Facebook Has A Major Problem With Fake Accounts

Facebook has been in hot water with evidence mounting that hordes of fake accounts were used to spread misinformation about the recent presidential election.

In addition to sparking congressional hearings, it also prompted Facebook and the other major social media companies to do a deep dive into their own active accounts and get a better sense of just how large and pervasive the problem was.

According to Facebook’s most recent quarterly earnings report, the problem turned out to be a fair bit larger than was first imagined. The company changed their methodology for tracking and identifying fake accounts, which has led to the grim discovery that some 13 percent of the company’s accounts are duplicates, a figure that doesn’t take into account the more than 60 million outright bogus accounts.

According to Facebook’s founder and CEO, Mark Zuckerberg, in the earnings report: “We’re serious about preventing abuse on our platforms. We’re investing so much in security that it will impact our profitability. Protecting our community is more important than maximizing our profits.”

The problem is going to wind up costing Facebook in a number of ways. First and most obvious, of course, is the unwanted attention caused by the congressional hearings themselves, and the loss of trust it creates in the platform.

More immediately, there’s also the factor addressed directly by Zuckerberg in his statement. The company is spending a ton of money on improving security and rooting out and shutting down duplicate and fake accounts. As he indicated, it’s having an impact on their profitability.

It’s also impacting the company’s ability to generate ad revenue, which, of course, is based on the number of actual users the company can claim are viewing ads. With more than a quarter of a billion duplicate and fake accounts in the system, the network is simply less attractive to advertisers.

There are no simple solutions here, but kudos to Facebook for making significant investments to rein the problem in.

Google Can Still Track You With Location Services Disabled

Google recently found itself in a bit of hot water after an investigation by Quartz revealed that the company was intrusively collecting location data on literally every Android device in use today. That’s billions of devices all over the globe.

There are many instances when there’s an expectation that location data can and will be tracked. In fact, one of the most commonly used features of smartphones in general (GPS and directions) demands it. After all, Google Maps can’t tell you how to get where you’re going if it doesn’t know where you are to begin with, so that’s all fine and good.

The problem, as revealed by the recent investigation, is that for all of 2017, Google was collecting location data on every Android device. This was happening even if the user took a series of frankly heroic measures in an effort to prevent it, including turning off location services, not allowing any apps to track their location and even pulling their SIM card from the phone.

The practice, as Quartz rightly pointed out, goes far beyond any reasonable expectation of consumer privacy and is wildly intrusive.

When Quartz made inquiries of Google regarding the matter, part of the official company response, sent via email, was as follows:

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery. However, we never incorporated Cell ID into our network sync system, so that the data was immediately discarded, and we updated it to no longer request Cell ID.”

In recent years, all the major tech companies have come under fire for the vast amounts of data they collect on consumers of their products. Although Google made it clear that they were formally ending the practice, the current climate makes their intrusive data collection effort (which, again, went completely undetected for the better part of a year) even more disturbing, especially given the lengths the company has gone to in an effort to position themselves as champions of user privacy.

Popular Android Keyboard App Collected Private Information, Has Been Breached

How many apps do you have on your smartphone? Do you know how much data they’re collecting about you?

Most people have scores of apps installed (and often hundreds), even if they only use a few on a regular basis, and shockingly, most users have no idea just how much information those apps are collecting about them.

However much you imagine, the answer is probably “more.”

This point was driven home painfully, courtesy of a recent discovery by a team of researchers at the Kromtech Security Center. They found a completely insecure database online, a staggering 577GB in size, owned by an Israel-based startup called AI.type, makers of a virtual keyboard app bearing the same name.

The information it contained is simply mind boggling.

Not only does it contain personal information on 31 million of the app’s 40 million users, but the database contents reveal just how intrusive AI.type actually is. The data includes:

  • Each user’s full name, email address and phone number
  • What OS version the user is using (AI.type is only available to Android users)
  • Each user’s nation of residence, mobile network name and what languages each user has enabled
  • IP and GPS location data
  • All information included with each user’s social media profiles, including birthdays, photos, posts, etc.
  • Each user’s device name, the make and model of their smartphone and screen resolution

As if that wasn’t enough, the research team also discovered that each user’s contact list had been scraped (including names, email addresses and phone numbers), and that the company was tracking a whole range of internet behaviors, including Google search queries, number of messages sent per day, the average length of those messages and more.

Obviously, there’s no reason that a simple keyboard app needs this level of information on its users. The only possible explanation is that it’s being collected for resale. If you use the app, be aware that the company knows almost everything about you and everyone you’ve been in contact with on your phone, and now, so do a lot of other people who don’t have your best interests at heart.

USB Drives Could Be Huge Factor In Data Loss, Theft

Most people agree that the use of USB drives increases efficiency and boosts productivity, which goes a long way toward explaining their popularity, but these handy little drives can also be problematic.

According to a recently published survey by Apricorn, 87 percent of employees surveyed report that they have lost or had a USB drive stolen and failed to notify their employer. Worse, 80 percent of employees surveyed reported using non-encrypted USB drives that they’ve often acquired for free at trade shows or conferences.

The fact that these drives are unencrypted is bad enough, but there’s another, even more frightening dimension to the problem. Such drives could be pre-loaded with malware, which could easily make it onto your company’s network the moment they’re connected to any office machine.

Apricorn had this to say about the results of the survey:

“With the ever-increasing amount of data breaches and compromises, companies need to carefully monitor what data is being created in their organizations, and what is leaving.

Government, healthcare, finance and education industries have access to copious amounts of sensitive information and most of these industries are using USBs without advanced permission. Not only are these companies leaving themselves vulnerable, they are placing their customers’ and employees’ data at risk.”

Although the company notes that there is an awareness of the damage that lost or compromised data can cause, not much is being done about preventing that loss, at least where the use of USB drives is concerned. According to the survey, fully half of the respondents indicated that they didn’t need to seek permission to use a USB drive to copy or transport potentially sensitive information.

Does your company have a robust set of policies in place to control the use of USB drives? Are all the USBs used by your employees encrypted and secure? Do you have a policy in place regarding proper reporting procedures should a USB drive go missing? Important questions, all.

Android Gets Fix For KRACK WiFi Vulnerability

Last month, a new WiFi security vulnerability known as “Krack” was discovered by a security researcher named Mathy Vanhoef. It was about as serious as a security flaw could be, enabling hackers to clone a router and funnel traffic through it, either monitoring all the activity on the network, or, if they wanted to be more destructive, conducting all manner of “man in the middle” attacks against anyone on the network.

The major tech companies were all given advance notice of Vanhoef’s research, and as such, not long after it was published, many responded almost immediately with patches. Apple, for example, released a Krack patch at the end of October.

Microsoft was even quicker to respond, releasing a patch to the problem quietly before Vanhoef’s research was even published.

In that regard, Google has been a bit behind the curve, but as of the release of this month’s Android Security Bulletin, the company has at last provided a fix for the issue.

This month’s update is spread over the following three updates:

• 2017-11-01
• 2017-11-05
• And 2017-11-06

The fix for the Krack issue is contained in this last one.

If your Android device is set to automatically receive security updates, then there’s nothing for you to do. The patch has already been installed on your phone.

If you tend to take a skeptical view of automatic updates, then at the very least, be sure to grab 2017-11-06. If you don’t, you’re probably putting your organization at unnecessary risk. If you want to check to see if you’re vulnerable before applying the update, you can do that, too. Vanhoef released his proof-of-concept code and detection tools on his GitHub account, and since releasing the data, an interested third-party has developed a tool aptly named “Krack Detector” you can use to see if you need the fix.

Either way, it’s worth looking into, and something your team should make a priority.

Issue With Android Could Let Someone Record Screen And Audio

Do you have an Android phone? Is it running either Lollipop, Marshmallow or Nougat? Those three account for slightly more than 75 percent of the Android phones in service today, so odds are excellent that you do. If so, you should be aware of a nasty vulnerability that could allow a hacker to perform at-will screen captures and audio recording without your knowledge.

The issue resides within Android’s MediaProjection service, which has been a part of the OS since its earliest days. The reason that it has only recently become an issue, though, is that prior to the release of Android Lollipop (version 5.0), third-party apps couldn’t make use of it. It required both root-level access and the app in question had to be signed with the device’s release keys, which meant that only system-level apps deployed by Android OEMs could utilize MediaProjection.

That changed with the release of Lollipop, which opened the service up so that anyone could use it. Unfortunately, when Google relaxed access to the service, they didn’t put it behind a permission that apps could require from users. All a third-party developer needs to do to access MediaProjection is to make an “intent call” that would show a System UI popup, warning users that an app wanted to capture the screen and/or system audio.

Here’s the problem, though. Security researchers discovered that an attacker could detect when the system popup would appear, and knowing that piece of information, they could trigger some other message to appear on top of it, effectively blinding the phone’s owner to the fact that screen captures and audio recordings were in process.

Since the discovery of the security flaw, Google has released a patch that addresses it. Unfortunately, the patch only applies to Android Oreo (8.0). Older phones are still vulnerable.

If there’s one saving grace, it is the fact that the attack is not completely stealthy, and observant users will note the screencast icon in the phone’s notification bar. It’s far from perfect protection, but it’s something, so be aware if you’ve got an older Android phone.

Data On 123 Million US Households Leaked Online

Security researchers at UpGuard recently made a terrifying discovery in finding an unprotected Amazon S3 server containing several databases belonging to a data analytics provider called Alteryx.

While the server contained a variety of databases, the two that are of biggest concern belonged to Alteryx’s business partners, Experian and the US Census Bureau.

Of these, far and away the most damaging database was the one belonging to Experian. As a credit reporting agency, Experian has access to just about everything that relates to your personal finances. In addition to your address, they’ve got details on how many credit cards you have, what your average balances on each one are, what your credit limit is, the state of your mortgage and more. All of that information was sitting on a completely unprotected server that literally anyone could access.

The scope and scale of the database is almost beyond comprehension, containing more than 3.5 billion financial details on more than 123 million US households. That’s almost every household in the country.

It’s not much of a silver lining, but the database did not contain any names. Having said that, since address information was present, linking an address with the name of the current occupant is a trivial task for any hacker.

At this point, it’s unclear if anyone other than the UpGuard researchers downloaded the databases, but ultimately, it doesn’t matter. The simple fact that so much information on so many American households was left unguarded means that virtually every person in the country is now at risk of identity theft.

At the root, this is a problem of standards. Contractors like Alteryx simply do not adhere to the same security standards as the company or agency charged with the responsibility of safeguarding the data in the first place (Experian and the US Census Bureau, in this case). Given that, it was only a matter of time before a mishap of this scale occurred.

At this point, there’s really nothing you can do but be mindful that your personal information may have been compromised, and stay vigilant.

Known WordPress Malware Is Back For Second Round

This past summer, an Italian security researcher named Manuel D’Orso discovered a nasty malware attack aimed at WordPress sites.

Dubbed “Wp-Ved,” after the name of the .php file bearing the malicious payload, the attack was relatively small in its scope and scale, with a few scattered attacks starting in the summer and continuing in sporadic fashion to this very day.

Apparently, the hackers who own the code learned what they needed to, and recently an updated variant of the malware has been spotted in the wild.

The malware is not subtle. It doesn’t try to hide what it’s doing in the least. It simply injects malicious code into legitimate files, focusing on old WordPress default themes such as “Twentyfifteen” and “Twentysixteen.”

Once the code is in place, it works quickly to create a new Admin user with the name “100010010,” which gives the hackers a back door they can use to launch other scripted attacks at their discretion.

Again, owing to the completely un-subtle nature of the code, any user who is running any sort of web application firewall (WAF) would be completely immune to this type of attack, as the WAF would have spotted it immediately and shut it down before it could do any damage. Sadly, a significant percentage of webmasters running WordPress sites don’t take advantage of this sort of protection.

Although this isn’t a large scale, coordinated attack, given the sheer number of WordPress sites on the web, it’s something to be mindful of. As to the damage the hackers could cause if you are infected, unfortunately, the sky’s the limit. Once they’ve got an Admin-level backdoor to work with, there’s not much they couldn’t do, so if you run a WordPress-based site, it’s worth your time to check to see if you’ve been infected. If you have, you’re sitting on a ticking time bomb.

As to how you can protect yourself, the first step is, of course, to delete the files containing the malicious code.

Once that’s done, disable and delete the rogue Admin account, and if one is available, begin making use of a web application firewall so that you can avoid any problems with Wp-Ved in the future.
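One way to check for the two Wp-Ved indicators described above (the rogue “100010010” administrator and tampered files in the default themes) is to compare the installed theme files against a manifest taken from a pristine copy and to audit the user list. This is an added example, not code from the article or from WordPress; the user records are shaped like the output of `wp user list --format=json`, the sample data is constructed, and the dropped file name `wp-ved.php` is an assumption based on the malware’s nickname.

```python
"""Audit a WordPress install for the Wp-Ved indicators the article describes:
a rogue administrator named "100010010" and modified/added .php files in the
old default themes.  Added example, not part of the article or any WP tool."""
import hashlib
import json
import os
import tempfile

ROGUE_ADMIN = "100010010"                            # user name from the article
DEFAULT_THEMES = ("twentyfifteen", "twentysixteen")  # themes the article names


def rogue_admins(users):
    """users: list of dicts with user_login and roles (as wp-cli's JSON output).
    Returns logins that carry the rogue name AND the administrator role."""
    return [u["user_login"] for u in users
            if u["user_login"] == ROGUE_ADMIN and "administrator" in u["roles"]]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def theme_manifest(themes_dir):
    """Map 'theme/relative/file.php' -> sha256 for every .php file in the
    default themes under themes_dir (wp-content/themes on a real install)."""
    manifest = {}
    for theme in DEFAULT_THEMES:
        for dirpath, _, files in os.walk(os.path.join(themes_dir, theme)):
            for name in files:
                if name.endswith(".php"):
                    full = os.path.join(dirpath, name)
                    rel = os.path.relpath(full, themes_dir).replace(os.sep, "/")
                    manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(known_good, installed):
    """Compare the installed tree with a manifest of a pristine copy of the same
    theme versions.  Returns (modified, added, missing) relative paths."""
    modified = sorted(p for p in known_good if p in installed and installed[p] != known_good[p])
    added = sorted(p for p in installed if p not in known_good)
    missing = sorted(p for p in known_good if p not in installed)
    return modified, added, missing


def demo():
    """Constructed scenario: a clean twentysixteen tree and a live tree where
    functions.php was altered and an extra wp-ved.php (assumed name) dropped."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        os.makedirs(os.path.join(root, "twentysixteen"))
        with open(os.path.join(root, "twentysixteen", "functions.php"), "w") as f:
            f.write("<?php // legitimate theme code\n")
    with open(os.path.join(live, "twentysixteen", "functions.php"), "a") as f:
        f.write("/* constructed stand-in for an injected line */ include 'wp-ved.php';\n")
    with open(os.path.join(live, "twentysixteen", "wp-ved.php"), "w") as f:
        f.write("<?php // constructed placeholder, not the real payload\n")
    users = json.loads('[{"user_login": "editor1", "roles": "editor"},'
                       ' {"user_login": "100010010", "roles": "administrator"}]')
    return rogue_admins(users), diff_manifests(theme_manifest(clean), theme_manifest(live))


if __name__ == "__main__":
    print(demo())
```

On a real site, build the known-good manifest from a fresh download of the same theme version and run `theme_manifest` against `wp-content/themes`; anything reported as modified or added is what to inspect before deleting the rogue account.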

The WordPress community is, on the whole, quite good at rooting out malware designed to work against the platform. However, this is certainly not the first such campaign hackers have gotten past the active community’s defenses, nor will it be the last.

Just recently, for example, security researchers found vulnerabilities in two of the platform’s most popular plugins, Yoast SEO and Formidable Forms.

In the case of the Yoast security flaw, it has been patched as of version 5.8 of the plugin, so if you use Yoast, be sure you’re using the most up-to-date version.

The bug in the Formidable Forms plugin was patched in version 2.05.02 and higher, so again, if you’re using this plugin on your website, be sure you’ve got the latest and greatest installed.

Many Businesses Found To Be Running Old Microsoft Office Versions

When an operating system reaches the end of its supported life, such as Windows XP, NT and Vista have, it’s big news. It makes headlines. When other forms of software reach the end of the line, there’s just not as much fanfare. It’s not that it’s not important; it’s just not something people think or care very much about.

They probably should, at least according to a recently released survey by Spiceworks, which revealed statistics that were both shocking and dismaying. Here are a few of the highlights:

• Fully 68 percent of businesses surveyed are still running instances of Office 2007, in spite of the fact that the software stopped receiving security updates in October
• Nearly 50 percent (46 percent to be exact) are still running Office 2003
• 21 percent are still running Office 2000
• 15 percent are running Office XP
• And three percent are amazingly still running some instances of Office 97

Of particular interest was the fact that most of the firms running outdated software are mid-sized companies employing between 100 and 1000 people. Large companies have the resources to keep their software up to date and smaller firms, recognizing their lack of resources, have readily moved to embrace Office 365, which is always up to date, and thus, saves them money and headaches.

Those firms stuck in the middle, though, and possibly your own company, find themselves in a tricky position. They’ve invested heavily in productivity tools, then found themselves in the unenviable position of not having the resources to keep them fully updated, and of course, are reluctant to lose their investment by switching to Office 365.

It’s undeniably a balancing act, but the reality is that if your company is using outdated productivity tools, your risks of a breach are higher than they should be. It’s something that’s too important to gloss over or delay. If you’re using an outdated version of Office or other productivity tools, find a way out of that box as soon as is feasible. Your data security staff will thank you for it, and it’ll give you peace of mind.

Always Connected Laptops Could Be The Next Generation Of Hardware

What’s the next big thing for the PC world? If the industry’s major players have anything to say about it, it will be the “always-on” PC.

Forget about plugging into your company’s network. Forget about free WiFi Hotspots. With an always-on PC, you won’t have to worry about either. If they’re not available, your PC can connect via the same cellular data network your smartphone uses, which means you’ll always be just a few mouse clicks away from your data.

It sounds fantastic, but there is, of course, one giant wrinkle in the equation: cost. More specifically, although several major hardware manufacturers are planning to sell always-on PCs soon, nobody knows how much the data plans will wind up costing in the longer term.

A few telecommunications companies have already given some indications here. T-Mobile has announced that its ONE unlimited service will be available for $20 a month. AT&T’s rates are significantly higher, charging $30 a month for 3GB of DataConnect data, and Verizon is charging $10 a month per gigabyte of data.

Depending on how much data you’re working with, that can get expensive very quickly. You could easily wind up paying more on your data plan than the PC itself set you back, and that’s before taking into account what impact the recent reversal on the Net Neutrality policy may have going forward.

One thing’s for certain: carriers won’t be able to get away with charging too much for the service, or customers will simply opt not to play the game, preferring to continue to flock to free WiFi hotspots as they’re doing now.

The first always-on PCs will start shipping in 2018, at which time we’ll find out how anxious the market is to embrace the new feature, and what kind of premium they’ll be willing to pay for it. Stay tuned.