Category Archives: Privacy

Political campaigns adopt surveillance capitalism at their own peril

Since the middle of the 20th century, commercial advertising and marketing techniques have made their way into the sphere of political campaigns. The tactics associated with surveillance capitalism – the commodification of personal data for profit as mastered by companies like Google and Facebook – have followed the same path. The race between competing political campaigns to out-collect, out-analyze and out-leverage voter data has raised concerns about the damaging effects it has on privacy and … More

The post Political campaigns adopt surveillance capitalism at their own peril appeared first on Help Net Security.

The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products

Senator Ron Wyden asked, and the NSA didn’t answer:

The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others.

These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications.

The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.

[…]

The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws.

“At NSA, it’s common practice to constantly assess processes to identify and determine best practices,” said Anne Neuberger, who heads NSA’s year-old Cybersecurity Directorate. “We don’t share specific processes and procedures.”

Three former senior intelligence agency figures told Reuters that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets discovered and manipulated by adversaries.

The article goes on to talk about Juniper Networks equipment, which had the NSA-created DUAL_EC PRNG backdoor in its products. That backdoor was taken advantage of by an unnamed foreign adversary.

Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of internet switches disclosed that it had detected malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool by altering Juniper’s version of Dual EC.

Juniper said little about the incident. But the company acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a “customer requirement,” according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.

Juniper has never identified the customer, and declined to comment for this story.

Likewise, the company never identified the hackers. But two people familiar with the case told Reuters that investigators concluded the Chinese government was behind it. They declined to detail the evidence they used.

Okay, lots of unsubstantiated claims and innuendo here. And Neuberger is right; the NSA shouldn’t share specific processes and procedures. But as long as this is a democratic country, the NSA has an obligation to disclose its general processes and procedures so we all know what they’re doing in our name. And if it’s still putting surveillance ahead of security.
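The Dual EC mechanism the Reuters piece keeps circling back to, worked through on a toy curve as an added example (this is not code from the post, the article or Juniper, and the prime, curve, points, escrow value E and seed are all constructed): Dual EC walks a state s through r = x(s*P), s' = x(r*P) and emits the low bits of x(r*Q). Whoever knows the scalar E with P = E*Q can lift an output back to the point r*Q, multiply by E to get r*P, and read off the next state. The sign of y never matters, since E*R and E*(-R) share an x-coordinate. Real Dual EC uses NIST P-256 and drops 16 of 256 output bits, so the attacker brute-forces 2^16 candidates per output where this toy enumerates five.

```python
"""Toy Dual EC DRBG with an escrow key: why knowing the relation between its two
fixed points lets an outsider recover the generator's internal state.
Every parameter here is constructed and tiny; real Dual EC runs on NIST P-256."""

P_MOD = 5107   # constructed prime with p = 3 (mod 4)
A = 3          # constructed curve y^2 = x^3 + 3x over GF(p); for p = 3 (mod 4) it has
               # p + 1 = 4 * 1277 points, so a point with y != 0 whose double is not of
               # order 2 has order >= 1277 and scalars below 1277 never hit infinity
OUT_BITS = 10  # toy analogue of the output truncation (p has 13 bits, we emit 10)
INF = None     # point at infinity
Q = (1, 2)     # constructed public point: 2^2 = 1 + 3 (mod p)
E = 17         # constructed escrow secret; P = E*Q is published, E is not

def _inv(v):
    return pow(v % P_MOD, P_MOD - 2, P_MOD)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x (mod P_MOD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # p1 == -p2 (also covers doubling a y == 0 point)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

P = mul(E, Q)   # the second generator point; the backdoor is the relation P = E*Q

def xcoord(pt):
    if pt is INF:
        raise ValueError("hit the point at infinity (toy-size artefact)")
    return pt[0]

def step(s):
    """One Dual EC step from state s: returns (next_state, output).
    r = x(s*P);  next_state = x(r*P);  output = low OUT_BITS bits of x(r*Q)."""
    r = xcoord(mul(s, P))
    s_next = xcoord(mul(r, P))
    t = xcoord(mul(r, Q)) & ((1 << OUT_BITS) - 1)
    return s_next, t

def _lift_x(x):
    """Return (x, y) on the curve or None. For p = 3 (mod 4), sqrt(v) = v^((p+1)/4)."""
    rhs = (x ** 3 + A * x) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y - rhs) % P_MOD == 0 else None

def recover_states(t_now, t_next):
    """Escrow-holder's attack: from two consecutive outputs, recover the state that
    became current when t_now was emitted. Needs E, never the seed."""
    found = []
    for high in range((P_MOD >> OUT_BITS) + 1):
        x = t_now | (high << OUT_BITS)      # undo the truncation by guessing the top bits
        if x >= P_MOD:
            continue
        R = _lift_x(x)                      # candidate for r*Q (sign of y is irrelevant)
        if R is None:
            continue
        try:
            s_next = xcoord(mul(E, R))      # E*(r*Q) = r*(E*Q) = r*P, whose x is the state
            if step(s_next)[1] == t_next:   # keep only candidates consistent with t_next
                found.append(s_next)
        except ValueError:
            pass
    return found

def predict_outputs(t_now, t_next):
    """Outputs the attacker predicts will follow t_next (normally exactly one)."""
    preds = set()
    for s in recover_states(t_now, t_next):
        try:
            s2, _ = step(s)
            preds.add(step(s2)[1])
        except ValueError:
            pass
    return preds

SEED = 4242   # constructed seed; the attacker never learns it

if __name__ == "__main__":
    s1, t1 = step(SEED)
    s2, t2 = step(s1)
    s3, t3 = step(s2)
    print("outputs:", t1, t2, t3)
    print("predicted third output:", predict_outputs(t1, t2), "actual:", t3)
```

Two outputs are enough to pin the state down; every later output of that generator, and every key derived from it, is then predictable to whoever holds E. Nothing in the output reveals whether P and Q are related, which is why the question of who chose the constants, and whether a product was asked to use them as a "customer requirement", matters.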

Researchers: LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes

Popular chat apps, including LINE, Slack, Twitter DMs and others, can also leak location data and share private info with third-party servers.

Amazon fires employee for leaking customer data

Multiple Amazon customers have turned to social media to describe how they have received a notification from the online retail giant that their email addresses have been leaked to an unnamed third party. Emails sent by Amazon to customers admit that a rogue employee unlawfully passed on users' personal email details to a third party, violating the company's rules. Read more in my article on the Hot for Security blog.

IMSI-Catchers from Canada

Gizmodo is reporting that Harris Corp. is no longer selling Stingray IMSI-catchers (and, presumably, its follow-on models Hailstorm and Crossbow) to local governments:

L3Harris Technologies, formerly known as the Harris Corporation, notified police agencies last year that it planned to discontinue sales of its surveillance boxes at the local level, according to government records. Additionally, the company would no longer offer access to software upgrades or replacement parts, effectively slapping an expiration date on boxes currently in use. Any advancements in cellular technology, such as the rollout of 5G networks in most major U.S. cities, would render them obsolete.

The article goes on to talk about replacement surveillance systems from the Canadian company Octasic.

Octasic’s Nyxcell V800 can target most modern phones while maintaining the ability to capture older GSM devices. Florida’s state police agency described the device, made for in-vehicle use, as capable of targeting eight frequency bands including GSM (2G), CDMA2000 (3G), and LTE (4G).

[…]

A 2018 patent assigned to Octasic claims that Nyxcell forces a connection with nearby mobile devices when its signal is stronger than the nearest legitimate cellular tower. Once connected, Nyxcell prompts devices to divulge information about their signal strength relative to nearby cell towers. These reported signal strengths (intra-frequency measurement reports) are then used to triangulate the position of a phone.

Octasic appears to lean heavily on the work of Indian engineers and scientists overseas. A self-published biography of the company notes that while the company is headquartered in Montreal, it has “R&D facilities in India,” as well as a “worldwide sales support network.” Nyxcell’s website, which is only a single page requesting contact information, does not mention Octasic by name. Gizmodo was, however, able to recover domain records identifying Octasic as the owner.
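How a fix from measurement reports like the one the patent describes works in practice, as an added example that is not Octasic's method or code: a rogue base station that knows the coordinates of the neighbouring legitimate sites turns each reported signal strength into a range estimate with a path-loss model, then solves the resulting trilateration by least squares. The three site positions, the path-loss parameters and the phone's true position are constructed; the phone's report is synthesised from that position and then inverted. LTE handsets report RSRP in 1 dB steps, and the quantize option shows what that rounding does to the fix.

```python
"""Position estimate from handset measurement reports, as a rogue base station
could compute it. Everything below is a constructed model: three cell sites in a
local metre grid, a log-distance path-loss law, and a phone at a known spot."""
import math

TOWERS = {"cell-A": (0.0, 0.0), "cell-B": (1500.0, 0.0), "cell-C": (600.0, 1300.0)}
REF_DBM = -30.0        # assumed received power at the 1 m reference distance
PATH_LOSS_EXP = 3.2    # assumed path-loss exponent (urban-ish)

def rsrp_at(distance_m):
    """Log-distance model: RSRP(d) = REF - 10*n*log10(d), d in metres, d >= 1."""
    return REF_DBM - 10 * PATH_LOSS_EXP * math.log10(max(distance_m, 1.0))

def distance_from_rsrp(rsrp_dbm):
    """Invert the same model to get a range estimate from one reported RSRP."""
    return 10 ** ((REF_DBM - rsrp_dbm) / (10 * PATH_LOSS_EXP))

def measurement_report(phone_xy, quantize=False):
    """Constructed stand-in for an intra-frequency measurement report: one RSRP per
    neighbouring cell. quantize=True rounds to whole dB like a real LTE report."""
    report = {}
    for cell, xy in TOWERS.items():
        value = rsrp_at(math.dist(phone_xy, xy))
        report[cell] = round(value) if quantize else value
    return report

def locate(report, iterations=50):
    """Gauss-Newton least squares on range residuals: find (x, y) minimising
    sum_i (|| (x, y) - tower_i || - d_i)^2, starting from the tower centroid."""
    ranges = [(TOWERS[cell], distance_from_rsrp(v)) for cell, v in report.items()]
    x = sum(t[0] for t, _ in ranges) / len(ranges)
    y = sum(t[1] for t, _ in ranges) / len(ranges)
    for _ in range(iterations):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (tx, ty), d in ranges:
            est = math.hypot(x - tx, y - ty) or 1e-9
            res = est - d                                 # range residual
            jx, jy = (x - tx) / est, (y - ty) / est       # d(residual)/dx, d(residual)/dy
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy   # J^T J
            b1 -= jx * res; b2 -= jy * res                   # -J^T r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break                                         # degenerate geometry (collinear sites)
        dx = (a22 * b1 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y

if __name__ == "__main__":
    phone = (400.0, 500.0)                    # constructed true position
    print("exact report  ->", locate(measurement_report(phone)))
    print("1 dB quantised ->", locate(measurement_report(phone, quantize=True)))
```

With exact values the solver lands on the phone; with the 1 dB rounding a real handset applies, the error with this geometry is a few tens of metres, and it grows quickly when the sites are nearly collinear or the path-loss exponent is wrong, which is why the patent's approach relies on the phone's own measurements of several cells rather than on one signal-strength reading.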

Adapt cybersecurity programs to protect remote work environments

Earlier this year, businesses across the globe transitioned to a remote work environment almost overnight at unprecedented scale and speed. Security teams worked around the clock to empower and protect their newly distributed teams.

Protect and support a remote workforce

Cisco’s report found the majority of organizations around the world were at best only somewhat prepared in supporting their remote workforce. But, it has accelerated the adoption of technologies that enable employees to work securely … More

The post Adapt cybersecurity programs to protect remote work environments appeared first on Help Net Security.

63 billion credential stuffing attacks hit retail, hospitality, travel industries

Akamai published a report detailing criminal activity targeting the retail, travel, and hospitality industries with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the darknet illustrating how they cash in on the results from successful attacks and the corresponding data theft. “Criminals are not picky — anything that can be accessed can be used in some way,” said Steve Ragan, Akamai … More

The post 63 billion credential stuffing attacks hit retail, hospitality, travel industries appeared first on Help Net Security.

Cybersecurity 101: How to Protect Yourself from Hackers

The internet has changed a lot of things, some for the better and others for the worse. Almost everything we use at home, from mobile devices to Internet of Things (IoT) products, relies on the internet, and the extensive use of these products can erode our privacy. Privacy is under attack from all sides: whether we realize it or not, attackers are constantly trying to collect information about us that they can use against us. To make your devices, your online identity and everything you do online more secure, there are a few habits to follow. In this article, I am going to highlight five cybersecurity tips that you need to know.

Install an Antivirus

The first thing to do is run antivirus software that protects you against malicious programs. With so many kinds of viruses and malware in circulation, you need a layer that blocks the known ones. Once it is installed, keep it updated: its detection signatures and engine are only as good as their last update. Installing antivirus does not mean you can browse any site you want, though. You still have to be careful, because attackers find ways past it, and a fresh or targeted sample will not be in anyone’s signature database yet.

Use Unique Passwords for Login

One of the easiest and most common ways attackers get at your information is by getting hold of your passwords, usually from a breach of some other site. Use a unique password for every service, so that if one account is compromised the same credentials cannot be replayed against the rest (this is exactly what credential-stuffing attacks rely on). Make each password long and strong: a mix of numbers, upper-case and lower-case letters and symbols helps, but length matters more than complexity. A password manager is the practical way to do this, since nobody can remember dozens of unique passwords.

Get a VPN and Use It

You may have heard about using a VPN when browsing the internet, but most people don’t fully understand what a VPN does. Say you go to a coffee shop and connect to its Wi-Fi. You can never be sure that the network is secure: on a public network, and even on your home network, anyone who gets onto the same network can observe or tamper with traffic that is not encrypted. A VPN addresses that by encrypting all traffic between your device and the VPN provider’s server, so nothing on the local network can read it. Be clear about what it does not do: it does not protect files stored on your computer, it does not encrypt traffic beyond the VPN exit (that is what HTTPS is for), and it moves your trust to the VPN provider, so pick one you trust.

Use Two Factor Authentication

Two-factor authentication adds a few seconds to each login, but it is worth it. It adds an extra layer of security in case the first one fails: even if an attacker obtains your password, they cannot get into your account without also passing the second check. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or hijacked through SIM swapping.

Protect Your Social Media Privacy

Last but not least, pay attention to how you use social media. Social media scams are at their peak, with attackers fishing for information through these platforms. Be especially careful on platforms like Facebook, where you voluntarily hand over information and present it publicly. Configure the privacy settings on every platform you use and think twice before revealing any personal information. Once you give out your personal information yourself, you have no one to blame but you. After all, regardless of how many security controls we put in place, the weakest link in the security chain is still the human.

The post Cybersecurity 101: How to Protect Yourself from Hackers appeared first on CyberDB.

Pharma Giant Pfizer Leaks Customer Prescription Info, Call Transcripts

Hundreds of medical patients taking cancer drugs, Premarin, Lyrica and more are now vulnerable to phishing, malware and identity fraud.

How Automation can help you in Managing Data Privacy

The global data privacy landscape is changing, and every day new regulations emerge.

These regulations push organizations to be better custodians of consumers’ data and to create a healthier space for data privacy. To do so, organizations will need to rework their operations and revamp their processes in order to comply.

According to a report by the International Association of Privacy Professionals, 33% of respondents have considered revamping their technology solutions around data privacy. This is where privacy management software comes into play: organizations are looking for tools that can fulfill their data privacy needs while complying with data regulations and avoiding fines.

Tracking Personal Data

Data is stored in a plethora of internal and external systems, in structured or unstructured form, all across the organization, and depending on its size these systems can be spread over a wide geographical area. Retrieving that information by manual methods is tedious and time-consuming, not to mention prone to human error.

According to Aoife Harney, Compliance Manager at AON, “One of the most important aspects of any data protection program is having an in-depth and documented knowledge of the what, the why, the where, the who, and the how.”

Different data privacy tools that incorporate data intelligence serve various purposes in the organization. Some deal with cookies and consent, while others focus on breach notification.

Nowadays, organizations need an all-in-one privacy management platform that can address all these requirements and integrate data privacy into all their operations:

Compliance Requirements

Data privacy regulations such as the CCPA and GDPR require organizations to take responsibility for their consumers’ data. Such regulations impose obligations on businesses to protect consumer privacy by restricting data capture mechanisms, granting consumers rights over their personal data and introducing accountability into business data policies. Furthermore, they place responsibilities on data controllers who store and hold data to protect it from unauthorized disclosure and to inform consumers when their data is breached.

In order to comply with these obligations organizations need to revamp the following practices to stay in compliance with global data privacy regulations.

  • DSR Fulfillment: Organizations will be met with a plethora of Data Subject Requests and will be required to fulfill each within the time frame set by the regulations they are subject to. To make this process swift and seamless, organizations will have to automate their DSR fulfillment process.
  • Data Mapping: Organizations have stored immense amounts of data across internal and external systems, often spread across geographies. Linking this data to its owner quickly, to avoid delays, makes data mapping automation an essential part of complying with any data privacy regulation.
  • Vendor Assessment: Manually assessing your third-party vendors and your own organization is a tedious task that creates bottlenecks and hampers collaboration. Whether you want to collaborate with key stakeholders or third-party vendors, an automated system is needed to simplify the assessment process.
  • Consent Management: Regulations such as the CCPA and GDPR require organizations to obtain freely given consent from consumers before processing their data. Doing this manually leaves room for human error and consumes time and resources. Organizations need a universal consent capture system that makes the process faster while freeing up resources.
  • Breach Notification: Privacy regulations require organizations to send a notification in case of a breach. Under the GDPR, for example, Article 33 requires the controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Recognizing a breach and then sending out a notification by manual means makes it very hard to meet that time frame. Automating breach notification can save organizations thousands in fines.
  • Privacy Policy Management: One of the core parts of any regulation is the need to revamp an organization’s privacy policies. These policies need to be in line with the data privacy regulations in order to comply. Organizations will need to revisit their privacy policies and change them according to the guidelines provided by these regulations.

Automation: the Future of Compliance

The future belongs to automation, and organizations will have to adopt it quickly if they hope to improve their chances of complying with global privacy regulations. Irrespective of the current state of the globe, data regulations are still going into effect and being enforced. An organization that hopes to comply needs a solution that automates its operations and manages all the privacy requirements above.

Aoife Harney says, “Being able to clearly see when a client’s personal data was collected, what legal basis is relied upon for that activity, who accesses that information, and when it’s appropriate to erase is incredibly useful to any organization.”

Organizations need to find a solution that helps them meet their compliance requirements. Ideally that solution comes from a vendor that allows flexibility and customization and that takes suggestions from early adopters on board.

Organizations can also consider SECURITI.ai, which describes itself as a privacy leader offering a one-stop data privacy solution to businesses.

Authors:

Ramiz Shah, Digital Content Producer at SECURITI.ai

Anas Baig, Team Lead at SECURITI.ai

Pierluigi Paganini

(SecurityAffairs – hacking, automation)

The post How Automation can help you in Managing Data Privacy appeared first on Security Affairs.

Rapper Scams $1.2M in COVID-19 Relief, Gloats with ‘EDD’ Video

"Nuke Bizzle" faces 22 years in prison after brazenly bragging about an identity-theft campaign in his music video, "EDD."

Hackers claim to have compromised 50,000 home cameras and posted footage online

A hacker collective claims to have hacked over 50,000 home security cameras and published their footage online, some of them on adult sites.

A group of hackers claims to have compromised over 50,000 home security cameras and published their private footage online.

Some of the footage was published on adult sites, and experts reported that the crooks are offering lifetime access to the entire collection for US$150.

The news was reported by The New Paper, which also confirmed that over 70 members already paid the US$150 subscription for lifetime access to the loot.

“Clips from the hacked footage have been uploaded on pornographic sites recently, with several explicitly tagged as being from Singapore.” reported The New Paper.

“The group, which can be found on social messaging platform Discord, has almost 1,000 members across the globe. As of Saturday, it has claimed to have shared more than 3TB of clips with over 70 members who paid a subscription fee of US$150 (S$203) for lifetime access.”

The videos show people of varying ages in compromising positions, in some cases undressed.

Most of the videos appear to belong to people in Singapore; other private footage comes from people living in Thailand, South Korea, and Canada.

The gang operates on the instant messaging app Discord, has nearly 1,000 members, and focuses on hacking security cameras.

As proof of the hacks, the gang is offering a free sample of 700 megabytes of data, including over 4,000 clips and pictures. It also claims to share access to all the hijacked cameras with its paying customers.

“The group claims to have a list of more than 50,000 hacked cameras that members can access. It also claims that VIP members will be taught how to “explore, watch live and even record” hacked cameras through tutorials and personalised sessions.” continues the article.

The news is not surprising, unfortunately in many cases IoT devices, including IP cameras, are deployed without proper security measures.

At the time of publishing this post, it is still unclear how the hackers compromised the IP cameras; most likely they exploited vulnerabilities in the devices or simply guessed weak or default passwords on cameras exposed directly to the internet.

Accessing these IP cameras is a serious crime, and where the victims are under the age of 16, users who view or share the footage could be charged with child pornography offences.

“As worrying as it may seem, this comes as a clear reminder that when cameras are placed on the internet, they must be properly installed with security in mind. When smart devices are set up, they are still regularly placed around the home with no second thought for privacy,” said ESET Security Specialist Jake Moore.

In 2017, thousands of IP cameras were hijacked by the Persirai IoT botnet, which targeted more than 1,000 IP camera models.

In June 2017, security experts at F-Secure disclosed a set of vulnerabilities in Internet-connected cameras from China-based manufacturer Foscam, affecting tens of thousands of devices.

The flaws could be exploited by attackers to take over the Internet-connected cameras, upload and download files from the built-in FTP server, and view video feeds.

Pierluigi Paganini

(SecurityAffairs – hacking, IP cameras)

The post Hackers claim to have compromised 50,000 home cameras and posted footage online appeared first on Security Affairs.

Global adoption of data and privacy programs still maturing

The importance of privacy and data protection is a critical issue for organizations, as it transcends legal departments and sits among an organization’s strategic priorities. FairWarning research, based on survey results from more than 550 global privacy and data protection, IT, and compliance professionals, outlines the characteristics and behaviors of advanced privacy and data protection teams. By examining the trends of privacy adoption and maturity across industries, the research uncovers adjustments that … More

The post Global adoption of data and privacy programs still maturing appeared first on Help Net Security.

IoT Devices: Privacy and Security in Abusive Relationships

A few weeks ago, technology news site The Verge reported on a new Ring security camera that is in fact a drone that flies around inside your house. Available beginning next year, the ‘Always Home Cam’ is supposed to give its owners a total view of their home without the need for multiple cameras. Those […]… Read More

The post IoT Devices: Privacy and Security in Abusive Relationships appeared first on The State of Security.

Smashing Security podcast #200: Two flipping hundred

We're in celebratory mood as we celebrate our 200th episode, but there's still time to discuss Fatima the ballerina who the UK government wants to become a cybersecurity expert, why women are quitting the tech industry, and a smartwatch which might be putting your kids at risk. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Five Eyes countries press for back doors into applications, again

Canada has again joined its partners in the Five Eyes intelligence co-operative and is calling on tech companies to work with governments to find a legal way around their end-to-end encryption.

In a news release over the weekend, senior cabinet officials from Canada, the U.S., the United Kingdom, Australia and New Zealand, as well as the governments of India and Japan, urged the industry to address concerns that encryption in their products helps criminals by precluding any legal access to unlawful communications.

“Particular implementations of encryption technology … pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children,” officials wrote.

The governments are asking industry to help find “reasonable, technically feasible solutions” that do the following:

  • Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable.
  • Enable law enforcement access to content in a readable and usable format where a (court) authorization is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight.
  • Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

The demand by governments and law enforcement agencies for lawful access to encrypted communications has been going on for years, and been resisted by privacy experts for just as long.

It’s being raised again, says the statement, because of proposals to apply end-to-end encryption across major messaging services. Many services including WhatsApp and Telegram already offer it. Zoom has been testing it since July.

The issue last hit the headlines in the summer of 2019 when the University of Toronto’s Citizen Lab condemned then-Public Safety Minister Ralph Goodale for changing Canada’s policy on lawful access. Before then, Canada said it favoured strong encryption in products to protect citizens. That changed when Goodale signed a Five Eyes communique urging tech companies to include “mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.”

Citizen Lab hit back. “In advancing an irresponsible encryption policy that would deny individuals and businesses access to strong encryption, [Ralph Goodale, Minister of Public Safety] and the Government of Canada have failed to publicly acknowledge and present the range of serious harms that would follow should companies voluntarily, or under compulsion, adopt the government’s current policy,” it said.

Briefly, privacy and many encryption experts argue that what governments want is a back door into systems so they can read the communications of crooks and nation-states. Even if any back-door system requires judicial approval, they say, a hole is a hole, and it can be exploited by any skilled attacker who finds it or obtains the key. There is no such thing, they argue, as an access mechanism that can only be used by governments. As a result, such back doors or processes end personal privacy for everyone.

The weekend communique acknowledges that technology companies use encryption to protect their users. But, the release also says, law enforcement must find a way to respond to “illegal content, child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning.” In fact, the Five Eyes argue, end-to-end encryption hobbles tech companies’ own efforts to fight these threats.

All that is being asked, according to the Five Eyes community, is for law enforcement agencies to access content “in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security.”

“We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity,” the statement reads.  “We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.”

Suggestions include creating master decryption keys that, in theory, only law enforcement agencies can access with a court order; giving police the ability to get a court order to compel suspects to decrypt their conversations; or creating a way that allows third parties to lawfully listen in to encrypted conversations or messages.

The post Five Eyes countries press for back doors into applications, again first appeared on IT World Canada.

Google Responds to Warrants for “About” Searches

One of the things we learned from the Snowden documents is that the NSA conducts “about” searches. That is, searches based on activities and not identifiers. A normal search would be on a name, or IP address, or phone number. An about search would be something like “show me anyone that has used this particular name in a communication,” or “show me anyone who was at this particular location within this time frame.” These searches are legal when conducted for the purpose of foreign surveillance, but the worry about using them domestically is that they are unconstitutionally broad. After all, the only way to know who said a particular name is to know what everyone said, and the only way to know who was at a particular location is to know where everyone was. The very nature of these searches requires mass surveillance.

The FBI does not conduct mass surveillance. But many US corporations do, as a normal part of their business model. And the FBI uses that surveillance infrastructure to conduct its own about searches. Here’s an arson case where the FBI asked Google who searched for a particular street address:

Homeland Security special agent Sylvette Reynoso testified that her team began by asking Google to produce a list of public IP addresses used to google the home of the victim in the run-up to the arson. The Chocolate Factory [Google] complied with the warrant, and gave the investigators the list. As Reynoso put it:

On June 15, 2020, the Honorable Ramon E. Reyes, Jr., United States Magistrate Judge for the Eastern District of New York, authorized a search warrant to Google for users who had searched the address of the Residence close in time to the arson.

The records indicated two IPv6 addresses had been used to search for the address three times: one the day before the SUV was set on fire, and the other two about an hour before the attack. The IPv6 addresses were traced to Verizon Wireless, which told the investigators that the addresses were in use by an account belonging to Williams.

Google’s response is that this is rare:

While word of these sort of requests for the identities of people making specific searches will raise the eyebrows of privacy-conscious users, Google told The Register the warrants are a very rare occurrence, and its team fights overly broad or vague requests.

“We vigorously protect the privacy of our users while supporting the important work of law enforcement,” Google’s director of law enforcement and information security Richard Salgado told us. “We require a warrant and push to narrow the scope of these particular demands when overly broad, including by objecting in court when appropriate.

“These data demands represent less than one per cent of total warrants and a small fraction of the overall legal demands for user data that we currently receive.”

Here’s another example of what seems to be about data leading to a false arrest.

According to the lawsuit, police investigating the murder knew months before they arrested Molina that the location data obtained from Google often showed him in two places at once, and that he was not the only person who drove the Honda registered under his name.

Avondale police knew almost two months before they arrested Molina that another man ­ his stepfather ­ sometimes drove Molina’s white Honda. On October 25, 2018, police obtained records showing that Molina’s Honda had been impounded earlier that year after Molina’s stepfather was caught driving the car without a license.

Data obtained by Avondale police from Google did show that a device logged into Molina’s Google account was in the area at the time of Knight’s murder. Yet on a different date, the location data from Google also showed that Molina was at a retirement community in Scottsdale (where his mother worked) while debit card records showed that Molina had made a purchase at a Walmart across town at the exact same time.

Molina’s attorneys argue that this and other instances like it should have made it clear to Avondale police that Google’s account-location data is not always reliable in determining the actual location of a person.

“About” searches might be rare, but that doesn’t make them a good idea. We have knowingly and willingly built the architecture of a police state, just so companies can show us ads. (And it is increasingly apparent that the advertising-supported Internet is heading for a crash.)

Podcast Episode 10 – Face off: Debating Facial Recognition with Thom Langford & Paul Edon

Recovering CISO and Director of (TL)2 Security Thom Langford joins the show to debate Tripwire’s Paul Edon on facial recognition vs. security. Spotify: https://open.spotify.com/episode/5wXKv9DiQjfsZNf6heXg67 Stitcher: https://www.stitcher.com/podcast/the-tripwire-cybersecurity-podcast RSS: https://tripwire.libsyn.com/rss YouTube: https://www.youtube.com/playlist?list=PLgTfY3TXF9YKE9pUKp57pGSTaapTLpvC3 The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast. Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I’m Tim […]

The post Podcast Episode 10 – Face off: Debating Facial Recognition with Thom Langford & Paul Edon appeared first on The State of Security.

Taking a screwdriver to unlock your IoT sex toy is nuts

The Bluetooth Qiui Cellmate attaches itself to a man's penis, allowing a remote partner to lock up your proverbials if they think you don't deserve to use them for a while. And with no umm.. manual override, you could find your pickle in a right pickle if an unauthorised third party exploits the flaws to lock the cage without your permission. Built from a mixture of polycarbonate and toughened steel, removal is non-trivial and might involve taking an angle grinder or bolt cutters to a delicate part of your anatomy. That's not when you want to find out that there is a security flaw in the sex toy's API that means anyone can hijack your cock lock.

Smashing Security podcast #199: A few tech cock-ups, and one cock lock-up

An internet-connected adult toy could leave its users encaged, the official NHS COVID-19 contact-tracing app alarms users, and would you be happy if a robot interviewed you for a job? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BBC technology correspondent Zoe Kleinman.

Privacy-Preserving Smart Input with Gboard

Google Keyboard (a.k.a. Gboard) has a critical mission to provide frictionless input on Android to empower users to communicate accurately and express themselves effortlessly. In order to accomplish this mission, Gboard must also protect users' private and sensitive data. Nothing users type is sent to Google servers. We recently launched privacy-preserving input by further advancing the latest federated technologies. In Android 11, Gboard also launched the contextual input suggestion experience by integrating on-device smarts into the user's daily communication in a privacy-preserving way.

Before Android 11, input suggestions were surfaced to users in several different places. In Android 11, Gboard launched a consistent and coordinated approach to accessing contextual input suggestions. For the first time, we've brought Smart Replies to the keyboard suggestions, powered by system intelligence running entirely on device. The smart input suggestions are rendered in a transparent layer on top of Gboard’s suggestion strip. This structure maintains the trust boundary between the Android platform and Gboard, meaning sensitive personal content cannot be accessed by Gboard. The suggestions are only sent to the app after the user taps to accept them.

For instance, when a user receives the message “Have a virtual coffee at 5pm?” in WhatsApp, on-device system intelligence predicts the smart text and emoji replies “Sounds great!” and “👍”. Android system intelligence can see the incoming message, but Gboard cannot. In Android 11, these Smart Replies are rendered by the Android platform on Gboard’s suggestion strip as a transparent layer. The suggested reply is generated by the system intelligence. When the user taps the suggestion, the Android platform sends it to the input field directly. If the user doesn't tap the suggestion, Gboard and the app cannot see it. In this way, Android and Gboard surface the best of Google smarts whilst keeping users' data private: none of their data goes to any app, including the keyboard, unless they've tapped a suggestion.

Additionally, federated learning has enabled Gboard to train intelligent input models across many devices while keeping everything individual users type on their own device. Today, emoji are as common as punctuation and have become the way for our users to express themselves in messaging. Our users want fresh and diversified emojis to better express their thoughts in messaging apps. Recently, we launched new on-device transformer models, fine-tuned with federated learning in Gboard, to produce more contextual emoji predictions for English, Spanish and Portuguese.

Furthermore, following the success of privacy-preserving machine learning techniques, Gboard continues to leverage federated analytics to understand how Gboard is used from decentralized data. What we've learned from privacy-preserving analysis has let us make better decisions in our product.

When a user shares an emoji in a conversation, their phone keeps an ongoing count of which emojis are used. Later, when the phone is idle, plugged in, and connected to WiFi, Google’s federated analytics server invites the device to join a “round” of federated analytics data computation with hundreds of other participating phones. Every device involved in one round computes its emoji share frequency, encrypts the result and sends it to a federated analytics server. Although the server can’t decrypt the data individually, the final tally of total emoji counts can be decrypted when the encrypted data is combined across devices. The aggregated data shows that the most popular emoji is 😂 in WhatsApp, 😭 in Roblox (gaming), and ✔ in Google Docs. Emoji 😷 moved up from 119th to 42nd in terms of frequency during COVID-19.
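The round described above, as an added example that is not Google's code: each phone keeps its own emoji counts, uploads only a masked vector, and the server can decode the total but no individual report. It assumes a simplified dealer that hands out the pairwise masks (real secure aggregation derives them from key agreement between devices) and a constructed four-emoji vocabulary.

```python
"""Simulated federated analytics round for emoji counts (added example).

Each device computes its local emoji histogram, masks it with pairwise random
vectors, and sends only the masked vector. Because the masks of every pair
cancel (+r_ij on device i, -r_ij on device j), the server's sum over all
reports equals the true total while no single report is readable.
Simplification (assumption): a dealer hands out the pairwise masks; real
secure aggregation derives them from key agreement between the devices.
"""
import secrets
from collections import Counter

EMOJI = ["😂", "😭", "✔", "😷"]   # constructed vocabulary for the example
MODULUS = 2 ** 32                   # all arithmetic is modulo this value


def local_histogram(typed):
    """Per-device count of each tracked emoji; this never leaves the phone."""
    counts = Counter(typed)
    return [counts[e] for e in EMOJI]


def deal_pairwise_masks(n_devices):
    """One random vector per unordered device pair (i < j)."""
    return {(i, j): [secrets.randbelow(MODULUS) for _ in EMOJI]
            for i in range(n_devices) for j in range(i + 1, n_devices)}


def masked_report(device, histogram, masks, n_devices):
    """What a device actually uploads: histogram plus masks, never raw counts."""
    report = list(histogram)
    for other in range(n_devices):
        if other == device:
            continue
        pair = (min(device, other), max(device, other))
        sign = 1 if device < other else -1       # lower index adds, higher subtracts
        report = [(v + sign * m) % MODULUS for v, m in zip(report, masks[pair])]
    return report


def server_aggregate(reports):
    """Server-side tally: only the sum over all reports is meaningful."""
    total = [0] * len(EMOJI)
    for rep in reports:
        total = [(t + v) % MODULUS for t, v in zip(total, rep)]
    return total


def run_round(device_inputs):
    """Run one round; returns (uploaded reports, decoded totals per emoji)."""
    n = len(device_inputs)
    masks = deal_pairwise_masks(n)
    hists = [local_histogram(typed) for typed in device_inputs]
    reports = [masked_report(i, hists[i], masks, n) for i in range(n)]
    totals = server_aggregate(reports)
    return reports, dict(zip(EMOJI, totals))


def most_popular(device_inputs):
    """The ranking a product team can read off the aggregate, never per user."""
    _, totals = run_round(device_inputs)
    return max(totals, key=totals.get)


# Constructed sample: three phones' emoji use in one app during one round.
SAMPLE = [
    ["😂", "😂", "😷", "✔"],
    ["😭", "😂", "😷"],
    ["😂", "😭", "😭", "😷"],
]

if __name__ == "__main__":
    reports, totals = run_round(SAMPLE)
    print("uploaded:", reports)       # masked vectors, unreadable individually
    print("aggregate:", totals)       # {'😂': 4, '😭': 3, '✔': 1, '😷': 3}
```

With a single participating device the masks are empty and the report is the raw histogram, which is why real deployments require a minimum round size.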

Gboard always has a strong commitment to Google’s Privacy Principles. Gboard strives to build privacy-preserving effortless input products for users to freely express their thoughts in 900+ languages while safeguarding user data. We will keep pushing the state of the art in smart input technologies on Android while safeguarding user data. Stay tuned!

5 Reasons Why You Should Avoid Free VPNs

A Virtual Private Network (VPN) is a technology that offers total security for all your digital activities. It serves as a barrier against third-party groups, hackers, cyber threats, malware, and sensitive data leakage.

More than ever, we need to invest in high-end protection to ensure our privacy is never compromised. VPNs are in high demand in the current situation, where most people stay at home and work remotely. With increased online activity, it’s high time to protect your privacy.

Free VPNs are enticing and offer ‘great’ security at no extra cost. Their services are too good to be true, which is reason enough to doubt them and stay away.

Are There Alternatives To Top-Rated VPN Providers? 

The threat of using a free VPN is high, as it does not offer robust encryption compared to paid services. It is better to pay for a cheap VPN service than to compromise your security. Affordable VPN services offer powerful data encryption for people on limited budgets. They provide standard encryption technology to ensure your privacy is protected and your digital activities are secured.

There are a few reliable and trusted VPN providers that offer affordable services, and they are a far better choice than free services that threaten your security. These are great alternatives that won’t hurt your wallet but will surely be of great help, especially if you’re constantly exploring the internet.

5 Facts Why Free VPNs Are A No-No

Free VPN software keeps records of your digital activities and sells them to third parties. It offers encryption that doesn’t ‘really’ mask your activities or protect your identity. Free VPN services log all your sensitive data, which is already a threat to your privacy. Aside from that, here are five things you need to remember about why free VPNs are a no-no.

  1. Monitor And Sell All Collected Data

VPNs act as your protective barrier against digital threats while you’re online. They secure all your data, online activities, and private information against prying eyes, government surveillance, and so on. VPNs block hackers and your ISP from collecting or selling your data for profit.

A free VPN flips that message: you become the cash cow that funds the service, paying with the data it collects from you. This sensitive data is then sold to third parties, putting not just your information but your privacy at stake.

  2. Leaks IP Addresses

Robust VPN solutions offer total security and encryption for all your digital activities and traffic. They serve as your secret portal to the World Wide Web, shielded from cyber threats, hackers, and prying eyes.

Using a free VPN is like using a tunnel with tons of holes that can leak your data or IP address. Hackers can track your activity, prying eyes can monitor you, and, worse, you can be exposed to tons of privacy threats.

  3. They Are Not Safe

Free VPN solutions are risky. They are a dangerous threat to your security and privacy. Running a VPN service is pricey, and offering it to users for free is fishy. That means your data is the menu served for other people to devour.

  4. Aggressive Ads

Free VPNs push aggressive ads that can go one step too far and land you on a hazardous site. That can expose you to tons of threats and hackers who can instantly access your information and files. A high volume of ads can also weigh your system down and degrade your browsing experience, on top of the privacy threats.

  5. Malware Exposure

Free VPN solutions contain malware that can damage not just your privacy but your devices. You have a higher chance of being exposed to these nasty bugs when you download such software. Mobile ransomware and malware can steal sensitive information like social security details and bank login details.

Conclusion

Free VPNs are enticing and offer ‘robust security’ without the need to pay hundreds of dollars a year. However, your security is at stake, together with your sensitive data and information.

Though a free VPN can help you stream region-restricted websites, you need to reconsider your options and the potential threats. Free VPNs are not safe; if you want to secure your digital presence, you can opt for an affordable VPN solution that offers high-end encryption to ensure your privacy and data are protected against potential hacks.

The post 5 Reasons Why You Should Avoid Free VPNs appeared first on CyberDB.

Answer these questions to find out how safe your social media profiles are

Unless you’re a hermit who lives under a rock, you probably use social media in some form or the other. You’re not alone; recent statistics reveal that you’re among 3.5 billion social media users worldwide. And it’s a rapidly increasing number that already constitutes half the world’s population. Social media…

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS and upgrade-insecure-requests via content security policies to help make it a reality. Yet I also find myself constantly using VPNs for a variety of security and privacy related reasons and it got me thinking - why? I mean what's the remaining gap?

Last month I announced I've partnered with NordVPN as a strategic adviser and as part of that effort, I wanted to be a lot clearer in my own narrative around the value proposition of VPNs, especially as the web implements more encryption across more connections. As I started delving back through my own writing over the years, the picture became much clearer and it really crystallised just this week after I inadvertently landed on a nasty phishing site. I also started giving more thought to privacy and how it's constantly eroded in little bites, a thought process that highlighted just how far we still have to go as an industry, and where the value proposition of a VPN was strongest.

In the end I broke it down into 3 Ps: padlocks, phishing and privacy. Here's the value proposition of a VPN in the modern era:

1. HTTPS Still has a Long Way to Go

This is such a mess it's difficult to even know where to begin, so let me just start with the easy bits then progressively unveil just what a train wreck the current state of encrypted web traffic is. Here's one of our "Big 4" Aussie banks and as you can clearly see by virtue of the padlock, it's served over an HTTPS connection:

Goodo! I know that what's on the page hasn't been modified in transit as it was loaded over the internet, nor could anyone intercepting my traffic read it. The last bit is particularly important as I log on and would firstly like my password not to be eavesdropped on and secondly would also like to keep my financial information on the website secure. The great thing about the padlock in the browser is that it's assigned automatically by the browser itself; ANZ can't just say "let's whack a padlock up in the omnibar", they only get it if the page (and everything on it) is served securely. If I choose, I can click that padlock and inspect the certificate just to give me that extra peace of mind. Now let's try the mobile app:

What's the encryption story there? No idea! What I do know is that years ago I reported a bug to ANZ about their mobile app having turned off certificate validation so even though it made an HTTPS connection, it would trust any certificate returned to the app, including one injected by an attacker. Ouch!

I also know that when ANZ updated their app a couple of years ago, they pushed it out by asking people to click on an insecure link that looked just like a phishing attack:

And just to go down the rabbit hole even further, as commendable as the first ANZ screen grab of the HTTPS address in the browser is, you can only get there by first making an insecure request which is what the browser defaults to when you type in "anz.com.au":

If you want to get technical about it, yes, there's HSTS involved but it's not preloaded so the first request will always be insecure. But that shouldn't be that surprising given that only 2.3% of the world's top 1 million websites are forcing the first request to be secure:

This isn't meant to be an ANZ-bashing session because let's face it, plenty of banks have had plenty of problems getting their encryption right in the past, but it shows you just how many places there are for it to go wrong. I was reminded of just what a mess the landscape is just the other day after someone pointed me at a new financial app:

In the ensuing discussions I had about how much we can trust the transport layer, someone pointed out that it was only a few months ago that TikTok was found to be loading videos insecurely, allowing the contents of them to be manipulated whilst loading. It's kinda unfathomable to think that this sort of thing is still happening; I was dismayed enough 5 years ago when reporting vulnerabilities like this, yet here we still are.

Then there's the long, long tail of websites that still to this day simply don't want to protect their visitors' traffic. For example, one of Australia's most popular websites is the Bureau of Meteorology, still served insecurely:

And just in case you thought you'd fix this by using a browser extension such as HTTPS Everywhere, no, you can't:

This is a baffling approach given they were actually able to respond to a request over HTTPS (so they have a valid cert), but then consciously chose to redirect the traffic to a non-secure address. And before we go down the "yeah but it's a static site so nothing can go wrong" path, all static sites should serve traffic over an encrypted connection for many, many good reasons.
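The HSTS point made in this section (a policy that is not preloaded only helps after the first, insecure visit) can be checked against a site's own header. This is an added example, not code from the post or from NordVPN; the preload requirements it encodes are the hstspreload.org submission rules (one-year max-age, includeSubDomains, preload), and `fetch_hsts_header` is a live helper you run by hand.

```python
"""Classify a Strict-Transport-Security header (added example).

Does HSTS protect the *first* request to a host? Only if the host ships in
the browsers' preload list. Otherwise the policy is trust-on-first-use: the
browser learns it from a response it has already fetched, so the very first
visit (and any visit after max-age expires) still goes out over HTTP.
"""
import urllib.request

ONE_YEAR = 31_536_000   # seconds; minimum max-age for hstspreload.org submission


def parse_hsts(header):
    """Split an STS header value into lower-cased directives (RFC 6797 syntax)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def classify_hsts(header, on_preload_list=False):
    """Return what the header buys a visitor of a host that answers over HTTPS.

    header          -- value of Strict-Transport-Security, or None if absent
    on_preload_list -- whether the host is in the browser preload list; the
                       header alone cannot tell you this, it has to be looked up
    """
    absent = {"first_request_protected": False, "later_requests_protected": False,
              "preload_eligible": False}
    if header is None:
        return dict(absent, reason="no HSTS header: every visit can start over HTTP")
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    if max_age <= 0:
        return dict(absent, reason="missing or zero max-age: policy is not cached")
    eligible = max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d
    if on_preload_list:
        reason = "host is preloaded: the browser never sends the first request insecurely"
    elif eligible:
        reason = "header meets preload requirements but host is not preloaded: first visit is still HTTP"
    else:
        missing = [x for x in ("includesubdomains", "preload") if x not in d]
        if max_age < ONE_YEAR:
            missing.append("max-age>=%d" % ONE_YEAR)
        reason = "trust-on-first-use only; preload would need: " + ", ".join(missing)
    return {"first_request_protected": on_preload_list,
            "later_requests_protected": True,
            "preload_eligible": eligible,
            "reason": reason}


def fetch_hsts_header(host, timeout=10):
    """Live helper: fetch https://host/ and return its STS header (None if absent)."""
    with urllib.request.urlopen("https://%s/" % host, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed sample headers covering the cases the section walks through.
SAMPLES = {
    "no header": None,
    "half a year, no preload": "max-age=15768000",
    "preload-ready": "max-age=31536000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print("%-24s -> %s" % (label, classify_hsts(hdr)["reason"]))
    print("%-24s -> %s" % ("preload-ready, listed",
          classify_hsts(SAMPLES["preload-ready"], on_preload_list=True)["reason"]))
```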

2. A Secure Connection to Satan is Still a Connection to Satan

This tweet by my friend Scott Hanselman has well and truly stood the test of time:

I was reminded of this only a few days ago when I came across yet another Windows virus scam, the kind that's been doing the rounds for a decade now but refuses to die. It all started with a Google alert I have set up for the term "have i been pwned":

Initially, I was a little bit excited; does Netflix now have a way of checking your address directly against HIBP? Maybe they're plugging into the API directly from the account page there? Cool! However, moments later:

I saved you a copy of the audio as I'm sure the original one will disappear at some point. Imagine some poor unsuspecting person hearing that, seeing the warning on the screen then falling for the scam. These are massively prevalent and, per the screen grab, served over an encrypted HTTPS connection. But as Scott said earlier on, having privacy on your traffic doesn't mean you're communicating with someone you actually want to.

To test a theory, I fired up NordVPN which connected me to an exit node just up the road from me (that IP address is in Brisbane):

I've also got CyberSec enabled to kill nasty stuff off which I think it's fair to say, the scamming site above fits the bill:

Hitting the same URL sent to me in the original Google alert led to quite a different result this time:

This is precisely how it went down just this week with me receiving that Google alert, clicking the link and copping the full brunt of the scam. Clearly, I know better than to fall for it, but it did make me stop and wonder how many people do get taken for a ride by these scams.

And just in case you're wondering, the host name in the image where DNS didn't resolve is different to the final scam site as a lot of these phishes bounce you around across multiple domains. Doing a quick check now, with NordVPN off, my Pi-hole still resolved the domain:

But turning on NordVPN with CyberSec enabled, the domain was black-holed back to my local IP:

Now to be clear, I still love the Pi-hole (but let's face it, most people aren't going to be installing a Pi in their homes) and you're always going to have DNS block-lists at various states of readiness regarding new malicious domains, but I love CyberSec for the same reason in that by blocking content at the DNS level you can extend the reach well beyond an ad blocker alone. Every browser and every app on the device gets the benefit of known nasty content being binned as it's done at the OS level where DNS is defined and not on a per-client basis.

3. Security != Privacy

This is one of the most obvious value propositions of a VPN, but it deserves being examined in more detail anyway. Let's talk about privacy and I'll break it down into multiple layers beginning with this excellent drawing from Wassim Chegham:

As soon as we hit the DNS box, privacy starts to go down the toilet as your browser (or other internet connected client) makes a plain text, unencrypted query to a DNS server which is usually your ISP's. Because it's a plain text query, the site your client is querying is immediately observable by anyone sitting on the connection. So what about DNS over HTTPS, or DoH? It solves the interception problem but of course the query still needs to be sent to a DNS server somewhere and at that point, the name being queried and the origin of the query (your IP address) are still visible to that server. From a privacy perspective, this isn't necessarily doing a lot for you.

Side note: we saw a great illustration of how much value ISPs put in being able to intercept DNS queries after the industry body for ISPs in the UK named Mozilla an "Internet Villain" for their push towards DoH. In classic anti-encryption style, the moral neutrality of crypto has led to complaints about increased privacy being used to, well, do things more privately whether they be good things or bad things.

With the DNS dance done, what's the impact on privacy then? Well, per the earlier ANZ example the initial request from the browser is still almost always sent insecurely over HTTP so everyone along the way not only sees where the traffic is going, but can also read and modify the contents of it so again, from a privacy perspective, not good. Per Scott's earlier tweet, only 2.3% of the top million websites in the world are resilient to this courtesy of preloading HSTS. But let's imagine the client has already begun communicating over HTTPS before someone starts poking around in their traffic, what then? That brings us to the next problem:

SNI is Server Name Indication and it was born of a need to host multiple sites and certificates on a single IP address. It means that whilst the contents of your traffic are encrypted, the destination they're being sent to is not:

As Cloudflare's CEO wrote in the link above: "SNI leaks every site you go to online to your ISP and anyone else listening on the line". Which led him to talk about ESNI or "Encrypted" SNI. Which is great except... It's only supported in Firefox (Chrome support is going nowhere in a hurry). And it's not on by default. And it requires TLS 1.3. And secure DNS. If you want to check whether it works in your own browser, try Cloudflare's ESNI checker (hint: it almost certainly doesn't work). In time, we may see ESNI get traction, but that time is going to be measured in years, not months, at least for it to gain enough market share for you to genuinely browse the internet in private. Except even then, there's a problem:

Encrypted connections are great, but whilst you're connecting to services from your own IP address, can we really call the connection "private"? If it's my IP address, what can the site I'm visiting determine about me? Here's what NordVPN's "What is my IP address" service told me, right down to my suburb:

Not only may I not want to share this information with the site I visit, I might not want them knowing I'm the same person coming back on subsequent visits (and no, browsers' incognito and private modes don't fix this). I may also not want them joining the dots on who I am by matching my IP address to other public records; HIBP presently indexes 215 data breaches that exposed IP addresses alongside an extensive array of other personal information. Now, maybe your IP address is dynamic, maybe you browsed a service from 4G and it was your wired connection you used last time, maybe it wasn't the same on multiple different exposures. Maybe...

And now, just to make it even worse, consider all the other locations content gets pulled in from just to load your average web page. Take cnn.com as an example:

There are 354 requests required to load the page including requests directly to CNN and their various subdomains, to Adnxs (a tracker), DoubleClick (a tracker) and if you scroll further down the report I've linked to above, amazon-adsystem.com (the hint is in the URL), outbrain.com (guess what - a tracker!) and by then I kinda figured I'd made my point and stopped scrolling. The privacy implications don't stop with the site you're visiting, they cascade all the way down the stack of requests that follow that initial one.

As the old saying goes, privacy isn't necessarily about having something to hide, it's also about not having something you want to share; if you're depressed and going to beyondblue.org.au then you may not wish to share that with other people. If you're having trouble with alcohol and visit aa.org.au then you may not want to share that either. If you're pregnant and hopping over to pregnancybirthbaby.org.au then, again, you may expect to keep that information private (let us not forget the story of how Target managed to "data-mine its way into [a teenage girl's] womb"). Just looking up those URLs I was imagining what sort of conclusions would be drawn about me if someone had access to my connection! (No, I'm not a depressed alcoholic teenager who's expecting...)

But privacy goes well beyond just the obvious issues too, for example folks in the US dealing with the death of net neutrality. When your ISP can see your traffic, they can shape your traffic and remember, HTTPS doesn't fix that problem, at least not today. It extends to censorship too and we start to get into a more contentious area here as that spans everything from the local cafe wifi using deny-lists to government-mandated blocks on content (the latter being particularly contentious regarding certain types of content in certain parts of the world). The point is that the privacy rights assured by a VPN are about a lot more than just protecting your source IP from being exposed to the website you're visiting; it goes well beyond that.

Summary

To be clear, using a VPN doesn't magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there's still the network segment between the VPN exit node and the site in question to contend with. It's arguably the least risky segment of the network, but it's still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won't be perfect. And privacy wise, a VPN doesn't remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I've always said I'd much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that's been independently audited to that effect.

The point of all this is that when we look at the value proposition of a VPN, it's about much more than just protecting a segment of the network that may already have HTTPS anyway. We rarely see TLS implemented to its full potential, phishing remains a massive problem and we have far too little privacy when browsing the web.

The Top 4 Tips for Keeping Your Digital Marketing Company Safe From Cyber Crime

As the Digital Age flourishes, more and more people are switching to working online and running businesses that revolve around all things digital and technological. A well-known example of this is the marketing industry. In recent years the marketing industry has converted to being almost entirely digital, creating a new genre of marketing: digital marketing. Almost every company has reaped, or has the ability to reap, the benefits of digital marketing, making this industry a lucrative and important one.

As more people are beginning or expanding their careers in digital marketing, there are some things that they should know; most notably, how to keep their digital marketing company safe from cybercrime. Cybercrime can impact and ruin people’s lives as hackers can steal, exploit, and tamper with personal information and accounts. And for a business that exists only digitally, it’s important to take the necessary precautions in order to keep the business safe.

What You Need to Know to Keep Your Company Safe

Whether you own a digital marketing business, or you work for one, it’s imperative that you take cybercrime seriously. An expert from a company that is a digital forensics investigator pointed out that cybercrime is becoming a common threat for internet users. He added that hackers are becoming more skilled as people’s dependence on technology increases. With that being said, here are 4 ways that you can protect your digital marketing business or your digital marketing job from cybercrimes.

1.    Be Sure to Keep All of Your Software Up to Date

This is perhaps one of the easiest ways that you can make sure that your digital marketing business is safe from cybercrime. One of the most common ways that hackers get into accounts and documents is by finding code defects in the software. When it comes to the software designers’ attention that there is a code defect, an update will come out that will fix this error. However, when people don’t update their software, hackers can see this and will enter the account, document, etc., through this code defect. Because hackers can see what software has been updated and what software hasn’t, it will be worth your while to keep all of your software up to date.

2.    Think About Email Marketing Security

To protect your marketing content and all of your clients’ personal information, you will have to make sure that your email marketing system is secure. Hackers are aware that email is one of the most essential tools in digital marketing, so they will try to gain access to these accounts.

Email marketing systems often hold crucial, yet sensitive information belonging to clients; therefore, you should utilize email marketing tools that feature security measures that will store sensitive information using encryption, and lock down access. To further ensure that your marketing email is secure, make it a point to train all employees on how to keep these systems secure and avoid data breaches.

3.    Encrypt and Back-Up Sensitive Data

Encrypting and backing up data is the best way to avoid a security breach and to prevent hackers from stealing all of your data in the event of cybercrime. Data encryption means translating data into another code so that only people with access to a decryption key or password can read it. Similarly, backing up data simply means making copies of the data and storing them on another device or with a cloud storage provider.

4.    Set Up Strict Limitations

It will be in digital marketing agencies’ best interest to set up strict limitations that will not allow employees to install unauthorized software or open files that contain viruses. Setting up strict digital limitations could potentially save you from a catastrophic event. Being proactive and setting up strict limitations will prevent malware from infecting your company’s computers and network.

Keep Your Digital Marketing Content Secure

Digital marketing companies are a common target when it comes to internet crime, so it’s necessary you do all that you can to avoid being hacked or exploited. To keep yourself, your employees, your clients, and your overall business safe and secure, keep these 4 digital marketing security tips in mind. Turning these tips into actions will significantly lower your chances of becoming a victim of cybercrime.

About the Author

Jennifer Bell is a freelance writer, blogger, dog enthusiast, and avid beachgoer operating out of Southern New Jersey.

The post The Top 4 Tips for Keeping Your Digital Marketing Company Safe From Cyber Crime appeared first on CyberDB.

Security settings nobody cares to check when installing new software and why it’s dangerous

We live in the age of cyberspace, and every day each of us is faced with the need to use information technology. The human online presence is boundless, from posting personal data on social networks to making online payments and downloading new software. Thus, our smartphones and PCs contain a lot of information about us, and we become much more vulnerable to attackers online than in real life. Cybersecurity is one of the key aspects of life in the information era. All electronic information, services, and devices require protection and compliance with certain security rules. But users rarely use reliable anti-virus software or specialized solutions to protect against DDoS attacks, and they ignore security settings. What can the outcome be, and how can potential hazards be avoided?

What Is a Cyber Threat?

Everyone must have come across this term on social media. But what exactly does it mean? It is a malicious act aimed at damaging or stealing data, or at disrupting the smooth functioning of digital devices. One of the first known computer viruses was Elk Cloner, which spread in the wild in the early 1980s. But cyber threats do not remain static; they become more sophisticated. Malware is often hidden in software that you install on your devices, and the likelihood of this risk increases if you download it not from a trusted source but from somewhere else on the net. When installing new programs, it is important to pay attention to the various warnings, especially if the program wants access to your personal data.

Types of Cyber Security Threats

Today there is a great variety of malicious programs that may slip unnoticed into your computer and gadgets. The most common are the following:

Viruses are malware that attaches itself to another program; when that program is launched (which usually happens through the user’s negligence), the virus begins to reproduce itself and modify other applications on the computer by implanting elements of its malicious code into them.

Worms are programs very similar to viruses. They are capable of self-replication and can lead to irreversible consequences for your system. However, worms do not need to infect other files to reproduce. They crawl into a computer and send copies of themselves to all your contacts.

Trojans, also known as Trojan horses, are one of the most dangerous hazards. They usually try to trick you by disguising themselves as useful programs. Once a Trojan has entered the system, attackers gain free access to the infected computer. Trojans pave the way for other malicious objects, such as viruses and ransomware.

Ransomware is a program that blocks your device and encrypts your files. It demands a ransom to get the system restored. Ransomware is considered a weapon of choice for cybercriminals because it enables them to make significant profits in cryptocurrencies that are difficult to trace. Ransomware code can be easily obtained on the black market, and it is never easy to defend against.

Adware is code included in software to display advertisements without the user’s knowledge. Often such programs collect and forward personal information about the user to their developer, change various browser settings, and generate traffic the user does not control. All of this can lead to both security policy violations and direct financial losses.

Spyware collects information about an individual user or organization without their knowledge. This malware records which keys users press, capturing personal data such as usernames, passwords, or credit card details.

Rootkits are able to hide other hazards from anti-virus programs. They give attackers administrative access to the infected computer. They usually go unnoticed by the user, other programs, and the operating system itself.

Cryptojacking is a type of malware that is becoming more widespread. Such programs are used for hidden cryptocurrency mining and are usually installed by means of a Trojan. As a result, intruders can use the resources of your computer to mine cryptocurrencies.

Main Mistakes That Cause Data Leakage

Sometimes users themselves create fertile ground for cyber threats. We ignore or neglect to implement many basic security measures. The risk of catching malware increases in the following cases:

·        Downloading free software. Buy legal programs and register them. Free software often asks to install additional programs on your PC that may carry a serious threat.

·        Untimely software updates. Make sure your software is up to date. Take time to enable automatic updates for your system, as they reduce its vulnerability. Updates should be downloaded from trusted software vendors.

·        Accidental downloads. Block pop-ups to prevent unwanted programs. The web browser you are using should have its pop-up blocker turned on; this prevents potentially dangerous ads from being displayed on the screen. Google Chrome, Firefox, and Microsoft Edge have built-in blockers. Viruses often use the extensions .vbs, .shs, .exe, .scr, .chm, .bat. If the system asks to download or open such a file, cancel your previous actions.

·        Opening potentially unsafe attachments and links. Do not click on links or open attachments received from unknown e-mail addresses. One of the most important sources of malware is emails from scammers; they can initiate phishing even from the Spam folder. Remove unwanted emails from strangers or companies, no matter how friendly they may look. Immediately close sites that open on your computer without your consent. Never follow such links, as a single click can lead to malicious software being downloaded to your computer.

·        Ignoring recommended security settings. There are some basic safety practices to follow to boost your device’s protection. Users often neglect them, opening the way to attackers.

Steps on Protecting Your PC

Everybody can  And there is a whole list of such solutions that will optimize the security level of your devices.

1.      Create strong passwords

This is one of the key rules of cybersecurity. The password must consist of a complex combination of characters. Use a different password for each service and site, and never share your passwords with anyone, keep them on paper, or enter them on third-party sites. Use other protection means where. For Windows, for example, you can activate Windows Hello, which uses face recognition to log in. You can also use password managers such as KeePass.

2.      Back up your system

This process ensures that all data is copied and stored in a separate place to avoid loss of information. If the original document is damaged, you can restore it from a copy stored in a safe place. OS developers give clear-cut instructions on how to do it:

You can also use special cloud storage.

3.      Enable two-factor authentication

Most reputable online services support two-factor authentication. Enable it with a software token (available on Facebook, Twitter, Google, etc.) or with a one-time password with SMS delivery.

4.      Use VPN

Use a VPN to protect your network data from being stolen. Experts consider public Wi-Fi networks unsafe. When using them, you should not enter passwords, logins, or personal data. Use such an Internet connection only via a VPN.

5.      Install antivirus software

Reputable antivirus programs will allow you to more carefully select and examine any software for potential danger. Besides, antivirus software will additionally ask for confirmation of your download decision and comment on the security of the file being installed.

Unfortunately, it is not possible to entirely eliminate the risk. But implementing good safety practices helps significantly reduce it. It is not difficult, and often free of charge, to boost your security. Timely actions can prevent a lot of potential hazards. The best approach would be to create a safety checklist covering the above-mentioned tips and check compliance with it regularly.

The post Security settings nobody cares to check when installing new software and why it’s dangerous appeared first on CyberDB.

The DRaaS Data Protection Dilemma

Written by Sarah Doherty, Product Marketing Manager at iland

Around the world, IT teams are struggling with choosing between less critical but important tasks and innovative projects to help transform the business. Both are necessary for your business and need to be actioned, but should your team do all of it? Have you thought about allowing someone else to guide you through the process while your internal team continues to focus on transforming the business?

DRaaS Data protection dilemma; outsourcing or self-managing?
Disaster recovery can take a lot of time to properly implement so it may be the right time to consider a third-party provider who can help with some of the more routine and technical aspects of your disaster recovery planning. This help can free up some of your staff’s valuable time while also safeguarding your vital data.

Outsourcing your data protection functions vs. managing them yourself
Information technology has raised many questions about how it really should be done. Some experts favour the Disaster Recovery as a Service (DRaaS) approach. They believe that data protection, although necessary, has very little to do with core business functionality. Organisations commonly outsource non-business services, which has driven many to consider the idea of employing third parties for other business initiatives. This has led some companies to believe that all IT services should be outsourced, enabling the IT team to focus solely on core business functions and transformational growth.

Other groups challenge the concept and believe that the idea of outsourcing data protection is foolish. An organisation’s ability to quickly and completely recover from a disaster - such as data loss or an organisational breach - can be the determining factor as to whether the organisation will remain in business. Some may think that outsourcing something as critical as data protection, and putting your organisation’s destiny into the hands of a third party, is a risky strategy. The basic philosophy behind this type of thinking can best be described as: “If you want something done right, do it yourself.”

Clearly, both sides have some compelling arguments. On one hand, by moving your data protection solution to the cloud, your organisation becomes increasingly agile and scalable. Storing and managing data in the cloud may also lower storage and maintenance costs. On the other hand, managing data protection in-house gives the organisation complete control. Therefore, a balance of the two approaches is needed in order to be sure that data protection is executed correctly and securely.

The answer might be somewhere in the middle
Is it better to outsource all of your organisation’s data protection functions, or is it better to manage it yourself? The best approach may be a mix of the two, using both DRaaS and Backup as a Service (BaaS). While choosing a cloud provider for a fully managed recovery solution is also a possibility, many companies are considering moving away from ‘do-it-yourself’ disaster recovery solutions and are exploring cloud-based options for several reasons.

Firstly, purchasing the infrastructure for the recovery environment requires a significant capital expenditure (CAPEX) outlay. Therefore, making the transition from CAPEX to a subscription-based operating expenditure (OPEX) model makes for easier cost control, especially for those companies with tight budgets.

Secondly, cloud disaster recovery allows IT workloads to be replicated from virtual or physical environments. Outsourcing disaster recovery management ensures that your key workloads are protected, and the disaster recovery process is tuned to your business priorities and compliance needs while also allowing for your IT resources to be freed up.

Finally, cloud disaster recovery is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. Furthermore, the time and expense to recover an organisation’s data is minimised, resulting in reduced business disruption.

Conversely, the disadvantage of local backups is that they can be targeted by malicious software that seeks out backup applications and database backup files, proactively searching for them and fully encrypting the data. Additionally, backups, especially when organisations try to recover quickly, are prone to unacceptable Recovery Point Objectives (RPO).

What to look for when evaluating your cloud provider

It is also essential when it comes to your online backups to strike a balance between micromanaging the operations and completely relinquishing any sort of responsibility. After all, it’s important to know what’s going on with your backups. Given the critical nature of the backups and recovery of your data, it is essential to do your homework before simply handing over backup operations to a cloud provider. There are a number of things that you should look for when evaluating a provider.
  • Service-level agreements that meet your needs.
  • Frequent reporting, and management visibility through an online portal.
  • All-inclusive pricing.
  • Failover assistance at a moment’s notice.
  • Do-it-yourself testing.
  • Flexible network layer choices.
  • Support for legacy systems.
  • Strong security and compliance standards.
These capabilities can go a long way towards allowing an organisation to check on their data recovery and backups, on an as-needed basis, while also instilling confidence that the provider is protecting the data according to your needs. The right provider should also allow you the flexibility to spend as much or as little time on data protection, proportional to your requirements.

Ultimately, using cloud backups and DRaaS is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. In most cases, the right disaster recovery provider will likely offer you better recovery time objectives than your company could provide on its own, in-house. Therefore as you review your options, cloud DR could be the perfect solution, flexible enough to deal with an uncertain economic and business landscape.

Parental Control – Here’s how you can regulate your child’s computer habits

Today’s generation of children is introduced to technology from the moment they are born. So it’s not a surprise to hear that, according to one study from 2013, children are using the Internet from the age of three! This year especially has seen a mass migration from the physical to…

All you need to know about API Security

An Application Programming Interface (API) is a way that allows applications to communicate with one another. It provides a way for developers to build software applications while enabling the extraction and sharing of data in an accessible manner. APIs can be used to facilitate cyberattacks as APIs are widely used…

Great Ways to Improve Mac’s Performance and Security

You are bound to run into Macbook performance problems. And when that time comes, the computer becomes more prone to cybersecurity threats on top of performance issues, such as stuttering and crashing.

It is important to ensure that your Mac is in the best possible shape for as long as possible. You need to create a maintenance routine and stick to it. Doing so would help to avoid potential risks. After all, even a very small problem can evolve into something you will not be able to manage.

The ways you can take better care of the Macbook are mentioned below. Implement them in your strategy and stick to that maintenance routine.

Way #1 – Pay Attention to Activity Monitor

App management might not seem like that big of a deal, but if you have been using a Mac for a while, some stuff is bound to be nothing but a hindrance. 

Launch Activity Monitor and sort the processes by relevant metrics. CPU or memory usage is the best to determine which applications require the most resources. 

Applications that you can remove should be removed. It is also worth mentioning that looking for alternatives might be a good course of action, and not only on grounds of resource usage. MacKeeper is a good example. It is not the best antivirus in terms of features and performance, not to mention all the shady stuff that surrounds the software.

You can uninstall MacKeeper and look for better antiviruses that will provide security as well as performance improvements. And this is just one example of how you can change things by taking better care of app management.

Way #2 – Disable Visual Effects

Visual effects should be off the list regardless. They offer nothing of considerable value and are only consuming battery life as well as the resources of the computer. Look at your settings and see which of these effects can be disabled. 

Way #3 – Scan for Potential Viruses

A sudden drop in the computer’s performance out of nowhere could mean that you are dealing with viruses and malware. Cybersecurity threats can attack you even if the computer is for personal use only. 

A reliable antivirus does not guarantee that the system is protected. You also need to be more wary of the links you click on. Enabling the firewall and taking other precautions, such as the auto-login feature or a VPN when browsing, could also be of use.

Way #4 – Update the System

System updates should be one of your priorities. While most of these happen automatically, you should still check now and then to make sure that the OS is on the latest version.

Even if small, an update will still introduce new features and improvements to stability, security, and overall performance. In case an update takes a while to finish installing, let it take all the time it needs. These things should not be rushed.

Way #5 – Free up Disk Space

Lack of disk space happens to be one of the biggest problems for Mac users, especially when they switch the OS for the first time. It is no secret that it will take time to get used to how little drive storage is available. 

However, if you are not careful with how you approach things, you will end up with only a few gigabytes left. When that happens, expect a Macbook to cause you quite a headache.

So what are the possible solutions to eliminate the issue? Well, there are a few things you can do.

For one, getting rid of useless applications and junk files like caches, old backups, and extensions will help. Removing files like language packs, old email attachments, as well as downloads ought to do the work, too.

Finally, you can look to transfer some data to cloud or external storage devices. There is also a way around keeping large media files on the computer, including music tracks: there are a lot of streaming platforms, such as Netflix or Spotify, that will make everything a lot easier.

Way #6 – Stop Memory Leaks

Memory leaks can run out of control if you are not careful. The distribution of memory is not something you can solve that easily. The simplest solution would be to restart the computer regularly. Every few hours should do the trick just fine.

Way #7 – Optimize Internet Browser

Internet browsers could cause the most problems, and if you do a lot of work with them, or cannot enjoy the time you spend surfing the web, it will be an issue. 

Changing to another browser is the easiest path to take, but if you have a lot of information, such as bookmarks, stored on your current browser, you will need to find another way out.

Removing excessive extensions and add-ons certainly helps. Keeping the number of open browser tabs down will also make a difference.

The post Great Ways to Improve Mac’s Performance and Security appeared first on CyberDB.

Data Security: How HIPAA Rules Affect Your Organization

Every organization has to ensure that all of its data is stored securely and that any possibility of data leaks or information theft is minimized as much as possible. Healthcare providers must also ensure that they comply with the Health Insurance Portability and Accountability Act (HIPAA). Here are some of the ways in which HIPAA rules can affect your practice and steps you can take to ensure you comply.

HIPAA Rules

The two fundamental components of HIPAA are the Privacy Rule and Security Rule. The key aspects of HIPAA’s Privacy Rule relate to who can have access to personal health information (PHI), how it is used and disclosed. Policies and procedures should be implemented to ensure that only the minimum information necessary is disclosed and that written patient authorization is obtained prior to their information being disclosed. Failing to follow the HIPAA Privacy Rule can lead to civil and even criminal penalties. The HIPAA Security Rule requires that all ePHI which is created, sent or received be kept confidential, that data integrity is maintained and that data is available when needed.

Safe Storage Of Electronic Records

Most patient healthcare information is now stored digitally, making it easier for clinical data to be accessed between providers. However, this data is still subject to the same HIPAA rules. It may include information about the patient’s medications, medical history and billing information. Crucially, this means that all electronic health records need to be stored securely and that adequate security measures need to be in place to prevent improper access.

Adequate Encryption

It is essential that safeguards are put in place to ensure that security threats and breaches are minimized.

One of the most important safeguards to implement is secure encryption of data. To ensure maximum security, it’s essential that you use software that encrypts the data when you back up health records. The same applies to any platforms you may use to transfer patient information with other healthcare professionals or patients themselves.

Prevention Of Data Breaches

Whenever anyone without authorization accesses personal health information, this is considered a data breach. This may be a hacker, a member of the team with malicious intent or just a curious employee. Organizations need to take steps to protect patient information from being improperly accessed, as far as they reasonably can, to prevent avoidable data breaches. Whenever a data breach is discovered, it is imperative that the organization provides a breach notification, as specified by the HIPAA Breach Notification Rule.

Safeguard Against Cyber-Attacks

Organizations also need to ensure that they have adequate safeguards in place to protect against ransomware and cyber-attacks. Ransomware attacks involve malicious software encrypting the data on a computer or network and denying access to the data until a ransom payment has been made.

Healthcare providers are particularly vulnerable to ransomware and cyber-attacks.  Most of these attacks aim to steal electronic healthcare data which can then be sold on. The best strategy to ensure you can recover from any sort of cyber-attack is to have offline backups. You also need to ensure that any data kept on the cloud is stored securely. You risk fines, damage to your reputation and even poor healthcare outcomes if you don’t have proper security in place.

Safeguarding Public Health

Whilst individual privacy must always be respected, there are instances in which PHI can be released en masse. These will be specific instances which impact on public safety, for example any situation which requires disease or death to be identified, monitored and responded to. Other situations include terrorism, surveillance, outbreak investigation and research. You need to be clear about what information can be disseminated and used in each case.

Conclusion

In order to ensure that you and your business associates are complying with HIPAA and properly and securely protecting PHI, you need to minimize the risk of any health information becoming compromised, improperly disclosed or stolen and encrypted. Ensure that you have the latest security management initiatives in place in order to protect your digital platforms and ensure that patient information remains secure and uncompromised.

Beatrix Potter is a cybersecurity writer at Essay Services website. 

The post Data Security: How HIPAA Rules Affect Your Organization appeared first on CyberDB.

How To Keep Your Mac Secure Even If You Use Public Wi-Fi

Taking a moment to bolster your Mac’s security is always a smart move. It becomes absolutely essential if you regularly access public networks, be it on your campus or in your favorite cafe.

The internet is vast and can sometimes be unsavory. There are plenty of hackers and malicious bots out there trying to steal your information. But never fear! We are here to give you a few easy tips to make sure your MacOS remains impenetrable. 

Public Wi-Fi Threats

Before moving on to the solutions, you should know what kind of security issues come from using public wi-fi. Here are some of the risks.

Unencrypted Networks

Encryption ensures that the information passed between your device and the router stays secure by using a code. However, most routers have encryption turned off as a default factory setting, and unless an IT professional has set up the public network, it might be unencrypted and vulnerable.

Malware Distribution

If you have a software vulnerability, it might get targeted while on public wi-fi. Hackers often try to exploit these weaknesses by slipping in malware designed for that specific vulnerability.

Man-in-the-Middle attacks

Man-in-the-Middle (MitM) attacks are one of the most common threats that plague public networks. When you connect to the internet, data is sent from your device to the website. Hackers use security vulnerabilities to step in between and alter the information as it passes through. 

Packet Sniffing

When you log into an unencrypted wi-fi network, hackers can potentially intercept and read any information, including your login credentials. This digital eavesdropping is called packet sniffing.

Malicious Hotspots 

You might log in to a wi-fi with a familiar name, only to find out later that it was a malicious hotspot mimicking another network. Your software might not always spot the difference if both of these networks are named the same.

How to Protect Your Mac?

The security risks of public wi-fi are substantial. But that does not mean you have to swear off public networks altogether. Here are a few steps to ensure you can freely roam around the internet without worry.

Use a VPN

Using a VPN can solve most of your security issues. VPN creates an encrypted tunnel connecting your Mac to an off-site VPN host or provider.  A good VPN will ensure that all information between your computer and the internet is safe even when you log in to a public WiFi.

There are plenty of VPN providers to choose from, but check a provider’s encryption capabilities before you choose. Most ‘Free VPNs’ are unreliable and tend to inject advertisements on top of web pages you may visit. A trusted VPN provider like MacKeeper will hide what you browse and from where. You can read reviews on MacUpdate about this tool.

If you would rather not use a VPN, there are still a few steps you can take to minimize the risks.

  • Always make sure that the website you visit starts with ‘https://’.  This means that the website is taking measures to secure the transfer of data between your Mac and the website through some form of encryption.
  • Be sure of the network you are logging into. There are plenty of free-to-use wi-fi hotspots trying to lure unsuspecting users into giving up their information. Avoid connecting to unknown networks.
  • Avoid sensitive sites while on public networks. Even with https:// encryption it is best not to log in to social media sites or purchasing sites where you have to input your card details. Wait till you have access to your secure private wifi before you log in to such sites.

Firewall

The default Mac firewall can be a bit annoying with its constant notifications for permissions, but it is very useful when you are logging into a public network, provided you configure it properly.

Go to System Preferences and select the Security & Privacy icon. You can alternatively search for ‘firewall’ using the search box in the System Preferences window. Once you find the firewall settings, turn it on.

If the firewall settings are locked, unlock them by clicking the lock icon in the lower-left corner of the window and entering your admin password. After turning the firewall on, click Firewall Options and select “Block all incoming connections” from the drop-down menu.

This will limit certain functions like file sharing, but it will also reduce the threat of an outside attack while on public WiFi. You can switch the firewall off again when you are on a private network.
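The same settings can be scripted from the terminal with Apple’s socketfilterfw tool, so that switching to a “public network” profile is one command. This is an added example, not part of the original post; it assumes a macOS machine with the tool at its usual path, and the output-string patterns it matches are an assumption about the tool’s wording.

```shell
#!/bin/sh
# Added example (not from the original post): toggle the built-in macOS
# application firewall from the terminal, mirroring the System Preferences
# steps above. Assumes macOS and the socketfilterfw tool at its usual path.
set -u

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Return 0 when a "--getglobalstate" line reports the firewall as on.
# The tool prints e.g. "Firewall is enabled. (State = 1)"; State = 2 is
# the block-all mode. Matching on the State number is an assumption about
# the tool's wording.
fw_line_is_on() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a "--getblockall" line reports block-all as enabled.
# The tool writes ENABLED/DISABLED in upper case; "DISABLED" does not
# contain the substring "ENABLED", so the first pattern is unambiguous.
blockall_line_is_on() {
    case "$1" in
        *ENABLED*|*"block all non-essential"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Public-network profile: firewall on, block all incoming connections,
# and stealth mode so the Mac does not answer probes on the cafe Wi-Fi.
fw_public_profile() {
    sudo "$FW" --setglobalstate on >/dev/null
    sudo "$FW" --setblockall on >/dev/null
    sudo "$FW" --setstealthmode on >/dev/null
}

# Private-network profile: keep the firewall on but allow file sharing etc.
fw_private_profile() {
    sudo "$FW" --setglobalstate on >/dev/null
    sudo "$FW" --setblockall off >/dev/null
}

# One-line summary suitable for a "before I use public Wi-Fi" checklist.
fw_status() {
    g=$("$FW" --getglobalstate 2>/dev/null)
    b=$("$FW" --getblockall 2>/dev/null)
    fw_line_is_on "$g" && gs=on || gs=off
    blockall_line_is_on "$b" && bs=on || bs=off
    printf 'firewall=%s block_all=%s\n' "$gs" "$bs"
}

# Usage: sh fw-profile.sh public | private | status
case "${1:-}" in
    public)  fw_public_profile; fw_status ;;
    private) fw_private_profile; fw_status ;;
    status)  fw_status ;;
    *)       ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

The `public` and `private` commands need an administrator password, exactly as the lock icon does in System Preferences.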

You can also opt for other trusted Mac firewall providers. Usually, these are more elaborate in design and offer a range of functions. Security software like MacKeeper features ID theft guard and ad blockers along with encryption. 

Encrypt Email Passwords

Some mail service providers do not encrypt your password by default. This means that anyone intercepting your traffic can view your password as plain text. Make sure that your email client is configured to use SSL when connecting to the mail server. You can check with your email provider for the configuration procedure. If your email client does not support SSL, do not access it while on a public wi-fi.

Better DNS

When you visit any website, your Mac contacts a Domain Name System (DNS) server to find it. The DNS server points your Mac to the IP address that hosts the webpage you are looking for. This process only takes a fraction of a second.

You should configure your Mac to connect to a reliable and fast DNS server that filters out malware, botnets and other malicious websites that attempt to infect your Mac. There are plenty of options when choosing a DNS service. The setup instructions are specific to each service provider.

Bottom Line

Public WiFi comes with its own risks. With just basic protection enabled, try to avoid using sensitive information like credit card details while logged on to a public network, and always log out when you are not using the internet. But if you follow these tips and get a trusted internet security provider, then public wifi can be just as safe as any network.

About author:

Naomi Stone (@Naomi99Stone, https://twitter.com/Naomi99Stone) is a cybersecurity enthusiast and Mac aficionado. She’s passionate about covering topics like Mac cybersecurity, Mac tips & hacks, and Mac how-to guides. She is a contributor to Cyber Experts and Cybers Guards.

The post How To Keep Your Mac Secure Even If You Use Public Wi-Fi appeared first on CyberDB.

The Cyber Security Guide For Small Business Owners

Cybercrime isn’t limited to large corporations or wealthy individuals; it also targets small businesses. According to the U.S. Congressional Small Business Committee, a significant number of cyber-attacks targeted businesses with fewer than 100 workers. A related study, the SMB CyberSecurity Report, established that 50% of SMBs had experienced a security breach in the past.

The reason small businesses are targeted more than large corporations is that they have vulnerabilities in their networks. This means it’s easier to breach the networks of small businesses than it is to penetrate large corporations. Small businesses don’t allocate sufficient time and funds to secure their networks. They also lack expert personnel, have outdated security programs, and fail to secure their endpoints. The following are some of the basic cybersecurity best practices for small businesses.

Use a Firewall

Setting up a firewall is one of the basic ways of defending your business against a cyber-attack. The Federal Communications Commission urges small businesses to have firewalls to prevent data breaches. Some organizations have a standard firewall and an internal firewall for additional protection. Employees working remotely should also set up firewalls on their home networks.

Put Your Cybersecurity Policies In Writing

When it comes to cybersecurity, it’s advisable to put your policies in writing. To get started, you can attend online training through the Small Business Administration Cybersecurity portal. You can get help with drafting your policies from the FCC’s Cyberplanner 2.0. Alternatively, you can request a comprehensive toolkit for cybersecurity best practices through the C3 Voluntary Program for Small Businesses.

Use The CIA Model

When it comes to establishing cybersecurity policies, you should use the CIA model to guide you. This model helps keep your business secure by protecting your data. The elements of this model are Confidentiality, Integrity, and Availability. First, you should make sure information can’t be accessed by unauthorized personnel. You can do this by encrypting the information.

Second, you need to protect data and systems from being altered by unauthorized personnel: ensure that information is unchanged from the time you create it to the time it reaches the end user. Last, ensure authorized personnel can access information when they need it, and update your applications whenever necessary.

Train Employees In Cyber Security Measures

After you have established security policies, the next step is to train your employees to follow them. For example, train employees on how to create strong passwords. You should also establish rules that penalize employees for violating the business's cybersecurity policies, and ground rules on how to manage and protect client data and other important information. For example, you may require that all machines run the latest security software, operating system, and web browser to guard against malware, viruses, and other online threats.

Devise a Plan For Mobile Devices

According to Tech Pro Research's 2016 BYOD report, 59% of businesses allow BYOD (bring your own device). There has also been a surge in the use of wearables like wireless fitness trackers and smartwatches. For this reason, small businesses should establish BYOD policies that emphasize the need for security precautions. Norton by Symantec also urges small businesses to encourage employees to turn on automatic updates and to apply a strong password policy to mobile devices that connect to the company's network.

Back up Your Data Regularly

You may still be breached after observing all the necessary security measures. This is why you need to back up data regularly. You also need to back up data that is kept in the cloud because those servers could also be compromised. Store your backups in a safe place to guard against fire outbreaks and floods. Make sure your backups are up to date.

Apply Multifactor Authentication

No matter how secure you think you are, mistakes are inevitable: an employee can make a mistake that leaves your network vulnerable. Turning on multifactor authentication adds a further layer of protection to your network. For example, you can use employees' phone numbers as the second factor, since a cybercriminal is unlikely to have both the PIN code sent to the phone and the password.

Secure Your Wi-Fi Network

If your business has a Wi-Fi network, you need to secure it. Encrypt and hide the Wi-Fi network so that it can't be accessed by unauthorized personnel. To hide the network, configure the wireless access point so that it does not broadcast the network name, also called the Service Set Identifier (SSID). Protect access to the router with a password.

Endnote

Many businesses downplay the threat of cybercriminals, arguing that they don’t have significant assets or that their data is not worth a security breach. However, cybercriminals target the weak networks of small businesses more than the heavily secured networks of large organizations. For this reason, it’s important to observe cybersecurity practices to ensure your business and clients are secured from cyber thieves. The above measures will help you tighten the data security of your organization, making it more difficult for hackers to breach your systems.

The post The Cyber Security Guide For Small Business Owners appeared first on CyberDB.

Messenger Rooms: New Video Chat Option is Fun But Has Risks

One of the many things we’ve learned during this season of being homebound is that video chats with friends can save the day. One of the newest channels for video chatting is Messenger Rooms. While the new Facebook feature isn’t groundbreaking in terms of how it works, it’s the ability to pull together a big group of friends spontaneously that may make this a popular digital hangout for kids.

The Basics

Messenger Rooms functions similarly to the popular video conferencing app Zoom. The exception: There’s no need for users (or guests) to download a new app, create an account, or send out pre-planned meeting invites.

Messenger Rooms is simple. One person sets up a Messenger Room, that Room is assigned a URL, the organizer sends his or her friends that link, and those friends can instantly click it and be in the room. With so many families still opting to avoid large gatherings, Rooms may be the next best way to socialize in the most organic, pre-pandemic way.

The app makes it easy to watch movies together since one user screen can be pinned to the top of the chat for shared viewing. Kids can also have game nights, birthday parties, organize workout and study groups, or have a “squad hangout” as the Room title options call out (see graphic, below).

The Fun 

A few specific features may make Messenger Rooms appealing to kids. First, it’s easy to drop friends a link and be together almost instantly in a private room. Messenger Rooms is free, doesn’t have time limits, and up to 50 friends can get together in one room — from anywhere in the world. Kids joining a Room from their mobile app can apply quirky filters to their backgrounds or faces, which brings in the creativity element they get from Instagram Stories and Snapchat.

The Risks

Privacy. So far, privacy seems to be the biggest concern being raised, and here’s why. Messenger Rooms, like Facebook, collects metadata from users — including guests without Facebook accounts. Metadata may include whom you talk with, at what times, and how often, all of which can be shared with a third party. Also, while Messenger Rooms does not record calls (like Zoom), it lacks end-to-end encryption, which leaves the channel vulnerable to hackers and compromises private conversations.

Troublemakers. Live chat rooms are not password-protected, so if a Room organizer makes a Room public or fails to lock a room they intended to be private, anyone can pop in and do anything. Much like the Zoom-bombing incidents now emerging, anyone could crash a meeting with racial rants or graphic content. Anyone who has the link to a room can also share it with others.

Cyberbullying. As with any app, conflicts can arise as can cyberbullying or harassment.

The Conversation

If you notice your kids using Messenger Rooms, you may consider having a few conversations that highlight the risks.

  • Privacy settings. If you organize a Room, lock it to keep unwanted people from crashing your meet up.
  • Nothing is private. Messenger Rooms isn’t encrypted, so it’s not the place to have private conversations or share sensitive content. Note: The internet in any form isn’t the place to share any personal content. Anything exchanged online — even a “private” text between two people — is vulnerable to hackers, device theft, or the possibility of a relationship falling out.
  • Nothing is free. Remind your children that online services are free for a reason: there is always an exchange, free use for data. Be aware that profile information and bits of a conversation could be mined and used by a third party. To understand better how data is collected, consult Facebook’s help center or data policy.
  • Lock your room. Unless your child adjusts his or her preferences, the Room will be open to anyone that person is friends with on Facebook, who will see the public Room at the top of their news feed. That means lovable Uncle Pete may mistakenly stumble into your daughter’s “squad” rant unless the Room is locked.
  • Report and block. If an unwanted person disrupts a Room, kids can block the user and report it to Facebook.
  • Age-appropriate options. For kids under 13 (Facebook’s age requirement), there’s Messenger Kids, a Facebook feature that allows younger kids to video call with friends in a parentally supervised room. It’s a great tool for teaching kids safe online practices before they use the real thing.

To stay ahead of the digital hangouts available to kids, visit McAfee Consumer Family Safety blogs each week. You may also consider monitoring your child’s devices with parental controls designed to filter content, monitor screen time, and track new apps.

The post Messenger Rooms: New Video Chat Option is Fun But Has Risks appeared first on McAfee Blogs.

CEO of exam monitoring software Proctorio apologises for posting student’s chat logs on Reddit

Australian students who have raised privacy concerns describe the incident involving a Canadian student as ‘freakishly disrespectful’

The chief executive of an exam monitoring software firm that has raised privacy concerns in Australia has apologised for publicly posting a student’s chat logs during an argument on the website Reddit.

Mike Olsen, who is the CEO of the US-based Proctorio, has since deleted the posts and apologised, saying that he and Proctorio “take privacy very seriously”.

Continue reading...

Medical Care #FromHome: Telemedicine and Seniors

For weeks and even months now, millions of us have relied on the internet in ways we haven’t before. We’ve worked remotely on it, our children have schooled from home on it, and we’ve pushed the limits of our household bandwidth as families have streamed, gamed, and conferenced all at the same time. Something else is new—more and more of us have paid visits to our doctors and healthcare professionals on the internet. Needless to say, this is an entirely new experience for many. And with that, I got to thinking about seniors. What’s been their experience with telemedicine? What concerns have they had? And how can we help?

For starters, an online doctor’s visit is known as telemedicine—a way of getting a medical issue diagnosed and treated remotely. With telemedicine, care comes by way of your smartphone or computer via a video conference or a healthcare provider’s portal.

Telemedicine is not new at all. It’s been in use for some time now, such as in rural communities that have little access to local healthcare professionals, in cases of ongoing treatment like heart health monitoring and diabetes care, and situations where a visit to the doctor’s office simply isn’t practical. What is new is this: the use of telemedicine has made a significant leap in recent months.

Telemedicine for seniors (and everyone else) is on the rise

A recent global consumer survey by Dynata took a closer look at this trend. The research, which spanned age groups and nations across North America and Europe, found that 39% of its respondents consulted a physician or healthcare professional online in the past few months. Of them, two-thirds said they used telemedicine as part of their care. Yet more telling, 84% of those who recently had a telemedicine appointment said this was the first time they used telemedicine.

The study also looked at their attitudes and experiences with telemedicine based on age and reported that members of the Baby Boomer generation found the experience to be satisfactory—just over 55%. Interestingly, this was quite consistent across other age groups as well, with all of them hovering just above or below that same level of satisfaction.

Have seniors changed their feelings about telemedicine?

One other study gives us some insight into how the opinions seniors hold about telemedicine may have changed in the past year. We can contrast the findings above with a University of Michigan study that polled American adults aged 50 to 80 in the middle of 2019. On the topic of telemedicine, the research found that:

  • 64% would consider using telemedicine if they had an unexpected illness while traveling
  • 58% saw it as an option for a return visit or follow-up
  • 34% would use it to address a new health concern

The study also asked how older Americans felt about telemedicine visits. At that time in 2019, only 14% said that their provider offered telemedicine visits, while 55% didn’t know if they had the option available to them at all. Just a small number, 4%, said they’d had a telemedicine visit within the year. Needless to say, it’ll be interesting to see what 2020’s results would have to say should the university run this poll again.

Among those who had at least one telemedicine visit, 58% felt that in-person office visits provided a better overall level of care, and about 55% felt that in-person visits were better for communicating with their health care professional and for feeling better cared-for overall.

Older adults and seniors express concerns about telemedicine

Citing the same University of Michigan study from last year, some of the concerns older adults shared are what you might expect regardless of age. The lack of a physical exam (71%), worries that the care might not be as good as a face-to-face visit (68%), and losing the feeling of a personal connection with their health care professional (49%) all ranked high.

Of note, three other concerns around technology also topped the responses:

  • Privacy (49%)
  • Issues using the technology needed to connect (47%)
  • Difficulty seeing or hearing their care provider (39%)

Once again, you can make a strong case that plenty of people might share these same concerns—not just seniors.

Your first telemedicine visit

On the subject of the actual telemedicine visit, let’s turn to some expert advice on the topic. The AARP (American Association of Retired Persons) offers a step-by-step guide on how to prepare for your first telemedicine visit. Their first piece of advice is “make sure you are tech-ready” for your appointment. And that’s one place I can help. Let’s take a look at some of those top concerns about technology.

Some of my advice here mirrors what I shared a few weeks ago about getting ready for an online job interview, and you can keep the following in mind:

Pick your device of choice and get it set up for telemedicine

You’ll need a device for your visit, so choose the one you know and that you’re comfortable with. That’s probably your computer or laptop. And just like with any video conferencing you do, spend some time getting familiar with how to set the microphone levels, speaker volume, and the camera. For audio, you can use a set of smartphone earbuds, which can help prevent audio feedback loops and simply make it easier to hear your caregiver.

As for cameras, many laptops have them built in as a standard feature. If that’s not the case for you, or if you have a desktop computer without a camera, there are several inexpensive options. If you’re shopping around, do a little research. There are plenty of reputable sites that provide mini-reviews, pricing overviews, and give you a sense for where you can make your purchase right now. As with any connected device, be sure to change any default passwords to a strong, unique password.

And if you can, do a dry run before your appointment. Reach out to a friend or relative and set up a quick video call with your computer or laptop. That way, you can get a feel for the experience and fine tune your settings as you like.

In other instances, the care provider will have an app that you’ll need to download or an online portal that you’ll need to access. If this is the case, don’t worry. You can still practice using your camera and your audio ahead of time with a trusted video conferencing application like Apple’s FaceTime or Microsoft’s Skype.

Make sure your technology is secure

If you don’t already have a comprehensive security solution in place, get one. This will protect you against malware, viruses, and phishing attacks. You’ll also benefit from other features that help you manage your passwords, protect your identity, safeguard your privacy, and more.

As for privacy in general, medical information is among the most precious information you have. For example, here in the U.S., we have HIPAA privacy standards to protect our medical records and conversations. Yet there’s also the issue of eavesdropping, which is a risk in practically any online communication. Here, you’ll want to do some research. A reputable health care provider will have a comprehensive set of Frequently Asked Questions (FAQ) available as part of their telemedicine service, which should include a section on your personal privacy and the technology they use. (Here’s a good example of a telemedicine FAQ from University of Washington Medicine.) Consult that FAQ, and if you have further questions, feel free to call the healthcare provider and speak with them.

If you find yourself searching online for a telemedicine provider, look out for bad links and phishing scams. It’s a sad state of affairs, yet hackers are capitalizing on today’s healthcare climate just as they’ve taken advantage of innocent people in times of need before. Use a web advisor with your browser that will alert you of malicious links and never click any link or open any email that you’re unsure of. Again, your security software should help you steer clear of trouble.

The best telemedicine choice is the one that is right for you

We’ve welcomed the internet into so many aspects of our lives, right on down to purchasing connected refrigerators and washing machines. Yet inviting the internet into other aspects of our lives, like our health and that of our loved ones, may not come so quickly. To put it bluntly, getting comfortable with the idea of online doctor’s visits may take some time. However, with research and conversation with your healthcare provider, you may find that a telemedicine visit will work just as well, or well enough, as an in-person visit in some cases. As you make those very personal decisions for yourself, I hope this article and the resources cited within it helps you make a choice that’s absolutely right for you.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Medical Care #FromHome: Telemedicine and Seniors appeared first on McAfee Blogs.

EasyJet reveals cyber-attack exposed 9m customers’ details

Airline apologises after credit card details of about 2,200 passengers were stolen

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company said on Tuesday that email addresses and travel details were accessed and it would contact the customers affected.

Continue reading...

The Guardian view on an NHS coronavirus app: it must do no harm | Editorial

Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device

The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.

Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.

Continue reading...

Email bungle at company seeking jobkeeper payments exposes staff’s personal details

Names, addresses and birthdates of more than 100 people shared in privacy breach

The company responsible for delivering traffic reports on radio and TV stations across Australia accidentally sent out the dates of birth, names and home addresses of more than 100 current and former staff to potentially thousands of people as the company seeks to apply for the jobkeeper payments.

Australian Traffic Network provides short traffic report updates during news bulletins to 80 radio and television stations, including the ABC, Seven, Nine, 10, 2GB and Triple M.

Continue reading...

Using Big Tech to tackle coronavirus risks swapping one lockdown for another | Adam Smith

An app that logs movements and contacts might seem like a fair trade now but we risk giving away our privacy for good

Even when the lockdown is lifted, there is no guarantee that life will ever return to normal. To prevent a future outbreak of coronavirus, the UK will need to roll out mass testing, maintain some social distancing measures and closely monitor communities to curb future flare-ups.

In pursuing that last aim, governments across the world are developing technology to track our movements. When lockdown ends, technology could be a valuable means of controlling future outbreaks, alerting people to cases of Covid-19 in their area and hopefully preventing future shutdowns.

Continue reading...

‘Zoom is malware’: why experts worry about the video conferencing platform

The company has seen a 535% rise in daily traffic in the past month, but security researchers say the app is a ‘privacy disaster’

As coronavirus lockdowns have moved many in-person activities online, the use of the video-conferencing platform Zoom has quickly escalated. So, too, have concerns about its security.

In the last month, there was a 535% rise in daily traffic to the Zoom.us download page, according to an analysis from the analytics firm SimilarWeb. Its app for iPhone has been the most downloaded app in the country for weeks, according to the mobile app market research firm Sensor Tower. Even politicians and other high-profile figures, including the British prime minister, Boris Johnson, and the former US federal reserve chair Alan Greenspan, use it for conferencing as they work from home.

Continue reading...

Morrisons not liable for massive staff data leak, court rules

UK supreme court says retailer not to blame for actions of employee with grudge

The UK’s highest court has ruled that Morrisons should not be held liable for the criminal act of an employee with a grudge who leaked the payroll data of about 100,000 members of staff.

The supermarket group brought a supreme court challenge in an attempt to overturn previous judgments which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.

Continue reading...