At a glance.
- Password users behaving badly.
- Implications of the Facebook data dump.
- Sidestepping Apple privacy policies.
- Crooks mistreating other crooks.
- Comment on the LinkedIn data scraping incident.
Passwords: out of sight, out of mind. (And out of control.)
There’s a battle raging between two conflicting forces: the need for secure passwords, and the frailty of human memory. The LastPass Blog explores the results of a recent survey they conducted on two thousand Americans and their password habits. While 70% feel they have too many passwords to remember, on average they reuse the same password across six sites. And with the surge in remote work meaning most individuals need to access various accounts on multiple devices, 65% experience anxiety when they realize they’re using a device that doesn’t have the password they need. SiliconANGLE notes that, according to the Workplace Password Malpractice Report, 62% of US employees write their passwords down on a piece of paper. TechRadar adds that a whopping 81% store that piece of paper right next to the device the password is meant to protect, and 67% admit they don’t even know where that paper is. Nearly half store their passwords in an unprotected document in the cloud, and troublingly, nearly two-thirds have shared a password with someone via text or email.
What does the Facebook data leak mean for Facebook users?
Now that the Facebook data leak is front-page news, the big question has become, what can users do if they fear they’re among the half-billion individuals exposed? Forbes explores the difficulty of trying to protect oneself in this type of situation. If it were just passwords that were exposed, changing login info would be an easy fix. But these hackers leaked data like names, birthdates, and addresses -- things that are difficult to change on a whim -- and all for free.
CyberNews shares the views of several industry experts. “Putting it out for free also provides some cover should anyone try to trace the stolen data back to its source. Yet another explanation could be that a competing criminal element or other entity put the data out there to demonetize it and take value away from the criminals,” said Stel Valavanis, CEO of onShore Security.
It’s difficult for victims to protect themselves if they don’t know if they’ve been exposed, and Facebook has openly stated that they’re making no effort to inform the victims, leading some insiders to question whether Facebook cares about protecting its users at all. “The reason Facebook most likely will not do more is because it goes against their business plan. When revenue is tied to user’s posts, friends, likes, and personal interests, it is difficult to tell the end-user that they shouldn’t be sharing all of that,” explained Ryan O’Ramsay Barrett, CEO of ORAM Corporate Advisors.
So what can users do? Aaron Barr, CTO at PiiQ Media, advises, “Use proper digital hygiene...Do searches for your name, your email addresses, or use a service to do this for you to help understand what is publicly accessible.” Paul Bischoff, a privacy advocate from Comparitech, adds, “Never click on links or attachments in unsolicited messages...Consider changing your phone number or use a call screening app.” But, Bischoff adds, the fact is that Facebook’s business model hinges on monetizing user data, and it’s up to users to protect themselves. “One would hope that market sentiment would turn against Facebook, and users would leave of their own accord if they are truly concerned about data privacy and security. But we have not seen that happen on a large scale yet.”
Procter & Gamble testing new ad tracker to side-step Apple’s policies.
Consumer goods leader Procter & Gamble (P&G) is involved in a trial taking place in China to test a new targeted advertising technique that could bypass Apple’s new user privacy policies, the Wall Street Journal reports. Apple recently announced it will be rolling out a software update that would allow app users to choose whether they want their device activity to be tracked by other companies, giving users more autonomy in their privacy settings. The new technology P&G is testing, called device fingerprinting or CAID, gathers user device data like model, country, language and IP address, most of which is not considered “personal” info based on China’s information security standard. This data is then used to create a device ID which will achieve a similar tracking effect as the identifier that Apple is allowing users to avoid. P&G says the goal of CAID is to “deliver useful content consumers want in a way that prioritizes data privacy, transparency and consent. That means partnering with platforms and publishers—both directly and through our advertising associations across the globe.” TikTok parent company ByteDance Ltd. and Tencent Holdings Ltd., who own some of the most popular apps in China, are also involved in the trial, as well as accounting firms Deloitte LLP and PricewaterhouseCoopers and ratings company Nielsen Holdings PLC.
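To make the mechanism concrete, here is an added illustration (not P&G's, CAID's, or any vendor's code) of why a fingerprint built from device attributes is unaffected by Apple's tracking opt-out, and why it is a weaker identifier than the one it replaces. The device records, field names and values are constructed for this example and are not CAID's actual schema; opting out is modelled as the advertising identifier being zeroed, which is what iOS returns when tracking is not authorised.

```python
import hashlib
from collections import Counter

# Constructed sample of device attribute records. Field names and values are
# assumptions made for this illustration, not CAID's real schema.
DEVICES = [
    {"idfa": "A1B2-0001", "model": "iPhone12,1", "country": "CN", "language": "zh-Hans", "ip": "203.0.113.10"},
    {"idfa": "A1B2-0002", "model": "iPhone12,1", "country": "CN", "language": "zh-Hans", "ip": "203.0.113.10"},
    {"idfa": "A1B2-0003", "model": "iPhone13,2", "country": "CN", "language": "zh-Hans", "ip": "203.0.113.11"},
    {"idfa": "A1B2-0004", "model": "iPhone12,1", "country": "CN", "language": "en",      "ip": "198.51.100.7"},
]

# The attributes named in the article: model, country, language, IP address.
FINGERPRINT_FIELDS = ("model", "country", "language", "ip")

# Value iOS hands an app for the advertising identifier when tracking is not authorised.
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"


def fingerprint(attrs: dict) -> str:
    """Derive a device ID from non-identifier attributes only.

    The advertising identifier (idfa) is deliberately not part of the input,
    which is exactly why Apple's opt-out prompt has no effect on the result.
    """
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def survives_idfa_opt_out(attrs: dict) -> bool:
    """True if the fingerprint is unchanged after the user declines tracking."""
    opted_out = {**attrs, "idfa": ZERO_IDFA}
    return fingerprint(attrs) == fingerprint(opted_out)


def changes_on_network_move(attrs: dict, new_ip: str) -> bool:
    """True if a different IP address yields a different fingerprint.

    This is the identifier's weakness for the tracker and a partial mitigation
    for the user: the ID drifts whenever the device changes network.
    """
    return fingerprint(attrs) != fingerprint({**attrs, "ip": new_ip})


def collision_report(devices: list) -> dict:
    """Map each fingerprint to how many distinct devices share it.

    Counts above 1 show how little entropy these attributes carry: two
    different phones on the same network become indistinguishable.
    """
    return dict(Counter(fingerprint(d) for d in devices))


if __name__ == "__main__":
    for d in DEVICES:
        print(d["idfa"], fingerprint(d), "survives opt-out:", survives_idfa_opt_out(d))
    print("collisions:", collision_report(DEVICES))
```

The two devices on the same network with the same model and language collapse to one ID, which is the trade-off such schemes accept: the identifier cannot be revoked by the user, but it is also far less precise and less stable than the per-device identifier Apple now lets users withhold.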
You reap what you sow.
Users of cardshop Swarmshop, an underground market for stolen payment data, got a dose of their own medicine. Security Affairs reports that threat intelligence firm Group-IB discovered a database containing Swarmshop admin, seller, and buyer data -- including hashed passwords, contact details, and activity history -- was leaked on another underground forum. In addition, the database revealed stolen data being traded on the site, including payment card records from banks in countries like the US, Canada, the UK, China, and Singapore, as well as US Social Security Numbers and Canadian Social Insurance Numbers. “While underground forums get hacked from time to time, cardshop breaches do not happen very often,” said Dmitry Volkov, CTO of Group-IB. “Although the source remains unknown, it must be one of those revenge-hack cases. This is a major reputation hit for the card shop as all the sellers lost their goods and personal data. The shop is unlikely to restore its status.”
Comment on the dump of data scraped from LinkedIn.
Javvad Malik, Security Awareness Advocate at KnowBe4, sent us some comments on the incident in which data scraped from hundreds of millions of LinkedIn profiles appeared for sale in the criminal underground:
"Anti-scraping technology and techniques have been well established for quite some time, so it's a surprise that the alleged scraping of content wasn't detected and picked up. The saving grace, to a degree, is that this all appears to be publicly-accessible information. So, while it may not disclose anything that could not have already been obtained, having all the information in one repository does make it very useful to attackers.
"LinkedIn is already one of the most impersonated brands when it comes to phishing, and having access to such a treasure trove of information can help facilitate convincing phishing and social engineering attacks.
"Users should always be wary of emails which appear to originate from LinkedIn or other social media networks, and rather than following links, navigate directly to the website to read any messages or to respond to notifications."