This Week in Data #2019-2
Hello everyone. This is week #2 on This Week In Data. Our focus today is more on privacy. We will be going over the following topics:
- Tracking people's locations in Instagram
- Big Tech's Shift to Privacy
- Searching YouTube by location
- Facebook is using 2FA #s for ad targeting
- Using Shodan like a pro
- Clearing out your zombie apps and online accounts
Article: Tracking people's locations in Instagram
There's an app called "Who's in Town" that shows you where the people you follow on Instagram have checked in throughout the duration of their account, complete with a pretty interactive map. To most people in security it's not surprising that you can view information like check-ins and location tags which are public, however the general public is rightfully concerned about this. Similar to how tracking the private planes of executives around the country can help determine what companies they might acquire or where they may relocate their new headquarters (*cough Amazon cough*), a random Instagram follower could determine the pattern of life for you and do anything with it. This isn't to say don't use Instagram, just be cognizant about what you choose to share with the world.
the app can tell you what coffeeshops or restaurants your Instagram-using friends frequent, when they last told the digital world they were there, and give a look inside their daily routine that wouldn’t be evident from just looking at their profile. https://t.co/sQXgjWKnJy pic.twitter.com/tffgdyyU3t
— paris martineau (@parismartineau) July 19, 2019
Article: Big Tech's Shift to Privacy
Mitchell Noordyke from IAPP (International Association of Privacy Professionals) has a great overview of the tech sector’s public expressions of privacy initiatives and values. In the site below is a PDF chart summarizing each's stance on data privacy along with references. Facebook, Microsoft, Apple, and Google are covered in the chart. Surprisingly Amazon was left out.
Big tech approach to informing consumers about privacy. It’s interesting to observe that different companies emphasize on different aspects of privacy. Example: Both Facebook and Apple emphasize on encryption more. Read more here: https://t.co/Y4FCywz5co @PrivacyPros pic.twitter.com/ytKA7u3XZY
— Smirity Kaushik (@Smirity) July 18, 2019
Tool: Searching YouTube by Location
YouTube is a the best platform for finding funny cat videos, pranks, miscellaneous vloggers, among other things of course. This tool let's you drop an arrow on any point in Google maps, you can then specify a radius and it will show you all of the videos uploaded tagged with a location within that radius. I find this really useful to discover a new city or college campus. You can find more genuine videos made by smaller creators as opposed to whatever is driven by YouTube's algorithm whenever you search by what's popular. I did a test case with the tool looking up my university and was able to find two vloggers on campus.
Search YouTube on date, time and location https://t.co/XF93nGEgiN pic.twitter.com/yZNtlYaWLN
— ʜᴇɴᴋ ᴠᴀɴ ᴇss (@henkvaness) July 14, 2019
Paper: Facebook is using 2FA #s for ad targeting
It came out earlier in 2018 that Facebook was using phone numbers that people connected for 2FA security reasons were instead bombarded with notifications related to their accounts and friends activity. It turns out that Facebook also used the phone numbers to sell ads. Researchers at Northeastern went down the rabbit hole recreating how a phone number is ingested into Facebook and then used in advertising. This is a really fun paper for anyone on the technical side of privacy or data science.
Facebook asks users to add their phone numbers for 2-factor authentication, then misuses that info to target ads. Researchers at Northeastern uncovered this by signing up as an advertiser and finding many clever tricks to reverse-engineer FB's targeting. https://t.co/EDvVJmkDIW pic.twitter.com/au5qZEGZrx
— Arvind Narayanan (@random_walker) July 18, 2019
Tutorial: Using Shodan like a pro
If you haven't already heard of Shodan before, a good analogy could be that it's the "Google search engine for the internet of things (IoT)" You can find anything on Shodan, from traffic cams and outdated servers all the way to construction equipment and critical infrastructure. Navigating Shodan your first time is a bit hard but fear not, our good friends online have written some tutorials. The only thing I dislike about this specific tutorial is they do not go over using Shodan's API. Working with APIs is necessary in the long run if you want to do anything at scale or automate. You can find another tutorial that does go over the API linked below. TIP: If you have a .edu email you can get the highest tier of Shodan for free! Just email them for an upgrade.
“How to use shodan like a pro ?” by Cipher https://t.co/uutRJDjyez
— Emad Shanab (@Alra3ees) July 14, 2019
Link: https://medium.com/@woj_ciech/ꓘamerka-build-interactive-map-of-cameras-from-shodan-a0267849ec0a
Tutorial: Clearing out your zombie apps and online accounts
Our friends at Wired wrote this useful guide on how to get rid of accounts you made for one-off apps and websites. You may want to do this to decrease the attack surface you have online. Wired's pitch is essentially "companies get hacked all the time, why not do your part to decrease the chance of your data getting exposed in a breach." I'm not sure how I feel about this. In the US we don't have GDPR, so just because you request to have your account 'removed' does not mean that companies are required to delete your data internally. It might not be worth the time to go through this exhausting process. Let me know what you think.
The more unused, unloved accounts you've got hanging around, the more targets would-be hackers have got to aim at. Figure out what brings you joy and erase your tracks on the rest. https://t.co/M3fgmPz6j6
— WIRED (@WIRED) July 14, 2019