Facebook Compromises Two-Factor Authentication

They say they want your phone number to enhance your security.
Then they sell it to advertisers.

Two-factor authentication is hardly a phrase to set your pulse racing, but it’s the latest craze in the tech world. It even has its own TLA (that’s Three-Letter Acronym, for all you non-geeks), namely “2FA”.

Passwords don’t work because most people are idiots. Wikipedia even lists the most common passwords year by year. It shows the passwords “password” and “123456” have vied for the top slot for the last seven years running. If your password happens to be on the 2017 list, I refer you to the start of this paragraph …

Passwords are essentially “1FA” – one-factor authentication – which is to say, something only you know (hopefully). The three “FA” levels are often put like this:

  • Something you know: like a password.
  • Something you own: like an access card or a mobile phone number.
  • Something unique to you: like a fingerprint or a retina scan.

Obviously, two factors are better than one. If your Gmail password is stolen for example, how do you prove it to Google? Clicking the Send Me a Password Reset link is pointless as they’ll just email the link to the account you can no longer access. But if your 2FA is a mobile phone number, they can send you a reset code that you can enter online and take back control of your account.

(Yes, your mobile phone number really is unique since it’s prefixed by a country code.)

There are other uses for 2FA too. I sincerely hope your bank uses it before granting you online access to your accounts. The most common “second factors” here are Entrust’s Datacard and Vasco’s Digipass.

A Datacard (not mine) and a Digipass (not mine either).

So all in all, 2FA is a Good Thing.

Except …

It now appears that Facebook are taking your second-factor ID (your mobile phone number) and adding it to the bundle of personal information they sell to advertisers. According to this report from the Electronic Frontier Foundation, the number you give to Facebook for security purposes “can become fair game for advertisers within weeks”.

It’s important to stress that this is NOT a problem with two-factor authentication.

[T]his is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.

Yep, Facebook. Again. A few days after the EFF piece, Zuckerbergia admitted to a programming bug that delivered 50–90 million users’ accounts into the hands of hackers. According to their VP of Global Marketing Solutions (whatever the hell that is), Facebook were hacked by:

an “odourless, weightless intruder” … which Facebook could only detect “once they made a certain move.”

“Odourless” and “weightless” certainly wouldn’t describe any of the hackers I’ve ever met, and I’m really curious about what that “certain move” might be. Perhaps it’s one of these:

(Incidentally, did you know Michael Jackson actually patented a pair of shoes used in his famous anti-gravity lean? No, really. He did!)

With those shoes, I could do that too.

WTF …? Somehow we’ve gone from two-factor authentication to dance shoes. Whatever. The executive summary is: 2FA, good. Facebook, bad. But you probably knew that last bit already.

Freeing up space on a Raspberry Pi

Partway through a big compile, the process died with “No space left on device”. Aaarrgh! What to do?

The Pi had an 8GB card, and a check with df -h showed this:

Filesystem      Size  Used Avail Use% Mounted on
/dev/root       7.2G  6.8G   34M 100% /

So that’s me stuffed. Or is it?

Option 1

Use a bigger memory card; 16GB, 32GB … Yeah, great. I’m 30% through a compile based on a complicated setup using lots of downloads and additions. Either I’d have to start again from square one or image the existing card and copy it onto the new one. Helluva hassle. Besides, first I’d have to go out and buy a new card. Not an option.

Option 2

Install Raspbian Lite. It’s Raspbian without all the extras.

This is what I should have done at the outset. Hindsight’s a great thing, but I’d still be faced with starting from square one. What else?

Option 3

Expand the filesystem. Run the command sudo raspi-config. You’ll get this:

Select Advanced Options:

Choose Expand Filesystem. After a reboot you’ll hopefully have more space. But not in my case. So that left …


Option 4

Delete unneeded programs.

The beauty of Linux is it’s easy to reinstall stuff later, so I tried deleting things I didn’t need and charting my progress. Here are the results.



sudo apt-get purge wolfram-engine
677M recovered
sudo apt-get purge libreoffice*
250M recovered
sudo apt-get purge minecraft-pi*
5M recovered
sudo apt-get purge sonic-pi*
134M recovered

I finished up with:

sudo apt-get clean
sudo apt-get autoremove

which freed up another 100M+. Then I re-ran df -h:

Filesystem      Size  Used Avail Use% Mounted on
/dev/root       7.2G  5.6G  1.3G  82% /

That’s 1.3GB freed up. Almost 20% of my 8GB card. Result!

Now back to that compile …
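Here’s an added script (my own, not from the original post) that automates the purge-and-measure loop above: it reads the root filesystem’s free space before and after each purge and reports what each package gave back, then finishes with autoremove and clean. The package names are the ones purged above; parse_size also understands df -h figures like 34M and 1.3G so you can compare two readings by hand.

```shell
#!/bin/sh
# Added example, not the original post's code: purge packages one at a
# time and report how much space each one returns.

# Convert a df -h style size such as 34M or 1.3G into whole kilobytes.
parse_size() {
    awk -v s="$1" 'BEGIN {
        unit = substr(s, length(s), 1); n = substr(s, 1, length(s) - 1)
        if (unit == "K")      mult = 1
        else if (unit == "M") mult = 1024
        else if (unit == "G") mult = 1024 * 1024
        else if (unit == "T") mult = 1024 * 1024 * 1024
        else { n = s; mult = 1 }            # bare number: already in KB
        printf "%d\n", n * mult
    }'
}

# Megabytes recovered between two df -h "Avail" readings, e.g. 34M and 1.3G.
recovered_mb() {
    before_kb=$(parse_size "$1"); after_kb=$(parse_size "$2")
    echo $(( (after_kb - before_kb) / 1024 ))
}

# Free space on / in KB, straight from df (column 4 of the second line).
root_free_kb() {
    df -k / | awk 'NR == 2 { print $4 }'
}

# Purge each listed package if it is installed and print what it freed.
purge_and_report() {
    for pkg in "$@"; do
        if ! dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null \
                | grep -q 'install ok installed'; then
            echo "$pkg: not installed, skipping"; continue
        fi
        before=$(root_free_kb)
        sudo apt-get -y purge "$pkg" >/dev/null
        after=$(root_free_kb)
        echo "$pkg: $(( (after - before) / 1024 ))M recovered"
    done
    sudo apt-get -y autoremove >/dev/null   # drop orphaned dependencies
    sudo apt-get clean                      # empty the .deb cache
    echo "free on / now: $(( $(root_free_kb) / 1024 ))M"
}

# Only touch the system when asked to, so the file can also be sourced.
if [ "$1" = "--run" ]; then
    purge_and_report wolfram-engine libreoffice sonic-pi minecraft-pi
fi
```

Run it as sh purge-report.sh --run; the numbers it prints are the same kind you get from df -h before and after each purge.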


Beware: Ransomware!

Hackers demanded US$3.6 million to unlock the hospital’s files

In February 2016, a staff member at the Hollywood Presbyterian Medical Centre (HPMC) in Los Angeles opened an invoice in an emailed Word document and accidentally activated Locky, a nasty piece of ransomware that spread rapidly across the hospital’s systems, encrypting files as it went. Within hours, doctors were unable to access patients’ records or share x-rays, scans or medical test results. Admin staff had to resort to pen and paper to do admissions. According to some reports, the hackers initially demanded US$3.6 million to unlock the hospital’s files. In the end, HPMC paid US$17,000 in untraceable bitcoins, and ten days after that fateful click their systems were back online.

A decade ago, computer viruses were system-crashing, file-deleting monsters that threatened to trash your PC. They don’t get much press these days, but they’re still around, working quietly in the background, encrypting files, stealing signons, or linking to botnets to send out spam and further propagate themselves. Within a fortnight of the HPMC attack, Symantec had deleted more than five million emails containing Locky, and at its peak it was reckoned to be infecting five thousand machines an hour in Germany alone.

Once defence forces mustered, the attacks declined, then resurfaced briefly in August and November as new vectors were discovered: JavaScript attachments on bogus emails and code hidden in downloadable image files on Facebook and LinkedIn.

Viruses hidden in Word macros are one of the oldest tricks in the book, dating all the way back to the notorious “I Love You” virus that infected one-tenth of all internet-connected computers in the year 2000. But there are plenty of other ways you can be caught out.


A special note about Windows XP

I’ll say this as quietly as I can: Aaaarrgghh!

If you still have a machine running Windows XP, disconnect it from the internet immediately and make plans to replace it, today! Support for XP ran out in April 2014 (extended from its original planned phase-out in 2009) and the operating system is remotely exploitable via numerous security holes discovered in the last three years, none of which have been patched. Despite this, a mid-2016 survey found that around 7% of all desktops were still running XP.


Phishing, like its sporty-sounding equivalent, involves throwing out a baited line in the hope that an unwary victim will snap at it. The lure in this case is an email, typically from your bank, warning of a security problem and asking you to click a link to confirm your details. That link will take you to a perfect copy of your bank’s web site where you attempt to sign in – and fail. (It is a fake site, after all.) You’ll be prompted to try again, and this time be redirected to the bank’s genuine site where your second attempt will succeed. Most people will blame the initial failure on a typing error, not realising they’ve just given away their login details to hackers.

There are three main types of phishing. Spear phishing uses personal information to improve an email’s apparent legitimacy. (Social media’s a great source of information.) Clone phishing updates a previously sent legitimate message with new links, while whaling is targeted at businesses and senior executives, typically taking the form of a legal document or a customer complaint.


All phishing is a numbers game. Send out a million emails, and even if only 0.01% of people click your link, you’ve got a hundred hits. It also takes a huge variety of forms. You may have won a lottery you never entered, inherited money from a relative you didn’t know you had, be offered an incredible investment opportunity or asked to help “liberate” funds from a third-world country in exchange for a percentage. It may be an invoice, a tax refund, or – in a local variant of Locky that surfaced here last September – a message from CourierPost about re-delivering a package. There are scams involving tech support, employment offers, visas to work in other countries, cheap holidays or tickets to major events. They’re all after one of two things: money up front and/or personal information such as bank account and credit card details or usernames and passwords.

Sometimes it’s hard to see where the catch is. Clever scammers may string you along for weeks or even months, establishing trust before asking for assistance in the form of a bank transfer. Online dating scams work this way. Suddenly your new friend is robbed, or stuck in a foreign country. Please help!

How to protect yourself

If the possibilities seem daunting, prevention is a matter of caution and common sense.

  • If the concept of computer security leaves you cold (or even just lukewarm) get professional advice! Threats change on a daily basis – sometimes hourly – and every site uses different hardware and has a different risk profile. You may need a firewall, better antivirus software, or that old router may require an update. Security isn’t something you set and forget. It’s more like a pet: it needs regular attention.

  • Treat any and every email with suspicion – especially if it contains attachments or convenient links to fix a problem you didn’t know you had. One quick way to check a link is to hold your cursor over it and look at the address that pops up. A second way is to look for the green padlock in your browser. All banks and financial institutions use certificates that verify they are who they claim to be. Hackers don’t. A trusted connection will look like this:

  • Keep your software up to date. Windows is way more secure than it used to be (even without antivirus software) and OS X remains streets ahead. And don’t forget third-party browsers. Firefox and Chrome blacklist hazardous add-ons and warn users of the latest suspect sites and potential phishing attacks, but can only do so if they’re up to date.

  • Do backups. Regularly. You don’t need to back up the whole machine, only the stuff you can’t buy, like personal documents and photos. And it needn’t be an onerous process. Once set up, even a huge backup will usually only take a few seconds because the software will only back up the files that have changed.

  • Keep an off-site backup. If your house burns down, that backup in the top drawer of your desk will probably go with it. Off-site could be a shed at the bottom of the garden, your desk at work or “in the cloud” via Dropbox, Google Drive or OneDrive.
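As an added example (not part of the article), here is a small Python script that performs the two link checks above automatically on an HTML email: it compares the host named in a link’s visible text with the host the href actually points to, and flags links that aren’t https. The sample email and the .example hostnames are constructed for this example.

```python
"""Added example, not from the article: flag links in an HTML email whose
visible text names one site while the real href goes somewhere else, which
is what hovering over the link reveals by hand."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or bare domain, lower-cased, leading www. dropped."""
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """Visible text that reads as an address (no spaces, has a dot)."""
    return bool(text) and " " not in text and "." in text


def suspicious_links(html):
    """Return (visible_text, href, reasons) for each link failing a check."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons, target = [], host_of(href)
        if looks_like_url(text) and host_of(text) != target:
            reasons.append(f"text says {host_of(text)} but link goes to {target}")
        if urlparse(href).scheme != "https":
            reasons.append("not an https link (no padlock)")
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


# Constructed sample: one disguised link, one honest one.
SAMPLE_EMAIL = """<p>Dear customer, please visit <a href="http://mybank-secure-login.example/verify">https://www.mybank.example/login</a> to confirm your details.</p>
<p>Or read our <a href="https://www.mybank.example/help">help page</a>.</p>"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```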


What to do if you’re hit by ransomware

If you receive a message saying your files have been encrypted and that you can only recover them by paying a fee – typically US$200-400 – switch off immediately and call your IT support person. Encrypting files takes a while so you may have only lost a handful. And anyway, you’ve got backups, right?

A new, even more cunning variation is simply a message saying that your files have been encrypted when they haven’t even been touched. Some people panic and pay up anyway.


Business Considerations

For businesses – small or large – all of the above applies to each and every one of your users, and there are some extra considerations too. By far the biggest threat comes, not from without, but from within: disgruntled employees. In over a thousand incidents documented by the Computer Emergency Response Team in the States, employees were found to have deliberately deleted data, blocked access to it, or copied, modified or disclosed it to third parties. In one case, a former employee continued to wreak havoc four months after he was dismissed because his access to the company’s systems hadn’t been revoked.

Add to this accidents, careless or uninformed staff and the Bring Your Own Device hazard – where unpatched or vulnerable personal devices like laptops, phones, tablets and USB drives may be connected to your network – and you’re probably already starting to get a headache.

Identify and manage your “privileged data”

The only reasonable way to manage all this is to have a security policy. Think of it as health and safety for your data. What can and can’t be connected to your system? Who’s the go-to person for problems or questions? What’s allowed and not allowed? (Playing games? Probably not. What about social media …?) Above all, you need to identify and manage what’s known as “privileged data” – the stuff critical to your business – and control who has access to what parts of it. Individual signons are better than global ones. If Joe in Accounts quits tomorrow, you need to be able to shut off his access right away. What’s more, individual signons can be logged, providing details of who did what and when.

Some other considerations:

  • Do backups, do backups, do backups! And keep a set off site.

  • Test your backups regularly. Are you really saving everything you’d need in the event of a disaster?

  • Restrict access to critical hardware. Keep the server room locked or put routers, servers and backup drives in a lockable cabinet.

  • Don’t forget hardware updates. Though less frequent, routers, servers and disc stations also fall foul of security bugs so it’s important to keep them up to date too.

  • Consider taking out cyber-insurance. (See below.)

The HPMC ransomware attack highlighted two key failures: the hospital had no real security policy and they had insufficient backups. The latter alone would have mitigated the attack. Instead of being down for days and having to pay a ransom to recover their data, they could have been back up within hours. Make sure you don’t get caught out!


The insurance option

Data is critical to modern businesses, perhaps even more so than your premises or equipment, so why not consider insuring it too?

Cyber-insurance can cover you for the obvious things like business interruption, third-party liabilities, theft and the cost of restoring data after an attack, and the better policies also cover less obvious things like legal expenses, data forensic costs and even provide assistance with public relations to manage the muddle.


This article first appeared in the Autumn 2017 issue of On MAS, the magazine
for members of the Medical Assurance Society.
© Geoff Palmer 2017

Watch out for this sneaky domain name con!


If you own a domain name – something like www.yourdomain.com – your registrant details are a matter of public record, which is where this sneaky con comes in.

Nearing the time you’re next due to renew your domain registration (also a matter of public record), you may receive an email like this:

From:    Your Website
Subject: Domain Notification: YOUR NAME This is your Final Notice of Domain Listing – YOURDOMAIN.COM
Attention: Important Notice , DOMAIN SERVICE NOTICE
Call: 1-716-805-3253
Domain Owner YOUR NAME
Requested Reply Before
April 18,2017
Attn: Domain Owner YOUR NAME

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration.This letter is to inform you that it's time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission.

You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: WWW.YOURDOMAIN.COM will expire on April 18, 2017 Act today!

[ ] 1 year 04/18/2017 - 04/18/2018 $75.00
[ ] 2 year 04/18/2017 - 04/18/2019 $119.00
[ ] 5 year 04/18/2017 - 04/18/2022 $199.00
[ ] 10 year -Most Recommended- 04/18/2017 - 04/18/2027 $295.00
[ ] Lifetime (NEW!) Limited time offer - Best value! Lifetime $499.00

Payment by Credit Card or Check
Call our New York main office: (716)805-3253


If you read it closely, you’ll see that they’re asking you to register for “Domain name search engine registration”, an utterly meaningless “service”. Search engines like Google search the entire web. Automatically. For free!

The real gotcha comes after some dotted lines at the bottom of the email in what looks like standard legal boilerplate. I’ve highlighted the bits you may have overlooked:

By accepting this offer, you agree not to hold DS liable for any part. Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this offer. The information in this letter contains confidential and/or legally privileged information from the notification processing department of the DS 3501 Jack Northrop Ave. Suite #F9238 Hawthorne, CA 90250 USA, This information is intended only for the use of the individual(s) named above. There is no pre-existing relationship between DS and the domain mentioned above. This notice is not in any part associated with a continuation of services for domain registration. Search engine submission is an optional service that you can use as a part of your website optimization and alone may not increase the traffic to your site. If you do not wish to receive further updates from DS reply with Remove to unsubscribe. If you are not the intended recipient, you are hereby notified that disclosur

And that’s where the message cuts off. At “disclosur”.

In short, the whole thing is a con. From a bunch of scumbags trying to make a fast buck out of the busy or unwary. Avoid!!