticsearch servers. The sensitive data – useful fodder for tech support scammers and other miscreants – was discovered over the turn of the year by security researchers at Comaritech, who quickly notified Redmond about their find.
The trove included logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.
The unencrypted data (which also included customer email addresses, locations, and IP addresses) was left accessible to anyone with a web browser, with no password or other form of authentication needed.
It’s unclear whether or not malign parties accessed the sensitive data while it was exposed.
Microsoft promptly secured the data upon notification, allowing Comaritech to go public with its findings.
LostPass
LastPass has reached the end of a turbulent week for both the company and users of its password management technology.
Last Friday, some LastPass users began complaining about error messages when they tried to log in. LastPass said it had resolved the problem by mid-afternoon on Friday.
Days later, on Wednesday, LastPass admitted that it had “accidentally removed” its Chrome Web Store extension.
The issue was restricted to the Chrome extension. Users were still able to access their vault via the website, different browser plugin or mobile app.
The Chrome browser plugin was returned to active service late on Thursday.
ATM slam
Finally, Brazilian cybercriminals have taken ATM skimming to a whole new level (or should that be overlay?)
Video surfaced on Reddit this week of the installation of an entire fraudulent terminal in front of a legitimate ATM at a Banco do Brasil outlet in São Paulo.