This Week in Data #2019-2
Hello everyone. This is week #2 on This Week In Data. Our focus today is more on privacy. We will be going over the following topics:
- Tracking people's locations in Instagram
- Big Tech's Shift to Privacy
- Searching YouTube by location
- Facebook is using 2FA #s for ad targeting
- Using Shodan like a pro
- Clearing out your zombie apps and online accounts
Article: Tracking people's locations in Instagram
There's an app called "Who's in Town" that shows you where the people you follow on Instagram have checked in throughout the duration of their account, complete with a pretty interactive map. To most people in security it's not surprising that you can view information like check-ins and location tags which are public, however the general public is rightfully concerned about this. Similar to how tracking the private planes of executives around the country can help determine what companies they might acquire or where they may relocate their new headquarters (*cough Amazon cough*), a random Instagram follower could determine the pattern of life for you and do anything with it. This isn't to say don't use Instagram, just be cognizant about what you choose to share with the world.
Article: Big Tech's Shift to Privacy
Mitchell Noordyke from IAPP (International Association of Privacy Professionals) has a great overview of the tech sector’s public expressions of privacy initiatives and values. In the site below is a PDF chart summarizing each's stance on data privacy along with references. Facebook, Microsoft, Apple, and Google are covered in the chart. Surprisingly Amazon was left out.
Tool: Searching YouTube by Location
YouTube is a the best platform for finding funny cat videos, pranks, miscellaneous vloggers, among other things of course. This tool let's you drop an arrow on any point in Google maps, you can then specify a radius and it will show you all of the videos uploaded tagged with a location within that radius. I find this really useful to discover a new city or college campus. You can find more genuine videos made by smaller creators as opposed to whatever is driven by YouTube's algorithm whenever you search by what's popular. I did a test case with the tool looking up my university and was able to find two vloggers on campus.
Paper: Facebook is using 2FA #s for ad targeting
It came out earlier in 2018 that Facebook was using phone numbers that people connected for 2FA security reasons were instead bombarded with notifications related to their accounts and friends activity. It turns out that Facebook also used the phone numbers to sell ads. Researchers at Northeastern went down the rabbit hole recreating how a phone number is ingested into Facebook and then used in advertising. This is a really fun paper for anyone on the technical side of privacy or data science.
Tutorial: Using Shodan like a pro
If you haven't already heard of Shodan before, a good analogy could be that it's the "Google search engine for the internet of things (IoT)" You can find anything on Shodan, from traffic cams and outdated servers all the way to construction equipment and critical infrastructure. Navigating Shodan your first time is a bit hard but fear not, our good friends online have written some tutorials. The only thing I dislike about this specific tutorial is they do not go over using Shodan's API. Working with APIs is necessary in the long run if you want to do anything at scale or automate. You can find another tutorial that does go over the API linked below. TIP: If you have a .edu email you can get the highest tier of Shodan for free! Just email them for an upgrade.
Link: https://medium.com/@woj_ciech/ꓘamerka-build-interactive-map-of-cameras-from-shodan-a0267849ec0a
Tutorial: Clearing out your zombie apps and online accounts
Our friends at Wired wrote this useful guide on how to get rid of accounts you made for one-off apps and websites. You may want to do this to decrease the attack surface you have online. Wired's pitch is essentially "companies get hacked all the time, why not do your part to decrease the chance of your data getting exposed in a breach." I'm not sure how I feel about this. In the US we don't have GDPR, so just because you request to have your account 'removed' does not mean that companies are required to delete your data internally. It might not be worth the time to go through this exhausting process. Let me know what you think.