Tag: security

Facebook for Business:  Use at Your Own Risk?

COVID-19 shutdowns naturally affected some businesses more acutely than others, and many who felt the sting turned to entrepreneurism. Some saw new ventures as their only options, while others viewed the crisis as a forced opportunity to try something they had long dreamed of pursuing. No matter what motivates people to take that career leap, it’s a safe bet that nearly every entrepreneur will make more extensive use of internet platforms like Facebook to promote and/or directly sell their products or services.

The opportunity for low-cost, DIY entrepreneurism has always been one of Big Tech’s most effusive promises. And in fairness, many self-starters, from jewelry designers to storytellers, do successfully use free platforms to attract fans and customers without the need for intermediaries or costly infrastructure—or even a unique website in many cases. But what the major Silicon Valley companies failed to mention, of course, is that the ways in which they built their platforms and their business models on a laissez-faire approach to online moderation also created new opportunities for entrepreneurs in hacking, identity theft, piracy, and scams.

In a recent example, I know of one an old school friend (we’ll call her Sally) whose storefront business was critically affected by COVID shutdowns, and among the choices she made in response was to launch a podcast series. Whether she expects the podcast itself to eventually generate revenue, or simply to be a vehicle that will keep her in touch with the market while she rebuilds the original business does not really matter. It was a new venture, and people started tuning in, and like any self-starter, she would see where the podcast might lead.

But a few weeks ago, Sally announced that both the Facebook page she had created for the podcast and the page for the original business were hijacked, apparently by foreign actors. The hackers took over the admin for Sally’s pages, renamed them, and (it appears) began promoting a completely unrelated line of products to a foreign market. Why the hackers slaved her pages, which did not have thousands of followers, rather than create their own Facebook presence is unclear, but what is clear is the remedy Facebook was willing to offer when Sally contacted them for help:  not a damn thing.

To put it bluntly, Facebook told Sally she wasn’t a big enough deal for them to do anything for her, and the implications of this Emperor’s New Tech Support should be chilling to every entrepreneur on the platform, whether they’re small retailers or artists. Facebook informed Sally that they could have helped her if her page were “verified,” which does not seem to mean much because bullet point Four under the requirements to receive a “verified” badge is that the user must be “Notable: Represent a well-known, often searched person, brand or entity.” So, a big deal then.

Facebook makes a fortune from the commercial uses of its platform, and it promotes those features to everyone, but apparently without any obligation to support everyone. Why the hell not? A company with the computing power and influence of Facebook ought to be able to at least shut down a hacked page, if not fully restore it to its rightful administrator. And if this really cannot be done, the company should be required to post a warning label for less “notable” users informing them that they’re basically on their own when it comes to security.

Meanwhile, I have seen friends put in “Facebook jail” for making jokes its moderators (or algorithms) don’t understand. In fact, my colleague David Lowery made a Bugs Bunny reference about “Killing the Wabbit” in one of his posts, and some Magoo flagged it for inciting violence and gave David a time out to think about his behavior. It seems to me that if Facebook can screw up so exquisitely and with such granularity that it homes in on a single Looney Tunes reference, the company has the ability and obligation to help the Sallys of the world recover their pages from hackers.

In no other context would consumers tolerate a company declaring that it has built a system too big to manage. Nowhere in Facebook’s promotion of its commercial services do we see bold, red warning signs that say Use at Own Risk. The reasonable expectation in the market remains that when a company sells something, it bears certain obligations to its customers. My bank has tens of millions of customers worldwide, and I am by no means a “notable” customer. But if a fraudulent use of my card were to occur, it will be immediately and effectively addressed, and the bank will even eat the fraudulent charges. So, really? Facebook can’t help victims of hackers get their pages back? Really?

Illustration by: VIGE

Piracy is increasingly hazardous, says Digital Citizens.

I imagine most people, whether they’re users of pirate sites or not, haven’t paid much attention to the growing number of safety warnings associating content theft with identity theft and related crimes against consumers.  For one thing, the whole idea of media piracy itself has, for too long, enjoyed undeserved credibility as a so-called victimless crime performing a social good broadly described as “sharing.” Or it’s been framed in economic terms by various pundits as a natural market reaction to outdated distribution and pricing models. And more than a few notable Internet activist organizations have either explicitly or implicitly evangelized the notion that piracy is fundamentally free speech, which enables said activists to label various efforts to mitigate piracy as “chilling speech.”

But over the last year or so, several studies have been conducted—I believe I have cited most of them—which demonstrate that piracy is one thing for sure:   dangerous.   Anyone with a computer, a bank account, a business, children, etc. should probably set aside both their preconceived attitudes and their ambivalence on the subject of piracy and read this new report commissioned by Digital Citizens Alliance (DCA) and conducted by RiskIQ.  Here’s just one hypothetical scenario that can happen to anybody:

You don’t visit pirate sites yourself, but your kid might without your knowledge, or even without necessarily knowing what he’s doing. Maybe he was just looking for mods for Minecraft or innocently trying to watch some anime cartoon, and you’ve never worried much whether he’s visiting legal or illegal sites.  But simply by stumbling onto a pirate site, this new DCA report indicates that your kid is at least 28 times more likely to infect the family computer with malware that can be used to drain your bank account, slave your computer for ad fraud (as described in my recent post citing the IAB report), or seize control of your computer to hold for ransom with a 72 hour window to pay several thousand dollars or kiss your data goodbye.

The DCA/RiskIQ report is aptly named Digital Bait in that it studies a growing sophistication among cybercriminals in the use of content theft sites—and presumably even misleading “free content” links—to hook users by downloading truly insidious malware to their devices. Businesses and entrepreneurs are particularly vulnerable to Denial of Services attacks in which the hacker takes down a website and demands a considerable ransom in order to restore the site to public visibility (y’know in the name of free speech and all).

RiskIQ estimates, just from the sites within the scope of this study, that 12 million U.S. users per month are being exposed to malware attacks, and DCA says this is merely the tip of the iceberg.  According to the U.S. Department of Justice 16.2 million consumers have been victims of identity theft representing financial losses totaling more than $24.7 billion. And the problem is currently growing in both scope and sophistication in the cybercriminals’ ability to use malware to scam their victims.

For instance, one of the more disturbing developments in malware is that a user no longer has to click on an infected link to contract the virus. Called “drive-by-downloads,” the Digital Bait report estimates that 45% of the malware in the scope of its study can be delivered invisibly without requiring the user to click on anything.  The report also indicates that more than half of the malware being delivered are Trojans, and many of these are Remote Access Trojans (RATs), which I discussed in this post after DCA published a report on this relatively unsophisticated form of hacking. Individuals can buy any of several RAT software kits for a few hundred dollars and start controlling a victim’s computer with an easy-to-use graphic interface that requires little-to-no coding skill.  RATs can be used to harvest financial information or to spy on victims, including turning on webcams and microphones. Personal data can then be used for ransom; or IP addresses,  particularly of young girls, may be sold in a black market exchange.

Not surprisingly, the report identifies that all of this growing malware activity is supported by a mature, underground “crimeware economy” operating on the Dark Web.  To quote the report:

“The DarkNet allows individual hacking groups to specialize in specific categories and to earn money for delivery of goods and services to other criminals. For example, one organization may specialize in developing the malware that is installed on consumer devices and sell it on the web. Another organization will be responsible for distributing and installing the malware on consumer PCs or mobile devices. A third group that runs a forum might also purchase stolen consumer credentials and resell them in the DarkNet.”

For years, copyright owners have focused on advertising, which remains the primary revenue source for many of the most popular sites dedicated to providing unlicensed “free” content.  But as the advertising community continues to collaborate on fixing the flaws in digital advertising ecosystem, which cause financial loss and harm to brand value, this  will likely motivate cybercriminals to more aggressively dangle the lure of “free” content to draw consumers into malware traps.

On the other hand, a likely silver lining in this growing relationship between mass copyright infringement and serious harm to consumers is that copyright holders and Internet companies should find common cause in seeking both voluntary and law-enforcement remedies to the problem.  After all, the spread of malware harms the entire Internet economy, and it as much in Google’s interests as it is in the creative industries’ interests to seek solutions.

2_Infographic JPEG

Journalism in the Digital Age with Christopher Dickey (Podcast)

Christopher Dickey has been a writer and reporter for nearly 40 years. He is the Paris Bureau Chief and Middle East Regional Editor for Newsweek Magazine and The Daily Beast. He has worked for The Washington Post and written for several other publications including Vanity Fair,  The New Yorker, and Foreign Affairs.  He is a frequent commentator on CNN, MSNBC, and NPR as well as other radio and television networks worldwide. Dickey is also a member of the Council on Foreign Relations and is arguably one of the world’s non-military experts on terrorism and counter-terrorism.

The author of six books, Dickey’s most recent non-fiction work, Securing the City, details the transformation of the NYPD into the world’s “gold standard” of counter-terrorism operations in the wake of 9/11.  His other books include  The Sleeper and Innocent Blood, both novels; Summer of Deliverance, a memoir of his father, the poet James Dickey; Expats, an account of foreigners living in the Arab world; and his first non-fiction work, With the Contras:  A Reporter in the Wilds of Nicaragua, published in 1986.

With a career that begins well before public use of the Web, Dickey is an old-school journalist who fully embraces the flexibility and editorial potential of new and social media.  His Shadowland Journal blog provides supplementary content corresponding to his columns on terrorism, security, and fanaticism that appear in Newsweek and The Daily Beast; he is an avid user of Twitter, Tumblr, and Facebook. Dickey is among an elite group of journalists I recommend following for anyone who wants to dig below the headlines.  Visit Christopher Dickey’s website.