Category Archives: Anti-social media

Anti-Social Media: bumper bundle

[I’ve been catching up after a week out of office, so there’s quite a lot to be depressed about this time.]

Zeljka Zorz for Help Net: Turning off Location History doesn’t prevent Google from knowing your location  – “If you believe that by turning off Location History on your Android device or iPhone means that Google won’t be able to know your location, think again: Princeton University researchers have confirmed Google services store users’ location regardless of those settings.”

Help Net is quoting research performed on behalf of Associated Press…”  AP says “Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored…That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.”


Kashmir Hill and Surya Mattu for Gizmodo: Facebook Wanted Us to Kill This Investigative Tool  – “Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations….In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. …. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.”

Facebook, it seems, wasn’t happy about the release of the tool, for more than one reason. I can actually understand that the terms of service that it might violate are at least in part imposed for reasons of security (or should be). Yet Gizmodo points out that “Journalists need to probe technological platforms in order to understand how unseen and little understood algorithms influence the experiences of hundreds of millions of people”: Facebook’s apparent distrust of this assertion may tell us something about its PR worries, and even about the intrusive nature of the algorithms it prefers to keep secret.


Graham Cluley: Twitter CEO says they’re taking no action against InfoWars and Alex Jones
IT’S THE SAME CONTENT THAT FACEBOOK, YOUTUBE, SPOTIFY, AND APPLE BANNED.
If you’re unaware of the fuss about Jones, you might like to check out this article in the New York Times: Alex Jones, Pursued Over Infowars Falsehoods, Faces a Legal Crossroads


Teiss: Facebook denies it asked banks to share customers’ financial information –  Summarizes a story from the Wall Street Journal which I haven’t read because I’m not a subscriber.


Pierluigi Paganini: Social Mapper – Correlate social media profiles with facial recognition
“Security experts at Trustwave have released Social Mapper, a new open-source tool that allows finding a person of interest across social media platform using facial recognition technology…Experts from Trustwave warn of potential abuses of Social Mapper that are limited “only by your imagination.””

Which is unfortunate in that it’s easily found for free…

David Harley

Advertisements

AVIEN resource updates 3rd August 2018

Updates to Anti-Social Media 

A fascinating article for Quartz by Nikhil SonnadEverything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)

The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

US-CERT advised that the FBI published an article on securing the internet of things. US-CERT also flagged the NCCIC Tip Securing the Internet of Things.

David Harley

AVIEN Resource updates 2nd August

Updates to Anti-Social Media 

(1)

New York Times: Facebook Has Identified Ongoing Political Influence Campaign – “Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.”

Commentary from The Register: Facebook deletes 17 accounts, dusts off hands, beams: We’ve saved the 2018 elections – “Yeah, that’ll do the trick, Mark”

Facebook’s own blog post: Removing Bad Actors on Facebook

(2)

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

(3)

The Register: UK ‘fake news’ inquiry calls for end to tech middleman excuses, election law overhaul  “British lawmakers have been told to create tougher rules for social media giants claiming to be neutral platforms, establish a code of ethics for tech firms, and plump up the UK’s self-styled “data sheriff”.”

(4)

Roger Thompson (Thompson Cyber Security Labs): Ok, this was scary – a disquieting example of how much more information is ‘publicly available’ than you probably think. Even scarier is the question of how much publicly available information is actually accurate.

Updates to Cryptocurrency/Crypto-mining News and Resources

Graham Cluley: Steam game Abstractism pulled after cryptomining accusations

The Register: ‘Unhackable’ Bitfi crypto-currency wallet maker will be shocked to find fingernails exist – “A crypto-currency wallet heavily promoted as “unhackable” – complete with endorsements from the security industry’s loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.”

Bleeping Computer: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers – “Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic.” Lengthy analysis by Trustwave: Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World?

Updates to GDPR page

The Register: India mulls ban on probes into anonymized data use – with GDPR-style privacy laws – “Thought having your call center in India was a good idea? Maybe not so much now”

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Pierluigi Paganini: Tens of flaws in Samsung SmartThings Hub expose smart home to attack
““Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.”

The SANS OUCH! newsletter for August offers basic but generally sensible advice on Smart Home Devices. “There is no reason to be afraid of new technologies but do understand the risk they pose. By taking these few simple steps you can help create a far more secure Smart Home.”

Updates to Mac Virus

Android and OneDrive, and iOS-targeting phish

David Harley

Anti-social media updates: 27th July 2018

Reuters: Facebook’s grim forecast: privacy push will erode profits for years “The plummeting stock price wiped out as much as $150 billion in market capitalization and erased the stock’s gains since April when Facebook announced a surprisingly strong 63 percent rise in profit and an increase in users.” John Gruber offers terse but to-the-point commentary.

Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers  – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

Also from Lisa Vaas: Crimson Hexagon banned by Facebook over user data concern – “The Wall Street Journal last week reported that Facebook is investigating whether the firm’s contracts with the US government and a Russian nonprofit tied to the Kremlin violated its policies.”

Yet another article from the prolific Ms Vaas: Names and photos of Venmo ‘drug buyers’ published on Twitter – she offers another example of data scraped from publicly available data and used inappropriately and misleadingly. A recent article by John E. Dunn describes a rather more responsible use of Venmo’s open privacy settings: Venmo users: time to hide your drug deals and excessive pizza consumption.

And another. Maybe you should just shoot over to the Naked Security site while I get on with some other work… WhatsApp limits message forwarding in response to lynchings – an indication that fake news is no joke, and can be a matter of life or (more to the point) death. In recent months, “India …  has seen dozens of mob lynchings sparked by rumors that have spread virally on social media.”

David Harley

Anti-Social Media Updates

Nick Statt for The Verge: Undercover Facebook moderator was instructed not to remove fringe groups or hate speech – “A new documentary details how third-party Facebook moderators ignore the company’s rules … The accusation is a damning one, undermining Facebook’s claims that it is actively trying to cut down on fake news, propaganda, hate speech, and other harmful content that may have significant real-world impact.” The investigation focuses on CPL Resources, which provides a third-party content moderation service.

In an interview with Kara Swisher, Zuckerberg tries to explain why Facebook hasn’t simply taken down InfoWars presence on the platform, but simply moved them ‘down the line’ by reducing distribution. Hmm.  Good interview, though, and lots of glimpses into the man’s head.

The Register: ‘Elders of the Internet’ apologise for social media, recommend Trump filters to fix it – “‘USENET was a pretty clear warning’ of things to come, says new draft IETF standard” I don’t think this IETF draft is entirely serious, but perhaps it should be. IT security remains fixated on technical security and has tended to fight shy of the psychosocial aspects of Internet interaction. Certainly the anti-malware industry in general could have paid more attention to the psychology of the victim than it has. And yes, USENET was a pretty good indication of how awful social media might (and did) turn out to be. And yes, abstention from social media and whisky do both have some appeal… A joke with teeth.

David Harley

AVIEN resource updates: July 15th 2018

Updates to Anti-Social Media 

(1) ESET: Facebook fined over data privacy scandal

You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually indicate why the penalty was so much less than you might have expected (in theory, up to 4% of the company’s total income).

(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”

(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.

Updates to Meltdown/Spectre and other chip-related resources

John Leyden for The Register: Google’s ghost busters: We can scare off Spectre haunting Chrome tabs – “Site Isolation keeps pages fully separate on Windows, Mac, Linux, Chrome OS … Rather than solely defending against cross-site scripting attacks, the technology is now positioned as a necessary defence against infamous data-leaking Spectre CPU vulnerabilities, as a blog post by Google explained this week…”

Updates to Chain Mail Check

Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach from at least ten years ago.

The giveaway is that very few people are likely to be using the same password now – and it’s unlikely that there are that many people receiving the email who might think that such a video could have been made. Still, it seems that some people have actually paid up, and it’s possible that a more convincing attack might be made sending a more recent password to a given email address, and perhaps using a different type of leverage.

Commentary from Sophos here.

David Harley

Machine learning: science, engineering, or magic fairy dust?

Here’s an interesting article by Tristan Greene  for The Next Web: Academic expert says Google and Facebook’s AI researchers aren’t doing science. The expert in question is Simon DeDeo, and he’s a astrophysicist rather than a practitioner in AI. But he’s speaking as a scientist and an academic when he points out – rightly, in my opinion – that “Machine learning is an amazing accomplishment of engineering. But it’s not science. Not even close. It’s just 1990, scaled up. It has given us *literally* no more insight than we had twenty years ago.”

He also remarks that “They said they did social science, but it was nothing of the sort. It was homo economicus spread out over 50 GPUs.” Which reminds me very much of Facebook’s dabbling in psychological manipulation and emotional contagion. Well, I’ve been fairly scathing from time to time about Facebook’s reliance on algorithms that presumably work well enough for its paying customers but may be irritating or even painful to its product those of us who trade its intrusiveness and willingness to share our data for its social advantages. And I’m not even going to mention Cambridge Analytica.

I will quote one more of DeDeo’s tweets, though: “The real subjectivity is in ML, which spends all its time developing new techniques to optimize a subjectively-chosen goal function on a subjectively-chosen test set.” I could draw a parallel there with the way in which some so-called next-gen security companies still cite their use of machine-learning as if it was their very own magic fairy dust that detects all malware (yeah, right…) while propagating a series of myths about how mainstream products work. (Relying on signatures? Which century are you living in, Help Net? You know better than that, and so does Cylance…)

In fact, as I may have mentioned before, machine learning is used by mainstream companies to sift through the ludicrously high volumes of potentially malicious samples we see on a daily basis to prioritize other analytical techniques. But we – and the black hats behind malware – are all too aware of the risks of relying purely on machine-learning to distinguish between Good and Evil samples. But I don’t think I’ll go further into that yet again at this point.

David Harley

Anti-social media: at least Twitter is doing some things right…

The Register: Brit privacy watchdog reports on political data harvests: We’ve read the lot so you don’t have to – “‘Cambridge Analytica had data ferreted away on disconnected servers, Twitter actually kicked the firm’s ads off its platform, and Facebook still has a lot of questions to answer.”

Washington Post: Twitter is sweeping out fake accounts like never before, putting user growth at risk – “Twitter suspended more than 70 million accounts in May and June, and the pace has continued in July”

Sophos: Apple and Google questioned by Congress over user tracking – “Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.

Sophos: Facebook stares down barrel of $660,000 fine over data slurping. David Bisson notes: Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal, And Graham Cluley comments: Facebook fined a paltry £500,000 (8 minutes’ revenue) over Cambridge Analytica scandal. Quite…

Pierluigi Paganini: Timehop data breach, data from 21 million users exposed. “The company admitted that hackers obtained access credential to its cloud computing environment, that incredibly was not protected by multifactor authentication.”

David Harley

Resource updates 5th July 2018

Updates to Anti-Social Media 

Graham Cluley: Carole Cadwalladr takes us behind the scenes of the Cambridge Analytica investigation – HOW MILLIONS OF FACEBOOK USERS’ PERSONAL DATA WERE USED TO INFLUENCE THE US ELECTION AND BREXIT. “Last week, Carole Cadwalladr won The Orwell Prize for Journalism for her work investigating the impact of big data on the EU Referendum at the US Presidential election.”

John E. Dunn for Sophos: Facebook gave certain companies special access to customer data – “What do Russian internet company Mail.ru, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access private Friends data API despite the company supposedly changing the policy allowing this in May 2015.”

The Hacker News: Facebook Admits Sharing Users’ Data With 61 Tech Companies

Rhett Jones for Gizmodo: Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It

Updates to Cryptocurrency/Crypto-mining News and Resources

Pierluigi Paganini: Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation – “Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.”

Paul Ducklin for Sophos: Serious Security: How to cut-and-paste your way to Bitcoin riches – “Whether it’s cryptocurrency addresses, payment card details, ID numbers or other snippets of personal information, malware that sneakily changes data in the clipboard as you work online can trick you into paying the wrong people.”

Updates to GDPR page

The Register: United States, you have 2 months to sort Privacy Shield … or data deal is for the bin – Eurocrats – “MEPs call for urgent fix”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

DZone Security Zone: Glimpse Inside IoT-Triggered DDoS Attacks and Securing IT Infrastructures

Tech support scams resource page

SANS Ouch Newsletter: Phone Call Attacks & Scams

Updates to Mac Virus

Andrew Orlowski for The Register: Uh-oh. Boffins say most Android apps can slurp your screen – and you wouldn’t even know it – “Over 89 per cent of apps in the Google Play store make use of an API that requests screen capture or recording – and the user is oblivious as it evades the Android permission framework.” Summary of a paper”…titled Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications (summary and PDF).”

Pierluigi Paganini: A Samsung Texting App bug is sending random photos to contacts – ”

“The problem affected Galaxy S9 and S9+ devices, but we cannot exclude that other devices may have been affected…several users reported the anomalous behavior on Reddit and the company official forums.”

John E. Dunn for Sophos: Samsung phones sending photos to contacts without permission and also Your smartphone can watch you if it wants to, study finds.

Elcomsoft:  Apple Warns Users against Jailbreaking iOS Devices: True or False? Not whether Apple has issued the warnings – of course it has – but more about how justified the warnings are. The conclusion seems to be mostly true, with “with few caveats and one major exception.” Interesting article, anyway.

David Harley

Updates to the ‘(Anti-)social media’ page

Tomáš Foltýn for ESET: How (over)sharing on social media can trip you up. In case you’d forgotten just how many ways there are in which oversharing information can harm you…

The Register: Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles – “Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people’s personal information from their Facebook profiles.” In case you thought Facebook was past all that…

Maria Varmazis for Sophos: Are you happy with this technology that Facebook’s developing? – actually commentary on a story in the New York Times about what Facebook’s patent applications tell us. It seems that there are few aspects of our personal lives that Facebook isn’t  interested in tracking.  Though Maria rightly points out that “these patents are not a product roadmap for Facebook, so it is entirely possible we’ll never see them in action.” Unless, perhaps, FB is encouraged to pursue them by future commercial and political developments…

Also from Sophos:

Facebook and Google accused of manipulating us with “dark patterns” – “In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy.” However, there are lots of more blatant manipulations to be seen: in many cases, it’s just a case of ‘let us drop our cookies or miss out on what we’re offering.”

David Harley