Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)
However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over the Cambridge Analytica, it’s self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help but notice that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest. Starting with a minor deluge of advice from various quarters:
- Ioana Rijnetu for Heimdal Security from a few months back: Facebook Privacy & Security Guide: Everything You Need to Know (I haven’t looked at this closely, but I’ve frequently contributed comment to Heimdal for their “expert roundup” features like this one on software monoculture, and have a lot of respect for their willingness to put the quality of advice and information above competitive advantage.)
- The Motherboard: The Motherboard Guide to Using Facebook Safely
- Sophos: Facebook fallout: How to protect your data
- Basic fairly recent advice from SANS: Top Tips to Securely Using Social Media
- Facecrooks: How to Protect Your Facebook Account from Rogue Applications
- Lots and lots of links in Bruce Schneier’s Cryptogram for April 15th 2018.
- Sophos: How to protect your Facebook data [UPDATED]
[3rd August 2018]
A fascinating article for Quartz by Nikhil Sonnad: Everything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)
The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”
[2nd August 2018]
New York Times: Facebook Has Identified Ongoing Political Influence Campaign – “Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.”
Commentary from The Register: Facebook deletes 17 accounts, dusts off hands, beams: We’ve saved the 2018 elections – “Yeah, that’ll do the trick, Mark”
Facebook’s own blog post: Removing Bad Actors on Facebook
The Register: UK ‘fake news’ inquiry calls for end to tech middleman excuses, election law overhaul “British lawmakers have been told to create tougher rules for social media giants claiming to be neutral platforms, establish a code of ethics for tech firms, and plump up the UK’s self-styled “data sheriff”.”
Roger Thompson (Thompson Cyber Security Labs): Ok, this was scary – a disquieting example of how much more information is ‘publicly available’ than you probably think. Even scarier is the question of how much publicly available information is actually accurate.
[27th July 2018]
Reuters: Facebook’s grim forecast: privacy push will erode profits for years “The plummeting stock price wiped out as much as $150 billion in market capitalization and erased the stock’s gains since April when Facebook announced a surprisingly strong 63 percent rise in profit and an increase in users.” John Gruber offers terse but to-the-point commentary.
Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.
Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.
Also from Lisa Vaas: Crimson Hexagon banned by Facebook over user data concern – “The Wall Street Journal last week reported that Facebook is investigating whether the firm’s contracts with the US government and a Russian nonprofit tied to the Kremlin violated its policies.”
Yet another article from the prolific Ms Vaas: Names and photos of Venmo ‘drug buyers’ published on Twitter – she offers another example of data scraped from publicly available data and used inappropriately and misleadingly. A recent article by John E. Dunn describes a rather more responsible use of Venmo’s open privacy settings: Venmo users: time to hide your drug deals and excessive pizza consumption.
And another. Maybe you should just shoot over to the Naked Security site while I get on with some other work… WhatsApp limits message forwarding in response to lynchings – an indication that fake news is no joke, and can be a matter of life or (more to the point) death. In recent months, “India … has seen dozens of mob lynchings sparked by rumors that have spread virally on social media.”
[23rd July 2018]
Nick Statt for The Verge: Undercover Facebook moderator was instructed not to remove fringe groups or hate speech – “A new documentary details how third-party Facebook moderators ignore the company’s rules … The accusation is a damning one, undermining Facebook’s claims that it is actively trying to cut down on fake news, propaganda, hate speech, and other harmful content that may have significant real-world impact.” The investigation focuses on CPL Resources, which provides a third-party content moderation service.
In an interview with Kara Swisher, Zuckerberg tries to explain why Facebook hasn’t simply taken down InfoWars presence on the platform, but simply moved them ‘down the line’ by reducing distribution. Hmm. Good interview, though, and lots of glimpses into the man’s head.
The Register: ‘Elders of the Internet’ apologise for social media, recommend Trump filters to fix it – “‘USENET was a pretty clear warning’ of things to come, says new draft IETF standard” I don’t think this IETF draft is entirely serious, but perhaps it should be. IT security remains fixated on technical security and has tended to fight shy of the psychosocial aspects of Internet interaction. Certainly the anti-malware industry in general could have paid more attention to the psychology of the victim than it has. And yes, USENET was a pretty good indication of how awful social media might (and did) turn out to be. And yes, abstention from social media and whisky do both have some appeal… A joke with teeth…
[15th July 2018]
Me, for this blog: Machine learning: science, engineering, or magic fairy dust?
You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually indicate why the penalty was so much less than you might have expected (in theory, up to 4% of the company’s total income).
(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”
(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.
[11th July 2018]
The Register: Brit privacy watchdog reports on political data harvests: We’ve read the lot so you don’t have to – “‘Cambridge Analytica had data ferreted away on disconnected servers, Twitter actually kicked the firm’s ads off its platform, and Facebook still has a lot of questions to answer.”
Washington Post: Twitter is sweeping out fake accounts like never before, putting user growth at risk – “Twitter suspended more than 70 million accounts in May and June, and the pace has continued in July”
Sophos: Apple and Google questioned by Congress over user tracking – “Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.”
Sophos: Facebook stares down barrel of $660,000 fine over data slurping. David Bisson notes: Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal, And Graham Cluley comments: Facebook fined a paltry £500,000 (8 minutes’ revenue) over Cambridge Analytica scandal. Quite…
Pierluigi Paganini: Timehop data breach, data from 21 million users exposed. “The company admitted that hackers obtained access credential to its cloud computing environment, that incredibly was not protected by multifactor authentication.”
[5th July 2018]
Rhett Jones for Gizmodo: Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It
[28th June 2018]
Tomáš Foltýn for ESET: How (over)sharing on social media can trip you up. In case you’d forgotten just how many ways there are in which oversharing information can harm you…
The Register: Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles – “Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people’s personal information from their Facebook profiles.” In case you thought Facebook was past all that…
Maria Varmazis for Sophos: Are you happy with this technology that Facebook’s developing? – actually commentary on a story in the New York Times about what Facebook’s patent applications tell us. It seems that there are few aspects of our personal lives that Facebook isn’t interested in tracking. Though Maria rightly points out that “these patents are not a product roadmap for Facebook, so it is entirely possible we’ll never see them in action.” Unless, perhaps, FB is encouraged to pursue them by future commercial and political developments…
Also from Sophos: Facebook and Google accused of manipulating us with “dark patterns” – “In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy.” However, there are lots of more blatant manipulations to be seen: in many cases, it’s just a case of ‘let us drop our cookies or miss out on what we’re offering.”
[27th June 2018]
Metro: Facebook wants to hide secret inaudible messages in TV ads that can force your phone to record audio – this is so blatant I find it hard to believe, despite my own distrust of Zuckerberg and his minions. But I suppose we’ll see.
[20th June 2018]
Lukas Stefanko : New Telegram-abusing Android RAT discovered in the wild – “Entirely new malware family discovered by ESET researchers”
[15th June 2018]
Bloomberg: Apple Tries to Stop Developers From Sharing Data on Users’ Friends – “Apple Inc. changed its App Store rules last week to limit how developers use information about iPhone owners’ friends and other contacts, quietly closing a loophole that let app makers store and share data without many people’s consent.
[8th June 2018]
John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain co”mpany’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.
On the other hand: Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”
New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends –
“The company formed data-sharing partnerships with Apple, Samsung and
dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too
James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.
[6th June 2018]
The Register: ‘Tesco probably knows more about me than GCHQ’: Infosec boffins on surveillance capitalism – “Cambridge Uni powwow broods on Facebook, Wannacry” There seem to have been a lot of good points made there. I’m rather sorry I didn’t get to it, but it’s a long way from my part of the world…
Surveillance by cookie isn’t, of course, confined to social media. Perhaps more people have become aware of them recently with the pitter-patter of GDPR-inspired pop-ups on sites noting that they use them, and on occasion requiring visitors to agree to their being used if they’re to continue using the site. What could go wrong? Here’s an interesting, mildly techie paper from Digital Interruption: Are Your Cookies Telling Your Fortune? – An analysis of weak cookie secrets and OSINT. OSINT, by the way, is Open-Source Intelligence, information gathered from publicly available sources.
Sophos: Facebook faces furious shareholders at annual meeting – “Another investor, Will Lana of Trillium Asset Management, said that his firm has been keeping track of the scandals in which Facebook is embroiled. It’s tallied “at least 15 distinct controversies,” he said, as he spoke in favor of a proposal to change the board’s approach to risk management”. [But don’t worry: Zuckerberg and the Board of Directors managed to ’emerge from the meeting unscathed’. Well, you can worry if you like…]
Thomas Claburn for The Register: Facebook insists device data door differs from dodgy dev data deal – “Facebook on Sunday said an arrangement that gave some 60 mobile device makers access to data about device users’ Facebook friends is not at all like the deal it made with app developers that gave rise to the Cambridge Analytica scandal.” Oh, good…
Given the number of Facebook denizens who are interested in genealogy and heredity, this seems a suitable place to mention a Brian Krebs article: Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage
Catalin Cimpanu for Bleeping Computer: Washington State Sues Facebook and Google Over Election Ads – “Washington State Attorney General Bob Ferguson filed two lawsuits on Monday against Facebook and Google on the grounds of breaking local campaign finance laws.”
Here are a couple of items I’ve also posted to the Mac Virus site, and which are also relevant to the anti-social media page. I haven’t paid much attention to news-recycling sites (apart from The Register, maybe) in recent years, but these two ZDNet reports actually mildly impressed me.
Adrian Kingsley-Hughes for ZDNet: Your iPhone is tracking your movements and storing your favorite locations all the time. He says: “Now, you may be like me and not care about this data being collected, and might even find it a useful record of where you’ve been over the previous weeks and months. But if you’re uncomfortable for any reason with this data being collected, then Apple offers several ways you can take control over it.” Even if you don’t mind these data being collected by your operating system, you also have to think about the apps that may be accessing it at second hand.
Kind of weirdly, Larry Dignan (also for ZDNet) tells us that Apple, Google have similar phone addiction approaches with iOS, Android. Well, it’s always nice (if unexpected) when Big Business displays a sense of civic responsibility. However, Dignan is probably right when he remarks: “The research is just starting to be compiled on smartphone addiction and what happens when your life is overloaded by apps and notifications. Think of the digital health push from Apple and Google as a way to provide talking points before screen time becomes a Congressional hearing someday.”
[1st June 2018]
Tomáš Foltýn for ESET: More curious, less cautious: Protecting kids online – “How we can help protect a generation for which digital is the way of the world?”
[30th May 2018]
Sophos: Facebook battles tiny startup over privacy accusations John E. Dunn remarks:
“You can argue Six4Three’s allegations either way … they’re another example of the way the company perfectly understood the value of its user data and wanted to monetise it.”
“Alternatively, by restricting third parties, Facebook was simply reigning in risky access that privacy advocates believe should never have been allowed in the first place.”
[26th May 2018]
(1) Graham Cluley for ESET: Woman says Alexa recorded and shared the private conversation she was having with her husband – “It’s every Amazon Alexa owner’s worst nightmare – your private conversations not just being listened to, but shared with random contacts without your knowledge.” Here’s Amazon’s curious explanation of how it happened:
“Echo woke up due to a word in background conversation sounding like ‘Alexa.’ Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right’. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
(2) Also from ESET: Facebook refines 2FA setup, adds authenticator app support
(3) The Register: Welcome to your sci-fi dystopia: Sonic firewalls to crumble inaudible ad-tracking phone cookies – “Ultrasonic packets of data to and from your handheld killed
(4) The Register: New Facebook political ad rules: Now you must prove your ID before undermining democracy – “The horse is a speck on the horizon – but at least the barn door now has a bolt on it … Facebook has rolled out its promised disclosure regime for political and issue advertising, heralding a new age of transparency and civic responsibility. Or so Facebook folks suggest…”
(6) Sophos (again): Facebook’s counterintuitive way to combat nonconsensual porn
(7) The Register: ‘Facebook takes data from my phone – but I don’t have an account!’ – “Reg reader finds mobile apps can’t be cut or quieted”
(8) Gizmodo: Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law – “So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.”
[20th May 2018]
New Scientist: Huge new Facebook data leak exposed intimate details of 3m users – “Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.” And some commentary from The Register: How could the Facebook data slurping scandal get worse? Glad you asked – “Three million “intimate” user profiles offered to researchers”
And commentary from Sophos: Facebook app left 3 million users’ data exposed for four years
[14th May 2018]
Infoblox have a very interesting report on What is Lurking on Your Network – Exposing the threat of shadow devices.
In his foreword, Gary Cox says:
“For IT departments, the complexities and security issues around managing BYOD schemes and unsanctioned Shadow IT operations have long been a cause for concern.
“In an increasingly complex, connected world, this challenge has now been exacerbated by the explosion in the number of personal devices individuals own, as well as the plethora of new IoT devices being added to the network.”
More reasons to feel uncomfortable with the unfettered enthusiasm for BYOD.
Commentary/summary from Help Net Security: Exposing the threat of shadow devices: “Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39 percent), as well as to download apps, games and films … These practices open organizations up to social engineering hacks, phishing and malware injection.”
Updates 12th May 2018
- Sophos: Google cracks down on election meddling advertisers
- Raj Samani (McAfee) for Help Net Security: Social media: The zero-trust game. On social media and propaganda. See also High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign
- Pierluigi Paganini: Secret Conversation – Twitter is testing End-to-End Encryption for direct messages
- Paul Ducklin for Sophos: The WhatsApp text bomb – no, it won’t destroy your phone! But it might force a restart. I was mildly amused to note that a Sophos mail notification tagged the story “Text bomb, text bomb, WhatsApp text bomb, you can crash my application when I want to get things done,” echoing this article of mine from last February (about quite a different bug): Text bomb, text bomb you’re my text bomb… Great minds think alike…
- The Register: Crypto chat app Signal’s disappearing messages found hiding on macOS – “Mac Notification Center sometimes clones supposedly transient notes”
Updates 5th May 2018
Lots of commentary this week on Twitter’s mishaps with our credentials:
- Twitter: Keeping your account secure – “Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.”
- Graham Cluley: Yes, you should change your Twitter password – but don’t panic – “THE SKY IS NOT FALLING. BUT DO CHANGE YOUR TWITTER PASSWORD.”
- ESET: Twitter advises all users to change passwords after glitch
- Brian Krebs: Twitter to All Users: Change Your Password Now!
- Help Net Security: Twitter reveals security blunder, asks users to change their passwords
- Sophos: Twitter admits to password storage blunder – change your password now!
- And some relevant thoughts from ESET on/around World Password Day: Recycling is a must, but why would you reuse your password?
- Twitter: No big deal, but everyone needs to change their password – “Biz does a GitHub, downplays security blunder as log file of credentials left unencrypted”
The Register: Google will vet political ads to ward off Phantom Menace of fake news – “Mountain View’s Empire Strikes Back against election meddling”
And The Register again, on old favourite Facebook: Time to ditch the Facebook login: If customers’ data should be protected, why hand it over to Zuckerberg? – “How The Social Network and its partners use that info is a total black box”
Updates 3rd May 2018
- CA Commercial: Cambridge Analytica and Scl Elections Commence Insolvency Proceedings and Release Results of Independent Investigation into Recent Allegations – a sort of corporate suicide note…
- Graham Cluley: Goodbye Cambridge Analytica, hello Emerdata? – “HOPE YOU’RE NOT PLANNING TO COME BACK UNDER A DIFFERENT GUISE…”
Kaspersky Threat Post: TENS OF THOUSANDS OF MALICIOUS APPS USING FACEBOOK APIS – “At least 25,936 malicious apps are currently using one of Facebook’s APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address.”
- Post-Facebook fallout: Americans envy Europeans’ privacy – top EU data watchdog – “US can’t operate in ‘splendid isolation’ – Giovanni Buttarelli” From the article: “… in the US, where privacy laws are much less stringent, the Facebook scandal could be described as a wake-up call. Lawmakers are now seriously discussing regulation and during Mark Zuckerberg’s mammoth Congressional hearings, politicians grilled him on plans to apply EU rules globally.”
- What could Facebook possibly do next to reassure privacy fears? Yup – make a dating app
Talking of Zuckerberg, here’s his summary of the forthcoming ‘Clear History’ control.
Updates 1st May 2018
- Venafi: Social Media Data Collection Regulation: Survey – “…70 percent of respondents said governments should regulate the collection of personal data by social media companies to protect user privacy, but 72 percent believe government officials do not have a good understanding of the threats impacting digital privacy…”
- Commentary from Help Net Security: Should governments regulate social media data collection?
The Guardian: WhatsApp CEO Jan Koum quits over privacy disagreements with Facebook – “WhatsApp was built with a focus on privacy and a disdain for ads, but the Facebook-owned service is now under pressure to make money”
Selina Wang for Bloomberg: Twitter Sold Data Access to Cambridge Analytica–Linked Researcher. And commentary from Help Net.
ENISA: Strengthening network & information security & protecting against online disinformation (“fake news”) – “In this paper, ENISA presents some views on the problem of online disinformation in the EU from a Network and Information Security (NIS) perspective. A number of recommendations are presented which relate both to general NIS measures, as well as targeted measures to protect against online disinformation specifically.”
Updates 27th April 2018
- Filip Truta: Researchers show how Amazon Echo can be used for eavesdropping
- The Register: ‘Alexa, listen in on my every word and send it all to a shady developer’ – “Amazon fixes up app security hole affecting always-listening Echo assistants”
- Sophos: Getting an Amazon Echo app to silently eavesdrop on you
Also from Sophos: Know what Instagram knows – here’s how you download your data
The Register: Facebook: Crisis? What crisis? Look at our revenue, it’s fantastic “But analysts say ditch your stock as opex set to blow up”
And again from Sophos: Yahoo fined $35m for staying quiet about mega breach
Updates 25th April 2018
The Register: Happy having Amazon tiptoe into your house? Why not the car, then? In-trunk delivery – what could go wrong? – “New Bezos scheme opens up vehicles as drop-off points” What could go wrong?
Sophos: Ex-Reddit mogul apologizes for making the world ‘a worse place’ “New York Magazine recently interviewed McComas for a project called “The Internet Apologizes.”That project has involved interviews with more than a dozen prominent technology figures about “what has gone wrong with the contemporary internet.” “
Updates 23rd April 2018
Hacker News: Flaw in LinkedIn AutoFill Plugin Lets Third-Party Sites Steal Your Data. Summarizes Jack Cable’s article LinkedIn AutoFill Exposed Visitor Name, Email to Third-Party Websites.
Updates 21st April 2018
(1) Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law – “The previously unreported move, which Facebook confirmed to Reuters on Tuesday, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.” (HT to Artem Baranov)
(2) Steven Englehardt et al: No boundaries for Facebook data: third-party trackers abuse Facebook Login – “Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through “login with Facebook” and other such social login APIs. Specifically, we found two types of vulnerabilities:
- seven third parties abuse websites’ access to Facebook user data
- one third party uses its own Facebook “application” to track users around the web.”
Commentary from The Register: Facebook’s login-to-other-sites service lets scum slurp your stuff – “A security researcher has claimed it’s possible to extract user information from Facebook’s Login service, the tool that lets you sign into third-party sites with a Facebook ID.”
(3) Help Net: Researchers develop algorithm to detect fake users on social networks – “Ben-Gurion University of the Negev and University of Washington researchers have developed a new generic method to detect fake accounts on most types of social networks, including Facebook and Twitter.”
Commentary from The Register: Gang way! Compsci geeks coming through! AI engine can finger fakes on social networks – “Take note Twitter, Facebook et al, it’s really not that hard to weed out bots”
(4) Graham Cluley: Facebook pushes ahead with controversial facial recognition feature in Europe “Facebook uses facial recognition software to automatically match people in photos your friends upload with the other billions of images on Facebook’s servers in which you might appear.”
(5) Help Net: LocalBlox found leaking info on tens of millions of individuals – “The discovery was made by UpGuard researcher Chris Vickery, who stumbled upon the unsecured Amazon Web Services S3 bucket holding the data, bundled in a single, compressed file. When decompressed, it revealed 48 million records in a format that’s easy for anyone to peruse.”
Here’s the Upguard blog post.
And commentary from Graham Cluley for Hot for security: 48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download
(6) Sophos: Facebook: 3 reasons we’re tracking non-users – more light cast into the shadows by the House Energy and Commerce Committee’s questions to Mark Zuckerberg.
(9) Tech Crunch: A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
“Just click accept, ignore those settings”
(10) Brian Krebs: Is Facebook’s Anti-Abuse System Broken?
Updates 17th April 2018
Brian Krebs: Deleted Facebook Cybercrime Groups Had 300,000 Members – “Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups … who flagrantly promoted a host of illicit activities on the social media network’s platform … The average age of these groups on Facebook’s platform was two years.”
Updates 15th April 2018
The Register: Super Cali’s frickin’ whiz kids no longer oppose us: Even though Facebook thought info law was quite atrocious – “Zuck & Co end fight against California’s privacy legislation” Extra points to El Reg for that title, even if it doesn’t scan very well. 🙂
Sophos: Facebook shines a little light on ‘shadow profiles’ (or what Facebook knows about people who haven’t signed up to Facebook).
Also from Sophos: Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society. OPRS is a privacy advocacy and research group aiming to “to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online…”
Updates 12th April 2018
- Roger Thompson: The Privacy Revolution in Action
- Sophos: Congress chews up Zuckerberg, day two: A far more thorough mastication
- Daring Fireball: Regarding Mark Zuckerberg’s Unused Talking Points on Tim Cook and Apple
- The Register: Mark Duckerberg: Second Congressional grilling sees boss dodge questions like a pro – “Zuck shows curious amnesia about his own business”
Updates 11th April 2018
Updates 9th April 2018
- Sadly for Facebook, Sophos is watching. Lisa Vaas counts 5 Facebook facepalms (just last week) – “Your weekly roundup of Facebook news, also known as #SOMUCHPRIVACYSPLATTER!!!”
- CNBC: Facebook suspends another data analytics firm after CNBC discovers it was using tactics like Cambridge Analytica – “CubeYou misleadingly labeled its quizzes “for non-profit academic research,” then shared user information with marketers.”
Updates 8th April 2018
- [April 7th 2018] The Guardian: Christopher Wylie: Why I broke the Facebook data story – and what should happen now – “The whistleblower at the centre of the Cambridge Analytica storm asks if Britain will now address the hard issues which it has raised”
- [April 4th 2018] Daring Fireball quoting New York Times and Washington Post: FACEBOOK SHARPLY INCREASES ESTIMATE OF HOW MANY USERS’ INFORMATION WAS HARVESTED BY CAMBRIDGE ANALYTICA (the Post comment relates to the more recent profile scraping story, but it does tie in).
- [April 6th 2018] Graham Cluley:
Updates 5th-7th April 2018
- [6th April 2018] Zeljka Zorz for Help Net: Malicious actors used Facebook’s own tools to scrape most users’ public info
- Related links:
- [7th April 2018] Chicago Tribune: Facebook hackers could have collected personal data of 2 billion users
- [4th April 2018] Facebook newsroom blog: An Update on Our Plans to Restrict Data Access on Facebook and We’re Making Our Terms and Data Policy Clearer, Without New Rights to Use Your Data on Facebook
- [5th April 2018] Sophos: “Most people on Facebook” have had data scraped by malicious actors
- [6th April 2018] Sophos: Facebook’s new fake news strategy is… decide for yourself! “…the context is going to include the publisher’s Wikipedia entry, related articles … how many times the article has been shared on Facebook…”
Updates 3rd/4th April 2018
- Graham Cluley: Why you might want to tell Facebook you now live in Europe – “(OR JUST DELETE YOUR ACCOUNT) … Facebook CEO and professional hoody-wearer Mark Zuckerberg has told Reuters that it won’t stick to Europe’s new strict data privacy rules globally.” However, an update quotes Zuckerberg as saying subsequently “We intend to make all the same controls and settings available everywhere, not just in Europe. Is it going to be exactly the same format? Probably not.” Make of that what you will…
- The Security Ledger: AggregateIQ Data reveals tools behind pro-Brexit Leave campaigns. Cites Upguard data that “suggested a link between AggregateIQ and the strategy and activity of Cambridge Analytica and its parent company, Strategic Communication Laboratories (SCL).” And also mentions “allegations that the group helped disparate Brexit campaigns coordinate their activities in contravention of UK campaign laws.”
- Sophos: Those Facebook videos you thought were deleted were not deleted – “In this most recent case, the content in question is users’ supposedly deleted videos. Facebook’s blaming a bug for the fact that those videos hung around…Also last week, many were shocked to discover, when they peeked into their archives, that Facebook had been logging call and text data since they downloaded the Facebook app for Android.”
- Sophos: Facebook and Twitter may be forced to identify bots. California has “ntroduced a bill that would give online platforms such as Facebook and Twitter three days to investigate whether a given account is a bot, to disclose that it’s a bot if it is in fact auto-generated, or to remove the bot outright.”
Update 2nd/3rd April 2018
- [3rd April 2018] John Leyden for The Register: One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools – Chad Loder is quoted as saying “The internet ought to “route around” known privacy abusers, shifting from passive blocking of cookies, host names, and scripts to a more active deception model. ” Lots of other useful commentary.
- [2nd April 2018] Facecrooks: Facebook Is Making Its Privacy Settings Easier To Find
Updates 1st April 2018
- Bruce Schneier for CNN: It’s not just Facebook. Thousands of companies are spying on you
- The Register: Facebook reviews defenses as exec pulls foot from mouth – “We didn’t really mean growth matters more than human life”
- Apple: This is how we protect your privacy – “Your personal data should always be protected on your device and never shared without your permission. So we build encryption, on-device intelligence, and other tools into our products to let you share what you want on your terms.”
- Summary from Help Net: Apple puts privacy information screens in users’ line of sight
Updates 31st March 2018
(HT to Mich Kabay for pointing out the Economist articles – NB there’s a limit on how many you can view without subscribing.)
- The Register: Any social media accounts to declare? US wants travelers to tell
“The State Department seeks to expand its social media vetting beyond flagged visa applicants”
- The Economist: To understand digital advertising, study its algorithms – “A Skinner box for software”
- The Economist: The Facebook scandal could change politics as well as the internet – “Even used legitimately, it is a powerful, intrusive political tool”
- The Economist: [What Zuckerberg should do] Facebook faces a reputational meltdown – “This is how it, and the wider industry, should respond”
- Facebook: It’s Time to Make Our Privacy Tools Easier to Find – “We’ll also update our data policy to better spell out what data we collect and how we use it. These updates are about transparency – not about gaining new rights to collect, use, or share data.” Let’s hope so.
- Lisa Vaas for Sophos: Facebook revamps security, privacy settings following huge data scandal – “Facebook says it’s going to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot for users to more easily find and edit whatever data it’s got on them.” And about time too…
Updates 29th March 2018
- Dylan Curran for The Guardian: Are you ready? This is all the data Facebook and Google have on you (Well, it’s all the data they have on him: your mileage may vary, as mine does.)
- Richi Jennings for TechBeacon: Facebook fallout followup: Can you trust BYOD? (As ever, Richi does a good job of curating various ‘bloggy bits’ on the topic: sobering reading…)
- Help Net: Consumers worry that small privacy invasions may lead to a loss of civil rights – commentary on the report What the Internet of Things means for consumer privacy from The Economist Intelligence Unit.
Updates 28th March 2018
- Swati Khandelwal for The Hacker News: Facebook Collected Your Android Call History and SMS Data For Years. Re tweets by Dylan McKay. I love the fact that if you download the data Facebook has from you, it says: “Because this download may contain private information, you should keep it secure and take precautions when storing it, sending it or uploading it to another service.”
- Thomas Claburn for The Register: Political ad campaign biz AggregateIQ exposes tools, DB logins online – “Denies ties to Cambridge Analytica and insists it didn’t knowingly break the law”. The company is said to have played a part in the 2016 US election and also the Brexit campaign.
- Rory Cellan-Jones for the BBC: If I’ve got your number, so has Facebook (includes summary of how to get your data from Facebook).
- CNBC: Palantir worked with Cambridge Analytica on the Facebook data it acquired, whistleblower alleges
- Gizmodo: AggregateIQ Created Cambridge Analytica’s Election Software, and Here’s the Proof
- Mashable: Mozilla releases new Firefox extension to stop Facebook from tracking you
- Cylance: Android Trojans Steal Sensitive Facebook Data
- ZDNet: Data breach exposes Cambridge Analytica’s data mining tools – “The exposed data shows Cambridge Analytica used software developed by Canadian firm AggregateIQ to benefit US campaigns.”
- Sophos: Cambridge Analytica’s secret coding sauce allegedly leaked
- The Register: Fed up with Facebook data slurping? Firefox has a cunning plan – “The Facebook Container add-on quarantines the social network to limit data harvesting”
Updates 26th March 2018
- Paul Wagenseil for Tom’s Guide: Facebook Is Working Like It’s Supposed To (And That’s the Real Scandal)
- Help Net: How Facebook’s data issue is a lesson for everyone
- Rebecca Hill for The Register: You’ll like this: Facebook probed by US watchdog amid privacy storm – “‘Non-public’ FTC investigation a new headache for Zuckerberg”
- Sue Poremba for Security Boulevard: The Facebook Privacy Breach: What It Can Teach Us About Privacy Threats Before GDPR
Updates 23rd March 2018
- For The Register, Rebecca Hill gets a bit snarky, which amused me no end: Cambridge Analytica seeks data protection assistant – “Jobseeker? You may have heard of it…”
- org: Researchers find leaky apps that put privacy at risk (not just a Facebook issue). Refers “to a paper presented by Northeastern associate professor Alan Mislove at the the Federal Trade Commission conference PrivacyCon last month,” but, annoyingly, doesn’t include a link.
- John Gruber for Daring Fireball: Sheryl Sandberg and Mark Zuckerberg respond to cambridge analytics scandal. As usual, Gruber’s commentary is terse but very much to the point.
- Sophos: New whistleblower says Facebook turned a blind eye to covert data harvesting
- The Register: UK privacy watchdog finally gets Cambridge Analytica search warrant
Updates 22nd March 2018
- For Tech Beacon, Richi Jennings does a good job (as usual) of finding ‘bloggy bits’ relating to the Facebook/Cambridge Analytica mess: No ‘likes’ for Facebook’s API leak, but it’s not a data breach—and not news. And no, the fact that Facebook collects and shares too much information isn’t exactly news. Nor, come to that, the fact that Facebook has itself engaged in some experimental social engineering though I’m guessing that fewer people are or ever were aware of those particular experiments. I think I’ll probably come back to that…
- A comment to Richi’s announcement of that Tech Beacon article – ironically, on Facebook – brought my attention to this article by Kalev Leetaru for Forbes:
The Problem Isn’t Cambridge Analytica: It’s Facebook. The article makes some excellent points. For instance:
- “In 2014 academic researchers at Cornell and Facebook published research in which they had manipulated the emotions of three quarters of a million users … the research had been fully approved by Facebook and Cornell, with ethical review by Cornell’s IRB.” Yes, that’s one of the experiments I was thinking of.
- “A central theme of the rhetoric and coverage of Cambridge Analytica is that it somehow violated accepted societal norms over the use of Facebook data … referring to it in the cybersecurity parlance of a data “breach.” In fact, this could not be further from the truth in our modern “surveillance economy.”
- Taylor Lorenz for The Daily Beast: Mark Zuckerberg Swears He’ll Protect Your Data—Next Time – “The Facebook chief promised users that he would do more to ensure that their online lives weren’t put up for sale. One small problem: that’s kind of Facebook’s business model.”
- Matthew Yglesias, for Vox (that’s the news site, not the music equipment manufacturer), comments on The case against Facebook – “It’s not just about privacy; its core function makes people lonely and sad.” Well, you could argue with that tagline. FB does have a useful function in terms, for instance, of connecting with friends far away. If you keep the Big Picture in mind, you sometimes forget that there are valid reasons why people are prepared to compromise their data by using Facebook (if they think about it at all). Still, there are plenty of very valid points in the article:
- “…according to Craig Silverman’s path-breaking analysis for BuzzFeed, the 20 highest-performing fake news stories of the closing days of the 2016 campaign did better on Facebook than the 20 highest-performing real ones.”
- “By turning news consumption and news discovery into a performative social process, Facebook turns itself into a confirmation bias machine — a machine that can best be fed through deliberate engineering….Meanwhile, Facebook is destroying the business model for outlets that make real news.”
- Kurt Wismer makes a good point about the get-me-out-of-here trend in The problem with #DeleteFacebook. “…a movement to abandon Facebook is going to open up a lot of opportunities for fraud all at once.” He suggests disabling rather than deleting an account. (Actually, I have a similar strategy regarding LinkedIn: I’m not job-hunting any more, but I don’t want to make misuse of my name too easy.)
- While Brian X. Chen points out for the New York Times: Want to #DeleteFacebook? You Can Try. A few pertinent points here, too:
- “Keep in mind that Facebook isn’t the only company capable of collecting your information. One big culprit: Web trackers, like cookies embedded into websites and their ads. They are everywhere, and they follow your activities from site to site.”
- “…you may be better off tweaking your privacy settings on the site.”
- Help Net Security: Facebook’s trust crisis: Has it harmed democracy? – “Facebook is losing the faith of the Americans people, according to the Digital Citizens Alliance. ”
- Sophos: Mozilla stops Facebook advertising, demands privacy changes
- Mozilla: Mozilla Presses Pause on Facebook Advertising
Updates 21st March 2018
- BBC: Facebook’s Zuckerberg admits mistakes over Cambridge Analytica
- Bleeping Computer:
- Help Net Security: Cambridge Analytica and Facebook’s privacy storm: Latest developments