Facebook is Copying your Contacts

Finally upgraded my phone, and with it all apps including Facebook Messenger. Which really wants access to my contact list.

“Your contacts will be continuously synced with our servers.”

No no, and if you have little dossiers attached to a contact, bet those are copied too.

The app is aggressive, and about every 12th use it prompts.

Now begins the game of “it’s one slip of the finger and I accidentally hit okay…”

Then what, turn my phone off? That’s seconds, it’s likely done hoovering the list by now, or just pick up where it left off when the phone is turned back on.

Do you have a hard copy of your contact list?

Saved on a USB that’s tucked away safe?

How would you find your loved ones if you lost access to your account? Everything’s in the cloud and it fails? If your only copy of your contacts is stored in Facebook, please leave my blog.

Maybe it’s me. Maybe just give Facebook everything it wants, forget this all, and look at my new coat.


 

 

It’s a Good Idea to Monitor Connections

When you visit a website, there are multiple connections happening behind the scenes, not just the one connection it appears to be.

For an idea, some conservative estimates:

– a reasonably popular site – 25+ connections
– KeriBlog – 4
– Buzzfeed – 50+

It’s a good idea to monitor these, and approve / deny what you feel comfortable with connecting to your laptop.

Example:

Why, out of nowhere, is Celebuzz site trying to connect to my machine?

At the time of this connection request, I was not surfing gossip sites, but I have in the past, which is why the site is checking in on me.

Connection denied.

How I’m doing this

I use a program called Little Snitch.

(this is NOT an endorsement)

It installs deep in my operating system, so no matter which program I’m using (iTunes / internet browser / photo editing software), it halts all incoming connections, until I tell it how to proceed.

It looks like this:

You teach it rules (example: I accept all connections from Google.ca, I deny all connections to many ad serving URLs).

I deny everything with “track”, “metrics” or “ads” in the URL, and don’t much notice a decline in quality of browsing.
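A sketch of how rules like these behave, as an added example that is not from the original post and is not Little Snitch's rule format. The sample URLs are constructed, and checking the allow rule before the deny rule is an assumption. It compares the rule as worded (keyword anywhere in the URL) with a stricter variant that only matches the start of a host or path token, which avoids hits such as "ads" inside "downloads".

```python
import re
from urllib.parse import urlsplit

ALLOW_DOMAINS = ("google.ca",)               # the post's allow rule
DENY_KEYWORDS = ("track", "metrics", "ads")  # the post's deny keywords

def _allowed(host):
    # Match on a label boundary so "google.ca.example.net" is not allowed.
    return any(host == d or host.endswith("." + d) for d in ALLOW_DOMAINS)

def decide_substring(url):
    """Deny when a keyword appears anywhere in the URL (rule as worded)."""
    host = (urlsplit(url).hostname or "").lower()
    if _allowed(host):                       # assumption: allow is checked first
        return "allow"
    if any(k in url.lower() for k in DENY_KEYWORDS):
        return "deny"
    return "ask"                             # no rule yet: prompt the user

def decide_token(url):
    """Deny only when a host or path token starts with a keyword."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _allowed(host):
        return "allow"
    tokens = re.split(r"[^a-z0-9]+", (host + parts.path).lower())
    if any(t.startswith(k) for t in tokens for k in DENY_KEYWORDS):
        return "deny"
    return "ask"

# Constructed sample URLs (not taken from the post).
SAMPLES = [
    "https://www.google.ca/search?q=coat",
    "https://ads.example.net/banner.js",
    "https://metrics.example.com/collect",
    "https://news.example.com/tracking/pixel.gif",
    "https://cdn.example.org/downloads/setup.dmg",
    "https://google.ca.example.net/login",
]

def compare(urls=SAMPLES):
    # One row per URL: (url, substring decision, token decision).
    return [(u, decide_substring(u), decide_token(u)) for u in urls]

if __name__ == "__main__":
    for url, loose, strict in compare():
        print(f"{loose:5} {strict:5} {url}")
```
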

It’s free to try, and a licence is $35. I bought mine like, 4 years ago, still works.

How this helps

Keeping your computing environment as clean as possible helps. And monitoring software, while it doesn’t replace anti-virus software, can help catch malicious connections.

A small example:

While streaming TV from one-of-those sites, the site asked to have some dedicated space on my hard drive…

Had I not stopped the connection, the website would have not only connected to my laptop, but stored up to 1 MB of “something” on it!

The video played fine even after I denied it access.

They’re not posting free, timely TV episodes because of kindness, because they care if I’m up-to-date on The Office. This is the price, guys.

 

 

LinkedIn Invites are Great for Spreading Malware

Fake LinkedIn invitations are one of the most effective methods of getting a human to click a malicious link.

This type of attack, a phishing attack (or a more targeted spear phishing attack), works because who doesn’t want to increase their LinkedIn number up to that magical 500+? Plus, LinkedIn is maybe the most reputable of all the social media networks, so that reputation is exploited.

Additionally, LinkedIn is a business-oriented social media site; therefore, most use occurs on a computer attached to a corporate network. And that’s more valuable to a thief than a lone, personal computer.

The Attack

You receive an email, “Let’s connect!”

It looks like a real, and safe, LinkedIn invitation.

Click on “View Profile” > goes to a fake site > where a virus / malware / etc is waiting >  that’s then installed onto your computer > now the attacker has a way into your machine > and potentially the corporate network it’s attached to.

The Defence

I rely on 2 things – my gut, and LinkedIn’s security (note this method is not 100% fail-safe.)

1 – hmm, I have never heard of this human, and something about the name / company makes my gut say wait….

2 – I open a new browser, go to LinkedIn > Invitations > is the same name on my list there?

If yes: click around to verify identity, check for connections in common, and lots of Googling.

If no: delete the email

***

Don’t be shy to ask for more clarification, proof of identity, reply with “do I know you, and how?”

And always listen to your gut, the best defence against social engineering.
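The fake “View Profile” link from The Attack can also be checked without clicking it. The following is an added example, not part of the original post or its two-step defence: it lists every link in an HTML email whose real destination is not linkedin.com over HTTPS. The sample email and its `.example` hostnames are constructed, and trusting only `linkedin.com` is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("linkedin.com",)   # assumption: the only domain the reader expects

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None     # [href, text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None

def is_trusted(host):
    # Exact domain or a true subdomain; "linkedin.com.invite.example" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def untrusted_links(html):
    """Return (link text, real host) for links that leave the trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme != "https" or not is_trusted(parts.hostname):
            flagged.append((text, parts.hostname))
    return flagged

# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """
<p>Let's connect!</p>
<a href="https://linkedin.com.invite.example/profile?id=1">View Profile</a>
<a href="https://www.linkedin.com/help">Help</a>
"""

if __name__ == "__main__":
    for text, host in untrusted_links(SAMPLE_EMAIL):
        print(f"'{text}' really goes to {host}")
```
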

 

 

You Have a Facebook Facial Recognition Number

A unique number has been assigned to the face of each account.  From the help page:

Facial Recognition Data – A unique number based on a comparison of the photos you’re tagged in. We use this data to help others tag you in photos.

We currently use facial recognition software that uses an algorithm to calculate a unique number (“template”) based on someone’s facial features, like the distance between the eyes, nose and ears. This template is based on your profile pictures and photos you’ve been tagged in on Facebook.

This is “Tag Suggest”.

Last week, I downloaded my Facebook account archive, to see what was included in it (how to here).  Below is my face when I found this face number, imagination going wild.

Because really, Facebook is the world’s largest biometric database.

And its entire contents were not only submitted voluntarily, but tagged and identified as well. Someone is going to sleep laughing each night.

Facebook updated their privacy policy at the end of the summer, to account for some more powerful software, for a better “Tag Suggest”.

Some countries are not okay with this, Germany’s pretty upset. They’ve been pushing back for a while... wait, I may have blogged this, hang on….. yup, here: October ’12. There’s much debate about to whom and how access to this database is granted.

I’m not 100%, and the test I conducted was only so-so, but it appears that in Canada, we can’t turn off “Tag Suggest”.

Here’s the Facebook help page, “Turn OFF Tag Suggest”. It says the last item below is where to disable the feature (purple asterisk).

Below are my settings, “unavailable”.

Ugh. Unavailable. Eye roll.

Here tag this.

 

 

Proof Why to Never Upload a Compromising Image

I use Google / Picasa to publish the photos you see here. I upload them to my Google+ account, then copy the embed code here.

Recently, Google came out with a new feature, “Auto Backup” – on its own, it animates some of my photos, and on the weekend, Google made me this animated gif of my year in photos.

Here’s the problem.

I have my Google+ account organized into months, plus one private folder called, “Holding Tank”.

Days ahead of blogging, I filter photos and upload them to ‘Holding Tank’ until they’re ready to be moved to a public folder.

(the red smudge is masking the authentication key for the private folder.)

Bottom row, second from the left – that’s a private photo.

This one:

So accidentally, a private photo was published.

Proof that the only safe way to keep something protected, is not to upload it at all.

This isn’t dire, that’s me at a Canadian Tire winter tire event I haven’t blogged yet.

I’d guess Google’s response would be that the animated gif wasn’t public until I made it so, but if that one photo was at all compromising, I couldn’t use this .gif.

I didn’t even catch this mistake until the day after I’d blogged the gif.