Plus: Smartmatic lawsuits, a fake WhatsApp, and more of the week’s top security news.
That’s more than can generally be said for streamer donation platforms Streamlabs and StreamElements, which have allowed far-right and white supremacist users to monetize their hate. Both services do take down accounts that violate their terms of service when reported, but they have yet to take proactive measures, as Twitter and Facebook have done in recent months.
Also having a hard time with moderation: Zoom, which despite introducing measures intended to stop “Zoom-bombing,” still suffers from the scourge. Researchers found that those mitigating features don’t do much good against inside jobs—a high school kid calling on 4chan to disrupt his class, for instance—which remain a prevalent source of attacks.
Speaking of attack sources, it turns out SolarWinds provided two of them. Not only did Russian hackers pull off a so-called supply chain attack by manipulating the company’s own code; Chinese hackers also used a flaw in SolarWinds software to dig deeper into at least one network that they had already compromised.
And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.
Subject: Paper – A First Look at Zoombombing
Source: Binghamton and Boston Universities via beSpacific
A First Look at Zoombombing. Chen Ling, Utkucan Balcı, Jeremy Blackburn, Gianluca Stringhini. Computers and Society. arXiv:2009.03822 [cs.CY].
“Abstract—Online meeting tools like Zoom and Google Meet have become central to our professional, educational, and personal lives. This has opened up new opportunities for large scale harassment. In particular, a phenomenon known as zoombombing has emerged, in which aggressors join online meetings with the goal of disrupting them and harassing their participants. In this paper, we conduct the first data-driven analysis of calls for zoombombing attacks on social media. We identify ten popular online meeting tools and extract posts containing meeting invitations to these platforms on a mainstream social network, Twitter, and on a fringe community known for organizing coordinated attacks against online users, 4chan. We then perform manual annotation to identify posts that are calling for zoombombing attacks, and apply thematic analysis to develop a codebook to better characterize the discussion surrounding calls for zoombombing.
Subject: They Stormed the Capitol. Their Apps Tracked Them.
Source: NYT via beSpacific
Subject: Section 230 and Big Tech
Source: Consumer Reports
Twenty-five years ago, Congress passed a little-noticed law that shielded online platforms from liability for the content posted by users. In the decades since, Section 230 of the Communications Decency Act, signed into law by President Bill Clinton on Feb. 8, 1996, has paved the way for the internet as we know it.
For the better: by enabling everything from unfiltered opinion in the comments sections of news sites to the phenomenon of social media, as well as giving platforms the option to moderate that online content. And for the worse: by facilitating the mass distribution of disinformation, hate speech, and other objectionable content.
“It affects every aspect of the internet from online safety to online shopping,” says Laurel Lehman, policy analyst for Consumer Reports.
And now, as it celebrates its silver anniversary, Section 230 finds itself under attack from across the political spectrum, including legislators and others ready to revise the law and with it the digital lives of millions of U.S. consumers. Here’s what you need to know about this important provision and its uncertain future…
Subject: Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online
Source: Vice via beSpacific
“Favicons are one of those things that basically every website uses but no one thinks about. When you’ve got 100 tabs open, the little icon at the start of every browser tab provides a logo for the window you’ve opened. Twitter uses the little blue bird, Gmail is a red mail icon, and Wikipedia is the bold W. It’s a convenient shorthand that lets us all navigate our impossible tab situation.
According to a researcher, though, these icons can also be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. The tracking method is called a Supercookie…
Strehle has set up a website that demonstrates how easy it is to track a user online using a favicon. He said it’s for research purposes, has released his source code online, and detailed a lengthy explanation of how supercookies work on his website.
The scariest part of the favicon vulnerability is how easily it bypasses traditional methods people use to keep themselves private online. According to Strehle, the supercookie bypasses the “private” mode of Chrome, Safari, Edge, and Firefox. Clearing your cache, surfing behind a VPN, or using an ad-blocker won’t stop a malicious favicon from tracking you.
Subject: NSF pushing for agency-specific cyber-physical research
With the growing importance of cyber-physical systems, the National Science Foundation’s research program aims to uncover cross-cutting principles, tools and hardware and software components that can accelerate the transition of CPS research into the real world.
CPS tightly integrates computing devices and networking infrastructure to deliver sensing of the physical world. It relies on data analytics, machine learning, autonomy, internet of things, networking, privacy, security and verification and may include human-aided control. Architectures may be distributed or centralized and feature multi-level hierarchical control and coordination of physical and organizational processes.
“CPS technology will transform the way people interact with engineered systems — just as the Internet has transformed the way people interact with information,” NSF said in its program announcement.
The Department of Homeland Security’s Science & Technology Directorate, the Federal Highway Administration (FHWA), the National Institutes of Health and the Department of Agriculture are sponsoring the research.
DHS S&T’s Technology Centers Division is interested in CPS research that protects industrial controls from cyberattacks and that helps systems identify, predict or recover from faults. Privacy and managing the use of sensitive data is of interest, as is validation, verification and certification that speed up design cycles while ensuring high confidence in system safety and functionality.
[shhh, don’t tell’m about Stuxnet from more than a decade ago /pmw1]
Subject: U.S. Reps. Wexton, Speier urge DNI to update security clearance guidelines
Source: Homeland Preparedness News
U.S. Reps. Jennifer Wexton (D-VA) and Jackie Speier (D-CA) are urging the Director of National Intelligence (DNI) Avril Haines to adopt new security clearance guidelines to prevent individuals involved in extremist groups from accessing classified information.
Specifically, Wexton and Speier are asking the DNI to update current guidelines to directly screen for threats from white supremacists, neo-Nazis, and other far-right extremists. Currently, individuals are not explicitly required to self-report involvement with extremist groups unless the organization professes to be a terrorist organization, seeks to overthrow the United States government, or uses violence.
Subject: Joseph Chase Oaks Of Alabama Accused Of Targeting Hundreds Of People Across The Country In Cell Phone Number Scam
Source: CBS New York and Pittsburgh
Wednesday, the Manhattan District Attorney’s office announced an even more sophisticated scam called SIM swapping.
Joseph Chase Oaks, from Alabama, is charged with grand larceny and identity theft, accused of targeting 300 people in New York and across the country to steal identities and $150,000 in cryptocurrency like bitcoin.
Subject: Google Chrome’s engineering director discusses how the company is trying to preserve digital advertising after tracking cookies are killed off
Source: Markets Insider
Google, owner of the world’s most popular web browser, set the countdown clock ticking last year when it said it would end support for third-party cookies in Chrome by 2022. It’s been experimenting with tools in its “Privacy Sandbox” that are designed to allow advertising to continue to work on the web but in a less privacy-encroaching way.
Last month, Google said one of those new techniques – Federated Learning of Cohorts (also known as FLoC) – was “nearly as effective as cookie-based approaches” in its own tests. FLoC uses machine learning algorithms that run on a user’s device to cluster people into interest-based groups based on behavior like their browsing history. It’s now preparing to let other adtech companies experiment with some of its proposals.
Insider spoke with Justin Schuh, security and privacy engineering director for Google Chrome, who is leading its Privacy Sandbox efforts. Schuh discussed how Chrome is attempting to assuage ad industry concerns about its cookie replacements, his ambitions for other browsers and platforms to adopt Privacy Sandbox-like solutions, and how Chrome is thinking about ways to give users more control over how their data is used.
This interview has been edited for clarity and length.