Anti-Social Media

Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)

However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over the Cambridge Analytica, it’s self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help but notice that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest. Starting with a minor deluge of advice from various quarters:

[20th October 2018]

BBC: Children ‘blackmailed’ for sexual images in online video chats. “A surge in the use of video chats and live-streaming among children is leaving them vulnerable to abuse, the NSPCC has warned, calling for a social network regulator to be introduced.”


Graham Cluley: Facebook Portal isn’t designed to be as private as you might hope – Graham says “I doubt I’m alone in the world in thinking that allowing Facebook, of all companies, into your home with a microphone and a video camera is a pretty terrible idea.” Indeed he isn’t… And this story is not reassuring, with FB’s weaselly partial backtracking on the assertion that it would not collect data for targeted advertising.


I’m not the biggest fan of SANS and its newsletters. (That would be SANS…) But the Top Of The News section in its October 19th 2018 Newsbites newsletter includes a number of links relevant to election interference and social media that you might find worth reading.

[19th October 2018]

ESET: Tumblr patches bug that could have exposed user data
The microblogging platform is assuring its users that has found no evidence that any data was actually stolen

The Register: Tumblr turns stumblr, left humblr: Blogging biz blogs bloggers’ private info to world+dog – “Tumblr today reveal it has fixed a security bug in its website that quietly revealed private details of some of its bloggers”


The Next Web: Twitter releases 10M Iranian and Russian propaganda tweets ahead of US Midterms – “Twitter yesterday released a bevy of data related to Iranian and Russian-sponsored misinformation campaigns started as long ago as 2009. The hope, in releasing the trove, is that academics and researchers will use it to come up with solutions to the propaganda problem plaguing US politics.”

[17th October 2018]

Sophos: Donald Daters app for pro-Trump singles exposes users’ data at launch – “Donald Daters, a new dating app that promises to “make dating great again” has instead leaked its users’ data.”

The Mercury News: Facebook lured advertisers by inflating ad-watch times up to 900 percent: lawsuit – “A group of small advertisers … alleged in the filing that Facebook “induced” advertisers to buy video ads on its platform because advertisers believed Facebook users were watching video ads for longer than they actually were.”

[12th October 2018]

Sophos: Instagram tests sharing your location history with Facebook – “For those Facebook users who still cling to the notion that they can limit Facebook’s tracking of our lives like it’s an electronic bloodhound, you should be aware that its Instagram app has been prototyping a new privacy setting that would enable location history sharing with its parent company.”

The Register: Facebook mass hack last month was so totally overblown – only 30 million people affected – “Good news: 20m feared pwned are safe. Bad news: That’s still 30m profiles snooped…”

[10th October 2018]

Catalin Cimpanu for ZDnet: Google sets new rules for third-party apps to access Gmail data – “All Gmail third-party apps with full access to Gmail user data will need to re-submit for a review by February 15, 2019, or be removed.” Meanwhile, according to the Hacker News: Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users’ Data.

“The vulnerability was open since 2015 and fixed after Google discovered it in March 2018, but the company chose not to disclose the breach to the public—at the time when Facebook was being roasted for Cambridge Analytica scandal.”

The Register comments: Google now minus Google Plus: Social mini-network faces axe in data leak bug drama – “Project Zero would have been all over this – yet it remained under wraps”


Pierluigi Paganani: Hackers can compromise your WhatsApp account by tricking you into answering a video call

The Register:  Rap for WhatsApp chat app chaps in phone-to-pwn security nap flap – “Memory corruption flaw present in Android, iOS builds. Aaand it’s been fixed”

[6th October 2018]

Lisa Vaas for Sophos: Facebook finds “no evidence” attackers accessed third-party apps – “Facebook said … Nevertheless, it’s building a tool to allow developers to manually identify which of their apps’ users may have been affected, so they can log them out.”

[3rd October 2018]

ESET: Facebook: No evidence attackers used stolen access tokens on third-party sites
“The social networking behemoth is expected to face a formal investigation by Ireland’s Data Protection Commission in what could be the “acid test” of GDPR since the law became effective in May”


Graham Cluley: Two reasons to reconsider your Facebook membership
“Not only was it revealed that millions of users had their accounts exposed by a vulnerability, but the site has been up to dirty tricks with mobile phone numbers you gave them to supposedly enhance your security.”


Joseph Cox for Motherboard: Hackers Are Holding High Profile Instagram Accounts Hostage

Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom.[29th September 2018]

Kaspersky: What do you need to do about the recent Facebook security breach?

[28th September 2018]

Thomas Claburn for The Register: Facebook sued for exposing content moderators to Facebook – “Endless series of beheadings and horrible images take mental toll, US lawsuit claims”


Silicon: WhatsApp Founder Admits Selling Out Privacy To Facebook – “Co-founder of WhatsApp Brian Acton admits selling out the privacy of WhatsApp users to Facebook”


Sophos: Facebook scolds police for using fake accounts to snoop on citizens

‘In a letter to MPD Director Michael Rallings, Facebook’s Andrea Kirkpatrick, director and associate general counsel for security, scolded the police for creating multiple fake Facebook accounts and impersonating legitimate Facebook users as part of its investigations into “alleged criminal conduct unrelated to Facebook.”’


New York Times: Facebook Network is Breached, Putting 50 Million Users’ Data at Risk

The Register: Facebook confesses crappy code has exposed up to 90 million users to hackers

[24th September 2018]

Lisa Vaas for Sophos: Years on, third party apps still exposing Grindr users’ locations – “Grindr, the premium gay dating app, is exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status…

…Still.”


Nathan Gleicher for Facebook: Expanding Security Tools to Protect Political Campaigns – “Over the past year, we have invested in new technology and more people to stay ahead of bad actors who are determined to use Facebook to disrupt elections. Today we’re introducing additional tools to further secure candidates and campaign staff who may be particularly vulnerable to targeting by hackers and foreign adversaries. This pilot program is an addition to our existing security tools and procedures, and we will apply what we learn to other elections in the US and around the world.”

Commentary by Danny Bradbury for Sophos: How Facebook wants to protect political campaigners from hacking – “Facebook is making the extra protections available to a select class of political operatives, namely candidates for federal or statewide office, and staff members and representatives from federal and state political party committees.”


Lisa Vaas for Sophos: Facebook faces sanctions if it drags its feet on data transparency – Vera Jourova, the European Commissioner for justice, consumers and gender equality, is evidently not in the least impressed.

[18th September 2018]

Danny Bradbury for Sophos: Deepfake pics and videos set off Facebook’s fake news detector Centres on FB’s announcement that “To date, most of our fact-checking partners have focused on reviewing articles. However, we have also been actively working to build new technology and partnerships so that we can tackle other forms of misinformation. Today, we’re expanding fact-checking for photos and videos to all of our 27 partners in 17 countries around the world (and are regularly on-boarding new fact-checking partners). This will help us identify and take action against more types of misinformation, faster.”

The Register: Not so much changing their tune as enabling autotune: Facebook, Twitter bigwigs nod and smile to US senators – “Google slammed for no-show”


Graham Cluley: Twitter testing new feature that reveals when you’re online – “WHO OTHER THAN STALKERS ACTUALLY WANTS THIS?”


Lisa Vaas for Sophos: Review that! Fake TripAdvisor review peddler sent to jail

“The owner of a fake-review factory is going to get a chance to write a review about his trip to the inside of an Italian jail.

TripAdvisor announced (PDF) on Wednesday that, in one of the first cases of its kind, the criminal court of the Italian city of Lecce has ruled that writing fake reviews, under a fake identity, is criminal conduct.”


Michigan News (University of Michigan): Fake news detector algorithm works better than a human – “ANN ARBOR—An algorithm-based system that identifies telltale linguistic cues in fake news stories could provide news aggregator and social media sites like Google News with a new weapon in the fight against misinformation.

The University of Michigan researchers who developed the system have demonstrated that it’s comparable to and sometimes better than humans at correctly identifying fake news stories.”

[31st August 2018]

Raj Samani (McAfee) for Help Net: The anatomy of fake news: Rise of the bots

[30th August 2018]

Tomáš Foltýn for ESET: Instagram expands 2FA and account verification – “The move is part of a three-pronged plan that is intended to bolster user trust and safety on the photo-sharing platform”

Brian Krebs: Instagram’s New Security Tools are a Welcome Step, But Not Enough – “…Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number…”

[28th August 2018]

Lisa Vaas for Sophos: Tumblr outlaws creepshots and deepfake porn – “The blogging site wants to go back to a simpler time, where, it says, people were a lot nicer … and didn’t glorify gore and upskirting.”

[26th August]

I was a little late spotting this New York Times article from August 21st: Sheera Frenkel and Nicholas Fandos: Facebook Identifies New Influence Operations Spanning Globe – “We know that trolls on social media are trying to sow discord on contentious subjects like race, guns and abortion, but how do they do it? Here is a visual guide to their strategy.”

It’s starting point is this article from Facebook – Taking Down More Coordinated Inauthentic Behavior – regarding how it has taken down 652 pages, groups and accounts for ‘inauthentic behavior’ after receiving information from FireEye about ‘Liberty Front Press’. FireEye’s analysis is summarized here – Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East – linking to a 38-page report. Fascinating stuff.

[24th August]

Richi Jennings for TechBeacon’s Security Blogwatch: It’s election hacking season: Are you a target? A selection of commentary from a variety of sources. “Allegedly, Russia and Iran have been phishing, hacking, and building fake profiles on Facebook, Twitter, and YouTube…With the midterms just a few months away, the froth is building.”


Graham Cluley for BitDefender: Facebook pulls its VPN from the iOS App Store after data-harvesting accusations – “Facebook has withdrawn its Onavo Protect VPN app from the iOS App Store after Apple determined that it was breaking data-collection policies.”

John Leyden for The Register: Facebook pulls ‘snoopy’ Onavo VPN from Apple’s App Store after falling foul of rules


Rebecca Hill for The Register: Chap asks Facebook for data on his web activity, Facebook says no, now watchdog’s on the case – “Info collected on folk outside the social network ‘not readily accessible’ … Facebook’s refusal … is to be probed by the Irish Data Protection Commissioner … Under the General Data Protection Regulation … people can demand that organisations hand over the data they hold on them.”


Lisa Vaas for Sophos: Facebook’s rating you on how trustworthy you are – a good analysis of the difficulties Facebook and other social media face in addressing the problem of fake news.

[21st August 2018]

A paper by Professor Douglas C. Schmidt on Google Data Collection makes clear just how much information Google is collecting about its users and the purposes for which it can be used. It is … disquieting …


Rebecca Hill for The Register: Bloke hurls sueball over Google’s ‘is it off yet?’ location data slurping – “…a lawsuit has accused the search-cum-ads biz of unlawfully invading users’ privates and intentionally complicating the opt-out process…after last week’s Associated Press probe into location data slurping.”


Lisa Vaas for Sophos: Social networks to be fined for hosting terrorist content – “On Sunday, the Financial Times reported that the EC’s going to follow through on threats to fine companies like Twitter, Facebook and YouTube for not deleting flagged content post-haste.”


An article in the New York Times focuses on a paper by Karsten Müller and Carlo Schwarz of the University of Warwick that made a startling assertion: “Wherever per-person Facebook use rose to one standard deviation above the national average, attacks on refugees increased by about 50 percent.” I don’t think they mean to imply that Facebook directly or intentionally encourages the negative traits that such attacks represent: more that it “isolates us from moderating voices or authority figures, siphons us into like-minded groups and, through its algorithm, promotes content that engages our base emotions.” Or to put it another way, our tendency to group ourselves into like-minded ‘bubbles’ inclines us to make distorted assumptions about how widespread our pet beliefs are, assumptions reinforced by ‘superposters’ who energetically promulgate those same beliefs.

While it’s not exactly the same thing,, being more focused on anonymity and pseudonymity,  I was reminded of an older paper by Mich Kabay that has influenced my own thinking significantly over the years: Anonymity and Pseudonymity in Cyberspace: Deindividuation, Incivility and Lawlessness Versus Freedom and Privacy. The similarity is in the examination of the ways in which online behaviour can differ (for the worse) from behaviour in the real world. The difference is the way in which the Warwick study suggests that behaviour in the real world can be redirected into unacceptable channels by perceptions moulded by social media.

[17th August]

[Big catch-up after over a week Out of Office]

Zeljka Zorz for Help Net: Turning off Location History doesn’t prevent Google from knowing your location  – “If you believe that by turning off Location History on your Android device or iPhone means that Google won’t be able to know your location, think again: Princeton University researchers have confirmed Google services store users’ location regardless of those settings.”

Help Net is quoting research performed on behalf of Associated Press…”  AP says “Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored…That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.”


Kashmir Hill and Surya Mattu for Gizmodo: Facebook Wanted Us to Kill This Investigative Tool  – “Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations….In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. …. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.”

Facebook, it seems, wasn’t happy about the release of the tool, for more than one reason. I can actually understand that the terms of service that it might violate are at least in part imposed for reasons of security (or should be). Yet Gizmodo points out that “Journalists need to probe technological platforms in order to understand how unseen and little understood algorithms influence the experiences of hundreds of millions of people”: Facebook’s apparent distrust of this assertion may tell us something about its PR worries, and even about the intrusive nature of the algorithms it prefers to keep secret.


Graham Cluley: Twitter CEO says they’re taking no action against InfoWars and Alex Jones
IT’S THE SAME CONTENT THAT FACEBOOK, YOUTUBE, SPOTIFY, AND APPLE BANNED.
If you’re unaware of the fuss about Jones, you might like to check out this article in the New York Times: Alex Jones, Pursued Over Infowars Falsehoods, Faces a Legal Crossroads


Teiss: Facebook denies it asked banks to share customers’ financial information –  Summarizes a story from the Wall Street Journal which I haven’t read because I’m not a subscriber.


Pierluigi Paganini: Social Mapper – Correlate social media profiles with facial recognition
“Security experts at Trustwave have released Social Mapper, a new open-source tool that allows finding a person of interest across social media platform using facial recognition technology…Experts from Trustwave warn of potential abuses of Social Mapper that are limited “only by your imagination.””

Which is unfortunate in that it’s easily found for free…


An interesting article by William Suberg for CoinTelegraph: Researchers Reveal Network of 15K Crypto-Related Scam Bots on TwitterNew research published today, Aug. 6, has shed light on the infamous phenomenon of cryptocurrency-related Twitter accounts advertising fake “giveaways,” revealing a network of at least 15,000 scam bots.”

[3rd August 2018]

A fascinating article for Quartz by Nikhil SonnadEverything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)

The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”

[2nd August 2018]

(1)

New York Times: Facebook Has Identified Ongoing Political Influence Campaign – “Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.”

Commentary from The Register: Facebook deletes 17 accounts, dusts off hands, beams: We’ve saved the 2018 elections – “Yeah, that’ll do the trick, Mark”

Facebook’s own blog post: Removing Bad Actors on Facebook

(2)

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

(3)

The Register: UK ‘fake news’ inquiry calls for end to tech middleman excuses, election law overhaul  “British lawmakers have been told to create tougher rules for social media giants claiming to be neutral platforms, establish a code of ethics for tech firms, and plump up the UK’s self-styled “data sheriff”.”

(4)

Roger Thompson (Thompson Cyber Security Labs): Ok, this was scary – a disquieting example of how much more information is ‘publicly available’ than you probably think. Even scarier is the question of how much publicly available information is actually accurate.

[27th July 2018]

Reuters: Facebook’s grim forecast: privacy push will erode profits for years “The plummeting stock price wiped out as much as $150 billion in market capitalization and erased the stock’s gains since April when Facebook announced a surprisingly strong 63 percent rise in profit and an increase in users.” John Gruber offers terse but to-the-point commentary.

Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers  – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

Also from Lisa Vaas: Crimson Hexagon banned by Facebook over user data concern – “The Wall Street Journal last week reported that Facebook is investigating whether the firm’s contracts with the US government and a Russian nonprofit tied to the Kremlin violated its policies.”

Yet another article from the prolific Ms Vaas: Names and photos of Venmo ‘drug buyers’ published on Twitter – she offers another example of data scraped from publicly available data and used inappropriately and misleadingly. A recent article by John E. Dunn describes a rather more responsible use of Venmo’s open privacy settings: Venmo users: time to hide your drug deals and excessive pizza consumption.

And another. Maybe you should just shoot over to the Naked Security site while I get on with some other work… WhatsApp limits message forwarding in response to lynchings – an indication that fake news is no joke, and can be a matter of life or (more to the point) death. In recent months, “India …  has seen dozens of mob lynchings sparked by rumors that have spread virally on social media.”

[23rd July 2018]

Nick Statt for The Verge: Undercover Facebook moderator was instructed not to remove fringe groups or hate speech – “A new documentary details how third-party Facebook moderators ignore the company’s rules … The accusation is a damning one, undermining Facebook’s claims that it is actively trying to cut down on fake news, propaganda, hate speech, and other harmful content that may have significant real-world impact.” The investigation focuses on CPL Resources, which provides a third-party content moderation service.

In an interview with Kara Swisher, Zuckerberg tries to explain why Facebook hasn’t simply taken down InfoWars presence on the platform, but simply moved them ‘down the line’ by reducing distribution. Hmm.  Good interview, though, and lots of glimpses into the man’s head.

The Register: ‘Elders of the Internet’ apologise for social media, recommend Trump filters to fix it – “‘USENET was a pretty clear warning’ of things to come, says new draft IETF standard” I don’t think this IETF draft is entirely serious, but perhaps it should be. IT security remains fixated on technical security and has tended to fight shy of the psychosocial aspects of Internet interaction. Certainly the anti-malware industry in general could have paid more attention to the psychology of the victim than it has. And yes, USENET was a pretty good indication of how awful social media might (and did) turn out to be. And yes, abstention from social media and whisky do both have some appeal… A joke with teeth…

[15th July 2018]

Me, for this blog: Machine learning: science, engineering, or magic fairy dust?

ESET: Facebook fined over data privacy scandal

You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually indicate why the penalty was so much less than you might have expected (in theory, up to 4% of the company’s total income).

(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”

(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.

[11th July 2018]

The Register: Brit privacy watchdog reports on political data harvests: We’ve read the lot so you don’t have to – “‘Cambridge Analytica had data ferreted away on disconnected servers, Twitter actually kicked the firm’s ads off its platform, and Facebook still has a lot of questions to answer.”

Washington Post: Twitter is sweeping out fake accounts like never before, putting user growth at risk – “Twitter suspended more than 70 million accounts in May and June, and the pace has continued in July”

Sophos: Apple and Google questioned by Congress over user tracking – “Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.

Sophos: Facebook stares down barrel of $660,000 fine over data slurping. David Bisson notes: Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal, And Graham Cluley comments: Facebook fined a paltry £500,000 (8 minutes’ revenue) over Cambridge Analytica scandal. Quite…

Pierluigi Paganini: Timehop data breach, data from 21 million users exposed. “The company admitted that hackers obtained access credential to its cloud computing environment, that incredibly was not protected by multifactor authentication.”

[5th July 2018]

Graham Cluley:

Carole Cadwalladr takes us behind the scenes of the Cambridge Analytica investigation – HOW MILLIONS OF FACEBOOK USERS’ PERSONAL DATA WERE USED TO INFLUENCE THE US ELECTION AND BREXIT. “Last week, Carole Cadwalladr won The Orwell Prize for Journalism for her work investigating the impact of big data on the EU Referendum at the US Presidential election.”

Rhett Jones for Gizmodo: Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It

[28th June 2018]

Tomáš Foltýn for ESET: How (over)sharing on social media can trip you up. In case you’d forgotten just how many ways there are in which oversharing information can harm you…

The Register: Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles – “Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people’s personal information from their Facebook profiles.” In case you thought Facebook was past all that…

Maria Varmazis for Sophos: Are you happy with this technology that Facebook’s developing? – actually commentary on a story in the New York Times about what Facebook’s patent applications tell us. It seems that there are few aspects of our personal lives that Facebook isn’t  interested in tracking.  Though Maria rightly points out that “these patents are not a product roadmap for Facebook, so it is entirely possible we’ll never see them in action.” Unless, perhaps, FB is encouraged to pursue them by future commercial and political developments…

Also from Sophos: Facebook and Google accused of manipulating us with “dark patterns” – “In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy.” However, there are lots of more blatant manipulations to be seen: in many cases, it’s just a case of ‘let us drop our cookies or miss out on what we’re offering.”

[27th June 2018]

Metro: Facebook wants to hide secret inaudible messages in TV ads that can force your phone to record audio – this is so blatant I find it hard to believe, despite my own distrust of Zuckerberg and his minions. But I suppose we’ll see.

[20th June 2018]

Lukas Stefanko : New Telegram-abusing Android RAT discovered in the wild – “Entirely new malware family discovered by ESET researchers”

[15th June 2018]

Bloomberg: Apple Tries to Stop Developers From Sharing Data on Users’ Friends – “Apple Inc. changed its App Store rules last week to limit how developers use information about iPhone owners’ friends and other contacts, quietly closing a loophole that let app makers store and share data without many people’s consent.

[8th June 2018]

John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain co”mpany’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.

On the other hand: Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends –
“The company formed data-sharing partnerships with Apple, Samsung and
dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside  – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

[6th June 2018]

The Register: ‘Tesco probably knows more about me than GCHQ’: Infosec boffins on surveillance capitalism – “Cambridge Uni powwow broods on Facebook, Wannacry” There seem to have been a lot of good points made there. I’m rather sorry I didn’t get to it, but it’s a long way from my part of the world…

Surveillance by cookie isn’t, of course, confined to social media. Perhaps more people have become aware of them recently with the pitter-patter of GDPR-inspired pop-ups on sites noting that they use them, and on occasion requiring visitors to agree to their being used if they’re to continue using the site. What could go wrong? Here’s an interesting, mildly techie paper from Digital Interruption: Are Your Cookies Telling Your Fortune? – An analysis of weak cookie secrets and OSINT. OSINT, by the way, is Open-Source Intelligence, information gathered from publicly available sources.

Sophos: Facebook faces furious shareholders at annual meeting – “Another investor, Will Lana of Trillium Asset Management, said that his firm has been keeping track of the scandals in which Facebook is embroiled. It’s tallied “at least 15 distinct controversies,” he said, as he spoke in favor of a proposal to change the board’s approach to risk management”. [But don’t worry:  Zuckerberg and the Board of Directors managed to ’emerge from the meeting unscathed’. Well, you can worry if you like…]

Thomas Claburn for The Register: Facebook insists device data door differs from dodgy dev data deal – “Facebook on Sunday said an arrangement that gave some 60 mobile device makers access to data about device users’ Facebook friends is not at all like the deal it made with app developers that gave rise to the Cambridge Analytica scandal.” Oh, good…

Given the number of Facebook denizens who are interested in genealogy and heredity, this seems a suitable place to mention a Brian Krebs article: Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage

Catalin Cimpanu for Bleeping Computer: Washington State Sues Facebook and Google Over Election Ads – “Washington State Attorney General Bob Ferguson filed two lawsuits on Monday against Facebook and Google on the grounds of breaking local campaign finance laws.”

Here are a couple of items I’ve also posted to the Mac Virus site, and which are also relevant to the anti-social media page. I haven’t paid much attention to news-recycling sites (apart from The Register, maybe)  in recent years, but these two ZDNet reports actually mildly impressed me.

Adrian Kingsley-Hughes for ZDNet: Your iPhone is tracking your movements and storing your favorite locations all the time. He says: “Now, you may be like me and not care about this data being collected, and might even find it a useful record of where you’ve been over the previous weeks and months. But if you’re uncomfortable for any reason with this data being collected, then Apple offers several ways you can take control over it.” Even if you don’t mind these data being collected by your operating system, you also have to think about the apps that may be accessing it at second hand.

Kind of weirdly, Larry Dignan (also for ZDNet) tells us that Apple, Google have similar phone addiction approaches with iOS, Android. Well, it’s always nice (if unexpected) when Big Business displays a sense of civic responsibility. However, Dignan is probably right when he remarks: “The research is just starting to be compiled on smartphone addiction and what happens when your life is overloaded by apps and notifications. Think of the digital health push from Apple and Google as a way to provide talking points before screen time becomes a Congressional hearing someday.”

[1st June 2018]

Tomáš Foltýn for ESET: More curious, less cautious: Protecting kids online – “How we can help protect a generation for which digital is the way of the world?”

[30th May 2018]

Sophos: Facebook battles tiny startup over privacy accusations John E. Dunn remarks:

“You can argue Six4Three’s allegations either way … they’re another example of the way the company perfectly understood the value of its user data and wanted to monetise it.”

“Alternatively, by restricting third parties, Facebook was simply reigning in risky access that privacy advocates believe should never have been allowed in the first place.”

[26th May 2018]

(1) Graham Cluley for ESET:  Woman says Alexa recorded and shared the private conversation she was having with her husband – “It’s every Amazon Alexa owner’s worst nightmare – your private conversations not just being listened to, but shared with random contacts without your knowledge.” Here’s Amazon’s curious explanation of how it happened:

“Echo woke up due to a word in background conversation sounding like ‘Alexa.’ Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right’. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”

(2) Also from ESET: Facebook refines 2FA setup, adds authenticator app support

(3) The Register: Welcome to your sci-fi dystopia: Sonic firewalls to crumble inaudible ad-tracking phone cookies – “Ultrasonic packets of data to and from your handheld killed

(4) The Register: New Facebook political ad rules: Now you must prove your ID before undermining democracy – “The horse is a speck on the horizon – but at least the barn door now has a bolt on it … Facebook has rolled out its promised disclosure regime for political and issue advertising, heralding a new age of transparency and civic responsibility. Or so Facebook folks suggest…”

(5) Sophos: Google in court over ‘clandestine tracking’ of 4.4m iPhone users

(6) Sophos (again): Facebook’s counterintuitive way to combat nonconsensual porn

(7) The Register: ‘Facebook takes data from my phone – but I don’t have an account!’ – “Reg reader finds mobile apps can’t be cut or quieted”

(8) Gizmodo: Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law – “So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.”

[20th May 2018]

Bleeping Computer: The Facebook Android App Is Asking for Superuser Privileges and Users Are Freaking Out

New Scientist: Huge new Facebook data leak exposed intimate details of 3m users  – “Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.” And some commentary from The Register: How could the Facebook data slurping scandal get worse? Glad you asked – “Three million “intimate” user profiles offered to researchers”

And commentary from Sophos: Facebook app left 3 million users’ data exposed for four years

[14th May 2018]

Infoblox have a very interesting report on What is Lurking on Your Network – Exposing the threat of shadow devices.

In his foreword, Gary Cox says:

“For IT departments, the complexities and security issues around managing BYOD schemes and unsanctioned Shadow IT operations have long been a cause for concern.

“In an increasingly complex, connected world, this challenge has now been exacerbated by the explosion in the number of personal devices individuals own, as well as the plethora of new IoT devices being added to the network.”

More reasons to feel uncomfortable with the unfettered enthusiasm for BYOD.

Commentary/summary from Help Net Security: Exposing the threat of shadow devices: “Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39 percent), as well as to download apps, games and films … These practices open organizations up to social engineering hacks, phishing and malware injection.”

Updates 12th May 2018

Updates 5th May 2018

Lots of commentary this week on Twitter’s mishaps with our credentials:

The Register: Google will vet political ads to ward off Phantom Menace of fake news – “Mountain View’s Empire Strikes Back against election meddling”

And The Register again, on old favourite Facebook: Time to ditch the Facebook login: If customers’ data should be protected, why hand it over to Zuckerberg? – “How The Social Network and its partners use that info is a total black box”

Updates 3rd May 2018

Kaspersky Threat Post: TENS OF THOUSANDS OF MALICIOUS APPS USING FACEBOOK APIS – “At least 25,936 malicious apps are currently using one of Facebook’s APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address.”

The Register:

Talking of Zuckerberg, here’s his summary of the forthcoming ‘Clear History’ control.

Updates 1st May 2018

The Guardian: WhatsApp CEO Jan Koum quits over privacy disagreements with Facebook – “WhatsApp was built with a focus on privacy and a disdain for ads, but the Facebook-owned service is now under pressure to make money”

Selina Wang for Bloomberg: Twitter Sold Data Access to Cambridge Analytica–Linked Researcher. And commentary from Help Net.

ENISA: Strengthening network & information security & protecting against online disinformation (“fake news”) – “In this paper, ENISA presents some views on the problem of online disinformation in the EU from a Network and Information Security (NIS) perspective. A number of recommendations are presented which relate both to general NIS measures, as well as targeted measures to protect against online disinformation specifically.”

Updates 27th April 2018

Also from Sophos: Know what Instagram knows – here’s how you download your data

The Register: Facebook: Crisis? What crisis? Look at our revenue, it’s fantastic “But analysts say ditch your stock as opex set to blow up”

And again from Sophos: Yahoo fined $35m for staying quiet about mega breach

Updates 25th April 2018

The Register: Happy having Amazon tiptoe into your house? Why not the car, then? In-trunk delivery – what could go wrong? – “New Bezos scheme opens up vehicles as drop-off points” What could go wrong?

Sophos: Ex-Reddit mogul apologizes for making the world ‘a worse place’ “New York Magazine recently interviewed McComas for a project called “The Internet Apologizes.”That project has involved interviews with more than a dozen prominent technology figures about “what has gone wrong with the contemporary internet.” “

Updates 23rd April 2018

Hacker News: Flaw in LinkedIn AutoFill Plugin Lets Third-Party Sites Steal Your Data. Summarizes Jack Cable’s article LinkedIn AutoFill Exposed Visitor Name, Email to Third-Party Websites.

Updates 21st April 2018

(1) Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law – “The previously unreported move, which Facebook confirmed to Reuters on Tuesday, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.” (HT to Artem Baranov)

(2) Steven Englehardt et al: No boundaries for Facebook data: third-party trackers abuse Facebook Login – “Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through “login with Facebook” and other such social login APIs. Specifically, we found two types of vulnerabilities:

  • seven third parties abuse websites’ access to Facebook user data
  • one third party uses its own Facebook “application” to track users around the web.”

Commentary from The Register: Facebook’s login-to-other-sites service lets scum slurp your stuff – “A security researcher has claimed it’s possible to extract user information from Facebook’s Login service, the tool that lets you sign into third-party sites with a Facebook ID.”

(3) Help Net: Researchers develop algorithm to detect fake users on social networks – “Ben-Gurion University of the Negev and University of Washington researchers have developed a new generic method to detect fake accounts on most types of social networks, including Facebook and Twitter.”

Paper is here: Generic anomalous vertices detection utilizing alink prediction algorithm

Commentary from The Register: Gang way! Compsci geeks coming through! AI engine can finger fakes on social networks – “Take note Twitter, Facebook et al, it’s really not that hard to weed out bots”

(4) Graham Cluley: Facebook pushes ahead with controversial facial recognition feature in Europe “Facebook uses facial recognition software to automatically match people in photos your friends upload with the other billions of images on Facebook’s servers in which you might appear.”

(5) Help Net: LocalBlox found leaking info on tens of millions of individuals – “The discovery was made by UpGuard researcher Chris Vickery, who stumbled upon the unsecured Amazon Web Services S3 bucket holding the data, bundled in a single, compressed file. When decompressed, it revealed 48 million records in a format that’s easy for anyone to peruse.”

Here’s the Upguard blog post.

And commentary from Graham Cluley for Hot for security: 48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download

(6) Sophos: Facebook: 3 reasons we’re tracking non-users – more light cast into the shadows by the House Energy and Commerce Committee’s questions to Mark Zuckerberg.

(7) The Guardian: Far More Than 87 Million Facebook Users Had Data Compromised by Cambridge Analytica

(8) Sophos: Google in hot water over privacy of Android apps for kids

(9) Tech Crunch: A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
“Just click accept, ignore those settings”

(10) Brian Krebs: Is Facebook’s Anti-Abuse System Broken?

Updates 17th April 2018

Brian Krebs: Deleted Facebook Cybercrime Groups Had 300,000 Members – “Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups … who flagrantly promoted a host of illicit activities on the social media network’s platform … The average age of these groups on Facebook’s platform was two years.”

Updates 15th April 2018

The Register: Super Cali’s frickin’ whiz kids no longer oppose us: Even though Facebook thought info law was quite atrocious – “Zuck & Co end fight against California’s privacy legislation” Extra points to El Reg for that title, even if it doesn’t scan very well. 🙂

Sophos: Facebook shines a little light on ‘shadow profiles’ (or what Facebook knows about people who haven’t signed up to Facebook).

Also from Sophos: Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society. OPRS is a privacy advocacy and research group aiming to “to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online…”

Updates 12th April 2018

Updates 11th April 2018

Updates 9th April 2018

Updates 8th April 2018

Updates 5th-7th April 2018

Updates 3rd/4th April 2018

Update 2nd/3rd April 2018

Updates 1st April 2018

Updates 31st March 2018

(HT to Mich Kabay for pointing out the Economist articles – NB there’s a limit on how many you can view without subscribing.)

Updates 29th March 2018

Updates 28th March 2018

Updates 26th March 2018

Updates 23rd March 2018

Updates 22nd March 2018

  • For Tech Beacon, Richi Jennings does a good job (as usual) of finding ‘bloggy bits’ relating to the Facebook/Cambridge Analytica mess: No ‘likes’ for Facebook’s API leak, but it’s not a data breach—and not news. And no, the fact that Facebook collects and shares too much information isn’t exactly news. Nor, come to that, the fact that Facebook has itself engaged in some experimental social engineering though I’m guessing that fewer people are or ever were aware of those particular experiments. I think I’ll probably come back to that…
  • A comment to Richi’s announcement of that Tech Beacon article – ironically, on Facebook – brought my attention to this article by Kalev Leetaru for Forbes:

    The Problem Isn’t Cambridge Analytica: It’s Facebook. The article makes some excellent points. For instance:

    • “In 2014 academic researchers at Cornell and Facebook published research in which they had manipulated the emotions of three quarters of a million users … the research had been fully approved by Facebook and Cornell, with ethical review by Cornell’s IRB.” Yes, that’s one of the experiments I was thinking of.
    • “A central theme of the rhetoric and coverage of Cambridge Analytica is that it somehow violated accepted societal norms over the use of Facebook data … referring to it in the cybersecurity parlance of a data “breach.” In fact, this could not be further from the truth in our modern “surveillance economy.”
  • Taylor Lorenz for The Daily Beast: Mark Zuckerberg Swears He’ll Protect Your Data—Next Time – “The Facebook chief promised users that he would do more to ensure that their online lives weren’t put up for sale. One small problem: that’s kind of Facebook’s business model.”
  • Matthew Yglesias, for Vox (that’s the news site, not the music equipment manufacturer), comments on The case against Facebook – “It’s not just about privacy; its core function makes people lonely and sad.” Well, you could argue with that tagline. FB does have a useful function in terms, for instance, of connecting with friends far away. If you keep the Big Picture in mind, you sometimes forget that there are valid reasons why people are prepared to compromise their data by using Facebook (if they think about it at all). Still, there are plenty of very valid points in the article:
    • “…according to Craig Silverman’s path-breaking analysis for BuzzFeed, the 20 highest-performing fake news stories of the closing days of the 2016 campaign did better on Facebook than the 20 highest-performing real ones.”
    • “By turning news consumption and news discovery into a performative social process, Facebook turns itself into a confirmation bias machine — a machine that can best be fed through deliberate engineering….Meanwhile, Facebook is destroying the business model for outlets that make real news.”
  • Kurt Wismer makes a good point about the get-me-out-of-here trend in The problem with #DeleteFacebook. “…a movement to abandon Facebook is going to open up a lot of opportunities for fraud all at once.” He suggests disabling rather than deleting an account. (Actually, I have a similar strategy regarding LinkedIn: I’m not job-hunting any more, but I don’t want to make misuse of my name too easy.)
  • While Brian X. Chen points out for the New York Times: Want to #DeleteFacebook? You Can Try. A few pertinent points here, too:
    • “Keep in mind that Facebook isn’t the only company capable of collecting your information. One big culprit: Web trackers, like cookies embedded into websites and their ads. They are everywhere, and they follow your activities from site to site.”
    • “…you may be better off tweaking your privacy settings on the site.”
  • Help Net Security: Facebook’s trust crisis: Has it harmed democracy?  – “Facebook is losing the faith of the Americans people, according to the Digital Citizens Alliance.

”
  • Sophos: Mozilla stops Facebook advertising, demands privacy changes
  • Mozilla: Mozilla Presses Pause on Facebook Advertising

Updates 21st March 2018

David Harley

Advertisements