In a recent breach of Facebook, it is suspected that approximately 29 million users had their data stolen, with the most severely affected being a group of 14 million. The attack is currently being attributed to spammers pretending to be a digital marketing firm. According to Facebook, the data stolen includes: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”. News of the hack first surfaced on October 5th, when it was suspected that 50 million users were affected, a number that has since been lowered.
Usually, companies in such a predicament offer access to credit protection agencies and other methods of identity theft prevention, as in the case of the 2013 Target breach. However, Facebook declared that it would not be taking such steps, and would instead direct users to help pages where they could learn how to avoid phishing. Experts worry about the potential for smaller-scale attacks. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, believes that though no financial data was captured, the information gathered could still be used against knowledge-based authentication (security questions built on personal details) to break into accounts. He believes that the best move for Facebook would be to offer free access to password managers and other similar software to help combat this.
In Europe, the breach is costing Facebook about $1.6 billion, or 4% of its yearly revenue. This case is being recognized as the first major test of the General Data Protection Regulation which was enacted in May.
Two years ago the European Union passed the General Data Protection Regulation (GDPR); on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were passed by the EU specifically, due to the international nature of the web many people from all over the world will feel its impact.
These regulations aim to increase user privacy by expanding the scope of the consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer – meaning web services must implement gradual permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company holds on them. Companies must also be able to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them be permanently erased from a company's database.
It is unknown at this time how willing the EU will be to enforce these provisions. However, violating any of them carries large penalties on a per-violation basis. These rules could potentially change the global playing field, as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.
Article 29 Working Party Publishes Guidance on Consent Under the GDPR
Snapchat became a social media giant a few years ago, and as always, with social media comes security risks.
A method for saving photos and videos in Snapchat involved connecting directly to the app's API (application programming interface). By using this technique, third-party developers were able to log into the service remotely without using the original Snapchat application. In 2013, a number of third-party applications were developed around this API vulnerability. The apps, which enabled downloading and saving received images, were publicly available in app stores such as the iTunes App Store or Google Play. The Federal Trade Commission claims that, during that period, “on Google Play alone, ten of these applications have been downloaded as many as 1.7 million times.” Using the hacked API, one of the biggest cyber-crimes related to Snapchat was committed.
13 gigabytes of user pictures and videos were leaked; in response, the third-party application was shut down by Snapchat.
Another defect, found in the app's authorization system, allows attackers to mount denial-of-service attacks that crash users’ smartphones by sending a large number of messages in a short period of time. Receiving many messages at once freezes the device and requires rebooting it. For Apple iPhone users, this security defect can cause more harm than for Android users: on the Android operating system, such an incident only slows the device down and does not require a reboot. This technical issue has not been addressed by Snapchat yet.
This might seem a tad common sense, but it seems that many people are upset over how Facebook has been mishandling data as of late, specifically over how much of the information on the site is not well protected by “privacy” settings.
Basically, Aleksandr Kogan, a UK citizen, used a Facebook personality test app to harvest information from Facebook profiles. Notably, it could harvest data of the friends of people who took the personality test. Kogan would then go on to send all of this data to Cambridge Analytica. It's not clear how this information was used, but given the many political organizations that pay for Cambridge Analytica’s services, many people have found this revelation to be disturbing.
Now, there will no doubt be a long period of finger pointing and upset users for the rest of the week. WhatsApp co-founder Brian Acton has suggested that people delete their Facebook accounts with the trending hashtag “#DeleteFacebook”. Mark Zuckerberg is expected to break his silence on this matter soon; so far, Facebook’s response has been to say that Dr. Kogan violated site policy. This is also not Facebook’s first incident of its platform getting inadvertently involved in politics. In the last year, incidents with Russian-run campaign ads during the US election, and incidents with “fake news”, have caused much turmoil for public opinion of the company.
I personally think that this whole situation begs a new question. Should we honestly be surprised that information that we put on social media is actually not private? Facebook’s business model relies on gathering user data and using it for advertising. Beyond mischievous motives, the service exists to allow users to share data with other users. With that in mind, you have to realise that you not only trust Facebook to enforce your privacy settings, but every single person on your friends list. Each one of your friends has to keep their account secure, whether it be from intrusion or just a malicious app such as this personality test from Aleksandr Kogan. It's unrealistic, honestly; making user data harder to access hampers the social part of a social network, and as it is, there are plenty of vectors for someone to harvest “private” information. Hopefully, with each one of these large events, people can learn the value of their own personal information, and maybe show restraint towards what they share online. People can’t expect the facade of account visibility to keep their information truly private; it can only delay the inevitable breach.
One of the world's largest computer security conferences, RSA, has recently been in the spotlight for all of the wrong reasons. The conference, which is six weeks away, just released its lineup of keynote speakers, which contains 22 individuals, and only one of those is female. Even worse, the one female speaker, Monica Lewinsky, is not even in the security field; she is speaking about anti-bullying. There was a large uproar regarding this, which resulted in the foundation of a new conference, ironically named OURSA, which was formed in a mere 5 days. It is a predominantly female-created conference, with the help of allies, that will take place at the same date and time as RSA. The lack of representation isn’t a new issue though, since across many different conferences there has been a collective loss of inclusion of different minorities, including women. RSA responded to the conference by saying the keynote speaker list is not final, and “…it also blamed the lack of women in the field, where just 11% of positions worldwide are held by women.” Firstly, that is an extremely sexist response, but second, if the percentage of positions held by women is so low, wouldn’t it be inspiring to see more female keynote speakers to inspire the next generation? This will only be a one-time event and will only be able to host 1000 people instead of the 43,000 that RSA hosted last year. Nevertheless, this will be a groundbreaking conference that will hopefully shed light upon the issues with diversity in the community and the promotion of inclusion within all groups.