With the large number of tech stories that have been happening so far this year, I’ve decided that there was too much important topical stuff to only cover one thing per week.
To fix that, I’ve decided to do a catch-all article at the end of this month. Depending on how things go in the coming months, this may or may not be a regular occurance.
February Security News:
Most of the items in this month’s round-up involve security – I predict this will be a common theme in many of these articles, but I would not be upset to be wrong about this.
Ring Cameras
There was a pretty big news story earlier this month, when the Electronic Frontier Foundation (EFF) released a story about an investigation into the Ring doorbell app on Android and found it contained several third-party trackers.
The trackers are for Facebook, Branch.io, AppsFlyer, and MixPanel.
All of these trackers get unique identifiers so that companies can track specific device usage history, but some can get more specific information. AppsFlyer can get information from your device sensors, Facebook gets information about your device and information about app usage (even if you have no Facebook account), and MixPanel gets information about the user’s name, email address, Bluetooth, the number of locations a user has Ring devices installed, and more.
The data was sent to the third-party services using encryption, which is good for security, but makes it harder to tell precisely what is sent. This is made more troubling by the fact that only MixPanel was on the list of third-party services in Ring’s Terms of Service.
Why Ring would not inform users about the data collection done by its own app is anyone’s guess.
If you have a Ring app running on an Android phone, you should read the full report.
Chrome Extensions
While they seem innocuous, extensions to the Chrome (and Firefox) browser can do quite a bit of damage.
Most of what people do on their computers today is done in the browser, and if the Avast/AVG situation showed us anything, it’s that Chrome extensions can suck up a large amount of sensitive data.
The Avast extension wasn’t the only one to watch out for, though.
Jamila Kaya, a security researcher, worked with Duo Security and identified 71 Chrome Web Store extensions (with more than 1.7 million downloads) that were uploading private browsing data without the user’s knowledge or consent.
After reporting these findings (privately) to Google, Google did some more digging and found more than 430 additional extensions that were doing similar behavior.
Google removed the offending extensions from its web store and users that had a malicious extension installed received a notification than the extension contained malware and it was automatically disabled.
The moral of the story – beware of unnecessary Chrome (or Firefox) extensions. Just like you shouldn’t install or download random files from the internet, don’t install random plugins!
One small note: this is one of the places ChromeOS is very vulnerable. With Android app support still flaky sometimes, many people (me included) resort to Chrome browser extensions for certain tasks. I’m definitely rethinking that idea!
WordPress Vulnerabilities
Nothing new, but if you have WordPress this is a(nother) reminder about how important it is to keep it up-to-date.
The big plugins that got hit this month:
- ThemeGrill
- ThemeRX
- Duplicator
These disclosures are all varying degrees of very bad (i.e. someone can take over your entire site) so if you have any of these on your WordPress site, make sure to update (or remove) them today.
Like I’ve said before, the biggest vulnerability for any site (but especially WordPress) is unnecessary or out-of-date plugins, so make sure you keep yours up-to-date.
I do WordPress management for individuals and small businesses, so if you want someone else to manage your site, get in touch with me.
More information on each of these vulnerabilities:
Privacy
This section is covering privacy-related matters that I think were important (or overlooked).
Facebook Off-Site Activity Portal
After years of tracking users both on-and-off its site, Facebook is finally showing people (some) of what they’ve been collecting.
The Off-Facebook Activity portal gives users a more detailed look at the data it collects from other sties.
From this portal (which you can get to directly by clicking here) you can delete your history. This does not disconnect future activity, though.
To disable future activity, you have to individually select the services, and turn them off one-by-one. Additionally, even with the service off, your activity from that service will still be sent to Facebook. It just won’t be associated with your account (yeah, right).
I trust Facebook 0% to actually honor what they say, since they have a long history of making these kinds of “mistakes” with data.
Remember, also, that once they feed 3rd-party site data into their algorithm, it doesn’t really matter that the data is deleted – they’ve already gotten all the use out of it they need.
It’s also worth noting that Facebook tracks the off Facebook activity of even non-users. How can non-users delete their Off-Facebook data without logging into Facebook? They can’t.
Miscellanious
The FCC Uses Bad Data
The FCC claimed 21.3 million American’s live in areas without access to fixed broadband connections (more than 25 Mbps down and 3 Mbps up), but the real number is probably twice as high.
A study by BroadbandNow, a company that provides an online tool for checking high-speed internet availability, shows the disparity.
It seems that if one home in a census block has access to these speeds, the FCC counts the entire census block as having access to broadband. Since a census block has an average of 4,000 people living in it, this can quickly distort the actual availability of high-speed internet.
The FCC knows this, since they voted in August of 2019 to require ISPs to send in more detailed maps of their service, instead of only reporting in census blocks. Of course, this lack of correct data isn’t stopping FCC Chairman Ajit Pai from distributing $16 billion dollars (of a $20.4 billion fund) to rural ISPs with no high-speed internet.
The remaining part of the fund will be allocated to under-served areas, but I can’t help but wonder if more homes could be connected by starting with under-served areas.
