Wednesday, January 10, 2018

Facebook Bug

Facebook bug could have exposed your phone number to marketers

You know that Facebook data-use policy, the one that promises it’s not going to spread our personal information to outfits that want to slice and dice and analyze us into chop suey and market us into tomato paste?

“We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners unless you give us permission.

Yea, well… funny thing about that…
Turns out that up until a few weeks ago, against its own policy, Facebook’s self-service ad-targeting tools could have squeezed users’ cellphone numbers from their email addresses… albeit very, verrrrry sloooowly. The same bug could have also been used to collect phone numbers for Facebook users who visited a particular webpage.
Finding the bug earned a group of researchers from the US, France and Germany a bug bounty of $5000. They reported the problem at the end of May, and Facebook sewed up the hole on 22 December.
That means that phone numbers could have been accessed for at least seven months, although Facebook says that there’s no evidence that it happened.
The researchers described in a paper how they used one of Facebook’s self-serve ad-targeting tools called Custom Audiences to ascertain people’s phone numbers.
That tool lets advertisers upload lists of customer data, such as email addresses and phone numbers. It takes about 30 minutes for the tool to compare an advertiser’s uploaded customer list to Facebook’s user data, and then presto: the advertisers can target-market Facebook users whose personal data they already have.
Custom Audiences also throws in other useful information: it tells advertisers how many of its users will see an ad targeted to a given list, and in the case of multiple targeted-ad lists, it tells advertisers how much the lists overlap.
And that’s where the bug lies. Until Facebook fixed it last month, the data on audience size and overlap could be exploited to reveal data about Facebook users that was never meant to be offered up. The hole has to do with how Facebook rounded up the figures to obscure exactly how many users were in various audiences.
As far as resources go, the initial exploitation is the most “expensive” aspect of the exploit, the researchers said. In one evaluation of the attack, they recruited 22 volunteers with Facebook accounts who lived either in Boston or in France.
It took 30 minutes to upload two area code lists for Boston (617 and 857) where the phones had 7 digits to infer. Each list had one million phone numbers, all with a single digit in common. France was even tougher to chew through: it took a week to generate 200 million possible phone numbers starting with 6 or 7 and to upload each list.
But after that, it was fairly smooth sailing.

“The resulting audiences can be re-used to infer the phone number of any user”.

The researchers went on to use Facebook’s tools to repeatedly compare those audience lists against others generated using the targets’ emails. They kept an eye out for changes to the estimated audience figures that occurred when an email address matched a phone number, revealing users’ numbers drip by drip, one digit at a time.
The attack apparently worked with all Facebook users who had a phone number associated with their account. The exploit stumbled when people provided multiple, or no, phone numbers for their Facebook accounts. It took under 20 minutes per user to get phone numbers.
The researchers used the same technique to collect phone numbers en masse for volunteers who visited a website with the “tracking pixel” Facebook provides to help site operators target ads to visitors. As they explain, Facebook gives advertisers some code – referred to as a tracking pixel, since it was historically implemented as a one-pixel image – to include on their websites. When users visit the advertiser’s website, the code makes requests to Facebook, thereby adding the user to an audience.
The audiences aren’t defined by “attributes,” such as visitors’ gender or their location. Rather, these are “PII-based audiences.” Advertisers select specific users they want to target, by either uploading known email addresses, names, or other personally identifying information (PII), or by selecting users who visited an external website that’s under the advertiser’s control.
The tracking-pixel version of the exploit succeeded in getting the researchers the phone numbers they were after. It appeared to work for all accounts Facebook defines as daily active users.
Facebook fixed the bug by weakening its ad-targeting tools. They’re not showing audience sizes any longer when customer data is used to make new ad-targeting lists.
Facebook Vice President for Ads Rob Goldman put out a thank-you statement for the researchers’ find:

“We’re grateful to the researcher who brought this to our attention through our bug bounty program. While we haven’t seen any abuse of this complex technique, we’ve made product changes to prevent this from occurring.

Thursday, February 13, 2014

How to make your blog work for YOU..!!

Blogging is brilliant, nobody can deny it, its fast, sometimes free and a brilliant platform to launch yourself or your business on. So now how do you make blogging work for you? If you have thought about owning and running a blog then what is stopping you? www.blogger.com is free and literally takes just minutes.
Deciding what to blog about is probably the most difficult choice and decision you will have to make. So lets get down to it, to find a topic/subject/interest for your blog I suggest that you do what you enjoy. What hobbies, passions or interests do you have? What do you enjoy reading, researching or talking about?

Whatever it is as long as it is legal you can write/blog about it. So why not start by writing down everything you enjoy doing, what appeals to you, what makes you happy and more importantly do you genuinely enjoy the "said" subject enough to write about it day after day for the foreseeable future or are you just in it for the money? If you are just in it for the money then I don't think you will get that far, If you want to produce informative, fun helpful and useful blogs for people to read then please carry on.

Once you have written down all of your ideas, look over your list/s what stand out and grabs your attention if anything? If nothing does then give it a break and write down come more things after you have had a cup of coffee, if you have found something that really truly and deeply interests you then congratulations you are ready to start your own blog.

To be successful at blogging I think there are a few main things you need to consider including:

1. You have to have a good blog topic, a good topic is ideally something that people search for or want to find out about on the internet, but not something that has been saturated by hundreds before you.

2. You have to decide how much time and effort you want to give and put into your blog, for example it would be ideal if you could post on a regular basis as nothing turns blog readers and fans off quicker than a blogger who posted 5 times a day for a month and then posted nothing for 2 weeks. Try to keep your posting some what consistent and regular so that you can get, keep and maintain peoples interest.

3. You ideally need to be promoting your blog once it is up and running, you need to get it out there, in search engines, in blog directories and so on. These days just starting and writing in a blog is not enough, you need to find readers and plenty of them if you want to have a successful blog in your hands.

I hope these tips and ideas have given you some food for thought. I wish you every success with your blog/blogging.

Friday, November 8, 2013

What is a Blog ?????

  Blogs appear on the news pretty often these days. For example, a reporter is tipped to a story by a blog, or a blog reports another angle on a story. Blogs show up in magazines a lot, too.
But there is a good chance you have never seen a blog (also known as a weblog) or experienced the blogosphere. What are blogs? There are now millions of them -- where did they all come from?
One of the things that is so amazing about blogs is their simplicity.
Think about a "normal Web site." It usually has a home page, with links to lots of sub-pages that have more detail. HowStuffWorks is like this, with thousands of information pages all organized under a home page. A small business site follows the same format -- it might have a home pag­e and five or 10 sub-pages. Most traditional Web sites follow this format. If the site is small, it is sort of like an online brochure. If it is large, it is like an electronic encyclopedia.
A typical Web site has a home page that links to sub-pages within the site. CNN.com is typical of this genre. The CNN site contains thousands of articles all organized into big categories. The categories and all the latest stories are accessed from the home page.
A blog is much simpler:
A blog is normally a single page of entries. There may be archives of older entries, but the "main page" of a blog is all anyone really cares about.
A blog is organized in reverse-chronological order, from most recent entry to least recent.
A blog is normally public -- the whole world can see it.
The entries in a blog usually come from a single author.
The entries in a blog are usually stream-of-consciousness. There is no particular order to them. For example, if I see a good link, I can throw it in my blog. The tools that most bloggers use make it incredibly easy to add entries to a blog any time they feel like it.

In my next blog, you will have a chance to enter the world of blogging. You will even learn how to create your own blog and publish it to the world.

Tuesday, November 5, 2013

Are you underestimating power of BLOGGING..???


 
With  an estimated 150 thousand new websites and 15 million new pages added to the Internet every day, the biggest challenge for every entrepreneur is to get found, and get some credibility for a new startup. I can attest from experience that publishing a regular blog to properly showcase your offering, even before you have it, is a most cost effective approach in time and money.

The biggest roadblock is that startup founders already have too much to do building a product, mapping strategy, courting investors, etc. So finding time is hard, and good writing is simply not what most people do. But here are some key reasons why you need to give it some priority:

You can validate the need and your solution before spending money. Too many entrepreneurs spend big money on development, only to find out that the solution isn’t quite right. Feedback from your blog will tell you quickly whether anyone agrees with your assessment, and whether you have a customer base waiting.
Find potential partners. Most of the people you would want as co-founders are now cruising the relevant blogs for ideas and partners. It’s a great way to find like-minded people, and get a dialog going. From a networking standpoint, it’s a lot more efficient than going to seminars and other industry events.
Populate your team. Smart potential employees are also reading blogs to stay up-to-date in their field, and find the new leaders. More and more, employees work for people they respect, rather than companies. Take the initiative to put yourself out there. Of course, ultimately you want employees who can blog for you and your company as well.
Cultivate early customers. It’s never too early to start a dialog with customers, as long as you don’t mislead them about where you are in the cycle. Build your brand and get leads today. There’s also the opportunity to do some consulting with interested customers to provide needed revenue while the product is still under development.
Build your credibility with investors. A blog is an excellent vehicle to meet investors, before you are ready to ask them for money. You will also learn about competitors, who can’t resist responding to a well-written blog. Once you gain real traction as an expert in your space through the blog, investors will put you at the top of their funding list.
Hone your communication skills. Writing a blog is all about communication, and that’s your number one job as founder of a new startup. Trying to write something down for someone else to understand quickly, will tell you if you really understand it yourself. Even if you use a ghost writer for your blog, the briefing process will enhance your skills.
Your Google ranking will go up dramatically. Whereas Google and other search engines may take two or three weeks to list your new website in search results, new blog sites and new blog entries are indexed every day. From comments, you will accumulate external links both into and out of your site, and get additional ranking from Google.
Since a startup by definition is not a recognized brand, you are the brand, based on the social media culture of today. People assume your startup is real, if they see real people, and they will attribute credibility to your startup, based on your own credentials and the quality of information you offer through your blog. No person and no blog puts your startup at the bottom of a long list. Business blogging, or value-blogging, is all about helping others and helping yourself at the same time. I wonder if the 70% of startups that fail in the first five years are the same 70% that don’t have a blog? What’s holding you back?

 In my next blog I’ll share how blogging can help you generate dollars… by then eat good food and have fun…!! :) 

Google knows nearly every Wi-Fi password in the world

If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide.

Recently IDC reported that 187 million Android phones were shipped in the second quarter of this year. That multiplies out to 748 million phones in 2013, a figure that does not include Android tablets.

Many (probably most) of these Android phones and tablets are phoning home to Google, backing up Wi-Fi passwords along with other assorted settings. And, although they have never said so directly, it is obvious that Google can read the passwords.

Sounds like a James Bond movie. 

Android devices have defaulted to coughing up Wi-Fi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn't change it. I suspect that many Android users have never even seen the configuration option controlling this. After all, there are dozens and dozens of system settings to configure.

And, anyone who does run across the setting can not hope to understand the privacy implication. I certainly did not.

Specifically:

In Android 2.3.4, go to Settings, then Privacy. On an HTC device, the option that gives Google your Wi-Fi password is "Back up my settings". On a Samsung device, the option is called "Back up my data". The only description is "Back up current settings and application data". No mention is made of Wi-Fi passwords.
In Android 4.2, go to Settings, then "Backup and reset". The option is called "Back up my data". The description says "Back up application data, Wi-Fi passwords, and other settings to Google servers".
Needless to say "settings" and "application data" are vague terms. A longer explanation of this backup feature in Android 2.3.4 can be found in the Users Guide on page 374:

Check to back up some of your personal data to Google servers, with your Google Account. If you replace your phone, you can restore the data you’ve backed up, the first time you sign in with your Google Account. If you check this option, a wide variety of you personal data is backed up, including your Wi-Fi passwords, Browser bookmarks, a list of the applications you’ve installed, the words you’ve added to the dictionary used by the onscreen keyboard, and most of the settings that you configure with the Settings application. Some third-party applications may also take advantage of this feature, so you can restore your data if you reinstall an application. If you uncheck this option, you stop backing up your data to your account, and any existing backups are deleted from Google servers.

A longer explanation for Android 4.0 can be found on page 97 of the Galaxy Nexus phone users Guide:

If you check this option, a wide variety of your personal data is backed up automatically, including your Wi-Fi passwords, Browser bookmarks, a list of the apps you've installed from the Market app, the words you've added to the dictionary used by the onscreen keyboard, and most of your customized settings. Some third-party apps may also take advantage of this feature, so you can restore your data if you reinstall an app. If you uncheck this option, your data stops getting backed up, and any existing backups are deleted from Google servers.

Sounds great. Backing up your data/settings makes moving to a new Android device much easier. It lets Google configure your new Android device very much like your old one.

What is not said, is that Google can read the Wi-Fi passwords.

And, if you are reading this and thinking about one Wi-Fi network, be aware that Android devices remember the passwords to every Wi-Fi network they have logged on to. The Register writes

The list of Wi-Fi networks and passwords stored on a device is likely to extend far beyond a user's home, and include hotels, shops, libraries, friends' houses, offices and all manner of other places. Adding this information to the extensive maps of Wi-Fi access points built up over years by Google and others, and suddenly fandroids face a greater risk to their privacy if this data is scrutinised by outside agents.

The good news is that Android owners can opt out just by turning off the checkbox.

Update: Sept 15, 2013: Even if Google deletes every copy of your backed up data, they may already have been compelled to share it with others. And, Google will continue to have a copy of the password until every Android device that has ever connected to the network turns off the backing up of settings/data.

The bad news is that, like any American company, Google can be compelled by agencies of the U.S. government to silently spill the beans.

When it comes to Wi-Fi, the NSA, CIA and FBI may not need hackers and cryptographers. They may not need to exploit WPS or UPnP. If Android devices are offering up your secrets, WPA2 encryption and a long random password offer no protection.

I doubt that Google wants to rat out their own customers. They may simply have no choice. What large public American company would? Just yesterday, Marissa Mayer, the CEO of Yahoo, said executives faced jail if they revealed government secrets. Lavabit felt there was a choice, but it was a single person operation.

This is not to pick on Google exclusively. After all, Dropbox can read the files you store with them. So too, can Microsoft read files stored in SkyDrive. And, although the Washington Post reported back in April that Apple’s iMessage encryption foils law enforcement, cryptographer Matthew Green did a simple experiment that showed that Apple can read your iMessages.

In fact, Green's experiment is pretty much the same one that shows that Google can read Wi-Fi passwords. He describes it:

First, lose your iPhone. Now change your password using Apple's iForgot service ... Now go to an Apple store and shell out a fortune buying a new phone. If you can recover your recent iMessages onto a new iPhone -- as I was able to do in an Apple store this afternoon -- then Apple isn't protecting your iMessages with your password or with a device key. Too bad.

Similarly, a brand new Android device can connect to Wi-Fi hotspots it is seeing for the very first time.

Back in June 2011, writing for TechRepublic, Donovan Colbert described stumbling across this on a new ASUS Eee PC Transformer tablet:

I purchased the machine late last night after work. I brought it home, set it up to charge overnight, and went to bed. This morning when I woke I put it in my bag and brought it to the office with me. I set up my Google account on the device, and then realized I had no network connection ...  I pulled out my Virgin Mobile Mi-Fi 2200 personal hotspot and turned it on. I searched around Honeycomb looking for the control panel to select the hotspot and enter the encryption key. To my surprise, I found that the Eee Pad had already found the Virgin hotspot, and successfully attached to it ... As I looked further into this puzzling situation, I noticed that not only was my Virgin Hotspot discovered and attached, but a list of other hotspots ... were also listed in the Eee Pad's hotspot list. The only conclusion that one can draw from this is obvious - Google is storing not only a list of what hotspots you have visited, but any private encryption keys necessary to connect to those hotspots ...

Micah Lee, staff technologist at the EFF, CTO of the Freedom of the Press Foundation and the maintainer of HTTPS Everywhere, blogged about the same situation back in July.

When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Google stores the passwords in a manner such that they can decrypt them, given only a Gmail address and password.

Shortly after Lee's blog, Ars Technica picked up on this (see Does NSA know your Wi-Fi password? Android backups may give it to them). A Google spokesperson responded to the Ars article with a prepared statement.

Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch.  At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.

Sean Gallagher, who wrote the Ars article, added "The spokesperson could not speak to how ... the data was secured at rest."

Lee responded to this with:

... it’s great the backup/restore feature is optional. It’s great that if you turn it off Google will delete your data. It’s great that the data is encrypted in transit between the Android device and Google’s servers, so that eavesdroppers can’t pull your backup data off the wire. And it’s great they they have strong security, both digital and physical, at their data centers. However, Google’s statement doesn’t mention whether or not Google itself has access to the plaintext backup data (it does)... [The issue is] Not how easy it is for an attacker to get at this data, but how easy it is for an authorized Google employee to get at it as part of their job. This is important because if Google has access to this plaintext data, they can be compelled to give it to the US government.

Google danced around the issue of whether they can read the passwords because they don't want people like me writing blogs like this. Maybe this is why Apple, so often, says nothing.

Eventually Lee filed an official Android feature request, asking Google to offer backups that are stored in such a way that only the end user (you and I) can access the data. The request was filed about two months ago and has been ignored by Google.

I am not revealing anything new here. All this has been out in the public before. Below is a partial list of previous articles.

However, this story has, on the whole, flown under the radar. Most tech outlets didn't cover it (Ars Technica and The Register being exceptions) for reasons that escape me. 

1) Google knows where you've been and they might be holding your encryption keys. June 21, 2011 by Donovan Colbert for TechRepublic. This is the first article I was able to find on the subject. Colbert was not happy, writing:

 ... my corporate office has a public, protected wireless access point. The idea that every Android device that connects with that access point shares our private corporate access key with Google is pretty unacceptable ... This isn't just a trivial concern. The fact that my company can easily lose control of their own proprietary WPA2 encryption keys just by allowing a user with an Android device to use our wireless network is significant. It illustrates a basic lack of understanding on the ethics of dealing with sensitive corporate and personal data on the behalf of the engineers, programmers and leadership at Google. Honestly, if there is any data that shouldn't be harvested, stored and synched automatically between devices, it is encryption keys, passcodes and passwords.

2) Storage of credentials on the company servers Google by Android smartphones  (translated from German). July 8, 2013. The University of Passau in Germany tells the university community to turn off Android backups because disclosing passwords to third parties is prohibited. They warn that submitting your password to any third party lets unauthorised people access University services under your identity. They also advise changing all passwords stored on Android devices.

3)  Use Android? You’re Probably Giving Google All Your Wifi Passwords  July 11, 2013 by Micah Lee. Where I first ran into this story.

4) Android and its password problems open doors for spies July 16, 2013 by The H Security in Germany. Excerpt:

Tests ... at heise Security showed that after resetting an Android phone to factory settings and then synchronising with a Google account, the device was immediately able to connect to a heise test network secured using WPA2. Anyone with access to a Google account therefore has access to its Wi-Fi passwords. Given that Google maintains a database of Wi-Fi networks throughout the world for positioning purposes, this is a cause for concern in itself, as the backup means that it also has the passwords for these networks. In view of Google's generosity in sharing data with the NSA, this now looks even more troubling ... European companies are unlikely to be keen on the idea of this backup service, activated by default, allowing US secret services to access their networks with little effort.

5)  Does NSA know your Wi-Fi password? Android backups may give it to them July 17, 2013 by Sean Gallagher for Ars Technica. This is the article referred to earlier. After this one story, Ars dropped the issue, which I find strange since they must have realized the implications.

6) Android backup sends unencrypted Wi-Fi passwords to Google July 18, 2013 by Zeljka  Zorz for net-security.org

7) Would you tell Google your Wi-Fi password? You probably already did... July 18, 2013 by Paul Ducklin writing for the Sophos Naked Security blog. Ducklin writes

... the data is encrypted in transit, and Google (for all we know) probably stores it encrypted at the other end. But it's not encrypted in the sense of being inaccessible to anyone except you ...  Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently ...

8) Android Backups Could Expose Wi-Fi Passwords to NSA July 19, 2013 by Ben Weitzenkorn of TechNewsDaily. This same story also appeared atnbcnews.com and mashable.com.

9) Despite Google’s statement, they still have access to your wifi passwords July 19, 2013 by Micah Lee on his personal blog. Lee rebuts the Google spokesperson response to the Ars Technica article.

10) Oi, Google, you ate all our Wi-Fi keys - don't let the spooks gobble them too July 23, 2013 by John Leyden for The Register. Leyden writes: "Privacy experts have urged Google to allow Android users' to encrypt their backups in the wake of the NSA PRISM surveillance flap."

11) Google: Keep Android Users' Secure Network Passwords Secure August 5, 2013 by Micah Lee and David Grant of the EFF. They write

Fixing the flaw is more complicated than it might seem. Android is an open source operating system developed by Google. Android Backup Service is a proprietary service offered by Google, which runs on Android. Anyone can write new code for Android, but only Google can change the Android Backup Service.

To conclude on a Defensive Computing note, those that need Wi-Fi at home should consider using a router offering a guest network.

Make sure that Android devices accessing the private network are not backing up settings to Google. This is not realistic for the guest network, but you can enable the guest network only when needed and then shut it down afterwards. Also, you can periodically change the password of the guest network without impacting your personal wireless devices.

At this point, everybody should probably change their Wi-Fi password.