Facebook caught testing Instagram user location history →

October 5, 2018 Jonathan Greig

Instagram's founders resigned last week reportedly over efforts by Facebook to gather more user information from the popular app for targeted ads.

Facebook's rough week started with news of a potential data breach exposing nearly 50 million users and is ending with further controversy, now that eagle-eyed tech researcher Jane Manchun Wong discovered testing for a feature that would give location data from Instagram -- even if the app was closed -- to Facebook.

Facebook was forced to release a statement to TechCrunch about the feature, and Wong said it was later shut down. But the move comes on the heels of a major change in management at Instagram. The company's founders, Kevin Systrom and Mike Krieger, quit last week amid rumors that they, like recently-resigned WhatsApp founder Jan Koum, were having increased concerns about Facebook's stance on data, privacy, and information collection practices.

Facebook announced recently that former News Feed VP Adam Mosseri would run Instagram, with the primary goal being closer ties between the two apps. Instagram continues to be one of Facebook's best purchases and has helped the company's popularity stay afloat amid a seemingly never-ending stream of bad news.

But the company was recently fined $122 million by the EU for siphoning data from WhatsApp. Facebook has been able to use its other, more successful apps to push people back into the Facebook orbit with constant ads and attempts to take you to the main Facebook app. With location data from Instagram, Facebook would be able to target ads based on where you are and note what stores you go to.

"To confirm, we haven't introduced updates to our location settings. As you know, we often work on ideas that may evolve over time or ultimately not be tested or released," a Facebook spokesperson told TechCrunch.

"Instagram does not currently store Location History; we'll keep people updated with any changes to our location settings in the future," it added, implying that there were plans for the feature to appear in both Instagram and Facebook Messenger. The feature may also be tied to other efforts on Facebook to tie events to locations and create "find friends nearby" capabilities.

Users could find the information stored in Facebook Profile's Activity Log, even containing maps of where you went with the time and date. When you go to the page, a Learn More tab leads you to an explanation from Facebook where it openly admits to tracking your location even when the app is not in use.

"When Location History is on, Facebook will periodically add your current precise location to your Location History even if you leave the app. You can turn off Location History at any time in your Location Settings on the app," it writes.

"Facebook may still receive your most recent precise location so that you can, for example, post content that's tagged with your location. Location History helps you explore what's around you, get more relevant ads, and helps improve Facebook."

Google employs many of the same tracking tactics as Facebook and has been similarly criticized for the data it stores on your location history even when you aren't using its apps. It faced a heavy amount of criticism and blowback from users in August when the AP confirmed that Google could and did track people even when they turned the Location History feature off.

Location data is a particularly thorny issue, especially after a Facebook employee was arrested in May after stalking a woman online using his position as an engineer to track certain data about her. Facebook chief security officer Alex Stamos was forced to apologize in a statement at the time, writing that it was "important that people's information is kept secure and private when they use Facebook."

"It's why we have strict policy controls and technical restrictions so employees only access the data they need to do their jobs - for example to fix bugs, manage customer support issues or respond to valid legal requests," he added.

"Employees who abuse these controls will be fired."

*this story was featured on Download.com on October 5, 2018: https://download.cnet.com/blog/download-blog/facebook-caught-testing-instagram-user-location-history/

Mozilla's Firefox Monitor security tool checks if your accounts have been compromised by hackers

June 26, 2018 Jonathan Greig

Mozilla's Firefox Monitor security tool checks if your accounts have been compromised by hackers

Despite the prevalence of hacks and data breaches in the news recently, few people ever find out if their information has been released or taken advantage of unless there is a noticeable problem. Just last year, more than 179 million records were exposed in the U.S.

Mozilla is hoping to change that by teaming with Troy Hunt -- a renowned Australian digital security expert who runs HaveIBeenPwned.com -- to create Firefox Monitor. The website HaveIBeenPwned.com allows you to search for your email address to see whether it has been involved in a data breach, giving you the date, breached company, and amount of data stolen. The website also gives a description of the hack your email was involved in and suggests ways to move forward.

Have I been pwned?

"Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called 'Firefox Monitor'," Hunt wrote in a blog post about the partnership.

"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream."

HaveIBeenPwned.com currently has a secure database of 5.1 billion records, with 3.1 billion unique email addresses, yet only a bit more than 2 million subscribers. The more people that take advantage of the pwned website, the more people will be able to secure their accounts and make it safer for everyone, including the websites involved in the original hack.

"Understandably, people are now more worried about internet-related crimes involving personal and financial information theft than conventional crimes. In order to help keep personal information and accounts safe, we will be testing user interest in a security tool that lets users check if one of their accounts has been compromised in a data breach," Mozilla wrote in its announcement of the deal.

Check for a privacy breach

"Visitors to the Firefox Monitor website will be able to check (by entering an email address) to see if their accounts were included in known data breaches, with details on sites and other sources of breaches and the types of personal data exposed in each breach. The site will offer recommendations on what to do in the case of a data breach, and how to help secure all accounts," they said adding that they were working on another feature that would let users know when their information was involved in a data breach.

Mozilla and HaveIBeenPwned.com initially announced a partnership last fall that saw the web browser add an alert that would notify users when they were visiting a website that had recently been involved in a data breach.

Hunt also secured a deal with 1Password, a password management app, in February that allows users to search if their email or password had been released in a data breach.

Both Hunt and Mozilla wrote extensively about the security concerns people may have with the database and entering their email addresses into the service. They employ a detailed strategy that makes it nearly impossible to use or even identify the email addresses in their database.

According to Mozilla, Firefox Monitor will begin testing next week, with 250,000 mostly U.S.-based users invited to join the trial period.

Mozilla Firefox since the end of last year has put protecting its users privacy and personal data at the top of its list. Firefox lets you create and manage strong passwords with an easy-to-use password manager that can handle credit card and other login information. The Firefox browser also includes tools that block websites from tracking your online activities. You can also extend Firefox's usefulness through browser extensions that let you harden your browser's security.

*This article was featured on Download.com on June 26, 2018: https://download.cnet.com/blog/download-blog/mozillas-firefox-monitor-security-tool-checks-if-your-accounts-have-been-compromised-by-hackers/

Source: https://download.cnet.com/blog/download-bl...

Here's why Apple is banning cryptocurrency mining on iPhones and iPads →

June 12, 2018 Jonathan Greig

Apple has joined Google, Facebook and many other tech giants in banning stealthy cryptojackers from secretly using your device.

Despite its continued popularity, cryptocurrency continues to have a rough 2018, with multiple websites and platforms banning ads and apps that secretly use your device to mine for a variety of cryptocurrencies.

Apple quietly updated its App Store review guidelines, banning apps from running "unrelated background processes, such as cryptocurrency mining."

"Apps may facilitate virtual currency storage, provided they are offered by developers enrolled as an organization. In addition, apps may not mine directly for cryptocurrencies, unless the mining is performed in the cloud or otherwise off-device," the new rules say, adding that any apps offering initial coin offerings (ICOs) must "originate from established banks, securities firms, futures commission merchants, or other approved financial institutions."

Developers are still allowed to create apps that run cryptocurrency trades but they cannot "offer currency for completing tasks, such as downloading other apps, encouraging other users to download, posting to social networks."

As noted by Ars Technica, one of the reasons for the ban may be to keep the miners from depleting a user's battery life while running in the background. Apple has put a heavy focus on iPhone battery life lately, with iOS 12 offering even more insight into battery use.

Another reason could be the controversial nature of cryptocurrencies in general.

Cryptocurrencies were largely unregulated until last year, when the SEC began to sniff around following a number of obvious scams that cost investors millions. They took particular aim at ICOs, and warned investors that these cryptocurrency marketplaces were not regulated by the SEC.

The SEC shut down PlexCoin in December, calling it a "a full-fledged cyber scam" and released a statement in March reminding investors that while cryptocurrency is a vital source of innovation, it needs to be scrutinized more closely because the SEC has little regulatory power over them.

"The SEC staff has concerns that many online trading platforms appear to investors as SEC-registered and regulated marketplaces when they are not. Many platforms refer to themselves as 'exchanges' which can give the misimpression to investors that they are regulated or meet the regulatory standards of a national securities exchange," they said in a March 7 press release.

"Although some of these platforms claim to use strict standards to pick only high-quality digital assets to trade, the SEC does not review these standards or the digital assets that the platforms select, and the so-called standards should not be equated to the listing standards of national securities exchanges."

Days after the statement, co-director of the SEC's Enforcement Division, Stephanie Avakian, announced that dozens of cryptocurrencies were under investigation. In January, Facebook banned all ads promoting cryptocurrencies and Google did the same in June 2018. Google also banned cryptocurrency mining extensions on the Chrome web store, which had been rife with crypto apps that plagued users by mining coins secretly and selling their data.

Google found that despite their rules allowing cryptomining as long as users were informed, "approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply." Users also pilloried YouTube for pages overrun by cryptojacking mining code.

LinkedIn, Twitter, Google, and Snapchat have all banned ads featuring ICOs and more continue to look for ways to stop cryptojacking, which is ruining devices and jacking up energy bills. In November, a researcher found nearly 2,500 websites running some form of cryptojacking software designed to use your device to mine for a variety of coins‚but typically the cryptocurrency Monero.

Apps on iPhones, iPads, and MacOS found in the App Store are not allowed to use a device's processor to mine for cryptocurrency. Apple made security a key facet of their Worldwide Developer Conference (WWDC) presentation, highlighting a new feature called 'Intelligent Tracking Prevention' that is designed to stop websites from monitoring you as you browse the web.

Apple dealt with an issue earlier this year involving the Calendar 2 app, which was found to have been using people's devices to mine for Monero. One user reported the app using 200% of their device's CPU.

Critics have been divided on whether the constant stream of bad news about cryptocurrency has affected their price on the market. The price of Bitcoin, Ethereum, and Litecoin all fell in March after news about potential SEC investigations broke and Google, as well as Facebook, announced their bans. But some say the prices have not fluctuated much and the scrutiny may help the more established cryptocurrencies over any new offerings.

*this article was featured on TechRepublic.com on June 12, 2018: https://www.techrepublic.com/article/heres-why-apple-is-banning-cryptocurrency-mining-on-iphones-and-ipads/

Microsoft extending GDPR protections to all global customers, here's how →

May 22, 2018 Jonathan Greig

The tech giant now gives users the ability to transfer or delete all of the data it has collected through its programs, apps, and search engines.

Microsoft said it will give all of its users across the world many of the same protections enshrined in the EU's impending General Data Protection Regulation, which comes into effect on May 25.

The passing and enforcement of the GDPR has become somewhat of a watershed moment for privacy as consumers gain a fuller picture of the data tech companies collect on a daily basis. In a statement, Microsoft CEO Satya Nadella laid out the plethora of ways they gather information and either use it themselves or offer it to other companies.

Nadella said Microsoft collects data on your web browsing and online searchers, places you go using map apps, Windows 10 and any of your online services, fitness and health apps, any ads you click on, sign-in, and payment data. The firm also leverages any connected device sensors you may have in your home or car, according to the statement.

But users now have access to a privacy dashboard that allows you to easily regulate or opt out of any data collection. You can delete all of your search history and data or move it somewhere else.

"We believe privacy is a fundamental human right. As people live more of their lives online and depend more on technology to operate their businesses, engage with friends and family, pursue opportunities, and manage their health and finances, the protection of this right is becoming more important than ever," Julie Brill, corporate vice president of Microsoft, said in a blog post. "Today we are announcing that we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else."

Other tech giants have struggled to comply with the regulations soon to take effect, and have waffled on whether their users worldwide will be given the same rights and options as those in the EU.

Just last month, Facebook CEO Mark Zuckerberg was criticized for demurring when asked whether US users would get access to GDPR rights. In response to an uproar after his comments, he said, "We intend to make all the same controls and settings available everywhere, not just in Europe. Is it going to be exactly the same format? Probably not."

Analysts and journalists have noted that despite some cosmetic changes, Facebook still makes it very difficult for users to opt out of its robust data collection efforts. In their review of Facebook's privacy changes, TechCrunch noted that "the fact that the button to reject the new Terms Of Service isn't even a button, it's a tiny 'see your options' hyperlink shows how badly Facebook wants to avoid you closing your account."

"It seems obvious that Facebook is trying to minimize the visibility of the path to account deletion rather than making it an obvious course of action if you don't agree to its terms," TechCrunch later added.

Microsoft is also gaining business through their GDPR compliance services, which are available for businesses of all sizes.

Many tech companies will likely release new service agreements on Friday and have already made changes to how they notify you of what data they collect and share with third parties.

*this article was featured on TechRepublic.com on May 22, 2018: https://www.techrepublic.com/article/microsoft-extending-gdpr-protections-to-all-global-customers-heres-how/

IoT security spending to hit $1.5B in 2018 as targeted cyberattacks grow rampant

March 21, 2018 Jonathan Greig

Spending on security for smart devices will see a 28% increase from last year, eventually hitting $3 billion by 2021.

As Internet of Things (IoT) devices like Apple's HomePod and Amazon's Echo become more popular, attempts to hack these devices have also increased, prompting industry leaders to spend more time and money on security in an effort to address the issue.

Some 20% of organizations have experienced at least one IoT attack in the last three years, according to a new report from Gartner. While spending on security for smart devices will reach more than $1.5 billion this year, the firm predicts, the inability of the industry to prioritize and implement "security best practices" is hampering efforts to tackle the problem, according to a press release.

"Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed," Ruggero Contu, research director at Gartner, said in the release. "However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."

The entire IoT industry is in need of better regulation, Gartner said in the report, and as more smart devices are weaved into other heavily regulated industries such as healthcare and automotives, companies will be forced to comply with more stringent security rules.

"This innovation, often described as Industrial Internet of Things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology (OT), such as energy, oil and gas, transportation, and manufacturing," Contu said in the release.

The tech industry has been grappling with the security of IoT devices for years, most notably since a massive cyber attack in the fall of 2016 left many of the internet's biggest websites down for hours across the globe.

The attack featured the use of the " Mirai botnet" which focused specifically on targeting IoT devices, giving it access to thousands of different entry points into a system.

David Fidler, an adjunct senior fellow for cybersecurity at the Council on Foreign Relations, told The Guardian in 2016 that he couldn't remember a hacking attempt even half the size of the Mirai attack.

"We have a serious problem with the cyber insecurity of IoT devices and no real strategy to combat it. The IoT insecurity problem was exploited on this significant scale by a non-state group, according to initial reports from government agencies and other experts about who or what was responsible," Fidler told The Guardian.

"Imagine what a well-resourced state actor could do with insecure IoT devices," he added.

More and more governments are integrating smart technology and IoT devices into every aspect of daily life, but the security is often an afterthought.

Despite many new regulations aimed specifically at IoT deployment, few, if any companies, governments and people take the time to secure their devices, according to a report from Future Markets Research.

"Although a number of governing authorities have issued guidelines to be followed by IoT device manufacturers so as to protect against cyber-attacks on IoT networks and devices, many device manufacturers and users are not strictly adhering to these guidelines," they wrote in the report, which focused on IoT security between 2017 and 2027.

"Non-adherence to these guidelines results in security lapses, which cyber attackers can take advantage of and this creates challenges for IoT security solution providers. This factor is expected to hamper growth of the IoT security product market to a large extent," they said.

*this article was featured on the Tech Republic website on March 21, 2018: https://www.techrepublic.com/article/iot-security-spending-to-hit-1-5b-in-2018-as-targeted-cyberattacks-grow-rampant/