Faceboök Harm Reduction?

tl;dr

You can avoid a shitload of Facebõok problems if you:

  1. Use the mobile browser version m.facebook.com
  2. Use the Mozilla Firefox browser with the Fàcebook Container extension
  3. Unfriend people you don’t interact with much

All of these are described below.

IMPORTANT WARNING: If you are in an abusive relationship or being stalked, quit Facebõok, In-sta, and WhåtsApp immediately. Social media is the number one way abusers track down their victims. For help with domestic violence in the USA, telephone 800-799-7233.
Don’t use the Internet for this because your abuser may have tampered with your browser. Better to phone. Even better if you can use a friend’s phone.

https://www.thehotline.org

Ways to Use Fåcebook More Safely

“… it works for me, so fuck off” (Friend)

This was a friend’s humorous response to my observations about Facêbook’s social and privacy problems. These are the kinds of things people in InfoSec/Cybersecurity are trained to notice. The only people I know who quit or drastically cut back on FB are InfoSec/CyberSecurity professionals or victims of FB retaliation. (Retaliation)

To almost everyone else, it doesn’t seem so bad or they haven’t yet experienced any harm. This blog will provide some ways FB is less than good for ordinary people. Then it will suggest some ways to reduce harm while using FB.

What harm?

Betty White famously framed one answer when she hosted Saturday Night Live due to a FB petition gaining over 1,000,000 likes. She said: “I didn’t know what Facebøok was. And now that I do know, it sounds like a huge waste of time.” Yes.

FB: “And now that I do know, it sounds like huge waste of time”

When I’ve shared with people horrible things about Fß, the most common response is “But I only use it to keep up with friends and family.”

Thus, even people who might agree that FB is leveraged for evil by others still use it themselves. This isn’t the first time people have done things that aren’t good for them. That’s why I’m a big advocate of harm reduction. This is the simple idea that if you give people factual information about options and respect their dignity, they will do things in a way that is least harmful. Example of Harm Reduction: Wearing a seatbelt while driving. (Controversy)

First of all, what harm does FB inflict on ordinary people? It

  • manipulates our emotions through its selection of what it shows us (CBS)
  • makes us feel worse when we’re sad, down, or angry (Sad)
  • wastes our time by making us look at things we don’t want (see Betty White above)
  • fills our feed with ads that range from idiotic (ads1) to disturbing (ads2)

Harm Reduction Tactics

So in the interests of harm reduction, I offer the following suggestions for people who want to have a richer, safer, and more satisfying experience.

  1. Download and use the Mozilla Firefox browser with the FB container fence extension enabled (Fence)
  2. Use the old, but still active mobile phone browser m.facebook.com
  3. Unfriend people who don’t add positive value to your life
  4. Unfriend people whose constant bragging makes you compare yourself negatively
  5. Download and use the free version of CCleaner that will erase FB cookies and web storage files https://www.ccleaner.com (Reputable)

Harm Reduction Benefits

If you do these things, you will gain the following benefits:

  • Your feed will be more specific to your needs (and not those of advertisers)
  • You’ll enjoy better, richer interaction with friends and family
  • YOU will be in control of your FB experience more than the algorithm

Not a Personal Problem

One of the blind spots we westerners have is that we tend to cast everything as an individual problem. We’re not very good at group thinking. This hilarious mock educational film about Faceboök Manners is a good example of side-stepping group and corporate responsibility.

Spoof of Educational Film re: The Electric Friendship Generator

Privacy Badger

Although not specific to FB, when it comes to online protection, I highly recommend the Electronic Frontier Foundation’s Privacy Badger that can be added to Firefox, Chrome, Edge, and Opera https://privacybadger.org/

Additional Info

For me, FB is one big steaming pile of holocaust deniers, racist bigots, a flood of raw sewage disinformation and info-warfare by well-funded troll farms, and the target of many breaches of user data.

Footnotes

(Friend) This partial quote is wildly out of context. After listening to my technology and privacy concerns about Facébook, he humorously replied: “Well, you do security for a living so I respect your views, but it works for me, so fuck off.” Still makes me laugh recalling that.

(Retaliation) FB does not welcome criticism: https://www.technologyreview.com/2021/07/29/1030260/facebook-whistleblower-sophie-zhang-global-political-manipulation/

(Controversy) Harm reduction for illicit drugs is more controversial. Teaching people to use alcohol pads to cleanse needles can prevent infection, but many “guardian types” insist that the only approach should be “Don’t Do Drugs!!!”

(CBS) “The thing I saw at F B over and over again was there were conflicts of interest between what was good for the public and what was good for F B. And FB, over and over again, chose to optimize for its own interests, like making more money.”  https://www.cbsnews.com/news/facebook-whistleblower-frances-haugen-misinformation-public-60-minutes-2021-10-03/

(Sad) Science Explains How FB Makes You Sad https://www.psychologytoday.com/us/blog/what-mentally-strong-people-dont-do/201603/science-explains-how-facebook-makes-you-sad

(ads1) When I was active on F B, I received countless ads for very expensive gentlemen’s underpants. I would screen-capture those for fun. How do you say “gay” without saying “gay”? Code an ad to reach men in certain zip codes in a relationship with someone of the same gender. In 2018, FB made a video just for me. I was sure to use those screen-captures:

Very Expensive Underoos for Men

(ads2) An ad looking to drum up a class action suit against PrEP medicines showed up in my feed in 2018. When I clicked on “Why am I seeing this ad?” the info was the advertiser was looking for people who live or lived in California. They did NOT reveal the whole search criteria. They were looking for gay men, using advanced search logic such as zip codes, cities, relationship status with another of the same sex, gender, etc..

Some people deny that FB allows advertisers to target gay men. How many straight men would wear the shirt on the left?

Does FB Let Advertisers Target Gay Men?

(Fence) Faceböok Container works by isolating your FB identity into a separate container (like a fence) that makes it harder for Fa cebook to track your visits to other websites with third-party cookies.

(Reputable) There are many bad programs that claim to clean up your computer, but actually contain adware or spyware. Be sure to use one that has a good reputation such as CCleaner.

We Need a New “Gray Team” for Cyber Security

In cyber security, we adopted the military model of red teams for penetration testing and blue teams for vulnerability analysis. I say it’s time for a new gray team – people charged with thinking through the misuse of systems. These are not attackers, but hostile users. This would be an uphill battle.

Everyone has heard the phrase: “Move fast and break things.” However, there’s another mantra that is just as binding in software engineering: “You don’t need a solution until there’s a problem.” A gray team would take on this mindset. It would not wait until the problems occurred; it would prevent them.

Here’s an example of a problem that should have been anticipated, but wasn’t: A woman using a P2P payment app kept receiving $1 payments accompanied by evil, threatening messages from a stalking douchebag ex, but there was no way to block someone sending a payment.1 It’s tempting to think: “Why would you ever want to block someone sending you money?” But the problem was the hostile use of the messaging aspect of the system. A gray team would know that almost all forms of human communication have been misused for abuse.

Another horrific example has happened to women who tragically have miscarriages, but their browsers and social media feeds remain flooded with ads for new baby things for weeks and weeks.2 Why isn’t there a way to report these ads for being in situationally poor taste? Organizations have been funding algorithm development to spot expecting parents, but a gray team would have identified that we needed a user-controlled “flush” command on this profiling. (If you’ve ever tried to report an ad for being misleading or in poor taste, you’ll soon find that those are not considered legitimate reasons to report ads.)

Some other examples of problems that could have been prevented:

  • Gay men have been hunted and beaten by homophobic thugs using the leaked location data from a popular gay dating app.3
  • A person set up a small business account with a credit reporting bureau. He then downloaded hundreds of thousands of credit reports.4
  • Realtors are reporting that vacant properties are receiving multiple letters addressed to different people from State unemployment benefits departments.5
  • End-users have clicked on ads that contain links to malware sites.6

These are all examples of how a huge blind spot is created by the mindset: “You don’t need a solution until there is a problem.” When I first entered the work force, there was a humorous saying: “When you’re up to your ass in alligators it’s difficult to remember your original objective was to drain the swamp.” The main benefit of a gray team is that preventing problems will always be cheaper and easier than fixing them afterwards. Also, anticipating problems will prevent “technical debt” from piling up.

We need gray teams because it’s not realistic to expect individual software engineers to deal with this. It’s not about individuals, it’s about organizations. Organizations need to step up their game to protect end-users and conserve cash by avoiding costly rework.

Back in olden days (the 1980s), a wise mentor of mine observed: “Any system humans can create, humans can subvert.” Digital transformation will be a lot more productive and less abused if organizations methodically searched for and prevented ways to subvert the systems we create. Gray teams would be one way to do that.

References:

  1. P2P Payment Stalker: https://twitter.com/TweetAnnaMarie/status/766774995057987585
  2. Miscarriages then targeted with new baby ads: https://www.huffingtonpost.co.uk/entry/women-affected-by-miscarriage-and-infertility-are-being-targeted-with-baby-ads-on-facebook_uk_5d7f7c42e4b00d69059bd88a
  3. Grindr location data leaking: https://www.newsweek.com/grindr-location-leak-1453697
  4. Credit Bureau Misuse: https://www.businessinsider.co.za/the-personal-details-of-millions-of-south-africans-have-just-been-hacked-2020-8
  5. Unemployment fraud https://www.ksby.com/news/local-news/central-coast-residents-flooded-with-fraudulent-edd-letters
  6. Malware in ads: https://www.imperva.com/learn/application-security/malvertising/

Much respect and appreciation to Jonathan Rothwell and Steve Freeman for their excellent presentation “So You Can Sleep at Night” https://youtu.be/A5umy4lUOOY They approach this as an inquiry into software engineering ethics. My approach is to build upon this from an organization systems perspective.

Credit Reporting Bureau Hacked: What Next?

Two immediate actions will greatly help you — and six more things will happen over the next 6 to 12 months. Immediately, you’ll want to:

1. Take Equifax up on their offer of the free monitoring service.

2. Place a “freeze” on all credit reports on each of the 3 services (yes, you have to pay some of them, but it’s worth it). Also do a freeze on the business-to-business company called Innovis.

Note: If your kids already have a social security number, put a freeze on their credit reports, too. (They shouldn’t have anything in the report except their name, address, and social security number.)

What Next?

Over the next 6 to 12 months, banks, auto financing firms, and landlords will implement more and more bureaucratic requirements to prove your identity.

1. Whenever a bank, brokerage, or insurance company provides 2-factor authentication for web log in, use it. Same for voice biometrics at their call centers.

2. Whenever you get a notice from a bank for a credit card you did not apply for, follow up in 2 calls. First, call the toll-free number and stop the application. Second, get the number for the ID theft department and ask for a 7-year fraud alert on your credit report.

3. Don’t let your drivers license or state ID expire. Make sure you keep it up to date. An expired ID is no longer good enough.

4. Likewise keep your passport up-to-date. If you do not have one, get one. In the US, an expired passport is no longer considered valid ID. The law changed.

5. Make sure you have a copy of your birth certificate. Order one now from the Bureau of Vital Records in your county or state. You’ll need to send a photocopy of your ID.

6. Be prepared for more and more bank/financial documents to require a thumbprint and Medallion Guaranteed Signature (which credit unions cannot provide — only commercial banks).

The 3rd Perp in the W-2 Phishing Scam?

In systems theory, a useful tool is looking past the “presenting problem.” When it comes to the W-2 phishing scam, we find the typical explanation: Humans are the weakest link in cybersecurity. (Info Sec magazine* called this particular phishing scam an “epidemic” because more than 55 companies have been identified as victims and CSO magazine** reports it as more than 60 companies.)

The standard narrative is that one individual in finance or HR fell for a phishing email that looked like it was from his/her CEO. In the case of Alpha Payroll Services, reported in CSO magazine, the employee who complied with the fake CEO request was fired. “Alpha Payroll leadership promptly terminated the employee, hired experts to assist in the investigation and response, and has been in contact with law enforcement, including the Criminal Investigation Division of the IRS and the FBI, regarding the incident.”

What I haven’t heard once in the coverage is any acknowledgement of how truly insidious this phishing scam is: It’s the companies with decisive and commanding CEOs who are most likely to be victimized. The very attributes that make for a charismatic leader are the ones that have been exploited the most in this scam.

From a “presenting problem” view point, we have two perpetrators:

1. The cybercriminals who devised the scam and exploit responses

2. Employees in HR and Finance who fall for the scam

But when we look past the presenting problem, we have a third actor:

3. CEOs who request reports and data expecting unquestioned obedience

In the cases that have been documented in the press, not one analyst or journalist has suggested that CEOs send emails to their entire company granting permission to challenge requests from the CEO. Instead, they either talk about awareness training for all employees or the need for sophisticated data loss prevention systems.

In most of the high-tech companies I’ve worked for, it was standard operating procedure to respond to any request from the CEO within 3 hours — even if the requests were sent at 11pm or 4am.

Security awareness training often starts with the instructor saying: “Don’t be the weakest link.” I think that is wise counsel to both rank-and-file employees and executives.


* http://www.infosecurity-magazine.com/news/55-companies-and-counting-fall-to/

** http://www.csoonline.com/article/3064675/security/alpha-payroll-fires-employee-victimized-by-w-2-phishing-scam.html

Rethinking “Date of Birth” to Verify Identity

Recently, I received a robocall purporting to be from a nationally recognized pharmacy chain. As part of the interaction, the computer-generated voice asked me to enter my date of birth.

Rule-of-thumb: If you haven’t signed up to receive robocalls from a company, hang up and dial the company in question yourself. It could be a scam.*

It’s difficult to gauge the probability that the call really was from the national pharmacy chain. Regardless, it baffles me how anyone could think date of birth was useful in verifying identity. Date of birth is a very easy datum to obtain on most people.

There are many genealogy sites that aggregate public records such as birth and marriage records. The purpose of these ancestor look up sites may be perfectly wholesome and innocent, but that does not preclude nefarious use. Additionally, many counties publish their tax rolls online (including name, address, photos, mini-blueprint of your house, and assessed taxes).**


* The FTC website is a good source of information about defense against robocalls: https://www.consumer.ftc.gov/articles/0076-phone-scams#Robo

** This information has always been public, but before digitization, the process usually meant visiting a government building, going into the records basement, and pouring through analog paper records. The digital age has changed all that.

TunnelBear: A Personal VPN App

“TunnelBear” is a cool, free VPN app you can use to protect your laptop or phone. People need this protection when using public WiFi (such as when you’re at the airport, coffee place, or on airplanes).

Ever since that reporter got hacked on an airplane while using an in-flight WiFi service, it seems many people are telling us to use a VPN. However, they do NOT say how to get one.

For personal use, a VPN app like TunnelBear does the trick. Just search for TunnelBear on your favorite app store or browser search engine.

Q: Is the VPN client my company put on my laptop enough? A: The VPN client that is put on your laptop is used to “tunnel into” the internal network of that company. ALWAYS use that when in a public place and you are working on company business. However, your personal laptop or phone also needs a VPN. That’s where an app like Tunnel Bear comes in.

Q: What’s the catch? A: Glad you asked. The free version of TunnelBear is limited to 500MB per month. That’s plenty for email and web surfing. Not enough for streaming movies or music. If you need more data, you can buy it. (You can pay by credit card, PayPal, or jars of honey.)

Q: I’ve been using free hotspots for years without any problem. Why do I need a VPN now? A: Unfortunately, the technology for hacking WiFi has become more widespread and easier to obtain than in the past. Consequently, the risk has been increasing.

Q: What do bears have to do with it? A: The Tunnel Bear company is located in Canada. The bear motif strikes me as an expression of True North’s freedom.

Q: Are there other VPN apps? A: Yes, but I have not used them.

Q: Do you get anything out of it? A: No. Although there is a referral program that issues a custom link, I’m not using it. Just search for tunnel bear on your favorite app store or Google it.

Q: What does VPN stand for? A: Virtual Private Network

Q: What does “virtual private network” mean? A: Let’s break that down. “Virtual” means “pretend.” “Private network” means it’s separate from the public network. A VPN secures data through encryption (so outsiders cannot intercept it). It’s not really a private network, but because of the encryption it acts like it.

Q: What do tunnels have to do with it? A: It’s a metaphor. It might not be a perfect metaphor, but it’s good. When we send and receive data over the Internet, it’s broken into smaller units of data called packets. Metaphorically, each packet is surrounded by the encryption. All the packets lined up are encased by the shell that forms a metaphorical tunnel that protects the data. All metaphors break down. In this case, the encryption shell acts like a tunnel, but packets can still be intercepted. However, because the packets are encrypted, no one can read/understand the data.
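The tunnel metaphor above, worked through as an added example (illustration code, not TunnelBear’s and not from the original post): a packet bound for a website is wrapped inside an encrypted outer packet addressed to a hypothetical VPN server, vpn.example.net, so someone capturing traffic on the same WiFi sees only the outer addresses and ciphertext. The keystream is a toy HMAC-based stand-in for a real VPN cipher, and the key and sample packet are constructed.

```python
import hashlib
import hmac
import json

# Hypothetical VPN endpoint used only for this illustration.
VPN_SERVER = "vpn.example.net"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode). It stands in for the real
    VPN cipher (AES or ChaCha20 in practice) so the example runs with the
    standard library only; it is not a cipher to use for real traffic."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice restores the plaintext."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tunnel(inner: dict, key: bytes, nonce: bytes) -> dict:
    """The 'shell': the whole inner packet, including the real destination,
    becomes the encrypted payload of an outer packet sent to the VPN server."""
    plaintext = json.dumps(inner, sort_keys=True).encode()
    return {"src": inner["src"], "dst": VPN_SERVER, "nonce": nonce.hex(),
            "payload": xor_crypt(key, nonce, plaintext)}


def untunnel(outer: dict, key: bytes) -> dict:
    """What the VPN server does: strip the shell and recover the inner packet."""
    nonce = bytes.fromhex(outer["nonce"])
    return json.loads(xor_crypt(key, nonce, outer["payload"]).decode())


def sniffer_view(packet: dict) -> dict:
    """Everything a bystander on the same WiFi can capture: the addresses on
    the outside of the packet and its raw payload bytes. Interception still
    happens; the question is whether the bytes are readable."""
    payload = packet["payload"]
    if isinstance(payload, str):
        payload = payload.encode()
    return {"src": packet["src"], "dst": packet["dst"], "payload": payload}


def leaks(view: dict, secret: bytes) -> bool:
    """True if the captured bytes contain the secret in readable form."""
    return secret in view["payload"]


# Constructed sample: a phone on coffee-shop WiFi fetching a page with a session cookie.
PLAIN = {"src": "10.0.0.7", "dst": "shop.example.com",
         "payload": "GET /account HTTP/1.1\r\nCookie: session=abc123\r\n\r\n"}
KEY = hashlib.sha256(b"constructed example shared key").digest()
NONCE = b"\x00" * 8
TUNNELED = tunnel(PLAIN, KEY, NONCE)

if __name__ == "__main__":
    for label, pkt in (("without VPN", PLAIN), ("with VPN", TUNNELED)):
        view = sniffer_view(pkt)
        print(label, "-> bystander sees dst:", view["dst"],
              "| cookie readable:", leaks(view, b"session=abc123"))
    print("VPN server recovers inner packet:", untunnel(TUNNELED, KEY) == PLAIN)
```

Note that the bystander still sees that your phone is talking to the VPN server; what the shell hides is which website you are visiting and what you sent it.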

Q: I’ve heard people from my company’s I.T. department use “VPN” as a verb; as in: “You’ll need to VPN into the network to access the Wiki.” Is VPN a verb? A: I have been told that any word can be verbed. However, when you read technical documentation, they will usually use the verb “to tunnel” as in, “Start your VPN client in order to tunnel into the secure network.”

Q: Seriously, can you pay with jars of honey? A: Yes, according to the pix on their web. It’s probable, however, that this is more for publicity. Not easy to pack up jars of honey and ship them.