The Fiji Times

Facebook exposed


ABOUT 533 million Facebook users had their personal data publicly exposed last month. Facebook says the data was collected before 2020, when it changed its systems to prevent such information from being scraped from profiles. To my mind, this just reinforces the need to remove mobile phone numbers from all of your online accounts, wherever possible.

Furthermore, this is not a new hack: the database of 533 million Facebook accounts was first put up for sale on the dark web back in June 2020, offering profile data from more than 100 countries, including name, mobile number, gender, occupation, city, country and marital status!

Many people may not consider their mobile phone number to be private information, but there is a world of misery that bad guys, stalkers and creeps can visit on your life just by knowing your mobile number.

Not a problem for those who change mobile numbers every so often, but I’ve had mine for the last 20 years! Sure, they could call and harass you that way, but more likely they will check how many of your other accounts (at major email providers and social networking sites such as Facebook, Twitter and Instagram) rely on that number for password resets or multi-factor authentication (MFA). Whoever controls the number can then use those recovery channels to take over the accounts.

My advice is to simply remove mobile numbers from your online accounts wherever you can, and avoid selecting SMS or phone calls for second factor or one-time codes.

I know it’s convenient, but phone numbers were never designed to be identity documents. That’s effectively what they’ve become, and it’s time we stopped letting everyone treat them that way.

Removing your phone number may be even more important for any email accounts you have. Sign up with any service online, and it will almost certainly require you to supply an email address.

In nearly all cases, the person in control of that address can reset the password of any associated service or account, merely by requesting a password reset email.

Here’s the thing: most online services require users to supply a mobile phone number when setting up the account, but do not require the number to remain associated with the account after it is established!

Google’s top security teams recently shut down a nine-month hacking campaign. What wasn’t disclosed at the time: the move shut down an active counterterrorism operation being conducted by a Western government. This should raise some interesting questions.

Google runs some of the most sophisticated cybersecurity operations on the planet: its Project Zero team, for example, finds previously unknown security vulnerabilities, while its Threat Analysis Group directly counters hacking backed by governments, including those of North Korea, China and Russia.

And those two teams recently caught an unexpectedly big fish: an “expert” hacking group exploiting 11 powerful zero-day vulnerabilities to compromise devices running Apple’s iOS, Android and Windows.

But the hackers in question were actually Western government operatives actively conducting a counterterrorism operation. The company’s decision to stop and publicise the attack caused internal division at Google and raised questions inside the intelligence communities of the United States and its allies.

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees (the big picture, in case you missed that one).

Recent Google blog posts detail the collection of zero-day vulnerabilities that it discovered hackers using over the course of nine months. The exploits, which went back to early 2020 and used never-before-seen techniques, were delivered in “watering hole” attacks that used compromised websites to serve malware to visitors. They caught the attention of cybersecurity experts because of their sophistication, scale and speed.

Google’s announcement glaringly omitted key details, however, including who was responsible for the hacking and who was being targeted, as well as important technical information on the malware or the domains used in the operation. At least some of that information would typically be made public in some way.

Security companies regularly shut down exploits being used by friendly governments, but such actions are rarely made public. In response to this incident, some Google employees have argued that counterterrorism missions ought to be out of bounds for public disclosure; others believe the company was entirely within its rights, and that the announcement serves to protect users and make the Internet more secure.

However, this is where I think one of the key ethical dimensions comes in. How one treats intelligence or law-enforcement activity conducted under the democratic oversight of a lawfully elected representative government is very different from how one treats that of an authoritarian regime. Or is it?

Google found the hacking group exploiting 11 zero-day vulnerabilities in just nine months, a high number of exploits over a short period. Software that was attacked included the Safari browser on iPhones but also many Google products, including the Chrome browser on Android phones and Windows computers.

Instead of focusing on who was behind, and who was targeted by, a specific operation, Google decided to take broader action for everyone. The justification was that even if a Western government is the one exploiting those vulnerabilities today, they will eventually be used by others, and so the right choice is always to fix the flaw today.

This is far from the first time a Western cybersecurity team has caught hackers from allied countries. Some companies, however, have a quiet policy of not publicly exposing such hacking operations if both the security team and the hackers are considered friendly (for example, if they are members of the “Five Eyes” intelligence alliance, which is made up of the US, the UK, Canada, Australia and New Zealand).

Several members of Google’s security teams are veterans of Western intelligence agencies, and some have conducted hacking campaigns for these governments.

The usual procedure for the cybersecurity experts who make such a discovery is to advise the executives and step away. It’s not their job to figure out why an operation is being run; they politely move aside.

This is not without precedent: in 2018 the Russian cybersecurity firm Kaspersky exposed an American-led counterterrorism cyber operation against ISIS and Al Qaeda members in the Middle East.

The alarms raised both inside government and at Google show the company is in a difficult position.

Google security teams have a responsibility to the company’s customers, and it is widely expected that they will do their utmost to protect the products, and therefore the users, that are under attack.

In this incident, it’s notable that the techniques used affected not just Google products like Chrome and Android, but also iPhones.

But while protecting customers from attack is important, some argue that counterterrorism operations are different, with potentially life-and-death consequences that go beyond day-to-day internet security.

When state-backed hackers in Western nations find cybersecurity flaws, there are established methods for weighing the potential costs and benefits of disclosing the security gap to the affected company. In the United States it’s called the “vulnerabilities equities process” (VEP).

Critics worry that US intelligence hoards large numbers of exploits, but the American system is more formal, transparent and expansive than what’s done in almost every other country on earth, including Western allies.

The process is meant to allow government officials to balance the advantages of keeping flaws secret in order to use them for intelligence purposes against the wider benefits of telling a tech company about a weakness in order to have it fixed.

And while the American intelligence system’s disclosure process can be opaque, similar processes in other Western nations are often smaller, more secretive or simply informal, and therefore easier to bypass.

Some observers worry about live counterterrorism cyber operations being shut down at potentially decisive moments without the ability to quickly start up again. There are many pros and cons to this debate and no easy solutions.

As the Latin phrase, written around AD 100, goes: “Quis custodiet ipsos custodes?”, roughly translated as “who watches the watchers?”

Here’s wishing you all a blessed weekend, stay safe and well in both digital and physical worlds.

Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
