Category Archives: Privacy

Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode

A $5 billion class-action lawsuit filed in a California federal court alleges that Google's Chrome incognito mode collects browser data without people’s knowledge or consent.

Zoom’s Commitment to User Security Depends on Whether you Pay It or Not

Zoom was doing so well.... And now we have this:

Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

"Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Yuan said on the call.

This is just dumb. Imagine the scene in the terrorist/drug kingpin/money launderer hideout: "I'm sorry, boss. We could have had strong encryption to secure our bad intentions from the FBI, but we can't afford the $20." This decision will only affect protesters and dissidents and human rights workers and journalists.

Here's advisor Alex Stamos doing damage control:

Nico, it's incorrect to say that free calls won't be encrypted and this turns out to be a really difficult balancing act between different kinds of harms. More details here:

Some facts on Zoom's current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues. The E2E design is available here: https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf

I read that document, and it doesn't explain why end-to-end encryption is only available to paying customers. And note that Stamos said "encrypted" and not "end-to-end encrypted." He knows the difference.

Anyway, people were rightly incensed by his remarks. And yesterday, Yuan tried to clarify:

Yuan sought to assuage users' concerns Wednesday in his weekly webinar, saying the company was striving to "do the right thing" for vulnerable groups, including children and hate-crime victims, whose abuse is sometimes broadcast through Zoom's platform.

"We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to vulnerable groups," he said. "I wanted to clarify that Zoom does not monitor meeting content. We do not have backdoors where participants, including Zoom employees or law enforcement, can enter meetings without being visible to others. None of this will change."

Notice that he specifically did not say that he was offering end-to-end encryption to users of the free platform. Only to "users we can verify identity," which I'm guessing means users that give him a credit card number.

The Twitter feed was similarly sloppily evasive:

We are seeing some misunderstandings on Twitter today around our encryption. We want to provide these facts.

Zoom does not provide information to law enforcement except in circumstances such as child sexual abuse.

Zoom does not proactively monitor meeting content.

Zoom does not have backdoors where Zoom or others can enter meetings without being visible to participants.

AES 256 GCM encryption is turned on for all Zoom users -- free and paid.

Those facts have nothing to do with any "misunderstanding." That was about end-to-end encryption, which the statement very specifically left out of that last sentence. The corporate communications have been clear and consistent.

Come on, Zoom. You were doing so well. Of course you should offer premium features to paying customers, but please don't include security and privacy in those premium features. They should be available to everyone.

And, hey, this is kind of a dumb time to side with the police over protesters.

I have emailed the CEO, and will report back if I hear back. But for now, assume that the free version of Zoom will not support end-to-end encryption.

EDITED TO ADD (6/4): Another article.

EDITED TO ADD (6/4): I understand that this is complicated, both technically and politically. (Note, though, Jitsi does it.) And, yes, lots of people confused end-to-end encryption with link encryption. (My readers tend to be more sophisticated than that.) My worry is that the "we'll offer end-to-end encryption only to paying customers we can verify, even though there's plenty of evidence that 'bad purpose' people will just get paid accounts" story plays into the dangerous narrative that encryption itself is dangerous when widely available. And I disagree with the notion that the possibility of child exploitation is a valid reason to deny security to large groups of people.

Zoom to offer end-to-end encryption only to paying customers

As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option. “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday. Zoom encryption and … More

The post Zoom to offer end-to-end encryption only to paying customers appeared first on Help Net Security.

Researchers develop IoT security and privacy label

When hungry consumers want to know how many calories are in a bag of chips, they can check the nutrition label on the bag. When those same consumers want to check the security and privacy practices of a new IoT device, they aren’t able to find even the most basic facts. Not yet, at least. The solution A team of researchers in Carnegie Mellon University’s CyLab have developed a prototype IoT security and privacy “nutrition … More

The post Researchers develop IoT security and privacy label appeared first on Help Net Security.

Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion

Cybercriminals exposed over 5 billion records in 2019, costing over $1.2 trillion to U.S. organizations, according to ForgeRock. Coupled with breaches in 2018 costing over $654 billion, breaches over the last two years have cost U.S. organizations over $1.8 trillion. Healthcare: The most targeted industry Healthcare emerged as the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45B, an increase from 164 incidents costing over $633 million in 2018. Despite healthcare … More

The post Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion appeared first on Help Net Security.

Smashing Security podcast #181: Anti-cybercrime ads, tricky tracing, and a 5G Bioshield

Police are hoping to stop kids becoming cybercriminals by bombarding them with Google Ads, phishers rub their hands in glee at the NHS track and trace service, and just how does a nano-layer of quantum holographic catalyzer technology make a USB stick cost hundreds of pounds?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast.

Tor Browser 9.5 is available for download, with new interesting features

Tor Browser 9.5 includes important security updates to Firefox, and for the first time users on desktop can opt in to using onion sites automatically whenever a website makes them available.

Starting with the release of Tor Browser 9.5, new features will make accessing onion addresses easier. 

There is now also an opt-in mechanism for websites that want Tor users to know about their onion service: the site signals its .onion address, and the browser suggests that the visitor upgrade the connection to it.

This feature will be available to Tor desktop users who have the ‘Onion Location’ option enabled.

“For the first time, Tor Browser users on desktop will be able to opt-in for using onion sites automatically whenever the website makes them available. For years, some websites have invisibly used onion services with alternative services (alt-svc), and this continues to be an excellent choice.” reads the post published by the Tor Project. “Now, there is also an opt-in mechanism available for websites that want their users to know about their onion service that invites them to upgrade their connection via the .onion address.”

Website publishers now can advertise their hidden services to Tor users by adding an HTTP header that can suggest visitors switch to the version of the site that is published using the Onion service.


To promote their onion sites, web site owners need to add an additional ‘Onion-Location’ header that contains the URL to their Tor site.

When a user visits a website that has both an .onion address and Onion Location enabled via Tor Browser, the browser will suggest the onion version of the site.
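The check Tor Browser applies before acting on that header, as an added example in Python that is not Tor Project code. It implements the three conditions the Tor Project documents for Onion-Location: the value must be an http or https URL with a .onion host, the page carrying the header must be served over HTTPS, and that page must not itself be an onion site. The sample page URLs, the all-"a" onion address and the header dictionary below are constructed for illustration.

```python
"""Added example (not Tor Project code): decide whether Tor Browser would
act on an Onion-Location header, using the three conditions the Tor
Project documents for the header: the value must be an http:// or
https:// URL with a .onion host, the page carrying the header must be
served over HTTPS, and that page must not itself be an onion site.
The sample inputs at the bottom are constructed for illustration."""
import re
from typing import Dict, Optional
from urllib.parse import urlparse

# Onion hostnames are lowercase base32 (a-z, 2-7): 16 characters for the
# legacy v2 format, 56 characters for v3.  Only the shape is checked here;
# the v3 checksum and version byte are not verified.
_ONION_HOST = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def valid_onion_url(value: str) -> bool:
    """True if value is an http(s) URL whose host is a well-formed .onion name."""
    try:
        parts = urlparse(value.strip())
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return _ONION_HOST.match(parts.hostname) is not None


def onion_location_target(page_url: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the .onion URL Tor Browser would suggest for page_url, or None.

    headers: response headers for page_url, matched case-insensitively.
    Only the HTTP header form is handled; the <meta http-equiv="onion-location">
    form the Tor Project also documents is out of scope for this example.
    """
    page = urlparse(page_url)
    if page.scheme != "https":                               # page must be served over HTTPS
        return None
    if page.hostname and page.hostname.endswith(".onion"):   # already on the onion site
        return None
    value = next((v for k, v in headers.items() if k.lower() == "onion-location"), None)
    if value is None or not valid_onion_url(value):          # header absent or malformed
        return None
    return value.strip()


if __name__ == "__main__":
    # Constructed sample: a 56-character v3-shaped address (not a real service).
    onion = "http://" + "a" * 56 + ".onion/news"
    print(onion_location_target("https://www.example.com/news", {"Onion-Location": onion}))
    # Same header on a plain-HTTP page: Tor Browser ignores it.
    print(onion_location_target("http://www.example.com/news", {"Onion-Location": onion}))
```

On the server side the header is a one-line addition; for nginx the Tor Project's documentation uses `add_header Onion-Location http://<your-onion-address>.onion$request_uri;` inside the HTTPS server block. The practical caveat the validator encodes is that the header does nothing on a plain-HTTP page, so a site that has not deployed HTTPS cannot advertise its onion service this way.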

Tor Browser 9.5 also introduces Onion Authentication, which allows admins of onion services to add an extra layer of security to their website by setting a pair of keys for access control and authentication: the service holds the public key, and only clients holding the matching private key can obtain the service's descriptor and connect. Tor Browser users can save keys and manage them in the Onion Services Authentication section of about:preferences#privacy.

The latest version of the Tor Browser has improved URL bar security indicators and improved error messages that are displayed when Tor users are not able to reach an onion site.

“In this release, we have improved the way Tor Browser communicates with users about service-, client-, and network-side errors that might happen when they are trying to visit an onion service,” the Tor Project added.

“Tor Browser now displays a simplified diagram of the connection and shows where the error occurred.”

The latest Tor Browser version also addresses several high severity security vulnerabilities; the new release can be downloaded from the Tor Browser download page.

Pierluigi Paganini

(SecurityAffairs – Tor, cybersecurity)

The post Tor Browser 9.5 is available for download, with new interesting features appeared first on Security Affairs.

Things to keep in mind when downloading apps from G Suite Marketplace

Security researchers have tested nearly 1,000 enterprise apps offered on Google’s G Suite Marketplace and discovered that many ask for permission to access user data via Google APIs as well as to communicate with (sometimes undisclosed) external services. “The request to ‘Connect to an external service’ is notable, as it indicates apps can communicate with other online APIs that neither Google nor the app developer might control,” they pointed out. They also noted … More

The post Things to keep in mind when downloading apps from G Suite Marketplace appeared first on Help Net Security.

How do industry verticals shape IAM priorities?

IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne. Each industry vertical has unique business needs, and as a result has different areas of focus when it comes to their IAM program. Finance focused on reducing risk, while integrating IAM infrastructure Financial service organizations deal with higher stakes than most verticals, which inevitably impacts … More

The post How do industry verticals shape IAM priorities? appeared first on Help Net Security.

Canadian smart padlock maker rapped by Federal Trade Commission

A Canadian maker of smart padlocks has agreed to implement a comprehensive security program and not misrepresent its privacy and security practices under an agreement with the U.S. Federal Trade Commission.

Earlier this month, the FTC gave final approval to a settlement with Tapplock Inc. of Toronto, maker of a fingerprint-enabled padlock sold to enterprises and consumers, related to allegations it falsely claimed that its internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data collected through a mobile app.

Tapplock padlocks can be managed through an enterprise console.

Security researchers identified both physical and electronic vulnerabilities with Tapplock’s smart locks, according to the complaint. The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.

Under the settlement, Tapplock is required to implement a comprehensive security program and obtain independent biennial assessments of the program by an assessor that the FTC approves. The company also is prohibited from misrepresenting its privacy and security practices.

The two sides came to an agreement on a settlement of the allegations in April. That needed final approval of the commission.

Under the consent order, Tapplock agreed to not transfer, sell, share, collect, maintain, or store personal information or manufacture or sell devices unless it implements a comprehensive security program that protects the security of devices and the security, confidentiality, and integrity of personal information.

According to its website this week, the company sells two models: the Tapplock one+, described as “Sturdy” and “Secure”, which stores up to 500 fingerprints per lock; and the Tapplock lite, described as having a “strong, lightweight chassis”, which stores up to 100 fingerprints. Bluetooth lets users share remote access.

For organizations that issue and control multiple padlocks, the company offers an enterprise software-based management console allowing an administrator to set custom permissions for users and manage them by groups.  Customers listed on the site include Bombardier, Lufthansa and Foxconn.

The FTC’s background complaint document supporting the consent order says that in 2018 “security researchers identified critical physical and electronic vulnerabilities” with Tapplock smart locks. “Some could be opened within a matter of seconds, simply by unscrewing the back panel.”

One alleged vulnerability in the API could have been exploited to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks. Because the company failed to encrypt the Bluetooth communication between the lock and the app, a second vulnerability could have allowed a bad actor to lock and unlock any nearby Tapplock smart lock. Finally, a third vulnerability prevented users from effectively revoking access to their smart lock once they had provided other users access to that lock.

The second count alleges that Tapplock deceived consumers about its data security practices by falsely representing that it took reasonable precautions and followed industry best practices to protect the personal information provided by consumers.

Tapplock neither admitted nor denied any of the allegations in the complaint other than those stated in the final decision and consent order.

The company didn’t respond to an email request Wednesday for comment.

Smashing Security podcast #180: Taking care of Clare

On this special splinter episode of the podcast, we’re joined by actor and comedian Clare Blackwood in the hope of convincing her that cybersecurity is no laughing matter.

Hear what happens in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Computer science student discovers privacy flaws in security and doorbell cameras

Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to systemic design flaws discovered by Florida Tech computer science student Blake Janes that allows a shared account that appears to have been removed to actually remain in place with continued access to the video feed. Privacy flaws in security and doorbell cameras Janes discovered the mechanism for removing user accounts does not work as intended on many camera … More

The post Computer science student discovers privacy flaws in security and doorbell cameras appeared first on Help Net Security.

Account credentials of 26+ million LiveJournal users leaked online

A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums. The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users. After removing duplicates, Troy Hunt has added the dump to the Have I Been Pwned? service, which potentially affected … More

The post Account credentials of 26+ million LiveJournal users leaked online appeared first on Help Net Security.

GDPR enforcement over the past two years

Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals. The GDPR’s first two years have been marked by … More

The post GDPR enforcement over the past two years appeared first on Help Net Security.

Why building backdoors into encryption won’t make us safer

For much of the last decade, technology companies have been in an uphill battle to save encryption, a battle that has seen an increasing number of skirmishes that tech companies often lose. Throughout this ongoing clash, governments across the world have been pushing to backdoor encryption in the name of combating child abuse and terrorism. The battle has come to a head several times in recent years, including when the FBI demanded Apple assist in … More

The post Why building backdoors into encryption won’t make us safer appeared first on Help Net Security.

SQL Server Security Basics

Security is of paramount importance in any IT context today, especially when you are looking to protect something as valuable, and as attractive to attackers, as a SQL Server instance.

Here is a quick primer on the basic aspects of security that matter most for SQL Server deployments, since the cost of a breach will vastly outweigh the effort of learning and following best practices.

Encryption

There is no doubt that encryption should be part of any modern DataOps strategy, particularly given the scope and scale of the threats that exist in the age of unfettered connectivity.

You can encrypt the data stored on your SQL Server instance with Transparent Data Encryption (TDE), and you should make sure this is enabled as standard. You also need to take into account how the data is protected in transit, where it might be exposed while passing through public networks and intermediate devices: SQL Server supports TLS on client connections, and clients should be configured to require encryption and to validate the server certificate rather than trusting it blindly.

There are different types of encryption to consider, and they protect against different things. TLS (still commonly called SSL) keeps data safe on the move between client and server. TDE encrypts the database and backup files at rest, but pages are decrypted as they are read into memory, so anyone with sufficient rights on the instance still sees plaintext. Cell-level encryption (ENCRYPTBYKEY and DECRYPTBYKEY with a symmetric key held in the database, or Always Encrypted with keys held by the client) keeps individual values encrypted inside the engine, even while they are cached in server RAM, at the cost of key management overhead and the loss of indexing and range queries on those columns. The stronger the protection you choose, the more operational complications can arise, so it is a matter of balancing your needs against the risks.

Backup

All the security measures in the world will be for naught if your SQL Server instance is breached, damaged or otherwise compromised in such a way that leaves the information it contains inaccessible or unrecoverable.

This is why a good SQL Server backup solution needs to be factored into your security efforts, providing you with a lifeline to restore mission-critical data in the direst of circumstances.

There are quite a few points to consider when selecting a backup strategy. A full backup is the foundation of everything else. A differential backup records only the extents changed since the last full backup, so it runs faster and costs less storage, but it can only be restored on top of that full backup. Transaction log backups, available under the full recovery model, capture the log since the previous log backup and are what make point-in-time restoration possible.

All backup varieties take time and consume hardware and network resources, and a backup file is a complete copy of your data, so it is a security risk in its own right. Encrypt backups (with BACKUP ... WITH ENCRYPTION, or by enabling TDE on the database), restrict who can read the backup location, keep the certificate or key needed for a restore somewhere separate from the backups, and test restores regularly.

Access

Managing access to your SQL Server instance is vital, not just in terms of controlling which users and applications can retrieve data or make changes to the database (grant each login and application the minimum rights it needs, and avoid running applications as sa or as a member of sysadmin), but also with regard to the physical hardware itself.

This is not something that will immediately seem obvious, especially at a time when more and more organizations are choosing to migrate to remotely hosted or hybrid cloud setups, but even if your IT resources feel nebulous, they are still founded on tangible servers.

If you are directly responsible for housing this hardware, restricting physical access to it is just as crucial as vetting digital access. Locking server rooms is the minimum; making sure that only employees with a legitimate reason can enter them should also be part of your security protocols.

Updates

Although cybersecurity threats are growing and evolving all the time, software vendors do a good job of fixing vulnerabilities and patching problems whenever they surface.

This means that it is the responsibility of SQL Server specialists to keep their software up to date, installing security patches as soon as possible. Failure to do so leaves you exposed unnecessarily and could lead to breaches that would have been entirely preventable. Both SQL Server itself (cumulative updates and security updates) and the operating system it runs on need to be patched as a matter of urgency.

The post SQL Server Security Basics appeared first on CyberDB.

Reality bites: Data privacy edition

May 25th is the second anniversary of the General Data Protection Regulation (GDPR) and data around compliance with the regulation shows a significant disconnect between perception and reality. Only 28% of firms comply with GDPR; however, before GDPR kicked off, 78% of companies felt they would be ready to fulfill data requirements. While their confidence was high, when push comes to shove, complying with GDPR and GDPR-like laws – like CCPA and PDPA – are … More

The post Reality bites: Data privacy edition appeared first on Help Net Security.

Google’s New Ad Policy Overlooks A Bigger Threat

Google has announced that advertisers on its platforms will have to verify their identities and their businesses. They will have 30 days to comply. 

On its face, this seems like common sense and a good idea. The Internet has been rife with fraudulent Covid-19 schemes targeting stimulus checks, selling snake oil cures and price gouging on hard to acquire products. The reality is less clearcut.

Where’s The Data?

The first issue here is Google’s track record when it comes to data mining and privacy. The company is the most successful, and also one of the most appetitive compilers of personal information in digital media. 

While it’s fairly common knowledge that Google’s Chrome browser is no stranger to controversy when it comes to tracking users and collecting data, there is more worrisome activity that gets far less attention. The company aggregates data from its phones, tablets, home media devices, personal assistants, website searches, analytics platform, and even offline credit card transactions. To say that it already has access to data about businesses and individuals would be an understatement and only serves to underscore what’s wrong with this latest initiative. 

There has been plenty of opportunity for Google to put its vast stores of data to use in identifying bad actors on its platforms with a greater level of sophistication than anything that could be gleaned from digital copies of personal and employee identification numbers or business incorporation documents. It already has everything it needs to determine whether someone is from the U.S. or Uzbekistan. 

Occam’s Razor points to two explanations. First, Google is doing what it does best: collecting more information. Two, Google is doing what it does best: using information to solve an information problem. Either way, it’s not a very memorable solution.  

Ignoring the Realities of Business Identity Theft

It seems naive to take the position that the submission of digital copies of documents can provide a reliable way to establish the identity of a particular business. In an era where Social Security numbers and tax IDs can be bought by the millions on the dark web and computers are capable of rendering real-time deepfakes on video conference calls, faking a document or credentials is child’s play for any scammer worth his or her Bitcoin. 

For starters, this easily flouted protocol engenders a false sense of security for internet users who assume Google’s verification process works. If this sounds cynical, remember that Facebook tried something like this following the widespread manipulation of its platform during the 2016 election. It failed.

This practice also puts a target on businesses. At a minimum, it will require the widespread transmission of digital copies of potentially sensitive business documents, which opens the door to scammers trying to intercept that data. Business identity theft is a very real threat, and access to a business’s credentials can leave it vulnerable to data breaches, fraud, cyberattacks, and worse. At a maximum, it could actually boost the market for illicit or compromised information on businesses as a means of supplying fake credentials to Google. 

We’ve seen time and again that scammers are creative and extremely persistent when it comes to gaining access to sensitive data, and we can only assume any ill-considered move to protect data will be viewed as a growth opportunity for cybercriminals.

Security Theater

The term “security theater” gained popularity after the implementation of TSA security measures in the wake of the 9/11 attacks, and it seems applicable here. 

Google’s new policies seem like marketing more than security. While they are likely to make customers and businesses that use its online advertising platform feel safer, they could easily have the opposite effect. 

A company with Google’s reach, resources, and oftentimes incredibly granular data isn’t likely to be made any more secure by collecting and gathering digital documents from its clients. It might, however, be putting businesses at greater risk of fraud and data compromise. 

The post Google’s New Ad Policy Overlooks A Bigger Threat appeared first on Adam Levin.

Signal fixes location-revealing flaw, introduces Signal PINs

Signal has fixed a vulnerability affecting its popular eponymous secure communications app that allowed bad actors to discover and track a user’s location. The non profit organization has also announced on Tuesday a new mechanism – Signal PINs – that will, eventually, allow users not to use their phone number as their user ID. About the vulnerability The vulnerability, discovered by Tenable researcher David Wells, stems from the fact that the WebRTC fork used by … More

The post Signal fixes location-revealing flaw, introduces Signal PINs appeared first on Help Net Security.

Smashing Security podcast #179: Deepfake Jay-Z, and beer apps spilling your data

Apps that belch out sensitive military information, what could the world learn from South Korea’s digital response to the Coronavirus pandemic, and who has been deepfaking Bill Clinton, Jay-Z, and Donald Trump… and why?

All this and much much more is discussed in the latest episode by computer security veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the “Power Corrupts” podcast.

Bart Gellman on Snowden

Bart Gellman's long-awaited (at least by me) book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic.

It's an interesting read, mostly about the government surveillance of him and other journalists. He speaks about an NSA program called FIRSTFRUITS that specifically spies on US journalists. (This isn't news; we learned about this in 2006. But there are lots of new details.)

One paragraph in the excerpt struck me:

Years later Richard Ledgett, who oversaw the NSA's media-leaks task force and went on to become the agency's deputy director, told me matter-of-factly to assume that my defenses had been breached. "My take is, whatever you guys had was pretty immediately in the hands of any foreign intelligence service that wanted it," he said, "whether it was Russians, Chinese, French, the Israelis, the Brits. Between you, Poitras, and Greenwald, pretty sure you guys can't stand up to a full-fledged nation-state attempt to exploit your IT. To include not just remote stuff, but hands-on, sneak-into-your-house-at-night kind of stuff. That's my guess."

I remember thinking the same thing. It was the summer of 2013, and I was visiting Glenn Greenwald in Rio de Janeiro. This was just after Greenwald's partner was detained in the UK trying to ferry some documents from Laura Poitras in Berlin back to Greenwald. It was an opsec disaster; they would have been much more secure if they'd emailed the encrypted files. In fact, I told them to do that, every single day. I wanted them to send encrypted random junk back and forth constantly, to hide when they were actually sharing real data.

As soon as I saw their house I realized exactly what Ledgett said. I remember standing outside the house, looking into the dense forest for TEMPEST receivers. I didn't see any, which only told me they were well hidden. I assumed black-bag teams from various countries had been all over the house when they were out for dinner, and wondered what would have happened if teams from different countries bumped into each other. I assumed that all the countries Ledgett listed above -- plus the US and a few more -- had a full take of what Snowden gave the journalists. These journalists against those governments just wasn't a fair fight.

I'm looking forward to reading Gellman's book. I'm kind of surprised no one sent me an advance copy.

Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check

Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues. Chrome 83: New and improved security and privacy features The enhanced Safe Browsing mode will allow users to get a more personalized protection against malicious sites. “Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained. “Turning on Enhanced Safe Browsing will … More

The post Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check appeared first on Help Net Security.

FBI finally unlock shooter’s iPhones, Apple berated for not helping

The FBI's Apple problem.

A bug in Edison Mail iOS app impacted over 6,400 users

A security bug in the iOS app impacted over 6,400 Edison Mail users: the issue allowed some users to access other people’s email accounts.

An update released for iOS application of the Edison Mail introduced a security bug that resulted in some users being given access to other people’s email accounts.

“On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.” reads a post published by the company.

“Data from these individuals’ impacted email accounts may have been exposed to another user. No passwords were compromised.”

The Edison Mail app allows users to manage their Gmail, Yahoo, Outlook, iCloud, and other email services in a single place. The company offers apps for iOS, Android and macOS, and says its products are used by millions of individuals.

The update, rolled out on May 15, included a feature that allows users to manage their accounts across their Apple devices.

Shortly after the patch was released, some users started reporting they could access other people’s email accounts from the iOS app without authentication.

Edison quickly fixed the issue, and the company confirmed that the bug potentially impacted 6,480 iOS users.

Edison Mail also confirmed that user credentials were not exposed.

The company addressed the issue with two updates: the first, on Saturday, prevented impacted users from accessing any account from the Edison app; the second, on Sunday morning, re-enabled access for impacted users.

“A new version of the application was made available early Sunday morning in the App Store that restores full functionality for these 6,480 users. Other users were not impacted and no action is required.” added the company.

“We have notified all individual users who may have been impacted by this issue via email, and as an additional safety precaution, suggested that impacted users also change their email account password. If you did not receive an email on this issue then your account was not impacted.”

Pierluigi Paganini

(SecurityAffairs – Edison Mail, hacking)

The post A bug in Edison Mail iOS app impacted over 6,400 users appeared first on Security Affairs.

Why OPSEC Is For Everyone, Not Just For People With Something To Hide – Part III

In this final part of the series, I discuss why everyone should consider reviewing their OPSEC (Operations Security), not just those with something to hide. If you haven’t read the previous articles then please check them out first (Part I & Part II), as they provide key background information about the techniques discussed in this […]

The post Why OPSEC Is For Everyone, Not Just For People With Something To Hide – Part III appeared first on The State of Security.

Surveys show conflicting support by Canadians for COVID-19 tracing app

Canadian governments are planning to approve COVID-19 mobile contact tracing apps to help health authorities track the spread of the infectious disease. However, two recent surveys offer conflicting numbers on whether residents here want the apps to be voluntary or mandatory.

The issue is crucial: Health experts say wide adoption of an app — perhaps as much as 50 per cent of the population — is needed for it to be useful.

In the most recent survey, released this morning by KPMG Canada, 55 per cent of respondents said digital contact tracing should be voluntary, citing privacy concerns and potential abuse of civil liberties. Two-thirds of respondents said they wouldn’t download such an app, calling it still “too invasive.”

Yet 57 per cent of respondents don’t believe such an app would be effective unless it is mandatory.

On the other hand, a survey commissioned by three Canadian Senators released last week found 65 per cent of respondents support the mandatory use of contact tracing apps.

However, in an interview one of those senators acknowledged the question on mandatory/voluntary adoption may not have been neutral. And Canadian privacy expert Ann Cavoukian said the Senate survey question “has no validity.” (See below for more detail)

Most privacy experts around the world say COVID contact tracing apps must be voluntary to get widespread adoption. That’s the position of federal and provincial privacy commissioners as part of a statement of principles they urge governments here follow on tracing apps. Alberta, the first Canadian jurisdiction to release an app, has made its adoption voluntary. But some privacy experts worry that if adoption is low a government will be tempted to make it mandatory.

Despite Alberta jumping the gun, federal and provincial officials are looking at about a dozen proposed apps for approval.

A number of contact tracing apps are being developed around the world, some — like Alberta’s — based on one of the earliest, developed by Singapore. Broadly speaking, tracing apps use Bluetooth to capture encrypted ID signals from nearby mobile devices that also have the app, usually with a time limiter. (For example, Alberta’s app won’t record an ID number unless a person is near another for a total of 15 minutes over 24 hours.) Depending on the app, each mobile device holds a list of contacts for a set number of days.

Depending on the app, one of two things happens if a person tests positive for COVID-19: either the list of encrypted digital IDs is uploaded by the user so a health authority can notify and trace those who have been in contact with the victim, or the app transmits an alert directly to the apps of those on the list for those users to see. Either way, recipients of warnings would be expected to take appropriate steps, such as notifying their doctors, monitoring their health or taking a COVID-19 test.
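To make the two paragraphs above concrete, here is an added, constructed model of the decentralized variant (the one where matching happens on the phone): devices broadcast short rolling pseudonymous IDs, keep a list of what they heard and for how long, and only a diagnosed user's daily keys are ever published. This is illustrative code written for this page, not the code of Alberta's app, Singapore's app or the Apple/Google framework; the HMAC-based ID derivation, the 10-minute rotation, the 14-day retention and treating a calendar day as the 24-hour window are all assumptions made here.

```python
import hmac
import hashlib
import os
from collections import defaultdict

# Assumed parameters for this model (not taken from any real app).
ROLL_MINUTES = 10            # how often the broadcast ID changes
EXPOSURE_THRESHOLD_MIN = 15  # the "15 minutes over 24 hours" rule from the article
MINUTES_PER_DAY = 24 * 60
RETENTION_DAYS = 14          # contacts older than this are dropped


def rolling_id(daily_key: bytes, day: int, slot: int) -> bytes:
    """Derive a 16-byte pseudonymous broadcast ID from a per-day secret key.

    Without the key, observers cannot link two IDs to the same phone.
    """
    msg = day.to_bytes(4, "big") + slot.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    """One phone: holds its own daily keys and the IDs it has heard."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_keys: dict[int, bytes] = {}
        self.observed: list[tuple[int, int, bytes]] = []  # (day, minute, rolling_id)

    def key_for(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(32)
        return self.daily_keys[day]

    def broadcast(self, day: int, minute: int) -> bytes:
        """The ID this device advertises over Bluetooth at the given minute."""
        return rolling_id(self.key_for(day), day, minute // ROLL_MINUTES)

    def observe(self, day: int, minute: int, rid: bytes) -> None:
        """Record one minute of proximity to whoever broadcast `rid`."""
        self.observed.append((day, minute, rid))

    def prune(self, today: int) -> None:
        """Enforce the retention window: old contacts leave the device for good."""
        self.observed = [c for c in self.observed if today - c[0] < RETENTION_DAYS]

    def diagnosis_keys(self, days: list[int]) -> dict[int, bytes]:
        """What a diagnosed user publishes: daily keys only, never the contact list."""
        return {d: self.key_for(d) for d in days}

    def check_exposure(self, published: dict[int, bytes]) -> dict[int, int]:
        """Match published keys against local observations; returns {day: minutes}
        for each day on which the exposure threshold was reached."""
        minutes_by_day: dict[int, int] = defaultdict(int)
        for day, key in published.items():
            # Regenerate every ID the diagnosed phone could have broadcast that day.
            ids = {rolling_id(key, day, s) for s in range(MINUTES_PER_DAY // ROLL_MINUTES)}
            counted: set[tuple[int, int]] = set()
            for d, m, rid in self.observed:
                if d == day and rid in ids and (d, m) not in counted:
                    counted.add((d, m))
                    minutes_by_day[d] += 1
        return {d: mins for d, mins in minutes_by_day.items()
                if mins >= EXPOSURE_THRESHOLD_MIN}


def simulate() -> tuple[dict[int, int], dict[int, int]]:
    """Constructed scenario: Bob spends 20 minutes near Alice, Carol only 5.

    Alice later tests positive and publishes her key for that day.
    Returns (Bob's exposure result, Carol's exposure result).
    """
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    day = 18400  # constructed day index
    for minute in range(600, 620):           # 20 minutes of proximity
        bob.observe(day, minute, alice.broadcast(day, minute))
    for minute in range(700, 705):           # 5 minutes of proximity
        carol.observe(day, minute, alice.broadcast(day, minute))
    published = alice.diagnosis_keys([day])
    return bob.check_exposure(published), carol.check_exposure(published)


if __name__ == "__main__":
    print(simulate())   # Bob is flagged with 20 minutes; Carol is below threshold
```

The privacy property the article's experts care about is visible in `diagnosis_keys` and `check_exposure`: the only thing that ever leaves a phone is a diagnosed user's own daily keys, and the decision about who was exposed is computed locally by each recipient. In the centralized variant described in the first paragraph, the `observed` list itself would be uploaded instead, which is exactly the data a health authority would then hold.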

KPMG Canada surveyed 2,000 Canadians online between May 7 and 12.

Among the highlights:

  • 62 per cent of respondents are in favour of letting the government use location tracking to send phone alerts to people who have come into contact with a person infected by COVID-19;
  • 82 per cent would be more comfortable with an app run by the health system that shows aggregate community “hot spots” for COVID-19 so they can make their own decisions about their health;
  • 65 per cent say any contact-tracing program needs to be administered by an independent body from the provincial or federal government.

“It’s clear that Canadians understand that contact-tracing apps are effective if participation is high, but the design of such apps must limit threats to privacy as most people aren’t comfortable letting the government have free rein to track their phones,” Sylvia Kingsmill, partner and national digital privacy leader for KPMG, said in a statement. “To make this work, governments will need to be completely transparent on how data will be collected, stored, erased, and managed – it’s about trust.

“There should be clarity about the circumstances under which that data will be shared, now and in the future. To this end, policies should be implemented and enforced to prevent misuse and/or abuse of the data to provide assurances to the public that principles of accountability and data minimization are being respected.”

The Senate’s online survey of 1,530 respondents was commissioned by Senators Colin Deacon, Donna Dasko and Rosemary Moodie and conducted between May 2 and May 4.

Among the findings:

  • In the absence of a vaccine or treatment for COVID-19, 90 per cent of respondents believe that it will be necessary to continue contact tracing in general (that may or may not include an app).
  • 80 per cent of respondents support the use of mobile device data by public health officials to notify those who have been close to someone who has tested positive for COVID-19.
  • 87 per cent of respondents believe contact tracing apps should trigger testing of themselves and others.
  • If assured that their data was kept confidential, large numbers of Canadians would share information from contact tracing apps with their physician (96 per cent), their family (95 per cent), public health officials (91 per cent) and health researchers (87 per cent). Fewer would share with employers and co-workers (75 per cent), other government officials (73 per cent), law enforcement (68 per cent), and social media platforms (35 per cent).
  • 65 per cent of respondents support the mandatory use of contact tracing apps.

[UPDATE, May 14, 3:30 pm EST]: In an interview this afternoon, Senator Colin Deacon acknowledged the question on mandatory/voluntary use of an app may not have been fair. The question was: “In some countries the installation of this app is mandatory. How supportive would you be for this to be the case in Canada.” Twenty-three per cent were very supportive and 42 per cent were somewhat supportive.

Asked if he thought that was a loaded question, Deacon said “potentially it is … I don’t know that it does. It asks, ‘What are your thoughts.’”

When it was suggested a neutral question would be ‘Should adoption be mandatory or voluntary,’ Deacon said, “That’s a fair point.”

Some experts object to the use of a mobile contact tracing app on privacy grounds, saying any system that collects personal data puts a user at risk. However, Deacon said the use of a contact tracing app has to be looked at as an aid to COVID-19 infection control. He said any approved app must protect privacy first. But, he added, many critics use smartphones and social media and manage access to their data. “As long as the [contact] data doesn’t leave your phone” except to notify people they should get tested, “I don’t see how that is any more invasive” than requiring people who test positive for the virus to tell health authorities with whom they have recently been in close contact, he said.

“Alongside this strong support for the use of contact tracing apps, we do find concerns about personal privacy and the security of personal data,” said a report that analyzed the Senate survey findings. “Accordingly, any roll-out of an app(s) will require robust privacy protection to be in place in a manner that earns the support of potential users of the app.”

A contact tracing app could help health authorities who do manual contact tracing, he said. It’s “unsustainable” to have large numbers of Canadians at home and not working because of the virus.

Former Ontario privacy commissioner Ann Cavoukian denounced the Senate survey mandatory adoption question. “It’s crazy,” she said in an interview. “It’s so skewed. To me this [question and result] has no validity … It creates the myth that the app is going to be mandatory.”

To her, the response to the KPMG Canada survey question is more credible.

Asked how an app should be introduced in Canada, Cavoukian urged governments to follow the Apple/Google framework, which doesn’t send the mobile IDs gathered by an app to health authorities for decryption and follow-up with individuals. Instead, when a user tests positive for COVID-19 they instruct the app to send a warning direct to those with a similar app whose mobile ID has been connected. That’s why Apple and Google have recently changed the description of their framework from a contact tracing app to “exposure notification,” she said.

(This story has been updated from the original by adding comments by Senator Colin Deacon and Ann Cavoukian)

Employee mistakes lead to information exposure in Nova Scotia, U.K.

It’s bad enough that hackers are able to exploit software vulnerabilities in IT environments to make off with sensitive data, but too often mistakes and misconfigurations by employees also lead to data being exposed. Two incidents reported this week show how serious this can be.

CBC News recently discovered the first incident, which involved perhaps a decade’s worth of unedited appeal decisions of the Nova Scotia Workers Compensation Board being posted on a legal website with the names of the workers. Some of the information also included intimate personal details about claimants. Usually, names and other identifying information in those cases are deleted.

Nova Scotia removed the unedited documents after being told of their discovery by CBC.

“It’s terrible to hear,” the broadcaster quoted one WCB claimant whose 2009 case was posted. “I was shocked more than anything.”

The incident involves decisions between 1998 and 2009 of the Nova Scotia Workers Compensation Appeals Tribunal (WCAT) that were uploaded to the website of the Canadian Legal Information Institute (CANLII). Lawyers and legal researchers use the decisions filed there to support their cases. However, the database is open to the public.

According to the CBC, all WCAT cases filed after 2010 had the names of the worker and their employer redacted.

Asked for comment, the tribunal issued a statement saying it “is aware of this situation, and WCAT is following the Province’s privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer.”

The provincial information and privacy commissioner’s office has been notified of the incident. Provincial legislation doesn’t mandate that victims of a WCAT data breach be notified.

In the second case, Wired.com discovered a presumably confidential U.K. health department document on a public Google drive with possible new features for the country’s COVID-19 contact tracing app. The series of slides, marked ‘OFFICIAL – SENSITIVE’, was part of a group of documents intended to be open so the public can see how the app, now in a trial, was developed.

Wired says the sensitive document was part of a group published by the U.K. National Health Service (NHS) on a Google Drive. It was accompanied by a privacy impact assessment of a U.K. COVID-19 contact tracing app now being tested and could be seen by anyone with a link. While other documents could not be accessed without approval, the sensitive slide deck with potential features wasn’t.

What could make the slide deck embarrassing to the government is that it contains possible features to be added to the already controversial app now being tested among the population of the Isle of Wight. In addition to disputes over whether such mobile apps are effective in helping control the rate of infection, privacy and health experts are fighting over whether an approved app should hold encrypted contact information on the mobile device (the decentralized model pushed by Google and Apple) or upload it to a government-controlled server (the centralized model). The U.K. app being tested uses a centralized model. However, this week news emerged that the U.K. government is also paying for the development of a decentralized app.

The slides say a future version of the app being tested could allow users to periodically enter their personal health status, as well as their postal code, demographic and location information to help the NHS in infection planning.

Smashing Security #178: Office pranks, meat dresses, and robocop dogs

Graham shares stories of email storms, Carole describes the steps being taken by firms as they try to coax employees back to the office, and special guest Lisa Forte details a hack that has impacted Lady Gaga and other celebrities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veterans Graham Cluley and Carole Theriault.

Another California Data Privacy Law

The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive:

In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the "California Consumer Privacy Act." Ballot initiatives are a process under California law in which private citizens can propose legislation directly to voters, and pursuant to which such legislation can be enacted through voter approval without any action by the state legislature or the governor. While the proposed privacy initiative was initially met with significant opposition, particularly from large technology companies, some of that opposition faded in the wake of the Cambridge Analytica scandal and Mark Zuckerberg's April 2018 testimony before Congress. By May 2018, the initiative appeared to have garnered sufficient support to appear on the November 2018 ballot. On June 21, 2018, the sponsors of the ballot initiative and state legislators then struck a deal: in exchange for withdrawing the initiative, the state legislature would pass an agreed version of the California Consumer Privacy Act. The initiative was withdrawn, and the state legislature passed (and the Governor signed) the CCPA on June 28, 2018.

Since then, it was substantially amended -- that is, watered down -- at the request of various surveillance capitalism companies. Enforcement was supposed to start this year, but we haven't seen much yet.

And we could have had that ballot initiative.

It looks like Alastair Mactaggart and others are back.

Advocacy group Californians for Consumer Privacy, which started the push for a state-wide data privacy law, announced this week that it has the signatures it needs to get version 2.0 of its privacy rules on the US state's ballot in November, and submitted its proposal to Sacramento.

This time the goal is to tighten up the rules that its previous ballot measure managed to get into law, despite the determined efforts of internet giants like Google and Facebook to kill it. In return for the legislation being passed, that ballot measure was dropped. Now, it looks like the campaigners are taking their fight to a people's vote after all.

[...]

The new proposal would add more rights, including over the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation. It would also triple existing fines for companies caught breaking the rules surrounding data on children (under 16s) and would require an opt-in to even collect such data.

The proposal would also give Californians the right to know when their information is used to make fundamental decisions about them, such as getting credit or employment offers. And it would require political organizations to divulge when they use similar data for campaigns.

And just to push the tech giants from fury into full-blown meltdown the new ballot measure would require any amendments to the law to require a majority vote in the legislature, effectively stripping their vast lobbying powers and cutting off the multitude of different ways the measures and its enforcement can be watered down within the political process.

I don't know why they accepted the compromise in the first place. It was obvious that the legislative process would be hijacked by the powerful tech companies. I support getting this onto the ballot this year.

EDITED TO ADD(5/17): It looks like this new ballot initiative isn't going to be an improvement.

Smashing Security #177: Elon Musk, Roblox, and Love Bug author found

What can X Æ A-12 Musk teach us about passwords? How did our guest finally hunt down in Manila the author of one of history’s biggest virus outbreaks? And what on earth is a hacker doing breaching Roblox security?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

The Guardian view on an NHS coronavirus app: it must do no harm | Editorial

Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device

The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.

Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.

Poor Password Practices: The Curse of the Cybersecurity Risk Index Score

Your password-passing habit may not be as harmless as you think. And yes, that includes Netflix login info too.

That’s one finding to come out of our newly released study of 2020’s Most (and Least) Cyber-Secure States. In this year’s analysis of the cyber readiness of all 50 U.S. states, and in partnership with Wakefield Research, we created a “Cyber Risk Hygiene Index” based on 10 metrics meant to measure individual and state-level cyber resilience against adverse online events.

If you’re unfamiliar with the report, you can read an introduction here.

Unfortunately for many Americans, two of those cyber hygiene metrics involved questions about their password habits:

  • Do you avoid sharing passwords with others?
  • Do you avoid reusing passwords?

Now, these questions weren’t the only reason no American received a passing grade on our Cyber Risk Hygiene Index, or that no state scored higher than a D, but they didn’t help. In all, the report found that more than one-third (34%) of Americans admit to sharing passwords and login credentials with others. Nearly half (49%) report having more accounts than passwords, meaning passwords are being reused across accounts.

Perhaps even more troubling is the finding that sharing passwords for streaming services—that famously widespread and supposedly benign new-age habit—has a worrying correlation: Americans who share passwords for streaming services (38%) are twice as likely to say they have had their identity stolen than those who do not (18%).

This is alarming because sharing and reusing passwords is especially dangerous during this golden age of phishing attacks. It means that, as soon as a cybercriminal achieves success in one phishing attack, those pinched credentials are likely to work for several other popular sites. A single successful phishing expedition could yield catches on banking sites, credit card applications, online marketplaces, and in a host of other potentially lucrative instances.

Even by sharing passwords with those a smidge less than trustworthy—or just careless—you’re increasing your attack surface. That network of individuals who now have access to your accounts could give your information away if they take the bait in a phishing attack.

“Instead of giving away the keys to the guest room when you share passwords, it’s more like giving away keys to the castle if they are reused across multiple accounts,” says Webroot threat analyst Tyler Moffitt, “you could be giving away the keys to the whole kingdom if that’s the only password you use.”

More password facts from the report

  • Tech Experts, one of the riskiest categories of users studied in our report, are more likely to share passwords (66%) than the average American (44%). Clearly, we at Webroot are in no position to point fingers.
  • On brand, 66 percent of so-called “Mile Markers” refrained from sharing passwords, compared to 63 percent for the average American. This group scored the highest on our index and is defined by having progressed through life markers such as earning a degree, owning a home, or having children.
  • Home-based Very Small Businesses (VSBs) are less likely to work with a dedicated IT team. As a result, they are more likely to use their personal devices for work and share passwords. Of these, 71 percent use the same passwords for home and business accounts, potentially cross contaminating their work and personal lives with the same security gaps.
  • By generation, Gen Z is most likely to share passwords (56%), followed by Millennials (47%), Gen X (33%), and Boomers (19%).

How to address poor password practices

In terms of a personal password policy, it’s important to set yourself up for success. Yes, it’s true the number of passwords one is responsible for can be dizzying: 191 per business according to one popular study.

That, and the parameters for creating a sound password seemingly grow more complex by the day. It used to be enough just to have a password. But now, they must be x characters long, contain one number and one special character and so on… And did we mention we recommend it be a passphrase, not a traditional password?

You get the gist.

That’s why our single strongest piece of advice to users looking to upgrade their cyber resilience is to use a password manager. This allows you to create long, alphanumeric and otherwise meaningless passwords without the need to keep tabs on them all.

After you’ve created a strong bank of passwords, managed through a password management service, supplement your security by adding two-factor authentication (2FA). Measures like 2FA pair your login credentials—something you know—with something you have, like a biometric feature or a mobile phone. This will ensure lifting your password (a unique one for each account, no doubt) isn’t even enough to crack your account.

“Put simply, an account simply isn’t as secure as it could be without 2FA,” says Moffitt. “And that means your credit card info, home address, or bank accounts aren’t as safe as they could be.”

No more reusing passwords. And, hopefully, no more sharing passwords. But that part’s up to you. You just have to ask yourself, is Netflix access worth having your identity stolen?

The post Poor Password Practices: The Curse of the Cybersecurity Risk Index Score appeared first on Webroot Blog.

Podcast Episode 6: Taking Over IoT Devices with MQTT

Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices. Spotify: https://open.spotify.com/episode/5wXKv9DiQjfsZNf6heXg67 Stitcher: […]

The post Podcast Episode 6: Taking Over IoT Devices with MQTT appeared first on The State of Security.

COVIDSafe App Teardown & Panel Discussion

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking:

On Sunday night, that app finally landed here, branded as COVIDSafe. I installed it the day after, capturing a bunch of my own thoughts and linking to efforts from the community to dissect what it was actually doing:

The efforts of fellow community members (several of them fellow Microsoft MVPs) garnered a lot of attention so we banded together to run a public panel yesterday. That 2-hour panel discussion has now been published to YouTube and it's chock-a-block full of real world observations about what the app actually does, what it collects, what it sends and what the real world privacy and security implications are. I loved being a part of this panel as it allowed us to step away from the speculation and conspiracy theories and instead focus on the facts of how the thing works. None of us have any commercial interests in this (we all went through a disclosure process in the video), it's just pure independent, fact-based discussion. Enjoy:

Way Out of The MAZE: A Quick Guide For Defending Against Maze Ransomware

Since late 2019, MAZE ransomware has become infamous for its encryption, data theft and the subsequent selling of the stolen data. A few other reasons for its notoriety are its unusual targets and its ransom demands. Since its inception around May 2019, MAZE actors have been targeting multiple sectors, prominent ones…

Email bungle at company seeking jobkeeper payments exposes staff’s personal details

Names, addresses and birthdates of more than 100 people shared in privacy breach

The company responsible for delivering traffic reports on radio and TV stations across Australia accidentally sent out the dates of birth, names and home addresses of more than 100 current and former staff to potentially thousands of people as the company seeks to apply for the jobkeeper payments.

Australian Traffic Network provides short traffic report updates during news bulletins to 80 radio and television stations, including the ABC, Seven, Nine, 10, 2GB and Triple M.

Related: As Australia takes on Google and Facebook over news content, the world is watching | Margaret Simons

Using Big Tech to tackle coronavirus risks swapping one lockdown for another | Adam Smith

An app that logs movements and contacts might seem like a fair trade now but we risk giving away our privacy for good

Even when the lockdown is lifted, there is no guarantee that life will ever return to normal. To prevent a future outbreak of coronavirus, the UK will need to roll out mass testing, maintain some social distancing measures and closely monitor communities to curb future flare-ups.

In pursuing that last aim, governments across the world are developing technology to track our movements. When lockdown ends, technology could be a valuable means of controlling future outbreaks, alerting people to cases of Covid-19 in their area and hopefully preventing future shutdowns.

Related: The expansion of mass surveillance to stop coronavirus should worry us all | Veena Dubal

Apple Phishing Is on the Rise

While Apple computer infections show a growing trend, users can also fall victim to other cyber-attacks that involve phishing and may lead to identity theft, financial losses, and other serious issues. Phishing is one of the dominant forms of today’s online attacks. With social engineering at its core, it mainly relies on booby-trapped links, typically arriving by email, to hoodwink recipients into disclosing their personal information to fraudsters.

The particularly unnerving thing is that phishing kits available on darknet sources can be easily accessed by individuals who don’t have a solid programming background. It means that even people with basic computer skills may zero in on you.

Here’s some food for thought: there are currently about 1.5 billion Apple devices in use worldwide. All of them require unique Apple IDs to access the manufacturer’s proprietary services such as iCloud, App Store, iMessage, Apple TV, Apple Music, FaceTime, and many others. It means the potential attack audience is huge and the entry point is the Apple ID password, one secret combo of characters and numbers.

Why may fraudsters want to steal your Apple ID?

Apple ID is your key to using all Apple services and implies unlimited access to a plethora of sensitive information. Here’s a brief overview of its common use cases:

  • No matter if you own an iDevice or a Mac, you use your Apple ID to sign in to it and unleash its full potential and features. It’s within the realms of possibility that it will also be a way to log in to Apple’s future self-driving electric car, which is rumored to be a work in progress at this point.
  • Apple ID retains your payment and shipping details to facilitate the process of buying apps, service subscriptions, and devices from Apple.
  • Your Apple ID is the conduit to accessing your security settings and extensive details on all app and service purchases you completed with it.
  • You use Apple ID to access your iCloud account, a place where you store your photos, videos, and other personal data. If stolen, these files can be mishandled to perpetrate blackmail attacks.

Techniques used to dupe you into visiting Apple ID phishing pages

The scammers’ repertoire spans quite a few types of Apple ID phishing mechanisms. Familiarize yourself with some of the most widespread methods to make sure you don’t fall for them down the road.

  1. Spoof payment statement email

You should be able to identify this phishing attempt by looking at the subject line of the received email. It says “Payment Statement,” “Receipt ID,” “Receipt Order,” or something similar. The goal of this phony message is to make you think your credit card has been used to pay for some products or services.

The natural reaction of most users is to rush to cancel an order they never placed. The email contains a link that supposedly leads to the relevant billing page. Instead, it takes you to a phishing site that instructs you to “verify” your personal data, including your credit card number and Apple ID password.

There are usually a few giveaways in these emails. First off, the actual sender address (not the display name, which anyone can set to “Apple”) is on a domain unrelated to Apple. Furthermore, the message may carry an attachment in MS Word format, a type of file Apple doesn’t send to its customers. Also, pay attention to the URL that shows up when you hover the mouse over the “Cancel and Manage Orders” (or similar) link: it typically points somewhere entirely unrelated to Apple.

With that said, you should refrain from clicking any suspicious link received via email. Unfortunately, some payment-related phishing messages look convincing and press for urgent action. They may forward you to a page that looks just like the legitimate Apple site, except that some words are misspelled and the navigation icons at the top aren’t clickable. Treat dubious emails like that with caution, and if you want to check a charge, navigate to Apple’s site or app yourself rather than following the link.

  • Apple ID fraudulent phone calls

Scams aimed at harvesting Apple IDs don’t revolve around sketchy emails alone; some rely on phone calls. To lend the call a false air of legitimacy, crooks often spoof the caller ID so that the number displayed on your phone looks like a real Apple number. Because the phone recognizes the spoofed number, the call details may even show the genuine company logo and official website. The impostors will usually ask you to provide sensitive details for “account validation” or to confirm that you accept purportedly updated Terms of Service so that you can keep using certain features.

  • Bogus text messages

Apple ID phishing campaigns can also involve text messages sent to your phone. They typically say something like “Your Apple account is suspended” and instruct you to follow a link to find out how to sort out the alleged predicament. You’ll be asked to enter your personal information in a fake form on the linked-to website mimicking an Apple support page.

  • Misleading pop-ups

This type of phishing originally surfaced as a proof of concept, and so far there have been no reports of real-world attacks of that sort. However, the researcher Felix Krause has demonstrated that it is a viable vector, so such attempts may appear in the wild at any time.

The idea is simple: a malicious app triggers a rogue dialog asking the victim to enter their Apple ID password to sign in to the iTunes store. The authentication details go to the attacker once typed in. Most users take such pop-ups for granted and don’t mind entering their sensitive information to keep using an app they like. To top it off, the alerts look identical to ones routinely generated by iOS.

To check whether a dialog is legitimate, Krause recommends pressing the Home button. If the app and the dialog close together, you were looking at a spoofed pop-up. If the dialog stays on screen, it is a genuine iOS request, because system prompts are drawn by a separate process rather than by the app itself. Safer still is to dismiss any such prompt and enter your password in the Settings app instead.

Best practice tips to identify Apple phishing attempts

Although some phishing hoaxes may be harder to pinpoint than others, all of them share a number of telltale signs. Here are some common red flags to look out for:

  • Spelling and grammar inaccuracies;
  • Sloppy design of the email or web page;
  • Dubious sender address unrelated to Apple;
  • Requests to verify sensitive info over email or phone (something Apple never does);
  • Suspicious-looking or shortened hyperlinks;
  • Dodgy email attachments.
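The checks above can be automated. The script below is an added example written for this page, not code from the original post or from Apple: it parses a constructed sample e-mail with Python’s standard library, verifies that the real sender address (not the display name) is on an Apple domain, flags MS Word attachments and shortened links, and performs the “hover over the link” test by comparing the domain shown in the link text with the domain the href actually points to. The allowlist of Apple domains, the shortener list and both sample messages are assumptions made for the example; the last-two-labels shortcut for the registrable domain should be replaced with the Public Suffix List in real use.

```python
"""Triage checks for a suspected Apple-themed phishing e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains Apple genuinely uses for account and receipt mail; this short
# allowlist is an assumption of the example. Build yours from Apple's docs.
APPLE_DOMAINS = {"apple.com", "icloud.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # hide the real target
RISKY_TYPES = {"application/msword",  # an Apple receipt never carries Word files
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}


def registrable_domain(host):
    # Last two labels: fine for .com/.example names, but production code
    # should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw):
    """Return the red flags found in one RFC 822 message as readable strings."""
    msg = message_from_string(raw)
    flags = []

    # Judge the real address, not the display name, which anyone can set.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if registrable_domain(sender_domain) not in APPLE_DOMAINS:
        flags.append(f"sender domain is not Apple: {sender_domain}")

    html = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in RISKY_TYPES:
            flags.append(f"risky attachment: {part.get_filename()}")
        elif ctype == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")

    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if registrable_domain(host) in SHORTENERS:
            flags.append(f"shortened link hides its destination: {href}")
        elif registrable_domain(host) not in APPLE_DOMAINS:
            flags.append(f"link points to a non-Apple host: {host}")
        # The hover check, automated: the text names one domain, the href another.
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            flags.append(f"link text shows {shown.group(1)} but targets {host}")
    return flags


# Constructed sample messages (not real mail): a spoofed receipt and a clean one.
PHISH = """\
From: Apple Billing <no-reply@apple-receipts.example>
Subject: Receipt ID #20483
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your card was charged $99.99.</p>
<a href="https://appleid.apple.com.verify-account.example/login">Cancel and Manage Orders at apple.com</a>
</body></html>
--b1
Content-Type: application/msword; name="Invoice.doc"

0M8R4KGxGuE=
--b1--
"""
LEGIT = """\
From: Apple <no_reply@email.apple.com>
Subject: Your receipt from Apple
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://appleid.apple.com/">Manage your Apple ID</a></body></html>
"""
```

Calling `analyze_email(PHISH)` returns four flags (the sender domain, the Word attachment, the non-Apple link host and the text-versus-target mismatch), while `analyze_email(LEGIT)` returns an empty list. Note the lookalike host: `appleid.apple.com.verify-account.example` begins with Apple’s name, but the registrable domain, the only part that matters, is `verify-account.example`, which is exactly what the hover check is meant to expose.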

How to avoid falling victim to Apple ID phishing scams?

To make yourself a moving target, adhere to a number of practices that will keep your Apple ID safe and strengthen your personal security posture overall.

  • Stay abreast of cybersecurity news covered by reputable sources.
  • Opt for web browsers equipped with anti-phishing features (Google Chrome is a good example).
  • Abstain from opening email attachments sent by someone you don’t know.
  • Get into the habit of hovering your mouse over hyperlinks before you click. If you notice the slightest hint of danger, don’t click the link.
  • Set up 2FA (two-factor authentication) for your Apple ID and other personal accounts.
  • Make sure you are using the latest macOS or iOS version supported by your device.

Additionally, you should do your homework and peruse some security tips provided by Apple. Many users don’t bother exploring these recommendations until they have been scammed. You are better off safeguarding your accounts proactively and nurturing your phishing awareness. Here are the sources on your must-read checklist:

The post Apple Phishing Is on the Rise appeared first on CyberDB.

‘Zoom is malware’: why experts worry about the video conferencing platform

The company has seen a 535% rise in daily traffic in the past month, but security researchers say the app is a ‘privacy disaster’

As coronavirus lockdowns have moved many in-person activities online, the use of the video-conferencing platform Zoom has quickly escalated. So, too, have concerns about its security.

In the last month, there was a 535% rise in daily traffic to the Zoom.us download page, according to an analysis from the analytics firm SimilarWeb. Its app for iPhone has been the most downloaded app in the country for weeks, according to the mobile app market research firm Sensor Tower. Even politicians and other high-profile figures, including the British prime minister, Boris Johnson, and the former US federal reserve chair Alan Greenspan, use it for conferencing as they work from home.

Morrisons not liable for massive staff data leak, court rules

UK supreme court says retailer not to blame for actions of employee with grudge

The UK’s highest court has ruled that Morrisons should not be held liable for the criminal act of an employee with a grudge who leaked the payroll data of about 100,000 members of staff.

The supermarket group brought a supreme court challenge in an attempt to overturn previous judgments which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.

WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private?

WhatsApp is one of the largest instant messengers and is considered by many a social network in its own right. So, continuing our app safety discussion, we’re diving into some of the top security hacks and questions WhatsApp users and parents may have.

But first, what’s a security hack? In short, it’s an attempt to exploit the weaknesses in an app, network, or digital service to gain unauthorized access, usually for some illicit purpose. Here are just some of the concerns WhatsApp users may have and some suggestions on boosting security.

WhatsApp Hack FAQ

Are WhatsApp conversations private?

Yes, but there are exceptions. WhatsApp offers strong privacy thanks to end-to-end encryption, which scrambles messages so that only you and the person you’re communicating with can read them or listen to your calls. Here’s the catch: WhatsApp messages (including videos and photos) are exposed before they are encrypted and after they are decrypted, so spyware on the phone itself can read them regardless of the encryption. Spyware attacks against WhatsApp users have already occurred. Safe Family Tip: No conversation shared between devices is ever 100% private. To increase your WhatsApp security, keep sensitive conversations and content offline, and keep your app updated.

Can anyone read my deleted WhatsApp messages?

A WhatsApp user can recover his or her own deleted messages via the chat backup function, which automatically backs up all messages at 2 a.m. every day. WhatsApp users can delete a message for everyone by using the Delete for Everyone button within about an hour after sending, though it’s not foolproof. Here’s the catch: anyone who receives the message before it’s deleted can take a screenshot of it, so there’s no way to ensure regrettable content isn’t captured, archived, or shared. There are also third-party apps that recover deleted messages shared by others. Another possibility is that an attacker gains access to old chats stored in a user’s cloud backup, which is not protected by the chats’ end-to-end encryption unless encrypted backups are turned on. Safe Family Tip: Think carefully about sharing messages or content you may regret later.

Can WhatsApp messages be deleted permanently?

Even if a WhatsApp user deletes a message, that is no guarantee of privacy, since conversations are two-way and the person on the receiving end may screenshot or save a copy of a chat, video, or photo. On the security side, you may delete a message and see it disappear, but according to reports a “forensic trace of the chat” can remain in the app’s local database on the phone, where someone with access to the device or its backups could recover it. Safe Family Tip: For extra security, turn off backups in WhatsApp’s Settings.

How can I secure my WhatsApp?

It’s crucial when using WhatsApp (or any other app) to be aware of common scams, including malware, catfishing, job and money scams, spyware, and file jacking. To amplify security, turn on Security Notifications in Settings, which will send an alert if a contact’s security code changes. The code changes legitimately when a contact reinstalls WhatsApp or switches phones, but an unexpected change is worth confirming with them through another channel, because it can also mean a different key has been substituted for theirs. Other ways to boost security: use two-step verification, never share your 6-digit SMS verification code, disable cloud backup, and set your profile to private. Safe Family Tip: Install comprehensive family security software and secure physical access to your phone or laptop with face, fingerprint, or passcode authentication. Don’t open (block, report) messages from strangers or spammers. Never share personal information with people you don’t know.
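To make concrete what a security-code change detects, here is an added Python model written for this page. It is not WhatsApp’s code and only loosely follows the Signal-protocol fingerprint format that WhatsApp’s 60-digit codes are based on: iterated SHA-512 over each party’s identity key, rendered as six groups of five digits per party, with the two halves sorted so both sides see the same string. The identity keys are constructed constants, and the real derivation also binds the user identifier, which is omitted here. The point the model demonstrates is that the code is stable as long as both parties hold the same identity keys and changes the moment a different key is substituted for a contact’s, whether because they reinstalled or because someone interposed themselves.

```python
"""Why a changed 'security code' matters: a simplified safety-number model (added example)."""
import hashlib

# Constructed stand-ins for long-term identity public keys. In WhatsApp/Signal
# these are Curve25519 keys generated on each install; here they are fixed bytes.
ALICE_KEY = bytes.fromhex("11" * 32)
BOB_KEY = bytes.fromhex("22" * 32)
MALLORY_KEY = bytes.fromhex("33" * 32)  # an interloper's key


def fingerprint(identity_key, iterations=5200):
    """Iterated SHA-512 over a key, rendered as 30 decimal digits (6 groups of 5).
    The iteration count and digit grouping loosely follow the Signal fingerprint
    format; the real derivation also mixes in the user identifier (omitted here)."""
    digest = identity_key
    for _ in range(iterations):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(g, 'big') % 100000:05d}" for g in groups)


def security_code(my_key, their_key):
    """Both sides sort the two fingerprints, so Alice and Bob see the same 60
    digits and can compare them by reading aloud or scanning a QR code."""
    return "".join(sorted((fingerprint(my_key), fingerprint(their_key))))


def code_changed(remembered, current):
    """The condition behind a 'security code changed' notification."""
    return remembered != current


def demo():
    """Return (honest code, code seen if the server swaps in Mallory's key)."""
    honest = security_code(ALICE_KEY, BOB_KEY)
    # Alice's and Bob's views agree.
    assert honest == security_code(BOB_KEY, ALICE_KEY)
    # If Alice's app is handed Mallory's key as 'Bob', the code she derives
    # no longer matches the one she verified earlier.
    return honest, security_code(ALICE_KEY, MALLORY_KEY)


if __name__ == "__main__":
    verified, now = demo()
    print("verified:", verified)
    print("now     :", now)
    print("changed :", code_changed(verified, now))
```

Running it prints two different 60-digit strings and `changed: True`. The model also shows why the notification alone cannot tell a reinstall from an attack: both produce a new key and therefore a new code, which is why the sensible response is to re-verify the code with the contact out of band.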

How do I delete my WhatsApp account from another phone?

To delete a WhatsApp account go to > Settings > Account > Delete My Account. Deleting your account erases message history, removes you from groups, and deletes your backup data. According to WhatsApp, for users moving from one type of phone to another, such as from an iPhone to an Android, and keeping the same phone number, your account information stays intact, but you won’t be able to migrate messages across platforms. If you’re not keeping your number, you should delete WhatsApp from your old phone, download WhatsApp to your new phone, and verify your new phone number. Upgrading the same phone type will likely include options to migrate messages. Safe Family Tip: Before you give away or exchange an old phone, wipe it clean of all your data.

How do you know when your WhatsApp QR code has been scanned?

WhatsApp users can easily sync devices by downloading the WhatsApp web app and activating it (Settings > WhatsApp Web/Desktop). Devices sync by scanning, with the phone, a QR code that appears on your laptop screen. You know your device is linked when you see the green chat screen appear on your desktop. Safe Family Tip: Anyone with brief physical access to your unlocked phone can scan a QR code on their own computer and gain ongoing access to your account. Settings > WhatsApp Web/Desktop on your phone lists every active session; check it now and then, and if you think someone has access to your account, log out of all active web sessions from there.

How long are WhatsApp messages stored?

According to WhatsApp, once a user’s messages are delivered, they are deleted from WhatsApp servers. This includes chats, photos, videos, voice messages, and files. Messages can still be stored on each individual’s device. Safe Family Tip: The moment you send any content online, it’s out of your control. The person or group on the receiving end can still store it on their device or to their cloud service. Never send risky content. 

How secure is WhatsApp?

There’s no doubt that end-to-end encryption makes it much more difficult for hackers to read WhatsApp messages. WhatsApp is more secure than many other messaging apps, but it is not 100% secure.

Is it true that WhatsApp has been hacked?

Yes. Several times and in various ways. No app, service, or network has proven to be unhackable. Safe Family Tip: Assume that any digital platform is vulnerable. Maximize privacy settings, never share risky content, financial information, or personal data.

Is WhatsApp safe to send pictures?

Encryption ensures that a transmission is secure, but that doesn’t mean WhatsApp content is safe or that human behavior is predictable. People (even trusted friends) can share private content. People can also illegally attempt to gain access to any content you’ve shared. This makes WhatsApp (along with other digital sharing channels) unsafe for exchanging sensitive information or photos. Safe Family Tip: Nothing on the internet is private. Never send or receive pictures that may jeopardize your privacy, reputation, or digital footprint.

WhatsApp isn’t the only popular app with security loopholes hackers exploit. Every app or network connected to the internet is at risk for some type of cyberattack. We hope this post sparks family discussions that help your kids use this and other apps wisely and helps keep your family’s privacy and safety online top of mind.

The post WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private? appeared first on McAfee Blogs.

Is the TikTok App Safe for Kids?

Everyone’s talking about the TikTok app. In addition to talking, tweens and teens are swiping, laughing, and sharing TikTok videos. Meanwhile, parents are concerned with one thing: Is TikTok safe?

What is TikTok?

Owned by the Chinese company ByteDance, TikTok is a video-based social networking app that absorbed the Musical.ly app, which ByteDance acquired in 2017 and merged into TikTok in 2018. The app allows users to create an account, make and post short 15-60-second videos, and view, comment on, and share videos from other users. According to reports, TikTok has 1 billion active users in 155 countries. Approximately 60 percent of TikTok’s audience is between 16 and 24. The app is rated 12+ in the app stores and TikTok’s terms require users to be at least 13, but there is no age-verification process.

Why Do Kids Love TikTok?

TikTok is the latest and greatest digital hangout and has become the main channel for kids to discover new and creative ways to express themselves. They can follow their interests, be entertained, and be rewarded with views, likes, and shares for their artistic efforts. TikTok has built-in editing tools, free music and dialogue clips, and filters that make creating videos easy at any skill level. Users can share funny sketches, lip-sync videos, and spontaneous, personal raves or rants. According to app reviews posted by teens, TikTok is also a go-to creative outlet, a place to de-stress, and a confidence-builder.

What are the risks?

Apps aren’t inherently risky. Rather, it’s the way individuals use an app that puts themselves or others at risk. That’s why understanding how your kids engage on TikTok, and how to make the experience as safe as possible, is important. Here are some of the risks your child could encounter on TikTok:

Contact from strangers. According to news reports, predators use TikTok to connect with kids. Anyone who follows a TikTok user can privately message them and initiate private conversations outside of the app.

Exposure to mature content and lyrics. Apps attract users of all ages, which means if your child has a TikTok account, he or she has access to the public video feed. With 1 billion users, your child will likely see videos containing sexually suggestive or explicit images and hear explicit lyrics (we saw and heard plenty). They may even unknowingly use music clips for their videos that contain explicit lyrics.

Spam and malware. Recent reports revealed software flaws that could have opened TikTok accounts to a range of attacks. Researchers say an attacker could have exploited the flaws to send legitimate-looking text messages carrying malicious links, make private videos public, and access personal data. The flaws have since been fixed, which is one more reason to keep the app updated.

Excessive screentime. TikTok is a curiosity magnet for kids, which can lead to excessive screen time, lack of sleep, and a host of other negative outcomes from too much time online.

Cyberbullying. TikTok users have been known to create “cringe compilations,” which are videos they deem to be odd, uncool, or cringe-worthy. Several of these cruel compilations have been posted outside of TikTok and have gone viral.

Quest for likes. As with any social network, some users can become preoccupied with amassing views, likes, and followers. This obsession can lead to bad decisions, risky behavior (such as challenges), cyberbullying, and sharing harmful content.

Oversharing. Some kids share their daily activities through TikTok videos and inadvertently expose personal information such as their school, their location, home address, and other personal data.

10 Family Safety Tips

Should you allow your child to use TikTok? The answer to that question depends on a few things, including the age of the child using the app and how they use it. Here are a few tips that may help in that decision.

  1. Download the app. The best way to understand TikTok is to download it, create an account, and explore. Take some solo time to search a few hashtags, scroll some feeds, and get a feel for the content. Visit the app’s safety center for an overview of safety tools. Visit the privacy center to see how your child’s data is being used.
  2. Go through the app together. Sit and browse content with your child. Discuss the pros and cons of the content and how it does or doesn’t align with your family’s digital ground rules.
  3. Max privacy settings. By making a TikTok account private, only approved followers (known friends) can view your child’s videos or send your child messages. When an account is public, anyone can comment, send messages, or share your child’s videos.
  4. Explore restricted mode. TikTok has a Restricted Mode for minors that will allow you to filter out inappropriate content.
  5. Explore Family Safety Mode. This TikTok feature allows a parent to link their TikTok account to their child’s to manage screen time, direct messages, set restrictions, and control friend and comment filters.
  6. Control interactions. Users can disable comments on a specific video, block people they don’t know from following them, and report abuse.
  7. Monitor social circles. Kids can change privacy settings and eventually be wooed into making more connections and getting more exposure. Consider monitoring who your child follows and who is following them. Consider the TikTok influencers they follow and the type of content they share.
  8. Monitor screen time. It’s easy to burn through countless hours on TikTok. The app has a digital wellbeing element that alerts users every two hours. Consider filtering software that adds another way to set screen limits.
  9. Talk about being an upstander. Creating and sharing original content online takes courage — and attracts bullies, making TikTok a potentially unsafe environment for kids. Encourage your child to be an upstander online and offer encouragement and support to peers when needed.
  10. Block the app. If you determine TikTok’s content isn’t a good fit for your family or that the risks outweigh the opportunities, both Android and iOS have built-in parental controls in Settings that allow you to block any app (consider rechecking these settings weekly).

One look at today’s headlines, and it’s tempting for a parent to want to delete every app like TikTok. Only we know a similar app will soon surface. Another approach is to jump into the digital mix. Know what apps your kids love and why. Understand how they use their favorite apps and who they are talking to. And, always remember: It’s never too early or too late to start these critical conversations with your kids. You’ve got this, parents!

The post Is the TikTok App Safe for Kids? appeared first on McAfee Blogs.

Cyber Defence: How Machine Learning and AI are Eliminating the Complexity

Machine learning and artificial intelligence are changing the way that businesses operate. Whether it’s on the factory floor or in back-end IT, automated services and machines are increasing speed and productivity all while freeing up workers to focus on tasks which require a totally different set of skills.

Alongside this, we are seeing the role of AI in cyber security increase as well as the number of artificial intelligence security tools being used too. This is all because AI is trained to learn, develop and grow using the data it is provided with. Essentially, an AI system is constantly in a state of change and improvement. In an environment where hackers and security threats are everywhere and constantly looking for a way into a system, protecting company data has never had such a high priority. With this in mind, it’s important to understand exactly what is AI in cyber security and just how is AI in security being implemented?    

The Purpose of Cybersecurity

AI is proving to be one of the most influential and game-changing technology advancements in the business world. As more and more enterprises embrace the digital sphere, companies are finding new and exciting ways to implement AI-based functions into every platform and software tool at their disposal. However, one of the natural consequences of this is that cybercriminals view this increasing digitization as a definite window of opportunity.

A cyber threat is basically any act that intends to steal, harm or digitally affect data in some way. They are more than just a nuisance, they can have serious and damaging effects. Cyber-attacks can cause electrical blackouts, involve the theft of valuable or sensitive data like medical records, disrupt phone and computer networks or just paralyze entire systems making any data unavailable. They can cripple a company in a heartbeat.

Some of the most common forms of cyber threats include:

  • Phishing – Email-borne attacks that involve tricking recipients into disclosing confidential information or downloading malware by clicking on a link.
  • Malware – This is usually a piece of software that performs a malicious task on a targeted device or network such as corrupting data or taking control of a system.
  • Trojans – A form of malware that enters a system disguised as something harmless, such as a standard piece of software, and runs its malicious code once inside.
  • DDoS – An attacker commandeers many devices at once (a botnet) and uses them to flood a target with requests until it can no longer serve legitimate users.
  • Data Breaches – A data breach is simply where an attacker hacks or finds a way into a system before stealing data directly.

Cyber threats never stay the same for long. Millions of new variants appear every year, and this constant churn is why machine learning and artificial intelligence matter so much in combating them.

How AI Can Help in Cyber Defence?

Machine learning-based technologies are particularly useful for detecting previously unseen threats to a network. Here computers adapt their algorithms to the data they receive and improve as they go, with the aim of a system that can predict threats and identify anomalies with greater accuracy and speed than a human analyst could. The trade-off is false positives: an anomaly is only unusual, not necessarily malicious, so every alert still needs triage.

Another example of AI in cyber security is the use of supervised algorithms. These uncover threats based on the labelled data they have been trained on; from it, the system makes educated decisions about new data and determines whether it is likely to be harmful. Thousands of samples of malicious code can serve as training data, producing an efficient detector for incoming threats that resemble them, though a sample unlike anything in the training set can still slip past.
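As an added illustration (example code written for this page, not a product’s or the author’s own), here is a supervised classifier of the kind the paragraph describes, built from scratch in Python with no third-party libraries. The training data is a constructed set of six binaries described by the Windows API names they import, hand-labelled malicious or benign; a real pipeline would extract these from the PE import table and train on far more samples. The naive Bayes model learns per-class token frequencies, uses add-one smoothing so an unseen token does not zero out a score, and abstains when the log-odds fall inside a margin, so a sample made of tokens it has never seen is reported as uncertain rather than guessed.

```python
"""Supervised malware triage with a from-scratch naive Bayes classifier (added example)."""
import math
from collections import Counter

# Constructed training set (not real samples): each entry is the set of Windows
# API names a binary imports, with an analyst's label. A real pipeline would
# extract these from the PE import table and use thousands of samples.
TRAINING = [
    ({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "GetProcAddress"}, "malicious"),
    ({"VirtualAllocEx", "CreateRemoteThread", "LoadLibraryA", "IsDebuggerPresent"}, "malicious"),
    ({"WriteProcessMemory", "IsDebuggerPresent", "GetProcAddress", "InternetOpenUrlA"}, "malicious"),
    ({"CreateFileW", "ReadFile", "WriteFile", "CloseHandle"}, "benign"),
    ({"CreateWindowExW", "ShowWindow", "GetMessageW", "DispatchMessageW"}, "benign"),
    ({"CreateFileW", "GetProcAddress", "LoadLibraryA", "CloseHandle"}, "benign"),
]
LABELS = ("malicious", "benign")


def train(samples):
    """Learn per-class token counts, class counts and the shared vocabulary."""
    token_counts = {label: Counter() for label in LABELS}
    class_counts = Counter()
    vocab = set()
    for tokens, label in samples:
        token_counts[label].update(tokens)
        class_counts[label] += 1
        vocab |= tokens
    return {"tokens": token_counts, "classes": class_counts, "vocab": vocab}


def log_score(model, tokens, label):
    """log P(label) + sum of log P(token | label), with add-one (Laplace)
    smoothing so a token unseen in this class does not zero the product."""
    counts = model["tokens"][label]
    denominator = sum(counts.values()) + len(model["vocab"])
    score = math.log(model["classes"][label] / sum(model["classes"].values()))
    for token in tokens:
        score += math.log((counts[token] + 1) / denominator)
    return score


def classify(model, tokens, margin=1.0):
    """Return (verdict, log_odds). Positive log-odds favour 'malicious'.
    Results inside +/- margin are reported as 'uncertain' rather than forced."""
    log_odds = log_score(model, tokens, "malicious") - log_score(model, tokens, "benign")
    if log_odds > margin:
        return "malicious", log_odds
    if log_odds < -margin:
        return "benign", log_odds
    return "uncertain", log_odds


MODEL = train(TRAINING)

if __name__ == "__main__":
    for imports in (
        {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"},
        {"CreateFileW", "ReadFile", "CloseHandle", "GetMessageW"},
        {"GetProcAddress"},
        {"SomeNeverSeenApi"},
    ):
        verdict, odds = classify(MODEL, imports)
        print(f"{verdict:10s} log-odds={odds:+.2f} {sorted(imports)}")
```

The process-injection trio (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) drives the first sample to log-odds of ln 9, about 2.2, in favour of malicious; a sample of plain file and window calls scores ln(1/36), about -3.6, and comes out benign; GetProcAddress alone, which appears in both classes, sits inside the margin and is left uncertain, as is an import the model has never seen. That last case is the practical caveat behind the paragraph above: the model only knows what it has been shown.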

The Future of Cyber Defence

Because the environment changes at lightning pace, staying ahead of technological developments is crucial to business sustainability in every sector that depends on digital channels. Here are some trends to stay aware of regarding cyber defences in 2020:

  • Predicting Threats Is Critical – More and more we’ll see companies concentrating on detecting and predicting cyber threats using AI. As technology and awareness develop in regards to using and adopting AI as a part of cyber defences, the need to predict and respond swiftly and accurately will increase in turn.
  • It Will Become Prevalent For Consumers – Consumers are starting to realize that passwords are not providing enough account protection and that their accounts are increasingly vulnerable. AI can recognize returning users and will be key in protecting the entire customer journey, from creation through to transaction. This should allow businesses to form trusting bonds with their customers as they are protected by more than just a password.
  • AI Will See A Sharp Rise In Usage – According to Capgemini, 69% of enterprises believe AI will be necessary in order to respond to cyberattacks. The majority of companies say they are counting on AI to help identify and thwart attacks that could cause increasingly expensive losses.

Final Thoughts

It can be a worrying time for businesses out there who are concerned about the growing threat of cyber-attacks. However, by combining security methods with AI and machine learning it is possible to protect yourself accordingly. By being proactive, staying up-to-date with the latest threats and working with industry professionals, you’ll be able to stay on top of even the most serious of cyber threats out there and ensure your data stays protected.

About the author

David Pittaway is a creative content writer for Aumcore, a digital marketing agency based in New York. He writes on a variety of topics, from SEO and machine learning to crafting the perfect creative content marketing plan.

The post Cyber Defence: How Machine Learning and AI are Eliminating the Complexity appeared first on CyberDB.

TikTok Challenge, Hoop App, and Other Headlines You May Have Missed

Digital news that affects families seems to be dominating the headlines these days. To keep parents in the know, here are some of the stories you may want to give extra family discussion time to this week.

Skull Breaker Challenge Proving Unfunny 

Apps — video apps especially — can help kids tap into their creativity and give kids a critical way to connect. Where the fun can take a dangerous turn is in the way kids choose to use their technology. In this case, the poor choice is in the Skull Breaker Challenge (also called the Trip Jump Challenge), a prank resulting in some kids being hospitalized.

The prank, designed to get laughs and accumulate TikTok views, involves two kids tricking a third into making a dance video together. Three kids line up side by side for a planned group dance that will be filmed and posted. As everyone jumps on cue, the two kids on either side kick the legs out from under the one in the middle, who falls backward. According to reports, the prank is surfacing mainly on TikTok but also on YouTube.

Safe Family Tip: Consider talking to your child about the dangers of online challenges and the risks already reported in the news. 1) Discuss the physical dangers doctors are warning the public about, including neck strain, concussion, skull fracture, long-term complications, or even death. 2) Using current news stories, explain personal responsibility and what can happen legally if your child hurts another person during a prank.

Snapchat’s Hoop App Being Called ‘Tinder for Teens’

Snapchat users (over 2.5 million in fact) are flocking to a new Tinder-like app called Hoop that interfaces with Snapchat. The app lets Hoop users swipe through other Hoop users’ profiles and request to connect via their Snapchat profile name.

While the app asks a user’s age, as other social sites do, there’s no way to verify it, and users can change their age at any time after creating an account. This type of app can be tempting for kids who are naturally curious and looking to meet new friends outside their familiar social circle. There’s potential for common issues such as catfishing, predatory behavior, and inappropriate content. Kids as young as 12 can form connections with strangers, and while their own profile may be harmless, they can’t control the content that pops up on their screen from other users. Another red flag: Hoop users are rewarded with “diamonds” for sharing their Snapchat name and getting others to join Hoop, so the incentive to share daily and connect with a wide circle outside one’s known friend group may prove tough for some kids to resist.

Safe Family Tip: While it’s challenging to stay on top of the constant array of new apps, it’s not impossible. One way to understand where your child spends his or her time online is comprehensive monitoring software. Another is to physically check your child’s phone once a week for new app icons and take the time to talk about his or her favorite apps. Explain the dangers of connecting with strangers and the real possibility that a new “cute 16-year-old” is a predator attempting to win your child’s trust (it happens every day). Review and agree on which apps are considered safe and the expectations you have for your family’s online choices.

Another app to keep on your radar is Wink. Nearly identical to Hoop, Wink interfaces with Snapchat and is being promoted as a “new friend finder.” It has a similar “swipe” feature that connects kids to random Wink users and is currently ranked #15 in the app store.

Should phones be banned from schools?

A conversation gaining a quiet but consistent buzz is the merit of prohibiting phones from schools, a ban France has enforced for two years that has parents, educators, and legislators talking. Several recent studies suggest that phone bans can lead to higher test scores, longer attention spans, and increased cognitive capacity. Some schools in the U.S. have independently taken steps to curb or ban phones in hopes of refocusing distracted students.

Proponents of phones in school say a ban would be impossible to enforce and that technology is needed to help parents stay in touch with kids during the school day, especially for emergencies. Others say phones at school are a critical part of learning and raising self-sufficient, tech-savvy students prepared for a digital workforce.

Safe Family Tip: Begin the discussion with your child about the pros and cons of devices at school. Listen closely to his or her perspective. Discuss potential device-related issues that can be amplified during the school day such as cyberbullying, group chat conflicts, sexting, gaming during class, and using devices to cheat. Review expectations such as using phones only before and after school to connect with parents.

Stay tuned in the weeks to come as we take a closer look at other apps such as TikTok and WhatsApp Messenger that — when used unwisely — can lead to some surprising risks for kids. Until then, keep the digital safety conversation humming in your home. You’ve got this, parents!

The post TikTok Challenge, Hoop App, and Other Headlines You May Have Missed appeared first on McAfee Blogs.

Will we just accept our loss of privacy, or has the techlash already begun? | Alan Rusbridger

Not so long ago we searched Google. Now we seem quite happy to let Google search us

Probably too late to ask, but was the past year the moment we lost our technological innocence? The Alexa in the corner of the kitchen monitoring your every word? The location-betraying device in your pocket? The dozen trackers on that web page you just opened? The thought that a 5G network could, in some hazily understood way, be hardwired back to Beijing? The spooky use of live facial recognition on CCTV cameras across London.

With privacy there have been so many landmarks in the past 12 months. The $5bn Federal Trade Commission fine on Facebook to settle the Cambridge Analytica scandal? The accidental exposure of a mind-blowing 1.2 billion people’s details from two data enrichment companies? Up to 50m medical records spilled?

We gleefully carry surveillance machines in our pockets and install them in our homes


Take Action This Data Privacy Day

We all know that data breaches have been on the rise, and hackers are finding clever, new ways to access our devices and information. But sometimes it takes a little push to get us to take action when it comes to protecting our most sensitive information. That’s why this Data Privacy Day, on January 28th, we have the perfect opportunity to own our privacy by taking the time to safeguard data, and help others do the same.

After all, there are now roughly four billion consumers connected online, living various moments of truth that could potentially put them at risk. From sharing photos and socializing with friends, to completing bank transactions—people expect to do what they desire online whenever and wherever they want. But as the saying goes, “with great power comes great responsibility”, and it is imperative that consumers take accountability, not just by enjoying the advantages of connecting online, but by protecting their online identities, too.

Remember, your personal information and online presence are as valuable as money, and what you post online can last a lifetime. Data Privacy Day is a reminder for everybody to make sure that they are protecting what matters most to them: their personal data, as well as their families and friends.

So, let’s get started. Even if you have a large online footprint, protecting this information doesn’t have to be overwhelming.

Here are a few tips:

Update your privacy and security settings—Begin with the websites and applications that you use the most. Check to see if your accounts are marked as private, or if they are open to the public. Also, look to see if your data is being leaked to third parties. You want to select the most secure settings available, while still being able to use these tools correctly. Here’s a guide from StaySafeOnline to help you get started.

Start the New Year with a new digital you—When opening new online accounts for sharing personal information such as your email address or date of birth, create a new digital persona that has alternative answers that only you would know. This will limit online tracking of your real personal information.

Lock down your logins—At the same time, secure your logins by making sure that you are creating long and unique passphrases for all of your accounts. Use multi-factor authentication, when available. This is a security measure that requires more than one step to validate your login, such as a password plus a code sent to your mobile device, or a fingerprint. It is exponentially more secure than a simple password.

Spread the word and get involved—Once you have done your own privacy check, help others do the same. It’s important that we all feel empowered to protect our privacy, so share the safety tips in this article with your family, coworkers, and community. Here are some helpful resources to create privacy awareness where you live.

Protect your family and friends—If you are a parent, you can make a big difference by helping raise privacy-savvy kids. After all, today’s kids represent the future of online security. If they start building their digital footprints with solid safety habits, it makes all of us more secure.

Begin with this handy tip sheet.

Own your information—It’s time for everyone to feel empowered to own their information. While there will always be online threats, you can minimize any potential harm by committing yourself to the action steps we listed above. Once you have, spread the word by using the hashtag #privacyaware on Twitter, Instagram, or Facebook.

Let’s make this 12th annual international Data Privacy Day the most effective ever! Stay up to date with all the event happenings, here, and keep informed year-round on the latest threats and security tips.

The post Take Action This Data Privacy Day appeared first on McAfee Blogs.

What Website Owners Should Know About Terms and Conditions

All website owners should consider terms and conditions (T&Cs) to be a form of legal protection as they establish the responsibility and rights of the involved parties. T&Cs provide full security should anything go amiss and they also help you settle any disputes quickly without having to resort to the courts.

Is it a legal requirement to include T&Cs?

No, but it’s always best to include terms and conditions on your website as they will enable you to reduce your potential liabilities. It is essential that you let your customers or visitors know about their rights; if you’re not clear about your policies, they may dispute matters such as cancellation options, item returns and other rights, putting your company at a disadvantage. Additionally, if areas of your terms and conditions are unclear or not mentioned at all, you may be liable to give your customers additional rights beyond those granted by statute.

Do you have to include GDPR provisions?

Website owners, even those outside the European Union (EU), should also consider incorporating the General Data Protection Regulation. Inserting a data protection clause can reassure your customers that their data will not be used for inappropriate purposes. You can include the majority of the GDPR obligations in your site’s privacy policy.

What should you include in the T&Cs?
If you are an online seller, it is essential to explain to customers the various processes involved, such as:
  • How to make a purchase
  • How to make a payment
  • How they will receive their products
  • How they can cancel orders
T&Cs help you establish boundaries by outlining what specific rights customers have. In return, you also inform them about your obligations as a seller and the limits of your legal liability.

What kind of protection can you expect from the T&Cs?

It is not uncommon for disputes to arise between you and your online customers or visitors. Therefore, it is essential to ensure that the terms and conditions are accessible, preferably on your website.

You also need to protect your website from copyright infringements. You can avoid potential disputes and confusion by specifying which sections are copyrighted and which are your intellectual property. You should also stipulate what visitors can do with your data. If there is any breach of your copyright or intellectual property, the terms and conditions should clearly explain how the problem will be resolved.

Are there standard T&Cs which apply to all websites?
There are general formats or templates of T&Cs that you can obtain for free online. However, there is always the possibility that these documents will not cover specific aspects of your business or will not include the relevant terms. If you omit an essential term from your website, you may find yourself vulnerable if a dispute arises. Therefore, it is critical that you customise your terms and conditions so they are suitable for your website and business.
  • Product and service offerings – No two businesses are alike, even if you sell the same products and services. For example, your competitor may only accept PayPal but you may allow other modes of payment.
  • Industry or target audience – In every industry, there are specific provisions that need to be included in the T&Cs. For example, customers may have a legal right to cancel or return their purchases within a specified period.
Can website owners enforce their T&Cs?
Your T&Cs are like any other enforceable contract. Nevertheless, you must ensure that they don’t contravene existing consumer laws or government regulations. Remember, you should only incorporate clauses that you can legally apply.

Conclusion
Terms and conditions are necessary for all businesses, including e-commerce sites. It is essential that you create T&Cs that are suitable for your products and services, and that they are legally enforceable. You also need to periodically review your T&Cs, especially if there have been any significant changes to your business structure or the law. Moreover, they must be accessible to your online customers and visitors. If they are not aware of your T&Cs, you may find it difficult to enforce them if a problem arises.

Written by Kerry Gibbs, a legal expert at BEB Contract and Legal Services.

GDPR Checklist For Small Businesses

The new General Data Protection Regulation (GDPR), which came into effect in 2018, meant some big changes in the way businesses collect and handle personal data. The idea behind the new legislation is to give individuals better access and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses, who must now provide legal grounds for collecting data and must only use it for the intended purpose. What’s more, they need to follow these regulations to the letter and remain GDPR compliant at all times.

This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:

  • Understanding your data and responsibilities
  • Defining your data consent policy
  • Access requests and disposing of old data
  • Setting up a data storage and security policy
  • Training all staff on GDPR
  • Creating data processing notices

  1. Understanding your data and responsibilities

In order to be GDPR compliant it’s important that you understand what data you’re collecting and your responsibilities as a business. It’s therefore a good idea to get clued up on what is defined as ‘personal data’ and set out strict guidelines on how much information you need to collect. This is because a huge part of GDPR is ensuring that you only collect personal information you actually need and that it is only used for the intended purpose. The less you collect the easier it is to stay compliant.

You’ll also want to ensure anyone that is involved in the handling of data understands how to collect and store the data effectively, as well as how to process it in line with GDPR. As you collect data, it’s a good idea to keep a note of how consent is being obtained and what processes the data goes through once it has been collected.

 

  2. Setting out your data consent policy

Getting clear and explicit consent from individuals to collect and use their data is one of the most important aspects of GDPR. For this reason, you need to outline to customers or those using your services why you’re collecting their data and how you intend to use it in the future. Once they have actively agreed, you can then collect their data – this is usually done through sign-up forms or pop-ups. However, if they do not give you permission then under no circumstances should you record their personal information.

You must be able to show that you have obtained consent for all the data that you have collected. Otherwise, you run the risk of being fined. Another point worth noting is that you can no longer rely on underhand tactics such as pre-ticked boxes to gain consent. This is now illegal under GDPR and can land you in trouble. Finally, you must make it easy for individuals to opt out of receiving your communications. The best way to do this is by adding an unsubscribe button at the bottom of all emails.

 

  3. Access requests and disposing of old data

If you haven’t already, GDPR states that you must get re-permission from customers whose information you held before the new guidelines were implemented in May 2018. If they do not give you their consent once again or they do not reply to your email at all, you must delete their data as soon as possible. An important part of your GDPR checklist should be getting auditing processes in place that determine how long you will store data. For example, if a customer has not engaged with your brand in 12 months it is no longer necessary to keep their information and it should therefore be deleted.

What’s more, as part of GDPR every EU individual has the right to access their data. Therefore you need a system in place to deal with access requests. You’ll have 30 days from receiving the request to provide them with an electronic copy of all the information you have on them. They can also request that this be deleted, so you need a system in place to get this done as quickly as possible.

 

  4. Setting up a data storage and security policy

GDPR is set out to protect the rights and personal information of individuals, therefore you need to make sure you’re taking care of the data you’re collecting. This means knowing where it is stored and ensuring you’ve got the security measures in place to keep it safe. Mapping out all the places where you store data, be that email, databases or cloud-based systems, makes it easier to find and deal with access or deletion requests. Your storage and security policy should outline where everything is stored, how it is protected and who has access to said data.

You also need to know how data is being transferred and the flow of information around your business. This stops information seemingly getting lost or falling into the wrong hands. It also pays to have a system in place just in case your hardware is accessed or lost, whilst containing sensitive information. For example, if a laptop full of information is misplaced, having the data encrypted means you’re less likely to fall victim to a breach or face a fine.

 

  5. Training all staff on GDPR

Most data breaches or security mistakes come as a result of human error. But unfortunately, in this case ignorance isn’t bliss: you cannot use ignorance as an excuse for mishandling data. For this reason, it’s important that all members of your team are clued up on GDPR, their personal responsibilities for looking after personal data, and how to recognise a breach. As part of GDPR, you must report any data breaches within 72 hours; this becomes much easier if everyone in your team is educated on what a breach looks like and who they need to report it to.

 

  6. Creating data processing notices

Finally, data handling needs to be a clear and transparent process, and therefore it’s a good idea to create a notice to explain how your business collects and processes data. This is often called a Fair Processing Notice and can be sent out to customers/users as well as being displayed somewhere on your website. It should outline how you capture, use and store data, as well as giving instructions on how an individual can make an access or deletion request. This helps them to understand how you are protecting their data and can be great for building your reputation as a legitimate and caring business.

 

The post GDPR Checklist For Small Businesses appeared first on CyberDB.

Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset

Editor’s Note: This is part II of a series on Digital Minimalism in 2020.

Is this the year you rethink and rebuild your relationship with technology? If so, embracing digital minimalism may be the most powerful way to achieve that goal.

We learned last week in our first post in this series that digital minimalism isn’t about chucking your devices and going off the grid. It’s about being hyper-intentional that your technology choices support the things you value.

And, as outlined by Cal Newport in his book, Digital Minimalism: Choosing a Focused Life in a Noisy World, the first step in the process is clarifying your values. Your values are the guiding principles that motivate you and give your life meaning such as family, education, work/life balance, community service, friendship, integrity, health, or wealth. With values clearly defined, you can evaluate every piece of technology, app, or social network you use to be sure it aligns with those values.

For instance, if you establish your top values to be family and volunteering, then maybe it’s time to let go of all the podcasts, apps, and email subscriptions that no longer support those priorities. The online social communities you habitually peruse may trigger anxiety and be taking time from activities that could be far more fulfilling.

If you get overwhelmed amid your technology pruning, come back to these two critical questions:

  • Does this technology directly support something that I deeply value?
  • Is this technology the best way to support this value?


There’s a ton of great information as well as passion online around the concept of digital minimalism. But to keep this new idea “minimal” and easy to grasp, we’ve chosen 5 things you can do today to help you and your family jumpstart this new way of thinking.

5 ways to jumpstart a ‘digital minimalist’ mindset

  1. Make social accounts private. Last week we suggested cutting all non-essential media for 30 days. Another way to mentally shift into a minimalist mindset is to transition your social media accounts from public to private if you haven’t already. Not only will this small change increase your online privacy, but it could also help you become more aware of the amount of content you share, the people with whom you share it, and the value of what you share. For people who post frequently (and often out of habit), this may prove to be a game-changer. The goal of digital minimalism isn’t a digital detox or white-knuckling no-or-less-tech life. The goal is to consciously, willingly, and consistently be rebuilding your relationship with technology into a formula that decreases distraction and increases value.
  2. Audit those apps! Want to feel a rush of minimalist adrenaline? Whack some apps! Most of us have amassed a galaxy of apps on our phones, tablets, and laptops. Newport suggests getting rid of any apps or devices that continuously distract and are “outside of work.” Those brain games, cooking apps, calorie trackers, and delivery apps you rarely use or value, may no longer be relevant to your values. Some will find this exercise exhilarating, while others may feel panicked. If that’s the case, pace yourself and delete a handful of apps over the next few weeks. The goal is more peace, not panic. On a security note: Remember, apps are one of the main channels for malware. Consider adding security software to your family devices, reading app reviews, and only downloading trusted products.
  3. Reclaim your space. Do you carry your phone with you into restaurants, upstairs, on a walk, and even to the bathroom? If so, this step may be especially tricky but incredibly beneficial. Think about it — you weren’t born with a phone. Over the years, it became a companion, maybe even an extra appendage. So start small to reclaim your birthright to phone-free space. If you go outside to walk your dog, leave your phone inside. Are you headed into a restaurant? Leave the phone in the car. Newport also suggests leaving your phone in a fixed spot in your home and treating it like the “house phones” of the past. When you go to bed, leave your phone in another room. Over time, hopefully, these small changes will add more hours, sleep, relaxation, conversation, and contemplation to your day.
  4. Condense home screens, turn off all notifications. Clutter — especially digital clutter — can trigger feelings of chaos and anxiety. By creating folders for random files and apps on your laptop, tablet, and phone, you can declutter and breathe a little easier. If later you can’t find a document, use the search tool on your device. Also, turn off all notifications, including your phone ringer, to reduce interruptions and to avoid the temptation to phub (phone snub) the person in front of you.
  5. Replace device time with more productive activities. The pain and regret of the social media time suck are very real. We lose days, even years going down digital rabbit holes and getting emotionally invested in random social media posts and exchanges. Some ideas: If you are a night scroller, opt to read a physical book. If you take breaks to scroll during work hours, put your phone in a drawer — out of sight, out of mind. If you’ve defined “relaxing” as curling up with your coffee and phone and reading through social feeds, reclaim those hours by calling a friend, taking a walk, connecting with your family, reading, or getting outside.

Embracing a new mindset, especially when it comes to our sacred technology habits, won’t be an easy task. However, if you know (and yes, you do know) that technology is taking up too much of your time, attention, and emotional bandwidth, then 2020 may be the perfect time to release digital distractions, rethink your technology choices, and reclaim the things that matter most.

The post Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset appeared first on McAfee Blogs.

CCPA and University Surveillance Apps

It’s the turn of a new decade and a new privacy law has gone into effect — the California Consumer Privacy Act or CCPA. A quick check with some of my fellow privacy pros on how many consumer information requests received at the end of the day on Jan. 1, puts retail at higher numbers […]

The post CCPA and University Surveillance Apps appeared first on Privacy Ref.

Cybercrime is moving towards smartphones – this is what you could do to protect your company

By 2021, cybercrimes will cost companies USD 6 trillion, according to a study.

The number of internet users has grown from an estimated 2 billion in 2015 to 4.4 billion in 2019, but so have cybercrimes, which are expected to cost companies USD 6 trillion worldwide, according to a study by Cybersecurity Ventures.

Similarly, the number of smartphone users has grown from 2.5 billion in 2016 to 3.2 billion in 2019 and is forecasted to grow to 3.8 billion by 2021. Smartphones and the internet will make further inroads to our economic system. But there are certain risks involved as well.

Mobile phones are becoming targets of cybercriminals because of their widespread use and increasing computing power. Consider the fact that more than 60% of online fraud occurs through mobile phones. This threat is not just towards individual users but businesses as well. It does not matter how large the company is either. 43% of the cyberattacks in 2019 were aimed at smaller businesses because they do not have adequate protection.

Given how vulnerable smartphones are and that the threat from cyber attacks is only expected to increase, here are some measures you can take to protect your business from cybercriminals:

Rethink BYOD:

Bring Your Own Devices (BYOD) offers several benefits to both the organization and employees. Such a policy allows employees at a company to use their mobile phones, tablets, or laptops for work, saving companies the hassle to purchase devices.

However, you need to rethink whether you are saving more than you are losing. Employees have confidential company information on their devices. Such a door into your organization can cost you heavily. Set aside the funds to obtain company devices for use by employees at the office. Consider such an investment as part of your cybersecurity strategy.

 

Cybersecurity assessments:

The cybersecurity threat landscape is ever-evolving due to the fast nature of innovation. Develop a comprehensive cybersecurity program that includes a regular assessment of your company’s security needs. Identify the strengths of your IT infrastructure against potential attacks, and do not let advances in technology or techniques take that away from you. Similarly, you should identify the vulnerabilities in your systems. Make sure any gaps in your defenses are appropriately plugged. A threat assessment should be an integral component of any cybersecurity policy.

Retrain staff:

Make sure that employees at your organization are informed and up to date on the latest in cyber threats. This way they can protect themselves and the company from cybercriminals. Even a single mistake by one employee can end up creating a door for individuals or groups wishing your company harm. All employees must be trained as a matter of policy. This way, they can identify phishing attacks and manage social engineering scams. Another factor your employees must be mindful of is resource monitoring. Suspicious resource use on company devices, whether it is excess internet or battery usage, should raise alarm bells. However, employees may not look into such things in detail because they do not own the devices. Train your staff to keep track of resource use too.

 

Employee monitoring:

Most organizations have some form of an employee monitoring policy and track their workers. If you haven’t done so already, develop such a policy, and keep your employees informed to ensure transparency. If you have decided to use company devices, you can opt to install monitoring apps on them. There are several modern monitoring apps currently available such as XNSPY. The app can keep track of online activities, generate a list of call logs, and remote control the device. Furthermore, you can track the location of the device in real-time, and use features such as geofencing and GPS history. There are other powerful features too, such as ambient recording, multimedia access, and online activity tracking. You can also wipe off all the data from a device in case of theft. Monitoring apps such as XNSPY should be a part of your strategy against cybercriminals.

 

Don’t forget physical infrastructure:

Cybersecurity may involve software updates and training policies, but making sure your physical infrastructure is safe is just as important. Re-evaluate how exposed your digital infrastructure is to physical access. Furthermore, go through the profiles of suppliers and vendors to vet them properly. A small door in any piece of equipment can let cybercriminals through and bypass your entire cybersecurity foundation. Be aware of this threat and make sure that suppliers work by following specific regulations.

Develop a threat monitoring policy:

Anticipating an attack and stopping it is an important part of comprehensive cybersecurity policy. Make sure that you are monitoring your digital infrastructure round the clock.

Invest in threat monitoring software and a team of professionals that can identify, track, and stop an attack.

The concept of designing a cybersecurity system as a fortification is changing to an adaptable system that can accommodate evolving security threats. Furthermore, a monitoring policy also needs to have a clear response plan.

Such a plan details what needs to happen and when in case of an attack. This ensures that there is a speedy response by your company against any threat.

Conclusion:

Smartphones have become powerful enough that they can be considered as computers in their own right. While this has created scores of opportunities, there are also clear threats posed by cybercrime. These threats are only going to increase as the internet and smartphone use increases. While protecting your business against cyber criminals requires a considerable investment of time and money, it will pay off in the long run.

 

Clark Thomas is an expert in VOIP. He helps businesses, both small and medium-sized, in implementing and adopting the best security methods for their organization and network. He gives great advice and assists people in boosting the security measures for their website and business.

The post Cybercrime is moving towards smartphones – this is what you could do to protect your company appeared first on CyberDB.

Lessons Learned: A Decade of Digital Parenting

Give yourself a high-five, parents. Pour yourself a cup of coffee or your favorite celebratory drink and sip it slow — real slow. Savor the wins. Let go of the misses. Appreciate the lessons learned. You’ve come a long way in the last decade of raising digital kids, and not all of it has been easy.

As we head into 2020, we’re tossing parenting resolutions (hey, it’s a victory to make it through a week let alone a year!). Instead, we’re looking back over the digital terrain we’ve traveled together and lessons learned. Need a refresher? Here’s a glimpse of how technology has impacted the family over the past decade.

In the last decade

• Smartphone, social, gaming growth. Social media and gaming platforms have exploded to usage and influence levels no one could have imagined. Smartphone ownership has increased and as of 2019: 81% of adults own a smartphone and 72% use social media, 53% of kids own a smartphone by the age of 11, and 84% of teenagers have phones.

• Video platform growth. Video platforms like YouTube have become the go-to for teens and tweens who spend nearly three hours a day watching videos online.

• Streaming news. Smartphones have made it possible for all of us to carry (and stream) the world in our pockets. In 2018, for the first time, social media sites surpassed print newspapers as a news source for Americans.

• Dating apps dominate. We’re hooking up, dating, and marrying using apps. A Stanford study found that “heterosexual couples are more likely to meet a romantic partner online than through personal contacts and connections.”

• The rise of the Influencer. Internet influencers and celebrities have reached epic levels of fame, wealth, and reach, creating an entire industry of vloggers, gamers, micro and niche-influencers, and others who have become “instafamous.”

• Lexicon changes. Every day, technology is adding terms to our lexicon that didn’t exist a decade ago such as selfie, OMG, streaming, bae, fake news, the cloud, wearables, finsta, influencers, emojis, tracking apps, catfish, digital shaming, screen time, cryptojacking, FOMO, and hashtag, along with hundreds of others.

What we’ve learned (often the hard way)

Most people, if polled, would say technology has improved daily life in incalculable ways. But ask a parent of a child between five and 18 the same question, and the response may not be as enthusiastic. Here are some lessons we’ve learned the hard way.

Connection brings risk. We’ve learned that with unprecedented connection comes equally unprecedented risk. Everyday devices plug our kids directly into the potential for cyberbullying, sexting, inappropriate content, and mental health issues. Over the past decade, parents, schools, and leaders have worked to address these risks head-on but we have a long way to go in changing the online space into an emotionally safe and healthy place.

Tech addiction isn’t a myth. To curb the negative impact of increased tech use, we’ve learned ways to balance and limit screen time, unplug, and digitally detox. Most importantly, it’s been confirmed that technology addiction is a medical condition that’s impacting people and families in very painful ways.

The internet remembers. We’ve witnessed the very public consequences of bad digital choices. Kids and adults have wrecked scholarships, reputations, and careers due to careless words or content shared online. Because of these cases, we’re learning — though never fast enough — to think twice about the behaviors and words we share.

We’re equipping vs. protecting. We’ve gone from monitoring our kids aggressively and freaking out over headlines to realizing that we can’t put the internet in a bottle and follow our kids 24/7. We’ve learned that relevant, consistent conversation, adding an extra layer of protection with security software, and taking the time to understand (not just monitor) the ways our kids use new apps, is the best way to equip them for digital life.

The parent-child relationship is #1. When it comes to raising savvy digital kids and keeping them safe, there’s not a monitoring plan in existence that rivals a strong parent-child relationship. If you’ve earned your child’s heart, mind, and respect, you have his or her attention and can equip them daily to make wise choices online.

The dark web is . . . unimaginably dark. The underbelly of the internet — the encrypted, anonymous terrain known as the Dark Web — has moved from covert to mainstream exposure. We’ve learned the hard way the degree of sophistication with which criminals engage in pornography, human trafficking, drug and weapon sales, and stolen data. With more knowledge, the public is taking more precautions especially when it comes to malware, phishing scams, and virus attacks launched through popular public channels.

There’s a lot of good going on. As much negative as we’ve seen and experienced online over the past decade, we’ve also learned that its power can be used equally to amplify the best of humanity. Social media has sparked social movements, helped first responders and brought strangers together in times of tragedy like no other medium in history.

Privacy is (finally) king. Ten years ago, we clicked on every link that came our way and wanted to share every juicy detail about our personal lives. We became publishers and public figures overnight and readily gave away priceless chunks of our privacy. The evolution and onslaught of data breaches, data mining, and malicious scams have educated us to safeguard our data and privacy like gold.

We’ve become content curators. The onslaught of fake news, photo apps, and filter bubbles have left our heads spinning and our allegiances confused. In the process, we’ve learned to be more discerning with the content we consume and share. While we’re not there yet, our collective digital literacy is improving as our understanding of various types of content grows.

Parents have become digital ninjas. The parenting tasks of monitoring, tracking, and keeping up with kids online have gone from daunting to doable for most parents. With the emotional issues now connected to social media, most parents don’t have the option of sitting on the sidelines and have learned to track their kids better than the FBI.

This is us

We’ve learned that for better or worse, this wired life is us. There’s no going back. Where once there may have been doubt a decade ago, today it’s clear we’re connected forever. The internet has become so deep-seated in our culture and homes that unplugging completely for most of us is no longer an option without severe financial (and emotional) consequences. The task ahead for this new decade? To continue working together to diminish the ugly side of technology — the bullying, the cruelty, the crime — and make the internet a safe, fun experience for everyone.

The post Lessons Learned: A Decade of Digital Parenting appeared first on McAfee Blogs.

Cybersecurity And Privacy for a Co-Working Space

The way we work and the spaces we work in have changed considerably in the last fifty years. Corporate culture is nothing like it was in the 1980s and 1990s. Private offices and cubicles have given way to open-plan offices. Many in the workforce today prefer to work remotely and keep flexible hours, so hot-desking is common in many multinational companies, including those with large office spaces. As start-up culture grew, so did the need for many small offices. This growing population of self-employed professionals and start-up founders still needs the resources of a conventional office, such as printers, shredders, Wi-Fi, meeting rooms and video-conferencing, and a place to meet people, network and exchange ideas, because working solo can become monotonous. Co-working provides an all-in-one answer: a shared space in which equipment and utilities are shared among the businesses that rent it. Co-working spaces have become very popular across the world, especially in cities where real estate is expensive; according to published statistics, the number of co-working spaces grew by 205% between 2014 and 2018.

In any business, however, security is paramount. Corporate espionage is a reality even for small businesses, which are often where great ideas and innovations are born. A co-working space is a melting pot of unrelated people, not all of whom can be trusted. Sharing space, equipment and utilities must therefore not turn into unknowingly sharing information and trade secrets. Ensuring data privacy and cyber security in a shared office is difficult, but it can be achieved by laying down ground rules and ensuring that everyone follows them. The following are some security best practices for a co-working space.

  1. Ensuring network security: Shared Wi-Fi is probably the most popular and heavily used service a co-working space provides, and it is also the most exposed from a cyber security perspective. The following practices help keep Wi-Fi access secure for all users.
    1. Have a dedicated administrator who ensures that networks are set up correctly and securely, keeps access points and their firmware patched, and liaises with users to make sure they follow the guidelines.
    2. Use WPA2 or WPA3 with a strong passphrase on every network, never an open or WEP network, and rotate shared passphrases regularly so that former members lose access. Better still, give each member their own credential (WPA2/WPA3-Enterprise with 802.1X, or per-user pre-shared keys where the access points support them) so that one departing member can be revoked without re-keying everyone else.
    3. Give every business its own network (a separate SSID on its own VLAN, with its own access page if a captive portal is used), plus a separate guest network with client isolation enabled so that guest devices can reach the Internet but not each other or the tenants’ segments. Shared equipment such as printers belongs in its own segment that tenants can reach only on the ports they actually need.

  2. Securing smart devices: IoT has put network connectivity into everyday devices such as TVs, refrigerators, coffee machines and printers, and a co-working space may host many of them. A compromised device is a foothold on the Wi-Fi network, and a compromised network exposes every device on it. Secure them by changing default credentials, keeping firmware updated, disabling services that are not needed, and placing them on their own network segment rather than on a tenant’s. All devices that can connect to the network, including laptops and phones, should require a password or PIN to unlock and should not be left unlocked or unattended.

  3. Blocking websites: It is good practice to block known-malicious websites, which do nobody any good, for example with a filtering DNS resolver or a web proxy at the gateway. Corporate offices have long done this to cut unwanted traffic and protect the network and its data, and there is no reason a co-working space cannot offer it as a service.

  4. Vetting users: Co-working spaces may run a minimum background check on prospective members to ensure that they fit the business culture of the space and would not disrupt the other users in any way.

  5. Physical monitoring: Cameras deter and record attempts to steal data or equipment that belongs to someone else. Physical access cards, logging of entry and exit times, and cameras all contribute to the overall security of the space, as do lockable storage and a shredder, since a shared office leaks on paper as readily as over the network.
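The network practices above (a separate network for every business, a guest network that is isolated, shared equipment reachable only where needed) are easier to reason about when written down as an explicit policy. The block below is an added example, not code from the original post: it models such a policy as ordered zone rules with a default deny and evaluates candidate connections against it. The VLAN plan, the zone names, the printer ports and the rule set are assumptions chosen for illustration; a real deployment expresses the same rules in the gateway firewall (nftables, pf, or a vendor's zone policy) and enables client isolation on the guest SSID.

```python
"""Policy model for a segmented co-working network.

Added example; not code from the original post. The VLAN plan, zone names
and rule set are assumptions chosen to show what "a separate network for
every business plus a guest network" means in practice: each tenant gets
its own segment, guests are isolated from everything but the Internet,
shared printers live in their own segment, and anything not listed is denied.
"""
import ipaddress
from typing import FrozenSet, NamedTuple

# Constructed VLAN plan: one private subnet per zone.
ZONES = {
    "tenant_a":   ipaddress.ip_network("10.10.0.0/24"),
    "tenant_b":   ipaddress.ip_network("10.11.0.0/24"),
    "guest":      ipaddress.ip_network("10.20.0.0/24"),
    "shared":     ipaddress.ip_network("10.30.0.0/24"),   # printers, AV gear
    "management": ipaddress.ip_network("10.99.0.0/24"),   # APs, switches
}
INTERNET = "internet"          # any public address
ANY = "*"
ISOLATED = {"guest"}           # zones with AP client isolation: no peer traffic


class Rule(NamedTuple):
    src: str                   # zone name or ANY
    dst: str                   # zone name, INTERNET or ANY
    ports: FrozenSet[int]      # destination ports; empty = any port
    action: str                # "allow" or "deny"


# Ordered rules, first match wins; anything unmatched is denied.
PRINTER_PORTS = frozenset({631, 9100})   # IPP and raw printing
RULES = [
    Rule("management", ANY, frozenset(), "allow"),   # operator manages everything
    Rule(ANY, "management", frozenset(), "deny"),    # nobody else reaches the gear
    Rule(ANY, INTERNET, frozenset(), "allow"),       # everyone may leave the building
    Rule("tenant_a", "shared", PRINTER_PORTS, "allow"),
    Rule("tenant_b", "shared", PRINTER_PORTS, "allow"),
    # No tenant<->tenant rule and no guest->shared rule: both fall to the default deny.
]


def zone_of(ip: str) -> str:
    """Map an address to a zone; unplanned private ranges are never the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unplanned_private" if addr.is_private else INTERNET


def allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether a new connection from src_ip to dst_ip:dst_port may pass."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Same segment: decided by the access point's client isolation, not the gateway.
        return src not in ISOLATED
    for rule in RULES:
        if rule.src not in (ANY, src) or rule.dst not in (ANY, dst):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule.action == "allow"
    return False   # default deny


def audit(flows):
    """Evaluate (src, dst, port, expected) tuples; return those whose verdict differs."""
    return [(s, d, p) for s, d, p, expected in flows if allowed(s, d, p) != expected]


if __name__ == "__main__":
    checks = [
        ("10.10.0.5", "10.11.0.7", 445, False),     # tenant A -> tenant B: denied
        ("10.10.0.5", "10.30.0.20", 9100, True),    # tenant A -> shared printer: allowed
        ("10.20.0.9", "10.30.0.20", 9100, False),   # guest -> printer: denied
        ("10.20.0.9", "93.184.216.34", 443, True),  # guest -> Internet: allowed
        ("10.20.0.9", "10.20.0.10", 445, False),    # guest -> guest: client isolation
        ("10.10.0.5", "10.99.0.1", 22, False),      # tenant -> management: denied
    ]
    print("policy violations:", audit(checks))
```

The `audit` helper is the part worth keeping around: run it against the expected verdicts after every change to the rule set, and a mistaken "allow any" rule added for a printer shows up immediately as a tenant-to-tenant path.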

 

While these guidelines are general, they should be useful to both co-working space operators and users, and give an idea of what to look out for and how to secure private data and intellectual property.

The post Cybersecurity And Privacy for a Co-Working Space appeared first on CyberDB.

The Dark Web: What You Need to Know

Despite its negative connotations, the Dark Web is nothing to be afraid of. Few know that the technology behind most of it, the Tor network, was designed as a means of preserving privacy and resisting surveillance. The same properties, however, have also made it a breeding ground for illegal activity.

There are certainly things to be distrustful of when navigating the Dark Web, and before venturing into it head-first, you should understand certain things about it.

What is the Dark Web?

The first thing to understand is that there is no central database or index of the Dark Web. It is a collection of sites that are reachable only through an anonymity network such as Tor, where they are known as onion services. Such a site runs on an ordinary server, but neither the visitor nor the site learns the other’s network address: traffic between them is relayed through several volunteer-run computers, each of which removes one layer of encryption and knows only the previous and the next hop.

So the data you are reading does come from one specific computer somewhere; what the network hides is where that computer is, and who asked for the data. That is why nobody can easily say where the information is coming from, even though it is not scattered across thousands of machines.

Why do people use the Dark Web?

There are all kinds of uses for the dark web. Some of them are downright nefarious; others, not so much.

  • Drug sales

Taking into consideration the anonymous nature of the Dark Web, it was only a matter of time before it came into use to sell illegal drugs. It is the ideal avenue for this kind of transaction, because of the anonymity factor that is inherent to the Dark Web.

  • Illegal commerce

To say that you can buy anything on the Dark Web would be an understatement. Anything you can imagine, no matter how gruesome, is advertised for sale there, from guns to stolen data to organs, although a great many such listings are simply scams.

  • Child sexual abuse material

Is it really a surprise that child sexual abuse material is rampant on the Dark Web? It is one of its darkest aspects, and the anonymity of the network lends itself to concealing horrors like this.

  • Communication

For all its negative connotations and activities, the Dark Web can also be a way to foster open communication that can sometimes save lives or make a change. Especially in cases where governments monitor online activity, having a place to speak out freely can be invaluable.

  • Reporting

The Dark Web can be an excellent tool for journalists because sources can remain anonymous; several news organizations run SecureDrop as an onion service to receive tips for exactly this reason. Tor hides where a source is connecting from, but it does not make them untraceable if they reveal identifying details or reuse an account elsewhere, so sources and reporters still need careful operational security to avoid consequences from authorities.

How to access

You may be wondering how you can access the Dark Web – after all, you can’t just Google it or access it in a regular browser.

Here are some of the aspects you need to keep in mind about accessibility, including the browser you need to use, the URLs, personal credentials you may need, and even acceptable currency, should you decide to make a purchase.

  • TOR browser

The most common way to access the Dark Web is the Tor Browser, a modified Firefox that sends its traffic over The Onion Router (Tor) network. Your connection passes through three relays, with one layer of encryption for each, so no single relay sees both who you are and where you are going, and the browser is configured to resist fingerprinting. Note what this does and does not cover: traffic to a .onion site stays encrypted end to end inside Tor, but traffic that leaves through an exit relay to an ordinary website is protected only by that site’s own HTTPS, and nothing stops you from identifying yourself by logging in to an account.

You can obtain the Tor Browser by downloading it from the official website, torproject.org; install it and run it like any normal program. And if you were worried about its legality, in most countries you need not be.

Both accessing the Dark Web and downloading the means to do so are legal in most jurisdictions, although some countries block or restrict Tor. While this can enable some pretty dark human behavior, it can also give us very necessary freedom to do positive things, as you will see. Not everyone uses it for nefarious purposes.
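The claim that Tor "encrypts everything" is best checked by looking at what each relay actually receives. The block below is an added example, not code from the original post or from the Tor Project: it builds a three-layer onion for a client request, lets each relay peel only its own layer, and records what that relay can see. The cipher (an unauthenticated XOR keystream derived from SHA-256), the pre-shared hop keys, the JSON cell layout and the modelling of TLS as one extra layer under a key only the destination holds are all simplifications assumed here; real Tor negotiates AES keys per circuit and uses fixed-size cells.

```python
"""Toy onion routing: what each Tor relay can and cannot see.

Added example, not code from the original post or from the Tor Project.
The cipher is a deliberately simple, unauthenticated XOR keystream built
from SHA-256, the hop keys are pre-shared instead of negotiated, and the
cell layout is JSON; all of that is assumed for illustration only.
"""
import hashlib
import json
import secrets
from typing import Dict

HOPS = ["guard", "middle", "exit"]   # circuit: client -> guard -> middle -> exit -> site


def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream (toy only). Applying it twice decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt


def build_onion(keys: Dict[str, bytes], dest: str, payload: bytes) -> bytes:
    """Wrap the payload in one layer per hop; the exit's layer is innermost."""
    inner = {"dest": dest, "data": payload.hex()}
    cell = toy_encrypt(keys["exit"], json.dumps(inner).encode())
    for hop, nxt in (("middle", "exit"), ("guard", "middle")):
        layer = {"next": nxt, "cell": cell.hex()}
        cell = toy_encrypt(keys[hop], json.dumps(layer).encode())
    return cell


def peel(key: bytes, cell: bytes) -> dict:
    """Remove one layer: a relay learns the next hop and an opaque inner cell."""
    return json.loads(toy_decrypt(key, cell).decode("utf-8"))


def can_read(key: bytes, cell: bytes) -> bool:
    """True only if this key removes the outermost layer of the cell."""
    try:
        peel(key, cell)
        return True
    except ValueError:          # UnicodeDecodeError / JSONDecodeError on garbage
        return False


def relay_views(keys: Dict[str, bytes], client_ip: str, dest: str, payload: bytes) -> Dict[str, dict]:
    """Run the cell down the circuit and record each relay's view of it."""
    views = {}
    cell = build_onion(keys, dest, payload)
    prev = client_ip
    for hop in HOPS:
        layer = peel(keys[hop], cell)
        views[hop] = {
            "previous": prev,                                   # who handed me the cell
            "next": layer.get("next") or layer.get("dest"),     # where I forward it
            "destination": layer.get("dest"),                   # only the exit learns this
            "payload": bytes.fromhex(layer["data"]) if "data" in layer else None,
        }
        prev = hop
        if "cell" in layer:
            cell = bytes.fromhex(layer["cell"])
    return views


def simulate(app_layer_tls: bool) -> Dict[str, dict]:
    """Constructed scenario: a client at 203.0.113.7 sends a login request through Tor."""
    keys = {hop: secrets.token_bytes(32) for hop in HOPS}
    request = b"GET /login?user=alice&pw=hunter2 HTTP/1.1"
    if app_layer_tls:
        # Assumption: TLS is modelled as one more layer under a key known only to
        # the destination, so the exit relays bytes it cannot read.
        request = toy_encrypt(secrets.token_bytes(32), request)
    return relay_views(keys, "203.0.113.7", "example.com:443", request)


if __name__ == "__main__":
    for tls in (False, True):
        print("with TLS" if tls else "plain HTTP")
        for hop, view in simulate(tls).items():
            print(f"  {hop:6s} prev={view['previous']!r:14} next={view['next']!r:18} "
                  f"dest={view['destination']!r} payload={view['payload']!r}")
```

Run it and the asymmetry is plain: the guard sees the client's address but neither the destination nor the payload, the middle sees only other relays, and the exit sees the destination plus the request exactly as the client sent it. With the extra TLS layer the exit still sees where the traffic is going, but not the credentials inside it.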

  • Exact URLs

What makes the Dark Web hard to navigate is that its pages are not indexed by regular search engines, so anything you are looking for requires the exact address. Onion addresses are not memorable names but long strings derived from the site’s public key (current addresses are 56 characters ending in .onion), which both limits who can find a site and makes impersonation by a look-alike address a real risk. That limits the number of people who can access the Dark Web, as well as the scope of the pages one can reach.

Unless you know exactly where to look, you may not have much luck finding what you want. That can deter you from searching, or on the contrary, it can push you to seek out someone who is well versed in illegal activity and can help you out, which brings its own risks.

  • Criminal activity

It comes as no surprise that the Dark Web is a hotbed of criminal activity. No one is advocating taking up crime in order to use the Dark Web, but generally speaking, many of the people looking up addresses here are engaged in all manner of criminal activity, and many of the sites are out to defraud them.

  • Bitcoin

Most transactions on the Dark Web are settled in cryptocurrency, usually Bitcoin. It is a common misconception that Bitcoin cannot be traced: it is pseudonymous, not anonymous. Every transaction is recorded permanently on a public ledger, addresses that are spent together can be linked to the same owner, and the moment coins are cashed out at an exchange that verifies its customers’ identities, the whole chain of payments can be tied to a real person. Blockchain analysis of exactly this kind has featured in several market takedowns, which is one reason some markets have moved to privacy-focused coins such as Monero.

Nor does the use of cryptocurrency make transactions safe. A high degree of uncertainty accompanies every purchase, regardless of what you are buying.

You might find that the person you are buying from is a scammer who takes your money but never sends the product, and entire markets have vanished with the funds held in escrow. Even where identities are protected, transactions are not, so a degree of care is always necessary.
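To make the traceability point concrete, the block below is an added example, not code from the original post, that applies the common-input-ownership heuristic to a small constructed ledger and then follows the coins forward until they land at a labelled address. The transactions, the addresses and the "exchange deposit" label are all constructed; the label stands in for the attribution data that an exchange's customer records or a blockchain-analysis firm would supply in a real investigation.

```python
"""Following coins on a public ledger: clustering and forward tracing.

Added example, not code from the original post. The transactions below are
constructed, the addresses are placeholders, and the KNOWN label is an
assumption standing in for real attribution data.
"""
from collections import defaultdict, deque
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed ledger: (txid, input addresses, [(output address, amount), ...]).
LEDGER = [
    ("tx1", ["A1", "A2"], [("M1", 0.50)]),                 # buyer funds market escrow
    ("tx2", ["M1"], [("V1", 0.45), ("M2", 0.05)]),         # escrow pays vendor, fee to market
    ("tx3", ["V1", "V2"], [("X_dep", 0.90)]),              # vendor consolidates to an exchange
    ("tx4", ["A2", "A3"], [("S1", 0.10)]),                 # buyer spends again with a third address
]

# Assumed attribution: this address belongs to an exchange that verifies identities.
KNOWN = {"X_dep": "exchange deposit (identity verified)"}


def cluster_addresses(ledger) -> Dict[str, FrozenSet[str]]:
    """Common-input-ownership heuristic: inputs spent in one transaction share an owner.

    Returns a map from every address on the ledger to its full cluster.
    """
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    for _txid, inputs, outputs in ledger:
        for addr in inputs + [o for o, _ in outputs]:
            find(addr)                          # register every address, even unspent ones
        for addr in inputs[1:]:
            parent[find(addr)] = find(inputs[0])

    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return {addr: frozenset(groups[find(addr)]) for addr in parent}


def trace(start: str, ledger, known: Dict[str, str], max_hops: int = 10
          ) -> Optional[Tuple[List[str], str]]:
    """Breadth-first search forward through spends until a labelled address is reached.

    Returns (list of txids on the path, label) or None if nothing labelled is reachable.
    """
    spends = defaultdict(list)                  # address -> [(txid, outputs)]
    for txid, inputs, outputs in ledger:
        for addr in inputs:
            spends[addr].append((txid, outputs))

    queue = deque([(start, [])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if path and addr in known:
            return path, known[addr]
        if len(path) >= max_hops:
            continue
        for txid, outputs in spends[addr]:
            for out_addr, _amount in outputs:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [txid]))
    return None


def trace_cluster(start: str, ledger, known: Dict[str, str]) -> Dict[str, Optional[Tuple[List[str], str]]]:
    """Trace from every address the heuristic ties to `start`, not just `start` itself."""
    clusters = cluster_addresses(ledger)
    return {addr: trace(addr, ledger, known) for addr in sorted(clusters[start])}


if __name__ == "__main__":
    print("buyer cluster:", sorted(cluster_addresses(LEDGER)["A1"]))
    for addr, result in trace_cluster("A1", LEDGER, KNOWN).items():
        print(f"  {addr}: {result}")
```

Two things the output shows that the prose only asserts: an address the buyer never used with the market (`A3`) is still tied to the purchase because it was spent together with `A2`, and the vendor's consolidation into one exchange deposit hands an investigator a single place to serve a records request.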

The future of the Dark Web

While authorities keep working to cut down the number of sites on the Dark Web, new ones are always being created. In the end it can look like a wasted effort: the more websites get shut down, the more pop up in their place.

Does that mean that the Dark Web will continue in perpetuity? No one can say with any degree of certainty. It is entirely possible that people will seek refuge in the anonymity of the Dark Web as the degree of surveillance grows, or the opposite can happen and we can grow to accept surveillance as a means of ensuring a thin veneer of security.

Conclusion

The Dark Web will always be controversial, but it is not nearly as scary as it seems. It certainly conceals some illegal and immoral behavior, but it can also be used for good. Its anonymizing, hard-to-trace design keeps it a somewhat neutral space where people can find the freedom to communicate, investigate, search, trade and make purchases.

The post The Dark Web: What You Need to Know appeared first on CyberDB.