It’s been a solid three weeks since Facebook last graced our blog, but just like the proverbial bad penny, it can’t stop turning up in the news for all the wrong reasons. There is a worn adage that claims there is no such thing as bad PR, but in Facebook’s case, I’m betting they’d rather stay out of the spotlight for a little longer. During CEO Mark Zuckerberg’s grueling congressional testimony earlier this year, Mr. Zuckerberg assured senators that Facebook users had complete control over who sees their data as well as how it is shared. In a recent interview with the NY Times, Facebook has now owned up to previously undisclosed data-sharing relationships with four Chinese manufacturers, including Huawei, which is viewed by American intelligence officials as a national security “threat” due to its close ties with the Chinese government.
What this means for you
According to an agreement Facebook entered into with the Federal Trade Commission in 2011, Facebook is not allowed to override a user’s privacy settings without first getting explicit consent. As part of the partnership agreement with these manufacturers – Huawei, Lenovo, Oppo and TC – Facebook granted these partners privileged access to data collected through Facebook apps installed on their devices, even to the point of overriding the user’s explicit denial of access. Facebook executives have argued that they adhered to the letter of the 2011 consent decree because the data in question (your data, your friends’ data, and your friends’ friends’ data) never actually leaves the device, and is only used “locally” to power applications and social media platforms. I’m no lawyer, but that sounds like splitting hairs, and as has been amply demonstrated by the Cambridge Analytica debacle (not even 2 months old, mind you!), relying on a partner company to adhere to Facebook’s privacy policies is no guarantee, nor apparently something Facebook can even enforce, once again demonstrating a clear gap in trustworthiness. Should you continue to use Facebook? As long as you keep your eyes open to the fact that Facebook might not be as transparent as they promise, even in the face of Congressional scrutiny and, more importantly, the watchful eye of journalistic rigor.
Unfortunately for the information security industry, a lot of other news was breaking this past Memorial Day weekend, so it’s entirely possible that you missed a PSA, tweet or even email from the Federal Bureau of Investigation asking you, citizen, to please reboot your SOHO (Small Office/Home Office) router, and to also disable remote management (if enabled) on the device. Apparently, up to half a million routers from Linksys, MikroTik, NetGear and TP-Link, as well as network attached storage (NAS) devices from QNAP, are impacted by this malware threat, which has spread to 54 countries around the world. Initial analysis pins the blame on the Advanced Persistent Threat (APT) group APT28, or “Fancy Bear” – the same group accused of perpetrating the attacks on the Democratic National Committee in 2016.
What this means for you
If you happen to be one of our managed firewall clients, you are not impacted by this version of the VPNFilter malware. However, if you happen to be powered by one of the devices listed below, you should contact us immediately to discuss the short- and long-term security implications:
Linksys Devices:
- E1200
- E2500
- WRVS4400N
Mikrotik RouterOS Versions for Cloud Core Routers:
- 1016
- 1036
- 1072
Netgear Devices:
- DGN2200
- R6400
- R7000
- R8000
- WNR1000
- WNR2000
QNAP Devices:
- TS251
- TS439 Pro
TP-Link Devices:
- R600VPN
Researchers are still trying to determine exactly what this attack platform is meant to do, but they have confirmed that it can collect confidential information (such as website logins) and has a self-destruct code that can literally render affected devices inoperable, possibly permanently.
In the short term, rebooting the router will eliminate part of the threat, but if the device is compromised, the only way to remove the rest of the malware is to completely factory reset the device (or replace it), which means you will have to reprogram it to get connected back to the internet. If you’ve not done this before (and even if you have), this may not be straightforward and can be very disruptive to your operations. Most professional environments, especially offices with servers, may have configurations that are modified from the “vanilla” settings provided by a factory reset, and unless you have a backup or written documentation, these may be difficult to reproduce quickly or without a lot of trial and error. Make sure you consult with a technology professional before pushing the factory reset button on your device.
Image courtesy of Nat_Stocker at FreeDigitalPhotos.net
Over the past 2 weeks, all of you have probably been beset with numerous emails from the various websites and online services with whom you regularly (or even infrequently) interact, notifying you that their terms of service/use or privacy policies have changed. Depending on how closely you may be paying attention to the ceaseless flood of data we call our inboxes these days, this might have struck you as rather odd. You might have also noticed a common set of letters sprinkled throughout these emails, “GDPR”, an unfamiliar acronym that seems to have an inordinate amount of influence over all of these companies, including ones we all assumed determined what exactly we could view as private or public. In this case, this particular bit of alphabet soup stands for “General Data Protection Regulation” and it is a new set of rules that govern how EU citizen data should be handled globally, starting May 25, 2018.
For the most part, the GDPR only governs data protection and privacy for EU and EEA citizens, and is designed to provide better protection and control of their personal data to those individuals, as well as unify the regulatory environment for international organizations that collect and use that data. Without diving into the gory details, the core intent of the GDPR is to require any organization that handles data generated by EU/EEA individuals to clearly disclose what data is being collected, how and why it is collected, how long it will be retained and whether it is being shared with third parties. These same users have a right to request a copy of the data collected, and in certain appropriate circumstances, to request that the data be erased or removed.
What does this mean for Americans?
While you may think this should have zero impact on you as an American citizen, there are two things to consider. We all interact with businesses and organizations that operate globally. You could probably name 5 companies that have specifically changed their policies to comply with GDPR by scanning your inbox: Facebook, Google, Twitter, Instagram, and Microsoft are just a few of the ones in mine. The “side-effect” of these companies reshaping their operations to comply with GDPR means an improvement for users in terms of privacy and security for everyone, regardless of country. Though some companies may make changes to only their non-US operations and processes due to budgetary or resource constraints, it typically makes better long-term sense to streamline or consolidate operations around the most secure and compliant technologies. A rising tide of privacy protection raises all boats.
Secondly, if you own, operate or work for an organization that collects data from EU citizens, you are subject to the GDPR, regardless of where your business physically resides. Make sure you understand how this impacts your business practices, specifically in the area of data security and privacy policy.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
I’d like to say we actually went a few weeks without having to talk about Facebook because they weren’t in the news, but in reality, they were. I was just exhausted with the punishment they have been taking in the media ring, and rang the bell out of mercy rather than letting them continue to get pounded, at least on this blog. But break time is over and it’s time to lace up. Facebook did come out swinging earlier this week, publicizing their last quarter’s efforts to clean the place up: over half a billion fake accounts have been banned since the start of 2018, and they have removed nearly one billion posts that violated the social media giant’s guidelines. But the wind was snatched from their sails with news of yet another breach of user privacy, as researchers at New Scientist uncovered a leak of three million users’ extremely confidential data gathered by an app called My Personality. The app, designed by psychometric researchers affiliated with Cambridge University, gathered in-depth psychological data on over six million users, half of whom agreed to share their data anonymously with third parties for research purposes.
Pinky-swear to keep this data confidential?
While I’m sure they didn’t intend to out three million people to the internet, a class project uploaded to a popular code-sharing website by university students was found to contain a login and password to the protected database built by the My Personality team. Whoops. And that data was there, available for the public to access, for 4 years. Double-whoops. Here’s the thing: in order to gain access to this data originally, one had to register for access, and was supposedly bound by a strict confidentiality clause. Two hundred and eighty people from 150 companies did register, but you can bet at least an equal number (and probably many more) did not, once they discovered the “backdoor” uploaded to GitHub. And the thing about data is that once it’s out of the barn, there is no telling where it went from there. There’s a hard lesson to be learned from all of this: it’s extremely difficult to control data once you relinquish any control over it, and this control all but vanishes literally one step from that first line of control, as the scope of managing the chain of custody expands exponentially. You can liken this to the old party game of “Telephone”, but instead of the message getting muddled with each person, the security and responsibility get hopelessly mangled literally in the next whispered exchange.
The concept of a virtual assistant isn’t new – the practice has been around for easily a decade, if not longer, and traditionally described someone hired to work as a personal assistant who wasn’t physically located near the person they were assisting. Initially received very coolly, the practice has become fairly commonplace, though somewhat outmoded now by easier-to-use technology and the internet itself, both of which enabled the concept of a virtual assistant in the first place.
When Google and Apple introduced their voice-activated “assistants” there was a thought that our smart phones might actually be able to act as, well, real assistants. Heck, I was counting on it, given the amount of time I’m stuck in traffic. And sadly, we found that both platforms, as well as the many copy-cats and voice-enabled apps that followed, were barely usable on a good day, and more often a source of amusement than anything else. Amazon’s Alexa is perhaps the closest we’ve come to having a useful, voice-activated device, maybe until now. Google’s CEO Sundar Pichai demonstrated Google Assistant scheduling an appointment via phone as part of the Google I/O Conference keynote, and it’s an exciting glimpse into the future some of us have always dreamed of.
Would you take a call from a truly virtual assistant? What if you didn’t know the person on the other end wasn’t human? More importantly, would you trust Google to set your calendar for you? I’m willing to give it a try!
While I know I should be grateful that it’s a slow news week for technology, it makes writing this blog a little challenging. However there are a few bits of news that may be of interest to at least some of you. Taken individually, each item is probably not worth more than a “Hmph” from the average reader. Together they form a lumpy potpourri of cautionary tales that only serve to highlight our favorite elephant on the internet.
Volkswagen & Audi Cars get hacked
No one should be surprised that if you put a Wi-Fi-enabled infotainment system in a new car, someone is going to try to hack it. Dutch researchers from Computest did just that, and succeeded in compromising the system significantly by gaining access to the root account of the in-vehicle infotainment system, which allowed them to view various telemetry data including current and previous locations, address books and even the car’s microphone. Additionally, the researchers hypothesized that they could have accessed the car’s acceleration and braking systems, but stopped short of doing so for fear of being sued by VW. To its credit, VW’s engineers took Computest’s findings under advisement and have supposedly plugged the holes for certain models, but it’s unclear how they would handle the millions of cars on the road that do not have the means for an over-the-air update to patch the vulnerabilities. Researchers also concluded that Volkswagen, prior to Computest’s discovery, had not properly tested the infotainment system for these types of security issues. Volkswagen excuses this failing as part of their transition from automaker to “mobility provider”, which only serves to highlight how big companies, to this day, struggle to balance profit with security.
Core IRS tech platform goes down on Tax Day
Surprising: The Internal Revenue Service online tax submission platform went down on April 17. I don’t remember this happening in recent years, and their track record may go as far back as when they first started taking digital submissions in 1986.
Not Surprising: The reason the IRS went down – a core computing platform reliant on technology built in the 1960s. That’s right, the IRS processes some of its data on technology that’s over 50 years old. I can’t even wrap my head around how they can actually keep that technology going when we struggle to keep two-year-old laptops functional. This is the organization that handles our tax dollars, at “work”. However, I do concede that replacing this ancient mainframe powering the IRS is probably akin to performing open-heart surgery on oneself while keeping pace in the Boston Marathon – not a casual undertaking, and something that can only be done once. You’d think they have enough money for this, but apparently the project to do just this is millions of dollars over budget and years behind schedule. Surprise, surprise.
Do you remember when a technology company in the media spotlight usually meant something exciting and shiny was being announced? Those days seem so distant now. Back then, Jobs was giving us “one more thing,” Google was actually trying to not be evil, Flash was still doing amazing things on the web, Facebook was connecting us with long-lost friends and relatives, and Yahoo was the darling search engine and homepage for millions. Unfortunately for all involved, their present-day state reads like a click-bait-y “Where are they now?” article, and it’s just as depressing as you might think, at least as far as Yahoo Mail is concerned.
So where is Yahoo now?
The former internet giant was divvied up in 2015 between Oath Inc (aka Verizon) and a new company called Altaba. Oath took over the ailing portal and email services, while the more profitable parts of the business, including Yahoo! Japan and their investments in Alibaba were consolidated under Altaba. While it may be hard to comprehend why anyone, let alone Verizon, would pay to take over Yahoo Mail, apparently the revenue potential of millions of eyeballs trying to read emails surrounded by advertising whetted someone’s appetite. Whatever tantalizing profit potential that might have existed, it’s considerably less thanks to a $35M fine handed down by the SEC for the company’s failure to inform its investors of the 2014 breach, which, keep in mind, was a paltry 500M accounts breached as compared to the 3 billion accounts breached in the previous year. Oh, and don’t forget, it’s also highly likely that the US government scanned your Ymail for terrorist activity as well. Would you think less of me if I started calling this service “Why-mail”? Or maybe “Y-R-U-still-using-this-mail”. Oh, how the might-Y have fallen. Alright, I’ll stop now, please don’t unsubscribe!
It used to be a simple topic to explain: if the hacking attempt to undermine or subvert a government entity was sponsored by another country, it was considered cyberwarfare, and if by a geo-political group (but not a recognized nation), cyber-terrorism. Everything else fell into the lesser evil that was spam used by desperate marketers, and viruses used by anarchists and pranksters to sow chaos and prove hacking prowess. Six or seven years ago, for most of us, malware was a nuisance, sometimes a business headache and relatively uncommon. Spam was a significant threat, but mostly in that it prevented us from reading important emails in a timely fashion.
Welcome to 2018
Malware and spam have become so prevalent that no device with a processing unit is safe, which translates to essentially anything that can connect to the internet. On top of this, both criminal and subversive political entities (nations, terrorists and even activists) have thoroughly integrated these tools within a larger internet-powered toolkit that also includes social media and big-data algorithms. The result? These shadowy groups have developed an eye-popping ability to coalesce disparate demographic niches or divide communities according to various agendas, most of which could be considered detrimental to the advancement of humanity. Hacking a nation to swing an election used to be science fiction, but now it seems way closer to home than we thought. Ransomware made criminals $24M in 2015, $1B in 2016, and is predicted to top $5B in 2017. This particular type of malware became the darling of online-organized crime and has held businesses, hospitals, churches and even an entire city hostage for crippling amounts of time. Personal information and identity theft have become so commonplace that even the massive Equifax breach has been essentially forgotten. You may not have realized it, but the real cyberwar isn’t being fought between nations. This is a war for the legitimacy and integrity of the internet, and we are all on the front line. What’s perhaps most terrifying is that it’s no longer clear who the bad guys are, and whether there is anyone standing up for the average human just trying to make it through the day without being hacked, breached, phished, spammed or misled.
Image courtesy of freebieshutterb at FreeDigitalPhotos.net
We might be setting a blog record as Facebook makes our front page for the fourth week in a row. Lest you think I’m resting on my laurels and taking easy swings at low hanging fruit (mixed metaphors for the win!), Facebook’s fall from grace might be the biggest tech story of the decade, and this is happening alongside Intel’s monstrous security flaw, the Equifax breach (remember that one?), and the dismantling of Net Neutrality. And those are just the ones I can recall off the top of my head! I’d love to be writing about other things, but due to its sheer size and global reach, this evolving disaster is something from which we cannot (and must not) look away. The Cambridge Analytica debacle is the gift that keeps on giving, but unfortunately it’s the mother of all white elephants as far as Zuckerberg et al. are concerned, and I’m sure a large helping of “do not want” is being served around the table at Chez Facebook.
It’s like watching a slow-motion derailment
Mark Zuckerberg may be one of the richest technocrats on Earth at the moment, but that didn’t stop Congress from skewering him in a multi-hour, publicly televised congressional hearing. On the whole, I’d say he’s lucky some of the Senators are in their 60s and 70s, and clearly did not have a solid grasp of Facebook’s technology, allowing him to sidestep some of the more naive or ill-informed questions. But several more savvy Senators put him square into a glaring spotlight that he could not dodge: What is Facebook doing to combat hate speech? Is Facebook a monopoly? Are Cambridge Analytica and the Russian “troll farm” Internet Research Agency somehow connected? Was Facebook selectively biased towards left-leaning content? Perhaps most telling was Sen. Durbin’s (D-Ill.) line of questioning: “Would (Zuckerberg) share the name of the hotel he stayed in last night?” to which the CEO responded, “No, I would not choose to do that publicly here.” Audible laughter from the room rang that point home.
Given the attention focused on digital privacy, two US Senators have hitched a new bill to the hype train, named the CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) Act, which calls for much stricter and better defined consent from consumers, putting the onus on providers to secure a user’s affirmative consent, i.e. “opt in”, as opposed to the current policy trend of requiring users to “opt out.”
And in case you need any more confirmation that Facebook might not have your best interests at heart, California’s own Senator Kamala Harris zeroed in on what I believe is a key takeaway from this current circus. When asked by Sen. Harris, point-blank, about the decision made at Facebook in 2015 to not notify users that their data had been inappropriately shared with Cambridge Analytica, Zuckerberg admitted, “in retrospect it was a mistake.” This was an important question, as Facebook’s failure to notify users of this breach is probably a direct violation of a deal the internet company reached with the SEC in 2011 that barred the company from making misrepresentations about the privacy or security of consumers’ personal information.
In case you are curious as to whether your information was shared with Cambridge Analytica in the breach mentioned above, you can click this Facebook link for an immediate look at what, if any, of your personal information was shared.
If the past few weeks haven’t opened your eyes to the Facebook monster, let me share a picture with you that will be worth way more words than I could possibly write.
Go ahead. Click on that picture and take a good look. That’s an actual screenshot of my Facebook account settings. And no, I did not set that particular label anywhere in my profile. Nor do I participate in the various Facebook personality quizzes (“What type of shoe are you?”), and as you might have guessed, my posts are usually for the business, especially in the last few years. I was most active when I first opened my account, and slowly tapered off when Facebook and I “grew apart,” to the point where my usage is purely mercenary and academic. Also, as any of you who socialize with me probably already know, that label isn’t inaccurate, but it is a gross over-generalization of my political viewpoints. Plural.
What the F…acebook?!
You can find this bit of data by going to your Facebook Settings and clicking the “Ads” icon on the left menu bar. Expand the “Your information” section, and then click the “Your categories” tab. If you are disturbed about the categories with which you’ve been labeled, you can click the faint “x” on the right side of each label to delete them. You can also tell Facebook that you don’t want advertising targeted based upon your profile information by turning off each category, but if you read carefully, they tell you (in small print), “We may still add you to categories related to these fields.” You can bet that whatever you remove in the categories section will probably be put back in the near future. And who knows what stuff they aren’t showing us.
Labels aside, even knowing what I know about Facebook and its recent flaying in the news, this particular thing struck me as a perfect, stark example of how Facebook (and the internet) has categorized everyone. Apparently the variations of this particular category are Very Liberal, Liberal, Moderate, Conservative, and Very Conservative. Does it make you wonder what advertisers are doing with that particular bit of data? Does it make you wonder how many of those “advertisers” were actually propaganda outfits using this data to drive a wedge between you and your friends and family, purely for political and financial gain? Perhaps you are smart enough to spot the fake news, but what about your Facebook “friends”? Or their friends?