Tag Archives: Facebook

Anti-Social Media: bumper bundle

[I’ve been catching up after a week out of office, so there’s quite a lot to be depressed about this time.]

Zeljka Zorz for Help Net: Turning off Location History doesn’t prevent Google from knowing your location  – “If you believe that by turning off Location History on your Android device or iPhone means that Google won’t be able to know your location, think again: Princeton University researchers have confirmed Google services store users’ location regardless of those settings.”

Help Net is quoting research performed on behalf of Associated Press…”  AP says “Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored…That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.”


Kashmir Hill and Surya Mattu for Gizmodo: Facebook Wanted Us to Kill This Investigative Tool  – “Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations….In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. …. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.”

Facebook, it seems, wasn’t happy about the release of the tool, for more than one reason. I can actually understand that the terms of service that it might violate are at least in part imposed for reasons of security (or should be). Yet Gizmodo points out that “Journalists need to probe technological platforms in order to understand how unseen and little understood algorithms influence the experiences of hundreds of millions of people”: Facebook’s apparent distrust of this assertion may tell us something about its PR worries, and even about the intrusive nature of the algorithms it prefers to keep secret.


Graham Cluley: Twitter CEO says they’re taking no action against InfoWars and Alex Jones
IT’S THE SAME CONTENT THAT FACEBOOK, YOUTUBE, SPOTIFY, AND APPLE BANNED.
If you’re unaware of the fuss about Jones, you might like to check out this article in the New York Times: Alex Jones, Pursued Over Infowars Falsehoods, Faces a Legal Crossroads


Teiss: Facebook denies it asked banks to share customers’ financial information –  Summarizes a story from the Wall Street Journal which I haven’t read because I’m not a subscriber.


Pierluigi Paganini: Social Mapper – Correlate social media profiles with facial recognition
“Security experts at Trustwave have released Social Mapper, a new open-source tool that allows finding a person of interest across social media platform using facial recognition technology…Experts from Trustwave warn of potential abuses of Social Mapper that are limited “only by your imagination.””

Which is unfortunate in that it’s easily found for free…

David Harley

Advertisements

AVIEN resource updates 3rd August 2018

Updates to Anti-Social Media 

A fascinating article for Quartz by Nikhil SonnadEverything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)

The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

US-CERT advised that the FBI published an article on securing the internet of things. US-CERT also flagged the NCCIC Tip Securing the Internet of Things.

David Harley

Anti-social media updates: 27th July 2018

Reuters: Facebook’s grim forecast: privacy push will erode profits for years “The plummeting stock price wiped out as much as $150 billion in market capitalization and erased the stock’s gains since April when Facebook announced a surprisingly strong 63 percent rise in profit and an increase in users.” John Gruber offers terse but to-the-point commentary.

Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers  – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

Also from Lisa Vaas: Crimson Hexagon banned by Facebook over user data concern – “The Wall Street Journal last week reported that Facebook is investigating whether the firm’s contracts with the US government and a Russian nonprofit tied to the Kremlin violated its policies.”

Yet another article from the prolific Ms Vaas: Names and photos of Venmo ‘drug buyers’ published on Twitter – she offers another example of data scraped from publicly available data and used inappropriately and misleadingly. A recent article by John E. Dunn describes a rather more responsible use of Venmo’s open privacy settings: Venmo users: time to hide your drug deals and excessive pizza consumption.

And another. Maybe you should just shoot over to the Naked Security site while I get on with some other work… WhatsApp limits message forwarding in response to lynchings – an indication that fake news is no joke, and can be a matter of life or (more to the point) death. In recent months, “India …  has seen dozens of mob lynchings sparked by rumors that have spread virally on social media.”

David Harley

Anti-Social Media Updates

Nick Statt for The Verge: Undercover Facebook moderator was instructed not to remove fringe groups or hate speech – “A new documentary details how third-party Facebook moderators ignore the company’s rules … The accusation is a damning one, undermining Facebook’s claims that it is actively trying to cut down on fake news, propaganda, hate speech, and other harmful content that may have significant real-world impact.” The investigation focuses on CPL Resources, which provides a third-party content moderation service.

In an interview with Kara Swisher, Zuckerberg tries to explain why Facebook hasn’t simply taken down InfoWars presence on the platform, but simply moved them ‘down the line’ by reducing distribution. Hmm.  Good interview, though, and lots of glimpses into the man’s head.

The Register: ‘Elders of the Internet’ apologise for social media, recommend Trump filters to fix it – “‘USENET was a pretty clear warning’ of things to come, says new draft IETF standard” I don’t think this IETF draft is entirely serious, but perhaps it should be. IT security remains fixated on technical security and has tended to fight shy of the psychosocial aspects of Internet interaction. Certainly the anti-malware industry in general could have paid more attention to the psychology of the victim than it has. And yes, USENET was a pretty good indication of how awful social media might (and did) turn out to be. And yes, abstention from social media and whisky do both have some appeal… A joke with teeth.

David Harley

Anti-social media: at least Twitter is doing some things right…

The Register: Brit privacy watchdog reports on political data harvests: We’ve read the lot so you don’t have to – “‘Cambridge Analytica had data ferreted away on disconnected servers, Twitter actually kicked the firm’s ads off its platform, and Facebook still has a lot of questions to answer.”

Washington Post: Twitter is sweeping out fake accounts like never before, putting user growth at risk – “Twitter suspended more than 70 million accounts in May and June, and the pace has continued in July”

Sophos: Apple and Google questioned by Congress over user tracking – “Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.

Sophos: Facebook stares down barrel of $660,000 fine over data slurping. David Bisson notes: Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal, And Graham Cluley comments: Facebook fined a paltry £500,000 (8 minutes’ revenue) over Cambridge Analytica scandal. Quite…

Pierluigi Paganini: Timehop data breach, data from 21 million users exposed. “The company admitted that hackers obtained access credential to its cloud computing environment, that incredibly was not protected by multifactor authentication.”

David Harley

Updates to the ‘(Anti-)social media’ page

Tomáš Foltýn for ESET: How (over)sharing on social media can trip you up. In case you’d forgotten just how many ways there are in which oversharing information can harm you…

The Register: Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles – “Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people’s personal information from their Facebook profiles.” In case you thought Facebook was past all that…

Maria Varmazis for Sophos: Are you happy with this technology that Facebook’s developing? – actually commentary on a story in the New York Times about what Facebook’s patent applications tell us. It seems that there are few aspects of our personal lives that Facebook isn’t  interested in tracking.  Though Maria rightly points out that “these patents are not a product roadmap for Facebook, so it is entirely possible we’ll never see them in action.” Unless, perhaps, FB is encouraged to pursue them by future commercial and political developments…

Also from Sophos:

Facebook and Google accused of manipulating us with “dark patterns” – “In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy.” However, there are lots of more blatant manipulations to be seen: in many cases, it’s just a case of ‘let us drop our cookies or miss out on what we’re offering.”

David Harley

AVIEN resource updates 27th June 2018 (continued)

Updates to Anti-Social Media 

Metro: Facebook wants to hide secret inaudible messages in TV ads that can force your phone to record audio – this is so blatant I find it hard to believe, despite my own distrust of Zuckerberg and his minions. But I suppose we’ll see.

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Help Net: GlobalSign launches IoT Identity Platform addressing IoT device security requirements

Updates to Specific Ransomware Families and Types

Talos: Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor – “Additionally, due to issues present within the encryption process leveraged by this ransomware, the malware authors are unable to return the data to the victim, even if he or she pays the ransom. While previous reports seem to indicate this is accidental, specific campaigns appear to demonstrate that in some cases, this is intentional on the part of the distributor.”

John Leyden for The Register: A year after devastating NotPetya outbreak, what have we learnt? Er, not a lot, says BlackBerry bod – “Say it with me: ‘Patch outdated systems.’ Good, and again…”

David Harley

AVIEN resource updates 8th June 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to GDPR page

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside  – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary – you may not be able to read this without a router. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface. And sometimes even necessary devices entail security risks.]

Stephen Cobb for ESET: VPNFilter update: More bad news for routers 
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”

The Register: IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales “Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla.” Commentary by Graham Cluley for BitDefender: Creepy CloudPets pulled from stores over security fears

Updates to Tech support scams resource page

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to Chain Mail Check

Tomáš Foltýn for ESET: You have NOT won! A look at fake FIFA World Cup-themed lotteries and giveaways

“With the 2018 FIFA World Cup in Russia just days away, fraudsters are increasingly using all things soccer as bait to reel in unsuspecting fans so that they get more than they bargained for”

Updates to Mac Virus

John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain co”mpany’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

And from the New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends –
“The company formed data-sharing partnerships with Apple, Samsung and
dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too

David Harley

Apple on Safari, gunning for Facebook?

Updates to Anti-Social Media 

John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain co”mpany’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.

On the other hand: Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends –
“The company formed data-sharing partnerships with Apple, Samsung and
dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside  – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

David Harley

(Anti-)Social Media – news updates June 6th 2018

The Register: ‘Tesco probably knows more about me than GCHQ’: Infosec boffins on surveillance capitalism – “Cambridge Uni powwow broods on Facebook, Wannacry” There seem to have been a lot of good points made there. I’m rather sorry I didn’t get to it, but it’s a long way from my part of the world…

Surveillance by cookie isn’t, of course, confined to social media. Perhaps more people have become aware of them recently with the pitter-patter of GDPR-inspired pop-ups on sites noting that they use them, and on occasion requiring visitors to agree to their being used if they’re to continue using the site. What could go wrong? Here’s an interesting, mildly techie paper from Digital Interruption: Are Your Cookies Telling Your Fortune? – An analysis of weak cookie secrets and OSINT. OSINT, by the way, is Open-Source Intelligence, information gathered from publicly available sources.

Sophos: Facebook faces furious shareholders at annual meeting – “Another investor, Will Lana of Trillium Asset Management, said that his firm has been keeping track of the scandals in which Facebook is embroiled. It’s tallied “at least 15 distinct controversies,” he said, as he spoke in favor of a proposal to change the board’s approach to risk management”. [But don’t worry:  Zuckerberg and the Board of Directors managed to ’emerge from the meeting unscathed’. Well, you can worry if you like…]

Thomas Claburn for The Register: Facebook insists device data door differs from dodgy dev data deal – “Facebook on Sunday said an arrangement that gave some 60 mobile device makers access to data about device users’ Facebook friends is not at all like the deal it made with app developers that gave rise to the Cambridge Analytica scandal.” Oh, good…

Given the number of Facebook denizens who are interested in genealogy and heredity, this seems a suitable place to mention a Brian Krebs article: Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage

Catalin Cimpanu for Bleeping Computer: Washington State Sues Facebook and Google Over Election Ads – “Washington State Attorney General Bob Ferguson filed two lawsuits on Monday against Facebook and Google on the grounds of breaking local campaign finance laws.”

Here are a couple of items I’ve also posted to the Mac Virus site, and which are also relevant to the anti-social media page. I haven’t paid much attention to news-recycling sites (apart from The Register, maybe)  in recent years, but these two ZDNet reports actually mildly impressed me.

Adrian Kingsley-Hughes for ZDNet: Your iPhone is tracking your movements and storing your favorite locations all the time. He says: “Now, you may be like me and not care about this data being collected, and might even find it a useful record of where you’ve been over the previous weeks and months. But if you’re uncomfortable for any reason with this data being collected, then Apple offers several ways you can take control over it.” Even if you don’t mind these data being collected by your operating system, you also have to think about the apps that may be accessing it at second hand.

Kind of weirdly, Larry Dignan (also for ZDNet) tells us that Apple, Google have similar phone addiction approaches with iOS, Android. Well, it’s always nice (if unexpected) when Big Business displays a sense of civic responsibility. However, Dignan is probably right when he remarks: “The research is just starting to be compiled on smartphone addiction and what happens when your life is overloaded by apps and notifications. Think of the digital health push from Apple and Google as a way to provide talking points before screen time becomes a Congressional hearing someday.”

David Harley