February 26, 2019

Facebook apps secretly sending sensitive data back to the mothership

By Lisa Vaas

A trio of privacy earthquakes shook Facebooklandia on Friday.

TL;DR: It turns out that…

  1. Eleven third-party apps are sharing our sensitive data with Facebook. Don’t want the network to know when you menstruate? The purchase price for that house you ogled? Tough. News about the oversharing came from the Wall Street Journal [paywalled] on Friday, and as a result…
  2. New York’s governor called on two state agencies to investigate this “secret” sharing of health and financial data, which apparently violates Facebook’s own policies, and which is reportedly done to both non-Facebook users and non-logged-in users, without much by way of explicit user consent. Meanwhile…
  3. 60 pages of un-redacted legal documents from a lawsuit between Facebook and app developer Six4Three were anonymously posted on GitHub. The documents haven’t been independently confirmed, The Guardian reports, but Facebook hasn’t denied their authenticity. The internal emails reveal that Facebook planned to spy on Android users and that Facebook itself had what it called a near-fatal brush with a data privacy breach when a third-party app came close to disclosing its financial results ahead of schedule.

To get to the bottom of the WSJ’s findings about the blabby apps, New York Governor Andrew Cuomo said that he’s putting multiple agencies to work on the matter.

If the WSJ’s investigation proves to be accurate, and if those freshly leaked internal emails from Six4Three prove authentic, it’s going to paint an even uglier picture of Facebook post-Cambridge Analytica, governmental investigations and fines

Read more at https://nakedsecurity.sophos.com/2019/02/26/facebook-apps-secretly-sending-sensitive-data-back-to-the-mothership/

Mozilla fears encryption law could turn its employees into insider threats

By Danny Bradbury

Mozilla has told the Australian government that its anti-encryption laws could turn its own employees into insider threats.

The Mozilla Corporation, which is the arm of the Mozilla Foundation that develops and maintains its software, made the striking warnings in a letter to the country’s government last week.

The letter, written to the Parliamentary Joint Committee on Intelligence and Security, criticises the country’s controversial Telecommunication & Other Legislation Amendment (Assistance & Access) Act of 2018 (TOLA).

TOLA is Australia’s attempt to provide the government with access to encrypted communications. It enables the authorities to ask technology companies nicely for help decrypting a user’s communications, using an order called a technical assistant request (TAR). If they are technically able to help but don’t want to, the government can force them to with an order called a technical assistance notice (TAN).

What about companies that don’t want to help and say that they couldn’t anyway because their own technology stops them from giving up customer communications? In this case, the law allows the government to issue a technical capability notice (TCN). This forces the company to alter its systems to make them more, um, co-operative.

Read more at https://nakedsecurity.sophos.com/2019/02/26/mozilla-aussie-employees-could-pose-a-threat-under-anti-crypto-law/

Android nudges passwords closer to the cliff edge with FIDO2 support

By Lisa Vaas

The passwordless web came a billion devices closer to reality on Monday when the Fast IDentity Online (FIDO) alliance announced an update to Google Play Services that brings FIDO2 certification to roughly half of all Android devices available today.

Specifically, the alliance said that any compatible device running Android 7.0+ is now FIDO2 certified out of the box or after an automated Google Play Services update.

This will allow users to log in to websites and apps that support the FIDO2 protocols by using their devices’ biometric readers – such as fingerprint or facial recognition. Alternatively, they can log in with other forms of authentication that are compatible with the FIDO2 specification, such as YubiKeys or Titans, which are Google’s own Bluetooth-based version of Yubico’s hardware-based security key.

Releasing the FIDO2 update through the automated Google Play Services feature means that it should be a pretty frictionless security boost. Manufacturers don’t have to adapt their devices or, really, do anything. That should make the security upgrade easier to get users to adopt, in contrast to two-factor authentication (2FA).

Read more at https://nakedsecurity.sophos.com/2019/02/26/android-nudges-passwords-closer-to-the-cliff-edge-with-fido2-support/


Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation