This is the Shared Security Weekly Blaze for March 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for March 26th 2018…with your host, Tom Eston.
In this week’s episode: Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs and Siri Lock Screen Privacy
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Shout outs this week to @StrongArmSecure, @BrotherBlarneyS and @AANaseer on Twitter as well as @newcybersource and @thebluehawaiipodcast on Instagram and David, Julie, Gary and Jason on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Several privacy-focused vulnerabilities were identified in three popular VPNs. According to research done by VPN Mentor, PureVPN, Zenmate and Hotspot Shield were all found to leak your real IP address. A leak like this lets any website you visit learn your real IP address and therefore your approximate location, which is exactly what a VPN is supposed to prevent. Hotspot Shield and PureVPN appear to have remediated the issue, but as of this recording Zenmate VPN has not fixed these vulnerabilities.
In addition, Mozilla is disabling functionality in the Firefox web browser that could be used to invade your privacy: the Proximity API, which lets websites you visit know how close your phone is to your face, and the Ambient Light API, which lets them read the light level of the room you’re in. Mozilla’s reason for disabling these features is that the sensor readings can be used to fingerprint or identify you so that more ads can be targeted at you. The ambient light sensor has also been shown to leak your browsing history in what is called a browser history attack. Mozilla is disabling these APIs by default starting in Firefox version 62.
As we’ve mentioned on the show many times before, make sure you’re staying up to date with software updates for the apps you use, especially VPNs and your web browser. Applying updates promptly is one of the most important things you can do from a cybersecurity perspective.
Do you have an iPhone with Siri enabled from your lock screen? If you do, you should know that there is a new vulnerability that lets Siri read out message notifications from the lock screen even when the notification previews are set to be hidden. This affects notifications from many different third-party applications, including Facebook Messenger and end-to-end encrypted messaging apps like Signal and WhatsApp. The good news is that the vulnerability doesn’t apply to Apple iMessage or standard text messages. The vulnerability affects iOS version 11.2.6, and Apple is aware of it and working on a fix.
If you are concerned that someone could get at sensitive information in your messages, you’ll need to do the following two things. First, turn off lock screen notifications (or at least notification previews, under Settings > Notifications) for any sensitive applications you use, and second, disable the “Allow Siri When Locked” option under Settings > Siri & Search so Siri can’t be used while your device is locked. Check out our show notes for details on where these settings are on your iOS device.
Last weekend Facebook confirmed that back in 2013 an academic researcher named Dr. Aleksandr Kogan created a Facebook app called “This Is Your Digital Life”, a personality quiz distributed through Facebook. When Facebook users took the quiz, it harvested profile data from their Facebook accounts. About 300,000 Facebook users took the quiz, but data on about 50 million users ended up being harvested because the app also accessed the profile data of those users’ friends. This was possible because, until Facebook changed its platform in 2014, apps could request access to your friends’ data under certain conditions. Kogan then gave this data to a political consulting and data analytics firm called Cambridge Analytica, which reportedly has ties to US President Trump and his political campaign. According to sources, Cambridge Analytica used this data to profile 50 million people so that they could be targeted with political propaganda prior to the US election.
Many news articles and other sources have been stating that this was a “data breach” and that this data was effectively “stolen” from Facebook users. These statements are absolutely false, because that’s not how Facebook applications work at all. Each user who took this quiz willingly installed the app and accepted that their personal data was going to be accessed. Facebook always shows you the permissions an app is requesting, and you as the user have to accept them or the app won’t be installed. The friends whose data was also collected never saw that prompt; their data was exposed through the separate setting that controls what the apps your friends use can see, which is why that setting matters so much (more on it below).
Here’s what happened with the Cambridge Analytica situation. In 2014 Facebook changed its application privacy settings and the types of data that apps like this one can harvest. Today, Facebook apps can access your friends’ data only if those friends have also authorized the app. Facebook also stated that the researcher violated Facebook’s terms of service, which say that any data collected is not to be shared with any other third party. In 2015 Facebook removed the app and required that the developer and Cambridge Analytica certify that the data had been deleted. Cambridge Analytica claims the data was never used, but questions remain about whether it was actually deleted. This past week Facebook said it has hired a forensics firm to find out. Among the other fallout from this controversy, US senators are asking Facebook CEO Mark Zuckerberg to testify before Congress and explain how Facebook will protect its users’ data. Last week, in a Facebook post, Zuckerberg said, quote, “This was a breach of trust between Kogan, Cambridge Analytica and Facebook,” as well as “it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”
Look, this is definitely a concerning issue, not because of how the data was collected but because of how it was used and the associated cover-up. However, you need to understand that collecting your personal data is what Facebook was designed to do. This is how they make money. If you don’t accept this or the other terms of their service, then you simply shouldn’t use Facebook.
You should also be aware that this isn’t the first, and certainly won’t be the last, Facebook application designed to harvest your personal information for malicious purposes. Ironically, as part of a talk that Kevin Johnson and I gave at the DEF CON hacking conference in 2009, we conducted an experiment by posting a quiz on Facebook that asked for “25 Random Things About You”. These “random things” questions may seem innocent, but they were actually the password reset questions we pulled from Yahoo Mail, the ones you are asked when resetting the password for your email account. While this was just an experiment on a much smaller scale than the application used by Cambridge Analytica, it was shocking to see how many people willingly gave up personal information because it seemed like an innocent way to get to know your friends better.
For most of us, deleting our Facebook account isn’t an option. Seriously, it’s hard to do because we use Facebook for so many legitimate purposes like keeping in touch with our friends and family. So what can you do to better protect your information on Facebook?
First, stop taking all those stupid quizzes and stop installing the survey apps you see people posting and sharing on the Facebook news feed. These apps and quizzes have some type of ulterior motive, and they share your data with many different third parties, including advertising companies and data analytics firms like Cambridge Analytica.
Second, limit the information about you that apps your friends use can access. On the Facebook website this lives under Settings > Apps > Apps Others Use; see the show notes for where to find it in the mobile app, but note that it’s buried pretty deep in the settings.
Third, check to see what apps you have installed in your Facebook account and what permissions they have. You might be surprised to see how many apps can access your data, especially if you’ve been using Facebook for a long time. You’ll also want to dig down to see which apps or sites you’ve logged in to with your Facebook login and remove the ones you no longer use or trust.
Lastly, you can disable what Facebook calls the “Platform”, which turns off all app integrations as well as access to any sites or apps where you chose to use your Facebook login instead of their own. Be cautious if you turn off the Platform. This is like hitting the “big red button”: it will make Facebook almost unusable for those purposes, so you may just be better off deleting your Facebook account altogether.
If you do continue to use Facebook make sure you’re staying up-to-date on your privacy settings and stay tuned for more information and news about Facebook privacy in future episodes of the podcast.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/03/26/the-shared-security-weekly-blaze-facebook-and-the-cambridge-analytica-controversy-vulnerable-vpns-siri-lock-screen-privacy/