The University of Massachusetts Amherst
Categories
Apps Security Web

What’s Going on with Cambridge Analytica?

If you’ve paid attention in the news this week, you may have heard the name “Cambridge Analytica” tossed around or something about a “Facebook data breach.” At a glance, it may be hard to tell what these events are all about and how they relate to you. The purpose of this article is to clarify those points and to elucidate what personal information one puts on the internet when using Facebook. As well, we will look at what you can do as a user to protect your data.

The company at the heart of this Facebook data scandal is Cambridge Analytica: a private data analytics firm based in Cambridge, UK, specializing in strategic advertising for elections. They have worked on LEAVE.EU (a pro-Brexit election campaign), as well as Ted Cruz’s and Donald Trump’s 2016 presidential election campaigns. Cambridge Analytica uses “psychographic analysis” to predict and target the kind of people who are most likely to respond to their advertisements. “Psychographic analysis”, simply put, is gathering data on individuals’ psychological profiles and using it to develop and target ads. They get their psychological data from online surveys that determine personality traits of individuals. They compare this personality data with data from survey-takers’ Facebook profiles, and extrapolate the correlations between personality traits and more readily accessible info (likes, friends, age group) onto Facebook users who have not even taken the survey. According to CEO Alexander Nix, “Today in the United States we have somewhere close to four or five thousand data points on every individual […] So we model the personality of every adult across the United States, some 230 million people.”. This wealth of data under their belts is extremely powerful in their business, because they know exactly what kind of people could be swayed by a political ad. By affecting individuals across the US, they can sway whole elections.

Gathering data on individuals who have not waived away their information may sound shady, and in fact it breaks Facebook’s terms and conditions. Facebook allows its users’ data to be collected for academic purposes, but prohibits the sale of that data to “any ad network, data broker or other advertising or monetization-related service.” Cambridge Analytica bought their data from Global Science Research, a private business analytics research company. The data in question was collected by a personality survey (a Facebook app called “thisisyourdigitallife”, a quiz that appears similar to the silly quizzes one often sees while browsing Facebook). This app, with its special academic privileges, was able to harvest data not just from the user who took the personality quiz, but from all the quiz-taker’s friends as well. This was entirely legal under Facebook’s terms and conditions, and was not a “breach” at all. Survey-takers consented before taking it, but their friends were never notified about their data being used. Facebook took down thisisyourdigitallife in 2015 and requested Cambridge Analytica delete the data, however ex-Cambridge Analytica employee Christopher Wylie says, “literally all I had to do was tick a box and sign it and send it back, and that was it. Facebook made zero effort to get the data back.”

This chain of events makes it clear that data analytics companies (as well as malicious hackers) are not above breaking rules to harvest your personal information, and Facebook alone will not protect it. In order to know how your data is being used, you must be conscious of who has access to it.

What kind of data does Facebook have?

If you go onto your Facebook settings, there will be an option to download a copy of your data. My file is about 600 MB, and contains all my messages, photos, and videos, as well as my friends list, advertisement data, all the events I’ve ever been invited to, phone numbers of contacts, posts, likes, even my facial recognition data! What is super important in the realm of targeted advertisement (though not the only info people are interested in) are the ad data, friends list, and likes. The “Ads Topics” section, a huge list of topics I may be interested in that
determines what kind of ads I see regularly, has my character pinned down.Though some of these are admittedly absurd, (Organism? Mason, Ohio? Carrot?) knowing I’m interested in computer science, cooperative businesses, Brian Wilson, UMass, LGBT issues, plus the knowledge that I’m from Connecticut and friends with mostly young adults says a lot about my character even without “psychographic analysis”—so imagine what kind of in-depth record they have of me up at Cambridge Analytica! I implore you, if interested, to download this archive yourself and see what kind of person the ad-brokers of Facebook think you are.

Is there a way to protect my data on Facebook?

What’s out there is out there, and from the Cambridge Analytica episode we know third-party companies may not delete data they’ve already harvested, and Facebook isn’t particularly interested in getting it back, so even being on Facebook could be considered a risk by some. However, it is relatively easy to remove applications that have access to your information, and that is a great way to get started protecting your data from shady data harvesters. These applications are anything that requires you to sign in with Facebook. This can mean other social media networks that link with Facebook (like Spotify, Soundcloud, or Tinder), or Facebook hosted applications (things like Truth Game, What You Would Look Like As The Other Gender, or Which Meme Are You?). In Facebook’s settings you can view and remove applications that seem a little shady.

You can do so by visiting this link, or by going into settings, then going into Apps.

After that you will see a screen like this, and you can view and remove apps from there.

However, according to Facebook, “Apps you install may retain your info after you remove them from Facebook.” They recommend to “Contact the app developer to remove this info”. There is a lot to learn from the events surrounding Facebook and Cambridge Analytica this month, and one lesson is to be wary of who you allow to access your personal information.

Categories
Security

Creating and Remembering Long Passwords – The Roman Room Concept

Comic courtesy of xkcd by Randall Munroe

If you are anything like me, you have numerous passwords that you have to keep track of.  I can also safely assume, that unless you are in the vast minority or people, you also have autofill/remember passwords turned on for all of your accounts. I’m here to tell you that there is an easy way to remember your passwords so that using these convenient insecurities can be avoided.

The practice that I use and advocate for remembering and creating passwords is called The Roman Room. I’ll admit, this concept is not my own. I’ve borrowed it from a TV show called Leverage. I found it to be a neat concept, and as such I have employed it since.  The practice works as follows: Imagine a room, it can be factual or fictional. Now imagine specific, detailed items that you can either “place” in the room, or that exist in the room in real life. This place could be your bedroom, your family’s RV, really anywhere that you have a vivid memory of, and can recall easily. I suggest thinking of items that you know very well, as this will make describing them later easier. Something like a piece of artwork, a unique piece of furniture, or a vacation souvenir. Something that makes a regular appearance in the same spot or something that has a permanence about it.

Now comes the challenging part: creating the password. The difficulty comes in creating a password that fulfills the password requirements at hand. This technique is most useful when you have the option to have a longer password (16+ characters), as that adds to more security, as well as allows for a more memorable/unique password. Let’s say for example that I often store my bicycle by hanging it on my bedroom wall. It’s a black and red mountain bike, with 7 speeds. I could conjure up the password “Black&RedMountain7Sp33d”.

Editor: This is not Tyler's bike.
Image: bicyclehabitat.com

Alternatively, I could create a password that describes that state of the bike opposed to its appearance.  This example reminds me of how the bike looks when its hung on the wall, it looks like its floating. Which reminds me of that scene from ET. I could then create the password “PhoneHomeB1cycle”, or something along those lines. This technique is just something that I find useful when I comes time to create a new password, and as a means to remember them easily that also prevents me from being lazy using the same password again, and again. Though this method doesn’t always generate the most secure password (by that I mean gibberish-looking password), it is a means to help you create better passwords and remember them without having to store them behind yet another password (in a password manager). What good is a password if you can’t remember or have to write it down?

Categories
Android iOS Operating System Security

SOS: Emergency Response in the Smartphone Era

By now, we’ve all seen or heard stories about a recent scare in Hawai’i where residents were bombarded (ironically) with an emergency notification warning of a ballistic missile heading towards the isolated island state. Within seconds, the people of Hawai’i panicked, contacting their families, friends, loved ones, and stopping everything that they were doing in their final minutes of their lives.

Of course, this warning turned out to be false.

The chaos that ensued in Hawai’i was the result of an accidental warning fired off by a government employee of the Emergency Management Agency. Not only did this employee send off a massive wave of crisis alert notifications to Hawaiians everywhere. In some cases, it took up to 30+ minutes to signal to people that this was a false flag warning. With the rising tensions between the United States and the trigger-happy North Korea, you could imagine that this could be problematic, to put it simply.

The recent mishap in Hawai’i opens up a conversation about Phone notifications when responding to crisis situations. While Hawaiians, and more broadly Americans, aren’t used to seeing this type of notification appear on their lock screen, this is a common and very effective tool in the middle east, where Israel uses push notifications to warn of nearby short range missiles coming in from Syria and the Gaza Strip/West Bank.

Image result for israel missile defense notification

In a region full hostilities and tense situations, with possible threats from all angles, Israel keeps its land and citizens safe using a very effective system of Red Alert, an element of Israel’s Iron Dome. According to Raytheon, a partner in developing this system, the Iron Dome “works to detect, assess and intercept incoming rockets, artillery and mortars. Raytheon teams with Rafael on the production of Iron Dome’s Tamir interceptor missiles, which strike down incoming threats launched from ranges of 4-70 km.” With this system comes the Red Alert, which notifies Israelis in highly populated areas of incoming attacks, in case the system couldn’t stop the missile in time. Since implementation in 2011 and with more people receiving warnings due to growing cell phone use, Israelis have been kept safe and are notified promptly, leading to a 90% success rate of the system and keeping civilian injuries/casualties at very low levels.

If this Hawaiian missile alert was true, this could have saved many lives. In an instant, everyone was notified and people took their own precautions to be aware of the situation at hand. This crucial muff in the alert system can be worked on in the future, leading to faster, more effective approaches to missile detection, protection, and warnings, saving lives in the process.

In an era of constant complaint about the ubiquity of cell phone use, some of the most positive implications of our connected world have been obscured. Think back to 1940: London bombing raids were almost surprises, with very late warnings and signals that resulted in the destruction of London and many casualties. With more advanced weapons, agencies are designing even more advanced defense notification systems, making sure to reach every possible victim as fast as possible. In an age where just about everyone has a cell phone, saving lives has never been easier.

 

For more reading, check out these articles on Washington Post and Raytheon:

https://www.washingtonpost.com/news/post-nation/wp/2018/01/14/hawaii-missile-alert-how-one-employee-pushed-the-wrong-button-and-caused-a-wave-of-panic/?utm_term=.9898f44541cd

https://www.raytheon.com/capabilities/products/irondome/

Categories
Security Web

Private Data in the Digital Age

Former U.S. spy agency contractor Edward Snowden is wanted by the United States for leaking details of U.S. government intelligence programs
Former U.S. spy agency contractor Edward Snowden is wanted by the United States for leaking details of U.S. government intelligence programs

In a scenario where someone has a file of information stored on a private server with the intent to keep it private, is it ever justified for someone else to expose a security flaw and post the information anonymously on the internet? There exists a fine line where “It depends” on the scenario. But this classification simply does not do the case justice as there are extraneous circumstances where this kind of theft and distribution is justifiable.

One such case is whistle-blowing. Edward Snowden is still a man of much controversy. Exiled for leaking sensitive government documents, some label him a hero, others a traitor. Snowden was former Special Forces and later joined the CIA as a technology specialist. He stole top-secret documents pertaining to the National Security Agency and FBI tapping directly into the central servers of leading U.S Internet companies to extract personal data. Snowden leaked these documents to the Washington Post, exposing the PRISM code, which collected private data from personal servers of American citizens. This program was born out of a failed warrantless domestic surveillance act and kept under lock and key to circumvent the public eye. Americans were unaware and alarmed by the breadth of unwarranted government surveillance programs to collect, store, and search their private data.

Although Snowden illegally distributed classified information, the government was, in effect, doing the same but with personal data of its constituents. I would argue that Snowden is a hero. He educated the American people about the NSA overstepping their bounds and infringing upon American rights. Governments exist to ensure the safety of the populace, but privacy concerns will always be in conflict with government surveillance and threat-prevention. The government should not operate in the shadows; is beholden to its people, and they are entitled to know what is going on.

The United States government charged Snowden with theft, “unauthorized communication of national defense information,” and “willful communication of classified communications intelligence information to an unauthorized person.” The documents that came to light following Snowden’s leaks only pertained to unlawful practices, and did not compromise national security. Therefore, it appears as though the government is trying to cover up their own mistakes. Perhaps this is most telling in one of Edward Snowden’s recent tweets :

“Break classification rules for the public’s benefit, and you could be exiled.
Do it for personal benefit, and you could be President.” – @Snowden

This commentary on Hillary Clinton shows that in the eyes of the government who is right and wrong changes on a case to case basis. In many ways, Snowden’s case mirrors Daniel Ellsberg’s leak of the Pentagon Papers in 1971. The Pentagon Papers contained evidence that the U.S. Government had mislead the public regarding the Vietnam war, strengthening anti-war sentiment among the American populace. In both cases, whistle-blowing was a positive force, educating the public about abuses happening behind their back. While in general practice, stealing private information and distributing it to the public is malpractice, in these cases, the crime of stealing was to expose a larger evil and provide a wake-up call for the general population.

Alternatively, in the vast majority of cases accessing private files via a security flaw is malicious, and the government should pursue charges. While above I advocated for a limited form of “hacktivism,” it was a special case to expose abuses by the government which fundamentally infringed on rights to privacy. In almost all cultures, religions and societies stealing is recognized as wrongdoing and should rightfully be treated as such. Stealing sensitive information and posting it online should be treated in a similar manner. Publishing incriminating files about someone else online can ruin their life chances. For example, during the infamous iCloud hack, thousands of nude or pornographic pictures of celebrities were released online. This was private information which the leaker took advantage of for personal gain. For many female celebrities it was degrading and humiliating. Therefore, the leaker responsible for the iCloud leaks was not justified in  taking and posting the files. While the definition of leaking sensitive information for the “common good” can be in itself a blurred line, but a situation like the iCloud leak evidently did not fit in this category. Hacking Apple’s servers to access and leak inappropriate photos can only be labeled as a malevolent attack on female celebrities, which could have potentially devastating repercussions for their career.

While the iCloud hack was a notorious use of leaking private data in a hateful way, there are more profound ways which posting private data can destroy someone’s life. Most notably, stealing financial information and identification (such as SSID) can have a huge, detrimental effect on someone’s life. My grandmother was a victim of identity theft, where someone she knew and trusted stole her personal information and used it for personal gain. This same scenario plays out online constantly and can drain someone’s life savings, reduce their access to credit and loans, and leave them with a tarnished reputation. Again, we draw a line between leaking something in the public’s interest and exposing a security flaw for the leaker’s benefit. By gaining access to personal files, hackers could wreck havoc and destroy lives. Obviously this type of data breach is unacceptable, and cannot be justified.

Overall, taking sensitive material and posting it anonymously online can generally be regarded as malpractice, however, their are exceptions such as whistle-blowing where the leaker is doing so for the common good. These cases are far and few between, and the “bad cases” have harming repercussions which can follow someone throughout their life. Ultimately, to recall Snowden’s case, everyone has a right to privacy. This is why someone leveraging a security flaw and posting files online is wrong from the get go, because it supersedes personal secrecy. In an increasingly digital world it is difficult to keep anything private, but everyone has a fundamental right to privacy which should not be disrespected or infringed upon.

Categories
Hardware Security

Disproving Einstein: the Phenomenon of Quantum Entanglement and Implications of Quantum Computing

Quantum-Entanglement

Albert Einstein famously disparaged quantum entanglement as “spooky action at a distance,” because the idea that two particles separated by light-years could become “entangled” and instantaneously affect one another was counter to classical physics and intuitive reasoning. All fundamental particles have a property called spin, angular momentum and orientation in space. When measuring spin, either the measurement direction is aligned with the spin of a particle -classified as spin up- or the measurement is opposite the spin of the particle -classified as spin down. If the particle spin is vertical but we measure it horizontally the result is a 50/50 chance of being measured spin up or spin down. Likewise, different angles produce different probabilities of obtaining spin up or spin down particles. Total angular momentum of the universe must stay constant, and therefore in terms of entangled particles, they must have opposite spins when measured in the same direction. Einstein’s theory of relativity was centered around the idea that nothing can move faster than the speed of light, but somehow, these particles appeared to be communicating instantaneously to ensure opposite spin. He surmised that all particles were created with a definite spin regardless of the direction they were measured in, but this theory proved to be wrong. Quantum entanglement is not science fiction; it is a real phenomenon which will fundamentally shape the future of teleportation and computing.

Categories
Security Virus/Malware

Cyber Security Awareness: What is Malware?

What is Malware?

Malware is any type of malicious software that can infect your computer and slow performance, monitor usage, steal sensitive information, or gain access to privileged areas on your computer.  These can be harmful to your computer and your files. This post will discuss the different types of malware, how to tell if your computer is infected, prevention, and removal. For more detailed information about computer security resources, check out the IT Help Services Security Center online or stop into the IT Help Center for a free Security Check-up.

Categories
Security Virus/Malware

Operation “Aurora”: Zero Day Exploit

Users of Microsoft Internet Explorer should be aware of a new zero-day exploit dubbed “Operation ‘Aurora'”. This exploit, which has been demonstrated effective in Internet Explorer 6, 7, and 8, allows a remote attacker to gain full control over a target computer.

Users who fall victim to this attack are usually the targets of “spear phishing” (a phishing attacked directed to a specific person or group of people.) They receive a link from someone (e.g. over IM, e-mail) and are directed to a website with specially crafted Javascript code. At this point, if the person being attacked is using Internet Explorer, the code causes a moment of confusion that allows the attacker to inject arbitrary code into the target system. In the worst case, this allows the attacker to take full control over the exploited computer. The entire process can be viewed below thanks to the crew at the security blog Praetorian Prefect. They have a great explanation of the exploit here and a video here.

OIT Software Support recommends that users of Internet Explorer switch to another web browser for the time being. A list of supported browsers can be found here on our website. Follow the link for your operating system.

As always, make sure to update your operating system often. Directions for that process can be found here.

Categories
Operating System Security Software Virus/Malware

Virus Prevention

As a general rule of thumb, there are some things that are good to do to keep your computer running its best.

  1. Keep everything up to date!
  2. Don’t click links you’re unsure about.
  3. Don’t visit questionable websites.
  4. Run an anti-virus program.
  5. Scan with an anti-virus program and an anti-spyware program at least once a month.

Keeping programs up to date is one of the easiest ways to prevent a Virus or Spyware infection. Windows XP, Vista, and Mac OS X will all prompt you to install updates if you have it configured to do so. It is configured as such by default.

As for updating all the other programs installed, we use a program called Secunia PSI. It scans your computer for all the programs installed that it has in its database. It then checks it against the current versions of those programs and provides you with links to where to download updates. You can download it here. It’s an amazing tool to know what to update.

As a general rule, you should keep your Operating System (XP, Vista, OSX) as well as Java and Adobe Flash Player up to date. Those are the most common ways viruses and spyware can gain access to your computer.

As a rule of thumb, don’t click on links to suspicious websites. In many programs, you can mouse over the link to see the HTTP address. Just remember to air on the side of caution.

Don’t go to suspicious sites.  If you’re not sure about the site, try searching Google for it.  If a lot of hits come up like “Spyware, removal of spyware, virus related” etc, don’t go to that site.  Also, if you had gotten a virus in the past from a questionable website, don’t go to that website again.

Run an anti-virus program.  This should be really easy for people affiliated with UMass.  UMass has a site license for McAfee Enterprise Virus Scan.  You can get it on the OIT website here.  If you have an older version of McAfee Enterprise Virus Scan installed, uninstall it first.  It might cause weird errors to occur if installing just over the older version.  Also, if you have any other anti-virus programs installed, you should only have one installed.  You shouldn’t have more that one anti-virus program installed, as they tend to fight each other and slow everything down.  Uninstall all but one anti-virus program.

The last way to protect yourself is to run full scans with your anti-virus and anti-spyware software once per month, whether you think you need it or not.  Think of it like an oil change for your car.  It cleans out all the sludge that may build up, whether you see it or not.  If you have the version of McAfee Enterprise Virus Scan distributed from the OIT site mentioned above, McAfee will update itself every day, and run a full scan in the background once a week.  You should also run a full scan once a month with your anti-spyware software of your choice.  We use Spybot Search and Destroy, which can be found here.

Categories
Security Windows

I Hate Change or: the Dangers of Getting Attached to Applications and Operating Systems

Change can be difficult. When you’ve invested time and energy in learning something new, especially something as complicated as an operating system (e.g. Windows 98, Windows XP, Mac OS 9), it can be quite frustrating to be told that you should upgrade to something new. Waiting a little while to perform upgrades is actually a good idea. As any early adopter of Windows Vista can tell you, making the switch from Windows XP was extremely painful because there were many kinks to work out of Vista. However, with a few years under its belt, Vista is, arguably, a more secure operating system.

Of course, many users still prefer Windows XP, which is okay, but users need to stay extra vigilant. Hanging on to an older application or operating is fine until the developer stops supporting it and providing updates. This is the case with operating systems such as Windows 98 and Mac OS 9. When, this happens it is important to upgrade! This means switching to any new version of an application or operating system. For example, an upgrade from Windows 2000 could be any version of Windows XP or any version of Windows Vista. An upgrade for Adobe Acrobat Reader would be from Version 8 to Version 9. Upgrades often add new features to software

Updates are different from upgrades in that they work to fix existing problems in software. They are important because they help keep your application or operating system secure. When you apply updates to Windows or Mac OS X, you are improving the security and stability of your computer. Here are some advantages of performing updates:

  1. Bug Fixes: No one is perfect. When a programmer develops an application and distributes it to users, there are often “bugs” waiting to be found. Bugs are simply unexpected situations that cause programs to crash or malfunction. Programs are not smart. They do what they are programmed to do and handle situations that they are programmed to handle. Programmers try to think about all the sorts of things that could go wrong when an application is running in the real world by giving users error messages or warnings. (e.g. If a program asks a user for a date in the format MM/DD/YYYY and the user types in YYYY/MM/DD, the program will ask the user to type the information in correctly.) However, sometimes there are problems which programmers don’t consider. When an application runs into these situations, it could crash, malfunction (i.e. appear to be working correctly, but really processing information incorrectly. This is especially dangerous because users don’t know that something has gone wrong!) Updates often fix these “bugs.”
  2. Security: Bugs can leave your operating system or application open to attack. A bug can be exploited by a virus or an attacker to do bad things to your files or even turn your computer into a zombie computer! Zombie computers can be used to attack other computers, send out spam messages, and even delete or ransom your files.
  3. Improvements: Many developers like getting user input. When they come out with a new version or update for a program, they often add new features which will make the program more useful or usable.

The main reasons to perform upgrades are:

  1. To take advantage of new features. Upgrades often change how existing features work or offer new features altogether.
  2. Your current application / operating system is no longer supported. When your program or operating system is no longer supported by the developer, they will no longer patch the program to ensure that it remains secure. When this happens, it’s important to take the step to upgrade to a supported version of the application or operating system.

The moral of the story is: keep yourself up-to-date to keep yourself sane and your computer secure. OIT Software Support suggests that you use a program called Secunia PSI if you run Windows. Secunia PSI will scan all the programs on your computer and will tell you which ones are out-of-date. It will then show you what to do to update them.

As always, if you have any questions, please call OIT Help Services at 413.545.9400.

Categories
Hotfix Operating System Security Software Virus/Malware

“Conficker Worm Could Create World’s Biggest Botnet”

I saw this article on Slashdot today and wanted to warn everyone out there. Nine million infected computers running Microsoft systems is an incredible amount of machines compromised.

Make sure your McAfee Enterprise is up to date and your Windows machine has installed all the latest updates!

As the article states, the worm propagates through un-patched Windows systems and through USB thumb-drives. This means that having a secure system or up-to-date virus protection is NOT ENOUGH! You need a combination of both. This is good computer usage in practice anyway, but we see an incredible amount of un-patched XP and Vista systems come in with virus infections.

What you see when an infected USB-drive is plugged-in
What you see when an infected USB-drive is plugged-in
The above image shows what happens when you plug-in an infected USB-stick into a machine. Notice the “Publisher not Specified,” text in gray under the open option? That should be your first clue right there. Do NOT click on this, as this will launch the virus and infect your computer.

It’s just that little yellow icon in your system tray, that little place with icons by the time in the bottom left. Click – Express Install – Done. It’s really that simple.

For those that are interested, the Microsoft Security Bulletin can be read here.