There’s no way to spin this: Facebook is currently running a political ad with a false claim that Biden tried to bribe Ukraine regarding an investigation into a firm that employed his son. Facebook’s own fact-checking partners have debunked this claim, and yet, the ad has been viewed millions of times and even re-broadcasted by traditional media outlets.
According to its own misinformation policy governing ads, Facebook
“…prohibits ads that include claims debunked by third-party fact checkers or, in certain circumstances, claims debunked by organizations with particular expertise.”https://www.facebook.com/policies/ads/prohibited_content/misinformation
Open and shut case, right? Not so fast, or at least, no so fast as of September 24th, when Facebook “clarified” why it was allowing political ads containing lies to run on its platform unchecked. Facebook VP of Global Affairs and Communications Nick Clegg announced on the stage at the Atlantic Festival in Washington D.C.
“We have a responsibility to protect the platform from outside interference, and to make sure that when people pay us for political ads we make it as transparent as possible. But it is not our role to intervene when politicians speak.”https://newsroom.fb.com/news/2019/09/elections-and-political-speech/
And furthermore, Mr. Clegg cites a policy established in 2016 (approximately one month prior to the November 2016 elections) that literally grants an exception to ANY content it deems “newsworthy, significant or important to the public interest…“
“..if someone makes a statement or shares a post which breaks our community standards we will still allow it on our platform if we believe the public interest in seeing it outweighs the risk of harm.” (emphasis mine)https://newsroom.fb.com/news/2019/09/elections-and-political-speech/
I can get behind the principle of this – Facebook is trying to tread the fine line between unbiased distribution of information while facing the impossible task of fact-checking the millions of posts that are published on it platform. But here’s the hitch: Facebook is telling us that it has our best interests at heart, but has repeatedly demonstrated that this is just not the case. Also consider the fact that Facebook considers profanity banworthy but not outright falsehoods. Based solely on that alone, I would question whether or not Facebook has an accurate understanding of what is actually harmful. That and the incident where the spread of false information via Facebook actually lead to genocide, something that the world seems to have conveniently forgotten.
Given that political ads are resulting in millions of dollars in revenue a week for Facebook, and that Mark Zuckerberg has been quietly hosting private dinners with high-profile right-wing conservatives (a verifiable large source of ad revenue) who have been critical of Facebook in the past, its pretty clear that Facebook knows exactly which side butters its toast.
I don’t care which side of the political spectrum an ad comes from, but I do care if you are relying on falsehoods instead of facts to profit, and I find it offensive that the world’s biggest social media platform on which billions trust as their primary news source disrespects its customers with double standards and naked profiteering. At minimum, you should be taking everything you see on Facebook with a huge grain of salt, especially the political ads.
I’ve spent the last 2 blogs getting you pumped up to upgrade to Windows 10, but you should know that despite being an overall improvement from Windows 7 and 8 in many ways, there are several aspects of the “new” operating system that are markedly different from Windows 7, and a few that are, in my opinion, a step backwards from the stability of Windows 7. Regardless of these blemishes, none of us are being given an option to live in the past except at increasing risk, so get ready to love Windows 10, warts and all.
The Bad and the Ugly (Sorry, no “Good” today!)
If you’ve not spent any time doing work on a Windows 10 computer, these may be eye openers for you and as near as I can tell, they are unavoidable for the moment:
- Windows updates are forced. You can defer them for awhile, but at a certain point, you will get updated if you are connected to the internet. There are ways to work around this to a limited degree, but it’s not recommended unless you know specifically that a Windows 10 update will break an application on your computer. And even in these special circumstances it is in your best interest to get that app updated so that it will be in-step with Microsoft’s update cadence. The longer you go, the more onerous the update will be when it happens. See the next wart to understand why you don’t want this
- Windows updates will sometimes temporarily slow down your computer A LOT. Depending on the size of the update, this may be for a few minutes, or, for slower, older computers, the slow down will be several hours and it…will…be…punishing. You can’t stop it (without dire consequences) and there really isn’t any way to make it go faster other than to stop using your computer altogether while it’s updating.
- Windows updates will break your printers (sometimes). I know it’s Microsoft trying to be helpful by providing “updated” printer drivers for your installed printers, but 9 times out of 10, their driver isn’t as fully featured as the manufacturer’s driver, and on older printers, often doesn’t work at all. Be prepared to reinstall your printer drivers after a major Windows update.
- Windows updates will break your PDF reader setting. Again, Microsoft is trying to be helpful by providing you with a PDF reader by changing your computer’s default PDF app to it’s new browser Edge, and to be fair, it does an OK job as a PDF reader. But for those of you who spent an arm and leg to pay for Acrobat, I’m sure that Microsoft’s cheekiness rubs you at least $200 in the wrong direction.
- The fancy new Start Menu will occasionally be populated by games and apps that you did not install. I won’t provide an excuse for this behavior. I find it galling but put up with it because I’m too lazy to remove them, and frankly, I don’t even use the Start Menu, so I don’t see the blatant marketing. Again, there are fixes that require a certain amount of Macguyver’ing that most folks just won’t do, so get ready to ignore yet more advertising on your computer.
- Cortana is useless. It’s not Siri, Alexa nor is it OK Google. I’ve not met anyone who finds it useful or even accurate on a consistent basis. Don’t even bother. You can turn it off but you can’t remove it (yet).
- Windows 10 wants to control your other application defaults. This particular aspect isn’t as consistently annoying as the PDF one mentioned above, but Windows 10 will occasionally challenge you by changing your default printer, internet browser, photo viewer and email reader to the Microsoft designated app.
I’d like to say that none of these are showstoppers, but for many of clients the top 2-3 are frequent work-stoppers, often enough that they’ve come to dread Windows updates almost as much as we do here at C2. I’ve talked a little about this in a previous blog, but despite quite a bit of rabble-rousing from our industry, Microsoft continues to use us as captive beta-testers. Unfortunately, most average Windows users don’t make good testers, so it’s become something of a vicious circle. Over the years of using Windows 10, the one thing I’ve noticed is that the longer you put off applying the updates, the worse it gets in terms of impacting you at exactly the wrong time. My best advice for everyone using Windows 10 – apply those updates on your own terms – don’t wait for Microsoft take that decision (and time) out of your hands.
Hopefully you read last week’s blog about the upcoming demise of Windows 7 and have made the decision to purchase a new Windows 10 machine. Even if you’ve decided to take the decidedly rougher path of Windows 7 to 10 upgrade on the same machine, you should still keep reading so that you can truly weigh both options and know what’s ahead on either path. For most of us, getting a new computer is not something that happens very frequently. Even yours truly has been using the same laptop for over 6 years now! Unfortunately, transitioning to a new computer is never easy, especially if you are moving to a new operating system, but with some preparation and planning, the process doesn’t have to be a showstopper.
Get your transition ducks in a row
The below recommendations apply to both new machine upgrades as well as Windows 7 upgrades, so get ready to do some homework! Even if you are planning to engage a professional to handle the migration for you, you can save yourself some time and money by doing a little preparation.
- First and foremost, backup your data, then make sure that backup is good. I just had a client run a backup to an external USB drive, only to find that device had failed after a few weeks resulting in 100% data loss, so make sure you consider a cloud backup for real peace of mind. Note that no professional worthy of the title will perform an in-place Windows 10 upgrade without verifying your data is backed up.
- Clean up your files. Make sure you know where all your data is, what the folders are called, and for deity’s sake, delete old files you don’t need. Just like moving house, don’t pack up stuff and pay to have it moved just so you can throw it away at the new place. You backed up your data, right?
- Take an inventory of your applications. Make sure they will work on Windows 10, and if not, purchase new or upgrade your existing licenses to versions that are supported on Windows 10. This is also a good time to gather your installation discs (if you still have them), activation codes, account logins and passwords. Most modern applications like MS Office, Adobe Acrobat, Quickbooks, etc can be downloaded from the internet but just about all of the expensive ones will require a login, activation code, or some other proof of purchase when reinstalling them on a new machine. They may also require that you remove the software on the old machine before you can install on the new, so plan accordingly.
- Decide if you want to transfer all of your existing app settings and customizations, or if you’d like to start new. For some things like browser bookmarks and saved passwords, this can be accomplished by using persistent cloud accounts associated with the browser of your choice – Google, Firefox and Microsoft all offer this option as part of their respective browsers, but you need to set up the account and turn on account syncing for this to work. Other things, like Outlook interface customization are harder to sync across computers, and in some cases impossible if you are moving to a new version of the app. If you are in doubt, take pictures of your custom settings and changes. The pictures will be invaluable when trying to set up your new computer and you’ve already uninstalled the app on the old computer.
- Run a malware scan on your computer. Make sure the OS is clean and your files are clean as well. You don’t want to transfer any trojans onto your new computer, especially as it may be slightly more vulnerable during the transition.
- Plan for the downtime. Depending on the path you are taking, upgrading existing or transitioning to new hardware, the process can take multiple hours, even when performed by an experienced professional. If you need to be working during this time, have another machine you can use, or figure out how to stay productive with your mobile devices and web-version of your apps.
Next week: how the Windows 10 upgrade sausage is actually made.
The day that many people are dreading is fast approaching: Microsoft is ending extended support for Windows 7 as January 2020, which means that it will no longer be providing updates and fixes to the extremely popular and widely used operating system. What you may not have realized was that Microsoft actually ended mainstream support for 7 back in 2015, which was when it stopped developing new features for the OS, and stopped taking support calls from users about Windows 7. It’s a testament to the stability and relative security that it’s still in wide use essentially on the eve of it’s retirement, but like all good things, it has to come to an end.
Don’t panic. You have options, but inaction is not one of them.
The primary question I am asked when briefing clients about retiring Windows 7 in their organizations is whether they should upgrade their existing machines, or buy new ones. The simple answer to this, though definitely not the one they necessarily like to hear, is that buying new computers built for Windows 10 are, dollar for dollar, a better investment than upgrading older PCs. Of course there are exceptions, but keep in mind that most PCs that still have a factory-installed Windows 7 OS are likely 3-4 years old at this point, as computers started shipping with Windows 10 mid-2015.
If you’d like to evaluate whether or not your computer is worthy of upgrading versus replacing, consider these factors:
- If your computer is still covered by a warranty, it’s worth considering an upgrade over replacing it.
- Is your computer older than 4 years? Definitely consider replacing, as many of the hardware parts are actually approaching physical end of life and are more likely to fail, regardless of OS.
- Is your CPU an Intel processor 4th generation or higher? Older CPUs will not fair well with Windows 10.
- Do you have at least 4GB of RAM? No? Don’t bother. Four GB is the bare minimum, and 8GB is recommended.
- Running a lot of older applications that you can’t update or upgrade? Upgrading to Windows 10 will likely break those apps. If your business depends on apps that are unsupported on Windows 10, you and I need to have a different discussion.
Even though it’s technically possible to upgrade just about any computer running at least an Intel Core processor (i3, i5 and i7) and 4GB of RAM, there is still a certain amount of work involved in going through this process (which I will detail in next week’s blog). Even if upgrading to Windows 10 results in a functional computer, you are only delaying the inevitable replacement of the device. Still, this is an acceptable path if your short-term budget cannot cover an immediate replacement and you have a longer-term plan to replace the device. On later model PCs, installing Windows 10 can result in some performance gains as well as definite security improvements, but PC’s 4 years and older rarely improve in performance, and the short-term gains are typically overwhelmed the longer that PC is used in any business-critical environment.
If you don’t have a Google account or use the Google calendar feature, you can stop reading and maybe read something from our back catalog. Still with us? Good, I’ll explain what’s happening, and then how you can plug this particular vulnerability. To put it simply, scammers are sending calendar invites to Google users that have malicious links embedded in the text of the invite. Not so bad, right? You know how to spot those. Except these aren’t emails – they are calendar invites that are being automatically added to your calendar courtesy of some default settings that Google has still not changed despite being warned about it nearly 2 years ago. The problem comes when these fake invites actually pop up as a notification on your phone or computer, and as we are all trained to do, we click to get more information, possibly on a disguised link in the text of the invite, and BAM, you are infected.
Here’s how you stop this
You have to do this via a web browser, and I would recommend using a computer instead of your phone, mostly so you can confirm you are changing the correct setting by matching what you see with the screenshots below.
Log into your Google Account. This link will take you to your calendar if you are already logged in, or to the login screen if you are not – https://calendar.google.com/
Look for the gear icon in the upper right corner of the calendar web page and click “Settings”:
Under the “General” menu, click “Event settings” and then look for the “Automatically add invitations” setting which probably says “Yes”:
Change that setting to “No, only show invitations to which I have responded”
Next you may want to consider disabling Google’s “Events from Gmail” function which automatically adds events to your calendar based upon emails you receive, such as flight confirmations, restaurant reservations, concert ticket receipts, etc. If you don’t regularly rely on this feature, you should turn it off until Google is able to further secure calendars from fake invitations.
If you want to disable this feature, look in the left column for “Events from Gmail”, click it, then uncheck the “Automatically add events from Gmail to my calendar”.
Finally, if you already have fake invites in your calendar, you can report them as spam, and Google will automatically remove any other invites on your calendar from that same sender. You also have to do this from a computer web browser. Do not do this from your calendar app on your mobile device.
To report a Google calendar event as spam, find the event in your calendar, open it and then click the three-dot icon “Options” and then select “Report as spam”:
Photo courtesy of Stuart Miles from FreeDigitalPhotos.net
In case you haven’t already been scared silly by the concept, “deep fakes” are a new classification of videos wherein the faces of the subjects of the videos, usually short clips from movies or talk shows with easily recognizable actors, are replaced with a different face. While skilled video and movie special effects editors have been doing this for decades, the effect was usually obvious and it took an expensive special effects studio to produce the result. Now, we have YouTubers producing clips like the below which is amazing and terrifying at the same time:
What this means for you
The amazing part is easy to see (or not see). At some point in the video, I forget that I’m looking a Bill Hader and can only see Arnold’s face, which coupled with his excellent impression of the Governator, makes it look AND sound like Schwarzenegger is sitting with Conan instead of Hader. The terrifying part? This was done by one guy using open source software that doesn’t require an entire special effects studio team to produce.
If that isn’t enough to put a chill in your bones here are a few recent deep fake news stories that should wake you right up:
- The Democratic National Committee produced a deep fake video of their own chair Tom Perez for this year’s Def Con (one of the biggest hacker conventions in the world) to highlight the dangers deep fakes present to the 2020 elections.
- A Chinese app maker just released a free app on the Chinese iOS App store that can use a single picture to replace actors’ faces in a collection of famous movie clips.
- A scammer used a deep fake audio application to impersonate the voice of a UK energy firm CEO which was convincing enough to trick an employee into transferring over $200k to an unauthorized bank account, from where it was quickly transferred and laundered through multiple international accounts.
There’s that elephant again, though at least this time, there are a lot of people talking about it. Technology is again racing ahead of ethics, morality and law, and shows no signs of stopping. Will it take money or elections being stolen before anything is done about it? Have we hit a point where society will always be trailing technology, picking up the broken pieces and taping together integrity as best we can?
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
I’m pretty sure most of us pay very little attention when our mobile phones ask to update the installed apps, even if during that process your phone asks if its OK to grant new permissions to an app that needs access to your contacts, camera, phone or local filesystem. The app is already installed on the phone and you use it (sometimes), so where’s the harm? Unfortunately for millions of Android users who had an app called CamScanner on their phone, the latest version came with a malware delivery vehicle called a Trojan Dropper. This bit of software, once installed, can reach out to a designated server on the internet and download encrypted code which can then be decrypted and run on the device without any action required by the phone owner.
What this means for you
Unfortunately for Android users, even the ones that keep on the straight-and-narrow and only install Play Store apps, staying inside Google’s “walled garden” is sometimes more like wandering around a hedge maze full of holes, thorny bushes and no clear exits. Earlier this month, Google had to remove 34 apps that collectively had been downloaded over 100 million times because they contained a similar bit of malware called a Clicker Trojan. In cases like the Dropper and this Clicker Trojan, the software is designed to allow hackers to covertly subscribe the users to costly subscription services and repeatedly open websites in massive advertising click-fraud campaigns, generating millions of dollars for the attackers, often going completely unnoticed on the compromised phones.
As with many types of malware infections, the underlying cause is often either a lack of understanding of how phones can be infected or what that behavior might look like on a mobile device, or, in many cases, a lack of patience or even care for the diligence required to notice the problem in the first place. If you need some basic guidelines on navigating the mobile app safety maze, here are some things you should always observe:
- Remove any apps you aren’t using, especially ones you don’t remember installing.
- Always read the reviews on apps that you are considering installing. Look for complaints about ads, popups, unusual behavior or suspicious permissions requests.
- Keep track of what you install, and observe your phone closely after installing a new app. The Clicker Trojan mentioned above didn’t activate until 8 hours of being installed to avoid detection.
- Always be suspicious of an app’s request for unusual permissions. If you want to be on the safe side, deny all permissions during install, but be aware that many legitimate apps need access to various functions of your phone to operate properly, and denying permissions will likely cause the app to function poorly or not at all.
- Never install apps from any store other than the official Apple or Google stores. Jailbreaking or rooting your phone, even if you know what you are doing, is not recommended, and at minimum will void your warranty and absolve the carrier and phone manufacturer from providing any kind of support.
- Watch your phone bill and credit cards for unusual charges, especially if you have your bill set to auto-pay through credit card.
Ransomware attacks are on the rise. Depending on which security company you get your news from, the percentage increase from 2018 varies from 110% to a whopping 365% as reported by Malwarebytes Labs. Also important to note: attackers are going after government institutions in the US in a noticeable way. Since the start of 2019, there have been 22 documented attacks on city, county or state governments, including the high-profile incident in Baltimore which I wrote about back in May of this year which has thus far resulted in $18 million in remediation costs and lost revenue. Not to be outdone, the state of Texas can add new record to its list of big things: 23 local government organizations were attacked simultaneously in what is being called the largest coordinated ransomware attack against multiple government entities…so far.
What this means for you
Unless you happened to be served by one of the 23 unlucky institutions affected by this attack, this will be one more splash of water in our ongoing drink from the malware fire hose. Texas officials are keeping mum so far on who-what-where’s of the attack, but if I had to guess, someone got phished via email, gave up credentials, which led to the hackers being able to drop malware on critical systems that all went off on August 16th. Given the breadth of the attack, it’s likely the attackers have been working this particular set of targets for months, meaning it was organized and purposeful.
You might not have noticed this, but ransomware attacks had slipped to the background in 2017, but they are back with a vengeance and focused on businesses and government entities because the hackers realized deeper pockets are just as susceptible to ransomware, and are more likely to pay ransoms because they can’t afford to not pay, as seems to be painfully exemplified by Baltimore’s ongoing recovery. As always, your best protection against this type of malicious, technological pollution is a multi-layered defense perimeter that consists of at minimum: email filtering, workstation and server malware protection, a strong firewall, and cloud-based backups. If you can add employee training to that list, you will be much better protected than your neighbor or even the competition. And in case you were wondering where you might be able to cover all these bases with one call, just give us a ring.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakastani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
Image courtesy of TAW4 at FreeDigitalPhotos.net
It’s a day ending in “Y” so that means yet another company CEO is on the news apologizing for exposing your PII to the internet. This time around it’s Capital One CEO Richard Fairbank having to say sorry for letting a hacker get access to approximately 100 million US and 6 million Canadian credit card applications. While Capitol One was quick to try to downplay the severity of the the incident, asserting that no credit card numbers were stolen, there is no sidestepping the fact that the hacker, who has since been arrested, was attempting to sell information that includes 140K US Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as an undisclosed number of names, addresses, credit scores, limits and balances.
Not feeling violated enough yet?
To add to everyone’s continuing dystopian nightmare this week, Apple was recently caught in a glaring contradiction to its ongoing marketing message of being a champion of its users’ privacy. Despite buying huge billboards touting that “what happens on your iPhone stays on your iPhone”, a whistleblower has shared damning details on Apple’s use of contractors who have access to numerous private and very sensitive audio snippets recorded by Siri. According to Apple, only a small number of Siri requests are reviewed by humans for accuracy and algorithm tuning, and supposedly these small audio files are semi-anonymized to protect user privacy. Not so, says the whistleblower. As anyone who uses a voice-activated device can attest, Siri and its ilk can perk an ear up even when not being directly addressed, resulting in plenty of unintended recordings that people would definitely not want shared.
“…you can definitely hear a doctor and patient, talking about the medical history of the patient. Or you’d hear someone, maybe with car engine background noise – you can’t say definitely, but it’s a drug deal … you can definitely hear it happening. And you’d hear, like, people engaging in sexual acts that are accidentally recorded on the pod or the watch.”Anonymous Apple Contractor to The Guardian, 26JUL2019
An important distinction needs to be made with regards to Apple’s voice recognition data gathering practices, especially since they themselves take great pains to tout their privacy advocacy. While Google and Amazon both allow some opt out options on the use of their recordings, Apple does not offer this option short of disabling Siri altogether.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net