Category Archives: Facebook

AVIEN resource updates: July 15th 2018

Updates to Anti-Social Media 

(1) ESET: Facebook fined over data privacy scandal

You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually indicate why the penalty was so much less than you might have expected (in theory, up to 4% of the company’s total income).

(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”

(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.

Updates to Meltdown/Spectre and other chip-related resources

John Leyden for The Register: Google’s ghost busters: We can scare off Spectre haunting Chrome tabs – “Site Isolation keeps pages fully separate on Windows, Mac, Linux, Chrome OS … Rather than solely defending against cross-site scripting attacks, the technology is now positioned as a necessary defence against infamous data-leaking Spectre CPU vulnerabilities, as a blog post by Google explained this week…”

Updates to Chain Mail Check

Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach from at least ten years ago.

The giveaway is that very few people are likely to be using the same password now – and it’s unlikely that there are that many people receiving the email who might think that such a video could have been made. Still, it seems that some people have actually paid up, and it’s possible that a more convincing attack might be made sending a more recent password to a given email address, and perhaps using a different type of leverage.

Commentary from Sophos here.

David Harley


Machine learning: science, engineering, or magic fairy dust?

Here’s an interesting article by Tristan Greene for The Next Web: Academic expert says Google and Facebook’s AI researchers aren’t doing science. The expert in question is Simon DeDeo, and he’s an astrophysicist rather than a practitioner in AI. But he’s speaking as a scientist and an academic when he points out – rightly, in my opinion – that “Machine learning is an amazing accomplishment of engineering. But it’s not science. Not even close. It’s just 1990, scaled up. It has given us *literally* no more insight than we had twenty years ago.”

He also remarks that “They said they did social science, but it was nothing of the sort. It was homo economicus spread out over 50 GPUs.” Which reminds me very much of Facebook’s dabbling in psychological manipulation and emotional contagion. Well, I’ve been fairly scathing from time to time about Facebook’s reliance on algorithms that presumably work well enough for its paying customers but may be irritating or even painful to its product: those of us who trade its intrusiveness and willingness to share our data for its social advantages. And I’m not even going to mention Cambridge Analytica.

I will quote one more of DeDeo’s tweets, though: “The real subjectivity is in ML, which spends all its time developing new techniques to optimize a subjectively-chosen goal function on a subjectively-chosen test set.” I could draw a parallel there with the way in which some so-called next-gen security companies still cite their use of machine-learning as if it was their very own magic fairy dust that detects all malware (yeah, right…) while propagating a series of myths about how mainstream products work. (Relying on signatures? Which century are you living in, Help Net? You know better than that, and so does Cylance…)

In fact, as I may have mentioned before, machine learning is used by mainstream companies to sift through the ludicrously high volumes of potentially malicious samples we see on a daily basis to prioritize other analytical techniques. But we – and the black hats behind malware – are all too aware of the risks of relying purely on machine-learning to distinguish between Good and Evil samples. But I don’t think I’ll go further into that yet again at this point.

David Harley

April 15th resource updates

Updates to Anti-Social Media 

The Register: Super Cali’s frickin’ whiz kids no longer oppose us: Even though Facebook thought info law was quite atrocious – “Zuck & Co end fight against California’s privacy legislation” Extra points to El Reg for the title, even if it doesn’t actually scan very well. 🙂

Sophos: Facebook shines a little light on ‘shadow profiles’ (or what Facebook knows about people who haven’t signed up to Facebook).

Also from Sophos: Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society. OPRS is a privacy advocacy and research group aiming to “to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online…”

Updates to Cryptocurrency/Crypto-mining News and Resources

F5: WINDOWS IIS 6.0 CVE-2017-7269 IS TARGETED AGAIN TO MINE ELECTRONEUM – “Last year, ESET security researchers reported that the same IIS vulnerability was abused to mine Monero, and install malware to launch targeted attacks against organizations by the notorious “Lazarus” group.”

The Register: Tried checking under the sofa? Indian BTC exchange Coinsecure finds itself $3.5m lighter. “Indian Bitcoin exchange Coinsecure has mislaid 438.318 BTC belonging to its customers.”

Help Net Security: 2.5 billion crypto mining attempts detected in enterprise networks – “The volume of cryptomining transactions has been steadily growing since Coinhive came out with its browser-based cryptomining service in September 2017.” This is commentary on an earlier article from Zscaler: Cryptomining is here to stay in the enterprise.

Updates to Meltdown/Spectre – Related Resources

Help Net Security: AMD users running Windows 10 get their Spectre fix – microcode to mitigate Spectre variant 2, and a Microsoft update for Windows 10 users.

Updates to Specific Ransomware Families and Types

[14th April 2018] Bleeping Computer re PUBG (and RensenWare, a blast from the past): PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown’s Battlegrounds, based on research from MalwareHunter. Described as a joke, but apart from the fact that such messing with a victim’s data might conceivably go horribly wrong in some circumstances – it doesn’t appear to be an impeccably well-coded program – and is likely in any case to cause the victim serious concern, it looks to me as though this is criminal activity, involving unauthorized access and modification in most jurisdictions.

Updates to Mac Virus

The Register: Exposed: Lazy Android mobe makers couldn’t care less about security – “Never. Is never a good time to get vulnerability fixes? Never is OK with you? Cool, never it is”

Graham Cluley for Bitdefender: China forces spyware onto Muslims’ Android phones, complete with security holes. Links to Adam Lynn’s report for the Open Technology Fund: App Targeting Uyghur Population Censors Content, Lacks Basic Security

Updates to Anti-Malware Testing

[14th April 2018]

Fairness and ethical testing: Pointer to a blog for ESET by Tony Anscombe: Anti-Malware testing needs standards, and testers need to adopt them – “A closer look at Anti-Malware tests and the sometimes unreliable nature of the process.” A good summary, and a useful reminder of the work that AMTSO is doing, but it’s a shame that after all these years we still need to keep making these points.

David Harley

Social media and privacy

Resources updates, 26 March 2018

Updates to Anti-Social Media

Updates to Specific Ransomware Families and Types

Updates to Cryptocurrency/Crypto-mining News and Resources

David Harley

22nd March Resources Update

Cryptocurrency/Crypto-mining News and Resources

Anti-Social Media

Mac Virus

Facebook Fallout

Added to the ANTI-SOCIAL MEDIA page today:

  • For Tech Beacon, Richi Jennings does a good job (as usual) of finding ‘bloggy bits’ relating to the Facebook/Cambridge Analytica mess: No ‘likes’ for Facebook’s API leak, but it’s not a data breach—and not news. And no, the fact that Facebook collects and shares too much information isn’t exactly news. Nor, come to that, the fact that Facebook has itself engaged in some experimental social engineering, though I’m guessing that fewer people are or ever were aware of those particular experiments. I think I’ll probably come back to that…
  • A comment to Richi’s announcement of that Tech Beacon article – ironically, on Facebook – brought my attention to this article by Kalev Leetaru for Forbes:

    The Problem Isn’t Cambridge Analytica: It’s Facebook. The article makes some excellent points. For instance:

    • “In 2014 academic researchers at Cornell and Facebook published research in which they had manipulated the emotions of three quarters of a million users … the research had been fully approved by Facebook and Cornell, with ethical review by Cornell’s IRB.” Yes, that’s one of the experiments I was thinking of.
    • “A central theme of the rhetoric and coverage of Cambridge Analytica is that it somehow violated accepted societal norms over the use of Facebook data … referring to it in the cybersecurity parlance of a data “breach.” In fact, this could not be further from the truth in our modern “surveillance economy.”
  • Taylor Lorenz for The Daily Beast: Mark Zuckerberg Swears He’ll Protect Your Data—Next Time – “The Facebook chief promised users that he would do more to ensure that their online lives weren’t put up for sale. One small problem: that’s kind of Facebook’s business model.”
  • Matthew Yglesias, for Vox (that’s the news site, not the music equipment manufacturer), comments on The case against Facebook – “It’s not just about privacy; its core function makes people lonely and sad.” Well, you could argue with that tagline. FB does have a useful function in terms, for instance, of connecting with friends far away. If you keep the Big Picture in mind, you sometimes forget that there are valid reasons why people are prepared to compromise their data by using Facebook (if they think about it at all). Still, there are plenty of very valid points in the article:
    • “…according to Craig Silverman’s path-breaking analysis for BuzzFeed, the 20 highest-performing fake news stories of the closing days of the 2016 campaign did better on Facebook than the 20 highest-performing real ones.”
    • “By turning news consumption and news discovery into a performative social process, Facebook turns itself into a confirmation bias machine — a machine that can best be fed through deliberate engineering…. Meanwhile, Facebook is destroying the business model for outlets that make real news.”
  • Kurt Wismer makes a good point about the get-me-out-of-here trend in The problem with #DeleteFacebook. “…a movement to abandon Facebook is going to open up a lot of opportunities for fraud all at once.” He suggests disabling rather than deleting an account. (Actually, I have a similar strategy regarding LinkedIn: I’m not job-hunting any more, but I don’t want to make misuse of my name too easy.)
  • While Brian X. Chen points out for the New York Times: Want to #DeleteFacebook? You Can Try. A few pertinent points here, too:
    • “Keep in mind that Facebook isn’t the only company capable of collecting your information. One big culprit: Web trackers, like cookies embedded into websites and their ads. They are everywhere, and they follow your activities from site to site.”
    • “…you may be better off tweaking your privacy settings on the site.”
  • Help Net Security: Facebook’s trust crisis: Has it harmed democracy? – “Facebook is losing the faith of the American people, according to the Digital Citizens Alliance.”

David Harley

Resource updates 21st March 2018

Additions to the new Anti-Social Media page:

Additions to Meltdown/Spectre – Related Resources

New information/resource page: [anti-]social media

[This article is itself the first entry on the new page Anti-Social Media.]

Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)

However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over Cambridge Analytica, its self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help but notice that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest. Starting with a minor deluge of advice from various quarters:

David Harley

Support scams: what can AVIEN do about it?

In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?

It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, but that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.

While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine picks up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.

Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, and individual victims tend to lose fairly small sums even compared to some of the big 419 scores, which lessens the interest from law enforcement in general, even assuming that there is cooperation between the countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.

Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests (http://www.met.police.uk/fraudalert/reporting_fraud.htm) there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.

I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow