So Mr. Zuckerberg Went To Washington

The following was published in the Sunday, April 15, 2018 edition of Foster’s and Seacoast Sunday.

[Image: Zuckerberg Testimony]

I think the woman in green represents how everyone in the room was feeling, except the members of Congress.

Amidst the outcry over revelations that the political data mining firm Cambridge Analytica inappropriately accessed and used the personal data of nearly 87 million Facebook users, Facebook founder and CEO Mark Zuckerberg answered the call from Congress to come to Washington, D.C.

He faced two days of questioning from House and Senate committees. The results were sometimes downright bizarre.

I think Zuckerberg should be complimented for agreeing to come to Washington and face this questioning. While many criticized Facebook’s initial response to the scandal, the company has done a lot since then and is acknowledging where it can do better. What’s that old cliché? The first step to admitting you have a problem is to say you have a problem. Facebook admits it has a problem and Zuckerberg directly apologized for the breach of the public trust and took responsibility as any good leader should.

Now, as for the value of the questioning and what it says about both Facebook and our elected representatives? It sure didn’t leave me feeling great. The talk among my colleagues in the industry ranged from outright laughter to downright disgust. What came through loudest was how unprepared our elected officials are to deal with issues like this. The sheer lack of basic technical understanding from some of the members was appalling.

I could only watch bits and pieces of the sessions because I became frustrated by the lack of preparation on the part of the members, our elected officials, who have an obligation to protect our interests. The vast majority of them should be embarrassed and apologize to both Facebook and us, their constituents, for wasting our time and distracting themselves from the important work we expect from our Congress.

Instead, many grandstanded, obviously relishing the spotlight they were able to exploit for who knows what purpose. There was no real outcome from the hearings, other than Congress feeling they should legislate a solution and everyone else fearing what that legislation might look like.

The members of Congress would have been far better serving the interests of their constituents if they had consulted with industry and privacy experts to understand exactly what happened and to equally understand what complexities will come to the table in trying to prevent a recurrence. Instead, it felt like several of the members had searched for social media conspiracy theories and crafted their questions accordingly.

Clearly, it wasn’t all bad, but unfortunately, the bad outweighed the good by a significant margin. Facebook has a problem. All of social media has a problem, but perhaps the biggest problem of all is that many people still do not grasp social media for what it is. Most are platforms that do not charge any fee to the individual to be a member. Why? Because they make their money in other ways, mostly through advertising and data sharing. We all know this, so the outrage is just a tad overblown, in my humble opinion. If you wouldn’t choose to hang up a banner outside your home announcing your name, hometown, relationship status and your most precious pictures, then why would you put it on social media? If you are using a complex, technology-driven platform like social media for free, shame on you if you didn’t stop to think about how the company is making money from your membership.

As I wrote about in my last column, you can do a lot to limit what information Facebook shares about you. The same is true of most social media platforms, but Facebook is the one in the spotlight at the moment. As I suggested, Facebook has made a lot of improvements to its app settings over the last several weeks. When you click the arrow next to the help icon, select Settings and go to Apps, you’ll find it much more obvious what apps you have allowed to be connected to your Facebook account. It’s now easy to select the apps you don’t want to have access to and remove them with the click of a single button. The options for all of the apps are much easier to find and intuitive to change. The same is true for the ads settings.

So unlike one senator or congressman who made the statement that he likes chocolate and didn’t understand why after he mentioned chocolate on Facebook he started seeing chocolate ads, hopefully you understand how that happens and how to manage your exposure.

Hopefully, this entire fiasco has made you a more educated social media user. I wish the same were true for the people who have the power to limit and regulate the technology we have access to. Hopefully they will catch up to their constituents, many of whom were shaking their heads this week.

A New Low

Following up on my post about a Phishing Example, the people behind these phishing attacks have sunk to a new low.

Playing on the fears of active shooter events, especially at schools, these latest phishing scams try to trick you into clicking on a link related to an event on a college or high school campus.  When you click the link, you are presented with a fake Microsoft login screen to try to steal your Microsoft Account credentials.  This started in Florida, but will likely spread quickly around the country, so be on the lookout!

Security firm KnowBe4 sent out the following advisory related to this new, low trick:

“Heads-up. You’d think it could not get any worse, but some bad guys have sunk to a new low. They are now exploiting recent active shooter events on campus to get people panicked and “click-by-reflex” to find out if a loved one is safe.

This same phishing attack could be used against any organization with an active shooter protocol and training in place. If you see emails with titles like:

  • “IT DESK: Security Alert Reported on Campus”
  • “IT DESK: Campus Emergency Scare”
  • “IT DESK: Security Concern on Campus Earlier”

Please think before you click, and look for any red flags related to a phishing scam.”

Phishing Example

Last week, I attended an industry conference and spoke on a security panel.  More on that in a post over the next couple of days.  One of the consistent themes around cyber security was how effective phishing email and social engineering are.  It has become the number one vehicle that hackers are using to gain access to secure networks.  This morning, I received a well-crafted phishing email that I want to share, as it has several elements that are good to be aware of in order to not fall victim.

Let’s take a look at the email that arrived this morning with the subject “Shipment Tracking Number” from “notification@fedex.com.”  Both the subject and From address seem legitimate.  Here is the actual message:

[Image: FedEx Phish]

This message looks fairly legitimate, and if you were to simply glance at it quickly, you would likely do what many people do and click on the link, so let’s look deeper.

If you hover over the link instead of just clicking it, which is ALWAYS recommended, here is what you see:

[Image: FedEx Phish Hover]

As the image above shows, when you hover over the link, the URL it actually points to does not match the URL displayed in the email.  This should be a clear warning that this could be a phishing message.

Now let’s look a little more closely at the message text itself:

[Image: FedEx Phish Markup, with the issues numbered 1 through 6]

The sentence that begins at the #1 is not properly capitalized.  The dollar representation at #2 is not in proper currency format and the USD should be capitalized.  The comma following usd is also misplaced and follows a random space.  There is no punctuation at #3 or #4.  #5 lacks proper capitalization and punctuation.  #6 is not the real FedEx logo.  Notice how it is standard text and not the bold logo where the d and E are actually connected.

So, taken all together, do you think the real FedEx would ever allow a message like this to be sent?  No, not at all.  This is definitely a phishing email, designed to get you to click on the link, which will instantly infect your computer and allow a hacker access to your computer or worse, to capture everything you type on your keyboard, which will give them access to far more.

For the more technically inclined, if you also look at the email header, you will find several other identifying details that confirm this is not really from FedEx and a phishing email:

X-Country-Path Denmark->
X-Note-Sending-IP 212.237.47.12
X-Note-Reverse-DNS host12-47-237-212.serverdedicati.aruba.it

These three lines of the header really confirm this.  The IP address resolves to the domain aruba.it.  A WhoIs lookup of that domain shows it being registered to an organization called Aruba Spa, surely a fake organization.  The country is reported as Denmark, but if you know your world geography, Denmark is in Europe and Aruba is in the Caribbean.  Further, the .it domain suffix is actually the top level domain for the country of Italy.  So, did this email come from Denmark, Aruba or Italy?  Probably none.  It’s likely all an elaborate path to mask the real sender, who, if you were not convinced to this point, you should now know without a shadow of a doubt, is not FedEx.
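As an added example (this is not code from the post), here is a small Python script that applies the two checks walked through above to a raw email: the hover check, where the text shown for a link names a different domain than the link really points to, and the header check, where the From domain and the reported country disagree with the reverse DNS of the sending host. The three X- header values are the ones quoted above; the From line, subject, body text and link target are constructed for illustration, and the country-to-ccTLD table is a small assumed mapping.

```python
"""Check a raw email for two phishing indicators: visible link text that
disagrees with the real link target, and sender headers that contradict
each other. Added example, not the post's own code."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the three X- headers are the ones quoted in the post;
# the From line, subject and body (including the link target) are made up.
SAMPLE_EMAIL = """\
From: FedEx <notification@fedex.com>
Subject: Shipment Tracking Number
X-Country-Path: Denmark->
X-Note-Sending-IP: 212.237.47.12
X-Note-Reverse-DNS: host12-47-237-212.serverdedicati.aruba.it
Content-Type: text/html

<html><body>
<p>your package could not be delivered. Please print the shipping label:</p>
<a href="http://tracking-label.example/label">http://www.fedex.com/tracking</a>
</body></html>
"""

# Assumed country -> ccTLD table; extend it for real mail flows.
COUNTRY_TLDS = {"denmark": "dk", "italy": "it", "united states": "us",
                "germany": "de", "netherlands": "nl"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Host part of a URL; bare 'www.x.com' is treated as http://www.x.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels (fedex.com for www.fedex.com); a rough approximation."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_links(html):
    """Flag links whose visible text names a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if text.startswith(("http://", "https://", "www.")):
            shown, real = hostname(text), hostname(href)
            if registrable(shown) != registrable(real):
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


def check_headers(msg):
    """Flag a From domain or reported country that the relay host contradicts."""
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = msg.get("X-Note-Reverse-DNS", "").strip().lower()
    if from_domain and rdns and not rdns.endswith("." + from_domain):
        findings.append(f"From claims {from_domain} but the sending host is {rdns}")
    # ccTLD of the relay host versus the first hop in X-Country-Path. A hosting
    # provider's reverse DNS need not match its geography, so treat this as one
    # more signal rather than proof on its own.
    tld = rdns.rpartition(".")[2]
    country = msg.get("X-Country-Path", "").split("->")[0].strip().lower()
    expected = COUNTRY_TLDS.get(country)
    if len(tld) == 2 and expected and expected != tld:
        findings.append(f"path reports {country} but the host's TLD .{tld} "
                        f"belongs to a different country")
    return findings


def analyze_email(raw):
    """Return every indicator found in the raw message text."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return check_headers(msg) + check_links(body)


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, the script reports all three problems the post points out: the displayed fedex.com link that really goes elsewhere, a From domain that the sending host does not belong to, and a reported country that does not match the host's .it suffix. A message whose headers and links are consistent produces no findings, which is the point of keeping each check in its own function: the hover check is the one an end user can reproduce by hand, the header check needs the raw message source.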

I hope all this information helps you protect yourself from these types of socially engineered phishing scams.

Cell Phone Spying is Here

As if we didn’t have enough privacy worries, confirmation came this week that cell phone spying is actively taking place in the United States and specifically in Washington, DC.

[Image: StingRay II]

Now this should really not come as a huge surprise, but the ease with which it can be done is a cause for concern.  In DC, the Department of Homeland Security has confirmed that it has identified several “StingRay” devices in the city.  These are devices that trick mobile phones into connecting to them instead of a legitimate cell tower.  In so doing, they are able to intercept voice conversations and text messaging.  Some experts suggest malware could also be installed onto connected devices, without the user knowing.  These imitation cell towers are also able to track the location of a given device, making them an excellent tracking tool.  What’s more is that these devices are not physically large.  We are not talking about a fake cell tower that rises high into the skyline.  Some say they can be as small as a cell phone, or like a moderately sized piece of audio equipment.  There is even some thought that they are able to be deployed in low flying aircraft to not only lock on to a mobile device but to follow it almost without limit.

These devices are known to be in use by some police departments and the intelligence services.  This partly explains a battle between the FCC and the wireless carriers around who is responsible for securing the wireless networks from these types of threats.  Fully securing the wireless infrastructure could prevent police and intelligence services from carrying on surveillance that may be critical to national and local security.

This will not be an easy issue to address.  If you’ve been thinking that your cell phone is immune to being intercepted, think again.  It will be interesting to see how this plays out.

Update on Recent Data Breaches

As a follow-up to my recent posts “MyFitnessPal Data Breach” and “Now it’s Lord & Taylor and Saks,” I wanted to share an email I received today from ID Shield, a service I subscribe to through my employer.

[Image: ID Shield]

What you need to know about two recent breaches: Saks-Lord & Taylor and MyFitnessPal


Dear Valued Member:

As part of the IDShield family, we want to make you aware of recent large data breaches that have the potential to cause concern among consumers.

THIS MESSAGE IS NOT AN ALERT THAT YOU ARE AFFECTED BY EITHER OF THESE BREACHES.

We hope these breaches don’t affect you. However, since you have IDShield protection, we can alert you to potential threats to your identity and have experts ready to assist with those threats, should it be needed.

Saks-Lord & Taylor

More than five million credit and debit card numbers from in-store customers of Saks Fifth Avenue and Lord & Taylor, mostly in New York and New Jersey, have been stolen. At this time, it is unknown if any personal data of these customers has been exposed; the stores’ e-commerce platforms do not appear to have been affected.

What you should do: If you made any purchase at a Saks or Lord & Taylor store between May 2017 and March 2018, monitor your card’s activity. The easiest way to do this is to sign up for transaction alerts on your credit card accounts so you will be notified of any activity in real-time. Ensure that you’ve activated all of the monitoring available to you through your IDShield membership by visiting myidshield.com. We will alert you if there are any changes in account activity, such as a new address, credit limit increase, past due status, etc.

MyFitnessPal

Approximately 150 million MyFitnessPal accounts were hacked in February. According to parent company Under Armour, the compromised data includes usernames, encrypted passwords and email addresses but not bank account, driver’s license or Social Security numbers.

What you should do: MyFitnessPal is notifying its members of the breach and requiring them to change their account password. If you were using that password for any other online account(s), you should change the password on those as well, choosing a unique password for each account.

IDShield is here for you.

As always, we will keep a close eye out for suspicious use of your personal information and alert you should we find anything you may need to be aware of.

Sincerely,

IDShield Member Services

Now it’s Lord & Taylor and Saks

Yesterday, Lord & Taylor, Saks Fifth Avenue and Saks Off 5th announced a data breach impacting 5 million debit and credit cards.  If you are a customer, check your accounts closely.

[Image: Lord & Taylor and Saks]

According to reports from security firms and financial institutions, it appears this breach took place from May 2017 until March 28, 2018, when the hacking syndicate associated with this breach made it known.  Reports also indicate that many of the breached payment cards are posted for sale on the Dark Web.  It appears that this breach targeted locations in New York and New Jersey, so if you have shopped these stores in those states, be especially vigilant.

Should You Delete Your Facebook Account?

The following was published in today’s Foster’s and Seacoast Sunday.

Should you delete your Facebook account?

Probably not, though thousands of Facebook users are doing so in the wake of the data-sharing controversy involving Cambridge Analytica, a British firm that specializes in data mining. In a nutshell, the firm scours the internet for your digital history and uses that information to build a psychographic profile of you that others may want to purchase from it. In the case of the current controversy involving Facebook, the profile data was used by the Trump presidential campaign to influence voter behavior.

[Image: Mark Zuckerberg at Facebook headquarters]

In this April 2013 photo, Facebook CEO Mark Zuckerberg walks at the company’s headquarters in Menlo Park, Calif. Facebook is reeling after allegations a political consulting firm working for the Trump campaign got data inappropriately from millions of Facebook users. [AP photo/Marcio Jose Sanchez, file]

This is not a political article. I am not going to wade into the right or wrong, the candidate or conspiracy theories.

The fundamental issue is whether Facebook intentionally shared user data with Cambridge Analytica or if it was duped by Cambridge Analytica, which many believe took advantage of weaknesses in Facebook’s data privacy to assemble a remarkably detailed portrait of some 50 million Facebook users without necessarily having their permission.

How did this happen? You know those fun quizzes that pop up on Facebook and ask you to answer a bunch of questions like how many U.S. states you have visited? Those are driven by apps developed by other companies, not Facebook, but use the Facebook platform to get you to play along. When you do, you click to allow that app to access your Facebook profile. When you do, sometimes those apps are allowed to access profile data on your friends and possibly even their friends. This is how things spread like wildfire online.

While many users are angry with Facebook and deleting their accounts, that really doesn’t address the root of the issue. It may also cut off a useful communication tool that keeps people in touch across the globe. My family, which is large and dispersed around the world, relies on Facebook to stay in touch and share family stories, historical and in real-time. I don’t want to give that up. If you’re like me, here are some steps to take to secure your Facebook profile and not fall victim to questionable companies accessing your Facebook profile without your knowledge.

For this article, I’m focusing on using Facebook on a web browser on a computer, not a mobile device. The good news is Facebook announced this week it is significantly enhancing its privacy tools to allow users to take complete control of what is shared and what is not. This revamp will bring all these settings together on one screen and be seamless whether you are changing settings from a computer or mobile device. For now, you may have to hunt around some menus on mobile devices to find these settings.

Step one is to click on the down arrow next to the help icon (a question mark) and select Settings. Next, click on Apps near the bottom of the menu of options on the left side of the screen. The first section you will notice is labeled “Logged in with Facebook.” Here you will see a bunch of icons. Be sure to click Show All. You may be surprised to see how many outside apps you have allowed to connect to your Facebook account. This is where it starts. When you hover your mouse over one of the apps, you’ll have access to a pencil icon, to edit the settings for this app, or a checkbox to select the app. If you are not sure what an app is there for, I recommend selecting it. Select all the apps you want to get rid of and click Remove to delete them all at once. Deleted apps will no longer have access to your Facebook profile. If you decide to click on the pencil to edit the app’s permissions, you can select what parts of your Facebook profile you want the app to have access to. Finally, if you see Only Me, Friends or Public, that tells you who else on Facebook is able to see that you use that app. Only Me is your safest setting.

The next sections are more broad in nature, but critically important to taking control of your profile. I recommend you click Edit on each section and read the descriptions, so you can make appropriate decisions about whether to allow some of these settings to be on or turned off. Turning a setting off may prevent you from logging into non-Facebook services where you have used your Facebook profile as your login to that service.

Just this week, Facebook completely disabled the setting known as Apps Others Use. This was one of the primary vehicles used by Cambridge Analytica to get at so much data. This former feature allowed an app that a Facebook friend of yours used to access your profile and harvest that data, even though you may have never used that app. This is really what has people and regulators up in arms, and Facebook has acknowledged the fundamental flaw in allowing this in the first place.

Facebook is making daily changes to respond to the outcry and reassure users privacy is important to the company. Whether it succeeds in regaining trust will take time to assess. For now, taking these simple steps to further secure your Facebook profile from prying eyes is the right thing to do. Don’t just do this once and forget about it. Keep watch for more developments on this and more ways to secure yourself online as the dust settles from this latest breach of public trust.

MyFitnessPal Data Breach

MyFitnessPal, the popular exercise and food tracking platform from Under Armour, has announced a data breach.  If you are a MyFitnessPal user, you should have received the following email over the last 24 hours.  I have highlighted in red the action steps that are recommended in response to this breach.

[Image: MyFitnessPal]

NOTICE OF DATA BREACH

To the MyFitnessPal Community:

We are writing to notify you about an issue that may involve your MyFitnessPal account information. We understand that you value your privacy and we take the protection of your information seriously.

What Happened?

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.

What Information Was Involved?

The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.

What We Are Doing

Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.

We are taking steps to protect our community, including the following:

  • We are notifying MyFitnessPal users to provide information on how they can protect their data.
  • We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
  • We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
  • We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.

What You Can Do

We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information. We recommend you:

  • Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

For More Information

For more information, please go to https://content.myfitnesspal.com/security-information/FAQ.html.

Sincerely,

Paul Fipps
Chief Digital Officer

Are You Aware of our National Cybersecurity Emergency?

First, sorry for the brief hiatus in posts.  I took a last minute mini-vacation with my wife and forgot to post an update to that effect.  So, time to get back to blogging.

This week, President Trump extended the state of national cybersecurity emergency in response to malicious attacks that continue to pose an extraordinary threat to the United States.  This extends the national cybersecurity emergency that was implemented by President Obama on April 1, 2015.  It was due to expire on Sunday.  President Trump’s order is for a one year extension, which is a very good thing.

[Image: Department of the Treasury]

The original order was in response to growing cyber attacks that have been tied to various malicious actors, including nation states.  The primary response mechanism of the order is sanctions and the freezing of assets of known bad actors that are in or passing through the United States.  This responsibility falls to the Department of the Treasury, which has levied sanctions on individuals and governments under this order.

Unless you have been living under an extremely large rock, you should be well aware of the hacking activity of foreign powers that seek to disrupt our economy and weaken our nation.  In announcing the extension of the order, the President said that “significant malicious cyber-enabled activities continue to pose an unusual and extraordinary threat to the national security, foreign policy and economy of the United States.”

I’m glad to see this order extended and the continued spotlight on these issues.  This is not a simple problem to solve.  More damage is likely to be done.  Stay vigilant protecting yourself and your business online.

CompTIAWorld Spring 2018

CompTIA has just released the spring edition of CompTIAWorld.  This is a twice a year publication that CompTIA puts out and it’s full of great insight into the state of the IT industry, trends, new and emerging technologies.  There is a wealth of information in each issue and if you are in the IT industry, you should be reading this.

Check out the current issue here:

CompTIAWorld Spring 2018