Adam Levin - Identity, Security, and Personal Finance
AdamLevin.com is the official homepage of identity theft and credit expert Adam Levin. This blog features his articles surrounding the issues of personal finance, data security, identity theft, and privacy.
Facebook announced that it “unintentionally” harvested the email contacts of 1.5 million of its users without their consent.
The social media company automatically uploaded the information from users who had registered with the site after 2016 and provided their email addresses and passwords. Upon submitting a form to “confirm” their accounts, registrants saw a screen showing that their email contact lists were harvested without any means of providing consent, opting out, or interrupting the process.
“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings,” a Facebook spokesperson said.
Facebook’s requests for user email passwords during account registration have garnered strong criticism from security and privacy experts and led the company to halt the practice earlier this month.
The news comes at an awkward time for the gaffe-prone company in light of its recent attempts to rebrand itself as being more privacy-focused.
A technical glitch took down a wireless network used by New York City’s municipal government, raising serious questions about security and reliability of operational technology used by the city.
The New York City Wireless Network, or NYCWiN, was initially deployed in 2008 at a cost of $500 million. It costs the city an additional $37 million per year to maintain. The stated purpose of NYCWiN is to “support public safety and other essential City operations.” The city uses the GPS-based system to manage license plate readers, as well as the monitoring of water meters and traffic lights among other applications.
NYCWiN was down on April 6, an outage caused by an issue similar to the Y2K bug. In this case, the system required resetting every 1024 weeks due to a memory capacity limitation involving calendar dates.
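The 1024-week reset described above is the GPS week-number rollover: the legacy GPS navigation message carries the week count in a 10-bit field, which wrapped from 1023 back to 0 at the start of GPS week 2048 (00:00 on 7 April 2019 in GPS time, which runs 18 seconds ahead of UTC, so 23:59:42 UTC on 6 April). The Python below is an added illustration, not NYCWiN’s or any vendor’s code: `decode_naive` stands in for a receiver that hard-codes how many rollovers it assumes have happened, and `decode_pivot` shows the usual fix of resolving the ambiguity against a trusted lower bound such as an assumed firmware build date.

```python
from datetime import datetime, timedelta, timezone

# GPS week 0 began on Sunday 6 January 1980. The legacy navigation message
# carries the week number in a 10-bit field, so it wraps every 1024 weeks.
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEKS_PER_ROLLOVER = 1024


def utc(year, month, day):
    """Small helper so callers can build UTC dates without extra imports."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def encode_week(when):
    """Return the 10-bit week field a legacy GPS message would carry for `when`."""
    full_week = (when - GPS_EPOCH).days // 7
    return full_week % WEEKS_PER_ROLLOVER


def decode_naive(week10, rollovers_assumed):
    """Hypothetical receiver that hard-codes the number of past rollovers.

    Correct until the field wraps again; after that every decoded date lands
    exactly 1024 weeks (about 19.6 years) in the past.
    """
    full_week = rollovers_assumed * WEEKS_PER_ROLLOVER + week10
    return GPS_EPOCH + timedelta(weeks=full_week)


def decode_pivot(week10, pivot):
    """Resolve the ambiguity against a trusted lower bound (e.g. firmware build
    date): pick the earliest candidate that is not before `pivot`. Stays correct
    for any date within 1024 weeks after the pivot."""
    candidate = GPS_EPOCH + timedelta(weeks=week10)
    while candidate < pivot:
        candidate += timedelta(weeks=WEEKS_PER_ROLLOVER)
    return candidate


def rollover_error_days(week10, rollovers_assumed, pivot):
    """Days by which the naive decoder is off for a given field value."""
    return (decode_pivot(week10, pivot) - decode_naive(week10, rollovers_assumed)).days


if __name__ == "__main__":
    field = encode_week(utc(2019, 4, 7))        # first day of week 2048: reads 0
    build = utc(2015, 1, 1)                     # assumed firmware build date
    print("field value:", field)
    print("naive (1 rollover assumed):", decode_naive(field, 1).date())
    print("pivot-resolved:", decode_pivot(field, build).date())
    print("error in days:", rollover_error_days(field, 1, build))
```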
City officials have been less than transparent about the problem, raising concerns about government communications in general, but especially in the face of increasing attacks against government and municipal targets at the operations level.
“If the city’s paying $40 million a year to maintain software infrastructure, first, when it goes down, the Council and the public should know about it,” said Councilman Brad Lander to the New York Times.
Mayor Bill de Blasio said the city was investigating who was responsible for the problem.
On March 20, The Walt Disney Company completed its purchase of 21st Century Fox. The acquisition added huge properties like The Simpsons and National Geographic as well as film blockbuster franchises to Disney’s star-studded stable that includes Star Wars, Marvel Comics, Pixar, the Muppets, and a decades-long catalog of major intellectual properties.
While major acquisitions and mergers often give rise to antitrust issues (and this one was no exception), the transfer of properties with complex privacy policies, and how that works going forward, has not been a big topic of discussion.
Corralling such a massive amount of children’s and family-friendly entertainment under one roof may seem, at least on the surface, like a world-friendly move, but to quote a song from Disney’s 1995 direct-to-video sequel, “Pocahontas 2”–“things aren’t always what they appear.”
While Disney’s acquisition lacks the dark-mirror quality of Amazon’s ever-expanding home networking business or Google’s inescapable array of services (all of them tracking users with mind-boggling granularity), there is considerable consumer data tied to the properties that just changed hands. All of it is governed by the privacy policies attached to those properties, which also changed hands but cannot be changed without user consent. This is not about whatever privacy fail we might expect next from Facebook. It’s about the potential privacy conflicts caused by Disney’s acquisition of Fox.
It Was All Started by a Mouse
Walt Disney liked to remind people that his company started humbly, “by a mouse.” Today, we are also dealing with something mouse-related: Our data.
Disney of course pre-dates the era of a surveillance economy, but it has invested aggressively in data analytics and customer tracking. Strategic data deployment has been central to Disney’s increased profits in recent years, both at its theme parks and its brick-and-mortar stores. While RFID tracking of customers, facial recognition, and personalized offers based on prior purchases and behavior can all vastly improve the customer experience, we’ve seen far too many instances of companies abusing their privileged access to consumer data.
The “Don’t Be Evil” Option
Companies can start with good intentions (see Google’s recently retired “Don’t Be Evil” motto) and eventually expand their data mining practices to Orwellian dimensions. It’s a matter of grave concern.
When a disproportionate number of the customers being tracked are children, that should be even greater cause for concern. That is the red-button aspect of the Disney-Fox deal, and the one of prime interest here.
Case in point, the 2017 lawsuit filed against Disney and still pending in court that claims the company was tracking children through at least 42 of its mobile apps via unique device fingerprints to “detect a child’s activity across multiple apps and platforms… across different devices, effectively providing a full chronology of the child’s actions.”
Disney denies these allegations, but it did cop to generating “anonymous reporting” from specific user activity through “persistent identifiers,” and to the information being collected by a laundry list of third-party providers, many of which are ad tracking platforms.
The company is by no means alone in this practice. A 2018 study found that 3,337 family- and child-oriented apps available on the Google Play store were improperly tracking children under the age of 13. It’s not hard to see why. If consumer data is valuable, starting to collect data associated with an individual as early as possible can provide marketing companies with extremely deep data about their target’s preferences and habits long before they have any disposable income. The U.S. Children’s Online Privacy Protection Rule (“COPPA”) was created to stop this from happening. But as we’ve seen from companies like TikTok, it’s often skirted or flouted outright, and the penalties are often laughable compared to the profits.
The collection of data on kids is a problem. Enter Disney, the sheer scale of that empire making its data position comparable to that held by Facebook or Google. It is similar with Fox properties, though to a lesser extent. The upshot: An immense amount of data just changed hands and no one is talking about it–and they should be.
Changing Privacy Policies
While privacy policies are easy to find, they are not so much fun to read. They are not all alike. But without engaging in a tale of the tape regarding Disney and Fox policies, there is still reason for concern.
Companies can reserve the right to change their privacy policies, and if we don’t like it we can always opt out. Things become murkier when data is purchased by a third party; this can happen with acquisitions, or when major retailers go belly up. It happened when Radio Shack went out of business, and its entire customer database was suddenly put up for sale to the highest bidder.
The creation of meaningful standards for consumer privacy is a moving target, but it should be a legislatively mandated consideration for large scale mergers and acquisitions. Once a customer’s information is sold, there’s no way to get it back. An effective stopgap might be to demand a data transfer “opt out” button when we’re giving consent to privacy policies. When it comes to children, we might even consider legislating automatic “opt out” for anyone under a certain age. Where safeguarding children’s data is concerned, there’s still much work to be done.
A security analysis of 30 major banking and financial apps has shown major security holes and a lax approach to protecting user data.
The analysis was conducted by the Aite Group, which looked at mobile apps in eight categories: retail banking, credit cards, mobile payment, healthcare savings, retail finance, health insurance, auto insurance and cryptocurrency.
Among the most alarming findings was the practice of embedding and hard-coding private certificates and API keys into banking apps. API keys and certificates are the primary means of authenticating a user’s identity and determining their level of access to data; leaving hard-coded copies inside an app makes it significantly easier for a would-be hacker to gain far too much access to the data underpinning the apps themselves.
Other findings included improperly secured database commands (capable of allowing man-in-the-middle attacks), weak encryption, and the ability to reverse-engineer the app code into a readable format.
Aite declined to identify the companies behind the apps researched or say whether they had warned the companies about the security holes discovered in their apps.
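One defensive check the Aite finding points to is scanning an unpacked app for embedded private keys and high-entropy credential literals before it ships. The scanner below is an added example, not Aite’s tooling or any bank’s code; the sample files it creates are constructed, and the 3.5-bit entropy threshold is an assumed tuning value.

```python
import math
import os
import re
import tempfile
from collections import Counter

# A PEM private key block, or a credential-looking name assigned a string
# literal of 16+ characters. Entropy separates real keys from placeholders.
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
ASSIGN_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*["']([^"']{16,})["']""")
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed tuning value


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<memory>"):
    """Return (path, line, kind, excerpt) tuples for suspected embedded secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_RE.search(line):
            findings.append((path, lineno, "private-key", line.strip()))
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, f"high-entropy {name}", value[:6] + "..."))
    return findings


def scan_tree(root):
    """Walk an unpacked app (decompiled sources, assets, config) and scan text files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            if b"\x00" in data[:1024]:          # skip binaries such as .dex or .so
                continue
            findings.extend(scan_text(data.decode("utf-8", errors="ignore"), path))
    return findings


# Constructed stand-in for an unpacked app; not taken from any real product.
SAMPLE_FILES = {
    "src/Config.java":
        'public class Config {\n'
        '    static final String API_KEY = "xK9f2mQ7vB4nR8tL1wZ3pY6sH0jD5gA2";\n'
        '    static final String password = "changemechangeme";  // placeholder\n'
        '}\n',
    "assets/client.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedplaceholder\n"
        "-----END RSA PRIVATE KEY-----\n",
}


def demo():
    """Write the sample tree to a temp dir, scan it, and return the finding kinds."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
        return sorted(kind for _, _, kind, _ in scan_tree(root))
```

The low-entropy `password = "changemechangeme"` placeholder is deliberately not reported, which is what keeps the check usable in a build pipeline.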
Israeli cybersecurity researchers have created malware capable of showing fake cancerous growths on CT and MRI scans.
The malware, called CT-GAN, served as a proof of concept showing the potential for hacking medical devices with fabricated scan images convincing enough to fool medical technicians. In a video demonstrating the exploit, researchers at Ben Gurion University described how such an attack might be deployed.
“Attacker[s] can alter 3D medical scans to remove existing, or inject non-existing, medical conditions. An attacker may do this to remove a political candidate / leader, sabotage / falsify research, perform murder / terrorism, or hold data ransom for money.”
In a blind study, CT-GAN had a 99% success rate in deceiving radiologists with fake cancer nodules, and a 94% success rate in hiding actual cancer nodules.
Medical facilities are frequently targeted by hackers, due in part to their reliance on networking technologies and their archives of sensitive personal information. A recent study showed that 1 in 4 healthcare facilities were hit by ransomware in 2018 alone.
Unless you live under a bottle cap rusting on the bottom of Loon Lake, you know that if you’re concerned about privacy, Facebook CEO Mark Zuckerberg is the gift that keeps on taking.
A week after it landed with a curious (and most likely spurious) thud, Zuckerberg’s announcement about a new tack on consumer privacy still has the feel of an unexpected message from some parallel universe where surveillance (commercial and/or spycraft) isn’t the new normal.
“I believe a privacy-focused communications platform will be even more important than today’s open platforms,” Zuckerberg said. “Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks.” And maybe share more freely their inmost wants and needs, thereby making it easier to serve them ads that convert.
While Facebook has a lengthy history of leaks, gaffes, and outright violations of privacy for users and non-users alike, and Zuckerberg has made unfulfilled promises to remedy their problematic and unpopular practices, one needn’t look further than recent news to view this pivot in company policy with deep skepticism:
Facebook’s lobbying against data privacy laws worldwide: Leaked internal memos revealed an extensive lobbying effort against data privacy laws on Facebook’s part, targeting the U.S., U.K., Canada, India, Vietnam, Argentina, Brazil, and every member state of the European Union.
Facebook’s Two-Factor Authentication phone numbers exposed: After prompting users to provide phone numbers to secure their accounts, Facebook allows anyone to look up their account by using them. These phone numbers are publicly accessible by default, and users have no way of opting out once they’ve provided them. (The company has also used security information for advertising in the past.)
Mobile apps send user data to Facebook (even for non-Facebook users): A study by Privacy International showed that several Android apps, including Yelp, Duolingo, Indeed, the King James Bible app, Qibla Connect, and Muslim Pro all transmit users’ personal data back to Facebook. A later update showed that iPhone users were similarly affected: iOS versions of OKCupid, Grindr, Tinder, Migraine Buddy, Kwit, Muslim Pro, Bible, and others were also found to eavesdrop on Facebook’s behalf.
Hundreds of millions of user passwords left exposed to Facebook employees: News recently broke that Facebook left the passwords of between 200 million and 600 million users unencrypted and available to the company’s 20,000 employees going back as far as 2012.
Facebook has had more than its share of bad press in recent years, including Russian meddling in U.S. elections and complicity in a genocide campaign in Myanmar, but the company’s antipathy toward user privacy seems to belie a wider disdain for the public interest, which leads to a bigger question.
Facebook has become the most profitable, debt-free business in the world by selling the private information of its users. Do you really think it’s going to stop? Privacy is increasingly important to consumers, but Facebook is proof that a company need not respect the privacy of the lives it comes in contact with in order to thrive–quite the contrary.
When Did You Stop Beating Your Users?
It seems fair to say that Facebook has not earned the benefit of the doubt when it comes to being open and transparent with the public, and I’m not just saying that because I’ve been betting against the company’s stock (I have a fair amount, and, possibly perversely, I think it’s still a sound investment).
I bring this up because Facebook could be doing something to make itself an even better investment. In fact, any business can do it, and increase its value in the process. Put simply, companies can make themselves harder to hit by hackers, and less prone to compromise. While it’s impossible to know for certain whether a company has been compromised or not, organizations have reputations. Reputations tend to color the way we read events. And finally, reputation management in the day and age of near-constant compromise and breach requires transparency–or at least the perception of transparency.
This was the cybersecurity song stuck in my head when Facebook, Instagram, and WhatsApp experienced widespread service outages on March 13, marking the company’s longest ever downtime.
An announcement on Facebook’s Twitter feed described the outage as a result of a “server configuration change,” contradicting a widespread assumption that it was caused by a cyberattack.
A little context: MySpace recently announced a major migration gaffe: “As a result of a server migration project, any photos, videos, and audio files you uploaded more than three years ago may no longer be available on or from Myspace.” People in the know have estimated the mistake affected 53 million songs from 14 million artists.
The same day as the MySpace buzzkill, Zoll Medical reported it had experienced a data breach during an email server migration that exposed select confidential patient data, including patient names, addresses, dates of birth, limited medical information, and some Social Security numbers.
While Facebook’s statement regarding its server configuration change may have been accurate, there may have been more to the story. The problem here is that we’re not dealing with a company that releases reliable information (that isn’t associated with their users as marketing targets).
While the outage may indeed have been caused by an honest sort of epic fail, Facebook has earned a dose of healthy skepticism. Indeed, scandals and overall wrongdoing sometimes seem the way of the world at Facebook, and as a result of this perception–true, false, or truth-y–there is a significant deficit of trust among the general public. While Facebook is too large to fail as a result of this situation, small- to medium-size companies cannot afford the luxury of being perceived as untrustworthy.
Perception Is Everything
Gustave Flaubert said, “There is no truth. There is only perception.” It mattered when he wrote that, and it still matters today.
When a company doesn’t report a cyberattack–or only reports the more harmless aspects of an incident–that needn’t always be ascribed to sinister motives. Consider what would have happened to Facebook if 1) the recent downtime was caused by an attack (possibly made possible by the configuration that they reported), and 2) they admitted it. Admitting publicly that a cyberattack effectively brought a multibillion-dollar business to a halt for the better part of a day would, first and foremost, have the potential to encourage further attacks. Denying anything happened gives system administrators more time to identify and patch newly discovered vulnerabilities. Then there are the repercussions to the company’s stock price. In short, there is no upside.
Regardless of whether the Facebook outage was the result of a cyberattack or internal error, one factor that’s been largely overlooked is the company’s plan to integrate all of its platforms–specifically to make the previously separate Messenger, WhatsApp, and Instagram applications interoperable.
This cross-platform integration represents a monumental undertaking. Each of these services has, at a minimum, hundreds of millions of active users, all of them with different security protocols, data structures and network requirements. Changing the architecture of three separate applications at a fundamental level not only opens the door to human error and system glitches but also presents a golden opportunity for hackers, and that should be what we’re talking about–before anything bad happens.
The primary means of detecting cyber incidents for trained experts or artificial intelligence is to look for inconsistent or unexpected behavior in a system: An influx of traffic could mean a major news event, but it could also mean a DDoS attack. An unexpected delay in network connections could mean a hardware failure, but it could also signify a hijacked DNS server.
It doesn’t matter what caused Facebook’s recent day-long inter-platform outage. There is a valuable takeaway for businesses regardless: As Facebook trundles toward platform unification, it will be increasingly vulnerable to attack. While all companies are easier to breach when they are making a major change, Facebook and its holdings may represent a clear and present danger the likes of which we’ve never seen, and one that can help lead the way to better cyber solutions, no matter how big a company is.
Multiple sales subsidiaries of Toyota Motor Corp. were breached in an apparent cyberattack that may have leaked the personal information of up to 3.1 million people in the Tokyo area.
In late March, Toyota announced the possible breach as the result of “unauthorized access” to a network server containing customer information, but explained that it was unable to confirm whether any data was actually lost.
The hacking attempt was followed the next day by similar cyberattacks on Toyota’s subsidiaries in Vietnam and Thailand, each of which issued statements about the possibility of breaches without any further details or confirmation regarding the data compromised.
These three attempts followed another announcement made by Toyota’s Australian subsidiary in February, where it disclosed an attempted hack but was similarly light on details.
Toyota has yet to issue further statements on these incidents, but it has apologized and promised to implement stronger security measures on its networks and at its facilities.
The Georgia Institute of Technology disclosed a data breach that exposed the data of up to 1.3 million people, including current and former students, faculty, and staff.
The breach occurred in late March after what the school is calling an “unknown outside entity” gained access to a web application’s data. While the full scope is yet to be determined, the accessed data included names, addresses, Social Security numbers and birthdates.
This marks the second time in the past year that the school has disclosed a compromise of its data, after accidentally emailing out the information of 8,000 students in July 2018. In addition to the size of the breach, the news is noteworthy because of the school’s reputation in the field of computer science.
A woman carrying two Chinese passports and a thumb drive containing malware was arrested by Secret Service agents after gaining entry to President Trump’s Mar-A-Lago resort.
The woman, Yujing Zhang, initially claimed to be on the premises to use a swimming pool, but later said she had arrived early for a United Nations Chinese American Association Event when questioned by a receptionist. There was no such event scheduled.
Zhang was then detained by Secret Service Special Agent Samuel Ivanovich with whom she became “verbally aggressive,” claiming she was onsite to speak with President Trump, who was golfing nearby.
She was arrested and charged with making false statements to a federal law enforcement officer and entering a restricted area. Zhang faces a maximum of six years in prison and $350,000 in fines. A search of her belongings revealed four cell phones, a laptop, a hard drive, and a thumb drive containing “malicious malware,” the nature of which has yet to be announced.
A report issued by the British government has concluded that products developed and manufactured by the Chinese telecommunications company Huawei present significant security risks.
Assembled by the Huawei Cyber Security Evaluation Centre (HCSEC) and presented to the UK National Security Adviser, the report found that on a wide range of security issues related to both its software and engineering, Huawei has failed to maintain adequate protections.
“Poor software engineering and cybersecurity processes lead to security and quality issues, including vulnerabilities. The number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team in HCSEC is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly,” stated the report, going on to add:
“These findings are about basic engineering competence and cybersecurity hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.”
Huawei has been the subject of ongoing controversy in the West. Its bids to build the infrastructure for 5G wireless networks have been blocked in the United States, Australia, and New Zealand for security reasons and over allegations that its equipment has backdoors that the Chinese government can exploit. U.S. Secretary of State Mike Pompeo has warned European nations that using Huawei equipment makes it “more difficult” for the U.S. to partner with them.
Huawei is currently suing the United States over the ban, and the company’s chairman Guo Ping has accused the U.S. government of having a “loser’s attitude,” adding that “The U.S. has abandoned all table manners.”