privacy – Fabella Security

Antivirus Program Runs Afoul

Posted on January 31, 2020February 1, 2020 by Greg Price in Articles

This article was originally published in The Troy Messenger on January 31, 2020.

The internet is riddled with all sorts of wickedness. The opportunity to encounter malicious content is ever-present. Protecting our technology and digital presences is a matter of necessity. Quite often, the most frequent tool to assist with protection is an anti-virus application.

If you’re not running an anti-virus program on a modern computing device, it’s likely you’re either playing with fire, or, a very lucky person – in either case, it’s only a matter of time before the would-be bad actors reach success and infiltrate your devices with some virus or malware. I’ve written extensively on the importance of protecting devices, updating software and maintaining a healthy dose of skepticism about “apps”.

However, it’s with a heavy heart that I inform you of a substantial issue with a common, and, free antivirus tool: Avast.

I suppose we shouldn’t be too shocked that trusted software can serve duplicitous roles. You all have read of reported issues with other security tools sharing information via clandestine avenues with shadowy organizations. So, let’s add Avast to the list of protective software accused of deceptive tactics.

Avast is well-known and loved. Since 2017, Avast has been the most popular anti-virus vendor on the market. The company holds the largest share of the market for anti-virus applications. I’ve suggested it for many years, in fact, I use the tool. Well, I suppose I should say, I used the tool until recently…

Earlier this week, an investigative report revealed that the Avast anti-virus platform was collecting personal data from its enormous user base and selling the collected personal data to third-parties.

The accusation sent waves through the security community. Such a violation of trust by a provider of software anchored in trust was incorrigible. I was both angered and disappointed.

There’s a reason why the endpoint protection axiom is shouted from the rooftops of every cybersecurity manual: it works. Protect the endpoint, the end-user device, and your defenses are strengthened. Neglect the endpoint and you will suffer the perils of the internet-connected world.

So, what happens when the good guys are suddenly exposed as supposed bad guys?

The trust relationship erodes quickly.

If my anti-virus program fails, that’s a big deal. If I update the application frequently, scan my device intensively and discover that my computer is littered with a variety of badness, I will doubt the product, the company’s ability to deliver on their promise: protect me.

But, what are your concerns about an anti-virus company that protects you while simultaneously spiriting away personal data in the background? Is a moral conundrum afoot?

As an aside, please review every social media platform article I’ve written. But, back to Avast.

The harvesting of personal data is the claim via an investigation by Motherboard and PCMag.

Documents reveal that Avast has been purposefully collecting data from customers for years. A subsidiary company of Avast, called Jumpshot, served as the intermediary for the sale of the data.

What types of data, you ask?

Well, for starters, web browsing history.

Yeah, pause for a moment and think about that. Your anti-virus program protects your device from badness, while peaking over your shoulder. All of those clicks, those websites have been bundled and sold.

Included among the web browsing history are shopping and search engine queries.

The report indicated that some of the biggest companies in the world paid millions of dollars for the data.

One option offered within the data was something referred to as “all clicks feed”. The option tracks all web clicks and interactions with websites with an incredible degree of both accuracy and completeness.

In one example described in the investigative report, a user was observed visiting pornography sites. Not only were the pornography sites listed, but, every click on the sites, every search on the sites, and how the user located the pornography site were included among the datasets.

The report revealed that the data was anonymized: personally identifiable features were not included among the data. But, given the extent of the intrusion, it’s not hard to imagine that data exists somewhere.

So, what do you do?

According to several reports, simply installing Avast doesn’t necessarily equate to an invasion of privacy. A specific browser plugin, suggested by Avast, appears to be the key to the data harvesting efforts. The plugin is offered as a way to protect against cyberattacks and unauthorized connections from dubious web servers and traffic. If the browser extension, plugin isn’t installed, it’s likely that your data hasn’t been pilfered.

Avast’s initial response to the report was weak. They didn’t deny the operation, instead, they simply indicated that the data had been anonymized, bundled within large datasets, and can’t be used to personally identify or target a specific user.

While the statement appears to be technically true, Avast assigned an identifier as a substitute for a personally-identifiable attribute. The assigned identifier persists on your device unless you uninstall the Avast anti-virus product.

However, in the world of big data, when large datasets are combined, the opportunity to specifically identify an individual increases greatly. A collection of anonymized data in the right hands can be reassembled with other “known” data and a clearer picture of the user brought into focus.

On January 30, 2020, Avast announced that they would close Jumpshot and issued an apology.

So, what should you do?

Consider another product. If you’re a Windows user, use Windows Defender. The tool is robust, runs intimately with the operating system and is updated very frequently.

In the meantime, read those software agreements thoroughly and be safe!

Hello Facebook

Posted on November 18, 2019 by Greg Price in Articles

Facebook’s business model is based heavily on the collection and sale of user data.

Fostering digital “friendships” and promoting likes are some of the beguiling tools used to keep you clicking and browsing your feeds – maintaining engagement equals income for Facebook.

Despite Facebook and its leader’s claims to value online privacy, the continued issues and perplexing security conundrums suggest the company is struggling to maintain a positive image.

In 2018, following the Cambridge Analytica debacle, Facebook promised to restrict developer access to user data. Recent announcements by Facebook suggest the new privacy policies haven’t been applied to every developer – possibly over one-hundred application designers continue to have access to the personal data of users in Groups.

Data harvested by the developers include names, profile photos, phone numbers and Facebook reactions, such as your “likes “. According to Facebook, despite the neglect and continued release of the data, the data hasn’t been abused or used inappropriately – trust me, I’m from Facebook. Who knows if the data has been misused, most don’t know it’s being used by other firms.

The incredible irony in these continued abuses is Mark Zuckerberg’s statement that “the future is private”. Is the statement dishonest or the result of poor engagement?

Here’s a simple fact. If you use Facebook, your data is being sold. Stop, don’t argue, don’t venture any further. That’s Facebook’s primary source of income. After all, you are allowed to use Facebook for “free”.

This week’s latest Facebook controversy involves a bizarre issue on the Facebook app for Apple iOS.

When you look at an image or video within the Facebook app, the Apple device’s camera activates on its own, for no known reason. When the issue was reported, nobody had any idea why the app opened the camera.

When you open a photo within the app, swipe down and you will see that your phone’s camera is running live in the background. Why?

Facebook has corrected the issue through a hastily-delivered fix to the Apple App store. Simply visit the App store and download the latest version of the app.

The very peculiar thing for me, when I tested the app on a lab phone, was not once did the Facebook app ask for permission to launch the camera app. At first, I thought the issue was a design intent that presented an impersonated camera interface or maybe a quick include to launch the camera interface rapidly. However, I moved the phone and the surroundings changed – the camera was live.

I could not reproduce the problem on an Apple device running an older version of the iOS; only the latest version, 13.2.2 presented the problem.

I haven’t noticed a formal notice of the issue from Facebook, simply the push of a new version of the app that appears to resolve the matter.

Was the problem the result of buggy software?

Maybe.

If you’re running the latest version of Apple iOS, you have a few options.

First, delete the Facebook app.

Not only will you resolve the current camera problem, but, you’ll tackle all future failures of the social media platform.

But, seriously, you don’t have to use the app to check Facebook. You can use a web browser such as Safari or Firefox and interact with your account through a common tool.

If you’re not ready to abandon ship just yet, obviously, the easiest thing to do is update the Facebook app to the most current version.

Lastly, if for whatever reason, you can’t update the app, disable the camera access for the Facebook app in the phone’s privacy settings. Simply visit the Settings app, select Privacy and then tap Camera. Find the Facebook entry and toggle the green switch to off to disable the camera access.

While you’re there, take a look at the other apps that you’ve granted access to your camera. See something you don’t like or don’t recall enabling? Disable those too.

If you can’t tolerate the thought of deleting Facebook, I urge you to consider restricting what Facebook knows about you. In order to do so, you must make your profile settings as private as possible.

Keep in mind, adjusting the settings to reduce data collection will not make you immune to the inspection and exchange of data; but, perhaps, tightening your settings will allow you to control more of your data and reduce what Facebook collects.

Facebook provides a security checkup – but, only on the desktop version, for now – you cannot perform the security checkup from the mobile Facebook app. The security checkup is supposed to reveal what data is being shared. As you observe those data, you can restrict some of the data.

The downside?

Your tailored, or customized ads and recommendations will be less specific to you – from my perspective, the creepiness will be reduced – not a bad thing.

How do you run the Facebook privacy checkup?

Click the question mark at the top of any Facebook page. Then select Privacy Checkup. Three options should appear: Who can see what you share, How people can find you on Facebook and Your data settings on Facebook.

Click each of the three options and adjust the settings based on your personal needs.

As you step through the privacy checkup, you will see which apps are sharing your data and which data is presented to the public.

I recommended the security checkup to a friend recently. He sought the feature within the app for a day or so before he emailed me. Remember to use a desktop device and a web browser to check the settings and to make adjustments. You can’t do this from within the mobile app.

Interestingly enough, after perusing the settings and associated data, he emailed me and asked how to remove the Facebook app and delete his profile.

Be careful as you look behind the curtain, you might not like what you see.

Be safe.

Facebook officially adds dating service

Posted on September 13, 2019October 17, 2019 by Greg Price in Articles

This article was originally published in The Troy Messenger on September 13, 2019.

Last week, to some fanfare, Facebook announced the launch of Facebook Dating in the United States. I admit when I saw the press release, I wasn’t shocked.

First, let’s be honest, Facebook has been a dating platform unofficially for a long time. If you’re unaware of folks who use the service to scout would-be romantic partners, you’re not very observant. In fact, I suspect you’ve all heard someone say, “I’ll check them out on Facebook first,” when a prospective dating opportunity surfaces.

Given the number of divorce cases that I’ve assisted attorneys with over the past decade, Facebook might also be not only a “dating platform”, but rather a conduit for divorce. With the rise of FOMO (fear of missing out) among dedicated users of social media services, the anxiety of not being able to participate in an upcoming event, might also include the fear of missing out on the next best partner.

Continue reading →