Category: Facebook
In February this year, Check Point researchers revealed that a new malware named ‘Ducktail’ was after the Facebook (FB) employees who take care of ad campaigns, and that its motive was to take hold of the direct payments made to them by customers or to hijack the ad campaigns to place its operators’ own advertisements.
Now, a new campaign of a similar type has emerged on the dark web, and it goes a step further in malevolent behavior: it has been found stealing browser data, currency from cryptocurrency wallets, and credentials related to FB accounts.
Because these malicious campaigns are hosted as ZIP archives on various file hosting providers and use a PHP script, they are hard to detect.
The campaign’s operation is simple: lure the victim with flashy ads for X-rated content, subtitle files (SRT), games, or cracked MS software. When the victim clicks such files, malware installs in the background in the guise of a fake application and starts operating without the knowledge of the device’s user.
Now, the big question: how to avoid falling prey to such malware?
a.) It’s simple: never click on links that have flashy ads and those which are not convincing at all; especially the ones posted on various social media platforms, including LinkedIn.
b.) Avoid downloading content such as music, image, and video files from websites that have been red-flagged.
c.) Secure your device with anti-malware solutions.
d.) Keep your data backed up so that it can be restored in time when required.
e.) Be vigilant while signing up for ad campaigns.
The post Facebook Ad Campaigns hit by Malware appeared first on Cybersecurity Insiders.
Long and interesting interview with Signal’s new president, Meredith Whittaker:
WhatsApp uses the Signal encryption protocol to provide encryption for its messages. That was absolutely a visionary choice that Brian and his team led back in the day - and big props to them for doing that. But you can’t just look at that and then stop at message protection. WhatsApp does not protect metadata the way that Signal does. Signal knows nothing about who you are. It doesn’t have your profile information and it has introduced group encryption protections. We don’t know who you are talking to or who is in the membership of a group. It has gone above and beyond to minimize the collection of metadata.
WhatsApp, on the other hand, collects the information about your profile, your profile photo, who is talking to whom, who is a group member. That is powerful metadata. It is particularly powerful—and this is where we have to back out into a structural argument for a company to collect the data that is also owned by Meta/Facebook. Facebook has a huge amount, just unspeakable volumes, of intimate information about billions of people across the globe.
It is not trivial to point out that WhatsApp metadata could easily be joined with Facebook data, and that it could easily reveal extremely intimate information about people. The choice to remove or enhance the encryption protocols is still in the hands of Facebook. We have to look structurally at what that organization is, who actually has control over these decisions, and at some of these details that often do not get discussed when we talk about message encryption overall.
I am a fan of Signal and I use it every day. The one feature I want, which WhatsApp has and Signal does not, is the ability to easily export a chat to a text file.
Meta, the parent company of Facebook, has disclosed that it has disabled thousands of fake social media accounts that derailed and influenced the US elections by taking sides on ‘hot button’ issues such as threats to national security, high school classes on gun usage and violence, and gay and abortion bills.
The matter came to light when Ben Nimmo, the Chief of Global Threat Intelligence, acknowledged the issue to be true and added that the White House will do everything to avert digital assaults on the mid-term elections to be held this November.
However, Mr. Nimmo added in the press briefing that his analysts are yet to get confirmation from intelligence on whether the government of China was involved in the campaign or whether it simply originated in China.
Meanwhile, Meta has also stated in one of its statements that it has weeded out nearly 2,300 fake accounts that were spreading disinformation about the invasion of Ukraine.
Interestingly, the sophisticated campaign came after £100,000 was spent to create content on several fake websites trumpeting the Kremlin’s talking points and highlighting points that directly threaten the West.
What’s more interesting about the campaign is the fact that both China and Russia are busy creating thousands of bots across the world and are planning to launch DDoS attacks on the critical infrastructure of nations supporting Volodymyr Zelenskyy and his country’s populace. The analysis also revealed that the Killnet hacking group has been assigned to disrupt the mid-term elections, and so might come up with some digital assault tactics by October this year to influence the American public to vote down Biden and his team.
The post Facebook Meta neutralized China and Russian bot attacks on US Elections appeared first on Cybersecurity Insiders.
This is from a court deposition:
Facebook’s stonewalling has been revealing on its own, providing variations on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In the March 2022 hearing, Zarashaw and Steven Elia, a software engineering manager, described Facebook as a data-processing apparatus so complex that it defies understanding from within. The hearing amounted to two high-ranking engineers at one of the most powerful and resource-flush engineering outfits in history describing their product as an unknowable machine.
The special master at times seemed in disbelief, as when he questioned the engineers over whether any documentation existed for a particular Facebook subsystem. “Someone must have a diagram that says this is where this data is stored,” he said, according to the transcript. Zarashaw responded: “We have a somewhat strange engineering culture compared to most where we don’t generate a lot of artifacts during the engineering process. Effectively the code is its own design document often.” He quickly added, “For what it’s worth, this is terrifying to me when I first joined as well.”
[…]
Facebook’s inability to comprehend its own functioning took the hearing up to the edge of the metaphysical. At one point, the court-appointed special master noted that the “Download Your Information” file provided to the suit’s plaintiffs must not have included everything the company had stored on those individuals because it appears to have no idea what it truly stores on anyone. Can it be that Facebook’s designated tool for comprehensively downloading your information might not actually download all your information? This, again, is outside the boundaries of knowledge.
“The solution to this is unfortunately exactly the work that was done to create the DYI file itself,” noted Zarashaw. “And the thing I struggle with here is in order to find gaps in what may not be in DYI file, you would by definition need to do even more work than was done to generate the DYI files in the first place.”
The systemic fogginess of Facebook’s data storage made answering even the most basic question futile. At another point, the special master asked how one could find out which systems actually contain user data that was created through machine inference.
“I don’t know,” answered Zarashaw. “It’s a rather difficult conundrum.”
I’m not surprised. These systems are so complex that no humans understand them anymore. That allows us to do things we couldn’t do otherwise, but it’s also a problem.
EDITED TO ADD: Another article.
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.
Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.
Facebook has responded by encrypting the entire URL into a single ciphertext blob.
Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
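As an added illustration (not code from Firefox, Brave, or the quoted article), the sketch below shows name-based URL stripping and why it has nothing to act on once the identifier is folded into an opaque token. The parameter list, URLs, and token are constructed for the example and are not any browser's actual strip list.

```javascript
// Illustrative strip list (assumption): real browsers maintain their own lists.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "mc_eid"]);

// Remove query parameters whose *name* is on the strip list.
// Returns the cleaned URL and the names that were removed.
function stripTracking(input) {
  const url = new URL(input);
  const removed = [];
  // Snapshot the keys first: deleting while iterating searchParams skips entries.
  for (const key of [...new Set(url.searchParams.keys())]) {
    // Case-insensitive match is a choice made for this example.
    if (TRACKING_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  return { url: url.toString(), removed };
}

// Constructed sample 1: identifier carried in a named query parameter.
const NAMED = "https://www.facebook.com/example/posts/123?fbclid=CONSTRUCTED&ref=share";

// Constructed sample 2: the whole address is one opaque token in the path.
// There is no parameter name to match, so the stripper cannot tell which
// part (if any) identifies the post and which part identifies the user.
const OPAQUE = "https://www.facebook.com/example/posts/CONSTRUCTEDOPAQUETOKEN0123";

// Summarise what the stripper could do for each sample.
function demo() {
  return [NAMED, OPAQUE].map((u) => {
    const r = stripTracking(u);
    return {
      input: u,
      output: r.url,
      changed: r.url !== u,
      removed: r.removed,
    };
  });
}

for (const row of demo()) {
  console.log(row.changed ? "stripped " : "unchanged", row.output, row.removed);
}
```

A stripper that finds nothing to remove gets the same result for a clean URL and an opaque one, so the absence of known parameters is not evidence that an address carries no tracking.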