Author Archives: Adam Levin

Google’s New Ad Policy Overlooks A Bigger Threat

Google has announced that advertisers on its platforms will have to verify their identities and their businesses. They will have 30 days to comply. 

On its face, this seems like common sense and a good idea. The Internet has been rife with fraudulent Covid-19 schemes targeting stimulus checks, selling snake oil cures and price gouging on hard to acquire products. The reality is less clearcut.

Where’s The Data?

The first issue here is Google’s track record when it comes to data mining and privacy. The company is the most successful, and also one of the most appetitive compilers of personal information in digital media. 

While it’s fairly common knowledge that Google’s Chrome browser is no stranger to controversy when it comes to tracking users and collecting data, there is more worrisome activity that gets far less attention. The company aggregates data from its phones, tablets, home media devices, personal assistants, website searches, analytics platform, and even offline credit card transactions. To say that it already has access to data about businesses and individuals would be an understatement and only serves to underscore what’s wrong with this latest initiative. 

There has been plenty of opportunity for Google to put its vast stores of data to use in identifying bad actors on its platforms, with a level of sophistication far beyond anything that could be gleaned from digital copies of personal and employee identification numbers or business incorporation documents. It already has everything it needs to determine whether someone is from the U.S. or Uzbekistan. 

Occam’s Razor points to two explanations. First, Google is doing what it does best: collecting more information. Second, Google is doing what it does best: using information to solve an information problem. Either way, it’s not a very memorable solution.  

Ignoring the Realities of Business Identity Theft

It seems naive to take the position that the submission of digital copies of documents can provide a reliable way to establish the identity of a particular business. In an era where Social Security numbers and tax IDs can be bought by the millions on the dark web and computers are capable of rendering real-time deepfakes on video conference calls, faking a document or credentials is child’s play for any scammer worth his or her Bitcoin. 

For starters, this easily flouted protocol engenders a false sense of security for internet users who assume Google’s verification process works. If this sounds cynical, remember that Facebook tried something like this following the widespread manipulation of its platform during the 2016 election. It failed.

This practice also puts a target on businesses. At a minimum, it will require the widespread transmission of digital copies of potentially sensitive business documents, which opens the door to scammers trying to intercept that data. Business identity theft is a very real threat, and access to a business’s credentials can leave it vulnerable to data breaches, fraud, cyberattacks, and worse. At a maximum, it could actually boost the market for illicit or compromised information on businesses as a means of supplying fake credentials to Google. 

We’ve seen time and again that scammers are creative and extremely persistent when it comes to gaining access to sensitive data, and we can only assume any ill-considered move to protect data will be viewed as a growth opportunity for cybercriminals.

Security Theater

The term “security theater” gained popularity after the implementation of TSA security measures in the wake of the 9/11 attacks, and it seems applicable here. 

Google’s new policies seem like marketing more than security. While they are likely to make customers and businesses that use its online advertising platform feel safer, they could easily have the opposite effect. 

A company with Google’s reach, resources, and oftentimes incredibly granular data isn’t likely to be made any more secure by collecting and gathering digital documents from its clients. It might, however, be putting businesses at greater risk of fraud and data compromise. 

The post Google’s New Ad Policy Overlooks A Bigger Threat appeared first on Adam Levin.

Do Password Managers Make You More or Less Secure?

It’s World Password Day, and much like every other day of the year, the state of password security is terrible. 

Despite repeated warnings from security experts and IT departments, “123456” has been the most common password for the last seven years, narrowly edging out “password.”

The problem isn’t limited to easily guessed passwords: a recent study of remote workers found that 42 percent of employees physically write passwords down, 34 percent digitally capture them on their smartphones, and at least 20 percent admit to using the same password across multiple work accounts. 

Enter the password manager: an application or service that consolidates the credentials for all a user’s accounts. If you stop reading here: Password managers are not failsafe. 

Password managers are convenient, but they are also hackable. A manager provides one place to store your long and complex passwords, yet the whole collection of access data is protected by a single password that can itself be guessed, phished, or cracked. 

If you’re in the habit of using the same or similar passwords across your universe of accounts, a password manager with a very strong password offers more security.

The issue with password managers from a security point of view is that they trade one of the biggest threats to account security (credential stuffing through the re-use of leaked or hacked passwords) for a potentially more serious one: a skeleton key for all of your accounts. Because password managers offer a one-for-all proposition, they make an appealing target for hackers who wouldn’t otherwise try to crack a unique password.

Additionally, password managers are not immune to the security issues that plague any other online service. A number of well-known password managers have either been breached or found to have severe vulnerabilities. 

Takeaway: While password managers add a layer of protection for online accounts, they’re not a silver bullet, and they have the potential to open the door to even greater online threats. Regardless of the method used to keep track of passwords, every account should also be protected with other measures such as multi-factor authentication, up-to-date security software, and a close eye on account activity.


What E-Commerce Sites Can Learn from the Covid-19 Pandemic

For the last few years, cybersecurity experts have been sounding the alarm on something called e-skimming. In this kind of attack, hackers intercept payment card data and personal information from e-commerce sites by exploiting the architectural complexity of those e-commerce sites. 

While there have been several major breaches that were the result of e-skimming, including Macy’s and British Airways, the bulk of these hacking campaigns have been attributed to an individual or group of hackers known as Magecart. Magecart usually targets the Magento platform, often by injecting rogue code into outdated plugins and extensions for websites.

Magento isn’t the Covid moment here. E-skimming is. 

Enter WooCommerce 

Security researchers discovered what could be a game changer in e-skimming attacks earlier this month, one that exponentially expands our collective attackable surface.

Magento has about a 12% market share and represents less than 1% of the entire assemblage of code that comprises the Internet. 

The discovery I mentioned is that a new e-skimming hack has been targeting WooCommerce, which is a far more ubiquitous online shopping plugin used in 26% of all e-commerce sites. WooCommerce is native to and powered by WordPress, a platform that represents over 35% of websites currently online. It would be hard to find a larger attackable surface on the Internet.

The threat posed by a hack targeting WooCommerce isn’t bad only because of the technology’s ubiquity. The issue has to do with who uses it. The quick answer is: Anyone. Contrast that with Magento, which is designed for enterprise-level sites that have detailed inventory needs and other layers of complexity. Magento requires installation, development, and maintenance by trained web professionals certified by the company to understand its many nuances. 

WooCommerce, on the other hand, is easy to use and install; a user with little to no experience building websites—and even less knowledge of cybersecurity best practices—can use it to get an e-commerce site up and running with ease. 

This would be a bad situation in normal times, but with the Covid-19 pandemic making many businesses more reliant on e-commerce and virtual transactions, the potential for an increase in poorly secured websites built on the fly is a matter for concern. 

That said, the bigger issue may be the nature of the hack itself. While e-skimming attacks have usually involved the compromise of vulnerable third-party software, this attack injects malicious code into the core source code of WooCommerce itself, which makes it much harder to detect, particularly for non-expert site builders.

“With credit card swipers it’s common for attackers to simply include/append malicious javascript from a third-party website,” said Sucuri researcher Ben Martin, who first wrote about the attack. “The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

There are parallels with the early days of the Covid-19 pandemic. A relatively familiar threat has surfaced in a more dangerous form that is harder to detect and has the potential to impact a significantly larger number of victims. 

Like Covid-19 in January, the current WooCommerce hack is a nascent threat, but unlike the virus, you can prepare for the threat and mitigate the potential damage. 

A good place to start is for businesses and consumers to use a system I call the 3 Ms:

Minimize the Threat: Businesses doing e-commerce need to keep their website and security software up-to-date. Those companies that have the technical know-how should run regular scans for the presence of rogue code on their websites. If they don’t have that resource in house, they would be well advised to hire a cybersecurity expert to do it for them. Most important is to practice good data hygiene, especially when relying on a remote workforce. A single login and password hooked by a phishing email could provide hackers with the necessary credentials to compromise a website, as well as its customer and payment data. 

When making payments online, consumers should use credit cards instead of debit/bank cards, which can provide hackers a direct conduit to their bank accounts.

Monitor Accounts: Keep track of your bank and credit card accounts to know as quickly as possible when something isn’t right. The most effective way to do this is to sign up for transaction monitoring, offered for free by banks, credit unions and credit card companies, which notifies you of any activity in your credit or bank accounts.

Manage the Damage: If a business falls prey to an e-skimming campaign, it’s crucial to act as quickly as possible to alert the authorities, notify consumers and identify the source of the hack. Customers affected by an e-skimming breach should immediately contact their payment card companies, request new cards, and lock down any potentially impacted accounts.
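The “run regular scans for the presence of rogue code” step above, together with Ben Martin’s point that this malware lodged itself inside an already existing, legitimate file, calls for an integrity baseline rather than a search for suspicious new files alone. The following is an added example, not code from the original post, from WooCommerce, or from Sucuri: it hashes a plugin tree, stores the digests as a baseline, and reports files that were later modified, added, or removed. The path includes/checkout.php and the file contents are constructed for the demonstration.

```python
"""File-integrity baseline for an e-commerce plugin tree (added example;
not code from the original post, WooCommerce, or Sucuri)."""
import hashlib
import os
import tempfile


def hash_tree(root, exts=(".php", ".js")):
    """Map every .php/.js file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests


def compare(baseline, current):
    """Return files whose digest changed, files added, and files removed since the baseline."""
    modified = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {
        "modified": sorted(modified),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: take a baseline, then tamper with a legitimate file and drop a new one."""
    with tempfile.TemporaryDirectory() as root:
        legit = os.path.join(root, "includes", "checkout.php")  # hypothetical path
        os.makedirs(os.path.dirname(legit))
        with open(legit, "w") as fh:
            fh.write("<?php\n// legitimate checkout handler (constructed)\n")
        baseline = hash_tree(root)  # store this digest map somewhere the web server cannot write
        # The tampering is simulated with a harmless marker line appended to the legitimate file;
        # the point is that the modified file is one the site owner expects to exist.
        with open(legit, "a") as fh:
            fh.write("// constructed marker standing in for appended code\n")
        with open(os.path.join(root, "includes", "extra.php"), "w") as fh:
            fh.write("<?php\n// constructed extra file\n")
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

Rerunning hash_tree on a schedule and comparing against a baseline kept off the web root turns a change to any expected file into a concrete alert, regardless of what was inserted.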

Malware and viruses are opportunistic. With more businesses relying on e-commerce to make up for shuttered physical storefronts, newly remote workers struggling to secure their home offices from cyberthreats, and more customers using e-tailers for their day-to-day shopping, the circumstances are ideal for a new strain of malware to spread. 


Rethinking Zoom? How WebEx, Teams, and Google Meet and Duo Compare on Privacy and Security

If you’re among the many looking for a new video conferencing tool after adding “zoombombing” to your vocabulary, you’re in luck. While a one-size-fits-all solution doesn’t exist, there are many other options with proven security features. Here’s a roundup of some of Zoom’s competitors and their privacy and security features.

Webex

The Webex video conference platform has been around since 1995 and is a favorite of the privacy-conscious health care, information technology, and financial services industries. This is partially due to the fact that all three industries commonly relied on virtual meetings well before the Covid-19 pandemic, but mostly because Webex has a reputation for maintaining robust cybersecurity. Cisco, its parent company, is an industry leader in network hardware, software, and security products.

Webex offers end-to-end encryption. Using it, however, limits popular video options, including remote computer sharing and personal meeting rooms. Worth noting: Webex and Cisco products have had security issues in the past.

Microsoft Teams

Like Zoom, Microsoft Teams experienced an uptick in the recent crisis, in part due to its integration with the company’s flagship Office365 cloud and productivity services. Microsoft says that Teams data is encrypted “in transit and at rest,” but details about support for end-to-end encryption are vague.

Like Webex, one advantage of Teams is that its parent company is a major provider of networking, software, and cybersecurity services. Microsoft has an internal rating system for the security of its products, and has designated Teams to be Tier-D compliant, which means that it can adhere to the strictest government and industry security standards and legal requirements.

Neither Microsoft nor Teams is immune to security vulnerabilities, but as a company, Microsoft’s bandwidth to address them when they occur is probably unparalleled. Microsoft also has a more transparent privacy policy and a better track record when it comes to protecting user and customer data than many of its competitors, including Zoom.

Google Hangouts/Google Duo

Google offers Hangouts and Duo as its two primary video meeting platforms; both come in “free” and paid versions bundled with its G Suite line of applications. While Google Hangouts offers similar functionality to Zoom, it has a limit of 25 attendees per video conference. Other considerations include a long history of security and privacy concerns and the fact that Google Hangouts doesn’t offer end-to-end encryption.

Duo is end-to-end encrypted, and can support video meetings with up to 12 attendees.

Like Cisco and Microsoft, Google has more resources dedicated to cybersecurity, but the company has a lengthy track record of mining user data, especially for “free” services. The company is also notorious for quickly and unceremoniously dropping support for many of its projects, and has done so with several previous video conferencing and meeting apps.

Is Zoom Worth Sticking With?

It depends on your business needs. Zoom’s rapid increase in popularity in an already crowded market is a testament to its many qualities, features, and ease of use.

The company has made some misleading claims about user privacy and data, and the recent discovery of multiple serious security vulnerabilities will test the company’s ability to support and sustain its user base.

A good sign is that Zoom announced a 90-day freeze on any new features so it can focus on security and privacy issues. This move could help the platform and the company to continue the meteoric rise in the number of people using the service.

For industries with stringent data privacy and security requirements, platforms like Webex or Microsoft Teams may be a better fit, but every company, platform, and technology has its own set of drawbacks and vulnerabilities. The main takeaway is that every company, regardless of size, needs to have a solid understanding of what its own internal security needs are in order to make an informed decision.
