Posts

Data Talks Newsletter – April 19, 2019

In response to feedback from our online digital security course and talks, DataShift has released the monthly “Data Talks” newsletter that looks at recent digital security headlines and links the stories to everyday behaviors. If you are interested in getting the next newsletter in your inbox, please e-mail DataShift [at] CIVICUS.org with the subject line: Subscribe Data Talks.

HEADLINE: Facebook 3rd Party Application

News broke out that over 540 million Facebook records, collected by third parties applications were found to be easily accessible and unsecured, and it took security researchers quite a while to remove the exposed data.

What does it mean for me?

Twenty-two thousand logins and passwords from the third party Facebook application, “At The Pool” were exposed. This situation creates specific risk to unauthorized Facebook login only if you’re reusing the same password for Facebook itself. Other Facebook data leaked was mostly comments, likes, reactions, account names and so on. While the leaked data is a huge privacy problem, the overall security concern may not be as critical as one may think from the alarming headlines.

There are two lessons from this story: keep your passwords unique for each important account and keep third-party applications in your accounts in check because all data and permissions you’re giving them is out of Facebook’s and your control.

HEADLINE: Secret Service Agent

Another story in the news is about the reckless behaviour of the US President’s Secret Service agent who put a confiscated USB drive into his computer, which triggered file installation. His action got a lot of deserved criticism from the infosec community.

What does it mean for me?

Never put an unknown USB in your device, especially if you don’t have full-time tech support to make sure your laptops and PCs are configured correctly and receive timely security updates. Many types of malware are distributed this way and in some cases, the malware can start working without your action or even warning from the system.

HEADLINE: Microsoft Customer Support Tool

And the last but not least – hackers were able to have to get unauthorized access to a number of Outlook, Hotmail and MSN private e-mail accounts using a vulnerability in Microsoft’s customer support tool. It seems that hackers were able to read at least some of the compromised email content.

What does it mean for me?

If you or your organisation is using a paid, enterprise account – these accounts definitely were not affected by this vulnerability. If you’re using a private email account, these accounts probably were not affected unless you’ve got breach notification letter from Microsoft. The company stated that the vulnerability was fixed and compromised credentials disabled.

MERE MORTALS TECH SPEAK: Third-party app

A third-party app is an application created by a someone that isn’t the owner of the website that offers it. Facebook, Google and many other platforms permit many apps that they did not develop to function on their websites. Nowadays users are explicitly asked to give permission to those apps in order to grant them a varying level of access to their accounts. Some of the third party apps may be extremely useful, some of them just fun and some may pose a significant security risk to your data.

Why do I care?

It’s important to remember, that platforms (like Facebook and Google) don’t have control over owners and developers of those apps nor the data they gather from your account.

What can I do?

The rule of thumb in handling third-party apps is to delete or disable every third-party app which you either:

  • don’t know
  • don’t need
  • don’t use for more than a month or two

Where can I check?

You may check what applications have access to your Facebook account go to https://www.facebook.com/settings?tab=applications.