At a glance.
- FBI spends millions on social media tracking software.
- Investigation reveals yet another Pegasus spyware hack.
- Cash App broker data breach caused by ex-employee.
- WhatsApp voicemail phishbait.
FBI spends millions on social media tracking software.
The US Federal Bureau of Investigation (FBI) has signed a $27 million contract for five thousand licenses to use the social media tracking software Babel X. The software, developed by US tech firm Babel Street, is intended to aid the FBI in searching social media sites for indicators of possible threats to national security, and the contract calls for translation abilities in at least seven foreign languages, geofencing, sentiment analysis to help “determine likely attitudes of the targets,” and even emoji searches, “predictive analytics,” and bot detection. Jack Poulson, head of research advocacy group Tech Inquiry, told the Washington Post the contract is the largest Babel Street contract he’s encountered. The FBI stated, “The FBI uses social media tools to search publicly available information pertinent to predicated investigations in order to identify and respond to threats of violence, acts of terrorism, and potential federal violations within the scope of the FBI’s mission.”
Civil liberties advocates and lawmakers on both sides of the aisle are concerned that such widespread social media tracking could be a threat to privacy. Greg Nojeim, a senior counsel and co-director at the Center for Democracy and Technology’s Security and Surveillance Project, says such sweeping searches could easily result in misinterpretation. “The risk of misinterpretation is high. So is the risk that an FBI agent who misinterpreted what you said on social media will come knocking on your door,” he stated. Representative Jim Jordan, the House Judiciary Committee’s top Republican, has asked the FBI for a briefing to address “real concerns based on the [FBI’s] history and based on the fact that we don't know how they're using it and who they're going after.”
Paul Bischoff, privacy advocate with Comparitech, stated:
“I can foresee several issues with the FBI monitoring social media. First, it will surely have a chilling effect on free speech. People behave differently when they know they're being watched, leading to self-censorship. Second, this is bulk surveillance, which means the vast majority of people whom the FBI is monitoring are not suspected of any crime. Third, sentiment analysis is about as reliable as astrology. The odds of misinterpretation are very high. Fourth, it sets a dangerous precedent. Dictators in autocratic countries could contract with Babel X or a similar company to spy on dissidents, activists, journalists, and others who speak out. Last, it's notable that the FBI is using a third-party vendor instead of working with the social networks themselves. This is probably because the social networks would never agree to let the FBI directly monitor their users, even though the FBI says it only wants public info. That could mean Babel X scrapes info from social networks using bots, a practice that Facebook and other social media have prohibited in their terms of service and actively fought against to little avail.”
Chris Hauk, consumer privacy champion at Pixel Privacy, commented:
“Unfortunately, the FBI and other federal, state, and local law enforcement agencies will happily use "attacks" like the January 6th event to violate the privacy of American citizens. While the monitoring of social platforms can help law enforcement to plan for possible incidents, my fear is that it may eventually lead to a "Minority Report" type situation where the FBI and other agencies may arrest or otherwise detain citizens that haven't actually violated any laws. I also don't think we can count on the FBI to use the software only for its stated purpose. If there is a way to misuse a tool, you can rely on government agencies to do so.”
Investigation reveals yet another Pegasus spyware hack.
In the continuing investigation of abuses of NSO Group’s controversial Pegasus surveillance software, Front Line Defenders and Citizen Lab say evidence indicates that the iPhone of award-winning journalist and activist Suhair Jaradat was hacked with the spyware in December, mere weeks after Apple filed a lawsuit seeking an injunction banning NSO from hacking its devices. TechCrunch explains that a threat actor impersonating a popular anti-government critic sent Jaradat a WhatsApp message containing links to the Pegasus spyware, allowing her iPhone to be hacked several times. A spokesperson for the Jordanian Embassy in Washington, DC denied the allegations, stating that Jordan “has not cooperated with any agents with the aim of spying on citizens’ phones or censoring their calls.”
Cash App broker data breach caused by ex-employee.
SecurityWeek reports that US financial services and digital payments company Block, Inc. (formerly known as Square) yesterday disclosed that the December data breach of its Cash App investment platform was caused by an ex-employee who stole brokerage data. "Our security team recently determined that a former employee downloaded certain Cash App Investing reports that contained some customer information. While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended," the company stated in an SEC filing. The company has not explained why the former employee retained access to the sensitive financial data (which included brokerage account numbers, names, portfolio values, and holdings for one trading day) after leaving the company, and has also not disclosed how many customers were impacted, though the filing says 8.2 million users are being notified about the incident. Cash App spokesperson Danika Owsley told TechCrunch, “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
Erich Kron, security awareness advocate at KnowBe4, noted:
"This situation stresses the need for a well-defined employee offboarding process, and possibly even the dangers of shared passwords within organizations. Without a strong offboarding process, accounts that should be disabled can easily be missed, leaving them open for abuse by ex-employees. Shared passwords are equally as dangerous, especially if they are not changed immediately after an employee leaves. It is not uncommon for ex-employees to feel entitled to information, including that of customers they worked with, or of intellectual property they worked on. Not removing access to this information quickly and efficiently can lead to employees returning to take it."
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, commented:
“The statement released does not go into detail about the way the records were accessed by the former employee, but from my experience I believe it’s possible that the breach could have come from an orphaned account still active on a third-party SaaS application like a cloud storage solution.
“Managing all accounts created for employees is becoming increasingly complex as organizations adopt SaaS products accessible from the internet at large. Historically, an employee might have only one account in a central authentication server like Microsoft Active Directory that was used for all of the person’s network and application access. It was a simple matter to disable or delete that one account and be more or less certain that it would remove the former employee’s access to company systems or data. Today, however, an organization may have dozens of SaaS solutions in use, many with stand-alone authentication systems not tied to the company’s internal authentication database. In this situation, it can be difficult to identify all of an exiting employee’s accounts and coordinate with potentially many different teams that manage the SaaS products to ensure access is removed. Worse, it’s often the case that these third-party hosted solutions have their own logging and auditing functions that don’t tie into the organization’s centralized logging or SIEM for easy review. This leaves the security team blind to suspicious behaviors or authentication attempts and relies on the team managing the SaaS solution for the organization to have a process for regular log review as well as the expertise to understand if events they are seeing indicate a potential problem. Because users can typically access these cloud-based solutions from anywhere, unless the security team or the cloud-application administrator is actively watching the security logs, it could be months or years before unauthorized access is detected and shut down.
“To mitigate potential similar breaches, organizations must adopt a culture of security that takes threats like user account proliferation into their risk management strategy. By doing so, it is possible to incorporate processes for onboarding all applications and services used by the business, whether hosted internally or from SaaS providers. These processes can include things like a formal user account request process that can be used for generating an exhaustive list of all internal or external accounts an employee had created during their tenure, for easy removal after their departure. Further, this is an important part of an overall vendor management strategy that allows the organization to consider threats that adopting a service may introduce and enact protective strategies to limit potential damages. Such strategies can include requiring that vendors demonstrate cybersecurity due diligence, but also ways that the solution may be augmented to provide easier management or monitoring to internal teams, such as tying accounts created in the platform to internal authentication systems such that disabling the account internally also disables access to the SaaS platform, and adding the solution’s logging and auditing capabilities into your security team’s centralized logging system or SIEM for visibility.”
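The offboarding gap Kron and Clements describe (a departed employee whose stand-alone SaaS account is never disabled, and whose later logins nobody reviews) is something a security team can check for mechanically once it has an HR roster and per-application account exports. The script below is an added illustration, not code from Block, Cash App, or any commentator quoted here; the roster, the application exports, and the column names (`email`, `status`, `last_login`) are constructed for the example and would have to be mapped to whatever each real SaaS product exports.

```python
"""Offboarding reconciliation: flag SaaS accounts that outlived an employee's departure.

Constructed example. Assumes an HR roster keyed by work e-mail with a termination
date (None = current employee) and one account export per SaaS application whose
rows carry at least an e-mail, an account status and an ISO-8601 last-login time.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: e-mail -> termination date, or None if still employed.
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2021, 11, 30),
    "carol@example.com": date(2021, 12, 15),
}

# Constructed per-application exports. Each app has its own authentication,
# so disabling the central directory account did nothing to these rows.
SAAS_ACCOUNTS = {
    "cloud-storage": [
        {"email": "alice@example.com", "status": "active", "last_login": "2021-12-20T09:12:00"},
        {"email": "bob@example.com", "status": "active", "last_login": "2021-12-10T22:41:00"},
        {"email": "carol@example.com", "status": "disabled", "last_login": "2021-12-14T17:05:00"},
        # A shared/service login that no HR record explains.
        {"email": "svc-backup@example.com", "status": "active", "last_login": "2021-12-21T03:00:00"},
    ],
    "reporting-portal": [
        {"email": "bob@example.com", "status": "active", "last_login": "2021-11-02T08:00:00"},
    ],
}

_NOT_IN_ROSTER = object()  # sentinel: account e-mail has no HR record at all


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    issue: str   # "orphaned", "post-termination-login" or "not-in-roster"
    detail: str


def reconcile(roster, accounts):
    """Compare every SaaS account against the HR roster and return the findings.

    - orphaned: the account is still active although the person has left.
    - post-termination-login: the last login is later than the termination date,
      i.e. the account was actually used after departure, not merely left enabled.
    - not-in-roster: no employee owns the account (shared or service credential).
    """
    findings = []
    for app, rows in accounts.items():
        for row in rows:
            email = row["email"].strip().lower()
            term = roster.get(email, _NOT_IN_ROSTER)
            if term is _NOT_IN_ROSTER:
                findings.append(Finding(app, email, "not-in-roster",
                                        "no matching HR record; shared or service account?"))
                continue
            if term is None:
                continue  # current employee, nothing to flag
            if row["status"].lower() == "active":
                findings.append(Finding(app, email, "orphaned",
                                        f"still active although terminated {term.isoformat()}"))
            last_login = datetime.fromisoformat(row["last_login"])
            if last_login.date() > term:
                findings.append(Finding(app, email, "post-termination-login",
                                        f"last login {last_login.isoformat()} is after {term.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per issue type, for a quick offboarding dashboard line."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SAAS_ACCOUNTS):
        print(f"[{f.issue}] {f.app}: {f.email} - {f.detail}")
    print(summarize(reconcile(HR_ROSTER, SAAS_ACCOUNTS)))
```

The two issue types are deliberately kept apart: an orphaned account is a process failure to fix by disabling it, while a post-termination login is an incident that needs the application's own audit trail pulled into the SIEM, exactly the visibility gap Clements points to. Running this against real exports on a schedule turns the "exhaustive list of accounts" he recommends into a check rather than a one-off document.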
WhatsApp voicemail phishbait.
Armorblox has observed a WhatsApp voicemail phishing campaign that targeted more than 27,000 mailboxes. Josh Rickard, Security Automation Architect at Swimlane, commented:
"Phishing attacks are one of the most common methods of cyberattacks and, unfortunately, have become all too easy for cybercriminals to leverage. These types of social engineering attacks that exploit human error are highly effective and well-masked. In this case, WhatsApp’s voice message feature was manipulated in an attempt to spread information-stealing malware to over 27,000 email addresses associated with the app.
"Gone are the days when phishing was a single act targeting a specific individual. Today, malicious emails, texts and phone calls have grown into a vehicle for targeted attacks against entire organizations. Many SecOps teams do not have the bandwidth, time-tested processes or the data to properly investigate suspicious communications. Luckily, advancements in cybersecurity are easing the burden. Versatile platforms that have the ability to centralize detection, response and investigation protocols into a single, streamlined process allow security teams to gain the visibility needed to properly mitigate threats, including those related to phishing, in real time. Leveraging low-code security automation organization-wide makes implementing these features extremely easy, ultimately enabling security and IT teams to more effectively defend against advanced attacks."
James McQuiggan, security awareness advocate at KnowBe4, added:
“When they see it, most people will recognize someone trying to scam them in real life. For example, when walking the streets of New York City and someone tries to sell them an expensive brand watch or handbag, most people will know they are fake and carry on walking.
"However, when one gets an email with a voicemail from a popular messaging app or another social media platform informing the user to listen to the recording for an important message, many people might not recognize that as a scam and fall victim to it.
"Users should review three questions about any email coming into their inboxes. Is the email unexpected? Is this person a stranger? Do they want me to do something quickly?
"If any of these responses are yes, then it is a good recommendation to take a few extra moments to review the email for links, verify the sender and have a healthy skepticism towards the email.
"Users are too accepting of emails. There needs to be more education for everyone, not just within organizations, to spot electronic social engineering or scams, so it is as apparent as someone trying to sell a fake watch or handbag on the street.”