Connect with us

Biz & IT

Facebook will shut down its spyware VPN app Onavo

Published

on

Facebook will end its unpaid market research programs and proactively take its Onavo VPN app off the Google Play store in the wake of backlash following TechCrunch’s investigation about Onavo code being used in a Facebook Research app the sucked up data about teens. The Onavo Protect app will eventually shut down, and will immediately cease pulling in data from users for market research though it will continue operating as a Virtual Private Network in the short-term to allow users to find a replacement.

Facebook has also ceased to recruit new users for the Facebook Research app that still runs on Android but was forced off of iOS by Apple after we reported on how it violated Apple’s Enterprise Certificate program for employee-only apps. Existing Facebook Research app studies will continue to run, though.

With the suspicions about tech giants and looming regulation leading to more intense scrutiny of privacy practices, Facebook has decided that giving users a utility like a VPN in exchange for quietly examining their app usage and mobile browsing data isn’t a wise strategy. Instead, it will focus on paid programs where users explicitly understand what privacy they’re giving up for direct financial compensation.

Onavo billed itself as a way to “limit apps from using background data and “use a secure VPN network for your personal info” but also noted it would collect the “Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type” A Facebook spokesperson confirmed the change and provided this statement: “Market research helps companies build better products for people. We are shifting our focus to reward-based market research which means we’re going to end the Onavo program.”

Facebok acquired Onavo in 2013 for a reported $200 million to use its VPN app the gather data about what people were doing on their phones. That data revealed WhatsApp was sending over twice as many messages per day as Messenger, BuzzFeed’s Ryan Mac and Charlie Warzel reported, convincing Facebook to pay a steep sum of $19 billion to buy WhatsApp. Facebook went on to frame Onavo as a way for users to reduce their data usage, block dangerous websites, keep their traffic safe from snooping — while Facebook itself was analyzing that traffic. The insights helped it discover new trends in mobile usage, keep an eye on competitors, and figure out what features or apps to copy. Cloning became core to Facebook’s product strategy over the past years, with Instagram’s version of Snapchat Stories growing larger than the original.

But last year, privacy concerns led Apple to push Facebook to remove the Onavo VPN app from the App Store, though it continued running on Google Play. But Facebook quietly repurposed Onavo code for use in its Facebook Research app that TechCrunch found was paying users in the U.S. and India ages 13 to 35 up to $20 in gift cards per month to give it VPN and root network access to spy on all their mobile data.

Facebook ran the program in secret, obscured by intermediary beta testing services like Betabound and Applause. It only informed users it recruited with ads on Instagram, Snapchat and elsewhere that they were joining a Facebook Research program after they’d begun signup and signed non-disclosure agreements. A Facebook spokesperson claimed in a statement that “there was nothing ‘secret’ about this”, yet it had threatened legal action if users publicly discussed the Research program.

But the biggest problem for Facebook ended up being that its Research app abused Apple’s Enterprise Certificate program meant for employee-only apps to distribute the app outside the company. That led Apple to ban the Research app from iOS and invalidate Facebook’s certificate. This shut down Facebook’s internal iOS collaboration tools, pre-launch test versions of its popular apps, and even its lunch menu and shuttle schedule to break for 30 hours, causing chaos at the company’s offices.

To preempt any more scandals around Onavo and the Facebook Research app and avoid Google stepping in to forcibly block the apps, Facebook is now taking Onavo off the Play Store and stopping recruitment of Research testers. That’s a surprising voluntary move that perhaps shows Facebook is finally getting in tune with the public perception of its shady actions. The company has repeatedly misread how users would react to its product launches and privacy invasions, leading to near constant gaffes and an unending news cycle chronicling its blunders.

Without Onavo, Facebook loses a powerful method of market research, and its future initiatives here will come at a higher price. Facebook has run tons of focus groups, surveys, and other user feedback programs over the past decade to learn where it could improve or what innovations it could co-opt. And with more apps recently turning on encryption, Onavo likely started learning less about their usage. But given how cloning plus acquisitions like WhatsApp and Instagram have been vital to Facebook’s success, it’s likely worth paying out more gift cards and more tightly monitoring its research practices. Otherwise Facebook could miss the next big thing that might disrupt it.

Hopefully Facebook will be less clandestine with its future market research programs. It should be upfront about its involvement, make certain that users understand what data they’re giving up, stop researching teens or at the very least verify the consent of their parents, and avoid slurping up sensitive information or data about a user’s unwitting friends. For a company that depends on people to trust it with their content, it has a long way to go win back our confidence.

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

Ransomware crooks post cops’ psych evaluations after talks with DC police stall

Published

on

A ransomware gang that hacked the District of Columbia’s Metropolitan Police Department in April posted personnel records on Tuesday that revealed highly sensitive details for almost two dozen officers, including the results of psychological assessments and polygraph tests, driver license images, fingerprints, social security numbers, dates of birth, and residential, financial and marriage histories.

The data, included in a 161GB download from a website on the dark web, was made available after negotiations broke down between members of the Babuk ransomware group and MDP officials, according to screenshots purporting to be chat transcripts between the two organizations. After earlier threatening to leak the names of confidential informants to crime gangs, the operators agreed to remove the data while they carried out the now-aborted negotiations, the transcripts showed.

This is unacceptable

The operators demanded $4 million in exchange for a promise not to publish any more information and provide a decryption key that would restore the data.

“You are a state institution, treat your data with respect and think about their price,” the operators said, according to the transcript. “They cost even more than 4,000,000, do you understand that?”

“Our final proposal is to offer to pay $100,000 to prevent the release of the stolen data,” the MPD negotiator eventually replied. “If this offer is not acceptable, then it seems our conversation is complete. I think we understand the consequences of not reaching an agreement. We are OK with that outcome.”

“This is unacceptable from our side,” the ransomware representative replied. “Follow our website at midnight.”

A post on the group’s website said: “The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers.” The 161MB file was password protected. The operators later published the passphrase after MPD officials refused to raise the price the department was willing to pay.

Three of the names listed in the personnel files matched the names of officers who work for the MPD, web searches showed. The files were based on background investigations of job applicants under consideration to be hired by the department.

MPD representatives didn’t respond to questions about the authenticity of the transcripts or the current status of negotiations.

Like virtually all ransomware operators these days, those with Babuk employ a double extortion model, which charges not only for the decryption key to unlock the stolen data but also in exchange for the promise not to make any of the data available publicly. The operators typically leak small amounts of data in hopes of motivating the victims to pay the fee. If victims refuse, future releases include ever more private and sensitive information.

The ransomware attack on the MPD has no known connection to the one that has hit Colonial Pipeline.

Continue Reading

Biz & IT

Amazon “seized and destroyed” 2 million counterfeit products in 2020

Published

on

Enlarge / Amazon trailers backed into bays at a distribution center in Miami, Florida, in August 2019.

Amazon “seized and destroyed” over 2 million counterfeit products that sellers sent to Amazon warehouses in 2020 and “blocked more than 10 billion suspected bad listings before they were published in our store,” the company said in its first “Brand Protection Report.”

In 2020, “we seized and destroyed more than 2 million products sent to our fulfillment centers and that we detected as counterfeit before being sent to a customer,” Amazon’s report said. “In cases where counterfeit products are in our fulfillment centers, we separate the inventory and destroy those products so they are not resold elsewhere in the supply chain,” the report also said.

Third-party sellers can also ship products directly to consumers instead of using Amazon’s shipping system. The 2 million fakes found in Amazon fulfillment centers would only account for counterfeit products from sellers using the “Fulfilled by Amazon” service.

The counterfeit problem got worse over the past year. “Throughout the pandemic, we’ve seen increased attempts by bad actors to commit fraud and offer counterfeit products,” Amazon VP Dharmesh Mehta wrote in a blog post yesterday.

Counterfeiting is a longstanding problem on Amazon. Other problems on Amazon that harm consumers include the sale of dangerous products, fake reviews, defective third-party goods, and the passing of bribes from unscrupulous sellers to unscrupulous Amazon employees and contractors. One US appeals court ruled in 2019 that Amazon can be held responsible for defective third-party goods, but Amazon has won other similar cases. Amazon is again arguing that it should not be held liable for a defective third-party product in a case before the Texas Supreme Court that involves a severely injured toddler.

Amazon tries to reassure legit sellers

Amazon’s new report was meant to reassure legitimate sellers that their products won’t be counterfeited. While counterfeits remain a problem for unsuspecting Amazon customers, the e-commerce giant said that “fewer than 0.01 percent of all products sold on Amazon received a counterfeit complaint from customers” in 2020. Of course, people may buy and use counterfeit products without ever realizing they are fake or without reporting it to Amazon, so that percentage may not capture the extent of the problem.

Amazon’s report on counterfeits describes extensive systems and processes to determine which sellers can do business on Amazon. While Amazon has argued in court that it is not liable for what third parties sell on its platform, the company is monitoring sellers in an effort to maintain credibility with buyers and legitimate sellers.

Amazon said it “invested over $700 million and employed more than 10,000 people to protect our store from fraud and abuse” in 2020, adding:

We leverage a combination of advanced machine learning capabilities and expert human investigators to protect our store proactively from bad actors and bad products. We are constantly innovating to stay ahead of bad actors and their attempts to circumvent our controls. In 2020, we prevented over 6 million attempts to create new selling accounts, stopping bad actors before they published a single product for sale, and blocked more than 10 billion suspected bad listings before they were published in our store.

“This is an escalating battle with criminals that attempt to sell counterfeits, and the only way to permanently stop counterfeiters is to hold them accountable through litigation in the court system and through criminal prosecution,” Amazon also said. “In 2020, we established a new Counterfeit Crimes Unit to build and refer cases to law enforcement, undertake independent investigations or joint investigations with brands, and pursue civil litigation against counterfeiters.”

Amazon said it now “report[s] all confirmed counterfeiters to law enforcement agencies in Canada, China, the European Union, UK, and US.” Amazon also urged governments to “increase prosecution of counterfeiters, increase resources for law enforcement fighting counterfeiters, and incarcerate these criminals globally.”

Stricter seller-verification system

Amazon said it had a “new live video and physical address verification” system in place in 2020 in which “Amazon connects one-on-one with prospective sellers through a video chat or in person at an Amazon office to verify sellers’ identities and government-issued documentation.” Amazon said it also “verifies new and existing sellers’ addresses by sending information including a unique code to the seller’s address.”

Most new attempts to register as a seller were apparently fraudulent, as Amazon said that “only 6 percent of attempted new seller account registrations passed our robust verification processes and listed products.” Overall, Amazon “stopped over 6 million attempts to create a selling account before they were able to publish a single listing for sale” in 2020, more than double “the 2.5 million attempts we stopped in 2019,” Amazon said.

The verification process isn’t enough on its own to stop all new fraudulent sellers, so Amazon said it performs “continuous monitoring” of sellers to identify new risks. “If we identify a bad actor, we immediately close their account, withhold funds disbursement, and determine if this new information brings other related accounts into suspicion. We also determine if the case warrants civil or criminal prosecution and report the bad actor to law enforcement,” Amazon said.

Amazon monitors product detail changes for fraud

One problem we wrote about a few months ago involves “bait-and-switch reviews” in which sellers trick Amazon into displaying reviews for unrelated products to get to the top of Amazon’s search results. In one case, a $23 drone with 6,400 reviews achieved a five-star average rating only because it had thousands of reviews for honey. At some point, the product listing had changed from a food item to a tech product, but the reviews for the food product remained. After a purging of the old reviews, that same product page now lists just 348 ratings at a 3.6-star average.

Amazon is trying to prevent recurrences of this problem, saying in its new report that it scans “more than 5 billion attempted changes to product detail pages daily for signs of potential abuse.”

Amazon also provides self-service tools to companies to help them block counterfeits of their products. Amazon’s report said that 18,000 brands have enrolled in “Project Zero,” which “provides brands with unprecedented power by giving them the ability to directly remove listings from our store.” The program also has an optional product serialization feature that lets sellers put unique codes on their products or packaging.

The self-service tool only accounts for a tiny percentage of blocked listings. “For every 1 listing removed by a brand through our self-service counterfeit removal tool, our automated protections removed more than 600 listings through scaled technology and machine learning that proactively addresses potential counterfeits and stops those listings from appearing in our store,” Amazon said.

Continue Reading

Biz & IT

Hackers who shut down pipeline: We don’t want to cause “problems for society”

Published

on

Enlarge / Problems with Colonial Pipeline’s distribution system tend to lead to gasoline runs and price increases across the US Southeast and Eastern seaboard. In this September 2016 photo, a man prepared to refuel his vehicle after a Colonial leak in Alabama.

On Friday, Colonial Pipeline took many of its systems offline in the wake of a ransomware attack. With systems offline to contain the threat, the company’s pipeline system is inoperative. The system delivers approximately 45 percent of the East Coast’s petroleum products, including gasoline, diesel fuel, and jet fuel.

Colonial Pipeline issued a statement Sunday saying that the US Department of Energy is leading the US federal government response to the attack. “[L]eading, third-party cybersecurity experts” engaged by Colonial Pipeline itself are also on the case. The company’s four main pipelines are still down, but it has begun restoring service to smaller lateral lines between terminals and delivery points as it determines how to safely restart its systems and restore full functionality.

Colonial Pipeline has not publicly said what was demanded of it or how the demand was made. Meanwhile, the hackers have issued a statement saying that they’re just in it for the money.

Regional emergency declaration

In response to the attacks on Colonial Pipeline, the Biden administration issued a Regional Emergency Declaration 2021-002 this Sunday. The declaration provides a temporary exemption to Parts 390 through 399 of the Federal Motor Carrier Safety Regulations, allowing alternate transportation of petroleum products via tanker truck to relieve shortages related to the attack.

The emergency declaration became effective immediately upon issuance Sunday and remains in effect until June 8 or until the emergency ends, whichever is sooner. Although the move will ease shortages somewhat, oil market analyst Gaurav Sharma told the BBC the exemption wouldn’t be anywhere near enough to replace the pipeline’s missing capacity. “Unless they sort it out by Tuesday, they’re in big trouble,” said Sharma, adding that “the first areas to hit would be Atlanta and Tennessee, then the domino effect goes up to New York.”

Russian gang DarkSide believed responsible for attack

Unnamed US government and private security sources engaged by Colonial have told CNN, The Washington Post, and Bloomberg that the Russian criminal gang DarkSide is likely responsible for the attack. DarkSide typically chooses targets in non-Russian-speaking countries but describes itself as “apolitical” on its dark web site.

Infosec analyst Dmitry Smilyanets tweeted a screenshot of a statement the group made this morning, apparently concerning the Colonial Pipeline attack:

NBC News reports that Russian cybercriminals frequently freelance for the Kremlin—but indications point to a cash grab made by the criminals themselves this time rather than a state-sponsored attack.

Dmitri Alperovitch, a co-founder of infosec company CrowdStrike, claims that direct Russian state involvement hardly matters at this point. “Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,” he said.

DarkSide “operates like a business”

This sample threat was posted to DarkSide's dark web site in 2020, detailing attacks made on a threat management company.
Enlarge / This sample threat was posted to DarkSide’s dark web site in 2020, detailing attacks made on a threat management company.

London-based security firm Digital Shadows said in September that DarkSide operates like a business and described its business model as “RaaC”—meaning Ransomware-as-a-Corporation.

In terms of its actual attack methods, DarkSide doesn’t appear to be very different from smaller criminal operators. According to Digital Shadows, the group stands out due to its careful selection of targets, preparation of custom ransomware executables for each target, and quasi-corporate communication throughout the attacks.

DarkSide claims to avoid targets in medical, education, nonprofit, or governmental sectors—and claims that it only attacks “companies that can pay the requested amount” after “carefully analyz[ing] accountancy” and determining a ransom amount based on a company’s net income. Digital Shadows believes these claims largely translate to “we looked you up on ZoomInfo first.”

It seems quite possible that the group didn’t realize how much heat it would bring onto itself with the Colonial Pipeline attack. Although not a government entity itself, Colonial’s operations are crucial enough to national security to have brought down immediate Department of Energy response—which the group certainly noticed and appears to have responded to via this morning’s statement that it would “check each company that our partners want to encrypt” to avoid “social consequences” in the future.

Continue Reading

Trending