As if you didn't already have enough to worry about, researchers this week showed off how they can eavesdrop on a room that's hundreds of feet away using only the vibrations of a light bulb. OK, you specifically probably don't have to worry about this. But it's a reminder of just how close real-life spying techniques can get to science fiction.
What should rightly concern you, meanwhile, is the continued lack of security protections for internet of things devices. One potential way to help fix that problem: Give them privacy "nutrition" labels that let customers know exactly how safe a given smart speaker or connected toothbrush is. And Google will include privacy improvements that are not just hypothetical in Android 11, including not letting permissions linger for apps you haven't used in months.
Hopefully Georgia and other states will make fixes to their voting accommodations by this fall, as this week's primary meltdown showed how easily poor planning and digital machines can upend an election. We took a look at Intel's repeated failure to fix a hardware security issue, and Amazon's promise not to sell facial-recognition technology to law enforcement for a year. And coder-turned-kingpin Paul Le Roux was sentenced in New York on Friday after years of misdeeds; you can read more about his unlikely journey in this excerpt from The Mastermind: Drugs. Empire. Murder. Betrayal, by Evan Ratliff.
But that's not all. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
Zoom Deactivated US-Based Accounts at China's Request
Ever since Zoom skyrocketed, as videoconferencing became the norm for many workers during the Covid-19 pandemic, it has come under increasing scrutiny for its privacy and security practices. The latest setback: The company acceded to the Chinese government's demands that it deactivate multiple accounts that recently hosted Tiananmen Square memorials, saying that it needed to comply with local laws. But two of the affected accounts were US-based. Zoom has since reinstated the accounts, and said in a blog post that going forward it "will not allow requests from the Chinese government to impact anyone outside of mainland China."
Facebook Helped the FBI Hack a Notorious Cybercriminal
Motherboard has an exclusive report this week about Facebook's efforts to help the FBI take down Buster Hernandez, a hacker who for years tormented underage girls. (Hernandez pleaded guilty to 41 charges in February, ranging from production of child pornography to threats to kill, kidnap, and injure.) Since much of his malicious activity took place on Facebook, the company took an active role in helping authorities ferret him out—which included paying an outside firm a six-figure fee to develop a zero-day exploit for Tails, an anonymity-focused operating system. This is reportedly the first and only time that Facebook has gone to such lengths.
Researchers Uncover a Prolific ‘Hack-For-Hire’ Group
The Citizen Lab has shed light on a group it calls Dark Basin, an apparently mercenary hacker group that has targeted thousands of people around the world. Its report this week links that group's activity to an Indian company called BellTroX InfoTech Services. The targets range from nonprofits to government officials to financial firms, and the group’s work represents an alarmingly vast set of campaigns. It's also unclear who has been footing the bill.
Phishing Campaign Stoops to Using Black Lives Matter
If you get a suspicious-looking email asking you to "vote anonymous about Black Lives Matter" with a Microsoft Word attachment, please don't click. It's likely part of a new phishing campaign laced with the notorious Trickbot malware. If there's any good news here, it's that phishing operators for now at least appear not to be using the BLM movement in any widespread fashion—other than whoever decided to stoop that low for this one.