Saturday, June 25, 2022

Facebook knows you way more than you think!

We all know that Facebook collects data on all of us. They manage to do that with different ways including via 3rd-party web browser cookies; an explanation of 3rd-party cookies goes beyond the scope of this blog but you can read about it at the link here. Though 3rd-party cookies are slowly phased out, the alternative i.e. FLoC proposed by Google, as per many privacy advocates, is even worse i.e. so for now, just assume Facebook and other platforms will always have a way to spy on you.

While there are ways to restrict what Facebook collects (follow steps at end of this blog), there is not a whole lot you can do to make them stop other than just deleting your Facebook account. The reason is, Facebook generates substantially all of its revenue by selling ads so they have to monitor your online activity to slap you with targeted ads and curated content based on your web browsing behaviour i.e. the sites you visit, shop, like etc. At the end of the day, Facebook knowing I have T-mobile wireless, or shop at Amazon or browse Reddit is not a big deal for me, I just don't care. However, when I looked at what websites are sharing with Facebook, specifically, financial institution that I do business with, I was concerned. My financial institution (will not mention their name here) shared with Facebook something related to my activity, see below ...


It is unclear to me what they shared since I don't have the details other than Facebook telling me they did. I have the habit of clearing all cookies on banking and financial websites frequently, so unfortunately, I can no longer access this specific cookie in my browser to see the content! However, based on the name of activity shared i.e. "COMPLETE_REGISTRATION", I can only assume it is not something I would like them to share, whatever it is. If it was just "PAGE_VIEW" like all other sites, I would be ok with it. The only thing I remember is opening a new account, transferring money on those 2 days at that exact time mentioned which caused my concern. Why on earth Facebook needs this information? Just to give some perspective, this is just one specific instance of a website I have discussed above, there could be crap ton of them we visit everyday sharing all kinds of stuff w/ Facebook 😮


Finally, if you got this far, you can follow the steps below to tell Facebook to quit doing this, at least for now, until they figure out new ways of profiting on you 😃


While logged in Facebook ...

  1. Navigate to https://www.facebook.com/settings?tab=your_facebook_information
  2. Click "View" on Off-Facebook activity
  3. Click on "Disconnect future activity" [Note: this will also clear all the stored activity so you don't need to clear that]
For visual reference, The screenshots for steps 2 and 3 are below.








Sunday, July 29, 2018

Simple Encrypted Drive

Simple Encrypted Drive.

We all have sensitive data that we need to keep them away from prying eyes. While there are so many free software and solutions available, they all have some advantages and disadvantages in using them. A discussion of available solutions are outside the scope of this blog. If you are interested in using a simple solution where you have 100% control of your sensitive information, read on.

Here is a simple shell script to encrypt your data locally in your hard drive or on a portable USB stick to take it anywhere. If your USB stick is lost or stollen, the data stored in there are of course useless to anyone. The way the script works is by creating an encrypted disk using a special filesystem driver (encfs) and allows you to copy your ordinary files (i.e. unencrypted) through the driver just like copying a file with your operating system's copy command. To access these files, you have to mount the drive with your passphrase. Once the filesystem is mounted, they are available through a mounted drive in plain form to retrieve or update your files. Once the file system is unmounted, they stay in your hard drive or usb stick in encrypted from. 

Here is how to use it.

./encrypted_drive.sh -d /tmp -m

In the screenshot below, I am using /tmp as the destination for my encrypted file storage. It can be anything like an ordinary directory in your computer or a USB disk mount ex: /Volumes/<mydisk> on Mac for example. Here is the screenshot of running the first time. Note: you need to choose a strong passphrase and remember that to access your files later.



Once the drive is mounted (see the screenshot above shows mounted drive on your desktop), you can simply copy your sensitive files using operating system copy command like shown below, or just drag and drop files like you'd do with any other drive/path. The mounted drive will stay mounted for 5 minutes and unmount itself automatically for security.


As you can see from the above screenshot the files are now accessible through the mount point (/tmp/decrypted) for reading and writing in plain form. Once you unmount using -u command, you see the files in /tmp/decrypted are gone and the actual files in encrypted form are in /tmp/encrypted which is useless if anyone got a hold of your USB drive or your computer containing these files.

The script is available in my GIT repo below. Download it and follow the instructions (below) to install the encfs which is required for this script to operate. Love to hear feedback.

GIT: https://github.com/aselvan/scripts/blob/master/security/encrypted_drive.sh

Instructions for installing encfs

#   Mac
#   run the following 2 commands on mac terminal (assumed you have brew installed)
#     brew cask install osxfuse
#     brew install encfs
#   
#   Linux:
#     Ubuntu/Debian: apt-get install encfs
#     Redhat/CentOS: yum install encfs  
#     Other: refer to your distro manual
#
#   Windows:
#      Sorry, wipe that crap and install Linux or get a Mac!
#

Sunday, August 30, 2015

How to protect your Facebook account with encrypted notifications




As part of the Facebook account security feature, Facebook sends various notification e-mails. All these notification e-mail messages are in plain text. For notification e-mails like "Login Alert", it is not a big problem if the mail content is plain text as it does not contain anything important. However, in the case of password reset request e-mail, it is a problem since the reset code is sent in plain text. If your e-mail account is compromised, for example by a session hijacking method, the hacker has access to your e-mail account until the session expires so they can request Facebook password reset and easily take over your Facebook account.

Note: How your account got session hijacked is outside the scope of this blog but typically, it can happen when clicking on phishing e-mails or visiting infected websites etc.

Recently (Jun 2015), Facebook introduced an option for users to request all notification e-mails in encrypted form. If you are already using or familiar with PGP, you can now provide your public key to Facebook so it will use it to encrypt all e-mail communications to you. Go to your Facebook profile and navigate your way to the "Contact and Basic Info" section of the "About" page (or click here https://www.facebook.com/me/about?section=contact-info).

See the screen shot below where I entered my public key.





Once you enter your public key (make sure to check the box to enable encrypted notifications) and save changes, you will get an encrypted mail from Facebook. You then decrypt the mail using your PGP tool and confirm using the link Facebook sends you. After this, all e-mails from Facebook will be encrypted using your public key so only you can decrypt it. In addition, you need to add Facebook's public key to your PGP keyring so you can verify the signature of the encrypted e-mail to ensure it is from Facebook. The key is at link below.


See this whole process in action--- Few days ago, someone tried multiple times to reset my Facebook account. For every attempt, I get an encrypted e-mail from Facebook as shown in the screen shot below.




Below is the screen shot after I decrypted the content using my private key.





So even if my e-mail account was compromised (highly unlikely), the hacker can't read the code sent by Facebook to reset my password since he can't decrypt the mail without my private keys. For PGP encryption/decryption, I use Google's 'End-To-End' chrome plug-in (not available in chrome Web Store yet but you can download source code and compile it). However, there are other tools and browser plug-ins readily available which you can easily install in your browser (chrome or firefox) to use PGP.


If you are new to PGP, the read the link below for a quick introduction before getting started on using Facebook encrypted e-mails.