Why no one should be surprised by the Facebook / Cambridge Analytica “breach”

As I’m someone who is concerned about privacy and the invasiveness of technology in our lives, you might be startled by my response to the alleged “data breach” in the Facebook / Cambridge Analytica saga.

My reaction: “It’s not a breach if data was supplied with consent!”

Of course, the important word is “if”.

How often have we seen our friends post on their Facebook profile the results of some new personality test, IQ test, or super addictive free game? In the (very few) cases I might click through to see more, I then get a consent form, more or less saying that “App XYZ requests access to your Contacts, Photos, Posts, Messages, First Born Child and Bank Account.”

So I was confused about why people were calling it a breach.

Of course, further details are coming to light, and Facebook is currently under FTC investigation. It may emerge that there were legal violations. But from a purely technical viewpoint, I don’t consider it a technical breach. Harvesting data is what Facebook and many other companies do – it’s their business model. Here, profile data was scraped by one or more apps, and consent was provided by users who voluntarily used those apps, and this happened within the technological limits and boundaries in place.

But morally, was it a breach? That’s a different question…

Let’s say that I’m person “A”, and my friend is person “B”, the app developer is “C”, and Facebook is “D”. Let’s say I shared private messages and photos with “B” on Facebook.

If “B”, my friend, clicks “Agree” to use an app from “C”, then that is an explicit acknowledgement that the user is happy for his or her own data to be accessible to some unknown 3rd party – which, in my view, is a very brave move: sharing your life with someone (or, more likely, a company) that you’ve never met. One has to assume that it will be downloaded, mined and stored, even if the original Facebook account is deleted. (Note: GDPR Article 17 will be very welcome.)

I think it’s fair enough; “B” provides that consent to “C”, so the data is fair game.

But how far should consent extend?

As person “A”, I didn’t consent to “C” taking a copy of all messages that I had sent to “B”, or having access to my posts and photos. I have given them to “B”, not “C”. So does “B” have a right to then give copies of that data to “C”? And does “D” have the right to facilitate it?

This raises numerous legal questions, and with laws varying worldwide I’m sure there’ll be different answers.

As a technologist, I really want everyone to realise something.

Facebook is not your friend. It’s a money-making machine, and it makes money by collecting and commercially exploiting your data. No one should be surprised when that data can be used to manipulate our thoughts.

Nor are 3rd party app developers your friend. Especially if the app is free, they’re probably making money by commercially exploiting your data.

Further, data that is posted to Facebook is voluntarily provided by its users. Facebook never forced anyone to use its service or to upload information to it. Every time you visit Facebook, it knows your IP address and connection time. It knows what links you click on, it knows your behaviours, preferences, interests. It’s Big Brother.

Facebook doesn’t force anyone to upload photos or comment on posts. Facebook doesn’t force anyone to use 3rd party apps, or to click on a consent button to share that information with others. It’s voluntary.

It really should come as no surprise to anyone that the data is scraped, harvested, mined, analysed, stored, and can be used to manipulate you.

And once data is “out there”, you have to be prepared for the consequences, good and bad.

It’s not the advertising that I think we should be worried about. It’s all the unintended consequences that should be concerning.

Let’s take an example. Say you’re an avid user of social media, and you also happen to enjoy posting your holiday photos and getting likes and positive comments from your friends. Maybe you’re even careless enough to post photos of your airline boarding passes. Your photos probably contain geo-tags of your location and the date/time of the photo (as Paris Hilton found out when she unknowingly tweeted her home address). This means you’re giving Facebook a history of your movements – information that users know will be used by Facebook and other parties that you consent to share your information with.

But it’s not just Facebook or app developers that can use the data. Let’s say a clever cyber stalker befriends you with a fake account… then suddenly they can see your photos too. And when they see you’re on holidays, they know you’re not at home. That’s very useful information for a thief. (Just ask Paris Hilton.)

With awareness of how our data can be used, I hope individuals can better protect themselves from these situations.

I strongly believe that the only way to have privacy in the age of the cloud is to do several things:

1. Firstly, recognise that using cloud services can easily leak your data – even if legally they shouldn’t. A technological malfunction, like a bug in the cloud provider’s systems, can cause a data breach, or a hacker can compromise your cloud account or a friend’s cloud account. Be careful what information you put out there, and with whom you share it. In the worst case, private data can be made public, as the nude celebrity photo incident revealed.
2. Take control over your own data by using client-side encryption (sometimes called end-to-end encryption). That’s the only guaranteed way to have privacy because you control your own key.
3. Delete unnecessary data in the cloud when it’s no longer relevant. Hopefully over time the data will be deleted off the cloud provider’s systems, and future leaks will be prevented.
4. Pay for data hosting and use only companies with clearly stated data handling procedures. And avoid companies that provide free services. At the end of the day, you can either pay with money, or you pay with your privacy.

If you want complete privacy, you don’t have to live in a cave. Just encrypt everything and keep your keys private. You can still enjoy a lot of the benefits of the cloud, but without the drawbacks. Some good encryption products featuring client-side or end-to-end encryption are:

  • ScramFS and ScramExplorer for encrypted file storage
  • Wire for encrypted instant messaging
  • GPG for encrypted email

Let’s all stay safe.

Origin Energy phishing alert – do not pay any bills until you read this post!

Today I received an email that looked like a bill from Origin Energy.

It looked very authentic – there was good attention to detail, and I’m sure that this will deceive many people.

Do not pay any bill from Origin until you learn how to identify a fake

I’ll cover several ways to spot a fake.

Sign 1: suspicious Pay Now link

Here’s what the email looks like:

When you mouse over the links, most of the links go back to originenergy.com.au, which is Origin Energy’s real website.

However, the View Bill link goes to this address:

https://energyaustralia.info/BillerCode-300000520779


This is the first sign of a fake email – when the most important link (the pay link!) goes to a different website.

However, the crim has done a good job here – Energy Australia is a legitimate entity, and the domain name looks plausible. Many phishing domain names look immediately dodgy (e.g. paypal.deoihgw.com). So this deserved further investigation.

Sign 2: Website

The next thing I do is to visit the website of the domain. Here, it’s obvious that the crim has done a good job. Here’s what the website looks like:

Because it looks legitimate, many people will assume this is real, and then click on the link. However, it’s actually very easy to create a website that looks like the original – simply download all their assets (HTML files, CSS, images) and host it on your own site.

This started to look like a very good fake, so I had to dig deeper.

Sign 3: Free HTTPS certificate

The next suspicious sign is the certificate that was used on the phishing domain. It is a free certificate from Let’s Encrypt – this only guarantees the privacy of the website traffic, not the authenticity of the website owner.

This is important to understand – encryption does not guarantee authenticity.

Sign 4: The giveaway: DNS records

The absolute giveaway is in the DNS record for the website, energyaustralia.info.

Here you can see that the website was registered today (27th March 2018), to an address in China.


In contrast, the actual Origin Energy website is registered to a company in Australia.
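An added example, not code from the original post: a small Python check that automates signs 1 and 4 of the process above. It pulls every link out of a constructed sample e-mail modelled on the one described, flags links whose registrable domain is not the sender’s, and flags a link domain whose WHOIS creation date is within days of the e-mail’s arrival. The sample HTML and the WHOIS date are constructed; signs 2 and 3 (looking at the site and who issued its certificate) still need a human or a separate lookup.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the e-mail described in the post (not the
# real message): the ordinary links point at the genuine domain, the
# "View Bill" link points somewhere else.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your Origin Energy bill is ready.</p>
<a href="https://www.originenergy.com.au/">Home</a>
<a href="https://www.originenergy.com.au/help">Help</a>
<a href="https://energyaustralia.info/BillerCode-300000520779">View Bill</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (link text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain guess: the last two labels, or three when
    the TLD is a two-letter country code under a generic second-level
    label such as 'com.au'. A production tool would use the Public
    Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    generic = ("com", "net", "org", "gov", "edu")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in generic:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_offdomain_links(html, expected_domain):
    """Sign 1: return links whose host is not under the sender's domain.
    Any mismatch deserves a closer look; a 'Pay Now' or 'View Bill'
    link that leaves the domain is the strongest signal."""
    parser = LinkExtractor()
    parser.feed(html)
    return [
        (text, href)
        for text, href in parser.links
        if registrable_domain(urlsplit(href).hostname or "") != expected_domain.lower()
    ]


def newly_registered(whois_created, seen_on, max_age_days=30):
    """Sign 4: a domain registered only days before the e-mail arrived is
    a strong phishing indicator. Both arguments are datetime.date values,
    the first taken from a WHOIS lookup of the link's domain."""
    return (seen_on - whois_created).days <= max_age_days
```

Running `find_offdomain_links(SAMPLE_EMAIL_HTML, "originenergy.com.au")` returns only the View Bill link, and `newly_registered(date(2018, 3, 27), date(2018, 3, 27))` reproduces the same-day registration the post found.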

Conclusion

This is a phishing scam. It looks authentic and is well done, and I expect it will fool many people.

Do not click through on the link, and definitely do not pay any “bills”!

To look for a phishing scam, follow my process above. Please share this post so hopefully no one will fall for this scam.

Here’s How Cybercriminals Stole $100 Million From EU Banks and Vanished Without Trace

A wave of financially-motivated cybercrime has hit European and former Soviet banks to reveal profound security weaknesses in the technology infrastructure that handles transactions and funds worth billions of dollars. But how do we stop the next generation of tech-savvy criminals? What security measures must institutions enact to prevent further hemorrhaging of funds in the wake of escalating attacks? First, let’s analyze what happened and why the criminals were so successful.

Yesterday’s drug mule is today’s cyber-foot soldier

The concept of a ‘mule’ is nothing new. Criminals offer tourists, truck drivers, and other working-class individuals with clean records, citizenship and a passport a quick payday to travel across borders carrying a dubious package they know little about.

Today, hackers use mules to create bank accounts with fraudulent or stolen IDs. The mules then take the legitimate debit cards and pass them on to other mules who later make simultaneous withdrawals from ATMs in other countries.

While the mules perform the legwork and prep for the attack, hackers use targeted phishing scams to plant keylogging software on employee terminals where bank tellers and credit card processors work. Over time, they acquire access to the bank’s network and plant legitimate software like Mipko, a software package used to monitor employee terminals remotely. The minimal use of malware is one of the key reasons why these attacks failed to raise any red flags with the banks involved.

Modern banking institutions are frequently interlinked with third-party credit card processors, allowing hackers to freely move between networks and spy on employees until they get the credentials needed to access and modify the bank’s risk scores and overdraft protection limits. As soon as the online attack happens, mules on standby in numerous countries make simultaneous cash withdrawals from ATMs using the legitimate debit cards issued by the institution. This kind of attack exploits both the logistical weaknesses of ATM infrastructure and the limited ability of law enforcement to track down such a large number of co-conspirators who know very little, if anything, about the actual masterminds.

Hackers then cover their tracks by crashing systems they used and rendering them unbootable, meanwhile the mules disappear with the cash long before authorities have even been notified that a heist is underway. In fact, because of the legal nature of the withdrawals, most banks are completely unaware of the attack until someone notices the spike in ATM traffic hours or days later.
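An added example, not code from the article or from any bank’s systems: detection logic a bank could run over ATM withdrawal records to catch the coordinated cash-out described above. A physical card cannot be used in two countries minutes apart, so the check flags any card withdrawn from in more than one country inside a short sliding window, independent of the amounts (which will look legitimate because the limits were raised). The records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ATM withdrawal records, not real bank data:
# (card id, UTC timestamp, ISO country code, amount).
# C-1001 is cashed out in four countries within five minutes, the
# pattern the article describes. C-3003 is used in two countries
# eight hours apart, which is plausible travel and must not be flagged.
SAMPLE_WITHDRAWALS = [
    ("C-1001", "2018-03-27T01:00:10", "DE", 500),
    ("C-1001", "2018-03-27T01:01:05", "PL", 500),
    ("C-1001", "2018-03-27T01:02:30", "RO", 500),
    ("C-1001", "2018-03-27T01:04:00", "CZ", 500),
    ("C-2002", "2018-03-27T01:00:00", "DE", 100),
    ("C-2002", "2018-03-27T09:30:00", "DE", 60),
    ("C-3003", "2018-03-26T22:00:00", "FR", 200),
    ("C-3003", "2018-03-27T06:00:00", "ES", 200),
]


def parse(record):
    card, ts, country, amount = record
    return card, datetime.fromisoformat(ts), country, amount


def flag_simultaneous_withdrawals(records, window=timedelta(minutes=10), min_countries=2):
    """Return {card: set_of_countries} for every card withdrawn from in at
    least `min_countries` distinct countries within any `window`-long
    span. Uses a two-pointer sliding window over each card's events
    sorted by time, so it runs in O(n log n) over the whole feed."""
    by_card = defaultdict(list)
    for card, when, country, _amount in map(parse, records):
        by_card[card].append((when, country))

    flagged = {}
    for card, events in by_card.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            countries = {c for _, c in events[start:end + 1]}
            if len(countries) >= min_countries:
                flagged.setdefault(card, set()).update(countries)
    return flagged


if __name__ == "__main__":
    for card, countries in flag_simultaneous_withdrawals(SAMPLE_WITHDRAWALS).items():
        print(f"ALERT {card}: withdrawals in {sorted(countries)} within 10 minutes")
```

In practice this alert would also trigger an immediate review of any recent change to the card holder’s risk score or overdraft limit, since that modification is the step that made the withdrawals look legitimate.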

What does this mean for the future of banking?

Thus far, these cyber-attacks have yet to spark a serious change in banking infrastructure because they have yet to affect a rich super-power. However, Trustwave issued an Advanced Threat Report that claims these organized attacks are likely to spread globally over the next few years, increasing both the frequency and intensity of the attacks as the organizers grow in influence and power.

While banks and credit card processors can double down on internal security and in-house training, human error (in the form of falling for phishing scams) remains one of the key weaknesses that hackers exploit—and that isn’t something anyone can just eliminate. Preventing hackers from getting a toehold in the network is a crucial countermeasure, but that doesn’t excuse the lax security on integrated networks that should have multiple layers of authentication, or the ease with which criminals open new accounts with phony or stolen personal information.

The only other option is to limit the functionality of ATMs to the point where it is too time-consuming (and therefore costly) to engage in this kind of heist. However, this will undoubtedly irritate consumers who rarely opt to sacrifice convenience for security.

The Slow Pace of Linux Kernel Updates is a Frightening IoT Security Problem

When patching security holes in the core kernel takes upwards of three years on average from discovery to patch release, it obviously raises concerns. Add in the view of security analysts that the basic approach of the security design is outdated and not responsive when under attack, and the picture grows ever more worrisome. The scenario is alarming indeed when you consider the vast number of devices out there that are exposed to the hacking fraternity and which probably never receive OS updates at all.

Linux drives the majority of the world’s Internet-connected devices. Its open source nature provides a stark contrast to proprietary platforms such as iOS and Windows in the speed of bug fixing and patch development. The security aspects being highlighted in recent debates have a lower impact on servers housed in data centers than they do on exposed devices in the IoT world. The latter is the real cause for concern.

Device manufacturers deploy Linux on everything from digital video recorders to vacuum cleaners. The cost is attractive and it is customizable and scalable. The downside is that native Linux does not offer patch push functionality to devices in the way that, say, Microsoft does. Often derided for many aspects of Windows development, nobody can deny that Microsoft appears to do all in its power to ensure that connected devices receive frequent OS updates and patches. At the same time, a vast number of connected Linux devices may never receive an OS update in their lifetime.

At the core of the problem is the often very poor code quality and risible security of the countless device drivers that vendors add, on top of the disjointed, not-thought-through nature of the IoT landscape. The Linux security kernel faces challenges not of its own making, but which potentially pose a major threat to the Internet itself. Recent massive DDoS attacks launched by botnets of zombie IoT devices generated an unprecedented level of traffic. An attack measured at over 600 Gbps raises the possibility that even bigger attacks may be possible. Those traffic levels can swamp the routers that connect the Internet’s backbone with its spokes.

Manufacturers and vendors must take a share of the blame for failure to develop code that at least attempts to provide adequate security protection. One senses that the quick buck mentality overrules the genuine need to make drivers and the like robust enough. Of course, there is no money in building security features into vacuum cleaner device drivers. Only attractive functionality might increase the bottom line. Developing security aspects is a cost that may not be justifiable in the boardroom.

Criticism has been levelled at Linus Torvalds and the Linux community for taking a bug fixing approach rather than overhauling the security kernel design. Torvalds is infamous for his tendency to drive his own path forward and ignore arguments for change that potentially have merit. The security debate may be the single biggest challenge to his authoritative approach since 1991 when Linux was first released. Architecture that is 25 years old was not designed to cope with security demands and ever increasing hacking threats of 2016. It does appear that the time has come for a major rethink that will adequately cope with the nature and shape of foreseeable threats of the next 25 years.

IoT CCTV Devices Harvest the Biggest DDoS Ever Recorded

Security experts have long assessed the IoT (Internet of Things) as being a hacker’s paradise in its current format. Last week saw the biggest DDoS attack ever recorded, in terms of hostile traffic bandwidth. French web host OVH was the victim. DDoS attacks have been around for a long time in Internet terms. What is startling about this and at least one other recent attack is that the hostile botnets did not consist of infected PCs but of cameras, digital video recorders and other devices. About 150,000 of them at its peak.

The significant weakness of the IoT is that each and every connected device presents an attack surface. Any device that is connected to the Internet is a potential victim of hacking and hostile takeover, as major corporations are only too well aware. The growth in real life IoT networks is racing ahead of development of adequate security protection for their component parts. There are literally millions of Internet-connected devices that hackers can potentially harvest into zombie networks.

The devices involved in the OVH attack were capable of generating traffic totaling an estimated 600 Gbps when combined. This level of usage threatens to significantly disrupt the Internet for other users. Theoretically, multiple botnets with that capability could “break” the Internet in a geographical region by rendering it so slow as to be practically unusable. Even a 300 Gbps flow may be enough to put at risk the heavy duty routers that connect the backbone and spokes of the Internet.

At issue is the sheer number of inadequately secured devices out there. The primary sources of a botnet DDoS attack on the website of security writer and independent journalist Brian Krebs in Jan 2015 were home routers. The attack was so heavy and prolonged that the DDoS mitigation service of his web host Akamai could not cope over a sustained period. Back then, Krebs predicted that even CCTV cameras were potential zombies. That scenario came true in 2016 with a botnet attack from 25,000 of them.

There is no single solution that will protect all devices from hacking attacks. The most obvious and basic one is for users to change the default access credentials. For most home routers and connectable devices, the factory setting is admin/admin for user name and password. Users are also expected to apply frequent updates and patches to less-than-robust firmware. However, there is such a large percentage of homeowners who are simply either unaware or not technically competent, or both, that the onus must lie with vendors.

Not only that, but owners have no way of knowing if their devices have been compromised. Unlike PCs, laptops and mobile devices, there is no established practice of users hardening security on the majority of dumb-terminal devices. Until progress is made in this critical area of security, the IoT is the soft underbelly of the connected landscape. Devices are manufactured and supplied to perform a function. That is akin to having authority but no responsibility – having the capability to utilize the Internet while security is seen as being somebody else’s problem. This is the attitude that must be changed.

Street Fighter V Gives Killer Punch to User Security

The latest version of Capcom’s Street Fighter V for Windows includes an update that installs an unpublicized rootkit. The company claims it is intended to prevent players from cheating but its poor design allows any installed software to access the rootkit. It is an open back door to full kernel privileges and provides the capability to take over the user’s machine. A hacker’s dream.

What is a rootkit?

The term Rootkit comes from the Linux world where Root is the equivalent of Administrator in Windows. Users or components with this level of authorization have godlike powers over the device to more or less do anything that pleases them. Kit signifies a toolkit of utilities that can perform a range of tasks as the controller of the rootkit demands.

A rootkit is not necessarily malevolent of itself but is generally considered to be cloaking malware, or potential malware at least. Hackers use them to conceal their activities and to run stealth applications such as botnet stations in a DDoS attack, keyboard loggers and spam relays. A decade ago, Symantec, vendor of Norton Utilities, debated the true definition of the term and when rootkits are legitimate.

What happens next?

Capcom tweeted that they are backpedaling on that initiative and rolling back those “security measures”. It is difficult to reconcile the concept of security with the release of such a potentially damaging rootkit and does bring into question the decision making process within the Capcom software engineering division. The action delivered a big negative hit to the company’s reputation.

It’s not the first time that a big name software vendor resorted to deploying a variety of rootkit as a means to address a legitimate objective. As well as Symantec, Sony was the original offender that brought the issue into public awareness in the first place in its messy music anti-piracy move.


Symptoms of rootkit infection

Because they operate at the lowest level on a device and implement cloaking measures, users may be unaware of the presence of a rootkit. Symptoms may reveal themselves only while the rootkit is actively operating. Screen components, such as the taskbar or system tray, may disappear. General slowness is a good indicator. Malware that generates network traffic, such as spam relays and DDoS configurations, may cause a user to think that “the Internet is slow today”. There is no one signal that definitively indicates the presence of a rootkit.

How to defend against rootkits

The obvious first step, which all computer users should by now adopt as a normal routine exercise, is to keep anti-virus systems up to date. This presents a difficulty for the older generation, whose devices present a rich picking ground for hackers. However, once installed, all anti-virus applications automatically check for and install the latest updates.

More security conscious users will find a variety of rootkit detection and removal tools online to add an extra layer of defense. The quandary is – just because the tool detects the rootkit while it is running, can it identify the source in a corrupted firmware module, for example? Malware rootkit authors are extremely clever and ingenious in devising the mechanisms to install and launch their tools. Rootkits come in a wide variety of guises and the only sure way to remove them is to strip the device and start with a clean software build.

Hackers Take Control In 2014

If we didn’t know it before, we definitely did by the end of 2014: hacking and cybercrime are on the rise, and all of us are at risk.

From the nude photos of Jennifer Lawrence, to Sony’s private staff emails, to stolen credit card details, 2014 was filled with some of the biggest and most worrying hacking events we have ever seen.

To find out more click here for International Business Times.

What Can A Hacker Learn In 20 Minutes?

Public wifi is not safe and neither is it secure. As an experiment, one journalist took a hacker to a café to see just what damage he could do by hacking into the public wifi.

Within 20 minutes the hacker knew the names, passwords and personal lives of almost everyone around them. He knew everything from people’s sexual orientation to their Google searches.

To find out more, click here for the full article by Maurits Martijn.

Most Used iCloud Passwords

After the iCloud hacking scandal, Apple introduced a two-step login process designed to stop brute force attacks (attacks where hackers try to guess your password). However, as expected, hackers soon found a new tool to overcome this problem.

The chances of hackers being able to brute-force their way into your iCloud account are significantly higher if you use one of these commonly used passwords.

To find out more click here for full story at Gizmodo.

Sony’s Hacked Emails Expose Internal Drama

The Sony servers were hacked at the end of 2014, exposing employees’ private work emails and personal information, gender pay gap problems, and some of the juiciest and most damaging Hollywood gossip ever revealed to the public.

It has been speculated that North Korea was responsible for the hacking, possibly in response to the upcoming movie, The Interview, starring Seth Rogen and James Franco. The fictional plot is about a fictional CIA mission to assassinate North Korea’s leader, Kim Jong Un. However, there are a number of experts who do not believe that the hacking was North Korea’s doing.

To find out more click here for Washington Post.