December 20, 2018

Facebook denies sharing private messages without user knowledge

By Danny Bradbury

Facebook hit back at press reports this week that highlighted a deep network of privileged data-sharing partnerships between the social media company and other large organisations.

The bilateral relationships saw companies including Amazon, Netflix, Microsoft and Spotify exchange user data that helped both them and Facebook extend their reach by learning more about their users, often without those users being aware. They also extended to businesses in other sectors ranging from finance to the auto industry.

The New York Times explained that there were over 150 of these partnerships, so many that the social network giant needed a technology tool to keep track. Some of the deals raised privacy concerns due to the private information that they exchanged, the paper said.

Information flowed both ways. Not only could partners see data including the contact details of people’s friends and some private messages, but Facebook also received data about individuals from those companies:

Among the revelations was that Facebook obtained data from multiple partners for a controversial friend-suggestion tool called “People You May Know.”

The story sheds new light on a pattern of relationships that Facebook had already announced in 2010 at its F8 conference. Called instant personalization, it shared Facebook user information with other websites to help them personalize a person’s experience when they visited. The company closed down the instant personalization feature, which shared public data, but the New York Times story is one of several that documented links between Facebook and some companies that existed beyond that point.

Read more at https://nakedsecurity.sophos.com/2018/12/20/facebook-defends-itself-in-latest-data-sharing-scandal/

Most home routers lack simple Linux OS hardening security

By John E Dunn

More disconcerting news for router owners – a new assessment of 28 popular models for home users failed to find a single one with firmware that had fully enabled underlying security hardening features offered by Linux.

CITL (Cyber Independent Testing Laboratories) says it made this unexpected discovery after analysing firmware images from Asus, D-Link, Linksys, Netgear, Synology, TP-Link and Trendnet running versions of the Linux kernel on two microprocessor platforms, MIPS and ARM.

The missing security protections included Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and RELocation Read-Only (RELRO).

Granted, this will sound like a jumble of technical terms to most router owners, but in modern operating systems this layer of security should matter.

Linux pioneered features such as ASLR (Windows added it to Vista in 2007), taking advantage of the memory segmentation features of modern CPUs via something called the NX bit (no-execute).

As its name suggests, ASLR protects against buffer overflow attacks by randomizing where system executables are loaded into memory (so attackers don’t know where they are).

Meanwhile, its relative, DEP, is a way of stopping malware from executing from system memory in use by the OS.

Read more at https://nakedsecurity.sophos.com/2018/12/20/most-home-routers-lack-simple-linux-os-hardening-security/
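
As an added illustration (not CITL's tooling and not code from the article), the sketch below reads the ELF headers of a firmware binary and reports three build-time flags that correspond to the protections named above: a position-independent main executable (needed for ASLR to relocate it), a non-executable stack (DEP) and a RELRO segment. The sample images are constructed header-only ELF files, and `hardening_report` and `build_sample` are names chosen for this example.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, ET_DYN = 0x1, 3

def hardening_report(elf: bytes) -> dict:
    """Report PIE, non-executable stack and RELRO from ELF headers only."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big endian
    e_type, = struct.unpack_from(end + "H", elf, 16)
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    flags_off = 4 if is64 else 24        # p_flags sits at a different offset
    segs = {}
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        p_flags, = struct.unpack_from(end + "I", elf, base + flags_off)
        segs[p_type] = p_flags
    return {
        # ET_DYN main executable: the loader can place it at a random base.
        "pie": e_type == ET_DYN,
        # Stack marked non-executable; a missing header counts as not set.
        "nx_stack": PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X,
        # Segment present; full RELRO also needs BIND_NOW (not checked here).
        "relro": PT_GNU_RELRO in segs,
    }

def build_sample(e_type: int, segments: list) -> bytes:
    """Constructed 32-bit big-endian (MIPS-style) ELF holding headers only."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr = struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0,
                      52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(">8I", t, 0, 0, 0, 0, 0, flags, 4)
                     for t, flags in segments)
    return ident + hdr + phdrs

# Constructed samples: one built with all three flags, one with none.
HARDENED = build_sample(3, [(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
WEAK = build_sample(2, [(1, 7), (PT_GNU_STACK, 7)])

if __name__ == "__main__":
    print("hardened:", hardening_report(HARDENED))
    print("weak:    ", hardening_report(WEAK))
```

To audit a real image, pass the bytes of each executable extracted from the firmware filesystem to `hardening_report`.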

Glitter bomb engineer exacts revenge on parcel thieves

By Lisa Vaas

Well, who knew: the sweet smell of success actually smells like farts and is uber fabulously glittery.

That was proved by former NASA engineer Mark Rober, who, in his own words, “over-engineered the crap” out of a glitter bomb to sprinkle glee and regular emissions of aerosolized fart odor upon package thieves…

…and who, in order to record the newly sparkling thieves’ Emmy award-worthy reactions – the majority of which amount to variations on “what the fuuhh…..??!!!” – used an accelerometer in the fake package to detect movement, geofencing to send an alert to his phone when the package left his property, and four camera phones to record visual and audio of the package-nappers.

But enough with blah blah blah. A collection of glitter explosion video captures alone are worth a thousand words, never mind the value of the suspense that mounts at the sound of a motor cranking as the fart smell machinery revs up for its 30-second-interval gusts.

Rober spent nine years working at NASA – mostly on the Curiosity rover – at its Jet Propulsion Laboratory. He’s an engineer (obviously!), an inventor (ditto!), and a YouTube personality. To date, pre-glitter fart bomb, his most popular invention has been Digital Dudz: a selection of Halloween costumes that incorporate mobile apps with clothing.

The glitter fart bomb, however, is his magnum opus, he said.

Read more at https://nakedsecurity.sophos.com/2018/12/20/glitter-bomb-engineer-exacts-revenge-on-parcel-thieves/

Phone repair shop employees accused of stealing nude photos

By Lisa Vaas

Ever broken your phone screen? Had your computer fritz? Ever taken a device to a repair shop? Ever been asked for your password when you hand it over? Ever wonder whether the shop workers lift the lid to rifle through your little treasure chest of personal data?

Anybody should think about that last one, but it goes double for women or girls, as recent news makes clear.

Terrence M. Roy, 47, of Seekonk, in the US state of Rhode Island, is now facing two counts of accessing a computer for fraudulent purposes and one conspiracy count. He’s one of six defendants who were/are employed by Flint Audio Video, in Middletown, RI.

An RI State Police investigation has found that 13 women between the ages of 22 and 47 never gave anyone from Flint permission to go through their “media files, make copies and later disseminate them.” Nonetheless, the women allege that store employees stole and shared their nude images and videos.

The statute of limitations means that only five of the alleged victims are now associated with the case. Police believe that the alleged thefts have been going on for seven years – since 2011.

As reported by the Providence Journal on Monday, Roy said in an interview with state police that he had surreptitiously taken photos of customers inside the store and sent them to former employee George Quintal, 34, who’s also facing five counts of accessing a computer for fraudulent purposes and five conspiracy counts.

Read more at https://nakedsecurity.sophos.com/2018/12/20/phone-repair-shop-employees-accused-of-stealing-nude-photos/

Serious Security: When cryptographic certificates attack

By Paul Ducklin

Artificial intelligence, fuzzy logic, neural networks, deep learning…

…any tools that help computers to behave in a way that’s closer to what we could call “thinking” are immensely useful in fighting cybercrime.

That’s because what’s generally known today as machine learning is good at dealing quickly with immense amounts of threat-related data, pruning out the many irrelevancies to leave the interesting and important stuff in clear sight.

But don’t knock human savvy just yet!

Sometimes, a single, informed glance by a human expert is more than enough, like this great tweet from last week by computer security practitioner Paul Melson.

If you’re a security researcher yourself, you’re probably going, “Hey, that’s cool!” (Or, perhaps more appropriately, “That’s very uncool.”)

But if you aren’t a sysadmin, you might be wondering what the fuss is about – so we figured it would be informative to dig into the story behind the story.

Why does the text ----BEGIN CERTIFICATE---- UEsDBBQ... ring all sorts of alarm bells, and what do those bells tell you?

Read more at https://nakedsecurity.sophos.com/2018/12/19/serious-security-when-cryptographic-certificates-attack/
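
An added example, not taken from the article or the tweet: `UEsDBBQ` is what the ZIP signature `PK\x03\x04` looks like after base64 encoding, whereas a DER-encoded certificate begins with an ASN.1 SEQUENCE and typically encodes as `MII...`. The check below decodes each "certificate" block and reports what is really inside; the sample blocks and all function names are constructed for illustration.

```python
import base64
import re

# Accept four or five dashes, since both spellings turn up in the wild.
PEM_RE = re.compile(r"-+BEGIN CERTIFICATE-+\s*(.*?)\s*-+END CERTIFICATE-+", re.S)
MAGIC = {b"PK\x03\x04": "ZIP archive", b"MZ": "Windows PE executable",
         b"\x7fELF": "ELF executable", b"%PDF": "PDF document"}

def der_sequence_ok(raw: bytes) -> bool:
    """True if raw is one ASN.1 SEQUENCE whose length field spans all of raw."""
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    if raw[1] < 0x80:                      # short-form length
        hdr, length = 2, raw[1]
    else:                                  # long form: next n bytes hold length
        n = raw[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    return hdr + length == len(raw)

def classify_pem_blocks(text: str) -> list:
    """Return one verdict per CERTIFICATE block found in text."""
    verdicts = []
    for body in PEM_RE.findall(text):
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            verdicts.append("invalid base64")
            continue
        if der_sequence_ok(raw):
            verdicts.append("DER sequence (certificate-shaped)")
            continue
        hit = next((name for sig, name in MAGIC.items() if raw.startswith(sig)), None)
        verdicts.append(hit or "unknown payload")
    return verdicts

def pem_wrap(raw: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed samples: a bare DER envelope (not a real certificate) and
# the first bytes of a ZIP local file header padded with zeros.
FAKE_DER = pem_wrap(b"\x30\x82\x01\x00" + bytes(256))
FAKE_ZIP = pem_wrap(b"PK\x03\x04\x14\x00" + bytes(24))

if __name__ == "__main__":
    print(FAKE_ZIP.splitlines()[1][:8])    # the prefix quoted in the article
    print(classify_pem_blocks(FAKE_DER + FAKE_ZIP))
```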
