Facebook Users Still Don’t Know How Facebook Works

Pew researchers called up almost a thousand Americans and asked them if they knew about the list of “traits and interests” that Facebook keeps for almost all active users. The company provides users easy access to it – you can see your own list here – yet 74 percent of respondents to the survey said they did not know about the list’s existence.

Furthermore, 51 percent of those surveyed said they were “not comfortable with Facebook compiling this information.”

Facebook Didn’t Sell Your Data; It Gave It Away

More accurately, they shared your personal data with Amazon, Netflix, Spotify, Microsoft, and other companies in exchange for even more data about you.

The New York Times has once again gotten its hands on a cache of documents from inside Facebook, this time detailing data-sharing arrangements between the company and other corporations, which had “more intrusive access to users’ personal data than [Facebook] has disclosed” for most of the past decade, the article revealed.

Face your GDPR fears with this enlightening infographic

GDPR is a bit of an annoyance if you’re an ordinary individual, but it’ll at least mean more control over the data that companies hold on you. If you’re running a business, though, even if it’s just a small operation, you need to be GDPR-compliant.

So if you want to sleep better tonight, you’ll need some easy-to-digest information about GDPR and what you need to do about it. Thankfully the European Commission has produced an excellent infographic that covers everything you need to know, and Creative Bloq has added some helpful thoughts too.

Twitter admits to password storage blunder – change your password now!

Today Twitter admitted that the company had made a serious security blunder: it had been storing unencrypted copies of passwords.

Twitter claims that it has now “fixed the bug” and that its investigation “shows no indication of breach or misuse by anyone”.

Twitter therefore suggests merely that you “consider changing your password”.

Please do change your password(s) as soon as possible. There is no information about how long passwords have been out there in plain text or whether hackers managed to harvest any of them.

With 4 months to switch on HTTPS, are web hosting companies ready?

Like it or not, if your website isn’t using HTTPS (the encrypted version of the web’s HTTP protocol) by July then you’re likely to lose traffic.

That’s because in July 2018 Google Chrome, the world’s most popular browser, will start warning users that web pages served over HTTP are not secure (they aren’t).

This isn’t an empty threat: Chrome has been turning the screw on HTTP for a number of years, and Google Search already gives sites with HTTPS a boost in its search rankings. You should expect other browsers to follow Chrome’s lead.

As Mark Stockley explains, if you’re buying web hosting you’re going to want HTTPS.

Cloudflare now offers unmetered DDoS attack mitigation

Cloudflare turns seven this week and it wants to give your network a present. Should your website come under Distributed Denial of Service (DDoS) attack, it will never charge you additional fees, or (and this is important) kick you off the network.

Cloudflare CEO Matthew Prince has pledged unmetered DDoS mitigation, regardless of the size of the attack and no matter what level of service you have from the free tier all the way up to the enterprise level.

This is wonderful news for small business owners. Take advantage of it if you haven’t done so yet.

Next steps toward more connection security

Google has sent out a warning that HTTP sites that contain forms and other input fields will be marked “Not secure” starting this October.

The search giant gave notice of this a few months ago but has now taken the next step of formally notifying those who will be affected by the upcoming change.

The notification states: “Beginning in October 2017, Chrome will show the ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”

The original Google Chrome post can be found here: https://blog.chromium.org/2017/04/next-steps-toward-more-connection.html

Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

There is a phishing attack that is receiving much attention today in the security community.

A phishing attack happens when an attacker sends you an email with a link to a malicious website. You click the link because it appears trustworthy; the site may then infect your computer, or you may be tricked into signing in to the malicious site with your credentials for the real website. The attacker then has access to your username, password and any other sensitive information you may inadvertently provide.

This particular phishing attack uses maliciously registered domains that look identical to real domains in your browser’s location bar, because characters from other alphabets are drawn the same way as Latin letters.

WordFence, the company behind one of the best WordPress security plugins, set up a test case to demonstrate how this attack works, in case you are interested in the technicalities. The most important thing for Chrome and Firefox users, though, is staying safe, and the easiest check to do when you are about to log into a website you trust is this.

Copy the URL from the location bar and paste it into any program on your device that allows pasting as plain text.

A fake domain will appear starting with https://xn--, the ASCII (Punycode) form of an internationalized domain name. A real website’s URL will look exactly as it does in your browser’s location bar.

In Chrome, you can even copy the domain and paste it right back into the location bar and the fake website’s domain will reveal itself.
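The check described above can be automated for a list of bookmarked or logged URLs. The following Python script is an added example, not WordFence’s test case or code from the original article: it extracts the host from a URL, flags any label carrying the xn-- prefix, decodes it with Python’s built-in idna codec to show what the browser would draw, reports labels that mix alphabets, and compares a folded “skeleton” of the host against a trusted list. The look-alike domain and the small confusables table are constructed for this example (the table is a hand-picked subset, not the full Unicode confusables data), and the trusted-host set is an assumption.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Cyrillic letters whose glyphs look like Latin ones.
# Not the full Unicode confusables list; just enough to show the folding step.
CONFUSABLE_TO_ASCII = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Assumed trusted list; a real deployment would use the sites you actually log in to.
TRUSTED_HOSTS = {"example.com", "login.example.com"}


def hostname_of(url: str) -> str:
    """Return the lowercase host of a URL, without port or userinfo."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def is_punycode_host(host: str) -> bool:
    """True if any DNS label starts with the IDNA 'xn--' prefix."""
    return any(label.startswith("xn--") for label in host.split("."))


def reveal_host(host: str) -> str:
    """Decode Punycode labels to the Unicode characters the browser displays."""
    return host.encode("ascii").decode("idna")


def to_wire_form(unicode_host: str) -> str:
    """Encode a Unicode host name into the ASCII form that goes on the wire."""
    return unicode_host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label (first word of each character's name)."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def skeleton(host: str) -> str:
    """Fold known look-alike letters to ASCII so visual twins compare equal."""
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in host)


def assess_url(url: str, trusted=TRUSTED_HOSTS) -> dict:
    """Summarize why a URL's host may not be the site it appears to be."""
    host = hostname_of(url)
    punycode = is_punycode_host(host)
    displayed = reveal_host(host) if punycode else host
    mixed = [lbl for lbl in displayed.split(".") if len(scripts_in(lbl)) > 1]
    folded = skeleton(displayed)
    impersonates = folded if (folded != displayed and folded in trusted) else None
    return {
        "host": host,                 # what the wire/location bar actually carries
        "displayed_as": displayed,    # what the browser draws
        "punycode": punycode,
        "mixed_script_labels": mixed,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    # Constructed look-alike: Cyrillic IE (U+0435) in place of Latin 'e'.
    fake = to_wire_form("\u0435xample.com")
    for url in (f"https://{fake}/login", "https://example.com/login"):
        print(url, "->", assess_url(url))
```

Pasting such a URL as plain text shows the xn-- form immediately, which is the manual check the article recommends; the script adds the decode-and-compare step so the same check can run over many URLs at once.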

Facebook explains when and why it peeps at your account

VentureBeat reached out to Facebook to find out when, exactly, employees can access a user’s account without entering that user’s login credentials.

A Facebook spokesperson sent this answer:

We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner’s Office as part of their audit of our practices.

Access is tiered and limited by job function, and designated employees may only access the amount of information that’s necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.

We have a zero tolerance approach to abuse, and improper behavior results in termination.