allheart55 Cindy E

I shop online all of the time and never use a VPN. I do, however, only use ONE particular computer for all online purchases and for banking. As long as you have good layered security and are careful with your passwords, you should be good. My husband uses a VPN to connect from his laptop at home to his work computer.

Facebook hit back at press reports this week that highlighted a deep network of privileged data-sharing partnerships between the social media company and other large organisations. The bi-lateral relationships saw companies including Amazon, Netflix, Microsoft and Spotify exchange user data that helped both them and Facebook extend their reach by learning more about their users, often without those users being aware. They also extended to businesses in other sectors ranging from finance to the auto industry. The New York Times explained that there were over 150 of these partnerships, so many that the social network giant needed a technology tool to keep track. Some of the deals raised privacy concerns due to the private information that they exchanged, the paper said. Information flowed both ways. Not only could partners see data including the contact details of peoples’ friends and some private messages, but Facebook also received data about individuals from those companies: Among the revelations was that Facebook obtained data from multiple partners for a controversial friend-suggestion tool called “People You May Know.” The story sheds new light on a pattern of relationships that Facebook had already announced in 2010 at its F8 conference. Called instant personalization, it shared Facebook user information with other websites to help them personalize a person’s experience when they visited. The company closed down the instant personalization feature, which shared public data, but the New York Times story is one of several that documented links between Facebook and some companies that existed beyond that point. In some cases, those relationships persisted until this year. In June, Reuters revealed data sharing partnerships between Facebook and four companies including Huawei, which the US government has labelled a security risk. In its blog post responding to the news report, Facebook argued that it wasn’t giving away any information that it wasn’t entitled to share: To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC. The consent decree stemmed from a 2011 FTC case against Facebook that accused it of sharing information that people had thought was private. The settlement required Facebook’s provision of… …clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established. According to the Times, Facebook executives deem these partnerships exempt from the settlement. It views those companies as service providers and therefore an extension of the social network, it said. However, the Times also quoted former FTC officials that disputed that notion and believed that the company may have violated the agreement. Instant personalization was reportedly switched on by default in 2010, meaning that users had to explicitly opt out by navigating the company’s privacy settings. Facebook also explained what it was doing in relatively vague terms in its data policy. In January 2013, after it had reached its consent decree with the FTC, the policy said: We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you use. It updated its policy in April, coinciding with a decision to restrict developer access to its APIs. The policy now clarifies the definitions of companies that it shares data with, along with the data that it shares. It also says that it is taking further steps to tighten up third-party access to user data. In another blog post yesterday, Facebook took issue with another assertion, that companies had been able to read users’ private messages without their knowledge. Not so, it said. It gave four partners – Spotify, Netflix, Dropbox and the Royal Bank of Canada – read/write access to peoples’ messages, sure, but only so they could use Facebook Messenger to tell people what Spotify tracks they were listening to, what they were watching on Netflix, send links to Dropbox folders, or acknowledge money transfers. It said: These experiences were publicly discussed. And they were clear to users and only available when people logged into these services with Facebook. In spite of its assertions that it didn’t violate any legal agreements or user rights, Facebook did offer a mea culpa in its first blog post: Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them. It added: We shouldn’t have left the APIs in place after we shut down instant personalization. All of which is to say that Facebook has a long journey ahead if it hopes to win back the trust of many users. Source:

Oh, those incorrigible password abusers. After all these years of being shamed (if they cared or were paying attention), they’re still using “123456” as a password. This year, according to SplashData’s annual worst password list, that stale cracker came in at No. 1. Again. “password” was the No. 2 dust bunny to roll out from under the bed. Again. “Donald” made it onto this year’s list, at No. 23, as either a feeble nod to POTUS No. 45 or to the Disney duck. Or both. This is what we always say: For shame. Unleash the cybersecurity Harpies, we say; let fly the mocking winged monkeys, etc. etc., yadda yadda yadda. The security industry, and the media that covers it, keeps trying to get across the message that simple passwords like that are too easy to guess: we’re talking about fractions of microseconds for a brute-force attack. And so, every year around listicle time, we suggest the fix of password composition policies. Those are sets of rules such as “your password should be at least eight characters long and contain at least one uppercase letter, one number and one special character”. They’re popular because the rules are easy to check, and they increase the entropy of your password (which can be important, but it’s not the same thing as password strength). Well, the shtick is getting old. As we’ve said before, composition rules are annoying (to everyone, even to people choosing really strong passwords); they measure something that isn’t password strength; and they restrict the pool of possible passwords (the “password space”), which just makes it all the easier for password crackers. More to the point, while it’s true that, as SplashData CEO Morgan Slain says, “using your name or any common name as a password is a dangerous decision,” blaming the user clearly isn’t working. If it were, the same passwords wouldn’t keep showing up, year after year. For this year’s list, SplashData says it evaluated more than five million leaked passwords. But it shouldn’t be surprising that the enormous cache contained so many celebrity names, terms from pop culture and sports, and simple keyboard patterns. They’re easy to remember. Of course people are going to use them… …if websites and services keep allowing them to be used. How about websites stop allowing 123456?! There is another option. It’s not going to relieve our carpal tunnel, because it still involves finger-wagging. The option is for websites and services to simply stop users from choosing a password that’s on the list of the worst passwords. Or, say, disallow creating any of the 10,000 worst passwords. The lists of worst passwords are brought to us courtesy of all the websites and services that accept feeble passwords. Disallow it, and you’ll never contribute to a list like this again. Were your website/service to use zxcvbn – a password strength meter made by Dropbox (also used by WordPress and available to us all, for free) that actually tries to measure password strength – your users would have been warned if they’d chosen one of those terrible passwords. Then again, if your website/service makes two-factor authentication (2FA) mandatory, then users would have been well-protected even if they’d chosen one of the awful passwords. If your website/service uses rate limiting, then even the weakest password gets a serious upgrade. Limiting the number of times a user can try a wrong password means that attacks take a long time. Attackers have to be far more circumspect about how many guesses they make: just ask the FBI about how inconvenient, or impossible, it can make the task of forcing your way in past an unknown login. None of this means that users are off the hook when it comes to picking a strong password, though. There’s no way to know that their passwords are being securely stored, and they have no control over the measures that sites use to defeat online guessing – aside from adopting 2FA whenever it’s available. This all means that the onus is still on users to make sure that every password they choose is unique and strong enough to withstand an offline guessing attack. And it means that yes, websites still have to promote a password composition rule: make each password a random collection of at least 14 letters, numbers and special characters. And users, if you can’t remember all of your passwords – and how many of us can? – you can always rely on a password manager to keep them safe. Source: Sophos