Security News

Facebook expands its Oversight Board scope

Avast Security News Team, 16 April 2021

Plus, WhatsApp and Clubhouse face privacy issues and the FBI protects unsuspecting users by...hacking them?

Facebook made an announcement this week that it has expanded the scope of its Oversight Board to include appeals against content that has been left up on either Instagram or Facebook after someone had reported it. Previously, the Oversight Board would only review appeals against content that had been taken down. The new purview grants users the right to file an appeal against either decision. “Removing content is a delicate matter,” commented Avast Security Evangelist Luis Corrons. “At the end of the day, it could be considered censorship of published information. While there are certain topics that are clear, like breaking the law or the platform’s code of conduct, others are more ambiguous.”

Comprised of 40 diverse members from around the world, the Oversight Board comes into play only after Facebook’s regular content review process has made a judgment on reported content. Because Facebook and Instagram receive so many requests for appeals after such a judgment, the Oversight Board handpicks which cases it will review. According to Facebook, the board’s directive is to select “cases that affect many users, are of critical importance to public discourse, and/or raise important questions about Facebook policies.”

Clubhouse says data breach was not a breach

After 1.3 million Clubhouse user records showed up in an SQL database on a popular hacker forum, many thought the new and trending social media platform had suffered a data breach. A tweet from Clubhouse, however, informed users there was no breach or hack – the data was simply public information available to anyone. It included user IDs, names, photo URLs, usernames, Twitter handles, Instagram handles, numbers of followers, numbers of accounts followed, account creation dates, and “invited by” user profile names. While the information does not include passwords or credit card numbers, it has sparked closer scrutiny of the security and privacy measures, or lack thereof, used by Clubhouse. Read more on CyberNews.

Cyberstalkers aided by WhatsApp online status

Even as Apple and Google endeavor to remove all stalkerware apps from their stores, cyberstalkers can still find tools to track their victims, particularly with apps that log WhatsApp online statuses. A new blog post by the developers of the Traced app delves into the WhatsApp privacy loophole that enables stalkers to observe their victims’ WhatsApp behaviors through legitimate apps offering the service under the guise of tracking one’s minor children. These apps live on the stalkers’ phones, which obviates the need to surreptitiously install anything on the victims’ phones. Some of the WhatsApp status tracing apps even allow users to compare two different WhatsApp accounts, giving them visibility as to whether two users were online at the same time, perhaps talking with each other. Anyone who believes they may be being stalked can seek help from the Coalition Against Stalkerware.

Scammers target funerals for Covid-19 victims

The U.S. Federal Trade Commission (FTC) issued an alert this week that scammers are taking advantage of a new Federal Emergency Management Agency (FEMA) program that offers financial assistance of up to $9,000 to help pay for the funerals of victims of Covid-19. The program just started up this week, and phishing emails are already circulating, posing as the government offering to get people “registered” for assistance. If you receive one of these emails, remember that the real FEMA will not contact you unless you’ve applied for assistance. FEMA will not ask you to pay anything up front to receive the financial help, and it will not ask for your Social Security, bank account, or credit card numbers.

FBI hacks unsuspecting users to remove backdoors

The FBI has obtained court approval from the Southern District of Texas to hack into hundreds of unsuspecting users’ computers in order to remove a vulnerable back door that had been placed there by cyberattacks throughout January and February 2021. The attacks targeted thousands of Microsoft Exchange Servers in the United States, inserting a web shell in their systems that would allow for future access and hacks. The attacks were publicized and patched in March, but the FBI noticed that the web shell had not been removed from several hundred U.S. computers. Gaining court authorization, the FBI hacked into the vulnerable systems – usually without the owners’ knowledge – and programmed the web shells to delete themselves. Read more on The Verge.

This week’s ‘must-read’ on The Avast Blog

Last month, we told you about a series of critical vulnerabilities in Microsoft Exchange that were under attack. This month, Microsoft has released a new series of patches for a new, different set of critical vulnerabilities affecting Exchange.