Cybersecurity Roundup: June 11, 2019

This week Facebook removed any meaningful search of its platform to prevent ‘future privacy scandals,’ Google/YouTube got pulled into the Roger Stone case, CBP admitted its border surveillance contractor got massively hacked, a treasure trove of threat research came out from behind a paywall, Tinder matched with the Russian government’s surveillance arm, and much more.

Nuke it from orbit

This week Facebook quietly disabled Graph Search, a tool used by human rights organizations, journalists, the open source intelligence community, law enforcement hunting traffickers, companies tracking corruption, and everyone researching information on Facebook in the public interest. 

The change is being felt by many. It was first pointed out by researchers at Bellingcat (who helped nail the Russian Novichok poisoning culprits) and was reported by Joseph Cox at Vice.

The headlines are starting to hit: Facebook Turned Off Search Features Used To Catch War Criminals, Child Predators, And Other Bad Actors (BuzzFeed)

According to four Facebook employees who spoke with Bellingcat off the record, Facebook has removed Graph “in order to avoid future privacy scandals.”

Nick Waters was researching for a Bellingcat investigation into airstrikes in Yemen, and when Facebook removed Graph Search he publicly appealed for help. Vice reported:

“Now that Graph Search has gone down, it’s become evident that it’s used by some incredibly important section[s] of society, from human rights investigators and citizens wanting to hold their countries to account, to police investigating people trafficking and sexual slavery, to emergency responders,” Waters told Motherboard in an online chat.
Van Ess also shared with Motherboard several messages he said came from people looking for tool alternatives or updates, including journalists and companies tracking corruption.

For a company whose main problem is the public finding out about human rights abuses (and genocide) facilitated with its platform, or Russian attacks on American society, or the prevalence and activities of nationalist and neo-Nazi hate groups on Facebook, or any number of things, it’s a brutal tactic from a company that will apparently protect its own interests at any cost. 

This makes Facebook even more of a darknet than before. Now we won’t be learning any facts about disinformation campaigns on Facebook from here on out unless it comes from court docs, a whistleblower, or Facebook itself.

Bellingcat contributor Nathan Patin tweeted, “We need an open letter from the likes of @bellingcat, @amnesty, @hrw, @anticorruption et al to make sure @facebook understands the negative impact Graph’s demise will have.”

Caught in a bad bromance

Two developments emerge this week in the frisson between Roger “I am not a crook” Stone, and Julian “I am not a douchebag” Assange.

On the WikiLeaks front, CNN reports: “The United States has submitted its formal request to the United Kingdom to extradite WikiLeaks founder Julian Assange.”

“Prosecutors initially charged Assange with a single count of computer intrusion, but last month added 17 new counts,” CNN wrote. News of the extradition request means, “Now that the formal extradition package is in, the Justice Department is unlikely to mount additional charges against Assange.” We’ll have to wait and see what happens next.

Meanwhile, le Roger Stone just keeps a rollin’ — downhill. Because the one skill Stone excels at is not being able to keep his mouth shut, the Department of Justice (in an ongoing case stemming from the Mueller investigation) has demanded data from Google to piece together what Stone said, and when. Fortunately for them, there’s a lot!

Specifically, “Investigators believe YouTube upload dates and times of eight specific videos will help” and seek “footage of Stone’s appearances at Republican meetups and on right-wing shows like InfoWars, as well as public comments from Wikileaks chief Julian Assange.” Forbes adds, “The videos were uploaded by various YouTube accounts, not by Stone or Wikileaks.”

Forbes reports:

The videos include footage of Stone’s discussion of WikiLeaks on Alex Jones’ InfoWars and on the former Breitbart commentator and NRA spokesperson Dana Loesch’s show. Google has also been ordered to provide upload information of a YouTube video of a Stone speech in Broward County, Florida, in which he admits to speaking with Assange. He later claimed that he hadn’t spoken to Assange directly but only through an intermediary, as per the January indictment.

They also want upload data surrounding a Wikileaks video statement made by Assange where he talks about having Clinton emails “pending publication.”

Wannabe, indeed

As expected, all the nonconsensual dragnet surveillance happening at US borders is being poorly secured.

The Register reported last month that super-creepy federal contractor Perceptics got popped when a couple hundred gigs of the company’s data surfaced from the breach online. The Register has more details on the haul, like that it included business plans, HR files, border security data acquisition info, and of course, the company’s border surveillance images and videos. The attacker even snatched copies of music off a Perceptics computer that included “Superstition, by Stevie Wonder, and Wannabe by Spice Girls, and a variety of AC/DC and Cat Stevens songs.”

Well, it’s not like we’d expect anyone working in this corner of the surveillance state to have taste. Anyway, Perceptics kept quiet about it.

But yesterday, U.S. Customs and Border Protection acknowledged that “photos of travelers had been compromised as part of a ‘malicious cyber-attack.’”

CBP wouldn’t say what exactly was stolen, how many people are affected, or which of its contractors were hacked. And yet, “a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, includes the name ‘Perceptics’ in the title.” Oops.

Today, the Telegraph tells us that the stolen data includes “photos of tourists entering the US.”

So what we’ve learned today is that the people whose literal job it is to handle border security can’t do security, and they’re bad at lying about it. Turns out, “Wannabe by Spice Girls” is painfully appropriate.

There’s more, and some of it is really cool:

Filed under "water is wet": Cognitive Bias Can Hamper Security Decisions (Dark Reading)

This is SO cool: Something’s Fishy About This Computer (HackaDay)

Here’s a big deal for security nerds like me: Akamai quietly brought its threat research out from behind a paywall and made all of it public. If I landed a gig that wanted geeky security posts, I’d be in an infosec research K-hole right now: Akamai: Threat Research (Akamai)

Tinder is a subsidiary of IAC who partners with Thorn who works directly with US law enforcement, and I’m just waving those red flags: Tinder and the Russian Intelligence Services: It’s a Match! (Foreign Policy)

So I guess people who can afford a thousand dollar phone can protect themselves from police abuse: ‘Siri, I’m getting pulled over’: A shortcut for iPhones can automatically record the police (Business Insider)

This white-knuckle thread about a real pentest is fantastic: Slipping By With A Smile – Breaking and Entering Through Con Artistry (Tinker | Twitter)

I blame Cary Grant for my romantic obsession with art thievery: Brian Ross Investigates — The FBI Art Theft Squad (YouTube)

A hard love letter to security

I know this weekly roundup is cranky, but you may be surprised to know that I look forward to curating and writing it every week. I spend a few hours every day examining topics and research, and adding potential news items to my list for Tuesday morning. Then I get to put it all together Monday night — and have fun with it. 

This is rare in infosec reporting: being able to combine my technical acumen, historical knowledge about the community, my sources, my opinions, and then piece stories together in ways that bring out important elements I feel aren’t being talked about. Plus, I get to weave a voice into all this news that believes in inclusivity.

I love hackers and infosec communities, the passion driving people who care about what it means (even ones who are mad about what it has become), and I want to translate hacking and infosec to the people it affects. And I want so badly to show hacking and infosec what it can learn from at-risk communities. I’m telling you this because I feel that this weekly roundup, in many ways, is my hard love letter to computer security. Which, by extension, is the burgeoning field of computer privacy.

I’m only able to do this because: a) Kind and generous people put dollars into the weirdness of Patreon that turns into rent, cat food, keeping my lights on, and the words you're reading right now, and b) people share it.

If you can become a patron, your support is needed. If you can't afford it right now, please share a link.

I want to grow this roundup into a weekly podcast and more. Can you help?

Post image via JWZ.
