Category Archives: facebook

Facebook data breach: Victims will not be offered free identity theft protection

Facebook announced that the recent data breach it has suffered is a little less massive than initially thought: “only” 30 million users have been affected. But, although highly personal information has been harvested from the profiles of 14 million of the victims, Facebook has told the BBC that it does not plan, at this time, to provide them with free identity theft protection services. New information: On Friday, while still insisting on calling this data …

The post Facebook data breach: Victims will not be offered free identity theft protection appeared first on Help Net Security.

Hackers accessed 29 million user accounts, says Facebook

Facebook confirms 29 million users’ data accessed by hackers: How to check if your account has been hacked

Last month, Facebook was hit by its worst security breach, in which hackers accessed the personal information of millions of users. Back then, Facebook had said that the hack had exposed data of approximately 50 million users.

However, the social networking giant has now confirmed that the security breach actually affected nearly 30 million accounts, fewer than the originally estimated 50 million. Additionally, the company said, hackers were not able to access more sensitive information such as passwords or financial information, and third-party apps were not affected.

Of the 30 million accounts, hackers were able to successfully access personal information from 29 million Facebook users. However, the hackers were not able to get access to information about the accounts of one million people.

Out of those 29 million accounts, hackers were able to access the name and contact details (phone number, email, or both, depending on what people had on their profiles) of 15 million people.

Further, in the case of another 14 million people, besides stealing name and contact details, they also stole other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totalling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles,” said Guy Rosen, Facebook Vice President of Product Management, in a news release.

“That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers,” he added.

Besides this, Rosen also added that the attackers did not access data from “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”

Facebook stated that while it is continuing to investigate and working to resolve the security breach discovered two weeks ago, it does not rule out the possibility of smaller-scale attacks. The social networking giant is working with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities to investigate who might be behind the breach.

In the coming weeks, Facebook also plans to send customised messages to the 30 million people affected to explain what information the hackers might have accessed, and steps to protect themselves, including from suspicious emails, text messages, or calls.

Facebook said that affected people can check whether their accounts were hacked by visiting its Help Center.

The post Hackers accessed 29 million user accounts, says Facebook appeared first on TechWorm.

Facebook Says Russian Firms ‘Scraped’ Data, Some for Facial Recognition

An anonymous reader quotes the New York Times: On the same day Facebook announced that it had carried out its biggest purge yet of American accounts peddling disinformation, the company quietly made another revelation: It had removed 66 accounts, pages and apps linked to Russian firms that build facial recognition software for the Russian government. Facebook said Thursday that it had removed any accounts associated with SocialDataHub and its sister firm, Fubutech, because the companies violated its policies by scraping data from the social network. "Facebook has reason to believe your work for the government has included matching photos from individuals' personal social media accounts in order to identify them," the company said in a cease-and-desist letter to SocialDataHub that was dated Tuesday and viewed by The New York Times... As Facebook is taking a closer look at its own products amid increasing scrutiny and public outcry, it is increasingly finding examples of companies that have been exploiting its global social network for questionable ends.... Artur Khachuyan, the 26-year-old chief executive of SocialDataHub and Fubutech, said in an interview Friday that Fubutech scraped data from the web, particularly Google search and the Russian search engine Yandex, to build a database of Russian citizens and their images that the government can use for facial recognition. "We don't know exactly what they do with it," he said.... At one point in a 30-minute phone interview, he said the Russian Defense Ministry was a client but later said he could not name Fubutech's government clients. The two Russian companies have been around for over four years, "relying in part on Facebook data," the Times reports. "At the top of the SocialDataHub's website, there is a single line: 'We know everything about everybody.'"

Read more of this story at Slashdot.

How To See If Your Personal Data Was Stolen In the Recent Facebook Hack

An anonymous reader quotes a report from Recode: Hackers stole personal data from 29 million Facebook users in a recent hack, including information like phone numbers, emails, gender, hometowns and even relationship data. Was your data stolen? (Mine was.) There's an easy way to check. Visit this Help Center page on Facebook's website and log in to your account. It will tell you whether or not your data was stolen, and which data in particular. Worth noting, while Facebook's alert says that no "payment card or credit card information" was stolen, Facebook product executive Guy Rosen did say that hackers would have been able to see the last four digits of a user's credit card through this hack. Facebook also says it will reach out to people directly if their data was stolen.

Security Affairs: Facebook Data Breach Update: attackers accessed data of 29 Million users

Facebook data breach – The company provided an update on the data breach it disclosed at the end of September: hackers accessed the personal data of 29 million users.

Facebook announced that hackers accessed the data of 29 million users, fewer than the 50 million initially thought.

The hackers did not access Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts, the company said.

Attackers exploited a vulnerability in the “View As” feature, which lets users see how others see their profile, to steal users’ Facebook access tokens.

Earlier this month Facebook revealed that attackers chained three bugs to breach the Facebook platform.

“We now know that fewer people were impacted than we originally thought,” said Facebook vice president of product management Guy Rosen in a conference call.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook data breach, whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they controlled directly, then expanded their activity to those accounts’ networks.

“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” Rosen added.

“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”

Facebook is cooperating with the US authorities, the Irish Data Protection Commission and other authorities regarding the breach.

Rosen confirmed Facebook had “no reason to believe this attack was related to the mid-term elections” in the US.

Pierluigi Paganini

(Security Affairs – Facebook data breach, hacking)

The post Facebook Data Breach Update: attackers accessed data of 29 Million users appeared first on Security Affairs.

30M Facebook breach; includes users phone numbers and location data

By Waqas

FBI has asked Facebook not to discuss who may be behind this attack. On September 28th, 2018 the social media giant Facebook announced that it suffered a massive data breach in which hackers stole access tokens of millions of accounts after exploiting a critical vulnerability in its “View As” feature. At that time, the estimate […]

This is a post from HackRead.com. Read the original post: 30M Facebook breach; includes users phone numbers and location data

Here’s how to see if you were affected by Facebook’s breach

Today, Facebook provided additional information on the data breach it disclosed last month. Whereas it initially said up to 50 million users might have been affected, it now reports that 30 million were impacted by the breach. By exploiting a system vulnerability, attackers were able to steal digital keys called access tokens from those 30 million users, and Facebook has now laid out how those users were affected. The company is also notifying those impacted, but if you don't want to wait to be notified, you can check if your account was affected through this link.

Source: Facebook

Facebook says recent data breach wasn’t ‘related to the midterms’

Even though the number of users affected by Facebook's most recent hack was lowered to 29 million, from 50 million, it's still safe to say the attack was worse than originally thought. That's because we now know that the breach, which Facebook revealed a couple of weeks ago, exposed very detailed information of 14 million of those users, including their username, birthdate, gender, location, relationship status, religion, hometown, self-reported current city, education, work, the devices they used to access Facebook and the last 10 places they checked into (or were tagged in) on the site. The attackers, whose identities Facebook won't reveal because of an ongoing FBI investigation, were also able to view which people/Pages were followed by these 14 million users, as well as their 15 most recent searches on Facebook.

The FBI Is Now Investigating Facebook’s Security Breach Where Attackers Accessed 30 Million Users’ Personal Information

An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network [alternative source], the company said Friday as it released new details about the scope of an incident that has regulators and law enforcement on high alert. The company said the FBI is actively investigating the hack, and asked Facebook not to disclose any potential culprits. From a report: Through a series of interrelated bugs in Facebook's programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said. The contact information included a mix of phone numbers and email addresses. An additional 14 million users were affected more deeply, by having additional details taken related to their profiles such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow. Facebook said last month that it detected the attack when it noticed an uptick in user activity. An investigation soon found that the activity was linked to the theft of security codes that, under normal circumstances, allow Facebook users to navigate away from the site while remaining logged in. The bugs that allowed the attack to occur gave hackers the ability to effectively take over Facebook accounts on a widespread basis, Facebook said when it disclosed the breach. The attackers began with a relatively small number of accounts that they directly controlled, exploiting flaws in the platform's "View As" feature to gain access to other users' profiles.

Facebook’s recent hack exposed private information of 29 million users

Late last month, Facebook announced a data breach that affected up to 50 million of its users. The issue involved access tokens -- digital keys that let people remain logged into Facebook -- and a vulnerability allowed attackers to steal those tokens and hijack other users' Facebook accounts. The company has now released an update on that report, and it now says fewer people were affected than it originally thought. "Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen," it said.

Source: Facebook

Check Chain Mail and Hoaxes: Facebook cloning revisited

A lot of people know by now that the widely-received warning about multiple Friend requests is generally unhelpful (to say the least). Many are dismissing it as a hoax, but that doesn’t address the more general confusion about FB cloning, hacking (not the same thing), clickjacking and clickbait, and general misinformation. This article for ESET attempts to put it into the wider context in a form that doesn’t require a PhD in information security. 

Send in the clones: Facebook cloning revisited

David Harley


HACKMAGEDDON: 16-30 September 2018 Cyber Attacks Timeline

It’s time to publish the second timeline of September, covering the main cyber attacks that occurred between September 16th and September 30th (plus a few events that slipped away from the previous timeline). If you still have an account on Facebook...

Facebook announces AI-powered video calling device “Portal”

Meet Portal and Portal+, Facebook’s smart video calling devices for Messenger

Amid all the rumors, Facebook has finally officially launched its Messenger-enabled video chatting devices for the home, Portal and Portal+. With the launch of these devices, Facebook has entered the smart speaker space to compete with the likes of Amazon, Google, and Apple.

The two products, Portal and Portal+, allow users to make and receive video calls using the Facebook Messenger service or Facebook. Portal closely resembles Amazon’s Echo Show.

Specifications and Features:

Display

Facebook Portal features a 10-inch touch-sensitive display at a 1280 x 800 resolution, while the Portal+ has a larger high-definition 15-inch screen with a 1920 x 1080 resolution. Portal’s display is fixed in landscape mode, but Portal+’s screen can pivot between portrait and landscape modes.

Camera

Smart Camera and Smart Sound use AI (artificial intelligence) technology and run locally on Portal, not on Facebook servers. Powered by AI, Portal’s Smart Camera and Smart Sound technology allow users to enjoy a more convenient, hands-free experience. While Portal’s camera doesn’t use facial recognition and doesn’t identify the user, it does follow users during video calls.

“Smart Camera stays with the action and automatically pans and zooms to keep everyone in view. Smart Sound minimizes background noise and enhances the voice of whoever is talking, no matter where they move. It’s like having your own cinematographer and sound crew direct your personal video calls,” notes Facebook in a blog post.

Privacy

As Facebook is aware of privacy concerns, the cameras in the Portal and Portal+ come with a cover that can easily block the camera’s lens at any time and the user can still receive incoming calls and notifications, plus use voice commands. Facebook has done this to give an assurance to its users that it is not watching their moves. Also, Facebook allows users to disable cameras and the microphones in Portal and Portal+ with a single tap.

Password

To manage Portal access within your home, you can set a four- to 12-digit passcode to keep the screen locked. Changing the passcode requires your Facebook password.

Encryption

Facebook notes that it “doesn’t listen to, view, or keep the contents of your Portal video calls”. The Portal conversations stay between the user and the people they are calling. In addition, Facebook says that video calls on the Portal are encrypted.

Voice Control + Alexa

Portal offers hands-free voice control. Like other voice-enabled devices, Portal only sends voice commands to Facebook servers after you say, “Hey Portal”. You can delete your Portal’s voice history in your Facebook Activity Log whenever you want. With Amazon Alexa built into Portal, you can check weather updates and sports scores, control smart home devices, order groceries, and much more. You can also use Amazon Prime music streaming on the device.

Music and Video

Portal enables shared activities like listening to music together or watching some of your favorite shows. The Portal and Portal+ can play music through Spotify Premium, Pandora and iHeartRadio, or stream video from Facebook Watch, Food Network, and Newsy. Facebook says that more content partners will be announced soon.

Connect with Facebook and Messenger Friends

You can call Facebook friends and connections on Messenger even if they don’t have Portal. You can also use the touchscreen to start a call. Calls can be made to and from Messenger-enabled smartphones and tablets. Portal supports group calls of up to seven people at the same time.

Other features

When you are not using the video calling feature, Portal’s Superframe can display your favorite photos and videos, as well as important notifications like birthday and anniversary reminders, to make you feel a little more connected to your closest family and friends.

Another cool feature is Story Time, which has five interactive storybooks you can read. This feature brings stories to life with custom sound effects and visuals.

Portal and Portal+ are available now for pre-order in the U.S. from Facebook, Amazon and Best Buy. You can purchase a Portal for $199 or a Portal+ for $349. However, if you bundle two Portal models together, you can save $100, and get the pair for just $298. Both the devices will start shipping in November.

The post Facebook announces AI-powered video calling device “Portal” appeared first on TechWorm.

BrahMos Engineer Arrested on Charges of Spying for Pakistan’s Intelligence Agency ISI

Nishant Agrawal, an engineer at BrahMos Aerospace Private Limited in Nagpur, was arrested in a joint operation by the Military Intelligence and the Uttar Pradesh and Maharashtra police, following a tip.

Arrested on Monday on charges of spying for Pakistan's intelligence agency ISI and various other countries, Nishant was accused of passing classified and secret information to the Inter-Services Intelligence of Pakistan as well as to other countries. Experts, in any case, clarified that he worked at the integration facility and were uncertain whether he had access to any classified information.

Nonetheless, he will be charged under the Official Secrets Act, and his home and office computers have already been seized. The police are still investigating whether he was "honey-trapped" by Facebook IDs in the name of women, which have been traced to Pakistan.

"Very sensitive information was found on his personal computer. We found evidence of him chatting on Facebook with Pakistan-based IDs," said Aseem Arun, the chief of the anti-terror squad of Uttar Pradesh.

Nishant has worked in the technical research section of the missile centre for four years. He studied at the National Institute of Technology in Kurukshetra, where he was a gold medallist, and is described as a very bright engineer.

Presently, two other scientists working in a Defence Research and Development Organisation (DRDO) lab in Kanpur are being monitored for suspicious activity, and the situation is being watched closely, as this is the first spy scandal to hit BrahMos Aerospace, maker of what is considered the world's fastest cruise missile.


Facebook Unveils Portal and Portal+ Smart Speakers With Video Calling Feature

Facebook on Monday unveiled a pair of smart speakers, complete with cameras and microphones, for your home. From a report: The devices, Portal and Portal+, directly challenge Amazon, Google and Apple in the fast-growing smart-speaker market with a unique approach that will emphasize video calling. It's Facebook's first hardware product outside the Oculus line of virtual-reality devices. To start a video call, users can say "Hey Portal, call ..." followed by the name of a connection on Facebook's Messenger service. These calls include entertaining augmented-reality features that can outfit users with cat hats or turn their living rooms into animated night clubs. Another feature is Smart Camera, which uses artificial intelligence and the devices' cameras to perfectly frame users on video as they move around while on a call. [...] Besides video calls, the Portal devices can stream music from Spotify, Pandora and Amazon Music and video from Facebook Watch. Not included at launch are services like Apple Music, YouTube, Netflix, Hulu or HBO Now. The devices come equipped with Amazon's Alexa voice assistant and the many skills available on that service, allowing them to ask questions like "What's the weather?" or "How are my teams doing?" [...] The company is taking preorders for the devices now and will begin shipping them early next month. The Portal, which features a 10-inch screen, is available for $199 while the Portal+, which has a long, 15.6-inch screen, is priced at $349. WashingtonPost reports that the device follows the person in their house: What's unique about Facebook's device is the tech it uses to make the video calls look good. Think of it as a personal cinematographer: A 12-megapixel camera -- equivalent to most phones -- identifies the shape of people within its 140-degree field of view and pans and zooms to make sure they're all always in the frame. You can wander around the room, do chores, Jazzercise, play with the kids or whatever. 
(Or, if you want, you can tap on the face of one person and the Portal camera will track just them.)

Facebook Is ‘Teeming’ With Fake Accounts Created By Undercover Cops

An anonymous reader quotes NBC News: Police officers around the country, in departments large and small, working for federal, state and local agencies, use undercover Facebook accounts to watch protesters, track gang members, lure child predators and snare thieves, according to court records, police trainers and officers themselves. Some maintain several of these accounts at a time. The tactic violates Facebook's terms of use, and the company says it disables fake accounts whenever it discovers them. But that is about all it can do: Fake accounts are not against the law, and the information gleaned by the police can be used as evidence in criminal and civil cases. Investigators know this, which is why the accounts continue to flourish. "Every high-tech crime unit has one," said an officer who uses an undercover account to monitor gang members and drug dealers in New Jersey and who spoke on the condition of anonymity to avoid having the account exposed or shut down. "It's not uncommon, but we don't like to talk about it too much." The proliferation of fake Facebook accounts and other means of social media monitoring -- including the use of software to crunch data about people's online activity -- illustrates a policing "revolution" that has allowed authorities to not only track people but also map out their networks, said Rachel Levinson-Waldman, senior counsel at New York University School of Law's Brennan Center for Justice.... Judges in New Jersey and Delaware have upheld investigators' use of fake social media profiles. U.S. Immigration and Customs Enforcement, the Cincinnati Police Department and the Chicago Police Department have publicly boasted of using undercover Facebook accounts in cases against accused child predators, gangs and gun traffickers. 
Following an outcry after a Drug Enforcement Administration agent created a fake Facebook account in a suspect's name to catch members of a drug ring, the Department of Justice promised in 2014 to review the agency's policies -- but the department did not respond to multiple requests to say what has changed. Several law enforcement agencies, including the New York Police Department, the Georgia Bureau of Investigation and the Indiana Intelligence Fusion Center, have policies that explicitly allow the creation of fake profiles, with some conditions -- including obtaining prior approval from a superior and limiting interactions with targets.... [P]olice agencies have been able to keep undercover accounts for years without Facebook discovering them. After one successful ACLU lawsuit this August, a Memphis activist discovered that his local police department had assembled 22,000 pages about him and his friends.

Instagram Tests Sharing Your Location History With Facebook

Instagram is testing a feature that would allow it to share your location data with Facebook, regardless of whether you're using the app or not. Researcher Jane Manchun Wong says the option, which is being tested as a setting you have to opt in to, allows Facebook products to "build and use a history of precise locations" which the company says "helps you explore what's around you, get more relevant ads and helps improve Facebook." The Verge reports: In a statement to TechCrunch, a spokesperson from Facebook confirmed that there was no guarantee the feature would see a wide release. "We often work on ideas that may evolve over time or ultimately not be tested or released. Instagram does not currently store Location History; we'll keep people updated with any changes to our location settings in the future." Wong has a history of correctly identifying features like this before they're officially announced. She has previously leaked Facebook's dating application, Instagram's updated two-factor authentication, and Instagram's school bio feature. Facebook is also reportedly testing a map view to see friends' locations, similar to what's already offered by Snapchat. Instagram's data sharing could provide additional data points to power this functionality, while providing Facebook with more data to better target its ads.

A Look at Facebook’s Use of Systemd

At an event this month (you can find the video of it here), Davide Cavalca, a production engineer at Facebook, spoke about the growing adoption of systemd in the company's data centers. From a report: Facebook continues making use of systemd's many features inside its data centers. Some of its highlights for systemd use in 2018 include: Facebook's servers have relied on systemd for about the past two years; Facebook is using CentOS 7 everywhere, from hosts to containers; while relying on CentOS 7, Facebook backports a lot of packages, including new systemd releases, Meson, other dependencies, and of course new Linux kernel releases; and Facebook is working on "pystemd", a Python (Cython) wrapper on top of SD-BUS.


Facebook Employees Outraged Over Exec’s Appearance at Kavanaugh Hearing

An anonymous reader writes: Hundreds of Facebook employees have reportedly expressed anger that an executive attended Supreme Court Justice nominee Brett Kavanaugh's public hearing last week to support him, The Wall Street Journal reports. Joel Kaplan, Facebook's head of global policy, was at Kavanaugh's hearing because he is reportedly close friends with the Supreme Court Justice nominee. Outraged employees reportedly brought his appearance up during an internal question-and-answer session with CEO Mark Zuckerberg, and have been expressing their concerns in internal discussion threads. On Friday, Zuckerberg said that "he wouldn't have made the same decision but the appearance didn't violate Facebook policies," the Journal reports.


Smashing Security #098: A Facebook omnishambles


Millions of Facebook user accounts put at risk after hack! The UK Conservative party’s conference app causes a privacy omnishambles! And Facebook (again) has been doing something naughty with the phone numbers you give it for security reasons! Oh, and Maria gets very excited about something to do with Star Trek.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Facebook Bug Prevented Users From Deleting Their Accounts

Emil Protalinski, reporting for VentureBeat: Until just a few days ago, some Facebook users could not delete their accounts -- the option to do so simply didn't work. After VentureBeat reached out to Facebook regarding the issue, an engineer was able to squash the bug. Two weeks ago, I got an email from a VentureBeat reader who couldn't delete his Facebook account. He claimed there were others also having issues -- no matter what they tried, they simply could not delete Facebook. I didn't believe him at first. [...] I did my due diligence. The least I could do was help him delete his account. Upon request, the reader was gracious enough to let me log into his Facebook account so I could see for myself. No matter what I tried, and regardless of which browser I used, the Facebook help page for deleting your account would not load when logged into his account. The reporter contacted a Facebook spokesperson, who after looking into the matter concluded that a bug prevented some people with "a large number of posts" from deleting their accounts. Facebook says it has resolved the issue.


The Largest Facebook Hack Happened Last Week

The most massive hack in Facebook's history happened last week. Late on Friday, the social-media giant announced in a blog post that it had discovered a security issue directly affecting nearly 50 million people and impacting a total of 90 million people from all over the world. The affected Facebook users include US citizens.

Facebook learned about the issue on Tuesday last week and claimed to have resolved it by the end of Thursday. The hack forced Mark Zuckerberg's team to reset the login tokens of another 40 million people, bringing the total of affected Facebook users to 90 million. While the first 50 million are known to have been directly affected, the token reset for the other 40 million was done as a precaution by the social media conglomerate. As a result of the hack, roughly 90 million Facebook users have had to log back into Facebook, or into any other apps that use the company's login.

This means that if you have always been able to access your Facebook profile with a single click, but over the last couple of days you have suddenly been asked to type in your password when logging in from your phone, and you have seen a notification at the top of your News Feed explaining what happened, you are among those affected.

What happened?

A vulnerability in Facebook's code caused the data breach. Cybercriminals were able to exploit the “View As” feature and steal Facebook access tokens. As you might already know, “View As” is a feature that lets Facebook users see what their profile looks like to someone else. Access tokens are like digital keys that keep Facebook users continuously logged in, so they don't have to type in their password every time they want to access the app.

What was stolen?

Access to users' Facebook accounts was stolen. Cyber-criminals were able to get access to sensitive information such as the date of birth of the affected people and their friends, Facebook activity history, full name, addresses and generally everything that you have shared on Facebook.

The incident has been reported to the authorities. Facebook apologized, confirmed that the breach was massive, and is still investigating the cause of the hack. It is currently unknown who is behind the attack, and there is no concrete evidence about the country of origin of the hackers.

Should you change your password?

Facebook said that every affected platform user had been forced to log out and log back in. However, the social media platform confirmed that it is still investigating the issue and there might be new findings in the coming days. As a precaution, if you feel nervous, we advise you to change your password and keep changing it every three months. Sometimes it takes months, and even years, for companies to disclose data breaches. Last but not least, having an extra layer of security on all your connected devices is a must for everyone who is conscious about their online security.

The post The Largest Facebook Hack Happened Last Week appeared first on Panda Security Mediacenter.

The Effects of GDPR’s 72-Hour Notification Rule

The EU's GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem:

Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete.

1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing.

Last week's Facebook hack is his example.

The Twitter conversation continues as various people try to figure out if the European law allows a delay in order to work with law enforcement to catch the hackers, or if a company can report the breach privately with some assurance that it won't accidentally leak to the public.

The other interesting impact is the foreclosing of any possible coordination with law enforcement. I once ran response for a breach of a financial institution, which wasn't disclosed for months as the company was working with the USSS to lure the attackers into a trap. It worked.

[...]

The assumption that anything you share with an EU DPA stays confidential in the current media environment has been disproven by my personal experience.

This is a perennial problem: we can get information quickly, or we can get accurate information. It's hard to get both at the same time.

Hackers are holding Instagram accounts of influencers for ransom

By Waqas

The social media giant Facebook was hacked a few days ago after hackers exploited a vulnerability in its “View As” feature. As a result, 90 million users were affected but now, in another hacking spree hackers are targeting high-profile Instagram accounts and holding them for ransom – In some cases, hackers have gone one step further by […]

This is a post from HackRead.com. Read the original post: Hackers are holding Instagram accounts of influencers for ransom

The ultimate fallout from the Facebook data breach could be massive

Less than a week ago, Facebook announced that unknown attackers have managed to string together three bugs affecting the social media platform, which allowed them to steal access tokens of at least 50 million users – and likely more. The tokens allowed the attackers to take over victims’ Facebook accounts but could also have been used to log into accounts the victims opened on other websites and apps by using Facebook Login (i.e. using Facebook … More

The post The ultimate fallout from the Facebook data breach could be massive appeared first on Help Net Security.

Facebook Finds ‘No Evidence’ Hackers Accessed Connected Apps

An anonymous reader quotes a report from TechCrunch: Facebook has said it's found "no evidence" that third-party apps were affected by the data breach it revealed last week. Hackers stole account access tokens on at least 50 million users by exploiting a chain of three vulnerabilities inadvertently introduced by Facebook last year. Another 40 million also may have been affected by the attack. Facebook revoked those tokens -- which keep users logged in when they enter their username and password -- forcing users to log back into the site again. But there was concern that third-party apps, sites and services that rely on Facebook to log in -- like Spotify, Tinder and Instagram -- also may have been affected, prompting companies that use Facebook Login to seek answers from the social networking giant. "We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week," said Guy Rosen, Facebook's vice president of product management, in a blog post. "That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login. Any developer using our official Facebook SDKs -- and all those that have regularly checked the validity of their users' access tokens -- were automatically protected when we reset people's access tokens." Furthermore, Rosen said that not all developers use Facebook's developer tools, so the social network is "building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out."


Facebook: Hackers didn’t access third-party sites with our sign-in

The Facebook hack compromised 50 million users, but the damage might not be as extensive as some expected. In a statement, company security VP Guy Rosen revealed that investigators "found no evidence" of the intruders accessing third-party apps with its Facebook Login feature. Some sites using the single sign-on also confirmed that there was no indication of a data breach on their end, although they're not necessarily taking chances.

Source: Reuters, Facebook

Episode 114: Complexity at Root of Facebook Breach and LoJax is a RAT You Can’t Kill

In this week’s podcast: Facebook revealed that a breach affected 50 million accounts and as many as 90 million users. Is complexity at the root of the social media giant’s troubles? We speak with Gary McGraw of the firm Synopsys about it. Also: BIOS-based malware has been demonstrated at security conferences for years.  Last week, the...


Hackers Are Selling Facebook Credentials on the Dark Web For $3

Hackers are selling Facebook logins for just $3 on the dark web, according to new research. From a report: The study by Money Guru found that Facebook logins can be bought for as little as £2.30 ($3), with the report coming just hours after it was revealed that an enormous data breach has left at least 50 million Facebook accounts compromised. The research also found that hacked email logins are also being flogged on dark web marketplaces, which are easily accessible to anyone with the right browser and web addresses. Even financial data is being sold cheaply, with credit card information available for as little as $14 and debit card information for $19.50. The research was looking into the availability of logins for sale for the 26 most commonly used online accounts.


Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising

From Kashmir Hill:

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other people's contact books, a hidden layer of details Facebook has about you that I've come to call "shadow contact information." I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

Here's the research paper. Hill again:

They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.

IT Security Expert Blog

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss. 380,000 of the airline's website and mobile app customers had their debit and credit card details lifted via a maliciously injected script. The breach even caused the shares of BA's owner, IAG, to drop 4% in value. And to compound matters, there were several claims that the BA website wasn't PCI DSS compliant, implying that if it had been, its customers' personal and payment card information would still be safe. For further details about this breach see my blog posts: British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users' data was at risk after hackers exploited a vulnerability in the Facebook code. Facebook CEO Mark Zuckerberg said he doesn't know who is behind the cyber attack; however, the FBI is investigating.

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference app revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove and Gavin Williamson among those whose personal information, including phone numbers, was made available.

A number of large data breach fines were handed out in September. Tesco Bank was hit with a whopping £16.4 million fine by the Financial Conduct Authority (FCA); the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left its bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and its financial crime operations team to carry out the attack over a 48-hour period.

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K for not having good enough security to prevent the theft of 547,000 customer records by an employee. Uber has paid £133m to settle legal claims from customers and drivers as a result of trying to cover up from its regulators a huge breach which occurred in 2016. The ride-hailing company admitted paying off hackers to the tune of $100,000 to delete the data they stole from Uber's cloud servers. The personal data stolen came from 57 million Uber accounts and included 600,000 driving license numbers.

It looks like the MoD and GCHQ are looking to beef up Britain's cyber offence capabilities, announcing a plan to recruit a 2,000-strong 'cyber force' to take on the Russian threat. Meanwhile, across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of the book and movie "Catch Me If You Can".

Bristol Airport was impacted by a ransomware attack, which took down its arrival and departure screens for a couple of days, and a Scottish brewery was also hit by a ransomware attack via an infected CV it had received through an online job advertisement.

Europol warned of 15 ways you could become a cyber crime victim, and there was an excellent article in the New York Times on the Bangladesh Central Bank cyber theft.


Facebook is Equipping K-8 Classrooms With Robot Sets To Boost Tech Diversity

Long-time reader theodp writes: Facebook last week announced the launch of CodeFWD, "a free online education program created in partnership with [robotic toy maker] Sphero to increase the amount of underrepresented and female students interested in studying computer science." Sphero and CodeFWD are offering a free Sphero BOLT Power Pack (a classroom set of 15 robots valued at $2,499) to a select number of accepted applicants through the program. So, what do you need to begin CodeFWD by Facebook? "No experience necessary. No experience preferred," explains the website. However, that's not to say CodeFWD is for all. "CodeFWD is intended for educators who are credentialed K-12 teachers or 501(c)(3) non-profit staff members in the United States," the website makes clear, adding that "given the limited supply of robots, we will evaluate the information you've provided and prioritize those applications that help us achieve the goal of expanding access to computer programming opportunities." And Facebook, being Facebook, adds that it wants some data out of the deal: "Please note that Facebook will have access to aggregate, anonymous usage data from Sphero, but will not have access to user-identifiable data collected by Sphero."


A week in security (September 24 – 30)

Last week on Labs was a busy one. We discussed how SMS phishing attacks target the job market, issued a warning for TV Licensing phishes, commented on how Apple confused Safari users with recent changes to how OSX handles browser extensions, and elaborated on holes found in Mojave’s privacy protection—deep breath! We also showed how a buggy implementation of CVE-2018-8373 vulnerability is used to deliver Quasar RAT, discussed what is needed to fight back in the age of unwanted calls, gave some tips on how to protect your data from Magecart and other e-commerce attacks, and alerted our readers that millions of accounts were affected in the latest Facebook vulnerability.

Other cybersecurity news:

  • Tech firms back US privacy law to negate states. (Source: The Washington Post)
  • Microsoft rolls out confidential computing for Azure. (Source: Bleeping Computer)
  • Google recently made a change to simplify the way Chrome handles sign-in. (Source: The Keyword)
  • VirusTotal announces VirusTotal Enterprise. (Source: medium.com)
  • 14 years imprisonment for man who helped hackers evade detection by antivirus software. (Source: Hot for Security)
  • Port of San Diego’s information technology systems disrupted by ransomware. (Source: Port of San Diego)
  • LoJax: the first UEFI rootkit found in the wild, courtesy of the Sednit group. (Source: WeLiveSecurity)
  • Telegram leaks public/private IP addresses of end users in desktop. (Source: inputzero)
  • iPhone XS passcode bypass hack exposes contacts and photos. (Source: ThreatPost)
  • Secret Service warns of surge in ATM ‘wiretapping’ attacks. (Source: Krebs on Security)
  • Mutagen Astronomy: Linux kernel ‘give me root, now’ security hole sighted. (Source: TheRegister)

Stay safe, everyone!

The post A week in security (September 24 – 30) appeared first on Malwarebytes Labs.

Facebook: How to minimize the risk of vulnerabilities


In the last few months, the world’s most popular social network has faced several problems when it comes to data protection. In July of this year, the Information Commissioner’s Office (ICO) in the UK imposed a £500,000 fine on Facebook for its implication in the Cambridge Analytica case. This was the maximum possible fine, given that the incident occurred before the implementation of the GDPR.

Now, a new data protection scandal has rocked the Internet giant. Last Friday, as Guy Rosen, VP of Product Management, explained, almost 50 million accounts were exposed to an attack that happened on Tuesday September 25. The attack was made possible by a vulnerability in the video uploading function that also affected the “View As” function, which allows people to see what their own profile looks like to other users. This vulnerability would have allowed the attackers to steal users' access tokens, a kind of key that means users don't have to re-enter their passwords every time they access the site. Theoretically, with these tokens, an attacker could gain access to any third-party app that uses Facebook to log in.

Facebook, the initial response to the attack

It didn’t take long for Facebook to react – they notified the Data Protection Commission (DPC) in Ireland, where the company’s European headquarters are located. Under the rules of the GDPR, a company is obliged to inform of a data breach within 72 hours of its discovery. However, the DPC has said that it needs more information about the attack, such as the number of European users affected and the risk that they face, in order to carry out their investigation.

Since the incident happened after the GDPR came into force, the social network could face a fine of up to 4% of the annual worldwide turnover of the preceding financial year, which, in the case of Facebook, would be $1.63 billion (€1.4 billion). But this economic sanction isn’t the only repercussion; we can also add the reputational damage that the firm will suffer, another key aspect in this kind of incident. Many users will lose confidence in the company thanks to this data breach, and this loss of confidence may turn into a loss of clients and money.

Personal data, fuel for companies

There’s no doubt that personal information is power, and means serious money. How companies process and use this data is varied and sophisticated, and is very lucrative. Business of this kind is very simple: we hand over information in return for a service. But the service is paid for with our personal data. And organizations are responsible for looking out for our safety when it comes to possible cybercrimes whose ultimate goal is to compromise our privacy, such as phishing, digital identity theft, or the exploitation of unpatched vulnerabilities, as was the case in this latest incident.

With all of this in mind, it seems that it is now easier than ever to be the victim of a cyberattack. While this is true to a certain extent, it is also true that prevention, detection, response and remediation systems are becoming more and more efficient. Panda Adaptive Defense, for example, combines solutions and services to optimize protection, reduce the attack surface, and minimize the impact of these threats.

And the fact is that, with the number of documented glitches and vulnerabilities now up to 20,000 cases, a 38% increase compared to five years ago, the first thing to bear in mind is limiting the attack surface. At tech giants such as Facebook, this may seem like a pipe dream. But keeping confidential information safe from theft or data kidnapping, even in exorbitant amounts, as with the 50 million Facebook profiles, is possible today thanks to solutions such as Panda Patch Management, the new module of Adaptive Defense, which reduces the complexity of managing patches and updates in operating systems and hundreds of third-party applications.

What’s more, Panda Patch Management helps companies to comply with the accountability principle. Many regulations such as GDPR, HIPAA and PCI, force organizations to take the appropriate technical and organizational measures to ensure proper protection of the sensitive data under their control, as is the case with Facebook. Thanks to real time updates, this module provides visibility of the health of endpoints in terms of pending vulnerabilities and updates for the system, allowing it to get ahead of exploits of these vulnerabilities.

How to protect your company

  • Hackers exploit vulnerabilities in unpatched programs. Keep your software and devices up-to-date.
  • Having an automatic vulnerability detection solution reduces the possibility of suffering a security breach by up to 20%.
  • Get absolute control of personal data and protect your pocket: with the GDPR, correct, speedy management by the DPO will save you economic sanctions and reputational damage.
  • The ability to efficiently and quickly compile detailed reports with the information about an incident of this type – how, when, and how much – is very important to facilitate the work of data protection agencies. The module Panda Data Control allows you to discover, audit and monitor unstructured personal data on the endpoints in your company.

The post Facebook: How to minimize the risk of vulnerabilities appeared first on Panda Security Mediacenter.

Attackers chained three bugs to breach the Facebook platform

Facebook has revealed additional details about the cyber attack that exposed personal information of 50 million accounts.

Last week, Facebook announced that attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users.

The “View As” feature allows users to see how others see their profile; it was implemented under the privacy section to help users check that only intended data is visible on their public profile.

Facebook noticed a traffic spike on September 16 but determined that it was under attack on September 25, when it also discovered how the attackers breached the platform. The incident was disclosed on September 27.

Facebook disabled the “View As” feature in response to the incident; the company reset the security tokens for the 50 million impacted accounts and, as a precautionary measure, reset them for another 40 million accounts.

Attackers also accessed data of the Facebook founder Mark Zuckerberg and the COO Sheryl Sandberg. Facebook is notifying users whose tokens have been compromised.

According to Facebook, the vulnerability is the result of chaining three flaws affecting the “View As” feature and Facebook's video uploader.

The company clarified that the version of the video uploader interface affected by the vulnerability was introduced in July 2017.

  1. Experts noticed that the “View As” allows displaying the profile as a read-only interface. but the platform fails to validate the content submitted through text box that allows people to wish happy birthday to their friends(this is the first bug). The experts discovered that it is possible to post a video through this field.
  2. The second issue is related to the fact that the video uploader generated an access token that had the permissions of the Facebook mobile app when posting a video in the text box.
  3. The third bug is that the token generated was not for the user who had been using “View As” but for the one whose profile was being viewed, this means that attackers could obtain the token from the page’s HTML code and use it to take over a targeted user’s account.

Note that the attack is iterative: an attacker who controls one account uses “View As” to look up that account’s friends, obtains their tokens, and repeats the process from the newly compromised accounts.

“It was the combination of these three bugs that became a vulnerability: when using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user,” explained Guy Rosen, VP of Product Management.

“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens,” added Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.
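As an added illustration (not code from the original post or from Facebook), the following Python models the chain described above: a read-only View As preview that fails to remove the composer, an uploader that mints a full-permission token, and the token being minted for the looked-up friend and embedded in the page, followed by the pivot the two quotes describe. The class and function names, the friendship graph, the `mobile_app` scope label and the idea of a `fixed` flag are assumptions; with `fixed=True` the preview carries no composer and the crawl stops at the attacker’s own account.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    user: str    # principal the token acts as
    scope: str   # "mobile_app" stands in for the full app-permission scope in the text
    value: str


class Platform:
    """Toy social graph plus token issuer. Assumed model, not Facebook's code."""

    def __init__(self, fixed: bool):
        self.fixed = fixed                  # True: bug 1 fixed, preview has no composer
        self.friends: dict[str, set[str]] = {}
        self.issued: dict[str, Token] = {}  # token value -> Token

    def add_friendship(self, a: str, b: str) -> None:
        self.friends.setdefault(a, set()).add(b)
        self.friends.setdefault(b, set()).add(a)

    def mint_token(self, user: str, scope: str) -> Token:
        tok = Token(user, scope, secrets.token_hex(8))
        self.issued[tok.value] = tok
        return tok

    def whoami(self, token_value: str) -> str:
        """API call: whoever presents a valid token is treated as its user."""
        return self.issued[token_value].user

    def view_as(self, acting: Token, target: str) -> dict:
        """Render the profile of `acting.user` as `target` (a friend) would see it.
        The returned dict stands in for the HTML sent to the browser."""
        if acting.value not in self.issued:
            raise PermissionError("invalid token")
        if target not in self.friends.get(acting.user, set()):
            raise PermissionError("View As is limited to friends")
        page = {"profile_of": acting.user, "seen_by": target, "composer": None}
        if self.fixed:
            return page  # read-only preview: no composer, so no uploader, so no token
        # Bug 1: the birthday composer is left in the read-only preview.
        # Bug 2: its video uploader mints a token with full app permissions.
        # Bug 3: the token is minted for `target`, not for `acting.user`,
        #        and is embedded in the page where the client can read it.
        leaked = self.mint_token(target, "mobile_app")
        page["composer"] = {"video_upload_token": leaked.value}
        return page


def harvest(platform: Platform, seed: Token) -> dict[str, Token]:
    """Attacker's pivot: from every token held, look up each friend with View As
    and pull the token that leaks out of the page. Returns user -> token."""
    have = {seed.user: seed}
    frontier = [seed]
    while frontier:
        tok = frontier.pop()
        for friend in sorted(platform.friends.get(tok.user, ())):
            if friend in have:
                continue
            page = platform.view_as(tok, friend)
            if page["composer"] is None:
                continue  # fixed build: nothing to take
            stolen = platform.issued[page["composer"]["video_upload_token"]]
            have[friend] = stolen
            frontier.append(stolen)
    return have


def demo(fixed: bool) -> set[str]:
    """Constructed graph: attacker 'mallory' is friends only with 'alice', who is
    friends with 'bob', and so on down a chain. Returns the victims reached."""
    p = Platform(fixed=fixed)
    for a, b in [("mallory", "alice"), ("alice", "bob"), ("bob", "carol"), ("carol", "dave")]:
        p.add_friendship(a, b)
    seed = p.mint_token("mallory", "mobile_app")  # attacker's own legitimate session
    taken = harvest(p, seed)
    # every stolen token is accepted by the API as the victim
    assert all(p.whoami(t.value) == u for u, t in taken.items())
    return set(taken) - {"mallory"}


if __name__ == "__main__":
    print("vulnerable:", sorted(demo(fixed=False)))
    print("fixed:     ", sorted(demo(fixed=True)))
```

The point the model makes is that no single bug is a takeover: the composer on its own is a UI slip, the token on its own is over-privileged but belongs to the caller, and only the wrong principal in bug 3 turns a self-service preview into a credential for someone else, reachable two hops away through the friend graph.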

According to Facebook, the attackers queried its APIs to access profile information, but there is no indication that private data such as private messages or credit card details was accessed.

An aspect that was initially underestimated is that the stolen tokens could also be used with third-party apps and sites that accept Facebook Login. The token reset mitigated this risk too.

Users who linked Facebook to an Instagram account are also warned that they will need to unlink and re-link the accounts, because the reset invalidated the linking tokens.
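The reset described here and the precautionary reset of the 40 million accounts that had been looked up via “View As” in the past year both rely on one property: a single action on the server must invalidate every outstanding token for a user, including tokens the platform does not have a list of (the ones a bug minted) and tokens held by third-party apps. As an added example (not Facebook’s implementation), the following Python models that with a per-user generation number baked into each token; the token format, the `audience` field, the timestamps and the scenario are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timedelta


class TokenService:
    """Toy issuer: every token carries the user's current 'generation' number, and
    a reset bumps that number so all earlier tokens for the user fail verification
    at once, whatever audience they were issued to. Assumed model, not Facebook's."""

    def __init__(self, key: bytes):
        self.key = key
        self.generation: dict[str, int] = {}          # user -> current generation
        self.lookups: dict[str, list[datetime]] = {}  # user -> times they were a View As target

    def issue(self, user: str, audience: str) -> str:
        """audience: 'facebook' for the platform itself, or the id of an app using Facebook Login."""
        gen = self.generation.setdefault(user, 1)
        payload = f"{user}|{audience}|{gen}"
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def verify(self, token: str) -> tuple[str, str] | None:
        """(user, audience) for a live token; None for malformed, forged or reset tokens."""
        parts = token.split("|")
        if len(parts) != 4:
            return None
        user, audience, gen, mac = parts
        expected = hmac.new(self.key, f"{user}|{audience}|{gen}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        if not gen.isdigit() or int(gen) != self.generation.get(user):
            return None  # generation moved on: the token was reset
        return user, audience

    def reset(self, user: str) -> None:
        """One write invalidates every token ever issued for `user`, known or not."""
        self.generation[user] = self.generation.get(user, 1) + 1

    def record_view_as_lookup(self, target: str, when: str) -> None:
        self.lookups.setdefault(target, []).append(datetime.fromisoformat(when))

    def incident_reset(self, confirmed: set[str], now: str, window_days: int) -> dict[str, set[str]]:
        """Reset the confirmed victims plus everyone who was the target of a View As
        lookup inside the window (the precautionary group in the text)."""
        cutoff = datetime.fromisoformat(now) - timedelta(days=window_days)
        precautionary = {u for u, times in self.lookups.items()
                         if any(t >= cutoff for t in times)} - confirmed
        for user in confirmed | precautionary:
            self.reset(user)
        return {"confirmed": set(confirmed), "precautionary": precautionary}


def demo() -> dict[str, object]:
    """Constructed scenario: alice confirmed hit and also signed into a partner app;
    bob looked up 100 days ago; carol looked up two years ago."""
    svc = TokenService(b"server-side-secret")
    svc.record_view_as_lookup("bob", "2018-06-20T10:00:00")
    svc.record_view_as_lookup("carol", "2016-09-01T10:00:00")
    alice_fb = svc.issue("alice", "facebook")
    alice_app = svc.issue("alice", "partner-app")  # held by a third-party app via Facebook Login
    bob_fb = svc.issue("bob", "facebook")
    carol_fb = svc.issue("carol", "facebook")
    groups = svc.incident_reset({"alice"}, now="2018-09-28T00:00:00", window_days=365)
    return {
        "precautionary": groups["precautionary"],
        "alice_fb_live": svc.verify(alice_fb) is not None,
        "alice_app_live": svc.verify(alice_app) is not None,
        "bob_live": svc.verify(bob_fb) is not None,
        "carol_live": svc.verify(carol_fb) is not None,
        "alice_relogin_live": svc.verify(svc.issue("alice", "facebook")) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A generation counter is what makes “we reset the tokens” a single cheap operation rather than a search for every token ever issued, and it is why the partner-app token and the Instagram link die with the Facebook session: they were minted under the old generation. The cost is that the user has to log back in everywhere, which is exactly what the 90 million affected people saw.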

Based on the information Facebook has shared, chaining three bugs and then pivoting across accounts at scale points to capable attackers, though Facebook has not attributed the attack.

In the coming weeks we will have a clearer picture of the impact on the company, which could face a fine of up to $1.63 billion under the EU GDPR.

Rumors of a class action lawsuit are circulating online.

Pierluigi Paganini

(Security Affairs – Facebook hack, hacking)

The post Attackers chained three bugs to breach into the Facebook platform appeared first on Security Affairs.

Facebook faces a whopping €1.4 billion penalty under GDPR for Sept. 30 data breach

Facebook, which revealed last week that a massive data breach compromised 50 million accounts, is facing a potential $1.63 billion / €1.4 billion penalty under new European regulations.

A Facebook investigation revealed that attackers exploited a vulnerability in the “View As” feature that lets people see what their own profile looks like to external parties.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” the company said in a breach notice signed by its VP of Product Management, Guy Rosen.

Facebook discovered the breach Tuesday, Sept. 25, and complied with the EU’s General Data Protection Regulation’s requirement that entities report a breach within 72 hours of the moment they learned of it. The company offered few details about the hack, but promised to take the incident extremely seriously and offer updates as investigators learn more about what happened.

Facebook’s lead privacy regulator in Europe, Ireland’s Data Protection Commission, could fine the social network up to $1.63 billion / €1.4 billion for this incident under the European Union’s GDPR.

In an emailed statement, the regulator told the press it was “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”

“Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of EUR20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation,” reports MarketWatch.

Since then, Facebook has issued several updates clarifying the breach, but the situation is essentially unchanged: users whose tokens fell into the wrong hands before Facebook’s forced logout could have had their accounts accessed.

If you’ve found yourself logged out of Facebook after the news hit the wires, Facebook says there’s no need to change your password. But if you’re having trouble logging back into your account, the company says you should learn what you can do at this address.

Hacker vows to delete Mark Zuckerberg’s Facebook account; reports it for bounty instead

By Waqas

Hacker Cancels Plan to Live Stream Deletion of Mark Zuckerberg’s Facebook Account. It was just yesterday when Facebook announced that it was hacked after attackers exploited a vulnerability in its View As feature and gained access to over 50 million accounts. Now, a well-known hacker from Taiwan, Chang Chi-yuan made headlines for a rather intriguing […]

This is a post from HackRead.com Read the original post: Hacker vows to delete Mark Zuckerberg’s Facebook account; reports it for bounty instead

Facebook Hack: Massive Breach Affects 50 Million Accounts

Is Facebook really safe? These days we come across a steady stream of news about Facebook account hacks.

The biggest social media company in the world is struggling to keep its users’ data safe, and some attackers have been keeping Facebook’s security team awake at night.


Facebook recently said that the data of over 50 million of its users was exposed by a security flaw. The company said that attackers exploited a vulnerability in a feature known as “View As” to gain access to people’s accounts.

The breach was discovered on Tuesday, and Facebook informed law enforcement immediately afterwards.

As a result, affected users were forced to log in again on Friday.

What is ‘View as’

It is a Facebook feature that lets people see how their profile looks to others: to friends, to friends of friends, or to the public.

Attackers found a chain of bugs in this feature that ultimately let them steal Facebook access tokens, which can be used to take over accounts, and that is exactly what they did. Facebook has temporarily disabled the feature while it investigates.

According to Guy Rosen, “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.” The breach comes at a time when the firm is struggling to convince lawmakers in the US and beyond that it is capable of protecting user data.

Mark Zuckerberg, Facebook’s CEO and co-founder, said on a conference call on Friday that the company takes security seriously.

He also posted about the attack on his own Facebook account.

Who got affected?

Facebook has not said which accounts make up the 50 million, but it has informed the Irish data regulator, under whose jurisdiction Facebook’s European subsidiary falls.

Affected users were prompted to log in again on Friday. The company also said that users do not need to change their passwords.

Facebook’s investigation has only just started. The company does not yet know whether the accounts were misused, who carried out the attack, or where the attackers are based.

The flaw has been fixed, as confirmed by Facebook’s Guy Rosen, VP of Product Management. He also said that the access tokens of all affected accounts had been reset, and that the same was done for another 40 million accounts as a precaution.

On the news, Facebook, which has more than two billion monthly active users, saw its share price drop by more than 3% on Friday.

The post Facebook Hack: Massive Breach Affects 50 Million Accounts appeared first on TechWorm.

Facebook: User shadow data, including phone numbers may be used by advertisers

The worst suspicion has become a disconcerting reality: Facebook admitted that phone numbers users provided for security purposes could be used by advertisers to target them.

Researchers from two American universities discovered that phone numbers given to Facebook for two-factor authentication were also used for advertising purposes.

“These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings,” reads the study published by the researchers. 

“Most worrisome, we found that phone numbers uploaded as part of syncing contacts — that were never owned by a user and never listed on their account – were in fact used to enable PII-based advertising.”

The study investigates the channels through which advertisers can gather personally identifying information (PII) from the Facebook, WhatsApp and Messenger services.

Contact lists uploaded to Facebook’s platforms can be used by advertisers, who can exploit the personal information in them to target people in the uploader’s network.

The researchers’ findings indicate that Facebook uses a hidden layer of details it holds about its users, such as the phone numbers used for 2FA, which they call “shadow contact information.”

The study supports concerns that Facebook monetizes, through advertising, “shadow” sources of data that users never gave the social network for that purpose.
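To make the two data flows concrete, here is an added example (not code from the original post, the study, or Facebook) in Python: a 2FA-only number and a number that arrives through someone else’s synced address book both become matchable by an advertiser’s uploaded list, while a purpose-bound match that uses only what the user chose to list does not. The linkage rule for synced contacts (an entry whose e-mail resolves to an account contributes its phone numbers to that account), the field names and the sample identities are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field


def normalize(phone: str) -> str:
    """Address books store the same number many ways; reduce to '+' plus digits."""
    return "+" + "".join(ch for ch in phone if ch.isdigit())


@dataclass
class Account:
    uid: str
    email: str
    profile_phone: str | None = None   # listed on the profile by the user
    tfa_phone: str | None = None       # given for two-factor auth only
    shadow_phones: set[str] = field(default_factory=set)  # attached from other people's uploads


class Directory:
    """Toy user store with the two flows from the study. Assumed model, not Facebook's."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.by_email: dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        if acct.profile_phone:
            acct.profile_phone = normalize(acct.profile_phone)
        if acct.tfa_phone:
            acct.tfa_phone = normalize(acct.tfa_phone)
        self.accounts[acct.uid] = acct
        self.by_email[acct.email] = acct

    def sync_contacts(self, entries: list[dict]) -> None:
        """Contact sync. Assumed linkage rule: when an uploaded entry carries an
        identifier that already resolves to an account (here the e-mail), every
        phone number in that entry becomes shadow data for that account."""
        for entry in entries:
            acct = self.by_email.get(entry.get("email", ""))
            if acct is not None:
                acct.shadow_phones.update(normalize(p) for p in entry.get("phones", []))

    def match_audience(self, phones: list[str], purpose_bound: bool) -> set[str]:
        """Advertiser audience match by phone number. purpose_bound=True uses only
        the number the user chose to list; False matches on everything known."""
        wanted = {normalize(p) for p in phones}
        hits = set()
        for acct in self.accounts.values():
            known = {acct.profile_phone} if acct.profile_phone else set()
            if not purpose_bound:
                if acct.tfa_phone:
                    known.add(acct.tfa_phone)
                known |= acct.shadow_phones
            if known & wanted:
                hits.add(acct.uid)
        return hits


def demo() -> dict[str, set[str]]:
    """Constructed scenario: alice gave a number for 2FA only and lists nothing;
    bob lists a number; carol's synced address book holds alice's landline."""
    d = Directory()
    d.add(Account("alice", "alice@example.com", tfa_phone="+1 555 000 1111"))
    d.add(Account("bob", "bob@example.com", profile_phone="+1 (555) 000-2222"))
    d.sync_contacts([{"name": "Alice", "email": "alice@example.com",
                      "phones": ["+1 (555) 000-3333"]}])  # landline alice never gave the platform
    advertiser_list = ["+15550001111", "+15550003333", "+15550002222"]
    return {
        "as_observed": d.match_audience(advertiser_list, purpose_bound=False),
        "purpose_bound": d.match_audience(advertiser_list, purpose_bound=True),
        "landline_only": d.match_audience(["+1-555-000-3333"], purpose_bound=False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {sorted(v)}")
```

The `purpose_bound` flag is the control the study’s findings argue for: the matching index is keyed only by data collected for that purpose, so a number supplied for account recovery, or supplied by a third party, never enters the advertising path.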

“We use the information people provide to offer a better, more personalized experience on Facebook, including showing more relevant ads,” a spokeswoman told Gizmodo, which first reported the news.

Facebook continues to face a severe crisis over the way it manages its users’ data: the Cambridge Analytica case shocked the world with the way the social network giant shared the information of unaware users with third-party companies.

At the time of writing, Facebook’s Guy Rosen, VP of Product Management, announced that attackers exploited a vulnerability in the “View As” feature to steal the Facebook access tokens of 50 million users.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

The post Facebook: User shadow data, including phone numbers may be used by advertisers appeared first on Security Affairs.


US Government Loses Bid To Force Facebook To Wiretap Messenger Calls

An anonymous reader quotes a report from TechCrunch: U.S. government investigators have lost a case to force Facebook to wiretap calls made over its Messenger app. A joint federal and state law enforcement effort investigating the MS-13 gang had pushed a district court to hold the social networking giant in contempt of court for refusing to permit real-time listening in on voice calls. According to sources speaking to Reuters, the judge later ruled in Facebook's favor -- although, because the case remains under seal, it's not known for what reason. The case, filed in a Fresno, Calif. district court, centers on alleged gang members accused of murder and other crimes. The government had been pushing to prosecute 16 suspected gang members, but are said to have leaned on Facebook to obtain further evidence.

Read more of this story at Slashdot.

Massive Facebook Breach Affects 90 Million Accounts

Facebook forced a reset of more than 50 million user accounts on Thursday and would force another 40 million account resets in the coming days, citing a major breach of the site’s security that allowed unknown attackers to take over people’s accounts. The company said its own engineering team discovered the flaw, which involved the...


Facebook leaks data (including private conversations) from 50 million accounts

40 million more “likely” affected

If you were born in the late 80s you probably know what AFK means. If not, chances are you have never logged out of your account, and until today that was perfectly fine.

Today almost 90 million users found themselves logged out of Facebook as a precaution against what appears to be the worst privacy blunder in the social network’s history. Yes, we have heard of Cambridge Analytica and the rest.

The story, frame by frame

As per Facebook’s announcement, almost 50 million accounts were compromised through a daisy-chained vulnerability in the View As feature, which let an unknown party snatch the access tokens of those 50 million users. An access token is what keeps you logged in across a browser refresh, a reboot or a sleep cycle: as long as you hold the token you get into the account without going through the login process. Whoever else holds the token is likewise exempt from logging in, including whoever snatched it through this vulnerability.

There is little additional information about the bug beyond the fact that it has been partially mitigated by disabling the View As feature. It is worth noting that there is no mention of a bug bounty reward or of a white-hat researcher reporting the vulnerability, so it is safe to assume this was not a controlled disclosure and that a third party literally walked away with at least 50 million access tokens to as many accounts.

Here comes the painful part

According to Statista, Facebook Messenger is the world’s second largest instant messaging platform with almost 1.3 billion active users. It is also the world’s largest instant messaging platform that does not turn on end-to-end encryption by default, which means chat history is available from whatever machine you log in on unless you have manually turned on the Secret Conversations option. At this point it is safe to assume that, if you were logged out of Facebook for no apparent reason:

  1. Your account was either among those confirmed compromised or among the 40 million reset as a precaution. Which brings us to point number 2.
  2. Your private posts, conversations and every other piece of information, such as check-ins and pictures sent via chat, may have fallen into the wrong hands. If they ever become public in a “data dump”, marriages will break, friendships will end abruptly and sensitive pictures will flood the internet. Life will never be the same, “thanks” to a small bug in a platform.
  3. Other accounts that use Facebook authentication might have been accessed.

As of now it is hard to tell what the attackers got their hands on. However, given the complexity of the bug and the generous timeframe (Facebook caught the bug last Tuesday, but it could have been exploited for far longer), it is fair to assume the worst. The reason you had to log in again today is Facebook’s way of denying the attackers access to the accounts: it invalidated the access tokens of both the 50 million confirmed compromised accounts and the 40 million accounts suspected of being compromised.

And since we are talking about extremely sensitive content such as private chats, group chats and business-to-consumer interactions, changing your password will not be enough to make everything OK again. If you have shared sensitive content over Facebook Messenger, it is time to come to terms with that. If you are a company that uses Facebook Messenger for support and you were logged out of your account, start evaluating what information was exchanged over that channel and start notifying customers. By all accounts this is a data breach that falls under the GDPR and should be treated as such.

What you should do now

Today’s disclosure follows the old adage: never put all your eggs in one basket. Social networks have become the centerpiece of a digital life that blurs into physical life itself. It is also a reminder that social networks can do much more than influence your shopping or sway an election: a breach of private social interactions can have serious consequences for your life.

Unfortunately, what has been seen cannot be unseen and there is little you can do right now to change the course of things. What you should do though is consider your future options:

  1. Understand that social networks are not bulletproof places where your secrets are safe. Plan for the worst and act accordingly.
  2. Never put something in writing that you would not like to leak several years from now when the platform gets breached.
  3. Embrace end-to-end encryption like your life and your freedom depend on it. Sometimes it does.
  4. Use privacy-focused IM clients such as Signal for sensitive chats or any other business that should stay segregated from your physical persona.

McAfee Blogs: Facebook Announces Security Flaw Found in “View As” Feature

Another day, another Facebook story. In May, a Facebook Messenger malware named FacexWorm was utilized by cybercriminals to steal user passwords and mine for cryptocurrency. Later that same month, the personal data of 3 million users was exposed by an app on the platform dubbed myPersonality. And in June, millions of the social network’s users may have unwittingly shared private posts publicly due to another new bug. Which brings us to today. Just announced this morning, Facebook revealed they are dealing with yet another security breach, this time involving the “View As” feature.

Facebook users have the ability to view their profiles from another user’s perspective, which is called “View As.” This very feature was found to have a security flaw that has impacted approximately 50 million user accounts, as cybercriminals have exploited this vulnerability to steal Facebook users’ access tokens. Access tokens are digital keys that keep users logged in, and they permit users to bypass the need to enter a password every time. Essentially, this flaw helps cybercriminals take over users’ accounts.

While the access tokens of 50 million accounts were taken, Facebook still does not know whether any personal information was gathered or misused from the affected accounts. It has, however, reset the tokens of everyone whose profile was subject to a “View As” look-up in the last year, so those users will have to log back into Facebook, as well as into any apps that use Facebook Login. An estimated 90 million Facebook users will have to log back in.

As of now, this story is still developing, as Facebook is still investigating further into this issue. Now, the question is — if you’re an impacted Facebook user, what should you do to stay secure? Start by following these tips:

  • Refresh your account login information. Facebook says a password change is not required, because the stolen tokens have been invalidated, but if you do change it make the new password strong and unique, and turn on two-factor authentication.
  • Update, update, update. Facebook fixed this vulnerability on its own servers, so there is no app update to install for it, but keep your apps updated anyway: fixes for other issues ship with each version.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Facebook Announces Security Flaw Found in “View As” Feature appeared first on McAfee Blogs.




Millions of accounts affected in latest Facebook hack

Facebook announced earlier today that its social network was hacked: almost 50 million accounts were directly affected, and another 40 million are considered potentially affected.

Attackers exploited a feature in Facebook called “View As,” which essentially shows how your profile looks to others. The flaw enabled them to get ahold of so-called Access Tokens, which allowed them to be logged in as genuine Facebook users without having to use their password.

The feature has been turned off for now and the underlying vulnerability fixed. A law enforcement investigation is ongoing to determine the full scope of the hack and identify the perpetrators.

Facebook says it has taken action and that there is no need for users to reset their passwords, although it is a good opportunity to remind users that passwords should be complex and not reused across services.

We recommend people follow the Facebook hack story to get a better idea of what exactly was accessed and take the necessary precautions. We will keep Labs readers informed of further developments.

The post Millions of accounts affected in latest Facebook hack appeared first on Malwarebytes Labs.

Facebook Discloses Data Breach, 50 Million User Accounts Affected

Facebook announced on Friday that it recently discovered a data breach affecting 50 million user accounts. The social media giant said the security issue was uncovered by its engineering team on Tuesday, Sept. 25. “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted […]… Read More

The post Facebook Discloses Data Breach, 50 Million User Accounts Affected appeared first on The State of Security.

Facebook hacked – 50 Million Users’ Data exposed in the security breach

Facebook hacked – Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users.

Facebook hacked: the news is spreading rapidly across the Internet. A few hours ago, Facebook announced that an attack on its platform exposed the personal information of roughly 50 million users.

The social network giant discovered the breach this week: the attackers exploited a bug in the “View As” feature to steal users’ access tokens and take over their accounts.

Facebook has identified the flaw exploited in the attack and already fixed it. It immediately launched an investigation and reported the incident to law enforcement.

In a blog post, Facebook’s Guy Rosen, VP of Product Management explained that the attackers exploited a vulnerability associated with Facebook’s “View As” feature that allowed them to steal Facebook access tokens. These tokens could then be used to take over people’s accounts.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts.”   stated Guy Rosen, Facebook VP of Product Management.

“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”

Facebook disabled the “View As” feature in response to the incident, reset the access tokens of the 50 million affected accounts and, as a precaution, reset them for another 40 million accounts.

“Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.” continues Guy Rosen.

“Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.”


Facebook revealed that the bug exploited by the attackers was introduced with a change to their video uploading feature made in July 2017.

The tech giant said it did not know the source of the attack or identity of the attackers.

“We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces.” He added: “I’m glad we found this. But it definitely is an issue that this happened in the first place.”

The company will provide more information once the investigation is complete.

Pierluigi Paganini

(Security Affairs – Facebook hacked, data breach)

The post Facebook hacked – 50 Million Users’ Data exposed in the security breach appeared first on Security Affairs.

Facebook hacked: Hackers steal access tokens of 50 million accounts

By Waqas

Hackers exploited a vulnerability in the “View As” feature of Facebook. The social media giant has announced that it suffered a massive cyber attack, resulting in 50 million user accounts being impacted. In a statement, Guy Rosen, vice president of product management at Facebook, said that hackers exploited a vulnerability in Facebook’s ‘view as’ feature which […]

This is a post from HackRead.com Read the original post: Facebook hacked: Hackers steal access tokens of 50 million accounts

Facebook Says it Has Discovered ‘Security Issue’ Affecting Nearly 50 Million Accounts, Investigation in Early Stages

Facebook shared the following security announcement Friday: On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security. Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app. Here is the action we have already taken. First, we've fixed the vulnerability and informed law enforcement. Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened. Third, we're temporarily turning off the "View As" feature while we conduct a thorough security review. The company added it has yet to determine whether these impacted accounts were misused or any information was accessed. Senator Mark Warner has issued a stern reprimand to Facebook over the security incident revelation today. "This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I've said before -- the era of the Wild West in social media is over," he wrote.

Read more of this story at Slashdot.
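The announcement above describes a mass reset of access tokens as the containment step: every stolen token stops working and the affected people are forced to log in again. The following is an added example (not Facebook's code, and not a description of how Facebook's token system works) that shows one common way such a reset is implemented: each account carries a revocation generation counter, tokens embed the generation they were issued under, and a reset simply increments the counter so every outstanding token for that account fails validation while other accounts are untouched. All names (`TokenService`, the user ids, the `gen` claim) are constructed for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets


class TokenService:
    """Minimal HMAC-signed access-token issuer with per-account revocation.

    Constructed example: a real deployment would persist the generation
    counters and key material rather than keep them in a dict.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        # user_id -> generation; bumping it invalidates every token issued earlier
        self._generation: dict[str, int] = {}

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Issue a token bound to the user's *current* revocation generation."""
        gen = self._generation.setdefault(user_id, 0)
        payload = json.dumps(
            {"uid": user_id, "gen": gen, "nonce": secrets.token_hex(8)}
        ).encode()
        body = base64.urlsafe_b64encode(payload).decode()
        return f"{body}.{self._sign(payload)}"

    def validate(self, token: str):
        """Return the user id if the token is authentic and not revoked, else None."""
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body.encode())
        except (ValueError, binascii.Error):
            return None
        # Constant-time comparison so signature checks do not leak timing
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        claims = json.loads(payload)  # safe: the payload is exactly what we signed
        if claims["gen"] != self._generation.get(claims["uid"], 0):
            return None  # token predates a reset for this account
        return claims["uid"]

    def reset_tokens(self, user_ids) -> int:
        """Invalidate every outstanding token for the given accounts.

        This is the 'reset the access tokens' step: the accounts' holders must
        log in again to obtain a token under the new generation.
        """
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1
        return len(user_ids)


def demo():
    """Known-affected accounts and precautionary accounts are reset; others keep working."""
    svc = TokenService(secrets.token_bytes(32))
    affected = ["alice", "bob"]      # constructed stand-ins for known-compromised accounts
    precaution = ["carol"]           # constructed stand-in for a precautionary reset
    untouched = ["dave"]             # constructed stand-in for an unaffected account
    tokens = {u: svc.issue(u) for u in affected + precaution + untouched}

    before = {u: svc.validate(t) == u for u, t in tokens.items()}
    svc.reset_tokens(affected + precaution)
    after = {u: svc.validate(t) == u for u, t in tokens.items()}

    # After logging back in, the account receives a fresh, valid token.
    relogin_token = svc.issue("alice")
    return before, after, svc.validate(relogin_token)


if __name__ == "__main__":
    print(demo())
```

Because validation only compares the embedded generation with the account's current one, the reset costs a single counter increment per account regardless of how many tokens were issued, which is what makes resetting tens of millions of accounts in one operation practical. Tokens themselves are never stored server-side, so nothing needs to be hunted down and deleted.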

Facebook hack exposed info on up to 50 million users

Facebook announced on Friday that it has suffered a data breach affecting up to 50 million users. According to a report from the New York Times, Facebook discovered the attack on Tuesday and has contacted the FBI. The exploit reportedly enables attackers to take over control of accounts, so, as a precaution, the social network has automatically logged out more than 90 million potentially compromised accounts.

Hacker Proclaims He’ll Live-Stream an Attempt To Delete Mark Zuckerberg’s Facebook Page This Sunday

An indie Taiwanese hacker has proclaimed he'll broadcast an attempt to wipe out Mark Zuckerberg's Facebook page this Sunday -- live. From a report: Self-professed bug bounty-hunter Chang Chi-yuan, who ferrets out software flaws in return for cash, says he'll live-stream an endeavor to delete the billionaire's account at 6 p.m. local time from his own Facebook page. He didn't get into details or respond to an online query. "Broadcasting the deletion of FB founder Zuck's account," the lanky youngster, who turns 24 this year based on past interviews, told his 26,000-plus followers on Facebook this week. "Scheduled to go live." Cyber-enthusiasts from India to the U.S. routinely expose loopholes in corporate websites and software, earning small financial rewards. It's unusual however for so-called white-hat hackers to do so in real time. Chang, a minor celebrity at home who's gone on talk shows to discuss his exploits, was reportedly sued by a local bus operator after infiltrating their systems and buying a ticket for just NT$1 (3 cents). He's published a gamut of claims -- none of which could be independently verified -- including attacks on Apple and Tesla. And his Facebook account was listed among eight "special contributors" in Line's 2016 bug-hunters' hall of fame.

Read more of this story at Slashdot.

Hacker says he’ll livestream deletion of Zuckerberg’s Facebook page

A white-hat hacker is promising to livestream his bid to hack into Mark Zuckerberg's Facebook account this Sunday. "Broadcasting the deletion of FB founder Zuck's account," Chang Chi-yuan told his 26,000-plus followers on the social network, adding: "Scheduled to go live."

Via: Bloomberg

Source: Chang Chi-yuan (Facebook)

Facebook Announces $399 Oculus Quest Standalone VR Headset

Facebook's Oculus has announced its new $399 standalone virtual-reality headset that's scheduled to launch in the spring of 2019. Facebook CEO Mark Zuckerberg says that "with Oculus Quest, we will complete our first generation of Oculus products," adding that the Oculus Quest combines "the key attributes of the ideal VR system" -- a wireless design, virtual hand controllers, and full positional tracking. The Verge reports: The Oculus Quest is a consumer version of what was previously known as Project Santa Cruz. It uses motion controllers similar to Oculus Touch, and four wide-angle cameras provide positional tracking that lets people walk through virtual space. It's supposed to support "Rift-quality" experiences, with a starting catalog of over 50 titles, including well-known existing games like climbing simulator The Climb and adventure-puzzle game Moss. Oculus Quest essentially combines the high-end, tethered Oculus Rift headset with the relatively cheap, standalone Oculus Go device that was released earlier this year. It uses the same optics as the Oculus Go, with a resolution of 1600 x 1440 per eye, but with the option to adjust lens spacing. Also like the Oculus Go, the Oculus Quest includes built-in speakers that pipe sound into users' ears, but supposedly with improved bass. But unlike the Oculus Go, you can walk around, apparently for large distances. Barra describes it as having "arena-scale" tracking that supports at least 4,000 square feet of space. Its controllers have the same button layout as the Rift's Touch controllers, but with the half-moon tracking ring reversed, so it loops above your hands instead of below them.

Read more of this story at Slashdot.

Facebook Is Giving Advertisers Access To Your Shadow Contact Information

Kashmir Hill, reporting for Gizmodo: Last week, I ran an ad on Facebook targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn't work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove's office, a number Mislove has never provided to Facebook. He saw the ad within hours. One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a "custom audience." You might assume that you could go to your Facebook profile and look at your "contact and basic info" page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it's going about it in a less transparent and more invasive way. [...] Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser. They came up with a novel way to detect whether that information became available to advertisers by looking at the stats provided by Facebook about the size of an audience after contact information is uploaded. They go into this in greater length and technical detail in their paper [PDF]. They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks. Officially, Facebook denies the existence of shadow profiles. In a hearing with the House Energy & Commerce Committee earlier this year, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it.

Read more of this story at Slashdot.

Facebook Executive Hits Back at WhatsApp Co-founder Brian Acton: ‘A Whole New Standard of Low-Class’

Facebook's David Marcus, who until recently ran Facebook Messenger before starting the blockchain group earlier this year, is defending the company and CEO Mark Zuckerberg after a WhatsApp founder spoke critically of his experience at the company. Marcus: [...] On the business model. I was present in a lot of these meetings. Again, Mark protected WhatsApp for a very long period of time. And you have to put this in the context of a large organization with businesses knocking on our door to have the ability to engage and communicate with their customers on WhatsApp the same way they were doing it on Messenger. During this time, it became pretty clear that while advocating for business messaging, and being given the opportunity to build and deliver on that promise, Brian actively slow-played the execution, and never truly went for it. In my view, if you're passionate about a certain path -- in this case, letting businesses message people and charging for it -- and if you have internal questions about it, then work hard to prove that your approach has legs and demonstrate the value. Don't be passive-aggressive about it. And by the way the paid messaging that WhatsApp is rolling out now sounds pretty similar to metered messaging from my point of view... Lastly -- call me old fashioned. But I find attacking the people and company that made you a billionaire, and went to an unprecedented extent to shield and accommodate you for years, low-class. It's actually a whole new standard of low-class. I'll close by saying that as far as I'm concerned, and as a former lifelong entrepreneur and founder, there's no other large company I'd work at, and no other leader I'd work for. I want to work on hard problems that positively impact the lives of billions of people around the world. And Facebook is truly the only company that's singularly about people.

Read more of this story at Slashdot.

In Senate Hearing, Tech Giants Push Lawmakers For Federal Privacy Rules

Another day, another hearing of tech giants in Congress. Wednesday's hearing at the Senate Commerce Committee with Apple, Amazon, Google and Twitter, alongside AT&T and Charter, marked the latest in a string of hearings in the past few months into all things tech: but mostly controversies embroiling the companies, from election meddling to transparency. This time, privacy was at the top of the agenda. The problem, lawmakers say, is that consumers have little of it. From a report: The hearing said that the U.S. was lagging behind Europe's new GDPR privacy rules and California's recently passed privacy law, which goes into effect in 2020, and lawmakers were edging toward introducing their own federal privacy law. AT&T, Apple, Charter and Google used their time in the Senate to call on lawmakers to introduce new federal privacy legislation. Tech companies spent the past year pushing back against the new state regulations, but have conceded that new privacy rules are inevitable. Now the companies realize that it's better to sit at the table to influence a federal privacy law than stand outside in the cold. In pushing for a new federal law, representatives from each company confirmed that they support the preemption of California's new rules -- something that critics oppose. AT&T's chief lawyer Len Cali said that a patchwork of state laws would be unworkable. Apple, too, agreed to support a privacy law, but noted as a company that doesn't hoard user data for advertising -- like Facebook and Google -- that any federal law would need to put a premium on protecting the consumer rather than helping companies make money. But Amazon's chief lawyer Andrew DeVore said that complying with privacy rules has "required us to divert significant resources to administrative tasks and away from invention."

Read more of this story at Slashdot.

AggregateIQ Faces First GDPR Enforcement Over Data-Privacy Dispute

AggregateIQ, one of the companies at the heart of the Facebook unauthorized data-sharing scandal, could be one of the first companies to face penalties under the European Union’s recently implemented General Data Protection Regulation (GDPR). The United Kingdom’s (UK’s) Information Commissioner’s Office (ICO) quietly...

Read the whole entry... »

Internet Society Partners with Facebook To Expand Internet Connectivity in Africa

The Internet Society, a global non-profit organization dedicated to the open development, evolution and use of the Internet, today announced that it is partnering with Facebook to develop Internet Exchange Points (IXP) throughout Africa. From a press release: An Internet Exchange Point is where multiple local and international networks, ISPs and content providers interconnect their networks together to efficiently exchange Internet traffic through an arrangement commonly referred to as Peering. Currently, 42% of countries in Africa lack IXPs, which means that most of their domestic Internet traffic is exchanged through points outside their respective country, usually through satellite or submarine fiber across multiple international hubs to reach their destination. This can result in poor end-user experiences and discourages hosting content locally, which are some of the key factors towards the development of the local Internet ecosystem. Peering at IXPs helps keep domestic Internet traffic local by offloading traffic from relatively expensive international links onto more affordable local links. As a result, ISPs are able to offer improved Internet experiences for end-users and spur interest in hosting content locally. The Internet Society and Facebook will collaborate in promoting IXP infrastructure development, training and community engagement with the objective of increasing the number of IXPs and supporting the expansion of existing IXPs to meet the growing demand in Africa. Studies have shown that Internet users throughout Africa benefit from Peering as it enables faster, more affordable and reliable access to content.

Read more of this story at Slashdot.

Facebook’s Plan To Let Companies It Buys Live Independently is Over

Jon Russell, writing for TechCrunch: Mark Zuckerberg was quick to realize that Facebook, the largest social network in the world, doesn't have a monopoly on all users nor can it bank on holding its position as top dog forever. Thus he instituted a policy of buying up promising rivals and integrating them into the Facebook 'group' in a strategy designed to be a win-win for all. But by leaving Facebook in abrupt fashion this week, Kevin Systrom and Mike Krieger -- the founders of Instagram -- have shown that the social network's vision of letting acquired businesses operate independently simply isn't feasible. [...] The original idea is a best-of-both-worlds approach: a company's finances are infinitely secured and it can grow as needed inside the Facebook 'family,' with access to resources like engineering, marketing, admin, etc. That was also the plan for WhatsApp, but founding pair Jan Koum and Brian Acton managed four and three and a half years, respectively, at Facebook following their $19 billion acquisition in 2014. VR firm Oculus, another billion-dollar purchase, lost co-founders Palmer Luckey (political scandal) and Brendan Iribe (reshuffled) three years after its deal.

Read more of this story at Slashdot.

Facebook Is Not Protecting Content Moderators From Mental Trauma, Lawsuit Claims

A former Facebook contract employee has filed a lawsuit, alleging that content moderators who face mental trauma after reviewing distressing images on the platform are not being properly protected by the social networking company. Reuters reports: Facebook moderators under contract are "bombarded" with "thousands of videos, images and livestreamed broadcasts of child sexual abuse, rape, torture, bestiality, beheadings, suicide and murder," the lawsuit said. "Facebook is ignoring its duty to provide a safe workplace and instead creating a revolving door of contractors who are irreparably traumatized by what they witnessed on the job," Korey Nelson, a lawyer for former Facebook contract employee Selena Scola, said in a statement on Monday. Facebook in the past has said all of its content reviewers have access to mental health resources, including trained professionals onsite for both individual and group counseling, and they receive full health care benefits. More than 7,500 content reviewers work for Facebook, including full-time employees and contractors. Facebook's director of corporate communications, Bertie Thomson, said in response to the allegations: "We take the support of our content moderators incredibly seriously, [...] ensuring that every person reviewing Facebook content is offered psychological support and wellness resources."

Read more of this story at Slashdot.

Facebook’s “Portal video” chat device could launch next week

Portal: Facebook’s own Alexa-powered video chat device to launch next week

Facebook is all set to unveil its first video device, called “Portal”, as soon as next week, according to a report by financial website Cheddar. Facebook plans to compete in the smart speaker space by taking on the likes of Amazon, Google, and Apple.

Portal, the smart speaker, will reportedly come in two sizes and will be powered by the Amazon Alexa voice assistant. It will have features similar to Echo Show, Amazon’s video-enabled smart speaker, and sport a display and a camera for video chatting and facial recognition. It will allow users to see cooking recipes, play music, watch videos, and get the news.

Portal will also feature a wide-angle video camera that will take advantage of Artificial Intelligence (AI) to “recognize people in the frame and follow them as they move throughout a room”. It will also come with a privacy shutter that covers the camera when it’s not in use, for those with privacy concerns.

Apparently, Facebook had plans to launch Portal at its F8 developer conference in May “but the company’s scandals, including the Cambridge Analytica data breach and the bombshell revelation that Russia used the platform to interfere with the 2016 elections, led executives to shelve the announcement at the last minute,” reads the report.

Facebook Portal with the larger screen is expected to cost around $400, while the smaller screen variant will cost $300.

The post Facebook’s “Portal video” chat device could launch next week appeared first on TechWorm.

5 Reasons Why Strong Digital Parenting Matters More than Ever

As a parent raising kids in a digital culture, it’s easy to feel at times as if you have a tiger by the tail and that technology is leading your family rather than the other way around.

But that familiar feeling — the feeling of being overwhelmed, outsmarted, and always a step or two behind the tech curve — is just a feeling, it’s not a fact.

Digital Parenting Matters

The fact is, you are the parent. That is a position of authority, honor, and privilege in your child’s life. No other person (device, app, or friend group) can take your place. No other voice is more influential or audible in your child’s mind and heart than yours.

It’s true that technology has added several critical skills to our parenting job description. It’s true that screens have become an integral part of daily life and that digital conversation can now shape our child’s self-image and perspective of his or her place in the world. All of this digital dominance has made issues such as mental health, anxiety, and cyberbullying significant concerns for parents.

What’s also true is that we still have a lot of control over our kids’ screen time and the role technology plays in our families. Whether we choose to exercise that influence is up to us, but the choice remains ours.

Here are just a few reasons why strong digital parenting matters more than ever. And, some practical tools to help you take back any of the influence you feel you may have lost in your child’s life.

5 Digital Skills to Teach to Your Kids

Resilience

According to the American Psychological Association, resilience is the ability to adapt well to adversity, trauma, tragedy, threats or even significant sources of stress. Resilience isn’t something you are born with. Kids become resilient over time and more so with an intentional parent. Being subject to the digital spotlight each day is a road no child should have to walk alone. September is National Suicide Prevention Month and an excellent opportunity to talk to your kids about resilience building. Digital Parenting Skills: Helping kids understand concepts like conflict management, self-awareness, self-management, and responsible decision-making is one of the most critical areas of parenting today. Start the conversations, highlight examples of resilience in everyday life, model resilience, and keep this critical conversation going.

Empathy

Empathy is the ability to understand and share the feelings of another person. Unfortunately, in the online space, empathy isn’t always abundant, so it’s up to parents to introduce, model, and teach this character trait. Digital Parenting Skills: According to Dr. Michele Borba, author of #UnSelfie: Why Empathetic Kids Succeed in Our All-About-Me World, there are 9 empathy-building habits parents can nurture in their kids, including Emotional Literacy, Moral Identity, Perspective Taking, Moral Imagination, Self Regulation, Practicing Kindness, Collaboration, Moral Courage, and Altruistic Leadership Abilities.

Life Balance

Screentime is on the rise, and there’s no indication that trend is going to change. If we want kids that know the value of building an emotionally and physically healthy life, then teaching (and modeling) balance is imperative today. Digital Parenting Skills: Model screentime balance in your life. Be proactive in planning device-free activities for the whole family, and use software that will help you establish time limits on all devices. You might be surprised how just a few small shifts in your family’s tech balance can influence the entire vibe of your home.

Reputation Management

Most kids work reasonably hard to curate and present a specific image on their social profiles to impress their peers. Few recognize that within just a few years, colleges and employers will also be paying attention to those profiles. One study shows that 70% of employers use search engines and social media to screen candidates. Your child’s digital footprint includes everything he or she says or does online, from posts to casual “likes,” silly photos, and comments. Digital Parenting Skills: Know where your kids go online. Monitor their online conversations (without commenting publicly). Don’t apologize for demanding they take down inappropriate or insensitive photos, comments, or retweets. The most important part of monitoring is explaining why the post has to come down. Simply saying “because I said so,” or “that’s crude,” isn’t enough. Take the time to discuss the reasons behind the rules.

Security and Safety

It’s human nature: Most of us aren’t proactive. We don’t get security systems for our homes or cars until a break-in happens to us or a close friend. Often, we don’t act until it gets personal. The same is true for taking specific steps to guard our digital lives. Digital Parenting Skills: Talk to your kids about online risks including scams, viruses and malware, identity fraud, predators, and catfishing. Go one step further and teach them about specific tools that will help keep them safe online. The fundamentals of digital safety are similar to teaching kids habits such as locking the doors, wearing a seatbelt or avoiding dangerous neighborhoods.

Your kids may be getting older and may even shrug off your advice and guidance more than they used to but don’t be fooled, parents. Kids need aware, digitally savvy parents more than ever to navigate and stay safe — both emotionally and physically — in the online arena. Press into those hard conversations and be consistent in your digital parenting to protect the things that truly matter.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post 5 Reasons Why Strong Digital Parenting Matters More than Ever appeared first on McAfee Blogs.

Facebook Dating feature starts rolling out in Colombia

Facebook officially launches its dating service in Colombia

Facebook has started rolling out a countrywide test of its new online ‘Dating’ feature in Colombia that aims to take on major dating apps, such as Tinder, Bumble and Match.

For those unaware, Facebook had originally announced the feature at the F8 developer conference in May this year. The Facebook Dating feature will allow people to create a dating profile that is separate from their Facebook profile, and potential matches will be recommended based on dating preferences, things in common, and mutual friends. The dating feature has been built with privacy and security in mind.

Also, back then Facebook’s CEO Mark Zuckerberg had mentioned at the F8 developer conference that the new feature is “not just for hookups” but to build “meaningful, long-term relationships.”

“We wanted to make it apparent these are people you’re considering. It’s not just a profile,” Nathan Sharp, product manager for Facebook dating, said in an interview last week. “This should be about relationships, not one-night stands.”

How Does Facebook Dating Work?

Based on an algorithm-powered home screen, the all-new Facebook Dating feature of the app helps users select romantic matches from Facebook’s wide pool of single users.

Since the Facebook Dating feature is optional and is offered through the app, users will have to opt in to use the service. Users will then have to fill out basic information about themselves, such as age, gender, occupation, education, religion, etc. Facebook also offers non-binary genders and sexual orientations.

Users are allowed to upload up to 12 photos on their profile and can respond to as many as 20 questions, such as “What does your perfect day look like?” or “What song always makes you sing along? How loud?”. These not only help a user’s match get to know him/her better but also make it easier for them to strike up a conversation with the user.

Also, unlike competitors Tinder or Bumble, there is no swiping left or right to like or reject potential matches. Instead, the user will need to scroll down through a person’s profile and tap if he/she is interested.

Those opting for the service will have to verify their location and will be able to find matches within 100 kilometers. It will suggest matches to users that they aren’t already friends with.

Additionally, the users will have the option to discover others with similar interests through their Groups or Events so that users can find even more prospective matches. However, what people do within the Facebook Dating feature will not be shown to their friends.

The Facebook Dating feature is limited to text and emoji only, which means photos, links, or other media cannot be exchanged, as Facebook is aiming to foster meaningful relationships through the app.

Facebook Dating feature now rolling out in Colombia

The Facebook Dating feature is free and currently active in Colombia. Users aged 18 and above can use the online dating service by signing up for it. However, Facebook will let users start matching their profiles with each other only when it thinks it has collected enough profiles, which could be days or weeks, the company added. For now, Facebook Dating is mobile-only and is a part of the main app.

If Facebook’s Dating feature is able to make an impact on its users, then it could pose a great threat to major dating apps, such as Tinder, Bumble and Match.

What do you think of Facebook’s Dating feature? Would you give Tinder, Match, Bumble, or Hinge a miss to use this feature? Do let us know in the comments section below.

The post Facebook Dating feature starts rolling out in Colombia appeared first on TechWorm.

Facebook Will Open a ‘War Room’ Next Week To Monitor Election Interference

An anonymous reader quotes a report from The Verge: Sheera Frankel and Mike Isaac [write from The New York Times]: "Sandwiched between Building 20 and Building 21 in the heart of Facebook's campus, an approximately 25-foot by 35-foot conference room is under construction. Thick cords of blue wiring hang from the ceiling, ready to be attached to window-size computer monitors on 16 desks. On one wall, a half dozen televisions will be tuned to CNN, MSNBC, Fox News and other major cable networks. A small paper sign with orange lettering taped to the glass door describes what's being built: "War Room." Set to open next week, the conference room is in keeping with Facebook's nick-of-time approach to midterm election preparedness. (It introduced a "pilot program" for candidate account security on Monday.) It's a big project. Samidh Chakrabarti, who oversees elections and civic engagement, told the Times: "We see this as probably the biggest companywide reorientation since our shift from desktops to mobile phones." Of course, the effort extends beyond the new conference room. Chakrabarti showed the Times a new internal tool "that helps track information flowing across the social network in real time," helping to identify misinformation as it goes viral or a surge in the creation of new (and likely fake) accounts.

Read more of this story at Slashdot.

California man may get 6 months in prison for uploading Deadpool on Facebook

By Carolina

It is quite unlikely that somebody would be naïve enough to upload a copy of a newly released movie on his Facebook page with his real name since this would lead the law enforcement straight to the person, that too, in no time. However, it seems that there is one such person and his name […]

This is a post from HackRead.com Read the original post: California man may get 6 months in prison for uploading Deadpool on Facebook

Facebook Wanted Banks To Fork Over Customer Data Passing Through Messenger

An anonymous reader quotes a report from The Verge: For years, Facebook has publicly positioned its Messenger application as a way to connect with friends and as a way to help customers interact directly with businesses. But a new report from The Wall Street Journal today indicates that Facebook also saw its Messenger platform as a siphon for the sensitive financial data of its users, information it would not otherwise have access to unless a customer interacted with, say, a banking institution over chat. In this case, the WSJ report says not only did the banks find Facebook's methods obtrusive, but the companies also pushed back against the social network and, in some cases, moved conversations off Messenger to avoid handing Facebook any sensitive data. Among the financial firms Facebook is said to have argued with about customer data are American Express, Bank of America, and Wells Fargo. The report says Facebook was interested in helping banks create bots for its Messenger platform, as part of a big push in 2016 to turn the chat app into an automated hub of digital life that could help you solve problems and avoid cumbersome customer service calls. But some of these bots, like the one American Express developed for Messenger last year, deliberately avoided sending transaction information over the platform after Facebook made clear it wanted to use customer spending habits as part of its ad targeting business. In some cases, companies like PayPal and Western Union negotiated special contracts that would let them offer many detailed and useful services like money transfers, the WSJ reports. But by and large, big banks in the U.S. have reportedly shied away from working with Facebook due to how aggressively it pushed for access to customer data. Facebook said in a statement to The Wall Street Journal: "Like many online companies, we partner with financial institutions to improve people's commerce experiences, like enabling better customer service, and people opt into these experiences. We've emphasized to partners that keeping people's information safe and secure is critical to these efforts. That has been and always will be our priority."

Read more of this story at Slashdot.

Facebook Bug Bounty Program Expands To Include Third-Party Apps

In the post-Cambridge Analytica phase, Facebook appears to have worked extensively towards user data privacy. Although, even after the Cambridge Analytica

Facebook Bug Bounty Program Expands To Include Third-Party Apps on Latest Hacking News.

Facebook offers bounties for user token bugs in third-party apps, websites

Facebook is expanding its bug bounty program to include vulnerabilities in third-party apps and websites that involve improper exposure of Facebook user access tokens. What’s in scope? “Access tokens allow people to log into another app using Facebook and are uniquely generated for the specific person and app,” security engineer Dan Gurfinkel noted. “If exposed, a token can potentially be misused, based on the permissions set by the user. We want researchers to have a … More

The post Facebook offers bounties for user token bugs in third-party apps, websites appeared first on Help Net Security.

Facebook Increases Security For Political Campaign Staff

Facebook is introducing new security tools for political campaign staff, concerned about dirty tricks in the run-up to the mid-term elections. On his personal Facebook page, CEO Mark Zuckerberg admitted

The post Facebook Increases Security For Political Campaign Staff appeared first on The Cyber Security Place.

Safari & Firefox browser to block user data tracking with new security add-ons

By Waqas

Apple has been trying hard to improve the security mechanisms of its hardware and software products.  The addition of new privacy features in Safari browser is yet another attempt to toughen security measures for preventing breaches and tracking by websites like Facebook. It is a well-known fact that companies use cookies to keep track of […]

This is a post from HackRead.com Read the original post: Safari & Firefox browser to block user data tracking with new security add-ons

Could the Photos You’re Sharing Online Be Putting Your Child at Risk?

Confession time. I’m a mom that is part of the problem. The problem of posting photos of my kids online without asking for their permission and knowing deep down that I’m so excited about sharing, I’m not paying much attention at all to the risks.

Why do I do it? Because I’m madly in love with my two wee ones (who aren’t so wee anymore). Because I’m a proud parent who wants to celebrate their milestones in a way that feels meaningful in our digital world. And, if I’m honest, I think posting pictures of my kids publicly helps fill up their love tank and remind them they are cherished and that they matter . . . even if the way I’m communicating happens to be very public.

Am I that different than most parents? According to a recent McAfee survey, I’m in the majority.

Theoretically, I represent one of the 1,000 interviewed for McAfee’s recent Age of Consent survey* that rendered some interesting results.

Can you relate?

  • 30% of parents post a photo of their child to social media daily.
  • 58% of parents do not ask for permission from their children before posting images of them on social media.
  • 22% think that their child is too young to provide permission; 19% claim that it’s their own choice, not their child’s choice.

The surprising part:

  • 71% of parents who share images of their kids online agree that the images could end up in the wrong hands.
  • Parents’ biggest concerns with sharing photos online include pedophilia (49%), stalking (48%), and kidnapping (45%).
  • Other risks parents cited include other children seeing the image and engaging in cyberbullying (31%), their child feeling embarrassed (30%), and their child feeling worried or anxious (23%).

If this mere sampling of 1,000 parents (myself included) represents the sharing attitudes of even a fraction of the people who use Facebook (estimated to be one billion globally), then rethinking the way in which we share photos isn’t a bad idea.

We know that asking parents, grandparents, friends, and kids themselves to stop uploading photos altogether would be about as practical as asking the entire state of Texas to line up and do the hokey pokey. It’s not going to happen, nor does it have to.

But we can dilute the risks of photo sharing. Together, we can agree to post smarter, to pause a little longer. We can look out for one another’s privacy, and share in ways that keep us all safe.

Ways to help minimize photo sharing risks:

  • Pause before uploading. That photo of your child is awesome, but have you stopped to analyze it? Ask yourself: Is there anything in this photo that could be used as an identifier? Have I inadvertently given away personal information such as a birthdate, a visible home address, a school uniform, financial details, or potential passwords? Is the photo I’m about to upload something I’d be okay with a stranger seeing?
  • Review your privacy settings. It’s easy to forget that when we upload a photo, we lose complete control over who will see, modify, and share that photo again (anywhere they choose and in any way they choose). You can minimize the scope of your audience to only trusted friends and family by customizing your privacy settings within each social network. Platforms like Facebook and Instagram have privacy settings that allow you to share posts (and account access) with select people. Use the controls available to boost your family privacy.
  • Voice your sharing preferences with others. While it may be awkward, it’s okay (even admirable) to ask friends and family to rein in or refrain from posting photos of your children online. This rule also applies to other people’s public comments about your vacation plans, new house, children’s names or birthdates, or any other content that gives away too much data. Don’t hesitate to promptly delete those comments by others and explain yourself in a private message if necessary.
  • Turn off geotagging on photos. Did you know that the photo you upload has metadata assigned to it that can tell others your exact location? That’s right. Many social networks will tag a user’s location when that user uploads a photo. To make sure this doesn’t happen, simply turn off geotagging abilities on your phone. This precaution is particularly important when posting photos away from home.
  • Be mindful of identity theft. Identity theft is no joke. Photos can reveal a lot about your lifestyle, your habits, and they can unintentionally give away your data. Consider using an identity theft protection solution like McAfee Identity Theft Protection that can help protect your identity and safeguard your personal information.
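Turning off geotagging on the phone only covers photos taken from now on. For pictures already on disk, one way to check for and remove location metadata before sharing, added here as an example and not part of the original McAfee post: a pure-Python scan of a JPEG’s Exif block for the GPS IFD pointer (tag 0x8825), plus a stripper that drops the Exif segment entirely. The JPEG skeleton and Exif layout below are constructed inline as sample input; the marker and tag constants come from the JPEG and Exif specifications.

```python
import struct

# JPEG marker codes used below (the byte that follows 0xFF).
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_ORIENTATION = 0x0112
TAG_GPS_IFD = 0x8825  # IFD0 entry that points at the GPS IFD (Exif spec)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed sample: a JPEG skeleton (SOI, Exif APP1, SOS, fake scan
    bytes, EOI). It is not a decodable picture; only the metadata layout is
    real. With with_gps=True, IFD0 carries a GPSInfo pointer to a GPS IFD."""
    entries = [struct.pack(">HHIHxx", TAG_ORIENTATION, 3, 1, 1)]  # SHORT, value 1
    gps_ifd = b""
    if with_gps:
        # IFD0 = count(2) + 2 entries(24) + next-IFD(4), starting at TIFF
        # offset 8, so the GPS IFD begins at offset 38.
        gps_offset = 8 + 2 + 2 * 12 + 4
        entries.append(struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_offset))
        # GPS IFD with a single entry: GPSLatitudeRef (0x0001), ASCII "N\0".
        gps_ifd = (struct.pack(">H", 1)
                   + struct.pack(">HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")
                   + struct.pack(">I", 0))
    ifd0 = struct.pack(">H", len(entries)) + b"".join(entries) + struct.pack(">I", 0)
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0 + gps_ifd  # big-endian TIFF
    payload = EXIF_HEADER + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    # Minimal one-component SOS header, then fake entropy-coded bytes and EOI.
    sos = bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return bytes([0xFF, SOI]) + app1 + sos + b"\x12\x34\x56" + bytes([0xFF, EOI])


def iter_segments(data: bytes):
    """Yield (marker, start, end) for every length-prefixed segment between
    SOI and SOS. Everything from SOS onward is image data and is not parsed."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end


def read_ifd(tiff: bytes, offset: int, order: str):
    """Parse one TIFF IFD, yielding (tag, type, count, value_or_offset)."""
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    for i in range(count):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        if len(entry) != 12:
            raise ValueError("truncated IFD entry")
        yield struct.unpack(order + "HHII", entry)


def find_gps_tags(data: bytes) -> list:
    """Return the tag IDs present in the Exif GPS IFD, or [] when the file
    carries no GPS block. Walks IFD0 for the GPSInfo pointer (0x8825)."""
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        order = {b"MM": ">", b"II": "<"}.get(tiff[:2])
        if order is None:
            raise ValueError("bad TIFF byte-order mark")
        magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF magic")
        for tag, _typ, _count, value in read_ifd(tiff, ifd0, order):
            if tag == TAG_GPS_IFD:
                return [t for t, _, _, _ in read_ifd(tiff, value, order)]
    return []


def strip_exif(data: bytes) -> bytes:
    """Return a copy with every Exif APP1 segment removed; all other segments
    and the image data after SOS are kept byte for byte."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += data[start:end]
        pos = end
    out += data[pos:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg(with_gps=True)
    print("GPS tags in sample:", [hex(t) for t in find_gps_tags(sample)])
    print("GPS tags after stripping:", find_gps_tags(strip_exif(sample)))
```

Dropping the whole Exif segment also removes harmless tags such as orientation, so run the stripper on a copy of the photo.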

* McAfee commissioned OnePoll to conduct a survey of 1,000 parents of children ages one month to 16 years old in the U.S.

The post Could the Photos You’re Sharing Online Be Putting Your Child at Risk? appeared first on McAfee Blogs.

Before Senate Facebook, Twitter Defend Efforts to Stop Fake News

Facebook and Twitter executives defended recent efforts to stop the use of their platforms by Russia, Iran and other countries to influence U.S. elections. In testimony before the U.S. Senate, Facebook COO Sheryl Sandberg and Twitter Chief Executive Jack Dorsey on Wednesday defended their employers’ recent efforts to thwart influence...


Family Tech: How Safe is Your Child’s Personal Data at School?

Right about now, most kids are thinking about their chemistry homework, the next pep rally, or chiming in on their group text. The last thing on their minds as they head back to school is cybersecurity. But, it’s the one thing — if ignored — that can wreck the excitement of a brand new school year.

You’ve done a great job, parent. You’ve equipped their phones, tablets, and laptops with security software. And, you’ve beefed up safeguards on devices throughout your home. These efforts go a long way in protecting your child’s (and family’s) privacy from prying eyes. Unfortunately, when your child walks out your front door and into his or her school, new risks await.

No one knows this season better than a cybercriminal. Crooks know there are loopholes in just about every school’s network and that kids can be easy targets online. These security gaps can open kids up to phishing scams, privacy breaches, malware attacks, and device theft.

The school security conversation

Be that parent. Inquire about your school’s security protocols. The K-12 Cybersecurity Resource Center reports that 358 school breaches have taken place since January of 2016. Other reports point to an increase in hackers targeting school staff with phishing emails and seeking student social security numbers to sell on the dark web.

A few questions to consider:

  • Who has physical and remote access to your student’s digital records and what are the school’s protection practices and procedures?
  • How are staff members trained and are strong password protocols in place?
  • What security exists on school-issued devices? What apps/software are being used, and how will those apps collect and use student data?
  • What are the school’s data collection practices? Do data collection practices include encryption, secure data retention, and lawful data sharing policies?
  • What is the Bring Your Own Device (BYOD) policy?

The data debate

As K-12 administrators strive to maintain secure data collection practices for students, those same principles may be dubious as kids move on to college. As reported by Digiday, one retailer may be quietly disassembling privacy best practices with a bold “pay with data” business model. The Japanese coffee chain Shiru Café offers students and faculty members of Brown University free coffee in exchange for entering personal data into an online registry. Surprisingly, the café attracts some 800 customers a day and is planning on expanding its business model to more college campuses.

The family conversation

Keep devices close. Kids break, lose, lend, and leave their tech unattended and open to theft. Discuss responsible tech ownership with your kids. Stolen devices are privacy gold mines.

Never share passwords. Kids express their loyalty to one another in different ways. One way that’s proving popular but especially unsafe nowadays is password sharing. Remind kids: It’s never okay to share passwords to devices, social networks, or school platforms. Never. Password sharing opens up your child to a number of digital risks.

Safe clicking, browsing practices. Remind kids when browsing online to watch out for phishing emails, fake news stories, streaming media sites, and pop-ups offering free downloads. A bad link can infect a computer with a virus, malware, spyware, or ransomware. Safe browsing also includes checking for “https” in the URL of websites. If the website only loads with an “http,” the website may not be enforcing encryption.

Be more of a mystery. Here is a concept your kids may or may not latch on to: challenge them to keep more of their everyday life a mystery by posting less. This includes turning off location services and trying to keep your whereabouts private when sharing online. This challenge may be fun for your child or downright impossible, but every step toward boosting privacy is progress!

Discuss the risk of public Wi-Fi. Kids are quick to jump on Wi-Fi wherever they go so they can use apps without depleting the family data plan. That habit poses a big problem. Public Wi-Fi is a magnet for hackers trying to get into your device and steal personal information. Make sure every network your child logs on to requires a password to connect. Go a step further and consider using a Virtual Private Network (VPN) for added security for your whole family.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online, and follow @McAfee_Family on Twitter. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Family Tech: How Safe is Your Child’s Personal Data at School? appeared first on McAfee Blogs.

Plaintiffs File Class Action Lawsuit Against Nielsen Over Alleged False and Misleading Statements

On August 28, 2018, plaintiffs filed a class action lawsuit against Nielsen Holdings PLC (“Nielsen”) and some of its officers and directors for making allegedly materially false and misleading statements to investors about the impact of privacy regulations and third-party business partners’ privacy policies on the company’s revenues and earnings. The case was filed in the United States District Court for the Southern District of New York. 

The complaint alleges that Nielsen made false and/or misleading statements and/or failed to disclose that: (1) Nielsen recklessly disregarded its readiness for and the true risks of privacy-related regulations and policies, including the EU General Data Protection Regulation (“GDPR”), on its current and future financial and growth prospects; (2) Nielsen’s financial performance was far more dependent on Facebook and other third-party large data set providers than previously disclosed, and privacy policy changes affected the scope and terms of access Nielsen would have had to third-party data; and (3) access to Facebook and other third-party provider data was becoming increasingly restricted for Nielsen and Nielsen clients. Plaintiffs allege that, as a result, Nielsen’s public statements were materially false and misleading at all relevant times.

The complaint maintains that, because of Nielsen’s “material misrepresentations and omissions, Nielsen stock traded at artificially inflated prices.” The complaint further alleges that when Nielsen published its financial results for the second quarter of 2018 announcing that it missed revenue and earnings targets, its stock plummeted, which caused substantial harm to the plaintiffs who were investors in Nielsen stock. In that announcement, Nielsen cited the impact of the GDPR on the company’s results and announced that its CEO and Executive Chairman, Mitch Barns, would retire from the company at the end of 2018.

Read the complaint.

A week in security (August 20 – August 26)

Last week on Labs, we took a look at insider threats, doubled back on the privacy of search browser extensions, profiled green card scams, revisited Defcon badgelife, and talked about what happens to a user’s accounts when they die.

Other cybersecurity news

  • There was an archiving error in Twitch HQ. Unfortunately, that left some private user messages (even those with sensitive info in them) exposed to the public for a time. (Source: Sophos’ Naked Security Blog)
  • Researchers from Catholic University found that apps offering ad blocking and privacy can be bypassed. (Source: Sophos’ Naked Security Blog)
  • Researchers associated with Project Insecurity found a flaw in disability services in Canadian telcos. (Source: Kaspersky’s Threatpost)
  • Facebook continued to clean house, removing more pages of campaigns that originated from Iran and Russia to curb “coordinated inauthentic behavior.” (Source: Facebook Newsroom)
  • A computer science professor at Vanderbilt University published a 55-page study on how Google continues to collect data on users, even when the device is idle. (Source: The Washington Post)
  • Philips revealed that their cardiovascular imaging devices have a flaw that could provide a low-level hacker “improper privilege management.” (Source: ZDNet)
  • Videomaker service provider Animoto was breached. (Source: TechCrunch)
  • Ryuk, a new ransomware, trained its crosshairs on large organizations capable of paying high-value ransoms in Bitcoin. (Source: ZDNet)
  • North Korea’s Lazarus Group pushed out its first Mac malware and successfully infiltrated the IT systems of a cryptocurrency exchange platform based in Asia. (Source: Bleeping Computer)
  • Superdrug, the popular health and beauty retailer based in the UK, was breached. (Source: InfoSecurity Magazine)
  • Cobalt Dickens, a campaign that originated in Iran, targeted universities in 14 countries to steal credentials. (Source: SecureWorks)
  • Hackers make millions by selling unpublished press releases. (Source: The Verge)

Stay safe, everyone!

The post A week in security (August 20 – August 26) appeared first on Malwarebytes Labs.

Facebook pulls its VPN from the iOS App Store after data-harvesting accusations

Facebook has withdrawn its Onavo Protect VPN app from the iOS App Store after Apple determined that it was breaking data-collection policies.

The app, which was free to download, promoted itself as helping users keep themselves and their data safe when they go online, “blocking potentially harmful websites and securing your personal information.”

What users of Onavo may not have realised was that the app was also being used by Facebook to collect information about other apps installed on a user’s iPhone.

Under Apple developer guidelines, such information is not allowed to be collected by apps for analysis or marketing. However, data collected by Onavo is used to provide valuable market intelligence about market share and usage of apps.

In the words of the app’s own store description:

“Onavo may collect your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps, and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.”

According to a report in the Wall Street Journal, Apple and Facebook met last week to discuss concerns about the behaviour of the app, where the iPhone maker suggested that it be withdrawn from the App Store. Facebook, seemingly recognising that it would look better to choose to withdraw the app than be kicked out of the store, agreed.

A Facebook spokesperson claimed that the company has been upfront about how Onavo works:

“We’ve always been clear when people download Onavo about the information that is collected and how it is used. As a developer on Apple’s platform we follow the rules they’ve put in place.”

In the past, Facebook chief Mark Zuckerberg and Apple boss Tim Cook have publicly disagreed over their respective companies’ different approaches to user privacy.

Although the Onavo Protect app has now been withdrawn from the App Store, it’s possible that plenty of users are still relying on the service. In light of the accusations of data-harvesting, users would be wise to uninstall it from their devices.

Even if you aren’t concerned about the data collection, the app will no longer be receiving updates including, if they were made available, security updates. So the only sensible step is to remove the app and find an alternative VPN service which respects your privacy.

One other thing. Facebook has only pulled its controversial Onavo Protect VPN app from Apple’s app store. It is still available from the Google Play Android marketplace, where it has been downloaded over 10 million times.

Unlike Apple, Google may not be kicking up a stink about Facebook’s Onavo app but that’s not a reason for Android users to be any less concerned. Think carefully about what apps you install on your smartphone, and always consider how app developers might be planning to monetise your private data.

Hundreds of Instagram users report similarly hacked accounts

A number of people have reported having their Instagram accounts hacked this month, Mashable reports, and many of these hacks appear to have taken the same approach. Users suddenly find themselves logged out of their accounts and when they try to log back in, they discover that their handle, profile image, contact info and bios have all been changed. Often the profile image has been changed to a Disney or Pixar character and the email address connected to the account is changed to one with a .ru Russian domain, according to Mashable. Some even had their two-factor authentication turned off by hackers.

Via: CNET

Source: Mashable

Tech Talk: Ways to Help Your Child Conquer Back-To-School Fears

The first-day-of-school jitters nearly did me in as a kid. Our military family moved ten times, so I got used to the stomach aches and stares that came with every new school.

I can’t imagine making those big moves as a kid in today’s digital culture. The cliques are far more visible. The fails are far more public and weaknesses, far more exploited.

This digital layer of scrutiny and exposure sends my admiration and respect for kids today to heroic levels.

Tech and Anxiety

Reports of tech-related anxiety* and depression in kids are on the rise, which can put a whole layer of angst on first-day jitters. And while there is no one-size-fits-all solution to ease that stress, helping your child manage his or her technology can help diminish it.

Tips to Help Ease Stress

1. Unplug more. Discuss the power and emotional pull of the smartphone and how it can escalate the stress of starting school. Remind kids that the edited, seemingly perfect version of life people post on social media doesn’t represent reality and that constant comparison can be harmful.

While we recommend families establish a phone curfew every night for health reasons, it’s especially crucial in the weeks leading up to the first day of school. Other simple ways to ease stress this school year: Turn off all push notifications during school hours and use parental control apps to help with time limits and safety.

2. Make time to talk. Ask your child what concerns him or her most about starting school. Then, just listen. Acknowledge your child’s fears and try to relate or find common ground. Let your child know that worry is normal, it can help protect us, and everyone experiences it from time to time. Some of the stresses they might share: Finding friends and fitting in, who they will sit with at lunchtime, having the right clothes or fashion sense, being able to find their classes, opening the combinations on their lockers, sports or music auditions, body image and appearance, school work challenges, and more.

3. Visualize the first day. Help your child map out his or her classes. Based on your child’s feedback, talk through possible awkward or stressful situations that might come up to help build his or her confidence and reduce worry. Often just getting a fear from your brain to your lips can strip power from fear. Brainstorm one-liners your kids might use to introduce themselves to new people or positive responses that might deflect a negative comment.

4. Practice the present. Anxiety* can be triggered when we live more of life in the future — imagining the what-ifs — than living in the right now. Who hasn’t imagined tripping in the lunchroom or falling down the stairs? A few simple tips: Teach kids to practice deep breathing, to challenge their negative thoughts, and to talk/think about life in the present tense.

5. Encourage. Without going over the top (because kids can smell inflated praise), remind your child of his or her strengths. Fear creates a wall that blocks our view of past accomplishments. Provide that recollection for your child. Give truthful reminders of your child’s strengths, talents, and unique qualities.

6. Help kids with balance on and offline. A new school year represents a clean slate. There’s no need to bring bad habits along. So make the changes you’ve always intended to make. Set time limits on technology and stick to them. Help your kids prioritize face-to-face time with peers. Know what’s going on in your child’s online life and make sure his or her digital community isn’t unraveling your parenting goals. Pay close attention to new friends and your child’s demeanor on a daily basis.

* It’s important to note that while the word “anxiety” is commonly used, the American Academy of Pediatrics says that 8% of kids are diagnosed with an anxiety disorder. If your child’s stress level becomes serious, please seek professional help.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Tech Talk: Ways to Help Your Child Conquer Back-To-School Fears appeared first on McAfee Blogs.

Too Much Tech: 4 Steps to Get Your Child to Chill on Excessive Snapchatting

We were in the midst of what I believed to be an important conversation.

“Just a sec mom,” she said promptly after a Snapchat notification popped up on her iPhone.

She stopped me mid-sentence, puckered her lips, rolled her eyes, typed a few lines of copy, and within three seconds, my teenage daughter Snapchatted a few dozen friends.

“Sorry, mom, what were you saying?” she turned back toward me her face void of any trace of remorse.

It was clear: Snapchat had far more influence than I, the parent, and it was time to make some serious changes.

Imbalance of Power

It’s obvious the power apps hold over our lives. In fact, in an attempt to encourage responsible app use, Facebook and Instagram recently announced they would implement tools allowing users to track how much time they spend on the apps. This mom is hoping Snapchat will follow suit.

Since its inception in 2011, Snapchat has become one of the most popular apps with an estimated 187 daily active users. A 2017 study released by Science Daily found that 75% of teens use Snapchat. But it’s not the only app winning our kids’ affections:

  • 76 percent of American teens age 13-17 use Instagram.
  • 75 percent of teens use Snapchat.
  • 66 percent of teens use Facebook.
  • 47 percent of teens use Twitter.
  • Fewer than 30 percent of American teens use Tumblr, Twitch, or LinkedIn.

If you have a teen, you understand the dilemma. We know that social ties are essential to a teen’s psychological well-being. We also know that excessive time online can erode self-esteem and cause depression. We can’t just yank our child’s favorite app, but we also can’t let it run in the background of our lives 24/7, right?

What we can do is take some intentional steps to help kids understand their responsibility to use apps in healthy, resilient ways. In our house, taking that step meant addressing — and taming — the elephant in the room: Snapchat. Here are a few things that worked for us you may find helpful.

4 Steps to Help Curb Excessive Snapchatting

  1. Strive for quality relationships. With so much more information available on the downside of excessive social media use, it’s time to be candid with our kids. Excessive “liking,” carefully-curated photos, and disingenuous interactions online are not meaningful interactions. Stress to kids that nothing compares to genuine, face-to-face relationships with others.
  2. Zero phone zones. This is a rule we established after one too many snaps hijacked our family time. We agreed that when in the company of others — be it at home, in the car, in a restaurant, at church, at a relative’s house — all digital devices get turned facedown or put in a pocket. By doing this, we immediately increased opportunities for personal connection and decreased opportunities for distraction. This simple but proven strategy has cut my daughter’s Snapchat time considerably.
  3. Establish a Snapchat curfew. Given the opportunity, teens will Snapchat until the sun comes up. Don’t believe me? Ask them. If not for the body’s physical need for sleep, they’d happily Snapchat through the night. Consider a curfew for devices. This rule will immediately begin to wean your child’s need to Snapchat around the clock.
  4. Track Snapchat time. Investing in software such as McAfee® Safe Family is an option when trying to strike a healthy tech balance. The software will help with time limits, website filtering, and app blocking. There are also helpful time-tracking apps. For the iPhone, there’s Moment, and for Android, there’s Breakfree. Both apps will track how much time you spend on your phone. Seeing this number — in hours — can be a real eye-opener for both adults and kids.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Too Much Tech: 4 Steps to Get Your Child to Chill on Excessive Snapchatting appeared first on McAfee Blogs.

Family Matters: How to Help Kids Avoid Cyberbullies this Summer

The summer months can be tough on kids. There’s more time during the day and much of that extra time gets spent online scrolling, surfing, liking, and Snapchatting with peers. Unfortunately, with more time comes more opportunity for interactions between peers to become strained, even to the point of bullying.

Can parents stop their kids from being cyberbullied completely? Not likely. However, if our sensors are up, we may be able to help our kids minimize both conflicts online and instances of cyberbullying should they arise.

Be Aware

Summer can be a time when a child’s more prone to feelings of exclusion and depression relative to the amount of time he or she spends online. Watching friends take trips together, go to parties, hang out at the pool, can be a lot on a child’s emotions. As much as you can, try to stay aware of your child’s demeanor and attitude over the summer months. If you need help balancing their online time, you’ve come to the right place.

Steer Clear of Summer Cyberbullies

  1. Avoid risky apps. Apps like ask.fm that allow outsiders to ask a user any question anonymously should be off limits to kids. Kik Messenger and Yik Yak are also risky apps. Users have a degree of anonymity with these kinds of apps because they have usernames instead of real names and they can easily connect with profiles that could be (and often are) fake. Officials have linked all of these apps to multiple cyberbullying and even suicide cases.
  2. Monitor gaming communities. Gaming time can skyrocket during the summer and in a competitive environment, so can cyberbullying. Listen in on the tone of the conversations, the language, and keep tabs on your child’s demeanor. For your child’s physical and emotional health, make every effort to help him or her balance summer gaming time.
  3. Make profiles and photos private. By refusing to use privacy settings (and some kids do resist), a child’s profile is open to anyone and everyone, which increases the chances of being bullied or personal photos being downloaded and manipulated. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying.
  4. Don’t ask peers for a “rank” or a “like.” The online culture for teens is very different than that of adults. Kids will be straightforward in asking people to “like” or “rank” a photo of them and attach the hashtag #TBH (to be honest) in hopes of affirmation. Talk to your kids about the risk in doing this and the negative comments that may follow. Remind them often of how much they mean to you and the people who truly know them and love them.
  5. Balance = health. Summer means getting intentional about balance with devices. Stepping away from devices for a set time can help that goal. Establish ground rules for the summer months, which might include additional monitoring and a device curfew.

Know the signs of cyberbullying. And, if your child is being bullied, remember these things:

1) Never tell a child to ignore the bullying. 2) Never blame a child for being bullied. Even if he or she made poor decisions or aggravated the bullying, no one ever deserves to be bullied. 3) As angry as you may be that someone is bullying your child, do not encourage your child to physically fight back. 4) If you can identify the bully, consider talking with the child’s parents.

Technology has catapulted parents into arenas — like cyberbullying — few of us could have anticipated. So, the challenge remains: Stay informed and keep talking to your kids, parents, because they need you more than ever as their digital landscape evolves.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Family Matters: How to Help Kids Avoid Cyberbullies this Summer appeared first on McAfee Blogs.

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK based 'The Phoenix Partnership' (TTP). The same assurances also apply to internally developed applications; a case in point was a publicly announced flaw in Thomas Cook's booking system discovered by a Norwegian security researcher. The researcher used the app flaw to access the names and flight details of Thomas Cook passengers and released the details on his blog. Thomas Cook said the issue has since been fixed.

Third-party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company; on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that it was in the region of 20,000. Interestingly, Monzo also declared it would end its relationship with Typeform unless it wins their trust back. Travelodge is one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties designed to bring tech giants to book; let's be honest, £500k is petty cash for the social media giant.
Facebook-Cambridge Analytica data scandal
Facebook reveals its data-sharing VIPs
Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluding the government had "only limited assurance" Huawei kit posed no threat to UK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money; not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns about BT's and other UK companies' reliance on the Chinese manufacturer's devices; by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russian bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromised a router, which gave them access to the bank's internal network; from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.



What Parents Need to Know About the Popular App Mappen

Kids love their apps but in their excitement to download the new ones, app safety often falls straight off their radar. One of those new, fun, not-so-safe apps is Mappen.

Kids, pre-teens specifically, are jumping on Mappen to connect with friends nearby and, as the app’s tagline encourages, “Make Things Happen.” The location-based app allows friends to see each other’s location, what they are doing, and make it easy to meet up. Sounds like fun except for the fact that the app is brimming with potential security flaws.

How It Works

Anyone who downloads the Mappen app can send a friend request to anyone else and begin sharing his or her location (and data) immediately. While on Mappen, friends can share updates and photos much like any other social network. Personal data that can be shared: names, birthdates, location, likes, dislikes, photos, and friend lists.

Once a user installs the app, he or she is asked to turn on location services, which must remain on to share location, see others, and post content updates. The app also asks to access a user’s full contact list before it can be used.

The Risks

While many location-based apps exist now, Mappen specifically targets tweens. Mappen’s privacy policy states clearly that it collects and shares data, which presents a privacy risk to minors who use the app.

Likewise, the location requirement to use the app poses a safety risk. This feature means anyone on your child’s friend list can see your child’s location at any time. As your child’s Mappen circle grows, so too might the chance of your child sharing his or her location and personal information with an unsafe “friend.”

Tips to Help Boost App Safety

Stay connected with your kids. The greatest risk to your child’s online safety is a strained relationship. Every family dynamic and circumstance varies, but consider doing all you can to make your relationship with your child a priority. When communication and trust are strong with your child, you will better know what’s going on in his or her life, who their friends are, and if there’s a situation in which they might need help.

Monitor apps! The best way to know which apps your kids use and how they use them is to routinely monitor their phones. How do you do this? You do this physically and with technology. About once a week, look at your child’s phone and laptop or tablet (preferably with your son or daughter next to you), look at the display screen, examine the app icons, and ask questions. If you don’t recognize an app, click it open, or ask questions. Also, if there’s an app icon you click that asks for a password, it may be a vault app that requires a few more clicks or a conversation. Another way to monitor apps is using technology such as filtering software that will help you filter and track the content that comes into your home via your child’s devices.

Do your research, stay aware. Stay on top of trends in apps by reading this and other technology or family blogs. New apps come out all the time, and word-of-mouth among teens quickly spreads. One of the best ways to keep your kids safe online is to understand where they connect online and what risks those digital spaces may present. Potential risks to be aware of that some apps may carry include privacy infringements, cyberbullying, pornography, phishing scams, malware, predators, and sex-related crimes.

Turn off location. Mappen, as well as other apps such as Facebook, Kik, and Snapchat, access a user’s location while using the app and even when the app is not in use. To ensure your location isn’t shared randomly, turn off location when apps are not in use. Depending on the age of your child, you may consider not allowing the use of location-based apps at all.

Say NO to random friend requests. It’s easy for criminals to create a fake profile and gain access into your child’s life. An attractive peer from a nearby town who wants to “connect” may be a catfish using another person’s identity or a predator looking to groom a vulnerable tween or teen.

Guard your child’s privacy. When your child shares personal information through an unsafe app, it opens them up, and it opens up your entire family, to risk. Often kids get comfortable online and forget — or don’t fully understand — the problem with sharing personal details. Review the importance of keeping details such as full name, school, birthdates, address, personal photos, and other family information private.

The post What Parents Need to Know About the Popular App Mappen appeared first on McAfee Blogs.

Summer Refresh: Take Time to Relax but Not on Password Security

With summer comes permission to relax a little more, sun a little more, and fun a little more. But, as Newton’s Third Law reminds us, for every action, there is an equal and opposite reaction. Apply that principle to online safety and it might read like this: Each time you relax your family’s digital security a little, there’s a hacker nearby who will step up his or her schemes accordingly.

If your summer routine includes more traveling, online gaming, or time for social connecting, your first line of digital defense is strong, unhackable passwords.

Now is a great time to pump up those passwords to make sure your summer playlist streams seamlessly and summer goes off without a hitch. (Note: If you feel confident in your password strength, type your email address into the site Have I been pwned? to see if your passwords have been compromised.)

5 Tips to Pump Up Your Password Strength

  1. Think strength. It’s never too late to put serious thought into creating strong passwords. Begin today. Visualize your password as a superhero. Because of their strength, superheroes like Hulk, Thor, or Optimus Prime can handily protect the world. Strip them of their strength, and each warrior becomes an average Joe vulnerable to the elements of evil. Strength is inherent to password power. Infuse your password with superhero strength by including numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the more difficult it will be for a crook to crack (it’s okay to add a personal touch to your password). A few examples of a secure password might be: myDogisCr@yCr@y!!, Ilov3Gummi3B3ars!! or $oundOfMu$ic_1965.
  2. Get a password manager. If you are driving yourself crazy trying to wrangle a million passwords, a password manager will do the remembering for you. A powerful password manager will:  Generate random passwords that are difficult to guess, require Multi-Factor Authentication (MFA), auto-save and securely enter your passwords on frequented sites.
  3. Use unique passwords and MFA. If taken seriously, these two extra steps could save you a million headaches. 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if you are hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication). MFA confirms a user’s identity only after presenting two or more pieces of evidence. Though not 100% secure, this practice adds a layer of security to an account.
  4. Pay attention and take action. It might be summer, but if you snooze, you will lose — privacy in this case. Be sure to pay attention to the news and know if a data breach affects your family. According to the Identity Theft Resource Center® (ITRC), the number of U.S. data breach incidents in 2017 hit a new record high, rising a drastic 44.7 percent over 2016. Popular sites such as Facebook, Netflix, and Twitter have experienced breaches that might easily have affected you or a member of your family.
  5. Connect carefully. So you’ve done everything you can to create strong passwords and that’s awesome! What you can’t control is how others protect your account data, which often includes passwords. Make sure that websites, platforms, and companies that have access to your sensitive information take security seriously and have privacy and security plans in place. Google the company before you establish an account to see if it has had a data breach.

What are the potential consequences of a weak password? A determined hacker can track a person’s online activity, identify and hack weak passwords then use those weak passwords to access banking information, credit card numbers, and personal data used to steal a person’s identity. Remember: Just as you go to work each morning to put food on the table for your family, a hacker has similar goals. So, work with equal diligence to protect what’s yours.
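As an added example (not code from the McAfee post), here is how the two checks the tips above describe can be automated: a character-class policy check for tip 1, and a lookup against a Have I Been Pwned style k-anonymity range reply, where only the first five hex characters of the password's SHA-1 hash would ever leave the machine. The 12-character minimum and the range reply body are assumptions of this example; the reply format (one SUFFIX:COUNT line per hash) follows the Pwned Passwords range API, but the block builds a constructed reply inline so it runs offline.

```python
import hashlib
import re

# Policy from tip 1 of the post (numbers, lowercase, uppercase, symbols) plus a
# minimum length; the 12-character minimum is an assumption of this example.
MIN_LENGTH = 12


def password_strength_issues(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    checks = [
        (len(password) >= min_length, f"shorter than {min_length} characters"),
        (re.search(r"[a-z]", password) is not None, "no lowercase letter"),
        (re.search(r"[A-Z]", password) is not None, "no uppercase letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "no symbol"),
    ]
    return [message for ok, message in checks if not ok]


def sha1_hex_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: only the 5-character prefix is sent to the range endpoint;
    the remaining 35 characters are compared locally against the returned suffixes."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse a range reply of 'SUFFIX:COUNT' lines into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, range_body: str) -> int:
    """How often the password appeared in breaches according to the reply (0 if absent)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def check_password(password: str, range_body: str) -> dict:
    """Combine the local policy check with the breach lookup."""
    return {
        "issues": password_strength_issues(password),
        "pwned_count": pwned_count(password, range_body),
    }


def build_constructed_range_response(prefix: str, leaked: dict) -> str:
    """CONSTRUCTED stand-in for the range endpoint so the example runs offline:
    emits one SUFFIX:COUNT line per leaked password whose hash starts with `prefix`."""
    lines = []
    for pw, count in leaked.items():
        digest = sha1_hex_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed breach table: counts are made up for the example.
    prefix, _ = split_for_range_query("password123")
    reply = build_constructed_range_response(prefix, {"password123": 12345, "letmein": 7})
    for candidate in ["password123", "myDogisCr@yCr@y!!", "Ilov3Gummi3B3ars!!"]:
        print(candidate, check_password(candidate, reply))
```

In a real deployment the constructed reply is replaced by an HTTPS GET of the five-character prefix to the range endpoint; the password and its full hash still never leave the client. Run on the post's own sample passwords, the first one, myDogisCr@yCr@y!!, contains no digit and so fails the digit rule, which is exactly the kind of gap an automated check catches that a human reading the tip would miss.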

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Summer Refresh: Take Time to Relax but Not on Password Security appeared first on McAfee Blogs.

#CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online

Summer has officially rolled out its welcome mat. But as most parents might be thinking about slowing down, for most kids, summer is when digital device use goes into overdrive. That’s why June — which also happens to be Internet Safety Month — is a perfect time to strengthen your family’s digital readiness.

Good news: This digital safety skills booster is quick and actionable. And who knows — if a few of these tips boost your family’s safety, you may have just saved summer for everyone!

4 Ways to Boost Family Safety Online 

Practice safe social. Challenge your family to rein in its social footprint by taking these specific actions: 1) Adjust privacy settings on all social networks. 2) Trim friend and follower lists. 3) Delete any personal data on social profiles such as birthdate, address, or school affiliation. 4) Edit and limit app permissions. As we’ve just seen in the headlines, the misuse of personal data is a very big deal. 5) Share with care. Routinely scrolling, liking, and commenting on social sites such as Snapchat and Instagram can give kids a false sense of security (and power). Remind tweens and teens to share responsibly. Oversharing can damage a reputation, and words or images shared callously can damage other people.

Practice safe gaming. Summertime is a gamer’s heaven. Endless battles and showdowns await the dedicated. However, some digital pitfalls can quickly douse the fun. According to the National Cyber Security Alliance’s gaming tip sheet, safe gaming includes: updating gaming software, protecting devices from malware, protecting your child’s personal data, using voice chat safely, and paying close attention to content ratings.

Practice strong security. There are some steps only a parent can take to safeguard the family online. 1) Parental controls. Filtering software blocks inappropriate websites and apps as well as establishes boundaries for family tech use. 2) Comprehensive security software helps protect your PCs, tablets, and devices from viruses, malware, and identity theft. 3) Keeping your guard up. According to McAfee’s Gary Davis staying safe online also includes digital habits such as using strong passwords, boosting your network security and firewall, and being aware of the latest scams that target consumers.

Practice wise parenting. 1) Know where kids go. Know which apps your kids love and why, how they interact with others online, and how much time they spend online. 2) Unplug. Establish tech-free family activities this summer. Powering off and plugging into quality time is the most powerful way to keep your family safe online. A strong relationship empowers responsibility. 3) Be confident. As parenting expert Dr. Meg Meeker says, parents should be parenting from a place of confidence, rather than from a place of fear. “The temptation for parents is to think that they have no control over what their child does online. This isn’t true,” says Meeker. “Parents, you are in control of your child’s technology use; it is not in control of you.”

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post #CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online appeared first on McAfee Blogs.

Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botched upgrade to their online banking system, which meant the Spanish-owned bank had to shut down its online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than a million customer accounts following a breach by hackers, US SunTrust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US Saks, Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklisted China's state-owned firm ZTE, warning UK telecom providers that use of ZTE's equipment could pose a national security risk. Interestingly, BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russia of large-scale cyber-campaigns aimed at compromising vast numbers of Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware such as Zeus, TrickBot, and Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.

A concerning report by the EEF said UK manufacturers' IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers having already been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens the door to cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.


Weekly Cyber Risk Roundup: Orbitz Breach, Facebook Privacy Fallout

One of the biggest data breach announcements of the past week belonged to Orbitz, which said on Tuesday that as many as 880,000 customers may have had their payment card and other personal information compromised due to unauthorized access to a legacy Orbitz travel booking platform.

“Orbitz determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers),” the company said in a statement.

Information potentially compromised includes payment card information, names, dates of birth, addresses, phone numbers, email addresses, and gender.

As American Express noted in its statement about the breach, the affected Orbitz platform served as the underlying booking engine for many online travel websites, including Amextravel.com and travel booked through Amex Travel Representatives.

Expedia, which purchased Orbitz in 2015, did not say how many or which partner platforms were affected by the breach, USA Today reported. However, the company did say that the current Orbitz.com site was not affected.


Other trending cybercrime events from the week include:

  • State data breach notifications: Island Outdoor is notifying customers that payment card information may have been stolen due to the discovery of malware affecting several of its websites. Agemni is notifying customers about unauthorized charges after “a single authorized user of our software system used customer information to make improper charges for his personal benefit.” The Columbia Falls School District is notifying parents of a cyber-extortion threat involving their children’s personal information. Intuit is notifying TurboTax customers that their accounts may have been accessed by an actor leveraging previously leaked credentials. Taylor-Dunn Manufacturing Company is notifying customers that it discovered cryptocurrency mining malware on a server and that a file containing personal information of those registered for the Taylor-Dunn customer care or dealer center may have been accessed. Nampa School District is notifying a “limited number” of employees and Skamania Public Utility District is notifying customers that their personal information may have been compromised due to incidents involving unauthorized access to an employee email account.
  • Data exposed: A flaw in Telstra Health’s Argus software, which is used by more than 40,000 Australian health specialists, may have exposed the medical information of patients to hackers. Primary Healthcare is notifying patients of unauthorized access to four employee email accounts. More than 300,000 Pennsylvania school teachers may have had their personal information publicly released due to an employee error involving the Teacher Management Information System.
  • Notable ransomware attacks: The city of Atlanta said a ransomware attack disrupted internal and customer-facing applications, which made it difficult for citizens to pay bills and access court-related information. Atrium Hospitality is notifying 376 hotel guests that their personal information may have been compromised due to a ransomware infection at a workstation at the Holiday Inn Sacramento. Finger Lakes Health said it lost access to its computer system due to ransomware infection.
  • Other notable events: Frost Bank said that malicious actors compromised a third-party lockbox software program and were able to access images of checks that were stored in the database. National Lottery users are being advised to change their passwords after 150 accounts were affected by a “low-level” hack. A lawsuit against Internet provider CenturyLink and AT&T-owned DirecTV alleges that customer data was available through basic Internet searches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

[Chart: top trending targets of the week (2018-03-24_ITT)]

Cyber Risk Trends From the Past Week

Facebook has faced a week of criticism, legal actions, and outcry from privacy advocates after it was revealed that the political consulting firm Cambridge Analytica had accessed the information of 50 million users and leveraged that information while working with the Donald Trump campaign in 2016.

“Cambridge Analytica obtained the data from a professor at the University of Cambridge who had collected the information by creating a personality-quiz app in 2013 that plugged into Facebook’s platform,” The Wall Street Journal reported. “Before a policy change in 2015, Facebook gave app creators and academics access to a treasure trove of data, ranging from which pages users liked to details about their friends.”

It isn’t clear how many other developers might have retained information harvested from Facebook before the 2015 policy change, The Journal reported. However, Mark Zuckerberg said the company may spend “many millions of dollars” auditing tens of thousands of data collecting apps in order to get a better handle on the situation.

The privacy breach has already led to regulatory scrutiny and potential lawsuits around the globe. Bloomberg reported that the FTC is probing whether data handling violated terms of a 2011 consent decree. In addition, Facebook said it would conduct staff-level briefings with six congressional committees in the coming week. Some lawmakers have called for Zuckerberg to testify as well, and Zuckerberg told media outlets that he would be willing to do so if asked.

Facebook’s stock price has dropped from $185 to $159 over the past eight days amid the controversy, and several companies have suspended their advertising on Facebook or deleted their Facebook pages altogether due to the public backlash.

Facebook Phishing Targeted iOS and Android Users from Germany, Sweden and Finland

Two weeks ago, a co-worker received a message in Facebook Messenger from his friend. Based on the message, it seemed that the sender was telling the recipient that he was part of a video in order to lure him into clicking it.

Facebook Messenger message and the corresponding Facebook Page

The shortened link was initially redirecting to Youtube.com, but was later on changed to redirect to yet another shortened link – po.st:

Changes in the Picsee short link

The po.st shortened link supported two types of redirection links: the original link and smart links. If the device that accessed the URL was running iOS or Android, it was redirected to the utm.io shortened link; otherwise it was redirected to smarturl.it.

The short link with the smart links

So for the iOS and Android users, they were served with the following phishing page:

Phishing page for utm.io short link

For the rest of the devices, the users ended up with the smarturl.it link that went through several redirections which eventually led to contenidoviral.net. That page contained an ad-affiliate URL which redirected to mobusi.com, a mobile advertising company.

Phishing page’s ad-affiliate URL

Based on the data from the links, the campaign began last October 15th when it targeted mostly Swedish users. On the 17th, it moved to targeting Finnish users. Then from 19th onwards, it mostly went after German users.

The total number of clicks for the entire campaign reached almost 200,000, where close to 80% of the visitors were from Germany, Sweden and Finland.

Statistics from po.st tracking page

The campaign ran for two weeks with a main motive of stealing Facebook credentials from iOS and Android users. The cybercriminals used those stolen credentials to spread the malicious links, and subsequently gather more credentials. However, while in the process of stealing the credentials, the cybercriminals also attempted to earn from other non-iOS and non-Android users through ad-fraud.

This practice of using email addresses in place of unique names as account credentials creates a big opportunity for phishers. Just by launching this Facebook phishing campaign, they can mass harvest email and password credentials that are later on used for secondary attacks such as gaining access to other systems or services that could have a bigger monetary value because of password reuse.

We highly recommend the affected users to change their passwords as soon as possible, including other systems and services where the same compromised password was used.

URLs:

  • hxxp://lnk[.]pics/19S3Y
  • hxxp://lnk[.]pics/18JDK
  • hxxp://lnk[.]pics/196OV
  • hxxp://lnk[.]pics/18XH7
  • hxxp://lnk[.]pics/196PN
  • hxxp://lnk[.]pics/19LBP
  • hxxp://lnk[.]pics/18YZV
  • hxxp://lnk[.]pics/18QZW
  • hxxp://lnk[.]pics/196PA
  • hxxp://lnk[.]pics/19XK7
  • hxxp://lnk[.]pics/18HFX
  • hxxp://lnk[.]pics/19S3L
  • hxxp://lnk[.]pics/18J7S
  • hxxp://lnk[.]pics/19XKF
  • hxxp://lnk[.]pics/19K94
  • hxxp://lnk[.]pics/19LBW
  • hxxp://pics[.]ee/188g7
  • hxxp://pics[.]ee/18cdl
  • hxxp://po[.]st/ORyChA
  • hxxp://smarturl[.]it/02xuof
  • hxxp://utm[.]io/290459
  • hxxp://at.contenidoviral[.]net
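The defanged indicators above are what a defender would match against proxy or DNS logs. As an added example (not code from the original write-up), the following Python refangs them, separates host-only indicators from host-plus-path ones, and scans a constructed proxy log for the redirect chain the post describes; the log format, client IP addresses and timestamps are assumptions made for this example, and a subset of the post's indicators is embedded as the sample list.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A subset of the defanged indicators listed in the post above.
DEFANGED_IOCS = [
    "hxxp://lnk[.]pics/19S3Y",
    "hxxp://lnk[.]pics/18JDK",
    "hxxp://pics[.]ee/188g7",
    "hxxp://po[.]st/ORyChA",
    "hxxp://smarturl[.]it/02xuof",
    "hxxp://utm[.]io/290459",
    "hxxp://at.contenidoviral[.]net",
]

# CONSTRUCTED proxy log for the example: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2017-10-19T09:12:01Z 10.0.5.23 GET http://lnk.pics/19S3Y 302
2017-10-19T09:12:02Z 10.0.5.23 GET http://po.st/ORyChA 302
2017-10-19T09:12:03Z 10.0.5.23 GET http://utm.io/290459 200
2017-10-19T09:12:30Z 10.0.7.8 GET http://at.contenidoviral.net/landing?x=1 200
2017-10-19T09:13:00Z 10.0.7.9 GET http://lnk.pics/ZZZZZ 302
2017-10-19T09:13:05Z 10.0.7.9 GET https://www.example.com/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] and (.) -> '.'."""
    s = indicator.strip()
    s = re.sub(r"(?i)^hxxp", "http", s)
    return s.replace("[.]", ".").replace("(.)", ".")


def build_matchers(defanged):
    """Split indicators into three sets:
    exact_urls  - (host, path) pairs for indicators that carry a path
    whole_hosts - hosts whose indicator had no path, so any URL on them matches
    path_hosts  - hosts that only appear with a path (public shorteners here),
                  where a different path is a weaker, host-level signal
    """
    exact_urls, whole_hosts, path_hosts = set(), set(), set()
    for ioc in defanged:
        parts = urlsplit(refang(ioc))
        host = (parts.hostname or "").lower()
        path = parts.path.rstrip("/")
        if path:
            exact_urls.add((host, path))
            path_hosts.add(host)
        else:
            whole_hosts.add(host)
    return exact_urls, whole_hosts, path_hosts


def classify_url(url, exact_urls, whole_hosts, path_hosts):
    """Return 'exact-url', 'exact-host', 'host-only' or '' for a requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    if (host, path) in exact_urls:
        return "exact-url"
    if host in whole_hosts:
        return "exact-host"
    if host in path_hosts:
        return "host-only"
    return ""


def scan_proxy_log(log_text, defanged=DEFANGED_IOCS):
    """Return (timestamp, client, url, verdict) for every line touching an indicator."""
    matchers = build_matchers(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        verdict = classify_url(m["url"], *matchers)
        if verdict:
            hits.append((m["ts"], m["src"], m["url"], verdict))
    return hits


def chains_by_client(hits):
    """Group hits per client IP, in log order, to reconstruct the redirect chain."""
    chains = defaultdict(list)
    for _ts, src, url, verdict in hits:
        chains[src].append((url, verdict))
    return dict(chains)


if __name__ == "__main__":
    for client, chain in chains_by_client(scan_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(client, " -> ".join(f"{u} [{v}]" for u, v in chain))
```

The three verdict levels matter in triage: lnk.pics, po.st, utm.io and smarturl.it are public shorteners, so a request for a different path on one of them is only a weak host-level signal, while the landing domain with no path in the indicator list is a match for any path. Grouping hits by client then shows the shortener-to-shortener-to-landing-page sequence the post describes for one client in a single line.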

Twitter – Den of Iniquity or Paragon of Virtue… or Someplace in Between?


Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites are in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.

Facebook’s new terms, is the sky falling?

You have seen them if you are on Facebook, and perhaps even posted one yourself. I’m talking about the statements that aim to defuse Facebook’s new terms of service, which are claimed to take away copyright to stuff you post. To summarize it shortly, the virally spreading disclaimer is meaningless from a legal point of view and contains several fundamental errors. But I think it is very good that people are becoming aware of their intellectual rights and that new terms may be a threat.

Terms of service? That stuff in legalese that most people just click away when starting to use a new service or app. What is it really about and could it be important? Let’s list some basic points about them.

  • The terms of service or EULA (End User License Agreement) is a legally binding agreement between the service provider and the user. It’s basically a contract. Users typically agree to the contract by clicking a button or simply by using the service.
  • These terms are dictated by the provider of the service and are not negotiable. This is quite natural for services with a large number of users; negotiating individual contracts would not be feasible.
  • Terms of service is a defensive tool for companies. One of their primary goals is to protect against lawsuits.
  • These terms are dictated by one party and almost never read by the other party. Needless to say, this may result in terms that are quite unfavorable for us users. This was demonstrated in London a while ago. No, we have not collected any children yet.
  • Another bad thing for us users is the lack of competition. There are many social networks, but only one Facebook. Opting out of the terms means quitting, and going to another service is not really an option if all your friends are on Facebook. Social media is by its nature monopolizing.
  • The upside is that terms of service can’t change the law. The legislation provides a framework of consumer and privacy protection that can’t be broken with an agreement. Unreasonable terms, like paying with your firstborn child, are moot.
  • But be aware that the law of your own country may not be applicable if the service is run from another country.
  • Also be aware that these terms only affect your relationship to the provider of the service. Intelligence performed by authorities is a totally different thing and may break privacy promises given by the company, especially for services located in the US.
  • The terms usually include a clause that grants the provider a license to do certain things with the stuff users upload. There’s a legitimate reason for this, as the provider needs to copy the data between servers and publish it in the agreed way. This Facebook debacle is really about the extent of these clauses.

Ok, so what about Facebook’s new terms of service? Facebook claims it wants to clarify the terms and make them easier to understand, which really isn’t the full story. They have always been pretty intrusive regarding both privacy and intellectual property rights to your content, and the latest change is just one more step on that path. Most of the recent stir is about people fearing that their photos etc. will be sold or utilized commercially in some other way. This is no doubt a valid concern with the new terms. Let’s first take a look at the importance of user content for Facebook. Many services, like newspapers, rely on user-provided content to an increasing extent. But Facebook is probably the ultimate example. All the content you see on Facebook is provided either by the users or by advertisers. None by Facebook itself. And their revenue is almost 8 billion US$ without creating any content themselves. Needless to say, the rights to use our content are important for them. What Facebook is doing now is ensuring that they have a solid legal base to build current and future business models on.

But another thing of paramount importance to Facebook is the users’ trust. This trust would be severely damaged if private photos started appearing in public advertisements. It would cause a significant change in people’s relationship with Facebook and decrease the volume of shared stuff, which is what Facebook lives on. This is why I am ready to believe Facebook when they promise to honor our privacy settings when utilizing user data.

Let’s debunk two myths that are spread in the disclaimer. Facebook is *not* taking away the copyright to your stuff. Copyright is like ownership. What they do, and have done previously too, is create a license that grants them rights to do certain things with your stuff. But you still own your data. The other myth is that a statement posted by users would have some kind of legal significance. No, it doesn’t. The terms of service are designed to be approved by using the service; anyone can opt to stop using Facebook and thus no longer be bound by the terms. But the viral statements are just one-sided declarations that are in conflict with the mutually agreed contract.

I’m not going to dig deeper into the changes as it would make this post long and boring. Instead I just link to an article with more info. But let’s share some numbers underlining why it is futile for ordinary mortals to even try to keep up with the terms. I browsed through Facebook’s set of terms and found 10 different documents containing some kind of terms. And that’s just the stuff for ordinary users; I left out terms for advertisers, developers etc. Transferring the text from all of these into MS Word gave 41 pages with a 10pt font, almost 18 000 words and about 108 000 characters. Quite a read! But the worst of all is that there’s no indication of which parts have changed. Is anyone still surprised by the fact that users don’t read the terms?

So it’s obvious that ordinary users really can’t keep up with terms like this. The most feasible way to deal with Facebook’s terms of service is to consider these 3 strategies and pick the one that suits you best.

  1. Keep using Facebook and don’t worry about how they make money with your data.
  2. Keep using Facebook but be mindful about what you upload. Use other services for content that might be valuable, like good photos or very private info.
  3. Quit Facebook. That’s really the only way to decline their terms of service.

By the way, my strategy is number 2 in the above list, as I have explained in a previous post. That’s like ignoring the terms, expecting the worst possible treatment of your data and posting selectively with that in mind. One can always put valuable stuff on some other service and post a link on Facebook.

So posting the viral disclaimer is futile, but I disagree with those who say it’s bad and it shouldn’t be done. It lacks legal significance but is an excellent way to raise awareness. Part of the problem with unbalanced terms is that nobody cares about them. A higher level of awareness will make people think before posting, put some pressure on providers to make the terms more balanced, and make the legislators more active, thus improving the legal framework that controls these services. The legislation is by the way our most important line of defense, as it is created by a more neutral party. The legislator should, at least in theory, balance the companies’ and end users’ interests in a fair way.

Safe surfing,
Micke
Image: Screenshot from facebook.com