Why am I asking the question “Data Scraping or Data Breaches”?

In recent weeks, three of the large social media companies have had lots and lots of personal data exposed online by cybercriminals. Now these social media companies are claiming that these were data that were scraped from their services. That this information that is already in the public domain.

These may have been Data Scraping

In the case of Clubhouse which had 1.3 million records exposed and LinkedIn which had 500 million records exposed. Yes all of the data that was exposed is stuff that you can see on their platforms. You can see this information very publicly on their platforms. That’s a reasonable expectation. That’s what you use these sites for.

But my issue here is that LinkedIn and Clubhouse should have done much more. They could prevent data being exposed and scraped like that, in such mass quantities. That stuff can be slowed down. It can be made non-economical.

So yes, that was data scraping, maybe not really a data breach but more should have been done.

But this one is definitely a Data Breach

Facebook, which had 533 million records exposed, this is a different situation. They had my mobile number and I had only given it to them for the purpose of authenticating my log on and I had set it to not expose that information to the public. My mobile number was exposed to the public. So therefore that is a data breach, simple as.

Facebook are being disingenuous with their claim that this was data scraping.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 074 Data Scraping or Data Breaches appeared first on L2 Cyber Security Solutions Ltd..

Setting up an account is sooo easy

Cast your mind back to when you set up Whatsapp on your phone for the first time and you set up your account with them. Did you specify a User ID or Username? Did you give it a password? The answer is no. The only authentication was your telephone number, which your phone was giving the app.

Recycling is good for the planet, but not good for security

Mobile telephone numbers get recycled by telephone companies all the time. This is because they don’t have an unlimited amount of numbers that they can issue. If you watch enough crime programmes on the TV, you will see a lot of “burner” phones being used. These are basically a cheap phone and number that might only be used once or twice and then is disposed of forever. Also, people having affairs would sometimes have a second “secret” phone for communicating with their paramour. If the affair doesn’t last long, that phone number will be disposed of.

So phone companies that have old numbers, where a contract hasn’t been renewed or a prepaid number has not been topped up in some time, they will simply assign them to new SIM cards and push them out through their retail channels. Thus the number is recycled and reused.

This is what happened to Abby Fuller. She got a new number and when she installed Whatsapp, she had all of the messages from that telephone number’s previous owner restored onto her device. Because the number is the only means of identifying an account, this is why Whatsapp authentication sucks.

She took the correct course of action and deleted everything. However if she had a bad side, she could have downloaded all of the messages or even worse, she could have impersonated that number’s previous owner in those messages and caused all sorts of issues.

So Whatsapp authentication sucks. What can I do about it?

You can set up, what Whatsapp calls, two step verification. With this enabled, if you (or somebody else), try to setup Whatsapp with your number on a different phone, you (or they) will be asked for a PIN number, which only you should know.

It’s really easy to set up:

1. Go into your Whatsapp settings
2. Select Account -> Two step verification
3. It will have an explanation screen. Click Enable
4. Provide a 6 digit PIN number and then confirm it
5. Optionally (but recommended) you can provide an email address should you forget the PIN number, where a PIN reset request can be sent. You will need to confirm that email address
6. That’s it

If somebody gets your number or they try to take over your phone number, when they try to set up Whatsapp, they will need to input the PIN you just set up. It’s not really the best two step verification in the world, but it should be effective.

I must try and persuade the few Whatsapp groups that I am involved in to switch to something more secure like Signal.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post Whatsapp Authentication Sucks appeared first on L2 Cyber Security Solutions Ltd..

“But where are the €20m or 4% of turnover fines for violating the GDPR?” you shout. As the underlying data breach incident occurred some years ago and surfaced before the #GDPR went into effect in May 2018, then they couldn’t be prosecuted under the Data Protection Act 2018, which implements the GDPR.

But this is still a significant judgement. The ICO has gone for the maximum possible penalty against Facebook, showing that what they were up to was completely unacceptable and rightly so. They found that Facebook had breached two of the principles of data protection:

1. Facebook had unfairly processed personal data.
2. And they didn’t put in place appropriate measures to prevent unauthorised or unlawful processing of personal data.

So while Facebook are only fined £500,000 this time, this is a clear indication that data protection authorities won’t be afraid of going after the maximum fines available to them for failures in respect to protecting peoples personal data.

Also don’t forget that the Irish Data Protection Commissioner is investigating Facebook for a GDPR era incident. That incident started with 50m people affected with another 40m possibly impacted. It dropped down to only ~30m affected … but that’s still ~30,000,000 people. Of those, 14m had the following personal data accessed:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

That is a massive amount of personal data to have been harvested, and could definitely be used against the victims. That particular investigation will be a big one and will probably run into some time in 2019.

In the meantime, lets be careful out there.

#SecuritySimplified

The post Facebook are only fined £500,000 appeared first on L2 Cyber Security Solutions Ltd..

As you should know by now, the General Data Protection Regulation (GDPR) requires a business to notify the regulatory authority for data protection within 72 hours of becoming aware of the breach, where there is a risk to the rights and freedoms of the affected individuals. They also must notify the affected individuals if there is a high risk to their rights and freedoms and must do so without undue delay.

Facebook notified both on Friday. They put out a public notice about the breach and the DPC were notified, as confirmed by them earlier this week. Here are some tweets from the Data Protection Commission:

The DPC talked very publicly about the Facebook breach, didn’t they?

And this is what I want to address in this post. This Facebook breach was addressed very publicly by the DPC. I would believe that this is because Facebook is such a huge source of personal data. Also the fact that this story has attracted massive worldwide attention. If they didn’t come out with those tweets, they would have been accused of all sorts of bad practice.

I don’t expect them to be publicly tweeting about a data breach in a small business, which accidentally sent a spreadsheet containing customer personal data to an incorrect e-mail recipient. It’s very important you realise this. I don’t want any business owner, who becomes aware of a data breach which needs to be reported, to decide not to notify the DPC in case they should start tweeting about it.

If you become aware of a notifiable breach, please report it. Unless you are a massive source of personal data, I don’t expect the DPC to tweet about it. It will be dealt with reasonably discreetly.

Want to find out more about data breaches?

I did a short (<2 minute) video on 6 examples of a data breach. If you head over to my YouTube channel you can see an entire video series with more discussion about the different examples of data breaches.

In the meantime, lets be careful out there.

#GDPR #SecuritySimplified

The post Facebook Breach – The DPC was very public about it. appeared first on L2 Cyber Security Solutions Ltd..

What did Cambridge Analytica do?

In 2015, Dr Aleksandr Kogan, who was a lecturer at Cambridge University’s Department of Psychology, put out an “App” on Facebook which carried out a survey for the purposes of “scientific research”. ?

This app had some 270,000 people use it on their Facebook page. “In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow it.” according to a Facebook statement.

Basically, this “App” profiled the people who used it, then probed into the Facebook profiles of the friends of that 270,000 and profiled them as well. This is where the 50 million affected people figure came from.

Just to be clear – There was no breach of Facebook data in this “scandal”. Facebook had a “Feature” at the time which allowed apps to look at freinds profiles. These apps would have told the users that this is what they were enabling before they used the app for the first time. You know. At that screen that nobody (but me) reads! Here’s an example.

Cambridge Analytica then used all of the data to psychologically profile Americans and then target specific political messages, which would definitely influence that individual. Doing so to 50 million individuals is tantamount to manipulation.

This video has a CA whistle blower telling what they did:

Should I delete my Facebook account?

Well that is completely up to you.

I deleted my original Facebook account back in about 2012, after I downloaded a copy of my Facebook data and saw just how much information I had given them and what it could be potentially used for. It’s not just the content of posts, photos and videos that I had put on the platform (and I was fairly prolific at the time), but it was all of the Likes and Shares of different things that caused me concern.

By looking at all of this data in one place, I could see that they could potentially see who and what I was about and what my opinions might be.

It freaked me out.

I deleted my account.

I created a new account in 2014 as I had become involved in a community project which needed online exposure. I have expanded that to a few other community projects, as well as my own business page, but I am pretty frugal with anything else I give Facebook. I usually limit it to photos of my dogs, the scenery or the weather.

I recently downloaded my Facebook data again and because I have been careful, I don’t see too much in they way for potential manipulation with it.

I needn’t worry too much, because I never believe anything I read … particularly on Facebook. ???

But have a read of this other short blog about what breached data can be used for.

The post Cambridge Analytica were nosey ninnies appeared first on L2 Cyber Security Solutions Ltd..

Most of the big on-line services have this facility buried in their settings somewhere, but when you find them, they are really easy to go through and it can be an eye-opening exercise. I discovered on my personal GMail account, that a phone I had on loan while my own was off getting repaired was still an authorised device on my account. I wasn’t too concerned, because I myself had carried out a factory reset on that phone before I handed the loaner back in.

However, most people would not think to do such a thing and, while you would expect the repair shop to do it as part of their procedures, this does not necessarily make it happen … and I’m not talking about the small phone repair shops that are dotted about the place either. A friend got a loaner phone from one of the big mobile companies while her’s was sent for repair. She took a few photos one day and was browsing them that evening and she came across a few dozen photos of some people she did not recognise. She mentioned this to the shop when she collected her repaired phone. They apologised profusely, immediately did a factory reset on the loaner and showed her the completely empty device when it restarted. That was OK for her. But what about the previous user of the device. What if she knew even one of the people in those photos? What if the photos were embarrassing or worse … incriminating? 

Anyway, I’ve done a Billy Connolly and wandered wildly off-topic, so back to privacy check-ups.

You can do these all at once, if you want, or just take 2 minutes each day over the next few days and do a privacy check-up and security/account check-up on each account. I would also recommend you do this on a desktop/laptop, as the mobile apps may not have the full set of privacy settings to be checked. Finally don’t just be looking for authorised devices, keep an eye out for Apps which are authorised on your accounts, which you may no longer use. You should really remove their access.

GMail … has both privacy https://myaccount.google.com/privacy and security https://myaccount.google.com/security check-ups

LinkedIn … has privacy https://www.linkedin.com/psettings/privacy and account https://www.linkedin.com/psettings/account settings pages.

FaceBook … privacy https://www.facebook.com/settings?tab=privacy and security https://www.facebook.com/settings?tab=security

Twitter … Privacy https://twitter.com/settings/safety and account https://twitter.com/settings/account settings

Other online services that you use might have something similar. Just go into their settings and search for privacy and account or security tabs and simply go through each of them.

You might even pop a reminder into your calendar to come back in 6 months time and review these settings again because lets face it, something will have changed.

And hey … Let’s be careful out there.

The post Take a 2-Minute Privacy check-up. appeared first on L2 Cyber Security Solutions Ltd..

This is pretty compelling. It looks like there is a video of you on YouTube with nearly 384K views. You’ve got to go see what everybody is looking at … right?

The post Facebook Messenger scam … it’s nothing new, but it’s still effective. appeared first on L2 Cyber Security Solutions Ltd..

Helpful tip #1

Helpful tip #2

Helpful tip #3

Conclusion

The post Here is a worrying aspect of the Yahoo breach. appeared first on L2 Cyber Security Solutions Ltd..

I’ve put a link to the full article at the bottom of this post, but essentially what happens is:

• If you click on a compromised link, a very legitimate looking “Facebook Page Verification” form will appear asking for your e-mail/phone, password and a  security question.

• If you fill it in, it will say that the first attempt is incorrect.
• If you fill it in again, it will then come back to say it has been accepted and is awaiting approval, which might take 24 hours.

The failure at the first attempt is a clever ruse to fool people that might input a false ID and password initially (in case the form is illegitimate) before proceeding with their correct credentials when they perceive the site to be legitimate (as it rejected their false details).

Whatever you have typed in will be taken and used/abused by the evildoers.

The only way to protect yourself from being compromised by these type of phishing scams is to turn on “Login Approvals” in your Facebook security settings. This will mean if somebody (including you) try to log in to your Facebook account from a different device/location, they will need to use your phone to get a code to prove you are who you told Facebook you are.

If you have already filled in your details on this page, change your Facebook password immediately and turn on the Login Approvals. If your e-mail account associated with Facebook has the same password, then change that one too and if possible turn on it’s Two-Factor Authentication (i.e. to use your phone to secure that account as well).

And lets be careful out there!

http://news.netcraft.com/archives/2016/04/22/hook-like-and-sinker-facebook-serves-up-its-own-phish.html

The post Sneaky Facebook phishing attack. appeared first on L2 Cyber Security Solutions Ltd..