Zoom was doing so well.... And now we have this:
Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications.
"Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Yuan said on the call.
This is just dumb. Imagine the scene in the terrorist/drug kingpin/money launderer hideout: "I'm sorry, boss. We could have had strong encryption to secure our bad intentions from the FBI, but we can't afford the $20." This decision will only affect protesters and dissidents and human rights workers and journalists.
Here's advisor Alex Stamos doing damage control:
Nico, it's incorrect to say that free calls won't be encrypted and this turns out to be a really difficult balancing act between different kinds of harms. More details here:
Some facts on Zoom's current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues. The E2E design is available here: https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf
I read that document, and it doesn't explain why end-to-end encryption is only available to paying customers. And note that Stamos said "encrypted" and not "end-to-end encrypted." He knows the difference.
Yuan sought to assuage users' concerns Wednesday in his weekly webinar, saying the company was striving to "do the right thing" for vulnerable groups, including children and hate-crime victims, whose abuse is sometimes broadcast through Zoom's platform.
"We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to vulnerable groups," he said. "I wanted to clarify that Zoom does not monitor meeting content. We do not have backdoors where participants, including Zoom employees or law enforcement, can enter meetings without being visible to others. None of this will change."
Notice that he specifically did not say that he was offering end-to-end encryption to users of the free platform. Only to "users for whom we can verify identity," which I'm guessing means users that give him a credit card number.
The Twitter feed was similarly sloppily evasive:
We are seeing some misunderstandings on Twitter today around our encryption. We want to provide these facts.
Zoom does not provide information to law enforcement except in circumstances such as child sexual abuse.
Zoom does not proactively monitor meeting content.
Zoom does not have backdoors where Zoom or others can enter meetings without being visible to participants.
AES 256 GCM encryption is turned on for all Zoom users -- free and paid.
Those facts have nothing to do with any "misunderstanding." That was about end-to-end encryption, which the statement very specifically left out of that last sentence. The corporate communications have been clear and consistent.
Come on, Zoom. You were doing so well. Of course you should offer premium features to paying customers, but please don't include security and privacy in those premium features. They should be available to everyone.
And, hey, this is kind of a dumb time to side with the police over protesters.
I have emailed the CEO, and will report back if I hear back. But for now, assume that the free version of Zoom will not support end-to-end encryption.
EDITED TO ADD (6/4): Another article.
EDITED TO ADD (6/4): I understand that this is complicated, both technically and politically. (Note, though, Jitsi does it.) And, yes, lots of people confused end-to-end encryption with link encryption. (My readers tend to be more sophisticated than that.) My worry is that the "we'll offer end-to-end encryption only to paying customers we can verify, even though there's plenty of evidence that 'bad purpose' people will just get paid accounts" story plays into the dangerous narrative that encryption itself is dangerous when widely available. And I disagree with the notion that the possibility of child exploitation is a valid reason to deny security to large groups of people.
As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option. “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday. Zoom encryption and … More
The post Zoom to offer end-to-end encryption only to paying customers appeared first on Help Net Security.
When hungry consumers want to know how many calories are in a bag of chips, they can check the nutrition label on the bag. When those same consumers want to check the security and privacy practices of a new IoT device, they aren’t able to find even the most basic facts. Not yet, at least. The solution A team of researchers in Carnegie Mellon University’s CyLab have developed a prototype IoT security and privacy “nutrition … More
The post Researchers develop IoT security and privacy label appeared first on Help Net Security.
Cybercriminals exposed over 5 billion records in 2019, costing over $1.2 trillion to U.S. organizations, according to ForgeRock. Coupled with breaches in 2018 costing over $654 billion, breaches over the last two years have cost U.S. organizations over $1.8 trillion. Healthcare: The most targeted industry Healthcare emerged as the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45B, an increase from 164 incidents costing over $633 million in 2018. Despite healthcare … More
The post Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion appeared first on Help Net Security.
Police are hoping to stop kids becoming cybercriminals by bombarding them with Google Ads, phishers rub their hands in glee at the NHS track and trace service, and just how does a nano-layer of quantum holographic catalyzer technology make a USB stick cost hundreds of pounds?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast.
Tor Browser 9.5 includes important security updates to Firefox. Desktop users can now opt in to using onion sites automatically whenever a website makes one available.
Starting with the release of Tor Browser 9.5, new features will make accessing onion addresses easier.
There is also an opt-in mechanism for websites that want Tor users to know about their onion service: the site can invite visitors to upgrade their connection to the .onion address.
This feature will be available to Tor desktop users who have the ‘Onion Location’ option enabled.
“For the first time, Tor Browser users on desktop will be able to opt-in for using onion sites automatically whenever the website makes them available. For years, some websites have invisibly used onion services with alternative services (alt-svc), and this continues to be an excellent choice.” reads the post published by the Tor Project. “Now, there is also an opt-in mechanism available for websites that want their users to know about their onion service that invites them to upgrade their connection via the .onion address.”
Website publishers can now advertise their onion services to Tor users by adding an HTTP response header that suggests visitors switch to the version of the site published as an onion service.
To promote an onion site, the website owner adds an 'Onion-Location' header whose value is the URL of the site's .onion address.
When a Tor Browser user with Onion-Location enabled visits a site that serves this header, the browser suggests the onion version of the site.
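As an added example (not code from the Tor Project or from this article), the following Python checks a page's response headers the way Tor Browser does before offering the onion version: the header is only considered on a page served over HTTPS, its value must be an http:// or https:// URL, and the hostname must be a well-formed v3 onion address. Those three conditions are the ones the Tor Project's Onion-Location documentation lists. The address check goes further than a regex: a v3 name is base32 of the 32-byte ed25519 public key, a two-byte checksum and a version byte 0x03, with the checksum being the first two bytes of SHA3-256(".onion checksum" || pubkey || version), so the code recomputes that checksum. The key bytes and the sample headers are constructed for the demo.

```python
import base64
import hashlib
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# A v3 onion hostname is 56 base32 characters (lowercase RFC 4648 alphabet) plus ".onion".
V3_HOST_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses wrap a 32-byte ed25519 public key")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION  # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3(host: str) -> bool:
    """True if host is a syntactically valid v3 onion name whose checksum verifies."""
    host = host.lower()
    if not V3_HOST_RE.match(host):
        return False
    raw = base64.b32decode(host[:-len(".onion")].upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == V3_VERSION and checksum == _v3_checksum(pubkey)


def onion_location(page_url: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the onion URL Tor Browser would offer for this page, or None.

    Conditions (from the Tor Project's Onion-Location documentation): the page
    itself is served over HTTPS, the header value is an http:// or https:// URL,
    and that URL's host is a valid .onion name.
    """
    if urlsplit(page_url).scheme != "https":
        return None
    value = next((v for k, v in headers.items() if k.lower() == "onion-location"), None)
    if not value:
        return None
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if not is_valid_v3(parts.hostname):
        return None
    return value


if __name__ == "__main__":
    # Constructed demo: a made-up public key and the headers a site might send.
    demo_host = encode_v3(bytes(range(32)))
    sent = {"Content-Type": "text/html", "Onion-Location": f"http://{demo_host}/news/"}
    print(onion_location("https://example.com/news/", sent))  # the onion URL is offered
    print(onion_location("http://example.com/news/", sent))   # None: page is not HTTPS
```

The checksum check matters in practice: a typo in an advertised address is indistinguishable from a phishing address by eye, but it fails verification with overwhelming probability, so a site owner can lint the header before deploying it.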
Tor Browser 9.5 also introduces onion service client authentication, which lets onion service operators add an extra layer of access control by requiring a client key pair. Tor Browser users can save and manage those keys in the Onion Services Authentication section under about:preferences#privacy.
The latest version of the Tor Browser has improved URL bar security indicators and improved error messages that are displayed when Tor users are not able to reach an onion site.
“In this release, we have improved the way Tor Browser communicates with users about service-, client-, and network-side errors that might happen when they are trying to visit an onion service,” the Tor Project added.
“Tor Browser now displays a simplified diagram of the connection and shows where the error occurred.”
The post Tor Browser 9.5 is available for download, with new interesting features appeared first on Security Affairs.
Security researchers have tested nearly 1,000 enterprise apps offered on Google’s G Suite Marketplace and discovered that many ask for permission to access to user data via Google APIs as well as to communicate with (sometimes undisclosed) external services. “The request to ‘Connect to an external service’ is notable, as it indicates apps can communicate with other online APIs that neither Google nor the app developer might not control,” they pointed out. They also noted … More
The post Things to keep in mind when downloading apps from G Suite Marketplace appeared first on Help Net Security.
IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne. Each industry vertical has unique business needs, and as a result has different areas of focus when it comes to their IAM program. Finance focused on reducing risk, while integrating IAM infrastructure Financial service organizations deal with higher stakes than most verticals, which inevitably impacts … More
I’m concerned that fraudsters will disguise themselves as the NHS Test and Trace Service, and trick people into giving over sensitive personal information – and maybe even some money.
Maybe something could be learnt from the banks?
A Canadian maker of smart padlocks has agreed to implement a comprehensive security program and not misrepresent its privacy and security practices under an agreement with the U.S. Federal Trade Commission.
Earlier this month, the FTC gave final approval to a settlement with Tapplock Inc. of Toronto, maker of a fingerprint-enabled padlock sold to enterprises and consumers, related to allegations it falsely claimed that its internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data collected through a mobile app.
Security researchers identified both physical and electronic vulnerabilities with Tapplock’s smart locks, according to the complaint. The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.
Under the settlement, Tapplock is required to implement a comprehensive security program and obtain independent biennial assessments of the program by an assessor that the FTC approves. The company also is prohibited from misrepresenting its privacy and security practices.
The two sides came to an agreement on a settlement of the allegations in April. That needed final approval of the commission.
Under the consent order, Tapplock agreed to not transfer, sell, share, collect, maintain, or store personal information or manufacture or sell devices unless it implements a comprehensive security program that protects the security of devices and the security, confidentiality, and integrity of personal information.
According to its website this week, the company sells two models: the Tapplock one+, described as "Sturdy" and "Secure", which stores up to 500 fingerprints per lock; and the Tapplock lite, described as having a "strong, lightweight chassis", which stores up to 100 fingerprints. Bluetooth lets users share remote access.
For organizations that issue and control multiple padlocks, the company offers an enterprise software-based management console allowing an administrator to set custom permissions for users and manage them by groups. Customers listed on the site include Bombardier, Lufthansa and Foxconn.
The FTC’s background complaint document supporting the consent order says that in 2018 “security researchers identified critical physical and electronic vulnerabilities” with Tapplock smart locks. “Some could be opened within a matter of seconds, simply by unscrewing the back panel.”
One alleged vulnerability in the API could have been exploited to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks. Because the company failed to encrypt the Bluetooth communication between the lock and the app, a second vulnerability could have allowed a bad actor to lock and unlock any nearby Tapplock smart lock. Finally, a third vulnerability prevented users from effectively revoking access to their smart lock once they had provided other users access to that lock.
The second count alleges that Tapplock deceived consumers about its data security practices by falsely representing that it took reasonable precautions and followed industry best practices to protect the personal information provided by consumers.
Tapplock neither admitted nor denied any of the allegations in the complaint other than those stated in the final decision and consent order.
The company didn’t respond to an email request Wednesday for comment.
On this special splinter episode of the podcast, we’re joined by actor and comedian Clare Blackwood in the hope of convincing her that cybersecurity is no laughing matter.
Hear what happens in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to systemic design flaws discovered by Florida Tech computer science student Blake Janes that allows a shared account that appears to have been removed to actually remain in place with continued access to the video feed. Privacy flaws in security and doorbell cameras Janes discovered the mechanism for removing user accounts does not work as intended on many camera … More
The post Computer science student discovers privacy flaws in security and doorbell cameras appeared first on Help Net Security.
Today's e-threats have evolved. We, the digital denizens of the Internet, face malware so intricately crafted that it makes us wonder whether 'tis better to abandon all hope and disconnect, or to search for better ways to protect our endpoints and personal information. Half a century ago, the Creeper program was released into the wild, the first self-replicating program in computing history.
Today, viruses like Creeper, Form, Ghostball, or Father Christmas belong behind a digital display case, no longer able to harm our systems. But old habits die hard. Viruses and worms have outlived their own extinction, taking more virulent forms: ransomware, spyware, adware, fileless malware, and many another 'ware' bound to make you question your digital hygiene.
In cybersecurity there is a well-trodden saying: "antivirus software is not enough." Marketing aside, classical AV engines are ill-equipped to deal with sophisticated threats engineered to evade signature matching and rudimentary behavioral heuristics.
That shift in attacker tradecraft called for a matching response on the defenders' side. Endpoint Detection and Response (EDR) was born.
Deconstructing Endpoint Detection and Response
The term 'EDR' was first brought to public attention in 2013 by Anton Chuvakin, Gartner's Research Director for Technical Professionals and head of the Security and Risk Management Strategies team. Chuvakin reaffirmed the need for a new malware-hunting methodology and for tools capable of "detecting and investigating suspicious activities (and traces of such) other problems on host/endpoints."
EDR is a strategic approach to endpoint security built on continuous visibility: it records process, file, registry, and network activity on every endpoint, hunts for suspicious patterns in that telemetry, and gives responders the tools to investigate and contain what it finds. It is a considerable leap from the classical antivirus model, which delivers a verdict on a file at the moment it is scanned or executed.
In other words, an AV engine can only recommend actions (cleaning, quarantining, deletion, etc.) based on how a potentially malicious file looks or behaves while it interacts with the system.
Most modern malicious content is engineered to do as much damage as possible after establishing a beachhead (infiltrating your endpoint and/or network). The practical distinction between EDR and AV-centric detection and remediation is therefore one of scope and timing: AV deals with a threat at the point it is recognized as a file, while EDR keeps recording and correlating activity across the whole attack chain, so an intrusion that slipped past the initial check can still be detected, traced back to its origin, and contained.
There is another aspect worth considering: under EDR, digital forensics becomes the backbone of threat detection.
Even the terminology points to the same conclusion: IOA (Indicator of Attack), IOC (Indicator of Compromise), HIPS (Host Intrusion Prevention System), and HIDS (Host Intrusion Detection System).
My colleague covered all of the forensics parts of EDR and other technicalities in a recently published material. Feel free to consult her article for more information on how EDR changed the rules of the threat-hunting game.
Embracing the Endpoint Detection and Response Model
Full-scale adoption of the Endpoint Detection and Response model has been a goal of many businesses and institutions since 2011, a year most analysts regard as a turning point in malware evolution. A Varonis report states that in Q3 2011 approximately 60,000 new ransomware samples were detected.
The number of novel ransomware samples subsequently tripled, reaching about 200,000. Marked by the rise of the infamous Chimera, 2015 is widely described as the year of ransomware: over 700,000 new strains and more than $300 million paid out to malicious actors.
Given the growth rate, the pervasiveness, and the mutation rate (hundreds of new variants engineered every day by making minor modifications to an existing strain), there was a loud public outcry: some form of countermeasure was required, or entire sectors of the economy could be brought to their knees.
EDR was the threat-hunting and mitigation methodology best placed to redress the balance. It was a gamble, but it paid off: slowly but steadily, more and more companies and public institutions are integrating EDR into their security ecosystems.
Of course, one cannot help but wonder why not all companies implement this much-needed EDR 'padding'.
A NinjaRMM report offers some insight into this apparent reluctance on the part of company owners and decision-makers. The report, which mostly surveyed MSPs and internal IT teams, found that the greatest showstopper for adopting EDR is lack of budget.
Over 50% of respondents said that EDR is not feasible for internal IT teams because it costs more than the budget allotted to security software. From an MSP's point of view, on the other hand, the main objection to adopting EDR is lack of manpower (not enough qualified personnel to run this kind of security stack).
In some regions the deployment of EDR was fast-tracked, and the United States was among the first countries to recognize the merits of this approach. A Statista report states that in 2019 over 10 billion malicious attacks were carried out, more than 50% of them against targets in the United States.
Other countries followed: China, India, Indonesia, the United Arab Emirates, Qatar, and several South American countries. Europe was among the last regions to adopt EDR at scale.
Endpoint Detection and Response is an efficient threat-hunting/threat-remediation technology. Still, the cost alone can deter company owners or decision-makers from implementing it.
In the interim, if you plan on placing EDR on the company’s roadmap, a test-drive is warranted. Fortunately, if you’re not ready to commit extensive resources to implement EDR, there are some free, open-source EDR tools you can try out. Below, you will find a small list of the most popular EDR tools on the web and how you can use them to increase your company’s ROI.
Open-source EDR tools
1. OSSEC
OSSEC is free, open-source host intrusion detection software (HIDS with active response) that offers log analysis, file integrity monitoring, rootkit detection, real-time Windows registry monitoring, and other EDR-style features. It can be downloaded from the official website or the project's GitHub page. OSSEC is aimed mainly at large enterprises, SMBs, and government agencies in search of server intrusion detection.
OSSEC EDR features
- LIDS (Log-based Intrusion Detection)
Scans and analyses log data coming from multiple endpoints.
- Malware and Rootkit Detection capabilities
Employs process- and file-level scanning to detect dormant or active malicious applications, rootkits included.
- Active response
Runs scripts in reaction to alerts, for example adding a firewall rule that blocks an offending source address, and supports integration with third-party tools. The project's documentation also advertises "self-healing actions" but does not elaborate on what they do.
- FIM (File Integrity Monitoring)
Real-time file and Windows registry monitoring. Capable of keeping forensic copies of files to facilitate analysis when a change is detected.
- System inventory
Information-gathering platform. Able to retrieve various types of software and hardware data: listeners, hardware info, installed software, versioning, utilization rate, and network services.
OSSEC supports compliance reporting for common industry standards such as the CIS benchmarks and PCI DSS. The software runs on Windows, Linux, OpenBSD, macOS, Solaris, and FreeBSD. There is no support for mobile platforms such as Android or iOS.
For more information about the software and its EDR capabilities, please refer to the official OSSEC website.
2. TheHive Project
TheHive Project is a “security incident response (platform) for the masses”, leveraging open-source, scalable, and free solutions. The product is designed to aid CERTs, SOCs, and CSIRTs in drafting security incident reports faster and elaborate actionable strategies based on various cues such as observables or custom-created alerts.
In essence, TheHive Project is a collaboration platform, that allows multiple users (i.e. investigators or analysts) to work on the same investigation at the same time. The platform offers powerful collaboration features such as live streaming, real-time information, task assignation, and more.
TheHive Project features
- Dynamic dashboard
Real-time collaboration with live-updating case lists and dashboards. Rich note-taking functions: custom tags, password-protected ZIP archives for malicious attachments, a progress tracker, import of ZIP archives containing suspicious data and/or malware, custom templates, simple or elaborate metrics, and more.
- Advanced filtering options
Capable of handling hundreds of observables per case. Users can import or create alerts from any event or alarm, and custom filtering is available. Once an investigation template is completed, it can be exported and reused for similar occurrences.
- Forensics and Incident Response
Cortex, TheHive Project's companion "observable analysis and active response engine", gives a granular view of observables (IPs, URLs, email addresses, domain names, hashes, files, etc.) via a web interface. Other forensics and incident response features: custom scripts, API integration, and responders for containment actions.
Observables can be enriched through Cortex analyzers for popular web services such as PassiveTotal, Google Safe Browsing, Onyphe, Shodan, VirusTotal, etc. A multi-format parser (OLE, OpenXML) can be used to detect Visual Basic macros embedded in documents.
- Python API for polling analyzers from various sources
TheHive4py is a Python client library for TheHive's REST API that facilitates case creation from sources such as a SIEM or a mailbox. According to the product description, this API can become an invaluable tool in the fight against Business Email Compromise.
Refer to the API’s documentation for more information regarding the product’s B.E.C capabilities.
3. osquery
osquery is an open-source, Apache-licensed endpoint instrumentation tool that exposes the operating system as relational tables, so that processes, listening ports, installed packages, users, and the like can be inspected with plain SQL. That makes investigations and audits far simpler. osquery is intended for SMBs and enterprises.
A 'lighter', home-centric version is also advertised on the product's official website. The software runs on Windows, macOS, CentOS, FreeBSD, and Linux (with some limitations).
- Interactive querying console.
A comprehensive SQL-powered console (osqueryi) that gives you a bird's-eye view of the operating system. Backed by hundreds of tables, it lets the user or investigator gather valuable system data quickly.
- Modular codebase
Language binding is available. All components are modular and developed using open-source APIs.
- Powerful host-monitoring daemon
osqueryd, osquery's daemon, runs scheduled queries and logs the results (by default as differentials, i.e. only the rows added or removed since the previous run), which keeps log volume down. The resulting logs provide insight into the system's security posture as well as configuration, performance, and infrastructure health.
Other features: AWS logging, file integrity monitoring, YARA scanning, anomaly detection, process auditing, remote settings, advanced log aggregations settings, and more.
Refer to osQuery’s documentation for additional information regarding the product’s EDR capabilities.
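The following Python is an added example, not part of this article or of the osquery project, showing what a practitioner does with osqueryd's differential result log: each line is one JSON object carrying the query name, the host identifier, the row's columns, and an `action` of `added` or `removed`. The sample log lines are constructed for the demo; the column names follow osquery's `listening_ports` and `suid_bin` tables. The detection policy (port allowlist, scratch directories, trusted binary roots) is hypothetical and would be tuned per environment.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample of osqueryd's differential result log (one JSON object per line).
SAMPLE_LOG = """\
{"name":"listening_ports","hostIdentifier":"web01","calendarTime":"Thu Jun  4 10:00:00 2020 UTC","unixTime":1591264800,"epoch":0,"counter":1,"columns":{"pid":"1243","port":"443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web01","calendarTime":"Thu Jun  4 10:05:00 2020 UTC","unixTime":1591265100,"epoch":0,"counter":2,"columns":{"pid":"2210","port":"4444","protocol":"6","address":"0.0.0.0","path":"/tmp/.x/nc"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web01","calendarTime":"Thu Jun  4 10:05:00 2020 UTC","unixTime":1591265100,"epoch":0,"counter":2,"columns":{"pid":"990","port":"22","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/sshd"},"action":"removed"}
{"name":"suid_bin","hostIdentifier":"web01","calendarTime":"Thu Jun  4 10:05:00 2020 UTC","unixTime":1591265100,"epoch":0,"counter":2,"columns":{"path":"/tmp/rootme","username":"root","groupname":"root","permissions":"S"},"action":"added"}
{"name":"suid_bin","hostIdentifier":"web01","calendarTime":"Thu Jun  4 10:05:00 2020 UTC","unixTime":1591265100,"epoch":0,"counter":2,"columns":{"path":"/usr/bin/sudo","username":"root","groupname":"root","permissions":"S"},"action":"added"}
"""

# Hypothetical policy for the demo: expected TCP listeners and trusted binary locations.
ALLOWED_PORTS = {"22", "80", "443"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SYSTEM_BIN_ROOTS = ("/usr/", "/bin/", "/sbin/")


def parse_results(log_text: str) -> List[Dict]:
    """Parse differential result lines, skipping blank or malformed ones."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(evt, dict) and all(k in evt for k in ("name", "columns", "action")):
            events.append(evt)
    return events


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Apply the demo rules to 'added' rows; each finding lists every rule it tripped."""
    findings = []
    for evt in events:
        if evt["action"] != "added":  # removed rows are informational for these rules
            continue
        cols, host = evt["columns"], evt.get("hostIdentifier", "?")
        rules = []
        if evt["name"] == "listening_ports" and cols.get("protocol") == "6":  # 6 = TCP
            if cols.get("port") not in ALLOWED_PORTS:
                rules.append("unexpected_listener")
            if cols.get("path", "").startswith(SCRATCH_DIRS):
                rules.append("listener_from_scratch_dir")
        elif evt["name"] == "suid_bin":
            if not cols.get("path", "").startswith(SYSTEM_BIN_ROOTS):
                rules.append("suid_outside_system_paths")
        if rules:
            findings.append({"host": host, "time": evt.get("calendarTime"),
                             "rules": rules, "row": cols})
    return findings


def scan(log_text: str) -> List[Dict]:
    return detect(parse_results(log_text))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["host"], f["time"], ",".join(f["rules"]),
              f["row"].get("port") or f["row"].get("path"))
```

Feeding the daemon's log through something like this (or the equivalent rule in a SIEM) is where osquery turns from an inventory tool into detection: the nginx listener and sudo are expected and stay quiet, while the netcat listener in /tmp and the stray setuid binary each produce a finding.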
4. Nessus Vulnerability scanner
Nessus is a vulnerability scanner that probes hosts and network services for known weaknesses (entry points a malicious actor could exploit). It is proprietary software from Tenable rather than open-source; a free Nessus Essentials tier exists for small environments. Nessus has no EDR capabilities, but it is effective at identifying unpatched software and misconfigurations. It runs on Linux, Windows, and macOS.
- Custom scripting and multiple plug-ins
Nessus lets the user write custom checks in its own scripting language (NASL) and ships with a large library of plugins: server detection, processor information, Microsoft Windows ARP table, recent file history, "Windows scan not performed with Admin Privileges", Microsoft Windows Last Boot Time, etc.
- Patching indicator
When a vulnerability is detected, the scanner also offers remediation advice, typically the patch or configuration change that resolves it.
- In-depth vulnerability scanning
Once Nessus is pointed at a host, it runs its plugin checks (many thousands in current releases) to detect vulnerabilities.
For additional information, please consult Nessus’ official website.
5. Snort
Snort is a robust open-source intrusion detection and prevention system that identifies threats through real-time network traffic analysis and packet logging. It runs on Fedora, CentOS, FreeBSD, and Windows. Snort is a network IDS/IPS rather than an endpoint tool, but it is easy to set up and useful for audits or investigations alongside host-based telemetry.
- Multi-mode deployment
Snort can be configured to run in three modes: sniffer (reads network packets and displays them on the console), packet logger (logs the content of each packet to local disk), and NIDS (Network Intrusion Detection System; real-time analysis of network traffic against the rule set).
- Tunneling Protocol Support for most common formats
SNORT supports the following tunneling protocols: PPTP over GRE, MPLS, GRE, IP in IP, ERSPAN.
- Multiple NIDS Mode Output options
The NIDS mode supports multiple output options: fast alert (one line per alert containing the timestamp, the rule identifier and message, the classification and priority, the protocol, and the source and destination IPs and ports), full alert mode, unsock (sends the alert to a Unix socket), no alert (disables alerts), console (prints fast-style alerts on screen), and cmg (prints alerts in the CMG style).
For additional information on how to configure SNORT, please refer to the developer’s official website.
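As an added example (not from the Snort project or from this article), here is a small Python parser for the fast-alert output format described above, with a triage helper that pulls out high-priority alerts and counts hits per source address and rule. The alert lines are constructed for the demo: they use local rule SIDs in the 1000000+ range and documentation or private addresses, so the rule messages are hypothetical.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Snort fast-alert line: timestamp, [gid:sid:rev], message, optional classification,
# priority, {protocol}, then "src[:port] -> dst[:port]" (IPv4 only in this demo).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (hypothetical local rules; not real rule messages).
SAMPLE_ALERTS = """\
06/04-10:15:22.123456  [**] [1:1000001:1] LOCAL outbound shell to 4444 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:51234 -> 203.0.113.9:4444
06/04-10:15:25.000001  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1
06/04-10:16:01.500000  [**] [1:1000001:1] LOCAL outbound shell to 4444 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:51240 -> 203.0.113.9:4444
06/04-10:16:03.000000  [**] [1:1000003:2] LOCAL web admin login from outside [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40122 -> 192.168.1.10:443
this line is not an alert
"""


def parse_fast_alert(line: str) -> Optional[Dict]:
    """Parse one fast-alert line into a dict, or None if it does not match the format."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):  # absent for protocols without ports (e.g. ICMP)
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def parse_log(text: str) -> List[Dict]:
    """Parse a whole alert file, silently dropping lines that are not alerts."""
    return [a for a in (parse_fast_alert(line) for line in text.splitlines()) if a]


def triage(alerts: List[Dict], max_priority: int = 2) -> Tuple[List[Dict], Counter]:
    """Return alerts at or above a priority threshold (1 is most severe) and a
    per-(source address, sid) hit count, which exposes repeat offenders."""
    hot = [a for a in alerts if a["prio"] <= max_priority]
    counts = Counter((a["src"], a["sid"]) for a in alerts)
    return hot, counts


if __name__ == "__main__":
    hot, counts = triage(parse_log(SAMPLE_ALERTS))
    for a in hot:
        print(a["ts"], a["prio"], a["sid"], a["msg"], a["src"], "->", a["dst"], a["dport"])
    for (src, sid), n in counts.most_common():
        print(src, sid, n)
```

The same parser is the starting point for forwarding alerts into a SIEM or into a case in TheHive; the fast format is terse enough that a regex covers it, and keeping the ports optional is what stops ICMP alerts from being silently discarded.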
6. Ettercap Project
Ettercap is a cross-platform, open-source network security tool for man-in-the-middle attacks on a LAN, using techniques such as ARP poisoning. It is not an EDR product, but it belongs in the assessment toolbox: it offers traffic interception, active eavesdropping on the most common protocols, network security auditing, and protocol dissection. Ettercap runs on Linux, Solaris, BSD, macOS, and Microsoft Windows.
Ettercap Project features
Ettercap can sniff in two modes: promiscuous mode, in which the network interface hands every frame it sees to the host rather than only the frames addressed to it, and ARP poisoning, in which Ettercap redirects traffic between LAN hosts through the attacking machine. Both modes yield valuable forensic information, and the user can determine how the system acts and reacts during a MitM attack.
- OS fingerprinting
Fingerprint the operating systems of hosts on the LAN in real time.
- IP-based filtering
Filter incoming and outgoing packets by source and destination IP address.
- Plug-in support
Ettercap’s capabilities can be enhanced through publicly available APIs and plug-ins.
7. Infection Monkey
Infection Monkey is a free and open-source security posture assessment tool that simulates breaches and APT (Advanced Persistent Threat) behaviour. Guardicore's software was developed for sysadmins and investigators who want to probe a company's infrastructure for exploitable weaknesses. Infection Monkey runs on Microsoft Windows, Linux, and macOS.
Infection Monkey features
- Run real-life infection scenarios
Infection Monkey can simulate numerous attack techniques, including exploitation of Shellshock, SambaCry, ElasticGroovy, Struts2, WebLogic, and Hadoop vulnerabilities, credential stealing, and brute-force logins.
- Advanced detection capabilities
Guardicore's tool offers several detection methods, such as alerts on cross-segment traffic (to check whether segmentation policies are correctly enforced), tunneling detection (alerts the user if tunneling is detected), and credential analysis.
8. Cuckoo Sandbox
Cuckoo Sandbox is an open-source automated malware analysis environment that lets the user detonate, observe, and dissect suspicious files in isolation. It can analyze samples for Microsoft Windows, Linux, macOS, and Android.
Cuckoo Sandbox features
- Powerful file analyzer
Can probe various file formats and types (documents, PDFs, executables, emails, etc.). Samples are executed inside isolated virtual machines so their behaviour can be recorded without risk to the analysis host.
- Advanced memory and network analysis
Probe process memory using YARA and Volatility. Network traffic can also be analyzed and dumped, including traffic encrypted with TLS or SSL.
9. GRR Rapid Response
GRR Rapid Response is an Apache-licensed, open-source incident response framework used for remote live forensics. The tool can be used to perform detailed forensic analyses on a large number of endpoints. GRR Rapid Response is compatible with Microsoft Windows, macOS X, and most Linux builds.
GRR Rapid Response Features
- YARA Library support.
- Search and download features for registry entries and files.
- API developed in RESTful JSON and Web UI made with AngularJS. Client libraries include Go, PowerShell, and Python.
- Highly scalable.
- It can be automated – schedule tasks for your clients.
- Extensive monitoring capabilities – I/O usage, CPU, memory, and user-defined parameters.
10. MIG by Mozilla
Mozilla’s MIG is a free-to-use forensics platform for remote endpoints. The tool is compatible with Windows, Linux, and Mac OSX. A beginner’s tool, but very helpful in providing accurate IOCs.
MIG’s features include log analysis, memory inspection, file and network inspection, full system auditing, vulnerability management, and more. As an open-source forensics tool, Mozilla’s MIG has limited capabilities, mostly because Mozilla has stopped maintaining the product.
Endpoint Detection and Response has become the next gold standard of cybersecurity. Despite the slow and somewhat problematic adoption, companies and institutions have realized the importance of this extra security ‘padding’. EDR tools such as the ones described in the article are reasonable first steps towards global tech assimilation.
The post Ten Open-Source EDR Tools to Enhance Your Cyber-Resilience Factor appeared first on Heimdal Security Blog.
A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums. The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users. After removing duplicates, Troy Hunt has added the dump to the Have I Been Pwned? service, which potentially affected … More
The post Account credentials of 26+ million LiveJournal users leaked online appeared first on Help Net Security.
Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals. The GDPR’s first two years have been marked by … More
For much of the last decade, technology companies have been in an uphill battle to save encryption, a battle that has seen an increasing number of skirmishes that tech companies often lose. Throughout this ongoing clash, governments across the world have been pushing to backdoor encryption in the name of combating child abuse and terrorism. The battle has come to a head several times in recent years, including when the FBI demanded Apple assist in … More
The post Why building backdoors into encryption won’t make us safer appeared first on Help Net Security.
Security is of paramount importance in any IT context today, especially when you are looking to protect something as precious and potentially vulnerable to attack as an SQL server.
Here is a quick primer on the basic aspects of security which matter most for SQL server solutions, since the cost of a breach will vastly outweigh the effort of learning and following best practices.
There is no doubt that encryption should be part of any modern DataOps strategy, particularly given the scope and scale of the threats that exist in the age of unfettered connectivity.
You can encrypt data stored on your SQL server, and indeed you should make sure that this is enabled as standard. You also need to take into account how the data is protected when it is in transit, when it might be exposed to exploitation while passing through public networks and devices.
There are different types of encryption to consider, with SSL encryption keeping data safe when it is on the move while cell-level encryption will allow comprehensive protection even while the data is cached on server RAM. The greater the level of encryption you choose, the more potential complications can arise, so it is a matter of balancing your needs against the risks.
All the security measures in the world will be for naught if your SQL server is breached, damaged or otherwise compromised in such a way that leaves the information it contains inaccessible or unrecoverable for some reason.
This is why a good SQL server backup solution needs to be factored into your security efforts, providing you with a lifeline to restore mission-critical data in the direst of circumstances.
There are quite a few points to consider when selecting a backup strategy. Opting for a differential backup, for example, will allow you to perform the backup process faster and without the same penalty in terms of storage requirements. A full backup will form the foundations of a differential backup as well as being used to underpin transaction log backups, which allow for time-specific restoration.
All backup varieties take time and require a commitment of hardware and network resources, while also posing a security risk in their own right, so remember not to overlook this aspect.
Managing access to your SQL server is vital, not just in terms of taking control of which users and apps can retrieve data or make changes to the database, but also with regards to the physical hardware itself.
This is not something that will immediately seem obvious, especially at a time when more and more organizations are choosing to migrate to remotely hosted or hybrid cloud setups, but even if your IT resources feel nebulous, they are still founded on tangible servers.
If you are directly responsible for housing this hardware, restricting physical access to it is just as crucial as vetting digital access. Locking server rooms is a minimum; ensuring that only employees with a legitimate reason can access them should also be part of your security protocols.
Although cybersecurity threats are growing and evolving all the time, software firms do a good job of fixing vulnerabilities and patching problems whenever they rear their heads.
This means that it is the responsibility of SQL server specialists to keep their software up to date, installing vital security patches as soon as possible. Failure to do so will leave you exposed unnecessarily and could lead to breaches that would have been entirely preventable. Both the SQL software and the OS it runs on need to be updated as a matter of urgency.
May 25th is the second anniversary of the General Data Protection Regulation (GDPR) and data around compliance with the regulation shows a significant disconnect between perception and reality. Only 28% of firms comply with GDPR; however, before GDPR kicked off, 78% of companies felt they would be ready to fulfill data requirements. While their confidence was high, when push comes to shove, complying with GDPR and GDPR-like laws – like CCPA and PDPA – are … More
Here’s how encryption can help keep your data safe from prying eyes – even if your device is stolen or your cloud account is hacked
The post How encryption can help protect your sensitive data appeared first on WeLiveSecurity
In today’s remote working situation most people, if not everyone, are working more at home...
The post How To Use Browserleaks.com To Check Your Home Secure Browsing Posture appeared first on Binary Blogger.
Google has announced that advertisers on its platforms will have to verify their identities and their businesses. They will have 30 days to comply.
On its face, this seems like common sense and a good idea. The Internet has been rife with fraudulent Covid-19 schemes targeting stimulus checks, selling snake oil cures and price gouging on hard to acquire products. The reality is less clearcut.
Where’s The Data?
The first issue here is Google’s track record when it comes to data mining and privacy. The company is the most successful, and also one of the most appetitive compilers of personal information in digital media.
While it’s fairly common knowledge that Google’s Chrome browser is no stranger to controversy when it comes to tracking users and collecting data, there is more worrisome activity that gets far less attention. The company aggregates data from its phones, tablets, home media devices, personal assistants, website searches, analytics platform, and even offline credit card transactions. To say that it already has access to data about businesses and individuals would be an understatement and only serves to underscore what’s wrong with this latest initiative.
There has been plenty of opportunity for Google to put its vast stores of data to use in the identification of bad actors on its platforms with a greater level of sophistication than anything that could be gleaned from digital copies of personal and employee identification numbers or business incorporation documents. They already have everything they need to determine if someone is from the U.S. or Uzbekistan.
Occam’s Razor points to two explanations. First, Google is doing what it does best: collecting more information. Two, Google is doing what it does best: using information to solve an information problem. Either way, it’s not a very memorable solution.
Ignoring the Realities of Business Identity Theft
It seems naive to take the position that the submission of digital copies of documents can provide a reliable way to establish the identity of a particular business. In an era where Social Security numbers and tax IDs can be bought by the millions on the dark web and computers are capable of rendering real-time deepfakes on video conference calls, faking a document or credentials is child’s play for any scammer worth his or her Bitcoin.
For starters, this easily flouted protocol engenders a false sense of security for internet users who assume Google’s verification process works. If this sounds cynical, remember that Facebook tried something like this following the widespread manipulation of its platform during the 2016 election. It failed.
This practice also puts a target on businesses. At a minimum, it will require the widespread transmission of digital copies of potentially sensitive business documents, which opens the door to scammers trying to intercept that data. Business identity theft is a very real threat, and access to a business’s credentials can leave it vulnerable to data breaches, fraud, cyberattacks, and worse. At a maximum, it could actually boost the market for illicit or compromised information on businesses as a means of supplying fake credentials to Google.
We’ve seen time and again that scammers are creative and extremely persistent when it comes to gaining access to sensitive data, and we can only assume any ill-considered move to protect data will be viewed as a growth opportunity for cybercriminals.
The term “security theater” gained popularity after the implementation of TSA security measures in the wake of the 9/11 attacks, and it seems applicable here.
Google’s new policies seem like marketing more than security. While it’s likely to make customers and businesses that use its online advertising platform feel safer, it could easily have the opposite effect.
A company with Google’s reach, resources, and oftentimes incredibly granular data isn’t likely to be made any more secure by collecting and gathering digital documents from its clients. It might, however, be putting businesses at greater risk of fraud and data compromise.
Signal has fixed a vulnerability affecting its popular eponymous secure communications app that allowed bad actors to discover and track a user’s location. The non profit organization has also announced on Tuesday a new mechanism – Signal PINs – that will, eventually, allow users not to use their phone number as their user ID. About the vulnerability The vulnerability, discovered by Tenable researcher David Wells, stems from the fact that the WebRTC fork used by … More
The post Signal fixes location-revealing flaw, introduces Signal PINs appeared first on Help Net Security.
Apps that belch out sensitive military information, what could the world learn from South Korea’s digital response to the Coronavirus pandemic, and who has been deepfaking Bill Clinton, Jay-Z, and Donald Trump… and why?
All this and much much more is discussed in the latest episode by computer security veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the “Power Corrupts” podcast.
Bart Gellman's long-awaited (at least by me) book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic.
It's an interesting read, mostly about the government surveillance of him and other journalists. He speaks about an NSA program called FIRSTFRUITS that specifically spies on US journalists. (This isn't news; we learned about this in 2006. But there are lots of new details.)
One paragraph in the excerpt struck me:
Years later Richard Ledgett, who oversaw the NSA's media-leaks task force and went on to become the agency's deputy director, told me matter-of-factly to assume that my defenses had been breached. "My take is, whatever you guys had was pretty immediately in the hands of any foreign intelligence service that wanted it," he said, "whether it was Russians, Chinese, French, the Israelis, the Brits. Between you, Poitras, and Greenwald, pretty sure you guys can't stand up to a full-fledged nation-state attempt to exploit your IT. To include not just remote stuff, but hands-on, sneak-into-your-house-at-night kind of stuff. That's my guess."
I remember thinking the same thing. It was the summer of 2013, and I was visiting Glenn Greenwald in Rio de Janeiro. This was just after Greenwald's partner was detained in the UK trying to ferry some documents from Laura Poitras in Berlin back to Greenwald. It was an opsec disaster; they would have been much more secure if they'd emailed the encrypted files. In fact, I told them to do that, every single day. I wanted them to send encrypted random junk back and forth constantly, to hide when they were actually sharing real data.
As soon as I saw their house I realized exactly what Ledgett said. I remember standing outside the house, looking into the dense forest for TEMPEST receivers. I didn't see any, which only told me they were well hidden. I assumed black-bag teams from various countries had been all over the house when they were out for dinner, and wondered what would have happened if teams from different countries bumped into each other. I assumed that all the countries Ledgett listed above -- plus the US and a few more -- had a full take of what Snowden gave the journalists. These journalists against those governments just wasn't a fair fight.
I'm looking forward to reading Gellman's book. I'm kind of surprised no one sent me an advance copy.
Over on my sister blog, Security In Five, episode 749 of the Security In Five...
The post Interview With the CEOs Of Vivaldi And Startpage.com appeared first on Binary Blogger.
Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues. Chrome 83: New and improved security and privacy features The enhanced Safe Browsing mode will allow users to get a more personalized protection against malicious sites. “Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained. “Turning on Enhanced Safe Browsing will … More
The post Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check appeared first on Help Net Security.
A security bug in the iOS app has impacted over 6,400 Edison Mail users; the issue allowed some users to access other people’s email accounts.
An update released for the Edison Mail iOS application introduced a security bug that resulted in some users being given access to other people’s email accounts.
“On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.” reads a post published by the company.
“Data from these individuals’ impacted email accounts may have been exposed to another user. No passwords were compromised.”
The Edison Mail app allows users to manage their Gmail, Yahoo, Outlook, iCloud, and other email services in a single place. The company offers apps for iOS, Android and macOS, and says its products are used by millions of individuals.
The update was rolled out on May 15; it included a feature that allows users to manage their accounts across their Apple devices.
Shortly after the patch was released, some users started reporting they could access other people’s email accounts from the iOS app without authentication.
Edison quickly solved the issue; the company confirmed that the bug potentially impacted 6,480 iOS users.
Edison Mail also confirmed that user credentials were not exposed.
The company addressed the issue with two updates: the first, on Saturday, prevented impacted users from accessing any account from the Edison app; the second, on Sunday morning, re-enabled access for impacted users.
“A new version of the application was made available early Sunday morning in the App Store that restores full functionality for these 6,480 users. Other users were not impacted and no action is required.” added the company.
“We have notified all individual users who may have been impacted by this issue via email, and as an additional safety precaution, suggested that impacted users also change their email account password. If you did not receive an email on this issue then your account was not impacted.”
(SecurityAffairs – Edison Mail, hacking)
The post A bug in Edison Mail iOS app impacted over 6,400 users appeared first on Security Affairs.
The makers of a popular iOS email app have warned their users that their accounts may have been compromised after a buggy software update made it possible to see strangers’ emails.
Read more in my article on the Hot for Security blog.
In this final part of the series, I discuss why everyone should consider reviewing their OPSEC (Operations Security), not just those with something to hide. If you haven’t read the previous articles then please check them out first (Part I & Part II), as they provide key background information about the techniques discussed in this […]… Read More
The post Why OPSEC Is For Everyone, Not Just For People With Something To Hide – Part III appeared first on The State of Security.
Canadian governments are planning to approve COVID-19 mobile contact tracing apps to help health authorities track the spread of the infectious disease. However, two recent surveys offer conflicting numbers on whether residents here want the apps to be voluntary or mandatory.
The issue is crucial: Health experts say wide adoption of an app — perhaps as much as 50 per cent of the population — is needed for it to be useful.
In the most recent survey, released this morning by KPMG Canada, 55 per cent of respondents said digital contact tracing should be voluntary, citing privacy concerns and potential abuse of civil liberties. Two-thirds of respondents said they wouldn’t download such an app, calling it still “too invasive.”
Yet 57 per cent of respondents don’t believe such an app would be effective unless it is mandatory.
On the other hand, a survey commissioned by three Canadian Senators released last week found 65 per cent of respondents support the mandatory use of contact tracing apps.
However, in an interview one of those senators acknowledged the question on mandatory/voluntary adoption may not have been neutral. And Canadian privacy expert Ann Cavoukian said the Senate survey question “has no validity.” (See below for more detail)
Most privacy experts around the world say COVID contact tracing apps must be voluntary to get widespread adoption. That’s the position of federal and provincial privacy commissioners as part of a statement of principles they urge governments here to follow on tracing apps. Alberta, the first Canadian jurisdiction to release an app, has made its adoption voluntary. But some privacy experts worry that if adoption is low a government will be tempted to make it mandatory.
Despite Alberta jumping the gun, federal and provincial officials are looking at about a dozen proposed apps for approval.
A number of contact tracing apps are being developed around the world, some — like Alberta’s — based on one of the earliest developed by Singapore. Broadly speaking, tracing apps use Bluetooth to capture encrypted ID signals from nearby mobile devices that also have an app, usually with a time limiter. (For example, Alberta’s app won’t obtain an ID number unless a person is nearby another for a total of 15 minutes over 24 hours.) Depending on the app, each mobile device holds a list of contacts for a set number of days.
Depending on the app, one of two things happens if a person tests positive for COVID-19: Either the list of encrypted digital IDs is uploaded by the user so a health authority can notify and trace those who have been in contact with the victim, or the app transmits an alert directly to the apps of those on the list for those users to see. Either way, recipients of warnings would be expected to take appropriate steps, such as notify their doctors, monitor their health or take a COVID-19 test.
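The mechanics described above, as an added simulation that is not code from the article or from any real tracing app: the Alberta-style rule that a contact is recorded only after 15 minutes of cumulative proximity within 24 hours, a retention window for the contact list, and the two notification paths (uploading the list to a health authority, or the Apple/Google-style local match against IDs published by positive users, described later in the article). The 14-day retention period, all device IDs and all timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

EXPOSURE_THRESHOLD = timedelta(minutes=15)  # Alberta's threshold, from the article
EXPOSURE_WINDOW = timedelta(hours=24)       # ...accumulated within this rolling window
RETENTION = timedelta(days=14)              # assumption: how long a phone keeps contacts


class ContactList:
    """Per-device record of Bluetooth sightings and of confirmed contacts.

    Each sighting carries only the opaque ID broadcast by the other phone,
    so the list holds no names or locations.
    """

    def __init__(self):
        self.sightings = []   # (peer_id, start, end)
        self.contacts = {}    # peer_id -> time the 15-minute threshold was reached

    def observe(self, peer_id, start, duration):
        end = start + duration
        self.sightings.append((peer_id, start, end))
        self._evaluate(peer_id, now=end)

    def _evaluate(self, peer_id, now):
        # Sum only the parts of each sighting of this peer that fall inside the
        # last 24 hours; short encounters spread over several days do not add up.
        window_start = now - EXPOSURE_WINDOW
        total = timedelta()
        for pid, start, end in self.sightings:
            if pid != peer_id:
                continue
            overlap = min(end, now) - max(start, window_start)
            if overlap > timedelta():
                total += overlap
        if total >= EXPOSURE_THRESHOLD and peer_id not in self.contacts:
            self.contacts[peer_id] = now

    def purge(self, now):
        """Drop sightings and contacts older than the retention period."""
        cutoff = now - RETENTION
        self.sightings = [s for s in self.sightings if s[1] >= cutoff]
        self.contacts = {p: t for p, t in self.contacts.items() if t >= cutoff}


def centralized_notifications(uploaded_lists):
    """Centralized model: positive users upload their contact lists and the
    health authority works out whom to notify.

    uploaded_lists maps each reporting user's ID to the set of peer IDs from
    their phone. Returns {peer_id: set of reporters it was exposed to}, which
    is exactly the social linkage a server-side model learns about its users.
    """
    to_notify = {}
    for reporter, peers in uploaded_lists.items():
        for peer in peers:
            to_notify.setdefault(peer, set()).add(reporter)
    return to_notify


def local_exposure_check(contact_list, published_positive_ids):
    """Decentralized model: positive users publish only the IDs their own
    phone broadcast; every device downloads that list and matches it against
    its local contacts, so the contact list never leaves the phone.
    """
    return set(contact_list.contacts) & set(published_positive_ids)


def demo():
    t0 = datetime(2020, 5, 10, 9, 0)   # constructed timestamps
    alice = ContactList()
    # Bob: three 5-minute encounters over ten hours -> 15 minutes within 24 h
    alice.observe("bob-id", t0, timedelta(minutes=5))
    alice.observe("bob-id", t0 + timedelta(hours=2), timedelta(minutes=5))
    alice.observe("bob-id", t0 + timedelta(hours=10), timedelta(minutes=5))
    # Carol: two 10-minute encounters 30 hours apart -> never 15 min in one window
    alice.observe("carol-id", t0, timedelta(minutes=10))
    alice.observe("carol-id", t0 + timedelta(hours=30), timedelta(minutes=10))

    # Bob tests positive. Centralized path: Bob's phone uploads *its* contacts.
    central = centralized_notifications({"bob-id": {"alice-id", "dave-id"}})
    # Decentralized path: Bob publishes the IDs he broadcast; Alice matches locally.
    local = local_exposure_check(alice, {"bob-id"})
    return alice, central, local


def purge_demo():
    """A contact older than the retention period disappears from the phone."""
    t0 = datetime(2020, 5, 10, 9, 0)
    cl = ContactList()
    cl.observe("bob-id", t0, timedelta(minutes=20))
    cl.purge(t0 + timedelta(days=20))
    return len(cl.sightings), len(cl.contacts)
```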
KPMG Canada surveyed 2,000 Canadians online between May 7 and 12.
Among the highlights:
- 62 per cent of respondents are in favour of letting the government use location tracking to send phone alerts to people who have come into contact with a person infected by COVID-19;
- 82 per cent would be more comfortable with an app run by the health system that shows aggregate community “hot spots” for COVID-19 so they can make their own decisions about their health;
- 65 per cent say any contact-tracing program needs to be administered by an independent body from the provincial or federal government.
“It’s clear that Canadians understand that contact-tracing apps are effective if participation is high, but the design of such apps must limit threats to privacy as most people aren’t comfortable letting the government have free rein to track their phones,” Sylvia Kingsmill, partner and national digital privacy leader for KPMG, said in a statement. “To make this work, governments will need to be completely transparent on how data will be collected, stored, erased, and managed – it’s about trust.
“There should be clarity about the circumstances under which that data will be shared, now and in the future. To this end, policies should be implemented and enforced to prevent misuse and/or abuse of the data to provide assurances to the public that principles of accountability and data minimization are being respected.”
The Senate’s online survey of 1,530 respondents was commissioned by Senators Colin Deacon, Donna Dasko and Rosemary Moodie and conducted between May 2 and May 4.
Among the findings:
- In the absence of a vaccine or treatment for COVID-19, 90 per cent of respondents believe that it will be necessary to continue contact tracing in general (that may or may not include an app).
- 80 per cent of respondents support the use of mobile device data by public health officials to notify those who have been close to someone who has tested positive for COVID-19.
- 87 per cent of respondents believe contact tracing apps should trigger testing of themselves and others.
- If assured that their data was kept confidential, large numbers of Canadians would share information from contact tracing apps with their physician (96 per cent), their family (95 per cent), public health officials (91 per cent) and health researchers (87 per cent). Fewer would share with employers and co-workers (75 per cent), other government officials (73 per cent), law enforcement (68 per cent), and social media platforms (35 per cent).
- 65 per cent of respondents support the mandatory use of contact tracing apps.
[UPDATE, May 14, 3:30 pm EST]: In an interview this afternoon, Senator Colin Deacon acknowledged the question on mandatory/voluntary use of an app may not have been fair. The question was: “In some countries the installation of this app is mandatory. How supportive would you be for this to be the case in Canada.” Twenty-three per cent were very supportive and 42 per cent were somewhat supportive.
Asked if he thought that was a loaded question, Deacon said “potentially it is … I don’t know that it does. It asks, ‘What are your thoughts.'”
When it was suggested a neutral question would be ‘Should adoption be mandatory or voluntary,’ Deacon said, “That’s a fair point.”
Some experts object to the use of a mobile contact tracing app on privacy grounds, saying any system that collects personal data puts a user at risk. However, Deacon said the use of a contact tracing app has to be looked at as an aid to COVID-19 infection control. He said any approved app must protect privacy first. But, he added, many critics use smartphones and social media and manage access to their data. “As long as the [contact] data doesn’t leave your phone” except to notify people they should get tested, “I don’t see how that is any more invasive” than requiring people who test positive for the virus to tell health authorities with whom they have recently been in close contact, he said.
“Alongside this strong support for the use of contact tracing apps, we do find concerns about personal privacy and the security of personal data,” said a report that analyzed the Senate survey findings. “Accordingly, any roll-out of an app(s) will require robust privacy protection to be in place in a manner that earns the support of potential users of the app.”
A contact tracing app could help health authorities who do manual contact tracing, he said. It’s “unsustainable” to have large numbers of Canadians at home and not working because of the virus.
Former Ontario privacy commissioner Ann Cavoukian denounced the Senate survey’s mandatory adoption question. “It’s crazy,” she said in an interview. “It’s so skewed. To me this [question and result] has no validity … It creates the myth that the app is going to be mandatory.”
To her, the response to the KPMG Canada survey question is more credible.
Asked how an app should be introduced in Canada, Cavoukian urged governments to follow the Apple/Google framework, which doesn’t send the mobile IDs gathered by an app to health authorities for decryption and follow-up with individuals. Instead, when a user tests positive for COVID-19 they instruct the app to send a warning direct to those with a similar app whose mobile ID has been connected. That’s why Apple and Google have recently changed the description of their framework from a contact tracing app to “exposure notification,” she said.
(This story has been updated from the original by adding comments by Senator Colin Deacon and Ann Cavoukian)
It’s bad enough that hackers are able to exploit software vulnerabilities in IT environments to make off with sensitive data, but too often mistakes and misconfigurations by employees also lead to data being exposed. Two incidents reported this week show how serious this can be.
CBC News recently discovered the first incident, which involved perhaps a decade’s worth of unedited appeal decisions of the Nova Scotia Workers Compensation Board being posted on a legal website with the names of workers. Some of the information also included intimate personal information about claimants. Usually, names and other identifying information in those cases are deleted.
Nova Scotia removed the unedited documents after being told of their discovery by CBC.
“It’s terrible to hear,” the broadcaster quoted one WCB claimant whose 2009 case was posted. “I was shocked more than anything.”
The incident involves decisions between 1998 and 2009 of the Nova Scotia Workers Compensation Appeals Tribunal (WCAT) that were uploaded to the website of the Canadian Legal Information Institute (CANLII). Lawyers and legal researchers use the decisions filed there to support their cases. However, the database is open to the public.
According to the CBC, all WCAT cases filed after 2010 had the names of the worker and their employer redacted.
Asked for comment, the tribunal issued a statement saying it “is aware of this situation, and WCAT is following the Province’s privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer.”
The provincial information and privacy commissioner’s office has been notified of the incident. Provincial legislation doesn’t mandate that victims of a WCAT data breach be notified.
In the second case, Wired.com discovered a presumably confidential U.K. health department document on a public Google drive with possible new features for the country’s COVID-19 contact tracing app. The series of slides, marked ‘OFFICIAL – SENSITIVE’, was part of a group of documents intended to be open so the public can see how the app, now in a trial, was developed.
Wired says the sensitive document was part of a group published by the U.K. National Health Service (NHS) on a Google Drive. It was accompanied by a privacy impact assessment of a U.K. COVID-19 contact tracing app now being tested and could be seen by anyone with a link. While other documents could not be accessed without approval, the sensitive slide deck with potential features wasn’t.
What could make the slide deck embarrassing to the government is it contains possible features to be added to the already controversial app now being tested among the population of the Isle of Wight. In addition to disputes over whether such mobile apps are effective in helping control the rate of infection, privacy and health experts are fighting over whether an approved app should hold encrypted contact information on a mobile device (the decentralized model pushed by Google and Apple) or uploaded to a government-controlled server (the centralized model). The U.K. app being tested uses a centralized model. However, this week news emerged that the U.K. government is also paying for the development of a decentralized app.
The slides say a future version of the app being tested could allow users to periodically enter their personal health status, as well as their postal code, demographic and location information to help the NHS in infection planning.
Graham shares stories of email storms, Carole describes the steps being taken by firms as they try to coax employees back to the office, and special guest Lisa Forte details a hack that has impacted Lady Gaga and other celebrities.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veterans Graham Cluley and Carole Theriault.
The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive:
In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the "California Consumer Privacy Act." Ballot initiatives are a process under California law in which private citizens can propose legislation directly to voters, and pursuant to which such legislation can be enacted through voter approval without any action by the state legislature or the governor. While the proposed privacy initiative was initially met with significant opposition, particularly from large technology companies, some of that opposition faded in the wake of the Cambridge Analytica scandal and Mark Zuckerberg's April 2018 testimony before Congress. By May 2018, the initiative appeared to have garnered sufficient support to appear on the November 2018 ballot. On June 21, 2018, the sponsors of the ballot initiative and state legislators then struck a deal: in exchange for withdrawing the initiative, the state legislature would pass an agreed version of the California Consumer Privacy Act. The initiative was withdrawn, and the state legislature passed (and the Governor signed) the CCPA on June 28, 2018.
Since then, it has been substantially amended -- that is, watered down -- at the request of various surveillance capitalism companies. Enforcement was supposed to start this year, but we haven't seen much yet.
And we could have had that ballot initiative.
It looks like Alastair Mactaggart and others are back.
Advocacy group Californians for Consumer Privacy, which started the push for a state-wide data privacy law, announced this week that it has the signatures it needs to get version 2.0 of its privacy rules on the US state's ballot in November, and submitted its proposal to Sacramento.
This time the goal is to tighten up the rules that its previous ballot measure managed to get into law, despite the determined efforts of internet giants like Google and Facebook to kill it. In return for the legislation being passed, that ballot measure was dropped. Now, it looks like the campaigners are taking their fight to a people's vote after all.
The new proposal would add more rights, including over the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation. It would also triple existing fines for companies caught breaking the rules surrounding data on children (under 16s) and would require an opt-in to even collect such data.
The proposal would also give Californians the right to know when their information is used to make fundamental decisions about them, such as getting credit or employment offers. And it would require political organizations to divulge when they use similar data for campaigns.
And just to push the tech giants from fury into full-blown meltdown, the new ballot measure would require any amendments to the law to pass by a majority vote in the legislature, effectively stripping their vast lobbying powers and cutting off the multitude of ways the measure and its enforcement can be watered down within the political process.
I don't know why they accepted the compromise in the first place. It was obvious that the legislative process would be hijacked by the powerful tech companies. I support getting this onto the ballot this year.
EDITED TO ADD(5/17): It looks like this new ballot initiative isn't going to be an improvement.
Imagine you’re the UK Government in the middle of the biggest crisis the country has faced since World War II.
How are you going to instill some confidence that citizens should install a new Coronavirus tracing app?
What can X Æ A-12 Musk teach us about passwords? How did our guest finally hunt down in Manila the author of one of history’s biggest virus outbreaks? And what on earth is a hacker doing breaching Roblox security?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.
Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device
The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.
Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.
Your password sharing habit may not be as harmless as you think. And yes, that includes Netflix login info too.
That’s one finding to come out of our newly released study of 2020’s Most (and Least) Cyber-Secure States. In this year’s analysis of the cyber readiness of all 50 U.S. states, and in partnership with Wakefield Research, we created a “Cyber Risk Hygiene Index” based on 10 metrics meant to measure individual and state-level cyber resilience against adverse online events.
If you’re unfamiliar with the report, you can read an introduction here.
Unfortunately for many Americans, two of those cyber hygiene metrics involved questions about their password habits:
- Do you avoid sharing passwords with others?
- Do you avoid reusing passwords?
Now, these questions weren’t the only reason no American received a passing grade on our Cyber Risk Hygiene Index, or that no state scored higher than a D, but they didn’t help. In all, the report found that more than one-third (34%) of Americans admit to sharing passwords and login credentials with others. Nearly half (49%) report having more accounts than passwords, meaning passwords are being reused across accounts.
Perhaps even more troubling is the finding that sharing passwords for streaming services—that famously widespread and supposedly benign new-age habit—has a worrying correlation: Americans who share passwords for streaming services (38%) are twice as likely to say they have had their identity stolen than those who do not (18%).
This is alarming because sharing and reusing passwords is especially dangerous during this golden age of phishing attacks. It means that, as soon as a cybercriminal achieves success in one phishing attack, those pinched credentials are likely to work for several other popular sites. A single successful phishing expedition could yield catches on banking sites, credit card applications, online marketplaces, and in a host of other potentially lucrative instances.
Even by sharing passwords with those a smidge less than trustworthy, or just careless, you’re increasing your attack surface. That network of individuals who now have access to your accounts can give your information away if any of them takes the bait in a phishing attack.
“Instead of giving away the keys to the guest room when you share passwords, it’s more like giving away keys to the castle if they are reused across multiple accounts,” says Webroot threat analyst Tyler Moffitt, “you could be giving away the keys to the whole kingdom if that’s the only password you use.”
More password facts from the report
- Tech Experts, one of the riskiest categories of users studied in our report, are more likely to share passwords (66%) than the average American (44%). Clearly, we at Webroot are in no position to point fingers.
- On brand, 66 percent of so-called “Mile Markers” refrained from sharing passwords, compared to 63 percent for the average American. This group scored the highest on our index and is defined by having progressed through life markers such as earning a degree, owning a home, or having children.
- Home-based Very Small Businesses (VSBs) are less likely to work with a dedicated IT team. As a result, they are more likely to use their personal devices for work and share passwords. Of these, 71 percent use the same passwords for home and business accounts, potentially cross contaminating their work and personal lives with the same security gaps.
- By generation, Gen Z is most likely to share passwords (56%), followed by Millennials (47%), Gen X (33%), and Boomers (19%).
How to address poor password practices
In terms of a personal password policy, it’s important to set yourself up for success. Yes, it’s true the number of passwords one is responsible for can be dizzying: 191 per business user, according to one popular study.
That, and the parameters for creating a sound password seemingly grow more complex by the day. It used to be enough just to have a password. But now they must be x characters long, contain one number and one special character, and so on… And did we mention we recommend a passphrase, not a traditional password?
You get the gist.
That’s why our single strongest piece of advice to users looking to upgrade their cyber resilience is to use a password manager. This allows you to create long, alphanumeric and otherwise meaningless passwords without the need to keep tabs on them all.
After you’ve created a strong bank of passwords, managed through a password manager, supplement your security by adding two-factor authentication (2FA). 2FA pairs your login credentials, something you know, with a second factor: something you have, like a mobile phone or hardware token, or something you are, like a fingerprint. That way, lifting your password (a unique one for each account, no doubt) isn’t enough on its own to get into your account.
“Put simply, an account simply isn’t as secure as it could be without 2FA,” says Moffitt. “And that means your credit card info, home address, or bank accounts aren’t as safe as they could be.”
No more reusing passwords. And, hopefully, no more sharing passwords. But that part’s up to you. You just have to ask yourself, is Netflix access worth having your identity stolen?
The post Poor Password Practices: The Curse of the Cybersecurity Risk Index Score appeared first on Webroot Blog.
…and why are they selling it to other security vendors and product testers?
The post Professional data leakage: How did that security vendor get my personal data? appeared first on WeLiveSecurity
Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices. Spotify: https://open.spotify.com/episode/5wXKv9DiQjfsZNf6heXg67 Stitcher: […]
The post Podcast Episode 6: Taking Over IoT Devices with MQTT appeared first on The State of Security.
I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking:
Ok folks, let's talk about the Coronavirus tracking app as news of Australia adopting Singapore's "TraceTogether" gains momentum. I'd willingly run it and I want to explain why because there's also some very valid concerns. Let's begin:— Troy Hunt (@troyhunt) April 16, 2020
On Sunday night, that app finally landed here, branded as COVIDSafe. I installed it the day after, capturing a bunch of my own thoughts and linking to efforts from the community to dissect what it was actually doing:
I've just installed #covidsafe and want to capture my thoughts on the experience and the general principles behind the app here, especially as they relate to privacy and trust in the government. My last thread on this was 11 days ago and is still relevant: https://t.co/YCoA6x3zql— Troy Hunt (@troyhunt) April 27, 2020
The efforts of fellow community members (several of them fellow Microsoft MVPs) garnered a lot of attention so we banded together to run a public panel yesterday. That 2-hour panel discussion has now been published to YouTube and it's chock-a-block full of real world observations about what the app actually does, what it collects, what it sends and what the real world privacy and security implications are. I loved being a part of this panel as it allowed us to step away from the speculation and conspiracy theories and instead focus on the facts of how the thing works. None of us have any commercial interests in this (we all went through a disclosure process in the video), it's just pure independent, fact-based discussion. Enjoy:
From late 2019, MAZE ransomware became infamous for its encryption, data theft and the subsequent sale of the stolen data. A few other reasons for its notoriety are its unusual targets and its ransom demands. Since its inception around May 2019, MAZE actors have targeted multiple sectors, prominent ones…
Names, addresses and birthdates of more than 100 people shared in privacy breach
The company responsible for delivering traffic reports on radio and TV stations across Australia accidentally sent out the dates of birth, names and home addresses of more than 100 current and former staff to potentially thousands of people as the company seeks to apply for JobKeeper payments.
Australian Traffic Network provides short traffic report updates during news bulletins to 80 radio and television stations, including the ABC, Seven, Nine, 10, 2GB and Triple M.
An app that logs movements and contacts might seem like a fair trade now but we risk giving away our privacy for good
Even when the lockdown is lifted, there is no guarantee that life will ever return to normal. To prevent a future outbreak of coronavirus, the UK will need to roll out mass testing, maintain some social distancing measures and closely monitor communities to curb future flare-ups.
In pursuing that last aim, governments across the world are developing technology to track our movements. When lockdown ends, technology could be a valuable means of controlling future outbreaks, alerting people to cases of Covid-19 in their area and hopefully preventing future shutdowns.
While malware infections on Apple computers are a growing trend, users can also fall victim to other attacks that involve phishing and may lead to identity theft, financial losses, and other serious issues. Phishing is one of the dominant forms of online attack today. With social engineering at its core, it mainly relies on booby-trapped links, typically arriving by email, to hoodwink recipients into disclosing their personal information to fraudsters.
The particularly unnerving thing is that phishing kits available on darknet sources can be easily accessed by individuals who don’t have a solid programming background. It means that even people with basic computer skills may zero in on you.
Here’s some food for thought: there are currently about 1.5 billion Apple devices in use worldwide. All of them require unique Apple IDs to access the manufacturer’s proprietary services such as iCloud, App Store, iMessage, Apple TV, Apple Music, FaceTime, and many others. It means the potential attack audience is huge and the entry point is the Apple ID password, one secret combo of characters and numbers.
Why may fraudsters want to steal your Apple ID?
Apple ID is your key to using all Apple services and implies unlimited access to a plethora of sensitive information. Here’s a brief overview of its common use cases:
- No matter if you own an iDevice or a Mac, you use your Apple ID to sign in to it and unleash its full potential and features. It’s within the realms of possibility that it will also be a way to log in to Apple’s future self-driving electric car, which is rumored to be a work in progress at this point.
- Apple ID retains your payment and shipping details to facilitate the process of buying apps, service subscriptions, and devices from Apple.
- Your Apple ID is the conduit to accessing your security settings and extensive details on all app and service purchases you completed with it.
- You use Apple ID to access your iCloud account, a place where you store your photos, videos, and other personal data. If stolen, these files can be mishandled to perpetrate blackmail attacks.
Techniques used to dupe you into visiting Apple ID phishing pages
The scammers’ repertoire spans quite a few types of Apple ID phishing mechanisms. Familiarize yourself with some of the most widespread methods to make sure you don’t fall for them down the road.
- Spoof payment statement email
You should be able to identify this phishing attempt by looking at the subject line of the received email. It says “Payment Statement,” “Receipt ID,” “Receipt Order,” or something similar. The goal of this phony message is to make you think your credit card has been used to pay for some products or services.
The natural reaction of most users is to plunge headlong into canceling the order they are clueless about. The email contains a link you can click to supposedly go to the appropriate billing information page. Instead, you will be redirected to a phishing site that instructs you to verify your personal data, including your credit card number and Apple ID password.
There are usually a few giveaways in these emails. First off, the sender field will contain a string that isn’t a valid Apple email address. Furthermore, the message may contain an attachment in MS Word format, a type of file Apple wouldn’t send to its customers. Also, pay attention to the URL that shows up when you hover the mouse over the “Cancel and Manage Orders” (or similar) link – it’s typically something absolutely unrelated to Apple.
With that said, you should refrain from clicking any suspicious links received via email. Unfortunately, there are payment-related phishing messages that look really true to life and feign urgency. They may forward you to a web page that looks just like the legit Apple site, except that some words can be misspelled and the navigation icons at the top aren’t clickable. You should exert caution with dubious emails like that.
- Apple ID fraudulent phone calls
Hoaxes aimed at wheedling out Apple IDs don’t only revolve around sketchy emails. Some of them may cash in on scam phone calls. To instill a false sense of legitimacy into users, crooks often take advantage of the caller ID spoofing trick so that the phone number displayed on your phone looks like a real Apple number. When you look at the call details, they may even include the authentic company logo and official website. The impostors will usually ask you to provide your sensitive details for account validation or to ensure that you comply with the purportedly updated Terms of Service and can continue to use certain features.
- Bogus text messages
Apple ID phishing campaigns can also involve text messages sent to your phone. They typically say something like “Your Apple account is suspended” and instruct you to follow a link to find out how to sort out the alleged predicament. You’ll be asked to enter your personal information in a fake form on the linked-to website mimicking an Apple support page.
- Misleading pop-ups
This type of phishing originally surfaced as a proof of concept, and fortunately there have been no reports of real-world attacks of this sort so far. However, researcher Felix Krause has demonstrated that it is a viable attack vector, so such phishing attempts could appear in the wild at any time.
The idea is simple: a malicious app triggers a rogue dialog asking the victim to enter their Apple ID password to sign in to the iTunes store. The authentication details go to the attacker once typed in. Most users take such pop-ups for granted and don’t mind entering their sensitive information to keep using an app they like. To top it off, the alerts look identical to ones routinely generated by iOS.
To check whether a dialog is genuine, Krause recommends pressing the Home button. If the app closes and takes the dialog with it, you are dealing with a spoofed pop-up. If the dialog stays on screen, it is a genuine iOS request: real system prompts are drawn by a separate system process rather than by the app itself, so they survive the app being sent to the background.
Best practice tips to identify Apple phishing attempts
Although some phishing hoaxes may be harder to pinpoint than others, all of them share a number of telltale signs. Here are some common red flags to look out for:
- Spelling and grammar inaccuracies;
- A poorly designed email or web page;
- Dubious sender address unrelated to Apple;
- Requests to verify sensitive info over email or phone (something Apple never does);
- Suspicious-looking or shortened hyperlinks;
- Dodgy email attachments.
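Several of these red flags can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article or from Apple: it parses a raw email with Python’s standard library and reports a sender domain unrelated to Apple, risky attachment types, shortened links, links pointing outside Apple, and links whose visible text names a different host than the real destination (the classic “appleid.apple.com” lookalike). The Apple domain allowlist, the shortener list and the two sample messages are constructed for this example and are not Apple’s official lists.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of Apple sender and link domains (illustrative, not Apple's official list).
APPLE_DOMAINS = {"apple.com", "email.apple.com", "id.apple.com", "icloud.com"}
# Assumed list of URL shorteners, which hide the real destination of a link.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# Attachment types a genuine receipt or account notice would not carry.
RISKY_ATTACHMENTS = (".doc", ".docx", ".zip", ".exe", ".js", ".htm", ".html")


def _in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message):
    """Return the list of red flags found; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Sender address unrelated to Apple: check the real address, not the display name.
    _, sender = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = sender.rpartition("@")[2]
    if not _in_domains(sender_domain, APPLE_DOMAINS):
        flags.append(f"sender domain is not Apple: {sender_domain}")

    # Dodgy attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            flags.append(f"risky attachment: {name}")

    # Links: shortened, pointing outside Apple, or text naming a different host than the href.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if _in_domains(host, SHORTENERS):
            flags.append(f"shortened link: {href}")
        elif not _in_domains(host, APPLE_DOMAINS):
            flags.append(f"link points outside Apple: {href}")
        if "." in text and " " not in text:  # link text looks like a hostname or URL
            shown = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
            if shown and shown != host:
                flags.append(f"link text shows {shown} but goes to {host}")
    return flags


# Constructed samples: a lookalike "Receipt ID" phish and a message that passes every check.
SAMPLE_PHISH = """\
From: "Apple Support" <billing@apple-receipts-center.com>
To: victim@example.com
Subject: Receipt ID 7712-A
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your Apple ID was used to purchase "Pro Video Editor" for $99.99.</p>
<p>If you did not authorize this, <a href="http://bit.ly/3xmplxy">Cancel and Manage Orders</a>.</p>
<p>Or visit <a href="http://appleid.apple.com.verify-account.example/">appleid.apple.com</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Apple <noreply@email.apple.com>
To: victim@example.com
Subject: Your receipt from Apple
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Thanks. <a href="https://reportaproblem.apple.com/">Report a Problem</a></p></body></html>
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE_PHISH):
        print("FLAG:", flag)
    print("legit sample flags:", triage(SAMPLE_LEGIT))
```

Note that the host check deliberately compares the full hostname, so `appleid.apple.com.verify-account.example` is not treated as Apple just because it starts with an Apple-looking label; spelling and grammar, the first red flag on the list, is the one check that still needs a human.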
How to avoid falling victim to Apple ID phishing scams?
To make yourself a harder target, adopt a few practices that will keep your Apple ID safe and strengthen your personal security posture overall.
- Stay abreast of cybersecurity news covered by reputable sources.
- Opt for web browsers equipped with anti-phishing features (Google Chrome is a good example).
- Abstain from opening email attachments sent by someone you don’t know.
- Get into the habit of hovering your mouse over hyperlinks before you click. If you notice the slightest hint of danger, don’t click the link.
- Set up 2FA (two-factor authentication) for your Apple ID and other personal accounts.
- Make sure you are using the latest macOS or iOS version supported by your device.
Additionally, you should do your homework and peruse some security tips provided by Apple. Many users don’t bother exploring these recommendations until they have been scammed. You are better off safeguarding your accounts proactively and nurturing your phishing awareness. Here are the sources on your must-read checklist:
- How to tell if an email was actually sent by Apple.
- What to do if you suspect someone has unauthorized access to your Apple ID.
- General phishing information.
- Ways to avoid phishing attacks and other scams.
- Apple ID security fundamentals.
Amid the coronavirus outbreak, Zoom Video Communications, the California-based video conferencing company that has become the backbone of the entire work-from-home effort, is struggling to contain what could easily turn into a mass credential leak.
Dubbed the UNC path injection issue by @_g0dmode (“Mitch”), the security researcher who identified it, this vulnerability can be exploited to capture Windows login credentials (NTLM authentication responses) and network information. Despite having been notified of the issue, Zoom has yet to ship a permanent fix.
Zoom has, no doubt, become an indispensable communication tool and an asset for companies who want to ensure business continuity for the duration of the pandemic.
According to The Guardian, the company has registered 1,500% growth in its shares as more and more investors rally around Zoom’s banner. As we speak, Yuan’s brainchild has overtaken competitors including Skype for Business, Microsoft Teams, Google Meet and Slack. However, this growth comes at a cost, as security researcher @_g0dmode recently pointed out.
The case for Zoom is an obvious one: video beats audio and text. Face time is as important as exercise during remote work for maintaining solidarity among employees. Like most of its competitors, Zoom has many useful business-oriented features such as link sharing, online collaboration and workspaces.
UNC Path Injection Issue
When it comes to link sharing, tools such as Zoom convert URLs typed into chat into clickable hyperlinks so that the recipient can open them in a web browser. Nothing out of the ordinary about that. This is where things get complicated.
As observed, Zoom’s Windows client did not only turn URLs into clickable links; it also turned UNC (Universal Naming Convention) paths into clickable links. Why does that point toward a credential leak?
Going back to basics: UNC is the standard notation Windows uses to identify files, servers, printers and other shared resources on a network (a company network, a home network, and so on).
A regular UNC path looks like \\Kansas\Example\Wicked.txt. To open the text file Wicked.txt, you name the server that hosts the share (Kansas) and the share or directory the file lives in (Example).
So what happens if someone clicks a UNC path link? The endpoint tries to connect to the named host over SMB (Server Message Block), the Windows file-sharing protocol. As part of that connection, Windows will by default attempt NTLM (NT LAN Manager) authentication, sending your username and domain together with an NTLMv2 challenge-response computed from your password hash. That response is what is loosely referred to as the leaked “NTLM hash”.
If the SMB server that receives the request is under the control of a malicious actor, clicking the UNC link hands all of this over automatically. One might think the attacker has little use for it, since nothing is sent in plaintext.
However, as @_g0dmode (Mitch) pointed out, the captured response can be cracked offline with open-source tools, and it falls quickly if the password is weak or has never been changed. It can also be relayed to another server that accepts NTLM authentication, which requires no cracking at all.
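The mechanism above is easiest to see in code. The following is an added example, not Zoom’s code: a minimal chat “linkifier” in its vulnerable form, where anything shaped like a URL or a UNC path becomes a clickable link, beside the hardened form that only links http(s) URLs and leaves UNC paths as inert text. A helper also lists the hosts a recipient’s SMB client would contact if the links were clicked, which is where the NTLM exchange would go. The sample chat message, the regular expressions and the 203.0.113.7 address (a documentation range standing in for the attacker’s SMB server) are all constructed for this example.

```python
import html
import re

# Added example, not Zoom's code: a minimal chat "linkifier" in its vulnerable form
# (UNC paths become clickable), the hosts a victim's SMB client would contact, and
# the hardened form that only links http(s) URLs.

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# UNC paths: \\host\share[\path] or //host/share[/path]. The negative lookbehind stops
# the "//" inside http(s):// from being mistaken for a UNC path.
UNC_RE = re.compile(r"(?<![\w:])(?:\\\\|//)([A-Za-z0-9._-]+)[\\/][^\s<>\"']+")


def _anchor(target: str) -> str:
    shown = html.escape(target, quote=True)
    return f'<a href="{shown}">{shown}</a>'


def linkify_unsafe(text: str) -> str:
    """Vulnerable behaviour: both URLs and UNC paths are turned into clickable links."""
    text = URL_RE.sub(lambda m: _anchor(m.group(0)), text)
    return UNC_RE.sub(lambda m: _anchor(m.group(0)), text)


def linkify_safe(text: str) -> str:
    """Hardened behaviour: only http(s) URLs become links; UNC paths stay inert text."""
    return URL_RE.sub(lambda m: _anchor(m.group(0)), text)


def unc_hosts(text: str) -> list:
    """Hosts the recipient's SMB client would connect to, sending an NTLM response,
    if each UNC path in the message were rendered as a link and clicked."""
    return [m.group(1) for m in UNC_RE.finditer(text)]


# Constructed chat message: a legitimate meeting link plus an attacker-controlled UNC path
# (203.0.113.7 is a documentation address standing in for the attacker's SMB server).
SAMPLE_MESSAGE = ("Agenda: https://zoom.us/j/123456789 "
                  "Slides: \\\\203.0.113.7\\shared\\agenda.docx")

if __name__ == "__main__":
    print("vulnerable:", linkify_unsafe(SAMPLE_MESSAGE))
    print("hardened:  ", linkify_safe(SAMPLE_MESSAGE))
    print("SMB targets:", unc_hosts(SAMPLE_MESSAGE))
```

The difference between the two linkifiers is one substitution: the hardened version simply never produces an anchor whose target is a UNC path, so the recipient would have to copy the path into Explorer by hand, which is the same effort an attacker faced before the client started doing it for them.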
Following the researcher’s disclosure, Zoom informed its customers that it is taking the necessary steps to fix (and, in the meantime, mitigate) the issue, but no timeline has been announced. Meanwhile, Microsoft offers a workaround that applies to the UNC path injection issue. I cover it in the section below.
Zoom’s #1 on the hitlist
This isn’t Zoom’s only blunder. In July 2019, EPIC (Electronic Privacy Information Center) filed a complaint against the Californian company after security researchers showed that the Zoom Mac client installed a local web server that allowed a web page to bypass the browser’s safeguards and switch on the user’s camera.
This happened without the user’s express consent or knowledge. Zoom’s response was to remove that local web server from its Mac installs.
Unfortunately, Zoom’s list of blunders doesn’t end here. Recently, the company received a major backlash after Motherboard revealed that Zoom’s iOS application was covertly harvesting user data and sending it to third-parties, including Facebook.
That report concerned analytics data (device details, time zone, city and an advertising identifier) sent through the Facebook SDK, even for users without a Facebook account, which can feed targeted Facebook advertising and other marketing; Zoom removed the SDK shortly afterwards. The purpose of this article is to give you insight into the latest UNC path injection issue, not to do a ‘Zoom blunders body count’, so I’m going to stop here.
How to use Zoom safely while working from home
I’ve put together a small list of useful advice on how to protect your data and privacy while using Zoom from home.
Restricting NTLM: Outgoing NTLM traffic to remote servers
Let’s talk about the elephant in the room, which in this case is Microsoft’s mitigation. While waiting for Zoom to remediate the issue, you can apply this workaround (it is a Windows-only setting). Be aware that Deny all blocks every outgoing NTLM authentication to remote servers, not just the attacker’s, so it can break access to file shares, printers and other services that still rely on NTLM; set the policy to Audit all first, check what would be affected, and only then switch to Deny all.
If you have administrator rights, run the Group Policy Editor (gpedit.msc) and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Select Deny all and save the change.
If you cannot use the Group Policy Editor, set the same value directly in the registry. Run the registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. Right-click in the right-hand pane, select New, then DWORD (32-bit) Value, name it RestrictSendingNTLMTraffic, and set its value to 2 (0 allows all outgoing NTLM, 1 audits it, 2 denies it).
Review and update your Zoom privacy settings
Before reviewing your privacy settings, make sure your machine runs the latest Zoom version. Keep in mind that attackers look for unpatched or outdated apps. For the latter, I recommend an automatic updater so you don’t have to patch everything by hand.
Thor Foresight Enterprise, our company’s award-winning DNS traffic-filtering solution, solves two major issues: blocks malicious connections to prevent malware from reaching your device and updating your apps and software on the fly.
As for Zoom privacy, I would also advise using a second device for other tasks (replying to a colleague’s DM, checking your email, searching the web) to avoid Zoom’s notorious attention-tracking feature. It is also a good idea to log in with your Zoom credentials rather than with your Facebook account, to avoid data harvesting.
The UNC path injection issue remains unsolved. We are (eagerly) awaiting an articulated response from Zoom, given the huge number of companies relying on its software for business continuity. I will update this article as soon as Zoom releases a permanent fix.
The post SECURITY ALERT: Zoom Under Scrutiny in Wake of UNC Patch Injection Issue Disclosure appeared first on Heimdal Security Blog.
The company has seen a 535% rise in daily traffic in the past month, but security researchers say the app is a ‘privacy disaster’
As coronavirus lockdowns have moved many in-person activities online, the use of the video-conferencing platform Zoom has quickly escalated. So, too, have concerns about its security.
In the last month, there was a 535% rise in daily traffic to the Zoom.us download page, according to an analysis from the analytics firm SimilarWeb. Its app for iPhone has been the most downloaded app in the country for weeks, according to the mobile app market research firm Sensor Tower. Even politicians and other high-profile figures, including the British prime minister, Boris Johnson, and the former US federal reserve chair Alan Greenspan, use it for conferencing as they work from home.
UK supreme court says retailer not to blame for actions of employee with grudge
The UK’s highest court has ruled that Morrisons should not be held liable for the criminal act of an employee with a grudge who leaked the payroll data of about 100,000 members of staff.
The supermarket group brought a supreme court challenge in an attempt to overturn previous judgments which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.
WhatsApp is one of the largest instant messengers and is considered by many a social network of its own. So, continuing our app safety discussion, we’re diving into some of the top security hacks and questions many WhatsApp users and parents may have.
But first, what’s a security hack? In short, it’s an attempt to exploit the weaknesses in an app, network, or digital service to gain unauthorized access, usually for some illicit purpose. Here are just some of the concerns WhatsApp users may have and some suggestions on boosting security.
WhatsApp Hack FAQ
Are WhatsApp conversations private?
Yes — but there are exceptions. WhatsApp offers more privacy than any other app thanks to end-to-end encryption, which scrambles messages so that only you and the person you’re communicating with can read your messages or listen to your calls. Here’s the catch: WhatsApp messages (which include videos and photos) are vulnerable before they are encrypted and after they are decrypted if a hacker has managed to drop spyware on the phone. Spyware attacks on WhatsApp have already occurred. Safe Family Tip: No conversation shared between devices is ever 100% private. To increase your WhatsApp security, keep sensitive conversations and content offline, and keep your app updated.
Can anyone read my deleted WhatsApp messages?
A WhatsApp user can access his or her own deleted messages via the chat backup function that automatically backs up all of your messages at 2 a.m. every day. WhatsApp users can delete a message by using the Delete for Everyone button within an hour of sending, though it’s not foolproof. Here’s the catch: Anyone who receives the message before it’s deleted can take a screenshot of it. So, there’s no way to ensure regrettable content isn’t captured, archived, or shared. There are also third-party apps that will recall deleted messages shared by others. Another possibility is that a hacker can access old chats stored in an app user’s cloud. Safe Family Tip: Think carefully about sharing messages or content you may regret later.
Can WhatsApp messages be deleted permanently?
Even if a WhatsApp user decides to delete a message, it’s no guarantee of privacy since conversations are two-way, and the person on the receiving end may screenshot or save a copy of a chat, video, or photo. On the security side, you may delete a message and see it disappear, but WhatsApp still retains a “forensic trace of the chat” that can be used by hackers for mining data, according to reports. Safe Family Tip: For extra security, turn off backups in WhatsApp’s Settings.
How can I secure my WhatsApp?
It’s crucial when using WhatsApp (or any other app) to be aware of common scams, including malware, catfishing, job and money scams, spyware, and file jacking. To amplify security, turn on Security Notifications in Settings, which will send an alert if, for some reason, your security code changes. Other ways to boost security: Use two-step verification, never share your 6-digit SMS verification code, disable cloud backup, and set your profile to private. Safe Family Tip: Install comprehensive family security software and secure physical access to your phone or laptop with facial recognition, a fingerprint, or a passcode. Don’t open (block, report) messages from strangers or spammers. Never share personal information with people you don’t know.
How do I delete my WhatsApp account from another phone?
To delete a WhatsApp account, go to Settings > Account > Delete My Account. Deleting your account erases message history, removes you from groups, and deletes your backup data. According to WhatsApp, for users moving from one type of phone to another, such as from an iPhone to an Android, and keeping the same phone number, your account information stays intact, but you won’t be able to migrate messages across platforms. If you’re not keeping your number, you should delete WhatsApp from your old phone, download WhatsApp to your new phone, and verify your new phone number. Upgrading the same phone type will likely include options to migrate messages. Safe Family Tip: Before you give away or exchange an old phone, wipe it clean of all your data.
How do you know your WhatsApp is scanned?
WhatsApp users can easily sync devices by downloading the WhatsApp web app and activating it (Settings > WhatsApp Web/Desktop). Devices sync by scanning a QR code that appears on your laptop screen. You know your device is scanned when you see the green chat screen appear on your desktop. Safe Family Tip: It’s possible for a person with physical access to your desktop to scan your QR code and gain account access. If you think someone has access to your account, log out of all your active web sessions in WhatsApp on your mobile phone.
How long are WhatsApp messages stored?
According to WhatsApp, once a user’s messages are delivered, they are deleted from WhatsApp servers. This includes chats, photos, videos, voice messages, and files. Messages can still be stored on each individual’s device. Safe Family Tip: The moment you send any content online, it’s out of your control. The person or group on the receiving end can still store it on their device or to their cloud service. Never send risky content.
How secure is WhatsApp?
There’s no doubt that end-to-end encryption makes it much more difficult for hackers to read WhatsApp messages. WhatsApp is more secure than other messaging apps, but it is not 100% secure.
Is it true that WhatsApp has been hacked?
Yes. Several times and in various ways. No app, service, or network has proven to be unhackable. Safe Family Tip: Assume that any digital platform is vulnerable. Maximize privacy settings, never share risky content, financial information, or personal data.
Is WhatsApp safe to send pictures?
Encryption ensures that a transmission is secure, but that doesn’t mean WhatsApp content is safe or that human behavior is predictable. People (even trusted friends) can share private content. People can also illegally attempt to gain access to any content you’ve shared. This makes WhatsApp (along with other digital sharing channels) unsafe for exchanging sensitive information or photos. Safe Family Tip: Nothing on the internet is private. Never send or receive pictures that may jeopardize your privacy, reputation, or digital footprint.
WhatsApp isn’t the only popular app with security loopholes hackers exploit. Every app or network connected to the internet is at risk for some type of cyberattack. We hope this post sparks family discussions that help your kids use this and other apps wisely and helps keep your family’s privacy and safety online top of mind.
The post WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private? appeared first on McAfee Blogs.
Everyone’s talking about the TikTok app. In addition to talking, tweens and teens are swiping, laughing, and sharing TikTok videos. Meanwhile, parents are concerned with one thing: Is TikTok safe?
What is TikTok?
Based out of China, TikTok is a video-based social networking app that replaced the Musical.ly app, which ended its digital run in 2017. The app allows users to create an account, make and post short 15-60-second videos, as well as view, comment on, and share videos from other users. According to reports, TikTok has 1 billion active users in 155 countries. Approximately 60 percent of TikTok’s audience is between 16 and 24. Guidelines state that anyone 12+ can use the app, though there’s no age-verification process.
Why Do Kids Love TikTok?
TikTok is the latest and greatest digital hangout and has become the main channel for kids to discover new and creative ways to express themselves. They can follow their interests, be entertained, and be rewarded with views, likes, and shares for their artistic efforts. TikTok has built-in editing tools, free music and dialogue clips, and filters that make creating videos easy for any skill level. Users can share funny sketches, lip-sync videos, and spontaneous, personal raves or rants. According to app reviews posted by teens, TikTok is also a go-to creative outlet, a place to de-stress, and a confidence-builder.
What are the risks?
Apps aren’t inherently risky. Rather, it’s the way individuals use an app that puts themselves or others at risk. That’s why understanding how your kids engage on TikTok, and how to make the experience as safe as possible, is important. Here are some of the risks your child could encounter on TikTok:
Contact from strangers. According to news reports, predators use TikTok to connect with kids. Anyone who follows a TikTok user can privately message them and initiate private conversations outside of the app.
Exposure to mature content and lyrics. Apps attract users of all ages, which means if your child has a TikTok account, he or she has access to the public video feed. With 1 billion users, your child will likely see videos containing sexually suggestive or explicit images and hear explicit lyrics (we saw and heard plenty). They may even unknowingly use music clips for their videos that contain explicit lyrics.
Spam and malware. Recent reports reveal software flaws that could potentially open up TikTok accounts to a range of malicious attacks. Researchers say hackers could have exploited the flaws to send legitimate-looking text messages loaded with malware, made private videos public, and accessed personal data.
Excessive screentime. TikTok is a curiosity magnet for kids, which can lead to excessive screen time, lack of sleep, and a host of other negative outcomes from too much time online.
Cyberbullying. TikTok users have been known to create “cringe compilations,” which are videos they deem to be odd, uncool, or cringe-worthy. Several of these cruel compilations have been posted outside of TikTok and have gone viral.
Quest for likes. As with any social network, some users can become preoccupied with amassing views, likes, and followers. This obsession can lead to bad decisions, risky behavior (such as challenges), cyberbullying, and sharing harmful content.
Oversharing. Some kids share their daily activities through TikTok videos and inadvertently expose personal information such as their school, their location, home address, and other personal data.
10 Family Safety Tips
Should you allow your child to use TikTok? The answer to that question depends on a few things, including the age of the child using the app and how they use it. Here are a few tips that may help in that decision.
- Download the app. The best way to understand TikTok is to download it, create an account, and explore. Take some solo time to search a few hashtags, scroll some feeds, and get a feel for the content. Visit the app’s safety center for an overview of safety tools. Visit the privacy center to see how your child’s data is being used.
- Go through the app together. Sit and browse content with your child. Discuss the pros and cons of the content and how it does or doesn’t align with your family’s digital ground rules.
- Max privacy settings. By making a TikTok account private, only approved followers (known friends) can view your child’s videos or send your child messages. When an account is public, anyone can comment, send messages, or share your child’s videos.
- Explore restricted mode. TikTok has a Restricted Mode for minors that will allow you to filter out inappropriate content.
- Explore Family Safety Mode. This TikTok feature allows a parent to link their TikTok account to their child’s to manage screen time, direct messages, set restrictions, and control friend and comment filters.
- Control interactions. Users can disable comments on a specific video, block people they don’t know from following them, and report abuse.
- Monitor social circles. Kids can change privacy settings and eventually be wooed into making more connections and getting more exposure. Consider monitoring who your child follows and who is following them. Consider the TikTok influencers they follow and the type of content they share.
- Monitor screen time. It’s easy to burn through countless hours on TikTok. The app has a digital wellbeing element that alerts users every two hours. Consider filtering software that adds another way to set screen limits.
- Talk about being an upstander. Creating and sharing original content online takes courage — and attracts bullies, making TikTok a potentially unsafe environment for kids. Encourage your child to be an upstander online and offer encouragement and support to peers when needed.
- Block the app. If you determine TikTok’s content isn’t a good fit for your family or that the risks outweigh the opportunities, both Android and iOS have built-in parental controls in Settings that allow you to block any app (consider rechecking these settings weekly).
One look at today’s headlines, and it’s tempting for a parent to want to delete every app like TikTok. Only we know a similar app will soon surface. Another approach is to jump into the digital mix. Know what apps your kids love and why. Understand how they use their favorite apps and who they are talking to. And, always remember: It’s never too early or too late to start these critical conversations with your kids. You’ve got this, parents!
Machine learning and artificial intelligence are changing the way that businesses operate. Whether it’s on the factory floor or in back-end IT, automated services and machines are increasing speed and productivity all while freeing up workers to focus on tasks which require a totally different set of skills.
Alongside this, we are seeing the role of AI in cyber security increase, as well as the number of artificial intelligence security tools being used. This is because AI is trained to learn, develop and grow using the data it is provided with. Essentially, an AI system is constantly in a state of change and improvement. In an environment where hackers and security threats are everywhere and constantly looking for a way into a system, protecting company data has never had such a high priority. With this in mind, it’s important to understand exactly what AI in cyber security is and how it is being implemented.
The Purpose of Cybersecurity
AI is proving to be one of the most influential and game-changing technology advancements in the business world. As more and more enterprises embrace the digital sphere, companies are finding new and exciting ways to implement AI-based functions into every platform and software tool at their disposal. However, one of the natural consequences of this is that cybercriminals view this increasing digitization as a definite window of opportunity.
A cyber threat is basically any act that intends to steal, harm or digitally affect data in some way. Cyber threats are more than just a nuisance; they can have serious and damaging effects. Cyber-attacks can cause electrical blackouts, involve the theft of valuable or sensitive data such as medical records, disrupt phone and computer networks, or simply paralyze entire systems, making any data unavailable. They can cripple a company in a heartbeat.
Some of the most common forms of cyber threats include:
- Phishing – Email-borne attacks that involve tricking recipients into disclosing confidential information or downloading malware by clicking on a link.
- Malware – This is usually a piece of software that performs a malicious task on a targeted device or network such as corrupting data or taking control of a system.
- Trojans – A form of malware that enters a system disguised as something else, such as a standard piece of software, before releasing malicious code once inside.
- DDoS – An attacker takes over many devices at once and uses them to flood a target system with requests, causing it to crash from an overload of demand.
- Data Breaches – A data breach is simply where an attacker hacks or finds a way into a system before stealing data directly.
Cyber threats never stay the same for very long. Millions of them are created every year, each more potent than the last, and this is where machine learning and artificial intelligence are so important in combating cyber threats.
How AI Can Help in Cyber Defence
This is where AI can help massively. Machine learning-based technologies are particularly efficient at detecting unknown threats to a network. Here, computers adapt their algorithms according to the data they receive and improve their functions over time. Essentially, the aim is to create a machine that can predict threats and identify anomalies with much greater accuracy and speed than a human equivalent could.
One of the other examples of AI in cyber security involves using supervised algorithms. These can uncover threats based on the labelled data they have been trained on. Based on this, the system can then make educated decisions pertaining to new data and determine whether it is harmful or not. Thousands of instances of malware code can be used as learning data for supervised algorithms to learn from, creating an extremely efficient system for detecting incoming threats.
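The two ideas above, a supervised classifier trained on labelled samples and an anomaly detector that flags behaviour unlike anything seen before, can be shown side by side in a few dozen lines. The following is an added example, not code from the original article or from any vendor it mentions. The telemetry is constructed: each sample is assumed to carry four features (kilobytes sent, session duration in seconds, distinct destination ports, failed logins), and the labelled training set is made up for illustration. A Gaussian naive Bayes model handles the supervised step; a z-score distance from the benign baseline handles the "unknown threat" case that the labelled model has never seen.

```python
"""Supervised detection vs. anomaly detection on constructed security telemetry.

Added example, not code from the article. Feature vectors and labels are
constructed; the assumed features per sample are:
(kilobytes sent, session duration in seconds, distinct destination ports, failed logins).
"""
import math

# Constructed labelled training data: (features, label); label 1 = malicious.
TRAINING = [
    ((120.0, 300.0, 2, 0), 0),
    ((80.0, 250.0, 1, 0), 0),
    ((150.0, 400.0, 3, 1), 0),
    ((95.0, 180.0, 2, 0), 0),
    ((110.0, 320.0, 2, 1), 0),
    ((5000.0, 40.0, 1, 0), 1),    # bulk-transfer-like
    ((4200.0, 60.0, 2, 0), 1),
    ((30.0, 20.0, 900, 0), 1),    # scan-like
    ((25.0, 15.0, 850, 0), 1),
    ((60.0, 120.0, 1, 40), 1),    # repeated-failed-login-like
    ((70.0, 130.0, 1, 35), 1),
]


def _mean_var(rows):
    """Per-feature mean and variance, with a floor so a constant feature cannot divide by zero."""
    n = len(rows)
    dims = len(rows[0])
    means = [sum(r[d] for r in rows) / n for d in range(dims)]
    variances = [max(sum((r[d] - means[d]) ** 2 for r in rows) / n, 1e-3) for d in range(dims)]
    return means, variances


def _log_gaussian(x, mean, var):
    """Log density of x under a normal distribution with the given mean and variance."""
    return -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)


def train_naive_bayes(data):
    """Supervised step: learn a per-class prior and per-feature Gaussian from labelled samples."""
    model = {}
    for label in (0, 1):
        rows = [f for f, l in data if l == label]
        means, variances = _mean_var(rows)
        model[label] = (math.log(len(rows) / len(data)), means, variances)
    return model


def classify(model, features):
    """Return (predicted label, log-odds of malicious vs benign) for one new sample."""
    scores = {}
    for label, (log_prior, means, variances) in model.items():
        scores[label] = log_prior + sum(
            _log_gaussian(x, m, v) for x, m, v in zip(features, means, variances)
        )
    log_odds = scores[1] - scores[0]
    return (1 if log_odds > 0 else 0), log_odds


def benign_baseline(data):
    """Unsupervised step: summarise only the benign samples as a baseline of normal behaviour."""
    return _mean_var([f for f, l in data if l == 0])


def anomaly_score(baseline, features):
    """Largest per-feature z-score against the benign baseline; big values mean 'never seen this'."""
    means, variances = baseline
    return max(abs(x - m) / math.sqrt(v) for x, m, v in zip(features, means, variances))


def triage(features, data=TRAINING, threshold=3.0):
    """Combine both views: the supervised verdict plus an anomaly flag for unfamiliar behaviour."""
    label, log_odds = classify(train_naive_bayes(data), features)
    anomalous = anomaly_score(benign_baseline(data), features) > threshold
    return {"label": label, "log_odds": log_odds, "anomalous": anomalous}


if __name__ == "__main__":
    # Constructed test samples: an ordinary session, a known attack pattern,
    # and a session unlike anything in the training set (very long duration).
    for sample in [(100.0, 280.0, 2, 0), (4800.0, 50.0, 1, 0), (300.0, 50000.0, 2, 0)]:
        print(sample, triage(sample))
```

The third sample illustrates the point the article makes about unknown threats: the supervised model has only ever seen benign sessions and three attack shapes, so it labels the very long session benign, while the baseline comparison flags it for review. In practice the two signals are complementary, and an analyst would tune the threshold and feature set against real telemetry rather than the constructed values here.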
The Future of Cyber Defence
As it is an environment that changes at a lightning-quick pace, trying to stay ahead of technological developments is crucial to business sustainability, as the importance of cybersecurity for digital marketing and other sectors grows. However, there are some trends to stay aware of regarding cyber defences in 2020:
- Predicting Threats Is Critical – More and more we’ll see companies concentrating on detecting and predicting cyber threats using AI. As technology and awareness develop in regards to using and adopting AI as a part of cyber defences, the need to predict and respond swiftly and accurately will increase in turn.
- It Will Become Prevalent For Consumers – Consumers are starting to realize that passwords are not providing enough account protection and that their accounts are increasingly vulnerable. AI can recognize returning users and will be key in protecting the entire customer journey, from creation through to transaction. This should allow businesses to form trusting bonds with their customers as they are protected by more than just a password.
- AI Will See A Sharp Rise In Usage – According to Capgemini, 69% of enterprises believe AI will be necessary in order to respond to cyberattacks. The majority of companies say they are counting on AI to help identify and thwart attacks that could cause increasingly expensive losses.
It can be a worrying time for businesses out there who are concerned about the growing threat of cyber-attacks. However, by combining security methods with AI and machine learning it is possible to protect yourself accordingly. By being proactive, staying up-to-date with the latest threats and working with industry professionals, you’ll be able to stay on top of even the most serious of cyber threats out there and ensure your data stays protected.
About the author
David Pittaway is a creative content writer for Aumcore, a digital marketing agency based in New York. He writes on a variety of topics that range from SEO, Machine Learning to crafting the perfect creative content marketing plan.
The post Cyber Defence: How Machine Learning and AI are Eliminating the Complexity appeared first on CyberDB.
Digital news that affects families seems to be dominating the headlines these days. To keep parents in the know, here are some of the stories you may want to give extra family discussion time to this week.
Skull Breaker Challenge Proving Unfunny
Apps — video apps especially — can help kids tap into their creativity and give kids a critical way to connect. Where the fun can take a dangerous turn is in the way kids choose to use their technology. In this case, the poor choice is in the Skull Breaker Challenge (also called the Trip Jump Challenge), a prank resulting in some kids being hospitalized.
The prank, designed to get laughs and accumulate TikTok views, involves two kids tricking a third friend into making a dance video together. Three kids line up side by side for a planned group dance that will be videotaped and posted. As everyone jumps as planned, the two kids on either side swipe the legs out from under the middle person, causing him or her to fall backward. According to reports, the prank is surfacing mainly on TikTok but also on YouTube.
Safe Family Tip: Consider talking to your child about the dangers of online challenges and the risks already reported in the news. 1) Discuss the physical dangers doctors are warning the public about, including neck strain, concussion, skull fracture, long-term complications, or even death. 2) Using current news stories, explain personal responsibility and what can happen legally if your child hurts another person during a prank.
Snapchat’s Hoop App Being Called ‘Tinder for Teens’
Snapchat users (over 2.5 million in fact) are flocking to a new Tinder-like app called Hoop that interfaces with Snapchat. The developer app allows other Hoop users to swipe through other Hoop users and request to connect via their Snapchat profile name.
While the app asks a user’s age, much like other social sites, there’s no way to prove a user’s age. And, users can change their age at any time after creating an account. This type of app format can be tempting for kids who are naturally curious and seeking to meet new friends outside of their familiar social circle. There’s a potential for common issues such as catfishing, predator behavior, and inappropriate content. Kids as young as 12 can form connections with strangers. While their profile may be harmless, they can’t control the type of content that pops up on their screen from other users. Another red flag: Hoop users are rewarded with “diamonds” for sharing their Snapchat name and getting others to join Hoop, so the incentive to daily share and connect with a wide circle outside of one’s known friend group may prove tough for some kids to resist.
Safe Family Tip: While it’s challenging to stay on top of the constant array of new apps, it’s not impossible. One way to understand where your child spends his or her time online is with comprehensive monitoring software. Another way of monitoring activity is to physically check your child’s phone once a week for new app icons and take the time to talk about his or her favorite apps. Consider explaining the dangers of connecting with strangers and the real possibility that a new “cute 16-year-old” may be a predator attempting to win your child’s trust (it happens every day). Review and agree on which apps are considered safe and the expectations you have for your family’s online choices.
Another app to keep on your radar is Wink. Nearly identical to Hoop, Wink interfaces with Snapchat and is being promoted as a “new friend finder.” It has a similar “swipe” feature that connects kids to random Wink users and is currently ranked #15 in the app store.
Should phones be banned from schools?
A conversation gaining a quiet but consistent buzz is the merit of prohibiting phones from schools — a law France has enforced for two years that has parents, educators, and legislators talking. Several recent studies reveal that phone bans can lead to higher test scores, higher test grades and attention spans, and increased cognitive capacity. Some schools in the U.S. have independently taken steps to curb and ban phones in hopes of helping distracted students focus.
Proponents of phones in school say a ban would be impossible to enforce and that technology is needed to help parents stay in touch with kids during the school day, especially for emergencies. Others say phones at school are a critical part of learning and raising self-sufficient, tech-savvy students prepared for a digital workforce.
Safe Family Tip: Begin the discussion with your child about the pros and cons of devices at school. Listen closely to his or her perspective. Discuss potential device-related issues that can be amplified during the school day such as cyberbullying, group chat conflicts, sexting, gaming during class, and using devices to cheat. Review expectations such as using phones only before and after school to connect with parents.
Stay tuned in the weeks to come as we take a closer look at other apps such as TikTok and WhatsApp Messenger that — when used unwisely — can lead to some surprising risks for kids. Until then, keep the digital safety conversation humming in your home. You’ve got this, parents!
The post TikTok Challenge, Hoop App, and Other Headlines You May Have Missed appeared first on McAfee Blogs.
Not so long ago we searched Google. Now we seem quite happy to let Google search us
Probably too late to ask, but was the past year the moment we lost our technological innocence? The Alexa in the corner of the kitchen monitoring your every word? The location-betraying device in your pocket? The dozen trackers on that web page you just opened? The thought that a 5G network could, in some hazily understood way, be hardwired back to Beijing? The spooky use of live facial recognition on CCTV cameras across London?
With privacy there have been so many landmarks in the past 12 months. The $5bn Federal Trade Commission fine on Facebook to settle the Cambridge Analytica scandal? The accidental exposure of a mind-blowing 1.2 billion people’s details from two data enrichment companies? Up to 50m medical records spilled?
We gleefully carry surveillance machines in our pockets and install them in our homes.
We all know that data breaches have been on the rise, and hackers are finding clever, new ways to access our devices and information. But sometimes it takes a little push to get us to take action when it comes to protecting our most sensitive information. That’s why this Data Privacy Day, on January 28th, we have the perfect opportunity to own our privacy by taking the time to safeguard data, and help others do the same.
After all, there are now roughly four billion consumers connected online, living various moments of truth that could potentially put them at risk. From sharing photos and socializing with friends, to completing bank transactions—people expect to do what they desire online whenever and wherever they want. But as the saying goes, “with great power comes great responsibility”, and it is imperative that consumers take accountability, not just by enjoying the advantages of connecting online, but by protecting their online identities, too.
Remember, your personal information and online presence are as valuable as money, and what you post online can last a lifetime. Data Privacy Day is a reminder for everybody to make sure that they are protecting what matters most to them: their personal data, as well as their families and friends.
So, let’s get started. Even if you have a large online footprint, protecting this information doesn’t have to be overwhelming.
Here are a few tips:
Update your privacy and security settings—Begin with the websites and applications that you use the most. Check to see if your accounts are marked as private, or if they are open to the public. Also, look to see if your data is being leaked to third parties. You want to select the most secure settings available, while still being able to use these tools correctly. Here’s a guide from StaySafeOnline to help you get started.
Start the New Year with a new digital you— When opening new online accounts for sharing personal information such as your email address or date of birth, create a new digital persona that has alternative answers that only you would know. This will limit online tracking of your real personal information.
Lock down your logins—At the same time, secure your logins by making sure that you are creating long and unique passphrases for all of your accounts. Use multi-factor authentication, when available. This is a security protocol that takes more than just one step to validate your login, such as a password and a code sent to your mobile device, or a fingerprint. It is exponentially more secure than a simple password.
Spread the word and get involved— Once you have done your own privacy check, help others do the same. It’s important that we all feel empowered to protect our privacy, so share the safety tips in this article with your family, coworkers, and community. Here are some helpful resources to create privacy awareness where you live.
Protect your family and friends – If you are a parent, you can make a big difference by helping raise privacy-savvy kids. After all, today’s kids represent the future of online security. If they start building their digital footprints with solid safety habits, it makes all of us more secure.
Begin with this handy tip sheet.
Own your information—It’s time for everyone to feel empowered to own their information. While there will always be online threats, you can minimize any potential harm by committing yourself to the action steps we listed above. Once you have, spread the word by using the hashtag #privacyaware on Twitter, Instagram, or Facebook.
Let’s make this 12th annual international Data Privacy Day the most effective ever! Stay up to date with all the event happenings, here, and keep informed year-round on the latest threats and security tips.
Is it a legal requirement to include T&Cs?
What should you include in the T&Cs?
- How to make a purchase
- How to make a payment
- How they will receive their products
- How they can cancel orders
What kind of protection can you expect from the T&Cs? It is not uncommon for disputes to arise between you and your online customers or visitors. Therefore, it is essential to ensure that the terms and conditions are accessible, preferably on your website.
You also need to protect your website from copyright infringements. You can avoid potential disputes and confusion by specifying which sections are copyrighted and which are your intellectual property. You should also stipulate what visitors can do with your data. If there is any breach of your copyright or intellectual property, the terms and conditions should clearly explain how the problem will be resolved.
Are there standard T&Cs which apply to all websites?
There are general formats or templates of T&Cs that you can obtain for free online. However, there is always the possibility that these documents will not cover specific aspects of your business or will not include the relevant terms. If you omit an essential term from your website, you may find yourself vulnerable if a dispute arises. Therefore, it is critical that you customise your terms and conditions so they are suitable for your website and business.
- Product and service offerings – No two businesses are alike, even if you sell the same products and services. For example, your competitor may only accept PayPal but you may allow other modes of payment.
- Industry or target audience – In every industry, there are specific provisions that need to be included in the T&Cs. For example, customers may have a legal right to cancel or return their purchases within a specified period.
Your T&Cs are like any other enforceable contract. Nevertheless, you must ensure that they don’t contravene existing consumer laws or government regulations. Remember, you should only incorporate clauses that you can legally apply.
Terms and conditions are necessary for all businesses, including e-commerce sites. It is essential that you create T&Cs that are suitable for your products and services, and that they are legally enforceable. You also need to periodically review your T&Cs, especially if there have been any significant changes to your business structure or the law. Moreover, they must be accessible to your online customers and visitors. If they are not aware of your T&Cs, you may find it difficult to enforce them if a problem arises.
Written by Kerry Gibbs, a legal expert at BEB Contract and Legal Services.
The new General Data Protection Regulation (GDPR), which came into effect in 2018, meant some big changes in the way businesses collect and handle personal data. The idea behind the new legislation is to give individuals better access to and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses, which must now provide legal grounds for collecting data and must only use it for the intended purpose. What’s more, they need to follow these regulations to the letter and remain GDPR compliant at all times.
This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:
- Understanding your data and responsibilities
- Defining your data consent policy
- Access requests and disposing of old data
- Setting up a data storage and security policy
- Training all staff on GDPR
- Creating data processing notices
- Understanding your data and responsibilities
In order to be GDPR compliant it’s important that you understand what data you’re collecting and your responsibilities as a business. It’s therefore a good idea to get clued up on what is defined as ‘personal data’ and set out strict guidelines on how much information you need to collect. This is because a huge part of GDPR is ensuring that you only collect personal information you actually need and that it is only used for the intended purpose. The less you collect the easier it is to stay compliant.
You’ll also want to ensure anyone that is involved in the handling of data understands how to collect and store the data effectively, as well as how to process it in line with GDPR. As you collect data, it’s a good idea to keep a note of how consent is being obtained and what processes the data goes through once it has been collected.
- Setting out your data consent policy
Getting clear and explicit consent from individuals to collect and use their data is one of the most important aspects of GDPR. For this reason, you need to outline to customers or those using your services why you’re collecting their data and how you intend to use it in the future. Once they have actively agreed, you can then collect their data – this is usually done through sign-up forms or pop-ups. However, if they do not give you permission then under no circumstances should you record their personal information.
You must be able to show that you have obtained consent for all the data that you have collected. Otherwise, you run the risk of being fined. Another point worth noting is that you can no longer rely on underhand tactics such as pre-ticked boxes to gain consent. This is now illegal under GDPR and can land you in trouble. Finally, you must make it easy for individuals to opt out of receiving your communications. The best way to do this is by adding an unsubscribe link at the bottom of all emails.
- Access requests and disposing of old data
If you haven’t already, GDPR states that you must seek fresh consent from customers whose information you held before the new guidelines were implemented in May 2018. If they do not give you their consent again, or they do not reply to your email at all, you must delete their data as soon as possible. An important part of your GDPR checklist should be getting auditing processes in place that determine how long you will store data. For example, if a customer has not engaged with your brand in 12 months, it is no longer necessary to keep their information and it should therefore be deleted.
What’s more, as part of GDPR every EU individual has the right to access their data. Therefore you need a system in place to deal with access requests. You’ll have 30 days from receiving the request to provide them with an electronic copy of all the information you have on them. They can also request that this be deleted, so you need a system in place to get this done as quickly as possible.
- Setting up a data storage and security policy
GDPR is set out to protect the rights and personal information of individuals, therefore you need to make sure you’re taking care of the data you’re collecting. This means knowing where it is stored and ensuring you’ve got the security measures in place to keep it safe. Mapping out all the places where you store data, be that email, databases or cloud-based systems, makes it easier to find and deal with access or deletion requests. Your storage and security policy should outline where everything is stored, how it is protected and who has access to said data.
You also need to know how data is being transferred and how information flows around your business. This stops information quietly getting lost or falling into the wrong hands. It also pays to have a system in place in case your hardware is accessed or lost while it contains sensitive information. For example, if a laptop full of information is misplaced, having the data encrypted means you’re less likely to fall victim to a breach or face a fine.
- Training all staff on GDPR
Most data breaches or security mistakes come as a result of human error. Unfortunately, in this case ignorance isn’t bliss: you cannot use ignorance as an excuse for mishandling data. For this reason, it’s important that all members of your team are clued up on GDPR, their personal responsibilities for looking after personal data, and how to recognise a breach. As part of GDPR, you must report any data breach within 72 hours. This becomes much easier if everyone in your team is educated on what a breach looks like and who they need to report it to.
- Creating data processing notices
Finally, data handling needs to be a clear and transparent process, and therefore it’s a good idea to create a notice to explain how your business collects and processes data. This is often called a Fair Processing Notice and can be sent out to customers/users as well as being displayed somewhere on your website. It should outline how you capture, use and store data, as well as giving instructions on how an individual can make an access or deletion request. This helps them to understand how you are protecting their data and can be great for building your reputation as a legitimate and caring business.
Editor’s Note: This is part II of a series on Digital Minimalism in 2020.
Is this the year you rethink and rebuild your relationship with technology? If so, embracing digital minimalism may be the most powerful way to achieve that goal.
We learned last week in our first post in this series that digital minimalism isn’t about chucking your devices and going off the grid. It’s about being hyper intentional that your technology choices support the things you value.
And, as outlined by Cal Newport in his book, Digital Minimalism: Choosing a Focused Life in a Noisy World, the first step in the process is clarifying your values. Your values are the guiding principles that motivate you and give your life meaning, such as family, education, work/life balance, community service, friendship, integrity, health, or wealth. With values clearly defined, you can evaluate every piece of technology, app, or social network you use to be sure it aligns with those values.
For instance, if you establish your top values to be family and volunteering, then maybe it’s time to let go of all the podcasts, apps, and email subscriptions that no longer support those priorities. The online social communities you habitually peruse may trigger anxiety and be taking time from activities that could be far more fulfilling.
If you get overwhelmed amid your technology pruning, come back to these two critical questions:
- Does this technology directly support something that I deeply value?
- Is this technology the best way to support this value?
There’s a ton of great information as well as passion online around the concept of digital minimalism. But to keep this new idea “minimal” and easy to grasp, we’ve chosen 5 things you can do today to help you and your family jumpstart this new way of thinking.
5 ways to jumpstart a ‘digital minimalist’ mindset
- Make social accounts private. Last week we suggested cutting all non-essential media for 30 days. Another way to mentally shift into a minimalist mindset is to transition your social media accounts from public to private if you haven’t already. Not only will this small change increase your online privacy, but it could also help you become more aware of the amount of content you share, the people with whom you share it, and the value of what you share. For people who post frequently (and often out of habit), this may prove to be a game-changer. The goal of digital minimalism isn’t a digital detox or white-knuckling no-or-less-tech life. The goal is to consciously, willingly, and consistently be rebuilding your relationship with technology into a formula that decreases distraction and increases value.
- Audit those apps! Want to feel a rush of minimalist adrenaline? Whack some apps! Most of us have amassed a galaxy of apps on our phones, tablets, and laptops. Newport suggests getting rid of any apps or devices that continuously distract and are “outside of work.” Those brain games, cooking apps, calorie trackers, and delivery apps you rarely use or value may no longer be relevant to your values. Some will find this exercise exhilarating, while others may feel panicked. If that’s the case, pace yourself and delete a handful of apps over the next few weeks. The goal is more peace, not panic. On a security note: Remember, apps are one of the main channels for malware. Consider adding security software to your family devices, reading app reviews, and only downloading trusted products.
- Reclaim your space. Do you carry your phone with you into restaurants, upstairs, on a walk, and even to the bathroom? If so, this step may be especially tricky but incredibly beneficial. Think about it — you weren’t born with a phone. Over the years, it became a companion, maybe even an extra appendage. So start small to reclaim your birthright to phone-free space. If you go outside to walk your dog, leave your phone inside. Are you headed into a restaurant? Leave the phone in the car. Newport also suggests leaving your phone in a fixed spot in your home and treating it like the “house phones” of the past. When you go to bed, leave your phone in another room. Over time, hopefully, these small changes will add more hours, sleep, relaxation, conversation, and contemplation to your day.
- Condense home screens, turn off all notifications. Clutter — especially digital clutter — can trigger feelings of chaos and anxiety. By creating folders for random files and apps on your laptop, tablet, and phone, you can declutter and breathe a little easier. If later you can’t find a document, use the search tool on your device. Also, turn off all notifications, including your phone ringer, to reduce interruptions and to avoid the temptation to phub (phone snub) the person in front of you.
- Replace device time with more productive activities. The pain and regret of the social media time suck are very real. We lose days, even years going down digital rabbit holes and getting emotionally invested in random social media posts and exchanges. Some ideas: If you are a night scroller, opt to read a physical book. If you take breaks to scroll during work hours, put your phone in a drawer — out of sight, out of mind. If you’ve defined “relaxing” as curling up with your coffee and phone and reading through social feeds, reclaim those hours by calling a friend, taking a walk, connecting with your family, reading, or getting outside.
Embracing a new mindset, especially when it comes to our sacred technology habits, won’t be an easy task. However, if you know (and yes, you do know) that technology is taking up too much of your time, attention, and emotional bandwidth, then 2020 may be the perfect time to release digital distractions, rethink your technology choices, and reclaim the things that matter most.
The post Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset appeared first on McAfee Blogs.
It’s the turn of a new decade and a new privacy law has gone into effect — the California Consumer Privacy Act or CCPA. A quick check with some of my fellow privacy pros on how many consumer information requests received at the end of the day on Jan. 1, puts retail at higher numbers […]
By 2021, cybercrimes will cost companies USD 6 trillion, according to a study.
The number of internet users has grown from an estimated 2 billion in 2015 to 4.4 billion in 2019, but so has cybercrime, which is expected to cost companies USD 6 trillion worldwide, according to a study by Cybersecurity Ventures.
Similarly, the number of smartphone users has grown from 2.5 billion in 2016 to 3.2 billion in 2019 and is forecasted to grow to 3.8 billion by 2021. Smartphones and the internet will make further inroads to our economic system. But there are certain risks involved as well.
Mobile phones are becoming targets of cybercriminals because of their widespread use and increasing computing power. Consider the fact that more than 60% of online fraud occurs through mobile phones. This threat is not just to individual users but to businesses as well. It does not matter how large the company is either: 43% of the cyberattacks in 2019 were aimed at smaller businesses because they do not have adequate protection.
Given how vulnerable smartphones are and that the threat from cyber attacks is only expected to increase, here are some measures you can take to protect your business from cybercriminals:
Bring Your Own Device (BYOD) offers several benefits to both the organization and employees. Such a policy allows employees at a company to use their own mobile phones, tablets, or laptops for work, saving companies the hassle of purchasing devices.
However, you need to rethink if you are saving more than what you are losing. Employees have confidential company information on their devices. Such a door into your organization can cost you heavily. Set aside the funds to obtain company devices for use by employees at the office. Consider such an investment as part of your cybersecurity strategy.
The cybersecurity threat landscape is ever-evolving due to the fast nature of innovation. Develop a comprehensive cybersecurity program that includes a regular assessment of your company’s security needs. Identify the strengths of your IT infrastructure against potential attacks, and do not let advances in technology or techniques take that away from you. Similarly, you should identify the vulnerabilities in your systems. Make sure any gaps in your defenses are appropriately plugged. A threat assessment should be an integral component of any cybersecurity policy.
Make sure that employees at your organization are informed and up to date on the latest in cyber threats. This way they can protect themselves and the company from cybercriminals. Even a single mistake by one employee can end up creating a door for individuals or groups wishing your company harm. All employees must be trained as a matter of policy. This way, they can identify phishing attacks and manage social engineering scams. Another factor your employees must be mindful of is resource monitoring. Suspicious resource use on company devices, whether it is excess internet or battery usage, should raise alarm bells. However, employees may not look into such things in detail because they do not own the devices. Train your staff to keep track of resource use too.
Most organizations have some form of an employee monitoring policy and track their workers. If you haven’t done so already, develop such a policy, and keep your employees informed to ensure transparency. If you have decided to use company devices, you can opt to install monitoring apps on them. There are several modern monitoring apps currently available such as XNSPY. The app can keep track of online activities, generate a list of call logs, and remote control the device. Furthermore, you can track the location of the device in real-time, and use features such as geofencing and GPS history. There are other powerful features too, such as ambient recording, multimedia access, and online activity tracking. You can also wipe off all the data from a device in case of theft. Monitoring apps such as XNSPY should be a part of your strategy against cybercriminals.
Don’t forget physical infrastructure:
Cybersecurity may involve software updates and training policies, but making sure your physical infrastructure is safe is just as important. Re-evaluate how exposed your digital infrastructure is to physical access. Furthermore, go through the profiles of suppliers and vendors to vet them properly. A small door in any piece of equipment can let cybercriminals through and bypass your entire cybersecurity foundation. Be aware of this threat and make sure that suppliers work by following specific regulations.
Develop a threat monitoring policy:
Anticipating an attack and stopping it is an important part of a comprehensive cybersecurity policy. Make sure that you are monitoring your digital infrastructure round the clock.
Invest in threat monitoring software and a team of professionals that can identify, track, and stop an attack.
The concept of a cybersecurity system as a static fortification is giving way to that of an adaptable system that can accommodate evolving security threats. Furthermore, a monitoring policy also needs to have a clear response plan.
Such a plan details what needs to happen and when in case of an attack. This ensures that there is a speedy response by your company against any threat.
Smartphones have become powerful enough that they can be considered as computers in their own right. While this has created scores of opportunities, there are also clear threats posed by cybercrime. These threats are only going to increase as the internet and smartphone use increases. While protecting your business against cyber criminals requires a considerable investment of time and money, it will pay off in the long run.
Clark Thomas is an expert in VoIP. He helps businesses, both small and medium-sized, in implementing and adopting the best security methods for their organization and network. He gives great advice on, and assists people in, boosting the security measures for their website and business.
The post Cybercrime is moving towards smartphones – this is what you could do to protect your company appeared first on CyberDB.
Give yourself a high-five, parents. Pour yourself a cup of coffee or your favorite celebratory drink and sip it slow — real slow. Savor the wins. Let go of the misses. Appreciate the lessons learned. You’ve come a long way in the last decade of raising digital kids, and not all of it has been easy.
As we head into 2020, we’re tossing parenting resolutions (hey, it’s a victory to make it through a week let alone a year!). Instead, we’re looking back over the digital terrain we’ve traveled together and lessons learned. Need a refresher? Here’s a glimpse of how technology has impacted the family over the past decade.
In the last decade
• Smartphone, social, gaming growth. Social media and gaming platforms have exploded to usage and influence levels no one could have imagined. Smartphone ownership has increased, and as of 2019: 81% of adults own a smartphone and 72% use social media, 53% of kids own a smartphone by the age of 11, and 84% of teenagers have phones.
• Video platform growth. Video platforms like YouTube have become the go-to for teens and tweens who spend nearly three hours a day watching videos online.
• Streaming news. Smartphones have made it possible for all of us to carry (and stream) the world in our pockets. In 2018, for the first time, social media sites surpassed print newspapers as a news source for Americans.
• Dating apps dominate. We’re hooking up, dating, and marrying using apps. A Stanford study found that “heterosexual couples are more likely to meet a romantic partner online than through personal contacts and connections.”
• The rise of the Influencer. Internet influencers and celebrities have reached epic levels of fame, wealth, and reach, creating an entire industry of vloggers, gamers, micro and niche-influencers, and others who have become “instafamous.”
• Lexicon changes. Every day, technology is adding terms to our lexicon that didn’t exist a decade ago such as selfie, OMG, streaming, bae, fake news, the cloud, wearables, finsta, influencers, emojis, tracking apps, catfish, digital shaming, screen time, cryptojacking, FOMO, and hashtag, along with hundreds of others.
What we’ve learned (often the hard way)
Most people, if polled, would say technology has improved daily life in incalculable ways. But ask a parent of a child between five and 18 the same question, and the response may not be as enthusiastic. Here are some lessons we’ve learned the hard way.
Connection brings risk. We’ve learned that with unprecedented connection comes equally unprecedented risk. Everyday devices plug our kids directly into the potential for cyberbullying, sexting, inappropriate content, and mental health issues. Over the past decade, parents, schools, and leaders have worked to address these risks head-on but we have a long way to go in changing the online space into an emotionally safe and healthy place.
Tech addiction isn’t a myth. To curb the negative impact of increased tech use, we’ve learned ways to balance and limit screen time, unplug, and digitally detox. Most importantly, it’s been confirmed that technology addiction is a medical condition that’s impacting people and families in very painful ways.
The internet remembers. We’ve witnessed the very public consequences of bad digital choices. Kids and adults have wrecked scholarships, reputations, and careers due to careless words or content shared online. Because of these cases, we’re learning — though never fast enough — to think twice about the behaviors and words we share.
We’re equipping vs. protecting. We’ve gone from monitoring our kids aggressively and freaking out over headlines to realizing that we can’t put the internet in a bottle and follow our kids 24/7. We’ve learned that relevant, consistent conversation, adding an extra layer of protection with security software, and taking the time to understand (not just monitor) the ways our kids use new apps, is the best way to equip them for digital life.
The parent-child relationship is #1. When it comes to raising savvy digital kids and keeping them safe, there’s not a monitoring plan in existence that rivals a strong parent-child relationship. If you’ve earned your child’s heart, mind, and respect, you have his or her attention and can equip them daily to make wise choices online.
The dark web is . . . unimaginably dark. The underbelly of the internet — the encrypted, anonymous terrain known as the Dark Web — has moved from covert to mainstream exposure. We’ve learned the hard way the degree of sophistication with which criminals engage in pornography, human trafficking, drug and weapon sales, and stolen data. With more knowledge, the public is taking more precautions especially when it comes to malware, phishing scams, and virus attacks launched through popular public channels.
There’s a lot of good going on. As much negative as we’ve seen and experienced online over the past decade, we’ve also learned that its power can be used equally to amplify the best of humanity. Social media has sparked social movements, helped first responders and brought strangers together in times of tragedy like no other medium in history.
Privacy is (finally) king. Ten years ago, we clicked on every link that came our way and wanted to share every juicy detail about our personal lives. We became publishers and public figures overnight and readily gave away priceless chunks of our privacy. The evolution and onslaught of data breaches, data mining, and malicious scams have educated us to safeguard our data and privacy like gold.
We’ve become content curators. The onslaught of fake news, photo apps, and filter bubbles have left our heads spinning and our allegiances confused. In the process, we’ve learned to be more discerning with the content we consume and share. While we’re not there yet, our collective digital literacy is improving as our understanding of various types of content grows.
Parents have become digital ninjas. The parenting tasks of monitoring, tracking, and keeping up with kids online have gone from daunting to doable for most parents. With the emotional issues now connected to social media, most parents don’t have the option of sitting on the sidelines and have learned to track their kids better than the FBI.
This is us
We’ve learned that for better or worse, this wired life is us. There’s no going back. Where once there may have been doubt a decade ago, today it’s clear we’re connected forever. The internet has become so deep-seated in our culture and homes that unplugging completely for most of us is no longer an option without severe financial (and emotional) consequences. The task ahead for this new decade? To continue working together to diminish the ugly side of technology — the bullying, the cruelty, the crime — and make the internet a safe, fun experience for everyone.
The way we work and the spaces we work in have evolved considerably in the last fifty years. Corporate culture is nothing like what it used to be back in the ’80s and ’90s. Cabins and cubicles have given way to open offices. Many in the workforce today prefer to work remotely and maintain flexible hours. As such, hot-desking is common in many multinational companies, including those that have large office spaces. As the start-up culture evolved, there was a need for multiple small offices. This growing breed of self-employed professionals and start-up owners needs other resources that are commonly required in the office environment, like printers, shredders, Wi-Fi, meeting rooms, video-conferencing facilities, etc. They also need a common place to meet people, network and exchange ideas, because working solo can be monotonous at times. Co-working has provided an all-in-one solution for the needs of such individuals and small groups by providing a common space where equipment and utilities can be shared between the businesses that rent the space. Co-working spaces have thus become very popular across the world, and especially in cities where real estate is very expensive. According to statistics, the number of co-working spaces increased by 205% between 2014 and 2018.
In any business, however, security is paramount. Corporate espionage is very much a reality for small businesses, which are very often the breeding ground for great ideas and innovations. Co-working spaces provide a melting pot for all kinds of unrelated people, some of whom cannot really be trusted. Thus it is necessary that when sharing space, equipment and utilities, users do not unknowingly end up sharing information and trade secrets. Ensuring data privacy and cyber security in a shared office can be very difficult, but it may be achieved by laying down ground rules and ensuring that everyone follows them. Following are some of the security best practices for a co-working space.
- Ensuring network security: While shared Wi-Fi access is probably one of the most popular and most heavily used services provided by a co-working space, it is also the most vulnerable from a cyber security perspective. Following are some of the practices that would ensure secure access to Wi-Fi networks for all users.
- Having a dedicated administrator who would ensure that networks are set up correctly and securely. This person can also liaise with users to ensure that they are following the guidelines.
- Setting up strong passwords for every network and ensuring that all passwords are changed frequently. This would also prevent old or previous members from accessing the network.
- Setting up individual networks and access pages for every business that is using the space including a separate network for guests.
- Securing smart devices: IoT has enabled intelligence in everyday devices such as TVs, refrigerators, coffee machines and printers. A co-working space may be home to many such devices connected to the network. Tampering with any of these devices can allow people to access the Wi-Fi network, or vice versa. Therefore it is necessary to secure these devices by ensuring that their hardware is tamperproof and their firmware is continuously updated. All devices that can connect to the network, including laptops and phones, should be password protected and should not be left around unlocked and/or unattended.
- Blocking websites: It is best to block potentially malicious websites which are not likely to do anyone any good. Corporate offices have always taken this step to prevent unwanted traffic and ensure network and data security. There is no reason why co-working spaces cannot offer this as a service.
- Vetting users: Co-working spaces may do a minimum background check on users to ensure that they fit in with the business culture of the space and would not disrupt the normal functioning of the other users in any way.
- Physical monitoring: Physical monitoring using cameras can ensure that users do not try to steal any data or equipment that does not belong to them. Providing physical access cards, logging in and out time of users and installing cameras can contribute to the overall security system of the space.
While these guidelines are general, they should be useful to both co-working space operators and users, and give an idea of what to look out for and how to secure private data and intellectual property.
Despite its negative connotations, the Dark Web is nothing to be afraid of. Few know that the Dark Web was actually thought out as a means of preserving privacy and security. However, this also enabled it to become a breeding ground for illegal activity.
There are certainly things to be distrustful of when navigating the Dark Web, and before venturing into it head-first, you should understand certain things about it.
What is the Dark Web?
The first thing you need to know is that there is no actual database for the Dark Web. Instead, there are only what are known as “peer to peer connections”, which means that the data you are accessing is not stored in just one place.
Instead, it is found on thousands of different computers that are part of the network, so that no one can actually identify where the information is coming from. You can upload to the network, but when downloading, there is no telling where you’re getting the data from.
Why do people use the Dark Web?
There are all kinds of uses for the dark web. Some of them are downright nefarious; others, not so much.
- Drug sales
Taking into consideration the anonymous nature of the Dark Web, it was only a matter of time before it came into use to sell illegal drugs. It is the ideal avenue for this kind of transaction, because of the anonymity factor that is inherent to the Dark Web.
- Illegal commerce
To say that you can buy anything on the Dark Web would be an understatement. Anything you can imagine, no matter how gruesome, can be purchased on the Dark Web, from guns to stolen data to organs.
- Child porn
Is it really a surprise that child porn is rampant on the Dark Web? It’s one of the darker aspects of it, but the anonymous nature of it does lend itself to concealing horrible realities like this.
For all its negative connotations and activities, the Dark Web can also be a way to foster open communication that can sometimes save lives or make a change. Especially in cases where governments monitor online activity, having a place to speak out freely can be invaluable.
The Dark Web can be used as an excellent source for journalists because sources can remain anonymous. Additionally, no one can track their activity, so it cannot attract consequences from authorities.
How to access
You may be wondering how you can access the Dark Web – after all, you can’t just Google it or access it in a regular browser.
Here are some of the aspects you need to keep in mind about accessibility, including the browser you need to use, the URLs, personal credentials you may need, and even acceptable currency, should you decide to make a purchase.
- TOR browser
The most common way to access the Dark Web is via The Onion Router (TOR), the browser used by most people for this purpose. This ensures that your identity will remain concealed, as will your activity, because it encrypts everything.
You can obtain the TOR browser by downloading it from the official website. It’s as easy as installing it and running it like any normal program. And if you were worried about the legality of it – have no fear.
Both accessing the Dark Web and downloading the means to do so are entirely legal. While this can enable some pretty dark human behavior, it can also give us very necessary freedom to do positive things, as you will see. Not everyone uses it for nefarious purposes.
- Exact URLs
Something that makes the Dark Web difficult to navigate is the fact that its pages are not indexed by search engines. That means that anything you may be looking for will require an exact URL. That limits both the number of people who can access the Dark Web and the range of pages they can reach.
Unless you know exactly where to look, you may not have much luck finding what you want. That can deter you from searching, or, on the contrary, it can drive you to go looking for someone who is well versed in illegal activity and who can help you out.
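The reason an "exact URL" is required is that a Tor onion address is not a name anyone chose: a current (version 3) address is the service's 32-byte ed25519 public key, a 2-byte checksum and a version byte, base32-encoded into 56 characters. The checksum means a single mistyped character is rejected rather than quietly leading somewhere else. The script below is an added illustration of that format, not code from the article or from the Tor project; the sample key is a constructed value, not a real service.

```python
import base64
import hashlib

# Constants from the Tor v3 onion service address specification.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _onion_checksum(pubkey: bytes) -> bytes:
    """checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]"""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _onion_checksum(pubkey) + ONION_VERSION  # 35 bytes
    # 35 bytes * 8 = 280 bits = exactly 56 base32 characters, no padding.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_address(address: str) -> bool:
    """Return True only if the hostname is a well-formed v3 onion address
    whose embedded checksum matches its public key."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        return False
    host = host[: -len(".onion")]
    if len(host) != 56 or any(c not in BASE32_ALPHABET for c in host):
        return False
    raw = base64.b32decode(host, casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_VERSION and checksum == _onion_checksum(pubkey)


# Constructed sample key (bytes 0..31); a real service's key would be random.
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_address_from_pubkey(SAMPLE_PUBKEY)
    print(addr, validate_onion_address(addr))
    # A single-character typo changes the decoded version or checksum, so it fails.
    typo = addr[:-7] + "c" + ".onion"
    print(typo, validate_onion_address(typo))
```

Every v3 address ends in the letter "d" because the final base32 character encodes the low five bits of the version byte 0x03; the validator above rejects anything else, which is why a guessed or partially remembered address simply does not resolve.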
- Criminal activity
It comes as no surprise that the Dark Web is a hotbed of criminal activity. No one is advocating that one pick up criminal undertakings in order to use the Dark Web. But generally speaking, the people who will most likely be looking to access URLs here are people who are engaged in all manner of criminal activity.
All transactions on the Dark Web are completed via Bitcoin, as this type of currency cannot be traced. That increases the degree of safety of the transaction, both for buyers and for sellers.
However, that does not mean that these transactions are always safe. There is a high degree of uncertainty that accompanies these transactions, regardless of what you are purchasing.
You might find that the person you are buying from is a scammer who takes your money without sending your product. While identities are protected, transactions are not, so a degree of care is always necessary.
The future of the Dark Web
While authorities are always making efforts to cut down on the number of sites present on the Dark Web, more are always created. In the end, it proves to be a bit of a wasted effort. The more websites get shut down, the more pop up in their place.
Does that mean that the Dark Web will continue in perpetuity? No one can say with any degree of certainty. It is entirely possible that people will seek refuge in the anonymity of the Dark Web as surveillance grows, or the opposite may happen and we may come to accept surveillance as a means of ensuring a thin veneer of security.
The Dark Web will always be controversial, but it’s not nearly as scary as it seems. It’s true that it certainly conceals some illegal and immoral behavior, but it can also be used for good. The anonymous and untraceable aspects of it help it remain a somewhat neutral space where one can find the freedom to communicate, investigate, search, trade, make purchases, etc.