SDL Episode57

From Paul's Security Weekly

Secure Digital Life #57

Recorded on March 27, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Coming soon!

Hosts

  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Russell Beauchemin
    Cybersecurity & Network Security Program Advisor and Director of Instructional Support & Learning Innovation at Roger Williams University.
  • Topic:

    Facebook: We hardly knew ye.

    BSIDES Orlando Shootout at Full Sail Live on 7 April. You really need to get to this. Check out bsidesorlando2018.eventbrite.com and bsidesoirlando.org. Students are free with your ID. Labs, speakers, challenges. What's not to like?

    RSA -- I will be speaking at RSA 2018 in San Francisco on the 18th of April so be sure and come by. I will be there shooting SDL on Tuesday at the NetSparker booth so if you want to see the show live, now's your chance. I am speaking at 8 am on the 18th but the show will be there on the 17th at the Marriott Marquis.

    So, facebook. What a mess, but hey, you knew that, right? You signed the agreement, you clicked the box, you have agreed to be part of a human centipede. What are you gonna do?

    Facebook sold your data. Thanks Zuck. They did, they always did, they have been doing it all along. That's how they make money. Why do you think Zuck lives in that mansion and the Winklevoss twins are jealous? Because he is making lots of money.

    Ok, ok. Let's talk about the details.

    First -- Mad Men

    Then, Cambridge Analytica -- this is a UK company that does Big Data analytics. Explain big data.

    They bought/obtained/acquired/scraped, I don't know, supposedly 50 million users' data from fbook. Not a hack, but using the API!!!!! (remember, an API is a library of tools that allows developers to access things across a platform)

    Basically, it's like this: You want to play farmville, so you click "ok". When you do that, you likely also clicked an "accept" or something that agreed to ten pages of legal text about rights and use etc. We all do it all the time. But did you read the agreement? Did your five attorneys read it and try to determine what was going on? Probably not. So, you most likely just told farmville that it could access your profile.

    Now, your profile... Click the down triangle, settings, click "download a copy of your facebook data" (start my archive) and facebook will download all your info for you and you can examine it. This is what they have on you. You will be astounded. Facebook tracks your posts, likes, friends, all their information basically; it's massive surveillance. But that's not the end.

    In mine: 158 MB. My email, my PO Box, my mobile, my birthday, my wife's name, my father's name, my niece's name, places I worked, a massive list of music, Dr. Zoidberg. Books I liked, movies I liked, television I liked, a giant list of things I like, the fact that apparently my favorite athlete is Julia Mancuso, my favorite restaurant is Founding Farmers, that I love Claire Fleury Clothing, and that I admin a page called Namshub of Enki. That's just a small part. Creepy, and a lot of it makes no sense.

    How facebook makes money. They sell this stuff. Back to big data. What if I could predict your behaviour (shout out to PKD for Minority Report, no, not the lousy movie)? Think about it like this. What if you are a member of "Firefly Fanclub", "Buffy fanclub", and you like Joss Whedon's page? Well, that's big data. If I can predict that you may like a new show called "Buffy the Reaver Hunter", then I can target you. But Big Data is more than that. Big data is about lots of numbers. If I can process massive numbers, my statistics get better. Take it a step further. What if Wintermute and Neuromancer can review hundreds of millions of actions, from clicks to likes, to everything you did on an app? (get paranoid and cover up your cam so they can't see where your eyes are looking). AI can start to find patterns in the data that you didn't expect. So, maybe I figure out that people who clicked an ad for Gin, love sloths, work in New England, own a cat, have a podcast, and are interested in phone hacking, often also like sappy romantic comedies. If I can narrow my market segment, I just saved a LOT of money because this is now "targeted marketing". (mention old cigarette ads and market segmentation). Marketing companies pay a LOT of money for this kind of thing.

    So, what about elections (Do not congratulate)? What if I want a candidate to win because I was hired to market them? Nothing bad, no politics, just basic facts. Red, blue, it doesn't matter. Ok. What if I knew that a market segment would vote for my candidate. What if my candidate should wear a confederate flag tie or a hat supporting the Red Sox? If I can both determine who will vote for my candidate, how my candidate should behave to get certain votes, but also which voters and where will vote for certain things, Wintermute can go through it all and develop a segmented strategy where I maximize my spending on ad buys! Eeek. Money in politics, say it ain't so. But it works. Humans are stupid and easy to manipulate.

    Whew! So, all this leads to what all did Facebook do. Well, apps can extract information and share information because you gave permission. CA did just that. Wrote an app that talked to other apps and asked for their data. Suddenly, you have a massive target database to let your AI work on. So, now I can tell candidate X to put on a Red Sox cap and wear a blue tie and they will win district Z. In district C, they talk about the need for controls on Wombat breeding to prevent Wombat abuse and wear a Cubs hat. In district D, they don't wear a tie, smoke a pipe, and talk about IPAs. This is nothing new, it's just a new way to collect information about who you are. It was also apparently used to manipulate people using false information as well. What if I know that in District C they really hate the Piggers football club. I mean hate them. They are fans of the Baconeers. So, I make a meme showing the opponent wearing a Piggers hat and talk about how the opponent is not only a Piggers fan but is probably working for the evil owner of the Piggers. Boom. Again, nothing new, but a very rapid and nasty way to do it. (Zuck will apologize, promise to never do it again in a charming way, and then do it again).
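To make the "big data" point above concrete (the gin/sloths/New England example and the district-by-district targeting), here is an added toy example, not from the show or from any Facebook or Cambridge Analytica code: it takes a handful of constructed profile records of the kind an app with profile access could read and ranks attribute combinations by how strongly they predict one more like, which is exactly the inference that turns "likes" into a targetable segment. The profile data, attribute names and the `min_support` threshold are all assumptions made up for the example.

```python
from itertools import combinations

# Constructed sample profiles (not real Facebook data). Each set holds the
# kind of attributes an app with profile access could read: an ad click,
# page likes, region, pets. The target we try to predict is "likes:romcom".
PROFILES = [
    {"ad:gin", "likes:sloths", "region:new-england", "likes:romcom"},
    {"ad:gin", "likes:sloths", "region:new-england", "pet:cat", "likes:romcom"},
    {"ad:gin", "region:new-england", "likes:romcom"},
    {"likes:sloths", "region:texas", "likes:action"},
    {"ad:gin", "region:texas", "likes:action"},
    {"pet:cat", "region:new-england", "likes:action"},
    {"ad:gin", "likes:sloths", "pet:cat", "likes:romcom"},
    {"region:texas", "likes:romcom"},
]

def support(profiles, attrs):
    """Count profiles that contain every attribute in attrs."""
    attrs = set(attrs)
    return sum(1 for p in profiles if attrs <= p)

def lift(profiles, segment, target):
    """P(target | segment) / P(target): above 1 means the segment predicts the target."""
    seg = support(profiles, segment)
    if seg == 0:
        return 0.0
    p_target_given_seg = support(profiles, set(segment) | {target}) / seg
    p_target = support(profiles, {target}) / len(profiles)
    return p_target_given_seg / p_target

def best_segments(profiles, target, max_size=2, min_support=2):
    """Rank attribute combinations (up to max_size) by lift toward target.
    min_support drops combos seen in too few profiles: more profiles, more usable segments."""
    universe = set().union(*profiles) - {target}
    ranked = []
    for k in range(1, max_size + 1):
        for combo in combinations(sorted(universe), k):
            if support(profiles, combo) >= min_support:
                ranked.append((lift(profiles, combo, target), combo))
    ranked.sort(key=lambda r: (-r[0], r[1]))   # highest lift first, then by name
    return ranked

def audience(profiles, segment):
    """Indices of the profiles an ad buy for this segment would be shown to."""
    return [i for i, p in enumerate(profiles) if set(segment) <= p]

if __name__ == "__main__":
    for score, combo in best_segments(PROFILES, "likes:romcom")[:5]:
        print(f"lift {score:.2f}  segment {combo}  audience {audience(PROFILES, combo)}")
```

With only eight made-up profiles the top segment ("ad:gin" plus "likes:sloths") already reaches the maximum possible lift, which is why the data an app can pull from your profile, not a hack, is the whole story.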

    Russ is going to show us how to look at the apps we have enabled and control the way they work with some permissions.

    [Russ Here]