Tag Archives: Facebook

Security News Bites for the Week Ending August 31, 2018

Spyware Company Leaves Terabytes of Data Unprotected

Spyfone, a software company that allows parents to spy on their kids, spouses to spy on each other and employers to spy on employees, allowed the world to spy on everyone.

The data left exposed on Amazon included photos, text messages, contacts, location information, Facebook messages and other information.

In addition to leaving all of their customers’ data exposed, their own backend servers were also left unprotected.

I guess you might call it Karma for spying on people.  Source: Motherboard.

California Tech Execs Pushing Feds to Reverse Cali Privacy Law

Between GDPR, CCPA and other new privacy laws, the tech industry is concerned that their business model is at risk.

As a result, Google, Microsoft, IBM, Facebook and others are aggressively lobbying the Trump administration and Congress to pass a weak federal privacy law that would preempt California’s law and make it easier for those companies to continue their business model as is.

Whatever happens in DC (don’t count on anything happening, but you never know), it won’t affect the changes in Europe, or in the many other countries that are passing laws similar to the EU’s so that they can do business with the EU.  Those laws will impact US businesses if they have customers in those countries.  While they could create one policy for the US and another for the rest of the world, that would be complicated.

Historically, DC has tried to pass a national privacy law, but those past attempts have been much weaker than existing state laws, which has made it difficult to get enough votes to pass one.  A tough law will be heavily lobbied against.  This is why, unlike most other countries in the world, we have no national privacy law.  Source: NY Times.

Senator Wyden Confirms Stingrays Interfere with 911 Calls

Harris Communications, maker of the Stingray, has confirmed that the feature designed to stop the Stingray from interfering with 911 calls was never tested and never confirmed to work.

Comforting.

As if that wasn’t a big enough problem, hobbyists can build a DIY Stingray for less than $1,000 in parts.

And, foreign spies are already using them in Washington, DC.

WHAT.  COULD.  GO.  WRONG??   Source: Tech Crunch.

Apple Forces Facebook VPN App Out of App Store

Facebook recently bought a company named Onavo that makes a VPN app.  The claim is that it makes your browsing more secure.

The only problem is that they had an ulterior motive.  They – Facebook – were collecting data on every web page you visited, every app you used, every bit of data you transferred.  While the bad guys couldn’t eavesdrop, Facebook could.  And did.

Well, apparently Apple had had enough of the duplicity and told Facebook to either withdraw the app voluntarily or Apple would do it for them.  The app is now gone for iPhone users.  It is still available to Android users.  Source: The Hacker News.


Facebook is in More Hot Water

Glad I am not Mark Zuckerberg.

Well, maybe.  I think I would like to have his bank account 🙂

Facebook is making some efforts to rehabilitate its image within the fundamental constraint that it sells your data for a living, while pretending that it is all for your benefit.

As part of this rehab effort, Facebook is reviewing tens of thousands (or more) of apps to find ones that are misusing data.

So far, they have “suspended” about 200 apps.

One app, myPersonality, has likely misused large amounts of data on millions of users over the last 3-4 years.  It, too, is now suspended.

To quote someone (there is a debate as to who): With Great Power Comes Great Responsibility.

This may be a defining moment for Facebook.

So what should you do?

The greatest power is the power wielded by the Internet user.  Facebook can only collect information that you provide it. Same for Google.  Sometimes the information is provided willingly.  Other times it is much less obvious, like when Google collects information about what web pages you visit and for how long.

Hopefully, for most people, it is becoming painfully obvious that YOU are the product.

So be careful about what apps you install, what data you provide and to whom.  Or not.  But, if not, understand the implications.

One thing you should assume: if you provide information to an app or a public web site, it could become public.  If that is a problem, don’t provide the information.

Information for this post came from The Register.


Friday News for May 11th, 2018

Irish High Court Deals Blow to Facebook

In yet another case that could deal a blow to the way that Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay its “referral” to the European Court of Justice.  The case in question is a ruling on whether “Standard Contract Clauses” and the U.S. Privacy Shield provide sufficient protection for EU residents’ private data.  Facebook wants to appeal, to the Irish Supreme Court, the decision to turn the question over to the ECJ, because the last place they want to be is at the ECJ, which ruled against them in their last privacy suit, the one that destroyed Privacy Shield’s predecessor, Safe Harbor (Source: Reuters).

Georgia Governor Vetoes Cybersecurity Bill

The Georgia legislature recently passed a cybersecurity bill that would likely have criminalized cybersecurity research and allowed so-called hack back attacks, where victims can hack the hackers (what could possibly go wrong when security novices go after professional hackers?).  The law, written by lawyers, was so vague that it might have made reporting a vulnerability a crime.  Just as likely, the large cybersecurity firms with offices in Georgia would have left the state, and security researchers at Georgia universities would have found more understanding states in which to do their research.  Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high-paying jobs, the governor did the expedient thing – he vetoed the bill and told the legislature to find someone who knows something about security before writing the next version (Source: CSO Online).

IBM Bans All Removable Storage

IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE from the company.  IBM’s Global Chief Information Security Officer made the announcement, saying “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”  IBM isn’t saying why now, but likely someone screwed up big time.

That being said, it is relatively easy to technically implement this ban and, if done alongside a policy on the appropriate use of services like Dropbox, Box, OneDrive and others, it will likely reduce certain types of information leakage.

What is or should be your company’s policy?  (Source: Gizmodo)

Beware of those Browser Extensions

Social engineering is still a very popular way to get you to load malware.  Researchers are warning of a campaign, said to have already infected a hundred thousand users, in which people are lured into clicking a link on social media that redirects them to a page telling them they must install a plugin or browser extension to continue reading.  DON’T!  Once the software is invited in by the user, it steals passwords for a variety of accounts.  Other variants of this type of attack could empty your bank account when you log in to your bank, or forward all of your email to the hacker.

If you think you need a plugin or browser extension to view a page and it is not already installed, independently find that extension and install it from the vendor’s site.  Make sure that the site is not one with a name similar to the real site (think App1e is not Apple, for example) that hackers have set up to fool you (Source: The Hacker News).
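One way to automate the “App1e is not Apple” check above, as an added example that is not from the original post: it reduces a URL’s registrable domain to a “skeleton” (accents stripped, digit-for-letter swaps such as 1→l undone, rn→m and vv→w folded) and compares it against an allow-list of vendor domains.  The allow-list, the two-label suffix assumption (.com/.org, not .co.uk) and the edit-distance threshold are my assumptions.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list of legitimate vendor domains (assumption for this example).
KNOWN_DOMAINS = {"apple.com", "google.com", "mozilla.org"}

# Digit-for-letter swaps common in lookalike names: 0->o, 1->l, 3->e, 5->s.
DIGIT_SWAPS = str.maketrans("0135", "oles")
# Letter pairs that render like a single letter in many fonts.
PAIR_SWAPS = (("rn", "m"), ("vv", "w"))


def registrable(url):
    """Return the last two DNS labels of the URL's host (assumes .com-style suffixes)."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain):
    """Normalise a domain so visually similar spellings collapse to one string."""
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(c for c in text if not unicodedata.combining(c))   # drop accents
    text = text.encode("ascii", "ignore").decode().lower()           # drop non-ASCII
    text = text.translate(DIGIT_SWAPS)
    for pair, rep in PAIR_SWAPS:
        text = text.replace(pair, rep)
    return text.replace("-", "")


def edit_distance(a, b):
    """Plain Levenshtein distance; one typo away from a brand is still suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """'trusted' for allow-listed domains, 'lookalike of X' for near misses, else 'unknown'."""
    domain = registrable(url)
    if domain in KNOWN_DOMAINS:
        return "trusted"
    sk = skeleton(domain)
    for known in sorted(KNOWN_DOMAINS):
        if sk == skeleton(known) or edit_distance(sk, skeleton(known)) <= 1:
            return f"lookalike of {known}"
    return "unknown"
```

A result of “unknown” only means the domain is not on the allow-list; it is the “lookalike” verdict that should stop you from installing anything from that page.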

The Dangers Of Government Surveillance

The conversation often comes up about trusting the government with all of the data they hold about us.  Some people say there is nothing to worry about if you didn’t do anything wrong.

And then reality creeps in.

Sheriff Cory Hutcheson of Mississippi County, MO, used a service sold by Securus Technologies for recording and tracking phone calls to and from prisoners.

Unfortunately, he used it to track the calls of a judge and of members of the State Highway Patrol.  This allowed him to track the location of, and obtain call data on, these people – and anyone else he wanted to.

Securus requires someone to upload a document authorizing the request and to certify that the activity is legal – basically, a pinky swear.

When the sheriff was arrested and the media went to Securus to ask about their practices, they claimed that they weren’t judges or lawyers, so, basically, they just trust people.

Sometimes trust is good, but verifying is usually better.

How much of this activity goes on?  Who knows (Source: NY Times).


Logon Using Facebook ID? Understand the Devil’s Bargain You Made

Security.  Convenience.  Pick one!  That is my forever mantra.

Now we are finding out that when you log in to your favorite site using “Login with Facebook”, your data is exposed to third parties.  Nice.

According to research from “Freedom to Tinker” at Princeton, when a user logs in using Facebook’s API, JavaScript on the site is able to grab your profile data and email address, and maybe more.

Facebook, currently in a world of hurt (worldwide) over the Cambridge Analytica mess, is magically very sensitive to people – other than themselves – stealing your data.

As of right now, they have suspended the ability to link user IDs to Facebook profile pages and are looking at what else they are willing to do to contain the damage while not damaging their business model of allowing everyone to capture and sell your data.

If all of a sudden web site operators and advertisers can no longer scrape your data, ad revenue may be flushed down the toilet.

Information for this post came from CNBC.

So, given the above, what should you do?

First, I want to make one thing clear.  Facebook is only one culprit in this game and, while it is fun beating Facebook up, we should not lose track of the bigger picture.

Any time you log in to website “B” using the userid and password from website “A” (such as using your Facebook ID to log into BandsInTown), you run the risk of exposing yourself.

While right now we are only talking about your profile and email being exposed, the developer API documentation on Facebook’s web site says:

To ask for any other permission, your app will need to be reviewed by Facebook before these permissions become visible in the Login Dialog to the public who’re logging into your app with Facebook.

I gather this means that other apps may have more of your information than we are talking about in this situation based on how well the app developer has conned Facebook (think Cambridge Analytica) or even how much they paid Facebook.

Also, the site you log into with your Facebook ID could compromise your ID and password, and then every other site you log into with your Facebook ID is also exposed.

The best solution to this is to log in to each site with its own userid and password.

Use a password manager to track this for you.  Most password managers will pick crazy passwords for you and, since they enter them in the login page automatically, you don’t have to remember them.  Win-win – better passwords and easier for you.

If you are not willing to do this, then, at least, only do this for accounts that you don’t care about – what I call throw away accounts.  Don’t do it for any account that has access to your credit card information (any e-commerce site) or bank account information.

Ultimately, the choice is yours.  Security or convenience, pick one.

And Facebook is only one site that does this shared login thing.  The problem is the same with all of them.  The list of OAuth providers (the technical term for what this process is) is long, including Google, Etsy, Flickr, Instagram and many more – see a list of them here.


Facebook Continues its Damage Control Program

Facebook is used to riding high.  Not so much lately.

First they said that Cambridge Analytica inappropriately captured the data of 47 million users after 250,000 or so users completed a survey and it captured the information of all of those people’s friends without their permission.

Now they are saying that their arithmetic wasn’t so good and it wasn’t 47 million but rather 87 million users (Source: National Review).

Facebook is also saying that “malicious actors” took advantage of the search tools on Facebook and captured public information on most of its 2 billion users.  The attack was very creative.  Take email addresses or phone numbers compromised in one of many breaches and pop them into Facebook’s search box.  Until yesterday, that would retrieve any information you marked as public, including photos, job history, friends and other information.  Yesterday, as part of their “rehabilitation”, they disabled the feature, but not before the bad guys stole terabytes of data (Source: Washington Post).

Then there was the memo by Facebook exec “Boz” who said that anything they do to connect more people is good, even if it is used by terrorists.  Now that the memo has become public, he claims that he didn’t really believe that (Source: CNBC).

Finally, after first saying that, while he liked the EU’s new privacy regulation, GDPR, Facebook had no plans to make it the rule in places where the law did not force them to, they are now saying: just kidding (Source: Ars Technica).

Okay, given that Facebook seems to be acting like the twin of Mr. Robot’s Evil Corp., what should you do?

First, be a conscious user.  Even today Facebook allows you to make information private or visible to just friends.  My posts are public, intentionally, but nothing else is public – only visible to friends.

Given that Facebook makes all of its money from selling your data, the default is always going to be to share (or steal) your data.  You need to proactively change the defaults.

As Facebook makes changes in response to the PR disaster it is in the middle of, see what new capabilities they offer and take advantage of them.

Finally, don’t post so much.  Do you really need to post everything that you do?  Once you post it, it is out there.  At least one insurance company is denying burglary claims when people posted their vacation plans before returning home.  Be smart; post less.

Social media is wonderful, but with wonderfulness comes problems, so be smart.


Facebook Caught Mining User Data Again

This time, the data that Facebook is mining is your call data and your text message data.  But there is a difference.  In this case, Facebook says that it asked permission when you installed Messenger or Facebook Lite.  However, the default was to collect the data, and it was not very clear to users that the data was being collected.

They have been doing this for both Android and iPhone users.

If you download your Facebook data (to download your data, go to http://www.facebook.com/settings and click on the tiny little link at the bottom that says “download a copy of my Facebook data”), you can see what data Facebook has.

Roughly a year ago, Facebook made it more obvious that they were collecting the data when you install the app.

Facebook says that they never sell this data (probably true) and that its purpose is to let friends find each other on Facebook and help them create a better experience for everyone (more doubtful).

OK, let’s say you are a FB Messenger user; what can you do?

1. Check if your contacts are being synced with Facebook.  The instructions are different for iPhone and Android users, but they can be found at https://www.facebook.com/mobile/messenger/contacts/.

2. You can turn off syncing contacts by following the instructions at https://www.facebook.com/help/838237596230667.  Again, the instructions are different for iPhone and Android.

3. You can also delete your call history from Messenger.  Instructions can be found at https://www.facebook.com/help/messenger-app/870177389760756?helpref=hc_fnav.

Suffice it to say, Facebook is going to try really hard to capture the data.  After all, the name of the game for them is to harvest your data to increase your use of and dependence on Facebook, and to use that data to sell you stuff.

However, you can disable it.  Just not easily.


Information for this post came from Ars Technica.
