Category Archives: data protection

In Such Transformative Times, the CISO Is Key to Delivering Digital Trust

For organizations today, staying competitive means undergoing rapid digital transformation, yet few appear to have a solid approach for handling the security and privacy implications of such a change. However, ensuring organizations adapt while also retaining a high level of digital trust is exactly where the chief information security officer (CISO) can help. CISOs are adept at reviewing the security of digital crown jewels — sensitive, business-critical data — aligning security to business goals, and ensuring that disruptive technologies such as artificial intelligence (AI), internet of things (IoT) devices and augmented reality are adopted with adequate security and privacy controls.

Conveniently, there are resources to guide CISOs on how to engage on these issues. One such resource is PwC’s “Digital Trust Insights” report, which replaces their long-running Global State of Information Security Survey (GSISS) series with a broader view of cyber risks awaiting the cognitive enterprise. The report, which is based on a survey of 3,000 executives and is only about a dozen pages long, provides advice for CISOs, boards and business executives to rally around key issues of digital trust as they work to build a reasonably secure digital world.

Get Security Involved Early On

It will come as no surprise to anyone in cybersecurity that the best way to avoid costly and awkward security fixes — or worse, an embarrassing and damaging breach — is to bring in the security function early on in a project. The stakes are even higher for digital transformation projects. While 91 percent of companies executing transformations bring in security and privacy as stakeholders, only 53 percent are proactively managing security and privacy risks “fully from the start.” This varies somewhat by sector, and as expected, the financial services sector is in the lead with 66 percent engaging security and privacy from the start, followed by the healthcare sector (65 percent). The consumer markets sector comes in last, at 49 percent.

Bringing in stakeholders from cybersecurity and privacy from the very beginning of transformation initiatives is key. As the report noted, “Most respondents say emerging technologies are critical for business, but fewer are very confident they have sufficient ‘digital trust’ controls in place.” This is reflected in the survey results with 4 out of 5 organizations reporting that the IoT is critical to at least some parts of their business, yet only 39 percent are “very comfortable” with the digital trust controls deploying alongside their IoT adoption.

Early involvement of the security function will also improve alignment of security efforts with the business, a concern that was raised in the report as few organizations regularly assess that their security controls, frameworks and strategies are still appropriate in light of the digitization of the enterprise and the changing privacy landscape.

Review Security Talent and Workforce Awareness

In most organizations, the security function is already stretched thin and thus not in a position to handle the many new challenges posed by an organization undergoing rapid digital transformation. When the CISO is spending most of his or her time fighting fires or pleading for budget and support, there is little time left to review high-level security strategy, ensure appropriate privacy controls around sensitive data, and adequately communicate enterprisewide security issues to top leadership and the board. Another concern is the low number of organizations that report having a security awareness program (34 percent), and even fewer require training on privacy policies and practices (31 percent).

The way forward is to perform a workforce gap assessment specifically for the cybersecurity and privacy functions, and to commit to filling key roles in security and privacy with the required level of talent. In addition, organizations should review and update — or implement if absent — policies about their IT assets and sensitive data. Security awareness campaigns should be conducted regularly, but avoid the one-size-fits-all web-based approach. Instead, look for or create engaging security awareness materials and evaluate the effectiveness of each campaign. As attackers are continuously refining their tactics, so should you with your security awareness activities.

Improve Communications and Engagement With the Board

As years go by, we get further validation that an increasing number of CISOs are providing the board with updates about cyber risks. Findings from the PwC report echo this progression, with 80 percent of organizations stating their board was provided a risk management strategy. However, only 27 percent of organizations report being “very comfortable” that the board is getting adequate metrics on cyber risk management. Instead, a greater number, 29 percent, report being “uncomfortable” with the adequacy of information reported.

Changing the nature of the engagement between the CISO and the C-suite will take time. But the change needs to get under way, starting with communicating how threats, regulations and third-party risks impact the organization’s cyber risks. CISOs should focus on producing metrics that track the risks to business objectives and how security activities are having a measurable impact to bring those risks down to an acceptable level. Greater emphasis should be placed on the nature and quality of interactions between the CISO and the decision-makers rather than having the CISO deliver a quarterly five-minute broadcast about the organization’s security posture.

Instead, CISOs should spend a little more time learning about their audience, what drives each line of business and their particular concerns, provide materials to prime questions ahead of time, and actively invest in their relationship with the rest of the C-suite and business directors.

Test Cyber Resilience and Improve Strategies

While awareness, engagement and being there from the start are important, the only way to know for sure that the organization is prepared to deal with a data disruption or full-blown cyberattack is to put its cyber defenses to the test. Testing the cyber resilience of the organization can take many forms, depending on the level of the staff or the executives involved. The PwC report found that fewer than half of mid-to-large organizations are “very comfortable” that they have adequately tested their cyber resilience.

Once again, the CISO can and should play a key role on this issue, but doesn’t have to start from an empty slate. Several key organizations have produced reports on cyber resilience, some written specifically for the C-suite and the board, while others were written with chief information officers (CIOs) and CISOs specifically in mind.

Among the many resilience reports available are those from IBM Security and Ponemon Institute, the World Economic Forum (WEF) and the U.S. Department of Homeland Security (DHS). The latter defines resilience in cyberspace as the “ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.” Organizations should evaluate their ability to adapt to changing conditions and threats, including adapting organizational strategies; prepare for (including anticipating and planning ahead of disruptions); withstand (an area that should be tested more regularly than during the yearly pen test); and recover from an adverse event.

The CISO Is Key to Successful Digital Transformation

“Companies that show the connected world how to lead in safety, security, reliability, privacy, and data ethics will be the titans of tomorrow.” — PwC “Digital Trust Insights” report

Becoming a cognitive enterprise will require major changes, changes that can shake the foundation of trust in the organization’s customers and partners. Organizations will need to balance digital innovation with cyber resilience by ensuring early engagement of the security function in major projects and seeking whole-enterprise visibility and awareness of digital risks. The CISO is key to the organization maintaining a high level of digital trust in such transformative times.

The post In Such Transformative Times, the CISO Is Key to Delivering Digital Trust appeared first on Security Intelligence.

10 Chrome Extensions to Boost Your Online Safety in 2019

Chrome is the most popular internet browser nowadays, so we’ve decided to research extensions that increase your online safety. Even though it claims to automatically protect you from security issues, such as phishing attacks and dangerous websites, as the online threatscape evolves, it never hurts to add extra layers of protection.


Web Browser Market Share, March 2019, according to W3Counter

In this guide, we’ll walk you through a variety of Chrome extensions, ranging from anti-tracking solutions, ad blockers, password managers, and VPN solutions, to name a few.

We hand-picked the add-ons from a wide palette of solutions, with the intention to help you browse safely on the internet.

So let’s jump in.

Here are some of the best privacy and safety-related Chrome extensions.

1. Privacy Badger

Privacy Badger is a browser add-on developed by the Electronic Frontier Foundation (EFF) that blocks advertisers and third-party trackers from tracking the web pages you visit. Essentially, whenever it detects advertisers who track you across different websites without your consent, it automatically stops them from inserting any more content into your browser.

Keep in mind this isn’t a standard ad blocker, as it wasn’t created with the intention to completely block ads.

What it really does is focus on stopping any visible or invisible third-party scripts or images that seem to be tracking your activity despite the fact that you specifically refused to be tracked by sending a Do Not Track header. Most of these third-party trackers happen to be advertisements, so that’s why most of them will be blocked.

Does it make sense to use Privacy Badger and a standard ad blocker at the same time? If you really despise ads, the EFF advises using a combination of Privacy Badger and uBlock Origin.

Download: Privacy Badger

2. Ghostery

Ghostery is similar to Privacy Badger – it detects and blocks third-party technologies which track you and it also markets itself as an ad blocker. Thus, it provides a clean and fast browsing experience, while preventing advertisers from tracking your activity.


The Smart Blocking feature increases the pages’ loading speed, by automatically blocking and unblocking trackers.


Download: Ghostery

3. HTTPS Everywhere

HTTPS Everywhere is an add-on created by the Electronic Frontier Foundation (EFF) and the Tor Project that changes websites from insecure “HTTP” to secure “HTTPS”.

Why use “HTTPS” instead of “HTTP?”

“HTTP” is not encrypted and can be vulnerable to threats, such as man-in-the-middle attacks. HTTPS should be used especially on insecure networks (such as public Wi-Fi), as these are most likely to be accessed by people on the same network who can steal your private information.


Many websites do offer some support for encryption over HTTPS, but they make it difficult to use. For example, they can link unencrypted sites to encrypted pages.

HTTPS Everywhere takes care of those issues by rewriting requests to these sites to HTTPS.
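To make the rewriting step concrete, here is an added example (not code from HTTPS Everywhere or from the original article) of a rule-based HTTP-to-HTTPS upgrader. The ruleset structure, the hosts and the function names are assumptions constructed for illustration.

```javascript
// Constructed rulesets: each one lists the hosts it applies to, URL patterns
// that must be left alone, and from/to rewrite rules. Hosts are placeholders.
const RULESETS = [
  {
    name: "Example shop",
    targets: ["example.com", "*.example.com"],
    // A legacy host that is assumed not to serve HTTPS at all.
    exclusions: [/^http:\/\/legacy\.example\.com\//],
    rules: [
      { from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" },
      { from: /^http:\/\/([^/:@.]+)\.example\.com\//, to: "https://$1.example.com/" },
    ],
  },
];

// Exact host match, or a left-hand wildcard such as "*.example.com".
// The leading dot is kept so "evilexample.com" does not match.
function hostMatches(host, target) {
  if (target.startsWith("*.")) {
    return host.endsWith(target.slice(1));
  }
  return host === target;
}

// Returns the URL to request and what was decided about it.
function rewriteToHttps(rawUrl, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, action: "invalid" };
  }
  if (url.protocol === "https:") return { url: url.href, action: "already-secure" };
  if (url.protocol !== "http:") return { url: url.href, action: "not-http" };

  const host = url.hostname.toLowerCase();
  for (const rs of rulesets) {
    // Only rulesets whose target list covers this host are considered.
    if (!rs.targets.some((t) => hostMatches(host, t))) continue;
    // Exclusions win over rules: upgrading these would break the page.
    if (rs.exclusions.some((re) => re.test(url.href))) {
      return { url: url.href, action: "excluded" };
    }
    for (const rule of rs.rules) {
      if (rule.from.test(url.href)) {
        return {
          url: url.href.replace(rule.from, rule.to),
          action: "upgraded",
          ruleset: rs.name,
        };
      }
    }
  }
  // No ruleset knows this site, so the request goes out unchanged.
  return { url: url.href, action: "no-rule" };
}
```

The last branch is the practical limit of a list-based approach: a site without a rule is still fetched over plain HTTP.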

Here you can access information about the project’s Git repository and also get involved in development if you are interested in doing so.

Download: HTTPS Everywhere

4. LastPass

LastPass is a password manager which stores all of your passwords so you don’t have to remember them.

Using the same password for all your accounts is the worst thing you can do, so LastPass will contribute to your overall security hygiene.


What you do need to remember is the master password used to guard the rest of your passwords. This tool uses strong encryption algorithms, so even the folks from LastPass don’t have access to your data.


It integrates with a variety of two-factor authentication options so you can protect yourself with an extra layer of security. You should really turn on this feature just in case someone manages to steal your master password, and this way they can be stopped from accessing your account.

Download: LastPass 

5. Vanilla Cookie Manager

Vanilla Cookie Manager is an extension that allows you to delete unwanted cookies. It gives you the option to shut off cookies completely or just remove third-party cookies.


Vanilla Cookie Manager allows you to whitelist the cookies that you would like to keep from websites trusted by you.


Does it make sense to manage cookies?

Let’s start off by briefly explaining what they are and what they do.

Cookies are text strings stored on your computer in a directory. They are harmless, in the sense that they can’t infect your PC with malware. Yet, they can store information about your activity on websites.

So how do cookies work?

Web servers transmit cookies that are stored in your browser, and the next time a page is referenced, the browser returns the cookie to the server.

Obviously, it’s your choice whether you want to alter cookies. Some users prefer to browse the internet without worrying too much about their information being collected, while others prefer to remain completely anonymous.

Download: Vanilla Cookie Manager

6. Perspective Guard

The Perspective Guard extension is based on a rather unique concept running on artificial intelligence, and its main purpose is to let you know if you might come across fake news.


Its developers promise not to store your data so you can rest assured you are browsing the internet privately.

What it does is monitor the social networks and websites you access and gives you an overview of the type of content you encounter.

The content you see is classified as Negative, Neutral, or Positive.


You also have the option to be notified if you are likely to become a victim of social engineering campaigns.

Download: Perspective Guard

7. minerBlock

minerBlock is an add-on used against those malicious hackers who try to steal your computer processing power to mine cryptocurrency without your consent.

This technique is called “crypto jacking”, short for “cryptocurrency hijacking”. For a full overview of the concept and a guide on how to avoid becoming a victim, access our article.

How does the minerBlock extension work?

It uses two different ways to stop crypto miners: by blocking requests/scripts loaded from a blacklist, and by detecting suspicious behavior inside loaded scripts and deleting them right away.

Download: minerBlock

8. uBlock Origin

For all of you out there who simply don’t want to see any ads, uBlock Origin is a great Chrome extension to help you block them all.


This ad blocker also seems to be the easiest on CPU and memory, as per their comparison below:

[Figures: CPU and memory usage comparison charts. Source: Google Chrome uBlock Origin Store]

Download: uBlock Origin

9. CyberGhost VPN Free Proxy

VPN tools are a great way to access websites from countries that would otherwise not be available in your location. Not only that, but you are also protected against malicious actors and data miners since a VPN hides your real IP address and encrypts your connection.


CyberGhost has all of these features in place and has been awarded the “Best Value” category at the BestVPN.com Awards in 2019, so we recommend you check it out.


Download: CyberGhost VPN Free Proxy

10. Hotspot Shield VPN Free Proxy

Hotspot Shield VPN is another Chrome extension you should try out.


It has both a free and paid version. The free one lets you access 95% of its features – hides your IP, prevents personal information theft, encrypts your activity on any network, and you can automatically secure popular websites or bypass unwanted ones.


Download: Hotspot Shield VPN Free Proxy

Do Chrome extensions work in Incognito Mode?

Chrome extensions will not work in Incognito mode by default since this browsing alternative stops the browser from saving your history, cookies, and website data.

Yet, you do have the possibility to activate the Chrome add-ons manually so they run in Incognito as well.

Here is how:

Step #1: Open an Incognito window, and click on the Settings option.


Step #2: The Extensions menu will open in a new Tab. Select the Details option from the add-on you would like to activate.


Step #3: Activate Allow in incognito.


And you’re all set. You can now use the add-ons you want in Incognito mode.

Are all Chrome extensions safe to use?

As a general rule, be careful when you browse the Chrome Web Store for extensions, as there are chances you run into add-ons that can compromise your security and privacy.

Here are some guidelines to keep in mind:

  • Always look at the extensions’ rating and try to choose the ones that have at least 4.3 out of 5 stars. And also make sure you read the user reviews.
  • Install extensions from trusted sources. You may want to look into who actually developed the add-on and see if the source looks suspicious or not.
  • Pay attention to what permissions the extensions require. If an extension you are already using suddenly asks you to grant another permission, this means it may have been compromised.
  • Never install too many extensions. Stick to the ones you really need. Too many of them can both slow down your browser and make it difficult to notice if something fishy is going on.
  • Don’t rely on security browser extensions exclusively and also install an anti-malware solution on your computer.
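The permissions guideline above can be checked mechanically by comparing the `manifest.json` of two versions of the same extension. The following is an added example, not part of the original article: the two manifests are constructed samples, and the high-risk list is this example's own assumption about which permissions deserve a closer look.

```javascript
// Permissions that give broad reach over browsing data. This selection is an
// assumption of the example, not an official Chrome classification.
const HIGH_RISK = new Set([
  "<all_urls>", "tabs", "webRequest", "cookies", "history",
  "clipboardRead", "nativeMessaging", "debugger", "proxy", "management",
]);

// Constructed sample: version 1.4.0 of a hypothetical extension.
const OLD_MANIFEST = {
  manifest_version: 3,
  version: "1.4.0",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://api.example.test/*"],
};

// Constructed sample: version 1.5.0 of the same hypothetical extension.
const NEW_MANIFEST = {
  manifest_version: 3,
  version: "1.5.0",
  permissions: ["storage", "activeTab", "cookies", "webRequest"],
  host_permissions: ["*://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// Collect everything the manifest grants at install time. Manifest V2 lists
// host patterns inside "permissions"; V3 moves them to "host_permissions".
// Content-script match patterns are included because they are host access too.
function grantedPermissions(manifest) {
  const out = new Set();
  for (const key of ["permissions", "host_permissions"]) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string") out.add(p);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) out.add(m);
  }
  return out;
}

// A host pattern with a wildcard host ("*://*/*", "https://*/*") covers every site.
function isBroadHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|wss?|file|ftp):\/\/\*\//.test(p);
}

// Compare two versions and say whether the update widens access.
function diffPermissions(oldManifest, newManifest) {
  const before = grantedPermissions(oldManifest);
  const after = grantedPermissions(newManifest);
  const added = [...after].filter((p) => !before.has(p)).sort();
  const removed = [...before].filter((p) => !after.has(p)).sort();
  const highRisk = added.filter((p) => HIGH_RISK.has(p) || isBroadHostPattern(p));

  let verdict = "unchanged";
  if (highRisk.length > 0) verdict = "review-before-accepting";
  else if (added.length > 0) verdict = "new-permissions";
  else if (removed.length > 0) verdict = "reduced";
  return { added, removed, highRisk, verdict };
}
```

In the sample pair, the update swaps access to a single API host for access to every site plus cookies and request interception, which is the kind of change the guideline tells you to question.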

What security and privacy add-ons have we missed? Are there any Chrome extensions that you would advise against? Share your thoughts in the comments section below.

The post 10 Chrome Extensions to Boost Your Online Safety in 2019 appeared first on Heimdal Security Blog.

Which organizations place a premium on security and privacy?

70 percent of websites qualified for the 2018 Online Trust Audit and Honor Roll, the highest proportion ever, and up from 52 percent in 2017, driven primarily by improvements in email authentication and session encryption. This tenth annual audit of more than 1,200 predominantly consumer-facing websites was expanded this year to include payment services, video streaming, sports sites, and healthcare. The Federal government category surged to the front with 91 percent of sites placing on … More

The post Which organizations place a premium on security and privacy? appeared first on Help Net Security.

Spear Phishing Report Card: Perfect Scores in School Security Pen Testing

In a new U.K.-based study, 100 percent of test spear phishing attacks gained access to sensitive university data in less than two hours.

That’s the word from joint efforts by nonprofit research firm Jisc and the U.K.’s Higher Education Policy Institute (HEPI), which evaluated 173 higher education providers recently. As noted by We Live Security/ESET, researchers were able to “reach student and staff personal information, override financial systems and access research databases,” often in less than an hour. Jisc also achieved perfect scores in breaching security when spear phishing was part of the test attack.

For Your Immediate Attention

Well-designed phishing attacks worked against both students and staff. The Jisc/HEPI report noted that “particularly at the start of the academic year, there has been an increase in student grant fraud.” In this type of attack, students receive emails promising free grant money if they supply banking details or click through to malicious attachments.

Staff members, meanwhile, are often sent supposedly urgent documents they need to unlock using university credentials, effectively giving attackers unfettered network access. Using available social data and published department structures on university websites enabled white-hat hackers to create custom-built emails that bypassed security at every participating institution.

It’s also worth noting that post-secondary distributed denial-of-service (DDoS) attacks are on the rise. In 2018, HEPI reported more than 1,000 DDoS attacks across 241 U.K. education and research facilities. These attacks are doubly concerning: As Jisc noted, data availability is critical to school success, especially during “clearing,” which sees unfilled university spaces matched with new student candidates.

Inability to access course or applicant data during this time could be financially and reputationally devastating. In addition, DDoS attacks are often used to mask other threat vectors. For example, a high-volume DDoS attack could increase the efficacy of spear phishing efforts by shifting security focus away from email compromise.

Avoiding the Hook of Spear Phishing

While higher learning institutions were the target industry in Jisc’s study, the lesson is applicable at scale: Well-written phishing emails are corporate compromise kryptonite.

Avoiding the spear phishing hook starts with recognizing the critical link between employees and email. Most users believe they’re above average when it comes to recognizing the danger signs of phishing, but this doesn’t pan out in practice. By implementing low-key warning processes that recognize key phishing tactics, companies can ensure staff are notified without fighting the “it won’t happen to me” battle.

IBM security experts also recommend implementing identity and access management (IAM) solutions that leverage user behavior analytics (UBA) to identify normal user behaviors and sound the alarm if strange access requests or odd resource use patterns emerge.

The post Spear Phishing Report Card: Perfect Scores in School Security Pen Testing appeared first on Security Intelligence.

Foregenix And Tranwall Partner To Tackle Global ATM Cashout Fraud In The Banking Industry.

A leading UK cyber security firm has joined forces with an Australian pioneer in payment card control technology to fight against the rise of global ATM Cashout fraud.

Australian-based Tranwall’s transaction security software will be offered with Foregenix’s Managed Detection and Response (MDR) and Threat Sweep. Both services provide security visibility of business critical assets in a single pane of glass and prevent advanced targeted attacks with early detection and skilled response.

Tranwall software will provide a second layer of security to issuing banks and is used widely by financial institutions in the Middle East and Africa. It gives banks and their customers granular control of bank accounts and cards and allows them to lock down entire ranges to stop certain transaction types such as international ATM withdrawals and commerce payments. It also offers additional control to the end customer on two-factor authentication on all customer bank accounts as well as limit setting to a.

UK headquartered Foregenix is a leading global authority on ATM Cashout fraud through their PCI Forensic Investigations and Incident Response service. They have worked a significant number of ATM Cashout incidents in Africa where the problem is especially acute.

Cashouts have affected regions across the globe, with high profile attacks including an India-based bank system being accessed through malware which resulted in over US $13m being stolen and an attack in Japan which saw another US$13m stolen through ATMs in three hours as ~14,000 fraudulent withdrawals were made.

Often referred to as the FASTCash Campaign, the attacks are attributed to the Hidden Cobra cyber criminal syndicate with strong links to nation-state attackers from North Korea. These criminals are targeting issuing banks and payment card processors. The initial access mechanisms are varied but are often through poor digital hygiene and phishing or unpatched Internet-facing systems.

The cyber criminals subsequently exploit the poor architecture as well as lack of security of internal systems, manipulate limits or intercept transactions on the backend and use stolen or cloned cards at ATMs to fraudulently withdraw large amounts of hard cash. The cashouts are typically performed by associates or ‘mules’ who copy and imprint the stolen data on magnetic cards and perform the physical cash withdrawals in hundreds of locations, simultaneously.

Andrew Henwood, CEO of Foregenix, the leading authority on preventing ATM Cashouts comments: ‘Tranwall has a fantastic track record, its solutions have reduced fraud reduction rates by as much as 75% to 95%. We believe our partnership will be a major new step in tackling the issue of ATM Cashouts for banks worldwide.’

www.foregenix.com

www.tranwall.com

The post Foregenix And Tranwall Partner To Tackle Global ATM Cashout Fraud In The Banking Industry. appeared first on IT Security Guru.

April Scams May Ruin Plans: Threat Actors Ramp Up for Tax Scam Season

Threat actors are taking advantage of tax season to target both individuals and enterprises with tax scam attacks.

As reported by Dark Reading, these scams ramp up as tax deadlines loom but can potentially exploit victims’ data month after month or year after year. And while private citizens remain easy targets for malicious actors — Forbes noted that 143 million “negative robocalls” were made on tax day in 2018 — recent IBM research revealed that attackers are now using tax-themed campaigns to subvert corporate security policies.

Tax Scam Tactics

Cybercriminals are taking steps to make enterprise-level scam emails seem entirely legitimate. It starts with typosquatting to create fake payroll and tax service domains and bolster the “from” field by mimicking common corporate email address formats. Email bodies are brief but well-written, while the signature includes popular business components, such as names, job titles, contact numbers and mock footers. Infected attachments — typically filled with TrickBot malware — round out these messages.

At scale, these scams pose a real problem: If even one corporate recipient is fooled, threat actors could gain access to critical network resources.
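On the defensive side, the typosquatted sender domains described above can be flagged by comparing each incoming sender domain with the domains the organization actually uses. This is an added example, not from the original article; the trusted domains, the confusable-character map and the distance threshold of 2 are assumptions chosen for illustration.

```javascript
// Constructed allow-list: payroll and tax service domains the organization
// really uses (placeholders).
const TRUSTED_DOMAINS = ["payroll-example.com", "taxservice-example.com"];

// Characters often swapped in lookalike domains (a small sample, not exhaustive).
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w" };

// Fold confusable characters so "payrol1" and "payroll" compare as equal.
function skeleton(domain) {
  let s = domain.toLowerCase();
  for (const [from, to] of Object.entries(CONFUSABLES)) {
    s = s.split(from).join(to);
  }
  return s;
}

// Edit distance counting insertions, deletions, substitutions and swaps of
// adjacent characters (optimal string alignment).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Pull the domain out of a From header such as '"Name" <user@host>' or 'user@host'.
function senderDomain(fromHeader) {
  const m =
    /<[^<>@\s]+@([^<>\s]+)>\s*$/.exec(fromHeader) ||
    /^[^<>@\s]+@([^<>\s]+)$/.exec(fromHeader.trim());
  return m ? m[1].toLowerCase().replace(/\.$/, "") : null;
}

// Classify a sender as trusted, lookalike (near a trusted domain) or unknown.
function classifySender(fromHeader, trusted = TRUSTED_DOMAINS, maxDistance = 2) {
  const domain = senderDomain(fromHeader);
  if (domain === null) return { domain: null, verdict: "unparseable" };
  if (trusted.includes(domain)) return { domain, verdict: "trusted" };

  let closest = null;
  let best = Infinity;
  for (const t of trusted) {
    const dist = editDistance(skeleton(domain), skeleton(t));
    if (dist < best) {
      best = dist;
      closest = t;
    }
  }
  // Not on the allow-list but within a couple of edits of it: likely imitation.
  if (best <= maxDistance) {
    return { domain, verdict: "lookalike", closest, distance: best };
  }
  return { domain, verdict: "unknown", closest: null, distance: best };
}
```

A "lookalike" verdict is a good trigger for the low-friction warning banners that email gateways can attach; it looks only at the sender domain and does not catch a display name that impersonates a colleague.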

Watch Out for Malicious Tax Apps

Application-driven tax fraud is also on the rise. Given the sheer number of mobile apps now available, it’s no surprise that malware makers created their own versions of popular tax-filing apps. As Dark Reading pointed out, the apps often “impersonate popular tax-filing services to get people to give up sensitive data.”

Here, key indicators of potential issues include limited or missing developer information along with excessive permission demands. With more than 90 percent of tax returns now being prepared electronically, app control needs to be on the corporate IT radar. Otherwise, remote users or those using company networks for personal business could expose critical services to undue risk.

How to Evade a Costly Tax Scam

Once tax scammers have their hands on personal or corporate data, it’s a gift that keeps on giving. Attackers can use this information to redirect returns, open new credit accounts and generally cause havoc for months or years after initial compromise takes place.

According to IBM security experts, evading these tax tricks starts with the basics: Make sure macros are disabled by default in Office and ensure antivirus tools are capable of detecting and defeating TrickBot.

User education also plays a role. During scam season, it’s worth reminding staff that the IRS never communicates via email and supposed tax attachments from payroll or accounting services should always be vetted before opening.

The post April Scams May Ruin Plans: Threat Actors Ramp Up for Tax Scam Season appeared first on Security Intelligence.

SecurityWeek RSS Feed: Blue Cross of Idaho Hacked, Some Member Information Accessed

One of Idaho’s largest insurance companies said Friday that someone hacked its website and obtained access to the personal information of about 5,600 customers, including their names, claim payment information and codes indicating medical procedures they may have undergone.


What Is Endpoint Security Today? Big Data and Mobile Trends Point to the ‘Startpoint’

Where does “it” end?

We can probably all agree that securing and protecting the devices that communicate with our networks is a fair definition of endpoint security. Similarly, these devices are one of the best places to start when figuring out how to secure your networks because they are a particular pain point for security teams, responsible for 70 percent of breaches and a source of daily headaches.

But within this traditional definition, what, really, is the endpoint of today? How we answer that question has significant security implications.

While the conversation has focused on devices thus far, consider that the “2019 IBM X-Force Threat Intelligence Index Report” found that “human error continues to facilitate breaches,” and the 2018 edition of the report noted, “To err is human … When it comes to data security, the potentially detrimental impact of an inadvertent insider on IT security cannot be overstated.”

If human error and manipulation are sources of so much frustration, are the devices really the problem?

Data Production and Consumption Are Going Big and Going Mobile

Let’s go through some quick points before diving deeper. Threat actors are taking advantage of devices with malicious intent, but we know that humans also facilitate breaches. Trends show a rising mobile-first preference, which has attackers moving away from malware. Phishing is increasing and remains the preferred attack method, according to Microsoft. In addition, as reported by Threatpost, with more and more organizations deploying mobile devices in professional settings, employees are using these devices for personal functions.

In fact, people are going mobile-first for their internet usage at such high rates that attackers are now tailoring their tactics for mobile viewing.

For example, Threatpost described a recent campaign in which threat actors used malicious tool kits to attack Verizon Wireless customers due to their deep understanding of the provider’s infrastructure, creating spoofs of seemingly legitimate subdomains. According to Lookout security researcher Jeremy Richards, this type of attack looks sloppy and obviously not legitimate when opened on a desktop. However, when opened on a mobile device, “it looks like what you would expect from a Verizon customer support application.”

For good measure, let’s add in some data production numbers. According to Forbes:

  • Half of all web searches are conducted from a mobile phone.
  • Every minute, we send 16 million text messages and 156 million emails (and some 103 million spam emails).
  • Uber riders take nearly 46,000 trips every minute.
  • Internet of things (IoT) devices are exploding, from 2 billion devices in 2006 to a projected 200 billion by 2020.

Clearly, part of the issue is manageability. You simply cannot keep your network secure without some kind of endpoint security solution because every minute counts once you have been breached. But big data and mobile are two factors that are testing the limits of manageability, giving way to a completely new meaning of identity and access management (IAM) and how we address the problem as a whole.

Where Is the Endpoint?

From these trends, statistics and developments, we need to ask some questions that, depending on the answers, could completely change how we think about and manage endpoint security.

Unconscious Data

Unlike in the past, when users were more conscious of their data production and consumption (access a stationary terminal, use it and walk away from it), today there is a great deal of unconscious data production and consumption (mobile devices are always on, always broadcasting and always connected to some secondary device such as a health monitor or watch). How does this situation of unconscious data production and consumption alter the meaning of endpoint security?

Continuous Data

Previously, users were producing and consuming data in finite blocks, whereas today, there is a seemingly endless stream of continuous data consumption and production, mainly due to our mobile devices. This is one of the reasons we have big data, and the situation will only get worse as we integrate more IoT, wearable and peripheral devices — which, in part, explains why enterprises are adopting unified endpoint management (UEM) systems. Remember, humans are responsible for much of this data. How does this continuous stream of data alter the meaning of endpoint security?

Device or User?

Finally, given recent trends — specifically the shift to social engineering attacks — ask yourself: Is the attacker going after the device or the human to gain access to the network? Put another way, is it the device that is vulnerable, or the user? It’s not clear-cut who or what the target is anymore.

I’d assert that both the device and the human are targets because they each have their own unique vulnerabilities, and the intent will determine the method of attack. But that’s probably the easiest answer, and the nuance of the question deserves attention.

It’s the attack’s intent that throws all of this into a conundrum. Because you don’t know what you don’t know, the attacker has the upper hand. This reinforces why beginning with endpoints is a great way to protect your network.

But I’ll take it one step further: If your endpoint is the device, then your “startpoint” is the human. Attackers are always tweaking their tactics to get past the technology to the human. We haven’t even begun to discuss the human/tech interaction, but Verizon’s “Insider Threat Report” described five very possible scenarios that illustrate that interaction:

  1. The Careless Worker (misusing assets, resources and policies).
  2. The Inside Agent (stealing information on behalf of outsiders).
  3. The Disgruntled Employee (seeking to destroy company property).
  4. The Malicious Actor (stealing information for personal gain).
  5. The Feckless Third-Party (business partners compromising security).

So what’s the solution? To quote Lewis Carroll, “‘Begin at the beginning,’ the King said gravely, ‘and go on till you come to the end: then stop.’”

If Machines Are the End, Then Humans Are Very Much the Start

I don’t expect a couple generations’ worth of people to begin thinking of endpoints any differently; an endpoint will continue to be defined as a device that communicates with a network. But that definition puts into our mind that the device is the terminus point of data production and consumption. It’s a bit of a mental barrier, whether we like it or not.

Big data and mobile trends indicate that devices are not the terminus points; we are. We make the final decision to click the link. We make the final decision to send that information. We make the final decision to produce and consume data and where from.

Therefore, let’s step up our endpoint game by using technology to manage security while spending equal time addressing the problems caused by the “startpoint” of the system, the human. Looking at these issues as a looping continuum of data flow that is mobile, instead of as distinct and discrete issues with terminus points, may better position us to reduce the risk we face.

The post What Is Endpoint Security Today? Big Data and Mobile Trends Point to the ‘Startpoint’ appeared first on Security Intelligence.

Attackers Use EternalBlue and PowerShell Scripts to Spread Cryptomining Malware Across Asia

A cryptomining malware campaign originally discovered in January is now using the EternalBlue exploit to target users in Asia, according to security researchers.

The investigation by Trend Micro showed the campaign involves several different approaches to infect machines and avoid detection while it mines Monero, most of which involve taking advantage of older applications and obfuscated PowerShell scripts.

In addition to EternalBlue — an exploit developed by the National Security Agency (NSA) that was linked to the widespread WannaCry and NotPetya ransomware attacks three years ago — the cryptomining malware also uses open-source tools, such as PowerDump, Invoke-SMBClient and Server Message Block (SMB) v1 protocol.

The campaign currently targets users based in Japan, Hong Kong, Taiwan, India and Vietnam, the researchers said.

How Miner Malware Uses Pass the Hash

Threat actors behind the attacks start by trying a list of commonly used passwords, such as “123456” and “welcome,” to break into a machine and gain network access. The campaign also makes use of a technique known as pass the hash in which attackers steal credentials stored in memory to connect to a remote server. Other options have included attacking targets with weak passwords using the Invoke-WMIMethod PowerShell script or EternalBlue for those with stronger passwords.

Once a machine has been infected and the media access control (MAC) address has been captured, the cybercriminals behind the cryptomining malware campaign try to get ahead of detection attempts by scanning for any antivirus products that may be in use.

Researchers also discovered five different components that have been used as part of the campaign, including a larger copy of the malware — essentially a dropped Trojan — that can get past sandboxes, as well as a binary executable compiled using Python and other PowerShell scripts. An open-source tool known as Invoke-ReflectivePEInjection is used to drop the XMRig cryptominer onto the compromised machines using its own PowerShell process, rather than storing it as a file.

Keep Cryptomining Malware Off Servers, Too

While targeting individual machines with cryptomining malware is commonplace, the researchers noted that those behind this campaign were also trying to break into database servers by searching for those using weak SQL passwords.

This is similar to a recent investigation from IBM X-Force Incident Response and Intelligence Services (IRIS), which showed cryptojacking infections that took advantage of misconfigured servers in multinational corporations. Besides patching vulnerable systems and closing ports on external servers, IBM experts also recommend disabling legacy protocols such as SMB v1 and keeping a close eye on any data that leaks out through SMB ports.
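One way to act on the advice to watch SMB ports, as an added example that is not code from Trend Micro or IBM: it scans flow records for SMB traffic leaving the network and for a single internal host contacting many internal peers over SMB in a short window. The log format, addresses, threshold and function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
# Assumption: the internal network uses RFC 1918 space only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: "epoch_seconds src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
1554800000 10.0.1.15 10.0.1.20 445 allow
1554800002 10.0.1.15 10.0.1.21 445 allow
1554800003 10.0.1.15 10.0.1.22 445 allow
1554800005 10.0.1.15 10.0.1.23 445 deny
1554800007 10.0.1.15 10.0.1.24 445 allow
1554800009 10.0.1.15 10.0.1.25 445 allow
1554800010 10.0.2.8 10.0.9.5 445 allow
1554800030 10.0.2.8 10.0.9.5 445 allow
1554800040 10.0.3.7 203.0.113.50 445 allow
1554800050 10.0.3.7 198.51.100.9 139 deny
1554800060 10.0.4.4 203.0.113.80 443 allow
1554803600 10.0.2.8 10.0.9.6 445 allow
"""


def is_internal(ip):
    """True when the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Turn the whitespace-separated records into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "action": action})
    return flows


def find_smb_egress(flows):
    """SMB connections from an internal host to an external address.

    Denied attempts are reported too: the firewall stopped the leak, but the
    source host is still trying to speak SMB to the internet.
    """
    return [(f["src"], f["dst"], f["port"], f["action"]) for f in flows
            if f["port"] in SMB_PORTS
            and is_internal(f["src"]) and not is_internal(f["dst"])]


def find_smb_fanout(flows, window=60, threshold=5):
    """Internal hosts that reach `threshold` or more distinct internal peers
    over SMB within `window` seconds, the pattern a self-spreading infection
    produces. Returns {source_ip: peak_distinct_peer_count}."""
    by_src = defaultdict(list)
    for f in flows:
        if (f["port"] in SMB_PORTS
                and is_internal(f["src"]) and is_internal(f["dst"])):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, port, action in find_smb_egress(flows):
        print(f"SMB egress: {src} -> {dst}:{port} ({action})")
    for src, peers in find_smb_fanout(flows).items():
        print(f"SMB fan-out: {src} contacted {peers} internal peers within 60s")
```

The fan-out threshold needs tuning per network, since file servers and backup hosts legitimately talk SMB to many peers and belong on an allowlist.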

The post Attackers Use EternalBlue and PowerShell Scripts to Spread Cryptomining Malware Across Asia appeared first on Security Intelligence.

The most Popular Free Encryption Software Tools to Protect Your Data

In this internet-connected world, it’s become more important than ever to keep our information safe. Whether it’s personal or work-related, our data is always at risk of falling into the wrong hands.

What is data encryption?

On a basic level, encryption is one of the best protection methods available to keep all your digital assets safe.

The encryption process uses a key and an algorithm to transform the accessible data into an encoded piece of information which can only be deciphered by authorized persons.

Encryption helps you secure sensitive information from cyber criminals or other online threats and makes access harder for them. It can also be used to archive large amounts of data or to secure private communication over the Internet.

According to “The 2019 Global Encryption Trends Study” released by the Ponemon Institute, 45% of the organizations surveyed said they have an encryption policy in place to secure the most important data.

Both Internet users and organizations can do that with the help of free encryption tools, which can enhance protection by keeping valuable information hidden from malicious actors.

Encryption is essential to protect critical data, no matter if it is stored locally, on the PC, or sent over the Internet. So which are the encryption tools?

We’ve put together this list of free encryption software to choose from.

Before we jump to these encryption software products available for free, we outline the importance of always using strong and unique passwords for all your online accounts. When setting up your encryption process, you’ll be asked to choose a password as your decryption key.

Before you do that, make sure you apply these actionable security tips to manage passwords like an expert and make them more secure and unbreakable by cybercriminals.

  • Set unique and strong passwords, which contain different characters, like uppercase and lowercase letters and numbers, and are more than 15 characters long. There are several tools you can use to test if your passwords are strong enough.
  • Also, you’ll need to set passwords which are not easy to remember or guess, and aren’t used for more than one online account.
  • To enhance your online security, you should not keep your passwords saved in text files or browsers.
  • Never use/reuse the same password for more than one account.
  • Do not share your passwords in emails, instant messages or other online platforms.

We carefully curated and put together some of the best free encryption software tools you can use to keep your most valuable data safe and secure.

1. LastPass

Probably one of the most popular password manager tools out there, LastPass can be used for free with limited features, but will still secure your passwords and personal data. Using an encryption software tool like this one, you’ll no longer have to remember or note a password in a notebook or any other physical place.

LastPass comes with an easy-to-use and intuitive interface and can simplify things for you. There are extensions available for the main web browsers, such as Mozilla Firefox and Google Chrome. Also, you can use the mobile app available for both Android and Apple.

When you create a new online account, it offers the option to save the new credentials.

This tool encourages you to set a unique and hard-to-break password and discourages users from reusing it. If you’re using the same password for multiple accounts, it simply recommends selecting a different password.

Other password management tools you can use, such as Sticky Password or RoboForm, come with an intuitive and easy-to-use interface and can provide good password security.

To safely manage passwords, we encourage users to follow the security steps included in this guide and use two-factor authentication whenever possible.

2. BitLocker

While there are many encryption tools available you can use to encrypt your data locally, most users prefer to use Microsoft’s BitLocker software. You can either use it to encrypt a particular disk partition or the entire hard disk.

BitLocker is a full-disk encryption tool built into the latest Windows operating systems (Windows 10), which uses AES (128 and 256-bit) encryption to encrypt data on the drives.

The Advanced Encryption Standard has been tested and improved and is now used worldwide by most security vendors due to its high level of security and optimization.

Why you should choose BitLocker:

  • Easy to use and it’s already integrated into your Windows operating system, so there’s no need to add another encryption software;
  • It’s a free data encryption software tool you can use to prevent data breaches and data exfiltration from your hard disk.
  • It encrypts your entire drive, which makes it impossible for malicious actors stealing your laptop to remove the hard drive and access your files.
  • When BitLocker Drive Encryption is activated, and you add new files, BitLocker will encrypt them automatically.

However, as an encryption technology built into Microsoft’s operating system, it’s been a target for researchers looking for flaws in popular tools. In one case, a researcher was able to find a new and relatively simple way that Windows BitLocker encryption keys can be sniffed in less secure configurations as they travel from Trusted Platform Modules (TPMs) during boot.

3. VeraCrypt

VeraCrypt is another free encryption software tool, available for Windows, OS X and Linux operating systems.

Just like BitLocker, it supports Advanced Encryption Standard (AES) and can hide encrypted volumes within other volumes. It is an open source program which means developers and researchers can download and use the source code.

This encryption software is a great alternative to the TrueCrypt tool and is constantly getting improvements and security enhancements. VeraCrypt 1.24, the upcoming version of VeraCrypt, is currently available for beta tests and can be downloaded from here.

The new version is expected to come with lots of security and functionality improvements to better secure users’ data.

4. FileVault 2

Looking to encrypt your data stored on devices featuring macOS and Mac hardware? FileVault 2 is a free encryption software tool we recommend checking out.

Just like BitLocker and VeraCrypt tools, FileVault 2 (FileVault full-disk encryption) uses XTS-AES-128 encryption with a 256-bit key “to help prevent unauthorized access to the information on your startup disk”.

If you’re interested in installing it on your Mac computer, this guide will come in handy.

5. DiskCryptor

DiskCryptor is yet another open-source and free encryption tool you can use to secure your internal and external drives, including the system partition, ISO images, USB flash drives and any other storage devices.

Just like BitLocker, it is a full-disk encryption tool for Windows OS and includes multiple encryption algorithms such as AES, Twofish, and Serpent. The interface is simple and intuitive: all you need to do is select the drive and click on “Encrypt” to protect your data.

6. 7-Zip

Many users are not interested in encrypting the entire hard disk, but only specific files and documents that store sensitive information.

It’s a free and open source encryption software, as well as a lightweight solution known for its simplicity. This software tool is capable of extracting most archives and features strong AES-256 encryption.

After the critical security vulnerability that affected all WinRAR versions and other programs, a stable version of 7-Zip 19.00 has been released and can be downloaded from the 7-Zip site.

7. AxCrypt

Similar to 7-Zip, AxCrypt is an open source file encryption tool offering both a free solution and a premium version for Windows, macOS, Android, and iOS.

It features AES-256 file encryption and can efficiently encrypt one file, an entire folder or a group of files with a simple right-click. Files can be encrypted for a specific period of time or can be auto-decrypted later on when that file reaches the destination.

So, how can I increase my online security without creating too many barriers that may slow down my access to the information posted online?

See below a few simple tools you can use to access online content and stay safe from data breaches at the same time.

8. HTTPS Everywhere 

Encrypting your files is not enough. To be one step ahead of cybercriminals, you need to enhance online protection and make sure no one can eavesdrop on your communication over the Internet.

To make sure you always access secure web pages that use encryption mechanisms, we recommend trying a browser extension like HTTPS Everywhere, which is compatible with Mozilla Firefox, Opera, and Google Chrome.

The extension was created as a collaboration between EFF and Tor Project, and automatically switches from unsecured sites using “HTTP” to secure “https”.

Using an extension like HTTPS Everywhere, which encrypts your communication with major websites you access on a daily basis, will make your online activities more secure from multiple online threats.

9. Tor Browser

If you want to access the Internet anonymously, Tor browser can be a great option to encrypt your online traffic and keep your browsing activities from prying eyes.

Tor Browser will block popular browser plugins such as Flash, RealPlayer, Quicktime, and others which can be manipulated into finding out your IP address.

It is recommended not to install additional add-ons or plugins into Tor Browser, because they may bypass Tor and compromise your privacy and security.

The special Tor browser has been designed to be used by anyone who wants to conceal any browsing activity from prying eyes.

The most recent version of this browser, Tor Browser 0.4.0.4, is a release candidate available for download, and it fixes several bugs from previous versions.

Remember this is not a stable release yet, but “packages should be available over the coming weeks, with a new alpha Tor Browser release by early next week.”

For those who don’t know, Tor is short for “The Onion Router” and directs your Internet traffic by encrypting the IP address from where it came.

Using encryption software like Tor will make it more difficult for your online activities to be traced by malicious actors.

10. CyberGhost

Another way to hide your online identity is to use a VPN (Virtual Private Network) which can encrypt your communication and keep it safe from constant interception attempts.

This private network is able to spread across the normal Internet space, using its resources to create an encrypted channel and protect your data from hackers or the prying eyes of others.

It uses strong encryption mechanisms to hide your IP address, secure banking transactions, or keep yourself and your information safe when accessing Wifi networks.

A VPN software program like Cyberghost can be used when trying to connect to unsafe public networks or when needed to access content whose distribution is restricted to a certain geographical area. You can browse in a private mode from another country and get access to more than 1,000 servers across 50+ countries.

CyberGhost is a popular VPN solution to ensure that your web traffic and valuable information remain encrypted. It is the winner of the “Best Value” category at the BestVPN.com Awards 2019.

It includes a 30-day money-back guarantee for everything else and friendly support. A VPN service provider like Cyberghost helps you keep your data protected and secure your digital assets. Cyberghost works with Windows, macOS, iOS, Android, Linux or routers.

11. ExpressVPN

For privacy enthusiasts, here’s another VPN service you can use to encrypt your data and keep cybercriminals at bay.

Similar to CyberGhost, this one uses 256-bit AES encryption technology and the set-up is simple. Simply download, install and connect to ExpressVPN with a few clicks.

Compatible with multiple devices, it works on Windows, Mac, iOS, Android, or Linux and connects to more than 148 locations in 90+ countries. It’s not entirely free, but you can use it free of charge for up to one month and get a 30-day money back guarantee.

Apply these security measures to enhance your online safety

When it comes to securing your most important information, encryption is not enough. In our blog articles and protection guides, we often emphasize the importance of using multiple layers of security to be one step ahead of hackers.

Since there are so many online threats out there and cybercriminals keep changing their tactics, we recommend following these actionable security measures to improve your online security:

  • Keep your browser and operating system updated with the latest security patches. Make sure you have the latest versions running on your system. Online criminals spread malicious tools by using security exploits to take advantage of your system’s vulnerabilities. Patching is key, as the experts have said again and again.
  • Use a reliable antivirus product, and consider adding multiple layers of protection with proactive cybersecurity software like our Thor Premium Home, which provides complete, all-in-one protection for your digital life.
  • Be very careful when connecting to public and free wireless networks. One of the favorite methods used by online criminals to retrieve your credentials is to use wireless sniffers to access data you send over unprotected networks.
  • Education remains the main key to better secure your digital assets, so we recommend checking out our free educational resources and signing up for any course that will teach you more about online protection.

When you think about encryption, have in mind the entire picture and know how important its role is in the overall security strategy.

What about you? How do you see encryption in the bigger picture of Internet security? Are you using any type of encryption for your data at the moment?

Let us know your thoughts in a comment below.

The post The most Popular Free Encryption Software Tools to Protect Your Data appeared first on Heimdal Security Blog.

Russia Fines Facebook $47 Over Citizens’ Data Privacy Dispute

Yes, you read that right! Russia has fined Facebook 3,000 rubles, roughly $47, for not complying with the country's controversial Data Localization law. It's bizarre and unbelievable, but true. In December last year, Russian Internet watchdog Roskomnadzor sent notifications to Twitter and Facebook asking them to provide information about the location of servers that

Excited for the Final Season of Game of Thrones? Be Careful Where You Watch It!

All Game of Thrones fans know it by now – the long-awaited final season is starting on Sunday, April 14th. While you may be overly excited to watch it, you may also be tempted to stream it online for free or resort to torrent websites and download it illegally.

By turning to these resources you are not only breaking copyright laws but possibly your computer as well.

According to the anti-malware researcher Muso, almost 190 billion visits were made to illegal piracy websites in 2018. Nearly half of these people visited the websites in search of television shows, and almost one in five visitors were looking for the latest movie.

Two years ago, before Season 7 of Game of Thrones was released, over 10 million Americans were planning to watch it illegally, and it would be safe to assume the numbers would look equally shocking this year.

Winter is coming, but so is malware

We decided to take a look at what domains our users have tried to access in the past two weeks, to see what type of content Thor Foresight blocked. We investigated all the domains containing keywords related to TV and videos in general.

Below you can see the keywords we looked at. The percentages were calculated out of the total number of TV and video-related keywords.

[Chart: Thor Foresight blocked domains by TV and video-related keyword]

According to another recent report, the number of users who ran into TV shows-related malware in 2018 is one-third less than in 2017. But the rest of the findings don’t fall on the bright side at all. Interestingly enough, although there was a one-year gap between Season 7 and Season 8, Game of Thrones was the top target for malware in 2018.

This show alone accounted for 17% of all the infected pirated content in 2018, with almost 21,000 users attacked.

Where did malicious actors hide the largest number of infected files? Obviously, in the first and last episodes of each season of Game of Thrones, since you are most likely not to miss these.

The same research showed Trojan was the most frequent malware type.

So what can happen if you watch TV shows and movies illegally?

Let’s go through some of the recently discovered security threats in the realm of torrents.

At the beginning of January 2019, a malicious Windows shortcut file was discovered on The Pirate Bay torrent tracker. It injected content from the attacker into browsers and altered search results from Google and other search engines or Wikipedia, also trying to steal cryptocurrency. The malware was hiding in files for the movie The Girl in the Spider’s Web.

At first glance, it looked like just some annoying adware, but after taking a closer look, researchers found the malicious activity extends to webpages and Wikipedia entries. The attackers monitor websites for Bitcoin and Ethereum wallet addresses, looking to replace them with the attacker’s own.

On Google, the malware creates fake ads on the top search results. And when searching for certain terms, such as “spyware”, the first two results take you to a cybersecurity solution called “Total AV”.

What’s more, attackers have also created a Wikipedia donation scam, where they insert a fake banner that says Wikipedia now also accepts cryptocurrency donations. For more details, you can read the full story here.

The chain of recent malware events associated with torrent websites doesn’t stop here.

In March 2019, the “PirateMatryoshka” scheme was also brought to light.

What did the torrent files contain? Instead of the software you were hoping to download from The Pirate Bay, you would come across a Trojan, which was disguised as genuine software. If you were to install it onto your computer, you’d end up buried in adware. It doesn’t stop here, as additional installers can be introduced to bring even more malware and wreak havoc on your PC.

Traps can be hidden anywhere

Unfortunately, malicious actors are finding more and more ways to attack you. It seems they are now also relying on popular search terms to infiltrate into your system.

Even searching for your favorite actor’s name could result in some unwanted results. For example, returns for “Emilia Clarke” are among those most likely to be infected with malware, according to a recent study. By clicking on these results, users are tricked into visiting malicious websites. What these websites can do is steal passwords or other personal info.

Malware could be hiding anywhere when you try to watch your favorite TV show illegally. To be one step ahead of cybercriminals, we recommend you also read our in-depth explanation:

Here are also a few key pieces of advice to keep in mind before watching Game of Thrones:

Never access suspicious links that promise you leaked episodes or exclusive early premiers.

Always look up the TV show’s episodes release dates. If something looks too good to be true, it probably is. Here is the Game of Thrones Season 8 complete schedule (the official US release dates):

  • Episode 1: April 14, 2019
  • Episode 2: April 21, 2019
  • Episode 3: April 28, 2019
  • Episode 4: May 5, 2019
  • Episode 5: May 12, 2019
  • Episode 6: May 19, 2019

Ditch the torrents and illegal streaming websites.

Here is what you can do instead:

  • Use subscription-based services, such as HBO Go or HBO Now, Hulu, Amazon, Playstation Vue, or Roku.
  • Download the episodes on iTunes, Google Play, or Amazon Prime. Yes, these options are pricier than using subscriptions, but if you don’t want to be committed to a subscription that’s perfectly fine.
  • If these services are not available in your current region, you can consider using a VPN. A VPN deals with these issues and on top of that, it’s crucial for online security. For instance, a VPN can provide good protection against man-in-the-middle attacks. In this case, someone could intercept your online traffic, and the data you think you share securely (for example, financial data) could be easily deciphered by hackers.
  • Beware illegal streaming services that may look legit and could ask for your money just like a normal streaming service would!

Apply software updates constantly.

We can’t stress this enough – a lack of updates creates security holes that can be easily exploited by hackers.

Use an anti-malware solution to secure your digital life.

Thor Premium offers you protection against the most advanced malware threats and blocks them before they can reach your PC.

Final Words

Are the risks of watching TV shows and movies illegally actually worth it? We warned you, but it’s your decision to make.

Meanwhile, until the first episode of season eight is out, enjoy this version of GoT’s soundtrack, played by an old computer hardware orchestra:


What are your thoughts on online piracy? How are you planning to watch the final season of Game of Thrones? Share your comments in the section below.

The post Excited for the Final Season of Game of Thrones? Be Careful Where You Watch It! appeared first on Heimdal Security Blog.

Microsoft Security: Forcepoint DLP integration with Microsoft Information Protection—protecting your critical data

Many organizations are undergoing a rapid digital transformation that is challenging their traditional approach to data security. Organizations in highly regulated industries or who partner with organizations in regulated industries are often faced with accelerated timelines and requirements to protect sensitive data such as protected health information, personally identifiable information, and intellectual property. Failure to comply could have significant financial and brand consequences. Even organizations who aren’t yet impacted by regulatory compliance requirements find it imperative to protect their critical data in a changing digital landscape.

Organizations often engage their employees in the data labeling process by providing tools to enable safe data handling practices. This engagement empowers employees to take ownership in the process and reinforces ongoing awareness of how to properly handle sensitive data. This traditional approach can be quite effective. But what if you could enhance it? Humans will make mistakes—whether through neglect or by accident. Augmenting this approach with additional controls, such as automation, can provide greater capabilities and minimize the risk of human error.

That’s where Forcepoint Data Loss Prevention (DLP) and Microsoft Information Protection solutions can help. As a member of Microsoft Intelligent Security Association, Forcepoint has worked closely with Microsoft to develop an integrated solution that makes it easy to discover, classify, label, and protect critical business data.

Microsoft Information Protection simplifies the process by integrating sensitivity labeling capabilities into commonly used Microsoft applications. Users can utilize document and email labeling to properly identify the sensitivity of the data being accessed or created. But user-applied data labeling may not be enough.

For example, let’s assume a user is working on a document that contains sensitive information (perhaps it contains details about an upcoming acquisition that is intended for executive leadership eyes only) and the user labels the document as “Private” instead of “Restricted.” The user may not fully understand which labels designate what information is limited to executive leadership audiences versus all management audiences within the organization. It’s an honest mistake but could lead to sensitive data inadvertently being shared with unauthorized users within the organization.

Proper data protection requires the ability to detect and control how sensitive data moves in and out of an organization without disrupting a user’s ability to do their job. DLP solutions, such as Forcepoint DLP, empower organizations with enhanced visibility and control of their data across all channels where people work and collaborate across networks, endpoints, and the cloud. With single console policy management, organizations can define and deploy policies across their enterprise with ease to detect and respond when incidents of mislabeled documents arise—as described in the previous scenario. With a DLP solution in place, employee coaching (via pop-up windows) could provide additional guidance to users, educating them on what action was done in error and providing guidance on how to remediate the risk in real-time.

When Microsoft Information Protection is utilized with Forcepoint DLP, the combined data protection capabilities enable more accurate detection and protection of critical data. The integration enables three core capabilities: (1) Ability to import label schemas, (2) Ability to create custom classifiers, and (3) Ability to automate document labeling.*

Label taxonomy

With the Forcepoint Security Manager (FSM), practitioners can seamlessly import label schemas available in Microsoft Information Protection, leveraging pre-defined labels to reduce the need for manual label creation. It ensures label taxonomy consistency between the Microsoft 365 Security & Compliance Center and those made available via FSM. Practitioners can apply those labels based on defined policies. For example, encryption of any document sent via email to an internal recipient that is labeled as “Highly confidential.” With FSM, practitioners can control and manage these policies across all channels—endpoints, network, web, email, and the cloud—from a single console, providing a single pane-of-glass view of everywhere users access data.

Custom classifier creation

Practitioners have the flexibility to create user-defined classifiers for the labels appropriate to their business. These classifiers are used in policies to trigger an alert when detected by DLP. By enabling custom classifiers, an organization has the flexibility to create a classification or category for sensitive data that may be unique to their organization. For example, perhaps an organization uses an employee identifier such as an employee badge ID number with non-standard characters or passwords with abnormally long alphanumeric characters. Custom classifiers make it possible to categorize and define which classifiers should be linked to policies that will trigger an alert when this data is detected. Fingerprinting capabilities in Forcepoint DLP would detect the sensitive data (based on the classifier) and would alert the practitioner when data exfiltration attempts are made.

Automated labeling

This integration establishes the framework to automate the application of classification labels and validation of Microsoft Information Protection sensitivity labels and rights management at endpoints using Forcepoint DLP. This soon-to-be-released capability will reduce the risk of data exfiltration as a result of user error or neglect associated with document labeling.

Real-life scenario

So, what do these capabilities look like in a real-life scenario? Let’s assume a user copies partial content from a sensitive document labeled as “Highly confidential” and pastes that content to a new Microsoft Word document (a method commonly used to get around the security policies). They proceed to label that document as “Public” (accidentally or intentionally). When the user attempts to save that file to a USB, advanced detection capabilities in Forcepoint DLP (such as fingerprinting) detect the sensitive data (such as keywords or classifications linked to highly confidential content), triggering a rule and alert.

Utilizing the Microsoft Information Protection API, the correct sensitivity label “Highly confidential” is retrieved and enforced on the DLP side via a policy that automatically applies the correct label to the document. The result is protection against data exfiltration and reduced risk of compromised IP or compliance violation.

We recognize one size does not fit all. Organizations want the flexibility to select their preferred data classification and rights management solutions while getting optimal protection from their DLP solution. This integration establishes the framework to enable flexibility for enhanced capabilities with Microsoft Information Protection, as well as other labeling and classification technologies. The result: solutions that keep your critical data protected while helping you gain data handling efficiencies and accuracy.

Learn more

Regardless of where you are on your security maturity journey, data protection should enable you to reduce risk by giving you control and oversight of your data. Forcepoint solutions can help you get there. To learn more about how Forcepoint DLP can help you on your security maturity journey, visit www.forcepoint.com.

*Automated data labeling for Forcepoint DLP and Microsoft Information Protection will be available later this year.

The post Forcepoint DLP integration with Microsoft Information Protection—protecting your critical data appeared first on Microsoft Security.




The New EU Copyright Law and Its Security Risks: An Interview with Alex Lungu

The new EU copyright law was passed at the end of March, in a highly controversial move. There were many voices campaigning against it, with prominent critics foreseeing that although this initiative means to tackle many of today’s online copyright problems, it might end up doing more harm.

More than 5 million people signed a petition against the initiative. The vote itself was a close call, but, sadly, a lot of the representatives who had a right to vote on the new law failed to attend. The opposing voices say that at least two issues of the EU copyright law are problematic: the so-called link tax and the upload filter. Both have been under intense scrutiny and suspicion, as critics claim they could be the end of internet and online free speech as we know it.

It’s true that the old laws regarding relations between businesses and consumers need to be updated after the internet revolutionized everything. The EU has done everyone a solid with the updated law on private data collection, namely the GDPR. With the new EU copyright law, however, it seems to have been more of a miss.


Alex Lungu delivering his TedTalk alongside his colleague, Ioana Pelehatai. Image source: TedXBucharest.

To help bring the voice of an expert to the table, I sat down (virtually) with Alex Lungu, one of the heads behind the Copy-Me web series, internet freedom campaigner and TedX speaker. Here’s what he had to say about the current concerns about the freshly passed copyright law.

Setting More Context for Discussing the EU Copyright Law

You can read more about the EU copyright law here, and more takes on why the new law is problematic on ZDNet, on the blog of Julia Reda, the German Member of EU Parliament who was among the most vocal critics of the law, and on the Electronic Frontier Foundation.

My Interview with Alex Lungu of Copy-Me: Does the New Law Bring Cybersecurity Risks?


Image source: Animation Worksheep.

Miriam Cihodariu: What does the new copyright law actually affect for the regular citizen (not for journalists or professional publishers)?

Alex Lungu: Everything you post online in the EU will have to go through an automatic filtering system. Robots can’t read irony or humor. So a lot of what we now post online could be flagged as a copyright violation. And automatically be taken down the minute you hit that “post” or “upload” button.  It will essentially establish private censorship police, in which private, for-profit players get to decide what you can say online.

M.C.: How about small and medium companies, how will they get impacted by the new law?

A.L.: The new rules grant an exception for SMEs only for the first three years of an online service’s existence. You lose that privilege if you attain more than 5 million visitors or hit more than 10 million Euros in annual revenue. So if you want to grow, you will be forced to invest in an automatic filtering system sooner rather than later. Google spent 100 million dollars on YouTube’s ContentID, and it’s really inaccurate and prone to over-blocking. And you will prefer to over-block content in order to not risk being sued.

M.C.: From a cybersecurity point of view, will this make data better protected somewhat? Will the new law bring new cybersecurity risks?

A.L.: On the contrary, there are just a few filter companies out there, so an EU-wide filtering system is bad news for your private data. Germany’s Federal Data Protection Commissioner has already warned that the oligopoly of these filtering companies put people’s data at risk. There is a lot of data and internet habits to collect if you plan to filter everything that your users post on your website. Think of all the health data your app collects.

M.C.: Critics of the new copyright law say this will lead to a more centralized data management, in the hands of just a few companies. Will this mean more potential for hacking or for abuse?

A.L.: Of course. Fewer players on the market means that there is more data in a single place. There’s tons of information a bad actor can collect about you, and one place to get it all. From the private conversations with your close friends to the one nude photo you once sent to a friend by accident and immediately deleted.

M.C.: How about the voices that say this could negatively impact human rights in certain regimes?

A.L.: As far as I know, they are right to issue these warnings. A study from 2017 concluded that this filtering system is “incompatible with the Charter of Fundamental Rights of the EU”. These filters will certainly censor a film critic’s video if they use even a second of video from that movie. Or a political opinion if you use audio to illustrate the errors in a politician’s speech. These are unfortunate realities that people are already dealing with. An EU-wide adoption will only hinder free speech for the sake of protecting a very small percent of the industries out there.

M.C.: Does the new law inadvertently aid extra surveillance? Is that a good thing or a bad thing for cyber-security?

A.L.: In my book, any extra surveillance is bad. Most terrorists, for example, were already on watch lists and they even planned their attacks by communicating in plain text over unencrypted networks. The problem with today’s cyber surveillance isn’t that it doesn’t surveil enough. It’s that it casts a net which is way too wide. With such a big database, law enforcement doesn’t have the manpower or the capabilities to sift through all of it and detect the bad actors in time.

M.C.: Finally, how would you connect the new law to the risk of identity theft?

A.L.: Well, there’s plenty of evidence of maleficence already. Today’s filtering systems don’t call for any verification process for the person/company who claims a particular work. Anyone can claim that a video is theirs without any countermeasure. This leads to plenty of abuses. Music artists have had their music taken down from SoundCloud out of pure spite. Other bad actors have even tried to extort creators in exchange for releasing the copyright claim. We are just seeing the first wave of what can happen once you give people the power to censor someone else’s content.

M.C.: Thank you, Alex.

A few closing thoughts:

I guess we’ll all have to just wait and see how well the new EU copyright law will be implemented and how many of these pitfalls we will manage to avoid. Knowing how inertia in institutions works at a macro scale, I, personally, am not very optimistic.

But to make the best of the situation, I will follow up this interview with more posts in which I’ll try to navigate with you how to protect your data, privacy and digital rights from the negative effects of this law. Whether you’re a small company, a blogger or a non-profit organization, I think I’ll manage to provide some actionable advice for everyone. Stay tuned by subscribing to our blog!

The post The New EU Copyright Law and Its Security Risks: An Interview with Alex Lungu appeared first on Heimdal Security Blog.

Don’t build a maginot line of data security because without cyber security you are still vulnerable

Data security and cyber security overlap, but they are different, and there is a risk that if you focus too much on data security you could be left exposed. Bridewell’s

The post Don’t build a maginot line of data security because without cyber security you are still vulnerable appeared first on The Cyber Security Place.

SecurityWeek RSS Feed: Cost of Data Breach in UK Increases More Than 41% in Two Years

The UK government, in the form of the Department for Digital, Culture, Media and Sport (DCMS), has published its fourth annual breaches survey: the Cyber Security Breaches Survey 2019. It was carried out by Ipsos Mori in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth.





Why Encryption Is the Cornerstone of Your Cloud Security

While cloud computing is far from a magic bullet for all your data storage and security woes, organizations are enjoying meaningful benefits in the form of cost-efficiency, on-demand scalability, heavy upfront capital shifted to recurring operational expenses, augmented resources and skills now at their fingertips, and more.

The predecessor to cloud, shared/multitenant computing, goes all the way back to our early history of using mainframes, including time-sharing, virtual machines and remote access. Cryptography and encryption techniques are nothing new to us; they’ve been used repeatedly throughout history. Some of us may even be old enough to remember the now-retired subscription-based hosted frameworks, such as Compuserve and Prodigy, and email and portal frameworks such as Excite@Home. Today, these all could be referred to as cloud-based software-as-a-service (SaaS) offerings. So what makes today’s shared computing frameworks different?

First of all, it’s plainly too expensive to maintain brick-and-mortar frameworks today compared to eliminating all such costs through shared hosted environments. We’re seeing this not only in enterprises, but also in consumer-oriented areas such as retail. By moving to the public cloud, organizations can focus on the core competencies supporting their specific business model. The interesting twist is that many non-IT businesses today, with their considerable investments and IT overhead, now appear as though IT is their core business.

We can agree that shared computing models are now widely accepted culturally, and it has become difficult to justify holding onto costlier on-premises models. This is especially true when you consider the indirect cost of maintaining data centers and consistent challenges in scaling and aligning resources and finances to demand, which increases and decreases periodically.

To facilitate wider acceptance, the remote access barriers of yesteryear have been removed. We’re all happy to have evolved from slow, dial-up remote access to our high-speed internet access from myriad devices. In fact, there’s likely no recognizable difference in performance from a consumer’s point of view between on-premises access and remote access. This will keep us all in multitenant computing models for many years to come. So where’s the rub?

Remote Users, Fast Access and Shared Frameworks Increase the Risk

With high-speed remote access to shared multitenant computing environments comes increased risk. I’ve heard several chief information security officers (CISOs) indicate that cloud computing has widened their attack surface to all in the public testing their fences. Leaning on a false sense of — as I like to call it — “security by obscurity” is no longer an effective strategy.

While cloud customers are entrusted with and liable for the protection of confidential customer information, the cloud provider controls much of the security. In fact, providers often do not disclose their security controls or open them to audit. Doing so is considered an unnecessary risk; for example, openly sharing details about their architecture and security products could expose known vulnerabilities and attack surfaces to threat actors (there’s that outmoded idea of security by obscurity once again). While the cloud provider is responsible for physical security, business continuity, disaster recovery and network security, additional security controls and responsibilities shift depending on the type of cloud service model chosen.

Before diving into who owns what and when, let’s think about the fundamental security responsibilities you are entrusting to the cloud provider. Remember that you as a cloud customer carry the ultimate liability for securely maintaining your customer’s confidential information, and you make the final call on whether it should be maintained securely on your premises or placed elsewhere. Moving your entrusted data or services to the cloud equates to moving to a shared/multitenant environment in the sense that you are blindly trusting your cloud provider to adequately isolate and secure your data — not only your data at rest while in storage, but also in transit and in memory.

Of course, you’d hope the cloud provider’s employees and third parties, whether in physical proximity to your environment or able to access it remotely, are properly vetted, trained and trustworthy. Throughout the history of IT, we’ve relied upon cryptography to keep prying eyes from our confidential information. The cloud is no exception.

You Can’t Eliminate Cloud Security Risk

There are three ways to deal with risk: accept it, avoid it or share/transfer it. Unfortunately, none of those options involve eliminating the risk altogether. An example of accepting risk is deciding to live with it because the cost of protection outweighs the potential cost associated with the threat. You may decide to avoid the risk entirely by scrapping the initiative, or otherwise transfer the risk to an insurance agency or other firm so that liability is shared.

When deciding whether to place your trust in a cloud provider, consider the service-level agreement and/or any regulatory assertions on the part of the vendor. There could be third-party audits that you have access to, for example, or you may be able to collect analytics from your own isolated environment within the public cloud. These are just a few of the many things to consider during negotiations.

Understanding the 3 Most Common Cloud Offerings

While there are many cloud models and offshoots of models to choose from, let’s look at the three most common: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS). The customer is still liable for protecting confidential customer data, but how do other cloud security responsibilities differ between them?

Infrastructure-as-a-Service

The cloud customer is typically responsible for installing, securing, patching and upgrading the operating systems. Cloud providers typically only provide a bare-bones virtual computing environment of central processing units (CPUs), memory and storage within a shared computing environment.

The benefit is basically a scalable computing environment maintained on your behalf at lower cost than if you architected it yourself. The cloud provider is commonly responsible for physical access, networking to and from your environment, and remote access. You are responsible for the rest of the security controls, including installing and hardening the operating systems, patching vulnerabilities, granting individuals appropriate permissions in the environment, and, of course, any errors or omissions your team may have introduced.

Platform-as-a-Service

The cloud vendors for this model provide a hosted infrastructure within a shared computing environment (including CPUs, memory and storage) and typically secure, patch and upgrade the operating systems. Based on the contract, the provider may also oversee databases and other data modeling capabilities. The customer may give IT professionals appropriate access to the platforms, including privileged access. Again, any errors or omissions are on you.

Software-as-a-Service

This is by far the most hands-off environment for cloud customers when it comes to securing the hosted environment. Think about your free cloud-provided email; it’s safe to assume we’re all using them. You just provide an email account and access it by submitting a user ID and password. Enterprises using similar SaaS models commonly give authorized users access to the services within the environment, and you as customers grant your users/constituents appropriate permissions to specific services.

We sometimes refer to the adding and deleting of user accounts as provisioning and deprovisioning, or onboarding and offboarding. While it may be clear that you are responsible for adding and authorizing your new users to the service, remember that you’re equally responsible for removing them when they should no longer require access to your services and the environment. Potential errors and omissions associated with this model include who you let in, what you authorize those users to do, and whether you remove them when they move on from the company or no longer require access.

What Can We Control When We’re Not in Control?

When it comes to responsibility for security, the lines may blur among different cloud offering models, but customers are ultimately liable for the confidentiality, integrity and accessibility of sensitive data. There will always be blind spots in public cloud environments — areas cloud customers are simply not permitted to control. Instead, they must simply trust that the provider and any third parties are doing their due diligence.

The most effective cloud security measure — if not the single most paramount security measure cloud customers can take — is to encrypt confidential data in the public cloud. This includes data at rest inside the cloud and archived and backed-up data, regardless of whether it stays in the cloud storage area or is ported elsewhere.

Encryption is necessary to protect data in transit as well. This way, should your data be exposed due to blind spots, it remains unreadable and confidential based on your encryption decisions.

Considerations for Selecting a Cloud Provider

When choosing a cloud provider, look for a vendor that’s recognized for its experience in securing, separating and isolating multitenant data from exposure. Sophisticated data encryption and protection offerings are always valuable features. Consider uncovering public cloud blind spots wherever you can using advanced tools such as artificial intelligence (AI)-powered monitoring.

Since most cloud customers will use more than one solution, align yourself with providers that do not lock you or your data in. Providers that support sharing of information in and out of their cloud without breaking your bank are good candidates. Otherwise, moving from one provider to another could be costly — and the worst time to become aware of this surprise expense is during a crisis situation.

The post Why Encryption Is the Cornerstone of Your Cloud Security appeared first on Security Intelligence.

5 Common Myths about Software Updates You Need to Know About

After every major data breach or ransomware attack, you probably hear someone saying: “If they had applied software updates in time, maybe these attacks could have been prevented or avoided.”

When it comes to closing vulnerabilities found in computers and systems, the go-to solution is always patching the software, but how many of us really apply updates in a timely manner?

Many cybersecurity specialists and practitioners, ourselves included, keep focusing on raising awareness on this topic and urging both Internet users and organizations to update (or patch) their software as soon as updates are available.

Despite constant, friendly warnings and all the efforts made to address this issue, software updating remains one of those things that no one does, or that people ignore or postpone as much as possible.

Patching is often considered challenging and hard or, at least, that’s what most of us believe. But not applying software updates – especially the critical ones – quickly and regularly only makes everyone (Internet users and organizations) more vulnerable to ransomware, data breaches, and other online threats.

The cybersecurity risks of not keeping software up to date

Two of the most devastating and serious cyber attacks we can think of were only possible because security updates weren’t installed in time. The Equifax data breach was caused by a security hole in the Apache Struts web application framework which wasn’t updated. The WannaCry ransomware attack of “unprecedented level” also did a lot of damage, but mainly affected those computers that were unpatched and unprotected.

In light of the recent Asus malware attack which was spread through software updates, Matt Blaze, a professor at Georgetown University, shared his thoughts on the topic of patching, in which he emphasized the importance of applying updates to be safer online.

To protect against the insidious threat of malicious updates, it might be tempting to immediately disable these mechanisms on your computers and smartphones. But that would be a terrible idea, one that would expose you to far more harm than it would protect against. In fact, now would be a fine time to check your devices and make sure the automatic system update features are turned on and running.

New research mentions the security risks caused by unpatched vulnerabilities, by stating that “55% of all programs installed on personal computers running Windows are outdated”.

The same thing applies to the mobile industry where one of the most concerning security threats is related to outdated software. The most frequent ones are found on the Android operating system, which is an OS targeted by cybercriminals.

But Google is investing all efforts in improving the ecosystem with its Android Security Improvement Program with the main goal to help Android developers build and release apps without known vulnerabilities. The company already helped more than 300,000 developers fix more than 1 million apps on Google Play and will probably continue doing it.

Today, any software that is running is exposed to attacks, and hackers don’t miss any opportunity to find security holes and exploit them.

Why it is important to apply software updates

Talking about software updates is like talking about whether you should go see a doctor or not. Some see it as a precautionary measure, others just ignore it. The same goes for applying available updates: they are not only important for our online safety, they are highly necessary.

Simply put, applying available updates for operating systems and applications such as plugins, browsers and desktop apps (which include both security and feature patches) means fixing and improving the software you are currently using.

Some of you may say that after an update finished, there were negative side effects: something didn’t work as it did before, some features just vanished, or the interface of the app/software was different. And you needed hours to figure out how it works or how to adapt. I understand.

Yes, we all find updates annoying sometimes, just by popping up when we try to work on a project, or watch a movie. But it doesn’t mean we don’t have to do it.

We have to make patching a top priority! Plus, you always have the option to turn on the “automatic updates” feature (if available) or use a specialized security solution to handle software updates automatically and silently, saving time and energy.

Applying software updates is one of the most proactive things we can do to seriously enhance online protection and improve security. Also, we do it so we don’t get hacked and see our valuable data in the hands of cybercriminals. The faster we update it, the better it is.

While doing an expert roundup with cybersecurity professionals to get a more in-depth opinion on the topic of applying software updates, we found out that all of them advocate for installing security updates as early and as often as possible. If you read carefully what these security experts have to say about software patching, next time you’ll not ignore or postpone another update.




Also, it is important to apply patches because:

  • They address a specific and critical vulnerability which can be fixed and closed in a timely manner before malicious actors can exploit it;
  • It is a proactive security measure that lowers the risk for both home users and companies of being exposed to cyber attacks in which cybercriminals target their sensitive data;
  • They improve the operating system and make the app more stable, and also enhance the overall security posture;
  • Your data is more secure – The most important docs, photos, or personal information are probably stored on the devices you use daily. They could more easily end up in the hands of cybercriminals, who encrypt data and block access to it. Applying patches helps keep malicious actors at bay;
  • They bring the latest features and improve the existing ones – Software updates not only close security vulnerabilities but also improve your OS or app, by adding the newest features and making your device work smoothly.

With all these strong reasons in mind to keep programs and apps up to date, there are still various security myths integrated into our general knowledge.

Whether it’s easier to believe different misconceptions or more comfortable to listen to “best practices” from others – even if they aren’t true – we still accept them and spread them around as general beliefs.

That’s why we wanted to address some of the most common myths related to software patching, which could help you and me better understand why applying updates for apps and OS is of utmost importance.

5 frequent software updates myths you probably hear (but you need to forget about)

Let’s have a look at these myths and analyze them to better understand why action and proactivity are vital when it comes to keeping your software up to date.

Myth#1 – “This is not a priority, I can just skip the updating part for another time”

This is probably one of the most harmful ways of thinking, and one you need to forget about. That “another time” decision may come too late if you want to better secure your digital assets.

Security specialists advise making patching a priority and applying updates within the first hours of their becoming available. Not tomorrow, not in one week or month. As soon as possible, because the speed of patching will make a difference.

If you spend more than one week (or even day) in getting up to date with your software, it might be too late. Cybercriminals operate fast and find innovative ways to exploit software vulnerabilities. That’s why we have to keep applying these updates and begin with the most important service/app we’re using.

However, before prioritizing we first need to acknowledge what the security risks and consequences are and how big the impact is for our online safety.

It should not be only a priority, but basic, standard cyber hygiene for everyone.

Myth#2 – “If I focus on apps that carry the most prevalent vulnerabilities I am safer”

Here’s another myth we recommend letting go of, and trying to see things from a different perspective.

We strongly recommend applying all available updates for all apps that you’ve installed and used. Focusing only on those apps with a higher risk doesn’t make you safer.

Every app will ask users for regular updates, and they’ll (probably) nag you with notifications until you patch it. As annoying as it may be, keeping your installed apps up to date is still important for security reasons.

You can also look for the “settings” section of your apps and select the option to receive app updates automatically when a new version is available.

Nevertheless, it is important to understand that installing updates will also make a difference in terms of performance (bringing new features), not only security-wise (bug fixing).

At a business level, many organizations decide to focus on patching a specific pool of software products and apps which are considered to be among the most popular when it comes to vulnerabilities.

This is not entirely true. A Fortinet report concluded that “90% of organizations the company protects have experienced cyber-attacks during which intruders tried to exploit vulnerabilities that were three years or older. In addition, 60% of organizations were attacked with exploits ten years or older.”

It is easier for cybercriminals to find a working exploit in one vulnerability and launch an attack within a targeted organization.

Myth#3 – “If I apply software updates only for Microsoft apps, it is enough”

Here is another common myth that we’ve been hearing and reading about.

Patching only the Microsoft OS and applications is not enough to keep your system protected from advanced forms of malware and hackers’ attempts to gain access to sensitive data.

Don’t forget that third-party applications, such as Adobe Flash or Firefox, have become attractive and major attack vectors for hackers.

Researchers at Recorded Future observed that an Adobe Flash vulnerability still ranked as “the second most used exploit by hacking groups.”

If you want to dive deeper and know more about Flash vulnerabilities, how to disable Adobe Flash and how you can avoid getting your data compromised, read our detailed article about it.

Here are also some insights from Microsoft MVP Brien Posey explaining how to get third-party patches deployed.

Myth #4 – “Cybercriminals usually target and get in through perimeters, so it’s better to focus on keeping them up to date”

Rather than focusing on securing the perimeter, we encourage users and companies to have a broader security mindset and take into consideration all risks that could lead to malicious actors harvesting data and causing business disruption.

For those who don’t know, perimeter security means using traditional solutions such as firewalls or antivirus to build defenses and protect a defined boundary (system) from unauthorized physical intrusions.

Patching the perimeter is just one part of securing your most valuable digital assets, but it’s not enough.

According to a 2018 report, it took most cybercriminals 15 hours to breach a target system, identify critical data and exfiltrate it.

Here’s another point of view highlighting the idea of thinking beyond the security perimeter:

Focusing on a strong perimeter to keep the bad guys out seemed to work well enough for a while. But now that attackers routinely reuse credentials or low-tech phishing techniques to enter, and now that data is no longer kept within a perimeter, this outside-in approach is no longer practical.

Security specialists consider perimeter security just basic hygiene and the first line of defense, but we need to adopt a multi-layered security approach to enhance online protection.

Mikko Hypponen, one of the best-known cybersecurity experts and Chief Officer at F-Secure, recently underlined the importance of patching:

Patch your systems, use the automatic updates. The updates will make you safer. And here it was the update which burned them. Nobody expects to get hacked through automatic updates.

Myth#5 – “If I patch my software once, I can rest assured that my computer is secure”

Patching your operating systems and apps is vital to fix vulnerabilities and stop hackers from exploiting them. But it’s not enough to do it just once to protect your computer.

The best practice is that you need to patch constantly, as soon as new updates are available.

When it comes to critical vulnerabilities that have published exploit code, users and companies are urged to apply patches immediately.

In terms of patching frequency, it’s worth mentioning that each OS vendor and application vendor releases updates at a specific frequency (see Microsoft Patch Tuesday) or, in special cases, for newly discovered and critical vulnerabilities.

As we already said, the speed and timing of patching can be crucial, because if you don’t apply updates after they’ve been released, you leave an open window for cybercriminals to exploit the unpatched vulnerabilities and launch new attacks.

Final thoughts

Software update myths will probably continue to exist, as long as we look for easy solutions and basic answers to our most common security fears.

But we need to keep in mind that software patching remains an important issue to address if we want to maintain a high level of security. And, at the same time, a challenge for both users and companies.

This is why it’s essential to leverage the key advantages of patching as a proactive security measure and urge everyone to cultivate a healthy and constant habit of keeping their software up to date.

If they want to be less prone to cyber attacks, home users need to adopt a proactive mindset and keep their software updated. And, when (if) possible, they should enable automatic updates or search for alternatives that provide automatic updates.

At a corporate level, it is essential to spread a security culture within the organization and implement basic patch management practices that will help it better control and protect valuable data.

What’s your opinion on this topic? Do you believe in these myths and how much attention do you pay to software updates?

We are curious to know your thoughts, so feel free to share them in a comment below.

And remember! Next time you see the “we’ve got an update for you” message displayed on your computer’s screen, make sure you apply it immediately, not another time.

Stay safe!

The post 5 Common Myths about Software Updates You Need to Know About appeared first on Heimdal Security Blog.

Are Hackers Threatening the Adoption of Self-Driving Cars?

Automotive manufacturers have realized the future lies in self-driving cars. We may be taking small steps, yet we would like to be headed to an autonomous driving utopia. Here, every road is safe, smart, connected, fast, reliable.

It may be just a dream right now, but how far are we from achieving this goal?

In this article, we will walk you through the current state of autonomous vehicles, and most importantly, examine how safe driverless cars actually are from a cybersecurity perspective.

A brief history of self-driving cars

Let’s start off with a little bit of history.

You may be amazed to hear that people have been working on driverless car prototypes since the 1920s. Back then, Francis Houdina invented a radio-controlled car, which he drove through the streets of New York without a person behind the steering wheel.

Impressive, right?

Throughout time, there have been multiple attempts to develop the industry and encourage driverless cars’ adoption. You can access this resource to go through a quick timeline of self-driving cars.

Fast forward to more recent days: Waymo, formerly known as Google’s self-driving car project, is the first commercial self-driving car service and was launched in December 2018. Through an app, Waymo offers ride-hailing services to people in the Phoenix area of the United States.

Will 2019 be the year of self-driving cars?

Here are a few facts and predictions for 2019:

  • This year, companies such as General Motors, Uber, Volkswagen, and Intel are competing in the ride-hailing movement and are making promises regarding when their fully autonomous vehicles will be available. The general answer seems to be between 2019 and 2022.
  • Elon Musk, CEO of Tesla, is expecting to see Tesla’s self-driving feature fully available by 2020.
  • The UK government has announced its commitment to having completely autonomous vehicles on the roads by 2021.
  • 2019 will be the year of Level 4 autonomous vehicles.

Did you know a car can have six automation levels?

In the image below you can see exactly what Level 0 to Level 5 actually mean.

[Image: the six automation levels, Level 0 to Level 5]

How do people view self-driving cars?

Autonomous vehicle manufacturers promise to deliver a safe, enjoyable, and fast experience, freeing the drivers of the stress of driving, while allowing them to fulfill other tasks.

But what is the general opinion towards autonomous cars?

According to Deloitte’s 2019 Global Automotive Study, consumer perception of the safety of autonomous cars has stalled in the last year. This attitude is predominantly influenced by media reports of accidents involving self-driving cars, many of which were fatal.

Here you can read a report on these types of accidents.

Source: Deloitte

The concern around safety is also reinforced by Perkins Coie’s research, which shows that consumers’ perception of safety is the biggest roadblock to the development of self-driving vehicles in the next five years.

As per another study conducted by the American Automobile Association (AAA), almost 3 in 4 Americans are afraid of self-driving cars. According to the same research, only 19% would trust self-driving cars to transport their loved ones.

What’s more, there are some people who seem to despise the autonomous vehicle’s technology and even manifest violent behavior towards it. At least 21 attacks against Waymo cars have been reported. People have tried to run the vehicles off the road, thrown rocks at them, slashed the tires, or even yelled at them to leave the neighborhood. This behavior seems to be fueled by people’s concern with safety and even potential job losses.

Some also believe self-driving cars will most likely cause traffic congestion.

You may be wondering why, since they were created to simplify traffic movement in the first place.

The autonomous cars could be programmed to aimlessly drive on the streets, without parking, in order to avoid payments. Basically, the price for recharging an electric autonomous car would be much lower than the overall parking fee.

The concerns around data collection and privacy

The same Deloitte 2019 report shows most people are worried about biometric data being collected by self-driving car manufacturers through their connected vehicles and sent to other parties.

Source: Deloitte

In truth, data does need to be collected in order to improve functionalities, but this could also cause the invasion of your privacy.

So the question is where that data ends up and how it’s actually used. Some may argue that it could be shared with the government or used for marketing purposes.

Thus, authorities need to put strict rules and regulations in place.

Solving the cybersecurity question

Without a doubt, autonomous vehicles need state-of-the-art cybersecurity.

According to a recent study which surveyed auto engineers and IT experts, 84% of respondents were concerned that car manufacturers are not keeping pace with the industry’s constantly increasing cybersecurity threats.

Since self-driving cars have been involved in numerous accidents, this means they still have flaws, which can be exploited by malicious actors. Although aspects such as proper navigation systems and collision avoidance are obvious priorities for manufacturers, cybersecurity should also be top of mind.

According to Skanda Vivek, a postdoctoral researcher at the Georgia Institute of Technology, if people were to hack even a small number of internet-connected self-driving cars on the roads of the United States, the flow of traffic would be completely frozen. And emergency vehicles would not even be able to pass through.

Source: Skanda Vivek/ Georgia Tech

“Compromised vehicles are unlike compromised data,” argues Vivek in the study’s press release. “Collisions caused by compromised vehicles present physical danger to the vehicle’s occupants, and these disturbances would potentially have broad implications for overall traffic flow.”

Around four years ago, researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee as an experiment. They did it with a laptop from 10 miles away and managed to take full control of the vehicle.

This was not even a self-driving vehicle, but the same scenario can be applied to one. In fact, this can even be more plausible in the case of autonomous cars due to their increased internet connectivity.

Right now, you won’t find two identical automation systems in the industry. Yet, according to the University of Michigan’s report, as systems become more generic, or even use open-source software, one attack could spread across every car deploying the same system, just as happened with the WannaCry ransomware attack, which infected more than 300,000 computers in 150 countries, at an estimated cost of $4 billion.

But are things really that bad?

On a more positive note, there are cybersecurity experts who believe that, in the future, fully autonomous cars will be much harder to hack than we might think. This “fully autonomous” technology (remember Level 5 we were talking about above?) will rely on multiple sensors and communication layers.

At the moment, self-driving cars are only using one or two sensors for object detection, according to Craig Smith, research director of cyber analytics group Rapid7.

In his view, since it’s already quite difficult to hack a single sensor, a malicious criminal will find it even harder to override a complex sensor system.

“If we’re having a discussion about what’s safe, it’s more likely that you’ll get into a car accident today than someone will hack into your car tomorrow”, Smith pointed out.

How can we stop self-driving cars from being hacked?

The good news is that experts are constantly working on developing better security systems.

For instance, just a few weeks ago, SK Telecom announced the launch of a solution based on Quantum Encryption.

How does it work?

As per SK Telecom, this is an “integrated security device that will be installed inside cars and protect various electronic units and networks in the vehicle”.

Also, the gateway, which was developed together with the controller maker GINT, will be used to secure all the vehicle systems: Vehicle-2-Everything (V2X) and Bluetooth communication systems, the car’s driver assistance, radar, and smart keys. Drivers will also be alerted to any suspicious behavior.

The gateway basically transfers a quantum random number generator and Quantum Key along with the vehicle’s data that will “fundamentally prevent hacking and make the cars unhackable”, according to SK Telecom. The company also added that this move was to facilitate security in the 5G era.

This is not the first initiative of this kind. In another project, the cyber-security group at Coventry University’s Institute for Future Transport and Cities (FTC) teamed up with the quantum experts at cybersecurity start-up Crypta Labs and they also reportedly worked on this quantum technology that can prevent hacking.

Here’s a bonus

We stumbled upon a great video that we’d like to share with you, in which Victor Schwartz, a partner at Shook, Hardy & Bacon, talks about the potential risks of driverless cars – privacy issues and cybersecurity.

Conclusion

At the moment, concerns around self-driving technology clearly outweigh the benefits. It’s now crucial for manufacturers to focus on autonomous cars’ cybersecurity problems, employing dedicated staff to work on these issues. However, with proper security measures in place, hacking risks can be, in time, dramatically reduced.

Would you trust a self-driving car? What’s your opinion on the overall security of autonomous vehicles? We would love to hear your thoughts in the comments section below.

The post Are Hackers Threatening the Adoption of Self-Driving Cars? appeared first on Heimdal Security Blog.

Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness

The European Union (EU)’s General Data Protection Regulation (GDPR) is about to celebrate its first birthday, and similar regulations scheduled to go into effect early in 2020 — such as Brazil’s Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA) — will press organizations to look more holistically at how they address privacy. Because I’m an optimist, I think it’s possible a U.S. federal privacy law could also be passed in the next 18 months. In my experience, modern data privacy readiness and controls are largely based on common privacy principles and practices from the GDPR, which began enforcement on May 25, 2018.

But what does that really mean?

Apply GDPR Best Practices to Your CCPA Readiness Plan

Let’s take a step back and look at several of the high-level overlaps between the GDPR and the CCPA as an example. Keep in mind that within each regulation there are fine points that clearly differentiate them. While those are beyond the scope of this article, we suggest seeking legal advice should you need further help on this topic. Here is a high-level review:

  • While definitions vary, the general definition of “personal data” or “personal information” is virtually anything that can be used to identify an individual. Both regulations define and enumerate rules to enforce protecting an individual’s rights around his or her personal information.
  • According to the important right of disclosure or access, individuals have rights to transparency around the collection of their personal data and also to receipt or deletion of the data altogether.
  • The CCPA does not directly impose specific data security requirements, but establishes a right of action for certain data breaches caused by business failure to maintain reasonable security practices and procedures appropriate to the risk. Somewhat similarly, the GDPR requires appropriate technical and organizational measures necessary to ensure security appropriate to the risk.

As these basic overlaps between the GDPR and the CCPA illustrate, there is a set of common principles about transparency, including an individual’s right to access or request deletion of personal data, the need for security, and the potential for substantial penalties for noncompliance. While there are implementation differences between the various regulations — such as which organizations and individuals qualify, personal data definitions and individual rights (access, correction, deletion) — the IT best practices required to help your compliance program are largely the same. Some of these include:

  1. Security and privacy by design and by default;
  2. Locating, identifying and classifying personal data;
  3. Tracking personal data use via audit trails to demonstrate compliance;
  4. Providing for response capabilities to individual requests for access, correction, deletion and transfer of personal data and audit trails to demonstrate compliance;
  5. Implementing security controls according to risk (vulnerability assessments, access controls, activity monitoring, encryption); and
  6. Effectively preparing for and responding to breaches.

A Repeatable Framework for Protecting Regulated Data

In my experience as a practitioner, I find that it’s often helpful to follow a framework that guides you as you bring these best practices to life in your data privacy program. That’s why IBM created a five-step program to help you establish a repeatable process for protecting personal and regulated data, known as the Critical Data Protection Program:

Figure 1: IBM’s Critical Data Protection Program

When it comes to preparing for the CCPA (and other regulations down the road), consider what steps you can take as an IT organization and how you will be working with your privacy/legal/compliance organizations. Your privacy team will undertake many of these activities, including assessments, policy setting and creating business processes.

  1. Start by obtaining executive sponsorship and budgets to support your privacy program. The higher up the executive chain, the better. The changes you may need to make will cross organizational boundaries, so support from the top will be critical to your success.
  2. Next, assess and understand your obligations — in other words, do a gap analysis. This may mean seeking legal counsel. Review your existing privacy policies, notices and statements. Do you have them? Where are they presented, and when were they last updated? Are they clearly written and easy to understand?
  3. Create a cross-functional team. When it comes to implementation, be sure to have all the right stakeholders involved. Privacy is not just a security issue, or even just a privacy issue; your cross-functional team should include departments such as marketing and HR, for example, due to the potentially regulated data they may be dealing with.
  4. Regardless of regulation, you will need to know what personal data assets you store, where they are located and how they are used. You will hear this often referred to as a data map. Data discovery is an essential part of creating a data map; it’s the process of identifying, inventorying and mapping personal data and data flows across your organization. A data security solution can help automate the process to avoid approaching it manually — after all, who couldn’t use fewer spreadsheets and more time?
  5. Review data retention schedules. How long do you retain the personal data you collect? It should be either as long as required for a legitimate business need or as required by law.
  6. Document privacy compliance activities, including processing operations involving personal data.
  7. Develop audit capabilities and processes. You will be required to demonstrate what you are doing to address your compliance obligations. You will need a robust audit plan and process to monitor ongoing conformity and help mitigate risk, both internally and with your data processors and other vendors.
  8. Implement privacy by design and security by design. Although not spelled out in the CCPA, this is an important GDPR requirement and it can save you a lot of redundant work regardless of the regulation. Going forward, if you develop new services and systems, it is likely that you will be expected to embed — by default and by design — processes and features that will help ensure privacy of personal data.
  9. Create breach response and notification protocols. In the event of a breach with the GDPR, under certain scenarios, you have 72 hours to notify the regulatory authority. Other states and jurisdictions have varied timelines; sectoral regulations such as New York’s Department of Financial Services 23 NYCRR 500 also mandate 72 hours. Achieving these tight deadlines may depend on having defined processes and protocols in place for investigating, containing and responding to data breaches.

The bottom line is that approaching any privacy regulation requires a combination of people, process and technology. There is no one solution that can meet all needs. There are many technologies from IBM Security that can help — from data activity monitoring solutions to software-as-a-service (SaaS)-based risk analysis to encryption — and our privacy experts can help you get started in creating or augmenting your privacy program with services such as a CCPA readiness assessment.

Accelerate Your Readiness for New Data Privacy Regulations

Privacy regulations will continue to evolve, both in the U.S. and abroad. While there are many implementation differences, the IT controls and requirements for protecting personal data are largely the same. As you build out your program, don’t forget to leverage the existing investments you’ve made in preparing for other regulations — from both an organizational and technology perspective — to accelerate your readiness for new regulations.

With the right tools in place, you can implement a consolidated approach to help organize and automate your privacy controls program and, in the process, help build trust and accountability, whether with consumers, business partners or employees.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness appeared first on Security Intelligence.

Preparing for the Unpredictable: Security in a New World of Mobile Malware

Mobile malware is nothing new. But in recent months, attackers have been getting more creative and resourceful with how they conceal, distribute and deploy these threats.

This newfound creativity is part of a mobile threat trend that can be summarized as follows: Attacks are on the rise, they’re focusing on mobile devices and they’re getting far more aggressive with their methods.

Mobile Threats by the Numbers

The numbers are staggering. Kaspersky Lab’s “Mobile Malware Evolution 2018” report found that the number of devices attacked by malware increased from 66.4 million in 2017 to 116.5 million in 2018 — and we should assume another big rise for 2019. The researchers also found that the “quality” of malware — its precision and impactfulness — is on the rise. The number of so-called “Trojan-droppers” — malware that gets past security to deliver its payload — doubled from 2017 to 2018, according to the report.

In its most recent “Mobile Threat Report,” McAfee detailed how mobile phones are being increasingly targeted with mobile app backdoors, banking Trojans and cryptomining malware. One alarming trend is the number of fake apps appearing in dozens of app stores, rising from around 10,000 fake apps in the middle of 2018 to approximately 65,000 by the end of the year.

In addition, Verizon’s most recent “Mobile Security Index 2019” found that a majority of those surveyed believed their organization is at risk of mobile threats. One-third of companies reported suffering a compromise that involved mobile devices. Despite this, more than half said they had sacrificed security to “get the job done.” An incredible 81 percent of respondents said they had personally used insecure public WiFi for work, despite knowing that the practice is both unsafe and prohibited by company policy.

All this is to say that the threat from mobile devices is increasing at an extremely high rate, yet most organizations are woefully unready.

A New World of Mobile Malware

All that data around the rising threat of mobile-based attacks doesn’t fully address the quality of the latest malware. Just look at the creative thinking behind a recent incarnation of malware called Anubis.

Anubis’ Motion-Based Evasion Tactics

Distributed inside at least two apps available on the Google Play store, Anubis banking malware concealed itself using the target phones’ motion sensors. Researchers often use emulators to hunt for Trojans in apps — or they search on real phones, which are often mounted and motionless. The Anubis creators figured out that one difference between security researchers and real-life users is motion. By activating only after motion was detected, the malware could remain invisible to many researchers but still activate on phones in the wild.

Trend Micro reported in January that the motion-activated Anubis appeared in two seemingly legitimate apps: a battery extender app with a 4.5-star rating and a currency converter. Once activated, Anubis installed a keylogger for stealing credentials or took screenshots for the same purpose.

Preinstalled Mobile Malware

Downloading apps is one way to sneak malware onto phones. Preinstalling it is another. The technology firm Upstream discovered in January that the Alcatel smartphone models Pixi 4 and A3 Max contained malware out of the box. The malware was hidden in a preinstalled weather app called Weather Forecast-World Weather Accurate Radar. The app was also available separately on the Google Play store and was downloaded more than 10 million times. It has since been removed.

The malware collected various bits of data, such as location data, user email addresses and International Mobile Equipment Identity (IMEI) numbers and may have loaded adware. It also subscribed users to a for-pay phone number service.

Clipper Malware on Google Play

Another unwelcome trend is the appearance of older methods of compromise in legitimate app stores. For example, the first clipper malware ever discovered on the official Google Play store was found by the security company ESET in February: Android/Clipper.C. Previously, clipper malware was the exclusive province of desktop PCs or unauthorized app stores.

Clipper apps replace the clipboard contents of a device with other data. For example, a clipper app might switch the account for a deposit during a cryptocurrency transaction, redirecting the transaction to the attacker’s account.

In addition, Android/Clipper.C attempted to nab credentials and private keys and send them to the attacker’s Telegram account to steal Ethereum funds, but it could also replace either an Ethereum or a bitcoin wallet address.

Attack Campaigns on a Massive Scale

Yet another new trend is that some malware is being distributed on a massive scale. Some 150 million Android users were impacted recently by malware called SimBad. The malware disguises itself as advertising, according to Check Point, mostly inside a large number of mobile games.

In fact, SimBad carries out phishing attacks that lead users to websites where even more malware is downloaded. Once launched, SimBad is difficult to stop or uninstall. Apps containing the SimBad malware have since been removed from the store.

Distributing Malware via Image Files

Malware can even be smuggled onto a phone without apps. A new Android bug enabled a standard photo file format to serve as the vehicle for an attack. Google discovered the method, fixed it with a February patch, then described it in a security bulletin. The flaw enabled hacks of Android smartphones via PNG files by way of a purpose-built PNG that could execute code. It’s worth noting that the vast majority of Android phones are not updated frequently and did not get the patch quickly.

What Can We Do to Combat Creative New Malware Strains?

The bottom line is that mobile malware techniques to compromise security cannot be easily predicted. What can be predicted is that threats will continue to rise, new methods will continue to be devised and mobile devices will continue to be the focus of intense malware activity.

The point of all this is not to guard specifically against the examples in this article, but to understand the growing threat — and reflect on the fact that far too many organizations are unprepared. So what can they do to prepare for the unpredictable?

To get started, here are some mobile security best practices and policies to follow and enforce:

  • Keep devices current with the latest updates.

  • Stick to official and authorized app stores. While many of the threats reported here actually appeared on the official Google Play store, it’s important to note that affected apps are removed immediately once discovered. The same can’t be said for unauthorized sources for mobile apps.

  • Minimize the number of apps installed and favor reputable app developers.

  • Embrace a comprehensive approach to mobile security that can protect against even unreported or unpredicted threats.

  • Understand that some of the newest threats can only be stopped with powerful artificial intelligence-based tools.

  • Improve and enforce policies against using public WiFi and in favor of using good password management.

Nobody can predict how creative new malware methods will infiltrate the mobile devices used by employees at your organization. But it’s easy to predict that these attempts will be made. Security decision-makers can no longer think about these threats as theoretical or secondary in importance to other work. It’s time to act on what we know is coming: something unpredictable.

The post Preparing for the Unpredictable: Security in a New World of Mobile Malware appeared first on Security Intelligence.

79% of organizations want a federal privacy law amid lack of compliance

There is a significant enthusiasm for a federal privacy law amid organizations’ lack of ability to comply with data privacy rules stemming from both mushrooming government regulations and complex data sharing agreements between companies. Organizations are also overconfident in knowing where private data resides, and tend to use inadequate tools such as spreadsheets to track it. Integris Software’s 2019 Data Privacy Maturity Study gathered detailed responses from 258 mid to senior executives from IT, general … More

The post 79% of organizations want a federal privacy law amid lack of compliance appeared first on Help Net Security.

As fraud attacks grow more sophisticated, a need for contextual detection strategies increases

Fraudsters are using a complex array of tools to build armies of fake accounts, 74% of all fraudulent accounts are created from desktops, and cloud service provider IP ranges are at a higher risk.

How fraudsters behave

Fraudsters rely heavily on cloud datacenter IP ranges and cloud services are becoming a favorite attack tool; whether to mask the true origin of fraudulent accounts or to easily orchestrate attacks at scale by exploiting virtual servers, according … More

The post As fraud attacks grow more sophisticated, a need for contextual detection strategies increases appeared first on Help Net Security.

Online Criminal Impersonation 101: Our Own Case of CEO Fraud

You’re probably familiar with the legal term of criminal impersonation, but how does this felony take place when it’s online?

What is the usual approach employed by hackers or someone with malicious intent towards you personally?

What can you expect from it?

Are the impersonators risking anything?

How can you find out and protect yourself from its effects?

All these questions and more will be addressed below. In the following story, I’ll share with you the key facts of online criminal impersonation, as well as show you what happened in our own organization.

Wondering what you will learn from this post?

First, the ground facts on what is criminal impersonation in general and online criminal impersonation in particular.

Then, the basics of what is CEO fraud, how it usually works, how to spot it and how to prevent becoming a victim of it.

Finally, a look inside a real-life example from our own company. A group of not very smart hacker wannabes tried to impersonate our CEO in a bad attempt at CEO fraud. As much as we were amused, we know this tactic can be successful if you’re not careful, so we decided to share the story with you all, as a cautionary tale.

Ready?

Here we go!

What Is Defined as Criminal Impersonation?

First of all, and this may be a bit of a surprise, you should know that it’s not always illegal to impersonate a person or business entity, or to claim you are them although you are not.

Shocked?

We understand.

One of the virtues and curses of the internet is that some degree of anonymity and creative falsehood are always allowed. If this were strictly forbidden, people could never perform satire, fantasy humor, role-playing and so on. These are all quasi-harmless activities but crucial for nurturing a climate of free speech.

As much as it can be dismaying to discover that pictures of you or your family members are used by fake profiles and the like, it’s not a criminal offense.

At most, the platform where the fake profiles were created will take them down after you report the fraud. But the people who were behind it are not criminally liable (prosecutable).

There have been some attempts to redefine current laws in order to criminalize more hacking actions, such as breaking into IT systems, IP spoofing and the like. While it’s definitely on the table, it’s not a reality yet.

Ok… so what then counts as criminal impersonation?

Definition: Criminal impersonation refers to those cases of impersonation committed as part of an attempt to gain benefits, or to cause harm to their victim. For example, hackers could be looking to commit something illegal while posing as you or to gain financial benefits (such as obtaining a loan in your name).

In other cases, it’s not about what they can gain, but about what you can lose.

A disgruntled ex, or former employee, or simply someone out to get you can impersonate you just for the purpose of causing harm. Creating fake explicit profiles in your name (and with your pictures) on adult dating websites, or hacking into your social media accounts to post embarrassing updates are just a few examples of how this can go down.

Sometimes, it’s entirely offline, although this takes considerably more effort to pull off. In a very disturbing news story, it was reported that some men pose as police officers in order to coerce women. In other cases, real flesh-and-bone people pose as attorneys, accountants, private detectives, real estate agents and so on. They meet with you, offer preliminary consultation and charge you an advance fee. You’re convinced that it’s all legit. Nevertheless, they disappear with your money afterward.

What Is Online Criminal Impersonation and What Forms Can It Take?

While criminal impersonation, in general, includes all offline and online activities pertaining to this type of behavior, online criminal impersonation is obviously restricted to just the digital aspects.

For individuals:

There are many ways in which you can become a victim of online impersonation (criminal or not) as an individual.

If the hackers are impersonating you:

  • Financial loss (opening up credit or new accounts in your name);
  • Reputational loss (posting compromising things or using your faked identity to spread their operations further under its guise);
  • Hacking into your workplace using your identity (the target here is the company, but your credentials are used for the hack, so you could be held liable for any wrongdoing);

If the hackers are impersonating your conversation partner:

  • Catfishing (A type of social scam where a new romantic partner you’re chatting with is actually a hacker looking for financial gain);
  • Spear-phishing and BEC (business email compromise) attacks, where hackers are impersonating an entity you trust, like your bank or a business partner;
  • If hackers are impersonating your boss (like in the example of CEO fraud we’ll discuss below);
  • If hackers are impersonating a family member (by stealing their social accounts and phone, texting you that they’re in trouble and need a large sum of money right away, for example);

More examples can follow; to cut a long story short, the bottom line is that hackers are always creative about finding new ways to exploit identity theft and online criminal impersonation.

Here’s a crunch-down on the most common ways in which the information of victims was misused in 2017, according to iii.org.

types of identity theft damage

For Businesses:

For business entities, online criminal impersonation can get much more sophisticated than for private persons, and the stakes are much higher, too. The impersonation is also almost always of a criminal nature since the attackers are aiming to gain a financial advantage or to harm the business.

This means that online criminal impersonation can take many forms.

One of them is for the malicious parties to claim they are another company with which you are already working, and send invoices to your company. If you expect those invoices and if the virtual identity of the hackers is almost indistinguishable from that of the real company they are impersonating, then you won’t be surprised by this.

The hackers may even send you invoices with the exact amounts you expected (if they managed to get into the systems of the company they are impersonating). Then, of course, after you pay up, the hackers disappear and you are left to deal with the real third party which still needs those invoices paid.

You think it sounds like something only rookies could fall for? Think again. A Lithuanian man has been caught (and pleaded guilty) for stealing 100 million from Google and Facebook using this method. If it can happen to tech giants such as Google and Facebook, it can happen to anyone.

Out of all these forms, business email compromise (also known as BEC) is one of the hacker’s favorite ways of causing mayhem.

What you need to understand is that this is a very lucrative business for hackers.

How lucrative?

Well, according to the FBI, malicious hackers managed to make over $3 billion from this type of B2B scam from October 2013 to May 2016. Since then, the numbers are probably much higher.

And you know what?

That’s just the amount of money they managed to get away with. As I said, it’s a very lucrative business, and if you’ve been following our blog you’re aware that malware is getting more and more creative.

What Is CEO Fraud?

CEO fraud is a particular type of BEC (business email compromise) and online criminal impersonation. It’s when you receive an email that seems to be from your top boss (or CEO), asking you to do something on their behalf and keep it secret.

If you’re not paying attention and you fall for it, hackers will be able to either gain access into the company’s systems or steal money from accounts and so on.

Surprise, surprise.

That email was not actually from the CEO. But sometimes, it can be difficult to tell and you don’t want to appear silly or to waste your boss’s time by asking for a confirmation or questioning the info.

Do you know what this is called?

Social hacking or social engineering.

It’s precisely because hackers are anticipating these all-too-human reactions (shame, fear, doubt, the desire to be helpful and ingratiate yourself with the boss) that they get their way. They are counting on our ability to be social (hence the name of social hacking).

But don’t be afraid; practice critical thinking. Educate yourself. Subscribe to our blog. Get a second opinion. It never hurts to be extra cautious.

How to Spot CEO Fraud: Tell-tale Signs

Here are a few ways in which you can immediately tell that you’re dealing with CEO fraud:

  • The email address is not the legitimate one, with the exact domain name. Be extra mindful of typos, since almost accurate domain names are a hacker’s favorite.
  • The CEO is asking you to handle something in secret. If it was really such a sensitive issue, wouldn’t they ask you this in person? Use your better judgment.
  • They are asking you to disclose a particular piece of information, or to install something on your computer.
  • The message is written with some mistakes since English is not really the strong suit of most cybercriminals.

Remember, sometimes the CEO fraud is a really good one, with perfect English and the right email address. It still doesn’t mean it’s legit and it never hurts to check with the boss in person.
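The header-level signs from the list above can be checked mechanically. The following is an added example, not code from the original post or from Heimdal Security; the domain `example.com`, the executive name and the pressure-word list are assumptions, and all three messages are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organization's
# real mail domain, the executive names attackers might borrow, and a short
# list of words that signal secrecy or urgency.
LEGIT_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe"}
PRESSURE_WORDS = ("urgent", "confidential", "secret", "discreet", "immediately")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typo) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def ceo_fraud_signals(raw_message):
    """Return the list of tell-tale signs found in one raw email."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)

    signals = []
    if from_dom != LEGIT_DOMAIN:
        # One or two character edits away from the real domain: likely a typo-domain.
        if 0 < edit_distance(from_dom, LEGIT_DOMAIN) <= 2:
            signals.append("lookalike-domain")
        # An executive's display name on an address outside the company domain.
        if display.strip().lower() in EXEC_NAMES:
            signals.append("exec-name-external-sender")
    # Replies would be routed somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    if any(word in text for word in PRESSURE_WORDS):
        signals.append("secrecy-or-urgency")
    return signals


# Constructed sample messages (not the email shown in the article).
SPOOFED = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.invalid
To: finance@example.com
Subject: Urgent and confidential

I need the financial figures today. Keep this secret until the deal closes.
"""

GENUINE = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q2 planning

Agenda for Thursday attached.
"""

GOOD_ADDRESS_BAD_REQUEST = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Payment

Please keep this confidential and wire the payment immediately.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("good address, bad request", GOOD_ADDRESS_BAD_REQUEST)]:
        print(name, "->", ceo_fraud_signals(raw))
```

The third sample has the right address and still trips the secrecy check, which is the case where checking with the boss in person is the only reliable control.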

What to Do If You’re a Target of CEO Fraud or Online Criminal Impersonation

First of all, do not engage with the fake account in any way. Do not give in to ransom attempts or do what they ask.

If it’s a simple matter of CEO fraud, just report it to your company executives and to the authorities.

If it seems to be a more serious matter of online impersonation, do your best to recover your accounts, and get in touch with all possible parties to alert them about this (your family, your employer, your bank, the police).

Here is where you can report identity theft:

The Heimdal Security Case: Hackers Pretended to Be Our CEO Morten Kjaersgaard

As I mentioned above, it recently happened to us too. Several of our employees received emails which seemed to come from our CEO, asking them to reply to them with some financial data. Of course, the text mentioned the urgency and secrecy of the project. Furthermore, if you look carefully, the email contains several spelling mistakes which are tell-tale signs of foul play.

screenshot of ceo fraud

Take a look at the blurred lines in the email body. There, the hackers used the names of very prominent (and legitimate) attorneys and law firms, as a way of adding credibility to the claim.

In other wide-spread cases, hackers simply invent law firms to start with. This way, if you contact the so-called attorneys to verify the claim, you’re talking to the initial hackers and, of course, they will confirm their own story.

In our case, this attempt at CEO fraud was a poorly executed one. The email of our CEO was not correct, the text was full of mistakes and the pretext laughable. But attacks like these still manage to go through, and businesses lose money and sensitive data to such attackers every day. Stay vigilant, informed, and safe.

The post Online Criminal Impersonation 101: Our Own Case of CEO Fraud appeared first on Heimdal Security Blog.

Unnam3d Ransomware Moves Files Into Protected RAR Archives, Demands Amazon Gift Card

Security researchers discovered a new ransomware family called Unnam3d that moves targeted files into protected RAR archives and demands an Amazon gift card as ransom.

Bleeping Computer first learned about the malware after a user submitted a sample to its site and asked for help in recovering stolen files. Currently distributed via email, the cyberthreat first extracts a bundled WinRar.exe executable to the %Temp% folder. It then executes a command to move the victim’s files stored in Documents, Pictures and Desktop to a specific directory in a password-protected archive. At that point, the ransomware displays a ransom note demanding that the victim send a $50 Amazon gift card in exchange for the archive’s password.

The developer of Unnam3d told Bleeping Computer they conducted an attack campaign near the end of March in which they sent out around 30,000 emails. These messages were disguised as correspondence from Adobe warning the recipient to update their Flash Player software. Clicking on the “update” link subsequently downloaded the ransomware.

Ransomware’s History With Gift Cards and Adobe Flash

Unnam3d isn’t the only cyberthreat that’s demanded gift cards as ransom payments. In March 2017, for instance, researchers at Lookout spotted a scareware campaign in which scammers blocked victims’ use of Mobile Safari until they received an iTunes gift card. In December 2017, Quick Heal Security Labs spotted an Android ransomware family demanding that victims submit an iTunes gift card as their ransom payment.

This also isn’t the first time a threat has masqueraded as an Adobe Flash Player update. For example, Heimdal Security observed attackers using the disguise to distribute Bad Rabbit ransomware back in October 2017. A year later, Palo Alto Networks discovered some threat actors leveraging fake Flash Player updates to push cryptocurrency miners onto unsuspecting users.

How to Defend Against Threats Like Unnam3d

Security professionals can help defend their organizations against threats like Unnam3d by using an endpoint management solution that allows them to inventory all endpoint devices and manage their configurations. Organizations should complement this visibility with a tool that uses artificial intelligence to determine the legitimacy of certain behaviors and mitigate the impact of zero-day malware.
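The behavior described above (a WinRar.exe running from %Temp% that moves Documents, Pictures and Desktop into a password-protected archive) can be turned into a detection over process-creation events. This is an added example, not code from the article or from Bleeping Computer; the event fields and command lines are constructed samples rather than the malware's actual command, and the `m`, `-p` and `-hp` arguments are standard WinRAR command-line options.

```python
import re
from pathlib import PureWindowsPath

# Quoted strings or bare tokens, as they appear on a Windows command line.
TOKEN = re.compile(r'"[^"]*"|\S+')
ARCHIVERS = {"winrar.exe", "rar.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_DIRS = {"documents", "pictures", "desktop"}
ALERT_SET = {"archiver-in-temp", "move-into-archive",
             "password-protected", "targets-user-folders"}


def tokens(command_line):
    return [t.strip('"') for t in TOKEN.findall(command_line)]


def analyze(event):
    """Return the set of findings for one process-creation event."""
    image = event["image"]
    if PureWindowsPath(image).name.lower() not in ARCHIVERS:
        return set()

    findings = set()
    # A bundled archiver dropped into a temp directory instead of Program Files.
    if any(marker in image.lower() for marker in TEMP_MARKERS):
        findings.add("archiver-in-temp")

    args = tokens(event["command_line"])[1:]          # drop the executable
    switches = [a.lower() for a in args if a.startswith("-")]
    positional = [a for a in args if not a.startswith("-")]

    # "m" / "mf" move files into the archive, deleting the originals.
    if positional and positional[0].lower() in ("m", "mf"):
        findings.add("move-into-archive")
    # -p<password> and -hp<password> set an archive password.
    if any(s.startswith(("-p", "-hp")) and s != "-p-" for s in switches):
        findings.add("password-protected")
    # positional[1] is the archive name; the rest are source paths.
    for source in positional[2:]:
        parts = {p.lower() for p in PureWindowsPath(source).parts}
        if parts & USER_DIRS:
            findings.add("targets-user-folders")
    return findings


def is_suspicious(event):
    """Alert only when every element of the described behavior is present."""
    return analyze(event) == ALERT_SET


# Constructed process-creation events (fields modeled loosely on EDR/Sysmon logs).
EVENTS = [
    {   # archiver in Temp, move command, password, user folders
        "image": r"C:\Users\alice\AppData\Local\Temp\WinRar.exe",
        "command_line": r'"C:\Users\alice\AppData\Local\Temp\WinRar.exe" m -pEXAMPLE '
                        r'"C:\Users\alice\locked.rar" "C:\Users\alice\Documents\*" '
                        r'"C:\Users\alice\Pictures\*" "C:\Users\alice\Desktop\*"',
    },
    {   # ordinary backup with the installed WinRAR: add, no password
        "image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" a '
                        r'"D:\backup\photos.rar" "C:\Users\bob\Pictures\*"',
    },
    {   # unrelated process
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": r'"C:\Windows\System32\notepad.exe" notes.txt',
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(is_suspicious(ev), sorted(analyze(ev)), ev["image"])
```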

The post Unnam3d Ransomware Moves Files Into Protected RAR Archives, Demands Amazon Gift Card appeared first on Security Intelligence.

Encryption deployment increases as organizations struggle to address compliance requirements

As organizations embrace the cloud and new digital initiatives such as the IoT, blockchain and digital payments the use of trusted cryptography to protect their applications and sensitive information is

The post Encryption deployment increases as organizations struggle to address compliance requirements appeared first on The Cyber Security Place.

How to be Secure in the Challenging Business Landscape

Data security is far from a side issue, of interest only to big players. On the contrary, it applies in equal measure to start-ups, small- and medium-sized enterprises, and global

The post How to be Secure in the Challenging Business Landscape appeared first on The Cyber Security Place.

The US Is Slow to Adopt EHRs, But That Might Actually Be a Good Thing for Healthcare Security

The healthcare industry is moving toward the universal use of electronic health records (EHRs), digital documentation that represents a secure record of our complete health history. With EHRs, your healthcare provider gets real-time access to your relevant medical data, enabling them to make faster and more accurate treatment decisions.

But all this data has to be stored somewhere. It’s no secret that the healthcare industry is hit hardest when it comes to data breaches, and healthcare security is going to play a huge role if the utopian vision of a purely digital ecosystem is to be realized.

In some countries, however, the medical system is already well on its way to becoming fully digital. In Sweden, for example, 41 percent (about 4.1 million) of the population had already created their own account to use personal e-services on the country’s online portal by June 2017, according to Philips. And in Canada, there are private initiatives to facilitate the EHR process by providing Canadians secure access to their health records.

So why is the U.S. not moving as quickly to adopt a digital system? There are many reasons for this reluctance — some political, some ethical and some based on the sheer number of healthcare providers and the population.

Still, cybersecurity may be the most critical factor. Perhaps incidents such as the flaw that left 170,000 hours of 2.7 million medical calls exposed online for six years in Sweden are prompting us to take our time.

Two Nations, Two Disparate Health Ecosystems

To get an idea of where the U.S. may be headed, we can look to Canada, a country with an estimated population of around 37 million. There, the Toronto-based Dot Health already has relationships with 3,000 healthcare providers across the country and provides an app for Canadians to display their health information in one place. The app updates data whenever it changes and the company goes over and above to secure it. How it protects the data is paramount, but we’ll address this later on.

In Canada, each province and territory is responsible for organizing and delivering health services and supervising providers. This territorial split represents the largest stumbling block for companies like Dot Health that want to be a catalyst for a fully digital system.

“If [healthcare] was federally done, it would be very different,” said Huda Idrees, founder and CEO of Dot Health. “It makes it really difficult when it seems each of the provinces is trying to compete with each other.”

Idrees explained that while a fully digital healthcare system in Canada may have its own set of challenges, the U.S. faces a particularly bumpy road ahead.

“Going digital [in the U.S.] is especially difficult in healthcare, where it’s completely out-of-pocket,” Idrees said. “There are very difficult innovations around EHR, and providers may not want to talk to each other because they have business interests that are in conflict.”

Surpassing Healthcare Security Standards

When it comes to data, the most coveted for threat actors is probably that which comes from the healthcare industry. Understandably, Idrees gets a lot of questions about security, privacy and information protection — a core focus for her company from the very beginning. For Dot Health, security must not only be much better than the healthcare providers, but strive for excellence in data protection to exceed standards in any industry, let alone healthcare.

To achieve this on a technical level, one example Idrees provided is in how they store health records. Instead of monolithic databases, the company spreads data over several databases that contain bits and pieces of what makes up a whole electronic health record.

“You would need to breach 12 different databases and also have the patient’s own login key in order to decipher one complete health record,” Idrees said.

Before going live, Dot Health spent eight months with third-party security specialists to help ensure compliance with all related legislation. On top of that, the company undergoes penetration testing from a third-party vendor three times a year.

In writing about healthcare security, I’ve learned that, unfortunately, pen testing rarely occurs that frequently for healthcare companies. But shouldn’t it, especially when providers are protecting our most sensitive health data?

Not So Fast, We Still Have Work to Do

Perhaps we’re getting ahead of ourselves. Before healthcare data becomes completely digital — or even partially digital — the industry has to be prepared for change. Independent security researcher Rod Soto said that healthcare in the U.S. has a long way to go before going all-in on EHRs.

“Although government regulation has helped to move [the industry] in the digital direction, the evolution of technology and standards sometimes goes faster than the speed of the industry’s willingness to keep up,” Soto said. “This situation where many of the acquired technologies quickly become outdated or obsolete does not match the conservative mindset of the healthcare industry, [and] pushes many organizations to just wait or simply not embrace digital transformation.”

The seemingly endless news about successful breaches and destructive attacks against healthcare institutions doesn’t help, either. So is there any sort of shift that needs to happen to turn the tide?

According to Soto, while a shift may occur, it won’t be anytime soon. “The healthcare industry is known for dealing with significant amounts of legacy, outdated, unmanaged and unpatched systems,” he said. “Malicious actors know this and actively target healthcare organizations.”

Threat actors know the value of the information those systems hold. Because they’ve had success with past breaches, they understand these institutions will pay a ransom if pressed and, if not, they can easily sell the information on the dark web.

Why We Should Wait to Go All-In on EHRs

This may be belaboring the obvious, but we need to be more proactive in keeping systems up to date and patching them to reduce the attack surface.

“That includes more manpower and stricter security controls,” Soto said. “I notice that a lot of the attacks on those organizations usually come from outdated, unmanaged systems.”

Soto does not recommend going fully digital without having a hard copy of records or an off-site backup.

“As antiquated as it may sound, in many instances, where either outages, destructive crimeware or ransomware campaigns have been successful, the hard copy and off-site backups have helped the affected organizations,” he added.

It sure seems like we need to take our time before transitioning to electronic health records. Given the current healthcare breach statistics — more than 2 million healthcare records were compromised in February 2019 alone, a 330 percent increase from January, according to HIPAA Journal — sitting back and watching how the transformation plays out in other countries may be the most prudent strategy.

In the meantime, those in the health industry should follow the Department of Health and Human Services’ cybersecurity guidelines for the healthcare sector, where professionals can share healthcare security best practices to mitigate risk and boost cybersecurity programs across the industry.

The post The US Is Slow to Adopt EHRs, But That Might Actually Be a Good Thing for Healthcare Security appeared first on Security Intelligence.

Here Are the Free Ransomware Decryption Tools You Need to Use

If your computer gets infected with ransomware, follow the steps below to recover your data:


Step 1: Do not pay the ransom because there is no guarantee that the ransomware creators will give you access to your data.

Step 2: Find any available backups you have, and consider keeping your data backups in secure, off-site locations.

Step 3: If there are no backups, you have to try decrypting the data locked by ransomware using the best ransomware decryption tools available.

In this anti-ransomware guide, we included these free decryption tools you can use to avoid all types of malware.

Navigate through these links to learn more.

How to identify the ransomware you’ve been infected with
Ransomware decryption tools
Explanation on ransomware families and tools for decryption
How to avoid ransomware in the future
Quick checklist for ransomware protection

How to identify the ransomware you’ve been infected with

Oftentimes, the ransom note provides details about the type of ransomware your files have been encrypted with, but it can happen that you don’t have this information at hand. Readers have asked us to show which encryption extensions belong to which ransomware families. Many of these extensions signaled new types of encrypting malware, for which there are no decryptors available.

If you need help with identifying what type of ransomware is affecting your system, you can use these two tools below:

Crypto Sheriff from No More Ransom

ID Ransomware from MalwareHunter Team

Ransomware decryption tools – an ongoing list

Disclaimer:

You should know that the list below is not complete and it will probably never be. Use it, but do your own documented research as well. Safely decrypting your data can be a nerve-racking process, so try to be as thorough as possible.

We’ll do our best to keep this list up to date, and add more tools to it. Contributions and suggestions are more than welcome, as we promise to promptly follow up on them and include them on the list.

Some of the ransomware decryption tools mentioned below are easy to use, while others require a bit more tech knowledge to decipher. If you don’t have technical skills, you can always ask for help on one of these malware removal forums, which feature tons of information and helpful communities.

OpenToYou decryption tools

Globe3 decryption tool

Dharma Decryptor

CryptON decryption tool

Alcatraz Decryptor tool // direct tool download

HiddenTear decryptor (Avast)

NoobCrypt decryptor (Avast)

CryptoMix/CryptoShield decryptor tool for offline key (Avast)

Damage ransomware decryption tool

.777 ransomware decrypting tool

7even-HONE$T decrypting tool

.8lock8 ransomware decrypting tool + explanations

7ev3n decrypting tool

AES_NI Rakhni Decryptor tool

Agent.iih decrypting tool (decrypted by the Rakhni Decryptor)

Alcatraz Ransom decryptor tool

Alma decrypting tool

Al-Namrood decrypting tool 

Alpha decrypting tool

AlphaLocker decrypting tool

Amnesia Ransom decryptor tool

Amnesia Ransom 2 decryptor tool

Apocalypse decrypting tool

ApocalypseVM decrypting tool + alternative

Aura decrypting tool (decrypted by the Rakhni Decryptor)

AutoIt decrypting tool (decrypted by the Rannoh Decryptor)

Autolocky decrypting tool

Badblock decrypting tool + alternative 1

BarRax Ransom decryption tool

Bart decrypting tool

BitCryptor decrypting tool

BitStak decrypting tool

BTCWare Ransom decryptor

Cerber decryption tool

Chimera decrypting tool + alternative 1 + alternative 2

CoinVault decrypting tool

Cry128 decrypting tool

Cry9 Ransom decrypting tool

Cryakl decrypting tool (decrypted by the Rannoh Decryptor)

Crybola decrypting tool (decrypted by the Rannoh Decryptor)

CrypBoss decrypting tool

Crypren decrypting tool

Crypt38 decrypting tool

Crypt888 (see also Mircop) decrypting tool

CryptInfinite decrypting tool

CryptoDefense decrypting tool

CryptoHost (a.k.a. Manamecrypt) decrypting tool

Cryptokluchen decrypting tool (decrypted by the Rakhni Decryptor)

CryptoMix Ransom decrypting tool

CryptoTorLocker decrypting tool

CryptXXX decrypting tool

CrySIS decrypting tool (decrypted by the Rakhni Decryptor – additional details)

CTB-Locker Web decrypting tool

CuteRansomware decrypting tool

Damage ransom decrypting tool

Dharma Ransom Rakhni decryptor tool

DeCrypt Protect decrypting tool

Democry decrypting tool (decrypted by the Rakhni Decryptor)

Derialock ransom decryptor tool

DMA Locker decrypting tool + DMA2 Locker decoding tool

Fabiansomware decrypting tool

Everbe Ransomware decrypting tool

Encryptile decrypting tool

FilesLocker decrypting tool

FenixLocker – decrypting tool

Fury decrypting tool (decrypted by the Rannoh Decryptor)

GhostCrypt decrypting tool

Globe / Purge decrypting tool + alternative

Gomasom decrypting tool

GandCrab decrypting tool

Harasom decrypting tool

Hacked decrypting tool

HydraCrypt decrypting tool

HiddenTear decrypting tool

Jaff decrypter tool

Jigsaw/CryptoHit decrypting tool + alternative

KeRanger decrypting tool

KeyBTC decrypting tool

KimcilWare decrypting tool

Lamer decrypting tool (decrypted by the Rakhni Decryptor)

LambdaLocker decryption tool

LeChiffre decrypting tool + alternative

Legion decrypting tool

Linux.Encoder decrypting tool

Lock Screen ransomware decrypting tool

Locker decrypting tool

Lortok decrypting tool (decrypted by the Rakhni Decryptor)

Marlboro ransom decryption tool

MarsJoke decryption tool

Manamecrypt decrypting tool (a.k.a. CryptoHost)

Mircop decrypting tool + alternative

Merry Christmas / MRCR decryptor

Mole decryptor tool

Nanolocker decrypting tool

Nemucod decrypting tool + alternative

NMoreira ransomware decryption tool

Noobcrypt decryption tool

ODCODC decrypting tool

Operation Global III Ransomware decrypting tool

Ozozalocker ransomware decryptor

PClock decrypting tool

Petya decrypting tool + alternative

Philadelphia decrypting tool

PizzaCrypts decrypting tool

Pletor decrypting tool (decrypted by the Rakhni Decryptor)

Pompous decrypting tool

PowerWare / PoshCoder decrypting tool

Popcorn Ransom decrypting tool

PyLocky Ransomware decrypting tool

Radamant decrypting tool

Rakhni decrypting tool

Rannoh decrypting tool

Rector decrypting tool

Rotor decrypting tool (decrypted by the Rakhni Decryptor)

Scraper decrypting tool

Shade / Troldesh decrypting tool + alternative

SNSLocker decrypting tool

Stampado decrypting tool + alternative

SZFlocker decrypting tool

Teamxrat / Xpan decryption tool

TeleCrypt decrypting tool (additional details)

TeslaCrypt decrypting tool + alternative 1 + alternative 2

Thanatos decryption tool

TorrentLocker decrypting tool

Umbrecrypt decrypting tool

Wildfire decrypting tool + alternative

WannaCry decryption tool + Guide

XData Ransom decryption tool

XORBAT decrypting tool

XORIST decrypting tool + alternative

MoneroPay Ransomware decrypting tool

Explanation on ransomware families and tools for decryption

As you may have noticed, some of these ransomware decryption tools work for multiple ransomware families, while certain strains have more than one solution (although this is rarely the case).

From a practical perspective, some of the decryptors are easy to use, while others require technical know-how. As much as we’d like this process to be easier, that isn’t always possible.

No matter how much work and time researchers put into reverse engineering cryptoware, the truth is that we’ll never have a solution to all of these infections. It would take an army of cyber security specialists working around the clock to get something like this done.




How to avoid ransomware in the future

One of the most efficient ways to prevent the threat of ransomware from wreaking havoc and locking your sensitive data is to remain vigilant and be proactive.

In fact, we strongly recommend that you apply the basic and simple steps we outlined in the anti-ransomware security plan, which can help you prevent this type of cyber attack.

Even if cyber criminals get access to your computers and infect them with malware, you can just wipe the system clean and restore your latest backup. No money lost and, most importantly, no important information compromised! So, please, do not postpone the process of doing a backup of your data. Not tomorrow, not this weekend, not next week. Do it NOW!

It also helps to raise awareness of this topic and share the basics of proactive protection with your friends and family, because it could prevent them from becoming ransomware victims.

As new types of ransomware emerge, researchers decrypt some strains, but others get new variants. It may look like a cat-and-mouse game, in which proactivity is vital.

Quick checklist for ransomware protection

Following this actionable protection guide will help both Internet users and organizations better prevent the ransomware attacks that cause so much damage. Take the time to read this checklist to learn more about enhancing your online protection.


This article was originally published by Andra Zaharia on October 5th, 2016 and was updated by Ioana Rijnetu in March 2019.

The post Here Are the Free Ransomware Decryption Tools You Need to Use appeared first on Heimdal Security Blog.

A Busy IT Infrastructure Can Lead to Security Disaster

Who doesn’t love new technology, especially when it promises to make tasks easier and improve productivity? That eagerness to add new technology — something IT staff often encourages security leadership to do — has led to the digital transformation, the use of digital technology to solve problems. Smartphones, tablets and cloud computing have been leading the way in the workplace’s digital makeover, but the growing popularity of the internet of things (IoT) could totally change the look of IT infrastructure.

However, digital transformation isn’t all fun and games for security staff. While security teams may enjoy new technology, it can also add cybersecurity complications, particularly when these technologies share an infrastructure.

The PCI-Compliant Vending Machine

During his keynote address at CPX 360 in February, Jeff Schwartz, vice president of North American engineering at Check Point, told a story of the upgraded break room vending machine. Because fewer people carry paper money or loose change, a company decides to upgrade its snack machine to take credit cards. That’s great news for the employee who wants his or her 3 p.m. chip fix but only uses plastic to pay.

However, as Schwartz pointed out, now that the vending machine accepts credit cards, it must follow payment card industry (PCI) compliance standards. If that gets overlooked, the vending machine could end up costing the company in fines. The vending machine will also be hooked up to the internet so it can process the transactions. Now it is at risk of being hacked. If the vending machine is hacked, it opens a door for threat actors to enter your network.

So, what initially looked like a convenience turned into a security headache. With the growth of the IoT and digital transformation, expect this to become a burgeoning risk vector. As Schwartz told his audience, shared resources and IT infrastructure create more opportunities to lose data.

Increased Reliance on Technology Impacts Risk

Simply put, new technology almost always has an impact on risk. New endpoints offer new potential openings for threat actors to exploit. That’s not saying that we don’t need or want the technology; instead, to better secure networks and data, we need to better understand what’s going on with those new endpoints.

With the IoT, devices, appliances and machinery we once never gave a second thought to are all now connected to the internet — but what do you know about that connectivity? New elevators are now smart elevators, for example, so not only are they adding another endpoint to your network, they are also collecting data.

A device such as an elevator is likely controlled by a third party, meaning that they also have access to the network and data. If the building is shared by a dozen companies, you add in a mixture of data and networks. Who is in charge of the security for the elevator? Who is responsible for the data collected and its protection? What do you know about the elevator company’s security practices? Did you even think you had to worry about the elevator?

Be Mindful of Customer Data

Digital transformation is accomplished not just with business efficiency in mind, but also for customer convenience. In fact, your customers want an easier interaction with your company, and that often comes through technologies such as artificial intelligence (AI), machine learning (ML) and the IoT. Customer-facing AI, such as chatbots, can improve customer communications, for example.

“Customer expectations are far exceeding what you can really do,” George Westerman, principal research scientist with the MIT Sloan Initiative on the Digital Economy, told CIO. “That means a fundamental rethinking about what we do with technology in organizations.”

So, yes, customers have high expectations for the technology your company uses to facilitate better consumer relationships. However, thanks to high-profile data breaches and increasing awareness about data privacy regulations, customers also want to make sure their data is safe. In fact, Schwartz noted in his speech that you shouldn’t be surprised if consumers begin to make their purchasing decisions based on the way your company collects, uses and stores customer data.

Are You in Control of Your IT Infrastructure?

This takes us back to shared IT infrastructure. It isn’t a matter of knowing what endpoints are on the network and collecting data, but how those endpoints have shifted as technology shifts. Having a coffee pot operated by an app is a great convenience for your staff, but how does that impact data gathering? Same with that chatbot: It is certainly a convenient and perhaps cost-efficient way to build customer relations, but your security team better know how the conversations are collected and how the company uses that data or it could turn into a privacy nightmare.

We are still learning how much information sharing is happening on some infrastructures. For example, a smart TV may be an excellent way for an organization to view sensitive corporate or consumer (e.g., a patient in a hospital room) information, but at the same time, employees (or that patient) could use that same TV to tune into their Netflix or Hulu account during their lunch break. Suddenly, you have corporate data mingling with personal data. If it turns out that Netflix is the victim of a data breach, that sensitive corporate data is now at risk.

The more common the IoT and other emerging technologies become in the workplace, the more chief information security officers (CISOs), IT leaders and other decision-makers will need to consider the overall impact of every device using that IT infrastructure. It isn’t a matter of what is connected to your network, but how it is connected and whether you are able to control that connection’s security.

The post A Busy IT Infrastructure Can Lead to Security Disaster appeared first on Security Intelligence.

Let’s Make 2019 the Year of Fewer Records Compromised in Data Breaches

The first quarter of every year produces dozens of reports that both reflect on the threats of the previous year and look ahead to understand how to avoid future security breaches. No single report can offer a foolproof approach to data protection, but the findings in the Identity Theft Resource Center (ITRC)’s “2018 End-of-Year Data Breach Report” serve as a stark reminder of why companies should take a layered approach to security.

A notable and somewhat confounding takeaway from the report was that, despite fewer reported data breaches compared to the previous year, 2018 saw a 126 percent uptick in the number of records breached containing personally identifiable information (PII). In many cases, these breaches were the result of the continued use and reuse of passwords and usernames, as well as vulnerabilities caused by third-party vendors.

How can industry leaders turn last year’s surge in stolen records into a record-breaking year of cybersecurity success?

The Perfect Cyber Threat Storm

Unfortunately, a lack of resources in budget and skilled staff remain the top reasons why many organizations lag in their overall security postures. All the while, though, today’s cybercriminals are increasingly monetizing their activities in various creative ways.

Additionally, the report found that consumers are continuing to choose convenience over security, believing that it is the business’ responsibility to protect the data it collects. That’s why only safeguarding networks is not enough, according to Byron Rashed, vice president of marketing at Centripetal Networks.

“It’s a combination of layered security best practice and user cybersecurity education that will greatly mitigate risk,” said Rashed. “From phishing to ransomware, the attackers’ schemes have become more complex and, in many circumstances, extremely damaging. Add into the equation human error and you now have the perfect cyber threat storm.”

A Familiar Weather Pattern of Data Breaches

What some might see as the brewing of a perfect threat storm, others recognize as a familiar threat. Here, the old adage that hindsight is 20/20 rings true, and it gives defenders a slight advantage. Armed with the insight of what went wrong last year, security professionals can be more proactive in building defense in depth. The enormous jump in the number of exposed sensitive records indicates that organizations should strengthen their data privacy efforts. Looking at a breakdown of the types of compromises from the ITRC report, 39 percent of breaches resulted from hacking and 30 percent resulted from unauthorized access.

Understanding attack methods will inform mitigation, but it’s also important to push through fear, uncertainty and doubt to see that things may not be as bleak as they appear. After all, the report did find that the actual number of data breaches fell by 23 percent from 2017. The business industry, which had the largest number of breaches, also had the least number of records exposed.

“Yes, hackers continue to succeed at stealing more records, but really, how many times can they steal the same Social Security number?” said John Gunn, chief marketing officer at OneSpan. “More importantly, the methods for verifying the identity for someone conducting a remote digital transaction have experienced huge gains in the past year with biometric and behavioral techniques enhanced by artificial intelligence (AI).”

While threat actors may be getting more data, banks and merchants are getting better at stopping the fraud these cybercriminals would otherwise commit with that compromised data, according to Gunn. By sharing massive amounts of information, financial institutions can leverage AI, machine learning-based analyses and anti-fraud platforms to enable the detection of new malware threats and previously hidden attacks in real time.

Build a Foundation of Proactive Cybersecurity Measures

There is arguably no way to say that any particular security strategy can completely prevent a cyberattack, but there are many ways companies can prepare for threats so they are better able to detect and respond to cyberattacks when they do happen.

“Organizations need to build a foundation of proactive measures, such as frequent employee training, preventative security controls and staying up to date with industry best practices,” said Andy Wright, regional director, Northern Europe for Check Point.

Because innovation is moving so swiftly, keeping abreast of industry best practices can seem like a full-time job on its own. Added to that is the reality that attackers are constantly evolving their campaigns, often exploiting zero-day vulnerabilities with attacks that have no known signature — meaning they evade the detection of most antivirus tools.

Making everyone within the organization aware of security risks to the company will help create a security-aware culture in which end users are encouraged to report security issues without the fear of negative consequences. “Reporting a human error early on can help identify and prevent intrusions, which will stop the attack earlier in the kill chain,” said Chad Cragle, information security officer at FormAssembly. If employees feel that their jobs are not at risk for reporting human errors, they are more inclined to share useful information with the security team.

Part of training employees includes education about spear phishing and common malware exploits so that workers are familiar with and better able to identify these threats — and also less likely to fall victim to newer, emerging threats. When employees know what to look for, they are more risk-aware and more likely to report errors early on.

In addition, implementing password updates and two-factor or multifactor authentication will help mitigate the risk of unauthorized access to systems and resources.

“This can be supported by using encrypted PCs and devices. These measures should also be extended to third-party vendors to ensure they’ve enabled the proper security protocols that prevent hackers from accessing their network and jumping across,” Wright said.

Fight the Storm With a Layered Approach to Security

Organizations can build defense in depth through a layered approach to security, which includes intrusion prevention and threat detection and response tools, encryption, access controls, and data loss prevention tools. Because security is not only about technology, it’s also important to think about defense as it relates to people and processes. Another critical piece of preventing and blocking threats is having clear policies that are tested and consistently updated, particularly when it comes to risk management and software updates.

If your security program has all these aspects, you’re well on your way to helping make 2019 a record-breaking year of cybersecurity success.

The post Let’s Make 2019 the Year of Fewer Records Compromised in Data Breaches appeared first on Security Intelligence.

Top 550+ Funny Passwords Ever Encountered

Here it is ladies, gents, and rascals: the ultimate list of funny passwords ever encountered online! Browse through every funny idea someone ever had, delight yourself with funny face-palm moments from sysadmins, and smirk to your heart’s content!

Passwords are something we all struggle with, since we need so many of them and, for security reasons, they need to be different. (If you’ve been using the same password for several accounts, I won’t judge you, but you need to fix this ASAP because you’re vulnerable to credential stuffing attacks).

A word of caution first: There are plenty of online blogs publishing similar lists of funny passwords or Wi-Fi user names and so on. Some users might feel encouraged to actually use these for their accounts when they lack inspiration for what password to set. Maybe you also think that if you set a funny password, it will be easier to remember it later on.

I cannot stress enough what a dangerous strategy this is. First of all, hackers are continuously trying out all account and password combos they can get their hands on. Just like in those credential stuffing attacks linked above. That means that once a password idea appeared in text form somewhere online, you can be sure it will get uploaded into a credential stuffing script sooner or later.

Second of all, if that password makes sense to the human mind (if it’s semantically logical), then it’s not a very secure one. Obviously, funny passwords aren’t made up of random strings of varied characters and numbers, such as security guidelines suggest. So, as much as I feel your frustration, I believe I should insist that you don’t pick an easy to remember but funny password. Here’s our password security guide for creating a strong password in case you don’t know where to start.
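The argument above, that a password which has appeared in text form online (or any obvious variant of it) should be treated as already known to attackers, can be enforced when a password is set. The following Python code is an added example, not part of the original post; the function names and the small `PUBLISHED` sample (a few entries copied from the lists on this page) are assumptions for illustration.

```python
import re

# Constructed sample: a few entries copied from the lists on this page, standing
# in for the much larger published/breached corpora a real deployment would load.
PUBLISHED = [
    "password", "changeme", "qwerty", "justdoit", "ColaCola",
    "WinterIsComing", "HastaLaVistaBaby", "OneDoesNotSimplyLogIntoMordor",
]

# Common character substitutions that password-mangling rules undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def fold(text):
    """Lowercase, undo leet substitutions, and keep letters only."""
    folded = text.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)


def canonical_forms(password):
    """Fold the password twice: as typed, and with leading/trailing
    digits and symbols removed (the 'word + 123' or 'word!' pattern)."""
    trimmed = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return {form for form in (fold(password), fold(trimmed)) if form}


def build_blocklist(entries):
    """Store every published entry in folded form so variants collide with it."""
    return {fold(entry) for entry in entries}


def check_password(password, blocklist):
    """Return (accepted, reason) for a candidate password."""
    hits = canonical_forms(password) & blocklist
    if hits:
        return False, "variant of published password: " + sorted(hits)[0]
    return True, "not on blocklist"


def audit(candidates, entries=PUBLISHED):
    """Check several candidates against a blocklist built from `entries`."""
    blocklist = build_blocklist(entries)
    return {pw: check_password(pw, blocklist) for pw in candidates}


if __name__ == "__main__":
    samples = ["P@$$w0rd", "password123", "ColaCola42",
               "W1nter-Is-Coming!", "vR9#kQ2m!xLp7Tz"]
    for pw, (ok, reason) in audit(samples).items():
        print("ACCEPT" if ok else "REJECT", pw, "-", reason)
```

Passing this check only means the candidate is not a simple variant of a listed entry; it says nothing about length or randomness, which still have to be enforced separately.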


‘Password strength’, from my favorite webcomic source, XKCD.

That being said, this doesn’t mean we can’t share a laugh about all the funny passwords that can be found online. Here are my absolute faves, compiled from all over the world wide web, from crazy stories from friends and coworkers and so on:

A. Passwords for really forgetful people

1. password
2. ineedapassword
3. changeme
4. secret
5. iamforgetful
6. newpassword
7. IamACompleteIdiot
8. nothing
9. nothingagain
10. iforgot
11. whydoialwaysforget
12. qwerty
13. asdf
14. aslpls (old-school mIRC users will remember this)
15. user
16. YouWontGuessThisOne
17. PasswordShmashword
18. youmoron
19. doubleclick
20. iamnottellingyoumypw
21. masterpassword
22. yetanotherpassword
23. nomorepasswords
24. password123
25. myonlypassword
26. cantremember
27. dontaskdonttell
28. memorysucks
29. earlyalzheimers
30. passwordforoldpeople

Do these all seem kind of dumb? I personally know of at least a few real-life examples of businesses which used one or more passwords from the list so far. But don’t judge! The truth is, we’re not meant to remember long strings of chars effortlessly. That’s why 2FA and password managers help.

B. Passwords with movie or pop culture references

31. SayHelloToMyLittleFriend
32. HastaLaVistaBaby
33. IllBeBack
34. ThereIsNoSpoon
35. FranklyMyDear
36. HappyBirthdayMrPresident
37. WellAlwaysHaveParis
38. GoAheadMakeMyDay
39. NotInKansasAnymore
40. TheForceIsStrongInThisOne
41. ElementaryMyDearWatson
42. MyPreciousssPasssword
43. HoustonWeHaveAProblem
44. LifeIsLikeABoxOfChocolates
45. YouCantHandleThePassword
46. NobodyPutsBabyInACorner
47. YouHadMeAtPassword
48. InternetTheFinalFrontier
49. PasswordKarmaChameleon
50. ChewieWereHome
51. ImNoMan
52. ThereCanOnlyBeOneImmortal
53. HulkLikeRagingFireThorLikeSmolderingFire (obviously, considering the name of our Thor security product, this Marvel reference cracked us up the most)
54. DontWorryBeHappy
55. ForTheHorde
56. IAmMrRobot
57. WinterIsComing
58. SpaceTrooper
59. BeamMeUpScotty
60. ISolemnlySwearImUpToNoGood (as a Potterhead I really love this one but I’ll refrain from using it, of course)

C. Passwords with brand references

61. ColaCola*insert random number here* (believe it or not, this is one of the most common weak but funny passwords people use)
62. BigMacforevah
63. MacIsForWoosies
64. TheAxeEffect
65. Tastetherainbow
66. justdoit
67. HaveaBreakHaveaKitKat
68. NoMoreRockyRoads
69. Pepsinotcola
70. ImsuchaGAPgirl
71. CowabungaDude
72. DontGoogleThis
73. Ilovepopsicles
74. MacLippies
76. HakunaMatata
77. MotherOfDragons
78. TheOneAndOnlyKhaleesi
79. AryaStarkWasHere
80. FedoraTheExplorer
81. XeroxThis
82. NotOnMySwatch
83. KentuckyFriedChicks
84. WorksLikeAPandoraCharm
85. JustNukeIt
86. NokiaConnectingPeople
87. AMacADayKeepsNoobsAway
88. MyPapaWasARollingStone
89. AreMilkaCowsReallyPurple
90. FizzieFizzleSticks
91. Bond007
92. GuinessTheRealTasteiofIreland
93. Corvette1313
94. ChicagoBullsFan
95. AlwaysAmericanApparel
96. Playboy
97. FerrariGolfer
98. Oreocookies
99. YabadabadooYahoo
100. OldMacDonaldHadaBurger
101. LOGGRedneck
102. FasterThanFedEx
103. TrailerParkIBMEngineer
104. SellMySoulonEbay
105. Amazonsonline
106. LikeAVirginiaSlim
107. WorldWildlifeFun
108. Shellpitstop
109. NoMoreBucksforStarbucks
110. Disneymonster
111. JingleTacoBells
112. RollsAnotherRoyce
113. FidelCastroCigars
114. EssieFingerTips
115. dragonballZ
116. giants
117. Marlboro
118. Yamaha
119. harleydavidson
120. jaguar
121. armaniman
122. magnum
123. broncos
124. Nascar
125. thunderbird
126. doubletwix
127. mustang
128. diablo777
129. devilwearsprada
130. barnesandnoble

D. Passwords with musical references

131. SmellsLikeNirvana
132. KurtCobainWasHere
133. Listentothesoundofsilence
134. simonandgarfield
135. DJphantomoftheopera
136. gregorianchants (I love whoever thought of this one!)
137. Beatles
138. IAintNoHollabackGirl
139. PrinceofAllPurpleRains
140. StairwaytoHeaven
141. SummertimeHapiness
142. NothingElseMatters
143. WeretheLordsoftheBoards
144. BluejeanbabyLALady
145. DieAntwoortPassword
146. HelterSkelter66
147. IbelieveIcanfly
148. BornInTheUSofA
149. TheGreenGreenGrassofHomepage
150. CameinlikeaWr3kkB4ll
151. GiveANametoAlltheAnimals
152. LeonardodiCohen
153. HitMeBaby1MoreTime
154. HotelCaliforniaDreaming
155. CottonEyeJoe
156. Celticsounds
157. HappyNation
158. LaVieEnRose
159. WakeMeUpSeptemberEnds
160. Firestartah
161. YYYDelilah
162. BillieJeanNotMyGirl
163. RockULikeaHurricane
164. GalileoGalileo
165. PutYourLightsOn
166. BrimfulOfAsha45
167. StillGotTheBlues
168. StraightOuttaCompton
169. Walktheline
170. theramones
171. IWishIwasaPunkRocker
172. Another1BitestheDust
173. EveryBreathYouTake
174. lacrimosa
175. requiem
176. HelloMyNameIsDoctorGreenthumb
177. IfIWasARichGirlNanana
178. WhotheFisAlice
179. ThieveryCorp
180. BrickIntheWall
181. RollOverBethoven
182. 2princes
183. GenesisPhil
184. Ke$$a
185. ImagineAllThePeople
186. WaterlooSunset
187. ISaidMaybe
188. hallelujah
189. GoodBeachVibrations
190. FamilyAffair
191. SultansOfSwing
192. RiverDeepMountainHigh
193. MarvinGayeFan
194. ShouldIStayOrShouldIGo
195. RealSlimShadyPlsStandUp
196. BehindBlueEyes
197. MyBabyWorksfrom9to5
198. CloseMyEyesandCountto10
199. 19thNervousBreakdown
200. 50WaystoLeaveYourLover
201. SummerOf69
202. ICantGetNoSatisfaction
203. SmoothCriminal
204. LikeTheDesertsMissTheRain
205. TooSexyForMyCat
206. Route66
207. DancingQueen
208. SomebodyIUsedToKnow
209. NewKidInTown
210. Lambada
211. CloudNo9
212. BecauseYourGorgeous
213. IGotThePower
214. 1MilByciclesInBeijing
215. ImBlueDaBaDee
216. TeenageDirtBagBaby
217. Anaconda
218. OpaGangnamStyle
219. FightForUrRightToParty
220. HighwayToHell
221. HadTheTimeOfMyLife
222. CaroEmerald
223. Back2Black
224. TheyTried2MakeMeGoToRehab
225. MyFathersGun
226. RedHotChiliPipers
227. Moby123
228. PokerFace
229. RadioGagaRadioGugu
230. JustPushIt
231. UmbrellaElaEla
232. LoveOfMyLife
233. LiquidNarc
234. DontCallMyNameAlejandro
235. LadyInRed
236. AintNobodyLovesMeBetter
237. ByTheRiverOfBabylon
238. OhHackyDay
239. NothingButMammals
240. RussianRoulette
241. KissOfFire
242. IWillSurvive
242. LadyGodiva
243. AmazingGrace
244. ShowMustGoOn
245. CantHelpFalling
246. IWillGoDownWithThisShip
247. LikeARollingStone
248. MeAndBobbyMcGee
249. RowRowRowYourBoat
250. TheDayTheMusicDied
251. SameJeansOnFor4DaysNow
252. DiamondsAndRust
253. EyeOfTheTiger
254. ItsTheFinalCountdown
255. 6FootTallCameWithoutAWarning
256. Barcarole
257. WinnerTakesItAll
258. Carmen
259. MusicOfTheNight
260. LikeAPrayer
261. InMySecretLife
262. StillLovinU
263. TheUnforgiven
264. WarriorsOfTheWorld
265. NeverGonnaGiveUUp
266. ManWhoSoldTheWorld
267. LaIslaBonita
277. LetItBe
278. NoMoreILoveYous
279. TheTimesTheyAreaChangin
280. MadeItThroughTheWilderness

E. Funny names and passwords for Wi-Fi networks

Funny Wi-Fi names (meant to jokingly freak out neighbors or anyone else looking to freeload, or simply for fun):

281. FBISurveillanceVan
282. Pretty_Fly_For_A_Wi-Fi
283. IPronounceUManAndWifi
284. IdentityTheftForFree
285. It_burns_when_IP
286. Troy_and_abed_in_the_modem
287. TheLANBeforeTime
288. LongHairedFreakyPeopleNeedNotApply
289. ImUnderYourBed
290. WuTangLAN
291. WIFightTheInevitable
292. SkynetGlobalDefenseNetwork
293. Bill_Wi_The_Science_Fi
294. ALannisterAlwaysSurfsTheNet
295. FriendlyNeighborhoodSpiderLAN
296. ClickHereforViruses
297. MySonIsAHacker
298. TellMyWifiLoveHer
299. AllUrWifiRBelongToUs
300. GoJihad (not a very politically correct one, but reported by other users as a funny Wi-Fi name meant to scare)
301. ChtulhuIsMyBitch
302. C:Virus.exe
303. MomUsesThis1
304. ConnectAndDie
305. YoureDoneNow
306. TopSecretNetwork
307. PasswordIsPassword
308. ComeAndCleanUpMyHouse
309. WiFi10$PerMinute
310. DontEvenTryIt
311. Anonymouse
312. RedHatHacker
313. GetOffMyLawnYankee
314. I_Can_See_Your_Pixels
315. HeyYou
316. CrazyCatLady
317. SayMyName
318. BondageClub
319. HaHaNextTimeLockYourRouter
320. HackersConference
321. IKilledAManOnce
322. GetYourOwnWiFiLosers
323. TheBeavisAndButtheadResidence
324. DavidCameron
325. TheMysteryVan
326. PaperAirplanes
327. IHatePeopleWithAccents
328. ClickToDonate
329. IRSBackgroundCheck
400. ZombieWedding
401. YourHomeIsBugged
402. TheyAreWatching
403. NSAPhoneTapVan
404. NoFreeInternetHereKeepLooking
405. IfUBuildIt
406. NoCreepyClownsHereHaha
407. ZodiacLetters
408. MrLecterLookingToHaveAFriendforDinner
409. 99_Problems_But_WIFI_Aint1
410. ICanHazWireless
411. LookMaNoWires
412. YourMusicIsAnnoying
413. ShutYourDogUpAlready
414. YouLostYourConnection
415. VirusWiFi
416. PorqueFi
417. WhyFiWhyNot
418. ToFiOrNotToFi
419. StopSnooping
420. TheInternetIsAssur
421. ICanHearYouSnoreFromOverHere
422. PleaseUseMe
423. TakeBackTheEmpire
424. 404NetworkUnavaillable
425. ICanReadYourEmails
426. LANofMilkAndHoney
427. LANDownUnder
428. ThePromisedLAN
429. HugsForDrugs
430. BillNyeTheRussianSpy
431. TheFastAndTheCurious
432. AskYoGirlAboutMe
433. InternetNotUploaded
434. AsFastAsInternetExplorer
435. HairyPoppins
436. SoyMilkBroflakes
437. ToxicMacho
438. OldHaciendaJefes
439. TheBigKahuna
440. BeenThereDoneThat
441. Loading…
442. NameAlreadyInUse
443. Searching…
444. NetworkNotFound…
445. UmbrellaCorporation
446. UDontNeedPantsfortheVictoryDance
447. TheyLaughedAtMeSoIKilledThem
448. Viruses_But_YOLO
449. MalwareInside
450. TheRussianGovernment

Funny Wi-Fi names and passwords (where the fun derives precisely from the combo):

451. Wi-Fi Name: PeekABoo
Wi-Fi Password: ISeeYou
452. Wi-Fi Name: YouShallNotPass
Wi-Fi Password: Runyoufools
453. Wi-Fi Name: WhereDoUCYourselfin5Y
Wi-Fi Password: TheInterviewIsALie
454. Wi-Fi Name: TargetLocated
Wi-Fi Password: RightBehindU
455. Wi-Fi name: QuestionEverything
Wi-Fi Password: Why?
456. Wi-Fi name: MaybeShesBornWithIt
Wi-Fi Password: MaybeItsCaffeine
457. Wi-Fi name: NoMoreExcuses
Wi-Fi Password: Sorry
458. Wi-Fi name: IsthereaDoctorintheHouse
Wi-Fi Password: DrHouse
459. Wi-Fi name: WhoLetTheDogsOut
Wi-Fi Password: hoohoohoo
460. Wi-Fi name: TheShire
Wi-Fi Password: FilthyHobbitses
461. Wi-Fi name: CUL8R_Alligator
Wi-Fi Password: AfterAWhileCrocodile
462. Wi-Fi name: WhatMeatloafWontDoForLove
Wi-Fi Password: That!
463. Wi-Fi name: AliBabasCave
Wi-Fi Password: OpenSesame
464. Wi-Fi Name: MammaMia
Wi-Fi Password: HereIGoAgain
465. Wi-Fi Name: TonyStarksLAN
Wi-Fi Password: PepperPotts
466. Wi-Fi Name: VirusDistributionCenter
Wi-Fi Password: DisHalf
467. Wi-Fi Name: OutOfTheStone
Wi-Fi Password: Excalibur
468. Wi-Fi Name: TitanicSynching
Wi-Fi Password: Iceberg
469. Wi-Fi Name: IWillLoseMyTemper
Wi-Fi Password: FoundIt
470. Wi-Fi Name: HogwartsGreatHall
Wi-Fi Password: AstronomyTower

F. Geeky passwords for wiseguys and wisegals

471. Fishyredherring
472. whistleblower101
473. YouCantGuessThis
474. SnowdenIntelInside
475. BlackHatCat
476. TheItchyAndScratchyShow
477. Lagertha
478. OneDoesNotSimplyLogIntoMordor
479. DHARMAInitiative
480. ZergersGonnaZerg
481. SpeakFriendAndEnter
482. PrincessofBelAir
483. Irecodedthis3times
484. ShiftingKeys
485. MacheteDontPassword (Love this one!)
486. snoopysecret
487. testingtime
488. OcuppyInternetStreet
489. RaidersoftheLostDark
490. BaldursGateway
491. Rajastan895
492. WhiteWalker
493. WeForgotKevin
494. TheyCallMeTrinity
495. Cyberwinter
496. SilentWinter
497. NuclearDeath
498. ToBoldlyGo
499. TheVoyagerAppolo
500. PlatinumConundrum
501. BatmanAndRobbin
502. HarleyQuinnForQueen
503. MermaidsDontDoHomework
504. IAmTheRealZuckerberg
505. IKnowHowToSpell
506. ICanTypeReallyFast
507. TheElderMouseScrolls
508. WorldOfNetcraft
509. ThrallforWarchief
510. Dirge! (WoW players will get this)
511. gingereinstein
512. yourdigitalfantasy
513. QAsniper
514. P@$$w0rd
515. JackAndJillRunUpTheHill
516. FoundaUnicornNamedItFluffy
517. You&M=Serotonin
518. MomFreudWouldBeProud
519. TheyRWatching
520. DropItLikeItsHotspot
521. IAmSherlocked
522. IAmLordVoldemort
523. TheRedQueen (another lovely nod to ResidentEvil)
524. MickeyMinnieGoofyPluto
525. UnfinishedSentenc
526. OP_rah
527. CryptoLifehack
528. HeresJ0hnnY
529. 2SmokingBarrels
530. ShowMeTheLANey
531. NoMorePuns
532. ComeInChosenOne
533. NathanDrakeScalesWalls
534. Gr34tPowerGr34tResponsability
535. MakeLoveNotWarcraft
536. 4chan$ucks
537. KnightsOftheOldRepublik
538. MakeStarcraftGreatAgain
539. ChineseG$$ldFarmer
540. HoboHoboGoblin
541. FataMorgana
542. EagleHasLanded
543. 2$tupidWoofWoof
544. DickDastardlyFlyBy
545. NatashaRomanoffIsOff
546. TheCaffeineBelt
547. 3in4WontGetThis
548. Z1ON0101 (A nod to Zion, the last human city in the Matrix movie trilogy)
549. IAmHeisenberg
550. lastoneisakeeper4real
551. Cecinestpasunepassword
552. LegendOfZelda
553. TheCakeIsALie
554. StillPlayAngband
555. DarkSoulsMasochist

G. Funny passwords reported by sysadmins and other IT people

As a system admin, you sometimes have to ask people for their passwords and many times the insights you get are crazy funny. Here are the best such stories on funny passwords, gathered up from sysadmins all over.

556. A man going through a divorce had set his password to something like ‘DIEMcConnellDIE’, where ‘McConnell’ was the name of his wife’s divorce lawyer.
557. A sysadmin who wanted to poke a bit of fun at a new team member routinely sets their initial password to ‘why’, resulting in hilarious dialogues. ‘What’s the password?’ / ‘Why’ / ‘Because I need to do work’ / ‘Why’ etc.
558. A company’s sales department actually encouraged users to set their password to ‘sales’. Seriously. I hope I don’t need to stress again how dangerous such password-setting habits are.

559. Another company was routinely setting new passwords to balls1. Talk about professionalism.

560. Yohohoandabottleofrum (my personal fave from a sysadmin acquaintance).

How about you? What funny passwords did you encounter (or maybe even used yourself, back when you were an internet baby)?

If you’re sitting on top of a funny one you haven’t seen some variation of above, please do share in the comment field below. I’d really love to hear more!

The post Top 550+ Funny Passwords Ever Encountered appeared first on Heimdal Security Blog.

Data Leak Involving Family Tracking App Exposed 238,000 Users’ Real-Time Locations for Weeks

A data leak involving a family tracking app exposed the real-time locations of more than 238,000 users for weeks as a result of a database misconfiguration.

According to TechCrunch, security researcher and GDI Foundation member Sanyam Jain recently came across a back-end MongoDB database belonging to Family Locator, an app that enables families to track each other in real time. It also allows families to receive notifications when a user in their network leaves a certain location if they’ve designated it using geofenced alerts.

Jain found that the database contained account records for more than 238,000 users of the app. Each of these records consisted of a user’s name, email address, profile picture and passwords in plain text. In addition, the database came with a record of both the user’s and their family members’ real-time locations, as well as the coordinates for their geofence.

TechCrunch independently verified the contents of the database and attempted to contact the app’s developer. When its messages went unanswered, the online publisher asked Microsoft, through which the developer hosted the database using Azure, to contact the individual. Hours later, the database went offline.

Not the First MongoDB Data Leak This Year

We’ve seen similar data leaks of sensitive information already this year. As of this writing, security researcher Bob Diachenko alone has already discovered several unprotected MongoDB databases. In March, for instance, Diachenko came across a misconfigured asset containing more than 250,000 legal documents. This discovery came just days after the researcher found a MongoDB instance with more than 800 million email records stored inside.

Diachenko isn’t the only one who’s come across these types of incidents in 2019, either. Also in March, Victor Gevers of GDI Foundation found 18 unprotected MongoDB databases containing information generated by accounts on several online social services in China. Bleeping Computer reported that a surveillance program implemented in China was likely responsible for that data’s collection.

How to Protect Your Organization’s Data

Security professionals can help avoid a costly data leak by identifying and securing systems that store sensitive details. Security teams should also regularly assess and investigate potential vulnerabilities that digital attackers could exploit to gain access to those systems.

From there, organizations should secure their MongoDB instances using encryption, access controls and other proven security measures.
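
As an added illustration (not part of the original article), the Python sketch below audits a mongod.conf for the three controls named above: access control, network exposure and transport encryption. The two sample configurations and all helper names are constructed for this example; the option names it checks (security.authorization, net.bindIp, net.bindIpAll, net.tls.mode, net.ssl.mode) are MongoDB's own.

```python
# Added example: flag mongod.conf settings that leave a database open.
# Both sample configurations are constructed for illustration.

EXPOSED_CONF = """\
# constructed sample: no auth, all interfaces, no TLS
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
# constructed sample: auth on, loopback plus one private address, TLS required
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""

# Addresses that make mongod listen on every interface.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Parse the nested 'key: value' subset of YAML used by mongod.conf.

    Deliberately minimal: no lists, anchors, multi-line scalars or '#'
    characters inside values.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def lookup(conf, dotted, default=None):
    """Return conf['a']['b'] for 'a.b', or default if any part is missing."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod_conf(text):
    """Return a list of (code, message) findings; empty means all checks pass."""
    conf = parse_simple_yaml(text)
    findings = []

    # Access control: without this, any client that can connect can read data.
    if lookup(conf, "security.authorization") != "enabled":
        findings.append(("no-auth", "security.authorization is not 'enabled'"))

    # Network exposure. An absent bindIp is treated as the localhost default
    # of MongoDB 3.6 and later; older releases need an explicit value.
    bind_ips = {ip.strip() for ip in str(lookup(conf, "net.bindIp", "")).split(",")}
    if lookup(conf, "net.bindIpAll") == "true" or bind_ips & WILDCARD_ADDRESSES:
        findings.append(("all-interfaces", "mongod listens on every interface"))

    # Transport encryption: net.tls.* on 4.2+, net.ssl.* on older releases.
    mode = lookup(conf, "net.tls.mode") or lookup(conf, "net.ssl.mode")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append(("no-tls", "TLS is not required for client connections"))

    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        results = audit_mongod_conf(text)
        print(name, "->", [code for code, _ in results] or "OK")
```

A passing audit covers configuration only; it does not address credentials stored in plain text inside the database, which the leaked records also contained.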

The post Data Leak Involving Family Tracking App Exposed 238,000 Users’ Real-Time Locations for Weeks appeared first on Security Intelligence.

Washington D.C. takes a leaf from GDPR book, introduces new data privacy bill

The US capital region is on track to implement new regulations akin to the EU’s GDPR, the local government of Washington D.C. said in a press release. The law seeks to expand protections for residents’ personal data and includes new compliance requirements for entities handling data of D.C. residents.

Attorney General Karl A. Racine says D.C. residents have been among those recently hit by some of the most serious data breaches in history. The Equifax breach alone, which exposed personal information of over 143 million people, affected 350,000 District residents, he said.

“Data breaches and identity theft continue to pose major threats to District residents and consumers nationwide,” Racine said. “The District’s current data security law does not adequately protect residents. Today’s amendment will bolster the District’s ability to hold companies responsible when they collect and use vast amounts of consumer data and do not protect it. I urge the Council to pass this legislation quickly for the benefit of District residents.”

The Security Breach Protection Amendment Act of 2019 seeks to:

  • Expand the definition of personal information subject to legal protection, including passport numbers, military ID numbers, health and biometric data, and even genetic information.
  • Create new compliance requirements for companies that handle personal information, so as to provide identity theft protection if they expose Social Security numbers, and to inform customers of their rights when a breach occurs and their personal data is at risk.

The Office of the Attorney General would also become the go-to authority for reporting any violation of the District’s Consumer Protection Procedures Act, according to the news release. Readers can view the full bill here.


HOTforSecurity

When It Comes to Incident Response, Failing to Plan Means Planning to Fail

If there’s one thing I’ve learned from working in cybersecurity, it’s that security incidents do not simply occur, they are caused — either by legitimate users who unintentionally expose company data or malicious actors who seek to breach enterprise systems undetected. Unfortunately, it is much easier for attackers to identify exploitable vulnerabilities than it is for security teams to fix every flaw in the company’s network.

While it would seem the odds are insurmountably stacked against cyberdefenders, there is at least one element of an effective incident response program that even the most ingenious attackers cannot take away from security teams: preparedness and thorough planning.

Why the Time to Contain a Breach Matters

One of the most important metrics in incident response is the time it takes to respond to and contain a security event. According to the “2018 Cost of a Data Breach Study,” the costs associated with a breach were 25 percent lower for organizations that managed to contain the incident within 30 days. That’s a difference of more than $1 million when you consider the overall average cost of a breach, which is particularly concerning since the average time between detection and containment is 69 days.

This so-called mean time to contain (MTTC) depends on the organization’s level of preparedness to rapidly switch into emergency response mode and execute the right tasks in the right order — all under the intense pressure and confusion that invariably arises from a crisis situation. That’s why MTTC is a crucial metric in any emergency response plan template.

6 Steps to Strengthen Your Incident Response Plan

Companies with a mature security posture don’t just take a proactive approach to mitigating threats, they also train their employees on what to do in a worst-case scenario and how to implement a break-glass policy within their organizations. This requires security leaders to continuously review their plans for gaps and inefficiencies and adjust them accordingly to thoroughly understand the impact of a potential breach from a remediation perspective.

Below are six key steps organizations can take to step beyond proactive measures and prepare to respond in a worst-case scenario.

1. Get Management Support

An incident response plan does not just apply to IT and security. You will need cooperation and resources from people outside the security organization, including legal, human resources and other departments.

2. Know Your Risks

To develop your incident response plan, you must understand the kind of events you are addressing and their potential impact to your organization. The loss and exposure of data is one example that is critical to virtually all companies, and not just since the General Data Protection Regulation (GDPR) took effect. Other risks to consider include production outages, flawed products and third-party breaches. Security leaders should work closely with risk officers to identify the threats with the greatest potential business impact.

3. Define Roles and Responsibilities

It takes a lot of hard work from a variety of people and business functions to identify, contain and eradicate an incident. Roles must be clear in advance, and everyone must know his or her responsibility in the event of a security incident.

Typically, this is where a predefined group of response specialists, known as a computer security incident response team (CSIRT), steps in. In addition to security experts, this team should include representatives from management as well as other business units.

4. Determine Communication Channels

In case of emergency, it’s critical to define the relevant communication channels. Communication channels must be open at all times, even if the normal channels are compromised or temporarily unavailable. It’s also important to establish guidelines for what details should be communicated to IT, senior management, relevant departments, affected customers and the public.

5. Rules of Engagement

A lot can go wrong during incident response activities. Valuable information can be destroyed through recklessness and thoughtlessness or, worse, by an attacker who is just waiting to exploit poor user behaviors. Therefore, incident response steps should follow a clear structure and methodology, such as the SANS Institute’s six-step incident response framework and other publicly available resources that can be adapted to fit an organization’s unique needs.

6. Train the Plan

The worst thing you can do is wait until a crisis occurs to execute your incident response process for the first time. Tabletop exercises and run books are always beneficial, but it is most critical to regularly drill the response flow and strive to improve its results in every subsequent drill. It’s also helpful for team members to join discussion groups and share successful practices with other teams to sharpen incident response plans and reduce the potential damage from an impending attack.

The Benefits Outweigh the Costs

While a break-glass policy can add more layers of protection in the event of a breach, it also adds to the workload of your already overwhelmed staff. That’s why many organizations are hesitant to step forward. But the benefits of containing the damage within a short period of time far outweigh the cost of this investment. By adapting a tried-and-true emergency response plan template to your organization’s incident response needs and business goals, you will be in a much better position to minimize the damage associated with a data breach.

The post When It Comes to Incident Response, Failing to Plan Means Planning to Fail appeared first on Security Intelligence.

How to Lift the Veil on Mobile Application Security Threats

Mobile applications have revolutionized the way we consume information. Nowadays, most organizations leverage these powerful tools to enhance their employees’ agility with services that are available 24/7. But granting applications access to highly sensitive corporate data also widens the mobile attack surface, which is why it’s crucial to not overlook the associated application security threats.

Mobile Apps Complicate the Data Privacy Picture

A mobile application is like an iceberg; most of its behaviors are executed silently. On one hand, it can be inherently malicious and feature malware that, when hosted on a device, targets the user’s data, credentials, transactions and more. These behaviors are mostly found in applications available on third-party stores, but sometimes also in major commercial app stores. In 2019, Pradeo Lab discovered that 5 percent of Android and 2 percent of iOS apps hosted malicious programs.

On the other hand, a mobile application doesn’t need to be malicious to hurt collaborators’ privacy. Greyware is a category of application that comprises intrusive apps that exfiltrate user data to the network (67 percent of Android apps and 61 percent of iOS apps) as well as vulnerable apps developed without following security best practices (61 percent of Android apps).

Either way, mobile apps have the power to severely compromise corporate data privacy. Today, security heads are stuck with the major challenge of complying with data privacy laws and enhancing user productivity while preserving their agility.

Shed Light on Mobile Application Security Threats in Your Network

Organizations that distribute mobile apps are encouraged — and required by law in some industries — to diagnose their security levels prior to release. To shed light on all aspects of a mobile app, it is necessary to audit it with a mobile application security testing (MAST) tool. MAST solutions perform multidimensional analyses (static and dynamic) that allow security teams to detect all app behaviors and vulnerabilities. This way, organizations can ensure that the apps they are about to release do not threaten the privacy of any corporate or personal data. If they do, this process will help the relevant parties repackage them.

MAST solutions are available as software-as-a-service (SaaS) and sometimes as an application programming interface (API) to integrate within developers’ environments. In addition, some unified endpoint management (UEM) solutions are starting to integrate this kind of service within their platform to facilitate security heads’ experience.


The post How to Lift the Veil on Mobile Application Security Threats appeared first on Security Intelligence.

Adopting the NIST 800-53 Control Framework? Learn More About the Anticipated Changes in 2019

The final version of the National Institute of Standards and Technology (NIST)’s Special Publication (SP) 800-53 Revision 5 is on the horizon for 2019. What does the initial public draft tell us about what we can expect in its final version? Even more importantly, what does it mean for organizations seeking to adopt the new guidelines?

NIST SP 800-53 Revision 5 is expected to deliver major updates to the existing fourth revision, which was originally published in 2013. Since its inception, this publication has been the de facto guideline for security control implementations, security assessments and Authorization to Operate (ATO) processes for government information systems. There are many draft changes in the fifth revision, but one of the most significant impacts is that it marks a departure from limiting the control sets to federal information systems. The framework is now recommended for all systems in all industries.

In addition to control baseline updates, other major changes NIST anticipates will be in the final version include:

  • Organizations must now designate a senior management official responsible for managing the security policies and procedures associated with each control family.
  • Changing the structure of the controls to be more outcome-based, which leads to increased clarity, consistency and understanding.
  • Full integration of privacy controls into the security control catalog to create a consolidated view of all controls.
  • The addition of two new privacy control families: Individual Participation (IP) and Privacy Authorization (PA).
  • Program Management (PM) control family nearly doubles in scope (includes additional emphasis on privacy and data management).
  • New appendices to detail the relationship between security and privacy controls.

What Will NIST 800-53 Rev. 5 Mean For Organizations?

The changes expected in the fifth revision touch on a variety of subjects and affect a wide range of business and security functions. Below are some areas that will be particularly affected and considerations that will have a significant impact on how organizations manage their security programs.

Senior Management Ownership

First and foremost, leadership accountability is given much greater emphasis across the framework. Organizations will need to identify key senior management personnel to own specific policy efforts and oversight actions for the life of each system. By driving accountability from the top down, organizations stand to benefit from executive sponsorship of security policies and gain better visibility into the effectiveness of governance controls and the organization’s overall security status.

Data Privacy

Dedicated privacy control families and new privacy guidance woven into existing controls drive greater focus on privacy and sensitive data management. Privacy needs to be ingrained into all aspects of cybersecurity now and in the future, especially with new regulations in place to protect personal data. Organizations may need to review their org chart to ensure it provides the most effective strategic alignment between C-suite, security and privacy teams. Ownership of control implementations between security and privacy will be a key decision point when transitioning to the final release of Revision 5 in the near future.

Third-Party Assessments

NIST SP 800-53A will undergo a fifth revision in conjunction with the updates to SP 800-53. This is the companion document third-party assessors use as part of the ATO process to determine the effectiveness of control implementations and evaluate risk posture. Implementing and adapting the updated controls will be crucial to new or existing ATO renewals in the long term.

How Can Business Leaders Enhance Security Over Time?

Chief information officers (CIOs), chief information security officers (CISOs) and other organizational leaders need to start thinking about how to advance security and privacy initiatives in unison to achieve business goals and manage risk effectively. The update to NIST 800-53 will affect each organization differently. It’s still important to perform due diligence to determine how the final changes apply in each unique situation; however, as a whole, adopting the recommended guidelines serves to unify security standards and help all organizations strengthen their security posture as the threat and regulatory landscapes evolve.

Additional information and the full list of changes in the NIST 800-53 Revision 5 draft can be found on the NIST website, along with the publication schedule.

The post Adopting the NIST 800-53 Control Framework? Learn More About the Anticipated Changes in 2019 appeared first on Security Intelligence.

SecurityWeek RSS Feed: Watchdog: FEMA Wrongly Released Personal Data of Victims

The Federal Emergency Management Agency wrongly released to a contractor the personal information of 2.3 million survivors of devastating 2017 hurricanes and wildfires, potentially exposing the victims to identity fraud and theft, a government watchdog reported Friday.

McAfee Blogs: Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home

Like most parents, before you go to sleep each night, you take extra care to lock doors and windows to keep your family safe from any outside threats. The only thing you may have overlooked is the smartphone illuminated on your nightstand. And if you were to add up the smartphones humming all over your house, suddenly you’d have a number of unlocked doors that a determined criminal could enter through. Maybe not tonight — but eventually.

Digital Ecosystem

Over time you’ve purchased and plugged in devices throughout your home. You might have a voice assistant, a baby monitor, a thermostat, a treadmill, a gaming system, a fitness watch, smart TVs, a refrigerator, and many other fun, useful gadgets. Each purchase likely connects to your smartphone. Take stock: You now have a digital ecosystem growing all around you. And while you rarely stop to take notice of this invisible power grid around you, hackers can’t stop thinking about it.

This digital framework that pulsates within your home gives cybercriminals potential new entryways into your life and your data. Depending on your devices, by accessing your smartphone, outsiders may be able to unlock your literal doors while you are away (via your home security system), eavesdrop on your family conversations and collect important information (via your voice assistant), and access financial information (via your gaming system, tablet, or laptop).

What you can do:

  • Change factory security settings. Before you fire up that smart TV, drone, or sound system, be sure to change each product’s factory settings and replace it with a bulletproof password to put a layer of protection between you and would-be hackers.
  • Protect your home network. We are connected people living in connected homes. So, part of the wired lifestyle is taking the lead on doing all we can to protect it. One way to do that is at the router level with built-in network security, which can help secure your connected devices.
  • Stay on top of software updates. Cybercrooks rely on consumers to ignore software updates; it makes their job so much easier. So be sure to install updates to your devices, security software, and IoT products when alerted to do so.

Smartphone = Front Gate

The most common entry point to all of these connected things is your smartphone. While you’ve done a lot of things to protect your phone — a lock screen, secure passwords on accounts, and system updates — there are hacking tactics you likely know nothing about. According to McAfee’s recent Mobile Threat Report, you don’t know because the scope and complexity of mobile hacks are increasing at alarming rates.

Hidden Apps

The latest statistics report that the average person has between 60-90 apps installed on their phones. Multiply that between all the users in your home, and you are looking at anywhere from 200-500 apps living under your digital roof. Hackers gravitate toward digital trends. They go where the most people congregate because that’s where they can grab the most money. Many of us control everything in our homes from our apps, so app downloads are off the charts, which is why crooks have engineered some of their most sophisticated schemes specifically around app users.

Hidden apps are a way that crooks trick users into letting them inside their phones. Typically, hidden apps (such as TimpDoor) get to users via Google Play when they download games or customized tools. TimpDoor will then directly communicate with users via a text with a link to a voice message that gives detailed instructions to enable apps from unknown sources. That link downloads malware which will run in the background after the app closes. Users often forget they’ve downloaded this and go on with life while the malware runs in the background and can access other internal networks on the smartphone.

What you can do:

  • Stay alert. Don’t fall for the traps or click links to other apps sent via text message.
  • Stay legit. Only download apps hosted by the original trusted stores and verified partner sites.
  • Avoid spam. Don’t click on any email links, pop-ups, or direct messages that include suspicious links, password prompts, or fake attachments. Delete and block spam emails and texts.
  • Disable and delete. If you are not using an app, disable it. And, as a safety habit, remove apps from your phone, tablet, or laptop you no longer use.

Fake Apps

Again, crooks go where the most people congregate, and this year it is the 60 million+ downloaded game Fortnite. The Fortnite craze has led hackers to design fake Fortnite apps masquerading as the real thing. The fraudulent app designers go to great lengths to make the download look legitimate. They offer enticing downloads and promise users a ton of free perks and add-ons. Once users download the fake app, crooks can collect money through ads, send text messages with more bad app links, cryptojack users, or install malware or spyware.

What you can do:

  • Don’t install apps from unknown sources. Not all gaming companies distribute via Google Play or the App Store. This makes it even harder for users to know that the app they are downloading is legit. Do all you can to verify the legitimacy of the site you are downloading from.
  • Delete suspicious-acting apps. If you download an app and it begins to request access to anything outside of its service, delete it immediately from your device.
  • Update devices regularly. Keep new bugs and threats at bay by updating your devices automatically.
  • Monitor bank statements. Check statements regularly to monitor the activity of the card linked to your Fortnite account. If you notice repeat or multiple transactions from your account or see charges that you don’t recognize, alert your bank immediately.
  • Be a savvy app user. Verify an app’s legitimacy. Read other user reviews and be discerning before you download anything. This practice also applies to partner sites that sell game hacks, credits, patches, or virtual assets players use to gain rank within a game. Beware of “free” downloads and avoid illegal file-sharing sites. Free downloads can be hotbeds for malware. Stick with the safer, paid options from a reputable source.

The post Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home appeared first on McAfee Blogs.



McAfee Blogs

Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home

Like most parents, before you go to sleep each night, you take extra care to lock doors and windows to keep your family safe from any outside threats. The only thing you may have overlooked is the smartphone illuminated on your nightstand. And if you were to add up the smartphones humming all over your house, suddenly you’d have a number of unlocked doors that a determined criminal could enter through. Maybe not tonight — but eventually.

Digital Ecosystem

Over time you’ve purchased and plugged in devices throughout your home. You might have a voice assistant, a baby monitor, a thermostat, a treadmill, a gaming system, a fitness watch, smart TVs, a refrigerator, and many other fun, useful gadgets. Each purchase likely connects to your smartphone. Take stock: You now have a digital ecosystem growing all around you. And while you rarely stop to take notice of this invisible power grid around you, hackers can’t stop thinking about it.

This digital framework that pulsates within your home gives cybercriminals potential new entryways into your life and your data. Depending on your devices, by accessing your smartphone, outsiders may be able to unlock your literal doors while you are away (via your home security system), eavesdrop on your family conversations and collect important information (via your voice assistant), access financial information (via your gaming system, tablet, or laptop).

What you can do:

  • Change factory security settings. Before you fire up that smart TV, drone, or sound system, be sure to change each product’s factory settings and replace it with a bulletproof password to put a layer of protection between you and would-be hackers.
  • Protect your home network. We are connected people living in connected homes. So, part of the wired lifestyle is taking the lead on doing all we can to protect it. One way to do that is at the router level with built-in network security, which can help secure your connected devices.
  • Stay on top of software updates. Cybercrooks rely on consumers to ignore software updates; it makes their job so much easier. So be sure to install updates to your devices, security software, and IoT products when alerted to do so.

Smartphone = Front Gate

The most common entry point to all of these connected things is your smartphone. While you’ve done a lot of things to protect your phone — a lock screen, secure passwords on accounts, and system updates — there are hacking tactics you likely know nothing about. According to McAfee’s recent  Mobile Threat Report, you don’t know because the scope and complexity of mobile hacks are increasing at alarming rates.

Hidden Apps

The latest statistics report that the average person has between 60-90 apps installed on their phones. Multiply that between all the users in your home, and you are looking at anywhere from 200-500 apps living under your digital roof. Hackers gravitate toward digital trends. They go where the most people congregate because that’s where they can grab the most money. Many of us control everything in our homes from our apps, so app downloads are off the charts, which is why crooks have engineered some of their most sophisticated schemes specifically around app users.

Hidden apps are a way that crooks trick users into letting them inside their phones. Typically, hidden apps (such as TimpDoor) get to users via Google Play when they download games or customized tools. TimpDoor will then directly communicate with users via a text with a link to a voice message that gives detailed instructions to enable apps from unknown sources. That link downloads malware which will run in the background after the app closes. Users often forget they’ve downloaded this and go on with life while the malware runs in the background and can access other internal networks on the smartphone.

What you can do:

  • Stay alert. Don’t fall for the traps or click links to other apps sent via text message.
  • Stay legit. Only download apps hosted by the original trusted stores and verified partner sites.
  • Avoid spam. Don’t click on any email links, pop-ups, or direct messages that include suspicious links, password prompts, or fake attachments. Delete and block spam emails and texts.
  • Disable and delete. If you are not using an app, disable it. And, as a safety habit, remove apps from your phone, tablet, or laptop you no longer use.

Fake Apps

Again, crooks go where the most people congregate, and this year it is the 60 million+ downloaded game Fortnite. The Fortnite craze has led hackers to design fake Fortnite apps masquerading as the real thing. The fraudulent app designers go to great lengths to make the download look legitimate. They offer enticing downloads and promise users a ton of free perks and add-ons. Once users download the fake app, crooks can collect money through ads, send text messages with more bad app links, cryptojack users, or install malware or spyware.

What you can do:

  • Don’t install apps from unknown sources. Not all gaming companies distribute via Google Play or the App Store. This makes it even harder for users to know that the app they are downloading is legit. Do all you can to verify the legitimacy of the site you are downloading from.
  • Delete suspicious-acting apps. If you download an app and it begins to request access to anything outside of its service, delete it immediately from your device.
  • Update devices regularly. Keep new bugs and threats at bay by updating your devices automatically.
  • Monitor bank statements. Check statements regularly to monitor the activity of the card linked to your Fortnite account. If you notice repeat or multiple transactions from your account or see charges that you don’t recognize, alert your bank immediately.
  • Be a savvy app user. Verify an app’s legitimacy. Read other user reviews and be discerning before you download anything. This practice also applies to partner sites that sell game hacks, credits, patches, or virtual assets players use to gain rank within a game. Beware of “free” downloads and avoid illegal file-sharing sites. Free downloads can be hotbeds for malware. Stick with the safer, paid options from a reputable source.

The post Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home appeared first on McAfee Blogs.

SecurityWeek RSS Feed: D.C. Attorney General Introduces New Data Security Bill

Karl A. Racine, the attorney general for the District of Columbia, on Thursday announced the introduction of a new bill that aims to expand data breach notification requirements and improve the way personal information is protected by organizations.




SecurityWeek RSS Feed

Vulnerability Assessments Versus Penetration Tests: A Common Misconception

X-Force Red is an autonomous team of veteran hackers within IBM Security that is hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. Our team recently unveiled new statistics collected from its penetration testing engagements. One statistic that stood out, although not surprisingly, was that out of 1,176 phishing emails sent to employees within five organizations from October 2017 to November 2018, 198 people clicked on the malicious link inside the email and 196 people submitted valid credentials.

While those numbers do not appear significantly high, they still show that criminals had 196 unique opportunities to move around inside a target organization and access sensitive data. And considering one set of valid credentials is all it might take for a criminal to launch an attack, 196 of them is a gold mine.

These security mistakes are the types of vulnerabilities that can be identified by penetration testers. On the other hand, vulnerability assessments, which typically require an automated scanning tool, are designed to identify known system vulnerabilities. However, despite those differences, some vendors, cybersecurity professionals, marketing teams and others often use the terms “penetration testing” and “vulnerability assessment” interchangeably, mixing two completely different security engagements.

It’s a misconception that should be corrected so that security professionals understand exactly what they are buying and receiving and how that investment will help solve the challenge at hand. If they are unwittingly misled into buying the wrong solution for their environment, a critical unknown vulnerability exposing a high-value asset could be missed.

A Q&A With X-Force Red Penetration Testing Consultant Seth Glasgow

Seth Glasgow, an X-Force Red penetration testing consultant, has participated in many conversations with clients and security professionals where he has had to clarify the difference between vulnerability assessments and penetration testing. I chatted with Seth about the misconception, including how it came to be and what the difference is between penetration testing and vulnerability assessments.

Question: Seth, thank you for chatting with me about this topic. Can you provide more details about how some in the industry use penetration testing and vulnerability assessments interchangeably?

Glasgow: Sure, Abby. Some vendors, security professionals and others in the industry believe penetration testing is a substitute for vulnerability scanning, or vice versa. Basically, they say they don’t need both; they need one or the other. Sometimes, the two names alone cause confusion. Some may say “vulnerability testing” or “penetration scanning.” Others may say they offer penetration testing, but it’s really just an automated scan that can find known vulnerabilities. It does not involve actual manual testing.

To cover all your bases, it’s best to use a combination of manual penetration testing and vulnerability assessments. I like to compare it to clubs in a golf bag. Not every club is needed for every shot, but to play the whole game, you need all of them.

I like that analogy. How do you think this mixing of the two terms came to be? Was it marketing-related where marketers used the same language to describe the different solutions?

Glasgow: There are a few reasons, none of which began with marketing. One is related to compliance. Some mandates lump penetration testing and vulnerability assessments into one requirement, which muddies the water. At a technical level, the conversations are like a game of telephone. Information is repeated in the wrong context, and before you know it, a vendor is offering to sell a low-cost “penetration test,” but it’s really an automated scan. Also, in the past, the two terms could have been used interchangeably based on the threat and vulnerability landscape at the time. Whereas today, the two are very different and solve different problems.

Can you provide an example of how the evolution of the industry has caused significant differentiation between the two?

Glasgow: Sure, I have a couple examples. In the past, before the cloud became popular, most companies worked with physical servers. A vulnerability assessment, which involved scanning servers before they went into production, was often all that was needed to find critical vulnerabilities and make sure they were patched. After all, the servers were managed locally, making it somewhat easier to control the security around them (such as who can access them). Today, an increasing number of companies are migrating to the cloud, which has a large variety of other security implications. At a minimum, this means more server configurations need to be set up, and there can be less control and visibility into who’s accessing which data from which network. In this new security environment, penetration testing is essential in identifying configuration and access control vulnerabilities and can link those vulnerabilities together to show how an attacker could leverage them to compromise a cloud environment.

Another example is with the Payment Card Industry Data Security Standard (PCI DSS). Companies could comply with older versions of the standard by just doing a vulnerability assessment and possibly a light penetration test. However, in the PCI DSS version 3.2, the requirements specify companies implement a penetration testing methodology (see requirement 11.3) and say companies must “validate segmentation,” which can only be done by performing a manual penetration test.

So, what is the difference between the two? Can you break it down for us?

Glasgow: Whereas vulnerability scanning is 10 miles wide and one mile deep, penetration testing is 10 miles deep and one mile wide. Vulnerability assessments involve automated scanning, which casts a wide net across the entire network. Scanning evaluates every in-scope system to identify known vulnerabilities. Vulnerability assessments review systems for patching and security configuration items that represent security risk. They also include confirmation that the vulnerabilities are real and not false positives; however, they do not include exploitation of the vulnerability. Frequent assessments are important because they enable companies to understand what their attack surface looks like on a regular basis. The vulnerability landscape is constantly evolving as new discoveries are made and patches are released. I could scan a system today and have a clean bill of health, but I could scan that same system next month and find critical vulnerabilities.

Penetration testing is a manual exercise that focuses on identifying and exploiting vulnerabilities within the in-scope networks and applications. It can assess all facets of the security of a company, including networks, applications, hardware, devices and human interactions. The facets to test are decided prior to the engagement. Testing involves hackers actively exploiting vulnerabilities, emulating how a criminal would leverage and link vulnerabilities together to move laterally and/or deeper into the network to access the crown jewels. As testers, we are less concerned about vulnerabilities we cannot exploit, or those that don’t lead to anywhere valuable.

For example, let’s say you have a webpage that hosts an online brochure and has minimal user engagement. A vulnerability assessment will treat that page the same as if it were a webpage with a high level of user engagement. A penetration test would not focus on that page because the testers know it wouldn’t lead them to a highly valuable place. They may be able to use information from the brochure to move elsewhere within the network; however, they would focus on other components that would give them the most access.

Think of it this way: A vulnerability assessment identifies if the office doors in a building are unlocked. A penetration test identifies what criminals would do once they are inside the office.

Chart demonstrating characteristics of vulnerability assessments vs. penetration testing

Figure 1: Top differentiators between vulnerability assessments and penetration testing (source: X-Force Red)

I have one final question: If I am a cybersecurity leader looking for penetration testing services, which red flags should I look for that may indicate a vendor is actually offering a vulnerability assessment but says it’s a penetration test?

Glasgow: Be wary of the timeline. A good penetration test doesn’t adhere to a strict timeline, but it should take at least a week’s worth of work. And that’s on the low end. If a vendor is saying they can perform a test with a much quicker turnaround, that’s a sign they are probably going to use an automated scanning tool and quickly send you a report of all the findings. Also, ask about the deliverable. What kind of information will be in the findings report? If it’s a spreadsheet with scan results, that’s a sign it’s a vulnerability assessment. A penetration testing report typically includes the findings, a detailed narrative of what the testers did and remediation recommendations.

The report should also include the types of testing performed to help ensure security professionals know where remediation emphasis should be placed to make a network more difficult for hackers to gain access, maintain access and exfiltrate data.

Download the free white paper, “Penetration Testing: Protect Critical Assets Using an Attacker’s Mindset.”

The post Vulnerability Assessments Versus Penetration Tests: A Common Misconception appeared first on Security Intelligence.

The privacy risks of pre-installed software on Android devices

Many pre-installed apps facilitate access to privileged data and resources, without the average user being aware of their presence or being able to uninstall them. On the one hand, the permission model on the Android operating system and its apps allow a large number of actors to track and obtain personal user information. At the same time, it reveals that the end user is not aware of these actors in the Android terminals or of … More

The post The privacy risks of pre-installed software on Android devices appeared first on Help Net Security.

SecurityWeek RSS Feed: Norsk Hydro Restoring Systems, But Not Paying Ransom

Norwegian metals and energy giant Norsk Hydro is working on restoring systems after being hit by ransomware, but the company says it does not plan on paying the hackers.


Unsurprisingly, only 14% of companies are compliant with CCPA

With less than 10 months before the California Consumer Privacy Act (CCPA) goes into effect, only 14% of companies are compliant with CCPA and 44% have not yet started the implementation process. Of companies that have worked on GDPR compliance, 21% are compliant with CCPA, compared to only 6% for companies that did not work on GDPR, according to the TrustArc survey conducted by Dimensional Research. “At TrustArc, we’ve seen a significant increase in the … More

The post Unsurprisingly, only 14% of companies are compliant with CCPA appeared first on Help Net Security.

2019 may be a record year for enterprise breaches, but secure collaboration tools could help

Despite business executives agreeing that cybersecurity is a major challenge, businesses globally are severely unprepared for cyberattacks. 44% of business executives from Europe and the United States said they shared sensitive information over email, yet 35% admitted they are unaware of the ways in which their organization is protecting its sensitive information, communications and data, according to the results of the annual Communication and Security survey released by Wire. Despite 2018 being a record year … More

The post 2019 may be a record year for enterprise breaches, but secure collaboration tools could help appeared first on Help Net Security.

Security fatigue leads many to distrust personal data protection, can you blame them?

20 percent of Americans suffer from security fatigue and don’t trust anyone to protect their personal data. As a result, some people feel they need to take matters into their own hands or at least work with organizations that give them a greater sense of control. Findings from the nCipher Security survey of more than 1,000 American adults reveal many people want more control over their personal data privacy. Most want tighter controls of how … More

The post Security fatigue leads many to distrust personal data protection, can you blame them? appeared first on Help Net Security.

SecurityWeek RSS Feed: E-Commerce Company Gearbest Leaked User Information

Chinese e-commerce company Gearbest has failed to properly secure some of its databases, thus leaking users’ personally identifiable information (PII), VPNMentor’s researchers have discovered. Gearbest has downplayed the impact of the incident, which it has blamed on an error made by a member of its security team.


Do people with malicious intent present the biggest threat to personal data?

Against the backdrop of a complex and growing cyber threat landscape, organizations are waking up to the fact that one of the biggest chinks in their armour against a data security breach is humans. According to Apricorn’s latest social media poll, sixty five percent of respondents believe that humans pose the biggest threat to their personal data. A staggering fifty two percent of respondents believe that people with malicious intent present the biggest danger, whilst … More

The post Do people with malicious intent present the biggest threat to personal data? appeared first on Help Net Security.

Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

Our society relies on the availability, security and reliability of network and information systems (NIS). Various security frameworks provide standards and guidance as to which measures organizations should implement to protect IT systems and increase resilience. However, since such recommendations are not ingrained as actual laws in most countries, these best practices and guidelines are often followed solely on a voluntary basis.

This stands in contrast to the European Union (EU)’s NIS Directive, legislation that sets a range of network and information security requirements to augment IT security across all EU member states. While the directive covers a few different domains, including preparedness, cross-EU collaboration and incident response (IR), one of its main pillars focuses on breach notification requirements.

In this post, we will focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Regulations Versus Directives

The NIS Directive is a different type of legal act compared to, say, the General Data Protection Regulation (GDPR). The latter is immediately applicable and enforceable by law in all member states. A directive is somewhat different.

While it also applies to all member states, instead of being immediately applicable, it sets goals, requirements and results that must be achieved. It is then up to each member state to devise its own laws on how to reach these goals and what types of penalties noncompliance will carry. The NIS Directive also sets a floor. There can be greater requirements applicable based on the organization’s industry sector and member state(s) it operates in.

This legal status reveals one of the possible issues with a directive: Whereas a regulation is direct law, a directive needs to be transposed into local laws by each member state. These transpositions can result in differences in the implementation of the directive into law, in some cases complicating matters for organizations that operate across borders.

Variance in Incident Notification Definitions

One of the articles in the NIS Directive that has received a lot of attention is Article 14, which outlines requirements for security and incident notification. It stipulates that member states must ensure that OES notify the national competent authority and the national computer security incident response team (CSIRT) in case of an incident that significantly impacts the continuity of an essential service. This is not entirely new — depending on the type of activity or sector, there are already requirements for incident reporting in Europe, including Article 13a of the Telecom Framework Directive.

An additional element of complexity is that, according to Article 5, the identification of OES per sector needs to happen individually within each member state. Although organizations might give input to this process, the actual identification is out of their hands. This process is another way by which the directive could result in various interpretations that end up adding complexity.

The Benefits of Incident Notification

One of the drivers for notification in the context of the directive is to be compliant with legal requirements. However, if the starting point of your organization is to only comply with the bare minimum of these notification requirements, then you will miss out on the opportunities provided by the directive.

Additionally, the bulk of these requirements, including notification and detection capabilities, should already be covered in large part by your existing security environment. If this is not the case, you can use the NIS Directive as a wake-up call to improve your security posture.

From a policymaker’s point of view, the notification requirements can help better identify the challenges within a sector and propose mitigation measures that are based on actual facts and figures. These facts and figures can then be used by CSIRTs (or a responsible authority) to provide more relevant warnings and situation reports together with sector-specific threat intelligence. Similarly, this information can also be used to evaluate cross-border impact of incidents or threats and optionally notify other member states.

Breaking Down Notification Requirements

Now, let’s dive into some details of the NIS Directive. There are essentially three main parts to the notification requirement.

First, prior to notification, organizations need to be able to detect security incidents — i.e., they must possess appropriate detection capabilities. The second part involves defining what a significant incident is and what risks, either directly or indirectly, can have significant impact on an essential service. The last part of the notification requirement involves understanding when, what, how and to whom organizations must report incidents.

First Things First — Detection

Every notification starts with proper detection of an incident. You can find guidelines on detection capabilities in a reference publication from the NIS Cooperation Group on security measures.

The core principles for these security measures include being effective, tailored, compatible, proportionate, concrete, verifiable (evidence of the effective implementation of security policies) and inclusive (includes all security domains that may contribute to reinforcing cybersecurity).

Applying NIS measures to the domain of detection and resilience can be done by:

  • Setting up a detection system to analyze files and protocols — this can include, for example, network intrusion detection systems (NIDSs) or malware sandboxes;
  • Enabling logging on critical systems (log entries should include time stamps);
  • Collecting the logs centrally; and
  • Conducting log correlation and analysis on the events coming from critical systems.

All of the above actions can also be automated with a security information and event management (SIEM) solution.

After Detection — Defining Incidents

But what, exactly, is a security incident? Article 4 defines it as any event that has an actual “adverse effect” on the security of network and information systems. As a side note, the directive does not include a definition of what is covered by “adverse.”

Based on the information from the NIS Cooperation Group, we can combine the definition of an incident with the definition of security of network and information systems. This would redefine an incident to be any event that affects the authenticity, confidentiality, integrity or availability of network and information systems, and has a significant impact on the continuity of the essential service itself.

What Is a Significant Incident?

A set of three parameters from Article 14 of the NIS Directive can be used to determine what is considered a significant incident:

  • The number of users that are affected by the disruption of the essential service.
  • The duration of the incident.
  • The geographic spread of those affected by the incident.

Additionally, the parameters from Article 6 are also helpful in defining what qualifies as a significant incident:

  • What is the dependency of other OES on the service affected by the incident?
  • What is the impact (degree, duration) on economic and social activities or on public safety? In particular, the impact on social activities can be hard to measure for OES.
  • How large is the market share of the affected service?
  • What is the geographic spread that could be affected?
  • How important is the affected element for maintaining a sufficient level of service?

In general, these parameters are most often already included in what OES are accustomed to using to define crises within their services that are unrelated to IT.

The actual criteria, thresholds and parameters for determining substantial incidents are defined by member states. This can include the parameters defined in the NIS Directive, possibly extended with other state-specific or sector-specific criteria.

The Directive’s Notification Timeline

According to Article 14, organizations need to notify without undue delay, although this timeline can be shortened or specified based on the member state. The term “undue” can also be subjective, but in most cases, this means the organization must send a preliminary notification whenever an incident is first detected, even if all the details are not available yet. The goal is to raise awareness. As your investigation progresses, you can provide intermediate follow-ups, and when the incident is closed, you can provide a full report.

It’s fairly simple to implement this step. Your IR plan should already include a notification and escalation path for certain types of critical incidents during the detection and analysis phases. It should also foresee a final incident report as part of the lessons-learned phase.

In essence, this requirement is an extension of an already established IR plan and recovery process.
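The detection, significance and timeline steps above can be tied together in code. The following Python is an added example, not part of the original post or of any official NIS tooling: it correlates centrally collected, timestamped log entries into incidents, checks each incident against the three Article 14 parameters, and selects the next report in the preliminary, intermediate, final sequence. The log format, the threshold values and the rule that any single exceeded parameter makes an incident significant are assumptions; the real criteria come from your member state or sector.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical thresholds: the real values are set by each member state.
THRESHOLDS = {
    "users_affected": 10_000,
    "duration": timedelta(hours=2),
    "regions": 2,
}

# Constructed sample of centrally collected log entries from critical systems.
SAMPLE_LOGS = """\
2019-03-19T08:02:11Z billing-db-01 region=BE users=4200 status=DISRUPTED
2019-03-19T08:05:40Z billing-api-02 region=BE users=6100 status=DISRUPTED
2019-03-19T08:20:03Z billing-api-03 region=NL users=3900 status=DISRUPTED
2019-03-19T09:10:00Z billing-api-02 region=BE users=0 status=OK
2019-03-19T10:45:30Z billing-api-03 region=NL users=0 status=OK
2019-03-19T10:47:11Z billing-db-01 region=BE users=0 status=OK
2019-03-19T14:00:00Z portal-web-01 region=BE users=150 status=DISRUPTED
2019-03-19T14:10:00Z portal-web-01 region=BE users=0 status=OK
"""


@dataclass
class Incident:
    start: datetime
    end: Optional[datetime] = None                  # None while still ongoing
    peak_users: dict = field(default_factory=dict)  # system -> peak users hit
    regions: set = field(default_factory=set)

    @property
    def users_affected(self):
        return sum(self.peak_users.values())

    def duration(self, now):
        # An open incident is measured up to "now".
        return (self.end or now) - self.start


def parse_line(line):
    """Parse one log entry in the constructed format used by SAMPLE_LOGS."""
    ts, system, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, system, kv["region"], int(kv["users"]), kv["status"]


def correlate(log_text):
    """Group overlapping disruptions on different systems into one incident."""
    incidents, current, open_systems = [], None, set()
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for when, system, region, users, status in events:
        if status == "DISRUPTED":
            if current is None:
                current = Incident(start=when)
                incidents.append(current)
            open_systems.add(system)
            current.regions.add(region)
            current.peak_users[system] = max(users, current.peak_users.get(system, 0))
        elif current is not None:
            open_systems.discard(system)
            if not open_systems:        # every affected system has recovered
                current.end = when
                current = None
    return incidents


def exceeded_parameters(incident, now, thresholds=THRESHOLDS):
    """Return the Article 14 parameters whose threshold is met or exceeded."""
    checks = {
        "users_affected": incident.users_affected >= thresholds["users_affected"],
        "duration": incident.duration(now) >= thresholds["duration"],
        "regions": len(incident.regions) >= thresholds["regions"],
    }
    return [name for name, hit in checks.items() if hit]


def next_report(incident, now, preliminary_sent):
    """Pick the next report to send, or None if the incident is not significant."""
    if not exceeded_parameters(incident, now):   # assumption: any one parameter suffices
        return None
    if not preliminary_sent:
        return "preliminary notification"
    return "final report" if incident.end else "intermediate follow-up"


if __name__ == "__main__":
    now = datetime(2019, 3, 19, 15, 0, tzinfo=timezone.utc)
    for inc in correlate(SAMPLE_LOGS):
        print(inc.start, inc.users_affected, exceeded_parameters(inc, now),
              next_report(inc, now, preliminary_sent=False))
```

Because an open incident is measured up to the current time, re-running the check during an investigation shows when the duration threshold is crossed and an intermediate follow-up is warranted.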

Where to Report?

Each member state is free to choose its own reporting framework. This can be the national authority, sectorial authorities or a combination of both in addition to notifying the national CSIRTs.

As an organization, it is important to identify to whom you have to report, exchange contact details between your security team and the notification body, and establish and test this communication process.

Use the NIS Directive as an Opportunity

Similar to the GDPR, you can approach this directive as a roadblock or a nuisance, or you can consider it an excellent opportunity to improve your security posture. The fact that some security requirements are legal requirements can help you further establish your security program.

There are many articles in the directive to take into account, but you should start by focusing on the following:

  • Article 4, which defines a security incident;
  • Article 5, which mandates that member states should identify OES;
  • Article 6, which sets additional parameters to define significant incidents; and
  • Article 14, which requires you to implement security measures and notification processes. This article also contains the three base parameters to define what is a significant incident and describes the accepted delay for notifications.

Unfortunately, despite the fact that the bulk of the NIS Directive has been well-known for quite some time, not all EU member states have finalized the phase of transposing the recommendations into actual laws.

If this is the case for your environment, you might benefit from the situation and provide your lawmakers with input for security measures that would actually improve the level of security for network and information systems in your sector.

The post Breaking Down the Incident Notification Requirements in the EU’s NIS Directive appeared first on Security Intelligence.

Moving from traditional on-premise solutions to cloud-based security

In this Help Net Security podcast recorded at RSA Conference 2019, Gary Marsden, Senior Director, Data Protection Services at Gemalto, talks about the feedback they’re getting from the market and how Gemalto

The post Moving from traditional on-premise solutions to cloud-based security appeared first on The Cyber Security Place.

You Rang? New Voice Phishing Attack Tricks Unsuspecting Users

In this digital day and age, the average user is likely familiar with the techniques and avenues cybercriminals use to get ahold of personal data and money. With this knowledge, we’ve become smarter and keen to the tricks of the cybercrime trade. However, cybercriminals have become smarter too, and therefore their attacks have become more complex. Take phishing, for example. There has been a dramatic shift in phishing attacks, from simple and general to complex and personalized. What was once spoofing emails or websites has now evolved into something more devious – vishing, or voice phishing. This method involves a cybercriminal attempting to gain access to a victim’s personal or financial information by pretending to be a financial institution via phone call. And now a new vishing attack is proving to be more difficult to detect than the typical phishing scams.

In April 2018, Min-Chang Jang, a manager at Korea Financial Security Institute and Korea University, made a breakthrough in his investigation into malicious apps designed to intercept calls to users from legitimate numbers. This tactic puts a new but troubling twist on the original voice phishing cyberattack. To be successful in this venture, a hacker must first convince a user to download a fake app. To do this, a link is sent to the victim, luring them in with an amazing offer around loan refinancing or something similar, which then prompts the user to download the faulty app. If the target takes the bait, calls will start to come in from the financial institution following up on the possible loan refinancing offer. The call, however, isn’t connected to the actual financial company, rather it is intercepted and connected to the bad actor.

We know that as we adjust to the world around us and become smarter about our security, cybercriminals will do the same with their thievery. Today it’s an advanced vishing attack, tomorrow it could be a different type of phishing vector. However, users can rest assured that companies like McAfee are working tirelessly to ensure our users can thwart any cyberattack that comes their way. While this voice phishing attack is hard to detect, here are some proactive steps you can take to ensure you don’t fall victim to cybercriminals’ schemes:

  • Only install apps from authorized sources. To avoid malicious apps getting ahold of your data, only download apps from authorized vendors. For Android users, use the Google Play Store. For iPhone users, use the Apple App Store. Never trust a third-party app with information that could be exploited in the wrong hands.
  • Turn on caller ID or other services. Numerous carriers now offer free services that notify users of possible scam calls. And a lot of phones come with call-identifying capabilities that can give the user a quick diagnostic of whether the call is legitimate or not. With this feature, users can report scam calls to a database too.
  • Always think twice. In addition to tips and apps, there’s no better judge than common sense so if an offer or deal sounds too good to be true, it most likely is.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post You Rang? New Voice Phishing Attack Tricks Unsuspecting Users appeared first on McAfee Blogs.

809 Million Records Left Exposed: How Users Can Protect Their Data

It’s no secret that technological advancements and online threats are directly proportional to each other. So now more than ever, it’s imperative that users prioritize the security of their digital presence, especially in the face of advanced malware attacks and massive data leaks. Speaking of the latter — less than two months after the Collection #1 data breach exposed 773 million email addresses, it seems we have another massive data dump in our midst. Last week, researchers discovered a 150-gigabyte database containing 809 million records exposed by the email validation firm, Verifications.io.

You may be wondering how Verifications.io had so much data left to be exposed. Most people have heard of email marketing, but very few realize that these companies often vet user email addresses to ensure their validity. Enter Verifications.io. This company serves as a way email marketing firms can outsource the extensive work involved with validating mass amounts of emails and avoid the risk of having their infrastructure blacklisted by spam filters. Verifications.io was entrusted with a lot of data provided by email marketing firms looking to streamline their processes, creating an information-heavy database.

This unusual data trove contains tons of sensitive information like names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amounts, interest rates, social media accounts, and characterizations of people’s credit scores. While the data doesn’t contain Social Security Numbers or credit card information, that amount of aggregated data makes it much easier for cybercriminals to run new social engineering scams or expand their target audience. According to security researcher Troy Hunt, owner of HaveIBeenPwned, 35% of the data exposed by Verifications.io is new to his database. With that said, it was the second largest data dump added in terms of email addresses to Hunt’s website, which allows users to check whether their data has been exposed or breached.

Upon discovery, the firm was made aware of the incident. And while proper security measures were taken, users can take various steps themselves to protect their information in the event of large-scale data exposure. Check out the following tips:

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your individual accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords on a consistent basis to further protect your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 809 Million Records Left Exposed: How Users Can Protect Their Data appeared first on McAfee Blogs.

Don’t Let Thunderclap Flaws Strike Your Device

If you own a Mac or PC, odds are you’ve used your laptop’s Thunderbolt port to connect another device to your machine. Thunderbolt ports are convenient for charging other devices using your laptop or desktop’s battery power. However, a new flaw called Thunderclap allows attackers to steal sensitive information such as passwords, encryption keys, financial information, or run detrimental code on the system if a malicious device is plugged into a machine’s port while it’s running.

So, how can attackers exploit this flaw? Thunderbolt accessories are granted direct-memory access (DMA), which is a method of transferring data from a computer’s random-access memory (RAM) to another part of the computer without it needing to pass through the central processing unit (CPU). DMA can save processing time and is a more efficient way to move data from the computer’s memory to other devices. However, attackers with physical access to the computer can take advantage of DMA by running arbitrary code on the device plugged into the Thunderbolt port. This allows criminals to steal sensitive data from the computer. Mind you, Thunderclap vulnerabilities also provide cybercriminals with direct and unlimited access to the machine’s memory, allowing for greater malicious activity.

Thunderclap-based attacks can be carried out with either specially built malicious peripheral devices or common devices such as projectors or chargers that have been altered to automatically attack the host they are connected to. What’s more, they can compromise a vulnerable computer in just a matter of seconds. Researchers who discovered this vulnerability informed manufacturers and fixes have been deployed, but it’s always good to take extra precautions. So, here are some ways users can defend themselves against these flaws:

  • Disable the Thunderbolt interface on your computer. To remove Thunderbolt accessibility on a Mac, go to the Network Preference panel, click “OK” on the New Interface Detected dialog, and select “Thunderbolt Bridge” from the sidebar. Click the [-] button to delete the option as a networking interface and choose “Apply.” PCs often allow users to disable Thunderbolt in BIOS or UEFI firmware settings, which connect a computer’s firmware to its operating system.
  • Don’t leave your computer unattended. Because this flaw requires a cybercriminal to have physical access to your device, make sure you keep a close eye on your laptop or PC to ensure no one can plug anything into your machine without permission.
  • Don’t borrow chargers or use publicly available charging stations. Public chargers may have been maliciously altered without your knowledge, so always use your own computer accessories.
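
For readers on Linux, which the post does not cover, the same exposure can be checked from the kernel's Thunderbolt sysfs attributes. This is an added example, not part of the original post; the OK/WARN/EXPOSED verdicts are an assumed policy, and the sample tree is constructed rather than taken from a real host.

```shell
#!/bin/sh
# Added example: audit Thunderbolt DMA exposure on a Linux host.
# The kernel exposes, per Thunderbolt domain:
#   <root>/domainN/security              none|user|secure|dponly|usbonly|nopcie
#   <root>/domainN/iommu_dma_protection  1 when IOMMU DMA remapping covers the ports
# The verdict names and the policy behind them are assumptions of this example.

TB_SYSFS_DEFAULT=/sys/bus/thunderbolt/devices

# classify_domain SECURITY IOMMU -> prints OK, WARN, EXPOSED or UNKNOWN
classify_domain() {
    case "$1" in
        dponly|usbonly|nopcie)
            # No PCIe tunnelling, so a peripheral has no DMA path to host memory.
            echo "OK" ;;
        none)
            # Every device is connected automatically; only the IOMMU limits it.
            if [ "$2" = "1" ]; then echo "WARN"; else echo "EXPOSED"; fi ;;
        user|secure)
            # Devices need approval, but an approved device without IOMMU
            # protection still gets unrestricted DMA.
            if [ "$2" = "1" ]; then echo "OK"; else echo "WARN"; fi ;;
        *)
            echo "UNKNOWN" ;;
    esac
}

# audit_thunderbolt [ROOT] -> one line per domain; returns 0 (ok), 1 (warn), 2 (exposed)
audit_thunderbolt() {
    root=${1:-$TB_SYSFS_DEFAULT}
    worst=0
    found=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue
        found=1
        level=$(cat "$dom/security" 2>/dev/null || echo unknown)
        # Older kernels lack this attribute; treat a missing file as unprotected.
        iommu=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        verdict=$(classify_domain "$level" "$iommu")
        echo "$(basename "$dom"): security=$level iommu_dma_protection=$iommu -> $verdict"
        case "$verdict" in
            EXPOSED) worst=2 ;;
            WARN|UNKNOWN) if [ "$worst" -lt 1 ]; then worst=1; fi ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no Thunderbolt domains under $root"
        return 0
    fi
    return "$worst"
}

# make_sample_tree -> prints the path of a constructed sysfs-like tree
# (sample data built for this example, not read from a real machine)
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/domain0" "$dir/domain1"
    echo none > "$dir/domain0/security"
    echo 0    > "$dir/domain0/iommu_dma_protection"
    echo user > "$dir/domain1/security"
    echo 1    > "$dir/domain1/iommu_dma_protection"
    echo "$dir"
}

# Demo run against the constructed tree.
demo_root=$(make_sample_tree)
audit_thunderbolt "$demo_root" || echo "audit status: $?"
rm -rf "$demo_root"
```

Calling `audit_thunderbolt` with no argument reads the live `/sys/bus/thunderbolt/devices` tree instead of the constructed sample.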

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Don’t Let Thunderclap Flaws Strike Your Device appeared first on McAfee Blogs.

How To Secure Your Smart Home

Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.

You may remember a couple of years ago when thousands of infected devices were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.

Unfortunately, these are not rare cases. In recent months, the “Internet of Things” (IoT) has been used repeatedly to spy on businesses, launch attacks, or even deliver cryptojacking malware or ransomware.

Still, given the benefits we get from these devices, they are probably here to stay. We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.

Cybercrooks have already taken note of these opportunities since malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73% in the third quarter of 2018 alone.

So, whether you have one IoT device, or many, it’s worth learning how to use them safely.

Follow these smart home safety tips:

  • Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks many of these features, consider upgrading it.
  • Safeguard your devices—Before you connect a new IoT device to your home network — allowing it to potentially connect with other data-rich devices, like smartphones and computers — change the default username and password to something strong and unique. Hackers often know the default settings and share them online. Then, turn off any manufacturer settings that do not benefit you, like remote access. This is a feature some manufacturers use to monitor their products, but it could also be used by cybercrooks to access your system. Finally, make sure that your device software is up-to-date by checking the manufacturer’s website. This ensures that you are protected from any known vulnerabilities.
  • Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router. Make sure your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure. Consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get to all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
  • Install comprehensive security software—Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How To Secure Your Smart Home appeared first on McAfee Blogs.

How to Steer Clear of Tax Season Scams

It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund or have yet to start the process, one thing is for sure: cybercriminals will certainly use tax season as a means to get victims to give up their personal and financial information. This time of year is advantageous for malicious actors since the IRS and tax preparers are some of the few people who actually need your personal data. As a result, consumers are targeted with various scams impersonating trusted sources like the IRS or DIY tax software companies. Fortunately, every year the IRS outlines the most prevalent tax scams, such as voice phishing, email phishing, and fake tax software scams. Let’s explore the details of these threats.

So, how do cybercriminals use voice phishing to impersonate the IRS? Voice phishing, a form of criminal phone fraud, uses social engineering tactics to gain access to victims’ personal and financial information. For tax scams, criminals will make unsolicited calls posing as the IRS and leave voicemails requesting an immediate callback. The crooks will then demand that the victim pay a phony tax bill in the form of a wire transfer, prepaid debit card or gift card. In one case outlined by Forbes, victims received emails in their inbox that allegedly contained voicemails from the IRS. The emails didn’t actually contain any voicemails but instead directed victims to a suspicious SharePoint URL. Last year, a number of SharePoint phishing scams occurred as an attempt to steal Office 365 credentials, so it’s not surprising that cybercriminals are using this technique to access taxpayers’ personal data now as well.

In addition to voice phishing schemes, malicious actors are also using email to try and get consumers to give up their personal and financial information. Even back in December, we saw a surge of new email phishing scams trying to fool consumers into thinking the message was coming from the IRS or other members of the tax community. In a typical email phishing scheme, scammers try to obtain personal tax information like usernames and passwords by using spoofed email addresses and stolen logos. In many cases, the emails contain suspicious hyperlinks that redirect users to a fake site or PDF attachments that may download malware or viruses. If a victim clicks on these malicious links or attachments, they can seriously endanger their tax data by giving identity thieves the opportunity to steal their refund. What’s more, cybercriminals are also using subject lines like “IRS Important Notice” and “IRS Taxpayer Notice” and demanding payment or threatening to seize the victim’s tax refund.

Cybercriminals are even going so far as to impersonate trusted brands like TurboTax for their scams. In this case, DIY tax preparers who search for TurboTax software on Google are shown ads for pirated versions of TurboTax. The victims will pay a fee for the software via PayPal, only to have their computer infected with malware after downloading the software. You may be wondering, how do victims happen upon this malicious software through a simple Google search? Unfortunately, scammers have been paying to have their spoofed sites show up in search results, increasing the chances that an innocent taxpayer will fall victim to their scheme.

Money is a prime motivator for many consumers, and malicious actors are fully prepared to exploit this. Many people are concerned about how much they might owe or are predicting how much they’ll get back on their tax refund, and scammers play to both of these emotions. So, as hundreds of taxpayers are waiting for a potential tax return, it’s important that they navigate tax season wisely. Check out the following tips to avoid being spoofed by cybercriminals and identity thieves:

  • File before cybercriminals do it for you. The easiest defense you can take against tax season schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a cybercriminal.
  • Obtain a copy of your credit report. FYI – you’re entitled to a free copy of your credit report from each of the major bureaus once a year. So, make it a habit to request a copy of your file every three to four months, each time from a different credit bureau. That way, you can keep better track of and monitor any suspicious activity and act early if something appears fishy.
  • Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Remember: the IRS only contacts people by snail mail, so if you get an email from someone claiming to be from the IRS, stay away.
  • Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search.
  • Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blogs.

McAfee Partners With Telefónica To Help Secure Consumers Worldwide

These days, cyberattacks can feel relentless. Due to the interconnected nature of the world we live in, cybercriminals have managed to infiltrate our personal devices, our networks, and even our homes. That’s why we at McAfee believe it’s important now more than ever to secure every facet of the modern consumer lifestyle. And we’ve partnered with Telefónica to do just that.

This partnership first began back in February of last year, when ElevenPaths, Telefónica Cyber Security Unit, and McAfee announced we’re working together to reinforce the online security of Telefónica’s broadband and mobile customers across multiple markets. This partnership covers Europe and Latin America with plans to progressively roll out solutions in the different countries where Telefónica operates. It’s the first time a telecommunications company has delivered a security service to all of its customers, regardless of where they connect from. Fast forward to present day, and this partnership has only expanded. The global product developed by Telefónica and powered by McAfee was first launched in Spain as Movistar Conexión Segura, a service that protects home and mobile customers’ connectivity. Telefónica protects Fusión customers’ home connections with a smart router, thanks to the ElevenPaths solution powered by McAfee Secure Home Platform, which enables seamless security and easy activation. Conexión Segura is also available for Movistar mobile customers, including network protection and one license of Seguridad Dispositivo, a multi-device security protection. Only a few weeks after Spain, Movistar Argentina launched the solution for its fixed and mobile customers. These services help realize Telefónica’s “Security by Default” strategy, offering customers a more robust security solution that protects against threats like viruses, malware, phishing, and emerging IoT threats.

Telefónica and McAfee’s 360 partnership is dedicated to protecting the productivity of consumers everywhere. “This agreement gives customers current and contextual information on their cybersecurity status so they can stay connected with confidence,” said Pedro Pablo Pérez, Global Security VP of Telefónica and CEO of ElevenPaths, Telefónica Cybersecurity Unit.

ElevenPaths and McAfee’s joint vision to create a more secure tomorrow brings us a step closer to stopping widespread cyberattacks. By joining forces to implement more robust security solutions around the world, we can ensure that our connectivity goes undisrupted. Because together is power.

To learn more about consumer security and our approach to it, be sure to follow us at @ElevenPaths and @McAfee.

The post McAfee Partners With Telefónica To Help Secure Consumers Worldwide appeared first on McAfee Blogs.

MWC 2019: The Key to Establishing Digital Trust with Intelligent Connectivity

These days, it’s rare to walk into a home that doesn’t have a smart device in use. From voice assistants, smart TVs, tablets, and more, these devices have greatly enhanced our way of life through intelligent connectivity. Intelligent connectivity is defined by the highly contextualized and personal experiences offered by the smart devices we utilize on a daily basis. However, as manufacturers continue to push out the latest technology to stay ahead of their competitors, device security isn’t always top-of-mind. As a result, the level of confidence consumers have in their devices is reduced. At McAfee, we understand that the notion of digital trust is imperative to the future of security as we adopt technologies shaped by the likes of 5G networks, the Internet of Things (IoT), artificial intelligence (AI), and big data. And as we head into Mobile World Congress 2019 (MWC), one can’t help but wonder, how will these advancements shape the future of mobile connectivity?

Almost every new device is built to connect, and as our 2019 Threats Predictions Report showed us, our dependence on technology is ubiquitous. Take your smartphone, for example. Everywhere you go, this minicomputer allows you to chat with your friends online, send emails, and look up new information with just the press of a button. Only upping the ante, 5G is set to roll out across the nation, bringing greater speed to handheld devices with more data and lower latency. These benefits will set the stage for more IoT devices, such as your smart refrigerator or smart plug, to connect to the network as well. The ability to control the temperature of your refrigerator from your smartphone is a pretty cool capability. But what happens if your smartphone gets hacked and a cybercriminal remotely disables your refrigerator? You may be left with a bigger problem than some spoiled food.

With all of your smart devices on the same 5G network, malicious actors can gain full access to the data that lives in your smart home technology through just your mobile phone. The increase in devices on the 5G network also increases the risk of distributed denial-of-service (DDoS) attacks. These attacks are caused by cybercriminals flooding a network with so much traffic that it can’t operate or communicate as it normally would. And with more IoT devices operating on the 5G network, the consequences of such a cyberattack could be truly crippling. So, how can we continue to trust the devices we use on a daily basis despite the cybersecurity risks caused by greater connectivity?

Digital trust, or the level of confidence consumers have in their technology and mobile devices, is extremely delicate. And as our experiences with our devices become more and more personalized thanks to intelligent connectivity, it’s important to realize that it can’t be intelligent if there is no trust. That’s why consumers should embrace advancements in mobile technology but remember to keep cybersecurity practices at the forefront.

Whether you’re headed out to Barcelona for MWC 2019 or watching from afar, we here at McAfee are committed to helping you take the necessary precautions required in order to connect with confidence in a world where everything is built to connect.

Stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post MWC 2019: The Key to Establishing Digital Trust with Intelligent Connectivity appeared first on McAfee Blogs.

The Risks of Public Wi-Fi and How to Close the Security Gap

As I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPN

The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

A VPN allows you to connect to a proxy server that will access online sites on your behalf and enables a secure connection most anywhere you go. A VPN also hides your IP address and allows you to browse anonymously from any location.

How VPNs work

To use a VPN, you subscribe to a VPN service, download the app onto your desktop or phone, set up your account, and then log onto a VPN server to conduct your online activity privately.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi 

Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams that use clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams 

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams 

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime, delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email, asking you to review a product to get rewards. If you click on the link it could deliver malware, or even ransomware.

Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

How to Keep Your Kids Safe on the Internet (10 Actionable Tips)

These 10 actionable tips will improve Internet safety for your kids and we recommend you follow them right now.

Safer Internet Day 2019 is an international event happening on the 5th of February and is aimed at raising awareness on online safety by promoting safer and positive use of technology for children.

This year’s main theme was “Together for a better Internet” calling everyone to take action and join the movement for creating a better Internet for kids and young people.

Over the past years, technology has evolved beyond our control and has improved many aspects of our lives and our kids’ knowledge base, but what about its risks?

According to one report from US-based PCMag, 76% of parents are worried about their kids’ online safety and have major concerns over the danger they are exposed to.

Kids nowadays grow up with technology, and parents’ core challenge is to find the best ways to limit and control their access to the Internet.

With so much information flooding the Internet today, there’s an increasing danger of children becoming an easy target for malicious actors trying to take advantage of their lack of knowledge.

From falling for online scams and sharing too much personal data to cyberbullying or meeting online sexual predators, these are some of the biggest risks that children face online.

Online protection for children is difficult to cover in detail in just one article, as there are many different aspects to it, but our main focus is to highlight the most actionable tips parents can apply to protect kids when navigating online.

Apply these 10 actionable tips to improve Internet safety for your children

1. Educate your kids about cybersecurity and online threats

You want your kids to spend time on the Internet and take advantage of the learning opportunities, but you also want them to be safe. To do that, you need to explain online threats, and how to identify them, in simple, kid-friendly language.

When it comes to cybersecurity, education plays a vital role during the learning process, and parents need to talk to their children about safe browsing on the Internet, the malicious sites they might access, the different forms of cyberbullying, and other necessary topics that help them get a bigger picture of what’s going on.

The more openly you speak with your kids about online threats and their activity on the Internet, the easier it is for them to understand what they see or hear online.

The following questions could prove useful for you and your kids and family. You’ll also find helpful information on key topics that will help you enhance your online safety:

These are just a few key topics you and your family should address and focus on to improve online safety.

2. Set usage limits and time spent on the Internet for your kids

The Internet might be a fascinating world for kids, but most parents become really concerned about the time spent there. If you notice your kid is developing an addiction to staying up all night to be on the Internet, it could be a sign to set usage limits on the time spent on the Internet. Make sure you clearly tell them about the time they can spend on their computer or laptop.

Parents should also clarify what their kids can and can’t do when they navigate online.

3. Be patient and listen to your kids. Let them teach you

Staying online can be a daunting task and we cannot always predict where a discussion or comment will go or what type of people we find on social media networks.

You may check your kids’ computers, their smartphones or any other Internet-connected devices on a daily basis, but it really helps to listen to them.

But how much do we actually know about our children?

In just a few words…not very much, because there will always be methods to evade our attention.

So, we strongly advise you to be patient and listen to your kids. Let them teach you about the social media platforms they use or the latest video that went viral on Youtube.

This is by far the easiest way to get information about their online habits, instead of losing time spying on their computers and trying to understand their browsing history.

So, just listen to them. Pretend that you don’t know too much about this Internet thing and let them start talking. There’s nothing more exciting for children than pretending to be teachers. Not to mention the trust they gain in themselves and finally, in you, as a parent.

4. Use parental control software to monitor your child’s online activities

Given the increasing number of devices kids use to connect to the Internet, it’s difficult for parents to supervise them every time they’re online. Parental control apps can help. They are a great way to track your children’s online behavior and control what they are doing on their smartphones or other devices.

These software solutions act as an online guardian and help parents better monitor kids’ Internet usage, keep track of visited sites, control the Internet connection time, or block malicious websites and report any unusual online activity.

If you want to monitor your kids’ activity and are looking for free parental control software tools, this list comes in handy.

5. Install an antivirus solution on your kids’ devices

We all know that kids are naturally curious and attracted to new things, and they can easily access malicious links from untrusted websites or download video games from unknown web locations.

Thus, you need to consider installing a good antivirus solution from a reliable company that packs a real-time scanning engine, firewall and automatic update.

To help you decide what is the best solution for you and your family, whether you need free or paid antivirus, this in-depth security guide might help.

6. Keep your child’s software up-to-date

Here’s another Internet safety tip every parent should follow. Make sure the Windows operating system on your child’s device, along with its software such as browsers, plugins and desktop apps, has all the latest available security patches installed. These updates include both security and feature patches and are meant to fix or improve the software you use.

If you aren’t aware of the importance of software patching, please read what security experts have to say about this topic.

Throughout our security alerts, we’ve learned that cybercriminals usually gain access to networks and systems by exploiting security flaws found in popular software tools like Adobe Flash, Java or browsers like Internet Explorer, Mozilla Firefox and Google Chrome.

That’s why you need to verify the device your children are using and make sure all necessary security patches are installed.

For monitoring your kid’s computer apps and securely deploying updates as soon as they’re available, you can use our Thor Free security solution which does an excellent job.

7. Don’t let kids navigate online without installing an anti-malware solution

If you hear your child complaining about slow-down issues, pop-ups all over the screen, new toolbars, a different default engine or random error messages, these could be warning signs of a malware infection.

An antivirus solution is no longer enough to protect you and your family against next-gen malware. To keep your kids safe on the Internet, we recommend using an anti-malware solution as an extra layer of protection to secure your digital assets.

8. Secure your Home Wireless network from prying eyes

The home Wi-Fi network is usually accessed only by members of the same house, but that doesn’t mean that malicious actors can’t get unauthorized access.

To better secure your home wireless network from prying eyes, the first thing to do is set up a strong and unique password so neighbors or other people can’t take control over your personal data.

But we have to take security seriously and do more than just add a strong password. Online criminals might exploit your poor Wi-Fi security measures and “listen” to your traffic in order to retrieve sensitive information or take advantage of your network to launch attacks such as Man-in-the-Middle attacks, network sniffing or data theft.

We recommend checking out this guide of 12 simple and essential steps for enhancing the security of your home wireless network.

9. Do NOT connect to unsecured WiFi networks outside your home

Your children may be safe at home, but with so many public Wi-Fi networks they connect to, how can we be sure they will remain safe?

We often go to public places and enjoy a coffee or tea, without even thinking about the online dangers or hackers that could wait for our connection to start.

Even if we can’t be everywhere, there are still a few things we can do to greatly improve their online security.

First, make sure the smartphone, laptop or tablet they use has some sort of protection, like anti-spyware or antivirus protection to keep the software protected against exploits and security breaches.

Secondly, information is the secret to your kids’ online safety, no matter where they are, so read these actionable measures on how you can improve security on public Wi-Fi networks.

10. Online habits have real-life consequences

As challenging as it might be for children to understand the risks of being online, cybersecurity awareness is vital these days. We should teach them to avoid talking to strangers online and to distinguish between fake and real news, and explain the most frequent security risks out there.

Various choices and decisions should be made to strengthen our family’s security strategy, but first we need to establish what it is that we are afraid of. The limits we set may strengthen our online security strategy, but at the same time, we could risk blocking the natural development of our children, who are surrounded by tech gadgets.

Children need to acknowledge that online actions lead to real-life consequences, and practice good cyber hygiene to use the Internet safely.

We put together these 4 resources to learn how to increase your kids’ online privacy and secure your most valuable data:

Online Privacy in Under 1 Hour: Improve your Security Fast

Here are the Top Online Scams You Need to Avoid Today [Updated 2018]

The ABCs of Detecting and Preventing Phishing

Best free security and privacy tools in 2019

Final thoughts 

We need to teach children about cyber threats that endanger their online safety. But we also need to “preach” online protection from malware threats and phishing attempts that usually target unaware or uneducated minds.

How do you keep your kids safe from online threats today? What methods are you using? Feel free to share your thoughts in a comment below.


*This article was initially published by Andra Zaharia in March 2015 and updated by Ioana Rijnetu in February 2019.

The post How to Keep Your Kids Safe on the Internet (10 Actionable Tips) appeared first on Heimdal Security Blog.

Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You?

A classic meet-cute – the moment where two people, destined to be together, meet for the first time. This rom-com cornerstone is turned on its head by Netflix’s latest bingeable series “You.” For those who have watched, we have learned two things. One, never trust someone who is overly protective of their basement. And two, in the era of social media and dating apps, it’s incredibly easy to take advantage of the amount of personal data consumers readily, and somewhat naively, share online and with the cloud every day.

We first meet Joe Goldberg and Guinevere Beck – the show’s lead characters – in a bookstore: she’s looking for a book, and he’s a book clerk. They flirt, she buys a book, he learns her name. For all intents and purposes, this is where their story should end – but it doesn’t. With a simple search of her name, Joe discovers the world of Guinevere Beck’s social media channels, all conveniently set to public. And before we know it, Joe has made himself a figurative rear-window into Beck’s life, which brings to light the dangers of social media and highlights how a lack of digital privacy could put users in situations of unnecessary risk. With this information on Beck, Joe soon becomes both a physical and digital stalker, even managing to steal her phone while trailing her one day, which as luck would have it, is not password protected. From there, Joe follows her every text, plan and move thanks to the cloud.

Now, while Joe and Beck’s situation is unique (and a tad dramatized), the amount of data exposed via their interactions could potentially occur through another romantic avenue – online dating. Many millennial couples meet on dating sites where users are invited to share personal anecdotes, answer questions, and post photos of themselves. The nature of these apps is to get to know a stranger better, but the amount of personal information we choose to share can create security risks. We have to be careful as the line between creepy and cute quickly blurs when users can access someone’s every status update, tweet, and geotagged photo.

While “You” is an extreme case of social media gone wrong, dating app, social media, and cloud usage are all very prevalent in 2019. Therefore, if you’re a digital user, be sure to consider these precautions:

  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public, so turn your profiles to private in order to have control over who can follow you. Take it a step further and go into your app settings to control which apps you want to share your location with and which ones you don’t.
  • Use a screen name for social media accounts. If you don’t want a simple search of your name on Google to lead to all your social media accounts, consider using a different variation of your real name.
  • Watch what you post. Before tagging your friends or location on Instagram and posting your location on Facebook, think about what this private information reveals about you publicly and how it could be used by a third-party.
  • Use strong passwords. In the event your data does become exposed, or your device is stolen, a strong, unique password can help prevent your accounts from being hacked.
  • Leverage two-factor authentication. Remember to always implement two-factor authentication to add an extra layer of security to your device. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.
  • Use the cloud with caution. If you plan to store your data in the cloud, be sure to set up an additional layer of access security (one way of doing this is through two-factor authentication) so that no one can access the wealth of information your cloud holds. If your smartphone is lost or stolen, you can access your password protected cloud account to lock third-parties out of your device, and more importantly your personal data.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You? appeared first on McAfee Blogs.

How Online Gamers Can Play It Safe

Online gaming has grown exponentially in recent years, and scammers have taken note. With the industry raking in over $100 billion in 2017 alone[1], the opportunity to funnel some money off through fraud or theft has proven irresistible to the bad guys, leaving gamers at greater risk.

From malware and phishing scams, to phony game hacks, identity theft, and more, gamers of all stripes now face a minefield of obstacles online and in real life. So, if you’re going to play games, it’s best to play it safe.

Here’s what to look out for:

Dodgy Downloads

Gamers who play on their computer or mobile device need to watch out for dangerous links or malicious apps disguised as popular or “free” games. Hackers often use innocent-looking downloads to deliver viruses and spyware, or even sign you up for paid services, without your consent. In one prominent case, more than 2.6 million Android users downloaded fake Minecraft apps that allowed hackers to take control of their devices.

Researchers have even discovered a ransomware threat that targets gamers. TeslaCrypt was designed to encrypt game-play data until a ransom is paid. Originally distributed through a malicious website, it has since been circulating via spam.

And while it’s true that game consoles like PlayStation and Xbox aren’t as vulnerable to viruses, since they are closed systems, that doesn’t mean that their users don’t face other risks.

Social Scams

Players on any platform could wind up with malware, sent directly from other players via chat messages. Some scammers use social engineering tricks, like inviting other players to download “helpful” tools that turn out to be malware instead. When you consider that 62% of kids play games where they speak to others, the odds of a risky interaction with a stranger seem quite real.

Players of the Origin and Steam services, for instance, were targeted by hackers posing as other players, inviting them to play on their teams. Over chat message, they suggested the players download an “audio tool” that turned out to be a keystroke logger, aimed at stealing their access credentials for the game.

Other social scams include malicious YouTube videos or websites, offering game bonuses and currency, for free.

Another widespread social threat is account takeover, or ATO for short. This is when a scammer hacks a real account in order to post spammy links, and scam messages that appear to come from a trusted contact. Some accounts, for games like League of Legends, have even been stolen and sold online for money because they boasted a high level, or rare skins.

Phishing

Finally, be on the lookout for phishing websites, offering free games or bonuses, or phishy emails prompting you to login to your account, with a link leading to a copycat gaming site. Often, these are designed to steal your login credentials or distribute fake games that contain malware.

Players of the wildly popular Fortnite, for example, have been particularly targeted. The latest phishing scam is aimed at stealing the third-party sign-in tokens that allow cybercriminals to access a user’s account, and the payment details associated with it.

So now that you know a little more about gaming threats, here’s how to win at playing it safe:

  1. Do Your Research—Before downloading any games from the Internet or app stores, make sure to read other users’ reviews first to see that they are safe. This also goes for sites that sell game hacks, credits, patches, or virtual assets typically used to gain rank within a game. Avoid illegal file-sharing sites and “free” downloads, since these are often peppered with malware. It’s always best to go for a safer, paid option from a reputable source.
  2. Play Undercover— Be very careful about sharing personal information, in both your profile information, and your chat messages. Private information, such as your full name, address, pet’s name, school, or work details, could be used to guess your account password clues, or even impersonate you. Consider playing under an alias.
  3. Be Suspicious—Since scammers use the social aspect of games to fool people, you need to keep your guard up when you receive messages from strangers, or even read reviews. Some YouTube and social media reviews are placed there to trick users into thinking that the game or asset is legitimate. Dig deep, and avoid looking for free hacks. Ask gamers you know in real life for recommendations that worked for them.
  4. Protect Yourself—Avoid using older versions of games, and make sure that games you do play are updated with patches and fixes. And if you think a gaming account may already have been compromised, change your passwords immediately to something unique and complex. Safeguard your computers and devices from known and emerging threats by investing in comprehensive security software, and keep yourself up-to-date on the latest scams.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

[1] According to The 2017 Year In Review Report by SuperData

The post How Online Gamers Can Play It Safe appeared first on McAfee Blogs.

Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure

Many of us rely on customer support websites for navigating new technology. Whether it’s installing a new piece of software or troubleshooting a computer program, we look to customer support to save the day. Unfortunately, cybercriminals are leveraging our reliance on customer support pages to access our personal information for financial gain. It appears that a malicious website is attempting to trick users into handing over their McAfee activation keys and personally identifiable information (PII) by disguising itself as the official McAfee customer support website.

So how exactly does this cyberthreat work? First, malicious actors advertise the fake website on Twitter. If a user clicks on the ad, they are presented with a “Download McAfee” button. When the user clicks on the download button, they are redirected to a screen prompting them to enter their name, email address, contact number, and product activation key to proceed with the download. However, when the user clicks on the “Start Download” button, they are redirected to a screen stating that their download failed due to an unexpected error.

 

At this point, the site owner has received the user’s personal data, which they could exploit in a variety of ways. And while this scheme may seem tricky to spot, there are a number of ways users can defend themselves from similar scams:

  • Be vigilant when clicking on social media links. Although it may be tempting to click on advertisements on your social media feed, these ads could possibly house sketchy websites developed by cybercriminals. Use caution when interacting with social media ads.
  • Go straight to the source. If you come across an advertisement claiming to be from a company and the link asks for personal data, it’s best to go directly to the company’s website instead. Use the official McAfee customer support page if you require technical support or assistance with your McAfee product.
  • Use security software. A security solution like McAfee WebAdvisor can help you spot suspicious websites and protect you from accidentally clicking on malicious links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure appeared first on McAfee Blogs.

Heimdal Security Supports the ROC Leeuwenborgh Capture the Flag (CTF) Challenge

We, at Heimdal Security, are focused on educating both our readers and customers through actionable and useful blog articles, security alerts, protection guides, online courses, and other helpful resources designed to enhance cybersecurity awareness.

Through every project, education remains a core focus. Our goal is to make online security and privacy simple and accessible to anyone, and we think this starts with understanding the basics.

We also believe in the power of the cybersecurity community and supporting it as much as possible.

Every time we have the chance to support young and passionate students with their educational endeavors, encourage them to develop security skills and dive deeper into the world of cybersecurity, we do it without hesitation.

With that in mind, we are happy to announce that we are supporting the students from ROC Leeuwenborgh in the Netherlands by providing security software during their upcoming CTF competition.

A Capture the Flag (CTF) competition is hosted at cybersecurity conferences and aims to challenge participants to use their security skills and solve problems by capturing “flags” from the compromised computer networks.

This type of event requires players to register with the red or the blue team and includes a series of challenges that vary in difficulty.

Students from the ROC Leeuwenborgh are competing for the blue team by trying to build their own CTF network with several “flags” and defend them against attacks of the red team.

They will present the network at the Security Congress event, “The Journey of the Digital Experience over cybersecurity” in Brightlands, Netherlands, which takes place on the 1st of February. During this event, there will be security talks held by students, consisting of different workshops, presentations, and demonstrations.

How the Capture the Flag network works

The Dutch students have built their own network using components and resources from their education center, which includes a Ubiquiti Access Point, a router, switches, the RedSocks Malicious Threat Detector (MTD), Network-attached storage (NAS) and 7 servers.

The Capture the Flag environment will be divided into three different levels: beginner, advanced and expert, and will focus on cracking the passwords of the Access Points (which will be encrypted) to get access to the network.

There will be two dedicated servers for the beginner level in which attendees (participants) will have to use the “EternalBlue” exploit used as part of the massive WannaCry ransomware in 2017.

During the CTF competition, participants will solve puzzles of different levels of difficulty (cryptographic, steghide, and others) to get a password that will help them unlock password-protected Word documents placed on the desktop. These docs will give them access to “flags” that will break two more servers in the beginner network. Participants will face more challenges trying to solve more puzzles before they access the advanced network.

The same methods apply for the “expert” level, but at this point, students will use Heimdal Security’s security solution, Thor Premium Home, to monitor networks and make the challenge more competitive.

During this event, participants will have to prove knowledge of offensive and defensive skills for hacking and protecting networks, cryptography, exploitation, etc., and they will work as a team to face challenges and capture all the flags in the specified timeframe.

The best team will be rewarded with attractive prizes.

The Dutch Police also joins the CTF competition

It’s worth mentioning that an important partner of this event is the Dutch Police, which will have a separate Capture the Flag network. Given the rise of advanced online threats, phishing, or DDoS attacks, the role of the Police and the IT specialists is indispensable for raising awareness about the importance of cybersecurity.

This CTF competition offers participants the opportunity to “become” IT specialists within the Dutch Police and use their hacking skills to collect as many flags as possible ahead of other competitors. It is mainly focused on cryptography and forensics, and participants are encouraged to bring their own device to join the competition. They will compete in the same environment and the winners will be rewarded with attractive prizes.

This is a great way for students, or professional and amateur hackers from the Dutch region and other places to learn hacking techniques, improve their problem-solving skills, and, most important, gain hands-on practice.

Bottom line, every Capture the Flag competition is a huge opportunity for students and people passionate about cybersecurity to think out of the box and test their team player skills.

If you have all these, take the leap and join the competition on the 1st of February!

More details about the event can be found here and information about the registration is here.

If you are interested in cybersecurity, or you want to embark on a career in infosec, you can always check out our free educational resources and learn how to better protect yourself against cybercriminals’ attacks.

The post Heimdal Security Supports the ROC Leeuwenborgh Capture the Flag (CTF) Challenge appeared first on Heimdal Security Blog.

Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy

It’s 2019 and technology is becoming more sophisticated and prevalent than ever. With more technology comes greater connectivity. In fact, by 2020, there will be more than 20 billion internet-connected devices around the world. This equates to more than four devices per person. As we adopt new technology into our everyday lives, it’s important to consider how this emerging technology could lead to greater privacy risks if we don’t take steps to protect our data. That’s why the National Cyber Security Alliance (NCSA) started Data Privacy Day to help create awareness surrounding the importance of recognizing our digital footprints and safeguarding our data. To further investigate the impact of these footprints, let’s take a look at how we perceive the way data is shared and whose responsibility it is to keep our information safe.

The Impact of Social Media

Most of us interact with multiple social media platforms every day. And while social media is a great way to update your friends and family on your daily life, we often forget that these platforms also allow people we don’t really know to glimpse into our personal lives. For example, 82% of online stalkers use social media to find out information about potential victims, such as where they live or where they go to school. In other words, social media could expose your personal information to users beyond your intended audience.

Certain social media trends also bring up issues of privacy in the world of evolving technology. Take Facebook’s 10-year challenge, a recent viral trend encouraging users to post a side-by-side image of their profile pictures from 2009 and 2019. As WIRED reporter Katie O’Neill points out, the images offered in this trending challenge could potentially be used to train facial recognition software for age progression and age recognition. While the potential of this technology is mostly mundane, there is still a risk that this information could be used inequitably.

How to Approach Requests for Personal Data

Whether we’re using social media or other online resources, we all need to be aware of what personal data we’re offering out and consider the consequences of providing the information. While there are some instances where we can’t avoid sharing our personal data, such as for a government document or legal form, there are other areas where we can stand to be a little more conservative with the data that we divulge. For example, many of us have more than just our close family and friends on our social networks. So, if you’re sharing your location on your latest post, every single person who follows you has access to this information. The same goes for those online personality quizzes. While they may be entertaining, they put an unnecessary amount of your personal information out in the open. This is why it’s crucial to be thoughtful of how your data is collected and stored.

So, what steps can you take to better protect your online privacy? Check out the following tips to help safeguard your data:

  • Think before you post. Before tagging your friends on Instagram, sharing your location on Facebook, or enabling facial recognition, consider what this information reveals and how it could be used by a third party.
  • Set privacy and security settings. If you don’t want the entire World Wide Web to be able to access your social media, turn your profiles to private. You can also go to your device settings and choose which apps or browsers you want to share your location with and which ones you don’t.
  • Enable two-factor authentication. In the event your data does become exposed, a strong, unique password can help prevent your accounts from being hacked. Furthermore, you can implement two-factor authentication to stay secure. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy appeared first on McAfee Blogs.

How Safe is Your Child’s School WiFi?

School WiFi. For many of our digital natives, school WiFi may even be a more important part of their daily life than the canteen!! And that is saying something…

You’d be hard pressed to find a child who rocked up to school without a device in their backpack in our digital age. The vast majority of schools have embraced the many positive learning benefits that internet-connected devices offer our kids. The traditional blackboard and textbook lessons that were confined to the four walls of the classroom are gone. Instead our kids can research, discover, collaborate, create and most importantly, learn like never before.

But in order for this new learning to occur, our kids need to be internet connected. And this is where school WiFi comes into play.

Do Parents Need to Be Concerned About School WiFi?

As parents, we have a responsibility to ensure our kids are safe and not at risk – and that includes when they are using the WiFi at school. Ideally, your child’s school should have a secure WiFi network but unfortunately, that doesn’t mean that they do. School budgets are tight and top-notch secure WiFi networks are expensive, so in some cases, security may be jeopardised.

The other factor we shouldn’t ignore is that our batch of digital natives are very tech literate. The possibility that one of them may choose to cause some mayhem to their school WiFi network should also not be ignored!!

At the end of the day, the security of a WiFi network is all about whether it has tight access controls. If it allows only approved devices and people to connect via a secure login then it is more secure than public WiFi. However, if it is open to anyone or easy for anyone to connect to it, then you need to treat it like public WiFi.

What Are the Risks?

An unsecured school WiFi network is as risky as public WiFi which, according to the Harvard Business Review, is as risky as rolling a dice.

Students and staff who use an unsecured WiFi network are at risk of receiving phishing emails, being the victim of a ransomware attack or even having their data or personal details stolen. There is also a risk that the entire school’s operations could be disrupted and possibly even closed down through a DDoS – a Distributed Denial of Service attack.

What Can Parents Do to Ensure Their Kids Are Safe Using School WiFi?

There are several steps parents can take to minimise the risks when their offspring use school WiFi.

  1. Talk To Your School

The first thing to do is speak to your child’s school to understand exactly how secure their network is. I’d recommend asking who has access to the network, what security practices they have in place and how they manage your child’s private data.

  2. Install Security Software

Operating a device without security software is no different to leaving your front door unlocked. Installing security software on all devices, including smartphones, will provide protection against viruses, online threats, risky websites and dangerous downloads. Check out McAfee’s Total Protection security software for total peace of mind!

  3. Keep Device Software Up To Date

Software updates are commonly designed to address security issues. So ensuring ALL your devices are up to date is a relatively easy way of minimising the risk of being hacked.

  4. Schedule Regular Data Back Up

If you are the victim of a ransomware attack and your data is backed up, then you won’t even have to consider paying the hefty fee to retrieve your (or your child’s) data. Backing up data regularly should be non-negotiable; however, life can often get in the way. Why not schedule automatic backups? I personally love online backup options such as Dropbox and Google Drive; however, you may choose to invest in a hard drive.

  5. Public Wi-Fi Rules?

If, after talking to your school, you aren’t convinced that your child’s school WiFi network is secure, then I recommend that your kids treat it as if it was public WiFi. This means that they should NEVER conduct any financial transactions using it and never share any personal details. But the absolute best way of ensuring your child is safe using an unsecured WiFi network is to use a Virtual Private Network (VPN). A VPN like McAfee’s Safe Connect creates an encrypted tunnel so anything that is shared over WiFi is completely safe.

As a mum of 4, I am very keen to ensure my kids are engaged with their learning. And in our digital times, this means devices and WiFi. So, let’s support our kids and their teachers in their quest for interactive, digital learning but please don’t forget to check in and ensure your kids are as safe as possible while using WiFi at school.

Take Care

Alex xx

The post How Safe is Your Child’s School WiFi? appeared first on McAfee Blogs.

5G Is Coming: Security Risks You Need to Know About

The future of connectivity is here – 5G. This new network is set to roll out across the nation this coming year and bring greater speed to our handheld devices, which means more data and lower latency. But perhaps one of the most anticipated and popular benefits is that it will allow even more IoT devices to come online and encourage more connection between said devices. This would enable users to remotely connect to or monitor their IoT devices like kitchen or security gadgets. The promise of more connectivity, a smoother IoT user experience, and even more devices online means there are likely more opportunities and avenues for cyberattacks. 5G will no doubt shape the foreseeable future; let’s see how.

Today, interconnected devices operate on low-powered, low-data-rate networks, such as Cat-M and NB-IoT. With the introduction of 5G networks across the world, the capabilities of VR and AR, AI and ML, and automation and robotics will be enhanced immensely. Take self-driving cars, for example. These machines require close proximity to their computing to reduce the latency of decision making. The capabilities of 5G don’t end there either. From manufacturing, transportation and logistics, to public safety and the establishment of smart cities, industries are at the ready to take their business to the next level with 5G. With this newfound growing anticipation for the future of 5G, the question has to be asked: what are the security implications for smaller IoT devices?

From an innovation standpoint, 5G is a beacon of light, but from a cybersecurity standpoint, 5G is a “hotbed for a new era of intensified cyberwar.” Distributed denial-of-service (DDoS) attacks are a particular cause of concern for cybersecurity researchers. Devices like refrigerators, thermometers, even light bulbs, will be able to come online because of 5G. Users will be able to remotely check on these appliances through a simple app, but these devices can also be usurped by malicious characters. This increased connectivity and power could see big name sites down for days, or even affect city utility capabilities. Government agencies and private entities are not immune either, but they do have plans in place in the event a DDoS attack occurs.

While consumers can only wait and see what happens with the rollout, industries across the board will want to harness the benefits of 5G. However, consumers and organizations alike need to be cautious in terms of how 5G could be used to help, or hinder, us in the future. Rest assured, even if malicious actors utilize this technology, McAfee’s security strategy will continue to keep pace with the ever-changing threat landscape.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post 5G Is Coming: Security Risks You Need to Know About appeared first on McAfee Blogs.

AI & Your Family: The Wows and Potential Risks

Am I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

Just a few everyday examples of AI:

  • Cell phones with built-in smart assistants
  • Toys that listen and respond to children
  • Social networks that determine what content you see
  • Social networking apps with fun filters
  • GPS apps that help you get where you need to go
  • Movie apps that predict what show you’d enjoy next
  • Music apps that curate playlists that echo your taste
  • Video games that deploy bots to play against you
  • Advertisers who follow you online with targeted ads
  • Refrigerators that alert you when food is about to expire
  • Home assistants that carry out voice commands
  • Flights you take that operate via an AI autopilot

The Technology

While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

And there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying in both comments and photos.

No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

Talking points for families

Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely make it easier for hackers to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of the AI-related scams and warn your family to think about every click — even those from friends.

IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point-of-entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, be sure to change the default password and secure your primary network and guest network with strong passwords.

The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blogs.

The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

You may be wondering, how was all this data collected? It appears that this data comprises a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords, in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 second in size only to the Yahoo breach, and the largest public breach ever (given the data was openly exposed on the internet).

It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

  • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
  • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.
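
What credential stuffing looks like from the defending service's side, as an added example that is not from the original post: one source tries many different accounts with mostly failed logins, and any success marks an account whose reused password needs resetting. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, made-up accounts).
# Assumed format: ISO timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2019-01-17T09:00:01Z 198.51.100.7 alice@example.com FAIL
2019-01-17T09:00:02Z 198.51.100.7 bob@example.com FAIL
2019-01-17T09:00:03Z 203.0.113.20 carol@example.com FAIL
2019-01-17T09:00:04Z 198.51.100.7 dave@example.com FAIL
2019-01-17T09:00:05Z 198.51.100.7 erin@example.com OK
2019-01-17T09:00:06Z 198.51.100.7 frank@example.com FAIL
2019-01-17T09:00:07Z 203.0.113.20 carol@example.com FAIL
2019-01-17T09:00:08Z 198.51.100.7 grace@example.com FAIL
2019-01-17T09:00:30Z 203.0.113.20 carol@example.com OK
2019-01-17T09:10:00Z 192.0.2.44 heidi@example.com OK
this line is malformed and must be skipped
"""


def parse_events(text):
    """Yield (time, ip, account, ok) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, parts[1], parts[2].lower(), parts[3] == "OK"


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A user who mistypes a password retries ONE account; a stuffing run
    walks through MANY accounts, one leaked password each. Returns
    {ip: {"accounts": set, "compromised": set}} where "compromised" holds
    accounts that logged in successfully from a flagged source.
    """
    recent = defaultdict(deque)  # ip -> events inside the sliding window
    findings = {}
    for when, ip, account, ok in sorted(events):
        queue = recent[ip]
        queue.append((when, account, ok))
        # Drop events that have aged out of the window.
        while queue and when - queue[0][0] > window:
            queue.popleft()
        accounts = {acct for _, acct, _ in queue}
        failures = sum(1 for _, _, good in queue if not good)
        if (len(accounts) >= min_accounts
                and failures / len(queue) >= min_fail_ratio):
            hit = findings.setdefault(
                ip, {"accounts": set(), "compromised": set()})
            hit["accounts"] |= accounts
            hit["compromised"] |= {acct for _, acct, good in queue if good}
    return findings


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, "tried", len(hit["accounts"]), "accounts;",
              "force a reset for:", sorted(hit["compromised"]))
```

The repeated failures for a single account from 203.0.113.20 are not flagged, which is the difference between a forgotten password and a stuffing run.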

The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

Children’s Charity or CryptoMix? Details on This Ransomware Scam

As ransomware threats become more sophisticated, the tactics cybercriminals use to coerce payments from users become more targeted as well. And now, a stealthy strain is using deceptive techniques to mask its malicious identity. Meet CryptoMix ransomware, a strain that disguises itself as a children’s charity in order to trick users into thinking they’re making a donation instead of a ransom payment. While CryptoMix has used this guise in the past, they’ve recently upped the ante by using legitimate information from crowdfunding pages for sick children to further disguise this scheme.

So, how does CryptoMix trick users into making ransom payments? First, the victim receives a ransom note containing multiple email addresses to contact for payment instructions. When the victim contacts one of the email addresses, the “Worldwide Children Charity Community” responds with a message containing the profile of a sick child and a link to the One Time Secret site. This website service allows users to share a post that can only be read once before it’s deleted. CryptoMix’s developers use One Time Secret to distribute payment instructions to the victim and explain how their contribution will be used to provide medical help to sick children. The message claims that the victim’s data will be restored, and their system will be protected from future attacks as soon as the ransom is paid. In order to encourage the victim to act quickly, the note also warns that the ransom price could double in the next 24 hours.

After the victim makes the payment, the ransomware developers send the victim a link to the decryptor. However, they continue to pretend they are an actual charity, thanking the victim for their contribution and assuring them that a sick child will soon receive medical help.

CryptoMix’s scam tactics show how ransomware developers are evolving their techniques to ensure they make a profit. As ransomware threats become stealthier and more sophisticated, it’s important for users to educate themselves on the best techniques to combat these threats. Check out the following tips to help keep your data safe from ransomware:

  • Back up your data. In order to avoid losing access to your important files, make copies of them on an external hard drive or in the cloud. In the event of a ransomware attack, you will be able to wipe your computer or device and reinstall your files from the backup. Backups can’t always prevent ransomware, but they can help mitigate the risks.
  • Never pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments.
  • Use security software. Adding an extra layer of security with a solution such as McAfee Total Protection, which includes Ransom Guard, can help protect your devices from these types of cyberthreats.

The post Children’s Charity or CryptoMix? Details on This Ransomware Scam appeared first on McAfee Blogs.

2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2)

In part 1 of this retrospective, we took stock of what happened in the first 6 months of 2018 and what we had to learn in terms of cybersecurity and privacy. Now, we review the second part of the year and inventory the most relevant insights and actionable advice.

Got anything else to add? Drop us a line.

July in cybersecurity review

The bad news:

This summer was hotter than usual for health care companies, with two of them losing incredible amounts of data and funds to malware attacks.

The same SamSam ransomware that hit the city of Atlanta and caused damages upwards of $10 million encrypted the machines of LabCorp, a major lab services provider.

In Canada, CarePartners found the medical histories and contact information of 80,000 of its patients stolen in a massive data breach and held for ransom. Some of those patients even had active credit card numbers and expiry dates on file.

“The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years ‘by chance,’ and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes ‘completely unnoticed,’” highlighted a CBC News report.

The good news:

In July, Google took us all by surprise by announcing the end of phishing. Well, at least among Google’s ranks. The company reported it completely eliminated phishing among its employees by switching to physical keys for 2-factor authentication.

For those who missed this news, a physical key is simply a USB device that works the same as the codes online services text you or provide for you as an extra security layer after the password. With a physical key, to log in you input your password, then connect the device and it will authenticate you instead of that code.

Takeaways:


Why are physical keys better? Well, barring the hassle of having to buy a device, they work with most services and completely eliminate hackers’ ability to hijack your SMS messages to intercept the code.

That’s an easy thing to do for them and that’s why we always recommend using a dedicated app for 2FA, not SMS-based codes. Furthermore, with physical keys, you eliminate the hassle of having to open an app every time and putting in the unique code.

August in cybersecurity review

The bad news:

August kicked off with another high-profile ransomware attack. A WannaCry strain hit TSMC (Taiwan Semiconductor Manufacturing Co.), one of Apple’s biggest suppliers of components for iPhones, Apple Watches and iPads.

TSMC traced the incident to a supplier who connected an infected device to a computer, without scanning it beforehand, which caused the ransomware to spread until it took down three plants.

Oh yes, and the Alaskan borough of Matanuska-Susitna was, as this outlet put it, “cast back to the dark ages” after BitPaymer ransomware took out almost 500 workstations and 120 out of 150 servers.

If ransomware wasn’t enough, the organization was also under fire from an external attacker, which gained access to the network and deployed the Emotet banking trojan. Everything from email to phones, doors and payment systems went down, which forced employees to actually pull out typewriters and pens to write receipts by hand.

“In 35 years in the business, this is the worst I’ve seen. It’s meant to disrupt our way of life,” said Eric Wyatt, the organization’s IT director.

The good news:

While things were pretty dire during summer’s last month, there was one great thing that happened.

Apple removed Onavo Protect, a Facebook-owned VPN, from its app store. What for? Data collection, obviously. Apple wasted no time to tell Facebook that its Onavo Protect violated the App Store Guidelines, which specifically try to stop app developers from farming user data then selling it to third parties.

Why a VPN though?

Because Onavo Protect did more than just reroute users’ traffic to a Facebook-owned website, it also “improved” its service by “analyzing your use of websites, apps, and data.” It was a ham-fisted attempt by Facebook to collect even more information from those who, in theory, care about privacy. Fortunately, Apple continued their strategy of protecting user privacy and data security in their ecosystem.

As for Google, the company allowed Onavo Protect to be available for download.

Takeaways:

If you truly care about privacy, not just accessing region-locked services or content, do your research on the VPN provider you pick. Otherwise, you’re paying for nothing, as some VPN services actually collect your data and sell it to third parties.

We put together a few tips on this here.

September in cybersecurity review

The bad news:

Summer ended with a big headache for 380,000 British Airways customers, after the company announced that, between August 21 and September 5, booking transactions were compromised in an attack.

Basic information like names and addresses was stolen, but the travelers’ problems didn’t end there, because hackers also made off with payment card details. How did this happen?

The hackers performed a cross-site scripting attack, in which they targeted an unsecured web page component and injected malicious JavaScript code to hijack personal information.

Anyone who visited the baggage claim information page had their information stolen once they eventually used the payment form.

The good news:

After what seemed like endless months of waiting for perpetrators to be caught, the US Department of Justice announced that it had finally charged one of the hackers involved in the WannaCry attack.

The fact that the hacker in question is North Korean and belongs to an organization also blamed for the massive Sony Breach and an $81 million robbery should surprise no one.  The positive takeaway here is that authorities managed to create a damning paper trail between the individual and the North Korean government, eliminating any doubt that WannaCry was a state-sponsored attack.

“The insight into how an adversary like this works can help defenders plan on what they might be up to,” explained Ben Read, senior manager of cyberespionage analysis at FireEye in a Wired article covering the event.

Takeaways:

The old “cybersecurity is a high-stakes cat and mouse game” line comes to mind. These two news stories from September really do put into perspective hackers’ creativity (here is how they change tactics during attacks) and the challenges of apprehending them.

October in cybersecurity review

The bad news:

October showed that old tactics still work for new attacks.

Cryptomining malware might be a 2018 “novelty”, but fake updates and installers are old as dirt. Combine them and you get fake Adobe installers that really do install a new version of Flash but also sneak in a cryptojacking script that will enslave your PC to mine cryptocurrency.

We explained in this piece what cryptojacking really means, how you can secure your devices against it and what you need to be aware of. If you know the basics, it’s easier to avoid even more advanced attacks.

The good news:

The best news in October comes from Google, which released an important privacy app for all Android phones made in the last 7 years.

Called Intra, the free app encrypts Domain Name System (DNS) connections on mobile and covers an important gap in privacy measures.

Until now, visiting HTTPS-only websites has been essential but still not totally private, as DNS is usually unencrypted and can be hijacked in order to steal your information. For journalists and other people operating in dangerous, surveillance-heavy areas, this tool is extremely valuable, as it protects from “DNS manipulation, a type of cyber attack used to block access to news sites, social media platforms, and messaging apps.”

Takeaways:

If you have an older smartphone running Android, Intra is a free download.

If you have a newer Android device running Android 9 Pie, you can control these settings by going to this path: Settings > Network & Internet > Advanced > Private DNS.

To avoid cryptojacking, the most basic of measures would be to either make sure you’re downloading patches and software from the official site or simply use a trusted software installer that makes sure updates are legitimate and deployed immediately.

November in cybersecurity review

The bad news:

Japan’s cybersecurity minister said point blank that he had never used a computer. He also revealed that, since the age of 25, he has “instructed” his employees and secretaries to use computers on his behalf.

Seeing how November 30 was Computer Security Day and security experts around the world took to social media to share helpful cybersecurity tips, we hope at least Mr. Sakurada’s employees and secretaries took note.

In any case, the incident did not do wonders for public confidence in how the Government approaches data security.

The good news:

The last few days of November saw a major, yet funny hacking incident. One user was inspired by how many unsecured printers he found using a popular security tool and decided to start a funny awareness campaign. He sent out this message to be printed on those unsecured devices and, at the same time, promote his favorite streamer with hilarious results.

 

 

Takeaways:

Cases like Japan’s questionable leadership make it even more necessary to learn cybersecurity basics yourself and protect your valuable information. Don’t have time to go hunting for that knowledge?

This quick course delivers one easily doable (and memorable!) security tip in your inbox every day, for a whole year.

We’re classifying the Pewdiepie event as good news because the hacker in question only wanted to spread awareness over insecure IoT devices.

Even better, they did it by tying into the humongous popularity of an Internet influencer, reaching a lot of people who otherwise wouldn’t have been exposed to good security practices.
With so many troublesome reports and devices hijacked for nefarious purposes, old-fashioned pranks like these seem like a breath of fresh air.

Curious to find out what can happen with insecure devices? We explained more here.

December 2018 in cybersecurity review

The bad news:

As 2018 was hurtling to the finish line, there was a massive Google+ data breach (resist the urge to roll your eyes), a massive Quora hack (another major service compromised) and bitcoin scams evolving into bomb threats (we told you hackers are creative!).

SplashData again released its list of the most common passwords in the world and how they changed compared to last year, showing just how lax users are when it comes to protecting their own devices and accounts.

  1. 123456 Unchanged
  2. password Unchanged
  3. 123456789 Up 3
  4. 12345678 Down 1
  5. 12345 Unchanged
  6. 111111 New
  7. 1234567 Up 1
  8. sunshine New
  9. qwerty Down 5
  10. iloveyou Unchanged

At least two-factor authentication is more widespread nowadays, with services forcing users to rely on more than a single password, so the list above might not spell doom as it did in past years. You could also smile at so many I love yous that unlock devices if you’re feeling optimistic.

However, good password practices are mandatory, so try to be a bit more creative with them or use a password manager.

The good news:

Though the weather report for security was frightful in 2018, privacy-oriented Mozilla (parent company of Firefox, one of the browsers we highly recommend) managed to send out a very valuable message to its user base and beyond.

Just in time for the holiday bonanza, when Christmas scams and other dangers multiply exponentially, Mozilla released a holiday shopping guide named “Privacy Not Included.”

Not only is it useful on its own, showing the trendiest gadgets if you’re looking for a gift, but it also brings security and privacy front and center, pinpointing the IoT and smart devices that are insecure by design.

Takeaways:

No doubt about it, 2018 has not been an easy year, not for regular users and not for businesses.

Just how many data breaches happened?

This handy visualization tool will probably burn itself on your eyelids. Hopefully, it will also kick you into gear so that you consider spending a bit of time reviewing the information you share with services.


This AI-powered tool can go into the legalese of privacy policies and give you a much better overview of what happens to your data.

You should also consider getting the right online security so your digital life won’t be besieged by malware, cryptojacking, phishing, and other major threats.

We put together these guides for you, so take the opportunity to step into a more secure, more private 2019:

Do you have any other recommendations and tools for data privacy and security? Feel free to share below.

 

The post 2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2) appeared first on Heimdal Security Blog.

How to Protect Three Common IoT Devices in 2019

It’s no secret – IoT devices are creeping into every facet of our daily lives. In fact, Gartner estimates there will be 20.4 billion IoT devices by the year 2020. More devices mean greater connectivity and ease of use for their owners, but connectivity also means more opportunities for hacks. With CES 2019 kicking off this week, we turn our focus toward the year ahead, and take a look at some of the IoT devices that are particularly high-profile targets for cybercriminals: gaming systems, voice tech, routers, and smart cars.

Routers

Routers are very susceptible to attacks as they often come with factory-set passwords that many owners are unaware of or don’t know how to change, making these devices easy targets for hackers. That’s bad news, since a router is the central hub in a connected home. If a router is compromised and all of the devices share the same Wi-Fi network, then they could potentially all be exposed to an attack. How? When an IoT device talks to its connected router, the device could expose many of its internal mechanisms to the internet. If the device does not require re-authentication, hackers can easily scan for devices that have poorly implemented protocols. Then with that information, cybercriminals can exploit manufacturer missteps to execute their attacks. To help protect your router (and thus all your other devices), a best practice is to consider one with a layer of protection built-in, and be sure to use a long and complex password for your Wi-Fi network.

Gaming Systems

Over ten years ago, researchers found that many video gaming consoles were being distributed with major security issues involving the Universal Plug and Play protocol (UPnP), a feature that allows IoT devices on a network to see each other and interact with one another. However, not much has been done to solve the problem. By exploiting the UPnP weaknesses in gaming systems to reroute traffic over and over again, cybercriminals have been able to create “multi-purpose proxy botnets,” which they can use for a variety of purposes. This is just the jumping-off point for malicious behavior by bad actors. With this sort of access into a gaming system, they can execute DDoS attacks, malware distribution, spamming, phishing, account takeovers, click fraud, and credit card theft. Our recent gaming survey found that 64% of respondents either have or know someone who has been directly affected by a cyberattack, which is an astonishing uptick in attacks on gamers. Considering this shift, follow our tips in the section above for routers and Wi-Fi, never use the same password twice, and be wary of what you click on.

Voice Tech

In 2018, 47.3 million adults had access to smart speakers or voice assistants, making them one of the most popular connected devices for the home. Voice-first devices can be vulnerable largely due to what we enable them to be connected with for convenience: delivery, shopping, and transportation services that leverage our credit cards. While it’s important to note that voice-first devices are most often compromised within the home by people who have regular access to your devices (such as kids) when voice recognition is not properly configured, any digital device can be vulnerable to outside attacks too if proper security is not set up. For example, these always-on, always-listening devices could be infiltrated by cybercriminals through a technique called “voice squatting.” By creating “malicious skills,” hackers have been able to trick voice assistants into continuing to listen after a user finishes speaking. In this scenario an unsuspecting person might think they’re connecting to their bank through their voice device, when unbeknownst to them, they’re giving away their personal information. Because voice-controlled devices are frequently distributed without proper security protocols in place, they are the perfect vehicle for executing a cyberattack on an unsuspecting consumer. To protect your voice assistants, make sure your Wi-Fi password is strong, and be on the lookout for suspicious activity on linked accounts.

While you can’t predict the future of IoT attacks, here are some additional tips and best practices on how to stay ahead of hackers trying to ruin your year:

  • Keep your security software up-to-date. Software and firmware patches are always being released by companies and are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
  • Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for smart cars and other IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security.
  • Change your device’s factory security settings. This is the single most important step to take to protect all devices. When it comes to products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as you open the box. By changing the factory settings you’re instantly upgrading your device’s security.
  • Use best practices for linked accounts. For gaming systems and voice-first devices in particular, if you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
  • Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access to your other devices and data. Check your router manufacturer’s website to learn how. You might also consider adding in another network for guests and unsecured devices from others. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.
  • Use a firewall. A firewall is a tool that monitors traffic between an Internet connection and devices to detect unusual or suspicious behavior. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, see if a firewall is included to ensure that your devices are protected.
  • Up your gaming security. Just announced at CES 2019, we’re bringing a sense of security to the virtual world of video games. Get in on the action with McAfee Gamer Security, Beta, it’s free!
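The separate-network and firewall tips above, sketched as an nftables ruleset for a Linux-based home router. This is an added illustration, not taken from the original post or from any vendor's firmware; the interface names `lan0`, `iot0`, `guest0` and `wan0` are assumptions, and NAT toward the internet is assumed to be configured elsewhere.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed interfaces (not from the article):
#   lan0   trusted computers and phones
#   iot0   smart speakers, consoles, thermostats
#   guest0 visitors' devices
#   wan0   uplink to the ISP

table inet home_segmentation {

    # Traffic passing THROUGH the router, between segments or to the internet.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed when they started.
        ct state established,related accept
        ct state invalid drop

        # Trusted devices may reach the internet and may open connections
        # to IoT devices (for example, a phone app controlling a speaker).
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "iot0" accept

        # IoT and guest devices may reach the internet and nothing else.
        iifname { "iot0", "guest0" } oifname "wan0" accept

        # A device on the IoT or guest segment opening a NEW connection
        # toward the trusted LAN is the behaviour worth noticing: count it
        # and log it before dropping, so an infected device shows up in logs.
        iifname { "iot0", "guest0" } oifname "lan0" log prefix "segment-to-lan drop: " counter drop

        # Everything else (iot0 <-> guest0 included) falls to policy drop.
    }

    # Traffic addressed TO the router itself (admin page, DNS, DHCP).
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # IPv6 neighbour discovery must work on every local segment.
        iifname { "lan0", "iot0", "guest0" } icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

        # Only the trusted LAN may reach the router's management services.
        iifname "lan0" accept

        # IoT and guest devices get DNS and DHCP from the router, no more.
        iifname { "iot0", "guest0" } udp dport { 53, 67 } accept
        iifname { "iot0", "guest0" } tcp dport 53 accept
    }
}
```

With this layout the firewall can only separate devices that sit on different segments; two devices on the same segment still talk to each other directly, which is why the IoT devices need their own network first.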

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post How to Protect Three Common IoT Devices in 2019 appeared first on McAfee Blogs.

Kicking off CES 2019 with New Security Solutions and Collaborations

Today, we at McAfee are announcing some exciting new security solutions and integrations at CES in Las Vegas. For those of you who are unfamiliar with CES, it is the global stage for innovators to showcase the next generation of consumer technologies. McAfee now delivers protection to more than 500 million customers worldwide, and we understand the importance of creating new solutions for those who want to live their connected lives with confidence. To help empower our customers to do this, we’ve added to our security lineup and are working with other tech innovators who understand the importance of protecting users’ online safety.

One addition to our lineup of security solutions is McAfee Gamer Security. In a recent gaming survey, we discovered that 75% of gamers are worried about the security of gaming as online threats continue to rise. To help combat these threats, we developed McAfee Gamer Security, which protects gamers while optimizing their gaming experience. Some of the product’s key features include Game Mode, a gamer-centric interface, and minimal security resource consumption. These features help optimize gamers’ computing resources, provide system status updates, and equip users with lightweight security protection.

In addition to our latest product advancements, we’ve also teamed up with other companies looking to better the cybersecurity landscape for consumers. The first is Google. In order to further simplify the process of securing today’s connected home, McAfee will provide McAfee Secure Home Platform voice commands for the Google Assistant. McAfee Secure Home Platform provides an extra layer of security to help automatically protect all of the connected devices on the user’s home network. Soon, Google Assistant users can easily manage their connected home security by just using their voice.

While it’s important to secure the connected home, it is also important to protect your mobile and IoT devices. According to McAfee Labs 2019 predictions, cybercriminals will leverage trusted devices like smartphones and tablets to try and access users’ IoT devices in the upcoming year. To help customers stay safeguarded from this threat, we’ve teamed up with Verizon to protect their home networks through Verizon Home Network Protection. This McAfee-powered solution helps Verizon Fios customers stay secured against malicious websites, provides parental controls, and protects all devices connected to their home network.

Furthermore, we at McAfee and Dell have teamed up to protect consumers and small businesses as they enjoy the benefits of today’s technology. To do this, we’ve expanded our collaboration to provide pre-installed McAfee software on PCs and laptops globally to both consumer and small business customers. Customers who purchase a new laptop or PC will also have the option to extend McAfee protection beyond their Dell device to their smartphones and tablets. This allows users to have a more robust security shield around all of their connected devices, creating a safer overall online experience. Dell consumer and small business customers who purchase Dell Inspiron, XPS, Vostro, and G-Series laptops will receive a 30-day or 1-year subscription. Customers who purchase Alienware, OptiPlex, Latitude, and Precision will have the option of adding a 30-day free subscription or purchasing a 1-year subscription.

Another one of our latest innovations is the addition of Cryptojacking Blocker to McAfee WebAdvisor. As we observed in our latest McAfee Labs report, coin mining malware is on the rise, growing more than 4000% in the last year. Cryptojacking Blocker helps protect users from having their devices hijacked without their knowledge or permission. The tool helps prevent websites from mining for cryptocurrency and is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

So far, CES 2019 has proven that innovation will continue to evolve, just as the cybersecurity landscape will continue to mature. By working together to improve the technology that protects connected devices, we can help users optimize their digital life without compromising their online safety.

To stay on top of McAfee’s CES news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Kicking off CES 2019 with New Security Solutions and Collaborations appeared first on McAfee Blogs.

What CES Can Show Us About Evolving Consumer Security Needs: A Timeline

Appropriately dubbed the ‘Global Stage for Innovation,’ it’s no wonder CES showcases the most cutting-edge consumer technologies coming out in the year ahead. No topic is off the table; attendees will learn more about connected homes, smart cities and self-driving cars, try out shiny new digital health wearables, headsets, and other connected tech, explore AI-driven technologies, and so much more.

Although events like CES showcase breakthrough technologies, interestingly, they also highlight how rapidly new technology is replaced with the next new thing. The rate at which we are treading on new ground is shifting exponentially, and what we see at CES this January might be obsolete in just a few years.

This rapidly changing technological landscape poses a significant predicament to consumers, a ‘digital dilemma’ if you will: as new technologies accelerate and IoT devices that house them progress, new challenges arise with them. This is particularly the case when it comes to security and privacy. And, just as security and products change and adapt, so do our needs and wants as consumers. Those of a teen differ from those of a parent, from those of a baby boomer, and so on. Let’s see how those needs change over time.

A Digital Life Timeline

2015: The Teen Technologist

Born in the late ‘90s, this teen is an everyday gamer, who loves to play games online with friends. They also love their smartphone, mostly for the access to social media. A teen wouldn’t necessarily be concerned with security, so having a comprehensive system built in is crucial.

2021: The Young Professional

Entering the workforce for the first time, the young professional is finally able to buy the gadgets that were once luxuries. They might have two phones: one for work and a personal device. Additionally, they are bringing more connected devices into their home, so the need for a secure home network has become obvious. They are also always on the go and having to connect to public Wi-Fi, so a Virtual Private Network (VPN) should be considered.

2032: The Concerned Parent

Fast forward almost ten years, the young professional has become a worrying parent. Their kids are spending too much time on screens. Having a way to monitor what they are doing on the internet and limit their time online is crucial, and an application that could provide parental controls would be welcomed. Also, as they bring larger, more connected devices into the home, like smart refrigerators and thermostats, they are excited about a platform that will bake in security through a home network.

2038: The Brand Loyalists

The concerned parent has found devices they like and those they do not like. But more importantly, they have found brands they love, from which they may continue to purchase to bring the latest technology into their family’s lives. A comprehensive security system that covers all types of devices is exactly what they would need to keep a layer of protection

2045: The Unacquainted User

At this point in a digital journey, our user has stopped keeping up with trends because things have changed so much, almost to the point where they are unwilling to learn new tech, or are untrusting of it altogether. But the need to maintain their security and privacy is still top of mind, especially as cybercriminals often prey on this demographic because it is an easy target. A person like this might worry about ransomware, viruses, and identity theft along with protecting their home network.

As you can see, a person’s security and safety needs, desires, and even their devices evolve depending on the moment in which they are within their life. With so much in flux, the last thing anyone wants to think about is security – but with constantly changing technology at an all-time high, it’s safe to bet that threats will evolve to keep pace, and so should the ways in which we protect devices. For these reasons, it’s important to leverage a security partner that will keep this in mind, and will grow with not only our evolving needs, but evolving technology, too.

To learn more about consumer security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

The post What CES Can Show Us About Evolving Consumer Security Needs: A Timeline appeared first on McAfee Blogs.

Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat for my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name-brand coats available at lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking!)

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me, exhausted and desperate while shopping online — think before you click! Cybercriminals love to target victims by using phishing emails disguised as holiday savings or shipping notifications to lure consumers into clicking links that could lead to malware or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.

12 Days of Hack-mas

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. The ways in which they execute their attacks are becoming more sophisticated and harder to detect. 2019 shows no sign of slowing down when it comes to the sophistication and multitude of cyberattacks targeted toward consumers.

Between the apps and websites we use every day, in addition to the numerous connected devices we continue to add to our homes, there are more ways than ever in which our cybersecurity can be compromised. Let’s take a look at 12 common, connected devices that are vulnerable to attacks – most of which our friends at the “Hackable?” podcast have demonstrated – and what we can do to protect what matters. This way, as we move into the new year, security is top of mind.

Connected Baby Monitors

When you have a child, security and safety fuel the majority of your thoughts. That’s why it’s terrifying to think that a baby monitor, meant to give you peace of mind, could get hacked. Our own “Hackable?” team illustrated exactly how easy it is. They performed a “man-in-the-middle” attack to intercept data from an IoT baby monitor. But the team didn’t stop there; next they overloaded the device with commands and completely crashed the system without warning a parent, potentially putting a baby in danger. If you’re a parent looking to bring baby tech into your home, always be on the lookout for updates, avoid knockoffs or brands you’re not familiar with, and change your passwords regularly.

Smart TVs

With a click of a button or by the sound of our voice, our favorite shows will play, pause, rewind ten seconds, and more – all thanks to smart TVs and streaming devices. But is there a sinister side? Turns out, there is. Some smart TVs can be controlled by cybercriminals by exploiting easy-to-find security flaws. By infecting a computer or mobile device with malware, a cybercriminal could gain control of your smart TV if your devices are using the same Wi-Fi. To prevent an attack, consider purchasing devices from mainstream brands that keep security in mind, and update associated software and apps regularly.

Home Wi-Fi Routers

Wi-Fi is the lifeblood of the 21st century; it’s become a necessity rather than a luxury. But your router is also a cybercriminal’s window into your home. Especially if you have numerous IoT devices hooked up to the same Wi-Fi, a hacker that successfully cracks into your network can get ahold of passwords and personal information, all of which can be used to gain access to your accounts, and launch spear phishing attacks against you to steal your identity or worse. Cybercriminals do this by exploiting weaknesses in your home network. To stay secure, consider a comprehensive security solution like McAfee® Secure Home Platform.

Health Devices and Apps

Digital health is set to dominate the consumer market in the next few years. Ranging from apps to hardware, the ways in which our health is being digitized vary, and so do the types of attacks that can be orchestrated. For example, on physical devices like pacemakers, malware can be implanted directly onto the device, enabling a hacker to control it remotely and inflict real harm on patients. When it comes to apps like pedometers, a hacker could source information like your physical location or regular routines. Each of these far-from-benign scenarios highlights the importance of cybersecurity as the health market becomes increasingly reliant on technology and connectivity.

Smart Speakers

It seems like everyone nowadays has at least one smart speaker in their home. However, these speakers are always listening in, and if hacked, could be exploited by cybercriminals through spear phishing attacks. This can be done by spoofing actual websites which trick users into thinking that they are receiving a message from an official source. But once the user clicks on the email, they’ve just given a cybercriminal access to their home network, and by extension, all devices connected to that network too, smart speakers and all. To stay secure, start with protection on your router that extends to your network, change default passwords, and check for built-in security features.

Voice Assistants

Like smart speakers, voice assistants are always listening and, if hacked, could give an attacker a wealth of information about you. But voice assistants are also often used as a central command hub, connecting other devices to them (including other smart speakers, smart lights or smart locks). Some people opt to connect accounts like food delivery, driver services, and shopping lists that use credit cards. If hacked, someone could gain access to your financial information or even access to your home. To keep cybercriminals out, consider a comprehensive security system, know which apps you can trust, and always keep your software up to date.

Connected Cars

Today, cars are essentially computers on wheels. Between backup cameras, video screens, GPS systems, and Wi-Fi networks, they have more electronics stacked in them than ever. The technology makes the experience smoother, but if it has a digital heartbeat, it’s hackable. In fact, an attacker can take control of your car a couple of ways: either by physically implanting a tiny device that grants access to your car through a phone, or by leveraging a black box tool and your car’s diagnostic port completely remotely. Hacks can range anywhere from cranking the radio up to cutting the transmission or disabling the brakes. To stay secure, limit connectivity between your mobile devices and a car when possible, as phones are exposed to risks every day, and any time you connect one to your car, you put the car at risk, too.

Smart Thermostats

A smart thermostat can regulate your home’s temperature and save you money by learning your preferences. But what if your friendly temperature regulator turned against you? If you don’t change your default, factory-set password and login information, a hacker could take control of your device and make it join a botnet

Connected Doorbells

When we think high-tech, the first thing that comes to mind is most likely not a doorbell. But connected doorbells are becoming more popular, especially as IoT devices are more widely adopted in our homes. So how can these devices be hacked, exactly? In one case, hackers sent an official-looking email requesting that a device owner download the doorbell’s app; by doing so, the user unwittingly gave full access to the unwelcome guest. From there, the hackers could access call logs, the number of devices available, and even video files from past calls. Take heed from this hack; when setting up a new device, watch out for phishing emails and always make sure that an app is legitimate before you download it.

Smart Pet Cameras

We all love our furry friends, and when we have to leave them behind as we head out the door, it’s comforting to know that we can keep an eye on them, even give them the occasional treat, through pet cameras. But this pet-nology can be hacked into by cybercriminals to get an inside look at your home, as proven by the “Hackable?” crew. Through a device’s app, a white-hat hacker was able to access the product’s database and was able to download photos and videos of other device owners. Talk about creepy. To keep prying eyes out of your private photos, get a comprehensive security solution for your home network and devices, avoid checking on your pet from unsecured Wi-Fi, and do your research on smart products you purchase for your pets.

Cell Phones

Mobile phones are one of the most vulnerable devices simply because they go everywhere you go. They essentially operate as a personal remote control to your digital life. In any given day, we access financial accounts, confirm doctor’s appointments and communicate with family and friends. That’s why it’s shocking to know how surprisingly easy it is for cybercriminals to access the treasure trove of personal data on your cell phone. Phones can be compromised in a variety of ways; here are a few: accessing your personal information by way of public Wi-Fi (say, while you’re at an airport), implanting a bug, leveraging a flaw in the operating system, or infecting your device with malware by way of a bad link while surfing the web or browsing email. Luckily, you can help secure your device by using comprehensive security such as McAfee Total Protection, or by leveraging a VPN (virtual private network) if you find yourself needing to use public Wi-Fi.

Virtual Reality Headsets

Once something out of science fiction, virtual reality (VR) is now a high-tech reality for many. Surprisingly, despite being built on state-of-the-art technology, VR is quite hackable. As an example, through common and easy-to-execute tactics like phishing to prompt someone to download malware, white-hat hackers were able to infect a linked computer and execute a command and control interface that manipulated the VR experience and disorientated the user. While this attack isn’t common yet, it could certainly start to gain traction as more VR headsets make their way into homes. To stay secure, be picky and only download software from reputable sources.

This is only the tip of the iceberg when it comes to hackable, everyday items. And while there’s absolutely no doubt that IoT devices certainly make life easier, what it all comes down to is control versus convenience. As we look toward 2019, we should ask ourselves, “what do we value more?”

Stay up-to-date on the latest trends by subscribing to our podcast, “Hackable?” and follow us on Twitter or Facebook.

The post 12 Days of Hack-mas appeared first on McAfee Blogs.

First Smartphone: Are You Putting Cyberbullies Under the Tree This Year?

There’s pressure — lots of pressure. And not the typical I-want-a-bike or a doll-that-poops kind of pressure your kids may have foisted upon you just a few Christmases ago. No, this is the big leagues. Your child wants his or her first smartphone to show up under the tree this year. Is your son or daughter ready? Bigger question: Are you ready?

A first smartphone is a big step in a family that can’t be unstepped. Because it’s not about what a phone used to be about, which is dialing the number of a person you need to speak with. Today, giving your child a cell phone unlocks a hidden wardrobe door that leads to a whole new Narnia-like world abounding in both hills of goodness and valleys of emotional punches.

A first cell phone isn’t a casual purchase. Besides the financial investment (these things aren’t cheap), there’s a family dynamic that will likely change and a peer-to-peer dynamic that will go through its tumultuous metamorphosis.

Here are a few things to consider and talk through with your family before making your final decision to purchase that first smartphone.

Family talking points

  1. Maturity milestones. A phone is a small computer your child will carry in his or her pocket from this point forward. Has your child demonstrated maturity in other areas? Can he or she stay home alone responsibly for short periods? Does your child take care of his or her possessions, and complete chores and homework on time and without you nagging? Does your child earn/save/spend his or her allowance in a mature way? Does your child show empathy for others or deal with conflict well? These milestones are worth examining. If you feel uneasy about your child’s overall maturity, you might consider setting some goals to move your child toward cell phone ownership sometime in the future.
  2. The cyberbully factor. We know you’d never willingly invite a cyberbully into your home and especially wouldn’t put one under the tree for your child to discover on Christmas morning. However, that’s the reality of what phone ownership will bring sooner or later. Is your child emotionally strong enough to handle mean comments, feeling excluded, or being criticized or joked with in public? How does your child handle peer conflict without a phone? The emotional impact of owning a phone is not something you will see advertised, but it’s a huge factor to consider.
  3. Peer pressure. Digital peer pressure is a real thing. There’s pressure to dress a certain way, post pictures a certain way, and post activities online to gain status points in certain social circles. The selfie craze, online dares, digital trends and hashtags, and other pressures are all part of the smartphone equation.
  4. Harmful content. There’s a lot of great content online — educational, entertaining, and fun — but there’s a lot of content that is harmful to kids such as pornography, hateful ideology, and cruelty. Can your child resist the temptation to seek out or look at concerning content? Can your child discern ideas? Are you as a parent willing to take the extra steps to filter inappropriate content?
  5. Privacy issues. With a new phone comes great responsibility toward guarding one’s personal information. Do you have the time to communicate, teach, and monitor your child’s online footprint? Getting kids off to a strong start will require much time and care up front until your son or daughter has a grasp on the value of personal data.
  6. Social media. Social media owns vast real estate on a child’s phone and includes everything from gaming, to social networks, to various “communities” attached to apps. Anywhere your child can create a username and profile and connect with others opens him or her up to risks of cyberbullying, strangers, and scams. Discuss new apps and establish ground rules and phone usage boundaries that make sense for your family. The most important part of setting rules is to enforce the rules.
  7. Screentime ground rules. With a first smartphone comes the risk of too much screen time. Addiction to online gaming, social media, and phones in general has become a public health concern. Put family rules in place that set time limits and phone-free zones. Keep communication open and consistent to keep your kids following healthy screen time habits.

The post First Smartphone: Are You Putting Cyberbullies Under the Tree This Year? appeared first on McAfee Blogs.

Affected by a Data Breach? 6 Security Steps You Should Take

It’s common for people to share their personal information with companies for multiple reasons. Whether you’re checking into a hotel room, using a credit card to make a purchase at your favorite store, or collecting rewards points at your local coffee shop, companies have more access to your data than you may think. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

A high-profile hotel and another popular consumer brand’s perks program recently experienced data breaches that exposed users’ personal information. If you think you were affected by one of these breaches, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a data breach, or just want to take extra precautions:

  • Change your password. Most people will rotate between the same three passwords for all of their personal accounts. While this makes it easier to remember your credentials, it also makes it easier for hackers to access more than one of your accounts. Try using a unique password for every one of your accounts or employ a password manager.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you to any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Update your privacy settings. Be careful with how much of your personal information you share online. Make sure your social media accounts and mobile apps are set to private and use multi-factor authentication to prevent your accounts from being hacked.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Affected by a Data Breach? 6 Security Steps You Should Take appeared first on McAfee Blogs.

8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance on, and agility with, our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured Wi-Fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public Wi-Fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Choose a password that is unhackable rather than one that is super easy to remember.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL, its design, and its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to, such as advertisers and website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

GDPR Material and Territorial Scopes

The new EU General Data Protection Regulation will enter into force on 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up. Privacy is often equated with liberty, and young Indians want adequate protection to express themselves.

Privacy, according to Wikipedia, is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of liberty, and that the voluntary disclosure of private information is part of both human relationships and a digitized economy.

Data privacy is debated because of the inherent potential for surveillance and disclosure of private electronic records, such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place through wrongful use and distribution of the data, such as for marketing, through surveillance by governments, or through outright data theft by cyber criminals. In each case, a cybercitizen’s right to disclose specific information to specific companies or people, for a specific purpose, is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by governments, organizations and individuals:

  1. Lawfulness, Fairness & Transparency. Personal data needs to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities, say, marketers.
  2. Purpose limitation. Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
  3. Data minimization. Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
  4. Accuracy. Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has the right to inspect and even alter the data.
  5. Storage limitation. Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purpose.
  6. Integrity and confidentiality. Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
  7. Accountability. Organizations are accountable for the data in their possession.
  8. Cross Border Personal Information Requirements. Personal information must be processed and stored in a secured environment, which must be ensured if the data is processed outside the border of the country.

It is important for cybercitizens to understand their privacy rights, particularly in the context of information that can be misused for financial gain or to cause reputational damage.