- Social Site-

Last update 28.09.2017 14:48:34

NYT: Facebook APIs gave device makers deep access to user data. FB disagrees
6.6.2018 securityaffairs

Facebook APIs granted access to the data belonging to FB users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions.
After the Cambridge Analytica privacy scandal, Facebook is now facing new problems because it is accused of sharing user data with over 60 device-makers.

The social network giant had granted access to the data belonging to its users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions, “Like” buttons, address books, and other features without requiring their users to install a separate app.

“Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said.” states the New York Times.

“The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.”

The controversial practice started more than 10 years ago, before Facebook apps were widely available on smartphones.

The partnerships raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. The decree barred the social network giant from sharing data of users’ Facebook friends with other companies without their explicit consent.
To support the accusation, Michael LaForgia, a New York Times reporter, used a 2013 Blackberry device to access his Facebook account with roughly 550 friends.

He discovered that a BlackBerry app called “The Hub” was still able to harvest private data from 556 of his friends, exposing info including religious and political orientation.

The reporter also discovered that The Hub was able to acquire “identifying information” for up to 294,258 friends of his Facebook friends.

“After connecting to Facebook, the BlackBerry Hub app was able to retrieve detailed data on 556 of Mr. LaForgia’s friends, including relationship status, religious and political leanings and events they planned to attend.” continues the NYT.

“Facebook has said that it cut off third parties’ access to this type of information in 2015, but that it does not consider BlackBerry a third party in this case.”

Facebook responded to the accusation of the NYT report in a blog post entitled “Why We Disagree with The New York Times.”

The social network confirmed that the Facebook APIs were created to let device makers improve the experience of Facebook users by implementing features in their operating systems; it should be remembered that at the time there were no apps.

“The New York Times has today written a long piece about our device-integrated APIs — software we launched 10 years ago to help get Facebook onto mobile devices.” states the post published by Facebook.

“In the early days of mobile, the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system. It’s hard to remember now, but back then there were no app stores.”

“So companies like Facebook, Google, Twitter and YouTube had to work directly with operating system and device manufacturers to get their products into people’s hands. This took a lot of time—and Facebook was not able to get to everyone.”

“To bridge this gap, we built a set of device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems. Over the last decade, around 60 companies have used them—including many household names such as Amazon, Apple, Blackberry, HTC, Microsoft, and Samsung.”

The company added that it carefully monitored the use of the Facebook APIs to avoid any abuse, and that device vendors signed agreements that prevented Facebook users’ information from being used for other purposes.

“Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built,” continues the post.

“Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”

After more than ten years things have changed, and the Cambridge Analytica scandal has made users aware of the importance of their privacy.

Today both the Facebook iOS and Android apps are very popular and the criticized Facebook APIs are no longer used; for this reason, the company began “winding down” the partnerships in April.

“This is very different from the public APIs used by third-party developers, like Aleksandr Kogan. These third-party developers were not allowed to offer versions of Facebook to people and, instead, used the Facebook information people shared with them to build completely new experiences.” concluded Facebook.

“Now that iOS and Android are so popular, fewer people rely on these APIs to create bespoke Facebook experiences. It’s why we announced in April that we’re winding down access to them. We’ve already ended 22 of these partnerships. As always we’re working closely with our partners to provide alternative ways for people to still use Facebook.”

'I'm sorry', Facebook Boss Tells European Lawmakers
23.5.2018 securityweek

Facebook chief Mark Zuckerberg apologized to the European Parliament on Tuesday for the "harm" caused by a huge breach of users' data and by a failure to crack down on fake news.

But Zuckerberg's appearance failed to satisfy MEPs who accused him of dodging questions and criticized a format that gave the parliament's political leaders far more time to give long-winded speeches.

His livestreamed testimony in Brussels was the latest stop on a tour of apology for the Cambridge Analytica scandal that saw him quizzed for ten hours in the US Congress in April, and will take him to Paris on Wednesday.

Zuckerberg said that while Facebook has brought in new features to connect people, it had become clear in the last two years that they "haven't done enough to prevent these tools from being used for harm".

"And that goes for fake news, foreign interference in elections or developers misusing people's information. We didn't take a broad enough view of our responsibility," he said in his opening statement.

"That was a mistake, and I'm sorry for it."

'Too slow'

The European Parliament invited Zuckerberg in March after Facebook admitted that up to 87 million users may have had their data hijacked by British consultancy firm Cambridge Analytica.

The firm, which was working for US President Donald Trump's 2016 campaign, has since declared bankruptcy.

Zuckerberg originally tried to send a junior executive instead but finally bowed to pressure to appear. However he only agreed for it to be livestreamed on Monday after initially insisting on it being behind closed doors.

Appearing calm and unruffled during the 90-minute hearing, Zuckerberg welcomed the EU's sweeping new personal data protection rules, which come into effect in three days, saying that his website would be "fully compliant".

In that spirit, Zuckerberg said Facebook was bringing in new features, including a special "clear history" button that would allow users to delete any cookies or browsing history details it stores.

Zuckerberg admitted that Facebook had been "too slow to identify Russian interfering" in the 2016 US presidential ballot but was working with European governments for future elections.

In the run-up to last year's French elections Facebook "found and took down more than 30,000 fake accounts", he said.

'Pre-cooked format'

But some European lawmakers were still unhappy with the format in which Zuckerberg answered questions for only 25 minutes -- half as long as the time it took the parliament's political leaders to get through their long-winded questions.

"Today's pre-cooked format was inappropriate and ensured Zuckerberg could avoid our questions," Guy Verhofstadt, the European Parliament's Liberal leader, tweeted afterwards.

The former Belgian prime minister asked Zuckerberg during the hearing if he wanted to be remembered as a "genius who created a digital monster".

Manfred Weber, the German head of the centre-right European People's Party, the largest group in parliament, said the Facebook chief was "not very convincing" and "did not answer all our questions".

But European Parliament President Antonio Tajani -- who invited Zuckerberg and arranged the meeting -- called Zuckerberg's visit a "success" even if he said his apology was "not enough" and required follow up.

Zuckerberg meanwhile pledged that Facebook would make fresh investments to protect its users in the wake of the scandal -- with many of those in Europe where he plans to have 10,000 employees by the end of the year.

"It's going to take time to work through all of the changes we must make. But I'm committed to getting it right, and to making the significant investments needed to keep people safe," he added.

"I expect this will significantly impact our profitability. But I want to be clear: keeping people safe will always be more important than maximizing our profits."

Zuckerberg is due to meet French President Emmanuel Macron in Paris on Wednesday.

Facebook Suspends 200 Apps Over Data Misuse
16.5.2018 securityweek 

Facebook said Monday it has suspended "around 200" apps on its platform as part of an investigation into misuse of private user data.

The investigation was launched after revelations that political consulting firm Cambridge Analytica hijacked data on some 87 million Facebook users as it worked on Donald Trump's 2016 campaign.

"The investigation process is in full swing," said an online statement from Facebook product partnerships vice president Ime Archibong.

"We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended -- pending a thorough investigation into whether they did in fact misuse any data."

Archibong added that "where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website."

The revelations over Cambridge Analytica have prompted investigations on both sides of the Atlantic and led Facebook to tighten its policies on how personal data is shared and accessed.

Facebook made a policy change in 2014 limiting access to user data but noted that some applications still had data it had obtained prior to the revision.

"There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time," Archibong said.

Change Your Twitter Password Immediately, Bug Exposes Passwords in Plaintext
11.5.2018 thehackernews

Twitter is urging all of its 330 million users to change their passwords after a software glitch unintentionally exposed its users' passwords by storing them in readable text on its internal computer system.
The social media network disclosed the issue in an official blog post and a series of tweets from Twitter Support.

According to Twitter CTO Parag Agrawal, Twitter hashes passwords using a popular function known as bcrypt, which replaces the actual password with a random-looking string of numbers and letters that is then stored in its systems.
This allows the company to validate users' credentials without revealing their actual passwords, while also masking them in a way that not even Twitter employees can see them.

However, a software bug resulted in passwords being written to an internal log before completing the hashing process—meaning that the passwords were left exposed on the company's internal system.
Parag said Twitter had found and resolved the problem itself, and an internal investigation had found no indication of breach or passwords being stolen or misused by insiders.
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," Parag said.
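The logging-before-hashing defect described above, as an added example written for this page and not Twitter's code: the vulnerable handler logs the raw request form before the password is hashed, so the plaintext lands in the log, while the hardened handler hashes first and runs every log record through a redaction filter. The standard library's PBKDF2 stands in for bcrypt, and the form field names, logger names and sample password are constructed; all of these are assumptions, not details from the incident.

```python
import hashlib
import hmac
import logging
import secrets
from io import StringIO
from typing import Dict, Optional, Tuple

# Form fields that must never reach a log (constructed names, assumption).
SENSITIVE_FIELDS = frozenset({"password", "new_password", "current_password"})
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time; the plaintext is never stored."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def redact(form: Dict[str, str]) -> Dict[str, str]:
    """Copy of the form with every sensitive value replaced."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}


class RedactSecretsFilter(logging.Filter):
    """Redacts any dict passed as a log argument before the record is formatted.

    logging stores a lone dict argument directly in record.args, otherwise a tuple,
    so both shapes are handled."""
    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, dict) else a for a in record.args)
        return True


def _make_logger(name: str, redacting: bool) -> Tuple[logging.Logger, StringIO]:
    """In-memory logger so the example can inspect what would have been written to disk."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactSecretsFilter())
    return logger, buf


def change_password_vulnerable(form: Dict[str, str]) -> Tuple[str, Dict[str, bytes]]:
    """BUG: the whole request is logged before hashing, so the log holds the plaintext."""
    logger, buf = _make_logger("pw.vulnerable", redacting=False)
    logger.info("password change request: %s", form)
    salt, digest = hash_password(form["new_password"])
    return buf.getvalue(), {"salt": salt, "digest": digest}


def change_password_hardened(form: Dict[str, str]) -> Tuple[str, Dict[str, bytes]]:
    """Hash first and log only non-secret fields; the filter also catches stray dict dumps."""
    logger, buf = _make_logger("pw.hardened", redacting=True)
    salt, digest = hash_password(form["new_password"])
    logger.info("password change request for user %s", form.get("user", "?"))
    logger.info("debug dump: %s", form)  # would leak the password without the filter
    return buf.getvalue(), {"salt": salt, "digest": digest}


def log_leaks_secret(log_text: str, form: Dict[str, str]) -> bool:
    """Detection check: does the emitted log contain any sensitive field's value?"""
    return any(form[k] in log_text for k in SENSITIVE_FIELDS if k in form)


if __name__ == "__main__":
    sample = {"user": "alice", "new_password": "correct-horse-battery"}  # constructed input
    vuln_log, _ = change_password_vulnerable(sample)
    safe_log, record = change_password_hardened(sample)
    print("vulnerable log leaks plaintext:", log_leaks_secret(vuln_log, sample))
    print("hardened log leaks plaintext:  ", log_leaks_secret(safe_log, sample))
    print("stored hash verifies:", verify_password(sample["new_password"], **record))
```

The `log_leaks_secret` check is the kind of assertion worth running in a test suite against captured log output: it would have flagged this class of bug before the logs were ever written, whichever hashing function sits behind `hash_password`.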

"We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."
Still, the company urged all of its 363 million users to consider changing their passwords to be on the safe side.
How to Reset Twitter Password
In order to change your password on Twitter, click on your Profile Picture icon in the top-right corner, then go to Settings and Privacy → Password. Now type your current password, enter a new one, and try to make it stronger.
For the Twitter app for iOS and Android, click on your Profile Picture icon in the top-left corner, and then go to Settings and Privacy → Account → Change Password ("Password" on Android), and create a new, stronger password.
You should also change the password on all other services where you have used the same password.
You are also advised to enable the two-factor authentication service on Twitter, which adds an extra layer of security to your account and helps prevent it from being hijacked.

Twitter is Testing End-to-End Encrypted Direct Messages
11.5.2018 thehackernews

Twitter has been adopting new trends at a snail's pace. But it’s better to be late than never.
People have been speculating since 2013 that Twitter would bring end-to-end encryption to its direct messages, and now, almost 5 years after the encryption era began, the company is finally testing end-to-end encrypted messaging on Twitter.
Dubbed "Secret Conversation," the feature has been spotted in the latest version of Android application package (APK) for Twitter by Jane Manchun Wong, a computer science student at the University of Massachusetts Dartmouth.
End-to-end encryption allows users to send and receive messages in a way that no one, be it an FBI agent with a warrant, hacker or even the service itself, can intercept them.
However, it seems the Secret Conversation feature is currently available only to a small number of users for testing. So, if you are one of those lucky ones, you will be able to send end-to-end encrypted Secret Conversation messages through Direct Messages.
Secret Conversation appears to allow Twitter users to send encrypted direct messages and beef up the security of their conversation.
How to Send Encrypted Twitter Direct Messages

Unlike WhatsApp and Apple's iMessage, not all of your conversations on Twitter DM will be end-to-end encrypted by default; rather, you'll have to selectively start an encrypted chat, just like you start a Secret Conversation on Facebook Messenger.
As shown in the screenshot shared by Wong, one needs to follow below-mentioned steps to start a Secret Conversation on Twitter (after it's available to everyone):
Open the Twitter app on your Android device.
Open an existing conversation or start a new DM conversation with the person you want to chat secretly.
Tap the information icon in the upper right corner of your phone.
Select 'Start a secret text message,' and a new window will open where you can send encrypted messages.
It should be noted that Twitter's current infrastructure cannot keep the individual encryption keys required to encrypt and decrypt messages private on the desktop/web version, so the Secret Conversation feature would not be available there.
Instead, only the Twitter mobile apps (Android/iOS) can be used to keep your encryption keys secret on your smartphone, just like WhatsApp and Facebook Messenger.
Besides Secret Conversation, Twitter is also working on an in-app "Data Saver" mode, which if enabled, saves some of your bandwidth and speeds up the app by disabling autoplay for videos and loading of heavy images.

WhatsApp Group Video Call and Instagram Video Chat Are Coming Soon
9.5.2018 thehackernews 

Facebook announced a whole lot of new features at its 2018 Facebook F8 developers conference, including Dating on Facebook, letting users clear their web browsing history, real-time language translation within Messenger, and many more.
Besides announcing exciting features for its social media platform, Facebook CEO Mark Zuckerberg also gave us a quick look at the features Facebook introduced for companies that it owns, like WhatsApp and Instagram.
During Facebook's F8 conference on Tuesday, Zuckerberg announced a long-awaited feature for WhatsApp—Group Video Calling. Yes, you heard that right. WhatsApp would soon be adding a group video calling feature to the popular end-to-end encrypted messaging app, making it possible for its over one billion users to have face-to-face conversations with multiple people at once.
Although there are not many details about the WhatsApp group video calling feature at this moment, it is clear that WhatsApp will allow four people to take part in a group video chat. The feature will only work on smartphones (not on WhatsApp Web).
Previously, the video calling feature was only available for personal chats (involving two parties).
According to Zuckerberg, video calling is one of the most popular features on WhatsApp, and people have already spent about 2 billion minutes on video calls on WhatsApp alone.
Therefore, with the launch of WhatsApp group video calling, the company hopes that the messaging app will become more popular.
Besides group video calling, WhatsApp will also bring support for stickers in the months ahead, just like Messenger, Facebook revealed later.
This year's F8 has also brought a major update to Instagram: Facebook is bringing the video chat feature to Instagram, giving Instagrammers a new way to spend time together, even when they cannot be together.
To start a video chat one-on-one with someone or with a group of people, you simply need to tap the new camera icon at the top of a Direct message thread. You can even minimize the video window and continue the chat while doing other stuff on Instagram.
Besides video chat, Instagram will also be having a redesigned Explore feature to make it easier for Instagrammers to discover things they are interested in.
Both the new Explore and video chat features are currently in the testing phase and will roll out globally soon.
Facebook also introduced a new way for people to share from their favorite apps, like Spotify and GoPro, to Instagram Stories as well as Facebook Stories.
To learn everything Facebook announced at the 2018 F8 developer conference on Tuesday, you can head to the blog post published by the company.

Along with Dating, Here’s a List of New Features Coming to Facebook
9.5.2018 thehackernews 

Facebook announced a whole lot of new features at its 2018 Facebook F8 developers conference, along with the keynote by its CEO Mark Zuckerberg addressing concerns from app developers after Facebook paused 3rd-party app review in the wake of the Cambridge Analytica scandal.
Here are some big takeaways from Zuckerberg's keynote on Day 1 of Facebook F8, held for two days, May 1 and 2, at the McEnery Convention Center in San Jose, California:
FaceDate—Facebook's New Tinder-Like 'Dating' Feature

Still Single? Don't worry because Facebook doesn't want you to remain single for long.
The social network giant is introducing a new dating feature that will allow you to build your profile that will only be visible to other Facebook users (non-friends) who have also opted into looking for love.
Dubbed FaceDate, the new feature will match your profile based on all its data with others to find potential suitors and messaging will happen in a dedicated inbox rather than its default Messenger application.
And worry not: FaceDate will neither match your profile with your friends, nor will your friends be able to see your dating profile.
FaceDate is "not just for hookups," Zuckerberg said. Rather, the feature has been designed for "real long-term relationships."
Shortly after the announcement of FaceDate, the share price of Match Group, the parent company of Match.com, fell 22%, and IAC, the parent of both popular hookup app Tinder and Match Group, fell more than 16%.
Facebook Adds 'Clear History' Tool

Facebook has been embroiled in controversies over its data sharing practices since the Cambridge Analytica scandal, forcing people to think about how the social network handles user privacy and how it collects and uses data.
Now to help users protect their privacy, Facebook introduced a new feature, dubbed "Clear History," that will let users clear their browsing history on Facebook.
Clear History will enable users to see the websites and apps that send Facebook information when users use them, delete this information from users' account, and turn off Facebook's ability to store the data "associated with your account" going forward.
Once you clear your history, Facebook will remove identifying information so a history of the sites and apps you have used will not be associated with your account.
It is unclear how Facebook defines 'associated with your account.'
However, Facebook will take a few months to build the Clear History feature, and work with "privacy advocates, academics, policymakers, and regulators to get their input on our approach," Facebook VP and chief privacy officer Erin Egan said in a blog post.
"After going through our systems, this is an example of the kind of control we think you should have," Zuckerberg said. "It's something privacy advocates have been asking for."
Facebook also warned users that by using the Clear History tool, they might be required to sign back in every time they want to log into their account.
Facebook is also committed to preventing "fake news" and fake accounts from spreading on its platform, though Zuckerberg did not tell much about how Facebook plans to do it.
Facebook Re-Opens App Reviews On Its Platform
In the wake of the Cambridge Analytica scandal, Facebook paused third-party app review, but now Zuckerberg announced that the company is re-opening app reviews for developers starting Tuesday.
The relationship between Facebook and app developers has gotten complicated since it was revealed how digital consultancy firm Cambridge Analytica improperly obtained and misused data on potentially 87 million Facebook users to reportedly help Donald Trump win the US presidency in 2016.
Facebook paused review of new apps after it was revealed that a third-party app developer named Aleksandr Kogan, who created personality quiz app and collected personal data on millions of users who took the quiz, handed over the data to Cambridge Analytica.
"I know it hasn’t been easy being a developer these past couple months, and that’s probably an understatement," Zuckerberg said.
Facebook has re-opened app review, but the process has changed a bit. The company will now "require business verification for apps that need access to specialized APIs or extended Login permissions."
"Apps that ask for basic public profile or additional permissions, such as a birthday or user friends, are not subject to business verification," a blog post published Tuesday reads.
Real Time Language Translations In Facebook Messenger

Facebook has introduced chat translation within Messenger through its M Suggestions assistant, which will translate conversations in real time, just like web browsers do.
However, the feature will be rolled out to users in the United States throughout this year and will only translate English-Spanish conversations.
In the coming weeks, all American Messenger users will get access to this feature, and over time the social media says it will "launch this functionality in additional languages and countries."
Launching in closed beta, businesses will now be able to integrate augmented reality (AR) camera effects directly into Messenger for their customers to experience.
Now when you interact with certain businesses on Messenger, you will be able to virtually try on or customize merchandise by opening the app's camera and using a pre-populated brand-specific AR effect.
Facebook is also simplifying Messenger's interface. Since the app's quest to embrace businesses, bots, Stories and visual sharing has made it bloated, the company has redesigned Messenger by cutting the games and camera tabs from the navigation bar.
Besides these features, Facebook has also introduced a new way for people to share from their favorite apps, like Spotify and GoPro, to both Facebook and Instagram Stories. The company has also made its first standalone VR headset Oculus Go available globally for anyone to purchase, starting at $199.
To know more about new launches and watch the full keynote, you can head on to this blog post.

Telegram Rivaling Tor as Home to Criminal 'Forums'
9.5.2018 securityweek Social

Telegram Channels Offer Great Anonymity and Are Being Increasingly Used by Cybercriminals

Serious criminals are abandoning the upper levels of the dark web. The reasons appear to be the relative ease with which such criminal forums are penetrated by law enforcement agents and security researchers -- and the recent shut-downs of major criminal forums Hansa Market and AlphaBay.

Last month, Cybereason tested this idea and concluded that serious criminals have migrated to the deeper, closed forums of the dark web. In research published yesterday, Check Point researchers now postulate an alternative destination for these criminals: not deep, dark, Tor-hidden forums, but Telegram.

Telegram is an encrypted instant messaging system first released in 2013. Like WhatsApp, it offers individual conversations and group chats -- but what sets it apart is its security strength and end-to-end encryption. "As a result, some of its hosted chat groups have become a useful alternative to the secretive forums on the Dark Web," say the Check Point security team.

Telegram groups are known as channels. It is these channels that are increasingly used by criminals. "Any threat actor with a shady offer or conversation to start, can enjoy private and end-to-end encrypted chats instead of the exposed threads that are seen in online forums." The advantages are obvious. They are easier to operate, easier to join, and offer even greater anonymity.

Check Point gives three examples of how Telegram is used. Three channels were found in Russia known as Dark Job, Dark Work and Black Markets. Dark Jobs recruits staff for illegal jobs. The jobs are graded white (for little danger), grey (for greater illegality and difficulty), and black (for dangerous with legal risks). Anyone with the Telegram app can join this channel and can both post advertisements and apply for jobs with complete anonymity. The same principle applies to other channels, and some already have thousands of subscribers.

The simplicity of this criminal method is particularly worrying.

"This is especially worrying," say the researchers, "considering the accessibility of the channels and the promises of high salaries made to those who might otherwise refrain or have no way to reach these markets." In other words, the migration of criminals to Telegram might easily increase the general level of criminality in society.

One area that particularly worries Check Point is the promotion of insider deals. It is easy to imagine a channel called 'Insiders'. This could attract any authorized employee with a grudge or need for additional finances to sell inside access to corporate networks anonymously via Telegram.

"Threat actors might take advantage of these employees in order to obtain insider information and sensitive data that is unavailable to the public," warn the researchers. "This inside information could then be used for personal purposes or sold, or to conduct a cyber-attack from the inside of the company. This would thus eliminate the efficiency of some security solutions. After all, having someone "on the inside" is a very powerful tool. Just like in the real world, in the world of cybercrime it can often be not what you know but who you know."

This is already happening on the Dark Job channel. One advertisement is looking for employees of Western Union or MoneyGram that have access to certain systems -- and offering payment of $1000 per day.

The Dark Work channel seems to be more geared towards criminal projects than employments. One example reads, "Wanted for a dark project: Cryptor running on all systems from Windows XP to 10. Bypassing the top AV especially Avast and Defender." The concern here is that a criminal entrepreneur could outsource an entire project without needing to know anything about technology, nor even his suppliers.

The Dark Market is simply that -- a marketplace for shady goods. Novice users, say the researchers, can find "messages promoting stealthy crypto-miners that will run without the victims' knowledge in exchange for 600 rubles, or even infostealers that collect documents, screenshots and passwords in exchange for 1000 rubles." This makes the Telegram channels very similar to the dark web marketplaces (such as the old Silk Road), but easier and more secure to use.

Government recognition of the increasing criminal use of Telegram is likely behind both the recent national bans, and the western demands for law enforcement encryption backdoors. In March, Russia's Supreme Court ordered that Telegram must provide decryption keys to the country's security services -- which Telegram declined. In mid-April, Russia began blocking Telegram.

Iran also banned Telegram on April 30, 2018, but is so far having little success. As of May 7, Iran's state-owned Telecommunications Infrastructure Company (TIC), which operates under President Hassan Rouhani's Telecommunications Ministry, has yet to comply with a prosecutor's order to block the Telegram messaging app. Radio Farda, a Persian language broadcaster at Radio Free Europe/Radio Liberty, reported today that many Iranians will use filtering software to avoid the ban. Of 9,485 respondents to a question, 9,024 replied they would "stay on Telegram using filtering circumvention software". (This is not a scientific study and is biased towards Iranian citizens already listening to a foreign broadcaster.)

In western democracies, the growing use of Telegram amply illustrates law enforcement's concern that criminals are going dark; and that law enforcement requires encryption backdoors to counter the threat. "Through the use of such tools, access to malware has never been easier, personal documents and certificates can be spread to unknown destinations and companies can be threatened by their own employees," concludes Check Point.

Secret Conversation – Twitter is testing End-to-End Encryption for direct messages
8.5.2018 securityaffairs

A security researcher found evidence that Twitter is testing a new feature, dubbed ‘Secret Conversation,’ to enable end-to-end encryption for its Direct Messages.
Twitter plans to adopt end-to-end encryption for its Direct Messages; the company is currently testing the new service, dubbed ‘Secret Conversation’.

The discovery was made by Jane Manchun Wong, a computer science student at the University of Massachusetts Dartmouth, who noticed the Secret Conversation feature in the latest version of the Android application package (APK) for Twitter.

Jane Manchun Wong
“Twitter is working on End-to-End Encrypted Secret DM!”
6:50 AM - May 4, 2018
End-to-end encryption, which secures communications between the interlocutors and prevents eavesdropping, has long been debated; many companies already implement it in their services, including WhatsApp, Facebook, and Skype.

The Secret Conversation feature is currently available only to a small number of users for testing purposes.


Unlike other platforms, such as WhatsApp, conversations in Twitter Direct Messages will not use end-to-end encryption by default.

Users have to explicitly start an encrypted chat; the principle is similar to Secret Conversations on Facebook Messenger.

Below are the steps to start using the new feature on Twitter:

Open the Twitter app on your Android device.
Open an existing conversation or start a new DM conversation.
Tap the information icon in the upper right corner of the screen.
Select ‘Start a secret text message.’

According to the expert, the end-to-end encrypted Secret Conversation feature would not be available in the desktop/web version of Twitter.

Facebook's Growing Privacy Concern
7.5.2018 securityweek

Facebook's Web Traffic Monitoring is Second Only to Google

With GDPR imminent (25 May), Facebook's problems in Europe are mounting. In April, CEO Mark Zuckerberg was questioned by Congress on the Cambridge Analytica affair. He declined to face British lawmakers, sending CTO Mike Schroepfer in his place. Now Damian Collins, head of the UK parliament’s Digital, Culture, Media and Sport Committee, has said, "We hope that [Zuckerberg] will respond positively to our request, but if not the Committee will resolve to issue a formal summons for him to appear when he is next in the UK."

It's not just the Cambridge Analytica scandal. Austrian privacy activist Max Schrems has been pursuing Facebook for years. An earlier case against Facebook led to a European Court of Justice ruling on October 6, 2015 declaring the Safe Harbor agreement between the EU and U.S. to be unconstitutional and invalid. This is often described as the Schrems Ruling, and is now part of EU case law.

Safe Harbor was replaced by Privacy Shield; and Max Schrems has pursued a largely similar course of action -- claiming that his rights as an EU citizen are violated by Facebook transferring his PII to the U.S. where they are easily available to third parties. Once again the case was heard in Ireland (EU home to Facebook); and once again, it has been referred to the Court of Justice of the EU for a decision.

The Schrems Ruling will undoubtedly figure in the court's deliberations; as will the new U.S. CLOUD Act that makes it easier for U.S. government agencies to access any data held by U.S. companies anywhere in the world.

At the end of April 2018, Facebook attempted to prevent the Irish court's latest referral by appeal -- but this was rejected by the Irish High Court on Wednesday, May 02. Facebook had argued that its rights would be prejudiced if a stay was not granted; but the judge declared there would be very real prejudice to the rights of millions of users if the referral was delayed.

There is now the possibility (many privacy activists believe probability) that the European Court of Justice will reject Privacy Shield in the same way and for the same basic reasons that it rejected Safe Harbor. The danger here, if this were to happen, is European regulators might not offer the big tech companies the same period of grace they did after the collapse of Safe Harbor. Facebook may be the catalyst, but the effect could impact a large number of U.S. companies trading with or in Europe.

GDPR is a further privacy complication. In April, Facebook's Erin Egan, VP and chief privacy officer, policy, and Ashlie Beringer, VP and deputy general counsel published, "Complying With New Privacy Laws and Offering New Privacy Protections to Everyone". Everyone, they wrote, "will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook. We’ll begin by rolling these choices out in Europe this week."

European privacy activists are not impressed. Cliqz (a German firm linked to Ghostery) published on Friday an open letter to Mark Zuckerberg commenting on his appearance before Congress last month, and stating, "you just plainly lied to the world public."

Cliqz's specific concern is over Zuckerberg's claimed lack of knowledge over 'shadow profiles'. Zuckerberg claimed he did not know about shadow profiles. Cliqz explains, "Shadow profiles are the data that Facebook uses to track and collect those Internet users who have never been on Facebook or deliberately left the network."

A December 2017 study by Cliqz and Ghostery found that Facebook monitors nearly one-third of global internet traffic regardless of whether the user is a member of Facebook or not. "The evaluation of 'only' one-third of all the websites we visit is completely sufficient to know more about us than our closest relatives: whether we are in debt, suffering from a serious illness, cheating our partner, looking for a new job, which political attitudes and sexual preferences we have -- our Internet history reveals it."

It is these shadow profiles that Cliqz believes may bring Facebook into non-compliance with GDPR. "The collection of data about non-users in a way that leads to shadow profiles is Facebook’s weak spot when it comes to GDPR compliance," explains Jean-Paul Schmetz, Cliqz's CEO.

Schmetz believes the firm is making a decent effort to comply with GDPR for its users. But, "What about non-users?" he asks. "Non-members or those who deleted their account are still being tracked and can’t do anything to prevent Facebook from building shadow profiles about them. They still won't have any means to opt-out or have their data deleted or get insights into the data Facebook has about them. We think that if Facebook continues to neglect the problem of shadow profiles, the company risks high penalties from the EU for GDPR violation."

For fair comparison, Facebook's traffic monitoring is second only to Google -- which the same Cliqz/Ghostery study found to monitor 60.3% of internet traffic. For the moment, however, it is Facebook that is coming under closer European scrutiny.

A Thomson Reuters/Ipsos survey (PDF) published this weekend found that the Cambridge Analytica affair has not deterred Facebook users in the U.S.

The poll, conducted April 26-30, found that about half of Facebook’s American users said they had not recently changed the amount that they used the site, and another quarter said they were using it more. Only a quarter of American Facebook users said they are using it less frequently or have deleted their account.

Twitter Urges Password Changes After Exposing 'Unmasked' Credentials
4.5.2018 securityweek 

Twitter on Thursday warned its users that an internal software bug unintentionally exposed "unmasked" passwords by storing them in an internal log.

Twitter CTO Parag Agrawal explained that Twitter hashes passwords using the popular bcrypt function, which replaces the actual password with a random set of numbers and letters, allowing Twitter's systems to validate credentials without revealing passwords, while also masking them so that Twitter employees can't see them.

"Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," Agrawal wrote in a blog post.

Agrawal said the bug has been fixed and an investigation shows no indication of breach or misuse by anyone, but urged users to change their passwords.

"Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password," Agrawal noted.

He also suggested that users enable two factor authentication, calling it "the single best action you can take to increase your account security."

Twitter urges its 330 million users to change passwords after bug exposed them in plain text
4.5.2018 securityaffairs

Twitter is urging all of its more than 330 million users to change their passwords after a bug exposed them in plain text on internal systems.
Twitter is urging its users to immediately change their passwords after a glitch caused some of them to be stored in plain text.

Parag Agrawal
“We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do. https://twitter.com/twittersupport/status/992132808192634881 …”
10:13 PM - May 3, 2018
The company did not reveal the number of affected accounts; according to Reuters, a person familiar with the company’s response said the number was “substantial.”

The bad news is that passwords may have been exposed for “several months.”

More than 330 million users have been impacted; according to the company, the passwords were stored in plain text only on an internal system.

“We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.” reads the security advisory published by the company.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”

Twitter announced it had fixed the security glitch and started an internal investigation to verify if users’ data may have been abused by insiders.

The company discovered the flaw a few weeks ago and has already reported the issue to some regulators. The bug caused the passwords to be written in plain text to an internal computer log before the hashing process was completed.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.” continues the advisory.

Just after the announcement of the incident, Twitter’s share price dropped 1 percent in extended trading to $30.35, after gaining 0.4 percent during the session.
Twitter apologized to its users and asked them to change their passwords and enable two-factor authentication. Of course, change the password on every other site where you have used the same Twitter credentials.

This is the latest blatant disclosure of a security breach a few weeks before the EU General Data Protection Regulation takes effect; a couple of days ago, GitHub announced that it had suffered a similar incident.
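Both reports above describe the same bug class: a request is written to a log before the password in it has been hashed, so the cleartext value lands on disk even though the stored credential is a bcrypt hash. The following is an added example, not Twitter's code, showing the leaky pattern next to a hardened one. Twitter said it uses bcrypt; to run without third-party packages this version uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in. The request dictionary shape, the field names and the sample password are assumptions made for the example.

```python
"""Keeping cleartext passwords out of application logs.

Added example, not Twitter's code. Twitter said it hashes with bcrypt; this
stand-alone version uses PBKDF2-HMAC-SHA256 from the standard library so it
runs without third-party packages. The request dictionary shape, the field
names and the sample passwords are assumptions made for the example.
"""
import hashlib
import hmac
import logging
import os
import re
from typing import Any, Dict, List, Optional

# Request fields whose values must never reach a log line (assumed names).
SENSITIVE_KEYS = {"password", "new_password", "current_password", "token"}

# Catches "password=hunter2" and "'new_password': 'hunter2'" style fragments
# inside free-text log messages, as a second line of defence.
SENSITIVE_PATTERN = re.compile(
    r"(?i)(password|token)(['\"]?\s*[=:]\s*['\"]?)([^'\",\s}]+)"
)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Return a self-describing salted hash: algo$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def redact(record: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of a request with every sensitive field replaced by a marker."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in record.items()}


class RedactingFilter(logging.Filter):
    """Scrubs password-like fragments from any message passing through a logger."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = SENSITIVE_PATTERN.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so they can be inspected."""

    def __init__(self, sink: List[str]) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def make_logger(name: str, sink: List[str], scrub: bool) -> logging.Logger:
    """Build an isolated logger writing to `sink`, optionally with the scrubber."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if scrub:
        logger.addFilter(RedactingFilter())
    return logger


def change_password_buggy(request: Dict[str, Any], logger: logging.Logger) -> str:
    """The bug class in the article: the raw request is logged before hashing."""
    logger.debug("password change request: %s", request)  # cleartext hits the log
    return hash_password(request["new_password"])


def change_password_fixed(request: Dict[str, Any], logger: logging.Logger) -> str:
    """Hash first; log only a redacted view of the request, and never the hash."""
    stored = hash_password(request["new_password"])
    logger.info("password changed user=%s request=%s", request["user"], redact(request))
    return stored


if __name__ == "__main__":
    lines: List[str] = []
    log = make_logger("demo", lines, scrub=False)
    change_password_buggy({"user": "alice", "new_password": "hunter2"}, log)
    print("buggy handler logged:", lines[-1])
    log = make_logger("demo_safe", lines, scrub=True)
    change_password_fixed({"user": "alice", "new_password": "hunter2"}, log)
    print("fixed handler logged:", lines[-1])
```

The fix that matters is ordering and data shape: hash as early as possible and hand only the redacted view to the logger, so a developer's `debug` call can never see the secret. The logging filter is defence in depth for messages written by code paths nobody reviewed; it should not be the only control, because a pattern-based scrubber will miss values that do not look like `key=value` pairs.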

Cambridge Analytica is shutting down after Facebook privacy scandal, is it true?
3.5.2018 securityaffairs

Cambridge Analytica, the commercial data analytics company at the centre of the Facebook privacy scandal, is ceasing all operations.

The commercial data analytics company Cambridge Analytica, the protagonist of the biggest privacy scandal of recent years, has announced it is “ceasing all operations” following the Facebook data breach.

An official statement released by the company states it had been “the subject of numerous unfounded accusations” and was “vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.”

The firm used data harvested from Facebook to target US voters in the 2016 Presidential election.

The data were collected by a group of academics who then shared them with Cambridge Analytica, which Facebook later confirmed. The researchers used an app developed by University of Cambridge psychology lecturer Dr. Aleksandr Kogan to collect user data.

Cambridge Analytica has always denied any involvement with Trump’s campaign and has declared that it never used the collected data to influence the Presidential election.

In early April, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, far more than the 50 million initially thought.

In the wake of the scandal, Facebook decided to tighten its privacy restrictions.

“Over the past several months, Cambridge Analytica has been the subject of numerous unfounded accusations and, despite the company’s efforts to correct the record, has been vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas,” said Clarence Mitchell, a spokesman for Cambridge Analytica.

“Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by Mr Malins’ report (independent investigator Julian Malins), the siege of media coverage has driven away virtually all of the company’s customers and suppliers.” continued the announcement issued today by the data analytics company.

“As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the company into administration.”

While Cambridge Analytica declared it would help the UK authorities investigate the Facebook scandal, last month Information Commissioner Elizabeth Denham stated that the company had failed to meet a deadline to produce the information requested by the authorities.

According to the official statement published by Cambridge Analytica on its website, its parent company SCL Elections was also commencing bankruptcy proceedings.

Journalists and experts are skeptical about the decision of the companies to shut down.

Carole Cadwalladr
“Remember. SCL & Cambridge Analytica are disinformation specialists. What exactly are they shutting down & why? https://twitter.com/damiancollins/status/991757217895534597 …”
9:31 PM - May 2, 2018
“The chair of a UK parliament committee investigating the firm’s activities also raised concerns about Cambridge Analytica and SCL Elections’ move.” reported the BBC.

Damian Collins
“Cambridge Analytica and SCL group cannot be allowed to delete their data history by closing. The investigations into their work are vital”
9:12 PM - May 2, 2018
“They are party to very serious investigations and those investigations cannot be impeded by the closure of these companies,” said Damian Collins MP.

“I think it’s absolutely vital that the closure of these companies is not used as an excuse to try and limit or restrict the ability of the authorities to investigate what they were doing.”

Is this the end of the story?

No, of course not; let me close with this statement published by The Guardian about the future projects of Alexander Nix and his collaborators.

“Although Cambridge Analytica might be dead, the team behind it has already set up a mysterious new company called Emerdata. According to Companies House data, Alexander Nix is listed as a director along with other executives from SCL Group. The daughters of the billionaire Robert Mercer are also listed as directors.” reads The Guardian.

WhatsApp co-founder Jan Koum to leave Facebook amid privacy concerns
1.5.2018 securityaffairs

Jan Koum, one of the WhatsApp founders, reportedly plans to leave the company in the wake of increasing concerns about Facebook’s approach to users’ privacy.
Jan Koum, the co-founder of WhatsApp, reportedly plans to leave the company in the wake of increasing concerns about Facebook’s privacy policy.

“It is time for me to move on . . . I’m taking some time off to do things I enjoy outside of technology, such as collecting rare air-cooled Porsches, working on my cars and playing ultimate frisbee,” WhatsApp co-founder, CEO and Facebook board member Jan Koum wrote in a Facebook post.

Koum, who sold WhatsApp to Facebook for more than $19 billion in 2014, plans to leave Facebook’s board of directors too.

Koum did not provide further details on his decision or a timeline for his departure.


According to The Washington Post, this is one of the effects of the Cambridge Analytica case; clearly Koum disagrees with the way Facebook has managed users’ data.

“The billionaire chief executive of WhatsApp, Jan Koum, is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service’s strategy and Facebook’s attempts to use its personal data and weaken its encryption, according to people familiar with internal discussions.” reported The Washington Post.

“The independence and protection of its users’ data is a core tenet of WhatsApp that Koum and his co-founder, Brian Acton, promised to preserve when they sold their tiny start-up to Facebook. It doubled down on its pledge by adding encryption in 2016. The clash over data took on additional significance in the wake of revelations in March that Facebook had allowed third parties to mishandle its users’ personal information.”

Facebook CEO Mark Zuckerberg replied to Koum’s decision by crediting him with teaching him “about encryption and its ability to take power from centralized systems and put it back in people’s hands. Those values will always be at the heart of WhatsApp.”

According to The Washington Post, Koum was also disappointed by Facebook executives’ approach to the end-to-end encryption introduced in 2016, and by the possibility of weakening it to facilitate law enforcement agencies’ investigations and business use of the messaging app through the WhatsApp For Business program.

According to The Washington Post, other WhatsApp employees are not happy with the situation at the company and plan to leave in November, four years and a month after the Facebook acquisition, when they are allowed to exercise all their stock options under the terms of the Facebook deal.

Oops … Why is Facebook interested in my culinary tastes on the Faasos portal?
29.4.2018 securityaffairs

During checkout from Faasos, I observed that there are several requests going to Facebook, which carry your Faasos details without the user’s consent.
I reported the issue to Facebook that closed my report saying:

“Unfortunately what you have described is not currently covered by this program, We will follow up with you regarding any questions we may have.” (Data Abuse BBP).

So, let’s start from the beginning of the story. You will be aware of the “Cambridge Analytica” case; after its public disclosure, Facebook launched the “Data Abuse Bounty Program” on 9th April 2018.

Well, we are all aware that we have been tracked for years! Whatever we search for on the Internet, no matter what it is, within hours or a day it will show up in your suggestions or on an advertisement banner.

This is the most recent example: Google is always listening: Live Test

I really love eating veg wraps from Faasos, and it was a normal day when I did a checkout and ordered a few of them; however, I have a very bad habit of capturing packets.

What I observed was that there were a few `GET` & `POST` requests to Facebook as well during the Faasos checkout; at that time I didn’t pay much attention to it. On the same day, I created a test account on Faasos to dig more, clicked on some random wraps, went till checkout and, guess what, I was still able to see those Facebook requests.

I cleared all my history, cookies etc. for the entire day and thought of doing it again. All the requests, from logging in to Faasos to browsing your items in it, go only to `*faasos.io` based assets, but as soon as you press checkout a `GET` request goes to Facebook which carries my juicy Faasos information, including my ordering details. (Strange.) Apart from that, I started getting suggestions on my Facebook wall regarding Faasos.


Okay, then I thought of reporting it to Facebook under the Data Abuse Bounty Program and we had a long discussion about this; they (the Facebook Security Team) also told me to connect with the Faasos security team, and I did the same.

However, the Faasos security team is not very active; they finally replied to me after 4-5 days, saying:

“Hey Dhiraj, This tool helps us understand the customer better and show them more appropriate adverts.”

I asked them specifically about the tool, where it has been deployed and what all it collects – no reply yet. That’s bad; I “personally” feel Faasos is being a data-broker over here.

While collecting such info, Faasos doesn’t even take the user’s consent. I have seen many applications which take users’ consent for such things.

Source https://konqueror.org/features/browser.php

And they also offer you the option to opt out of being tracked. Pheewww! Now I understand how all these things work!
I would suggest you all watch this:

That gives a lot more understanding of my bug as well; specifically, look at the above video from 3:47:25 to 3:51:40.

On the safer side, I would suggest you enable “Do Not Track Me” in your browser.
Video PoC of my bug: Facebook Tracking PoC via Faasos. I hope you liked the read. Tweet me your views @mishradhiraj_

Facebook Plans to Build Its Own Chips For Hardware Devices
25.4.2018 thehackernews 

A new job opening posted on Facebook suggests that the social network is forming a team to build its own hardware chips, joining other tech titans like Google, Apple, and Amazon in becoming more self-reliant.

According to the post, Facebook is looking for an expert in ASIC and FPGA, two custom silicon designs, to help it evaluate, develop and drive next-generation technologies within Facebook, particularly in artificial intelligence and machine learning.

The social media company is seeking to hire an expert who can "an end-to-end SoC/ASIC, firmware and driver development organization, including all aspects of front-end and back-end standard cell ASIC development," reads the job listing on Facebook's corporate website.

A SoC (system-on-a-chip) is a processor, typically used in mobile devices, that integrates all the components required to power a device, while an ASIC (application-specific integrated circuit) is a customized piece of silicon designed for a narrow purpose that companies can gear toward something specific, like mining cryptocurrency.

An FPGA (field-programmable gate array) is an adaptable chip with a more flexible and modular design that can be reconfigured to speed up specific jobs by running a particular piece of software.

As first reported by Bloomberg, building its own processors would help the social media giant reduce its dependency on companies such as Qualcomm and Intel, which hold the lion's share of the processor market.

Apple, which already makes its own A-series custom chips for iPhones, iPads and other iThings, reportedly plans to use its custom-designed ARM chips in Mac computers starting as early as 2020, replacing the Intel processors in its desktop and laptop hardware.

Google has also developed its own artificial intelligence chip, and Amazon is reportedly designing custom hardware to improve Alexa-equipped devices.

The plan to invest in building its own processors could help Facebook power its artificial intelligence software, the servers in its data centers, and its future hardware devices, like Oculus virtual reality headsets and smart speakers (similar to Amazon Echo and Google Home).

Using its own custom chips would also give the social media company more control over its hardware roadmap and eventual feature set, allowing it to offer better performance to its users.

Facebook has not commented on the news yet, so at this time it is hard to say where the company will deploy its in-house chips.

Twitter Bans Ads From Kaspersky Lab
23.4.2018 securityweek

Twitter Cites DHS Order in Kaspersky Ads Ban

Twitter no longer allows Russia-based cybersecurity firm Kaspersky Lab to advertise on the platform and the reason appears to be related to the company’s alleged ties to Russian intelligence.

Kaspersky Lab CEO Eugene Kaspersky revealed on Friday that Twitter informed his company of the “policy decision” in late January, claiming that “Kaspersky Lab operates using a business model that inherently conflicts with acceptable Twitter ads business practices.” The security firm was told that it could remain an organic user on the platform.

“One thing I can say for sure is this: we haven’t violated any written – or unwritten – rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and services, and they pay us for them. What specific (or even non-specific) rules, standards and/or business practices we violated are not stated in the letter,” Eugene Kaspersky wrote in an open letter to Twitter management.

While Twitter’s statement to the press did not provide any additional information, the social media giant did cite a controversial DHS Binding Operational Directive (BOD) that bans Kaspersky products in federal agencies due to concerns that the company may be aiding Russia’s espionage efforts. The BOD, issued in September 2017, was reinforced in mid-December when President Donald Trump signed the National Defense Authorization Act for FY2018.

In his letter to Twitter, Kaspersky calls for more transparency, and points out that the goal of making everything public is to set a precedent as other platforms may also decide to target his company. Kaspersky says the decision is also a matter of principle and the firm is prepared to fight what he has described as “unjustifiable acts akin to censorship.”

“Twitter, if this is a matter of a decision being made in error, please openly admit this; people’d forgive you – everyone makes mistakes! I think that would be the only civilized way to quash any doubts about potential political censorship on Twitter,” Kaspersky said.

Kaspersky said it had spent less than $100,000 for advertising on Twitter last year, but the company will no longer do so even if Twitter reverts its decision. The security firm will donate its planned Twitter advertising budget for 2018 to the EFF.

Kaspersky Lab has been accused of assisting Moscow’s cyber espionage efforts and, despite no evidence being made public, the U.S. and Lithuanian governments have banned the company’s products and the U.K. advised against their use. Even commercial companies in the United States have decided to stop selling antivirus software from the firm as a result of several media reports describing alleged ties between Kaspersky and Russian intelligence.

In response, Kaspersky has launched a transparency initiative that involves significant bug bounties and giving access to its source code, and it has even taken legal action against the United States government over the decision to ban its products.

Surge in Anonymous Asia Twitter Accounts Sparks Bot Fears
22.4.2018 securityweek

Hong Kong - It has been jokingly referred to as "Botmageddon". But a surge in new, anonymous Twitter accounts across swathes of Southeast and East Asia has deepened fears the region is in the throes of US-style mass social media manipulation.

Maya Gilliss-Chapman, a Cambodian tech entrepreneur currently working in Silicon Valley, noticed something odd was happening in early April.

Her Twitter account @MayaGC was being swamped by a daily deluge of follows from new users.

"I acquired well over 1,000 new followers since the beginning of March. So, that's approximately a 227 percent increase in just a month," she told AFP.

While many might delight in such a popularity spike, Gilliss-Chapman, who has previously worked for tech companies to root out spam, was immediately suspicious.

The vast majority of these new accounts contained no identifying photograph and had barely tweeted since their creation.

But they all seemed to be following prominent Twitter users in Cambodia including journalists, business figures, academics and celebrities.

She did some digging and published her findings online, detailing how the vast majority of accounts were recently created in batches by unknown operators who worked hard to hide their real identities.

She wasn't alone.

Soon prominent Twitter users in Thailand, Vietnam, Myanmar, Taiwan, Hong Kong and Sri Lanka noticed the same phenomenon -- a surge in follows from anonymous, recently created accounts, adopting local sounding names but barely engaging on the platform, as if lying in wait for someone's command.
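The hallmarks listed above (no profile photo, almost no tweets since creation, accounts registered in batches, following many prominent users) are exactly the signals a platform or a researcher can score to triage a follower surge. The following is an added example, not Twitter's or the researchers' code; the account records are constructed to resemble those hallmarks, and the field names, thresholds and clustering window are assumptions.

```python
"""Heuristic triage of a follower surge for batch-created, dormant accounts.

Added example, not Twitter's or the researchers' code. The account records
are constructed to resemble the hallmarks the article lists; field names,
thresholds and the clustering window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Account:
    handle: str
    created: datetime
    has_photo: bool
    tweets: int
    following: int


def account_flags(acct: Account, now: datetime) -> List[str]:
    """Per-account hallmarks; each one alone is weak, together they add up."""
    flags = []
    if not acct.has_photo:
        flags.append("no_photo")
    if acct.tweets <= 2:
        flags.append("near_silent")
    if now - acct.created <= timedelta(days=90) and acct.following >= 50:
        flags.append("new_but_follows_many")
    return flags


def batch_clusters(accounts: List[Account],
                   window: timedelta = timedelta(minutes=15),
                   min_size: int = 3) -> List[List[str]]:
    """Group accounts whose creation times fall within `window` of a cluster start.

    Organic sign-ups spread out over time; batch registration by one operator
    shows up as tight clusters. Returns the handles of clusters of >= min_size.
    """
    ordered = sorted(accounts, key=lambda a: a.created)
    clusters: List[List[Account]] = []
    current: List[Account] = []
    for acct in ordered:
        if current and acct.created - current[0].created > window:
            clusters.append(current)
            current = []
        current.append(acct)
    if current:
        clusters.append(current)
    return [[a.handle for a in c] for c in clusters if len(c) >= min_size]


def triage(accounts: List[Account], now: datetime) -> Dict[str, Dict[str, object]]:
    """Score every account; the 'batch_created' flag comes from the clustering pass."""
    batched = {h for cluster in batch_clusters(accounts) for h in cluster}
    report: Dict[str, Dict[str, object]] = {}
    for acct in accounts:
        flags = account_flags(acct, now)
        if acct.handle in batched:
            flags.append("batch_created")
        report[acct.handle] = {"flags": flags, "score": len(flags),
                               "suspicious": len(flags) >= 3}
    return report


def constructed_followers() -> List[Account]:
    """Constructed sample: five accounts registered 90 s apart plus two organic ones."""
    base = datetime(2018, 4, 2, 3, 0)
    batch = [Account(f"user{i:05d}", base + timedelta(seconds=90 * i), False, 0, 120)
             for i in range(5)]
    organic = [
        Account("veteran_journo", datetime(2012, 6, 1, 10, 0), True, 5400, 800),
        Account("newbie_k", datetime(2018, 4, 10, 18, 30), True, 1, 8),
    ]
    return batch + organic


def triage_sample() -> Dict[str, Dict[str, object]]:
    """Run the triage over the constructed sample with a fixed reference date."""
    return triage(constructed_followers(), datetime(2018, 4, 20))


if __name__ == "__main__":
    for handle, row in triage_sample().items():
        print(handle, row)
```

The clustering pass is what separates a genuinely new user (the constructed `newbie_k` trips only the near-silent flag) from a batch: a single dormant account is unremarkable, but five created ninety seconds apart with identical traits is the pattern the article's researchers reported. Scores like these are a starting point for review, not a verdict on an account.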

'Organic users'?

While Facebook has received the lion's share of international opprobrium in recent months over allegations it has been slow to respond to people and state actors manipulating its platform, Twitter has also faced accusations it has not done enough to rid the platform of fake users.

Most bots are used for commercial spam. But they have been deployed politically in Asia before. During the 2016 Philippines presidential election, there was a surge of organised bots and trolls deployed to support the man who eventually won that contest, the firebrand populist Rodrigo Duterte.

And after Myanmar's military last year launched a crackdown against the country's Rohingya Muslim minority, there was a wave of accounts that cropped up supportive of the government on Twitter, a platform that until then had very few Burmese users.

With elections due in Cambodia, Malaysia, Thailand and Indonesia in the next two years, many hit by the Twitter follow surge in Asia are asking whether the Silicon Valley tech giants are doing enough to stop fake accounts before they are given their marching orders.

So far Twitter has found nothing untoward.

A spokesperson for the company said engineers were "looking into the accounts in question and will take action against any account found to be in violation of the Twitter Rules".

A source with knowledge of the probe said they believe the accounts are "new, organic users" who were likely being suggested prominent Twitter users across Asia to follow when they sign up. "It's something we're keeping an eye on, but for now, it looks like a pretty standard sign-up/onboarding issue," the source told AFP.

But many experts have been left unconvinced by such explanations.

"Are there really this many new, genuine users joining Twitter, all with the same crude hallmarks of fake accounts?" Raymond Serrato, an expert at Democracy Reporting International who has been monitoring the suspicious accounts, told AFP.

'Like a cancer'

The issue of fake users is hugely sensitive for Twitter because a crackdown could severely dent its roughly 330 million audience -- the company's main selling point.

In a 2014 report to the US Securities and Exchange Commission, Twitter estimated some 5-8.5 percent of users were bots.

But Emilio Ferrara, a research professor at the University of Southern California, published research last year suggesting it could be double that: 9-15 percent.

Last week Pew Research Center released a report analysing 1.2 million English language tweets which contained links to popular websites. Two-thirds of the tweets came from suspected bot accounts.

Twitter Audit Report, a third-party company that scans people's followers using software to estimate how many are fake, suggests as many as 16 million of Donald Trump's 51 million followers are not real people.

Jennifer Grygiel, an expert on social media at Syracuse University, New York, said the US presidential election has provided a blueprint for others to copy.

"Bad actors around the world have really followed the potential of social media to influence the political process," she told AFP.

Twitter, she said, is a minnow compared to Facebook's more than two billion users. But it can still be influential because many prominent opinion formers such as journalists, politicians and academics have a major presence on the platform.

"If you can get information within this population, then you've scored," she said.

Serrato, from Democracy Reporting International, said the fake accounts could still pose a threat even if they are currently inactive.

"The accounts can be used at a later date to amplify certain tweets, hijack hashtags, or harass people," he said.

Grygiel used a more blunt metaphor.

"The risk is the accounts are sitting there like a cancer," she said.

Twitter bans Kaspersky from advertising its products through its platform
22.4.2018 securityaffairs

Twitter bans Kaspersky Lab from advertising its solutions on the platform, citing the DHS ban over the company's alleged ties with Russian intelligence.
Twitter has banned Kaspersky Lab from advertising on its platform, citing the DHS ban over the firm's alleged ties with Russian intelligence agencies.

“At the end of January of this year, Twitter unexpectedly informed us about an advertising ban on our official accounts where we announce new posts on our various blogs on cybersecurity (including, for example, Securelist and Kaspersky Daily) and inform users about new cyberthreats and what to do about them.” reads an open letter sent to the management of Twitter by Kaspersky. “In a short letter from an unnamed Twitter employee, we were told that our company “operates using a business model that inherently conflicts with acceptable Twitter Ads business practices.”

According to Twitter, this is a policy decision; the social network nonetheless allows Kaspersky Lab to remain an organic user on the platform in accordance with its Rules.

In September, the US Department of Homeland Security banned government agencies from using software products developed by Kaspersky Lab. The ban was a response to concerns about possible ties between Kaspersky and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

In July, the US General Services Administration announced that the security firm Kaspersky Lab had been removed from its lists of approved vendors.

The US government banned Kaspersky solutions amid concerns over Russian state-sponsored hacking.

In September, US Homeland Security issued a Binding Operational Directive ordering agencies to remove products developed by Kaspersky Lab within 90 days.

Twitter's decision is directly linked to the ban; it is the first social media platform to take this line against the security giant.

In October, both Best Buy and Office Depot decided to stop the sale of Kaspersky products due to the US ban.

In response to the ban, Kaspersky has repeatedly denied the accusations and announced the launch of a Global Transparency Initiative that involves giving partners access to the source code of its solutions.

Eugene Kaspersky expressed his disappointment with the decision in the open letter.

“Huh? I read this formulation again and again but still couldn’t for the life of me understand how it might relate to us. One thing I can say for sure is this: we haven’t violated any written – or unwritten – rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and services, and they pay us for them.” continues the letter. “What specific (or even non-specific) rules, standards and/or business practices we violated are not stated in the letter. In my view, the ban itself contradicts Twitter’s declared-as-adopted principle of freedom of expression. I’ll return to that point in a minute, but first let’s look at the others:”

Returning to the Twitter ban, Kaspersky announced that it will donate this year's Twitter advertising budget to the Electronic Frontier Foundation.

“By the way, if you think we’re doing this simply to get our advertising back – you’re wrong. There are many other ways to get information to interested parties. Which got me thinking…” concluded the letter.

“No matter how this situation develops, we won’t be doing any more advertising on Twitter this year. The whole of the planned Twitter advertising budget for 2018 will instead be donated to the Electronic Frontier Foundation (EFF). They do a lot to fight censorship online.”

Tens of thousands per Gram
21.4.2018 Kaspersky

Looking at Instagram one morning, I spotted several posts from some fairly well-known people (in certain circles) who had invested in an ICO held by Telegram. Interesting, I thought to myself. I fancy a piece of that. Only I was pretty sure that if Telegram was indeed holding an ICO, it would be a private affair — off limits to cash-strapped social media-based “investors.” That’s when I decided to do some digging.

Let’s start with a brief history lesson. In late 2017, information appeared on specialized resources about a Telegram ICO to finance the launch of its own blockchain platform based on TON (Telegram Open Network) technology. Despite the fact that Pavel Durov did not confirm the ICO rumors, and no information was posted on the company’s official website (and still hasn’t been), the mooted project attracted a huge number of potential investors. According to various (dubious) sources, participation in the ICO is by invitation only, and the first closed round, the so-called presale, has already taken place. Technical documentation and a white paper also appeared online, but their authenticity is not confirmed.

Perhaps the masterminds behind the project deliberately clothed it in mystery to spark interest. In any case, the lack of information bred speculation and provided fertile ground for scammers: the rumors prompted mailshots seemingly from official representatives of the platform, inviting people to take part in the ICO and purchase tokens. And there was a mushrooming of sites supposedly selling Grams (the name of the cryptocurrency that Telegram presumably intends to launch).

When creating fake sites, cybercriminals try to keep to the style of technical documentation and white papers

Meanwhile, Pavel Durov tweeted that all TON-related news would be posted only on the official website, and asked for any “Gram” sales to be reported:

Pavel Durov: If you see or receive offers to "buy Grams", let us know at http://t.me/notoscam

16:46 - 21 Jan 2018 · London, England

Reports about scammers trying to sell "Grams" are welcome here.

Despite the announcement, fake sites continued scooping cash from unwitting victims. But to give credit where it’s due, their creators did a superb job. Unlike some phishing fakes, these sites really do lure people in. Not only that, most use a secure connection, require registration, and generate a unique online wallet for each new victim, making it hard to track the movement of money.

Grams can be purchased in a selection of cryptocurrencies

The price of the new cryptocurrency varies greatly from one fake site to the next. And although most of them create unique wallets for victims, I managed to find several that use static wallets. From the transaction history of one of them, we see that the cybercriminals withdrew 85 ETH:

Withdrawal of funds harvested in Ethereum

At the time of writing this article, the Ethereum exchange rate was about $422. This resource alone seems to have collected more than $35,000 (2 million rubles), and there are dozens like it. Judging by their content, it’s possible they have common ownership. For example, several have one and the same Our Team section.

Suspiciously similar Our Team sections

While the presence of the Durov brothers doesn’t raise any question marks, Lucas Pernas-Valles seems to exist only on dozens of other fake sites. He may indeed be a member of Telegram’s new project team, but a brief online check reveals that the person in the photo is not called Lucas Pernas-Valles, although he does have cryptocurrency links.

It should be noted that this ICO project is one of relatively few to have attracted mass attention. And where there’s mass attention, there’s fraud. The lack of reliable information from official sources only serves to aggravate the situation.

You probably don't know that Facebook also tracks non-users across the web
18.4.2018 securityaffairs

Facebook explained how it is tracking Non-Users across the Internet and for which purposes it is using their metadata.
Facebook is still at the center of a storm over its conduct and its handling of user privacy after the Cambridge Analytica case.

Now, with Facebook under scrutiny after Zuckerberg testified before the US Congress, the social network giant has disclosed more information about data collection that reaches non-Facebook users.

Yes, it is true: Facebook can track you even if you do not use it, as long as you visit a website or use an application that relies on the tech giant's services.

The services include Social plugins (i.e. Like and Share buttons), Facebook Login, Facebook Analytics, and ads and measurement tools.

“When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook.” explained product management director David Baser.

“Many companies offer these types of services and, like Facebook, they also get information from the apps and sites that use them. Twitter, Pinterest and LinkedIn all have similar Like and Share buttons to help people share things on their services. Google has a popular analytics service. And Amazon, Google and Twitter all offer login features.”

As you can imagine, all these companies also offer targeted advertising services by leveraging the information gathered through their services.

Every time a user visits a website, the browser sends the site the user's IP address along with information about the machine (browser, operating system) and cookies. Facebook also records which website or app the user accessed.

According to Baser, the social network uses the information received from websites and apps to deliver its services, to target advertising, and to improve safety and security on Facebook.

Data collected by the company also allows it to measure the success of its advertising campaigns.

Facebook also uses this information to prevent abuses and identify threat actors targeting its users.

“We also use the information we receive from websites and apps to help protect the security of Facebook. For example, receiving data about the sites a particular browser has visited can help us identify bad actors.” added Baser.

“If someone tries to log into your account using an IP address from a different country, we might ask some questions to verify it’s you. Or if a browser has visited hundreds of sites in the last five minutes, that’s a sign the device might be a bot.”

Websites and apps that use the social network's services must inform users that they collect and share this information with the social network, obtain explicit consent, and explain the purpose for which the data is collected.

Facebook Admits to Tracking Non-Users Across the Internet
18.4.2018 securityweek 

Facebook this week confirmed that it indeed knows when users access websites and apps that use Facebook services, even if they don’t have an account on the social network.

The social media platform has been under heavy scrutiny over user privacy for the past month, after it became public knowledge that at least one firm gathered information on millions of Facebook users without their knowledge or consent.

Over the past weeks, Facebook took various steps towards improving users’ privacy, by limiting apps’ access to user data, introducing bug bounties for data abuse, and updating its terms on privacy and data sharing.

After Facebook CEO Mark Zuckerberg testified in front of the United States Congress last week, the company on Monday shared more information on data collection practices that impact non-Facebook users.

Indeed, the social platform can track people who don't use it, as long as they access websites and applications that do use Facebook services. In other words, when anyone browses to a page that uses such a service, Facebook knows about it, product management director David Baser explains.

These Facebook services include social plugins such as the Like and Share buttons, Facebook Login (allows users to sign into websites and apps with their Facebook account), Facebook Analytics (offers usage data to websites and apps), and Facebook ads and measurement tools (websites and apps can show ads from Facebook advertisers and can run their own ads on Facebook or elsewhere).

“When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook,” Baser says.

He also points out that other companies offer similar services too, including Twitter, Pinterest, LinkedIn, Google, and Amazon.

“In fact, most websites and apps send the same information to multiple companies each time you visit them,” he notes.

The data sent to Facebook is supposedly meant to make content and ads better. Some of the information a browser sends to the visited website includes user’s IP address, browser and operating system information, and cookies, and Facebook receives the same information. Additionally, the social platform knows which website or app the user accessed.

The information received from websites and apps, Facebook says, is used to provide services to those apps and sites, to improve safety and security on Facebook, and to improve the social platform’s products and services.

According to Baser, Facebook uses data such as the IP address, browser/operating system, and visited website or app to make features such as the Like button or Facebook Login work. Other information allows the platform to better understand how websites, apps, and services are used, and to determine what kind of ads to show to a person. Such data also tells advertisers how many people are responding to their ads.

The information, Baser adds, is also used for security purposes, to better protect users by identifying bad actors and determining whether an account has been compromised. This, of course, only applies to users who already have a Facebook account.

“If someone tries to log into your account using an IP address from a different country, we might ask some questions to verify it’s you. Or if a browser has visited hundreds of sites in the last five minutes, that’s a sign the device might be a bot. We’ll ask them to prove they’re a real person by completing additional security checks,” Baser notes.
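The two security signals Baser describes here, and in the securityaffairs piece above (a login from an IP address in a different country, and a browser visiting hundreds of sites within five minutes), are easy to express as detection logic. The following Python is an added example written for this page; it is not Facebook's code. It assumes a stream of page-view events keyed by a browser identifier, a list of login attempts with the country of the source IP, a per-account baseline country, and a threshold of 100 distinct sites per five-minute window; all of the event data is constructed inline.

```python
"""Illustrative versions of two abuse signals described by David Baser:
a browser that visits hundreds of sites within five minutes, and a login
from an IP address in a country the account does not usually use.
Added example, not Facebook's code; events and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # "in the last five minutes"
SITE_THRESHOLD = 100            # "hundreds of sites"; illustrative cut-off


def flag_high_velocity_browsers(events, threshold=SITE_THRESHOLD, window=WINDOW):
    """events: iterable of (timestamp, browser_id, site) page views, any order.

    Returns the set of browser ids that reached `threshold` distinct sites
    inside any sliding window of length `window`. Distinct sites are counted,
    so reloading a single page many times does not trigger the signal."""
    by_browser = defaultdict(list)
    for ts, browser, site in events:
        by_browser[browser].append((ts, site))

    flagged = set()
    for browser, views in by_browser.items():
        views.sort()                      # chronological order per browser
        in_window = deque()               # (ts, site) views not older than `window`
        site_counts = defaultdict(int)    # site -> views of it inside the window
        for ts, site in views:
            in_window.append((ts, site))
            site_counts[site] += 1
            # Drop views that fell out of the window; forget sites no longer seen
            while ts - in_window[0][0] > window:
                _old_ts, old_site = in_window.popleft()
                site_counts[old_site] -= 1
                if site_counts[old_site] == 0:
                    del site_counts[old_site]
            if len(site_counts) >= threshold:
                flagged.add(browser)
                break
    return flagged


def flag_foreign_logins(logins, usual_country):
    """logins: iterable of (account, country_of_login_ip).
    usual_country: account -> country derived from past successful logins.

    Returns the (account, country) pairs that deserve an extra verification
    step. Accounts without a baseline are not flagged: nothing to compare."""
    return [(account, country) for account, country in logins
            if account in usual_country and usual_country[account] != country]


# ---- constructed sample data (not real traffic) ----
T0 = datetime(2018, 4, 16, 12, 0, 0)


def _spread_views(browser, n_sites, span):
    """n_sites distinct sites visited at even intervals across `span`."""
    step = span / n_sites
    return [(T0 + step * i, browser, f"site{i}.example") for i in range(n_sites)]


PAGE_VIEWS = (
    _spread_views("bot-browser", 120, timedelta(minutes=3))    # 120 sites in 3 minutes
    + _spread_views("slow-browser", 150, timedelta(hours=2))   # many sites, but over 2 hours
    + _spread_views("human-browser", 8, timedelta(minutes=30))
)

USUAL_COUNTRY = {"alice": "US", "bob": "DE"}   # constructed baselines
LOGINS = [("alice", "US"), ("alice", "BR"), ("bob", "DE"), ("carol", "FR")]

if __name__ == "__main__":
    print("high-velocity browsers:", flag_high_velocity_browsers(PAGE_VIEWS))
    print("logins to challenge:", flag_foreign_logins(LOGINS, USUAL_COUNTRY))
```

The sliding window matters: "slow-browser" visits more sites in total than the bot, but spread over two hours it never exceeds a handful per five-minute window, so only "bot-browser" is flagged. The login check deliberately skips accounts with no baseline, which is why "carol" is not challenged even though her login country is unknown to the system.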

Based on the received information, Facebook can also deliver better targeted ads, depending on the websites a user has visited.

Baser underlines that websites and apps that use Facebook services are required to inform users that they are collecting and sharing said information with the platform, and to request permission to do so. He also notes that users have control over “how the data is used to provide more relevant content and ads,” and that users can completely opt out of being targeted with said ads.

Key Points From Facebook-Zuckerberg Hearings
13.4.2018 securityweek

Facebook chief Mark Zuckerberg testified for nearly 10 hours over two days on Facebook's privacy and data protection issues before committees of the Senate and House on Tuesday and Wednesday. Here are key points:

Protecting the platform

"It's clear now we didn't do enough," Zuckerberg said on the protection of private user data and to prevent the hijacking of data on millions by Cambridge Analytica.

Zuckerberg said Facebook was built as "an idealistic and optimistic company" to help people connect but failed "to prevent these tools from being used for harm... that goes for fake news, for foreign interference in elections, and hate speech, as well as developers and data privacy."

He said that by the end of the year Facebook would have 20,000 people working on security and content review and would also step up use of artificial intelligence to weed out fake accounts and inappropriate content.


Zuckerberg said regulation of social media companies is inevitable, but warned that rules could also hamper the industry's growth.

"The internet is growing in importance around the world in people's lives, and I think that it is inevitable that there will need to be some regulation," he told lawmakers.

"But I think you have to be careful about putting regulation in place. A lot of times regulations put in place rules that a company that is larger, that has resources like ours, can easily comply with, but that might be more difficult for a smaller startup company."

Zuckerberg said the EU's General Data Protection Regulation (GDPR) to come into effect on May 25 was more stringent than what was currently in place at Facebook and suggested it could serve as a rough model for US rules in the future.

Facebook is implementing the GDPR standards for European users next month, and some of its rules will be extended to US and other users later, he confirmed.

"The GDPR requires us to do a few more things and we are going to extend that to the world," he said.

Facebook model

Zuckerberg maintained that Facebook users deserve protection of private data but appeared to argue that its controls make it possible to determine how information is shared.

He claimed that "there's a very common misperception... that we sell data to advertisers," adding that "we do not sell data to advertisers. We don't sell data to anyone."

But he maintained that advertising enables Facebook to offer a free service and that targeted ads based on user categories were more acceptable to users, even if they could opt out.

Zuckerberg also said the company believed in an ad-supported business model, but appeared to leave open the possibility of a paid version.

"There will always be a version of Facebook that is free," Zuckerberg told the hearing.

Russian manipulation

The 33-year-old CEO said Facebook was in a constant struggle to guard against Russian manipulation of the Facebook platform to influence elections in the US and elsewhere.

"There are people in Russia whose job it is to try to exploit our systems and other internet systems and other systems as well," he said.

"So this is an arms race. They're going to keep getting better and we need to invest in getting better at this too."

Zuckerberg has previously acknowledged the social network failed to do enough to prevent the spread of disinformation during the last US presidential race.

"One of my greatest regrets in running the company is that we were slow in identifying the Russian information operations in 2016," he said.

"We expected them to do a number of more traditional cyber attacks, which we did identify and notify the campaigns that they were trying to hack into them. But we were slow at identifying the type of -- of new information operations."

He added that Facebook is cooperating with the special counsel investigation into Russian interference in the 2016 election.

"Our work with the special counsel is confidential. I want to make sure in an open session I don't reveal something that's confidential," he said.

Facebook to Offer 'Bounty' for Reporting Data Abuse
11.4.2018 securityweek 

Facebook said Tuesday it would begin offering rewards to people who report misuse of private information from the social network, as part of an effort to step up data protection in the wake of a firestorm.

The new program "will reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people's data to another party to be sold, stolen or used for scams or political influence," product security chief Collin Greene said in a statement.

Greene said the new offer was inspired by the "bug bounty" offered by Facebook and other online services to reward people who find security flaws.

The reward will be "based on the impact of each report," Greene said, with a minimum of $500 for verified cases of abuse affecting 10,000 people or more.

"While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention," he added.

The announcement comes with Facebook chief Mark Zuckerberg set to begin testimony at congressional hearings Tuesday and Wednesday on abuse of private data collected by the social network.

Facebook is under fire in the United States and around the world following disclosures of private data hijacked by the consultancy Cambridge Analytica, which was working for Donald Trump's 2016 campaign.

"We'll review all legitimate reports and respond as quickly as possible when we identify a credible threat to people's information," Greene said of the new program.

"If we confirm data abuse, we will shut down the offending app and take legal action against the company selling or buying the data, if necessary. We'll pay the person who reported the issue, and we'll also alert those we believe to be affected."

What Social Media Platforms And Search Engines Know About You
11.4.2018 securityweek 

The Facebook scandal involving the harvesting of data from tens of millions of users has raised a lot of questions about social media and search engines.

As Facebook founder and CEO Mark Zuckerberg testifies before the US Congress this week on protecting user data, here is a primer on what they know about you:

Social media

Facebook, which has more than two billion users, has access to everything you do on the site: the photos and videos you post, your comments, your 'likes,' anything you share or consult, the identity of your friends and any other users you interact with, your location and other information.

Ditto for Instagram and WhatsApp, which are owned by Facebook, and for Snapchat and Twitter. A user can control some sharing of their Facebook data with privacy settings and the ad preferences page.

● What it sells: Facebook insists it does not sell advertisers personally identifiable information or even aggregate data. What it provides an advertiser with is the ability to reach a specific demographic, which enhances the effectiveness of an ad campaign. Twitter, for its part, provides access to an internal search engine that sweeps up all messages on the site.

● What it shares: Most social media platforms are open to outside developers who create apps fed in varying degrees by using data from users of these networks. In the case of Facebook, the public profile -- the whole page for some people, or just the first and last name and photo for others -- does not require authorization from the user, but accessing the rest may require a separate OK from the user.

Once data is mined by outside apps, it is no longer in the grasp of Facebook and trying to get hold of it again is difficult.

"Once people had access to that data, Facebook has no way of knowing for sure what they did with that data," said Ryan Matzner, co-founder of mobile app designer Fueled. "It's like sending an email to somebody and then saying: 'What did they do with that email?' You don't know."

Only bank and payment details held by Facebook are off-limits.

Search engines

● What they collect: Google, Yahoo and Bing gather all information involving searches including the websites that are accessed and the location of the user. This can be integrated with information from other services owned by the internet giants.

"You don't have to tell Google your age and your gender and all those things. They can determine all of that based on so many other factors," said Chirag Shah, a computer science professor at Rutgers University.

● What they sell: like social networks, their revenue comes largely from advertising. They do not sell data, but rather access to a consumer with very specific characteristics.

This comes from compiling search engine data but also, in the case of Google, from searches and content viewed on its YouTube platform. Google used to also mine the content of Gmail before ending this practice in June.

● What they share: Like social media networks, search engines share data with developers and third-party app makers.

Are there limits?

In the United States there are practically no laws against the use of data from social media or search engines.

But the Federal Trade Commission did sanction Facebook in 2011 for its handling of personal data.

In Canada and Europe, there are some limits on the use of data, mainly involving health.

Facebook was fined 110 million euros ($135.7 million) by the European Commission last year for sharing personal data with WhatsApp.

In an attempt to harmonize data privacy laws, the EU's General Data Protection Regulation is to go into force on May 25.

Zuckerberg to Face Angry Lawmakers as Facebook Firestorm Rages
9.4.2018 securityweek

Mark Zuckerberg will appear before US lawmakers this week as a firestorm rocks Facebook over its data privacy scandal, with pressure mounting for new regulations on social media platforms.

The 33-year-old chief executive is expected to face a grilling before a Senate panel Tuesday, and follow up with an appearance in the House of Representatives the following day.

It comes amid a raft of inquiries on both sides of the Atlantic following disclosures that data on 87 million users was hijacked and improperly shared with Cambridge Analytica, a British political consultancy working for Donald Trump's presidential campaign.

On Sunday, Facebook said it had suspended another data analysis firm, US-based Cubeyou, after CNBC reported it used Facebook user information -- harvested from psychological testing apps, as in the case of Cambridge Analytica -- for commercial purposes.

"These are serious claims and we have suspended CubeYou from Facebook while we investigate them," a Facebook spokesperson told AFP in an email.

"If they refuse or fail our audit, their apps will be banned from Facebook."

Lawmakers, meanwhile, have signaled they intend to get tough on Facebook and other online services over privacy.

"A day of reckoning is coming for websites like @facebook," Democratic Senator Ed Markey wrote on Twitter Friday.

"We need a privacy bill of rights that all Americans can rely upon."

Representative Ro Khanna, a California Democrat, agreed that legislation is needed "to protect Americans' dignity and privacy from bad faith actors like Cambridge Analytica, who use social media data to manipulate people."

Khanna tweeted that "self-regulation will not work. Congress must act in the public interest to protect consumers and citizens."

Several lawmakers and activists believe the United States should follow the lead of Europe's data protection law set to be implemented in May, which has strict terms for notification and sharing of personal data online.

Zuckerberg told reporters Facebook would follow the European rules worldwide, although he cautioned that its implementation may not be "exactly the same format" for various countries and regions.

- Shift on political ads -

Facebook meanwhile announced Friday it will require political ads on its platform to state who is paying for the message and would verify the identity of the payer, in a bid to curb outside election interference.

The change is meant to avoid a repeat of the manipulation efforts by Russian-sponsored entities which sought to foment discord in 2016, and also responds to criticism about anonymous messages based on Facebook profile data.

Zuckerberg said the change will mean "we will hire thousands of more people" to get the new system in place ahead of US midterm elections in November.

"We're starting this in the US and expanding to the rest of the world in the coming months," Zuckerberg said on his Facebook page.

"These steps by themselves won't stop all people trying to game the system. But they will make it a lot harder for anyone to do what the Russians did during the 2016 election and use fake accounts and pages to run ads."

Zuckerberg said Facebook is now endorsing the "Honest Ads Act," a bill that would require disclosure of the sources of online political ads.

"Election interference is a problem that's bigger than any one platform, and that's why we support the Honest Ads Act," he said. "This will help raise the bar for all political advertising online."

Some activists say Facebook needs to do more to guard against manipulation and deception on the platform.

Facebook "should really be turning their attention not only to election ads but to all ads," said Harlan Yu of the technology and social justice nonprofit group Upturn.

"They should disclose to the public a detailed accounting of all the bad ads they're taking down," Yu told a forum Thursday at the New America Foundation.

Facebook is also likely to face questions on whether it violated a 2011 agreement with the US Federal Trade Commission. Activists have alleged the social network failed to live up to promises to protect privacy.

- 'Serial offender' -

David Vladeck, a Georgetown University law professor who headed the FTC's enforcement division when the Facebook deal was negotiated, called the latest incident a "major breach" of the court-supervised settlement.

"Facebook is now a serial offender," Vladeck said in a Harvard Law Review blog post.

But Vladeck noted that a major problem with Facebook's privacy woes comes from its failure to get written contracts and guarantees with third parties such as app developers.

"It seems that Facebook made no effort to establish the (credential) of developers, much less verify or audit what user data app developers actually harvested and shared," Vladeck said.

Some analysts fear that Zuckerberg's appearance on Capitol Hill will be little more than a public relations exercise.

"Zuckerberg's dance before Congress will be delicate, and I'll bet that even a brainiac like him will have a damp shirt under his very nice suit coat not long into it," said Roger Kay, an analyst and consultant with Endpoint Technologies Associates.

"But in the end, he'll agree to some meaningless adjustments to how Facebook operates just to get out of there in one piece."

After Cambridge Analytica Facebook COO Sandberg admits other possible misuses
8.4.2018 securityaffairs

After the Cambridge Analytica privacy scandal, Facebook chief operating officer Sheryl Sandberg admitted that the company cannot rule out other cases of misuse.
In the wake of recent revelations about the Cambridge Analytica scandal, Facebook Chief Operating Officer Sheryl Sandberg does not rule out other cases of data misuse.

Sandberg gave two interviews last week, to National Public Radio and NBC’s “Today Show”, in which she acknowledged the company’s responsibility. She pointed out that Facebook had not been able to prevent third parties from abusing its platform and said that the company should have taken further steps to protect the privacy of its users.

“We know that we did not do enough to protect people’s data,” Sandberg told NPR. “I’m really sorry for that. Mark is really sorry for that, and what we’re doing now is taking really firm action.”

“Safety and security is never done, it’s an arms race,” she said. “You build something, someone tries to abuse it.”

“But the bigger (question) is, ‘Should we have taken these steps years ago anyway?’” Sandberg said. “And the answer to that is yes.”

“We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic,” she added.

“We did not think enough about the abuse cases and now we’re taking really firm steps across the board.”

One of the most debated aspects of the Cambridge Analytica scandal is that Facebook had known about the misuse for years. Sandberg confirmed this: she said that Facebook first became aware two and a half years ago that Cambridge Analytica had obtained user data illegally.

“When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted,” she said. “We did not follow up and confirm, and that’s on us — and particularly once they were active in the election, we should have done that.”

Cambridge Analytica

When asked by the “Today Show” whether other cases of misuse of user data could be expected, Sandberg said it is possible, and that for this reason the social media giant is conducting an investigation.

“We’re doing an investigation, we’re going to do audits and yes, we think it’s possible, that’s why we’re doing the audit,” she told NPR.

“That’s why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven’t necessarily found problems, but we think that we should be more protective of people’s data,” she added.

Sandberg announced that, starting next week, the news feed will include a feature that lets users see all the apps they have shared their data with. She described it as:

“a place where you can see all the apps you’ve shared your data with and a really easy way to delete them.”

Sandberg admitted that Facebook should have detected the Russian interference in the 2016 presidential election, but said the company has learned the lesson and will not allow it to happen again.

“That was something we should have caught, we should have known about,” she told NPR. “We didn’t. Now we’ve learned.”

“We’re going after fake accounts,” she said. “A lot of it is politically motivated but even more is economically motivated.”

Zuckerberg will appear before a US congressional panel next week to address privacy issues.

Facebook's Sandberg Says Other Cases of Data Misuse Possible
7.4.2018 securityweek 

Facebook was aware more than two years ago of Cambridge Analytica's harvesting of the personal profiles of up to 87 million users and cannot rule out other cases of abuse of user data, chief operating officer Sheryl Sandberg said.

Sandberg, who joined Facebook in 2008 from Google, has been largely silent since the privacy scandal broke but she gave interviews on Thursday and Friday to National Public Radio and NBC's "Today Show."

"We know that we did not do enough to protect people's data," Sandberg told NPR. "I'm really sorry for that. Mark (Zuckerberg) is really sorry for that, and what we're doing now is taking really firm action."

"Safety and security is never done, it's an arms race," she said. "You build something, someone tries to abuse it."

"But the bigger (question) is, 'Should we have taken these steps years ago anyway?'" Sandberg said. "And the answer to that is yes.

"We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic," she said.

"We did not think enough about the abuse cases and now we're taking really firm steps across the board."

Facebook has been scrambling for weeks in the face of the disclosure of the hijacking of private data by the British consulting group working for Donald Trump's 2016 presidential campaign.

'That's on us'

Sandberg said Facebook was first aware two and a half years ago that Cambridge Analytica had obtained user data from a researcher who put up a poll on Facebook.

"When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted," she said. "We did not follow up and confirm, and that's on us — and particularly once they were active in the election, we should have done that."

Sandberg was asked by the "Today Show" if other cases of misuse of user data could be expected.

"We're doing an investigation, we're going to do audits and yes, we think it's possible, that's why we're doing the audit," she said.

"That's why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven't necessarily found problems, but we think that we should be more protective of people's data," she told NPR.

Sandberg said that starting Monday, the social network will put on top of its news feed "a place where you can see all the apps you've shared your data with and a really easy way to delete them."

Sandberg said Facebook also should have been more proactive in dealing with Russian interference in the 2016 presidential election.

"That was something we should have caught, we should have known about," she told NPR. "We didn't. Now we've learned."

"We're going after fake accounts," she told the "Today Show." "A lot of it is politically motivated but even more is economically motivated."

Zuckerberg accepted responsibility this week for the failure to protect user data but maintained he was still the best person to lead the network of two billion users.

He is to appear before a US congressional panel next week to address privacy issues.

Facebook shares were down slightly in mid-morning trading in New York on Friday.

Zuckerberg admitted public data of its 2.2 billion users has been scraped by Third-party entities
6.4.2018 securityaffairs

Third-party scrapers have exploited an issue in Facebook’s search function that allowed anyone to look up users by their email address or phone number.
Facebook revealed on Wednesday that 87 million users have been affected by the Cambridge Analytica case, far more than the 50 million initially estimated.

Facebook is in the middle of a storm: Mark Zuckerberg admitted that the public data of its 2.2 billion users has been compromised over the course of several years by third-party actors that gathered information on its users.

Users’ names came up in Facebook searches unless they explicitly disabled this security setting.

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name.” reads a blog post published by CTO Mike Schroepfer.

“However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”

Schroepfer announced that Facebook has now disabled this feature and is changing the account recovery procedure to limit scraping.
Zuckerberg confirmed the extent of the scraping activity during a call with the press:

“I would assume if you had that setting turned on that someone at some point has access to your public information in some way,” Zuckerberg explained.
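The abuse described above is reverse-lookup enumeration: a scraper feeds identifiers it already holds into the search and account-recovery paths to resolve them to profiles. The detector below is an added illustration, not Facebook's code or API; it runs over constructed log lines and flags a source that resolves many distinct phone/email identifiers in a short window across both paths, which a normal user looking up a couple of friends does not do.

```python
"""Flag reverse-lookup enumeration (phone/e-mail -> profile) across the
search and account-recovery paths. Added example with constructed log
lines; the log format and thresholds are assumptions, not Facebook's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source, path, identifier looked up.
# 203.0.113.5 sweeps a phone-number range over both paths; 198.51.100.9
# behaves like an ordinary user finding two contacts.
SAMPLE_LOG = """\
2018-04-04T10:00:01 203.0.113.5 search phone:+15550100001
2018-04-04T10:00:02 203.0.113.5 search phone:+15550100002
2018-04-04T10:00:03 203.0.113.5 recovery phone:+15550100003
2018-04-04T10:00:04 203.0.113.5 search phone:+15550100004
2018-04-04T10:00:05 203.0.113.5 recovery phone:+15550100005
2018-04-04T10:00:06 203.0.113.5 search phone:+15550100006
2018-04-04T10:00:10 198.51.100.9 search email:alice@example.org
2018-04-04T10:00:11 198.51.100.9 search email:alice@example.org
2018-04-04T10:05:00 198.51.100.9 search phone:+15550100042
"""


def parse(log_text):
    """Parse the constructed log into (timestamp, source, path, identifier)."""
    events = []
    for line in log_text.splitlines():
        ts, src, path, ident = line.split()
        events.append((datetime.fromisoformat(ts), src, path, ident))
    return events


def enumeration_sources(log_text, window=timedelta(minutes=1), max_distinct=5):
    """Return {source: distinct identifiers} for sources that looked up more
    than max_distinct *distinct* identifiers inside any sliding window.
    Search and recovery are counted together because scrapers used both;
    repeated lookups of the same identifier do not count as enumeration."""
    by_src = defaultdict(list)
    for ts, src, path, ident in parse(log_text):
        if path in ("search", "recovery"):
            by_src[src].append((ts, ident))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            distinct = {ident for ts, ident in evs[i:] if ts - start <= window}
            if len(distinct) > max_distinct:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

Counting distinct identifiers rather than raw requests is what separates a sweep of a number range from a user retrying the same lookup.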

Zuckerberg blamed himself for what has happened to his company and promptly announced further improvements in terms of privacy and security.

When asked if he still considered himself the best person to run the company, he said, “Yes.”