Cambridge Analytica Data Mining on Facebook, supporting Trump Campaign

Cambridge Analytica, a data analytics firm, is under fire for the illegal mining of user data from Facebook profiles between 2014 and 2015. It was revealed to journalists working for the Observer that the company used personal information taken without authorization in early 2014 to build a system that could profile individual US voters. The purpose was to target Facebook users with personalized political ads.

Facebook itself confirmed the harvesting of information on an enormous scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.

Cambridge Analytica itself had contracted another company, Global Science Research (GSR), to obtain user data. Analytica says that once it found out that GSR had not obtained the user data in line with Facebook’s terms of service, it deleted all the information that GSR had provided. The statement went on to say that “No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign.”

Facebook updated this statement on March 17, adding: “The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up for his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

Cambridge Analytica was created in 2013 by American multi-millionaire Robert Mercer, one of Trump’s main supporters. It is claimed that, under the pretext of using the database for academic purposes and through Russian-American psychologist Aleksandr Kogan, the company obtained permission to ask for user data through an application that claimed to be a personality test. Kogan sharing this information with Cambridge Analytica was a violation of Facebook’s terms of service, resulting in Cambridge Analytica being suspended from using Facebook’s API.

The PRI here in Mexico was about to get into some trouble: with Meade’s political campaign already dwindling, his campaign was about to hire Cambridge Analytica’s services a few months ago, but no deal was made due to the lack of an economic agreement. This came after Cambridge Analytica set up its offices in Mexico City in 2016. With all the recent talk about Russian interference in the US elections, it is not crazy to think that, given the ties Cambridge Analytica has to Russian-American Kogan, there could be and there will likely be attempts at interfering with campaigns and results here in the July presidential elections.

Website certification – How safe is it?

If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. There are two elements that indicate that a site uses encryption:

  • a closed padlock, which, depending on your browser, may be located in the status bar at the bottom of your browser window or at the top of the browser window between the address and search fields
  • a URL that begins with “https:” rather than “http:”

By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything.

If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:

  1. The web site address matches the address on the certificate
  2. The certificate is signed by a Certificate Authority that the browser recognizes as a “trusted” authority

Can you trust a certificate?

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate’s unique fingerprint by calling the organization directly, there is no way to be absolutely sure.

How to see a certificate’s information?

Usually next to the website’s URL you can see a ‘Secure’ logo. On Google Chrome, clicking it will allow you to check that the certificate is valid, although most web browsers nowadays will warn you if a website has no certificate before you go in.

Clicking on ‘Valid’ will show you further information about the certificate, the certification authority and the validity of the certificate.

  • Who issued the certificate – You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
  • Who the certificate is issued to – The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
  • Expiration date – Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.
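
The same checks can be scripted. The following is an added example, not part of the original post, using Python’s standard `ssl` module; the function names, the sample host `shop.example.com` and the `SAMPLE` record are constructed for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

def fetch_cert(host, port=443):
    # The default context uses the system trust store; the handshake fails
    # if the name does not match or the issuer is not a trusted CA.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def fingerprint(der_bytes):
    # SHA-256 fingerprint, to compare with one obtained from the organization.
    return hashlib.sha256(der_bytes).hexdigest()

def when(text):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def name_matches(pattern, host):
    p, h = pattern.lower().split("."), host.lower().split(".")
    # A wildcard is honoured only as the whole left-most label.
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def review_cert(cert, host, now=None):
    # cert is a dict shaped like the output of getpeercert().
    now = now or datetime.now(timezone.utc)
    findings = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        findings.append("name mismatch")
    start, end = when(cert["notBefore"]), when(cert["notAfter"])
    if now < start:
        findings.append("not yet valid")
    if now > end:
        findings.append("expired")
    if end - start > timedelta(days=2 * 366):
        findings.append("valid for longer than two years")
    return findings

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE = {
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2018 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}
```

For a live site, pass the first value returned by `fetch_cert(host)` to `review_cert` and the second to `fingerprint`.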

Mirai – IoT Botnet Malware

Mirai (Japanese for “the future”, 未来) is a malware that turns networked devices running Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.

First let’s define some terms:

Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of harmful or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is defined by its malicious intent, acting against the requirements of the computer user — and so does not include software that causes unintentional harm due to some deficiency.

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, and send spam, and they allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word “botnet” is a combination of the words “robot” and “network”.

Mirai was first discovered in 2016 by MalwareMustDie, a white hat security research group. According to leaked chat logs of the creator, ‘Anna-senpai’, the malware is named after the anime series ‘Mirai Nikki’ (Future Diary in English). The malware’s source code is published in a GitHub repository. The malware is written in C for the agent infecting each device and in Go for the master controller of all the devices.

This botnet malware was used to attack Brian Krebs’s website, Krebs on Security, with traffic to the site reaching 620 Gbit/s; there were also reports of attacks on French web services providers reaching 1 Tbit/s of traffic to their website. Other attacks include the one on the DNS services of DNS service provider Dyn, carried out using Mirai malware installed on a large number of IoT devices, which resulted in the inaccessibility of several high-profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others.

Mirai was later revealed to have been used during the DDoS attacks against Rutgers University from 2014 to 2016, which left faculty and students unable to access the outside Internet on-campus for several days at a time; additionally, a failure of the Central Authentication Service caused course registration and other services to be unavailable during critical times in the academic semester. The university reportedly spent $300,000 in consultation and increased the cyber-security budget of the university by $1 million in response to these attacks. The university cited the attacks among its reasons for the increase in tuition and fees for the 2015-2016 school year.

On January 17, 2017, previously mentioned computer security journalist Brian Krebs posted an article on his blog, Krebs on Security, where he disclosed the name of the person who he believed to have written the malware. Krebs stated that the likely real-life identity of Anna-senpai, the author of Mirai, was actually Paras Jha. Jha is the owner of a DDoS mitigation service company, ProTraf Solutions, and a student of Rutgers University. In an update to the original article, Paras Jha responded to Krebs and denied having written Mirai. The FBI was reported to have questioned Jha on his involvement in the October 2016 Dyn cyberattack. On December 13, 2017, three men including Paras Jha entered a guilty plea to crimes related to the Mirai botnet.

Government and Business Ethics on Personal Devices Security

 

In the not too distant past, employees had no choice but to work at a company’s office or on a company laptop or phone.  As mobile electronic devices (tablets and smartphones, for example) became both more accessible and affordable, this changed.  Now employees can work virtually anywhere and it’s becoming more and more common for them to use devices for both personal and work purposes.

Many individuals own multiple mobile devices.  One person may own a smartphone, tablet, and laptop computer.  An employer may also offer employees one or more company-owned devices. For some, it’s both inconvenient and less productive to carry company-issued and personal devices.  Others may prefer a specific technology or brand, or simply be annoyed by having to carry multiple devices.

Employers will assume legal, security, reputational, and other business-related risks when their employees use a device for both personal and work-related purposes. This is largely because employers lose control when employees use their own devices and networks to store and transmit company data.  The same is true when employees use company-owned devices for personal purposes.

There is also the issue with the government having access to our data. With the cases of the NSA Mass Surveillance program PRISM coming to light, we have to ask ourselves how much privacy we actually have, because the way the NSA obtained all this information was by DEMANDING that Internet Service Providers, Cellphone Carriers and many big tech companies submit their user data to the NSA.

There is also the recent case of the San Bernardino mass shooting in 2015, where the FBI asked Apple for access to the iPhone of one of the shooters, essentially requesting that they create a backdoor that would let the FBI have access to the device. Apple opposed and denied the request, a smart move by them, because allowing it would have set a precedent for the use of this backdoor in other cases, violating the privacy of those involved in a crime; even felons have rights. “Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation,” wrote Tim Cook, CEO of Apple.

We really should be grateful to Apple for sticking to their principles, because even though they collect user data, they always keep it anonymous and have never given any organization direct access to their users’ information and devices.