Wednesday, November 22, 2017
Google has rebutted the European Commission's anti-competitive charges against the ad giant's alleged abuse of dominance in its price comparison, specialised search services, and AdSense businesses. The company—after a number of deadline extensions from Brussels—came out fighting in a blog post penned by Google's chief counsel Kent Walker that was published on Thursday:

"In recent years, we've improved the format of our ads to include more informative displays with pictures, prices, and links where you can buy products. Showing more useful ads benefits us, our advertisers, and most of all, you, our users. That's why we disagree with the European Commission's argument that our improved Google Shopping results are harming competition."

It claimed that EC antitrust chief Margrethe Vestager's charge on the company favouring its own price comparison and specialised search—or, as Google prefers to describe it, "shopping services"—over its competitors carried too "narrow" a definition, arguing that it excluded the "competitive significance" of Amazon and other players in that market. Walker said:

"Our response demonstrated that online shopping is robustly competitive, with lots of evidence supporting the common-sense conclusion that Google and many other websites are chasing Amazon, by far the largest player on the field."

UK price comparison site Foundem—the original complainant in the EC case against Google, which was formally opened in 2010—said it was disappointed with the multinational's response. It said that "Google continues to publicly defend its anti-competitive search manipulation practices by misrepresenting both the charges it faces and the important differences between 'shopping' and 'shopping comparison'." Google—to ram home its argument—added that Brussels' case "just doesn't fit the reality of how most people shop online."
It repeatedly talked about how the ad market is constantly shifting, in comments that appeared to largely ignore the historic nature of some of the EC's charges against Google. "There are hundreds of shopping comparison sites and over the past 10 years, some gained traffic, others lost traffic. Some exited the market, others entered," Walker said. "This kind of dynamic competition is undeniable. Online advertising is evolving rapidly, with companies like Facebook, Pinterest, and many others re-inventing what it means to connect merchants with consumers." He claimed that "a rapidly increasing amount of traffic flowed from our search pages to popular sites like Amazon and eBay as they expanded in Europe." Foundem countered:

"Unfortunately for Google, its continuing protestations about the flourishing fortunes of Amazon and eBay remain the red herrings they have always been. Google does not (yet) have an eCommerce, auction, or merchant-platform service that competes with Amazon or eBay. Therefore, Google does not (yet) have any incentive to anti-competitively penalise Amazon or eBay in its natural search results, and it does not (yet) have any competing service of its own to anti-competitively favour."

Separately in the same blog post, Google also disputed the commission's charge against its AdSense business tactics—though it didn't flesh out the reasons for its beef with Vestager in that particular case. Similarly, Google said that it would respond in the next few days to the commission's charge against its Android operating system. Presumably, this too will publicly rebut the bloc's competition chief.

The commission is now mulling over Google's responses before it decides on how it might proceed on the three separate charges levelled against the ad giant. If fines are imposed on Google, it faces penalties of up to five percent of its annual turnover for each charge—potentially billions of euros.

This post originated on Ars Technica UK
It's apparently possible that a DDoS attack can be big enough to break the internet -- or, as shown in the attack against ISP Dyn, at least break large parts of it. The DDoS attack against Dyn that began Friday went far past taking down Dyn's servers.

Beyond the big-name outages, organizations could not access important corporate applications or perform critical business operations. As one of the largest ISPs in the world, Dyn going offline took down a significant chunk of the DNS, the internet's address directory.

DNS lets users connect to websites and online services around the world using easy-to-remember addresses instead of the server's numeric IP designation.

Thus, when the servers are unavailable, internet users cannot access any of those belonging to organizations that are Dyn customers. "Imagine all the street signs of your city suddenly go blank. No one knows where to go," said Marc Gaffan, general manager of Imperva Incapsula. With DDoS attacks, the tendency is to focus on organizations directly affected.

Thus, when hacktivists target financial services or gaming sites, the victims are those trying to access those applications.

The information is intact, albeit temporarily unavailable. With Dyn, however, the target was core internet infrastructure, which means any organization that relies on Dyn or works with a service provider dependent on Dyn is affected.

Attack on data availability

Information security has three core elements: confidentiality, integrity, and availability. While the focus tends to fall on keeping information safe and ensuring no one tampers with the data, the attack shows that "availability is just as important as the other two elements of information security," said Justin Harvey, a security consultant to Gigamon, a network traffic monitoring company.

Sure, it's a bad day for Dyn, trying to beat back the large volume of junk traffic pummeling its datacenter -- as of Friday afternoon, the company was seeing a third wave of attacks -- and it's frustrating that users couldn't get to the New York Times, Twitter, Pandora, Reddit, Pinterest, and so on. But consider the plight of the IT administrator who has to explain to the rest of the organization that certain corporate applications are unavailable because Okta, the service that handles authentication for those applications, is affected by the outage. Or the marketing teams that couldn't do anything about the empty Twitter widgets on their sites. Imagine the consternation at an e-commerce company when the Shopify apps aren't working. Perhaps service representatives had to field complaints from customers who were unable to complete their purchases because the Shopify-powered shopping carts weren't available or the entire storefront was loading slowly.

The manager was unable to pull weekly sales reports from the dashboard, which would affect business decisions. “It's a network administrator's nightmare.

Everything is working just fine, but no one can find you," Gaffan said.

All IT could do is sit and wait

When the attack is against core internet infrastructure like DNS, the collateral damage is huge.

But as is usually the case with indirect victims, there isn't much they could have done differently. With the growth in size, sophistication, and frequency of DDoS attacks, network administrators have been adding anti-DDoS defenses to their infrastructure.
In this case, none of those measures would have helped (other than Dyn, and it's a solid bet it had made significant investments in this area already) because the attack traffic didn't hit their networks at all.

Enterprises relying on SaaS apps had no choice but to sit and wait and hope their providers got back online as soon as possible. From the SaaS providers' perspective, their options are limited, since again, the attack is happening upstream. However, they may have been able to reduce the impact somewhat if they had multiple DNS providers.

Dyn's domino effect

DNS works as a hierarchy.
Servers query a DNS server for information regarding an address.
If the server doesn't know, the query gets passed on to a server higher in the chain and so forth until finally reaching the authoritative name server. Organizations frequently select name servers in different datacenters; if one datacenter becomes unavailable for whatever reason, the other one would seamlessly pick up the traffic.

Dyn's problems initially affected the East Coast of the United States, but the issues appeared to impact other areas throughout the course of the attack.

Failing over to a different DNS provider gives organizations options, said Imperva Incapsula's Gaffan. In every hierarchy, there is eventually a limit to how high you can go.

Dyn is one of the largest ISPs, which means many smaller providers eventually feed into Dyn's infrastructure. When attacks hit this high, there aren't many alternate players to consider. Organizations that had set a longer duration for the DNS record's Time to Live (TTL) could have possibly seen less impact from Dyn's outage than those with shorter cache periods. With a longer TTL, the various servers would have saved the DNS information locally and avoided going all the way to the authoritative name server for each query.

DNS records with 24 hours TTL, for example, would have been cached for most of the attack and been available to users. Of course, there is a downside from having an overly lengthy TTL -- administrators still have to figure out what makes the most sense for their networks. DDoS attacks are no longer minor inconveniences, nor are they solely used by unsophisticated adversaries.
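The two mitigations the article describes, a long TTL keeping records in resolver caches and a second authoritative provider to fail over to, can be seen together in a small simulation. This is an added illustration, not code from the article or from Dyn; the resolver, the two providers named "primary" and "secondary", the record names and the timings are all constructed for the example.

```python
"""Toy model of DNS caching and authoritative failover during a provider outage.

Added illustration, not code from the article. The resolver, the two
'providers' and the record data are constructed; 192.0.2.x addresses are
the RFC 5737 documentation range.
"""
from dataclasses import dataclass, field


class FakeClock:
    """Manual clock so the simulation does not have to sleep for real hours."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AuthServer:
    """An authoritative name server holding (ip, ttl_seconds) per name."""

    name: str
    records: dict
    up: bool = True

    def query(self, qname: str):
        if not self.up:
            raise TimeoutError(f"{self.name} unreachable")
        return self.records[qname]


@dataclass
class Resolver:
    """A recursive resolver with a TTL cache and a list of providers to try."""

    providers: list
    clock: FakeClock
    cache: dict = field(default_factory=dict)

    def resolve(self, qname: str):
        """Return (ip, source) where source is 'cache' or the provider name."""
        now = self.clock.now
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:      # unexpired cached answer
            return hit[0], "cache"
        for provider in self.providers:           # fall through on timeout
            try:
                ip, ttl = provider.query(qname)
            except TimeoutError:
                continue
            self.cache[qname] = (ip, now + ttl)
            return ip, provider.name
        raise LookupError(f"{qname}: no authoritative server reachable")


def build_records():
    # Constructed zone data: one name with a 24h TTL, one with 5 minutes.
    return {
        "long.example": ("192.0.2.10", 86400),
        "short.example": ("192.0.2.20", 300),
    }


def simulate(outage_after: float, second_provider: bool):
    """Warm the cache, take the primary down, query again after outage_after s.

    Returns {name: source} where source is 'cache', a provider name, or 'FAILED'.
    """
    clock = FakeClock()
    primary = AuthServer("primary", build_records())
    providers = [primary]
    if second_provider:
        providers.append(AuthServer("secondary", build_records()))
    resolver = Resolver(providers, clock)
    for name in build_records():
        resolver.resolve(name)                    # populate the cache
    primary.up = False                            # the outage begins
    clock.advance(outage_after)
    outcome = {}
    for name in build_records():
        try:
            outcome[name] = resolver.resolve(name)[1]
        except LookupError:
            outcome[name] = "FAILED"
    return outcome


if __name__ == "__main__":
    print("single provider, 1h in:", simulate(3600, second_provider=False))
    print("two providers, 1h in:  ", simulate(3600, second_provider=True))
```

Real resolvers differ in one respect the model omits: some keep serving an expired answer while the authority is unreachable (RFC 8767 "serve stale"), which softens the short-TTL case.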

As attackers harness botnets made of IoT devices or launch amplification attacks using NTP and other network protocols, these attacks will get bigger and more damaging.

Experts have long warned that DNS is vulnerable to attack and needs better security.

There must be a change in how DDoS attacks are viewed and an effort to solve the availability problem -- it's very likely attackers are going to use this tactic again in another assault on another day.

LogDog (for Android)

If hackers target a secure website to steal a gazillion passwords, there's really nothing you can do to protect your password. Your best bet is to render that stolen information useless by switching to a new password immediately. Of course, you can only do that if you know about the breach.

The free LogDog (for Android) app monitors your secure accounts and notifies you immediately of any events that suggest tampering.
In-app purchases let you protect multiple accounts at the same website, or add credit card monitoring. LogDog monitors Dropbox, Evernote, Facebook, Google, Twitter, and Yahoo; Twitter support is new since I tested the service last year.

The company tells me that support for Instagram and LinkedIn is in the works. LogDog (for iPhone) doesn't yet have all the features of the Android edition.
I'll review it separately when it's fully up to speed. Note that while you must use a mobile device to receive notifications from LogDog, it tracks access from any kind of device.

A suspicious login attempt is suspicious whether it comes from Windows, Mac, Android, iOS, or even Linux.

Easy Setup

Getting started with LogDog is a simple matter of downloading and running the app. You don't have to create an account. LogDog doesn't save any of your data online.

The program, along with all of its data, remains on your device. To extend LogDog's protection to one of the supported sites, you log in to that site from within LogDog.

This lets LogDog perform an initial scan of the account, and also lets it track when and how that account is used.

The login screen includes a reminder that LogDog doesn't retain your credentials. Hey, this is a privacy tool, so that's reassuring! Each time you add a secure site, LogDog displays a screen that lets you share your experience with friends via LinkedIn, Facebook, Google+, WhatsApp, or email.
If three friends sign up based on your referral, you get a t-shirt; seven referrals earns an entry in a drawing to win a smartphone. At the free level, you can protect exactly one of each account type, which may well be plenty.
If you need more, you can sign up for Accounts+, which costs $1.99 per month or $19.90 per year. That's it. You now go about your usual routine, logging in to accounts as needed, from whatever device and network you normally use. LogDog lies doggo, gradually developing a profile of what's normal.

After a week it ends this learning mode, ready to alert you if it detects any account activity that deviates from the norm.

CardProtector

New since the last time I looked at LogDog, the CardProtector feature aims to alert you if any of your credit cards have shown up for sale on Dark Web commerce sites.

Adding this feature is an in-app purchase of $3.99 per month or $39.90 per year. Interestingly, the app does not ask you to supply any particular credit card numbers.
Its scan is wholly based on your full name and location.

The scan takes place automatically, once per day, or you can launch it manually. When I ran the scan, it reported about 2.2 million stolen card numbers on record, roughly 1.6 million of them in the U.S. None of them were mine, thankfully.

This feature works best if you have an uncommon name, like my own.
If other people in your zip code share your name, you might well encounter false positives.
Sorry, John Smith!

LogDog Alerts

I put LogDog to the test by logging in to my Gmail account using the Tor Browser, which made my login seem to be taking place in Canada. LogDog immediately displayed a notification of suspicious activity. When I tapped for details, it displayed an explanation and offered two simple buttons, one to dismiss the alert because it really was me, and another to continue investigating.
If your own activity really did trigger the alarm, perhaps because you logged in using a friend's computer, you just tap the first button. For testing, I tapped the second button, which brought up another set of choices.
I got a second chance to dismiss the alert as my own activity.
I could choose to ignore this warning but still get an alert if it happened again. Or I could choose to change my Google password from within LogDog.

Easy as pie! Changing your password locks the intruder out, but there's more you should do to protect your privacy.

The LogDog website is absolutely loaded with advice. Right from the main menu, you can access detailed advice for how to deal with a hacked account on Dropbox, Facebook, Gmail, Yahoo, or Twitter.
In each case, the advice page recommends running LogDog's Inbox Detective to clear exposed private data from your email Inbox—more about Inbox Detective shortly.

Each page continues with useful instructions for recovering from a breach on that particular service. But wait! There's more! Paging through the site's blog (called BlogDog), I found posts about recovering from hacked accounts on many other sites.

These include eBay, Snapchat, Pinterest, Tumblr, and more.

And, I'll admit it, I tried the Game of Thrones themed hacking awareness quiz.
I am Drogon!

Inbox Detective

There's always the possibility that hackers will get a chance to rifle through your email before you manage to change the password. You can help protect your privacy by making sure you don't have too-sensitive information lying around exposed in your Inbox.

That's where Inbox Detective comes in. Inbox Detective searches your email inbox for credit card numbers, passwords, social security numbers, bank accounts, and malicious links.
It's somewhat similar to the PII (Personally Identifiable Information) search performed by Identity Finder's Data Discover 7.5, but at a much simpler level.

At present it supports Gmail, Hotmail, and Outlook online.
Support for finding sensitive information on Evernote, Twitter, Dropbox, and Facebook is in the works. A link in LogDog takes you to the Inbox Detective online, but this feature is also available separately, at https://detective.getlogdog.com.

At the time of this writing, the site states that Inbox Detective is free, for a limited time. You log in with your email credentials, which gives the app permission to read and analyze your account.
It scans up to 10,000 recent messages and comes up with a report. For each possibly problematic email, the report offers two buttons. One opens the full message in your webmail client, so you can review and perhaps delete it.

The other automatically notifies the sender about the problem.
In testing, I found that the Open button correctly opened the message from Chrome on Windows, but on the Android tablet it just opened the Gmail Inbox. When I ran it on my personal Gmail account, it gave me a "detective score" of 10 percent, along with a note stating that the average user's score is 85 percent. However, when I dug a bit deeper I determined that my real score should have been better. The app found 12 credit card numbers in my Inbox, or rather, it found 12 numbers that were 16 digits long.
In truth, not one of them was actually a credit card number.

Two of them involved communications from my auto insurance, containing my 16-digit account number.

The rest were reminders from the local library telling me which books would soon be due, with a 16-digit bar code number for each book. The report correctly revealed three passwords sent in plain text via email.

Fortunately they were for accounts from long ago.
It found what it thought were two SSNs, but were actually just my accountant explaining that I should enter the SSN in the format 111-22-3333.

And it warned me about the recently-revealed MySpace breach. I permanently deleted all of the offending messages. Or rather, I tried to.

The report showed one message with no date or subject, and clicking the Open button had no effect.
Still, I managed to reach a score of 95 percent. This is a nice feature, but it could use some fine-tuning.
I'd like to see LogDog run apparent credit card numbers through the available validation algorithms.
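The validation the review asks for is the Luhn mod-10 check that card issuers use; run after a naive digit scan, it drops the insurance account numbers and library barcodes described above while keeping real card-shaped numbers. The following is an added example, not LogDog's or Inbox Detective's code: the four messages are constructed, and 4111 1111 1111 1111 is a widely published test number rather than a real account.

```python
"""Luhn-filtering a naive 16-digit scan, as the review wishes Inbox Detective did.

Added example, not LogDog's code. The messages below are constructed; the
card number 4111 1111 1111 1111 is a well-known published test number.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# that is not glued to further digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed inbox: the three 16-digit false positives the review describes
# (insurance account, library barcodes) plus one genuine-looking card number.
SAMPLE_MESSAGES = {
    "insurance": "Your policy account number is 9876543210987654. Payment due Friday.",
    "library": "Item 1234567890123456 (Hard Times) is due back on 11/30.",
    "receipt": "Charged to card 4111 1111 1111 1111 exp 12/19. Thank you!",
    "accountant": "Please enter the SSN in the format 111-22-3333 on the form.",
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digits above 9 after doubling have 9 subtracted, total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_candidates(text: str):
    """Every 13-19 digit run in text, as (normalized_digits, passes_luhn)."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        found.append((digits, luhn_valid(digits)))
    return found


def scan_inbox(messages: dict) -> dict:
    """Per message: (naive digit-run hits, hits that survive the Luhn check)."""
    report = {}
    for key, body in messages.items():
        hits = find_candidates(body)
        report[key] = (len(hits), sum(1 for _, ok in hits if ok))
    return report


if __name__ == "__main__":
    for key, (naive, luhn) in scan_inbox(SAMPLE_MESSAGES).items():
        print(f"{key:10s} naive={naive} luhn={luhn}")
```

Luhn is a checksum, not proof that a number is a card: a valid-looking number can still be something else, and BIN/issuer tables would be the next filter.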

Also, I'd love to be able to click away erroneously flagged items.

But I'll bet that once these things happen, the service won't be free anymore.

Use for Free, Not for Fee

Anyone who uses one of the six popular sites tracked by LogDog can benefit from installing this free service. You'll know right away of any abnormal account activity, and it's a snap to change a compromised password or dismiss a false alarm.
In addition, the handy Inbox Detective helps you clear out exposed credit card numbers, passwords, and other personal data from your Inbox. I'm not sure I'd pay extra to track two accounts at the same service. Maybe just install the app on a second Android device? And nearly $40 per year to check a database of stolen credit cards seems a little high to me.

But the free app is dandy.
With the presidential nominating conventions looming, the candidates are getting ready to add to the hundreds of millions they've already spent to tell you about themselves -- but only what they want you to know about themselves. Meanwhile, they have also been spending millions of dollars collecting information about you -- and you have no say in what is collected. Which means that, in the era of big data, if you're a potential voter, they know a lot more about you than you know about them. The desire to know what will turn a voter to, or from, a candidate is not new, of course.

Campaigns have been chopping up voters into interest groups for decades -- minorities, gays, blue-collar workers, soccer moms, the religious right, progressives, boomers, NASCAR dads, union members, retirees, the rich, plus a host of occupational groups ranging from health care to law to the food and beverage industry. They have been tracking voting history, political contributions and volunteer history as well. But the information being collected now is much more, as they say, "granular." It includes social media -- everything from "friends" and "likes" on Facebook to YouTube views, LinkedIn profiles, activity on Pinterest, Tumblr, Instagram and Reddit to who a person follows on Twitter, or who they retweet. It includes magazine subscriptions, the types of cars or boats they own, where they shop, charitable contribution history, memberships, where they live, whether they rent or own a dwelling, whether they have a vacation home, permits and licenses, own a gun, and more. All of which is designed to help candidates "micro-target" their message to groups of voters.

They call it better communication, although it has an obvious element of manipulation to it.

"It can be as simple as swapping out a phrase that might have been found to be more appealing to one kind of voter, via focus groups, etc., or more complicated things like changing the visual demographics or traits of people appearing in ads," said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology.

Josef (Joey) Ansorge, New York attorney and author of "Identify & Sort," which includes a focus on the political implications of big data, said the ZIP code is among the most important pieces of information collected because, "where they live, where they work and where they went to school tell us a lot about individuals." When it is correlated with information gathered from contacts, then, "calls or visits inform the campaign how an individual is tending to vote."

This, he said, lets campaigns create "micro" groups of voters, the most important of which is those considered "sway-able." Obviously, that is the group the campaigns will try the hardest to influence.

But such detail about people's lives, preferences and opinions -- even their personal health -- also raises both privacy and security concerns. How many people have access to it? How well is it being protected from online attacks? Will it be discarded after the election is over, or kept indefinitely? Could it be used by those who get elected and want to track those who supported their opponent?

Ansorge has a problem with using big data to send very different messages to different groups. "There is an elemental universalism to democracy that is undermined by these kind of practices," he said, adding that he thinks voters ought to be made aware of how campaigns feed them information based on their profiles.

Andrew Hay, CISO of DataGravity, said he is not overly concerned about the collection of voter data itself, or even the tweaking of the message. "Candidates have a lot of information to remember, and the analysis of data simply helps them match the needs and wants of clusters of voters to a particular message," he said. But he said data security and governance is crucial. "I'm less concerned about the government keeping a 'burn list' of clusters of voters and more concerned with the protection, retention, and destruction of the data collected," he said. "This includes raw data as well as any derived analysis from said data."

That is also the view of Brenda Leong, senior counsel and director of operations at the Future of Privacy Forum. Big data analytics offers "great new ways to engage with voters on the things that really matter to them, which results in more motivated, and hopefully better informed, participants in the electoral process, and likely higher turnouts on election day," she said. But she said "proper handling of the data" is not always easy for campaigns that tend to ramp up quickly from nothing to "multi-million-dollar -- even billion-dollar -- enterprises, made up with large sections of volunteers or temporary staff."

"Every campaign needs to treat security and privacy needs seriously, and have meaningful training for workers. We strongly recommend that every campaign have a chief privacy officer to monitor just these issues," she said.

Ansorge agrees. "These databases have afterlives that are not under the control of the government or the party," he said. "There is always a risk of abuse, by domestic and foreign actors. Here there is a perfect storm of data collected for a specific purpose potentially being abused for another."

Unfortunately, there is ample evidence that it is more than just potential.
Just three weeks ago, MacKeeper security researcher Chris Vickery discovered that a client of the data brokerage firm L2 was hosting a database with 154 million U.S. voter registration records and, "leaking information on a dizzying array of intimate details, including gun ownership, Facebook profiles, address, age, position on gay marriage, ethnicity, email addresses and whether a voter is 'pro-life.'" That wasn't the only case.

Six months earlier, Vickery discovered a "misconfigured" voter database with 191 million voter records -- including his -- that was, "just sitting in the public, waiting to be discovered by anyone who happens to be looking," according to CSO's "Salted Hash" columnist Steve Ragan. Vickery told Ragan he was outraged to see his own record with, "details that could lead anyone straight to me. How could anyone with 191 million such records be so careless?"

Yet another breach, of 56 million records, included 19 million profiles that had not only voting history but also personal information like "Christian values, Bible study, and gun ownership."

Hall said those cases, along with nation-state hacking of campaign information systems, make it obvious that voters should be concerned about the data collection of modern political campaigning. "Campaigns only seem to care about the security of data when they're protecting it from their political rivals," he said. "Voters should be especially concerned because there are zero repercussions for campaigns mistreating or improperly protecting these data.

"The FTC has no jurisdiction over non-profits -- there are serious First Amendment problems with government telling political speakers (campaigns) what to do. And there is zero chance that politicians will pass laws that reduce their capacity to micro-target, even if it means more robust protection of voter data."

Beyond that, political databases are more likely to be hacked because they are shared more than those collected by commercial companies. Leong noted that, "companies routinely promise not to share your data, but campaigns and political advocacy organizations share data as a standard, so reading the disclosures or policies when submitting data is more important than ever.

"If you sign up for a particular cause or issue, that organization is likely telling you that they intend to share that information with 'like-minded' organizations, and you will end up on the mailing list for multiple causes," she said.

Hall agreed. "If you donate to a campaign, one of the first things you see -- and will see periodically after that -- is a 'We'd like to get to know you better!' survey," he said, adding that they will seek information on things like gun ownership and views on abortion, "that the campaign can't easily infer or purchase from other sources." He said even when voters volunteer that information, he is not sure they understand that it is used to get, "highly granular information about the voters for targeting, and in a number of cases this year, to get information about households around a given voter's address that might not be as forthcoming or politically involved, such as, 'Do you know if any of your neighbors are gun owners too?'"

Ansorge said he thinks it would not be too difficult to create laws to limit data collection, especially governing presidential campaigns. "Candidates would self-discipline and would not want to create the potential scandal of their campaign being identified as law-breaking."

He said voters could decide to give more of their personal information to the campaign they support -- "we could think of it as donating your data," he said -- but the choice would be up to them.

Given the detail of the data collected, there is general agreement that there should be regulations on destroying it after a campaign ends. Hay recommended that the U.S. adopt something like the General Data Protection Regulation (GDPR) in the EU, "specifically the Right to Erasure (right to be forgotten) language.

"If, as a citizen, I give consent to my data being collected and used in this manner I should also have the right to request what has been collected and the right to have it erased," he said.

This story, "Big data and elections: The candidates know you better than you know them" was originally published by CSO.