The Verge: How to recover when your Facebook account is hacked

Hopefully the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you for the world of hurt you will experience, in time and perhaps money, to return your account to your rightful control. Let me take you through the recovery process and provide some proactive security pointers that you should follow to prevent this awful moment from happening, or at least reduce the chances that it will.

In this post for The Verge, I explain the three different scenarios (a friend borrows your account, someone uses your photo on a new account, or you truly have been hacked) and how you can try to get your social life back. It isn’t easy, it could cost you a lot of time and a bit of money, and there are steps you should take to protect yourself now that will reduce the chances that your account will become compromised — such as removing any payment methods that you may have forgotten about, as shown above.

And if you would rather listen to my descriptions, my podcasting partner Paul Gillin interviewed me on this subject in a recent 16-minute episode.

CNN Underscored: Review of the best USB-C charging blocks

With USB-C finally more-or-less standard across phones, tablets and laptops, and fewer and fewer manufacturers including chargers in the box with their products, a myriad of charging blocks have become available that promise to get your batteries topped up as quickly as possible.

To find the best USB-C charger for your devices, we tested 15 units from respected manufacturers, whether you need to charge a phone, a laptop, or a bagful of accessories. My top pick was the PowerPort Atom III Slim — it has a single USB-C port and is rated at 45W (there are older versions still on the market that are rated at 30W, so make sure you are getting the higher-capacity unit). We liked the smaller footprint of the slim design, which combines a slimmer unit (5/8” thick) with a folding power prong. These make fitting it behind furniture (or carrying it in your travel bag) easier.

You can read my review of these chargers here for CNN’s Underscored site.

Avast blog: Fighting stalkerware

Two years ago, the Coalition Against Stalkerware was founded by ten organizations. Today, Avast is one of more than 40 members, which include technology vendors, NGOs, academia, and police organizations from various countries. The goal of the coalition is to put a stop to domestic violence abuse and cyberstalking. In honor of the coalition’s recent second anniversary, I take a look at the international alliance’s ongoing work and achievements to date in this post for Avast’s blog.

The Coalition has lots of useful resources, including a condensed fact sheet for stalkerware survivors. There are guidelines on how to decide if your devices have been compromised or if there are other ways an abusive partner is stalking your digital life. The fact sheet also contains important information on how to remove such software as well as links to organizations that provide additional support.

CSOonline: 9 cloud and on-premises email security suites compared

Email remains the soft underbelly of enterprise security because it is the most tempting target for hackers. They just need one victim to succumb to a phishing lure to enter your network. Phishing (in all its forms) is just one of many attacks that can leverage a poorly protected email infrastructure; others include account takeovers (due to reused passwords), business email compromises, payment fraud, specialized mobile malware, and spam messages that contain hidden malware or poisoned web links. That places a heavy burden on any email security solution.

I have been testing and writing about these products for decades, and in this roundup I touch on some of the latest integrations and innovations with nine security suites:

  • Abnormal Security’s Integrated Cloud Email Security
  • Area 1’s Horizon
  • Barracuda Email Protection
  • Cisco Secure Email
  • FireEye Email Security
  • Voltage SecureMail
  • Mimecast Email Security
  • Trustifi
  • Zix Secure Cloud Email Security Suite

As seems to be the usual operating procedure, figuring out the pricing for the numerous configurations can be vexing, with one vendor (FireEye) not providing pricing, and several other vendors declining to participate entirely.

You can read my full roundup for CSOonline here.

What doesn’t get backed up makes you stronger, part deux

I have a couple of confessions to make here. First, my birthday is not January 1. (No, I am not going to tell you when it really is.) Second, I have been doing a lousy job of backing up my contacts all these years. Welcome to the second part of what is turning out to be a series of posts on what can make your backups stronger. I wrote the first part earlier this year about learning how to back up my Google Authenticator codes when I bought a new phone. Today there are actually two challenges. Let’s take the contacts-related one first.

Since what seems like the last century, I have been using Google’s now-called Workspace for my main email communications, and also using its Contacts app to store my contacts. Over time I have collected more than 9,000 records in my app. I am sure many of these records are outdated, and every so often I make a half-hearted effort to update people I come across on LinkedIn who have changed jobs.

Every month or so, I export this contact list into a “Google CSV” file that I dutifully save on my local hard drive. Until today, I had never tried to examine this file to see how it is formatted or even whether it contains any useful data. That is the cardinal sin of better backups: don’t just assume that because you have made a copy of your data, it is usable.

The reason for doing this is that I came across a Gmail account that I set up long ago that could be used to recover my main email if something should go wrong with my main identity. I don’t use this account for anything, and indeed it had no contact records to prove it. So I thought this might be a good time to see if I could import my backup contact records. I found out that Gmail is limited to importing only 3,000 contacts per import. This meant splitting the CSV file into at least four parts. Fortunately, there is an online tool that you can use to do this, and if you don’t have too many requirements, it can be done for free. I had to guess how to split the file up, and luckily I guessed fairly accurately, because I only lost 16 records. It took some trial and error — and liberal use of Gmail’s “undo” feature — before I figured this all out.

Now the hard part is going to be remembering to do this again — sadly, the only way to update my backup contacts is to clear out all of them and start this process all over again. (You can export selected contacts, but I have no way to select only those changed since a certain date, for example, to do an incremental backup.)
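The two lessons of the contacts story are that the export has to be split into chunks the importer will accept, and that the backup should be checked rather than assumed usable. The following is an added example, not code from the post or from the online splitting tool the post mentions: it splits a contacts CSV into chunks of at most 3,000 records (the Gmail import limit stated above), repeats the header row in each chunk so every part imports on its own, verifies that no record was lost in the split, and counts how many records actually carry an e-mail address or phone number. The column names are modeled on a Google Contacts “Google CSV” export but trimmed to a handful of columns, and the sample rows are constructed.

```python
import csv
import io

# Gmail accepts at most 3,000 contacts per import (figure from the post).
GMAIL_IMPORT_LIMIT = 3000

# Constructed sample in the shape of a Google Contacts "Google CSV" export,
# trimmed to a few of its many columns. Names and numbers are made up.
SAMPLE_CSV = """Name,Given Name,Family Name,E-mail 1 - Value,Phone 1 - Value
Alice Example,Alice,Example,alice@example.com,+1 555 0100
Bob Example,Bob,Example,bob@example.com,
Carol Example,Carol,Example,,+1 555 0102
Dan Example,Dan,Example,dan@example.com,+1 555 0103
Eve Example,Eve,Example,,
Frank Example,Frank,Example,frank@example.com,+1 555 0105
Grace Example,Grace,Example,grace@example.com,+1 555 0106
"""


def parse_contacts(csv_text):
    """Return (header, rows) for a CSV export, skipping fully blank lines."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    rows = [row for row in reader if any(cell.strip() for cell in row)]
    return header, rows


def split_contacts(csv_text, limit=GMAIL_IMPORT_LIMIT):
    """Split the export into chunks of at most `limit` records, each chunk
    repeating the header row so that it imports on its own."""
    header, rows = parse_contacts(csv_text)
    chunks = []
    for start in range(0, len(rows), limit):
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(header)
        writer.writerows(rows[start:start + limit])
        chunks.append(buf.getvalue())
    return chunks


def verify_chunks(csv_text, chunks, limit=GMAIL_IMPORT_LIMIT):
    """Check that the split is lossless: every chunk carries the original
    header, none exceeds the limit, and together they hold every record
    in the original order."""
    header, rows = parse_contacts(csv_text)
    seen = []
    for chunk in chunks:
        chunk_header, chunk_rows = parse_contacts(chunk)
        if chunk_header != header or len(chunk_rows) > limit:
            return False
        seen.extend(chunk_rows)
    return seen == rows


def count_reachable(csv_text):
    """Count records that carry at least one e-mail address or phone number,
    so you know the backup holds data you could actually use."""
    header, rows = parse_contacts(csv_text)
    contact_cols = [i for i, name in enumerate(header)
                    if name.startswith("E-mail") or name.startswith("Phone")]
    return sum(1 for row in rows
               if any(row[i].strip() for i in contact_cols if i < len(row)))


if __name__ == "__main__":
    # A limit of 3 stands in for 3,000 so the constructed sample splits.
    parts = split_contacts(SAMPLE_CSV, limit=3)
    print(f"{len(parts)} chunks; lossless: {verify_chunks(SAMPLE_CSV, parts, limit=3)}")
    print(f"{count_reachable(SAMPLE_CSV)} of 7 records have an e-mail or phone")
```

Run against a real export, `verify_chunks` is the step that would have caught the 16 missing records before the import, and `count_reachable` answers the “does it contain any useful data” question without opening the file by hand.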

Okay, let’s move on to my fake birthday. I did this deliberately as a security measure, to prevent the many people who look me up on The YouTwitFace from getting one piece of data that could be used to compromise my identity. Now, since I did this some of the social media services have placed restrictions on who can see my birthday (as the screen shot here shows The Face’s settings). But I haven’t bothered messing with this until this past week, when I got an assignment to write for The Verge about what happens when your account is hacked. One of the problems is that The Face makes it very hard for you, as the rightful account owner, to prove that you are indeed that person and not some poseur hacker. One of the ways that you are asked to verify yourself is to upload a photo of your ID, showing your actual face and actual birthday. Given that it isn’t 1/1, I will have an issue if at some point I do get hacked and try to present this ID.

Now, I have a choice: I can give Zuck my real birthday and trust that he will not spread it across his universe in the process of selling ads to further target me, or not give out this information and trust that the methods that I have used to protect my account (multiple authentication factors) are sufficient to stop most hacking attempts. I guess I am sticking with 1/1 for now, unless I want to get some fake driver’s license with 1/1 as my birthday that I can use to get into bars and get my account reset.

One other point of discovery as I was rooting around in my account details: I somehow gave The Face access to spend money using my PayPal account. Oopsie. I got rid of that connection quickly. There are two different places where you specify this: one called Ads Payments (where they can run ad campaigns and charge you accordingly) and one called Facebook Pay (where you can give money directly to people or causes). You should ensure that the “payment methods” fields are blank in both of them if you don’t want any of your bank account details stored.

So I feel somewhat safer after doing all this, but still not happy that I have to take deeper and deeper dives into protecting my data. I will send you all a note when my piece in The Verge is posted, so you can learn about other ways to better prepare yourself against potential hackers. Spoiler alert: it is not an easy fix.

Avast blog: The report from the third CyberSec&AI conference

Last week, the third annual CyberSec&AI Connected was held virtually. There were many sessions that combined academic and industry researchers along with leaders from Avast to explore the intersection of security and privacy and how AI and machine learning (ML) fit into both arenas. The conference strives to deepen the ties between academia and industry and this report for Avast’s blog dives into new and exciting work being done in various fields.

One of the speakers was Dawn Song, a computer science professor at the University of California at Berkeley. She outlined a four-part framework for responsible data use by AI that includes:

  • Secure computing platforms, such as the Keystone open source secure processor hardware,
  • Federated learning, whereby one’s data stays under their control,
  • Differential privacy, using tools such as the Duet programming language and public data sets such as the Enron email collection, and
  • Distributed ledgers that can have immutable logs to help guarantee security.

Fighting ransomware will require numerous efforts

Ransomware attacks are becoming more numerous and dangerous. According to a recent conference of European law enforcement agencies, ransomware activities generated $350 million in 2020, a 311% increase from 2019. The site tracks payments and shows more than $45 million in payouts for the first half of 2021, based on public records of the various ransom blockchain transactions and victim reports.

A Twitter thread by security researcher Ming Zhao shows the depth of the ransomware marketplace and the variety of actors. The flow of funds from victims to criminals, how their attacks have grown, and how the price of cryptocurrency has influenced their actions are revealed in the thread.

As remote work continues and expands, better ways to secure workers’ connections to and from the organization’s data, both in the cloud and on-premises, are necessary. The risks are further compounded by the too-human inclination of remote workers to give priority to completing tasks over security best practices. It is possible for an employee, for example, to use the same password for shopping online and for gaining access to critical corporate data from a home office connection. Among more tech-savvy users who should know better, a software deployment might contain code with vulnerabilities because the developer team opted to meet a deadline while forgoing proper security checks for their code before putting the application into production.

For these remote data-access risks, VPNs don’t cut it anymore. They are based on the incorrect assumption that both sides of the VPN tunnel are secure. Since the pandemic began, more corporate workflows traverse the general Internet where they can be more easily compromised. Anyone in an organization can become a target because attackers are looking for weak points in IT infrastructure.

Added to these trends, Ransomware as a Service organizations have become popular. They make ransomware easier to deploy and more lucrative to operate. And it isn’t just business networks that attract attackers, either. Internet-of-Things (IoT) devices (such as Nest thermostats and connected TVs) and industrial-control systems are targets, too.

Attackers have gone a step further by compromising supply chains. This is what happened to software from SolarWinds and, more recently, with Kaseya VSA. Ransomware attackers now combine the initial encryption attack with follow-up threats to post stolen data from their targets. Security-services provider Emsisoft reported in a survey that 11% of ransomware attacks involved data theft during the first half of 2020, a number that continues to rise in 2021.

The feds are trying to stem this tide, what with a variety of executive orders, a two-day international conclave held last month, and the latest attempt to arrest one of the Russian hackers involved in the Kaseya attack. Oddly, REvil, one of the most pernicious of these hacking groups, took down its infrastructure in July. We say odd because no one knows the cause or the details behind the takedown. Whether or not these efforts bear fruit, taken together, they show that fighting ransomware will require many different initiatives and methods at various regulatory levels. This, combined with a variety of protective technologies and tools, will require careful attention to all details across the entire organization and the entire network — as so many attacks have shown, hackers only need to find one weak link to compromise.

Figuring out the Facebook Papers: Who’s Carol Smith?

A consortium of A-list reporters from 17 major American and European news outlets have begun publishing what they have learned from the documents unearthed by whistleblower Frances Haugen. The trove is a redacted copy of what was given to various US and UK legislative and watchdog agencies. The story collection is being cataloged over at Protocol here. I haven’t read everything – yet – but here are some salient things that I have learned. Most of this isn’t surprising, given the venality that Zuck & co. have shown over the years.

  1. Facebook indeed favors profits over human safety and continues to do so. This piece for the AP documents how foreign “maids” are recruited on Instagram to come work in Saudi Arabia, and then traded using various Facebook posts once they are in the country. The article notes that current searches for the Arabic word for maids return numerous hits with pictures, ages, and prices of candidates. With all its bluster about billions of dollars spent on tracking down these abuses of its terms of service, this shouldn’t be so easy to find if Facebook were really doing a credible job of stamping this out.
  2. Facebook has played a key role in radicalizing its users. NBC News writes about how internal research identified thousands of QAnon groups covering 2.2M members and nearly a thousand anti-vax groups with 1.7M members. The research attributes this population to what it calls “gateway groups” that recruit more than half of them. Again, the fact that the company’s own researchers could track this – and yet do little to stop the growth of these efforts – is troubling.
  3. The same NBC piece talks about a research project using a strawman “Carol Smith” user. Within days of her creation as a conservative-leaning user by Facebook staffers, she was receiving all sorts of pernicious content, including invites to join various QAnon groups and others that clearly violated Facebook’s own disinformation rules. Did they act on this research to prevent this? Not that I could see.
  4. The “Stop the Steal” movement that led to the January 6 Capitol riot was organized through many of Facebook’s properties, pages and groups. CNN reports that one internal memo stated that the company wasn’t able to recognize the people contributing to these efforts in time to stop them, although subsequent algorithmic changes have been put in place to do so. Some content moderation efforts that were put in place prior to the November 2020 election were quickly reversed afterwards and could have helped mute some of the organizers of the January 6 riot.
  5. We might think that Facebook has done a sub-par job vetting American content. But it is far worse elsewhere in the world, as this piece in The Atlantic shows. The data shows 13 percent of Facebook’s misinformation-moderation staff hours were devoted to the non-U.S. countries in which it operates, whose populations comprise more than 90 percent of Facebook’s active users. The moderators hired by Facebook aren’t familiar with the local customs, don’t speak the languages, don’t understand the fragility of their governments or the stability of their internet connections – all things that mean more proportional resources will be needed to do a credible job.

So how can we fix this? I don’t think government regulation is the answer. Instead, it is time for new leadership and better designed algorithms that don’t amplify violence and misinformation. Kara Swisher writes in her current NYT column that “Facebook has been tone-deaf and uncaring about the harm that its own research showed its products were doing, despite ensuing pleas from concerned employees.” She also is lobbying for Zuck’s replacement with a leader who can finally listen to — and act on — these issues.

Another path can be found in the parallel universe being set up by former Facebook data scientists and frustrated middle managers, called the Integrity Institute. Whether this will work is an open issue, but it could be a useful start.

FIR podcast episode #151: How Akamai rebuilt its website and drove customer engagement

Few of us get to have as much influence over as public a website as Annalisa Church, VP Digital Technology, Insights & Operations for Akamai. She has built a career on converging marketing and technology to drive better experiences for customers and build long-term value for enterprises. She is devoted to transforming marketing into a data-driven organization through actionable insights and ensuring the voice of the customer is heard. Prior to Akamai, she worked for eight years in Dell’s marketing department.

Annalisa recently led a massive overhaul of the Akamai website, which is available in nine different languages, with more than 1,200 pages in English covering 18 different products. The site has tremendous customer engagement, with one million monthly visitors, and almost two-thirds of them become customers after visiting the site.

The diagram below shows some of the changes that Church implemented during her redesign to make it more effective and more relevant to visitors. These efforts have paid off in terms of more engagement, more conversions from visitors to customers, and wider impact.

Listen to our podcast here: