Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)
However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over Cambridge Analytica, its self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help noticing that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest, starting with a minor deluge of advice from various quarters:
- Ioana Rijnetu for Heimdal Security from a few months back: Facebook Privacy & Security Guide: Everything You Need to Know (I haven’t looked at this closely, but I’ve frequently contributed comment to Heimdal for their “expert roundup” features like this one on software monoculture, and have a lot of respect for their willingness to put the quality of advice and information above competitive advantage.)
- The Motherboard: The Motherboard Guide to Using Facebook Safely
- Sophos: Facebook fallout: How to protect your data
- Basic fairly recent advice from SANS: Top Tips to Securely Using Social Media
- Facecrooks: How to Protect Your Facebook Account from Rogue Applications
- Lots and lots of links in Bruce Schneier’s Cryptogram for April 15th 2018.
- Sophos: How to protect your Facebook data [UPDATED]
Updates 23rd April 2018
Hacker News: Flaw in LinkedIn AutoFill Plugin Lets Third-Party Sites Steal Your Data. Summarizes Jack Cable’s article LinkedIn AutoFill Exposed Visitor Name, Email to Third-Party Websites.
Updates 21st April 2018
(1) Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law – “The previously unreported move, which Facebook confirmed to Reuters on Tuesday, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.” (HT to Artem Baranov)
(2) Steven Englehardt et al: No boundaries for Facebook data: third-party trackers abuse Facebook Login – “Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through “login with Facebook” and other such social login APIs. Specifically, we found two types of vulnerabilities:
- seven third parties abuse websites’ access to Facebook user data
- one third party uses its own Facebook “application” to track users around the web.”
Commentary from The Register: Facebook’s login-to-other-sites service lets scum slurp your stuff – “A security researcher has claimed it’s possible to extract user information from Facebook’s Login service, the tool that lets you sign into third-party sites with a Facebook ID.”
(3) Help Net: Researchers develop algorithm to detect fake users on social networks – “Ben-Gurion University of the Negev and University of Washington researchers have developed a new generic method to detect fake accounts on most types of social networks, including Facebook and Twitter.”
Commentary from The Register: Gang way! Compsci geeks coming through! AI engine can finger fakes on social networks – “Take note Twitter, Facebook et al, it’s really not that hard to weed out bots”
(4) Graham Cluley: Facebook pushes ahead with controversial facial recognition feature in Europe – “Facebook uses facial recognition software to automatically match people in photos your friends upload with the other billions of images on Facebook’s servers in which you might appear.”
(5) Help Net: LocalBlox found leaking info on tens of millions of individuals – “The discovery was made by UpGuard researcher Chris Vickery, who stumbled upon the unsecured Amazon Web Services S3 bucket holding the data, bundled in a single, compressed file. When decompressed, it revealed 48 million records in a format that’s easy for anyone to peruse.”
Here’s the UpGuard blog post.
And commentary from Graham Cluley for Hot for security: 48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download
(6) Sophos: Facebook: 3 reasons we’re tracking non-users – more light cast into the shadows by the House Energy and Commerce Committee’s questions to Mark Zuckerberg.
(9) Tech Crunch: A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
“Just click accept, ignore those settings”
(10) Brian Krebs: Is Facebook’s Anti-Abuse System Broken?
Updates 17th April 2018
Brian Krebs: Deleted Facebook Cybercrime Groups Had 300,000 Members – “Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups … who flagrantly promoted a host of illicit activities on the social media network’s platform … The average age of these groups on Facebook’s platform was two years.”
Updates 15th April 2018
The Register: Super Cali’s frickin’ whiz kids no longer oppose us: Even though Facebook thought info law was quite atrocious – “Zuck & Co end fight against California’s privacy legislation” Extra points to El Reg for that title, even if it doesn’t scan very well. 🙂
Sophos: Facebook shines a little light on ‘shadow profiles’ (or what Facebook knows about people who haven’t signed up to Facebook).
Also from Sophos: Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society. OPRS is a privacy advocacy and research group aiming “to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online…”
Updates 12th April 2018
- Roger Thompson: The Privacy Revolution in Action
- Sophos: Congress chews up Zuckerberg, day two: A far more thorough mastication
- Daring Fireball: Regarding Mark Zuckerberg’s Unused Talking Points on Tim Cook and Apple
- The Register: Mark Duckerberg: Second Congressional grilling sees boss dodge questions like a pro – “Zuck shows curious amnesia about his own business”
Updates 11th April 2018
Updates 9th April 2018
- Sadly for Facebook, Sophos is watching. Lisa Vaas counts 5 Facebook facepalms (just last week) – “Your weekly roundup of Facebook news, also known as #SOMUCHPRIVACYSPLATTER!!!”
- CNBC: Facebook suspends another data analytics firm after CNBC discovers it was using tactics like Cambridge Analytica – “CubeYou misleadingly labeled its quizzes “for non-profit academic research,” then shared user information with marketers.”
Updates 8th April 2018
- [April 7th 2018] The Guardian: Christopher Wylie: Why I broke the Facebook data story – and what should happen now – “The whistleblower at the centre of the Cambridge Analytica storm asks if Britain will now address the hard issues which it has raised”
- [April 4th 2018] Daring Fireball quoting New York Times and Washington Post: FACEBOOK SHARPLY INCREASES ESTIMATE OF HOW MANY USERS’ INFORMATION WAS HARVESTED BY CAMBRIDGE ANALYTICA (the Post comment relates to the more recent profile scraping story, but it does tie in).
- [April 6th 2018] Graham Cluley:
Updates 5th-7th April 2018
- [6th April 2018] Zeljka Zorz for Help Net: Malicious actors used Facebook’s own tools to scrape most users’ public info
- Related links:
  - [7th April 2018] Chicago Tribune: Facebook hackers could have collected personal data of 2 billion users
  - [4th April 2018] Facebook newsroom blog: An Update on Our Plans to Restrict Data Access on Facebook and We’re Making Our Terms and Data Policy Clearer, Without New Rights to Use Your Data on Facebook
  - [5th April 2018] Sophos: “Most people on Facebook” have had data scraped by malicious actors
  - [6th April 2018] Sophos: Facebook’s new fake news strategy is… decide for yourself! “…the context is going to include the publisher’s Wikipedia entry, related articles … how many times the article has been shared on Facebook…”
Updates 3rd/4th April 2018
- Graham Cluley: Why you might want to tell Facebook you now live in Europe – “(OR JUST DELETE YOUR ACCOUNT) … Facebook CEO and professional hoody-wearer Mark Zuckerberg has told Reuters that it won’t stick to Europe’s new strict data privacy rules globally.” However, an update quotes Zuckerberg as saying subsequently “We intend to make all the same controls and settings available everywhere, not just in Europe. Is it going to be exactly the same format? Probably not.” Make of that what you will…
- The Security Ledger: AggregateIQ Data reveals tools behind pro-Brexit Leave campaigns. Cites UpGuard data that “suggested a link between AggregateIQ and the strategy and activity of Cambridge Analytica and its parent company, Strategic Communication Laboratories (SCL).” It also mentions “allegations that the group helped disparate Brexit campaigns coordinate their activities in contravention of UK campaign laws.”
- Sophos: Those Facebook videos you thought were deleted were not deleted – “In this most recent case, the content in question is users’ supposedly deleted videos. Facebook’s blaming a bug for the fact that those videos hung around… Also last week, many were shocked to discover, when they peeked into their archives, that Facebook had been logging call and text data since they downloaded the Facebook app for Android.”
- Sophos: Facebook and Twitter may be forced to identify bots. California has “introduced a bill that would give online platforms such as Facebook and Twitter three days to investigate whether a given account is a bot, to disclose that it’s a bot if it is in fact auto-generated, or to remove the bot outright.”
Update 2nd/3rd April 2018
- [3rd April 2018] John Leyden for The Register: One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools – Chad Loder is quoted as saying “The internet ought to “route around” known privacy abusers, shifting from passive blocking of cookies, host names, and scripts to a more active deception model.” Lots of other useful commentary.
- [2nd April 2018] Facecrooks: Facebook Is Making Its Privacy Settings Easier To Find
Updates 1st April 2018
- Bruce Schneier for CNN: It’s not just Facebook. Thousands of companies are spying on you
- The Register: Facebook reviews defenses as exec pulls foot from mouth – “We didn’t really mean growth matters more than human life”
- Apple: This is how we protect your privacy – “Your personal data should always be protected on your device and never shared without your permission. So we build encryption, on-device intelligence, and other tools into our products to let you share what you want on your terms.”
- Summary from Help Net: Apple puts privacy information screens in users’ line of sight
Updates 31st March 2018
(HT to Mich Kabay for pointing out the Economist articles – NB there’s a limit on how many you can view without subscribing.)
- The Register: Any social media accounts to declare? US wants travelers to tell – “The State Department seeks to expand its social media vetting beyond flagged visa applicants”
- The Economist: To understand digital advertising, study its algorithms – “A Skinner box for software”
- The Economist: The Facebook scandal could change politics as well as the internet – “Even used legitimately, it is a powerful, intrusive political tool”
- The Economist: [What Zuckerberg should do] Facebook faces a reputational meltdown – “This is how it, and the wider industry, should respond”
- Facebook: It’s Time to Make Our Privacy Tools Easier to Find – “We’ll also update our data policy to better spell out what data we collect and how we use it. These updates are about transparency – not about gaining new rights to collect, use, or share data.” Let’s hope so.
- Lisa Vaas for Sophos: Facebook revamps security, privacy settings following huge data scandal – “Facebook says it’s going to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot for users to more easily find and edit whatever data it’s got on them.” And about time too…
Updates 29th March 2018
- Dylan Curran for The Guardian: Are you ready? This is all the data Facebook and Google have on you (Well, it’s all the data they have on him: your mileage may vary, as mine does.)
- Richi Jennings for TechBeacon: Facebook fallout followup: Can you trust BYOD? (As ever, Richi does a good job of curating various ‘bloggy bits’ on the topic: sobering reading…)
- Help Net: Consumers worry that small privacy invasions may lead to a loss of civil rights – commentary on the report What the Internet of Things means for consumer privacy from The Economist Intelligence Unit.
Updates 28th March 2018
- Swati Khandelwal for The Hacker News: Facebook Collected Your Android Call History and SMS Data For Years. Refers to tweets by Dylan McKay. I love the fact that if you download the data Facebook has on you, it says: “Because this download may contain private information, you should keep it secure and take precautions when storing it, sending it or uploading it to another service.”
- Thomas Claburn for The Register: Political ad campaign biz AggregateIQ exposes tools, DB logins online – “Denies ties to Cambridge Analytica and insists it didn’t knowingly break the law”. The company is said to have played a part in the 2016 US election and also the Brexit campaign.
- Rory Cellan-Jones for the BBC: If I’ve got your number, so has Facebook (includes summary of how to get your data from Facebook).
- CNBC: Palantir worked with Cambridge Analytica on the Facebook data it acquired, whistleblower alleges
- Gizmodo: AggregateIQ Created Cambridge Analytica’s Election Software, and Here’s the Proof
- Mashable: Mozilla releases new Firefox extension to stop Facebook from tracking you
- Cylance: Android Trojans Steal Sensitive Facebook Data
- ZDNet: Data breach exposes Cambridge Analytica’s data mining tools – “The exposed data shows Cambridge Analytica used software developed by Canadian firm AggregateIQ to benefit US campaigns.”
- Sophos: Cambridge Analytica’s secret coding sauce allegedly leaked
- The Register: Fed up with Facebook data slurping? Firefox has a cunning plan – “The Facebook Container add-on quarantines the social network to limit data harvesting”
Updates 26th March 2018
- Paul Wagenseil for Tom’s Guide: Facebook Is Working Like It’s Supposed To (And That’s the Real Scandal)
- Help Net: How Facebook’s data issue is a lesson for everyone
- Rebecca Hill for The Register: You’ll like this: Facebook probed by US watchdog amid privacy storm – “‘Non-public’ FTC investigation a new headache for Zuckerberg”
- Sue Poremba for Security Boulevard: The Facebook Privacy Breach: What It Can Teach Us About Privacy Threats Before GDPR
Updates 23rd March 2018
- For The Register, Rebecca Hill gets a bit snarky, which amused me no end: Cambridge Analytica seeks data protection assistant – “Jobseeker? You may have heard of it…”
- org: Researchers find leaky apps that put privacy at risk (not just a Facebook issue). Refers “to a paper presented by Northeastern associate professor Alan Mislove at the Federal Trade Commission conference PrivacyCon last month,” but, annoyingly, doesn’t include a link.
- John Gruber for Daring Fireball: Sheryl Sandberg and Mark Zuckerberg respond to Cambridge Analytica scandal. As usual, Gruber’s commentary is terse but very much to the point.
- Sophos: New whistleblower says Facebook turned a blind eye to covert data harvesting
- The Register: UK privacy watchdog finally gets Cambridge Analytica search warrant
Updates 22nd March 2018
- For Tech Beacon, Richi Jennings does a good job (as usual) of finding ‘bloggy bits’ relating to the Facebook/Cambridge Analytica mess: No ‘likes’ for Facebook’s API leak, but it’s not a data breach—and not news. And no, the fact that Facebook collects and shares too much information isn’t exactly news. Nor, come to that, is the fact that Facebook has itself engaged in some experimental social engineering, though I’m guessing that fewer people are or ever were aware of those particular experiments. I think I’ll probably come back to that…
- A comment to Richi’s announcement of that Tech Beacon article – ironically, on Facebook – brought my attention to this article by Kalev Leetaru for Forbes: The Problem Isn’t Cambridge Analytica: It’s Facebook. The article makes some excellent points. For instance:
  - “In 2014 academic researchers at Cornell and Facebook published research in which they had manipulated the emotions of three quarters of a million users … the research had been fully approved by Facebook and Cornell, with ethical review by Cornell’s IRB.” Yes, that’s one of the experiments I was thinking of.
  - “A central theme of the rhetoric and coverage of Cambridge Analytica is that it somehow violated accepted societal norms over the use of Facebook data … referring to it in the cybersecurity parlance of a data “breach.” In fact, this could not be further from the truth in our modern “surveillance economy.”
- Taylor Lorenz for The Daily Beast: Mark Zuckerberg Swears He’ll Protect Your Data—Next Time – “The Facebook chief promised users that he would do more to ensure that their online lives weren’t put up for sale. One small problem: that’s kind of Facebook’s business model.”
- Matthew Yglesias, for Vox (that’s the news site, not the music equipment manufacturer), comments on The case against Facebook – “It’s not just about privacy; its core function makes people lonely and sad.” Well, you could argue with that tagline. FB does have a useful function in terms, for instance, of connecting with friends far away. If you keep the Big Picture in mind, you sometimes forget that there are valid reasons why people are prepared to compromise their data by using Facebook (if they think about it at all). Still, there are plenty of very valid points in the article:
  - “…according to Craig Silverman’s path-breaking analysis for BuzzFeed, the 20 highest-performing fake news stories of the closing days of the 2016 campaign did better on Facebook than the 20 highest-performing real ones.”
  - “By turning news consumption and news discovery into a performative social process, Facebook turns itself into a confirmation bias machine — a machine that can best be fed through deliberate engineering….Meanwhile, Facebook is destroying the business model for outlets that make real news.”
- Kurt Wismer makes a good point about the get-me-out-of-here trend in The problem with #DeleteFacebook. “…a movement to abandon Facebook is going to open up a lot of opportunities for fraud all at once.” He suggests disabling rather than deleting an account. (Actually, I have a similar strategy regarding LinkedIn: I’m not job-hunting any more, but I don’t want to make misuse of my name too easy.)
- Meanwhile, Brian X. Chen points out for the New York Times: Want to #DeleteFacebook? You Can Try. A few pertinent points here, too:
  - “Keep in mind that Facebook isn’t the only company capable of collecting your information. One big culprit: Web trackers, like cookies embedded into websites and their ads. They are everywhere, and they follow your activities from site to site.”
  - “…you may be better off tweaking your privacy settings on the site.”
- Help Net Security: Facebook’s trust crisis: Has it harmed democracy? – “Facebook is losing the faith of the American people, according to the Digital Citizens Alliance.”
- Sophos: Mozilla stops Facebook advertising, demands privacy changes
- Mozilla: Mozilla Presses Pause on Facebook Advertising
Updates 21st March 2018
- BBC: Facebook’s Zuckerberg admits mistakes over Cambridge Analytica
- Bleeping Computer:
- Help Net Security: Cambridge Analytica and Facebook’s privacy storm: Latest developments