Category Archives: Privacy

NordVPN Breach FAQ – What Happened and What’s At Stake?

NordVPN, one of the most popular and widely used VPN services, yesterday disclosed details of a security incident in which an attacker apparently compromised one of its thousands of servers, a server hosted in Finland. Earlier this week, a security researcher on Twitter disclosed that "NordVPN was compromised at some point," alleging that unknown attackers stole private encryption keys used to protect VPN users

Alexa and Google Home devices can be exploited to eavesdrop on users, phish passwords

Researchers have shown just how easy it is for third-parties to exploit the so-called “smart” speakers that many home owners have purchased to eavesdrop on conversations and even steal passwords and credit card details.

Read more in my article on the Bitdefender BOX blog.

Farewell the ‘porn block’ – a PR exercise but lousy policy | Amy Orben

Without greater access to our online habits, politicians cannot frame laws for the digital age

The UK government’s porn block was a dead man walking for months, if not years. It is long overdue that this attempt to curb children’s access to online pornography is scrapped. Almost two years ago, a close colleague and I sat in a meeting with one of the policymakers who had recently been asked to implement the proposal. The pained look on his face when we queried his progress confirmed our suspicions that it was an impossible task. It was clear to many that the block could – and would – never come to pass.

The plan did not have just one Achilles heel – it had many.

Scientists and other stakeholders cannot access information about what the population is actually doing online

Related: UK drops plans for online pornography age verification system


Review: The Great Hack

Data is the most valuable asset/resource on Earth. Still, we have little or no control over who is exploiting ours without our consent. That is what the authors, Jehane Noujaim and Karim Amer, want to make us realize in their documentary film The Great Hack, released by Netflix on July 24, 2019. Jehane Noujaim, American documentary film director, and Karim Amer, Egyptian-American film producer and director, already worked together on The Square (2013), but it … More

The post Review: The Great Hack appeared first on Help Net Security.

Hack-ception: Benign Hacker Rescues 26M Stolen Credit Card Records

There’s something ironic about cybercriminals getting “hacked back.” BriansClub, one of the largest underground stores for buying stolen credit card data, has itself been hacked. According to researcher Brian Krebs, the data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

Most of the records offered up for sale on BriansClub are “dumps.” Dumps are strings of ones and zeros that can be used by cybercriminals to purchase valuables like electronics, gift cards, and more once the digits have been encoded onto anything with a magnetic stripe the size of a credit card. According to Krebs on Security, between 2015 and 2019, BriansClub sold approximately 9.1 million stolen credit cards, resulting in $126 million in sales.

Back in September, Krebs was contacted by a source who shared a plain text file with what they claimed to be the full database of cards for sale through BriansClub. The database was reviewed by multiple people who confirmed that the same credit card records could also be found in a simplified form by searching the BriansClub website with a valid account.

So, what happens when a cybercriminal, or a well-intentioned hacker in this case, wants control over these credit card records? When these online fraud marketplaces sell a stolen credit card record, that record is completely removed from the inventory of items for sale. So, when BriansClub lost its 26 million card records to a benign hacker, they also lost an opportunity to make $500 per card sold.

What good comes from “hacking back” instances like this? Besides the stolen records being taken off the internet for other cybercriminals to exploit, the data stolen from BriansClub was shared with multiple sources who work closely with financial institutions. These institutions help identify and monitor or reissue cards that show up for sale in the cybercrime underground. And while “hacking back” helps cut off potential credit card fraud, what are some steps users can take to protect their information from being stolen in the first place? Follow these security tips to help protect your financial and personal data:

  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook

The post Hack-ception: Benign Hacker Rescues 26M Stolen Credit Card Records appeared first on McAfee Blogs.

Chapter Preview: Ages 2 to 10 – The Formative Years

As our children venture into toddlerhood, they start to test us a bit. They tug at the tethers we create for them to see just how far they can push us. As they grow and learn, they begin to carve out a vision of the world for themselves—with your guidance, of course, so that they can learn how to live a safe and happy life both now and as they get older.

This is true in the digital world as well.

Typically, at around age two, our kids get their first taste of playing on mommy’s or daddy’s smartphone or tablet and discover an awesome new world of devices and online activities. It’s slow at first—a couple minutes here and there—but, over time, they spend more and more of their day online. You have an opportunity when your child has their first experience with a connected device to set the tone for what’s expected. This is a deliberate teaching moment, the first of many, where you explain how to go safely online and continue to reinforce these behaviors as they grow.

Just as at home and in school, these are children’s formative years in the digital world because there’s a significant increase in their access to devices and online engagement—whether it means watching videos, playing games, interacting with educational software, or many other activities. Keeping them safe in this environment needs to be top of mind, and that includes awareness of how their initial data puddle will rapidly become a data pond during these years. We need to be aware that this pond has direct ties to our privacy, their privacy, and, ultimately, to their life in general.

This chapter of “Is Your Digital Front Door Unlocked?” lays out several topics that, if done in healthy and constructive way, will make your child’s digital journey much more enjoyable. Topics such as the importance of rules, online etiquette, and the notion of “the talk” as it relates to going online safely are discussed in detail, in the hope of providing a framework that will grow as your child grows.

It also looks at challenges that every parent should be aware of, such as cyberbullying and the impact of screen time on your child. It also introduces the risks associated with online gaming for those just getting started.

I can’t express strongly enough the importance of engagement with your child during the formative years. This chapter will give you plenty of ideas of how to go about it in a way that both you and your child will enjoy.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

 

The post Chapter Preview: Ages 2 to 10 – The Formative Years appeared first on McAfee Blogs.

Key challenges impacting IT audit pros navigating an evolving risk landscape

Protiviti and ISACA surveyed 2,252 chief audit executives (CAEs), internal audit professionals and IT audit vice presidents and directors worldwide. Asked to identify their biggest technology challenges, IT audit leaders and professionals named the following top five:

  1. IT security and privacy/cybersecurity
  2. Data management and governance
  3. Emerging technology and infrastructure changes – transformation/innovation/disruption
  4. Staffing and skills challenges
  5. Third-party/vendor management

“As much as organizations are focusing on cybersecurity and protecting their data, they’re still behind … More

The post Key challenges impacting IT audit pros navigating an evolving risk landscape appeared first on Help Net Security.

Smashing Security #150: Liverpool WAGs, Facebook politics, and a selfie stalker

Footballers’ wives go to war over Instagram leaks, it turns out fake news is fine on Facebook (just so long as it’s in a political ad), and things take a horrific turn in Japan, as a stalker uses a scary technique to find out where his pop idol lives.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dave Bittner.

Rated P for Private? It’s Time to Re-think Privacy

You probably know privacy is a thing of the past, that is unless you spend a lot of time digging for freshwater clams in marshlands of Loon Lake. Mark Zuckerberg said it years ago, but he thought it was a good thing. In the wake of the Equifax breach and Cambridge Analytica, the end of privacy is no longer scary. It’s neutral. We’ve reached a “Now What?” moment.

Is It the Algorithm or the Microphone?

We can all agree paranoia is bad for business, and there’s plenty to go around these days whether you’re on the marketing side of things, the breach side, or the consumer side.

With no expectation of privacy, we’ve become a little numb to the parade of stories–both reported by the media and anecdotal–of connected devices eavesdropping on us–serving ads for things mentioned in casual conversation. But we’re all online every day, and in the process leave a trail of cookie crumbs for marketers to find us. There’s no need for a hidden mic.

While many enjoy the convenience that facial recognition provides in retail micro-targeting products and services, others hate it. We’ve heard the cringe-worthy news about health apps sharing some of the more intimate details of our sex lives with Facebook, Google, and other third parties.

Some of us shrug it off; the convenience made possible by forfeiting privacy is worth it to them. For others, it is an unacceptable situation. That framing is unfortunate, because it isn’t a situation at all. It’s the new norm, and none of it inspires a feeling of security.

A worried customer or client is a hesitant customer or client. So, how do you ease that tension? I would argue that, ironically, you can do this by creating a high information environment, where everyone can make informed decisions about how they want to interact with businesses and services.

Moving Right Along…

The need to protect privacy no longer needs an introduction. There’s plenty of legislation. New privacy laws in New York and Nevada go into effect in October, with California’s CCPA following in January 2020. Maine and Vermont have already enacted stronger laws to the same effect, and many states are expected to follow.

There’s a big “but” here. Without the right solutions provider, navigating privacy law can be prohibitively expensive for small to medium-sized companies. Add the cost of complying in a marketplace with many different laws, and we have a potential company killer on our hands. Google may be able to weather a $170 million fine for non-compliance without flinching; most of us can’t.

A Modest Proposal

Once upon a time, Hollywood was faced with a similar situation. In the beginning, there was no ratings system and it was a problem. There were many family-friendly films and then there were those that would make Mae West blush, but there was no way for the audience to know which was which. The result was an opportunity cost. Some people avoided the movies because they were perceived as scandalous.

Enter the Motion Picture Producers and Distributors of America (MPPDA, later the MPAA), which set guidelines later formalized as the movie rating system still used today. It’s not a perfect system, but the benefits outweigh its flaws. First of all, it’s voluntary: the MPAA created an opt-in industry standard, avoiding the need for legislation. The games industry rates its products the same way.

Most importantly, it was end-user friendly. You don’t need to know anything about Rambo: Last Blood or Abominable to decide which is better for kids; one is Rated R and one is Rated G. A similar system might work for websites and apps.

Here’s a sketch of what that might look like:

P–Protected User: Data is either not collected or it is protected and in compliance with standards such as the GDPR, CCPA, SHIELD, HIPAA, COPPA or PIPEDA.

ND–Not Distributed: Personally identifying information is collected to personalize an experience (location, ad preferences, etc.) but it is not shared with third parties.

A–Anonymized: Non-identifying usage data is collected and shared with third parties. (Forget for the moment that there’s no such thing as anonymized data that can’t potentially be re-identified in today’s deep data environment).

S–Shared: User data is collected, shared, and/or sold to third parties. (Think: Naked in a glass house.)

If a collection of privacy and data use experts could get together on the creation of this rating system, privacy policies would no longer be so perilous.

Would it work? Online privacy is getting more complex with every new whizbang, regulation, law, court case, breach, compromise, and scandal. Any workable solution needs to counter that with a general approach that can be applied globally.

If this isn’t it, it’s time to figure out what is.

The post Rated P for Private? It’s Time to Re-think Privacy appeared first on Adam Levin.

Privacy advocates criticize Apple for sharing some users browsing data with Tencent

Most Apple users likely don’t know that the company sends iOS web browsing data on some of them to the Chinese giant Tencent.

Starting from at least iOS 12.2, Apple has integrated “Tencent Safe Browsing” alongside Google’s service to protect users from fraudulent websites. It backs the “Fraudulent Website Warning” feature in Safari on both iOS and macOS, which checks the sites users visit.


The service relies on a continuously updated blacklist of malicious websites; until now Apple used Google’s Safe Browsing service for this. To be able to warn about a site, a blacklisting provider has to receive something derived from the address being visited, and it can also log the IP address of the device making the request. At the time of writing it is not clear whether Tencent receives any data from users outside China; most likely the Tencent list is used only for devices in China, where Google’s services are blocked.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple notes.
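To make “information calculated from the website address” concrete, here is an added example (written for this page, not Apple’s, Google’s or Tencent’s code) that models a hash-prefix safe-browsing lookup. It follows the design of Google’s Safe Browsing Update API, in which the client keeps a local list of 4-byte SHA-256 prefixes and contacts the provider only when a prefix hits that list; that Tencent’s service works the same way is an assumption, and the blocked URL, prefix length and provider table are constructed:

```python
"""
Illustrative model of a hash-prefix safe-browsing lookup. Example code
written for this page, not Apple's, Google's or Tencent's implementation.
Assumptions: 4-byte prefixes, SHA-256, and a single made-up blocked URL.
"""
import hashlib
from typing import List, Tuple
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 digest that go to the provider on a local hit


def canonical_expressions(url: str) -> List[str]:
    """Host/path expressions derived from a URL (simplified: real clients
    also generate query-string and path-prefix variants)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # the full host, then each shorter suffix down to two labels
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    exprs = []
    for h in hosts:
        exprs.append(h + path)
        exprs.append(h + "/")
    return list(dict.fromkeys(exprs))  # de-duplicate, keep order


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


def hash_prefix(expr: str) -> bytes:
    return full_hash(expr)[:PREFIX_LEN]


# Constructed threat data: one made-up malicious URL expression. The client
# holds only the prefix (downloaded earlier); the provider holds the full hash.
BLOCKED_EXPR = "malware.example.test/login"
LOCAL_PREFIX_LIST = {hash_prefix(BLOCKED_EXPR)}
PROVIDER_FULL_HASHES = {full_hash(BLOCKED_EXPR)}


def provider_lookup(prefix: bytes) -> List[bytes]:
    """What the provider answers: every full hash starting with the prefix.
    This request, plus the client IP, is all the provider ever sees."""
    return [h for h in PROVIDER_FULL_HASHES if h.startswith(prefix)]


def check_url(url: str) -> Tuple[bool, List[bytes]]:
    """Return (is_blocked, prefixes_sent_to_provider).

    A URL with no local prefix hit sends nothing; a hit sends only the
    4-byte prefix, and the final comparison against the full hash happens
    on the client. What the provider still learns is the IP address and
    timing of every lookup, which is the logging Apple's notice refers to.
    """
    sent: List[bytes] = []
    blocked = False
    for expr in canonical_expressions(url):
        prefix = hash_prefix(expr)
        if prefix in LOCAL_PREFIX_LIST:
            sent.append(prefix)
            if full_hash(expr) in provider_lookup(prefix):
                blocked = True
    return blocked, sent
```

The privacy point the model makes visible: a visit to a clean site produces no request at all, and a hit leaks a 4-byte prefix rather than the URL, but the provider can still record the source IP address and the time of every lookup it receives.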

Experts fear that Tencent could have access to the same data sent to Google and intelligence experts believe that it could share the same information with the Chinese government.

“Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat.” reported the website reclaimthenet.org. “The company also released a pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.”

Privacy advocates argue that a change of this kind should be disclosed to users.

Users can turn off the Fraudulent Website Warning feature in Safari, at the cost of losing the protection it offers against fraudulent sites.

The feature is enabled by default on iPhones and iPads running iOS 13. To disable it:

  • iOS: Settings > Safari > Turn off Fraudulent Website Warning
  • macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website

Pierluigi Paganini

(SecurityAffairs – Apple, privacy)

The post Privacy advocates criticize Apple for sharing some users browsing data with Tencent appeared first on Security Affairs.

70% of presidential campaigns fail to provide adequate online privacy and security protections

An alarming 70% of the campaign websites reviewed in the OTA 2020 U.S. Presidential Campaign Audit failed to meet OTA’s privacy and security standards – potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with … More

The post 70% of presidential campaigns fail to provide adequate online privacy and security protections appeared first on Help Net Security.

Leafly Cannabis information platform suffered a data leak

Leafly, a cannabis information platform, suffered a data leak that exposed the personal information of some of its customers.

Leafly, which describes itself as the world’s leading cannabis resource, has informed its customers via email that it suffered a data leak. On September 30 the company discovered that a secondary database had been exposing customer records dating from July 2, 2016.

Exposed records include users’ email addresses, usernames and encrypted passwords; the company says it does not collect financial data.

For some users, the database also leaked names, ages, gender, location, and mobile numbers.

“On September 30, we learned that a set of Leafly user records dated July 2, 2016 held in a secondary Leafly database was disclosed without permission. Your email address was in that file. Leafly does not collect credit card information or national identification numbers,” reads the notification email sent to the impacted customers.


The company hired a forensic security firm to assist its staff with the investigation. It recommends that users reset their password and use a unique password for each online service.

“However, it is a good idea to ensure that you use a unique password on Leafly and other services you use. If you share passwords across services and haven’t updated them recently, and you haven’t reset your Leafly password, we recommend you do so now,” continues the notification mail.

“Please accept our sincere apology for any concern this has caused. If you have any questions, please reach out to our customer support team at support@leafly.com,” states Leafly.

At the time of writing the number of impacted users is not known.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post Leafly Cannabis information platform suffered a data leak appeared first on Security Affairs.

15 Easy, Effective Ways to Start Winning Back Your Online Privacy


Someone recently asked me what I wanted for Christmas this year, and I had to think about it for a few minutes. I certainly don’t need any more stuff. However, if I could name one gift that would make me absolutely giddy, it would be getting a chunk of my privacy back.

Like most people, the internet knows way too much about me — my age, address, phone numbers and job titles for the past 10 years, my home value, the names and ages of family members  — and I’d like to change that.

But there’s a catch: Like most people, I can’t go off the digital grid altogether because my professional life requires me to maintain an online presence. So, the more critical question is this:

How private do I want to be online?  

The answer to that question will differ for everyone. However, as the privacy conversation continues to escalate, consider a family huddle. Google each family member’s name, review search results, and decide on your comfort level with what you see. To start putting new habits in place, consider these 15 tips.

15 ways to rein in your family’s privacy

  1. Limit public sharing. Don’t share more information than necessary on any online platform, including private texts and messages. Hackers and cyber thieves mine for data around the clock.
  2. Control your digital footprint. Limit information online by a) setting social media profiles to private, b) regularly editing friends lists, c) deleting personal information from social profiles, d) limiting app permissions and browser extensions, and e) being careful not to overshare.
  3. Search incognito. Use your browser in private or incognito mode to reduce some tracking and auto-filling.
  4. Use secure messaging apps. While WhatsApp has plenty of safety risks for minors, in terms of data privacy, it’s a winner because it includes end-to-end encryption that prevents anyone in the middle from reading private communications.
  5. Install an ad blocker. If you don’t like the idea of third parties following you around online, and peppering your feed with personalized ads, consider installing an ad blocker.
  6. Remove yourself from data broker sites. Dozens of companies can harvest your personal information from public records online, compile it, and sell it. To delete your name and data from companies such as PeopleFinder, Spokeo, White Pages, or MyLife, make a formal request to the company (or find the opt-out button on their sites) and followup to make sure it was deleted. If you still aren’t happy with the amount of personal data online, you can also use a fee-based service such as DeleteMe.com.
  7. Be wise to scams. Don’t open strange emails, click random downloads, connect with strangers online, or send money to unverified individuals or organizations.
  8. Use bulletproof passwords. When it comes to data protection, the strength of your password, and these best practices matter.
  9. Turn off devices. When you’re finished using your laptop, smartphone, or IoT devices, turn them off to reduce the time they are exposed to attack.
  10. Safeguard your SSN. Just because a form (doctor, college and job applications, ticket purchases) asks for your Social Security Number (SSN) doesn’t mean you have to provide it.
  11. Avoid public Wi-Fi. Public networks are targets for hackers who are hoping to intercept personal information; opt for the security of a family VPN.
  12. Purge old, unused apps and data. To strengthen security, regularly delete old data, photos, apps, emails, and unused accounts.
  13. Protect all devices. Make sure all your devices are protected against viruses and malware with reputable security software.
  14. Review bank statements. Check bank statements often for fraudulent purchases and pay special attention to small transactions.
  15. Turn off Bluetooth. Bluetooth technology is convenient, but outside sources can compromise it, so turn it off when it’s not in use.

Is it possible to keep ourselves and our children off the digital grid and lock down our digital privacy 100%? Sadly, probably not. But one thing is for sure: We can all do better by taking specific steps to build new digital habits every day.

~~~

Be Part of Something Big

October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.

The post 15 Easy, Effective Ways to Start Winning Back Your Online Privacy appeared first on McAfee Blogs.

Tor Project is going to remove End-Of-Life relays from the network

Maintainers at the Tor Project are removing from the network hundreds of relay servers (around 750 at the time of the announcement) that run outdated and End-Of-Life (EOL) versions of the Tor software.

Currently, the Tor network is composed of more than 6000 relays, some of them running outdated Tor software versions (in some cases back to the 0.2.4.x versions). Other relays are running the latest Tor software in nightly builds and alpha releases. Maintainers of the Tor Project announced they have removed relay servers running outdated and EOL versions of the Tor software.

Tor Project experts pointed out that they currently maintain only 5 Tor version series, 0.2.9.x (LTS), 0.3.5.x (LTS), 0.4.0.x, 0.4.1.x, 0.4.2.x (Stable on Dec 15th, 2019).

According to the maintainers, the relays being rejected amount to around 750, just over 12% of the network’s total bandwidth, of which only 62 are exit relays.

The presence of End-Of-Life relays in the Tor Network has multiple negative impacts on network stability and security, it also impacts maintenance activities because it is not easy to roll out important fixes and new features for them.

“In the past weeks, we’ve taken steps to contact every relay operator with a valid ContactInfo field to ask them to upgrade to the latest stable release. The Tor relay community was informed via the tor-relays mailing list on September 3rd 2019 of this upcoming change.” reads the announcement published by the Tor Project.

“The End-Of-Life relays in the network currently make up just over 12% of the total bandwidth, or around 750 relays. Out of these, only 62 are Exit relays accounting for only 1.68% of the total Exit traffic. We expect a minor impact on the size of the network, and a small drop in the Metrics graph.”

The maintainers expect a new Tor stable release in November that will reject End-Of-Life relays by default. Until then, they are rejecting obsolete relays by fingerprint at the directory authorities.

Instructions for upgrading End-Of-Life relays are included in the announcement.
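For an operator or researcher who wants to measure the same thing from a consensus document, here is an added example (written for this page, not Tor Project code) that classifies relays by advertised version against the five supported series listed above and reports the share of relays, bandwidth and exit bandwidth that would be rejected. It assumes the dir-spec line formats r/s/v/w; the consensus fragment, nicknames, identity fields and addresses are constructed:

```python
"""
Added example for this page, not Tor Project code. Parses r/s/v/w lines of
a Tor network-status consensus (r <nick> <identity> <digest> <date> <time>
<ip> <orport> <dirport>; s <flags>; v Tor <version>; w Bandwidth=<n>),
flags End-Of-Life relays, and summarises their share of the network.
The sample consensus below is constructed.
"""
import re
from typing import Dict, List, Optional

# the five series the Tor Project said it maintains at the time
SUPPORTED_SERIES = ("0.2.9", "0.3.5", "0.4.0", "0.4.1", "0.4.2")

VERSION_RE = re.compile(r"^v Tor (\d+\.\d+\.\d+)\.")
BANDWIDTH_RE = re.compile(r"\bBandwidth=(\d+)")

SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2019-10-15 10:00:00 192.0.2.1 9001 9030
s Exit Fast Guard Running Stable Valid
v Tor 0.2.4.27
w Bandwidth=4000
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2019-10-15 10:00:00 192.0.2.2 9001 0
s Fast Running Stable Valid
v Tor 0.4.1.6
w Bandwidth=12000
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2019-10-15 10:00:00 192.0.2.3 443 0
s Fast Running Valid
v Tor 0.3.3.9
w Bandwidth=2000
r delta GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2019-10-15 10:00:00 192.0.2.4 9001 9030
s Exit Fast Running Stable Valid
v Tor 0.3.5.8
w Bandwidth=6000
"""


def parse_consensus(text: str) -> List[Dict]:
    """Collect one record per relay from its r/s/v/w lines."""
    relays: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        if line.startswith("r "):
            fields = line.split()
            # identity is the base64-encoded relay fingerprint in the consensus
            current = {"nickname": fields[1], "identity": fields[2],
                       "exit": False, "series": None, "bandwidth": 0}
            relays.append(current)
        elif current is None:
            continue  # header material before the first relay
        elif line.startswith("s "):
            current["exit"] = "Exit" in line.split()[1:]
        elif line.startswith("v "):
            m = VERSION_RE.match(line)
            current["series"] = m.group(1) if m else None
        elif line.startswith("w "):
            m = BANDWIDTH_RE.search(line)
            current["bandwidth"] = int(m.group(1)) if m else 0
    return relays


def is_eol(relay: Dict) -> bool:
    # a relay with no parseable version is treated as EOL as well
    return relay["series"] not in SUPPORTED_SERIES


def summarize(text: str) -> Dict:
    relays = parse_consensus(text)
    eol = [r for r in relays if is_eol(r)]
    total_bw = sum(r["bandwidth"] for r in relays) or 1
    exit_bw = sum(r["bandwidth"] for r in relays if r["exit"]) or 1
    return {
        "eol": eol,
        # what a reject-by-fingerprint list (the interim measure) would carry
        "reject_identities": [r["identity"] for r in eol],
        "relay_fraction": len(eol) / (len(relays) or 1),
        "bandwidth_fraction": sum(r["bandwidth"] for r in eol) / total_bw,
        "exit_bandwidth_fraction": sum(r["bandwidth"] for r in eol if r["exit"]) / exit_bw,
    }
```

Run against a real consensus (fetched from a directory authority or the Tor metrics archive) the same function reproduces the relay, bandwidth and exit-traffic percentages the announcement quotes; the bandwidth fractions matter more than the raw relay count, since an EOL exit carrying a large share of exit bandwidth is the one that hurts users when it is rejected.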

Pierluigi Paganini

(SecurityAffairs – Tor, privacy)

The post Tor Project is going to remove End-Of-Life relays from the network appeared first on Security Affairs.

Wi-Fi Hotspot Tracking

Free Wi-Fi hotspots can track your location, even if you don't connect to them. This is because your phone or computer broadcasts a unique MAC address.

What distinguishes location-based marketing hotspot providers like Zenreach and Euclid is that the personal information you enter in the captive portal -- like your email address, phone number, or social media profile -- can be linked to your laptop or smartphone's Media Access Control (MAC) address. That's the unique alphanumeric ID that devices broadcast when Wi-Fi is switched on.

As Euclid explains in its privacy policy, "...if you bring your mobile device to your favorite clothing store today that is a Location -- and then a popular local restaurant a few days later that is also a Location -- we may know that a mobile device was in both locations based on seeing the same MAC Address."

MAC addresses alone don't contain identifying information besides the make of a device, such as whether a smartphone is an iPhone or a Samsung Galaxy. But as long as a device's MAC address is linked to someone's profile, and the device's Wi-Fi is turned on, the movements of its owner can be followed by any hotspot from the same provider.

"After a user signs up, we associate their email address and other personal information with their device's MAC address and with any location history we may previously have gathered (or later gather) for that device's MAC address," according to Zenreach's privacy policy.

The defense is to turn Wi-Fi off on your phone when you're not using it.
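The join the two policies describe is a simple one, and an added example (not code from the article or from any hotspot provider) shows it end to end: a captive-portal sign-up binds an e-mail address to a MAC address, and every sighting of that MAC at any of the provider's venues, earlier ones included, becomes a movement trail. The example also shows why a randomised, locally administered MAC (what iOS 14 and Android 10 onward assign per network by default) cannot be joined across venues. All sign-ups, sightings, addresses and names are constructed:

```python
"""
Added example, not code from the article or from any hotspot provider.
Models a captive-portal identity join on MAC address and the effect of
per-network MAC randomisation. All data below is constructed.
"""
from typing import Dict, List, Tuple

Signup = Tuple[str, str, str, str]   # (mac, email, location, timestamp)
Sighting = Tuple[str, str, str]      # (mac, location, timestamp)


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (bit 1 of the first octet) is set on software-assigned
    addresses, which is what OS-level MAC randomisation produces."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


# One phone with a burned-in MAC that filled in a portal form, and one
# phone using a different randomised MAC per network, seen at the same venues.
SIGNUPS: List[Signup] = [
    ("3c:22:fb:01:02:03", "alice@example.com", "clothing-store", "2019-10-03T18:30"),
]
SIGHTINGS: List[Sighting] = [
    ("3c:22:fb:01:02:03", "restaurant", "2019-10-01T12:00"),      # before the sign-up
    ("3c:22:fb:01:02:03", "clothing-store", "2019-10-03T18:30"),
    ("da:a1:19:aa:bb:cc", "restaurant", "2019-10-01T12:05"),      # randomised MAC
    ("6e:40:08:dd:ee:ff", "clothing-store", "2019-10-03T18:35"),  # same phone, other random MAC
]


def build_trails(signups: List[Signup], sightings: List[Sighting]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each identity (e-mail if known, else the bare MAC) to its
    time-ordered (timestamp, location) list. Sightings recorded before the
    sign-up attach to the profile retroactively, as the Zenreach policy says."""
    mac_to_email = {mac: email for mac, email, _, _ in signups}
    trails: Dict[str, List[Tuple[str, str]]] = {}
    for mac, location, ts in sightings:
        key = mac_to_email.get(mac, mac)
        trails.setdefault(key, []).append((ts, location))
    for trail in trails.values():
        trail.sort()
    return trails


def cross_location_profiles(trails: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Identities seen at more than one venue, i.e. trackable movement."""
    result: Dict[str, List[str]] = {}
    for key, trail in trails.items():
        locations = sorted({loc for _, loc in trail})
        if len(locations) > 1:
            result[key] = locations
    return result
```

With the constructed data, Alice's burned-in MAC links her restaurant visit two days before she ever typed her e-mail into the store's portal, while the randomised phone shows up as two unrelated single-venue pseudonyms. Turning Wi-Fi off removes the sightings altogether; randomisation only removes the join.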

EDITED TO ADD: Note that the article is from 2018. Not that I think anything is different today....

Smashing Security #149: Falling in love with fraudsters

We take a trip to Staten Island, New York, to hear how a case of cyberstalking resulted in the arrest of 20 alleged mobsters, learn about the nude photo-loving insider threat at Yahoo, and discover how fraudsters might be boosting Match.com’s profits.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by Graham Cluley and Carole Theriault, joined this week by Ran Levi of “Malicious Life.”

Twitter inadvertently used Phone Numbers collected for security for Ads

Twitter admitted having “inadvertently” used phone numbers and email addresses, collected for security purposes, for advertising.

Twitter has apologized for using phone numbers and email addresses, provided by users for security purposes, for advertising. According to the company, data supplied for account authentication was matched against advertisers’ marketing lists to improve ad targeting.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.” reads a post published by Twitter.

At the time of writing the number of impacted Twitter users is unknown.

The company attempted to downplay the severity of the privacy incident highlighting that none of the user data was shared with partners outside the company.

The Twitter Tailored Audiences product allows advertisers to target ads to customers based on the advertiser’s own marketing lists that includes info such as email addresses or phone numbers. Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

Twitter admitted that when an advertiser uploaded a marketing list, the matching system may have compared it against data that users had provided to protect their accounts.

Twitter says the root cause of the problem was addressed on September 17, 2019.

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.” added Twitter.

“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,”
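The failure in both this report and the one below is one of purpose limitation rather than of external sharing: an identifier collected for 2FA was allowed into the same index that advertisers’ hashed lists are matched against. Here is an added example (not Twitter’s code) of a list-matching routine with and without that check; it assumes the match works on SHA-256 digests of normalised e-mail addresses and phone numbers, and the user records and advertiser list are constructed:

```python
"""
Added example, not Twitter's code. A Tailored Audiences style match
compares hashed advertiser identifiers against hashed platform contact
data (SHA-256 over normalised values is the assumed scheme). The fix the
incident calls for is purpose limitation: a contact point supplied for
2FA must never enter the advertising index. All data below is constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

Contact = Tuple[str, str, Set[str]]   # (user_id, identifier, purposes it was given for)


def normalize(identifier: str) -> str:
    """E-mail: trimmed and lower-cased. Phone: digits only with a leading '+'
    (E.164 shape). Both sides must normalise identically or nothing matches."""
    value = identifier.strip()
    if "@" in value:
        return value.lower()
    return "+" + "".join(ch for ch in value if ch.isdigit())


def hashed(identifier: str) -> str:
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


# Platform side: each contact point remembers why the user supplied it.
USER_CONTACTS: List[Contact] = [
    ("u1", "+1 (202) 555-0100", {"2fa"}),               # security only
    ("u2", "carol@example.com", {"2fa", "marketing"}),  # also opted in to ads
    ("u3", "dave@Example.com", {"marketing"}),
]

# Advertiser side: uploaded as hashes, never as raw identifiers.
ADVERTISER_LIST: List[str] = [hashed(x) for x in (
    "+12025550100", "Carol@example.com", "dave@example.com", "erin@example.com")]


def match_audience(advertiser_hashes: Iterable[str], contacts: Iterable[Contact],
                   require_purpose: Optional[str] = None) -> Set[str]:
    """Return the user ids whose hashed contact point appears in the
    advertiser list. With require_purpose=None every contact point is
    eligible, which is the behaviour Twitter described; with
    require_purpose="marketing" the 2FA-only number never enters the index."""
    index: Dict[str, Set[str]] = {}
    for user_id, identifier, purposes in contacts:
        if require_purpose is not None and require_purpose not in purposes:
            continue  # purpose limitation: keep security-only data out of the index
        index.setdefault(hashed(identifier), set()).add(user_id)
    matched: Set[str] = set()
    for digest in advertiser_hashes:
        matched |= index.get(digest, set())
    return matched
```

The design point is that the purpose tag travels with the identifier into the data store, so the advertising pipeline cannot reach a 2FA number by accident; relying on each consumer of the data to remember the rule is exactly what failed here.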

Pierluigi Paganini

(SecurityAffairs – Twitter, privacy)

The post Twitter inadvertently used Phone Numbers collected for security for Ads appeared first on Security Affairs.

You Gave Your Phone Number to Twitter for Security and Twitter Used it for Ads

After exposing private tweets, plaintext passwords, and personal information for hundreds of thousands of its users, here is a new security blunder social networking company Twitter admitted today. Twitter announced that the phone numbers and email addresses of some users provided for two-factor authentication (2FA) protection had been used for targeted advertising purposes—though the company

macOS Catalina: Security and privacy improvements

Apple has released macOS Catalina (v10.15), a new major release of its desktop operating system, which comes with many functional improvements as well as security and privacy improvements. The former include a new game subscription service, a feature that extends Mac desktops with iPad as a second display, a new accessibility feature that makes it possible to control Mac entirely by voice, and more. The latter include, among other things, better protections against macOS tampering, an improved Gatekeeper, … More

The post macOS Catalina: Security and privacy improvements appeared first on Help Net Security.

Bringing Cybersecurity Home

October is Cybersecurity Awareness Month, reminding us that cyber-attacks know no boundaries between work and home, so we need to be diligent about cyber hygiene across all environments. With the abundance of connected devices we all depend on, protecting your digital footprint is no longer optional. But where do you learn what to do?

People who work for larger corporations may receive cyber information and training from their employer. For instance, at Cisco every employee gets basic cyber training and increasingly advanced training based on your role; we even share educational materials on applying best practices at home. But not all businesses have the resources to dedicate to such training. And in the home, most people have limited cyber knowledge at best, and only pay attention if or when they become victims of an attack.

To get you started, here are a few tips that will help you to “own IT, protect IT and secure IT” to stay safe online.

Recognize we are experiencing radical change. With our busy lives, we take technology for granted. But it’s important to realize that technology is changing society faster than any other advance in human history. Adults need to get smart about the implications and actively discuss “today’s digital reality” with their children. Just as you teach a toddler to avoid a hot stove, teach them from an early age about safe online practices.

Ask questions. When you acquire a new connected device, stop and ask where it came from. Who connects with it and/or captures data from it? For what purpose do they collect the data, and is that important to me? How do they protect your data and privacy? The more knowledgeable you become, the smarter your next questions will be.

Maintain your devices. Understand whether the device you’re buying has software that will need to be updated and patched as vulnerabilities are found and fixed. If so, make sure that gets done. Just as a smoke alarm with expired batteries won’t keep you safe, neither will outdated, insecure software.

Secure and Protect Passwords. Make your passwords long and complex; change them regularly; don’t use the same password for multiple applications. Change default password settings on new devices. We all know multiple passwords can get cumbersome and hard to remember, so use a reputable password manager to keep track for you. Many businesses and institutions provide two-factor authentication (2FA) as an added step to protect your online identity and data. If it’s offered, use it.

Embrace technology, but be aware. If you were walking down a dark street in an unfamiliar city, you’d likely be more aware of who else is around you or may be following you. Treat the internet the same way. Being connected does not mean bad things will happen, but it pays to stay alert and understand best practices and how to apply them. For instance, don’t open email attachments if you’re not completely sure of the sender’s trustworthiness. Don’t click on emailed links that you haven’t asked for. “Stop, think before you click” to avoid the burden of what may come after a malicious attack.

Remember Data Privacy. While security and privacy are different, they’re definitely related. When you’re watching for online threats, also remember that nothing online is really ‘free’ – you’re most likely giving up something (data) to get a “free service/app”. Ask – is the intrinsic value of the “free” thing worth it? When you download an app or sign up for a new service that collects your data, choose carefully what sharing you allow. And remember, when you put personal information online, it stays around for a long time and may come back to you in unexpected, and unwelcome, ways.

It’s time to bring cybersecurity into the greater social consciousness and constructive discussions about changing norms. As new capabilities keep coming to market faster, we should and can have the right social adaptation to embrace technology safely.

Additional Resources

Tips to help improve your cyber-hygiene (Infographic)

Trust.cisco.com


Consumers have concerns about cybersecurity, value education on best practices

Nearly three-quarters of consumers (74%) would be likely to participate in a cybersecurity awareness or education program from their financial institution if they offered it. The survey conducted by The Harris Poll on behalf of Computer Services also found that an overwhelming majority of consumers (92%) have concerns about the security of their personal confidential data online. The poll ran online July 1-3, 2019, and it represents feedback from more than 2,000 U.S. adults ages … More

The post Consumers have concerns about cybersecurity, value education on best practices appeared first on Help Net Security.

A bug in Signal for Android could be exploited to spy on users

A researcher discovered a logical flaw in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without any interaction.

Google Project Zero white-hat hacker Natalie Silvanovich discovered a logical vulnerability in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without requiring any interaction from the receiver.

This means that the attacker could spy on the receiver through the microphone of their device.

However, the Signal vulnerability can only be exploited while an audio call over Signal is ringing and the receiver has not yet answered it; the attacker then forces the incoming call to be answered automatically on the receiver’s device.

The logical vulnerability resides in the method handleCallConnected, which could be abused to cause the call to be answered even though the user has not interacted with the device.

“In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when the device accepts the call when the user selects ‘accept,’ and when the device receives an incoming ‘connect’ message indicating that the callee has accepted the call,” reads the analysis published by Silvanovich. “Using a modified client, it is possible to send the ‘connect’ message to a callee device when an incoming call is in progress but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device.”
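The flawed transition and its hardened counterpart, as an added example that is not Signal’s code: a simplified call state machine in Python (class, state and method names are assumptions) whose first connect handler trusts the remote “connect” message unconditionally, as the analysis describes, beside one that only honours it when the local side is waiting on a call it placed itself.

```python
"""Model of the call-connection logic flaw described above (added example,
not Signal's code; names are assumptions)."""
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    INCOMING_RINGING = auto()  # remote party is calling us; user has not accepted
    OUTGOING_RINGING = auto()  # we dialled; waiting for the remote party to accept
    CONNECTED = auto()         # media (including the microphone) is flowing


class CallSession:
    """Shared state plus the analogue of handleCallConnected."""

    def __init__(self):
        self.state = CallState.IDLE
        self.mic_open = False
        self.log = []

    def _handle_call_connected(self):
        # Finishes connecting the call and opens media, whoever triggered it.
        self.state = CallState.CONNECTED
        self.mic_open = True
        self.log.append("connected")

    def receive_incoming_call(self):
        self.state = CallState.INCOMING_RINGING

    def place_outgoing_call(self):
        self.state = CallState.OUTGOING_RINGING

    def user_accepts(self):
        # First legitimate path: the local user taps "accept".
        if self.state is CallState.INCOMING_RINGING:
            self._handle_call_connected()


class VulnerableSession(CallSession):
    def on_connect_message(self):
        # Second path: a remote "connect" message. The flawed logic does not
        # check who is waiting on whom, so it also fires while an incoming
        # call is still ringing and the user has not accepted it.
        if self.state is not CallState.IDLE:
            self._handle_call_connected()
            return True
        return False


class HardenedSession(CallSession):
    # A "connect" from the far side only makes sense when *we* placed the
    # call and are waiting for the callee to accept.
    _CONNECT_OK = {CallState.OUTGOING_RINGING}

    def on_connect_message(self):
        if self.state in self._CONNECT_OK:
            self._handle_call_connected()
            return True
        self.log.append(f"rejected connect in state {self.state.name}")
        return False


def simulate_unsolicited_connect(session_cls):
    """An incoming call is ringing and a 'connect' message arrives before
    the user has accepted. Returns (call_connected, mic_open)."""
    s = session_cls()
    s.receive_incoming_call()
    connected = s.on_connect_message()
    return connected, s.mic_open


def simulate_normal_outgoing(session_cls):
    """Legitimate flow: we dial, the callee accepts, their client sends
    'connect'. Returns (call_connected, mic_open)."""
    s = session_cls()
    s.place_outgoing_call()
    connected = s.on_connect_message()
    return connected, s.mic_open


if __name__ == "__main__":
    for cls in (VulnerableSession, HardenedSession):
        print(cls.__name__,
              "unsolicited connect:", simulate_unsolicited_connect(cls),
              "normal outgoing:", simulate_normal_outgoing(cls))
```

The hardened handler leaves the legitimate outgoing flow untouched while an unsolicited “connect” during a ringing incoming call is logged and ignored, which is also the event a defender would want surfaced in client telemetry.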

Silvanovich explained that the iOS client is affected by a similar logical issue, but the call is not established due to an error in the UI caused by the unexpected sequence of states.

Silvanovich shared her findings with the Signal security team last week, which quickly addressed the issue the same day with the release of version 4.47.7.

Pierluigi Paganini

(SecurityAffairs – Signal, hacking)

The post A bug in Signal for Android could be exploited to spy on users appeared first on Security Affairs.

Google Allegedly Used Deceptive Tactics for Facial Recognition

A Google-funded facial recognition project used deceitful methods to get people to agree to have their faces scanned.

According to a Daily News report, contractors working for Google through an external company were instructed to target dark-skinned people, college students, and the homeless to amass data for the company’s smartphone facial recognition technology. 

The contractors were allegedly instructed by a Netherlands-based staffing company called Randstad to use misleading or deceptive practices to get their subjects to agree to have their faces scanned in exchange for $5 gift cards.

“We were told not to tell (people) that it was video, even though it would say on the screen that a video was taken,” one contractor told the Daily News. 

“It was a lot of basically sensory overloading the person into getting it done as quickly as possible and distracting them as much as possible so they didn’t even really have time to realize what was going on,” another contractor said.

Another contractor spoke of being deployed to Atlanta and to the BET Awards in Los Angeles to specifically target African-Americans. 

A spokesperson for Google defended the initiative as being critical to have a “diverse sample, which is an important part of building an inclusive product.” 

Other reports have described contractors misleading potential subjects as to the use and the retention of the data itself. While Google was initially quoted as saying their facial scans would be held for 18 months, a photo obtained by the Daily News shows a significantly more open-ended agreement:

“Research Data will be retained for as long as needed to fulfill the Purposes, which is expected to be about 5 years, but it may be as long as necessary for the Purposes due to the extended time needed for collection analysis, or other logistical considerations…. There is no limit to how long or in what manner Google may retain, use or share the Aggregate Data,” says the official consent agreement for the project.

Several students reported contractors approaching them for facial scans under the guise of college students.

“They said they wanted us to test out a new phone, an Android. I put in my email. My guy told me to do it all really quick. He kept saying, ‘Hit next and upload. Next and upload.’ I thought they were students. We’re new here and trying to make friends,” said a college freshman.

“They said it was a survey and we thought they were students. I don’t think I even realized there was a consent form,” said another student.

Google’s stated purpose for the data is for a facial recognition-based security measure for its upcoming Pixel 4 smartphone, but it has also pursued facial recognition technology in several other product lines and initiatives. 

The post Google Allegedly Used Deceptive Tactics for Facial Recognition appeared first on Adam Levin.

Hashtag Trending – New privacy tools from Google, Alexa goes job hunting, UPS delivery drones approved

Google rolls out new privacy features, Alexa steps up to help people find jobs, and UPS gets federal approval for a fleet of delivery drones.

Chapter Preview: Birth to Age 2 – First Footprints

When your baby is on the way, their privacy and digital security is probably the last thing you have on your mind. At least it’s way down there on the list—of course it is! You’re preparing for a bright, joyous addition to your family and home. Everything you’re doing is intended to create an environment that is safe and comfortable, so your baby knows a warm and loving world right from the start. Not to mention, you and your family are anticipating how much you’ll enjoy these milestones.

Part of the enjoyment includes sharing these moments, which is mainly done online these days. (When’s the last time you took a picture on film and had it printed?) From digital invitations, to baby showers, and ultrasound pictures posted on social media—the weeks and months leading up to birth are a celebration as well. And that’s where your baby’s data lake gets its initial drops. Your posts on social media make up the first little digital streams feeding their data lake, along with anything else you share about them online.

When my children were babies we spent a lot of time “baby proofing” the house. You know, putting special locks on the kitchen cabinets, plastic covers on electrical outlets, baby gates, and more. Today that behavior needs to extend online. We need to be the guardians of our baby’s privacy, identity, and security until they get to the age where they understand what’s at risk and can protect themselves.


No doubt you will want to share all those precious moments as your bundle of joy fills your life with happiness, despite the possible risks. With that in mind, there’s an entire chapter in “Is Your Digital Front Door Unlocked?” dedicated to your baby’s first steps online, offering suggestions on what constitutes a healthy balance of what should and should not be shared. It also looks at other important considerations that you may not have thought of, such as getting your baby a Web address and monitoring their identity to make sure an identity thief hasn’t hijacked it—plenty of things many parents wouldn’t think of, but should, given the way our world works today.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

The post Chapter Preview: Birth to Age 2 – First Footprints appeared first on McAfee Blogs.

Smashing Security #148: Billboard boobs, face forensics, and Alexa gets way too personal

Drivers are distracted by a hacked billboard, we take a deeper look at how the deepfake problem has… uh… deepened, and Carole is less than happy about Amazon’s announcement about new Alexa integrations.

All this, an annoying goose, and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

In Identity Theft the Target is You!

The hard truth is that identity data is the new gold—and criminal panhandlers are mining it for sale and distribution on the Dark Web.

Indeed, the internet provides ways for big data breaches to result in disastrous leaks of huge databases of personal information, resulting in detailed profiles of individuals—based on their internet behaviors, including social media activities, online shopping, financial transactions and more—being sold for nefarious purposes.

It’s all about identity theft. What does it mean for digital citizens like us? And what can we do about it?

The Mining of Identity Data

In 2019, data of all kinds is being criminally mined on the internet, but the theft and sale of identity data in particular is rising dramatically. How is this possible? In today’s highly-connected society, we’re constantly being asked to provide personal information to retailers, surveys, medical professionals, and other data collection efforts. We constantly disclose our name, address, social security number, health status, purchasing history, credit card numbers, and more. Anytime there’s a breach in an online database holding such data, by accident or malicious hacker intent, cybercriminals pounce on it to mine it for the identity gold.

“Identity theft and identity fraud…refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data…,” says the US Department of Justice, Criminal Division, in its Fraud Section report, reminding us what it’s all about. Data breaches are the goldmine for this kind of theft.

One of the more recent breaches saw about 26 million new accounts, harvested by hacking several websites including online shopping, career and learning platforms, collected, packaged and sold on the Dark Web. A longer list of breaches—see The 18 Biggest Data Breaches of the 21st Century, as well as Wikipedia’s List of Data Breaches—reveals how chronic it’s become. Because our personal data is often stored on internet sites, many of which are crucial to our way of life, we forget that simply registering and providing personal details can lead to a more precise and accurate description of our location, our healthcare information, and even information indicated on our government-issued IDs. And its sale on the Dark Web is a very bad outcome.

The Dark Web (or Darknet) refers to that part of the internet that hides your identity and location when you’re on it. Dark Web websites are accessible only through Tor (the “Onion Routing” browser) and through I2P (the “Invisible Internet Project”). Historically, one of the reasons for the creation of the Dark Web was to provide US Navy intelligence officers a means to maneuver on the internet without being recognized or traced. The Tor network achieves anonymity by bouncing each request through a large number of intermediate servers and wrapping it in layered encryption that conceals the source IP address where the request originated, so that no one observing the request can tell where it ultimately came from. I2P specializes in allowing the anonymous hosting of websites, so the target IP address is unknown to the searcher.

In short, browsing the Dark Web allows you to anonymously access “anonymized” websites, not all of which are bad, but also many sites that are, collectively known as Darknet markets. The former category includes SecureDrop, which lets news organizations receive anonymous submissions. The latter category included Silk Road 1.0, which was launched in February of 2011, and 2.0, which was finally shut down in November of 2014 by the FBI. The Dark Web or Darknet is still a channel for all kinds of illegal activities, including a place for radical extremists to spread propaganda—and remains a region on the internet for the sale of illegally obtained identity data.

Protecting Your Identity

Although data protection laws state that any personal data set that’s stored online has to be stripped of identifiers such as name and social security, true compliance is difficult to maintain or enforce—so each one of us has the ultimate responsibility to protect our data to stay safe online. Here are some practical steps you can take to help protect your identity:

Accounts and Usernames: Think carefully when choosing your username for your online accounts and email addresses. Choose something that does not closely identify with your full name or other personal information.

Passwords: If you use several internet services, social media accounts, and email addresses, you’ll need a lot of passwords. Tempting as it is, avoid using the same password for all your accounts. Use a unique password for each account, one that you can remember, but that’s not easy to guess. We highly recommend using Trend Micro Password Manager to generate strong passwords, to keep them safe, and to change them frequently. Banking apps and other payment system apps also utilize two-factor authentication, which you should take advantage of for more secure transactions and purchases.

Privacy: Keep your personal information private online and enable strong privacy controls on your social media accounts.

Protect your devices: Don’t leave your mobile devices and laptops unattended, and enable a PIN or password to unlock them.

Remediation: If you hear of a major online data breach, sit up and take notice: you might need to take active steps to remediate the situation. As with the Equifax Data Breach of 2017, where sensitive data on 143 Million Americans was exposed, remediation may mean locking or freezing your credit on each of the credit bureaus: Equifax, Experian, and TransUnion. With other types of breaches, it may simply mean closing an account or canceling a credit card. As with the credit bureaus, many banks have identity protection services which you can also avail yourself of.

Trend Micro ID Safe

Apart from the best practices outlined above, you should also install Trend Micro ID Safe for Android and iOS on your mobile devices, to monitor and help remediate any known security issues with your identity data.

What is ID Safe? ID Safe checks if any of your personal information stolen from data breaches is circulating on the Dark Web for sale or distribution by cybercriminals. It identifies which accounts were breached and the kind of data posted, then notifies you, so you can take steps to change your account credentials or remediate any potential effects of the illegal distribution or sale of your personal data.

Top-notch Security. To ensure the highest level of security when handling your personal information, ID Safe first hashes the data you enter on the app (essentially converting the text to an irreversible number) using the SHA-256 hashing standard—the world’s most secure—before sending it through an encrypted connection to check it against a comprehensive Dark Web database.

Easy to Use Tools. You can quickly check if your personal data has reached the Dark Web with just a few taps, using its various tools:

  • Email Checker. See if the email address you use for online accounts has appeared on the Dark Web due to a data breach. If it finds your address, the app shows exactly which accounts suffered the breach, so you immediately know which passwords to change.
  • Credit Card Checker. Find out if someone has stolen your credit card number and put it on the Dark Web.
  • Password Checker. You should not only use unique passwords for all of your accounts, but also choose passwords that nobody else has ever used. ID Safe can see if you have used a password currently in circulation on the Dark Web.
  • Dark Web Personal Data Monitor. ID Safe can scour the Dark Web for sensitive personal information like your bank account numbers, driver’s license data, social security number, and passport details, then immediately alert you if they ever appear there.

GDPR Compliant. Finally, you should know that Trend Micro takes your privacy seriously and complies with the European Union’s General Data Protection Regulation (GDPR) to protect your data. Read ID Safe’s data collection notice here:

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1121937.aspx

For more information and to download ID Safe, go to Trend Micro ID Safe on the iOS App Store and Trend Micro ID Safe on Google Play.

The post In Identity Theft the Target is You! appeared first on .

Experts found 20 Million tax records for Russian citizens exposed online

Experts discovered an unprotected Elasticsearch cluster containing personally identifiable and tax information of Russian citizens exposed online.

Security experts from Comparitech along with security researcher Bob Diachenko discovered 20 million tax records belonging to Russian citizens exposed online in clear text and without protection.

The experts found an unprotected Elasticsearch cluster containing personally identifiable information on Russian citizens spanning from 2009 to 2016.

“A database of more than 20 million Russian tax records was found on an unsecured server, accessible to anyone with a web browser.” reads the post published by Comparitech.

“Comparitech partnered with security researcher Bob Diachenko to investigate the data exposure, which included sensitive personal and tax information. The database was taken offline after Diachenko notified the owner, who is based in Ukraine.”

The Elasticsearch database was first indexed by search engines in May 2018, Diachenko discovered it on September 17, 2019, and on September 20, 2019 it was secured.

It is not possible to determine whether anyone else accessed the exposed data before it was discovered by Diachenko. The experts also revealed that the owner is based in Ukraine, but did not reveal its identity.

The cluster included multiple databases, two of which contained tax and personally identifiable information about Russian citizens, predominantly from Moscow and the surrounding area.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over 6 million from 2009 to 2015.” the experts continue.

Exposed records included the following information:

  • Full name
  • Address
  • Residency status
  • Passport number
  • Phone number
  • Tax ID number
  • Employer name and phone number
  • Tax amount

The exposed data could be used by threat actors to carry out tax scams and fraud.

“Affected individuals could be at risk of identity theft and should monitor their accounts closely. Tax fraud could also be a risk, though our team is not well-versed enough on the topic of the Russian tax system to give concrete advice.” the experts conclude.

“Potential victims should also be on the lookout for targeted phishing and other scams. Fraudsters could pose as tax officials, for example, to steal money or request additional information to aid in identity theft.”

Pierluigi Paganini

(SecurityAffairs – Russian citizens, data leak)

The post Experts found 20 Million tax records for Russian citizens exposed online appeared first on Security Affairs.

Companies vastly overestimating their GDPR readiness, only 28% achieving compliance

Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28% having successfully achieved compliance. This is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: … More

The post Companies vastly overestimating their GDPR readiness, only 28% achieving compliance appeared first on Help Net Security.

5 Digitally-Rich Terms to Define and Discuss with Your Kids

Over the years, I’ve been the star of a number of sub-stellar parenting moments. More than once, I found myself reprimanding my kids for doing things that kids do — things I never stopped to teach them otherwise.

Like the time I reprimanded my son for not thanking his friend’s mother properly before we left a birthday party. He was seven when his etiquette deficit disorder surfaced. Or the time I had a meltdown because my daughter cut her hair off. She was five when she brazenly declared her scorn for the ponytail.

The problem: I assumed they knew.

Isn’t the same true when it comes to our children’s understanding of the online world? We can be quick to correct our kids when they fail to exercise the best judgment or handle a situation the way we think they should online.

But often what’s needed first is a parental pause to ask ourselves: Am I assuming they know? Have I taken the time to define and discuss the issue?

With that in mind, here are five digitally-rich terms dominating the online conversation. If possible, find a few pockets of time this week and start from the beginning — define the words, then discuss them with your kids. You may be surprised where the conversation goes.

5 digital terms that matter

Internet Privacy

Internet privacy is the personal privacy that every person is entitled to when they display, store, or provide information regarding themselves on the internet. 

Highlight: We see and use this word often but do our kids know what it means? Your personal information has value, like money. Guard it. Lock it down. Also, respect the privacy of others. Be mindful about accidentally giving away a friend’s information, sharing photos without permission, or sharing secrets. Remember: Nothing shared online (even in a direct message or private text) is private—nothing. Smart people get hacked every day.
Ask: Did you know that when you go online, websites and apps track your activity to glean personal information? What are some ways you can control that? Do you know why people want your data?
Act: Use privacy settings on all apps, turn off cookies in search engines, review privacy policies of apps, and create bullet-proof passwords.

Digital Wellbeing

Digital wellbeing (also called digital wellness) is an ongoing awareness of how social media and technology impacts our emotional and physical health.

Highlight: Every choice we make online can affect our wellbeing or alter our sense of security and peace. Focusing on wellbeing includes taking preventative measures, making choices, and choosing behaviors that help us build a healthy relationship with technology. Improving one’s digital wellbeing is an ongoing process.
Ask: What do you like to do online that makes you feel good about yourself? What kinds of interactions make you feel anxious, excluded, or sad? How much time online do you think is healthy?
Act: Digital wellness begins at home. To help kids “curb the urge” to post so frequently, give them a “quality over quantity” challenge. Establish tech curfews and balance screen time with green time. Choose apps and products that include wellbeing features in their design. Consider security software that blocks inappropriate apps, filters disturbing content, and curbs screen time.

Media Literacy

Media literacy is the ability to access, analyze, evaluate, and create media in a variety of forms. It’s the ability to think critically about the messages you encounter.

Highlight: Technology has redefined media. Today, anyone can be a content creator and publisher online, which makes it difficult to discern the credibility of the information we encounter. The goal of media literacy curriculum in education is to equip kids to become critical thinkers, effective communicators, and responsible digital citizens.
Ask: Who created this content? Is it balanced or one-sided? What is the author’s motive behind it? Should I share this?  How might someone else see this differently?
Act: Use online resources such as Cyberwise to explore concepts such as clickbait, bias, psychographics, cyberethics, stereotypes, fake news, critical thinking/viewing, and digital citizenship. Also, download Google’s new Be Internet Awesome media literacy curriculum.

Empathy

Empathy is stepping into the shoes of another person to better understand and feel what they are going through.

Highlight: Empathy is a powerful skill in the online world. Empathy helps dissolve stereotypes, perceptions, and prejudices. According to Dr. Michelle Borba, empathetic children practice these nine habits that run contrary to today’s “selfie syndrome” culture. Empathy-building habits include moral courage, kindness, and emotional literacy. Without empathy, people can be “mean behind the screen” online. But remember: There are also a lot of people practicing empathy online who are genuine “helpers.” Be a helper.
Ask: How can you tell when someone “gets you” or understands what you are going through? How do they express that? Is it hard for you to stop and try to relate to what someone else is feeling or see a situation through their eyes? What thoughts or emotions get in your way?
Act: Practice focusing outward when you are online. Is there anyone who seems lonely, excluded, or in distress? Offer a kind word, an encouragement, and ask questions to learn more about them. (Note: Empathy is an emotion/skill kids learn over time with practice and parental modeling.)

Cyberbullying

Cyberbullying is the use of technology to harass, threaten, embarrass, shame, or target another person online.

Highlight: Not all kids understand the scope of cyberbullying, which can include spreading rumors, sending inappropriate photos, gossiping, subtweeting, and excessive messaging. Kids often mistake cyberbullying for digital drama and overlook abusive behavior. While kids are usually referenced in cyberbullying, the increase in adults involved in online shaming, unfortunately, is quickly changing that ratio.
Ask: Do you think words online can hurt someone more than words said face-to-face? Why? Have you ever experienced cyberbullying? Would you tell a parent or teacher about it? Why or why not?
Act: Be aware of changes in your child’s behavior and pay attention to his or her online communities. Encourage kids to report bullying (aimed at them or someone else). Talk about what it means to be an Upstander when bullied. If the situation is unresolvable and escalates to threats of violence, report it immediately to law enforcement.

We hope these five concepts spark some lively discussions around your dinner table this week. Depending on the age of your child, you can scale the conversation to fit. And don’t be scared off by eye rolls or sighs, parents. Press into the hard conversations and be consistent. Your voice matters in their noisy, digital world.

The post 5 Digitally-Rich Terms to Define and Discuss with Your Kids appeared first on McAfee Blogs.

It’s Google’s World. Your Business Is Just Living in It

Fifty attorneys general announced earlier this month that Google is the target of an antitrust probe. Any business owner who has happened to find themselves stuck in the company’s orbit–that would be any company with a digital presence–won’t hesitate to tell you such a move is long overdue.

Case in point: I just did a Google search for Basecamp, an online project management tool. The first two hits were for different companies–Smartsheet and Monday.com. Not too long ago, the same search resulted in a first hit featuring Basecamp, but it was an ad. The copy: “We don’t want to run this ad.”

“We’re the #1 result,” Basecamp’s ad copy continued, “but this site lets companies advertise against us using our brand. So here we are. A small, independent co. forced to pay ransom to a giant tech company.”

Basecamp founder and CEO Jason Fried doubled down on this sentiment on his Twitter feed, stating “[Y]ou’re forced to pay up if you want to be found. It’s a shakedown. It’s ransom.”

An Offer Businesses Can’t Refuse

Fried is by no means alone. Any business with an online presence has at one time or another played by Google’s rules to stay competitive. For most, it’s a daily reality. The reason is simple. Most businesses need websites, and websites need to follow Google’s best practices to be found in online searches, terms Google can force because it currently has 92 percent worldwide market share on search.

Google can make drastic changes to these best practices that have effectively buried companies overnight. A business that finds itself out of Google’s good graces, or in the case of Basecamp, finds itself nestled one or two slots beneath competitor ads in search results, would need to create a paid campaign via Google Ads (38.2 percent of the online advertising market) and pay to show up in search results.

A business with a physical location that wants to show up in local search results needs to create an account for Google My Business, so it can show up in Google Maps (which accounts for 67 percent of navigation app usage), but also needs to keep an eye on Google Reviews left on its business listing. The performance of ads, search traffic, and app usage can all be tracked via Google Analytics (over 70 percent of the analytics market), which provides business owners (and Google, of course) detailed information about who’s visiting their websites or using their apps. Most of these users will be using Google’s Chrome web browser (64 percent of users worldwide), on a device running Android (76 percent of mobile users worldwide), which was, of course, developed by Google.

Per Bob Dylan, “It doesn’t take a weatherman to tell which way the wind blows.” It would seem that Google has a monopoly, but that’s for the court to decide. On the face of it, it’s not necessarily bad news; anyone who remembers the days of phone books, mail order catalogs, and paper maps is most likely glad for the convenience of the services Google provides–businesses and consumers alike.

What’s problematic is the necessity of it all. It’s all but impossible for a business to opt out of Google’s services. Even taco trucks have websites. It’s equally difficult for us as consumers to opt out entirely, although alternatives (e.g., iOS, Apple Maps, and Bing) do exist. The fact is that businesses and industries that don’t in some way rely on at least one of Google’s services to be discovered are few and far between.

Our Data Is Valuable

However much value our data has, the fact remains that Google charges us to share it with Google. Nice work if you can get it, right?

When companies use Google’s services to make themselves known to the world, they have to share data on themselves, and also on their customers and clients. Every search query leading to a site, every ad click, every map search, and every visit tracked by analytics is actively helping Google build its library of information on as many people as possible–even people who have never actually used the internet.

As Google continues to expand its services, its ecosystem is oozing into businesses that have no choice but to pony up and participate or be lost in cyberspace. The evolution thus far points to the possibility of increasingly Orwellian methods in the realm of advertising and data collection.

What do I mean by Orwellian? Google Home and Nest products are aggressively moving into the field of facial recognition, and, of course, the company is thus far characteristically coy about the intended uses for the data thus collected.

“We can never say never,” said Google’s general manager of Home and Nest products when asked if data from face scanning would be used to target consumers for advertising. He added that it is not being used for that purpose now.

It’s far too soon to tell how the antitrust probe of Google will turn out, and it’s guaranteed to take a long time to play out. One thing is certain: The stakes are just as high, if not higher, for businesses as they are for consumers, and we all would be better served were we not being served by Google’s tentacular array of services.

The post It’s Google’s World. Your Business Is Just Living in It appeared first on Adam Levin.

GDPR after Brexit: No Deal and All Other Exit Scenarios Explained

As the British MPs and the EU representatives continue to discuss the specifics of the upcoming Brexit, nothing is yet settled. In this murky context, companies in the UK, and companies working with companies in the UK, are rightly confused.

What about GDPR, the transnational European data protection regulation to which we were just beginning to adjust?

Will there still be a GDPR after Brexit, for the UK space?

If it will change, how so?

Should a new kind of data protection compliance regulation be created for the UK instead of GDPR?

All these topics are intensely debated right now across all business mediums. Unfortunately, there’s a lot of uncertainty and a lot of Brexit and GDPR myths as well.

Let’s walk through everything together and see what will really happen with GDPR after Brexit on all possible scenarios.

Possible Brexit Scenarios

For now, British politicians are still stuck debating whether to accept the deal on the table or leave with no deal.

There are several possible outcomes, depending on what is decided on these counts:

  • Whether they accept the deal or not;
  • Whether they ask for a delay (Brexit and the deal-or-no-deal debate simply get postponed);
  • Whether they try to negotiate a new deal;

Regardless of what happens next, the UK and companies connected to this space will still need to deal with GDPR. The GDPR after Brexit issue is not going anywhere.

Even in the most extreme outcomes, data compliance will still be on the agenda. Let’s take a few examples.

A. GDPR after Brexit with a deal

Within the deal currently on the table, GDPR is also stipulated as a must. If the British MPs somehow agree on the deal before the 31st of October deadline, then Brexit goes through as planned. GDPR would be part of the deal with the EU, so the current data compliance regulations stay in place.

In this case, you have nothing to change: GDPR rules stay in place as they are.

B. GDPR if Brexit is delayed and renegotiated

If the British MPs ask for a deadline extension in the hope of reaching consensus by then, GDPR essentially remains in place. Until a new deal is discussed and agreed upon, the UK does not technically leave the EU.

That means all European laws and UK-EU agreements stay the same as they were, including the GDPR, at least for the deadline extension.

The party that initiated Brexit and still strongly supports it says delaying is not an option. But given that Parliament can’t seem to reach a consensus on how and when to exit the EU, or even on whether to exit at all, a delay is very possible.

C. GDPR after Brexit with no deal (Hard Brexit)

If, let’s say, the UK representatives refuse to accept the deal, this will probably open up a whole can of worms of legal contention.

Until the issues are hashed and rehashed through the courts, GDPR will be a big question mark.

One way or another, as the British minister in charge of data protection, Baroness Neville-Rolfe, has said, even if GDPR no longer applies in the UK, some very similar legislation will need to be put in place.

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection,” Neville-Rolfe said. “This will be a major consideration in the UK’s negotiations going forward.”

It’s not yet clear whether the UK will still adhere to GDPR after Brexit, adopt a similar framework (such as the Privacy Shield, see below), or submit to being independently evaluated.

Useful Info for a GDPR after a No-Deal Brexit:

  • The documents and criteria for the EU’s adequacy decisions (how they decide a country provides adequate data protection and is therefore trustworthy);
  • The Privacy Shield Framework: a framework which allows organizations to transfer personal data from the EU to the US while maintaining GDPR standards. There is the possibility for the UK to adhere to it or create a similar framework;
  • The Official GDPR FAQs – on the main GDPR portal.

There are 5 possible scenarios for a GDPR after Brexit with no deal, depending on your role in the data ecosystem.

We’ll tackle each one, but rest assured that the matter of data protection will not return to its pre-GDPR state. Once the world started taking data protection and privacy concerns seriously (and rightly so), there’s no turning back.

Here are the 5 possible scenarios for GDPR after Brexit with no deal:

In all data exchanges, we can speak of data controllers and data processors.

Data controllers are the business entities which collect the data of their clients and contacts (often in order to provide them with services) AND decide the purposes for which that data will be processed.

Data processors are the business entities which process the data on behalf of a data controller (besides any employees of the controller).

Data subjects are the people whose personal data is being processed.

We’ve drawn the 5 possible scenarios for a GDPR after Brexit, depending on the role of the business in the data flow.

  • Scenario 1: Controllers in the UK, providing services for UK people and entities and sharing no personal data with organizations outside the UK;
  • Scenario 2: Controllers in the UK, providing services for the UK but involved with processors in the EU (or anywhere else outside the UK);
  • Scenario 3: Controllers in the UK, providing services for people and business entities in the EU;
  • Scenario 4: Processors in the UK, acting on behalf of controllers or processors in the EU (or UK and EU);
  • Scenario 5: Processors in the UK, acting on behalf of controllers or processors in the UK.

#1. Scenario 1

This scenario is rather simple. Even though there are not a lot of cases like this in real life, since data circulation is never as tightly sealed as this, it has to be covered by any guide.

If you’re among the rare few UK controllers who only provide services to the UK and have no exchanges with non-UK processors, you’re lucky. You don’t really need to concern yourself with GDPR after Brexit.

The data protection laws you will need to abide by after Brexit are going to be more or less the same as the ones you are used to and will be communicated by UK authorities in due time.

It’s quite possible that after the UK leaves the EU with no deal, controllers doing business solely in the UK will need to comply with the Data Protection Act 2018 (DPA2018) instead of the GDPR. Another likely possibility is that the GDPR will be absorbed into the UK’s own laws upon Brexit (even with no deal).

In any case, the controllers defined by scenario 1 are the least affected by the GDPR after Brexit issue, because nothing will actually change for them.

#2. Scenario 2

Most small UK businesses fall into this category: controllers in the UK that use processors outside the UK. Basically, anyone who uses international services such as Microsoft, Facebook, Dropbox, and so on, fits this second scenario.

Legally, nothing much changes in this case either, because GDPR after Brexit will mean adopting the UK data protection law, the DPA2018. Since processors outside the UK will still be GDPR-compliant, nothing prevents these UK controllers from continuing to use their services.

#3. Scenario 3

In scenario 3, the UK controllers are not just working with non-UK processors but are also serving EU-based clients, have EU offices, and so on. In this case, the situation is a bit murkier.

The problem is that communication between the various branches and entities involved in the business process might be stalled by GDPR after Brexit.

To be proactive about it, you can designate a DPO (Data Protection Officer) in each country you have offices in, and that should cover the conditions imposed by the EU on third countries (which the UK will effectively become).

This will solve compliance issues, but be warned that handling GDPR after Brexit in paperwork terms might not be the worst of it. Because of the extra hassle involved, it’s very likely that obtaining more clients in the EU market will be difficult. It will be harder to compete with EU controllers who don’t have post-Brexit ambiguity to sort through.

#4. Scenario 4

After May 2018, all processors in the UK who were working with EU organizations were required to have them sign contracts which stipulated how their data would be handled. The issue here is that those contracts and agreements mentioned the UK as an EU country, which will no longer be true.

This means that all this paperwork will need to be redone. It’s best if you are proactive and start sending out the revised forms as soon as the Brexit decision is concluded one way or another.

There is the risk that some of your business partners will decline to re-sign, but you do the best with what you have and move on. Continuing to do business with them in the absence of flawless paperwork is too great a risk to take.

#5. Scenario 5

For processors in the UK working only with data of people within the UK (and for controllers in the UK), the same applies as in Scenario 1. In other words, nothing changes, there is no extra concern to be had.

Cybersecurity Risks of GDPR after Brexit: A Few Words of Caution

As you can see by now, GDPR after Brexit will bring a lot of paperwork in many cases. Not just paperwork, but also a lot of communications going on with partners across national frontiers.

Because these communications will be out of the ordinary, and because the Brexit situation is new to everyone, they offer a big opportunity for cybercriminals.

Be wary of any email you receive about Brexit and GDPR matters, especially if the sender is prompting you to do something involving sensitive data. Don’t enter your login details on any page you reached from such an email (it could be a phishing attempt), don’t engage in conversations with people you don’t already know, etc.

Business Email Compromise (BEC) is a growing and costly threat. The little chaos which will likely flood everyone’s emails concerning GDPR after Brexit is the perfect opportunity for BEC attacks.

Spam filters are not enough to tackle it. Verify every such request independently, through a channel you already trust (a known phone number, not the contact details in the email), and also use an email security solution specifically designed to counter BEC attacks.

Wrapping it up

I hope this guide helped clear the confusion surrounding GDPR after Brexit. In any case and however convoluted the Brexit process will continue to be, you should take some steps to prepare for the future.

Just look up your own business situation in the scenarios above and find out what you can expect even if we have a no-deal Brexit. Good luck, and drop us a line with any concern you might have.

The post GDPR after Brexit: No Deal and All Other Exit Scenarios Explained appeared first on Heimdal Security Blog.

On Chinese "Spy Trains"

The trade war with China has reached a new industry: subway cars. Congress is considering legislation that would prevent the world's largest train maker, the Chinese-owned CRRC Corporation, from competing on new contracts in the United States.

Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about "spy trains," and the possibility that the train cars might surreptitiously monitor their passengers' faces, movements, conversations or phone calls.

This is a complicated topic. There is definitely a national security risk in buying computer infrastructure from a country you don't trust. That's why there is so much worry about Chinese-made equipment for the new 5G wireless networks.

It's also why the United States has blocked the cybersecurity company Kaspersky from selling its Russian-made antivirus products to US government agencies. Meanwhile, the chairman of China's technology giant Huawei has pointed to NSA spying disclosed by Edward Snowden as a reason to mistrust US technology companies.

The reason these threats are so real is that it's not difficult to hide surveillance or control infrastructure in computer components, and if they're not turned on, they're very difficult to find.

Like every other piece of modern machinery, modern train cars are filled with computers, and while it's certainly possible to produce a subway car with enough surveillance apparatus to turn it into a "spy train," in practice it doesn't make much sense. The risk of discovery is too great, and the payoff would be too low. Like the United States, China is more likely to try to get data from the US communications infrastructure, or from the large Internet companies that already collect data on our every move as part of their business model.

While it's unlikely that China would bother spying on commuters using subway cars, it would be much less surprising if a tech company offered free Internet on subways in exchange for surveillance and data collection. Or if the NSA used those corporate systems for their own surveillance purposes (just as the agency has spied on in-flight cell phone calls, according to an investigation by the Intercept and Le Monde, citing documents provided by Edward Snowden). That's an easier, and more fruitful, attack path.

We have credible reports that the Chinese hacked Gmail around 2010, and there are ongoing concerns about both censorship and surveillance by the Chinese social-networking company TikTok. (TikTok's parent company has told the Washington Post that the app doesn't send American users' info back to Beijing, and that the Chinese government does not influence the app's use in the United States.)

Even so, these examples illustrate an important point: there's no escaping the technology of inevitable surveillance. You have little choice but to rely on the companies that build your computers and write your software, whether in your smartphones, your 5G wireless infrastructure, or your subway cars. And those systems are so complicated that they can be secretly programmed to operate against your interests.

Last year, Le Monde reported that the Chinese government bugged the computer network of the headquarters of the African Union in Addis Ababa. China had built and outfitted the organization's new headquarters as a foreign aid gift, reportedly secretly configuring the network to send copies of confidential data to Shanghai every night between 2012 and 2017. China denied having done so, of course.

If there's any lesson from all of this, it's that everybody spies using the Internet. The United States does it. Our allies do it. Our enemies do it. Many countries do it to each other, with their success largely dependent on how sophisticated their tech industries are.

China dominates the subway car manufacturing industry because of its low prices -- the same reason it dominates the 5G hardware industry. Whether these low prices are because the companies are more efficient than their competitors or because they're being unfairly subsidized by the Chinese government is a matter to be determined at trade negotiations.

Finally, Americans must understand that higher prices are an inevitable result of banning cheaper tech products from China.

We might willingly pay the higher prices because we want domestic control of our telecommunications infrastructure. We might willingly pay more because of some protectionist belief that global trade is somehow bad. But we need to make these decisions to protect ourselves deliberately and rationally, recognizing both the risks and the costs. And while I'm worried about our 5G infrastructure built using Chinese hardware, I'm not worried about our subway cars.

This essay originally appeared on CNN.com.

EDITED TO ADD: I had a lot of trouble with CNN's legal department with this essay. They were very reluctant to call out the US and its allies for similar behavior, and spent a lot more time adding caveats to statements that I didn't think needed them. They wouldn't let me link to this Intercept article talking about US, French, and German infiltration of supply chains, or even the NSA document from the Snowden archives that proved the statements.

EU Court Limits “The Right to Be Forgotten”

The European Court of Justice ruled that the E.U.’s “right to be forgotten” privacy law only applies within the borders of its member states.

“Currently, there is no obligation under E.U. law, for a search engine operator who grants a request for de-referencing made by a data subject… to carry out such a de-referencing on all the versions of its search engine,” stated the ruling.

The court’s decision stemmed from a legal battle between online search giant Google and French privacy regulator CNIL. CNIL had called for Google to remove any references containing potentially damaging or libelous information worldwide, and attempted to impose a €100,000 fine for non-compliance.

This is the first major court decision to challenge the “right to be forgotten” online since it became effective in 2014. The right, also called the “right to erasure,” grants E.U. citizens the ability to have data collected about them deleted. Google reports that it has received over 840,000 such requests, and has removed 45% of the referenced links.

“Courts or data regulators in the U.K., France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see,” said the executive director of privacy group Article 19 in a statement.


The post EU Court Limits “The Right to Be Forgotten” appeared first on Adam Levin.

Smashing Security #147: Don’t Snapchat and drive

How is private medical data leaking onto the streets of Milton Keynes, what is widening the cybersecurity skills gap, and how is Australia controversially tackling the problem of drivers using their mobile phones?

All this and more can be heard in the latest “Smashing Security” podcast.

Scientists invent new technology to print invisible messages

Messages can only be seen under UV light and can be erased using a hairdryer

Forget lemon juice and hot irons, there is a new way to write and read invisible messages – and it can be used again and again.

The approach, developed by researchers in China, involves using water to print messages on paper coated with manganese-containing chemicals. The message, invisible to the naked eye, can be read by shining UV light on the paper.

Continue reading...

Heyyo dating app left its users’ data exposed online

Another day, another embarrassing data leak makes the headlines: the online dating app Heyyo left a server exposed on the internet without protection, with user data stored on an unsecured Elasticsearch instance.

The exposed data included personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users.

The exposed data included:

  • Names
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Gender
  • Height
  • Profile pictures and other images
  • Facebook IDs for users who linked their profiles
  • Instagram IDs for users who linked their profiles
  • Longitude and latitude
  • Who liked a user’s profile
  • Liked profiles
  • Disliked profiles
  • Superliked profiles
  • Blocked profiles
  • Dating preferences
  • Registration and last active date
  • Smartphone details

The news was first reported by ZDNet, which was informed about the incident by security researchers from WizCase.

“Avishai Efrat, Wizcase leading hacktivist, discovered a severe data leak on Heyyo, a relatively new mobile dating app. Our team was able to access a database of over 70,000 users from around the world through an unsecured Elasticsearch engine,” reported WizCase. “The majority of affected users are based in Turkey, but there’s also a significant number from the US and Brazil, which is over ⅕ of their user base.”

ZDNet verified the authenticity of the data and contacted the Turkey-based company behind Heyyo to notify it of the leak, but the company did not reply for a week.

While waiting for a reply from the development team, the experts noticed that the number of registered users grew from 71,769 to 71,921. They also registered an account and verified that the associated data appeared in the exposed database. This indicates that the server was a live production system.

The server was taken down today after ZDNet contacted Turkey’s Computer Emergency Response Team (CERT).

Clearly, the exposure of this type of data poses serious risks to users’ privacy, including extortion.

At the time of writing it is unclear whether anyone else had access to the exposed database.

Unfortunately, other dating platforms have suffered similar incidents in the past, including Ashley Madison, Grindr, 3Fun, and Luscious.

WizCase also has its own report on the leak, for additional reading.
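How a practitioner would check for the kind of exposure described above, as an added example that is not part of the Security Affairs post, WizCase’s report or Heyyo’s own code: it sends an unauthenticated request to an Elasticsearch root endpoint and, if that answers, to the `_cat/indices` API, and classifies the result. It assumes Elasticsearch’s default REST port (9200) and the documented shape of the root document (`cluster_name` and `version` fields); the host names, the `probe`/`classify_es_response` helpers and the sample responses embedded at the bottom are all constructed for illustration, not captured from the Heyyo server.

```python
"""Unauthenticated-Elasticsearch exposure check (added example, not the
code of Security Affairs, WizCase or Heyyo). Assumes the default port 9200
and Elasticsearch's documented root document; sample data is constructed."""
import json
import sys
import urllib.error
import urllib.request

DEFAULT_PORT = 9200  # Elasticsearch's default HTTP port


def classify_es_response(status, body):
    """Map the HTTP status and body of GET / to an exposure verdict.

    "open"      - cluster metadata came back with no credentials: exposed
    "protected" - the server demanded authentication (401/403)
    "not-es"    - something answered, but not an Elasticsearch root document
    """
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "not-es"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-es"
    # An Elasticsearch root document carries the cluster name and a version
    # block; anything else is some other service listening on the port.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open"
    return "not-es"


def parse_cat_indices(text):
    """Parse the plain-text output of GET /_cat/indices?h=index,docs.count.

    Returns (index_name, doc_count) tuples so the reader sees how much data
    is reachable; blank or malformed lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, count = parts[0], parts[1]
        rows.append((name, int(count) if count.isdigit() else None))
    return rows


def fetch(url, timeout=5, accept="application/json"):
    """GET a URL with no credentials; return (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"Accept": accept})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host, port=DEFAULT_PORT, timeout=5):
    """Live check of one host: returns (verdict, indices) for reporting."""
    base = "http://%s:%d" % (host, port)
    status, body = fetch(base + "/", timeout)
    verdict = classify_es_response(status, body)
    indices = []
    if verdict == "open":
        # The _cat APIs return JSON when asked for it, so request plain text
        # to keep the column parser above valid.
        status, text = fetch(base + "/_cat/indices?h=index,docs.count",
                             timeout, accept="text/plain")
        if status == 200:
            indices = parse_cat_indices(text)
    return verdict, indices


# Constructed sample responses (not captured from any real server), used to
# exercise the classifier offline.
SAMPLE_OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "es-prod",
                               "version": {"number": "6.8.0"}})
SAMPLE_CAT_INDICES = "users    12345\nmatches  67890\n"

if __name__ == "__main__":
    # Usage: python3 es_check.py host1 host2 ...  (only hosts you are authorized to test)
    for target in sys.argv[1:]:
        result, found = probe(target)
        print(target, result)
        for index_name, doc_count in found:
            print("   ", index_name, doc_count)
```

Two caveats a practitioner should keep in mind: an “open” verdict only means the REST API answered without credentials on that port, so a cluster bound to a private address can still be reachable through a misconfigured proxy the check never sees; and a “protected” verdict says nothing about weak or default credentials. Elasticsearch shipped authentication in its free tier only from 6.8 and 7.1 onward, so older clusters that are reachable from the internet are very often open in exactly the way described above.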

Pierluigi Paganini

(SecurityAffairs – Heyyo, hacking)

The post Heyyo dating app left its users’ data exposed online appeared first on Security Affairs.

Court Rules in Favor of Mining LinkedIn User Data

A federal appellate court ruled that mining and aggregating user data publicly posted to social media sites is allowable by law.

In an opinion released earlier this month, the 9th Circuit U.S. Court of Appeals upheld an injunction against employment-centric social network LinkedIn from blocking access to hiQ, a data mining company that sells aggregated user information.

LinkedIn sent a cease-and-desist letter to hiQ in 2017 requesting that the company stop accessing and copying data from its servers. The letter warned hiQ that further aggregation activity would violate state and federal laws, including the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), and the California common law of trespass. HiQ responded with a suit against LinkedIn and requested a temporary restraining order against them, which was granted by the district court and upheld by the 9th Circuit.

While the court’s ruling was a response to the potential for “irreparable harm” to hiQ caused by depriving them of access to data, the decision as it pertains to the collection and dissemination of data could have major implications for online privacy:

“[T]here is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do,” stated the court’s opinion. 

The opinion went on to assert that the CFAA didn’t apply to hiQ, since “the CFAA’s prohibition on accessing a computer ‘without authorization’ is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer.”

As things stand now with this legal battle, information displayed publicly on a website is fair game for third parties seeking to aggregate its user data, regardless of whether their activities conflict with a web service’s user license agreement or the wishes of its users. It also limits the definition of “unauthorized access” to content protected behind a password or some other means of authorization.

It is unclear how this ruling would apply in states with more stringent privacy requirements, or how it impacts data accidentally exposed to the public because of poor cybersecurity or human error, but the case does raise several questions about the ownership of and access to user data. 

The post Court Rules in Favor of Mining LinkedIn User Data appeared first on Adam Levin.

What security and privacy enhancements has iOS 13 brought?

With the release of iPhone 11 and its two Pro variants, Apple has released iOS 13, a substantial functional update of its popular mobile operating system. But while many users are happy to finally get a complete Dark Mode for the device or a better phone camera, some are more interested in security and privacy enhancements. Location data On iOS 13, users will be able to control the location data shared with apps with more … More

The post What security and privacy enhancements has iOS 13 brought? appeared first on Help Net Security.

A Feminist Take on Information Privacy

Maria Farrell has a really interesting framing of information/device privacy:

What our smartphones and relationship abusers share is that they both exert power over us in a world shaped to tip the balance in their favour, and they both work really, really hard to obscure this fact and keep us confused and blaming ourselves. Here are some of the ways our unequal relationship with our smartphones is like an abusive relationship:

  • They isolate us from deeper, competing relationships in favour of superficial contact -- 'user engagement' -- that keeps their hold on us strong. Working with social media, they insidiously curate our social lives, manipulating us emotionally with dark patterns to keep us scrolling.

  • They tell us the onus is on us to manage their behavior. It's our job to tiptoe around them and limit their harms. Spending too much time on a literally-designed-to-be-behaviorally-addictive phone? They send company-approved messages about our online time, but ban from their stores the apps that would really cut our use. We just need to use willpower. We just need to be good enough to deserve them.

  • They betray us, leaking data / spreading secrets. What we shared privately with them is suddenly public. Sometimes this destroys lives, but hey, we only have ourselves to blame. They fight nasty and under-handed, and are so, so sorry when they get caught that we're meant to feel bad for them. But they never truly change, and each time we take them back, we grow weaker.

  • They love-bomb us when we try to break away, piling on the free data or device upgrades, making us click through page after page of dark pattern, telling us no one understands us like they do, no one else sees everything we really are, no one else will want us.

  • It's impossible to just cut them off. They've wormed themselves into every part of our lives, making life without them unimaginable. And anyway, the relationship is complicated. There is love in it, or there once was. Surely we can get back to that if we just manage them the way they want us to?

Nope. Our devices are basically gaslighting us. They tell us they work for and care about us, and if we just treat them right then we can learn to trust them. But all the evidence shows the opposite is true.

Facebook suspends tens of thousands of apps from hundreds of developers

Facebook announced it has suspended tens of thousands of apps as a result of a review of privacy practices launched following the Cambridge Analytica scandal.

In April 2018, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, far more than the 50 million initially thought. The company had allowed access to the personal data of around 87 million Facebook users without their explicit consent.

After the Cambridge Analytica privacy scandal in 2018, the social network giant launched a review of privacy practices. Facebook’s review of all apps on the platform aimed to determine alleged abuse of user data and violations of its privacy rules.

Facebook has now announced the suspension of tens of thousands of apps.

According to vice president of partnerships Ime Archibong, the suspensions are “not necessarily an indication that these apps were posing a threat to people.” Archibong also added that some “did not respond to our request for information.”

Archibong revealed that the review “has addressed millions of apps. Of those, tens of thousands have been suspended for a variety of reasons while we continue to investigate.” In some cases Facebook completely banned the apps.

In July, the United States Federal Trade Commission (FTC) approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Archibong explained that the development teams behind the apps have to certify compliance with Facebook policies annually.

“Any developer that doesn’t go along with these requirements will be held accountable,” concluded Archibong.

Pierluigi Paganini

(SecurityAffairs – social network, privacy)

The post Facebook suspends tens of thousands of apps from hundreds of developers appeared first on Security Affairs.

Report: Use of AI surveillance is growing around the world

It's not just China: at least 75 out of 176 countries globally are actively using AI technologies for surveillance purposes, research shows.

Should you trust your smart TV or streaming device?

“Smart” devices might be handy and offer higher quality services, but users should be aware that everything comes with a price. And we’re not talking here about the price of the actual device, but of the fact that these devices collect device, user and user behavior information and send it to a variety of third-parties. This information might currently be worthless to users, but it’s worth a lot to companies: it is used to improve … More

The post Should you trust your smart TV or streaming device? appeared first on Help Net Security.

Organizations continue to struggle with privacy regulations

Many organizations’ privacy statements fail to meet common privacy principles outlined in GDPR, CCPA, PIPEDA, including the user’s right to request information, to understand how their data is being shared with third parties and the ability of that information to be deleted upon request, according to the Internet Society’s Online Trust Alliance (OTA). Organizations also have a duty to notify users of their rights in an easily understandable matter. OTA analyzed 29 variables in 1,200 … More

The post Organizations continue to struggle with privacy regulations appeared first on Help Net Security.

Chapter Preview: It All Starts with Your Personal Data Lake

Once, not long ago, data was nestled in paper files or stored on isolated computer networks, housed in glassed-off, air-conditioned rooms. Now, data is digital, moves effortlessly, and gets accessed from devices and places around the world at breakneck speeds. This makes it possible for businesses, organizations, and even individuals to collect and analyze this data for a whole host of purposes, such as advertising, insurance proposals, and scientific research, to name but a few. The data they are collecting and accessing about you is part of your personal data lake.

Data lake is a term that technologists typically use, but for us, using the term paints a strong visual for an important concept—how we create an extraordinary amount of data simply by going online and using connected devices. Your online interactions create drops of data that collect into streams, and pool together to form an ever-deepening lake of data over time. It stands to reason that the more time you spend online, connecting devices in your home and accessing a growing number of applications on your smartphone, the more quickly your personal data lake grows.

As you can imagine, your privacy and security are what’s at stake as you go about your digital life. Ultimately, the more data you share, either knowingly or unknowingly, the more that data potentially puts you at risk. This is true for you and your family members. The stakes get even higher because some of our own behavior can put us at risk. The internet is a platform with a global reach and a forever memory. What you say, do, and post can have a lifetime of implications. As a family, each member has a personal responsibility to look after themselves and each other. This unwritten contract extends to the internet because our actions there can impact our personal and professional lives, not to mention the lives of others. This book is laden with examples of how people get passed over for jobs, ruin romantic relationships, and end up doing actual physical harm to others because of what they say, do, or post online, ranging from sharing a picture of someone passed out at a party because it seemed funny at the time, to something calculated and intentionally injurious, like cyberbullying.

With people admitting that they increasingly spend more time online while connecting more and more devices in our homes, it’s time to understand the permanence of those behaviors and how they can impact all aspects of your life. As you go through the book you’ll better understand how your personal data lake is constantly growing, while laying out useful tips you can use to better manage your information.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

The post Chapter Preview: It All Starts with Your Personal Data Lake appeared first on McAfee Blogs.

Improving the security, privacy and safety of future connected vehicles

The security, privacy and safety of connected autonomous vehicles (CAVs) has been improved thanks to testing at WMG, University of Warwick. CAVs can now connect to each other, roadside infrastructure, and roadside infrastructure to each other more securely. In the near future connected and autonomous vehicles are expected to become widely used across the UK. To ensure a smooth deployment, researchers from WMG, University of Warwick undertook real-world testing of four academic innovations in the … More

The post Improving the security, privacy and safety of future connected vehicles appeared first on Help Net Security.

Confidential data of 24.3 million patients discovered online

Greenbone Networks has released details of new research in to the security of the servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans. Of the 2,300 medical image archive systems worldwide that Greenbone analyzed between mid-July and early September 2019, 590 of them were freely accessible on the internet, together containing 24.3 million data records from patients located in 52 different countries. … More

The post Confidential data of 24.3 million patients discovered online appeared first on Help Net Security.

Businesses facing post breach financial fallout by losing customer trust

44% of Americans, 38% of Brits, 33% of Australians, and 37% of Canadians have been the victim of a data breach, according to newly released research conducted by PCI Pal. The findings suggest that a combination of recent high-profile data breaches in each region, the development of assorted laws and regulations to protect consumer data privacy (e.g. the California Consumer Privacy Act, Europe’s General Data Protection Regulations, Canada’s Personal Information Protection and Electronic Documents Act, … More

The post Businesses facing post breach financial fallout by losing customer trust appeared first on Help Net Security.

Thousands of Google Calendars Possibly Leaking Private Information Online

"Warning — Making your calendar public will make all events visible to the world, including via Google search. Are you sure?" Remember this security warning? No? If you have ever shared your Google Calendars, or maybe inadvertently, with someone that should not be publicly accessible anymore, you should immediately go back to your Google settings and check if you're exposing all your events

WhatsApp ‘Delete for Everyone’ Doesn’t Delete Media Files Sent to iPhone Users

Mistakenly sent a picture to someone via WhatsApp that you shouldn't have? Well, we've all been there, but what's more unfortunate is that the 'Delete for Everyone' feature WhatsApp introduced two years ago contains an unpatched privacy bug, leaving its users with false sense of privacy. WhatsApp and its rival Telegram messenger offer "Delete for Everyone," a potentially life-saving feature

New Breach Exposes an Entire Nation: Living and the Dead

A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children.

The database was discovered by vpnMentor and was traced back to Ecuadorean company Novaestra. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.

“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” stated a blog from vpnMentor announcing the discovery of the leak. “Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud.”

The leaked data also included financial information for individuals and businesses including bank account status, account balance, credit type, job details, car models, and car license plates.

“The information in both indexes would be as valuable as gold in the hands of criminal gangs,” wrote ZDNet reporter Catalin Cimpanu. “Crooks would be able to target the country’s most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners’ home addresses and license plate numbers).” 

The exposed database was on a server running Elasticsearch, a software program that enables users to query large amounts of data. Elasticsearch has been involved in several high profile data leaks, mostly due to configuration mistakes. Other recent Elasticsearch leaks included a Canadian data mining firm’s records for 57 million US citizens, a medical database storing the data on 85 percent of Panamanian citizens, and a provincial Chinese government database that contained 90 million personal and business records. 

The post New Breach Exposes an Entire Nation: Living and the Dead appeared first on Adam Levin.

Tor Project’s Bug Smash Fund raises $86K in August

The Tor Project has raised $86,000 for a Bug Smash fund that it will use to pay developers that will address critical flaws in the popular anonymizing network.

The Tor Project has raised $86,000 for a Bug Smash fund that was created to pay developers that will address critical security and privacy issues in the popular anonymizing network.

In early August, the Tor Project announced the creation of the Bug Smash Fund with the intent of paying professionals to support the organization in maintenance work and in smashing bugs.

“The goal of the Bug Smash Fund is to increase the Tor Project’s reserve of funds that allow us to complete maintenance work and smash the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly,” reads the announcement published by the Tor Project.

“When we say maintenance and bugs, we are talking about work that is critical—and that we must pay for. This work includes responding quickly to security bugs, improving test coverage, and keeping up with Mozilla’s ESRs. An entire ecosystem relies on us doing so.”

The organization has added donations it received in August 2019 to the Bug Smash Fund.

Any vulnerability that could be used to de-anonymize Tor users, or that attackers could use to disrupt the anonymizing network, is considered critical and must be addressed rapidly; part of the Bug Smash Fund will pay developers to do so.

The fund aims to be transparent: donors can track how the money is being used, because the Tor Project will tag any bug tickets that draw on the fund with the “BugSmashFund” tag.

“Want to keep up with the work we’re doing with this fund? There are three ways: (1) Follow the “BugSmashFund” trac ticket tag, (2) watch this blog for updates about the progress of these tickets, and (3) make a donation and opt in for our newsletter to get updates directly to your inbox,” concludes the announcement.

“Want to contribute anonymously, with cryptocurrency, or by mail? Here’s how.”

Pierluigi Paganini

(SecurityAffairs – Tor Project, privacy)

The post Tor Project’s Bug Smash Fund raises $86K in August appeared first on Security Affairs.

Dealer Leads, a car dealer marketing firm, exposed 198 million records online

A researcher discovered an unsecured database exposed online, belonging to car dealership marketing firm Dealer Leads, containing 198 million records.

The researcher Jeremiah Fowler discovered an unsecured database exposed online that belongs to car dealership marketing firm Dealer Leads.

The archive contained 198 million records, 413GB of data in total, including information on potential car buyers, vehicles, loan and finance inquiries, log data with visitors’ IP addresses, and more.

“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner,” reports Security Discovery. “I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”

Dealer Leads provides content relevant to the auto industry for franchise and independent car dealerships; the company’s website describes it with the following statement:

“dominates the automotive digital marketing industry with highly used automobile search strings turned into online inventory advertising classified sites, service sites, finance sites etc. Car shoppers have needs, and DealerLeads matches those needs in live searches.”

The Elasticsearch database was accessible to anyone with a browser; its records included names, email addresses, phone numbers, postal addresses, IP addresses, and other sensitive or identifiable information, all in plain text.

The archive also included IP addresses, ports, pathways, and storage info.
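The Ecuadorian database above and the Dealer Leads archive here were both Elasticsearch instances that answered to anyone on the internet without credentials. As an added example (not from either article, and not Elastic’s own documentation), here is the shape of an elasticsearch.yml that produces that exposure, beside a hardened one. The interface addresses and keystore file names are illustrative assumptions; `xpack.security.enabled` defaulted to false on Elasticsearch 7.x basic-license installs, so older clusters had to opt in to authentication explicitly.

```yaml
# --- Exposed configuration (the pattern behind the leaks described above) ---
# Assumed example values, not taken from either incident.
cluster.name: leads-archive
node.name: node-1
# Binding to every interface publishes port 9200 to the internet.
network.host: 0.0.0.0
http.port: 9200
# No authentication: any HTTP client can run _search and _cat/indices.
xpack.security.enabled: false
discovery.type: single-node

---
# --- Hardened configuration ---
cluster.name: leads-archive
node.name: node-1
# Bind only to loopback (or a private interface such as 10.0.0.5 behind a firewall).
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
# Require credentials (native realm, API keys or a configured realm) on every request.
xpack.security.enabled: true
# Encrypt the REST API so credentials are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # assumed path
# Encrypt node-to-node traffic as well (required once security is on in a multi-node cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # assumed path
```

A quick self-check from the host after restarting: an unauthenticated `curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:9200/` should return 401, and the port should not appear in a scan of the machine’s public address. Network placement (firewall rules, a reverse proxy, or a private subnet) is still the primary control; the authentication setting is the safety net for the day someone edits `network.host`.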

The good news is that after the expert reported his discovery to the company, it secured the database by restricting public access to the archive.

At the time of writing it is not clear how long the data remained exposed online or whether anyone accessed its records.

“Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed,” Security Discovery concludes.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network, applicants and potential customers may not know if their data was exposed.”

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Dealer Leads, a car dealer marketing firm, exposed 198 million records online appeared first on Security Affairs.

Interacting with governments in the digital age: What do citizens think?

Most U.S. citizens acknowledge and accept that state and local government agencies share their personal data, even when it comes to personal information such as criminal records and income data, according to a new survey conducted by YouGov and sponsored by Unisys. However, the survey found they remain concerned about the security of the data. The survey of nearly 2,000 (1,986) U.S. citizens living in eight states found that more than three-quarters (77%) accept that … More

The post Interacting with governments in the digital age: What do citizens think? appeared first on Help Net Security.

What Is Safe Mode on My Phone?

Ever experienced buggy features on your phone? Well, there’s a way to solve them, and it does not involve sending your phone packing to the nearest repair shop – it’s called safe mode and, yes, it works just like Microsoft Windows’ repair and debugging environment. So, what is safe mode on my phone? Long story short, it could be your only shot at making that phone of yours work again.

Screen freezes, unresponsive features, cascading restarts – all could be symptoms of a conflicting application. Unfortunately, uninstalling the application in question may not resolve the issue. Anyway, here’s how to switch on safe mode on your phone.

What happens when your phone reboots in safe mode?

Basically, safe mode is an environment where you debug faulty applications and turn off features that are otherwise hidden in normal mode. A Windows user knows best that in order to completely uninstall some apps, you need to go into safe mode. Well, that’s, more or less, what happens when you use this smartphone feature.

The environment is not at all different from your regular UI – all the apps are there, menus, connectivity options. However, while running in safe mode, you won’t be able to use widgets and some third-party applications; you won’t need them anyway since your goal here is to determine what went wrong with your phone. Well, that’s about it in safe mode. Yes, I know that it’s not a lot, but then again, you can’t get more straightforward than this.

Oh, by the way – most of the smartphone mishaps are generated by latent malware. On that note, I would wholeheartedly recommend using Thor Mobile Security, our latest malware-busting tool. Take it for a spin – first month’s on the house. If you don’t like it, you can always cancel your subscription and rely on your tool of choice.


How do you turn on the safe mode on your phone?

The quickest answer would be that it depends on what operating system your phone runs. Interestingly enough, the procedure’s the same across all iPhone devices, regardless of the OS. I’ll start with this one.

Turning on safe mode on your iPhone

Here’s a rundown on how to switch on the safe mode feature on your iPhone.

Step 1. Power down your phone by holding the power button.

Step 2. Wait until the phone’s completely powered off.

Step 3. Press and hold the power button again.

Step 4. When the screen lights up, hold down the Volume down button. Keep the two buttons pressed until the Apple logo appears on the screen.

Step 5. Your phone will now boot up in safe mode. Now you can safely remove any malfunctioning applications.

That was suspiciously easy, wasn’t it? Told you that the procedure’s the same when it comes to iPhones. Now that the fun part is over, let’s see how to switch on the safe mode on your Android device.

Turning on safe mode on Android

Let me start by showing you how to switch on this feature on most Samsung Galaxy phones.

Step 1. Drag down the notification bar.

Step 2. Tap on the “Safe mode enabled” button.

Step 3. Confirm and wait until your phone restarts. Congrats! Your phone is now operating in a safe mode.

Pitch-perfect! But that’s hardly the only way to switch on the celebrated safe mode. As I might have mentioned, the procedure depends on the type of phone you have. The list below will show you how to enable the feature on your Android phone.

Safe mode on HTC phones

If you have an HTC device, here’s how to switch on the safe mode.

Step 1. Press and hold the Power key. It should be located on the right side of your phone.

Step 2. Hold the Power key for about three seconds.

Step 3. From the power down menu that appears on the screen, tap and hold the Power off icon. After a couple of seconds, a new power down option will appear on your screen – “Reboot to safe mode”.

Step 4. Hit the Restart button. Your phone will now boot up in safe mode.

Safe mode on LG phones

To switch on the safe mode on your LG phone, start by holding the Power key and select the Restart option. Once the LG logo appears on the screen, hold down the Volume Down key. To see if safe mode is enabled, take a closer look at the bottom left corner of the screen. If you followed the above-mentioned steps, a Safe mode icon should appear.

Safe mode on Moto G phones

If you have a Motorola smartphone, please follow these steps in order to enable safe mode.

Step 1. Press and hold the Power key.

Step 2. Please release the power key when the Shut Down menu appears.

Step 3. Long-press the power off button.

Step 4. When the Reboot to Safe Mode option appears on your screen, tap on OK to initiate safe mode.

Safe mode on Huawei smartphones

It’s trickier to switch on safe mode on a Huawei phone since it involves removing the battery. Just follow the steps below.

Step 1. With the phone turned on, remove the back cover.

Step 2. Remove the battery.

Step 3. Put the battery back in the slot.

Step 4. Hold down the Menu.

Step 5. Long-press the Power Key. Don’t let go of that Menu key.

Step 6. If done correctly, the message “Safe Mode” should appear in the lower part of the screen.

Safe Mode on Blackberry PRIVs

Here’s a quick guide on how to switch on the feature on your Blackberry PRIV phone.

Step 1. Long-press the Power button.

Step 2. When the Power Off menu appears on the screen, long-tap the Power Off button.

Step 3. After a couple of seconds, a safe mode prompt will appear on your screen.

Step 4. Tap OK to confirm.

Safe mode on Xiaomi smartphones

There are two ways to enable this feature on your Mi smartphone. Check out the guide below.

First method

Step 1. With the device powered on, long-press the power key.

Step 2. When the power menu appears, let go of the power key.

Step 3. Long-press the Power Off button.

Step 4. After a couple of seconds, the Android Safe Mode message will appear on your screen.

Step 5. Hit the Reboot button to restart the device into safe mode.

Second method

Step 1. Restart your device. You can do that by selecting the Restart option from the Power Off menu.

Step 2. When the Xiaomi logo appears on your screen, tap the Menu key.

Step 3. Continue tapping the menu key until you see the lock screen.

Step 4. The Android Safe Mode message should now be on your screen.

Safe mode on your Oppo smartphone

Oppo phones are the latest addition to the market. Can’t say I’ve had too much contact with them, but from what I’ve gathered, they’re cheap and surprisingly high-performing. So, here’s how to switch on the safe mode on your Oppo phone.

Step 1. Press and hold the Power key.

Step 2. In the Power Off menu, tap and hold the Power Off button. Keep it pressed for a couple of seconds.

Step 3. A second power off menu will appear.

Step 4. Tap on OK to confirm booting into safe mode.

Wrap-up

Well, that’s about everything you need to know about the issue at hand (what is safe mode on my phone). As I’ve mentioned, sometimes it may be the only way to get rid of buggy applications and unresponsive features. And, if all else fails, there’s always the restore to factory settings feature. Hope you’ve enjoyed the read and, as always, for comments, rants, beer donations, shoot me a comment.

The post What Is Safe Mode on My Phone? appeared first on Heimdal Security Blog.

Smashing Security #145: Apple and Google willy wave while home assistants spy – DoH!

Apple’s furious with Google over iPhone hacking attacks against Uyghur Muslims in China, DNS-over-HTTPS is good for privacy but makes ISPs angry, and concern over digital assistants listening to our private moments continues to rise.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist John Leyden.

More than 50 U.S. Businesses Call For Federal Privacy Law

Fifty-one CEOs representing U.S.-based businesses sent an open letter to Congress requesting a comprehensive federal consumer privacy law.

Signed by the CEOs AT&T, Comcast, General Motors, Mastercard, and Wal-Mart, among others, the letter requested “a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.”

The cosignatories of the letter are members of the Business Roundtable, an association of executives focuses on “working to promote a thriving U.S. economy… through sound public policy.”  

Attached to the letter was a proposal for a consumer policy framework that encompasses the need for federal legislation to override state privacy laws, a definition of personal data, the creation of a federal standard for data breach notifications, and the assignment of primary enforcement responsibilities to the FTC. The framework also calls for “no private right of action,” meaning that consumers would be unable to bring lawsuits for violations of the law. 

While the Business Roundtable requests a more uniform law to “ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws,” many critics suggest that the ulterior motive is to pass a weaker set of privacy protections to supercede more stringent state laws currently in place in Maine and California. 

The post More than 50 U.S. Businesses Call For Federal Privacy Law appeared first on Adam Levin.

Major Web Hosting Hazards You Should Take Seriously

“I’ve read on my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”

This is a pretty common answer that a lot of bloggers and small business owners give me when I ask them whether they know how secure their web hosting is. Also, they often add that their budgets are pretty tight, so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean “ridiculously cheap.”

Come on, people.

Do you really think that a cheap web host has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?

While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.

If you don’t believe me, you can Google something like “Hacked website stories” and you’ll see that many web hosting companies – from some of the cheapest to some well-known ones – don’t have adequate security solutions in place. As a result, lots of people have lost their websites. These horror stories are quite common, and even a simple Google search can return a lot of them.

Shocking Stats

Unfortunately, hackers are becoming more and more skilled at what they do, and stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you’ll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites have been hacked since 12 am).

From what I saw on Internet Live Stats, I could tell that one website was hacked every second. This is horrible, and one of the bad things about this was that many of the owners of these websites thought that they were protected by their web hosting provider.

The next bad thing about all of this is that the number of websites hacked daily is getting higher. For example, there were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as we could see on the live counter, this number has more than tripled in 2019. If this negative trend continues, then we could easily see even more website owners losing their business on a daily basis very soon.

While this information is certainly alarming, website owners are typically to blame for the fact that their website was stolen from them (not trying to be rude here at all). If we dig a little bit deeper into the data on hacked websites, we discover that many use ridiculously simple passwords, poor hosting providers, outdated content management systems (CMS), and do other unwise things that help hackers get in.

For example, many bloggers want to focus on content writing, editing, and lead building rather than think about stuff like hosting. While content proofreading is something they could get help with by using numerous online tools like Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.

Next, there’s an issue with passwords. According to a recent survey by the UK’s National Cyber Security Centre (NCSC), 23.2 million web accounts they’ve analyzed had “123456” as a password. Moreover, about 7.7 million people relied on “123456789” for protection of their data, while “password” and “qwerty” were also quite popular with about 3 million users each.

While a password is something that could be changed in a matter of seconds to protect your site against brute force attacks, it may not protect you from most cyber threats. This is the responsibility of a hosting provider, and unfortunately, a lot of people disregard this requirement for web security.

That’s why we’re going to talk about hosting security issues that you should protect your site from.

How Web Hosting Affects the Security of Your Website

Before we talk about major web hosting hazards, let’s quickly discuss the connection between the security of your website and the web hosting you’re using. I’m going to say this right away: choosing a web hosting provider is one of the most important decisions you’ll make when setting up your website, and the implications go way beyond security.

For example, if you’re a blogger or a business owner, you’ll get:

  • A high level of protection against hackers. “This means that you’ll be able to concentrate on content creation,” says Peter O’Brien, a content specialist from Studicus. “If I selected a poor host, I wouldn’t spend so much doing the creative stuff, that’s for sure”
  • A fast loading time. People don’t like to wait; in fact, Google claims that websites that load within 5 seconds have 70 percent longer visitor sessions, 35 percent lower bounce rates, and 25 percent higher viewability compared to websites that load between 5 and 19 seconds. That’s why Google has released the mobile-first indexing update and designed its own PageSpeed Insights tool to help users optimize the performance of their websites.
  • High reliability and uptime. Most web hosting companies claim that the websites they service are online 99.9 percent of the time, but the real figure can vary and depends on the quality of the provider.
  • Better security. Different web hosting providers have different security packages, so the websites they power have different levels of protection from hackers. Moreover, a good host can help you recover quickly if you’ve suffered an attack.

Let’s talk a little bit more about the last bullet point. So, how can one tell that their hosting provider is poor? That’s pretty easy:

  • Slow loading times. If your website takes more than five seconds to load, chances are that its performance is being hurt by a hosting provider that has crammed a lot of sites onto one server.
  • Frequent security issues. If your website has no backups and suffers frequent cyber attacks, you should definitely talk to your provider (after making sure that your passwords aren’t the problem).
  • Regular unexpected downtime. A poor choice of web hosting provider often leads to this problem, which in turn is often caused by overloaded servers. In other words, the provider simply can’t handle the volume of visitors that your website (and the other websites hosted on that server) is experiencing.

So, to sum up, the quality of hosting is essential to the success of your online venture, and making a poor choice can lead to disappointing outcomes (just remember the figures from the live counter again). But with so many websites getting hacked every day, what do you need to know to protect your own? Read the next section to find out.

Beware of these Major Web Hosting Hazards

  1. Shared Hosting Issues

Shared hosting is a tricky business, and you don’t know how many websites are on the server where your own lives. It’s quite possible that the number is high, up to a thousand, and this could be one of the reasons why your website might be underperforming.

For example, this discussion thread had some interesting information on the subject. A person asked how many websites are typically served from one shared server, and some of the answers were astonishing! For example, one user responded by writing the following.

Can you believe it? 800 websites on one server! Talk about performance issues, right?

While I realize that a single server can host up to several thousand websites, can you imagine what would happen if at least ten of them are high-traffic ones? Think crashes, slow loading times, unplanned downtime, and lots of other issues.

Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.

  2. Attacks that Exploit an Outdated Version of PHP

It’s a known fact that about 80 percent of all websites in 2018 ran on PHP. However, as of the beginning of 2019, support for PHP 5.6.x has ended, meaning that support for every version of PHP 5.x is gone. In other words, sites that fail to update won’t get any more security patches, bug fixes, or updates.

However, recent reports suggest that this news didn’t trigger any massive move to newer versions of PHP. For example, according to Threat Post, about 62 percent of all websites that use server-side programming are still running PHP version 5. Here are the full data.

Source: Threat Post
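An added example, not from the article or from Threat Post: a small inventory check that reads the `X-Powered-By` header your own sites return and flags the ones still on a PHP branch without security support. Only the fact stated above is encoded in its table (every PHP 5.x branch is unsupported from the start of 2019, 5.6 being the last, with security support ending 31 December 2018); the hostnames and header values are constructed, and newer branches are deliberately reported as “not in table” rather than assumed safe.

```python
"""Inventory check: flag sites on a PHP branch that no longer receives
security fixes. Added example, not code from the article or Threat Post.

Only the fact stated in the article is encoded: every PHP 5.x branch lost
security support at the start of 2019 (5.6, the last, ended 31 Dec 2018).
Newer branches are reported as "not in table" so a gap in this sample table
is never mistaken for ongoing support; extend it from php.net.
"""
import re
from datetime import date
from typing import Dict, Iterable, Optional, Tuple, Union

Version = Tuple[int, int, int]

# Security-support end dates. Assumption for this example: only the 5.6
# entry is listed; add newer branches from the php.net supported-versions page.
SECURITY_SUPPORT_ENDS: Dict[Tuple[int, int], date] = {
    (5, 6): date(2018, 12, 31),
}
# Every 5.x branch older than 5.6 ended earlier still, so the same cut-off
# is safe for the whole family.
PHP5_FAMILY_ENDS = date(2018, 12, 31)

VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_php_version(header_value: Optional[str]) -> Optional[Version]:
    """Extract (major, minor, patch) from an X-Powered-By value such as
    'PHP/5.6.40'. Returns None when the header is absent or hides the version
    (expose_php=Off removes it entirely)."""
    if not header_value:
        return None
    match = VERSION_RE.search(header_value)
    if not match:
        return None
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch) if patch is not None else 0


def _as_date(today: Union[date, str]) -> date:
    return today if isinstance(today, date) else date.fromisoformat(today)


def support_status(version: Optional[Version], today: Union[date, str]) -> str:
    """'unsupported', 'supported', 'not in table' (newer branch, look it up)
    or 'unknown' (no version visible; verify on the server, don't assume)."""
    if version is None:
        return "unknown"
    branch = (version[0], version[1])
    ends = SECURITY_SUPPORT_ENDS.get(branch)
    if ends is None and version[0] <= 5:
        ends = PHP5_FAMILY_ENDS
    if ends is None:
        return "not in table"
    return "unsupported" if _as_date(today) > ends else "supported"


def audit_inventory(entries: Iterable[Tuple[str, Optional[str]]],
                    today: Union[date, str]) -> Dict[str, str]:
    """Map each (hostname, X-Powered-By value) pair to its support status."""
    return {host: support_status(parse_php_version(header), today)
            for host, header in entries}


if __name__ == "__main__":
    # Constructed inventory; not real hosts or captured headers.
    inventory = [
        ("blog.example", "PHP/5.6.40"),
        ("shop.example", "PHP/5.4.16"),
        ("docs.example", "PHP/7.3.8"),
        ("api.example", None),  # header suppressed, version unknown
    ]
    for host, status in audit_inventory(inventory, "2019-06-01").items():
        print(f"{host:14} {status}")
```

Because `expose_php = Off` in php.ini suppresses the header, an “unknown” result means the version has to be confirmed on the server itself (for example with `php -v`) rather than treated as a pass; a hidden version is not an updated one.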

“These sites probably include old libraries that haven’t had the joy of an update…” the Threat Post article quoted a web security expert as saying. “The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”

For hackers looking for some business, this means that they have a lot of work to do. Can you imagine it: since the beginning of this year, more than 60 percent of websites stopped getting security updates!

“Faced with the urgent requirement to update the PHP version, a lot of website owners will make a corresponding request to their web hosting providers,” shares Sam Bridges, a web security specialist from Trust My Paper. “This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process.”

On top of that, some providers may not be willing to notify their users about the requirement to update their PHP versions, so a lot of websites may still be using outdated ones in the next few years.

Well, hopefully you’re not going to be one of them.

  3. More Sophisticated DDoS Attack Techniques

DDoS attacks are nothing new. However, they are still a common type of cyberweapon used against websites, and one that should be considered when choosing a hosting provider. In fact, the situation here is a lot more complicated than one might think.

For example, research suggests that the total number of DDoS attacks decreased by 13 percent in 2018, which many may see as a positive signal.

The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky

Unfortunately, the stats don’t provide the big picture here. According to Kaspersky, hackers are reducing the number of attempts to break into websites using DDoS attacks, but they are turning to more advanced and sophisticated attack techniques.

For example, it was found that the average length of an attack increased from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter of 2018. While this means that protection against this kind of attack is getting better, it also suggests that the malefactors are becoming more selective and skilled.


For example, 2018 has seen the biggest DDoS attacks in history; one of these situations involved a U.S.-based website that reported a 1.7 TB/s assault (this means that the attackers overwhelmed the site with a massive wave of traffic hitting 1.7 terabytes per second!), according to The Register.

Source: The Register

Therefore, we may see an increase in unresponsive websites due to DDoS attacks in the next years (clearly, not a lot of websites can survive an attack like this one), as hackers deploy more sophisticated techniques.

Since a lack of DDoS-protected hosting is a major risk factor in this situation, make sure that your hosting provider has this protection in place.

Stay Protected

Web hosting is not the first thing that many website owners think about when setting up their businesses, but it’s definitely one that could make or break them. The success of your venture ultimately depends on the uptime, loading time, and overall reliability of your website, so being aware of the threats you may face in the near future could help you avoid losing your website and joining the 100,000+ unfortunate site owners who get their sites hacked every day.

Hopefully, this article was a useful introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data to be protected, pay attention to existing and emerging risks now and make the appropriate decisions. Eventually, this will pay off nicely by maximizing the uptime and reliability of your website.


Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.

The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.

Hundreds of millions of Facebook users’ phone numbers found lying around on the internet

A security researcher found a server on the internet containing more than 419 million records related to Facebook users.

No password protection was in place – meaning the treasure trove of phone numbers was available to literally anybody with an internet connection.

Read more in my article on the Tripwire State of Security blog.

Introduction to “Is Your Digital Front Door Unlocked?” a book by Gary Davis

“Is Your Digital Front Door Unlocked?” explores the modern implications of our human nature: our inherent inclination to share our experiences, specifically on the internet. Our increasing reliance on technology to connect with others has us sharing far more information about ourselves than we realize, and without a full understanding of the risks involved.

While we’re posting innocent poolside pictures, we’re also creating a collection of highly personal information. And not just on social media. It happens by simply going about our day. Whether it is the computers we use for work and play, the smartphones that are nearly always within arm’s reach, or the digital assistants that field household requests—all of these devices capture and share data about our habits, our interests, and even our comings and goings. Yet we largely don’t know it’s happening—or, for that matter, with whom we’re sharing this information, and to what end.

I wrote this book for anyone who wants to live online as safely and privately as possible, for the sake of themselves and their family. And that should be plenty of us. With news of data breaches, companies sharing our personal information without our knowledge, and cybercrime robbing the global economy of an estimated $600 billion a year, it’s easy to feel helpless. But we’re not. There are things we can do. It’s time to understand how we’re creating all this personal information so we can control its flow, and who has access to it. The book takes an even-handed look at the most prevalent privacy and security challenges facing individuals and families today. It skips the scare tactics that can dominate the topic, and illustrates the steps each of us can take to lead more private and secure lives in an increasingly connected world.

The notion that binds the book together is the idea of a personal data lake. “Data lake” is a widely used term in business to reflect a large repository of data that companies collect and store. In the book I explore how we create personal data lakes as we go about our digital lives. I explore how our data lakes fill as we do more and more activities online, and offer insights that can be used to protect our personal data lakes, so that we can live more privately and enjoy safe online experiences.

This book is for people in families of any size or structure. It looks at security and privacy across the stages of life, and explores the roles each of us play in those stages, from birth to the time we eventually leave a digital legacy behind, along with important milestones and transitional periods in between. You’ll see how security and privacy are pertinent at every step of your digital journey, and how specific age groups have concerns that are often unique to that stage of life. The structure allows you to easily navigate to the chapters and sections that most relate to the life stage you are in, and offers guidance.

This book, like most things in life, is about choice. You can choose to roll the dice and hope that you’re not one of the hundreds of millions who are victims each year of phishing scams, ransomware attacks, and identity theft, or among the handful of people who still fall for the Nigerian prince lottery scam. You can also choose to use your computers, tablets, smartphones, and personal assistants as you have been, letting companies grift all kinds of personal information from you, without your knowledge or consent. Or you can choose to embrace the guidelines outlined in the book and make it much more difficult for a bad actor or cybercriminal to make you or your loved ones a victim.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

The post Introduction to “Is Your Digital Front Door Unlocked?” a book by Gary Davis appeared first on McAfee Blogs.

Smashing Security #144: Google helps the FBI, Twitter Jack’s hijack, and car data woes

Should Google really be helping the FBI with a bank robbery? What’s the story behind the Twitter CEO claiming there’s a bomb in their offices? And how much does your car really know about you?

And we mourn the loss of Doctor Who legend Terrance Dicks…

Protecting Your Engineering Business from Industrial Espionage and Cybercriminals

Industrial espionage is a much more common occurrence than many people realize. As a business grows and begins to compete at a higher level, the stakes grow and its corporate secrets become more valuable. It isn’t just other businesses that might want this information; hackers who think they can sell it will also be sniffing about.

Even if you can’t eliminate the risk entirely, there are certain things you can do to reduce the risk of a security breach in your business.

Shred Documents

While hackers do much of their work from their computers, they also often rely on a number of offline methods to enhance their effectiveness. For example, social engineering is regularly used to coerce people into unwittingly undermining otherwise very secure systems. Countering social engineering is difficult, although educating your employees about it will go a long way to mitigating the risk.

If a hacker wants to access your systems but is struggling to breach your cybersecurity, they may well turn to other methods to get through your security, including rummaging through bins for any discarded documents. If that sounds desperate to you, you might not realize just how often it works.

Make sure that any documentation that contains information that would be of interest to a would-be hacker, or corporate competitor, is completely destroyed when it is no longer needed. Make sure that if you use a shredder to do this, it is one that shreds documents securely.

Don’t Print Sensitive Information if You Don’t Have to

Of course, what would be better than having to securely destroy documents would be to not generate those documents to begin with. If you don’t have to print out sensitive information – don’t! If your sensitive documents are protected by a decent cybersecurity system, they will be about as safe as they can be. A physical document is much less secure.

Keep Your Schematics Under Wraps

Anyone who has access to the design schematics of your most important products will be able to reverse engineer them and probe them for weaknesses, even if they don’t have access to a physical device. Modern engineering businesses, like businesses in a number of other industries, make extensive use of printed circuit boards. If a competitor gets their hands on your PCB schematics, they can easily copy your proprietary technology.

Designing your own PCBs using Altium.com or a similar software package means that you can produce hardware that is unique to your engineering business. This should give you an added layer of security, as a potential hacker or criminal won’t know the internal layout and therefore won’t know what the potential entry points are. However, if they get their hands on your schematics, you instantly lose this benefit.

Keep it Need to Know

Your most sensitive corporate secrets shouldn’t be given to anyone who doesn’t need them. In any business, there will be coworkers who also become friends. Even if people only see each other when they’re at work, they will often develop friendly relationships with one another. It is important to maintain a distinction between business and pleasure – don’t feel bad about withholding sensitive information from someone that you trust if there is no reason for them to have that information.

If you want to keep your engineering business secure, you need to make sure that workers at all levels understand their individual role in ensuring the security of the business as a whole. All it takes is one clueless person to undermine even the most secure cybersecurity system.

The post Protecting Your Engineering Business from Industrial Espionage and Cybercriminals appeared first on CyberDB.

Chinese deepfake app Zao sparks privacy row after going viral

Critics say face-swap app could spread misinformation on a massive scale

A Chinese app that lets users convincingly swap their faces with film or TV characters has rapidly become one of the country’s most downloaded apps, triggering a privacy row.

Related: The rise of the deepfake and the threat to democracy

In case you haven't heard, #ZAO is a Chinese app which completely blew up since Friday. Best application of 'Deepfake'-style AI facial replacement I've ever seen.

Here's an example of me as DiCaprio (generated in under 8 secs from that one photo in the thumbnail) pic.twitter.com/1RpnJJ3wgT


7 Questions to Ask Your Child’s School About Cybersecurity Protocols

Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?

There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions. 

The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.

Prime Targets

According to one report, a U.S. school district becomes the victim of a cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools, where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft.

Top three cyberthreats

The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom. 

Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.

In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless. 

7 key questions to ask

  1. Does the school have a data security and privacy policy in place as well as cyberattack response plan?
  2. Does the school have a system to educate staff, parents, and students about potential risks and safety protocols? 
  3. Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
  4. Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
  5. Are data security and student privacy a fundamental part of onboarding new school employees?
  6. Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
  7. Does the school have any new technology initiatives planned? If so, how will it address student data protection?

The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.

Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same. 


The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.

Cybersecurity in Schools: What Families Need to Know


Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure. 


Unsecured School WiFi

Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication. PSK authentication is the practice of sharing a single WiFi password with network users in order to grant access. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.

Weak Cybersecurity Practices

A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigation Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit a security flaw that left sensitive student data accessible through a simple change to a numeric ID in a URL. While the scope of the vulnerability was being explored, 81 students’ private data was exposed, including Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.
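The Stanford flaw described above is the classic insecure direct object reference: the application trusts the record number in the URL and never asks whether the logged-in user is entitled to that record. As an added example (not NolijWeb’s code; the record store, the two user roles, and the field names are all constructed), the vulnerable lookup is shown next to a hardened one that authorizes the object, not just the session, and records denied requests so that probing shows up in the logs:

```python
"""Record lookup by numeric ID: the pattern behind the NolijWeb exposure
described above, beside its fix. Added example; the store, users, roles and
field values are constructed and stand in for a real document system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    role: str  # assumed roles for this example: "student" or "registrar"


@dataclass(frozen=True)
class StudentRecord:
    record_id: int
    owner: str       # username of the student the record belongs to
    ssn_last4: str   # constructed placeholder, not real data


# Constructed in-memory store standing in for the document database.
RECORDS: Dict[int, StudentRecord] = {
    1001: StudentRecord(1001, "alice", "1234"),
    1002: StudentRecord(1002, "bob", "5678"),
}

# Denied (user, record_id) requests; in a real system this is an audit log
# entry, and a burst of them from one account is the signal to alert on.
DENIED_ATTEMPTS: List[Tuple[str, int]] = []


def get_record_vulnerable(current_user: User, record_id: int) -> Optional[StudentRecord]:
    """Vulnerable: the session proves who the caller is, but nothing ties the
    requested ID to them. Changing the number in the URL returns another
    student's record, which is exactly the flaw the article describes."""
    return RECORDS.get(record_id)


def get_record_hardened(current_user: User, record_id: int) -> Optional[StudentRecord]:
    """Hardened: authorize the object, not just the session. The lookup is
    scoped to the caller unless their role explicitly permits broader access.
    'Missing' and 'not yours' both return None so the response does not
    confirm which IDs exist."""
    record = RECORDS.get(record_id)
    if record is None:
        return None
    if current_user.role == "registrar" or record.owner == current_user.username:
        return record
    DENIED_ATTEMPTS.append((current_user.username, record_id))
    return None


if __name__ == "__main__":
    alice = User("alice", "student")
    print("vulnerable:", get_record_vulnerable(alice, 1002))   # bob's record leaks
    print("hardened:  ", get_record_hardened(alice, 1002))     # None
    print("denied log:", DENIED_ATTEMPTS)
```

The ownership check is the fix; the denied-request log is what turns a later probe into something the school’s administrators can see, rather than something they learn about from a researcher’s disclosure.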

Targeted Cybersecurity Attacks

Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone. The threat has become a large enough issue that the FBI has released a public service announcement warning that the education sector was one of those most frequently targeted by social engineering schemes and phishing attacks. 

Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attacker who targets a school so that they won’t have to take a test may not be as costly as one that targets student data, it still can grind a school system to a halt.

How to Protect Your Student’s Cybersecurity

How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about the strength of their firewalls, their email security measures, and the amount of encryption applied to their data storage systems. If you’re not satisfied with their measures, be your child’s cybersecurity advocate.

Although you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). This will wrap your child’s data in a tunnel of encryption, protecting them from prying eyes wherever they go. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect and disconnect to their VPN at will.

Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Your child knows to wear a seatbelt when riding in someone else’s car; they should also know how to stay safe online, whether at home, at school, or at a friend’s house.

The key to truly protecting your children from potential cybersecurity threats is education, both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.

The post Cybersecurity in Schools: What Families Need to Know appeared first on Webroot Blog.

Digital Parenting: How to Keep the Peace with Your Kids Online

Simply by downloading the right combination of apps, parents can now track their child’s location 24/7, monitor their social conversations, and inject their thoughts into their lives in a split second. To a parent, that’s called safety. To kids, it’s considered maddening.

Kids are making it clear that parents armed with apps are overstepping their roles in many ways. And parents, concerned about the risks online, are making it clear they aren’t about to let their kids run wild.

I recently watched the relationship of a mother and her 16-year-old daughter fall apart over the course of a year. When the daughter got her driver’s license (along with her first boyfriend), the mother started tracking her daughter’s location with the Life360 app to ease her mind. However, the more she tracked, the more the confrontations escalated. Eventually, the daughter, feeling penned in, waged a full-blown rebellion that is still going strong.

There’s no perfect way to parent, especially in the digital space. There are, however, a few ways that might help us drive our digital lanes more efficiently and keep the peace. But first, we may need to curb (or ‘chill out on’ as my kids put it) some annoying behaviors we may have picked up along the way.

Here are just a few ways to keep the peace and avoid colliding with your kids online:

Interact with care on their social media. It’s not personal. It’s human nature. Kids (tweens and teens) don’t want to hang out with their parents in public — that especially applies online. They also usually aren’t too crazy about you connecting with their friends online. And tagging your tween or teen in photos? Yeah, that’s taboo. Tip: If you need to comment on a photo (be it positive or negative) do it in person or with a direct message, not under the floodlights of social media. This is simply respecting your child’s social boundaries. 

Ask before you share pictures. Most parents think posting pictures of their kids online is a simple expression of love or pride, but to kids, it can be extremely embarrassing, and even an invasion of privacy. Tip: Be discerning about how much you post about your kids online and what you post. Junior may not think a baby picture of him potty training is so cute. Go the extra step and ask your child’s permission before posting a photo of them.

Keep tracking and monitoring in check. Just because you have the means to monitor your kids 24/7 doesn’t mean you should. It’s wise to know where your child goes online (and off), but when that action slips into a preoccupation, it can wreck a relationship (it’s also exhausting). The fact that some kids make poor digital choices doesn’t mean your child will. If your fears about the online world and assumptions about your child’s behavior have led you to obsessively track their location, monitor their conversations, and hover online, it may be time to re-engineer your approach. Tip: Put the relationship with your child first. Invest as much time in talking to your kids and spending one-on-one time with them as you do in tracking them. Put conversation before control so that you can parent from confidence, rather than fear.

Avoid interfering in conflicts. Kids will be bullied, meet people who don’t like them and go through tough situations. Keeping kids safe online can be done with wise, respectful monitoring. However, that monitoring can slip into lawnmower parenting (mowing over any obstacle that gets in a child’s path) as described in this viral essay. Tip: Don’t block your child’s path to becoming a capable adult. Unless there’s a serious issue to your child’s health and safety, try to stay out of his or her online conflicts. Keep it on your radar but let it play out. Allow your child to deal with peers, feel pain, and find solutions. 

As parents, we’re all trying to find the balance between allowing kids to have their space online and still keeping them safe. Too much tracking can cause serious family strife, while too little can be inattentive in light of the risks. Parenting today is a difficult road that’s always a work in progress, so give yourself permission to keep learning and improving your process along the way.

The post Digital Parenting: How to Keep the Peace with Your Kids Online appeared first on McAfee Blogs.

Myki data release breached privacy laws and revealed travel histories, including of Victorian MP

Researchers able to identify MP Anthony Carbines’s travel history using tweets and Public Transport Victoria dataset

The three-year travel history of a Victorian politician was able to be identified after the state government released the supposedly “de-identified” data of more than 15m myki public transport users in a breach of privacy laws.

In July 2018, Public Transport Victoria (now the Department of Transport) released a dataset containing 1.8bn travel records for 15.1m myki public transport users for the period between June 2015 and June 2018.

Related: Major breach found in biometrics system used by banks, UK police and defence firms

See you about 05.24AM tomorrow at Rosanna to catch the first train to town. Well done all. Thanks for hanging in there. Massive construction effort. Single track gone. Two level crossings gone. The trains! The trains! The trains are coming! pic.twitter.com/kk2Cj3ey9T


Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season

With summer coming to a close, it’s almost time for back to school! Back to school season is an exciting time for students, especially college students, as they take their first steps towards independence and embark on journeys that will shape the rest of their lives. As students across the country prepare to start or return to college, we here at McAfee have revealed new findings indicating that many are not proactively protecting their academic data. Here are the key takeaways from our survey of 1,000 Americans, ages 18-25, who attend or have attended college:

Education Needs to Go Beyond the Normal Curriculum

While many students are focused on classes like biology and business management, very few get the proper exposure to cybersecurity knowledge. 80% of students have been affected by a cyberattack or know a friend or family member who has been affected. However, 43% claim that they don’t think they will ever be a victim of a cybercrime in the future.

Educational institutions are very careful to promote physical safety, but what about cyber safety? It turns out only 36% of American students claim that they have learned how to keep personal information safe through school resources. According to 42% of our respondents, they learn the most about cybersecurity from the news. To help improve cybersecurity education in colleges and universities, these institutions should take a certain level of responsibility when it comes to training students on how they can help keep their precious academic data safe from cybercriminals.

Take Notes on Device Security

Believe it or not, many students fail to secure all of their devices, opening them up to even more vulnerabilities. While half of students have security software installed on their personal computers, this isn’t the case for their tablets or smartphones. Only 37% of students surveyed have smartphone protection, and only 13% have tablet protection. What’s more, about one in five (21%) students don’t use any cybersecurity products at all.

Class Dismissed: Cyberattacks Targeting Education Are on the Rise

According to data from McAfee Labs, cyberattacks targeting education in Q1 2019 have increased by 50% from Q4 2018. The combination of many students being uneducated in proper cybersecurity hygiene and the vast array of shared networks that these students are simultaneously logged onto gives cybercriminals plenty of opportunities to exploit when it comes to targeting universities. Some of the attacks utilized include account hijacking and malware, which made up more than 70% of attacks on these institutions from January to May of 2019. And even though these attacks are on the rise, 90% of American students still use public Wi-Fi and only 18% use a VPN to protect their devices.

Become a Cybersecurity Scholar

In order to go into this school year with confidence, students should remember these security tips:

  • Never reuse passwords. Use a unique password for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. You can also use a password manager so you don’t have to worry about remembering various logins.
  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public. Protect your identity by turning your profiles to private so you can control who can follow you. You should also take the time to understand the various security and privacy settings to see which work best for your lifestyle.
  • Use the cloud with caution. If you plan on storing your documents in the cloud, be sure to set up an additional layer of access security. One way of doing this is through two-factor authentication.
  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to keep your connection secure.
  • Discuss cyber safety often. It’s just as important for families to discuss cyber safety as it is for them to discuss privacy on social media. Talk to your family about ways to identify phishing scams, what to do if you may have been involved in a data breach, and invest in security software that scans for malware and untrusted sites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season appeared first on McAfee Blogs.

23M CafePress Accounts Compromised: Here’s How You Can Stay Secure

You’ve probably heard of CafePress, a custom T-shirt and merchandise company allowing users to create their own unique apparel and gifts. With a plethora of users looking to make their own creative swag, it’s no surprise that the company was recently targeted in a cybercriminal ploy. According to Forbes, CafePress experienced a data breach back in February that exposed over 23 million records including unique email addresses, names, physical addresses, phone numbers, and passwords.

How exactly did this breach occur? While the details are still unclear, security researcher Jim Scott stated that approximately half of the breached passwords had been exposed because they were stored using a weak scheme, base64-encoded SHA1. As a result, the breach database service HaveIBeenPwned sent out an email notification to those affected letting them know that their information had been compromised. According to Engadget, about 77% of the email addresses in the breach have shown up in previous breach alerts on HaveIBeenPwned.
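To make the base64 SHA1 point concrete, here is an added example (not CafePress code, and not from the article) showing why that kind of storage exposes passwords once a database leaks, beside a hardened form. It assumes the weak scheme was a plain, unsalted SHA-1 digest encoded with base64; the hardened version uses a per-user random salt and PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import base64
import hashlib
import hmac
import os
from collections import Counter

# Weak scheme (assumption: unsalted SHA-1, base64-encoded). Every user with the
# same password gets the identical stored value, so one precomputed table of
# common passwords matches all of them at once, and SHA-1 is fast to compute.
def store_weak(password):
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_weak(password, stored):
    return hmac.compare_digest(store_weak(password), stored)


# Hardened scheme: random 16-byte salt per user plus a deliberately slow KDF.
# PBKDF2 is used because it ships with hashlib; argon2id or bcrypt are equally good.
PBKDF2_ITERATIONS = 600_000


def store_strong(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_strong(password, stored):
    # The record is self-describing, so the iteration count can be raised later
    # and old records still verify (and can be re-hashed at next login).
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def duplicate_hash_ratio(stored_values):
    """Defender-side check over a credential table: the share of rows whose stored
    value is identical to another row's. A high ratio means no per-user salt."""
    if not stored_values:
        return 0.0
    counts = Counter(stored_values)
    duplicated = sum(c for c in counts.values() if c > 1)
    return duplicated / len(stored_values)


if __name__ == "__main__":
    weak_table = [store_weak(p) for p in ("password", "password", "letmein")]
    print("weak duplicates:", duplicate_hash_ratio(weak_table))
    strong_table = [store_strong(p) for p in ("password", "password", "letmein")]
    print("strong duplicates:", duplicate_hash_ratio(strong_table))
```

The `duplicate_hash_ratio` check is the quick audit to run on an existing user table: with unsalted hashes, every user who chose "password" shares one stored value, while the salted scheme gives each of them a different record.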

Scott stated that those who used CafePress through third-party applications like Facebook or Amazon did not have their passwords compromised. And even though third-party platform users are safe from this breach, this isn’t always the case. With data breaches becoming more common, it’s important for users to protect their information as best as they can. Check out the following tips to help users defend their data:

  • Check to see if you’ve been affected. If you know you’ve made purchases through CafePress recently, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 23M CafePress Accounts Compromised: Here’s How You Can Stay Secure appeared first on McAfee Blogs.

5 Digital Risks That Could Affect Your Kids This New School Year

Starting a new school year is both exciting and stressful for families today. Technology has magnified learning and connection opportunities for our kids but not without physical and emotional costs that we can’t overlook this time of year.

But the transition from summer to a new school year offers families a fresh slate and the chance to evaluate what digital ground rules need to change when it comes to screen time. So as you consider new goals, here are just a few of the top digital risks you may want to keep on your radar.

  1. Cyberbullying. The online space for a middle or high school student can get ugly this time of year. In two years, cyberbullying has increased significantly from 11.5% to 15.3%. Also, three times as many girls reported being harassed online or by text than boys, according to the U.S. Department of Education.
    Back-to-School Tip: Keep the cyberbullying discussion honest and frequent in your home. Monitor your child’s social media apps if you have concerns that cyberbullying may be happening. To do this, click the social icons periodically to explore behind the scenes (direct messages, conversations, shared photos). Review and edit friend lists, maximize location and privacy settings, and create family ground rules that establish expectations about appropriate digital behavior, content, and safe apps. Make an effort to stay current on the latest social media apps, trends, and texting slang so you can spot red flags. Lastly, be sure kids understand the importance of tolerance, empathy, and kindness among diverse peer groups.
  2. Oversharing. Did you know that 30% of parents report posting a photo of their child(ren) to social media at least once per day, and 58% don’t ask permission? By the age of 13, studies estimate that parents have posted about 1,300 photos and videos of their children online. A family’s collective oversharing can put your child’s privacy, reputation, and physical safety at risk. Besides, with access to a child’s personal information, a cybercriminal can open fraudulent accounts just about anywhere.
    Back-to-School Tip: Think before you post and ask yourself, “Would I be okay with a stranger seeing this photo?” Make sure there is nothing in the photo that could be an identifier such as a birthdate, a home address, school uniforms, financial details, or password hints. Also, maximize privacy settings on social networks and turn off photo geo-tagging that embeds photos with a person’s exact coordinates. Lastly, be sure your child understands the lifelong consequences that sharing explicit photos can have on their lives.
  3. Mental health + smartphone use. There’s no more disputing it (or indulging tantrums that deny it) smartphone use and depression are connected. Several studies of teens from the U.S. and U.K. reveal similar findings: That happiness and mental health are highest at 30 minutes to two hours of extracurricular digital media use a day. Well-being then steadily decreases, according to the studies, revealing that heavy users of electronic devices are twice as unhappy, depressed, or distressed as light users.
    Back-to-School Tip: Listen more and talk less. Kids tend to share more about their lives, friends, hopes, and struggles if they believe you are truly listening and not lecturing. Nurturing a healthy, respectful, mutual dialogue with your kids is the best way to minimize a lot of the digital risks your kids face every day. Get practical: Don’t let your kids have unlimited phone use. Set and follow media ground rules and enforce the consequences of abusing them.
  4. Sleep deprivation. Sleep deprivation connected to smartphone use can dramatically increase once the hustle of school begins and Fear of Missing Out (FOMO) accelerates. According to a 2019 Common Sense Media survey, a third of teens take their phones to bed when they go to sleep; 33% of girls versus 26% of boys. Also, 1 in 3 teens reports waking up at least once per night and checking their phones.
    Back-to-School Tip: Kids often text, play games, watch movies or YouTube videos, randomly scroll social feeds, or read the news on their phones in bed. For this reason, establish a phone curfew that prohibits this. Sleep is food for the body, and tweens and teens need about 8 to 10 hours to keep them healthy. Discuss the physical and emotional consequences of losing sleep, such as sleep deprivation, increased illness, poor grades, moodiness, anxiety, and depression.
  5. School-related cyber breaches. A majority of schools do an excellent job of reinforcing the importance of online safety these days. However, that doesn’t mean a school’s own systems aren’t vulnerable to cyber threats, which can put your child’s privacy at risk. Breaches happen in the form of phishing emails, ransomware, and any gaps left by weak security practices.
    Back-to-School Tip: Demand that schools be transparent about the data they are collecting from students and families. Opt out of the school’s technology policy if you believe it doesn’t protect your child or if you sense an indifferent attitude about privacy. Ask the staff about its cybersecurity policy to ensure it has secure password, software, and network standards, since weaknesses there could lead to your family’s data being compromised.

Stay the course, parent, you’ve got this. Armed with a strong relationship and media ground rules relevant to your family, together, you can tackle any digital challenge the new school year may bring.

The post 5 Digital Risks That Could Affect Your Kids This New School Year appeared first on McAfee Blogs.

Capital One Data Breach: How Impacted Users Can Stay More Secure

Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target to carry out large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and more.

According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed command execution on a server that had access to data in Capital One’s storage space at Amazon. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”

This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:

  • Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
  • Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.

Downloaded FaceApp? Here’s How Your Privacy Is Now Affected

If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking elderly. That’s because FaceApp, an AI face editor that went viral in 2017, is making a major comeback with the so-called FaceApp Challenge — where celebrities and others use the app’s old age filter to add decades onto their photos. While many folks have participated in the fun, there are some concerns about the way that the app operates when it comes to users’ personal privacy.

According to Forbes, over 100,000 million people have reportedly downloaded FaceApp from the Google Play Store and the app is the number one downloaded app on the Apple App Store in 121 different countries. But what many of these users are unaware of is that when they download the app, they are granting FaceApp full access to the photos they have uploaded. The company can then use these photos for their benefit, such as training their AI facial recognition algorithm. And while there is currently nothing to indicate that the app is taking photos for malicious intent, it is important for users to be aware that their personal photos may be used for other purposes beyond the original intent.

So, how can users enjoy the entertainment of apps like FaceApp without sacrificing their privacy? Follow these tips to help keep your personal information secure:

  • Think before you upload. It’s always best to err on the side of caution with any personal data and think carefully about what you are uploading or sharing. A good security practice is to only share personal data, including personal photos, when it’s truly necessary.
  • Update your settings. If you’re concerned about FaceApp having permission to access your photos, it’s time to assess the tools on your smartphone. Check which apps have access to information like your photos and location data. Change permissions by either deleting the app or changing your settings on your device.
  • Understand and read the terms. Consumers can protect their privacy by reading the Privacy Policy and terms of service and knowing who they are dealing with.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Downloaded FaceApp? Here’s How Your Privacy Is Now Affected appeared first on McAfee Blogs.

Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying

The past few weeks have proven to be wins for family safety with several top social networks announcing changes to their policies and procedures to reduce the amount of hateful conduct and online bullying.

Twitter: ‘Dehumanizing Language Increases Risk’

In response to rising violence against religious minorities, Twitter said this week that it would update its hateful conduct rules to include dehumanizing speech against religious groups.

“Our primary focus is on addressing the risks of offline harm, and research shows that dehumanizing language increases that risk . . . we’re expanding our rules against hateful conduct to include language that dehumanizes others based on religion,” the company wrote on its Twitter Safety blog.

Twitter offered two resources that go in-depth on the link between dehumanizing language and offline harm that is worth reading and sharing with your kids. Experts Dr. Susan Benesch and Nick Haslam and Michelle Stratemeyer define hate speech, talk about its various contexts, and advise on how to counter it.

Instagram: ‘This intervention gives people a chance to reflect.’ 

Instagram announced it would be rolling out two new features to reduce potentially offensive content. The first, powered by artificial intelligence, prompts users to pause before posting. For instance, if a person is about to post a cruel comment such as “you are so stupid,” the user will get a pop-up notification asking, “are you sure you want to post this?”

A second anti-bullying function new to Instagram is called “Restrict,” a setting that will allow users to indiscreetly block bullies from looking at your account. Restrict is a quieter way to cut someone off from seeing your content than blocking, reporting, or unfollowing, which could spark more bullying.

These digital safety moves by both Instagram and Twitter are big wins for families concerned about the growing amount of questionable content and bullying online.

If you get a chance, go over the basics of these new social filters with your kids.

Other ways to avoid online bullying:

Wise posting. Encourage kids to pause and consider tone, word choice, and any language that may be offensive or hurtful to another person, race, or gender. You are your child’s best coach and teacher when it comes to using social apps responsibly.

Stay positive and trustworthy. Coach kids around online conflict and the importance of sharing verified information. Encourage your child to be part of the solution in stopping rumors and reporting digital skirmishes and dangerous content to appropriate platforms.

Avoid risky apps. Apps like ask.fm that allow anonymity should be off limits. Kik Messenger, Yik Yak, Tinder, Down, and Whisper may also present risks. Remember: Any app is risky if kids are reckless with privacy settings, conduct, content, or the people they allow to connect with them.

Layer security. Use a comprehensive solution to help monitor screentime, filter content, and monitor potentially risky apps and websites.

Monitor gaming communities. Gaming time can skyrocket during the summer and in a competitive environment, so can cyberbullying. Listen in and monitor game time conversations and make every effort to help him or her balance summer gaming time.

Make profiles and photos private. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying and online conflict.

The post Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying appeared first on McAfee Blogs.

Watch Your Webcam: Tips to Protect Your Mac From Zoom Hackers

You’ve probably heard of the popular video conferencing platform, Zoom. This platform enables its millions of users in various locations to virtually meet face to face. In an effort to enhance user experience and work around changes in Safari 12, Zoom installed a web server that allows users to enjoy one-click-to-join meetings. Unfortunately, a security researcher recently disclosed that this product feature acts as a flaw that could allow cybercriminals to activate a Mac user’s webcam without their permission.

How exactly does this vulnerability work? Cybercriminals are able to exploit a feature that allows users to send a meeting link directly to a recipient. When the recipient clicks on the link, they are automatically launched into the video conferencing software. If the user has previously installed the Zoom app onto their Mac and hasn’t turned off their camera for meetings, Zoom will auto-join the user to a conference call with the camera on. With this flaw, an attacker can send a victim a meeting link via email message or web server, allowing them to look into a victim’s room, office, or wherever their camera is pointing. It’s important to note that even if a user has deleted the Zoom app from their device, the Zoom web server remains, making the device susceptible to this vulnerability.

While the thought of someone unknowingly accessing a user’s Mac camera is creepy, this vulnerability could also result in a Denial of Service (DoS) attack by overwhelming a user’s device with join requests. And even though this flaw has been patched by Zoom, it’s important for users to realize that this update is not enforced by the platform. So, how can Zoom users avoid getting sucked into a potentially malicious call? Check out these security tips to stay secure on conference calls:

  • Adjust your Zoom settings. Users can disable the setting that allows Zoom to turn your camera on when joining a meeting. This will prevent a hacker from accessing your camera if you are sent a suspicious meeting link.
  • Update, update, update. Be sure to manually install the latest Zoom update to prevent DoS or other potential attacks. Additionally, Zoom will introduce an update in July that allows users to apply video preferences from their first call to all future calls. This will ensure that if a user joins their first meeting without video, this setting will remain consistent for all other calls.
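The detail that the helper web server survives uninstalling the app is the part worth checking for. Below is an added example, not from the article or from Zoom, of the defender-side audit: list every TCP socket listening on the loopback interface and flag the ones not owned by an application you expect to run a local server. The sample `lsof` output, the process names and the port numbers are all constructed placeholders, not the real Zoom values; on a live Mac the `live_listeners` function runs `lsof` itself.

```python
import re
import subprocess

# Constructed sample in the format of `lsof -nP -iTCP -sTCP:LISTEN` on macOS.
# Process names, PIDs, device ids and ports are placeholders.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    412 alice   4u  IPv4 0x1a2b3c4d5e6f7a8b      0t0  TCP *:49152 (LISTEN)
leftoverd   990 alice   7u  IPv4 0x1a2b3c4d5e6f7a8c      0t0  TCP 127.0.0.1:4444 (LISTEN)
Slack      1201 alice  22u  IPv6 0x1a2b3c4d5e6f7a8d      0t0  TCP [::1]:6000 (LISTEN)
"""

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)"
)

# Addresses that are reachable only from the machine itself. A browser on the
# same machine can still reach them, which is why a hidden local server matters.
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}


def parse_listeners(lsof_text):
    """Return (command, pid, address, port) for each listening TCP socket."""
    listeners = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["cmd"], int(m["pid"]), m["addr"], int(m["port"])))
    return listeners


def unexpected_loopback_listeners(listeners, allowlist):
    """Loopback listeners whose owning process is not on the allowlist of
    applications known to run a local helper server."""
    return [l for l in listeners if l[2] in LOOPBACK and l[0] not in allowlist]


def live_listeners():
    """Run lsof on this machine (macOS or Linux) and parse its output."""
    proc = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=False,
    )
    return parse_listeners(proc.stdout)


if __name__ == "__main__":
    # Allowlist is a placeholder; populate it from your own inventory.
    known_local_servers = {"rapportd", "Slack"}
    for cmd, pid, addr, port in unexpected_loopback_listeners(live_listeners(), known_local_servers):
        print(f"review: {cmd} (pid {pid}) is listening on {addr}:{port}")
```

Anything the audit reports after an application has been uninstalled is a leftover worth investigating and removing, since a listener that outlives its app keeps accepting whatever requests a web page can send to it.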

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Watch Your Webcam: Tips to Protect Your Mac From Zoom Hackers appeared first on McAfee Blogs.

Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer

If you haven’t seen your kids in a few hours but can hear outbursts of laughter from a nearby room, chances are, they — along with millions of other kids — are watching YouTube. The popular digital video hub has more viewers than network television and soaks up more than 46,000 years of our collective viewing time annually. Chances are your kids will be part of the YouTube digital mosh pit this summer, but do you know the risks?

Types of screen time

The quality of online time for kids usually shifts during the summer months. For example, there’s active screen time and passive screen time. Knowing the difference between the two can help your family decide best how to balance device use — especially when it comes to consuming endless hours on YouTube.

Active screen time requires a person’s cognitive and/or physical engagement and develops social, language, or physical skills. Engaging in activities such as researching, creating original content, learning a new program, and playing educational games is considered active screen usage. Active screen time tends to go up during the school year and down in the summer.

Passive screen time is passively absorbing information via a screen, app, or game for entertainment reasons only. This includes scrolling through social networks, watching movies (binge watching), and watching YouTube videos. Little to no thought or creativity is required when a person engages in repetitious, passive screen activities.

According to a Common Sense Media study, children ages 8 to 12 spend nearly six hours per day using media, and teenagers average closer to nine hours a day (numbers don’t include school work). It’s safe to say that during the summer, these numbers climb even higher — as do the risks.

Here are a few ways to balance screen time and boost safety on YouTube this summer.

YouTube: 5 Family Talking Points

  • Explore YouTube. The best way to understand the culture of YouTube is to spend time there. Ask your kids about their favorite channels and what they like about them. Get to know the people they follow — after all, these are the people influencing your child. Here’s a sampling of a few top YouTubers: MattyBRaps (music), JoJoSiwa (music, dance), Brooklyn and Bailey (vlogs, challenges, music), Baby Ariel (challenges, vlog), Johnny Orlando (music), PewDiePie (comedy), Jacy and Kacy (crafts, challenges), Bethany Mota (shopping hauls), Grav3yardgirl (makeup), Smosh (comedy).
  • Respect age limits. YouTube is packed with humor, tutorials, pranks, vlogs, music, reviews, and endlessly engaging content. However, age limits exist for a good reason because the channel also has its share of dangerous content. The darker side of YouTube is always just a click away and includes sexual content, hate content, harassment and cyberbullying, violent and graphic content, and scams.
  • Turn on restricted mode. By turning on the restricted mode you can block videos with mature content from a user’s searches, related videos, playlists, and shows — this is a big deal since many “up next” videos (on the right side of the screen) are cued to play automatically and can lead kids to sketchy content. In addition to the restricted mode, consider an extra layer of protection with filtering software for all your family devices.
  • Opt for YouTube Kids. For kids under 13, YouTube Kids is a safe video platform, specially curated for young viewers. Kids may snub any platform designed “for kids,” however, if you are worried about younger kids running into inappropriate content, this is your best video option.
  • Discuss the ‘why’ behind the rules. As a parent, you know the possible ways YouTube — or other social platforms — can be harmful. Don’t assume your kids do. Kids are immersed in their peer groups online, which means danger and harm aren’t primary concerns. Even so, before you lecture kids about the dangers of YouTube, open up a dialogue around the topic by asking great questions. Here are just a few to get you started:

  • Do you understand why it’s important to filter YouTube content and respect age limits (inappropriate content, cyberbullying)?
  • Do you understand why unboxing and makeup videos are so popular (advertisers want you to purchase)?
  • Do you understand why we need to balance between screen time this summer? (mental, physical health)
  • Do you know why this piece of content might be fake or contain questionable information (conspiracy, hate, or political videos)?

As the public increasingly demands social networks do more to remove harmful or objectionable content, one thing is clear: Despite strides in this area by a majority of platforms, no online social hub is (or will likely ever be) 100% safe. The best way to keep kids safe online is by nurturing a strong parent-child connection and having consistent conversations designed to equip and educate kids about digital risks and responsibility.

The post Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer appeared first on McAfee Blogs.

Study: Fortnite Game Becoming the Preferred Social Network for Kids

According to a study recently released by National Research Group (NRG), the wildly popular video game Fortnite is growing beyond its intended gaming platform into a favored social network where kids go daily to chat, message, and connect.

The study represents the most in-depth study on Fortnite to date and contains essential takeaways for parents trying to keep up with their kids’ social networking habits. According to the NRG study, “Fortnite is the number one service teens are using, and audiences cite its social elements as the primary motivators for playing.”

The popular game now claims more than 250 million users around the world, and for its audience of teens (ages 10-17) who play at least once a week, Fortnite consumes about 25% of their free time, cites NRG adding that “Fortnite presents a more hopeful meta-verse where community, inclusivity, creativity and authentic relationships can thrive.”

Summer gaming 

With school break now upon us, the NRG study is especially useful since screentime tends to jump during summer months. Here are some of the risks Fortnite (and gaming in general) presents and some tips on how to increase privacy and safety for young users who love this community.

Fortnite safety tips 

Activate parental controls. Kids play Fortnite on Xbox One, PlayStation 4, Nintendo Switch, and iOS. Parents can restrict and monitor playing time by going into the Settings tab of each device, its related URL, or app. Another monitoring option for PC, tablets, and mobile devices is monitoring software.

Listen, watch, learn. Sit with your kids and listen to and watch some Fortnite sessions. Who are they playing with? What’s the tone of the conversation? Be vocal about anything that concerns you and coach your child on how to handle conflict, strangers online (look at their friend list), and bullying.

Monitor voice chat. Voice chat is an integral part of Fortnite if you are playing in squads or teams. Without the chat function, players can’t communicate in real-time with other team members. Voice chat is also a significant social element of the game because it allows players to connect and build community with friends anywhere. Therein lies the risk — voice chat also allows kids to play the game with strangers so the risk of inappropriate conversation, cyberbullying, and grooming are all reported realities of Fortnite. Voice chat can be turned off in Settings and should be considered for younger tween users.

Scams, passwords, and tech addiction. When kids are having a blast playing video games, danger is far from their minds. Talk about the downside so they can continue to play their favorite game in a safe, healthy way. Discuss the scams targeting Fortnite users, the importance of keeping user names and passwords private (and strong), and the reasoning behind gaming screen limits.

Social networks have become inherent to kids’ daily life and an important way to form meaningful peer bonds. With new networks emerging every day such as Fortnite, it’s more important than ever to keep the conversation going with your kids about the genuine risks these fun digital hangouts bring.

The post Study: Fortnite Game Becoming the Preferred Social Network for Kids appeared first on McAfee Blogs.

Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online?

Take it down, please. 

The above is a typical text message parents send to kids when they discover their child has posted something questionable online. More and more, however, it’s kids who are sending this text to parents who habitually post about them online.

Tipping Point

Sadly — and often unknowingly — parents have become some of the biggest violators of their children’s privacy. And, there’s a collective protest among kids that’s expressing itself in different ways. Headlines reflect kids reining in their parents’ posting habits and parents choosing to pull all photos of their kids offline. There’s also a younger generation of voices realizing the effect social media has had on youth, which could be signaling a tipping point in social sharing.

Ninety-two percent of American children have an online presence before the age of 2, and parents post nearly 1,000 images of their children online before their fifth birthday, according to Time. Likewise, in a 2017 UNICEF report, the children’s advocacy group called the practice of “sharenting” – parents sharing information online about their children – harmful to a child’s reputation and safety.

Digital Footprint

This sharenting culture has fast-tracked our children’s digital footprints, which often begin in the womb. Kids now have a digital birth date — the date of the first upload, usually a sonogram photo — in addition to their actual birth date. Sharing the details of life has become a daily routine, with many parents not thinking twice before sharing birthdays, awards, trips, and even more private moments such as bath time or potty training mishaps.

Too often, what a parent views as a harmless post, a child might see as humiliating, especially during the more sensitive teen years. Oversharing can impact a child’s emotional health as well as the parent-child relationship, according to a University of Michigan study.

Diminishing Privacy 

So how far is too far when it comes to the boundaries between public and private life? And, what are the emotional, safety, and privacy ramifications to a child when parents overshare? The sharenting culture has forced us all to consider these questions more closely.

Children’s diminishing privacy is on advocacy agendas worldwide. Recently, the UK Children’s Commissioner released a report called “Who Knows About Me?” that put a spotlight on how we collect and share children’s data and how this puts them at risk.

5 safe sharing tips for families

  1. Stop and think. Be intentional about protecting your child’s privacy. Before you upload a photo or write a post, ask yourself, “Do I really need to share this?” or “Could this content compromise my child’s privacy (or feelings) today or in the future?”
  2. Ask permission. Before publicly posting anything about your child, ask for his or her permission. This practice models respect and digital responsibility. If posting a group photo that includes other children, ask both the child’s consent and his or her parent’s.
  3. Keep family business private. Resist sharing too much about your family dynamic — good or bad — online. Sharing your parenting struggles or posting details about what’s going on with you and your child could cause embarrassment and shame and irreparably harm your relationship.
  4. Consider a photo purge. With your child’s wellbeing, safety, and privacy in mind — present and future — consider going through your social networks and deleting any photos or posts that don’t need to be public.
  5. Talk to kids about the freedom of expression. Every person who logs on to the internet can expect fundamental freedoms, even kids. These include the right to privacy, how our data is shared, and the freedom of expression online. Discuss these points with your children in addition to our collective digital responsibilities such as respect for others, wise posting, downloading legally, citing works properly, and reporting risky behavior or content.

When it comes to parenting, many of us are building our wings on the way down, especially when it comes to understanding all the safety implications around data privacy for children. However, slowing down to consider your child’s wellbeing and privacy with every post is a huge step toward creating a better, safer internet for everyone.

The post Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online? appeared first on McAfee Blogs.

How Business can address the Security Concerns of Online Shoppers

It’s no secret that cybercrime is an epidemic problem affecting online businesses on a global scale. E-commerce businesses are especially affected by data breaches because each breach weakens consumers’ trust that online businesses can protect their personal data. In response to the growing number of breaches, governments and enterprises alike are stepping up to the plate to provide sustainable solutions to the problem.

The UK is aiming to become a world leader in cybersecurity by investing a substantial amount of money (to the tune of £70 million) in the Industrial Strategy Challenge Fund. The fund represents the government’s commitment to increase funding in research and development by £4.7 billion over a four year period. One of the primary goals of the investment will be to supply the industry with the money necessary to design and develop state-of-the-art hardware that’s more secure and resilient to common cyber threats.

The logic stems from the fact that cybercriminals are constantly finding new ways to exploit current technology, so the best way to combat future attacks is to design chips and hardware with stronger security features built in, outpacing the threats. However, this means businesses will have to invest in new IT systems as that hardware rolls out in order to keep their security measures up to par.

For the time being, online business owners need to do everything in their power to address the privacy concerns of their users. In some cases, this might mean investing in more secure and modern e-commerce platforms that offer security features such as TLS (still commonly known as SSL) for every page, security software to protect against malware, and strong, unique admin passwords, with multi-factor authentication on admin accounts where the platform supports it and rotation of credentials whenever compromise is suspected.
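Two of the measures just named, TLS enforced on every page and strong admin credentials, can be checked rather than taken on trust. The following Python example is added here and is not part of the article or of the Wikibuy infographic; the response headers it audits are constructed samples for a hypothetical storefront, and the thresholds it applies (an HSTS max-age of at least 180 days, a 16-character minimum for admin passwords) are this example's own assumptions rather than anything the article states.

```python
"""Baseline storefront checks: audit TLS-related response headers and
generate a strong admin password. All sample data below is constructed."""
import re
import secrets
import string
from typing import List, Tuple

MIN_HSTS_MAX_AGE = 15552000  # 180 days in seconds (assumed threshold)
MIN_ADMIN_PASSWORD_LENGTH = 16  # assumed policy minimum

# Constructed sample responses for a hypothetical storefront. Headers are kept as
# (name, value) pairs because Set-Cookie legitimately appears more than once.
WEAK_RESPONSE: List[Tuple[str, str]] = [
    ("Server", "nginx"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=2f9a1c; Path=/"),
]

HARDENED_RESPONSE: List[Tuple[str, str]] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=2f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "cart=empty; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

REQUIRED_COOKIE_FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))


def audit_headers(headers: List[Tuple[str, str]], scheme: str = "https") -> List[str]:
    """Return a list of findings; an empty list means the baseline checks pass."""
    findings: List[str] = []

    # 1. The page itself must be served over TLS.
    if scheme.lower() != "https":
        findings.append("page served over plain HTTP; redirect every request to HTTPS")

    # 2. HSTS keeps browsers from ever downgrading to HTTP on later visits.
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age shorter than 180 days")

    # 3. Every cookie must be confined to TLS and hidden from page scripts.
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in v.split(";")[1:]}
        for key, label in REQUIRED_COOKIE_FLAGS:
            if key not in attrs:
                findings.append(f"cookie {name!r} missing {label} attribute")
    return findings


PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def password_has_all_classes(password: str) -> bool:
    """True when the password mixes lower, upper, digit and symbol characters."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def generate_admin_password(length: int = 24) -> str:
    """Generate a random admin password with the secrets module (CSPRNG), not random."""
    if length < MIN_ADMIN_PASSWORD_LENGTH:
        raise ValueError(f"admin passwords must be at least {MIN_ADMIN_PASSWORD_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if password_has_all_classes(candidate):  # reject the rare all-one-class draw
            return candidate


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(response) or ['no findings']}")
    print("example admin password:", generate_admin_password())
```

Feed `audit_headers` the headers from the storefront's own HTTP response to turn it into a live check. The password generator is deliberately backed by `secrets` rather than `random`, and the sensible operational rule is to rotate admin passwords when compromise is suspected or an administrator leaves, paired with multi-factor authentication, rather than on a fixed calendar.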

The fact is, there is no way to give customers a 100% guarantee that their personal data is safe, but there are actions webmasters and companies can take to make their websites a lot safer for their customers to use. To help you learn more about how you can secure your site from cyber threats, Wikibuy has laid out 15 steps in the infographic below.


How Business Owners Can Address Online Shopping Concerns