
In four months the EU General Data Protection Regulation (GDPR) comes into force, and companies are racing against time to comply with the new rules (and avoid being brutally fined if they fail).

One of the things that the regulation mandates is that EU citizens must be able to get access to their personal data held by companies and information about how these personal data are being processed.

Facebook users to get new privacy center

With that in mind, Facebook is getting ready to roll out a new global privacy center, through which users will be able to tweak core privacy settings for Facebook. This should make it easier for users to manage their data, i.e., make informed choices about their privacy.

“Our apps have long been focused on giving people transparency and control and this gives us a very good foundation to meet all the requirements of the GDPR and to spur us on to continue investing in products and in educational tools to protect privacy,” Sandberg said at a Facebook event in Brussels on Tuesday.

Microsoft users get diagnostic data viewer and updated privacy dashboard

Microsoft has already added a new Activity History page to the Microsoft Privacy Dashboard. Through this page, users can see what data are saved with their Microsoft account, as well as adjust privacy settings on their device or browser.

In the coming months, users will be given the ability to view and manage media consumption data and product and service activity, export any of the data they see on the dashboard, and delete specific items. (GDPR also mandates data portability and the right to erasure of personal data.)

The Windows Diagnostic Data Viewer, currently available only to Windows Insiders, is set to be introduced to the broader Windows user base with the release of Windows 10 Redstone 4 in March or April.

Through this tool, Windows users will be able to see and search all Windows diagnostic data that’s in the Microsoft cloud related to their specific device.

This will include:

  • Common data (OS name, version, device ID, etc.)
  • Device Connectivity and Configuration data (device properties and capabilities, preferences and settings, peripherals, and device network information)
  • Product and Service Performance data (device health, performance and reliability data, movie consumption functionality on the device and device file queries). “It’s important to note that this functionality is not intended to capture user viewing or listening habits,” says Marisa Rogers, Privacy Officer with Microsoft’s Windows and Devices Group.
  • Product and Service Usage data (device, OS, applications, services).
  • Software Setup and Inventory (installed applications and install history, device update information).


from Help Net Security http://ift.tt/2rMGP47

It’s been rather too long coming but Reddit users can finally secure their accounts with two-factor authentication (2FA).

Read the announcement:

“You asked for it, and we’re delivering!”

Which ignores that Reddit is probably the last of the big internet brands to offer what, by 2018, has become a standard security option.

It is at least easy to turn on, by clicking on a link at the bottom of the preferences tab, which is also used to set the account password.

A small glitch Naked Security noticed is that the words “two factor authentication” don’t appear on all accounts in the appropriate space on the page. If that’s the case, look for the term ‘status’, beside which should be the phrase ‘click to enable’ to turn on authentication.

Using a 2FA app supporting the TOTP (Time-Based One-Time Password) protocol, such as Google’s Authenticator or Authy, the process is completed by scanning the QR code and entering a one-time six-digit verification code. A different code will be generated for every subsequent login.

Once finished, it’s important to generate and print out 10 backup codes in case there is a problem with the authentication app or the user mislays their smartphone.

The positive aspect of the announcement is that Reddit has jumped straight to app-based 2FA, eschewing the established but now insecure SMS text-based codes still offered by many sites.

It’s just a pity it’s taken so long. Pioneer Google first offered multi-factor authentication (called two-step verification) as long ago as 2011, as did Facebook (Login Approvals), both after noticing increases in attacks fuelled by weak passwords, password re-use and phishing attacks.

Twitter and Microsoft added the same in 2013 (login verification), while even Instagram and WhatsApp had it by 2016 and 2017, respectively.

A turning point for Reddit was the 2016 incident when a hacker broke into moderator accounts and defaced subreddits. This drew attention to the weakness of securing accounts using passwords alone – which some speculated might have been the point of the attack.

After eventually resetting the passwords on 100,000 accounts, the company admitted it was looking at implementing 2FA. As it said at the time:

“Reddit itself has not been exploited, but even the best security in the world won’t work when people are reusing passwords between sites.”

Equally, enabling 2FA will only make a difference to security if people bother to activate it.

A week ago, a Google engineer fessed that fewer than 10% of its Gmail users had bothered to turn on its 2-step verification security – and that’s after seven years in which the company has nagged its users relentlessly to do this.

It’s possible that users have grown weary of having to enable 2FA on lots of sites, but an app like Google’s Authenticator (which works for multiple sites) is one way to streamline this.


from Naked Security http://ift.tt/2BuBhdR