Category Archives: Security and Privacy

Reporting fake Facebook profiles (group post bumping)

Posted on by

Facebook Group Post Bumping

Spammers or trolls like to bump posts on Facebook groups so that they push down other legitimate posts. It could be for ideological, monetary or trolling reasons.

This section looks at stopping post bumping on a group that’s done by a Fake Profile. This is a group member (we’ll call BUMPER) who may or may not have blocked the admins (or blocked the “victim”) but what the BUMPER does is create a fake profile and copy the profile image and name from a “victim”  then post and delete the post and then deactivate their account.

All the group members see is the “victim” posting on the group but can never find the post (as it is deleted) but the effect is that the post is bumped to the top of the group recent posts.  If the victim is a trusted commenter then the other group members then think the post was important. In effect the bumper is stealing the reputation of the victim.

Or the bumper is a troll and is trying to get other legitimate people deleted from a group. The group members complain that the “victim” is bumping posts. The admins then send a warning to the “victim” (who will obviously deny they bumped the thread as they didn’t ). If the BUMPER keeps bumping posts using the victim fake profile details then eventually the admins would probably give up and block the “victim”. The bumper then updates their profile name and picture to their next victim and the cycle repeats.

To trap this you have two ways:

Finding and Reporting Fake Profile

The first way is to get the image location of the fake profile image and extract the Facebook ID from the group notifications. You need to turn on notifications for all posts on the group. Then when the bump happens then you will see the post notification with the fake profile image. You need to not click on the notification but identify the  “background-image: url(‘   ‘); details. This varies by browser but you right-mouse and “inspect element” or you can look at the page info and under media hunt for the relevant background image and then copy that image url. If you have no idea what this is then get a IT/web friend to help.

Here is a example fake profile image (I have changed the URL),
hxxps://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/t1.0-1/c0.0.56.56/p56x56/10561831_1556141646027754_1263222964170380984_s.jpg

You can see 3 sets of decimal numbers between underscores and the Facebook ID (fbid) is the middle set of numbers between the underscores e.g. 1556141646027754

To visit this profile simply visit, facebook.com/1556141646027754  i.e. facebook.com/fbid

If the page is NOT visible then they have Deactivated their profile. Before you ask they have NOT blocked you because if they blocked you then you would NOT see the fake post notification.

You now have to wait and pounce. You have to work out the pattern of  bumps. If it is utterly random then a bit of a problem but if it is triggered on e.g. legitimate posts rising to a top of a group and then immediately that happens the BUMPER bumps a stale post then you may be able to see their profile.

When you do get through then you see a timeline that will contain images and profile picture copied from the real profile and you quickly need to report the profile as a Fake that is impersonating you. If you see the page and then it goes then the person is deactivating the profile. You need to retry until you trap them in the Facebook reporting system.

Post bumping but no notifications

If you see post bumps but there is no notifications then you or the fake profile has a block. If others (or admins) are complaining that YOU are bumping posts then that means a fake profile is imitating you and has blocked you. You need the admins or others to get the fbid and then get them to do the step above with finding the Facebook ID.

Admins trapping posts

If as an admin you see post bumping and deleting then as an admin you need to have an idea when it happens and then switch the group to admin approval only. Then the BUMPER post will be trapped in the admin approval queue and can’t be deleted. If the admins can’t see the details then that means they are blocked so they need to promote someone else and then get that someone else to block permanently (and ideally report to Facebook). Whoever does the ban/block need to verify they are blocking the fake profile and not rely on the name.

If the group is a busy one then this may be tedious and you may have to revert to Finding the Fake profile ID and then find the name in the group member list and verify the target is the fake profile (by examining the facebook ID name) and then block that fake profile.

Removing Delta Search Open Tab in Internet Explorer and Firefox

Posted on by

Delta Search is ad-ware that hooks into your browser experience. It appears to leave behind a few bits when it is removed. The last bit to remove that I found is that Delta Search is launched when you open a new tab in Internet Explorer or Firefox.

For Windows Internet Explorer: in Windows use regedit then you can search for delta-search
The change is,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs

which should be as a default,

res://ieframe.dll/tabswelcome.htm

For Firefox: in Firefox go to the special URL about:config and find the parameter,

browser.newtab.url      

which should be

about:newtab

Opera Start tab doesn’t work in the same way so it doesn’t have this issue.

Using multiple avatars and your right to privacy

Posted on by

Over the years we have taught many people to use the Internet and they have gone from nothing to active users. We mainly focus on the older person and they have some very specific usability issues and use cases such as planning and booking flights, booking tickets, booking hotels, buying books/eBooks, movies or music and using VOIP-like systems as well as traditional email.

We’re very proud of getting some people who have never had an email address and who relied on a lot of walking or phoning about to have them being able to plan, book and pay for trips to see their friends; all online from their home. It’s a really nice feeling to get things like videochat going so they can talk and see their grandchildren on the other side of the world or to take and upload photos rather than developing and posting hard copy prints.

Naturally they are fearful of phishing and identify theft and they have a reason to be as they actually have money that could be stolen.

Children have different concerns: Now we don’t have much demand to teach children as that is the other way around – they are taught at school and have no problems with being online, they don’t have much money or credit cards but do have a risk of identity discovery and potential abuse that could follow from that with cyberbullying or people socially engineering them to revealing parent’s details (like parent credit card details).

Our approach is to teach people, old and young, to maintain multiple online identities. We say that they are in control here of their data and not the other system. Make it like a game so the created names are something like an amalgam of characters they like. They also have their real identity that parts are only known to friends they meet in real life and obviously real data needs to be given to companies for credit card purchases or plane tickets but for every other system then use one or more avatars: the decent of a human to the Internet.

This works well with children as they love character acting and especially as every modern electronic gadget wants Internet access. Our own children’s Playstation3 for instance has nothing on it that could ever be of any use to someone socially engineering our children online. Everything from names, dates of birth, address or ZIP/Postcodes, email addresses can and is made up. So who cares ?

Well the government and the online companies seem to care. Their approach is that children need parents permission and they imply that the private data that the person should provide is accurate and that they will keep it safe. Companies want data they can sell that points back to real people and the Government just wants to do whatever governments want to do.

No, sorry, a better approach is for the person, the parent and the child to collude and give out nonsense data that allows them to use a service but the data is of little relevance as data outside of that service. The loss of data by the company becomes irrelevant as the theft has no relationship to the person’s actual physical identity or real person. By getting into a mindset that nothing online is what it seems then you instil the idea of do not trust anything unless you can verify your trust.

 

Using DNS TXT records to effect EU/UK cookie law

Posted on by

It struck me that the most logical way of expressing what policy you have for a web site for the use of cookies or personal data is to detail this policy within the DNS records that a person (or their device) must look up BEFORE they hit your site. A bit like how SPF records detail email delivery policy for your systems and recipients can use this (or ignore it) when they look at emails that are claimed to be from your domains.

The suggestions of using web page forms or pinch pages or similar requires both the site operator and the site user to do things for no logical and practical gain to either party.

So how would this work ? Well you would add a TXT record that has an expiry and for each CNAME or A record or a default, it would list either a URI to a privacy policy which would include details on cookie use and/or a set of flags on cookie use the URL of the policy is a bit like the CRL within SSL)..

The user, before they visit the web site thus has the opportunity to examine the privacy and cookie use policy without actually visiting the web site.

Actually we know anonymous web site users won’t give two flying ducks about what cookies our web sites use given they probably already use anything from ad blocking software to browsers within virtual machines, but for some bizarre reason the UK Information Commissioner’s Office (ICO) has managed to gold-plate an equally bizarre EU cookie directive.  Yes the ICO is the same group that gets everyone who handles personal data from babysitters through to government departments to pay either Tier 1 of  £35 or Tier 2 of £500 (if you have 250 or more employees and £25.9 million revenues – yes logic isn’t their strong point) but the ICO doesn’t have an online payments system nor can it take credit/debit cards so you end up having to print out the forms you just filled in online and send those with your cheque or you can use a direct debit from your bank account only they can’t actually do direct debits if you had to pay a Tier 2 £500 fee. In sharp contrast the Companies House that is the regulator and registrar for companies does everything online and you can renew your annual company registration for the grand sum of £14 online as well.

Changing Joomla! MySQL user password without outages.

Posted on by

Changing your Joomla! MySQL database password without a loss of service is done as follows,

1) Open  the existing configuration.php file for Joomla! (found in your web site root) and print or save the details. This gives you a backup copy.

2) Use your cpanel (generally cpanel but there may be other hosting backends to access the MySQL database users) and add a new database user with a suitably strong password. Take care here and observe the cpanel error messages. Unless the password is strong enough it won’t save the values.

3) Assign this new MySQL database user to your existing Joomla database with all privileges.  Thus it is running in parallel with the existing MySQL database user.

4) Now edit the configuration.php file for Joomla! (found in your web site root) and change the two entries,

$db =
$password =

to these new MySQL database user values and then save that file back to the server. Joomla! will now be using this new database user.

5) Then you must verify this is true by going into the administration for Joomla and looking under Site -> Global Configuration ->Server and seeing that the database settings username is the new username.

6) If so then use cpanel to delete the old MySQL username or at  the very least change the password to something new.

Why do it this way – why not just change the MySQL database password ?  Because of timing, you cannot change the MySQL database password and the configuration.php file instantaneously. By adding a new database user that is waiting to be used and then changing Joomla configuration there is no loss of service and you can easily verify that it is working on the new setting by checking the Joomla administration screens.

A third party ideally should not know your MySQL passwords or be able to access your MySQL databases remotely but on shared hosting where there is just one MySQL engine running then any account on that machine can access your databases if they knew the database and username and password details.

Using write-locked SD cards when virus hunting on Windows PCs.

Posted on by

Sometimes you want to check a client Windows PC that is suspected of having a virus and you want to install software that the Windows machine doesn’t have installed e.g. ProcessExplorer or SiSoft Sandra or similar as part of your preliminary checks.

You should keep  the suspect Windows PC away from the Internet so you want a safe way to quickly copy software.  Obviously this is now USB keys but all cheap USB keys I know of don’t have a “write-protect” switch. If there is a virus you want to prevent it copying itself to your USB keys else you’ll make some mistake and could end up with a Windows virus moving around your Windows test systems.

The easiest way to get a cheap write-protected USB key is to use a low cost SD card like you would use in a camera and a SD-USB adapter. Most, if not all, SD cards have a write-protect switch and SD to USB adapters are cheap. Load all your software that you expect to use onto the SD card, set the write-protect switch to lock and then plug this into  the USB adapter and then you can safely plug that into the suspect machine and start your investigations.  As far as I know the write-protect logic is part of  the SD reader so few viruses would be able to override that without a good understanding of that device driver and truthfully if you’ve got something that ingenious then a high level process view of such a Windows PC will probably find nothing amiss.

 

UK Information Commissioner

Posted on by

The UK Information Commissioner’s Office is the independent regulatory authority whose role from our point of view is as the registrar for Data Protection and privacy in the UK. With the soft launch of Life Sign Press then we’ve moved from being a data processor to a data controller.

With the few queries that we have sent the ICO they have replied back with satisfactory answers. Their web site for registration is good (with one annoying flaw *see later on) but you really have to know exactly,

  • what data you plan to collect on the public,
  • how you plan to store and process this data,
  • what you plan to do with the data,
  • how you plan to secure the data and
  • how you plan to get rid of the data.

This is not decided on a whim and this is not a one-off project.

Both Security and Privacy are processes not projects. Expect to be paying for these for the rest of your business life and this cannot be avoided without significant penalties if you get caught.

Open Mutual has had years of experience with handling client data and use of crypto and we can help you with this process too.

* the one flaw is that you have to print the forms that they have created and then send them by post along with your cheque.