Tech shorts for February 10, 2015: Facebook malware, privacy quiz, and data security guidelines
Facebook malware attacks on the rise. A friend asked me recently about suspicious videos appearing on her Facebook timeline. The videos were labeled as posted by one of her friends, but they were graphic and unrelated to anything her friend was likely to post.
It turns out there has been a rash of malware-infected videos crashing Facebook timelines, as CSO's Steve Ragan reports in a January 30, 2015, article. The videos tag several of your friends, but if you click the link, your system is thoroughly scanned by the bad guys. Depending on what type of device you're using, you may be redirected to a site that tries to get you to pay for a bogus security service, or if you're using Windows, you may be prompted to download a "video player" that will actually infect your machine.
The security firm that disclosed the attack, BitDefender, recommends that you avoid downloading any players you're not sure of (for example, Flash updates should come only from the Adobe site). The company also suggests you keep your anti-malware software up-to-date and adjust your Facebook privacy settings to ask permission before content you're tagged in can be displayed to your friends. Instructions for doing so are on the Facebook Privacy Settings page.
What's your privacy IQ? Turns out mine wasn't as high as I thought when I got the results of Science Magazine's digital-privacy IQ test. The 10-question test takes only a few minutes to complete, but offers lessons that will serve you well into the future.
Encryption's benefits questioned. One of the best ways for companies to protect their customers' data from theft is to encrypt it -- when it's stored and when it's transmitted. In a February 5, 2015, article on Ars Technica, Steven M. Bellovin states that encryption wouldn't have prevented the theft of Social Security numbers and other personal information in the recent hack of health insurance company Anthem.
Bellovin claims that data has to be decrypted when it is accessed by Anthem employees, so the records would be vulnerable even if they were stored in encrypted form. Of course, how often do the workers need to access the SSNs and other sensitive information of the customers? Why can't Anthem -- and other firms -- provide access only to the data the employees need to complete their work? That's like saying bank tellers need access to the entire vault and all safe-deposit boxes to handle one person's cash withdrawal.
In the wings: Government guidelines for data protection. Companies are just starting to take data security seriously, in part because of increased attention from government regulators to lax security practices. For example, the Federal Trade Commission is preparing a "roadmap for responsible data practices," as Omer Tene of the International Association of Privacy Professionals reports in a February 3, 2015, article.
Raising red flags in particular are the ethics of targeted advertising, cross-device tracking, device fingerprinting, and onboarding -- the practice of combining data collected online and offline. Another area of focus is ensuring that companies are responsible for the data-security practices of their business partners and other third parties they deal with -- so-called indirect liability.
Also, the White House recently issued its own report on the dangers posed by lax data-security practices to consumers in general and school children in particular. In a February 5, 2015, article, TechCrunch's Ron Miller writes about the Obama administration's proposals to prevent misuse of big data without impinging the benefits the technology promises for health care and other industries.