Category Archives: facebook

A week in security (December 10 – 16)

Last week on Labs, we took a look at some new Mac malware, a collection of various scraped data dumps, the protection of power grids, and how bad actors are using SMB vulnerabilities. 

Other cybersecurity news

  • Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (source: Facebook)
  • Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake, according to US law enforcement. (source: The Register)
  • Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (source: Met Police)
  • Another Google Plus bug: For six days, developers were able to access profile data not made public by the users. (source: Google)
  • Windows 10 data collection: Reddit users complained Windows 10 is grabbing a certain kind of data even with the setting disabled. (source: How to Geek)
  • Taylor Swift concert tracks stalkers with facial recognition software: At a recent event, cutting-edge tech was deployed to ensure the crowds were free of potential troublemakers. (source: Rolling Stone)
  • Password disasters of 2018: A tongue-in-cheek look at some of the more spectacular password mishaps seen rumbling into view this year. (source: Help Net Security)
  • Android Trojan steals from PayPal accounts: Even with 2FA enabled, it might not be enough to keep your account balance safe. (source: ESET)
  • Character recognition collects URLs in YouTube videos: Theoretically private data in hidden videos may not be as private as you’d first hoped. (source: Austin Burk’s blog)
  • Traveller data left lying around on USB sticks: Border Agents aren’t being quite as careful as they should be where potentially sensitive passenger data is concerned. (source: Naked Security)

Stay safe, everyone!

The post A week in security (December 10 – 16) appeared first on Malwarebytes Labs.

Facebook Disbands Secretive Research Lab Amid Reorganization

Facebook has disbanded its secretive research lab, where the company developed new hardware like its Portal speakers and researched moonshot projects like brain computer interfaces. "Building 8, the division Facebook created in 2016 to house some of its most ambitious projects, has been disbanded and the projects have been redistributed to other groups within the social media company," reports Mashable. From the report: The change, which was first reported by Business Insider, marks the end of the "Building 8" brand, though the group's work will continue on. Now, thanks to BI, we know that behind the scenes Facebook has separated the Portal team into its own group, which oversees Facebook's other "unannounced hardware projects." Meanwhile, Building 8's researchers have been shuffled to Facebook Reality Labs (FRL), another new group at Facebook led by Facebook's top VR researcher, Michael Abrash. The FRL group was created in May, around the same time Facebook announced a bigger reorganization among its top executives. A Facebook spokesperson confirmed to BI that the Building 8 brand was no more, but said it continues to work on the same projects and hasn't laid off any employees as a result of the restructuring: "Building 8 was the early name of the team building consumer hardware at Facebook. Building 8 is part of Facebook's AR/VR organization. Now that we're shipping, it's the Portal team. And Rafa Camargo is still leading the team; that has not changed. We also unified research looking at longer-term projects under one team, which became Facebook Reality Labs, which is also part of our AR/VR organization. This includes research projects like the Brain Computer Interface."

Read more of this story at Slashdot.

Facebook bug exposed unposted photos of 6.8 million users

Facebook accidentally exposed 6.8 million users’ private photos to developers

Facebook on Friday disclosed a data breach that may have exposed unposted photos of as many as 6.8 million users.

According to the company’s developer blog, a photo API bug accidentally gave hundreds of third-party apps unauthorized access to photos of as many as 6.8 million users during a 12-day period between September 13 and 25. It is believed that up to 1,500 apps built by 876 developers may have been affected by the bug.

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” engineering director Tomer Bar said in a message to developers.

“In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.”

Bar added that the bug also inadvertently gave third-party apps access to photos that were never shared on timelines at all, for example a photo that someone uploaded to Facebook but did not finish posting.

“We store a copy of that photo so the person has it when they come back to the app to complete their post,” he said.

Bar added that potentially affected Facebook users will get a Facebook notification, which will direct them to a Help Center link where they will be able to see if they have used any apps that were affected by the bug.

“We’re sorry this happened,” Bar said. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

Bar also suggested that users should log into any apps with which they have shared their Facebook photos to find out if they have access to photos they shouldn’t.

Besides the Facebook photo API bug discovered in September, the social networking giant was also hit by another data breach the same month, in which the data of some 30 million users was exposed to hackers as a result of a flaw in Facebook’s ‘View As’ feature.

The post Facebook bug exposed unposted photos of 6.8 million users appeared first on TechWorm.

Facebook bug exposed private photos of 6.8M users to third-party developers

By Waqas

Another day, another privacy breach – This time, the social media giant Facebook has announced that a bug in its Photo API exposed private photos of over 6.8 million users to third-party app developers. The breach took place from September 13 to September 25, 2018, which means for 12 days straight some developers could view your […]

This is a post from HackRead.com. Read the original post: Facebook bug exposed private photos of 6.8M users to third-party developers

A bug in Facebook Photo API exposed photos of 6.8 Million users

New problems for Facebook, the social network giant announced that a bug related to Photo API could have allowed third-party apps to access users’ photos.

Facebook announced that photos of 6.8 million users might have been exposed by a bug in the Photo API that allowed third-party apps to access them. The bug affected over 870 developers, but only apps that the user had granted access to their photos could have exploited it. According to Facebook, the flaw exposed user photos for 12 days, between September 13 and September 25, 2018.

The flaw was discovered by the Facebook internal team and impacted users who had utilized Facebook Login and allowed third-party apps to access their photos.

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.” reads a post published by Facebook.

In principle, applications that are granted access to photos can only access images shared on a user’s timeline. The bug could also have exposed other photos, including ones shared on Facebook Marketplace or via Stories, and even photos that were only uploaded but never posted.

“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” continues the post.

Facebook is notifying impacted people via an alert in their account.

“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.” concludes Facebook.

“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

The post A bug in Facebook Photo API exposed photos of 6.8 Million users appeared first on Security Affairs.

Facebook Says A Bug May Have Exposed The Unposted Photos Of Millions Of Users

A day after hosting a pop-up store in New York City's Bryant Park to explain how privacy is the "foundation of the company," Facebook disclosed that a security flaw potentially exposed the public and private photos of as many as 6.8 million users to developers. From a report: On Friday, the Menlo Park, California-based company said in a blog post that it discovered a bug in late September that gave third-party developers the ability to access users' photos, including those that had been uploaded to Facebook's servers but not publicly shared on any of its services. The security flaw, which exposed photos for 12 days between Sept. 13 and Sept. 25, affected up to 1,500 apps from 876 developers, according to Facebook. "We're sorry this happened," Facebook said in the post. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users." Facebook has not yet responded to questions about whether company representatives staffing its privacy pop-ups yesterday were aware of this security flaw as they were meeting with reporters and customers to discuss privacy.

Read more of this story at Slashdot.

Facebook Doesn’t Care About Fixing Fake News Problem On Its Platform

An anonymous reader quotes a report from The Guardian: Journalists working as factcheckers for Facebook have pushed to end a controversial media partnership with the social network, saying the company has ignored their concerns and failed to use their expertise to combat misinformation. Current and former Facebook factcheckers told the Guardian that the tech platform's collaboration with outside reporters has produced minimal results and that they've lost trust in Facebook, which has repeatedly refused to release meaningful data about the impacts of their work. Some said Facebook's hiring of a PR firm that used an antisemitic narrative to discredit critics -- fueling the same kind of propaganda factcheckers regularly debunk -- should be a deal-breaker. Facebook now has more than 40 media partners across the globe, including the Associated Press, PolitiFact and the Weekly Standard, and has said false news on the platform is "trending downward." While some newsroom leaders said the relationship was positive, other partners said the results were unclear and that they had grown increasingly resentful of Facebook. Facebook has said that third-party factchecking is one part of its strategy to fight misinformation, and has claimed that a "false" rating leads an article to be ranked lower in news feed, reducing future views by 80% on average. The company has refused, however, to publicly release any data to support these claims. Facebook said in a statement that it had "heard feedback from our partners that they'd like more data on the impact of their efforts," adding that it has started sending "quarterly reports" with "customized statistics" to partners and would be "looking for more statistics to share externally in early 2019." Facebook declined to share the reports with the Guardian.

Read more of this story at Slashdot.

Episode 124: The Twitter Accounts Pushing French Protests. Also: social engineering the Software Supply Chain

In this week’s podcast (#124): we speak with French security researcher Baptiste Robert about research on the social media accounts pushing the French "Yellow Vest" protests. Surprise, surprise: they're not French. Also: Brian Fox of the firm Sonatype joins us to talk about the recent compromise of the GitHub event-stream project and why...


Facebook Filed a Patent To Calculate Your Future Location

Facebook has filed several patent applications with the U.S. Patent and Trademark Office for technology that uses your location data to predict where you're going and when you're going to be offline. BuzzFeed News reports: A May 30, 2017, Facebook application titled "Offline Trajectories" describes a method to predict where you'll go next based on your location data. The technology described in the patent would calculate a "transition probability based at least in part on previously logged location data associated with a plurality of users who were at the current location." In other words, the technology could also use the data of other people you know, as well as that of strangers, to make predictions. If the company could predict when you are about to be in an offline area, Facebook content "may be prefetched so that the user may have access to content during the period where there is a lack of connectivity." Another Facebook patent application titled "Location Prediction Using Wireless Signals on Online Social Networks" describes how tracking the strength of Wi-Fi, Bluetooth, cellular, and near-field communication (NFC) signals could be used to estimate your current location, in order to anticipate where you will go next. This "background signal" information is used as an alternative to GPS because, as the patent describes, it may provide "the advantage of more accurately or precisely determining a geographic location of a user." The technology could learn the category of your current location (e.g., bar or gym), the time of your visit to the location, the hours that entity is open, and the popular hours of the entity. Yet another Facebook patent application, "Predicting Locations and Movements of Users Based on Historical Locations for Users of an Online System," further details how location data from multiple people would be used to glean location and movement trends and to model location chains. 
According to the patent application, these could be used for a "variety of applications," including "advertising to users based on locations and for providing insights into the movements of users." The technology could even differentiate movement trends among people who live in a city and who are just visiting a city. A Facebook spokesperson said in a statement: "We often seek patents for technology we never implement, and patent applications -- such as this one -- should not be taken as an indication of future plans."

Read more of this story at Slashdot.

Helping Kids Deal with the Digital Rejection of ‘Ghosting’

Rejection is the unspoken risk that is present when we enter into any relationship, be it a friendship or a love relationship. It’s a painful, inescapable part of life that most of us go to great lengths to avoid. That said, there’s a social media phenomenon called “ghosting” that can take the pain of rejection to surprising depths — especially among teens.

Ghosting is when a person (or friend group) you’ve been talking to online suddenly stops all communication without any explanation.

Digital Dismissal

If you’re on the receiving end of the ghosting, consider yourself ghosted. Text conversations abruptly stop. You get blocked on all social media accounts. The ghost untags him or herself in all past photos on your profiles and deletes all past comments; theirs and yours. Direct messages (if not blocked) are marked as “seen” but never get a response.

Ghosting makes it feel as if a relationship never existed, which can leave anyone — child, teen, or adult — feeling hurt, frustrated, betrayed and even traumatized.

A teen named Jess* shared her ghosting experience and described feeling “helpless, confused, and worthless,” when a person she considered a boyfriend suddenly disappeared from her life after five months and started talking to another girl online. “One minute we were close and sharing all kinds of deep stuff and then, ‘poof’! He blocked me from his social media, stopped answering my texts, and started ignoring me at school. It’s as if I never existed to him.”

Rejection = Pain

In one study, MRI images showed that the same areas of the brain become activated when we experience a social rejection as when we experience physical pain, which is why rejection can hurt so much. According to Dr. Guy Winch, rejection destabilizes our need to belong and causes us to question our self-worth. “We often respond to romantic rejections by finding fault in ourselves, bemoaning all our inadequacies, kicking ourselves when we’re already down, and smacking our self-esteem into a pulp.” Rather, he clarifies, rejection is often just a matter of being mismatched in several areas such as chemistry, goals, and commitment level.

Micro-rejection 24/7

Thanks to social media, ghosting is not only a term but a common (albeit cruel) way to end an online relationship. Because it’s digital it’s easier for some people to view others as avatars; and easier to block rather than confront. It doesn’t help that the online culture fosters micro-rejections at every turn especially for tweens and teens. With every photo that is uploaded, so too, is a young person’s bid for approval. It’s not uncommon that a child’s happiness (or lack of) is influenced by the number of likes and comments a photo racks up.

While it may be impossible to protect our kids from painful digital rejections, we can equip them to handle it when and if it comes their way. Here are a few ideas that may help ease the pain of being ghosted.

Acknowledge the hurt

No doubt, being ghosted hurts and can be embarrassing for your child (or anyone for that matter) to even talk about, so tread lightly if you suspect it. Listen more than you speak and empathize more than advise if you learn this is a situation your child is experiencing. Acknowledge the real pain of being cut off, dismissed, blocked, and ignored. Ghosting can happen between two people or even with a friend group. If you have a similar situation and can relate, share that experience with your child.

Help frame the situation

Tweens and teens often do not have the tools they need in their emotional toolbox to deal with confrontation. Nor are they pros at communicating. So, rather than exit a relationship properly, some kids will find it easier to disappear with a simple click or two. Help your child understand the bigger picture that not all people will act with integrity or kindness. And, not all people are meant to be your friend or romantic match, and that’s okay. There are plenty of people who will value, love, and treat them with respect.

Help set healthy standards

Being ghosted, while painful, is also an opportunity to help your son or daughter define or re-define his or her standards. Ask: What qualities and characteristics do you value in a friend or love interest? What values do you need to share with another person before trusting them? What warning signs should you look for next time that a person isn’t friend material? Advise: Don’t always be the person initiating every conversation, pay attention to the quality of interactions, and don’t pursue people who are unresponsive or constantly “busy.”

Discourage retribution

While some ghosting situations are mild and dismissed quickly, others can cause the person ghosted to feel humiliated, angry, and vengeful. Lashing out at or trolling a ghost online as payback isn’t the answer and will only prolong the pain of being ghosted. Encourage your child to see that discovering the person’s character now is a gift and that moving on with wisdom and integrity (minus conflict) is the fastest way to heal.

Help them move on

One huge pain point for people who have been ghosted is that they did not get any closure or insight as to why the relationship ended. To help with this, you might suggest your son or daughter write a letter to get all the feelings out — but never mail it. Need the satisfaction of posting that letter online (minus names)? There’s a site for that (warning: language).

Beware of haunting

Haunting is when a ghost tries to reconnect in small ways over time. He or she may resurface to leave a comment or periodic likes to test the re-entry climate. Some may even send a direct message trying to explain the poor behavior. While every situation is different, warn your kids against reconnecting with anyone who would ghost a relationship. Encourage your child to invest time in friends who value friendships and honor the feelings of others.

*Name changed

The post Helping Kids Deal with the Digital Rejection of ‘Ghosting’ appeared first on McAfee Blogs.

Days After Massive Breach, Marriott Customers Await Details

Nearly a week after Marriott disclosed a massive breach of its Starwood reservation system, customers complain that the company has not communicated with them to tell them whether they are affected. Marriott says it is sending “rolling” emails to hundreds of millions of victims. An estimated 500 million Marriott International customers...


Facebook Will Bring Political Ad Transparency Tools To India Ahead of 2019 Elections

As India inches closer to its general elections, Facebook announced today that it is bringing transparency to political ads on its platform in the country early next year. From a report: This would make India the fourth market -- after the U.S., Brazil, and the U.K. -- where Facebook offers users a disclaimer on political ads. Facebook began offering users in the U.S. information about the buyer of a political ad as part of a series of changes last year to fight misinformation and foreign meddling in elections. [...] Facebook said Thursday that it will also maintain an online searchable Ad Library, as it has in other markets, which will document all the ads related to politics from a particular advertiser alongside other information such as range of impressions, demographics that saw the ad, and the budget that went behind an individual ad. India, which is Facebook's largest market, could be the biggest test yet for whether the company has learned from its recent mistakes.

Read more of this story at Slashdot.

Facebook Employees Are So Paranoid They’re Using Burner Phones To Talk To Each Other

Facebook's reputation has only continued to get more sullied in recent weeks, and it's taking a toll on employees. According to a new report, things over at the old FB are, well, kind of grim. From the report: "People now have burner phones to talk shit about the company -- not even to reporters, just to other employees," one former employee said. Another described the current scene as a "bunker mentality," meaning that after nearly two years of continuous bad press some people are, to borrow a phrase, leaning in as hard as they can to cope. "It's otherwise rational, sane people who're in Mark's orbit spouting full-blown anti-media rhetoric, saying that the press is ganging up on Facebook," said the former employee. Further reading: Facebook Employees Are Calling Former Colleagues To Look For Jobs Outside the Company and Asking About the Best Way To Leave.

Read more of this story at Slashdot.

Facebook Used Its VPN App To Track Competitors, Documents Reveal

Newly public documents reveal just how paranoid Facebook was of its potential competitors and shine new light on some of the company's most important acquisitions. From a report: The internal documents, made public as part of a cache of documents released by UK lawmakers, show just how close an eye the social network was keeping on competitors like WhatsApp and Snapchat, both of which became acquisition targets. The documents, which are labeled "highly confidential," show slides from an internal presentation in 2013 that compares Facebook's reach to competing apps, including WhatsApp and Snapchat. While Facebook and Instagram lead in market share, it's clear why Facebook may have viewed Snapchat and WhatsApp as potential threats. [...] Facebook's presentation relied on data from Onavo, the virtual private network (VPN) service which Facebook also acquired several months later. Facebook's use of Onavo, which has been likened to "corporate spyware," has itself been controversial.

Read more of this story at Slashdot.

Internal Emails Show Facebook Weighing the Privacy Risks of Quietly Collecting Call and Text Records From Its Android Users — Then Going Ahead Anyway

Earlier this year, many Android users were shocked to discover that Facebook had been collecting a record of their call and SMS history, as revealed by the company's data download tool. Now, internal emails released by the UK Parliament show how the decision was made internally. From a report: According to the emails, developers knew the data was sensitive, but they still pushed to collect it as a way of expanding Facebook's reach. The emails show Facebook's growth team looking to call log data as a way to improve Facebook's algorithms as well as to locate new contacts through the "People You May Know" feature. Notably, the project manager recognized it as "a pretty high-risk thing to do from a PR perspective," but that risk seems to have been overwhelmed by the potential user growth. Initially, the feature was intended to require users to opt in, typically through an in-app pop-up dialog box. But as developers looked for ways to get users signed up, it became clear that Android's data permissions could be manipulated to automatically enroll users if the new feature was deployed in a certain way.

Read more of this story at Slashdot.

Facebook Ends Platform Policy Banning Apps That Copy Its Features

Facebook will now freely allow developers to build competitors to its features upon its own platform. Today Facebook announced it will drop Platform Policy section 4.1, which stipulates "Add something unique to the community. Don't replicate core functionality that Facebook already provides." TechCrunch reports: Facebook had previously enforced that policy selectively to hurt competitors that had used its Find Friends or viral distribution features. Apps like Vine, Voxer, MessageMe, Phhhoto and more had been cut off from Facebook's platform for too closely replicating its video, messaging or GIF creation tools. The move will significantly reduce the risk of building on the Facebook platform. It could also cast it in a better light in the eyes of regulators. Anyone seeking ways Facebook abuses its dominance will lose a talking point. And by creating a more fair and open platform where developers can build without fear of straying too close to Facebook's history or road map, it could reinvigorate its developer ecosystem. In a statement to TechCrunch, a Facebook spokesperson said: "We built our developer platform years ago to pave the way for innovation in social apps and services. At that time we made the decision to restrict apps built on top of our platform that replicated our core functionality. These kinds of restrictions are common across the tech industry with different platforms having their own variant including YouTube, Twitter, Snap and Apple. We regularly review our policies to ensure they are both protecting people's data and enabling useful services to be built on our platform for the benefit of the Facebook community. As part of our ongoing review we have decided that we will remove this out of date policy so that our platform remains as open as possible. We think this is the right thing to do as platforms and technology develop and grow."

Read more of this story at Slashdot.

Read All About It: The Breaches That Won’t Make the Headlines

It’s been a busy few months for those tracking cybersecurity breaches. Considering that this quarter alone has seen headlines for British Airways identifying additional victims behind its already significant breach, Facebook’s massive messaging leak and Yahoo’s significant payout related to earlier data breaches, there are plenty of high profile cases that reinforce the importance of […]

The post Read All About It: The Breaches That Won’t Make the Headlines appeared first on The State of Security.

Facebook Employees Are Calling Former Colleagues To Look For Jobs Outside the Company and Asking About the Best Way To Leave

An anonymous reader shares a report: Six former Facebook employees who left the company within the last two years told CNBC they've experienced a rise in contact from current company employees to inquire about opportunities or ask for job references. [...] The shift could be an early warning of recruiting and retention challenges for Facebook after a turbulent year. In 2018, the company has faced public questioning at multiple congressional hearings, scandals around third-party abuse of user data and public relations practices, and flat or declining user growth in key markets. It's also seen its stock drop nearly 40 percent from July. The stories from former employees are only anecdotal at this point, and there's no firm data showing a significant uptick in departures or employee dissatisfaction.

Read more of this story at Slashdot.

Cyber Security Roundup for November 2018

One of the largest data breaches in history was announced by Marriott Hotels at the end of November. A hack was said to have compromised up to a mind-blowing "half a Billion" hotel guests' personal information over a four year period. See my post, Marriott Hotels 4 Year Hack Impacts Half a Billion Guests, for the full details. The Radisson Hotel Group also disclosed that its Rewards programme suffered a data compromise. Radisson said hackers had gained access to a database holding members' names, addresses, email addresses and, in some cases, company name, phone number, and Radisson Rewards member number.

Vision Direct reported a website compromise which impacted users of its website between 3rd and 8th November; some 16,300 people were said to be at risk. A fake Google Analytics script was placed within its website code by hackers.

Eurostar customers were notified by email to reset their passwords following presumably successful automated login attempts to Eurostar accounts with stolen credentials obtained by an unknown method.

Two of the TalkTalk hackers were sentenced to a grand total of 20 months for their involvement in the infamous 2015 blackmail hack, which was said to have cost TalkTalk £77 million. There may have been up to 10 other attackers involved according to the court transcripts when hackers attempted to blackmail TalkTalk’s then CEO Dido Harding into paying a ransom in Bitcoin to cover up the breach. Has the enterprise, and judiciary, learned anything from TalkTalk hack?

Uber was fined £385,000 by the UK Information Commissioner's Office after hackers stole the data of 2.7 million UK customers in October and November 2016. Uber attempted to cover up the breach by paying the hackers $100,000 (£78,400) to destroy the stolen customer data. Meanwhile stateside, Uber paid $148m to settle federal charges.

HSBC announced it had suffered a customer data breach between 4th and 14th October 2018 in a suspected "credential stuffing" attack. HSBC didn't state how many customers were impacted, but it is known to have 38 million customers worldwide. HSBC advised its customers to regularly change passwords, use strong passwords, and monitor their accounts for unauthorised activity: sound online banking advice, but I am sure its customers will want to know what actually happened.

Facebook is still making the wrong kind of privacy headlines. This time it was reported that Facebook members' private message data was found for sale online, with one instance involving 257,256 stolen profiles and including 81,208 private messages. The report appears to suggest that malicious browser extensions, not Facebook, may be behind the data breach.

A report from a UK parliamentary committee warned that the UK government is failing to deliver on protecting the UK's critical national infrastructure (CNI) from cyber attacks. "The threat to critical infrastructure, including the power grid, is growing," the committee reported, with some states, "especially Russia", starting to explore ways of disrupting CNI. An advisory notice also warned that UK companies connected to CNI were being targeted by cyber attackers believed to be in eastern Europe. APT28 (the Russia-based Fancy Bear group) has added the "Cannon" downloader tool to its arsenal, according to researchers.

Amazon's showcase Black Friday sale was hit by a data breach days before it started. The online retail giant said it had emailed affected customers, but refused to provide any details on the extent or nature of the breach. The customer email said: "Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action."

There was a far more positive security announcement by Amazon about its AWS (cloud) services, with the launch of three new services to simplify and automate AWS security configuration: AWS Control Tower, AWS Security Hub, and AWS Lake Formation. McAfee released its 2019 'Cloud Adoption and Risk Report', which highlights the vital importance of configuring cloud services correctly and securely.

RiskIQ claimed that monitoring for malicious code could have stopped the recent theft of 185,000 British Airways customer records. The Magecart hacker group is believed to be responsible for injecting twenty-two lines of malicious script into British Airways' payment page, which successfully lifted debit and credit card details, including the CVV code.

Finally, according to enSilo, European Windows users are being targeted by a sophisticated malware called 'DarkGate', which has an array of nefarious capabilities, including cryptomining, credential stealing, ransomware, and remote-access takeovers. The DarkGate malware has been found to be distributed via torrent files disguised as popular entertainment offerings, including Campeones and The Walking Dead, so be careful to avoid becoming infected!

WhatsApp Faces Misinformation Problem in Nigeria, Reports Say

Fake news is being spread on WhatsApp in some of Africa's most populous countries, according to two new reports, raising concerns over coming elections in Nigeria. From a report: Photoshopped images and false claims about politicians have been circulating on the Facebook-owned messaging service in Nigeria, which holds an election in February next year, according to a report from The Poynter Institute on Friday. Many of the false claims are in local languages and exploit ethnic friction. One set of false claims focuses on how politicians will address clashes between a group of semi-nomadic herdsmen and farmers, Poynter said. Another rumor claimed a presidential candidate couldn't enter the US because of a corruption charge, Poynter reported.

Read more of this story at Slashdot.

Facebook Discussed Using People’s Data As a Bargaining Chip, Emails and Court Filings Suggest

An anonymous reader quotes a report from The Washington Post: Facebook executives in recent years appeared to discuss giving access to their valuable user data to some companies that bought advertising when it was struggling to launch its mobile-ad business, according to internal emails quoted in newly unredacted court filings. In an ongoing federal court case against Facebook, the plaintiffs claim that the social media giant doled out people's data secretly and selectively in exchange for advertising purchases or other concessions, even as others were cut off, ruining their businesses. The case was brought by one such company, Six4Three, which claims its business was destroyed in 2015 by Facebook's actions. In one of the exchanges from the filings, Facebook employees discussed shutting down access "in one-go to all apps that don't spend at least $250k a year to maintain access to the data," according to the trove. The documents reference email exchanges regarding Facebook's relations with several large commercial partners, including Lyft, Tinder, Amazon.com, Airbnb and the Royal Bank of Canada. Facebook denies that it exchanged access to people's data for commercial benefit. Thousands of pages of court filings, which Facebook is fighting to keep sealed -- including in an emergency hearing scheduled for Friday afternoon -- illustrate the shrewd strategies the social network employed as it built its advertising empire. The disclosure sheds light on allegations of anti-competitive behavior that could play into efforts by U.S. and European lawmakers to curb the power of technology giants. "The documents Six4Three gathered for this baseless case are only part of the story and are presented in a way that is very misleading without additional context," Konstantinos Papamiltiadis, Facebook's director of developer platforms and programs, said in a statement. "We stand by the platform changes we made in 2015 to stop a person from sharing their friends' data with developers. Any short-term extensions granted during this platform transition were to prevent the changes from breaking user experience."

Read more of this story at Slashdot.

Researchers Are Proposing a New Way To Generate Street Addresses by Extracting Roads From Satellite Images

An estimated 4 billion people in the world lack a physical address. Researchers at the MIT Media Lab and Facebook are now proposing a new way to address the unaddressed: with machine learning. From a report: The team first trained a deep-learning algorithm to extract the road pixels from satellite images. Another algorithm connected the pixels together into a road network. The system analyzed the density and shape of the roads to segment the network into different communities, and the densest cluster was labeled as the city center. The regions around the city center were divided into north, south, east, and west quadrants, and streets were numbered and lettered according to their orientation and distance from the center. When they compared their final results with a random sample of unmapped regions whose streets had been labeled manually, their approach successfully addressed more than 80% of the populated areas, improving coverage compared with Google Maps or OpenStreetMap. This isn't the only way to automate the creation of addresses. The organization what3words generates a unique three-word combination for every 3-by-3-meter square on a global grid. The scheme has already been adopted in regions of South Africa, Turkey, and Mongolia by national package delivery services, local hospitals, and regional security teams. But Ilke Demir, a researcher at Facebook and one of the creators of the new system, says its main advantage is that it follows existing road topology and helps residents understand how two addresses relate to one another.

Read more of this story at Slashdot.

Facebook Quietly Hired Republican Strategy Firm Targeted Victory

Facebook is still reeling from the revelation that it hired an opposition research firm with close ties to the Republican party, but its relationship with Definers Public Affairs isn't the company's only recent contract work with deeply GOP-linked strategy firms. TechCrunch reports: According to sources familiar with the project, Facebook also contracted with Targeted Victory, described as "the GOP's go-to technology consultant firm." Targeted Victory worked with Facebook on the company's Community Boost roadshow, a tour of U.S. cities meant to stimulate small business interest in Facebook as a business and ad platform. The ongoing Community Boost initiative, announced in late 2017, kicked off earlier this year with stops in cities like Topeka, Kansas and Albuquerque, New Mexico. Facebook also worked with Targeted Victory on the company's ad transparency efforts. Over the last year, Facebook has attempted to ward off regulation from Congress over ad disclosure, even putting forth some self-regulatory efforts to appease legislators.

Read more of this story at Slashdot.

British MP: Facebook was aware about Russian activity at least since 2014

A British MP claims Facebook was aware of Russian political interference in 2014, long before the events became public.

The British MP Damian Collins, head of a parliamentary inquiry into disinformation, revealed that one of the emails seized from the US software company Six4Three as part of a US lawsuit shows that a Facebook engineer had notified the social network giant in October 2014 that Russian IP addresses were accessing "three billion data points a day" on the network.

"British MPs joined together with fellow lawmakers from the parliaments of Argentina, Brazil, Canada, France, Ireland, Latvia and Singapore in an unusual move aimed at emphasising international solidarity on the issue," AFP reported.

The information was shared during an international hearing that parliament hosted on Tuesday to gather information on disinformation and "fake news."

The emails confirmed that Facebook was aware of the activities carried out by Russian threat actors in 2014 when they accessed a huge amount of data from the social media company.

“If Russian IP addresses were pulling down a huge amount of data from the platform was that reported or was that just kept, as so often seems to be the case, within the family and not talked about,” Collins asked Richard Allan, Facebook’s Vice President of Policy Solutions.

Allan, who represented the company at the hearing, replied that the information could be used to give a distorted interpretation of events.

“Any information you have seen… is at best partial and at worst potentially misleading” replied Allan. The emails were “unverified partial accounts”.

Allan also defended Facebook CEO Mark Zuckerberg, who has refused to appear before the British parliamentary inquiry.

Since the disclosure of the Cambridge Analytica privacy scandal and the alleged interference in the 2016 US presidential election, Facebook's data protection policies have been questioned by intelligence analysts and privacy advocates.

"While we were playing with our phones and apps, our democratic institutions… seem to have been upended by fratboy billionaires in California," Charlie Angus from Canada's House of Commons told Allan.

Catherine Morin-Desailly from the French Senate described Facebook's data protection approach as "a scandal", and other lawmakers condemned the way Facebook shared user data with third-party companies.

Pierluigi Paganini

(Security Affairs – Facebook, fake news)

The post British MP: Facebook was aware about Russian activity at least since 2014 appeared first on Security Affairs.

Kaspersky Lab official blog: Dangerous liaisons: How relatives and friends give away your secrets

Increasingly, modern technologies are helping people’s secrets move into the public domain. There are many such examples, from massive leaks of personal data to the online appearance of private (and even intimate) photos and messages.

This post will leave aside the countless dossiers kept on every citizen in the databases of government and commercial structures — let’s naively assume that this data is reliably protected from prying eyes (although we all know it isn’t). We shall also discard the loss of flash drives, hacker attacks, and other similar (and sadly regular) incidents. For now, we’ll consider only user uploads of data on the Internet.

The solution would seem simple — if it’s private, don’t publish it. But people are not fully in control of all of their private data; friends or relatives can also post sensitive information about them, sometimes without their consent.

Public genes

The information that goes public might be close to the bone, quite literally. For example, your DNA might appear online without your knowledge. Online services based on genes and genealogy, such as 23andMe, Ancestry.com, GEDmatch, and MyHeritage, have been gaining in popularity of late (incidentally, MyHeritage suffered a leak quite recently, but that’s a topic for a separate post). Users voluntarily hand over a biomaterial sample to these services (saliva or a smear from the inside of the cheek), on which basis their genetic profile is determined in the lab. This can be used, for example, to trace a person’s ancestry or establish genetic predisposition to certain diseases.

Confidentiality is not on the agenda. Genealogical services work by matching profiles with ones already in their database (otherwise, family members will not be found). Users occasionally disclose information about themselves voluntarily for the same reason: so that relatives also using the service can find them. An interesting nuance is that clients of such services simultaneously publish the genealogical information of family members who share their genes. These relatives might not actually want people to track them down, especially based on their DNA.

The benefits of genealogical services are undeniable and have resulted in more than a few happy family reunions. However, it should not be forgotten that public genetic databases can be misused.

Brotherly love

At first glance, the problem of storing genetic information in a public database might seem contrived, with no practical consequences. But the truth is that genealogical services and biomaterial samples (a piece of skin, nail, hair, blood, saliva, etc.) can, under certain circumstances, help identify a person, without so much as a photograph.

The reality of the threat was highlighted in a study published in October in the journal Science. One of the authors, Yaniv Erlich, knows firsthand the ins and outs of this industry; he works for MyHeritage, which provides DNA analysis and family tree services.

According to the research, roughly 15 million people to date have undergone a genetic test and had a profile created in electronic form (other data indicate that MyHeritage alone has more than 92 million users). Focusing on the United States, the researchers predicted that public genetic data would soon allow any American with European ancestry (a very large proportion of those so far tested) to be identified by their DNA. Note that it makes no difference whether the subject initiated the test or whether it was done by a curious relative.

To show how easy DNA identification really is, Erlich’s team took the genetic profile of a member of a genome research project, punched it into the database of the GEDmatch service, and within 24 hours had the name of the owner of the DNA sample, writes Nature.

The method has also proved useful to law enforcers, who have been able to solve several dead-end cases thanks to genealogical online services.

How the DNA chain unmasked a criminal

This past spring, after 44 years of unsuccessful searching, a 72-year-old suspect in a series of murders, rapes, and robberies was arrested in California. He was fingered by genealogical information available online.

Lab analysis of biomaterial found at the crime scene resulted in a genetic profile that met the requirements of public genealogical services. Acting as regular users, the detectives then ran the file through the GEDmatch database and compiled a list of likely relatives of the criminal.

All of the matches — more than a dozen in all — were rather distant relatives (none closer than a second cousin). In other words, these people all had common ancestry with the criminal tracing back to the early nineteenth century. As described by the Washington Post, five genealogists armed with census archives, newspaper obituaries, and other data then proceeded to move from these ancestors forward in time, gradually filling in empty slots in the family tree.

A huge circle of distant but living relatives of the perpetrator was formed. Discarding those who did not fit the age, sex, and other criteria, the investigators eventually homed in on the suspect. The detective team then followed him, got hold of an object with a DNA sample on it, and matched it against the material found at the crime scene many years before. The DNA in the samples was the same, and 72-year-old Joseph James DeAngelo was arrested.

The case spotlighted the main benefit of genealogical online public services over the DNA databases of law-enforcement agencies from the viewpoint of investigators. The latter databases store information only on criminals, whereas the former are full of noncriminal users who cast a virtual net over their relatives.

Now imagine that a person is wanted not by the law, but by a criminal group — maybe an accidental witness or a potential victim. The services are public, so anyone can use them. Not so good.

Incriminating tags

DNA-based searches using public services are still fairly niche. Besides creating genetic profiles, a more common way for well-meaning friends and relatives to inadvertently reveal your whereabouts to criminals, law-enforcement agencies, and the world at large is through the ubiquitous practice of tagging photos, videos, and posts on social media.

Even if no ill-wishers are looking for you, these tags can cause embarrassment. Let’s say a carefree lab technician decides to upload photos from a lively staff party and tags everyone in it, including a distinguished professor. The photos immediately and automatically pop up on the latter’s page, undermining his authority in the eyes of students.

A careless post such as this could well lead to dismissal or worse for the person tagged. By the way, any information in social networks can readily form the missing link in the type of search described above, using the public databases of genealogical services.

How to configure tagging

Social networks allow users to control tags and mentions of themselves to varying degrees. For example, Facebook and VK.com let you remove tags from photos published by others and limit the circle of people who can tag you or view materials with tags of you. Facebook users can keep the photos they upload from being seen by friends of people tagged in them, and the VK.com privacy settings let users create a white list of users allowed to view photos with tagged individuals.

Curiously, Facebook not only encourages users to tag friends through hints generated by face-recognition technology (this feature can be disabled in the account settings), but also helps to control their privacy: The social network sends a notification if that technology spots you in someone else’s pic.

As for Instagram, this is what it has to say on the matter: All people, except those you have blocked, can tag you in their photos and videos. That said, the social network lets you choose whether photos with you tagged appear on your profile automatically or only after your approval. You can also specify who can view these posts in your profile.

Despite these functions offering partial control over where and when you pop up, the potential threats are still numerous. Even if you slap a ban on people tagging you in pictures, your name (including a link to the page) might still be mentioned in the description or comments on a photo. That means that the photo is still linked to you, and keeping track of such leaks is near impossible.

With friends like these

Friends and relatives aren’t the only ones who might give away your secrets to third parties. Technologies themselves can also do it, for example, because of the peculiarities of the recommendations system.

VK.com suggests friending people with whom users have mutual friends in the social network. Meanwhile, the Facebook algorithm is far more active in its search for candidates, sometimes recommending fellow members of a particular group or community (school, university, organization). In addition, the friend-selection process employs users’ contact information uploaded to Facebook from mobile devices. However, Facebook does not disclose all of the criteria by which its algorithm selects potential friends, and sometimes you may be left guessing about how it knows about your social connections.

How does this relate to privacy? Here’s an example. In a particularly awkward case, the system recommended unacquainted patients of a psychiatrist to each other — and one of them even divined what they had in common. Health-related data, especially psychiatric, is among the most sensitive there is. Not many would voluntarily agree to it being stored on social media.

Similar cases were cited in a US Senate Committee appeal to Facebook following the Senate hearing in April 2018 on Facebook users’ privacy. In its response, the company did not comment on cases involving patients, listing only the abovementioned sources of information for its friend-suggestion algorithm.

What next?

The Internet already stores far more social and even biological information about us than we might imagine. And one reason we can’t always control it is simply that we don’t know about it. With the advance of new technologies, it is highly likely that the very concept of private data will soon become a thing of the past — our real and online selves are becoming increasingly intertwined, and any secret on the Internet will be outed sooner or later.

However, the problem of online privacy has been raised lately at the level of governments worldwide, so perhaps people can still find a way to fence themselves off from nosy outsiders.



Kaspersky Lab official blog

A UK Commons Committee Chair Says He’s Seen Evidence a Facebook Engineer Flagged Russian Entities Pulling Billions of Points of Data Every Day in 2014

A UK Commons committee chair claims a seized trove of Facebook documents reveals that a company engineer flagged Russian "entities" were using a Pinterest API to pull billions of points of Facebook data every day in 2014. From a report: Damian Collins appeared to use parliamentary privilege to outline the detail from the sealed documents, during a fiery session of questioning of Facebook executive Richard Allan before the first sitting of the "international grand committee on disinformation and fake news" in London on Tuesday. The most contentious moment came during an exchange between Allan and the chair of the committee over what's alleged to be in a set of documents that are subject to the protective order of a California court. During the questioning of Allan on Tuesday, Collins said the emails would not be released. But he did outline details from an alleged incident which, if true, would raise further questions about how Facebook responded to learning about data being taken from the platform. "An engineer at Facebook notified the company in October 2014 that entities with Russian IP addresses have been using a Pinterest API key to pull over 3 billion data points a day," Collins said. "Now was that reported to any external body at the time?" Allan dismissed the claim by focusing on the source of the information, Six4Three, labelling it a "hostile litigant." Further reading: Facebook Exec Admits Zuckerberg Not Appearing Before UK Parliament Doesn't Look Great (CNBC); 'The Problem is Facebook,' Lawmakers From Nine Countries Tell Zuckerberg's Accountability Stand-in (TechCrunch); and "When You Get That Wealthy, You Start to Buy Your Own Bullshit": The Miseducation of Sheryl Sandberg (VanityFair).

Read more of this story at Slashdot.

Security Affairs: UK Parliament seized confidential Facebook docs to investigate its data protection policies.

The UK Parliament has seized confidential Facebook documents from the developer of a now-defunct bikini photo search app in order to investigate the social network's data protection policies.

A British lawmaker obliged a visiting tech executive to hand over the files ahead of an international hearing that parliament is hosting on Tuesday to gather information on disinformation and "fake news."

Committee Chairman Damian Collins obtained and reviewed the documents relating to Facebook that parliament's Digital, Culture, Media and Sport Committee received from the app maker Six4Three.

“Under UK law & parliamentary privilege we can publish papers if we choose to as part of our inquiry.”

Six4Three acquired the files, related to a period between 2013 and 2014, as part of a U.S. lawsuit against Facebook.

The authorities are investigating the Facebook privacy policy changes of 2015 that led Six4Three to shut down its app, Pikinis, which let users find photos of their friends in bikinis and bathing suits by searching their friends list.

Collins aims to demonstrate how abuses of Facebook data could feed misinformation campaigns and interference in political elections.

Facebook executive Richard Allan will have to answer the questions of lawmakers from seven countries, who are preparing to grill him at the committee's hearing in London on Tuesday. Facebook CEO Mark Zuckerberg has refused to attend.

"The U.K. committee used its powers to compel the chief executive of Six4Three, Theodore Kramer, who was on a business trip to London, to turn over the files, according to parliamentary records and news reports," the AP agency reported.

“The committee twice requested that Kramer turn over the documents. When he failed to do so, Kramer was escorted to parliament and told he risked imprisonment if he didn’t hand them over, the Observer newspaper reported.”

Facebook opposes the disclosure of the files; a judge in California ordered them sealed earlier this year.

Allan informed Collins via email that the judge is expected to give guidance on the legal status of the documents as early as Monday.

“Six4Three’s claims are entirely meritless,” Facebook said in a statement.

Last week, Facebook announced it would appeal the fine imposed for failing to protect users' privacy in the Cambridge Analytica scandal. The political consultancy firm Cambridge Analytica improperly collected the data of 87 million Facebook users and misused it.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

The social network giant maintains that UK regulators failed to prove that British users were directly affected.

Britain's Information Commissioner's Office (ICO) also found that the company failed to be transparent about how people's data was harvested by others.

According to the ICO, even after the misuse of the data was discovered in December 2015, the company did not do enough to ensure that those who continued to hold it had taken adequate and timely remedial action, including deletion. Other companies, such as the SCL Group, continued to access Facebook users' data and were able to access the platform until 2018.

Facebook considers the fine unacceptable, arguing that many practices online are commonly accepted even though they threaten users' privacy.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post UK Parliament seized confidential Facebook docs to investigate its data protection policies. appeared first on Security Affairs.


Facebook Watch, a YouTube Competitor, is Pivoting To Older Audiences as Teens Tune Out and Publishers Balk

As Facebook struggles to find an audience for its YouTube competitor, Watch, the company has been talking to some media companies about focusing its efforts on audiences 30 years and older instead of teens and younger millennials. From a report: The move signals more troubles for Facebook's video ambitions. Expansion in video, messaging, and Stories is key for the future of Facebook, CEO Mark Zuckerberg said during a call with analysts in October.

Read more of this story at Slashdot.

UK Parliament Seizes Facebook’s Internal Documents

Facebook’s internal documents seized by the UK Parliament to investigate privacy practices

As a part of an investigation into the Cambridge Analytica scandal, the UK Parliament has used its legal powers to seize a cache of internal Facebook documents, according to The Observer, which first reported the story.

It is alleged that the documents contain significant revelations about Facebook decisions on data and privacy controls that caused the Cambridge Analytica scandal, including correspondence between Facebook CEO Mark Zuckerberg and company executives.

Damian Collins, chairman of the Commons Digital, Culture, Media and Sport (DCMS) Committee, used a rare parliamentary mechanism to compel Ted Kramer, the founder of Six4Three, a US app software company, who was on a business trip in London last week, to hand over the documents.

Kramer was given a final warning and a two-hour deadline to comply with the order, which was delivered by a serjeant at arms.

When Kramer failed to produce the documents within the prescribed two-hour deadline, he was escorted to Parliament and warned that he could face fines or imprisonment.

“We are in uncharted territory. This is an unprecedented move but it’s an unprecedented situation. We’ve failed to get answers from Facebook and we believe the documents contain information of very high public interest,” Collins said.

“We have very serious questions for Facebook. It misled us about Russian involvement on the platform. And it has not answered our questions about who knew what, when with regards to the Cambridge Analytica scandal.

“We have followed this court case in America and we believed these documents contained answers to some of the questions we have been seeking about the use of data, especially by external developers.”

Apparently, Six4Three is involved in a legal case against Facebook in the U.S., where the documents were obtained through legal procedures. The company had invested $250,000 in Facebook and claims that the media giant exploited its privacy policy.

The social networking giant has asked the DCMS committee to refrain from reviewing those documents, as they are subject to a protective order in the U.S.

“The materials obtained by the DCMS committee are subject to a protective order of the San Mateo Superior Court restricting their disclosure,” Facebook told the Observer.

“We have asked the DCMS committee to refrain from reviewing them and to return them to counsel or to Facebook. We have no further comment.”

Apparently, since the files are subject to an order of the California superior court, they cannot be made public in the U.S.

However, since the summons was issued in the UK, where Parliament’s authority prevails, the Six4Three founder was obliged to hand over the documents. It is believed that the founder has informed both Facebook and the Californian court in the US.

The post UK Parliament Seizes Facebook’s Internal Documents appeared first on TechWorm.

Facebook appeals UK fine in Cambridge Analytica privacy Scandal

Facebook appeals 500,000-pound fine for failing to protect users’ personal information in the Cambridge Analytica scandal.

Facebook is appealing the fine for failing to protect the privacy of its users in the Cambridge Analytica scandal. Political consultancy firm Cambridge Analytica improperly collected the data of 87 million Facebook users and misused it.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

Now Facebook maintains that U.K. regulators failed to prove that British users were directly affected.

Britain’s Information Commissioner Office also found that the company failed to be transparent about how people’s data was harvested by others.

According to the ICO, even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure that those who continued to hold it had taken adequate and timely remedial action, including deletion. Other companies continued to access Facebook users’ data, such as the SCL Group, which was able to access the platform until 2018.

Facebook considers the fine unacceptable because many practices that are commonly accepted online threaten the privacy of users in the same way.

“Their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal,” explained the Facebook lawyer Anna Benckert.

“For example, under ICO’s theory people should not be allowed to forward an email or message without having agreement from each person on the original thread. These are things done by millions of people every day on services across the internet.”

Pierluigi Paganini

(Security Affairs – Cambridge Analytica, Facebook)

The post Facebook appeals UK fine in Cambridge Analytica privacy Scandal appeared first on Security Affairs.

Bug Bounty: Earn $40,000 for hacking Facebook, Instagram or WhatsApp

By Waqas

Facebook has launched a new bug bounty program inviting hackers to identify and report vulnerabilities in its website and applications. The social network has increased payouts and offers researchers to look for vulnerabilities in a wide variety of products owned by Facebook including Instagram, WhatsApp, and Oculus. The company will only consider reports that can lead […]

This is a post from HackRead.com. Read the original post: Bug Bounty: Earn $40,000 for hacking Facebook, Instagram or WhatsApp

After Initially Calling The New York Times’ Report False, Facebook Confirms Most Claims Made in the Story

Nellie Bowles and Zach Wichter, reporting for The New York Times: Joining a long tradition of companies and campaigns that drop bad news on holidays, Facebook on Thanksgiving eve took responsibility for hiring a Washington-based lobbying company, Definers Public Affairs, that pushed negative stories about Facebook's critics, including the philanthropist George Soros. Facebook's communications and policy chief, Elliot Schrage, said in a memo posted Wednesday that he was responsible for hiring the group, and had done so to help protect the company's image and conduct research about high-profile individuals who spoke critically about the social media platform. Mr. Schrage will be leaving the company, a move planned before the memo was released. Facebook fired Definers last week, after a New York Times investigation published on Nov. 14. "Did we ask them to do work on George Soros?" Mr. Schrage wrote in the memo, a draft of which had circulated online earlier in the week. "Yes." He added: "I'm sorry I let you all down. I regret my own failure here." This is a change from just a few days ago, when Facebook wrote on Nov. 15 that the Times report was full of "inaccuracies." The same day, Sheryl Sandberg, the company's chief operating officer, posted on her Facebook page that she had no idea the company had hired Definers.

Read more of this story at Slashdot.

Hack Facebook or Instagram accounts and get paid up to $40,000

Facebook to pay up to $40,000 for finding ways to hack Facebook or Instagram accounts

Facebook has been going through a rough patch this year after suffering two severe security breaches that affected millions of its users.

While Facebook pays millions of dollars every year to researchers and bug hunters who find security holes in its products and organization, it is still suffering security breaches. Facebook has been running its Bug Bounty program since 2011.

Now, in order to step up its efforts to tighten the security of the platform, Facebook on Tuesday announced in a post that it has increased the average payout for account takeover vulnerabilities so as “to encourage security researchers to work on finding high-impact issues”.

The announcement further read, “The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.

“This change applies to all products owned by Facebook, including Instagram, WhatsApp, and Oculus.

“Further, we will not require a full exploit chain in cases where leveraging the vulnerability requires bypassing our Linkshim mechanism.

“While monetary reward may not be the strongest incentive for why bug bounty researchers hack, we believe it remains a strong motivator for our white hat researchers to invest time in helping us identify and mitigate vulnerabilities. We encourage researchers to share their proof of concept reports with us without having to also discover bypasses for Facebook defense mechanisms.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high-quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.”

For those unaware, earlier this year the Facebook–Cambridge Analytica data scandal saw the personal information of 87 million Facebook users harvested by Cambridge Analytica without their consent and used for political purposes.

Later, in September this year, Facebook discovered a major security issue that allowed hackers to access information that could let them take over around 50 million accounts.

Source: Facebook 

The post Hack Facebook or Instagram accounts and get paid up to $40,000 appeared first on TechWorm.

Facebook And Instagram Went Down Due To A Server Bug

Facebook makes it into the news once again for troubling users globally. Supposedly, Facebook users have faced trouble with Instagram

Facebook And Instagram Went Down Due To A Server Bug on Latest Hacking News.

Phishers Up Their Game to Combat User Awareness

In an attempt to undermine the security industry’s effort to educate end users about phishing campaigns, malicious actors are evolving in their tactics, according to Zscaler. In a recent blog

The post Phishers Up Their Game to Combat User Awareness appeared first on The Cyber Security Place.

Smashing Security #105: Facebook, Nietzsche, Tesla, and Nicole

Tesla takes customer service a step too far, is it a romantic gesture or stalking when you email 246 women called Nicole, and Carole finds herself in a Facebook dilemma.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.

Facebook increases rewards for its bug bounty program and facilitates bug submission

Facebook has updated its bug bounty program, increasing the overall rewards for security flaws that could be exploited to take over accounts.

Facebook has announced an important change to its bug bounty program: the social media giant will pay out as much as $40,000 for vulnerabilities that can be exploited to hack into accounts without user interaction.

The Facebook bug bounty program also covers other companies owned by the social network giant, including Instagram, WhatsApp, and Oculus.

Vulnerabilities whose exploitation requires minimal user interaction will be paid $25,000.

“The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.” reads the post published by Facebook.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.” 

Increasing Bounties for Account Takeover Vulnerabilities: Since 2011, our Bug Bounty program has been among the most…

Posted by Facebook Bug Bounty on Tuesday, November 20, 2018

Bug bounty programs are becoming crucial for companies to assess their products and infrastructure and to avoid data breaches.

In September, a vulnerability in the ‘View As’ feature allowed hackers to steal access tokens that could be used to hijack accounts and access third-party apps that used Facebook as an authentication platform.

Facebook revealed that hackers accessed the data of 29 million users, fewer than the 50 million initially thought.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they controlled directly, then expanded their activity to the networks of those accounts.

Facebook aims to encourage white hat hackers to report critical flaws in the social media platform by increasing the awards of its bug bounty program and simplifying the process for reporting account takeover issues.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.” concludes Facebook.

Pierluigi Paganini

(Security Affairs – Hacking, Facebook bug bounty program)

The post Facebook increases rewards for its bug bounty program and facilitates bug submission appeared first on Security Affairs.

14 Years of Mark Zuckerberg Saying Sorry, Not Sorry

Do you trust Mark Zuckerberg? The Washington Post: From the moment the Facebook founder entered the public eye in 2003 for creating a Harvard student hot-or-not rating site, he's been apologizing. So we collected this abbreviated history of his public mea culpas. It reads like a record on repeat. Zuckerberg, who made "move fast and break things" his slogan, says sorry for being naive, and then promises solutions such as privacy "controls," "transparency" and better policy "enforcement." And then he promises it again the next time. You can track his sorries in orange and promises in blue in the timeline by The Washington Post. Mark Zuckerberg, in an interview with CNN Business on Tuesday: Zuckerberg resisted growing calls for changes to Facebook's C-suite, reiterated Facebook's potential as a force for good, and pushed back at some of the unrelenting critical coverage of his company after a year of negative headlines about fake news, election meddling and privacy concerns. "A lot of the criticism around the biggest issues has been fair, but I do think that if we are going to be real, there is this bigger picture as well, which is that we have a different world view than some of the folks who are covering us," Zuckerberg told CNN Business' Laurie Segall at Facebook's headquarters in Menlo Park, California. "There are big issues, and I'm not trying to say that there aren't," he said. "But I do think that sometimes, you can get the flavor from some of the coverage that that's all there is, and I don't think that that's right either."

Read more of this story at Slashdot.

Is your Facebook and Instagram down? Well, you are not alone

By Waqas

Another day, another service outage at social media giant Facebook and its subsidiary company Instagram. Yes, Facebook and Instagram have been hit by a worldwide service outage forcing both platforms to go offline. According to the outage map displayed on DownDetector, the scale of this outage can be seen affecting users in Brazil, Argentina, Peru, Colombia, Italy, […]

This is a post from HackRead.com. Read the original post: Is your Facebook and Instagram down? Well, you are not alone

Instagram’s download your data tool exposed users’ passwords to public view

By Waqas

Facebook somehow manages to make headlines one way or the other. Last week we were all praises for the social network for introducing the Unsend feature in the Messenger app and this week we are despising the company’s lack of interest in offering fool-proof security to its users after a bug in Instagram’s download your data tool. […]

This is a post from HackRead.com. Read the original post: Instagram’s download your data tool exposed users’ passwords to public view

86 Organizations Demand Zuckerberg To Improve Takedown Appeals

An anonymous reader quotes a report from Motherboard: An open letter to Mark Zuckerberg signed by 86 organizations and published on Tuesday implores Facebook to provide a clear, fast mechanism that allows users to appeal instances of content takedowns and account deactivations. The letter -- which was spearheaded by the Electronic Frontier Foundation, Article 19, Ranking Digital Rights, and the Center for Democratic Technology (CDT) -- expanded upon the Santa Clara Principles published earlier this year, which called for all social media platforms to improve their transparency and responsiveness to flagged posts and appeals for removed content. In April of this year, Facebook launched appeals for posts that are removed on grounds of nudity, hate speech, or graphic violence. The press release claims that one of Facebook's human content reviewers will review all appeals within 24 hours, and notify users if their appeal has been approved or denied. The open letter to Mark Zuckerberg also requests that all content takedown and deactivation appeals are reviewed by a human moderator, which Facebook claims that it already does. EFF Director of International Freedom of Expression, Jillian York, believes the undercurrent of content moderation on social media is the censorship or restriction of speech towards marginalized groups. "There are accounts, [and] there is content that is taken down frequently from social media, and we don't hear those stories as much because they're often overshadowed by the pushes for hate speech to come down," York said. "I respect the people doing that work, I think it's really important. But really, the thing about appeals is they work in every case. So if someone breaks the rules for hate speech and they appeal, they're not gonna get their account restored. But if someone who should not have had their account taken down in the first place, appeals are the right solution to that."

Read more of this story at Slashdot.

Facebook Claims NYT Expose Has ‘A Number of Inaccuracies’

Earlier today, Facebook issued a response to a New York Times report on the social media company's handling of the many scandals it faced last year, including Russian interference and the Cambridge Analytica scandal. "There are a number of inaccuracies in the story," Facebook said in a point-by-point blog post, including that the company was aware of Russian meddling on the social platform months before taking any action. Variety reports: Facebook said it has "acknowledged publicly on many occasions" that "we were too slow to spot Russian interference on Facebook, as well as other misuse." But Facebook denied the allegation in the Times report that the company knew about Russian activity as early as the spring of 2016 and had failed to actively investigate it. The company cited CEO Mark Zuckerberg's congressional testimony from April 2018, in which he said Facebook detected threats related to Russia only in the weeks leading up to the U.S. election in November 2016. When it identified fake accounts that were used to furnish stolen information to journalists, "we shut these accounts down for violating our policies," Zuckerberg testified. Meanwhile, Facebook in October 2017 enlisted Washington, D.C.-area PR firm Definers Public Affairs, founded by Republican political strategists, as part of its crisis response to dealing with the Russia fallout. Among other activities, Definers launched a campaign linking Facebook critics to liberal billionaire George Soros, a common tactic used by anti-Semitic alt-right groups. At the same time, Facebook lobbied the Anti-Defamation League to portray other critics of the company as anti-Semitic, per the Times report. On Thursday, Facebook said it terminated its contract with Definers on Nov. 14 after the Times story was published. Facebook acknowledged that Definers "did encourage members of the press to look into the funding" of Freedom From Facebook, an anti-Facebook organization that has called for the company's breakup.
"The intention [of the Definers' efforts] was to demonstrate that it was not simply a spontaneous grassroots campaign, as it claimed, but supported by a well-known critic of our company. To suggest that this was an anti-Semitic attack is reprehensible and untrue," Facebook said.

Read more of this story at Slashdot.

Facebook Reportedly Hired a PR Firm That Wrote Negative Articles About Rivals, Pushed George Soros Conspiracy Theory

According to a recently-published report in the New York Times, Facebook hired a public relations firm last year that wrote dozens of articles critical of rivals Google and Apple and pushed the idea that liberal financier George Soros was behind a growing anti-Facebook movement. "Facebook expanded its relationship with Definers Public Affairs in October 2017 after enduring a year's worth of external criticism over its handling of Russian interference on its social network," CNBC summarizes. From the report: The firm reportedly wrote articles that blasted Google and Apple while downplaying the impact of Russian interference on Facebook. Those articles were published on NTK Network, an affiliate of the firm whose content is often followed by politically conservative outlets, including Breitbart, the report says. Definers Public Affairs also reportedly pressed reporters to explore Soros' financial connections with groups that protested Facebook at Congressional hearings in July. Facebook's relationship with Definers Public Affairs was outlined as part of a broader report that looked at the company's handling of numerous scandals over the past three years, including Russian interference and the Cambridge Analytica scandal in March. Other revelations in the report include Sheryl Sandberg's apparent fury when the former security chief told the board of directors in fall 2017 about the full extent of Russian interference on the platform, and Mark Zuckerberg ordering managers to use Android phones after Apple CEO Tim Cook criticized the company's approach to privacy earlier this year.

Read more of this story at Slashdot.

Facebook flaw could have exposed private info of users and their friends

Security experts from Imperva reported a new Facebook flaw that could have exposed private info of users and their friends.

A new security vulnerability has been reported in Facebook; the flaw could have been exploited by attackers to obtain certain personal information about users and their network of contacts.

The recently discovered issue once again raises concerns about the privacy of the social network giant’s users.

The vulnerability was discovered by security experts from Imperva; it resides in the way Facebook’s search feature displays results for the queries provided by users.

The good news for Facebook users is that this flaw has already been patched, and it did not allow attackers to scrape the social network for users’ information at scale.

The page used to display the results of a user’s query includes an iframe element for each result; the experts discovered that the URLs of those iframes were vulnerable to cross-site request forgery (CSRF) attacks.

Exploiting the flaw was quite simple: an attacker only needed to trick users into visiting a specially crafted website in a browser where they were already logged into their Facebook accounts.

The website includes JavaScript that runs in the background when the victim clicks anywhere on the page.

“For this attack to work we need to trick a Facebook user to open our malicious site and click anywhere on the site, (this can be any site we can run JavaScript on) allowing us to open a popup or a new tab to the Facebook search page, forcing the user to execute any search query we want.” reads the analysis published by Imperva.

“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.

By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.”

By searching for something like “pages I like named `Imperva`”, the experts noticed they could force the social network to return one result if the user liked the Imperva page and zero results if not.

By composing specific queries it was possible to extract data about the user’s friends; below are some interesting examples of queries provided by the experts:

  • Check if the current Facebook users have friends from Israel: https://www.facebook.com/search/me/friends/108099562543414/home-residents/intersect
  • Check if the user has friends named “Ron”: https://www.facebook.com/search/str/ron/users-named/me/friends/intersect
  • Check if the user has taken photos in certain locations/countries: https://www.facebook.com/search/me/photos/108099562543414/photos-in/intersect
  • Check if the current user has Islamic friends: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/intersect
  • Check if the current user has Islamic friends who live in the UK: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/106078429431815/residents/present/intersect
  • Check if the current user wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_me%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies
  • Check if the current user’s friends wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_friends%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies

Below is the video PoC published by Imperva:

The process can be repeated without the need to open new popups or tabs, because the attacker’s page can control the location property of the Facebook window it opened.

Experts pointed out that mobile users are particularly exposed to this kind of attack because it is easy for them to forget about windows left open in the background, allowing attackers to extract the results of multiple queries.

Imperva reported the flaw to Facebook through the company’s vulnerability disclosure program in May 2018, and the social network addressed the problem within a few days by implementing CSRF protections.

Pierluigi Paganini

(Security Affairs – BCMPUPnP_Hunter botnet, hacking)

The post Facebook flaw could have exposed private info of users and their friends appeared first on Security Affairs.

Secret Sister scam returns in time for Christmas

The festive season may be imminent, but it’s a Facebook Secret Sister (not Santa) you have to steer clear of. Secret Sister has been a mainstay of Yuletide scams since at least 2015, and has come back around once more. But what is it?

Your office probably has a Secret Santa scheme in place. You draw names from a hat, and you secretly buy the named person a gift. It’s all pretty straightforward, and a great source of unwanted deodorants and novelty kitchenware. Secret Sister isn’t quite as nice, and could drop you in a great deal of trouble. You probably won’t even get your hands on the deodorant.

How the scam works

Usually, chain letters of the Secret Sister variety are jammed through your front door. In this case, the chain letter lands in your digital mailbox as opposed to your real one. You could in theory receive one of these anywhere, and people have reported receiving them everywhere from Reddit and Facebook to various social portals and forums. For whatever reason, Facebook seems to be the scammer’s favourite place to get the ball rolling on this particular scam. The possibility of being able to send it pinging around large social connection chains is too good to resist.

Secret Sister sample 

The messages can vary wildly, but one of the most popular ones going back a year or so reads as follows:

Anyone interested in a Holiday Gift exchange? I don’t care where you live – you are welcome to join. I need 6 (or more) ladies of any age to participate in a secret sister gift exchange. You only have to buy ONE gift valued at $10 or more and send it to one secret sister and you will receive 6-36 in return!

Let me know if you are interested and I will send you the information!

Please don’t ask to participate if you are not willing to spend the $10.

TIS THE SEASON! and its getting closer. COMMENT if You’re IN and I will send you a private message. Please don’t comment if you are not interested and aren’t willing to send the gift!

It might sound promising to many people reading it, but it really won’t do you much good.

From chains to pyramids

Chain letters are essentially pyramid schemes. Pyramid schemes involve funneling money from bottom to top of the pyramid, benefiting those at the top and not many others. If you’re there from the get-go, your chances of making a good return increase somewhat. For everyone else, you’re probably going to lose out.

Where this becomes complicated, in the US at least, is that these schemes tend to resemble gambling. This means you could easily end up breaking the law. From the US Postal Inspectors website:

They’re illegal if they request money or other items of value and promise a substantial return to the participants. Chain letters are a form of gambling, and sending them through the mail (or delivering them in person or by computer, but mailing money to participate) violates Title 18, United States Code, Section 1302, the Postal Lottery Statute.

Secret Sister data harvesting

You definitely won’t receive a pile of free gifts. However, you could be dragged into some sort of dubious postal scam with mail fraud penalties instead. There’s also the risk of identity theft to consider. Mail fraud scammers typically ask for various pieces of personal information. You could end up handing them your name, address, phone number, alongside a variety of online profiles to tie them to. This could be all an enterprising criminal needs to do some additional damage, especially if they persist in branching out from your profile to those of your friends.

No matter how appealing the prospect of easy free gifts sounds as 2018 slowly draws to a close, don’t fall for it. These types of antics have been around for a long time, and moving into the digital realm doesn’t make them any safer. If you’re not based in the US, you may not have the legal worry to deal with as a result, but that’s scant consolation.

Our advice is to stick to Secret Santa, and give his sister nothing more than a Return to Sender.

The post Secret Sister scam returns in time for Christmas appeared first on Malwarebytes Labs.

Facebook Messenger to offer Unsend feature to delete sent messages

By Waqas

Facebook has made many efforts so far to refine its Messenger app. This year in May, Facebook CEO Mark Zuckerberg along with other executives of the social network admitted that the Facebook Messenger has to be refined since the current app contained many useless features while lacked critically important ones. Such as, its UI could […]

This is a post from HackRead.com Read the original post: Facebook Messenger to offer Unsend feature to delete sent messages

Facebook is the least-trusted major tech company- study

Facebook Is the Least Trusted Major Tech Company Among Americans For Protecting Personal Data, Suggests Polls

Facebook, the social networking giant, has been voted the least trustworthy tech company, according to a recent survey conducted by Fortune. Facebook faces increasing scrutiny for its handling of data privacy, ad targeting, and propaganda, and that scrutiny has left its users trusting the company the least.

According to the survey, only 22 percent of Americans trust Facebook with their personal information out of all major tech companies. On the other hand, Amazon with 49 percent ranks the highest in terms of trust, followed by Google (41 percent), Microsoft (40 percent), and Apple (39 percent).

“Facebook is in the bottom in terms of trust in housing your personal data,” said Harris Poll CEO John Gerzema. “Facebook’s crises continue rolling in the news cycle.” The poll was carried out by Harris Poll on behalf of Fortune in mid-October that surveyed over 2,000 U.S. adults.

This obvious lack of trust, which is mainly driven by factors such as leadership, ethics, trust, and image, is bad news for Facebook. The Cambridge Analytica scandal earlier this year, in which up to 87 million Facebook users’ data was shared without their permission, along with the September data breach in which roughly 50 million of its users’ data was exposed through an attack on its network, has only contributed to Facebook’s low rankings.

Additionally, 48 percent of those who took the survey admitted to viewing Facebook more negatively than six months ago.

According to the survey, only 59 percent of respondents said they were “at least somewhat confident” in Zuckerberg’s leadership in the ethical use of data and privacy information. With 77 percent, Amazon CEO Jeff Bezos came in first, followed by Apple’s CEO Tim Cook at 72 percent, Microsoft’s CEO Satya Nadella at 71 percent, and Google’s CEO Sundar Pichai at 68 percent.

“That would be a C or D in grade school,” Gerzema said about Zuckerberg.

Facebook declined to comment on the poll. The company instead pointed to recent remarks made by Zuckerberg where he said that Facebook continues to invest in security and that its defenses are improving.

Not only the Facebook users, but some of the company’s major investors too are disappointed by Zuckerberg. Last month, several major public investment funds had proposed removing Zuckerberg as the company’s chairman of the board.

Source: PYMTS

The post Facebook is the least-trusted major tech company- study appeared first on TechWorm.

Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends

In a previous blog we highlighted a vulnerability in Chrome that allowed bad actors to steal Facebook users’ personal information; and, while digging around for bugs, we thought it prudent to see if there were any more loopholes that bad actors might be able to exploit.

What popped up was a bug that could have allowed other websites to extract private information about you and your contacts.

Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved.

Identifying the Threat

Throughout the research process for the Chrome piece, I browsed Facebook’s online search results, and in their HTML noticed that each result contained an iframe element — probably used for Facebook’s own internal tracking. Being pretty familiar with the unique cross-origin behavior of iframes, I came up with the following technique:

To start, let’s take a look at the Facebook search page: it has an endpoint that expects a GET request with a number of search parameters. The endpoint, like most search endpoints, is not cross-site request forgery (CSRF) protected, which normally allows users to share the search results page via a URL.

This is fine in most cases since no action is being made by the user, making this CSRF attack meaningless by itself. The thing is, iFrames, unlike most web elements, are exposed in part to cross-origin documents; combine that with the search CSRF issue and you have a real problem on your hands.

Check out the proof of concept here:

Attack Flow

For this attack to work we need to trick a Facebook user into opening our malicious site (this can be any site we can run JavaScript on) and clicking anywhere on it, allowing us to open a popup or a new tab to the Facebook search page, forcing the user to execute any search query we want.

Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.

By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.

For example, by searching: “pages I like named `Imperva`” we force Facebook to return one result if the user liked the Imperva page or zero results if not:

Similar queries can be composed to extract data about the user’s friends. For example, by searching “my friends who like Imperva” I can check if the current user has any friends who like the Imperva Facebook page.

Other interesting examples of the kind of data it was possible to extract:

  • Check if the current Facebook users have friends from Israel: https://www.facebook.com/search/me/friends/108099562543414/home-residents/intersect
  • Check if the user has friends named “Ron”: https://www.facebook.com/search/str/ron/users-named/me/friends/intersect
  • Check if the user has taken photos in certain locations/countries: https://www.facebook.com/search/me/photos/108099562543414/photos-in/intersect
  • Check if the current user has Islamic friends: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/intersect
  • Check if the current user has Islamic friends who live in the UK: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/106078429431815/residents/present/intersect
  • Check if the current user wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_me%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies
  • Check if the current user’s friends wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_friends%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies

This process can be repeated without the need for new popups or tabs to be open since the attacker can control the location property of the Facebook window by running the following code:

This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site.
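One way a defender can reason about this leak, as an added example that is not part of the original post and not Imperva’s proof of concept or Facebook’s code: a constructed Python model of a results page whose frame count mirrors the result count, beside a hardened version that requires a session-bound token on the search and renders results without per-result iframes. All names, the profile data and the tracking URLs are hypothetical.

```python
"""Constructed model of the search-results frame-count leak and one way to
harden the endpoint. Added illustration only; every name is hypothetical
and the "profile" data is made up.
"""
import hashlib
import hmac
import re
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed profile for the logged-in victim: the pages they like.
USER_LIKES = {"imperva", "malwarebytes"}

# Hypothetical server-side secret used to bind search tokens to a session.
SESSION_SECRET = secrets.token_bytes(32)


def _matching_pages(query: str) -> List[str]:
    """Resolve a 'pages I like named X' query against the constructed profile."""
    m = re.fullmatch(r"pages i like named (\S+)", query.strip().lower())
    if not m:
        return []
    return [m.group(1)] if m.group(1) in USER_LIKES else []


def vulnerable_search_page(query: str) -> str:
    """Results page as the write-up describes it: a plain GET endpoint with
    no CSRF check, and one tracking <iframe> emitted per result."""
    rows = "".join(
        f'<div class="result">{p}<iframe src="/track?r={p}"></iframe></div>'
        for p in _matching_pages(query)
    )
    return f"<html><body><form>search</form>{rows}</body></html>"


def frames_length(html: str) -> int:
    """Stand-in for window.frames.length: the number of child browsing
    contexts is readable from a cross-origin opener, so this is the one
    signal an opener page can observe about the search results."""
    return len(re.findall(r"<iframe\b", html, flags=re.I))


def search_token(session_id: str) -> str:
    """Session-bound token that same-origin pages embed in search links.
    A cross-site navigation cannot obtain it, so it acts as a CSRF token."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_search_page(query: str, session_id: str, token: Optional[str]) -> str:
    """Two independent fixes, either of which closes the leak:
    1. a missing or wrong token yields a constant page with no results, so a
       forced cross-site search learns nothing;
    2. results are rendered without per-result <iframe>s (tracking via an
       <img> beacon instead), so frames.length is the same for 0 or N hits."""
    if token is None or not hmac.compare_digest(token, search_token(session_id)):
        return "<html><body><form>search</form></body></html>"
    rows = "".join(
        f'<div class="result">{p}<img src="/track?r={p}" alt=""></div>'
        for p in _matching_pages(query)
    )
    return f"<html><body><form>search</form>{rows}</body></html>"


def count_leaks(render: Callable[[str], str], queries: Iterable[str]) -> bool:
    """True if frames.length differs across the queries, i.e. the frame
    count still reveals something about the results."""
    counts = {frames_length(render(q)) for q in queries}
    return len(counts) > 1


if __name__ == "__main__":
    probes = ["pages I like named Imperva", "pages I like named Nobody"]
    sid = "victim-session"  # constructed session identifier
    print("vulnerable page leaks:", count_leaks(vulnerable_search_page, probes))
    print("hardened, cross-site (no token):",
          count_leaks(lambda q: hardened_search_page(q, sid, None), probes))
    print("hardened, same-origin (with token):",
          count_leaks(lambda q: hardened_search_page(q, sid, search_token(sid)), probes))
```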

As a researcher, it was a privilege to have contributed to protecting the privacy of the Facebook user community, as we continuously do for our own Imperva community.

The post Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends appeared first on Blog.

Smashing Security #103: An Instagram nightmare, crazy iPhone deaths, and election hack claims

One travel blogger finds you don’t have to be Kylie Jenner to be targeted by an Instagram hacker. When 40 iPhones at a hospital mysteriously die, what could be the explanation? And, surprise surprise, political parties in the USA are throwing around hacking accusations.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security’s Mark Stockley.

At What Age Should Kids Join Social Media?

Last week, I waved goodbye to my eldest son as he moved halfway across the world to study for a year. I was so emotional at the airport – I couldn’t talk! After many cups of tea and even more stares in an airport café, I had no more tears left and was finally able to pull it together. I must have looked like a crazy cat!

Letting go of our kids is tough. Whether it’s their first day of school, their first sleepover, their first girlfriend or boyfriend or their first social media account – these steps towards independence can be enough to send many of us into a tailspin.

How Do We Know When Our Kids Are Ready for More Independence?

Our main job as parents is to raise our kids to be independent, law-abiding individuals who are autonomous. But every child is different with some maturing far quicker than others. So, how do we know when our kids are ready for important life milestones, particularly joining social media?

What Does the Law Say?

While there is no Australian law that dictates the minimum age kids need to be to join social media, most social media platforms require their users to be 13 years old to set up an account. This is a result of a US federal law, the Children’s Online Privacy Protection Act (COPPA), which affects any social media platform that US citizens can join. It therefore affects nearly all social media platforms worldwide.

What Happens in Reality?

Rightly or wrongly, many kids join social media before the age of 13. Some do this with the consent of their parents, while many don’t. In recognition of the ‘reality of the situation’, many big-time social media players, including Mark Zuckerberg, have been critical of the COPPA legislation claiming it is unrealistic. Zuckerberg even committed to trying to get it overruled – so far, no news!

And this reality hasn’t escaped the attention of the big players. Earlier this month, Instagram released a parent’s guide in which they acknowledge that ‘many younger children (under 13) use the service, often with their parents’ permission’. The parent’s guide, produced in conjunction with US internet safety group Connect Safely, also advised parents that banning social media may not be the best solution to managing their teen’s digital socialising. Instead they suggest parents should ensure the lines of communication are always open so that they can work with their kids to find appropriate ways of managing their digital lives. Pretty sound advice if you ask me, but Instagram was criticised for offering self-serving advice and encouraging youngsters to get online.

What to Do?

As the mother of four boys, I can unreservedly tell you that a ‘one size fits all’ approach does not cut it when raising kids. Every child is different. Some kids are more robust and resilient while others are more sensitive and emotional. And that’s OK. The worst thing we can do as parents is assume milestones must be met at the same time everyone else’s children do.

Just like with toilet training, sleepovers and co-ed parties, you (as the parent) are the absolute best judge of when your child is ready for these key steps. And social media is no different. Yes, there is a plethora of advice from experts and ‘experienced’ parents to consider but ultimately, it’s your call as the parent.

What To Consider When Deciding When Your Child Should Join Social Media

So, here are some things to consider when deciding if, and when, your child should join social media. If your tween has already gone ahead and joined, then why not use these points to refine the current usage strategy?

1. Are They Ready?

Chances are your tween will be busting to get onto social media and will absolutely consider themselves ‘ready’! In fact, they may have already gone ahead and created their own profile without consulting you. But if they haven’t and you have a close connection with your kids, then you have a golden opportunity to assess their readiness.

You may decide that your under 13-year-old is mature enough and help them set up social media accounts and profiles. Many believe social media is an inevitable, unavoidable milestone and that it’s best to manage it proactively to avoid underground activity. You may require passwords to be shared and for posts to be approved before they are uploaded. If they have proved themselves to be trustworthy after a period of time, you may choose to be less involved.

However, if you have a child who is less mature and who tends to be anxious, you may insist they wait till 13. As we all know, it is not always pretty online. A certain level of resilience and a decent dose of perspective is essential to ride out the bumps. If there is any pushback from your tween then just talk a lot about the COPPA legislation!

2. Family Policy

If you have a tribe of kids, you may want to consider a family policy on the age your offspring can join social media. Although I am not a believer in ‘one size fits all’, I can tell you from experience that the perception of fairness in a family is very powerful. The arguments over who gets the bigger piece of cake or whose turn it is to sit in the front seat can drive you bonkers!

3. Workshop the ‘Likes Culture’ Before They Embark on their Social Media Careers

The quest to get likes online can become all-encompassing, particularly when you are navigating your way through your teenage years. Before your kids join up, please have several conversations about the dangerous ‘culture of likes’ that is pervading the online world. Likes are viewed as a measure of social acceptance for many teenagers. The number of likes they do (or don’t) receive can affect their self-esteem and confidence, which is very concerning. Please ensure your kids are NOT defined by the number of likes on a post and that this number is NOT reflective of their worth.

4. Set the Ground Rules

Regardless of whether your tween is about to embark on the social media journey or whether they have taken the advanced route, a family technology contract can be a great way of clarifying and formalising your expectations of both their social media usage and behaviour online. If you are looking for a good place to start, check out the contract that The Modern Parent uses. Obviously adapt it for your own situation and children’s needs, but ensure it covers key points including time spent online, sharing of personal information and what to do if a stranger tries to befriend you or if you receive online abuse.

Personally, I think 13 is a great age to kick off one’s social media career. I’m a fan of risk management and I really believe the older kids are, the better they can deal with complex online situations. But I also believe you should trust your gut as a parent. You may have a very mature 12-year-old, with a host of older siblings, who is busting to get on Instagram. Working with them to set up a profile, sharing passwords and mentoring them through their entrée to social media may be a much better option than pushing this inevitable step underground and off your radar.

So, over to you parents. This is your call! And just to inspire you a little more, let me just borrow some words from Scottish actor and father of 4 daughters, Ewan McGregor:

 ‘The thing about parenting rules is there aren’t any. That’s what makes it so difficult.’

Good luck!

Alex xx

The post At What Age Should Kids Join Social Media? appeared first on McAfee Blogs.

Russian hackers compromise 120 million Facebook accounts; private messages on sale online

Facebook has fallen victim to countless security breaches and November brings even more bad news for the social network. Russian hackers are selling private conversations of at least 81,000 Facebook accounts at 10 cents per account, writes the BBC.

According to the BBC Russian Service, which communicated with the hackers, the criminals claim to have the private conversations of 120 million accounts and, of course, they are willing to sell for the right price. Most of the accounts belong to users in Ukraine and Russia, but some come from other countries such as the UK, US and Brazil.

The data breach was detected in September when the hackers announced on a forum that “We sell personal information of Facebook users. Our database includes 120 million accounts.”

The IP address of the website has been linked to the dissemination of the LokiBot Trojan, malware that lets criminals steal user passwords.

Facebook claims the security of its messaging platform was not compromised, and blames malicious browser extensions such as games and bookmarking applications. If users didn’t hide their information, emails and phone numbers may have also been compromised.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.

“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”

The BBC Russian Service reached out to the hackers via the emails provided in the announcement, asking to buy the details of 2 million accounts. Following the email exchange, BBC says the hackers denied any relation to the Cambridge Analytica story or other hacks, and claimed they were not linked to the Russian government or Internet Research Agency.

Cyber Security Roundup for October 2018

Aside from Brexit, Cyber Threats and Cyber Attack accusations against Russia are very much on the centre stage of the UK government's international political agenda at the moment. The government publicly accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group. The NCSC said GRU hackers operated under a dozen different names, including Fancy Bear (APT28), and had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published 
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - Fontanka.ru and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment 
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported Cyber Security Incidents, and another report by the legal firm RPC said the average ICO fine had doubled, and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as they disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious Javascript code injected in an attack widely attributed to Magecart. Another airline, Cathay Pacific, also disclosed it had suffered a major data breach that impacted 9.4 million customers' personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014. Morrisons said it would now appeal to the Supreme Court. If that appeal fails, those affected will be able to claim compensation for "upset and distress".

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop ex-Security Minister Admiral Lord West calling out the Chinese when he said Chinese IT kit 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating that a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest drafts 'knowledge areas' on CyBOK, a Cyber Security body of knowledge which it is supporting along with academics and the general security industry.

Google are finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers in the world said, in what seem like coordinated announcements, that businesses must accept TLS versions 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS V1.2 or the more secure & efficient TLS V1.3.

NEWS

Project Lakhta: Putin’s Chef spends $35M on social media influence

Project Lakhta is the name of a Russian project that was further documented by the Department of Justice last Friday in the form of sharing a Criminal Complaint against Elena Alekseevna Khusyaynova, said to be the accountant in charge of running a massive organization designed to inject distrust and division into the American elections and American society in general.

https://www.justice.gov/opa/press-release/file/1102316/download
In a fairly unusual step, the 39-page Criminal Complaint against Khusyaynova, filed just last month in Alexandria, Virginia, has already been unsealed, prior to any indictment or specific criminal charges being brought against her before a grand jury. US Attorney G. Zachary Terwilliger says "The strategic goal of this alleged conspiracy, which continues to this day, is to sow discord in the U.S. political system and to undermine faith in our democratic institutions."

The data shared below, intended to summarize the 39-page criminal complaint, contains many direct quotes from the document, which has been shared by the DOJ (the full Criminal Complaint against Elena Khusyaynova is linked above).

Since May 2014 the complaint shows that the following organizations were used as cover to spread distrust towards candidates for political office and the political system in general.

Internet Research Agency LLC ("IRA")
Internet Research LLC
MediaSintez LLC
GlavSet LLC
MixInfo LLC
Azimut LLC
NovInfo LLC
Nevskiy News LLC ("NevNov")
Economy Today LLC
National News LLC
Federal News Agency LLC ("FAN")
International News Agency LLC ("MAN")

These entities employed hundreds of individuals in support of Project Lakhta's operations with an annual global budget of millions of US dollars.  Only some of their activity was directed at the United States.

Prigozhin and Concord 

Concord Management and Consulting LLC and Concord Catering (collectively referred to as "Concord") are related Russian entities with various Russian government contracts.  Concord was the primary source of funding for Project Lakhta, controlling funding, recommending personnel, and overseeing activities through reporting and interaction with the management of various Project Lakhta entities.

Yevgeniy Viktorovich Prigozhin is a Russian oligarch closely identified with Russian President Vladimir Putin.  He began his career in the food and restaurant business and is sometimes referred to as "Putin's Chef."  Concord has Russian government contracts to feed school children and the military.

Prigozhin was previously indicted, along with twelve others and three Russian companies, for committing federal crimes while seeking to interfere with the US elections and political process, including the 2016 presidential election.

Project Lakhta internally referred to their work as "information warfare against the United States of America" which was conducted through fictitious US personas on social media platforms and other Internet-based media.

Lakhta has a management group which organized the project into departments, including a design and graphics department, an analysts department, a search-engine optimization ("SEO") department, an IT department and a finance department.

Khusyaynova has been the chief accountant of Project Lakhta's finance department since April of 2014, which included the budgets of most or all of the previously named organizations. She submitted hundreds of financial vouchers, budgets, and payment requests for the Project Lakhta entities. The money was managed through at least 14 bank accounts belonging to other Project Lakhta affiliates, including:

Glavnaya Liniya LLC
Merkuriy LLC
Obshchepit LLC
Potentsial LLC
RSP LLC
ASP LLC
MTTs LLC
Kompleksservis LLC
SPb Kulinariya LLC
Almira LLC
Pishchevik LLC
Galant LLC
Rayteks LLC
Standart LLC

Project Lakhta Spending 

Monthly reports were provided by Khusyaynova to Concord about the spending for at least the period from January 2016 through July 2018.

A document sent in January 2017 included the projected budget for February 2017 (60 million rubles, or roughly $1 million USD), and an accounting of spending for all of calendar 2016 (720 million rubles, or $12 million USD). Expenses included:

Registration of domain names
Purchasing proxy servers
Social media marketing expenses, including:
 - purchasing posts for social networks
 - advertisements on Facebook
 - advertisements on VKontakte
 - advertisements on Instagram
 - promoting posts on social networks

Other expenses were for Activists, Bloggers, and people who "developed accounts" on Twitter to promote online videos.

In January 2018, the "annual report" for 2017 showed 733 million Russian rubles of expenditure ($12.2M USD).

More recent expenses, between January 2018 and June 2018, included more than $60,000 in Facebook ads, and $6,000 in Instagram ads, as well as $18,000 for Bloggers and Twitter account developers.

Project Lakhta Messaging

From December 2016 through May 2018, Lakhta analysts and activists spread messages "to inflame passions on a wide variety of topics" including:
  • immigration
  • gun control and the Second Amendment 
  • the Confederate flag
  • race relations
  • LGBT issues 
  • the Women's March 
  • and the NFL national anthem debate.


Events in the United States were seized upon "to anchor their themes" including the Charleston church shootings, the Las Vegas concert shootings, the Charlottesville "Unite the Right" rally, police shootings of African-American men, and the personnel and policy decisions of the Trump administration.

Many of the graphics that were shared will be immediately recognizable to most social media users.

"Rachell Edison" Facebook profile
The graphic above was shared by a confirmed member of the conspiracy on December 5, 2016. "Rachell Edison" was a Facebook profile controlled by someone on payroll from Project Lakhta.  Their comment read  "Whatever happens, blacks are innocent. Whatever happens, it's all guns and cops. Whatever happens, it's all racists and homophobes. Mainstream Media..."

The Rachell Edison account was created in September 2016 and controlled the Facebook page "Defend the 2nd".  Between December 2016 and May 2017, "while concealing its true identity, location, and purpose" this account was used to share over 700 inflammatory posts related to gun control and the Second Amendment.

Other accounts specialized in other themes. Another account, using the name "Bertha Malone", was created in June 2015, using fake information to claim that the account holder lived in New York City and attended a university in NYC. In January 2016, the account created a Facebook page called "Stop All Invaders" (StopAI) which shared over 400 hateful anti-immigration and anti-Islam memes, implying that all immigrants were either terrorists or criminals. Posts shared by this account reached 1.3 million individuals and at least 130,851 people directly engaged with the content (for example, by liking, sharing, or commenting on materials that originated from this account).

Some examples of the hateful posts shared by "Bertha Malone" that were included in the DOJ criminal complaint,  included these:




The latter image was accompanied by the comment:

"Instead this stupid witch hunt on Trump, media should investigate this traitor and his plane to Islamize our country. If you are true enemy of America, take a good look at Barack Hussein Obama and Muslim government officials appointed by him."

Directions to Project Lakhta Team Members


The directions shared with the propaganda spreaders gave very specific examples of how to influence American thought, with guidance on what sources and techniques should be used to influence particular portions of our society. For example, to further drive wedges in the Republican party, Republicans who spoke out against Trump were attacked in social media (all of the quotes below are marked in the Criminal Complaint as "preliminary translations of Russian text"):

"Brand McCain as an old geezer who has lost it and who long ago belonged in a home for the elderly. Emphasize that John McCain's pathological hatred towards Donald Trump and towards all his initiatives crosses all reasonable borders and limits.  State that dishonorable scoundrels, such as McCain, immediately aim to destroy all the conservative voters' hopes as soon as Trump tries to fulfill his election promises and tries to protect the American interests."

"Brand Paul Ryan a complete and absolute nobody incapable of any decisiveness.  Emphasize that while serving as Speaker, this two-faced loudmouth has not accomplished anything good for America or for American citizens.  State that the only way to get rid of Ryan from Congress, provided he wins in the 2018 primaries, is to vote in favor of Randy Brice, an American veteran and an iron worker and a Democrat."

Frequently the guidance was in relation to a particular news headline, where directions on how to use the headline to spread their message of division were shared. A couple of examples of these:

After a news story "Trump: No Welfare To Migrants for Grants for First 5 Years" was shared, members of the conspiracy were directed to spin the messaging like this:

"Fully support Donald Trump and express the hope that this time around Congress will be forced to act as the president says it should. Emphasize that if Congress continues to act like the Colonial British government did before the War of Independence, this will call for another revolution.  Summarize that Trump once again proved that he stands for protecting the interests of the United States of America."

In response to an article about scandals in the Robert Mueller investigation, the direction was to use this messaging:

"Special prosecutor Mueller is a puppet of the establishment. List scandals that took place when Mueller headed the FBI. Direct attention to the listed examples. State the following: It is a fact that the Special Prosecutor who leads the investigation against Trump represents the establishment: a politician with proven connections to the U.S. Democratic Party who says things that should either remove him from his position or disband the entire investigation commission. Summarize with a statement that Mueller is a very dependent and highly politicized figure; therefore, there will be no honest and open results from his investigation. Emphasize that the work of this commission is damaging to the country and is aimed to declare impeachment of Trump. Emphasize that it cannot be allowed, no matter what."

Many more examples are given, some targeted at particular concepts, such as this direction regarding "Sanctuary Cities":

"Characterize the position of the Californian sanctuary cities along with the position of the entire California administration as absolutely and completely treacherous and disgusting. Stress that protecting an illegal rapist who raped an American child is the peak of wickedness and hypocrisy. Summarize in a statement that "sanctuary city" politicians should surrender their American citizenship, for they behave as true enemies of the United States of America"

Some more basic guidance shared by Project Lakhta was about how to target conservatives vs. liberals, such as "if you write posts in a liberal group, you must not use Breitbart titles.  On the contrary, if you write posts in a conservative group, do not use Washington Post or BuzzFeed's titles."

We see the "headline theft" implied by this in some of their memes.  For example, this Breitbart headline:


Became this Project Lakhta meme (shared by Stop All Immigrants):


Similarly, this meme, originally shared as a quote from the Heritage Foundation, was adopted and rebranded by the Lakhta-funded "Stop All Immigrants":



Twitter Messaging and Specific Political Races

Many Twitter accounts shown to be controlled by paid members of the conspiracy were making very specific posts in support of or in opposition to particular candidates for the House or Senate. Some examples listed in the Criminal Complaint include:

@CovfefeNationUS posting:

Tell us who you want to defeat!  Donate $1.00 to defeat @daveloebsack Donate $2.00 to defeat @SenatorBaldwin Donate $3.00 to defeat @clairecmc Donate $4.00 to defeat @NancyPelosi Donate $5.00 to defeat @RepMaxineWaters Donate $6.00 to defeat @SenWarren

Several of the Project Lakhta Twitter accounts got involved in the Alabama Senate race, but, underscoring that the objective of Lakhta is to CREATE DISSENT AND DISTRUST, they actually tweeted on opposite sides of the campaign:

One Project Lakhta Twitter account, @KaniJJackson, posted on December 12, 2017: 

"Dear Alabama, You have a choice today. Doug Jones put the KKK in prison for murdering 4 young black girls.  Roy Moore wants to sleep with your teenage daughters. This isn't hard. #AlabamaSenate"

while on the same day @JohnCopper16, also a confirmed Project Lakhta Twitter account, tweeted:

"People living in Alabama have different values than people living in NYC. They will vote for someone who represents them, for someone who they can trust. Not you.  Dear Alabama, vote for Roy Moore."

@KaniJJackson was a very active voice for Lakhta. Here are some additional tweets from that account:

"If Trump fires Robert Mueller, we have to take to the streets in protest.  Our democracy is at stake." (December 16, 2017)

"Who ended DACA? Who put off funding CHIP for 4 months? Who rejected a deal to restore DACA? It's not #SchumerShutdown. It's #GOPShutdown." (January 19, 2018)

@JohnCopper16 also tweeted on that topic: 
"Anyone who believes that President Trump is responsible for #shutdown2018 is either an outright liar or horribly ignorant. #SchumerShutdown for illegals. #DemocratShutdown #DemocratLosers #DemocratsDefundMilitary #AlternativeFacts"   (January 20, 2018)

@KaniJJackson on Parkland, Florida and the 2018 Midterm election: 
"Reminder: the same GOP that is offering thoughts and prayers today are the same ones that voted to allow loosening gun laws for the mentally ill last February.  If you're outraged today, VOTE THEM OUT IN 2018. #guncontrol #Parkland"

They even tweet about themselves, as shown in this pair of tweets!

@JemiSHaaaZzz (February 16, 2018):
"Dear @realDonaldTrump: The DOJ indicted 13 Russian nationals at the Internet Research Agency for violating federal criminal law to help your campaign and hurt other campaigns. Still think this Russia thing is a hoax and a witch hunt? Because a lot of witches just got indicted."

@JohnCopper16 (February 16, 2018): 
"Russians indicted today: 13  Illegal immigrants crossing Mexican border indicted today: 0  Anyway, I hope all those Internet Research Agency f*ckers will be sent to gitmo." 

The Russians are also involved in "getting out the vote" - especially of those who hold strongly divisive views:

@JohnCopper16 (February 27, 2018):
"Dem2018 platform - We want women raped by the jihadists - We want children killed - We want higher gas prices - We want more illegal aliens - We want more Mexican drugs And they are wondering why @realDonaldTrump became the President"

@KaniJJackson (February 19, 2018): 
"Midterms are 261 days, use this time to: - Promote your candidate on social media - Volunteer for a campaign - Donate to a campaign - Register to vote - Help others register to vote - Spread the word We have only 261 days to guarantee survival of democracy. Get to work!"

More recent tweets have been on a wide variety of topics, with other accounts expressing strong views around racial tensions, and then speaking to the Midterm elections: 

@wokeluisa (another confirmed Project Lakhta account): 
"Just a reminder that: - Majority black Flint, Michigan still has drinking water that will give you brain damage if consumed - Republicans are still trying to keep black people from voting - A terrorist has been targeting black families for assassination in Austin, Texas" 

and then, also @wokeluisa: (March 19, 2018): 
"Make sure to pre-register to vote if you are 16 y.o. or older. Don't just sit back, do something about everything that's going on because November 6, 2018 is the date that 33 senate seats, 436 seats in the House of Representatives and 36 governorships will be up for re-election." 

And from @johncopper16 (March 22, 2018):
"Just a friendly reminder to get involved in the 2018 Midterms. They are motivated They hate you They hate your morals They hate your 1A and 2A rights They hate the Police They hate the Military They hate YOUR President" 

Some of the many additional Twitter accounts controlled by the conspiracy mentioned in the Criminal Complaint: 

@UsaUsafortrump, @USAForDTrump, @TrumpWithUSA, @TrumpMov, @POTUSADJT, @imdeplorable201, @swampdrainer659, @maga2017trump, @TXCowboysRawk, @covfefeNationUS, @wokeluisa (2,000 tweets and at least 55,000 followers), @JohnCopper16, @Amconvoice, @TheTrainGuy13, @KaniJJackson, @JemiSHaaaZzz 




Facebook’s confusion about its Portal camera is concerning

Facebook couldn't have picked a worse time to introduce Portal, a camera-equipped smart display designed to make video chatting in your home easier. And, if the rumors are true, the company is also preparing to launch a video chat camera for your TV, based on the same system as Portal. News of this hardware comes at a time when Facebook is under major scrutiny after suffering a massive data breach in September, which exposed private information of 29 million users, including usernames, birth date, gender, location, religion and the devices used to browse the site. But the most concerning part about Portal is that Facebook's own executives don't seem to have a basic understanding of what types of data the company will be collecting or what it will use them for.

WSJ: Facebook believes spammers were behind its massive data breach

More than two weeks after Facebook revealed a massive data breach, we still don't know who was using the flaw in its site to access information on tens of millions of users. Now the Wall Street Journal reports, based on anonymous sources, that the company believes spammers perpetrated the hack in an attempt to make money via deceptive advertising.

Source: Wall Street Journal

Here’s how to see if you were affected by Facebook’s breach

Today, Facebook provided additional information on the data breach it disclosed last month. Whereas it initially said up to 50 million users might have been affected, it now reports that 30 million were impacted by the breach. By exploiting a system vulnerability, attackers were able to steal digital keys called access tokens from those 30 million users, and Facebook has now laid out how those users were affected. The company is also notifying those impacted, but if you don't want to wait to be notified, you can check if your account was affected through this link.

Source: Facebook

Facebook says recent data breach wasn’t ‘related to the midterms’

Even though the number of users affected by Facebook's most recent hack was lowered to 29 million, from 50 million, it's still safe to say the attack was worse than originally thought. That's because we now know that the breach, which Facebook revealed a couple of weeks ago, exposed very detailed information of 14 million of those users, including their username, birthdate, gender, location, relationship status, religion, hometown, self-reported current city, education, work, the devices they used to access Facebook and the last 10 places they checked into (or were tagged in) on the site. The attackers, whose identities Facebook won't reveal because of an ongoing FBI investigation, were also able to view which people/Pages were followed by these 14 million users, as well as their 15 most recent searches on Facebook.

Facebook’s recent hack exposed private information of 29 million users

Late last month, Facebook announced a data breach that affected up to 50 million of its users. The issue involved access tokens -- digital keys that let people remain logged into Facebook -- and a vulnerability allowed attackers to steal those tokens and hijack other users' Facebook accounts. The company has now released an update on that report and says fewer people were affected than it originally thought. "Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen," it said.

Source: Facebook

Facebook: Hackers didn’t access third-party sites with our sign-in

The Facebook hack compromised 50 million users, but the damage might not be as extensive as some expected. In a statement, company security VP Guy Rosen revealed that investigators "found no evidence" of the intruders accessing third-party apps with its Facebook Login feature. Some sites using the single sign-on also confirmed that there was no indication of a data breach on their end, although they're not necessarily taking chances.

Source: Reuters, Facebook

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss: 380,000 of the airline's website and mobile app customers had their debit and credit card details lifted via a maliciously injected script. The breach even caused BA's owner, IAG, to drop 4% in value. To compound matters, several claims were made that the BA website wasn't PCI DSS compliant, the implication being that had it been compliant, its customers' personal and payment card information would still be safe. For further details about this breach see my blog posts: British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users' data was at risk after hackers exploited a vulnerability in Facebook's code. Facebook CEO Mark Zuckerberg said he doesn't know who is behind the cyber attack; however, the FBI are investigating.

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference app revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove and Gavin Williamson among those whose personal information and phone numbers were made available.

There were a number of large data breach fines handed out in September. Tesco Bank was hit with a whopping £16.4 million fine by the Financial Conduct Authority (FCA), which would have been doubled were it not for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left its bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, in its financial crime controls and in its financial crime operations team to carry out the attack over a 48-hour period.

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K for not having good enough security to prevent the theft of 547,000 customer records by an employee. Uber has paid £133m to settle legal claims from customers and drivers, as a result of trying to hide from regulators a huge breach which occurred in 2016. The ride-hailing company admitted to paying off the hackers to the tune of $100,000 to delete the data they stole from Uber's cloud servers. The personal data stolen came from 57 million Uber accounts and included 600,000 driving licence numbers.

Looks like the MoD and GCHQ are looking to beef up Britain's cyber offence capabilities, announcing a plan to recruit a 2,000-strong 'cyber force' to take on the Russian threat. Meanwhile across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of the book and movie "Catch Me If You Can".

Bristol Airport was impacted by a ransomware attack, which took down its arrival and departure screens for a couple of days, and a Scottish brewery was also hit by a ransomware attack through an infected CV it had received via an online job advertisement.

Europol warned of 15 ways you could become a cyber crime victim, and there was an excellent article in the New York Times on the Bangladesh Central Bank cyber theft.


Facebook Announces Security Flaw Found in “View As” Feature

Another day, another Facebook story. In May, a Facebook Messenger malware named FacexWorm was utilized by cybercriminals to steal user passwords and mine for cryptocurrency. Later that same month, the personal data of 3 million users was exposed by an app on the platform dubbed myPersonality. And in June, millions of the social network’s users may have unwittingly shared private posts publicly due to another new bug. Which brings us to today. Just announced this morning, Facebook revealed they are dealing with yet another security breach, this time involving the “View As” feature.

Facebook users have the ability to view their profiles from another user’s perspective, which is called “View As.” This very feature was found to have a security flaw that has impacted approximately 50 million user accounts, as cybercriminals exploited the vulnerability to steal Facebook users’ access tokens. Access tokens are the digital keys that keep users logged in so they don’t have to enter a password every time; whoever holds a valid token can use the account as if they were that user. Essentially, this flaw let cybercriminals take over users’ accounts.

While the access tokens of 50 million accounts were taken, Facebook still doesn’t know whether any personal information was gathered or misused from the affected accounts. As a precaution, it has reset the tokens of everyone who used the “View As” feature in the last year; those users will have to log back into Facebook, as well as into any apps that use a Facebook login. An estimated 90 million Facebook users will have to log back in.

As of now, this story is still developing, as Facebook is still investigating further into this issue. Now, the question is — if you’re an impacted Facebook user, what should you do to stay secure? Start by following these tips:

  • Change your account login information. Facebook has logged affected users out, which makes this a good moment to change your password. Be sure to make your next password strong and unique, so it will be difficult for cybercriminals to crack. It’s also a good idea to turn on two-factor authentication.
  • Update, update, update. No matter the application, it can’t be stressed enough how important it is to always update an app as soon as an update is available, as fixes are usually included with each version. Facebook has already issued a fix to this vulnerability, so make sure you update immediately.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Facebook Announces Security Flaw Found in “View As” Feature appeared first on McAfee Blogs.

Facebook hack exposed info on up to 50 million users

Facebook announced on Friday that it has suffered a data breach affecting up to 50 million users. According to a report from the New York Times, Facebook discovered the attack on Tuesday and has contacted the FBI. The exploit reportedly enables attackers to take control of accounts so, as a precaution, the social network has automatically logged out more than 90 million potentially compromised accounts.

Source: Facebook

Hacker says he’ll livestream deletion of Zuckerberg’s Facebook page (updated)

A white-hat hacker briefly promised to livestream his bid to hack into Mark Zuckerberg's Facebook account on Sunday, September 30th. "Broadcasting the deletion of Facebook founder Zuck's account," Chang Chi-yuan told his 26,000-plus followers on the social network, adding: "Scheduled to go live." By Friday afternoon, the stream had been cancelled.

Via: Bloomberg

Source: Chang Chi-yuan (Facebook)

5 Reasons Why Strong Digital Parenting Matters More than Ever

As a parent raising kids in a digital culture, it’s easy to feel at times as if you have a tiger by the tail and that technology is leading your family rather than the other way around.

But that familiar feeling — the feeling of being overwhelmed, outsmarted, and always a step or two behind the tech curve — is just a feeling, it’s not a fact.

Digital Parenting Matters

The fact is, you are the parent. That is a position of authority, honor, and privilege in your child’s life. No other person (device, app, or friend group) can take your place. No other voice is more influential or audible in your child’s mind and heart than yours.

It’s true that technology has added several critical skills to our parenting job description. It’s true that screens have become an integral part of daily life and that digital conversation can now shape our child’s self-image and perspective of his or her place in the world. All of this digital dominance has made issues such as mental health, anxiety, and cyberbullying significant concerns for parents.

What’s also true is that we still have a lot of control over our kids’ screen time and the role technology plays in our families. Whether we choose to exercise that influence, is up to us but the choice remains ours.

Here are just a few reasons why strong digital parenting matters more than ever. And, some practical tools to help you take back any of the influence you feel you may have lost in your child’s life.

5 Digital Skills to Teach to Your Kids

Resilience

According to the American Psychological Association, resilience is the ability to adapt well to adversity, trauma, tragedy, threats or even significant sources of stress. Resilience isn’t something you are born with. Kids become resilient over time and more so with an intentional parent. Being subject to the digital spotlight each day is a road no child should have to walk alone. September is National Suicide Prevention Month and an excellent opportunity to talk to your kids about resilience building. Digital Parenting Skills: Helping kids understand concepts like conflict management, self-awareness, self-management, and responsible decision-making is one of the most critical areas of parenting today. Start the conversations, highlight examples of resilience in everyday life, model resilience, and keep this critical conversation going.

Empathy

Empathy is the ability to understand and share the feelings of another person. Unfortunately, in the online space, empathy isn’t always abundant, so it’s up to parents to introduce, model, and teach this character trait. Digital Parenting Skills: According to Dr. Michele Borba, author of #UnSelfie: Why Empathetic Kids Succeed in Our All-About-Me World, there are 9 empathy-building habits parents can nurture in their kids including Emotional Literacy, Moral Identity, Perspective Taking, Moral Imagination, Self Regulation, Practicing Kindness, Collaboration, Moral Courage, and Altruistic Leadership Abilities.

Life Balance

Screentime is on the rise, and there’s no indication that trend is going to change. If we want kids that know the value of building an emotionally and physically healthy life, then teaching (and modeling) balance is imperative today. Digital Parenting Skills: Model screentime balance in your life. Be proactive in planning device-free activities for the whole family, and use software that will help you establish time limits on all devices. You might be surprised how just a few small shifts in your family’s tech balance can influence the entire vibe of your home.

Reputation Management


Most kids work reasonably hard to curate and present a specific image on their social profiles to impress their peers. Few recognize that within just a few years, colleges and employers will also be paying attention to those profiles. One study shows that 70% of employers use search engines and social media to screen candidates. Your child’s digital footprint includes everything he or she says or does online, from posts to casual “likes,” silly photos, and comments. Digital Parenting Skills: Know where your kids go online. Monitor their online conversations (without commenting publicly). Don’t apologize for demanding they take down inappropriate or insensitive photos, comments, or retweets. The most important part of monitoring is explaining why the post has to come down. Simply saying “because I said so,” or “that’s crude,” isn’t enough. Take the time to discuss the reasons behind the rules.

Security and Safety

It’s human nature: Most of us aren’t proactive. We don’t get security systems for our homes or cars until a break-in happens to us or a close friend. Often, we don’t act until it gets personal. The same is true for taking specific steps to guard our digital lives. Digital Parenting Skills: Talk to your kids about online risks including scams, viruses and malware, identity fraud, predators, and catfishing. Go one step further and teach them about specific tools that will help keep them safe online. The fundamentals of digital safety are similar to teaching kids habits such as locking the doors, wearing a seatbelt or avoiding dangerous neighborhoods.

Your kids may be getting older and may even shrug off your advice and guidance more than they used to but don’t be fooled, parents. Kids need aware, digitally savvy parents more than ever to navigate and stay safe — both emotionally and physically — in the online arena. Press into those hard conversations and be consistent in your digital parenting to protect the things that truly matter.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online. Also, join the digital security conversation on Facebook.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post 5 Reasons Why Strong Digital Parenting Matters More than Ever appeared first on McAfee Blogs.

Could the Photos You’re Sharing Online Be Putting Your Child at Risk?

Confession time. I’m a mom that is part of the problem. The problem of posting photos of my kids online without asking for their permission and knowing deep down that I’m so excited about sharing, I’m not paying much attention at all to the risks.

Why do I do it? Because I’m madly in love with my two wee ones (who aren’t so wee anymore). Because I’m a proud parent who wants to celebrate their milestones in a way that feels meaningful in our digital world. And, if I’m honest, I think posting pictures of my kids publicly helps fill up their love tank and remind them they are cherished and that they matter. . . even if the way I’m communicating happens to be very public.

Am I that different than most parents? According to a recent McAfee survey, I’m in the majority.

Theoretically, I represent one of the 1,000 interviewed for McAfee’s recent Age of Consent survey* that rendered some interesting results.

Can you relate?

  • 30% of parents post a photo of their child to social media daily.
  • 58% of parents do not ask for permission from their children before posting images of them on social media.
  • 22% think that their child is too young to provide permission; 19% claim that it’s their own choice, not their child’s choice.

The surprising part:

  • 71% of parents who share images of their kids online agree that the images could end up in the wrong hands.
  • Parents’ biggest concerns with sharing photos online include pedophilia (49%), stalking (48%), and kidnapping (45%).
  • Other risks of sharing photos online may also be other children seeing the image and engaging in cyberbullying (31%), their child feeling embarrassed (30%), and their child feeling worried or anxious (23%).

If this mere sampling of 1,000 parents (myself included) represents the sharing attitudes of even a fraction of the people who use Facebook (estimated to be one billion globally), then rethinking the way in which we share photos isn’t a bad idea.

We know that asking parents, grandparents, friends, and kids themselves to stop uploading photos altogether would be about as practical as asking the entire state of Texas to line up and do the hokey pokey. It’s not going to happen, nor does it have to.

But we can dilute the risks of photo sharing. Together, we can agree to post smarter, to pause a little longer. We can look out for one another’s privacy, and share in ways that keep us all safe.

Ways to help minimize photo sharing risks:

  • Pause before uploading. That photo of your child is awesome but have you stopped to analyze it? Ask yourself: Is there anything in this photo that could be used as an identifier? Have I inadvertently given away personal information such as a birthdate, a visible home address, a school uniform, financial details, or potential passwords? Is the photo I’m about to upload something I’d be okay with a stranger seeing?
  • Review your privacy settings. It’s easy to forget that when we upload a photo, we lose complete control over who will see, modify, and share that photo again (anywhere they choose and in any way they choose). You can minimize the scope of your audience to only trusted friends and family by customizing your privacy settings within each social network.  Platforms like Facebook and Instagram have privacy settings that allow you to share posts (and account access) with select people. Use the controls available to boost your family privacy.
  • Voice your sharing preferences with others. While it may be awkward, it’s okay (even admirable) to ask friends and family to rein in or refrain from posting photos of your children online. This rule also applies to other people’s public comments about your vacation plans, new house, children’s names or birthdates, or any other content that gives away too much data. Don’t hesitate to promptly delete those comments by others and explain yourself in a private message if necessary.
  • Turn off geotagging on photos. Did you know that the photo you upload can carry metadata (the Exif tags your phone’s camera writes into the file) that records the exact GPS location where it was taken? That’s right. Many social networks will also tag a user’s location when that user uploads a photo. To make sure this doesn’t happen, turn off location tagging for the camera on your phone and check the sharing app’s location setting. This precaution is particularly important when posting photos away from home.
  • Be mindful of identity theft. Identity theft is no joke. Photos can reveal a lot about your lifestyle, your habits, and they can unintentionally give away your data. Consider using an identity theft protection solution like McAfee Identity Theft Protection that can help protect your identity and safeguard your personal information.

* McAfee commissioned OnePoll to conduct a survey of 1,000 parents of children ages one month to 16 years old in the U.S.
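As an added illustration (this is example code written for this page, not code from the McAfee post), the location a phone stores in a photo lives in the JPEG’s APP1/Exif segment as a small “GPS sub-IFD”, and it is just bytes that can be read back, or removed, before a picture goes anywhere. The script below builds a constructed, header-only JPEG carrying made-up GPS coordinates (not a real photo, person or location), reads them back as decimal degrees, and then strips the Exif segment the way a “remove location data” step would. It uses only the Python standard library; the tag numbers (0x8825 for the GPS IFD pointer, 0x0001 to 0x0004 for latitude/longitude and their N/S and E/W references) are the standard Exif values, and the fixed offsets in the builder are an assumption made for the constructed sample only.

```python
import struct

EXIF_HEADER = b"Exif\0\0"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004  # GPS sub-IFD tags


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a header-only JPEG (SOI + APP1/Exif + EOI) whose Exif
    block holds just a GPS sub-IFD. Real photos add DQT/SOF/SOS and scan data."""
    # Big-endian TIFF with fixed offsets: IFD0 at 8, GPS IFD at 26, rationals at 80/104.
    tiff = struct.pack(">2sHI", b"MM", 42, 8)
    # IFD0: one LONG entry pointing at the GPS IFD, then "no next IFD".
    tiff += struct.pack(">HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    tiff += struct.pack(">H", 4)  # GPS IFD with four entries
    tiff += struct.pack(">HHI4s", LAT_REF, 2, 2, lat_ref.encode().ljust(4, b"\0"))  # ASCII "N\0"
    tiff += struct.pack(">HHII", LAT, 5, 3, 80)  # three RATIONALs at offset 80
    tiff += struct.pack(">HHI4s", LON_REF, 2, 2, lon_ref.encode().ljust(4, b"\0"))
    tiff += struct.pack(">HHII", LON, 5, 3, 104)
    tiff += struct.pack(">I", 0)
    for deg, minutes, sec in (lat_dms, lon_dms):  # degrees/minutes as n/1, seconds as n/100
        tiff += struct.pack(">IIIIII", deg, 1, minutes, 1, int(round(sec * 100)), 100)
    payload = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _segments(data):
    """Yield (marker, start, end) for each marker segment after SOI, stopping at
    SOS (0xDA: entropy-coded scan data follows) or EOI (0xD9)."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a JPEG marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, start):
            continue
        tiff = jpeg[start + 10:end]
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
        if GPS_IFD_TAG not in ifd0:
            continue
        gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])[0])
        if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
            return None

        def dms(tag):  # three RATIONALs (deg, min, sec) -> decimal degrees
            off = struct.unpack(endian + "I", gps[tag][2])[0]
            parts = [struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(3)]
            deg, minutes, sec = (n / d for n, d in parts)
            return deg + minutes / 60 + sec / 3600

        lat, lon = dms(LAT), dms(LON)
        if gps[LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1/Exif segment dropped; other segments and the
    scan data are copied through untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, start):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]
    return bytes(out)


if __name__ == "__main__":
    # Constructed coordinates for the demo, not tied to any real photo or person.
    sample = build_sample_jpeg((40, 44, 54.36), "N", (73, 59, 8.5), "W")
    print("before:", extract_gps(sample))               # (40.7484..., -73.9856...)
    print("after: ", extract_gps(strip_exif(sample)))  # None
```

Two caveats a practitioner would check before relying on this: stripping the whole APP1 segment removes every Exif tag (orientation, camera model, timestamps) along with the location, so a tool that wants to keep the rest would blank only the GPS IFD entries instead; and removing metadata does nothing about a location that is visible in the picture itself, such as a street sign or school crest, which is what the first bullet above is about.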

The post Could the Photos You’re Sharing Online Be Putting Your Child at Risk? appeared first on McAfee Blogs.

Family Tech: How Safe is Your Child’s Personal Data at School?

Right about now, most kids are thinking about their chemistry homework, the next pep rally, or chiming in on their group text. The last thing on their minds as they head back to school is cybersecurity. But, it’s the one thing — if ignored — that can wreck the excitement of a brand new school year.

You’ve done a great job, parent. You’ve equipped their phones, tablets, and laptops with security software. And, you’ve beefed up safeguards on devices throughout your home. These efforts go a long way in protecting your child’s (and family’s) privacy from prying eyes. Unfortunately, when your child walks out your front door and into his or her school, new risks await.

No one knows this season better than a cybercriminal. Crooks know there are loopholes in just about every school’s network and that kids can be easy targets online. These security gaps can open kids up to phishing scams, privacy breaches, malware attacks, and device theft.

The school security conversation

Be that parent. Inquire about your school’s security protocols.  The K-12 Cybersecurity Resource Center reports that 358 school breaches have taken place since January of 2016.  Other reports point to an increase in hackers targeting school staff with phishing emails and seeking student social security numbers to sell on the dark web.

A few questions to consider:

  • Who has physical and remote access to your student’s digital records and what are the school’s protection practices and procedures?
  • How are staff members trained and are strong password protocols in place?
  • What security exists on school-issued devices? What apps/software are being used, and how will those apps collect and use student data?
  • What are the school’s data collection practices? Do data collection practices include encryption, secure data retention, and lawful data sharing policies?
  • What is the Bring Your Own Device (BYOD) policy?

The data debate

As K-12 administrators strive to maintain secure data collection practices for students, those same principles may be dubious as kids move on to college. As reported by Digiday, one retailer may be quietly disassembling privacy best practices with a bold “pay with data” business model. The Japanese coffee chain Shiru Café offers students and faculty members of Brown University free coffee in exchange for entering personal data into an online registry. Surprisingly, the café attracts some 800 customers a day and is planning on expanding its business model to more college campuses.

The family conversation

Keep devices close. Kids break, lose, lend, and leave their tech unattended and open to theft. Discuss responsible tech ownership with your kids. Stolen devices are privacy gold mines.

Never share passwords. Kids express their loyalty to one another in different ways. One way that’s proving popular but especially unsafe nowadays is password sharing. Remind kids: It’s never okay to share passwords to devices, social networks, or school platforms. Never. Password sharing opens up your child to a number of digital risks.

Safe clicking, browsing practices. Remind kids when browsing online to watch out for phishing emails, fake news stories, streaming media sites, and pop-ups offering free downloads. A bad link can infect a computer with a virus, malware, spyware, or ransomware. Safe browsing also includes checking for “https” in the URL of websites. If the website only loads with an “http,” the website may not be enforcing encryption.

Be more of a mystery. Here is a concept your kids may or may not latch on to but challenge them to keep more of their everyday life a mystery by posting less. This includes turning off location services and trying to keep your whereabouts private when sharing online. This challenge may be fun for your child or downright impossible, but every step toward boosting privacy is progress!

Discuss the risk of public Wi-Fi. Kids are quick to jump on Wi-Fi wherever they go so they can use apps without depleting the family data plan. That habit poses a big problem. Public Wi-Fi is a magnet for hackers trying to get into your device and steal personal information. Make sure every network your child logs on to requires a password to connect. Go a step further and consider using a Virtual Private Network (VPN) for added security for your whole family.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online, and follow @McAfee_Family on Twitter. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Family Tech: How Safe is Your Child’s Personal Data at School? appeared first on McAfee Blogs.

Tech Talk: Ways to Help Your Child Conquer Back-To-School Fears

Tech and back-to-school fears

The first-day-of-school jitters nearly did me in as a kid. Our military family moved ten times, so I got used to the stomach aches and stares that came with every new school.

I can’t imagine making those big moves as a kid in today’s digital culture. The cliques are far more visible. The fails are far more public and weaknesses, far more exploited.

This digital layer of scrutiny and exposure sends my admiration and respect for kids today to heroic levels.

Tech and Anxiety

Reports of tech-related anxiety* and depression in kids are on the rise, which can put a whole layer of angst on first-day jitters. And while there is no one-size-fits-all solution to ease that stress, helping your child manage his or her technology can help diminish it.

Tips to Help Ease Stress

1. Unplug more. Discuss the power and emotional pull of the smartphone and how it can escalate the stress of starting school. Remind kids that the edited, seemingly perfect version of life people post on social media doesn’t represent reality and that constant comparison can be harmful.

While we recommend families establish a phone curfew every night for health reasons, it’s especially crucial in the weeks leading up to the first day of school. Other simple ways to ease stress this school year: Turn off all push notifications during school hours and use parental control apps to help with time limits and safety.

2. Make time to talk. Ask your child what concerns him or her most about starting school. Then, just listen. Acknowledge your child’s fears and try to relate or find common ground. Let your child know that worry is normal, it can help protect us, and everyone experiences it from time to time. Some of the stresses they might share: Finding friends and fitting in, who they will sit with at lunchtime, having the right clothes or fashion sense, being able to find their classes, opening the combinations on their lockers, sports or music auditions, body image and appearance, school work challenges, and more.

3. Visualize the first day. Help your child map out his or her classes. Based on your child’s feedback, talk through possible awkward or stressful situations that might come up to help build his or her confidence and reduce worry. Often just getting a fear from your brain to your lips can strip power from fear. Brainstorm one-liners your kids might use to introduce themselves to new people or positive responses that might deflect a negative comment.

4. Practice the present. Anxiety* can be triggered when we live more of life in the future — imagining the what-ifs — than living in the right now. Who hasn’t imagined tripping in the lunchroom or falling down the stairs? A few simple tips: Teach kids to practice deep breathing, to challenge their negative thoughts, and to talk/think about life in the present tense.

5. Encourage. Without going over the top (because kids can smell inflated praise), remind your child of his or her strengths. Fear creates a wall that blocks our view of past accomplishments. Provide that recollection for your child. Give truthful reminders of your child’s strengths, talents, and unique qualities.

6. Help kids with balance on and offline. A new school year represents a clean slate. There’s no need to bring bad habits along. So make the changes you’ve always intended to make. Set time limits on technology and stick to them. Help your kids prioritize face-to-face time with peers. Know what’s going on in your child’s online life and make sure his or her digital community isn’t unraveling your parenting goals. Pay close attention to new friends and your child’s demeanor on a daily basis.

* It’s important to note that while the word “anxiety” is commonly used, the American Academy of Pediatrics says that 8% of kids are diagnosed with an anxiety disorder. If your child’s stress level becomes serious, please seek professional help.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Tech Talk: Ways to Help Your Child Conquer Back-To-School Fears appeared first on McAfee Blogs.

Too Much Tech: 4 Steps to Get Your Child to Chill on Excessive Snapchatting

We were in the midst of what I believed to be an important conversation.

“Just a sec mom,” she said promptly after a Snapchat notification popped up on her iPhone.

She stopped me mid-sentence, puckered her lips, rolled her eyes, typed a few lines of copy, and within three seconds, my teenage daughter Snapchatted a few dozen friends.

“Sorry, mom, what were you saying?” she turned back toward me her face void of any trace of remorse.

It was clear: Snapchat had far more influence than I, the parent, and it was time to make some serious changes.

Imbalance of Power

It’s obvious the power apps hold over our lives. In fact, in an attempt to encourage responsible app use, Facebook and Instagram recently announced they would implement tools allowing users to track how much time they spend on the apps. This mom is hoping Snapchat will follow suit.

Since its inception in 2011, Snapchat has become one of the most popular apps with an estimated 187 daily active users. A 2017 study released by Science Daily found that 75% of teens use Snapchat. But it’s not the only app winning our kids’ affections:

  • 76 percent of American teens age 13-17 use Instagram.
  • 75 percent of teens use Snapchat.
  • 66 percent of teens use Facebook.
  • 47 percent of teens use Twitter.
  • Fewer than 30 percent of American teens use Tumblr, Twitch, or LinkedIn.

If you have a teen, you understand the dilemma. We know that social ties are essential to a teen’s psychological well-being. We also know that excessive time online can erode self-esteem and cause depression. We can’t just yank our child’s favorite app, but we also can’t let it run in the background of our lives 24/7, right?

What we can do is take some intentional steps to help kids understand their responsibility to use apps in healthy, resilient ways. In our house, taking that step meant addressing — and taming — the elephant in the room: Snapchat. Here are a few things that worked for us you may find helpful.

4 Steps to Help Curb Excessive Snapchatting

  1. Strive for quality relationships. With so much more information available on the downside of excessive social media use, it’s time to be candid with our kids. Excessive “liking,” carefully-curated photos, and disingenuous interactions online are not meaningful interactions. Stress to kids that nothing compares to genuine, face-to-face relationships with others.
  2. Zero phone zones. This is a rule we established after one too many snaps hijacked our family time. We agreed that when in the company of others — be it at home, in the car, in a restaurant, at church, at a relative’s house — all digital devices get turned facedown or put in a pocket. By doing this, we immediately increased opportunities for personal connection and decreased opportunities for distraction. This simple but proven strategy has cut my daughter’s Snapchat time considerably.
  3. Establish a Snapchat curfew. Given the opportunity, teens will Snapchat until the sun comes up. Don’t believe me? Ask them. If not for the body’s physical need for sleep, they’d happily Snapchat through the night. Consider a curfew for devices. This rule will immediately begin to wean your child’s need to Snapchat around the clock.
  4. Track Snapchat time. Investing in software such as McAfee® Safe Family is an option when trying to strike a healthy tech balance. The software will help with time limits, website filtering, and app blocking. There is also helpful time tracking apps. For the iPhone, there’s Moment, and for Android, there’s Breakfree. Both apps will track how much time you spend on your phone. Seeing this number — in hours — can be a real eye-opener for both adults and kids.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Too Much Tech: 4 Steps to Get Your Child to Chill on Excessive Snapchatting appeared first on McAfee Blogs.

Family Matters: How to Help Kids Avoid Cyberbullies this Summer

The summer months can be tough on kids. There’s more time during the day and much of that extra time gets spent online scrolling, surfing, liking, and Snapchatting with peers. Unfortunately, with more time comes more opportunity for interactions between peers to become strained, even to the point of bullying.

Can parents stop their kids from being cyberbullied completely? Not likely. However, if our sensors are up, we may be able to help our kids minimize both conflicts online and instances of cyberbullying should they arise.

Be Aware

Summer can be a time when a child’s more prone to feelings of exclusion and depression relative to the amount of time he or she spends online. Watching friends take trips together, go to parties, hang out at the pool, can be a lot on a child’s emotions. As much as you can, try to stay aware of your child’s demeanor and attitude over the summer months. If you need help balancing their online time, you’ve come to the right place.

Steer Clear of Summer Cyberbullies 

  1. Avoid risky apps. Apps like ask.fm that allow outsiders to ask a user any question anonymously should be off limits to kids. Kik Messenger and Yik Yak are also risky apps. Users have a degree of anonymity with these kinds of apps because they have usernames instead of real names and they can easily connect with profiles that could be (and often are) fake. Officials have linked all of these apps to multiple cyberbullying and even suicide cases.
  2. Monitor gaming communities. Gaming time can skyrocket during the summer and in a competitive environment, so can cyberbullying. Listen in on the tone of the conversations, the language, and keep tabs on your child’s demeanor. For your child’s physical and emotional health, make every effort to help him or her balance summer gaming time.
  3. Make profiles and photos private. By refusing to use privacy settings (and some kids do resist), a child’s profile is open to anyone and everyone, which increases the chances of being bullied or personal photos being downloaded and manipulated. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying.
  4. Don’t ask peers for a “rank” or a “like.” The online culture for teens is very different than that of adults. Kids will be straightforward in asking people to “like” or “rank” a photo of them and attach the hashtag #TBH (to be honest) in hopes of affirmation. Talk to your kids about the risk in doing this and the negative comments that may follow. Remind them often of how much they mean to you and the people who truly know them and love them.
  5. Balance = health. Summer means getting intentional about balance with devices. Stepping away from devices for a set time can help that goal. Establish ground rules for the summer months, which might include additional monitoring and a device curfew.

Know the signs of cyberbullying. And, if your child is being bullied, remember these things:

1) Never tell a child to ignore the bullying. 2) Never blame a child for being bullied. Even if he or she made poor decisions or aggravated the bullying, no one ever deserves to be bullied. 3) As angry as you may be that someone is bullying your child, do not encourage your child to physically fight back. 4) If you can identify the bully, consider talking with the child’s parents.

Technology has catapulted parents into arenas — like cyberbullying — few of us could have anticipated. So, the challenge remains: Stay informed and keep talking to your kids, parents, because they need you more than ever as their digital landscape evolves.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Family Matters: How to Help Kids Avoid Cyberbullies this Summer appeared first on McAfee Blogs.

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS-reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK-based 'The Phoenix Partnership' (TTP). The same assurances also apply to internally developed applications; a case in point was a publicly announced flaw in Thomas Cook's booking system discovered by a Norwegian security researcher. The researcher used the app flaw to access the names and flight details of Thomas Cook passengers and released the details on his blog. Thomas Cook said the issue has since been fixed.

Third-party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company; on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent a reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that it was in the region of 20,000. Interestingly, Monzo also declared it would end its relationship with Typeform unless it wins their trust back. Travelodge is one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties designed to bring tech giants to book; let's be honest, £500k is petty cash for the social media giant.
  • Facebook-Cambridge Analytica data scandal
  • Facebook reveals its data-sharing VIPs
  • Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluding the government had "only limited assurance" Huawei kit posed no threat to UK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money; not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns about BT's and other UK companies' reliance on the Chinese manufacturer's devices; by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russian bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromised a router which gave them access to the bank's internal network; from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.


Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.

Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botched upgrade to their online banking system, which meant the Spanish-owned bank had to shut down its online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than a million customer accounts following a breach by hackers, US SunTrust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US retailers Saks and Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklisted China's state-owned firm ZTE, warning UK telecom providers that usage of ZTE's equipment could pose a national security risk. Interestingly, BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russia of large-scale cyber campaigns aimed at compromising vast numbers of Western network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware such as Zeus, TrickBot, and Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.

A concerning report by the EEF said UK manufacturers' IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers having already been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens the door to cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.


Weekly Cyber Risk Roundup: Orbitz Breach, Facebook Privacy Fallout

One of the biggest data breach announcements of the past week belonged to Orbitz, which said on Tuesday that as many as 880,000 customers may have had their payment card and other personal information compromised due to unauthorized access to a legacy Orbitz travel booking platform.

“Orbitz determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers),” the company said in a statement.

Information potentially compromised includes payment card information, names, dates of birth, addresses, phone numbers, email addresses, and gender.

As American Express noted in its statement about the breach, the affected Orbitz platform served as the underlying booking engine for many online travel websites, including Amextravel.com and travel booked through Amex Travel Representatives.

Expedia, which purchased Orbitz in 2015, did not say how many or which partner platforms were affected by the breach, USA Today reported. However, the company did say that the current Orbitz.com site was not affected.


Other trending cybercrime events from the week include:

  • State data breach notifications: Island Outdoor is notifying customers that payment card information may have been stolen due to the discovery of malware affecting several of its websites. Agemni is notifying customers about unauthorized charges after “a single authorized user of our software system used customer information to make improper charges for his personal benefit.” The Columbia Falls School District is notifying parents of a cyber-extortion threat involving their children’s personal information. Intuit is notifying TurboTax customers that their accounts may have been accessed by an actor leveraging previously leaked credentials. Taylor-Dunn Manufacturing Company is notifying customers that it discovered cryptocurrency mining malware on a server and that a file containing personal information of those registered for the Taylor-Dunn customer care or dealer center may have been accessed. Nampa School District is notifying a “limited number” of employees and Skamania Public Utility District is notifying customers that their personal information may have been compromised due to incidents involving unauthorized access to an employee email account.
  • Data exposed: A flaw in Telstra Health’s Argus software, which is used by more than 40,000 Australian health specialists, may have exposed the medical information of patients to hackers. Primary Healthcare is notifying patients of unauthorized access to four employee email accounts. More than 300,000 Pennsylvania school teachers may have had their personal information publicly released due to an employee error involving the Teacher Management Information System.
  • Notable ransomware attacks: The city of Atlanta said a ransomware attack disrupted internal and customer-facing applications, which made it difficult for citizens to pay bills and access court-related information. Atrium Hospitality is notifying 376 hotel guests that their personal information may have been compromised due to a ransomware infection at a workstation at the Holiday Inn Sacramento. Finger Lakes Health said it lost access to its computer system due to ransomware infection.
  • Other notable events: Frost Bank said that malicious actors compromised a third-party lockbox software program and were able to access images of checks that were stored in the database. National Lottery users are being advised to change their passwords after 150 accounts were affected by a “low-level” hack. A lawsuit against Internet provider CenturyLink and AT&T-owned DirecTV alleges that customer data was available through basic Internet searches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

[Chart: top trending cybercrime targets for the week, not reproduced]

Cyber Risk Trends From the Past Week

Facebook has faced a week of criticism, legal actions, and outcry from privacy advocates after it was revealed that the political consulting firm Cambridge Analytica had accessed the information of 50 million users and leveraged that information while working with the Donald Trump campaign in 2016.

“Cambridge Analytica obtained the data from a professor at the University of Cambridge who had collected the information by creating a personality-quiz app in 2013 that plugged into Facebook’s platform,” The Wall Street Journal reported. “Before a policy change in 2015, Facebook gave app creators and academics access to a treasure trove of data, ranging from which pages users liked to details about their friends.”

It isn’t clear how many other developers might have retained information harvested from Facebook before the 2015 policy change, The Journal reported. However, Mark Zuckerberg said the company may spend “many millions of dollars” auditing tens of thousands of data collecting apps in order to get a better handle on the situation.

The privacy breach has already led to regulatory scrutiny and potential lawsuits around the globe. Bloomberg reported that the FTC is probing whether data handling violated terms of a 2011 consent decree. In addition, Facebook said it would conduct staff-level briefings with six congressional committees in the coming week. Some lawmakers have called for Zuckerberg to testify as well, and Zuckerberg told media outlets that he would be willing to do so if asked.

Facebook’s stock price has dropped from $185 to $159 over the past eight days amid the controversy, and several companies have suspended their advertising on Facebook or deleted their Facebook pages altogether due to the public backlash.

Twitter – Den of Iniquity or Paragon of Virtue… or Someplace in Between?

Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.