Last year was not a good year for Facebook. Starting with the Cambridge Analytica scandal, the social media giant seemed to stumble through a series of gaffes that literally erased billions from Mark Zuckerberg’s net worth. Yet, here we are again with the social media giant continuing to act with cavalier indifference towards its users’ privacy, and at this point, are you really surprised? We’re all adults here – I’m in no position to tell you what you should be keeping private or not, but I feel it’s my duty to make sure you are aware with whom you are sharing data, and that they are NOT here to serve you, but vice versa. And let’s put one big, stinging fact on the table – despite all of this, Facebook’s stock bounced back easily from last year’s drubbing, and is now poised to surge ahead thanks to better-than-expected fourth quarter earnings.
The latest proof that Facebook doesn’t care about your privacy
A few years back, Facebook instituted two-factor authentication for its login process, asking users for a phone number as the second factor. At this point, 2FA is the new security hotness, and millions, already smarting from a variety of virus infections, identity theft and account hacks, agreed that 2FA was the best way to secure their accounts. While they weren’t (and still aren’t) wrong, could they have guessed that Facebook would start using that phone number as a means for other people to search for you, even if the searcher wasn’t someone you actually knew? How about doing this without even asking if it’s OK? This setting can be changed, but by default it’s set to allow “Public” access to use the 2FA phone number to help others find you. I don’t know about you, but that feels like the opposite of what everyone thought sharing this number with Facebook would do.
Strike two this month comes in the form of Facebook openly admitting that it receives data from many apps, including ones that help users track menstrual cycles, heart rates and website viewing habits, even if the user didn’t have a Facebook account. If this looks eerily similar to a recent article I wrote about a certain cell provider who was not being a good steward of your data, it is because it is yet another iteration of the same questionable practice.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
If you’ve been reading my blog for any length of time, you’ve seen me describe the current state of security in a variety of colorful ways, but my favorite analogy is the one where I liken ourselves to jugglers with many objects in the air and with more being tossed in every minute by hackers and criminals. We lose if we drop a single item, but there is no “win” condition for juggling. If anyone has enough hands and arms to keep a lot of things in the air, it should be Facebook, and they have a lot going on, but in the end, they have come up short on another promise: transparency in sponsored advertising. Facebook’s never ending torrent of fake news was supposed to be somewhat dampened by a tool rolled out in May of this year called “Paid for by” which was built to bring some accountability to Facebook publishing tools heavily abused by political trolls leading up to the 2016 US elections, and surrounding numerous other political events since then.
Transparency or Lip Service?
Just ahead of the 2018 midterm elections, Vice.com investigators, through the “Paid for by” tool on Facebook, applied to purchase ads on behalf of all 100 US Senators. All 100 applications were approved, despite the ads being shared from fake political groups built specifically to test Facebook’s transparency tool, and the very obvious fact that Vice investigators are clearly not actual spokespeople for any sitting US Senator. The same tool also allowed the Vice team to buy ads on behalf of Vice President Mike Pence and the Islamic State, but curiously enough, not Hillary Clinton. Based on the amount of effort the Vice team exerted to circumvent the “Paid for by” verification tool, it’s clear that Facebook put an equal amount of effort into building this tool, i.e. virtually none. It’s unclear if the “Paid for by” tool was a token effort put up by Facebook to appease shareholders and lawmakers, or if the problem of fake news on Facebook is truly unsolvable, but if an organization as big and as powerful as Facebook can’t (or won’t) solve this problem, the only other solution is to completely ignore it as a source of news.
And that’s the other problem with elephants on the internet: because of their size, they are hard to ignore.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
I’ll dispense with the editorializing about Facebook and other internet giants playing fast and loose with our information and get down to the nitty-gritty of what you should know about the latest Facebook breach, which I initially wrote about (only) two weeks ago:
- Go to this Facebook link (while you are logged in to Facebook) to determine if you were one of the 30M that was affected by the breach: https://www.facebook.com/help/securitynotice
- Initial estimate of compromised accounts revised down from 50-90M to “just” 30M (OK, you got me, I can’t help myself).
- Approximately half (15M) of the compromised accounts had an extensive amount of information leaked, including data that most people would consider private, such as religion, relationship status, recent searches and geographical location.
- For the other half (14M, less the small percentage in the next line), the attackers accessed names and email addresses or phone numbers, or both.
- Three percent (about 1M) did not have any information exposed though their access tokens were stolen.
- No Facebook passwords were stolen as part of this breach.
- Facebook cannot divulge motive or identities as it is working with the FBI, but based upon analysis of the attack, the hackers were organized and well-equipped to pull off the data heist. Translation: likely nation-state or organized crime-backed.
What this means for you
If you happened to fall into the bucket where a large amount of private information was exposed by Facebook, be extremely wary of targeted phishing attempts, usually sent by email. Because your information is now readily available to be cross-indexed with any number of other items exposed in previous breaches, it’s trivial for cybercriminals to use this stolen data to create very realistic emails that appear legitimate, whether they are fake password reset notifications from widely used services like Office 365, Facebook, Gmail or SnapChat, or strangely familiar emails that use that private data to trick you into revealing additional information or access to strangers pretending to be co-workers, friends or even family. Just to add insult to injury, if some of the leaked data is information you might use as an answer to the “Forgot your password?” questions many services use, hackers can now use it to try and guess your answers and reset your password for their own nefarious purposes.
Just because your password wasn’t stolen in this breach doesn’t mean that it wasn’t exposed in any of the myriad breaches over the past several years. Visit this site – https://www.haveibeenpwned.com/password – to determine if it might be exposed, and if so, continued use of it will likely result in any account secured by the exposed password being compromised very soon.
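The password check above works without the site ever receiving your password, and the mechanism is worth seeing in code. What follows is an added example written for this post, not code from the blog or from Have I Been Pwned: it hashes the password with SHA-1, sends only the first five hex characters to HIBP’s documented range endpoint (`https://api.pwnedpasswords.com/range/`), and compares the returned suffixes locally. The sample response body and its counts are constructed so the demo runs offline; the live `fetch_range` function is included but only called if you wire it in.

```python
"""Added example (not from the original post): checking a password against the
Pwned Passwords corpus by k-anonymity range query. Only the first five hex
characters of the SHA-1 hash are sent; the service answers with every hash
suffix sharing that prefix, and the comparison happens locally, so the
password itself never leaves the machine."""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# HIBP's documented range endpoint; contacted only when fetch_range() is called.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return the (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated) into {suffix: count}."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup of one hash prefix (network access; not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """How many times `password` appears in the corpus (0 = not seen).

    `fetcher` maps a 5-char prefix to a response body, so a canned body can be
    substituted for the live service."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


# Constructed sample body for the prefix "5BAA6" (the prefix of SHA-1("password")).
# The second suffix is the real remainder of that hash; both counts are made up.
SAMPLE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
)


def offline_demo() -> dict[str, int]:
    """Evaluate two passwords against the canned response instead of the live API."""
    def canned(prefix: str) -> str:
        return SAMPLE_BODY
    return {
        "password": breach_count("password", fetcher=canned),
        "a-long-unique-passphrase-2019": breach_count(
            "a-long-unique-passphrase-2019", fetcher=canned),
    }


if __name__ == "__main__":
    for pw, n in offline_demo().items():
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample corpus")
```

To check a real password, call `breach_count("...")` with the default fetcher; a non-zero count means the password has appeared in a public breach and should be retired everywhere it is used.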
Back when I first heard about Facebook I was working for a private university known for its “dry” campus. I was asked to consult on the case of a student who was being disciplined for violating the no-alcohol policy because a picture had been discovered of them buying booze at a nearby supermarket. It had been uploaded by the student’s friend to a hot new website called Facebook. I distinctly remember discussing this with staff and faculty at the time, predicting, “This is going to get a lot of kids in trouble.” There was discussion of banning access to the site, but filtering internet content back then wasn’t as straightforward as it is now, and the discussion was tabled with a promise to review the issue at a later time. Fast-forward to the present, where Facebook is still getting a lot of people in trouble, and themselves as well.
From the frying pan, to the fire, to…incinerator?
It might be hard to believe, but it was only June when we had to air out the latest load of dirty laundry from Facebook. Prior to that, they have been blog subjects seven times this year alone, and none of them were for something good! I’d say this month’s two-fer entry might be their pièce de résistance of colossal cock-ups, but there are still 90 days left in the year, and Facebook seems bent on setting some sort of record for destroying themselves.
First, they were caught red-handed letting advertisers use phone numbers provided by users for authentication purposes, something they had previously denied. To add insult to injury, it’s also come to light that they will also target individuals through contact information uploaded by their friends through the Facebook app, even if the individual never provided any sort of consent for such use.
If that isn’t enough to get your blood boiling, how about 50M Facebook users having their accounts compromised? Rather than the old-fashioned password hack, attackers exploited a bug in Facebook’s “View as” feature which allowed them to essentially steal the authentication token used to provide continued access after you’ve initially logged in. Think of this token as a VIP wristband you might wear at an event that also gets you access to the backstage. This token not only provides you a quick login to Facebook but to dozens of other connected services, such as Instagram and WhatsApp, that allow users to authenticate through Facebook instead of creating a unique login and password. Just like the wristband, Facebook only looks at the token and not the person using it, to determine what they are allowed to access, so you might get an inkling of why it being stolen is kind of a bad thing. The investigation is still ongoing, but according to Facebook, no passwords or credit cards were stolen, and it doesn’t look like the perpetrators of the September breach used their “wristbands” to get into the various third-party platforms it could have granted access to, but I’d put even money on Facebook having yet another, “Wait, hold my beer,” moment, so don’t put the pitchforks too far out of reach.
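The wristband analogy above is exactly how bearer tokens behave on the server side, and the standard remedies (short lifetimes, binding the token to the client it was issued to, and invalidating every token a user holds once theft is suspected) are easy to show in miniature. The following is an added toy session store written for this post; it is not Facebook’s code, and every name in it is hypothetical.

```python
"""Added example (not Facebook's code): a toy session store showing why a stolen
bearer token works like a borrowed VIP wristband, and the server-side controls
that limit the damage: short expiry, binding the token to the client it was
issued to, and per-user mass revocation. All names are hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SessionRecord:
    user: str
    client_fp: str       # fingerprint of the client the token was issued to
    expires_at: float
    generation: int      # the user's revocation generation at issue time


class SessionStore:
    def __init__(self) -> None:
        # Keyed by SHA-256 of the token, so a leaked store does not leak usable tokens.
        self._sessions: dict[str, SessionRecord] = {}
        self._generation: dict[str, int] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, client_fp: str, now: float, ttl: float = 3600.0) -> str:
        """Login succeeded: mint a random bearer token for this user and client."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = SessionRecord(
            user, client_fp, now + ttl, self._generation.get(user, 0))
        return token

    def validate(self, token: str, client_fp: str, now: float,
                 bind_to_client: bool = True) -> str | None:
        """Return the user the token grants access to, or None if it must be refused."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        if now >= rec.expires_at:
            return None                                   # expired
        if rec.generation != self._generation.get(rec.user, 0):
            return None                                   # revoked after a theft
        if bind_to_client and not hmac.compare_digest(rec.client_fp, client_fp):
            return None                                   # presented from another client
        return rec.user

    def revoke_all(self, user: str) -> None:
        """Invalidate every outstanding token for the user without touching each record."""
        self._generation[user] = self._generation.get(user, 0) + 1


def demo() -> dict[str, str | None]:
    """Walk one token through the legitimate, stolen, expired and revoked cases."""
    store = SessionStore()
    t0 = 1_000_000.0
    token = store.issue("alice", client_fp="browser-A", now=t0)
    results: dict[str, str | None] = {
        # The legitimate client is accepted.
        "owner": store.validate(token, "browser-A", now=t0 + 10),
        # Pure bearer semantics: whoever holds the wristband gets in.
        "holder_unbound": store.validate(token, "browser-B", now=t0 + 10,
                                         bind_to_client=False),
        # Binding to the issuing client turns the same token away elsewhere.
        "holder_bound": store.validate(token, "browser-B", now=t0 + 10),
        # A short lifetime caps how long a leaked token stays useful.
        "after_expiry": store.validate(token, "browser-A", now=t0 + 7200),
    }
    store.revoke_all("alice")          # the mass token reset after a suspected theft
    results["owner_after_revoke"] = store.validate(token, "browser-A", now=t0 + 10)
    fresh = store.issue("alice", client_fp="browser-A", now=t0 + 20)
    results["owner_relogin"] = store.validate(fresh, "browser-A", now=t0 + 30)
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:20s} -> {'granted to ' + user if user else 'refused'}")
```

The `holder_unbound` case is the wristband problem in one line: the store never asks who is presenting the token. Client binding helps but has a usability cost (a legitimate user whose fingerprint changes is logged out), which is why the blunt instrument actually used after a theft is the generation bump in `revoke_all`: every existing token stops working and everyone logs in again.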
Unfortunately for the two billion humans who are still trying to get some sort of enjoyment (or livelihood) out of Facebook, there really isn’t any platform that comes close to being able to replace it. Your choices are “deal with it” or go cold turkey, the latter of which I don’t see any of my Facebook-hooked friends doing any time soon. If you’ve tied your various other online services to Facebook’s login in the pursuit of convenience, it only makes giving up Facebook that much harder and further illustrates just how dangerous this type of practice can be – Facebook login gave everyone a shovel, and quite a few people dug a hole that they have no idea how to get out of. Sadly, not climbing out of that hole and permanently putting the shovel aside essentially rewards Facebook for their negligent security practices, something that we should not do if we ever want the service to be something more than a way for advertisers and hackers (and Facebook!) to exploit for their own profit.
It’s been a solid three weeks since Facebook last graced our blog, but just like the proverbial bad penny, it just can’t stop turning up in the news for all the wrong reasons. There is a worn adage that claims there is no such thing as bad PR, but in Facebook’s case, I’m betting they’d rather stay out of the spotlight for a little longer. During CEO Mark Zuckerberg’s grueling congressional testimony earlier this year, Mr. Zuckerberg assured senators that Facebook users had complete control over who sees their data as well as how they share it. In a recent interview with the NY Times, Facebook has now owned up to previously undisclosed data-sharing relationships with four Chinese manufacturers, including Huawei, who is viewed by American intelligence officials as a national security “threat” due to its close ties with the Chinese government.
What this means for you
According to an agreement Facebook entered into with the Federal Trade Commission in 2011, Facebook is not allowed to override a user’s privacy settings without first getting explicit consent. As part of the partnership agreement with these manufacturers – Huawei, Lenovo, Oppo and TC – Facebook granted privileged access to these partners to data collected through Facebook apps installed on their devices, even to the point of overriding the user’s explicit denial of access. Facebook executives have argued that they had adhered to the letter of the 2011 consent decree because the data in question (your data, your friends’ data, and your friends’ friends’ data) never actually leaves the device, and is only used “locally” to power applications and social media platforms. I’m no lawyer, but that sounds like splitting hairs, and as has been amply demonstrated by the Cambridge Analytica debacle (not even 2 months old, mind you!) relying on a partner company to adhere to Facebook’s privacy policies is not guaranteed, nor apparently something they can even enforce, once again demonstrating a clear gap in trustworthiness. Should you continue to use Facebook? As long as you keep your eyes open to the fact that Facebook might not be as transparent as they promise, even in the face of Congressional scrutiny, and more importantly, the watchful eye of journalistic rigor.
I’d like to say we actually went a few weeks without having to talk about Facebook because they weren’t in the news, but in reality, they were. I was just exhausted with the punishment they have been taking in the media ring, and rang the bell out of mercy rather than letting them continue to get pounded, at least on this blog. But break time is over and it’s time to lace up. Facebook did come out swinging earlier this week, publicizing their last quarter’s efforts to clean the place up: over half a billion fake accounts have been banned since the start of 2018, and they have removed nearly one billion posts that violated the social media giant’s guidelines. But the wind was snatched from their sails with news of yet another breach of user privacy as researchers at New Scientist uncovered a leak of three million users’ extremely confidential data gathered by an app called My Personality. The app, designed by psychometric researchers affiliated with Cambridge University, gathered in-depth psychological data on over six million users, half of whom agreed to share their data anonymously with third parties for research purposes.
Pinky-swear to keep this data confidential?
While I’m sure they didn’t intend to out three million people to the internet, a class project uploaded to a popular code-sharing website by university students was found to contain a login and password to the protected database built by the My Personality team. Whoops. And that data was there, available for the public to access, for 4 years. Double-whoops. Here’s the thing: in order to gain access to this data originally, one had to register for access, and was supposedly bound by a strict confidentiality clause. Two-hundred and eighty people from 150 companies did register, but you can bet at least an equal number (and probably many more) did not, once they discovered the “backdoor” uploaded to GitHub. And the thing with data, once it’s out of the barn, there is no telling where it went from there. There’s a hard lesson to be learned from all of this: it’s extremely difficult to control data once you relinquish any control over it, and this control all but vanishes literally one step from that first line of control, as the scope of managing the chain of custody expands exponentially. You can liken this to the old party game of “Telephone”, but instead of the message getting muddled with each person, the security and responsibility get hopelessly mangled literally in the next whispered exchange.
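A login and password sitting in a class project is the kind of thing a pre-commit secret scan catches before the push. The following is an added example written for this post, not code from the blog or from the My Personality project: a small scanner that runs a few credential patterns over file contents, masks what it finds, and exits non-zero so a hook can block the commit. The patterns and the sample repository files are constructed for the illustration.

```python
"""Added example (not from the original post or the My Personality project): a
small pre-commit secret scanner that flags database logins, credentials embedded
in connection URLs and private key blocks before they reach a public repository.
Patterns and sample files are constructed for this illustration."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Each pattern that can isolate the secret captures it in group "secret" so the
# report can mask it instead of echoing it into logs.
PATTERNS: dict[str, re.Pattern[str]] = {
    "password_literal": re.compile(
        r"(?i)(?:pass(?:word)?|pwd|secret|token)\s*[=:]\s*['\"](?P<secret>[^'\"]{6,})['\"]"),
    "credential_in_url": re.compile(
        r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb|redis)://[^:/\s]+:(?P<secret>[^@\s]+)@"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    kind: str
    path: str
    line_no: int
    masked_line: str


def _mask(line: str, match: re.Match[str]) -> str:
    """Replace the captured secret (or the whole match) with a fixed marker."""
    if "secret" in match.groupdict() and match.group("secret") is not None:
        start, end = match.span("secret")
    else:
        start, end = match.span()
    return line[:start] + "[REDACTED]" + line[end:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over each line of one file."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(kind, path, line_no, _mask(line, m)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping, e.g. the files staged for a commit."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository: two lines that must never be committed and two
# that are fine (reading the password from the environment, mentioning its name).
SAMPLE_FILES = {
    "project/settings.py": 'DEBUG = True\nDB_PASSWORD = "hunter2hunter2"\n',
    "project/db.conf": "url = postgresql://student:s3cr3tpass@db.example.internal/mypersonality\n",
    "project/settings.example.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "README.md": "Set DB_PASSWORD in the environment; never commit it.\n",
}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.masked_line}")
    sys.exit(1 if found else 0)   # a non-zero exit blocks the commit in a hook
```

Wired into a pre-commit hook over the staged files, this stops the common case; it does nothing for a credential that is already pushed, which has to be rotated, since deleting the line leaves it in the repository’s history.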
We might be setting a blog record as Facebook makes our front page for the fourth week in a row. Lest you think I’m resting on my laurels and taking easy swings at low hanging fruit (mixed metaphors for the win!), Facebook’s fall from grace might be the biggest tech story of the decade, and this is happening alongside Intel’s monstrous security flaw, the Equifax breach (remember that one?), and the dismantling of Net Neutrality. And those are just the ones I can recall off the top of my head! I’d love to be writing about other things, but due to its sheer size and global reach, this evolving disaster is something from which we cannot (and must not) look away. The Cambridge Analytica debacle is the gift that keeps on giving, but unfortunately it’s the mother of all white elephants as far as Zuckerberg et al. are concerned, and I’m sure a large helping of “do not want” is being served around the table at Chez Facebook.
It’s like watching a slow-motion derailment
Mark Zuckerberg may be one of the richest technocrats on Earth at the moment, but that didn’t stop Congress from skewering him in a multi-hour, publicly televised congressional hearing. On the whole, I’d say he’s lucky some of the Senators are in their 60s and 70s, and clearly did not have a solid grasp of Facebook’s technology, allowing him to sidestep some of the more naive or ill-informed questions. But several, more savvy Senators put him square into a glaring spotlight that he could not dodge: What is Facebook doing to combat hate speech? Is Facebook a monopoly? Are Cambridge Analytica and Russian “troll farm” Internet Research Agency somehow connected? Was Facebook selectively biased towards left-leaning content? Perhaps most telling was Sen. Durbin’s (D-Ill.) line of questioning: “Would (Zuckerberg) share the name of the hotel he stayed in last night?” to which the CEO responded, “No, I would not choose to do that publicly here.” Audible laughter from the room rang that point home.
Given the attention focused on digital privacy, two US Senators have hitched a new bill to the hype train named the CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) Act, which calls for much stricter and better defined consent from consumers, putting the onus on providers to secure a user’s affirmative consent, i.e. “opt in” as opposed to the current policy trend of requiring users to “opt out.”
And in case you need any more confirmation that Facebook might not have your best interests at heart, California’s own Senator Kamala Harris zeroed in on what I believe is a key takeaway from this current circus. When asked by Sen. Harris, point-blank, about the decision made at Facebook in 2015 to not notify users that their data had been inappropriately shared with Cambridge Analytica, Zuckerberg admitted, “in retrospect it was a mistake.” This was an important question, as Facebook’s failure to notify users of this breach is probably a direct violation of a deal the internet company reached with the SEC in 2011 that barred the company from making misrepresentations about the privacy or security of consumers’ personal information.
In case you are curious as to whether your information was shared with Cambridge Analytica in the breach mentioned above, you can click this Facebook link for an immediate look at what, if any, of your personal information was shared.
Last week’s breach of Italian security firm Hacking Team exposed documentation that detailed the firm’s use of previously unknown security weaknesses in Adobe’s pervasive Flash platform. Typically known as “zero-day” vulnerabilities, these types of holes are being exploited by cybercriminals from the moment they are discovered, and companies will scramble madly to patch the problems and distribute the fix to their customers. Apparently fed up with the ongoing security failures of the plugin and Adobe’s lackluster speed at fixing them, Mozilla has started blocking outdated Flash plugins from running in Firefox, and Facebook’s security czar has called for the troubled platform to be retired:
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) July 12, 2015
What this means for you:
If you are the owner of a website that uses Flash, you should review whether its use is optional or required, with the latter choice presenting numerous challenges, including alienating a large segment of your mobile browsers; both iOS and Android require special third-party apps to run Flash that are typically not free. Add this to Google’s latest ranking algorithm, which disfavors sites that aren’t mobile friendly, and you could end up with a website that gets relegated to a dark corner of the internet.
As a website visitor, at minimum you should update your Flash plugin immediately, and only do so by getting the latest version from Adobe’s website. Do not follow links or popups that appear while visiting websites – 99% of the time they are not legitimate and will lead to a malware infection. If you’d prefer to stop using Flash altogether, you can follow these instructions to make Flash ask for permission every time it runs:
Like the predictable “tick-tock” of a clock, reports are coming in of an infection spreading rapidly through Facebook via a fake Flash Update. The “tick” in this case was the report last week of a zero-day Flash vulnerability, and the subsequent legitimate update of the Adobe Flash plug-in. Not wanting to miss an opportunity, cybercriminals have released the “tock” – a video on Facebook is tricking clickers into installing a set of malware that can take complete control of the victim’s computer. Over 100k have fallen for this scam which is only 2 days old as of this writing.
What this means for you:
If you see a warning pop up on your computer that software on your computer may be out of date, it may be legitimate, and it may not be. With Adobe Flash, it’s very easy to check by going to Adobe’s own Flash website http://helpx.adobe.com/flash-player.html. Also be wary of the source of the update warning, such as one that comes from clicking on a dodgy link on Facebook or in an email. Double-check it against a legitimate source. Not sure what that source might be? Your trusted IT professional is only a quick call away. Spending five more minutes to vet that update warning is certainly worth avoiding a malware infection, right?