Turbotodd

Ruminations on tech, the digital media, and some golf thrown in for good measure.

Posts Tagged ‘privacy’

Didja Delete Your Facebook Yet?


People around the globe are having a crisis of conscience.

Do I delete my Facebook account or do I not?

Even Hamlet didn’t have to contend with such an existential crisis.

Get a grip and some perspective, people.  Take a deep breath, and…one….hold…and two….

And then, if you’re really, really concerned about whether or not the privacy trade-off is worth keeping up with the virtual Joneses, Techpinions did some fast research of 1,000 Americans about their feelings and actions regarding Facebook post-Cambridge Analytica.

The big takeaways:

  • 17% of respondents said they deleted the Facebook app from their phone over privacy concerns
  • 35% said they were using Facebook less than they used to over the privacy issue
  • 39% said they were “very aware” of the Cambridge Analytica scandal, while 37% said they were “somewhat aware.”
  • 9% reported deleting their Facebook account altogether

So, according to that report, nearly 1 in 10 have said “sayonara” to Facebook. 

For those who stayed, there’s the question of making more use of Facebook’s already-extensive privacy controls.

Facebook VP of global marketing solutions, Carolyn Everson, spoke at The Wall Street Journal CEO Council in London, and indicated that “we have not seen wild changes in behavior with people saying I’m not going to share any data with Facebook anymore,” and that Facebook users largely haven’t changed their privacy settings in the past four weeks since the Cambridge story broke.

If you don’t want to break up with Facebook, but you’d like to exert more control of how your information is used there, check out this guidance from ZDNet.

It’s like getting your PhD in Facebook privacy!

Written by turbotodd

April 13, 2018 at 9:49 am

Posted in 2018, facebook, privacy


I Can’t Get Rid of My Friends!


Okay, Mark Zuckerberg probably had a less rosy day on Capitol Hill yesterday in front of the House, but overall, I would have to say he acquitted himself well.

As for that whole thing I mentioned in an earlier post about the Senators and Congresspeople hopefully being well briefed by their staffs…well, you could tell from the questioning either A) that didn’t happen or B) the Senators and Congresspeople just didn’t have the depth of knowledge necessary to follow up with thoughtful and probing interrogatory.

Facebook definitely won this round.  Ding ding!

But tech journalists who *do* have some technical chops continue to probe around the edges to find privacy and related holes in Facebook’s business model and capabilities.

Brian Chen, a New York Times technology journalist, recently downloaded his full data from Facebook using a tool Facebook has made available to the public.

Chen noted in the piece that his Facebook profile is “sparse” and that he rarely posts anything on the site, and seldom clicks on ads.

And yet within a few clicks of looking through the data, he “learned that about 500 advertisers — many that I had never heard of, like Bad Dad, a motorcycle parts store, and Space Jesus, an electronic band — had my contact information, which could include my email address, phone number, and full name.”

Welcome to Mark Zuckerberg’s closet, Brian.

He also learned that an index file contained the 764 names and phone numbers of everyone in his iPhone’s address book, which Facebook had uploaded when Chen was setting up Facebook Messenger.

Welcome to Mark Zuckerberg’s garage, Brian.

He indicated that Facebook “also kept a history of each time I open Facebook over the last two years, including which device and web browser I used. On Sundays, it even logged my locations, like when I was in a hospital two years ago or when I visited Tokyo last year.”

Welcome to Mark Zuckerberg’s attic, Brian.

But, Chen wrote, what really got his goat was the data he “had explicitly deleted but that lingered in plain sight.”

He indicated that on his friends list, Facebook had a record of “removed friends,” a dossier of the 112 people he had removed along with the date he had clicked the “unfriend” button. Why should Facebook remember the people he cut off from his life?

Because, Brian.  

It’s Facebook, and that’s what Facebook is and that’s what Facebook does.

And that’s what you, me, and 2 billion other people on the planet signed up for.

Welcome to Mark Zuckerberg’s mansion, Brian.

Written by turbotodd

April 12, 2018 at 9:31 am

Posted in Uncategorized


You Thought You Had a Bad Tuesday


You thought you had a bad Tuesday?

You weren’t sitting in front of a bunch of hot lights and a swarm of photographers before a joint session of the Commerce and Judiciary committees on Capitol Hill.

Mark Zuckerberg, founder and CEO of Facebook, was, and judging from coverage of his “performance,” he was a calm and cool customer, absorbing jibes, barbs, and other commentary and questions from a Senate with a wide range of perspectives (No report I’ve seen yet as to how many of the senators had taken campaign contributions from his inquisitors).

The Verge did a nice job of breaking down some of the key issues raised, and who raised them.

  • Sen. Lindsey Graham (R-SC) asked about Facebook’s monopoly power (As in, IS Facebook one?). Zuckerberg: “It certainly doesn’t feel like that to me.”
  • Multiple senators raised the issue of whether Zuckerberg might consider a paid, ad-free version of Facebook. Zuckerberg said it was possible, but that there would always be a free version.
  • Leaning on AI to improve moderation on the platform: Zuckerberg “invoked the promise of AI to help Facebook quickly sort through hate speech and other problematic posts.”

In terms of actionability, Zuckerberg referred repeatedly to changes in the product that will better prevent data leakage and make privacy shortcuts easier to find, as well as restrict data shared with developers.

Will it be enough to keep regulation and/or legislation at bay? Doubtful. On the other hand, I hardly see a pro-regulatory government about to completely throw the book at one of the world’s most successful Internet companies.

So I’ll quote from that bastion of Congressional wisdom, SchoolHouse Rock’s “I’m Just a Bill”:

I’m just a bill
Yes I’m only a bill,
And I got as far as Capitol Hill.
Well, now I’m stuck in committee
And I’ll sit here and wait 
While a few key Congressmen discuss and debate
Whether they should let me be a law.
How I hope and pray that they will,
But today I am still just a bill.

Written by turbotodd

April 11, 2018 at 8:58 am

Posted in 2018, facebook, legislation, privacy


Grindr Reveals HIV Status, Location Data to Third Parties


The privacy morass plot thickens.

BuzzFeed reported yesterday, citing an independent data analysis by an outside research firm, that the popular gay dating app Grindr is sharing its users’ HIV status with two outside companies.

The gay hookup app Grindr, which has more than 3.6 million daily active users across the world, has been providing its users’ HIV status to two other companies, BuzzFeed News has learned.

The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and “last tested date.”

Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.

If the Nixonian saying was “It’s not the cover up but the crime,” perhaps the 21st century privacy counterpart should be along the lines of, “It’s not the first use of the information, it’s the unintended third party use.”

As BuzzFeed’s article points out, Grindr is a unique place for openness about one’s HIV status, but to have that information shared with third parties that an individual was never notified about…that’s a safety risk, and one whose mitigation should be left to the individual and not Grindr.
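The engineering lesson in the SINTEF finding is that the leak is not the HIV field alone but the HIV field travelling in the same payload as GPS coordinates, phone ID and email. The following is an added example, not Grindr’s, Apptimize’s or Localytics’ code: a data-minimisation filter that sits between a hypothetical dating-app client and any third-party analytics SDK, forwarding only an allowlist of non-sensitive fields plus a salted pseudonym, and an audit function that flags any outbound payload still carrying health data or direct identifiers. The field names, the sample event and the salt are constructed for the example.

```python
"""Data-minimisation filter for events handed to third-party analytics SDKs.

Added example; assumes a hypothetical client-side event dict. Field names,
the sample event and the salt are constructed, not taken from any real app.
"""
from __future__ import annotations

import hashlib

# Health data the app may hold for the user's own profile but which must
# never leave the app inside a vendor payload.
HEALTH_FIELDS = frozenset({"hiv_status", "last_tested_date"})

# Direct identifiers that, combined with any sensitive field, re-identify
# the user at the vendor (the combination the SINTEF researcher described).
DIRECT_IDENTIFIERS = frozenset({"email", "phone_id", "device_id", "phone"})

# Precise location is dropped entirely; only country-level context is kept.
LOCATION_FIELDS = frozenset({"lat", "lon"})

# The only keys an A/B-testing or analytics vendor is assumed to need.
ANALYTICS_ALLOWLIST = frozenset({"event", "screen", "app_version", "os", "country"})

# Constructed sample event, as a client might assemble it before export.
SAMPLE_EVENT = {
    "event": "profile_viewed",
    "screen": "profile",
    "app_version": "3.2.1",
    "os": "iOS",
    "country": "NO",
    "email": "user@example.com",
    "phone_id": "IMEI-000000000000000",
    "lat": 59.9139,
    "lon": 10.7522,
    "hiv_status": "positive",
    "last_tested_date": "2018-01-15",
}


def pseudonymous_id(user_id: str, salt: str) -> str:
    """Per-deployment pseudonym so the vendor can count sessions without
    receiving the account id. The salt must be kept out of the vendor's reach."""
    digest = hashlib.sha256(f"{salt}:{user_id}".encode("utf-8")).hexdigest()
    return digest[:16]


def minimise_for_vendor(event: dict, user_id: str, salt: str) -> dict:
    """Return a copy of `event` that is safe to hand to a third-party SDK.

    Allowlisting (rather than denylisting) means a newly added profile field
    is excluded by default until someone decides it is needed downstream."""
    out = {k: v for k, v in event.items() if k in ANALYTICS_ALLOWLIST}
    out["uid"] = pseudonymous_id(user_id, salt)
    return out


def audit_payload(payload: dict) -> list[str]:
    """Second layer, usable in a pre-send hook or a CI test over recorded
    payloads: list every field that is health data, a direct identifier or
    precise location. An empty list means the payload passed."""
    blocked = HEALTH_FIELDS | DIRECT_IDENTIFIERS | LOCATION_FIELDS
    return sorted(k for k in payload if k in blocked)


def demo() -> tuple[list[str], dict, list[str]]:
    """Run the filter on the constructed event and return
    (violations before, minimised payload, violations after)."""
    before = audit_payload(SAMPLE_EVENT)
    safe = minimise_for_vendor(SAMPLE_EVENT, "user-42", "constructed-salt")
    after = audit_payload(safe)
    return before, safe, after


if __name__ == "__main__":
    before, safe, after = demo()
    print("violations in raw event:", before)
    print("payload sent to vendor:", safe)
    print("violations after minimisation:", after)
```

The audit function exists because allowlists drift: a developer adds a convenient key to `ANALYTICS_ALLOWLIST` and the leak returns. Running `audit_payload` over a sample of real outbound payloads in CI catches that regression independently of the filter.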

George Orwell’s not only spinning in his grave, he’s doing triple axels in multiples of three at a time.

Privacy may not be dead, but it sure has taken a beating in the first three months of 2018. 

Written by turbotodd

April 3, 2018 at 9:33 am

Posted in 2018, data security, privacy


Facebook to Limit 3rd Party Data


Facebook is going to start to limit how much data it makes available to advertisers buying hyper-targeted ads on the social network, according to a report from Recode.

Specifically, Facebook has indicated it would stop using data from third-party data aggregators, including companies like Acxiom and Experian, both of which have extensive data stores of offline data such as purchasing activity which Facebook could use to supplement its own data set.

Recode recounts that Facebook previously let advertisers target people using data from a number of sources (beyond Experian and Acxiom), including:

  • Data from Facebook, which the company collects from user activity and profiles.
  • Data from the advertiser itself, like customer emails they’ve collected on their own.

Official confirmation of the move came from Graham Mudd, a product marketing manager at Facebook:

“We want to let advertisers know that we will be shutting down Partner Categories,” Mudd said in the statement. “This product enables third party data providers to offer their targeting directly on Facebook. While this is common industry practice, we believe this step, winding down over the next six months, will help improve people’s privacy on Facebook.”

Recode notes, however, that even had the move been made earlier, this decision would not have impacted the outcome of the Cambridge Analytica scandal, in which that firm collected the personal data of some 50 million Facebook users without their permission.

In related news, Facebook has also introduced new, more centralized privacy controls that are “easier to find and use”:

We’ve redesigned our entire settings menu on mobile devices from top to bottom to make things easier to find. Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place. We’ve also cleaned up outdated settings so it’s clear what information can and can’t be shared with apps.

The new “Privacy Shortcuts” menu is just that, a menu where you can “control your data in just a few taps, with clearer expectations of how our controls work.”

As for all the various and sundry ways your data has been used by the company in the past, I guess we’ll just have to wait for Mark Zuckerberg’s testimony on Capitol Hill.

Be sure to share with all your friends. ; )

Written by turbotodd

March 29, 2018 at 9:57 am

Posted in 2018, facebook, privacy, social media


Batten Down The Hatches! IBM’s X-Force 2012 Trend And Risk Report


It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.

Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosed in 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.


But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued their upward trajectory.

At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.

What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.

That said, recent developments indicate that while these dangers still exist, X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.

In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure software mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.

The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed, they have become a favorite target of scam and phishing.


Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.

Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.

As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India claiming the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts continue to fool end users with crafty social-engineering email messages that look like legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.

Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.

Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.

Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.

Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.

The values for the evaluated threat and residual threat can be determined by comparing the likelihood or frequency of a threat occurring (high, medium, low) against the damage impact that could happen if the threat occurred (catastrophic, high, medium, low). The goal is to implement mitigation processes that either reduce the frequency of the threat occurring or reduce the impact if the threat does occur. A requirement for this to be successful is to have a specific, designated monitoring mechanism to monitor the implementation of the treatment processes and for the appearance of the threats. This monitoring mechanism should be monitored and alerts should be responded to. It does no good to have network-based anti-virus consoles gathering information about virus alerts across the network, if nobody is assigned to monitor the console and respond to those alerts. Monitoring and responding is part of the mitigation process. (An example threat assessment and risk mitigation process chart is provided below, though the IR team may identify a greater list.)
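To make the likelihood-versus-impact assessment concrete, here is an added example (not from the X-Force report, which gives no scoring scheme) that rates a threat on the report’s two scales, applies mitigations to obtain the residual threat, and, following the report’s point about unmonitored anti-virus consoles, gives a mitigation no credit unless someone is designated to watch its alerts. The multiplicative score, the rating bands, the threat and the mitigations are all assumptions constructed for the example.

```python
"""Threat assessment with evaluated and residual threat.

Added example. Likelihood (high, medium, low) and impact (catastrophic,
high, medium, low) follow the report; the numeric score, the rating bands
and the sample threat register are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3, "catastrophic": 4}


def threat_score(likelihood: str, impact: str) -> int:
    """Assumed scoring: likelihood x impact, range 1..12."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(score: int) -> str:
    """Assumed bands over the 1..12 score."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Mitigation:
    name: str
    reduces_likelihood_to: Optional[str] = None
    reduces_impact_to: Optional[str] = None
    # Named owner who watches the control's alerts. Without one the control
    # exists on paper only, which is the report's anti-virus-console point.
    monitored_by: Optional[str] = None


@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str
    mitigations: list = field(default_factory=list)

    def evaluated(self) -> tuple[int, str]:
        """Threat before any mitigation is applied."""
        score = threat_score(self.likelihood, self.impact)
        return score, rating(score)

    def residual(self) -> tuple[int, str, list[str]]:
        """Threat after applying only monitored mitigations; returns the
        residual score, its rating, and the names of mitigations ignored
        because nobody is assigned to respond to them."""
        lk, im = self.likelihood, self.impact
        unmonitored: list[str] = []
        for m in self.mitigations:
            if not m.monitored_by:
                unmonitored.append(m.name)
                continue
            # A mitigation can only lower a level, never raise it.
            if m.reduces_likelihood_to and LIKELIHOOD[m.reduces_likelihood_to] < LIKELIHOOD[lk]:
                lk = m.reduces_likelihood_to
            if m.reduces_impact_to and IMPACT[m.reduces_impact_to] < IMPACT[im]:
                im = m.reduces_impact_to
        score = threat_score(lk, im)
        return score, rating(score), unmonitored


# Constructed sample register entry. The AV console has no assigned owner,
# so it earns no credit until one is designated.
SAMPLE_THREAT = Threat(
    name="Malware delivered via web browser exploit kit",
    likelihood="high",
    impact="high",
    mitigations=[
        Mitigation("Network anti-virus console", reduces_likelihood_to="medium"),
        Mitigation("Browser and Java patch cadence", reduces_likelihood_to="medium",
                   monitored_by="desktop-ops"),
        Mitigation("Endpoint isolation playbook", reduces_impact_to="medium",
                   monitored_by="ir-team"),
    ],
)


def assess(threat: Threat) -> dict:
    """One row of the assessment chart for the threat."""
    ev_score, ev_rating = threat.evaluated()
    res_score, res_rating, unmonitored = threat.residual()
    return {
        "threat": threat.name,
        "evaluated": f"{ev_rating} ({ev_score})",
        "residual": f"{res_rating} ({res_score})",
        "unmonitored_controls": unmonitored,
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_THREAT).items():
        print(f"{k:>21}: {v}")
```

Assigning `monitored_by` to the anti-virus console entry does not change the residual score here, because the patch cadence already brings likelihood to medium, but it does clear the `unmonitored_controls` finding, which is the item an IR team would track.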


2012 X-Force Trend And Risk Report Highlights

Malware and the malicious web

  • In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
  • Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
  • The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique assisted in much higher connected uptime as well as having more bandwidth than home PCs to carry out the attacks. In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
  • IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
  • IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
  • Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity—the primary target of which are Java vulnerabilities—and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
  • Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment.

Web content trends, spam, and phishing

Web content trends

  • Top used websites are readily deployed as IPv6-ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
  • One third of all web access is done on websites which allow users to submit content such as web applications and social media.
  • Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.

Spam and phishing

  • Spam volume remained nearly flat in 2012.
  • India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
  • At the end of 2012, IBM reports that traditional spam is on the retreat, while scam and spam containing malicious attachments are on the rise. In addition, attackers are demonstrating more resiliency to botnet takedowns, which results in an uninterrupted flow of spam volume.

Operational Security Practices

Vulnerabilities and exploitation

  • In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
  • Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
  • Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. Cross-site scripting dominated the web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related. This is the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerabilities enjoyed a higher rate than 2011 but were still down significantly since 2010.
  • There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
  • Web browser vulnerabilities declined slightly for 2012, but not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical severity web browser vulnerabilities saw an increase of 59% for the year.
  • Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities has provided attackers and security professionals alike with information useful for enhancing their activities.
  • Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.

Emerging Trends In Security

Mobile

  • Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
  • Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in use or adoption could be the result of greater numbers of devices driving greater risk in the percentage of personally owned mobile devices versus personally owned PCs in a BYOD program.
  • In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
  • Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.

To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.

Turbo Imagines Searching Through His Facebook Graph


Facebook had the world waiting for its news yesterday.

There was interminable hyperbole about what the announcement would bring.

Facebook was preparing to conquer the world of mobile.

Facebook would FINALLY be introducing a mobile phone.

Facebook was going to send a coding team to Mars to write a search engine for Martians.

That last part I made up.

But hey, why not? Everyone else in the world was conjecturing about the primary topic of the looming announcement.

Being a marketer, I was caught up in it like everybody else, and also just as much in the dark.

Which was kind of the point.

There’s no question Facebook CEO Mark Zuckerberg has taken a few pages from the Steve Jobs “secrecy in marketing” playbook.

Announce you’re going to have an announcement, be as positively vague as possible, and then wait for the speculation onslaught to begin.

In the end, it was all about search, which has for Facebook’s short life been one of its more miserable capabilities, so in that respect, the news was welcomed.

Facebook was going to fix its search capability, allowing its users (albeit initially in a limited beta) the opportunity to search their Facebook social “graph” across a range of functions: People, pictures, interests.

The fact that it took two displaced Google engineers to come into Facebook to build this function adds only a wee bit of irony to the equation.

I, for one, immediately went and asked to participate in the beta, though my invitation will likely loom ignored in Zuck’s inbox for some time.

In the meantime, I will wait impatiently for the opportunity to go out and search my high school Facebook sub-graph to discern, once and for all, the most popular band during our golden years (My money’s on AC/DC, but Pink Floyd might give them a run for their “Money”).

Or, to discover via the serendipity that is inevitably going to characterize Facebook’s search graph, that Austin still largely prefers Uchi (in South Austin) to Mushashino (off Mopac) for its finer sushi, although the latter is always a good escape valve for the Uchi unagi lines snaking along South Lamar.

Or to find out that Facebookers around the world who root for the Chelsea Blues pretty much detest anything to do with Manchester United, with the exception of one person on the planet (me).  I like ’em both, but perhaps that’s just my attempt to pick TWO winners to try and make up for the recent massive deficit left by the wandering Dallas Cowboys.

No, much of this I already know, and Facebook search will simply be my new vindication engine, confirming the best and worst I thought of humanity in one fell graph searching sweep.

I just wonder if the new search graph is going to tell me something I don’t know.

Excuse me while I run over to Google to see if I can find out.

Written by turbotodd

January 16, 2013 at 4:01 pm
