Researchers have shown just how easy it is for third parties to exploit the so-called “smart” speakers that many homeowners have purchased, eavesdropping on conversations and even stealing passwords and credit card details.
Read more in my article on the Bitdefender BOX blog.
The UK government’s porn block was a dead man walking for months, if not years. It is long overdue that this attempt to curb children’s access to online pornography is scrapped. Almost two years ago, a close colleague and I sat in a meeting with one of the policymakers who had recently been asked to implement the proposal. The pained look on his face when we queried his progress confirmed our suspicions that it was an impossible task. It was clear to many that the block could – and would – never come to pass.
The plan did not have just one Achilles’ heel – it had many.
Scientists and other stakeholders cannot access information about what the population is actually doing online.
Data is the most valuable asset/resource on Earth. Still, we have little or no control over who is exploiting ours without our consent. That is what the authors, Jehane Noujaim and Karim Amer, want to make us realize in their documentary film The Great Hack, released by Netflix on July 24, 2019. Jehane Noujaim, American documentary film director, and Karim Amer, Egyptian-American film producer and director, already worked together on The Square (2013), but it …
There’s something ironic about cybercriminals getting “hacked back.” BriansClub, one of the largest underground stores for buying stolen credit card data, has itself been hacked. According to researcher Brian Krebs, the data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.
Most of the records offered up for sale on BriansClub are “dumps.” Dumps are strings of ones and zeros that can be used by cybercriminals to purchase valuables like electronics, gift cards, and more once the digits have been encoded onto anything with a magnetic stripe the size of a credit card. According to Krebs on Security, between 2015 and 2019, BriansClub sold approximately 9.1 million stolen credit cards, resulting in $126 million in sales.
Back in September, Krebs was contacted by a source who shared a plain text file with what they claimed to be the full database of cards for sale through BriansClub. The database was reviewed by multiple people who confirmed that the same credit card records could also be found in a simplified form by searching the BriansClub website with a valid account.
So, what happens when a cybercriminal, or a well-intentioned hacker in this case, wants control over these credit card records? When these online fraud marketplaces sell a stolen credit card record, that record is completely removed from the inventory of items for sale. So, when BriansClub lost its 26 million card records to a benign hacker, they also lost an opportunity to make $500 per card sold.
What good comes from “hacking back” instances like this? Besides the stolen records being taken off the internet for other cybercriminals to exploit, the data stolen from BriansClub was shared with multiple sources who work closely with financial institutions. These institutions help identify and monitor or reissue cards that show up for sale in the cybercrime underground. And while “hacking back” helps cut off potential credit card fraud, what are some steps users can take to protect their information from being stolen in the first place? Follow these security tips to help protect your financial and personal data:
- Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
- Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
- Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.
The post Hack-ception: Benign Hacker Rescues 26M Stolen Credit Card Records appeared first on McAfee Blogs.
Plenty of headlines are warning about anyone’s fingerprint being able to unlock a Samsung Galaxy S10, but I’m not sure it’s quite as simple as that…
As our children venture into toddlerhood, they start to test us a bit. They tug at the tethers we create for them to see just how far they can push us. As they grow and learn, they begin to carve out a vision of the world for themselves—with your guidance, of course, so that they can learn how to live a safe and happy life both now and as they get older.
This is true in the digital world as well.
Typically, at around age two, our kids get their first taste of playing on mommy’s or daddy’s smartphone or tablet and discover an awesome new world of devices and online activities. It’s slow at first—a couple minutes here and there—but, over time, they spend more and more of their day online. You have an opportunity when your child has their first experience with a connected device to set the tone for what’s expected. This is a deliberate teaching moment, the first of many, where you explain how to go safely online and continue to reinforce these behaviors as they grow.
This chapter of “Is Your Digital Front Door Unlocked?” lays out several topics that, if handled in a healthy and constructive way, will make your child’s digital journey much more enjoyable. Topics such as the importance of rules, online etiquette, and the notion of “the talk” as it relates to going online safely are discussed in detail, in the hope of providing a framework that will grow as your child grows.
It also looks at challenges that every parent should be aware of, such as cyberbullying and the impact of screen time on your child. It also introduces the risks associated with online gaming for those just getting started.
I can’t express strongly enough the importance of engagement with your child during the formative years. This chapter will give you plenty of ideas of how to go about it in a way that both you and your child will enjoy.
Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.
The post Chapter Preview: Ages 2 to 10 – The Formative Years appeared first on McAfee Blogs.
Protiviti and ISACA surveyed 2,252 chief audit executives (CAEs), internal audit professionals and IT audit vice presidents and directors worldwide. Asked to identify their biggest technology challenges, IT audit leaders and professionals noted the following as their top five:
- IT security and privacy/cybersecurity
- Data management and governance
- Emerging technology and infrastructure changes – transformation/innovation/disruption
- Staffing and skills challenges
- Third-party/vendor management
“As much as organizations are focusing on cybersecurity and protecting their data, they’re still behind …
The post Key challenges impacting IT audit pros navigating an evolving risk landscape appeared first on Help Net Security.
Footballers’ wives go to war over Instagram leaks, it turns out fake news is fine on Facebook (just so long as it’s in a political ad), and things take a horrific turn in Japan, as a stalker uses a scary technique to find out where his pop idol lives.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dave Bittner.
Do you know what kind of data your streaming device may be collecting while you binge watch?
The post Streaming devices track viewing habits, study finds appeared first on WeLiveSecurity
You probably know privacy is a thing of the past, that is unless you spend a lot of time digging for freshwater clams in marshlands of Loon Lake. Mark Zuckerberg said it years ago, but he thought it was a good thing. In the wake of the Equifax breach and Cambridge Analytica, the end of privacy is no longer scary. It’s neutral. We’ve reached a “Now What?” moment.
Is It the Algorithm or the Microphone?
We can all agree paranoia is bad for business, and there’s plenty to go around these days whether you’re on the marketing side of things, the breach side, or the consumer side.
With no expectation of privacy, we’ve become a little numb to the parade of stories–both reported by the media and anecdotal–of connected devices eavesdropping on us–serving ads for things mentioned in casual conversation. But we’re all online every day, and in the process leave a trail of cookie crumbs for marketers to find us. There’s no need for a hidden mic.
While many enjoy the convenience that facial recognition provides in retail micro-targeting products and services, others hate it. We’ve heard the cringe-worthy news about health apps sharing some of the more intimate details of our sex lives with Facebook, Google, and other third parties.
Some of us shrug it off. To them, the convenience made possible by the forfeiture of privacy is worth it. For others, it is an unacceptable situation. This is unfortunate, because it’s not a situation. It’s the new norm, and none of it inspires a feeling of security.
A worried customer or client is a hesitant customer or client. So, how do you ease that tension? I would argue that, ironically, you can do this by creating a high information environment, where everyone can make informed decisions about how they want to interact with businesses and services.
Moving Right Along…
The need to protect privacy no longer needs an introduction. There’s plenty of legislation. New privacy laws in New York and Nevada go into effect in October, with California’s CCPA following in January 2020. Maine and Vermont have already enacted stronger laws to that effect, and many states are expected to follow.
There’s a big “but” here. Without the right solutions provider, navigating privacy law can be prohibitively expensive for small to medium-sized companies. Add to that the possibility of compliance costs in a marketplace with many different laws, and we have a potential company killer on our hands. Google may be able to weather a $170 million fine for non-compliance without flinching; most of us can’t.
A Modest Proposal
Once upon a time, Hollywood was faced with a similar situation. In the beginning, there was no ratings system and it was a problem. There were many family-friendly films and then there were those that would make Mae West blush, but there was no way for the audience to know which was which. The result was an opportunity cost. Some people avoided the movies because they were perceived as scandalous.
Enter the Motion Picture Producers and Distributors of America (MPPDA, later the MPAA), which set guidelines later formalized as the movie rating system still used today. It’s not a perfect system, but the benefits outweigh its flaws. First of all, it’s voluntary. The MPAA created an opt-in industry standard, avoiding the need for legislation. The gaming industry also rates its products.
Most importantly, it was end-user friendly. You don’t need to know anything about Rambo: Last Blood or Abominable to decide which is better for kids; one is Rated R and one is Rated G. A similar system might work for websites and apps.
Here’s a sketch of what that might look like:
P–Protected User: Data is either not collected or it is protected and in compliance with online standards such as the GDPR, CCPA, SHIELD, HIPAA, COPA or PIPEDA.
ND–Not Distributed: Personally identifying information is collected to personalize an experience (location, ad preferences, etc.) but it is not shared with third parties.
A–Anonymized: Non-identifying usage data is collected and shared with third parties. (Forget for the moment that there’s no such thing as anonymized data that can’t potentially be re-identified in today’s deep data environment).
S–Shared: User data is collected, shared, and/or sold to third parties. (Think: Naked in a glass house.)
If a collection of privacy and data use experts could get together on the creation of this rating system, privacy policies would no longer be so perilous.
Would it work? Online privacy is getting more complex with every new whizbang, regulation, law, court case, breach, compromise, and scandal. Any workable solution needs to counter that with a general approach that can be applied globally.
If this isn’t it, it’s time to figure out what is.
The post Rated P for Private? It’s Time to Re-think Privacy appeared first on Adam Levin.
New problems for Apple: most of its users are likely unaware that the company is sharing iOS web browsing data on some of them with Chinese giant Tencent.
Most Apple users likely don’t know that the tech giant is sending iOS web browsing data on some of them to the Chinese giant Tencent.
The news is worrying: starting from at least iOS 12.2, Apple has integrated “Tencent Safe Browsing” to improve the security of its users and protect them from fraudulent websites. Tencent Safe Browsing does this by implementing the “Fraudulent Website Warning” feature in the Safari web browser for both iOS and
The service leverages a blacklist of malicious websites that is continuously updated. The blacklist was initially provided by Google’s Safe Browsing service. In order to prevent users from visiting malicious websites, blacklisting services have to know which websites a user visits, and they also log the user’s IP address to manage the browsing history. At this time, it is not clear whether Tencent is also collecting IP addresses from users residing outside of China; likely Tencent’s blacklist is only provided to Chinese users, because Google’s services are blocked in the country.
Experts fear that Tencent could have access to the same data sent to Google and intelligence experts believe that it could share the same information with the Chinese government.
“Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat.” reported the website reclaimthenet.org. “The company also released a pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.”
Privacy advocates believe that such major changes have to be
The good news is that users can turn off the Fraudulent Website Warning feature in Safari, though doing so leaves them potentially exposed to online threats.
The feature is enabled by default on iPhone and iPad devices running iOS 13; below are the instructions to disable it:
- iOS: Settings > Safari > Turn off Fraudulent Website Warning
- macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website
The post Privacy advocates criticize Apple for sharing some users browsing data with Tencent appeared first on Security Affairs.
An alarming 70% of the campaign websites reviewed in the OTA 2020 U.S. Presidential Campaign Audit failed to meet OTA’s privacy and security standards – potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with …
The post 70% of presidential campaigns fail to provide adequate online privacy and security protections appeared first on Help Net Security.
Leafly, a cannabis information platform, suffered a data leak that exposed the personal information of some of its customers.
Exposed records include users’ email addresses, usernames and encrypted passwords; fortunately, no financial data
For some users, the database also leaked names, ages, gender, location, and mobile numbers.
“On September 30, we learned that a set of Leafly user records dated July 2, 2016 held in a secondary Leafly database was disclosed without permission. Your email address was in that file,” reads the notification email sent to the impacted customers.
The company hired a forensic security firm to help its staff with the investigation. The company recommends that users reset their password and use a unique password for each online service.
“However, it is a good idea to ensure that you use a unique password on Leafly and other services you use. If you share passwords across services and haven’t updated them recently, and you haven’t reset your Leafly password, we recommend you do so now,” continues the notification mail.
“Please accept our sincere apology for any concern this has caused. If you have any questions, please reach out to our customer support team at firstname.lastname@example.org,” states Leafly.
At this time, the number of impacted users is not clear.
The post Leafly Cannabis information platform suffered a data leak appeared first on Security Affairs.
Someone recently asked me what I wanted for Christmas this year, and I had to think about it for a few minutes. I certainly don’t need any more stuff. However, if I could name one gift that would make me absolutely giddy, it would be getting a chunk of my privacy back.
Like most people, the internet knows way too much about me — my age, address, phone numbers and job titles for the past 10 years, my home value, the names and ages of family members — and I’d like to change that.
But there’s a catch: Like most people, I can’t go off the digital grid altogether because my professional life requires me to maintain an online presence. So, the more critical question is this:
How private do I want to be online?
The answer to that question will differ for everyone. However, as the privacy conversation continues to escalate, consider a family huddle. Google each family member’s name, review search results, and decide on your comfort level with what you see. To start putting new habits in place, consider these 15 tips.
15 ways to rein in your family’s privacy
- Limit public sharing. Don’t share more information than necessary on any online platform, including private texts and messages. Hackers and cyber thieves mine for data around the clock.
- Control your digital footprint. Limit information online by a) setting social media profiles to private, b) regularly editing friends lists, c) deleting personal information on social profiles, d) limiting app permissions and browser extensions, and e) being careful not to overshare.
- Search incognito. Use your browser in private or incognito mode to reduce some tracking and auto-filling.
- Use secure messaging apps. While WhatsApp has plenty of safety risks for minors, in terms of data privacy, it’s a winner because it includes end-to-end encryption that prevents anyone in the middle from reading private communications.
- Install an ad blocker. If you don’t like the idea of third parties following you around online, and peppering your feed with personalized ads, consider installing an ad blocker.
- Remove yourself from data broker sites. Dozens of companies can harvest your personal information from public records online, compile it, and sell it. To delete your name and data from companies such as PeopleFinder, Spokeo, White Pages, or MyLife, make a formal request to the company (or find the opt-out button on their sites) and follow up to make sure it was deleted. If you still aren’t happy with the amount of personal data online, you can also use a fee-based service such as DeleteMe.com.
- Be wise to scams. Don’t open strange emails, click random downloads, connect with strangers online, or send money to unverified individuals or organizations.
- Use bulletproof passwords. When it comes to data protection, the strength of your password and these best practices matter.
- Turn off devices. When you’re finished using your laptop, smartphone, or IoT devices, turn them off to protect against rogue attacks.
- Safeguard your SSN. Just because a form (doctor, college and job applications, ticket purchases) asks for your Social Security Number (SSN) doesn’t mean you have to provide it.
- Avoid public Wi-Fi. Public networks are targets for hackers who are hoping to intercept personal information; opt for the security of a family VPN.
- Purge old, unused apps and data. To strengthen security, regularly delete old data, photos, apps, emails, and unused accounts.
- Protect all devices. Make sure all your devices are protected against viruses and malware with reputable security software.
- Review bank statements. Check bank statements often for fraudulent purchases and pay special attention to small transactions.
- Turn off Bluetooth. Bluetooth technology is convenient, but outside sources can compromise it, so turn it off when it’s not in use.
Is it possible to keep ourselves and our children off the digital grid and lock down our digital privacy 100%? Sadly, probably not. But one thing is for sure: We can all do better by taking specific steps to build new digital habits every day.
Be Part of Something Big
October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.
The post 15 Easy, Effective Ways to Start Winning Back Your Online Privacy appeared first on McAfee Blogs.
An obsessed fan assaulted J-Pop star Ena Matsuoka after determining where she lived by zooming in on selfies she had posted on social media, and examining the reflection in her eyes.
Maintainers at the Tor Project have removed from its network more than 800 relay servers running outdated and EOL versions of the Tor software.
Currently, the Tor network is composed of more than 6000 relays, some of them running outdated Tor software versions (in some cases going back to the 0.2.4.x versions). Other relays are running the latest Tor software in nightly builds and alpha releases. Maintainers of
Now the maintainers of the project have announced the removal of roughly 13.5% of the relay servers: 750 acting as Tor middle relays and 62 as exit relays.
The presence of End-Of-Life relays in the Tor network has multiple negative impacts on network stability and security; it
“In the past weeks, we’ve taken steps to contact every relay operator with a valid ContactInfo field to ask them to upgrade to the latest stable release. The Tor relay community was informed via the
“The End-Of-Life relays in the network currently make up just over 12% of the total bandwidth, or around 750 relays. Out of these, only 62 are Exit relays accounting for only 1.68% of the total Exit traffic. We expect a minor impact on the size of the network, and a small drop in the Metrics graph.”
The maintainers expect a new Tor stable release in November, which will reject End-Of-Life relays by default. Until then, the maintainers will reject obsolete relays using their fingerprints.
Instructions for upgrading End-Of-Life relays are included in the announcement.
The post Tor Project is going to remove End-Of-Life relays from the network appeared first on Security Affairs.
Free Wi-Fi hotspots can track your location, even if you don't connect to them. This is because your phone or computer broadcasts a unique MAC address.
What distinguishes location-based marketing hotspot providers like Zenreach and Euclid is that the personal information you enter in the captive portal -- like your email address, phone number, or social media profile -- can be linked to your laptop or smartphone's Media Access Control (MAC) address. That's the unique alphanumeric ID that devices broadcast when Wi-Fi is switched on.
MAC addresses alone don't contain identifying information besides the make of a device, such as whether a smartphone is an iPhone or a Samsung Galaxy. But as long as a device's MAC address is linked to someone's profile, and the device's Wi-Fi is turned on, the movements of its owner can be followed by any hotspot from the same provider.
The defense is to turn Wi-Fi off on your phone when you're not using it.
EDITED TO ADD: Note that the article is from 2018. Not that I think anything is different today....
We take a trip to Staten Island, New York, to hear how a case of cyberstalking resulted in the arrest of 20 alleged mobsters, learn about the nude photo-loving insider threat at Yahoo, and discover how fraudsters might be boosting Match.com’s profits.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by Graham Cluley and Carole Theriault, joined this week by Ran Levi of “Malicious Life.”
Twitter admitted having “inadvertently” used phone numbers and email addresses, collected for security purposes, for advertising.
Twitter apologized for having used phone numbers and email addresses,
“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.” reads a post published by Twitter.
At the time of writing, the number of impacted Twitter users is unclear.
The company attempted to downplay the severity of the privacy incident highlighting that none of the user data
The Twitter Tailored Audiences product allows advertisers to target ads to customers based on the advertiser’s own marketing lists, which include info such as email addresses or phone numbers. Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.
Twitter admitted that when an advertiser uploaded their marketing list, its staff may have matched the information included in these lists with data provided by its users to protect their accounts.
The root cause of the problem was addressed on September 17, 2019.
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.” added Twitter.
“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,”
The post Twitter inadvertently used Phone Numbers collected for security for Ads appeared first on Security Affairs.
Apple has released macOS Catalina (v10.15), a new major release of its desktop operating system, which comes with many functional and security and privacy improvements. The former include a new game subscription service, a feature that extends Mac desktops with iPad as a second display, a new accessibility feature that makes it possible to control Mac entirely by voice, and more. The latter include, among other things, better protections against macOS tampering, an improved Gatekeeper, …
October is Cybersecurity Awareness Month, reminding us that cyber-attacks know no boundaries between work and home, so we need to be diligent about cyber hygiene across all environments. With the abundance of connected devices we all depend on, protecting your digital footprint is no longer optional. But where do you learn what to do?
People who work for larger corporations may receive cyber information and training from their employer. For instance, at Cisco every employee gets basic cyber training and increasingly advanced training based on your role; we even share educational materials on applying best practices at home. But not all businesses have the resources to dedicate to such training. And in the home, most people have limited cyber knowledge at best, and only pay attention if or when they become victims of an attack.
To get you started, here are a few tips that will help you to “own IT, protect IT and secure IT” to stay safe online.
Recognize we are experiencing radical change. With our busy lives, we take technology for granted. But it’s important to realize that technology is changing society faster than any other advance in human history. Adults need to get smart about the implications and actively discuss “today’s digital reality” with their children. Just as you teach a toddler to avoid a hot stove, teach them from an early age about safe online practices.
Ask questions. When you acquire a new connected device, stop and ask where it came from. Who connects with it and/or captures data from it? For what purpose do they collect the data, and is that important to you? How do they protect your data and privacy? The more knowledgeable you become, the smarter your next questions will be.
Maintain your devices. Understand whether the device you’re buying has software that will need to be updated and patched as vulnerabilities are found and fixed. If so, make sure that gets done. Just like not replacing expired batteries in a smoke alarm, using outdated, insecure software won’t keep you safe.
Secure and Protect Passwords. Make your passwords long and complex; change them regularly; don’t use the same password for multiple applications. Change default password settings on new devices. We all know multiple passwords can get cumbersome and hard to remember, so use a reputable password manager to keep track for you. Many businesses and institutions provide two-factor authentication (2FA) as an added step to protect your online identity and data. If it’s offered, use it.
Embrace technology, but be aware. If you were walking down a dark street in an unfamiliar city, you’d likely be more aware about who else is around you or may be following you. Treat the internet the same way. Being connected does not mean bad things will happen, but it pays to stay alert and understand best practices and how to apply them. For instance, don’t open email attachments if you’re not completely sure of the sender’s trustworthiness. Don’t click on emailed links that you haven’t asked for. “Stop, think before you click” to avoid the burden of what may come after a malicious attack.
Remember Data Privacy. While security and privacy are different, they’re definitely related. When you’re watching for online threats, also remember that nothing online is really ‘free’ – you’re most likely giving up something (data) to get a “free service/app”. Ask – is the intrinsic value of the “free” thing worth it? When you download an app or sign up for a new service that collects your data, choose carefully what sharing you allow. And remember, when you put personal information online, it stays around for a long time and may come back to you in unexpected, and unwelcome, ways.
It’s time to bring cybersecurity into the greater social consciousness and constructive discussions about changing norms. As new capabilities keep coming to market faster, we should and can have the right social adaptation to embrace technology safely.
Tips to help improve your cyber-hygiene (Infographic)
A flaw in WhatsApp could have allowed hackers to snoop upon your chat history just by tricking you into opening a boobytrapped GIF image.
If you’re going to run WhatsApp, make sure that it’s properly updated.
Nearly three-quarters of consumers (74%) would be likely to participate in a cybersecurity awareness or education program from their financial institution if they offered it. The survey conducted by The Harris Poll on behalf of Computer Services also found that an overwhelming majority of consumers (92%) have concerns about the security of their personal confidential data online. The poll ran online July 1-3, 2019, and it represents feedback from more than 2,000 U.S. adults ages …
The post Consumers have concerns about cybersecurity, value education on best practices appeared first on Help Net Security.
Researcher discovered a logical flaw in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without interaction.
Google Project Zero white-hat hacker Natalie Silvanovich discovered a logical vulnerability in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without requiring his interaction.
This means that the attacker could spy on the receiver through the microphone of his device.
However, the Signal vulnerability can only be exploited if the receiver fails to answer an audio call over Signal, eventually forcing the incoming call to be automatically answered on the receiver’s device.
The logical vulnerability resides in a method
“In the Android client, there is a method
The post A bug in Signal for Android could be exploited to spy on users appeared first on Security Affairs.
A Google-funded facial recognition project used deceitful methods to get people to agree to have their faces scanned.
According to a Daily News report, contractors working for Google through an external company were instructed to target dark-skinned people, college students, and the homeless to amass data for the company’s smartphone facial recognition technology.
The contractors were allegedly instructed by a Netherlands-based staffing company called Randstad to use misleading or deceptive practices to get their subjects to agree to have their faces scanned in exchange for $5 gift cards.
“We were told not to tell (people) that it was video, even though it would say on the screen that a video was taken,” one contractor told the Daily News.
“It was a lot of basically sensory overloading the person into getting it done as quickly as possible and distracting them as much as possible so they didn’t even really have time to realize what was going on,” another contractor said.
Another contractor spoke of being deployed to Atlanta and to the BET Awards in Los Angeles to specifically target African-Americans.
A spokesperson for Google defended the initiative as being critical to have a “diverse sample, which is an important part of building an inclusive product.”
Other reports have described contractors misleading potential subjects as to the use and the retention of the data itself. While Google was initially quoted as saying the facial scans would be held for 18 months, a photo obtained by the Daily News shows a significantly more open-ended agreement:
“Research Data will be retained for as long as needed to fulfill the Purposes, which is expected to be about 5 years, but it may be as long as necessary for the Purposes due to the extended time needed for collection analysis, or other logistical considerations…. There is no limit to how long or in what manner Google may retain, use or share the Aggregate Data,” says the official consent agreement for the project.
Several students reported contractors approaching them for facial scans under the guise of college students.
“They said they wanted us to test out a new phone, an Android. I put in my email. My guy told me to do it all really quick. He kept saying, ‘Hit next and upload. Next and upload.’ I thought they were students. We’re new here and trying to make friends,” said a college freshman.
“They said it was a survey and we thought they were students. I don’t think I even realized there was a consent form,” said another student.
Google’s stated purpose for the data is for a facial recognition-based security measure for its upcoming Pixel 4 smartphone, but it has also pursued facial recognition technology in several other product lines and initiatives.
The post Google Allegedly Used Deceptive Tactics for Facial Recognition appeared first on Adam Levin.
A former Yahoo software engineer has admitted hacking into thousands of Yahoo users’ accounts in a search for naked images and videos of young women.
Read more in my article on the Hot for Security blog.
Cryptocurrency is not exactly a newfangled contraption; the idea of a decentralized digital asset was coined in the late ‘80s by David Chaum, the American cryptographer whose works ignited the computer science revolution that gave birth to Bitcoin, Blockchain, Altcoin, and a whole new way of looking at monetary transactions.
The Birth of Bitcoin
Ecash, the first form of cryptocurrency and Chaum’s brainchild, was launched in 1983 as an alternative to paper money. Digicash, the company regulating this novel ‘non-corporeal’ monetary asset, managed to raise over $10 million in a span of a decade.
The concept was sound and the idea of getting rid of traditional money appealed to the general public. And in 2009, a group called Satoshi Nakamoto launched Bitcoin, which was unanimously considered the first (and true) decentralized digital currency.
With the advent of a new era of non-bank-dependent digital currency, numerous Bitcoin alternatives were seeded on the market. Altcoins they’re called and, at the moment, there are over 4,000 of them in use.
Living the dream, right? Well, not my intention of casting a dark cloud over this brave new world, but wherever money’s involved, there’s bound to be someone trying to bamboozle a goose.
Cryptocurrency fraud, the subject du jour, has gained quite a foothold, with hundreds of thousands of people being swindled every day. Not exactly breaking news, but the ploys have become so intricate that it’s increasingly difficult to tell the fake ones from the legit ones.
Hence this handy little guide will tell you all about the wondrous world of crypto scams and how to avoid them. Let’s start with a rundown of the most (un)common scams.
As a rule of thumb, you should never accept crypto-trading with companies or startups that are not blockchain-powered. In layman’s terms, that means that all transaction data can be tracked and reviewed.
Furthermore, before committing to a company or another, you may want to review their credentials – look for status quo indicators such as adherence to initial coin offerings rules and digital currency liquidity.
That’s about it at a glance. Up next, we’re going to dive into the most common and uncommon cryptocurrency scams. Enjoy (or not).
Fake ICOs (initial coin offerings)
Here’s how ICOs are defined:
“An ICO is a type of funding using cryptocurrencies. Mostly the process is done by crowdfunding but private ICOs are becoming more common. An ICO is a quantity of cryptocurrency sold in the form of tokens or coins to investors or speculators, in exchange for legal tender or other cryptocurrencies such as Bitcoin or Ethereum. The tokens sold are promoted as future functional units of currency if or when the ICO’s funding goal is met and the project launches. In some cases, like Ethereum, the tokens are required to use the system for its purposes.”
Impeccable textbook definition, don’t you think? But what does it really mean? Let’s water it down a little. Imagine the following scenario: assume, for a moment, that you’re running a tech company that has come up with an entirely new cryptocurrency management system or a crypto coin. All fine and dandy, but how on Earth are you going to raise enough money to streamline your idea?
Certainly, you can try to go through banks or call up some capitalist investors, but that would mean dividing or even giving up the ownership of your small business. Fortunately, there’s a better way to go about this – the ICO.
First, you will need to get the attention of some people willing to invest in your idea. Not so fast; to pull this off, you will also need a way to show your future partners that your idea is sound. You can do that by creating a crackerjack whitepaper.
It’s essentially the documentation that proves that your crypto idea works and is, of course, worth the money. You should also consider setting up a website to increase your company’s credibility.
The second step you should take would be to convince the interested partners to give you some of their money in exchange for a small amount of your ‘homemade’ currency.
The point is to increase the currency’s rate of circulation and usage thereof. That, in turn, will increase the value of your newly-created digital asset, which translates into a steady cash flow for your company. In this case, the incentive would be a higher return on investment.
Sorry for the rather long detour, but it’s important for you to know the mechanics behind ICOs in order to understand how scams work and how swindlers act. Enter fake or fraudulent ICOs which are specifically engineered to bleed cash from naïve investors.
How do they do that, you ask? By promising astronomical gains in the span of a couple of weeks. For instance, by spinning the fake crypto coin’s white paper (that would be the project’s documentation I was telling you about), the fraudster will attempt to lure in investors by promising them astronomical gains (100x or even 1,000x) in a short amount of time – try a couple of weeks or even days.
Fake ICOs count as some of the most common types of cryptocurrency scams. Unfortunately, over the past couple of years, the scales have kind of tipped in ‘favor’ of the fake ones.
In fact, according to a Bloomberg study, over 80 percent of ICOs are fraudulent, with less than 8 percent reaching out. Yes, they can be avoided, but we will talk more about that in the third part of this article.
Another cryptocurrency scam is the so-called shady or overnight exchange. How does that work, you ask? Let’s assume for a moment that you want to exchange your digital token for a better-performing crypto coin.
One would naturally assume that this is what every crypto coin possessor should aim for if he (or she) is looking to increase gains. The best way to go about this would be to exchange your coin with another that outperforms it.
Still, before you go full wolf of Wall Street on this one, consider choosing a legit and regulated cryptocurrency broker or exchange system. Why? Because you would risk losing your entire portfolio by tying them in a venture that simply sounds too good to be true.
Shady exchanges tend to follow a similar pattern – boy has crypto-money, boy finds better price, boy makes deposit coaxed by shady deal-man, boy asks about how the deal’s performing.
Teary-eyed deal-man says that he couldn’t upscale the business, the price dropped, and that the coins are worth zilch. The dénouement – the shady dealer gets your coins and you end up with a dent in your wallet.
There’s nothing wrong with picking up an app to manage your cryptocurrency portfolio – there are plenty to choose from and, speaking on behalf of the vast majority, they’re great-looking and easy to use.
Yes, I know that you know that there’s a big “but” around the bend, but this is an article on cryptocurrency fraud. Lately, a great many fraudulent wallets have been discovered on Google’s Play Store.
Though Google is making efforts to root out these posers, its efforts are hindered by malicious developers who seed them by the hundreds. Anyway, the latest crypto-wallet app to be cloned was Trezor. So, what happens when you use one of these apps to manage your portfolio? Money goes in and, poof, it melts into nothingness. User beware!
Pyramid schemes (Ponzi)
Handsome son of a gun, isn’t he? Meet Charles Ponzi or the reason why the dictionary people added a new entry under the word “pyramid”. Yup, he’s the mastermind behind the eponymous lurk. Never heard of it? That’s all right; it just means you haven’t had any dealings with hedge funds and private equity.
Pulling this off does not require a Ph.D. in rocket science; just the right amount of guile. The idea is to coax as many people as possible to invest in, well, something.
Ponzi managed to pull this off with postage stamps, so why wouldn’t it work with cryptocurrency? The pyramid scheme in a nutshell: the scammer comes up with a ‘foolproof’ investment scheme. Enter the goose, just ready to be plucked. The swindler will persuade the goose to tie up his money in this outstanding venture, promising higher gains.
The goose will then invest a sum in the idea. But that’s not all – the initial investors now have the job of bringing in new investors if they want to get a share of that dough or, in this case, digital coins.
Once the new investors step in, the older ones begin getting payouts. And it goes merrily on until the well of new investors runs dry. In the end, the only one who stands to win is the scammer.
When all else fails, you will always have the ‘classics’ to fall back to. A while back, I wrote an article about just how effective PayPal phishing scams are, even though everyone knows about them and how they work (ironic, isn’t it?).
Pretty easy to imagine how this type of scam works – using psychological manipulation, the scammer will trick you into revealing your username, password, or billing information. The most commonly used tactics are Punycode and the so-called fake Airdrops. So, how does this work?
Simply put, the scammer sends the user a link that sends him to a fake page. Naturally, this page looks exactly like a legit crypto-trading service. On top of that, the pot is sweetened by a free Airdrop. In most cases, the users are asked to send a certain number of Bitcoins or Ether to a spiked MyEtherWallet.
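The Punycode lure described above can be caught mechanically before anyone clicks. The following Python is an added example, not code from the article or from any product it mentions; the allowlist of trusted hosts and the look-alike host are constructed for illustration, and the confusable table is a small stand-in for the full Unicode confusables data.

```python
"""Flag Punycode / IDN look-alike links of the kind used in crypto phishing.

Added example, not from the original article. Hosts below are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the ASCII names of the services you really use.
TRUSTED_HOSTS = {"myetherwallet.com", "example-exchange.com"}

# Small confusable map (Cyrillic/Greek letters that look like Latin ones).
# A real deployment should use the Unicode confusables.txt data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03bd": "v",
}

# Constructed look-alike: "myetherwallet.com" with a Cyrillic 'е' (U+0435)
# in place of the Latin 'e'. Encoding it the way a browser would yields the
# xn-- form that appears in the phishing link.
LOOKALIKE_UNICODE = "my\u0435therwallet.com"
LOOKALIKE_PUNYCODE = LOOKALIKE_UNICODE.encode("idna").decode("ascii")


def decode_host(host: str) -> str:
    """Turn xn-- (Punycode) labels back into Unicode; plain labels pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                labels.append(label[4:].encode("ascii").decode("punycode"))
            except UnicodeError:
                labels.append(label)  # undecodable: keep the raw label, flagged later
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(host_unicode: str) -> str:
    """Replace confusable characters with the Latin letters they imitate."""
    normalized = unicodedata.normalize("NFKC", host_unicode)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def scripts_in(label: str) -> set:
    """Script names used in a label, taken from the first word of each character's name."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])  # LATIN, CYRILLIC, ...
    return found


def assess_link(url: str) -> dict:
    """Classify a link as trusted, lookalike, suspicious or unknown, with reasons."""
    host = (urlsplit(url).hostname or "").lower()
    unicode_host = decode_host(host)
    reasons = []
    if host != unicode_host:
        reasons.append("punycode host %s decodes to %s" % (host, unicode_host))
    for label in unicode_host.split("."):
        if label.startswith("xn--"):
            reasons.append("undecodable punycode label %s" % label)
        elif len(scripts_in(label)) > 1:
            reasons.append("mixed scripts in label %r" % label)
    skel = skeleton(unicode_host)
    for trusted in TRUSTED_HOSTS:
        # "myetherwallet.com.evil-example.net" embeds a trusted name without being under it
        if skel != trusted and trusted in skel and not skel.endswith("." + trusted):
            reasons.append("trusted name %s embedded in unrelated host" % trusted)

    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        verdict = "trusted"
    elif skel in TRUSTED_HOSTS:
        verdict = "lookalike"
        reasons.append("renders like trusted host %s" % skel)
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {"host": host, "unicode_host": unicode_host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for link in ("https://myetherwallet.com/airdrop",
                 "https://" + LOOKALIKE_PUNYCODE + "/claim",
                 "https://myetherwallet.com.evil-example.net/claim"):
        result = assess_link(link)
        print(result["verdict"], link, "; ".join(result["reasons"]))
```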
Considered to be the most devastating weapon in a scammer’s arsenal, impersonation scams are very hard to detect and, therefore, to counter. This is what in cybersecurity lingo is called a multi-vector attack.
First, the impersonator must gather as much information as he can about the victim. Up next, there’s the company on behalf of which he will attempt to contact the victim. Of course, this also involves calling up some vital info.
For instance, in some cases, the scammers posed as the project owner or even the company’s CEO in order to lure the victim with a once-in-a-lifetime offer.
Here’s where the multi-vector attack comes into play – using a combination of social engineering, phishing, and cold-calling, the scammer will coax the victim into investing his crypto coins into his idea.
As I said, impersonation scams are very hard to detect simply because the scammers know how to do their homework. The only possible defense one can think of might be having some inside info on the company.
Careful who you trust with your cryptocurrency portfolio. There are dozens of unregulated online brokers and exchanges and, like in most scamming schemes, they lure customers with low prices, competitive trading products, and quick returns.
After you make the deposit, it will become increasingly hard to withdraw your money. For instance, they would ask for high commissions or conjure up bogus reasons why you can’t withdraw your funds or gain. Worst case scenario – they stop returning your calls and run away with your money.
Automated trading systems
Given the volatility of crypto coins like Bitcoin, promoters will look for just about any opportunity to make a profit. The general tendency would be to speculate on the price differences between various exchanges.
Why is this considered a scam? In most cases, these cryptocurrency exchanges have ludicrously long withdrawal processes, not to mention the fact that they tend to charge a lot in order to swap Bitcoins or Ether for fiat currencies (government-issued currency that is not backed by a physical commodity with value, like silver or gold; basically, it’s the textbook definition of money).
Long story short – crypto coin arbitrage takes a lot, doesn’t guarantee gain, and will, more than likely, lead to financial loss. I should also add that these types of trades take a long time to settle, which means that anything can happen in the interim. Caveat emptor!
Pump & Dump online groups
P&D scams are not exactly new. In fact, economic analysts argued that this type of fraud goes all the way back to the early 18th century.
Though most of these schemes were conducted by word of mouth, emergent techs such as the Internet, social media, and email servicing made it possible for scammers to attract even more investors.
So, what’s up with these P&D scams? In layman’s terms, it’s a plot aimed at inflating the stock price of certain commodities in a bid to buy low and sell high. What happens is that when the scammers dump their ill-gotten shares, the prices plummet, leading to investors losing their money fast. The same thing happens with cryptocurrency.
Bear in mind that it takes quite a lot of people in order to pull this off. The scammers usually congregate over social media platforms such as Facebook Messenger, Telegram, Slack, and IRC. On average, such a group would total some 100,000 members.
Each is a vital cog in the effort to manipulate the price of altcoins with low market caps. These groups use various tools to monitor volumes, a vital first step in identifying crypto coins with the highest ‘scheming’ potential. After that, it’s all a matter of buying low while watching the prices go down.
Social media engineering
Social media platforms are a great way to get to know investors and people who are willing to trade cryptocurrency. However, at the same time, these platforms are a breeding ground for fake cryptocurrency traders, scammers impersonating legit traders, and bots.
Remember the golden rule – if it sounds too good to be true then it’s most definitely a scam. It would also be in your best interest to stick to legit communication channels and avoid private messages received on Facebook, Twitter, or Instagram.
Fake emails are, by far, the most ‘popular’ way of luring potential investors. What’s even more unnerving is the fact that they really look like legit emails sent by a legit company – logos, headers, names, addresses, social media handles.
Don’t fall for it; if you ever receive such an email, check every bit of information before acting. For instance, if the email contains phone numbers or physical addresses, you should consider calling the trader.
Try to gauge the offer’s genuineness: are the numbers doable? How about initial coin offerings? Does the trader operate over a regulated cryptocurrency exchange? Has he informed you about liabilities? And, most importantly, see how confident he is about the plan itself. The scammer will always try to boast about the plan.
Cryptocurrency fraud – Case Studies
Now that you got the hang of what to look out for, here are some cryptocurrency fraud cases. Enjoy, but watch your back.
The BITPoint Hacking
On the 12th of July, BITPoint, a Japanese cryptocurrency exchange, reported that over $28 million were stolen in a massive hack attack. It was later revealed that the losses amounted to $19.3 million, but that didn’t make things any better.
The official report revealed that the funds that were stolen mostly belonged to the company. The looted assets included Bitcoin, Litecoin, Bitcoin Cash, XRP, and Ether.
Since the company’s cybersecurity safeguards were inefficient, BITPoint decided to postpone withdrawals and deposits for the time being. In addition, Asahi Shimbun, BITPoint’s CEO, has announced that the company will return the assets to the customers affected by the attack.
Binance May Heist
In late May, Binance, one of the largest cryptocurrency exchanges, suffered a $40 million loss in the wake of a “perfectly-orchestrated” hacking attack. The authorities pointed out that among the assets stolen by hackers were 2FA codes and API Tokens.
A total of 7,000 Bitcoins were stolen and several high net-worth accounts were compromised. That did not put the company out of business, of course, since the stolen assets were roughly two percent of all of Binance’s holdings. The exchange announced that it will be using part of its self-insurance funds in order to cover the losses.
What happens when six hackers get together? They steal $27 million worth of Bitcoins. According to a Europol press release, in late June, five men and one woman were detained following a 14-month-long investigation which involved law enforcement officers from the United Kingdom and the Netherlands.
The report revealed that the six suspects were part of a criminal ring responsible for the theft of $27 million from 4,000 people. The method used was typosquatting, which involves the use of clandestine cryptocurrency exchanges in a bid to tap into the victim’s cryptocurrency wallet.
Fall of the Kraken
Earlier this year, Kraken, one of Binance’s competitors, was hit by a cryptocurrency price drop last year. This flash-crash resulted in the coin’s price plummeting from $8,400 to a mere $75. At the time, the company believed that the sudden crash might have been caused by a glitch in the system.
However, that didn’t account for a high-profile wallet being hacked and emptied. The subsequent investigation revealed that the glitch and the hack were related. Furthermore, the suspect managed to obscure 1,200 bitcoins, or the equivalent of $10 million, before being apprehended by the authorities.
GateHub XRP Heist
On June the 6th, a group of cybercriminals managed to steal $10 million worth of XRP coin from cryptocurrency exchange GateHub. The authorities revealed that the amount was stolen from 100 compromised Ledger wallets.
Although the account holders were contacted and reimbursed, the investigators have yet to produce any suspects. In addition, out of the $10 million that was stolen from GateHub, only $200,000 was retrieved.
Bitrue Hack Attack
During the same month, another cryptocurrency exchange was hit by a hacking attack – Bitrue, a Singaporean crypto company, lost over $4 million.
According to the authorities, sometime in June, the unauthorized access occurred. At around the same time, Bitrue’s platform reported that 9.3 million XRP and 2.5 million ADA were transferred to an unknown wallet.
The subsequent investigation revealed that the attack was possible due to a system vulnerability that surfaced after the company’s Risk Control Team performed a second review process. Although the assets are irretrievable, the company has reimbursed all the affected parties.
Tips to avoid cryptocurrency fraud
Quite a lot to take in, isn’t it? What can I say? The world’s a wonderful place; the question is now how can one protect himself against these threats. Check out these awesome tips.
Research, research, and even more research
The best way to avoid cryptocurrency fraud is to do your homework before investing your crypto coins. There’s plenty to choose from – in fact, there are over 500 online exchanges.
So, in order to avoid being scammed, take your time to research the exchanges: read their blogs, look at the conversion rates, gains, ICOs, over-the-web security protocols. For extra safety, you could shoot an email to support or a company representative to ask about the exchange.
Figure out a way to store your cryptocurrency
Buying and trading crypto coins is only the first step. Next along the line would be figuring out a way to store your digital assets. So far, there are two ways to store cryptocurrency: working through exchanges and digital wallets.
Exchanges work very much like traditional banks: they offer deposits, accounts, and, of course, charge fees for deposit management and transactions.
As for the second storage method, digital wallets are to cryptocurrency what Revolut and Payoneer are to fiat currencies. Evidently, the decision’s entirely up to you.
Know the tell-tale signs of fraudulent ICOs
As you might have figured out by now, fake ICOs are a scammer’s weapons of choice. Of course, none of this would be possible without someone naïve enough to believe this stuff.
Anyway, in the case of ICOs, you can easily figure out if the project’s legit or fake by taking a closer look at the white paper for signs of forgery. These include:
Fraudsters are more likely to copy an entire whitepaper and pass it off as their own rather than write the whole thing from scratch. Just copy-paste the whole thing into Google and hit the search button. If you see the same thing elsewhere, it’s more than likely that you’re dealing with scammers.
No team members
Most exchange presentation websites feature a media section that contains info about the members of the team. Look for any inconsistencies: incomplete descriptions, stock photos, odd-looking contact details.
The websites would look like they were made in a hurry. You know what I’m talking about.
Since these websites were made for one purpose and one purpose only, it’s obvious that the person or persons behind the scheme won’t spend time worrying about details such as blog posts, landing pages, or newsletters. Take some time to read a post or two. Lack of proofreading alone should be a major red flag, one that may point out that the website is, indeed, fake.
Staff reluctant to answer tough questions
Even the most experienced scammer cannot dupe a crypto-savvy user. So, if you decide to get in touch with a member of staff, start asking questions. The more technical they are, the better. A legit employee will be in the position to answer every question related to the product, whereas a scammer might eschew them.
Boost your online security
While it’s always a good idea to beef up your online security, now more than ever you should take the time to review your cybersecurity habits. I know it’s convenient to trade or buy crypto on the fly, but sloppy practices usually result in compromised personal data.
To this end, I would advise you to conduct every transaction from a secured endpoint. Our Thor Foresight Home product can safeguard your computer and cryptocurrency account against all types of online attacks such as malware, ransomware, cryptojacking, and even bitcoin miners.
On that note, you should definitely consider running a quick scan of your system in order to root out lingering bitcoin miners.
Know thine enemy
Each day, the list of shady cryptocurrency exchanges gets bigger. So, before you choose an exchange, make sure it’s not on the blacklist. Here are the platforms’ names you should look out for:
Remember that a fool is born every minute. Don’t be one – read, research, get your act straight and always pay attention to your cybersecurity habits. Hope you’ve enjoyed my article. As always, for questions, rants, comments, coffee and beer donations, shoot me an email.
The post 10+ Cryptocurrency Fraud and Scams You Need to Pay Attention to appeared first on Heimdal Security Blog.
When your baby is on the way, their privacy and digital security is probably the last thing you have on your mind. At least it’s way down there on the list—of course it is! You’re preparing for a bright, joyous addition to your family and home. Everything you’re doing is intended to create an environment that is safe and comfortable, so your baby knows a warm and loving world right from the start. Not to mention, you and your family are anticipating how much you’ll enjoy these milestones.
When my children were babies we spent a lot of time “baby proofing” the house. You know, putting special locks on the kitchen cabinets, plastic covers on electrical outlets, baby gates, and more. Today that behavior needs to extend online. We need to be the guardians of our baby’s privacy, identity, and security until they get to the age where they understand what’s at risk and can protect themselves.
No doubt you will want to share all those precious moments as your bundle of joy fills your life with happiness, despite the possible risks. With that in mind, there’s an entire chapter in “Is Your Digital Front Door Unlocked?” dedicated to your baby’s first steps online, offering suggestions on what constitutes a healthy balance of what should and should not be shared. It also looks at other important considerations that you may not have thought of, such as getting your baby a Web address and monitoring their identity to make sure an identity thief hasn’t hijacked it—plenty of things many parents wouldn’t think of, but should, given the way our world works today.
Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.
The post Chapter Preview: Birth to Age 2 – First Footprints appeared first on McAfee Blogs.
Drivers are distracted by a hacked billboard, we take a deeper look at how the deepfake problem has… uh… deepened, and Carole is less than happy about Amazon’s announcement about new Alexa integrations.
All this, an annoying goose, and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
The hard truth is that identity data is the new gold—and criminal panhandlers are mining it for sale and distribution on the Dark Web.
Indeed, the internet provides ways for big data breaches to result in disastrous leaks of huge databases of personal information, resulting in detailed profiles of individuals—based on their internet behaviors, including social media activities, online shopping, financial transactions and more—being sold for nefarious purposes.
It’s all about identity theft. What does it mean for digital citizens like us? And what can we do about it?
The Mining of Identity Data
In 2019, data of all kinds is being criminally mined on the internet, but the theft and sale of identity data in particular is rising dramatically. How is this possible? In today’s highly-connected society, we’re constantly being asked to provide personal information to retailers, surveys, medical professionals, and other data collection efforts. We constantly disclose our name, address, social security number, health status, purchasing history, credit card numbers, and more. Anytime there’s a breach in an online database holding such data, by accident or malicious hacker intent, cybercriminals pounce on it to mine it for the identity gold.
“Identity theft and identity fraud…refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data…,” says the US Department of Justice, Criminal Division, in its Fraud Section report, reminding us what it’s all about. Data breaches are the goldmine for this kind of theft.
One of the more recent breaches collected, packaged and sold about 26 Million new accounts on the Dark Web by hacking several websites, including online shopping, career and learning platforms. A longer list of breaches—see The 18 Biggest Data Breaches of the 21st Century, as well as Wikipedia’s List of Data Breaches—reveals how chronic it’s become. Because our personal data is often stored on internet sites, many of which are crucial to our way of life, we forget that simply registering and providing personal details can lead to a more precise and accurate description of our location, our healthcare information, and even information indicated on our government issued IDs. And its sale on the Dark Web is a very bad outcome.
The Dark Web (or Darknet) refers to that part of the internet that hides your identity and location when you’re on it. Dark Web websites are accessible only through Tor (the “Onion Routing” browser) and through I2P (the “Invisible Internet Project”). Historically, one of the reasons for the creation of the Dark Web was to provide US Navy intelligence officers a means to maneuver on the internet without being recognized or traced. The Tor network achieves anonymity by bouncing the request through a large number of intermediate servers and employing a layered encryption system on the identification of the source IP where the search originated, so that no one knows where the request for a webpage or site ultimately comes from. I2P specializes in allowing the anonymous hosting of websites, so the target IP address is unknown to the searcher.
In short, browsing the Dark Web allows you to anonymously access “anonymized” websites, not all of which are bad, but also many sites that are, collectively known as Darknet markets. The former category includes SecureDrop, which lets news organizations receive anonymous submissions. The latter category included Silkroad 1.0, which was launched in February of 2011; and 2.0, which was finally shut down in November of 2014 by the FBI. The Dark Web or Darknet is still a channel for all kinds of illegal activities, including a place for radical extremists to spread propaganda—and remains a region on the internet for the sale of illegally gotten identity data.
Protecting Your Identity
Although data protection laws require organizations that hold personal data to safeguard it, and pseudonymization (stripping identifiers such as names and social security numbers from stored records) is a common control, compliance is difficult to verify or enforce from the outside. Each of us therefore carries the ultimate responsibility for protecting our own data. Here are some practical steps you can take to help protect your identity:
Accounts and Usernames: Think carefully when choosing your username for your online accounts and email addresses. Choose something that does not closely identify with your full name or other personal information.
Passwords: If you use several internet services, social media accounts, and email addresses, you will need a lot of passwords. Tempting as it is, do not reuse one password across accounts: a single breached site then hands attackers the keys to every other account where you used it. Use a unique, hard-to-guess password for each account. We highly recommend using Trend Micro Password Manager to generate strong passwords and store them safely, and change a password immediately if the account or the service holding it is reported breached. Many banking and payment apps also offer two-factor authentication; enable it wherever it is available for more secure transactions and purchases.
Privacy: Keep your personal information private online and enable strong privacy controls on your social media accounts.
Protect your devices: Don’t leave your mobile devices and laptops unattended and enable PIN and password to unlock them.
Remediation: If you hear of a major online data breach, sit up and take notice: you might need to take active steps to remediate the situation. After the Equifax breach of 2017, which exposed sensitive data on roughly 147 million Americans (first reported as 143 million), remediation meant locking or freezing your credit file at each of the three credit bureaus: Equifax, Experian, and TransUnion. With other types of breaches, it may simply mean closing an account or canceling a credit card. Like the credit bureaus, many banks offer identity protection services which you can also take advantage of.
Trend Micro ID Safe
Apart from the best practices outlined above, you should also install Trend Micro ID Safe for Android and iOS on your mobile devices, to monitor and help remediate any known security issues with your identity data.
What is ID Safe? ID Safe checks if any of your personal information stolen from data breaches is circulating on the Dark Web for sale or distribution by cybercriminals. It identifies which accounts were breached and the kind of data posted, then notifies you, so you can take steps to change your account credentials or remediate any potential effects of the illegal distribution or sale of your personal data.
Top-notch Security. To protect the personal information you enter, ID Safe first hashes it on the device using SHA-256 (a one-way function that turns the text into a fixed-size digest from which the original cannot be recovered by reversing the computation) and then sends the digest over an encrypted connection to be checked against a comprehensive Dark Web database. The service thus receives a fingerprint of your data rather than the data itself.
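Here is what that hash-then-lookup design looks like in code. This is an added illustration, not Trend Micro’s implementation, and ID Safe’s actual protocol is not described beyond the paragraph above; the identifiers in the "leaked" set are made up. I have also added a k-anonymity prefix query, in which the client reveals only the first few hex characters of the digest and the server returns the whole bucket, since that is how a careful service avoids learning exactly which identifier you asked about; the page does not say ID Safe does this. The last function shows the caveat a practitioner should keep in mind: a SHA-256 digest of an email address is irreversible, but an email address is easy to guess, so anyone holding a list of candidates can match digests against it. The hashing is a good hygiene step, not a substitute for the encrypted connection and a trustworthy service.

```python
"""Hash-before-lookup breach check, in the style the paragraph describes.

Added example, not Trend Micro's code; the service's real protocol is not documented here.
The k-anonymity prefix query (client sends only the first few hex characters of the digest)
is a common design choice added for illustration, not something the page attributes to
ID Safe. The "leaked" identifiers are made up.
"""
import hashlib
from typing import List, Optional, Set


def sha256_hex(identifier: str) -> str:
    """Normalise (trim, lower-case) then hash, so 'Alice@Example.com' and 'alice@example.com' match."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


# Constructed breach corpus: the lookup service holds digests, never the raw identifiers.
LEAKED_HASHES: Set[str] = {
    sha256_hex(e) for e in ("alice@example.com", "bob@example.org", "carol@example.net")
}
PREFIX_LEN = 5  # 5 hex chars = 20 bits; the server learns only which 1-in-a-million bucket you are in


def server_lookup(prefix: str) -> Set[str]:
    """Service side: return every stored digest in the requested bucket, never a yes/no for one user."""
    return {h for h in LEAKED_HASHES if h.startswith(prefix)}


def client_check(identifier: str) -> bool:
    """Client side: hash locally, reveal only a prefix, finish the comparison locally."""
    digest = sha256_hex(identifier)
    return digest in server_lookup(digest[:PREFIX_LEN])


def recover_by_guessing(target_digest: str, guesses: List[str]) -> Optional[str]:
    """Caveat: 'irreversible' means nobody can compute the input from the digest directly.

    It does not stop someone who can enumerate likely inputs (an email list) and hash
    each one; that is why a bare hash of a low-entropy identifier is a weak privacy
    boundary on its own, and why the transport must be encrypted and the server trusted.
    """
    for guess in guesses:
        if sha256_hex(guess) == target_digest:
            return guess
    return None


if __name__ == "__main__":
    print(client_check(" Alice@Example.com "))   # in the constructed corpus
    print(client_check("dave@example.com"))      # not in it
    print(recover_by_guessing(sha256_hex("bob@example.org"),
                              ["dave@example.com", "bob@example.org"]))
```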
Easy to Use Tools. You can quickly check if your personal data has reached the Dark Web with just a few taps, using its various tools:
GDPR Compliant. Finally, you should know that Trend Micro takes your privacy seriously and complies with the European Union’s General Data Protection Regulations (GDPR) to protect your data. Read ID Safe’s data collection notice here:
The post In Identity Theft the Target is You! appeared first on .
Experts discovered an unprotected Elasticsearch cluster containing personally identifiable and tax information of Russian citizens exposed online.
Security experts from Comparitech along with security researcher Bob Diachenko discovered 20 million tax records belonging to Russian citizens exposed online in clear text and without protection.
The experts found an unprotected Elasticsearch cluster containing personally identifiable information on Russian citizens spanning the years 2009 to 2016.
“A database of more than 20 million Russian tax records was found on an unsecured server, accessible to anyone with a web browser.” reads the post published by Comparitech
The Elasticsearch database was first indexed by search engines in May 2018; Diachenko discovered it on September 17, 2019, and it was secured on September 20, 2019.
It is not possible to determine whether anyone else accessed the exposed data before Diachenko discovered it. The experts also revealed that the owner is based in Ukraine, but did not disclose its identity.
The cluster included multiple databases, two of which contained tax and personally identifiable information about Russian citizens, mostly from Moscow and the surrounding area.
“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over 6 million from 2009 to 2015.” the experts continue.
Exposed records included the following information:
- Full name
- Residency status
- Passport number
- Phone number
- Tax ID number
- Employer name and phone number
- Tax amount
The exposed data could be used by threat actors to carry out tax scams and fraud.
“Affected individuals could be at risk of identity theft and should monitor their accounts closely. Tax fraud could also be a risk, though our team is not well-versed enough on the topic of the Russian tax system to give concrete advice.” the experts conclude.
“Potential victims should also be on the lookout for targeted phishing and other scams. Fraudsters could pose as tax officials, for example, to steal money or request additional information to aid in identity theft.”
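The underlying failure here is a common one: an Elasticsearch node listening on the network with no authentication in front of it. The following Python script is an added example (not from Comparitech or Security Affairs) of the check an administrator can run against their own hosts. It uses two documented Elasticsearch REST endpoints, GET / for the cluster banner and GET /_cat/indices?format=json for the index list; the sample responses used to exercise it are constructed. Run it only against systems you are authorized to probe.

```python
"""Check whether an Elasticsearch endpoint answers without authentication.

Added example, not from the Comparitech/Security Affairs write-up. It uses two documented
Elasticsearch REST endpoints (GET / and GET /_cat/indices?format=json). Sample responses
used to test it are constructed. Run it only against hosts you are authorised to test.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

OPEN, AUTH_REQUIRED, NOT_ES = "open", "auth-required", "not-elasticsearch-or-unreachable"


def classify_root_response(status: int, body: str) -> str:
    """Decide from GET / what we are looking at.

    An unauthenticated cluster returns 200 with a JSON banner containing cluster_name and
    version; a cluster behind security returns 401 (or 403); anything else is not an open ES.
    """
    if status in (401, 403):
        return AUTH_REQUIRED
    if status != 200:
        return NOT_ES
    try:
        doc = json.loads(body)
    except ValueError:
        return NOT_ES
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return OPEN
    return NOT_ES


def summarize_indices(cat_json: str) -> List[Tuple[str, int]]:
    """Turn /_cat/indices?format=json output into (index, document count) pairs, largest first.

    docs.count arrives as a string (or null for closed indices), so coerce carefully.
    """
    out = []
    for row in json.loads(cat_json):
        try:
            count = int(row.get("docs.count") or 0)
        except ValueError:
            count = 0
        out.append((row.get("index", "?"), count))
    return sorted(out, key=lambda r: -r[1])


def http_get(url: str, timeout: float = 3.0) -> Tuple[int, str]:
    """GET a URL without credentials; network errors become status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_host(host: str, port: int = 9200, scheme: str = "http") -> Dict:
    """Probe one host: classify GET /, and if it is open, list what is exposed."""
    base = f"{scheme}://{host}:{port}"
    status, body = http_get(base + "/")
    result = {"host": host, "verdict": classify_root_response(status, body), "indices": []}
    if result["verdict"] == OPEN:
        status, body = http_get(base + "/_cat/indices?format=json")
        if status == 200:
            try:
                result["indices"] = summarize_indices(body)
            except ValueError:
                pass
    return result


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or ["127.0.0.1"]:
        print(check_host(h))
```

A verdict of "open" on anything reachable from outside your network means the data is readable by anyone who finds the port, exactly as happened here; the fix is to bind the node to an internal interface, put authentication in front of it, and firewall port 9200 from the internet.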
The post Experts found 20 Million tax records for Russian citizens exposed online appeared first on Security Affairs.
Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28% having successfully achieved compliance. This is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: … More
The post Companies vastly overestimating their GDPR readiness, only 28% achieving compliance appeared first on Help Net Security.
Over the years, I’ve been the star of a number of sub-stellar parenting moments. More than once, I found myself reprimanding my kids for doing things that kids do — things I never stopped to teach them otherwise.
Like the time I reprimanded my son for not thanking his friend’s mother properly before we left a birthday party. He was seven when his etiquette deficit disorder surfaced. Or the time I had a meltdown because my daughter cut her hair off. She was five when she brazenly declared her scorn for the ponytail.
The problem: I assumed they knew.
Isn’t the same true when it comes to our children’s understanding of the online world? We can be quick to correct our kids when they fail to exercise the best judgment or handle a situation the way we think they should online.
But often what’s needed first is a parental pause to ask ourselves: Am I assuming they know? Have I taken the time to define and discuss the issue?
With that in mind, here are five digitally-rich terms dominating the online conversation. If possible, find a few pockets of time this week and start from the beginning — define the words, then discuss them with your kids. You may be surprised where the conversation goes.
5 digital terms that matter
Internet privacy is the personal privacy that every person is entitled to when they display, store, or provide information regarding themselves on the internet.
Highlight: We see and use this word often but do our kids know what it means? Your personal information has value, like money. Guard it. Lock it down. Also, respect the privacy of others. Be mindful about accidentally giving away a friend’s information, sharing photos without permission, or sharing secrets. Remember: Nothing shared online (even in a direct message or private text) is private—nothing. Smart people get hacked every day.
Ask: Did you know that when you go online, websites and apps track your activity to glean personal information? What are some ways you can control that? Do you know why people want your data?
Act: Use the privacy settings on every app, block third-party cookies in your browser, review the privacy policies of the apps you install, and create strong, unique passwords.
Digital wellbeing (also called digital wellness) is an ongoing awareness of how social media and technology impacts our emotional and physical health.
Highlight: Every choice we make online can affect our wellbeing or alter our sense of security and peace. Focusing on wellbeing includes taking preventative measures, making deliberate choices, and adopting behaviors that help us build a healthy relationship with technology. Improving one’s digital wellbeing is an ongoing process.
Ask: What do you like to do online that makes you feel good about yourself? What kinds of interactions make you feel anxious, excluded, or sad? How much time online do you think is healthy?
Act: Digital wellness begins at home. To help kids “curb the urge” to post so frequently, give them a “quality over quantity” challenge. Establish tech curfews and balance screen time to green time. Choose apps and products that include wellbeing features in their design. Consider security software that blocks inappropriate apps, filters disturbing content, and curbs screen time.
Media literacy is the ability to access, analyze, evaluate, and create media in a variety of forms. It’s the ability to think critically about the messages you encounter.
Highlight: Technology has redefined media. Today, anyone can be a content creator and publisher online, which makes it difficult to discern the credibility of the information we encounter. The goal of media literacy curriculum in education is to equip kids to become critical thinkers, effective communicators, and responsible digital citizens.
Ask: Who created this content? Is it balanced or one-sided? What is the author’s motive behind it? Should I share this? How might someone else see this differently?
Act: Use online resources such as Cyberwise to explore concepts such as clickbait, bias, psychographics, cyberethics, stereotypes, fake news, critical thinking/viewing, and digital citizenship. Also, download Google’s new Be Internet Awesome media literacy curriculum.
Empathy is stepping into the shoes of another person to better understand and feel what they are going through.
Highlight: Empathy is a powerful skill in the online world. Empathy helps dissolve stereotypes, perceptions, and prejudices. According to Dr. Michelle Borba, empathetic children practice nine habits that run contrary to today’s “selfie syndrome” culture. Empathy-building habits include moral courage, kindness, and emotional literacy. Without empathy, people can be “mean behind the screen” online. But remember: There are also a lot of people practicing empathy online who are genuine “helpers.” Be a helper.
Ask: How can you tell when someone “gets you” or understands what you are going through? How do they express that? Is it hard for you to stop and try to relate to what someone else is feeling or see a situation through their eyes? What thoughts or emotions get in your way?
Act: Practice focusing outward when you are online. Is there anyone who seems lonely, excluded, or in distress? Offer a kind word, an encouragement, and ask questions to learn more about them. (Note: Empathy is an emotion/skill kids learn over time with practice and parental modeling).
Cyberbullying is the use of technology to harass, threaten, embarrass, shame, or target another person online.
Highlight: Not all kids understand the scope of cyberbullying, which can include spreading rumors, sending inappropriate photos, gossiping, subtweeting, and excessive messaging. Kids often mistake cyberbullying for digital drama and overlook abusive behavior. While kids are usually referenced in cyberbullying, the increase in adults involved in online shaming, unfortunately, is quickly changing that ratio.
Ask: Do you think words online can hurt someone more than words said face-to-face? Why? Have you ever experienced cyberbullying? Would you tell a parent or teacher about it? Why or why not?
Act: Be aware of changes in your child’s behavior and pay attention to his or her online communities. Encourage kids to report bullying (aimed at them or someone else). Talk about what it means to be an Upstander when bullied. If the situation is unresolvable and escalates to threats of violence, report it immediately to law enforcement.
We hope these five concepts spark some lively discussions around your dinner table this week. Depending on the age of your child, you can scale the conversation to fit. And don’t be scared off by eye rolls or sighs, parents. Press into the hard conversations and be consistent. Your voice matters in their noisy, digital world.
The post 5 Digitally-Rich Terms to Define and Discuss with Your Kids appeared first on McAfee Blogs.
Fifty attorneys general announced earlier this month that Google is the target of an antitrust probe. Any business owner who has happened to find themselves stuck in the company’s orbit–that would be any company with a digital presence–won’t hesitate to tell you such a move is long overdue.
Case in point: I just did a Google search for Basecamp, an online project management tool. The first two hits were for different companies–Smartsheet and Monday.com. Not too long ago, the same search resulted in a first hit featuring Basecamp, but it was an ad. The copy: “We don’t want to run this ad.”
“We’re the #1 result,” Basecamp’s ad copy continued, “but this site lets companies advertise against us using our brand. So here we are. A small, independent co. forced to pay ransom to a giant tech company.”
Basecamp founder and CEO Jason Fried doubled down on this sentiment on his Twitter feed, stating “[Y]ou’re forced to pay up if you want to be found. It’s a shakedown. It’s ransom.”
An Offer Businesses Can’t Refuse
Fried is by no means alone. Any business with an online presence has at one time or another played by Google’s rules to stay competitive. For most, it’s a daily reality. The reason is simple. Most businesses need websites, and websites need to follow Google’s best practices to be found in online searches, terms Google can dictate because it currently holds about 92 percent of the worldwide search market.
Google can make drastic changes to these best practices that have effectively buried companies overnight. A business that finds itself out of Google’s good graces, or in the case of Basecamp, finds itself nestled one or two slots beneath competitor ads in search results, would need to create a paid campaign via Google Ads (38.2 percent of the online advertising market) and pay to show up in search results.
A business with a physical location that wants to show up in local search results needs to create an account for Google My Business, so it can show up in Google Maps (which accounts for 67 percent of navigation app usage), but also needs to keep an eye on Google Reviews left on its business listing. The performance of ads, search traffic, and app usage can all be tracked via Google Analytics (over 70 percent of the analytics market), which provides business owners (and Google, of course) detailed information about who’s visiting their websites or using their apps. Most of these users will be using Google’s Chrome web browser (64 percent of users worldwide), on a device running Android (76 percent of mobile users worldwide), which was, of course, developed by Google.
Per Bob Dylan, “It doesn’t take a weatherman to tell which way the wind blows.” It would seem that Google has a monopoly, but that’s for the court to decide. On the face of it, it’s not necessarily bad news; anyone who remembers the days of phone books, mail order catalogs, and paper maps is most likely glad for the convenience of the services Google provides–businesses and consumers alike.
What’s problematic is the necessity of it all. It’s all but impossible for a business to opt out of Google’s services. Even taco trucks have websites. It’s equally difficult for us as consumers to opt out entirely, although alternatives (e.g., iOS, Apple Maps, and Bing) do exist. The fact is that businesses and industries that don’t in some way rely on at least one of Google’s services to be discovered are few and far between.
Our Data Is Valuable
However much value our data has, the fact remains that Google charges us to share it with Google. Nice work if you can get it, right?
When companies use Google’s services to make themselves known to the world, they have to share data on themselves, and also on their customers and clients. Every search query leading to a site, every ad click, every map search, and every visit tracked by analytics is actively helping Google build its library of information on as many people as possible–even people who have never actually used the internet.
As Google continues to expand its services, its ecosystem is oozing into businesses that have no choice but to pony up and participate or be lost in cyberspace. The evolution thus far points to the possibility of increasingly Orwellian methods in the realm of advertising and data collection.
What do I mean by Orwellian? Google Home and Nest products are aggressively moving into the field of facial recognition, and, of course, the company is thus far characteristically coy about the intended uses for the data thus collected.
“We can never say never,” said Google’s general manager of Home and Nest products when asked if data from face scanning would be used to target consumers for advertising. He added that it is not being used for that purpose now.
It’s far too soon to tell how the antitrust probe of Google will turn out, and it’s guaranteed to take a long time to play out. One thing is certain: The stakes are just as high, if not higher, for businesses as they are for consumers, and we all would be better served were we not being served by Google’s tentacular array of services.
The post It’s Google’s World. Your Business Is Just Living in It appeared first on Adam Levin.
As the British MPs and the EU representatives continue to discuss the specifics of the upcoming Brexit, nothing is yet settled. In this murky context, companies in the UK, and companies working with companies in the UK, are rightly confused.
What about GDPR, the transnational European data protection regulation to which we were just beginning to adjust?
Will there still be a GDPR after Brexit, for the UK space?
If it will change, how so?
Should a new kind of data protection compliance regulation be created for the UK instead of GDPR?
All these topics are intensely debated right now across all business mediums. Unfortunately, there’s a lot of uncertainty and a lot of Brexit and GDPR myths as well.
Let’s walk through everything together and see what will really happen with GDPR after Brexit under each possible scenario.
Possible Brexit Scenarios
For now, British politicians are still stuck debating whether to accept the withdrawal agreement on the table or leave with no deal.
There are several possible outcomes, depending on what is decided on these counts:
- Whether they accept the withdrawal agreement (the deal) or not;
- Whether they ask for a delay (Brexit, and the deal-or-no-deal debate, simply get postponed);
- Whether they try to negotiate a new deal.
Regardless of what happens next, the UK and companies connected to this space will still need to deal with GDPR. The GDPR after Brexit issue is not going anywhere.
Even in the most extreme outcomes, data compliance will still be on the agenda. Let’s take a few examples.
A. GDPR after Brexit with a deal
The deal currently on the table keeps GDPR in force. If the British MPs somehow agree on the deal before the 31st of October deadline, Brexit goes through as planned, GDPR is part of the agreement with the EU, and the current data protection rules stay in place.
In this case, you have nothing to change: GDPR rules stay in place as they are.
B. GDPR if Brexit is delayed and renegotiated
If the British MPs ask for a deadline extension to be able to hopefully gain consensus until then, GDPR essentially remains in place. Until the new deal is discussed and agreed upon, the UK does not technically leave the EU.
That means all European laws and UK-EU agreements stay the same as they were, including the GDPR, at least for the deadline extension.
The party that initiated Brexit and continues to push hardest for it says delaying is not an option. But considering that Parliament can’t seem to reach a consensus on how and when to exit the EU, or even on whether to exit at all, a delay is very possible.
C. GDPR after Brexit with no deal (Hard Brexit)
If the UK refuses the deal, this will probably open up a whole can of worms of legal contention.
Until the issues are hashed and rehashed through the courts, GDPR’s status in the UK will be a big question mark.
One way or another, as Baroness Neville-Rolfe said while she was the British minister responsible for data protection, even if GDPR no longer applies in the UK, very similar legislation will need to be put in place.
“One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection,” Neville-Rolfe said. “This will be a major consideration in the UK’s negotiations going forward.”
While it’s not clear if the UK will still adhere to GDPR after Brexit, or adhere to a similar framework (such as the Privacy Shield, see below), or submit to being independently evaluated,
Useful Info for a GDPR after a No-Deal Brexit:
- The documents and criteria for the EU’s adequacy decisions (how they decide a country provides adequate data protection and is therefore trustworthy);
- The Privacy Shield Framework: an arrangement that allows certified US organizations to receive personal data from the EU while committing to EU-level data protection standards. The UK could seek a comparable arrangement of its own;
- The Official GDPR FAQs – on the main GDPR portal.
There are 5 possible scenarios for a GDPR after Brexit with no deal, depending on your role in the data ecosystem.
We’ll tackle each one, but rest assured that the matter of data protection will not return to its pre-GDPR state. Once the world started taking data protection and privacy concerns seriously (and rightly so), there’s no turning back.
Here are the 5 possible scenarios for GDPR after Brexit with no deal:
In all data exchanges, we can speak of data controllers and data processors.
Data controllers are the business entities which collect the data of their clients and contacts (often in order to provide them with services) AND decide the purposes for which that data will be processed.
Data processors are the business entities which process the data on behalf of a data controller (besides any employees of the controller).
Data subjects are the people whose personal data is being processed.
We’ve drawn the 5 possible scenarios for a GDPR after Brexit, depending on the role of the business in the data flow.
- Scenario 1: Controllers in the UK, providing services for UK people and entities and sharing no personal data with organizations outside the UK;
- Scenario 2: Controllers in the UK, providing services for the UK but involved with processors in the EU (or anywhere else outside the UK);
- Scenario 3: Controllers in the UK, providing services for people and business entities in the EU;
- Scenario 4: Processors in the UK, acting on behalf of controllers or processors in the EU (or UK and EU);
- Scenario 5: Processors in the UK, acting on behalf of controllers or processors in the UK.
#1. Scenario 1
This scenario is rather simple. Even though there are not a lot of cases like this in real life, since data circulation is never as tightly sealed as this, it has to be covered by any guide.
If you’re among the rare few UK controllers who only provide services in the UK and have no dealings with non-UK processors, you’re lucky. You don’t really need to concern yourself with GDPR after Brexit.
The data protection laws you will need to abide by after Brexit are going to be more or less the same as the ones you are used to and will be communicated by UK authorities in due time.
It’s highly possible that after the UK leaves EU with no deal, the controllers doing business solely in the UK will need to comply with the Data Protection Act 2018 (DPA2018) instead of the GDPR. Or, another likely possibility is that GDPR will be absorbed into UK’s own laws upon Brexit (even with no deal).
In any case, the controllers defined by scenario 1 are the least affected by the GDPR after Brexit issue, because nothing will actually change for them.
#2. Scenario 2
Most small UK businesses fall into this category: controllers in the UK who use processors outside the UK. Basically, anyone who relies on international services like Microsoft, Facebook, or Dropbox fits this second scenario.
Legally, nothing really changes in this case either, because GDPR after Brexit will mean following the UK’s own data protection law, DPA2018. Since processors outside the UK will still be GDPR compliant, nothing hinders these UK controllers from continuing to use their services.
#3. Scenario 3
In scenario 3, the UK controllers are not just working with non-UK processors but they are even serving EU-based clients or having EU offices and so on. In this case, the situation is a bit murkier.
The problem is that communicating between various branches and entities involved in the business process might be stalled by GDPR after Brexit.
To be proactive, appoint a representative established in the EU (GDPR Article 27 generally requires one of controllers outside the EU that serve people in the EU) and put a recognized transfer mechanism, such as the EU’s standard contractual clauses, in place for personal data flowing from the EU to the UK until an adequacy decision covers the UK. That is what the EU requires of third countries, which the UK will effectively become. Appointing a DPO (Data Protection Officer) is good practice and is mandatory for some organizations, but on its own it does not legitimize transfers to a third country.
That takes care of compliance on paper, but be warned that the paperwork might not be the worst of it. Because of the extra hassle, it’s very likely that winning more clients in the EU market will become harder; you will be competing with EU controllers who have no post-Brexit ambiguity to sort through.
#4. Scenario 4
After May 2018, every processor in the UK working for EU organizations had to have a contract in place stipulating how personal data would be handled (GDPR Article 28). The issue is that those contracts and agreements were written with the UK as an EU member state, which will no longer be true.
This means that all this paperwork will need to be redone. It’s best if you are proactive and start sending out the revised forms as soon as the Brexit decision is concluded one way or another.
There is the risk that some of your business partners will decline to re-sign, but you do the best with what you have and move on. Continuing to do business with them without sound paperwork is too great a risk to take.
#5. Scenario 5
For processors in the UK working only with data of people within the UK (and for controllers in the UK), the same applies as in Scenario 1. In other words, nothing changes, there is no extra concern to be had.
Cybersecurity Risks of GDPR after Brexit: A Few Words of Caution
As you can see by now, GDPR after Brexit will bring a lot of paperwork in many cases. Not just paperwork, but also a lot of communications going on with partners across national frontiers.
Because these communications will be out of the ordinary, and the Brexit situation is new to everyone, they create a huge opportunity for cybercriminals.
Be wary of any email you receive about Brexit and GDPR matters, especially if the sender is prompting you to do something involving sensitive data or payments. Don’t enter your login details on any page it links to (it could be a phishing attempt), and don’t act on requests from people you have no prior relationship with.
Business Email Compromise (BEC) is a growing and costly threat. The little chaos which will likely flood everyone’s emails concerning GDPR after Brexit is the perfect opportunity for BEC attacks.
Spam filters are not enough to tackle it: verify every unexpected request with the sender through a channel you already trust (a known phone number, not the contact details in the email), and use an email security solution designed to counter BEC attacks.
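To turn "check every email" into something repeatable, here is a small triage script (an added example, not Heimdal’s product or code) that scores an inbound message on the signals a BEC investigation looks at: whether the receiving mail server’s Authentication-Results header shows SPF, DKIM and DMARC passing, whether Reply-To points to a different domain than From, whether the sender’s domain imitates a partner you actually work with, and whether the text leans on urgency and payment changes. The sample message, the partner allow-list and every domain in it are constructed for the example; wire real decisions to out-of-band verification, not to the score alone.

```python
"""Triage an inbound email for Business Email Compromise signals.

Added example, not Heimdal's product or code. It checks what a human would check by hand:
sender authentication results, a Reply-To that points somewhere else, a From domain that
imitates a partner you actually work with, and pressure/payment language. The sample
message, the partner list and all domains are constructed for the example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional, Set

# Constructed allow-list: domains of partners you really exchange contracts with.
KNOWN_PARTNERS: Set[str] = {"acme.com"}
PRESSURE = re.compile(r"\b(urgent|immediately|today|end of day|wire|new account|bank details)\b", re.I)

# Constructed sample: a typical post-Brexit "re-sign and pay" lure with a lookalike domain.
SAMPLE_RAW = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=acme-gdpr.com; dkim=none; dmarc=fail header.from=acme-gdpr.com
From: "Finance, ACME Ltd" <finance@acme-gdpr.com>
Reply-To: acme.finance@mail-example.net
To: accounts@example.org
Subject: URGENT: re-sign GDPR processor agreement and new bank details (Brexit)

Following Brexit we must re-sign the processor agreement today. Please wire the
outstanding invoice to the new account below and confirm by end of day.
"""


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of a partner domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: Set[str]) -> Optional[str]:
    """Return the partner domain this one imitates: same first label plus extra words
    (acme-gdpr.com) or a one-character typo (acmee.com). Exact matches are not lookalikes."""
    if domain in known:
        return None
    label = domain.split(".")[0]
    for k in known:
        klabel = k.split(".")[0]
        if klabel in re.split(r"[^a-z0-9]+", label) or levenshtein(label, klabel) <= 1:
            return k
    return None


def auth_results(msg) -> Dict[str, str]:
    """Pull spf/dkim/dmarc verdicts out of the receiving MTA's Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def score_message(raw: str, known: Set[str] = KNOWN_PARTNERS) -> Dict:
    """Return the From domain, a coarse risk level and the list of concrete findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    failed = [f"{k}={v}" for k, v in auth_results(msg).items() if v != "pass"]
    if failed:
        findings.append("sender authentication not passing: " + ", ".join(failed))
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    imitated = lookalike_of(from_dom, known)
    if imitated:
        findings.append(f"From domain {from_dom} imitates partner {imitated}")
    text = str(msg.get("Subject", "")) + "\n" + str(msg.get_payload())
    words = sorted({m.group(0).lower() for m in PRESSURE.finditer(text)})
    if words:
        findings.append("pressure/payment language: " + ", ".join(words))
    risk = "high" if len(findings) >= 3 else "medium" if findings else "low"
    return {"from_domain": from_dom, "risk": risk, "findings": findings}


if __name__ == "__main__":
    report = score_message(SAMPLE_RAW)
    print(report["from_domain"], report["risk"])
    for line in report["findings"]:
        print("-", line)
```

Treat the output as a prompt for a human check, not a verdict: a "high" on a request to change bank details means you pick up the phone to the number you already have on file before anyone touches the payment run.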
Wrapping it up
I hope this guide helped clear the confusion surrounding GDPR after Brexit. In any case and however convoluted the Brexit process will continue to be, you should take some steps to prepare for the future.
Just look up your own business situation in the scenarios above and find out what can you expect even if we’ll have a no-deal Brexit. Good luck and drop us a line with any concern you might have.
The post GDPR after Brexit: No Deal and All Other Exit Scenarios Explained appeared first on Heimdal Security Blog.
The trade war with China has reached a new industry: subway cars. Congress is considering legislation that would prevent the world's largest train maker, the Chinese-owned CRRC Corporation, from competing on new contracts in the United States.
Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about "spy trains," and the possibility that the train cars might surreptitiously monitor their passengers' faces, movements, conversations or phone calls.
This is a complicated topic. There is definitely a national security risk in buying computer infrastructure from a country you don't trust. That's why there is so much worry about Chinese-made equipment for the new 5G wireless networks.
It's also why the United States has blocked the cybersecurity company Kaspersky from selling its Russian-made antivirus products to US government agencies. Meanwhile, the chairman of China's technology giant Huawei has pointed to NSA spying disclosed by Edward Snowden as a reason to mistrust US technology companies.
The reason these threats are so real is that it's not difficult to hide surveillance or control infrastructure in computer components, and if they're not turned on, they're very difficult to find.
Like every other piece of modern machinery, modern train cars are filled with computers, and while it's certainly possible to produce a subway car with enough surveillance apparatus to turn it into a "spy train," in practice it doesn't make much sense. The risk of discovery is too great, and the payoff would be too low. Like the United States, China is more likely to try to get data from the US communications infrastructure, or from the large Internet companies that already collect data on our every move as part of their business model.
While it's unlikely that China would bother spying on commuters using subway cars, it would be much less surprising if a tech company offered free Internet on subways in exchange for surveillance and data collection. Or if the NSA used those corporate systems for their own surveillance purposes (just as the agency has spied on in-flight cell phone calls, according to an investigation by the Intercept and Le Monde, citing documents provided by Edward Snowden). That's an easier, and more fruitful, attack path.
We have credible reports that the Chinese hacked Gmail around 2010, and there are ongoing concerns about both censorship and surveillance by the Chinese social-networking company TikTok. (TikTok's parent company has told the Washington Post that the app doesn't send American users' info back to Beijing, and that the Chinese government does not influence the app's use in the United States.)
Even so, these examples illustrate an important point: there's no escaping the technology of inevitable surveillance. You have little choice but to rely on the companies that build your computers and write your software, whether in your smartphones, your 5G wireless infrastructure, or your subway cars. And those systems are so complicated that they can be secretly programmed to operate against your interests.
Last year, Le Monde reported that the Chinese government bugged the computer network of the headquarters of the African Union in Addis Ababa. China had built and outfitted the organization's new headquarters as a foreign aid gift, reportedly secretly configuring the network to send copies of confidential data to Shanghai every night between 2012 and 2017. China denied having done so, of course.
If there's any lesson from all of this, it's that everybody spies using the Internet. The United States does it. Our allies do it. Our enemies do it. Many countries do it to each other, with their success largely dependent on how sophisticated their tech industries are.
China dominates the subway car manufacturing industry because of its low prices -- the same reason it dominates the 5G hardware industry. Whether these low prices are because the companies are more efficient than their competitors or because they're being unfairly subsidized by the Chinese government is a matter to be determined at trade negotiations.
Finally, Americans must understand that higher prices are an inevitable result of banning cheaper tech products from China.
We might willingly pay the higher prices because we want domestic control of our telecommunications infrastructure. We might willingly pay more because of some protectionist belief that global trade is somehow bad. But we need to make these decisions to protect ourselves deliberately and rationally, recognizing both the risks and the costs. And while I'm worried about our 5G infrastructure built using Chinese hardware, I'm not worried about our subway cars.
This essay originally appeared on CNN.com.
EDITED TO ADD: I had a lot of trouble with CNN's legal department with this essay. They were very reluctant to call out the US and its allies for similar behavior, and spent a lot more time adding caveats to statements that I didn't think needed them. They wouldn't let me link to this Intercept article talking about US, French, and German infiltration of supply chains, or even the NSA document from the Snowden archives that proved the statements.
The European Court of Justice ruled that the E.U.’s “right to be forgotten” privacy law only applies within the borders of its member states.
“Currently, there is no obligation under E.U. law, for a search engine operator who grants a request for de-referencing made by a data subject… to carry out such a de-referencing on all the versions of its search engine,” stated the ruling.
The court’s decision stemmed from a legal battle between online search giant Google and French privacy regulator CNIL. CNIL had called for Google to remove any references containing potentially damaging or libelous information worldwide, and attempted to impose a €100,000 fine for non-compliance.
This is the first major court decision to challenge the “right to be forgotten” online since it became effective in 2014. The right, also called the “right to erasure”, grants E.U. citizens the ability to have data collected about them deleted. Google reports that it has received over 840,000 such requests, and has removed 45% of the referenced links.
“Courts or data regulators in the U.K., France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see,” said the executive director of privacy group Article 19 in a statement.
How is private medical data leaking onto the streets of Milton Keynes, what is widening the cybersecurity skills gap, and how is Australia controversially tackling the problem of drivers using their mobile phones?
All this and more can be heard in the latest “Smashing Security” podcast.
Messages can only be seen under UV light and can be erased using a hairdryer
Forget lemon juice and hot irons, there is a new way to write and read invisible messages – and it can be used again and again.
The approach, developed by researchers in China, involves using water to print messages on paper coated with manganese-containing chemicals. The message, invisible to the naked eye, can be read by shining UV light on the paper.
Another day, another embarrassing data leak made the headlines: the online dating app Heyyo left a server exposed on the internet.
The online dating app Heyyo left a server exposed on the internet without protection; the data were stored on an Elasticsearch instance.
The exposed data included personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users.
The data left exposed online included:
- Phone numbers
- Email addresses
- Dates of birth
- Profile pictures and other images
- Facebook IDs for users who linked their profiles
- Instagram IDs for users who linked their profiles
- Longitude and latitude
- Who liked a user’s profile
- Liked profiles
- Disliked profiles
- Superliked profiles
- Blocked profiles
- Dating preferences
- Registration and last active date
- Smartphone details
The news was first reported by ZDNet who was informed about the incident by security researchers from WizCase.
“Avishai Efrat, Wizcase leading
ZDNet verified the authenticity of the data and contacted the Turkey-based company behind Heyyo to notify it of the leak, but the company did not reply for a week.
While waiting for a reply from the development team, the experts noticed that the number of registered users grew from 71,769 to 71,921. The experts also registered an account and verified that the associated data were leaked online. This suggests that the server was a live production system.
The server was taken down today after ZDNet contacted Turkey’s Computer Emergency Response Team (CERT).
Clearly, the exposure of this type of data poses serious risks to users’ privacy, including extortion.
At the time of writing it is unclear if anyone else had access to the exposed database.
(SecurityAffairs – Heyyo, hacking)
The post Heyyo dating app left its users’ data exposed online appeared first on Security Affairs.
A federal appellate court ruled that mining and aggregating user data publicly posted to social media sites is allowable by law.
In an opinion released earlier this month, the 9th Circuit U.S. Court of Appeals upheld an injunction barring employment-centric social network LinkedIn from blocking access to hiQ, a data mining company that sells aggregated user information.
LinkedIn sent a cease-and-desist letter to hiQ in 2017 requesting that the company stop accessing and copying data from its servers. The letter warned hiQ that further aggregation activity would violate state and federal laws, including the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), and the California common law of trespass. HiQ responded with a suit against LinkedIn and requested a temporary restraining order against them, which was granted by the district court and upheld by the 9th Circuit.
While the court’s ruling was a response to the potential for “irreparable harm” to hiQ caused by depriving them of access to data, the decision as it pertains to the collection and dissemination of data could have major implications for online privacy:
“[T]here is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do,” stated the court’s opinion.
The opinion went on to assert that the CFAA didn’t apply to hiQ, since “the CFAA’s prohibition on accessing a computer ‘without authorization’ is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer.”
As things stand now with this legal battle, information displayed publicly on a website is fair game for third parties seeking to aggregate its user data, regardless of whether their activities conflict with the web service’s user license agreement or the wishes of its users. The ruling also limits the definition of “unauthorized access” to content protected behind a password or some other means of authorization.
It is unclear how this ruling would apply in states with more stringent privacy requirements, or how it impacts data accidentally exposed to the public because of poor cybersecurity or human error, but the case does raise several questions about the ownership of and access to user data.
With the release of iPhone 11 and its two Pro variants, Apple has released iOS 13, a substantial functional update of its popular mobile operating system. But while many users are happy to finally get a complete Dark Mode for the device or a better phone camera, some are more interested in security and privacy enhancements. Location data On iOS 13, users will be able to control the location data shared with apps with more … More
The post What security and privacy enhancements has iOS 13 brought? appeared first on Help Net Security.
Maria Farrell has a really interesting framing of information/device privacy:
What our smartphones and relationship abusers share is that they both exert power over us in a world shaped to tip the balance in their favour, and they both work really, really hard to obscure this fact and keep us confused and blaming ourselves. Here are some of the ways our unequal relationship with our smartphones is like an abusive relationship:
- They isolate us from deeper, competing relationships in favour of superficial contact -- 'user engagement' -- that keeps their hold on us strong. Working with social media, they insidiously curate our social lives, manipulating us emotionally with dark patterns to keep us scrolling.
- They tell us the onus is on us to manage their behavior. It's our job to tiptoe around them and limit their harms. Spending too much time on a literally-designed-to-be-behaviorally-addictive phone? They send company-approved messages about our online time, but ban from their stores the apps that would really cut our use. We just need to use willpower. We just need to be good enough to deserve them.
- They betray us, leaking data / spreading secrets. What we shared privately with them is suddenly public. Sometimes this destroys lives, but hey, we only have ourselves to blame. They fight nasty and under-handed, and are so, so sorry when they get caught that we're meant to feel bad for them. But they never truly change, and each time we take them back, we grow weaker.
- They love-bomb us when we try to break away, piling on the free data or device upgrades, making us click through page after page of dark pattern, telling us no one understands us like they do, no one else sees everything we really are, no one else will want us.
- It's impossible to just cut them off. They've wormed themselves into every part of our lives, making life without them unimaginable. And anyway, the relationship is complicated. There is love in it, or there once was. Surely we can get back to that if we just manage them the way they want us to?
Nope. Our devices are basically gaslighting us. They tell us they work for and care about us, and if we just treat them right then we can learn to trust them. But all the evidence shows the opposite is true.
Facebook announced it has suspended tens of thousands of apps as a result of a review of privacy practices launched following the Cambridge Analytica scandal.
In April 2018, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, far more than the 50 million initially thought. The company had allowed access to the personal data of around 87 million Facebook users without their explicit consent.
After the Cambridge Analytica privacy scandal in 2018, the social network giant launched a review of privacy practices. Facebook’s review of all apps on the platform aimed to identify abuse of user data and violations of its privacy rules.
Facebook has now announced the suspension of tens of thousands of apps.
According to vice president of partnerships Ime Archibong, the suspensions are “not necessarily an indication that these apps were posing a threat to people.” Archibong also added that some “did not respond to our request for information.”
In July, the United States Federal Trade Commission (FTC) approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.
“Any developer that doesn’t go along with these requirements will be held accountable.” concluded Archibong.
(SecurityAffairs – social network, privacy)
The post Facebook suspends tens of thousands of apps from hundreds of developers appeared first on Security Affairs.
“Smart” devices might be handy and offer higher quality services, but users should be aware that everything comes with a price. And we’re not talking here about the price of the actual device, but of the fact that these devices collect device, user and user behavior information and send it to a variety of third-parties. This information might currently be worthless to users, but it’s worth a lot to companies: it is used to improve … More
The post Should you trust your smart TV or streaming device? appeared first on Help Net Security.
Many organizations’ privacy statements fail to meet common privacy principles outlined in GDPR, CCPA, PIPEDA, including the user’s right to request information, to understand how their data is being shared with third parties and the ability of that information to be deleted upon request, according to the Internet Society’s Online Trust Alliance (OTA). Organizations also have a duty to notify users of their rights in an easily understandable matter. OTA analyzed 29 variables in 1,200 … More
The post Organizations continue to struggle with privacy regulations appeared first on Help Net Security.
Once again concerns are being raised about the sorry state of IoT security, after a security researcher discovered over 15,000 private webcams that have been left wide open for anyone with an internet connection to spy upon.
Read more in my article on the Bitdefender BOX blog.
Once, not long ago, data was nestled in paper files or stored on isolated computer networks, housed in glassed-off, air-conditioned rooms. Now, data is digital, moves effortlessly, and gets accessed from devices and places around the world at breakneck speeds. This makes it possible for businesses, organizations, and even individuals to collect and analyze this data for a whole host of purposes, such as advertising, insurance proposals, and scientific research, to name but a few. The data they are collecting and accessing about you is part of your personal data lake.
Data lake is a term that technologists typically use, but for us, using the term paints a strong visual for an important concept—how we create an extraordinary amount of data simply by going online and using connected devices. Your online interactions create drops of data that collect into streams, and pool together to form an ever-deepening lake of data over time. It stands to reason that the more time you spend online, connecting devices in your home and accessing a growing number of applications on your smartphone, the more quickly your personal data lake grows.
As you can imagine, your privacy and security are what’s at stake as you go about your digital life. Ultimately, the more data you share, either knowingly or unknowingly, the more that data potentially puts you at risk. This is true for you and your family members. The stakes get even higher because some of our own behavior can put us at risk. The internet is a platform with a global reach and a forever memory. What you say, do, and post can have a lifetime of implications. As a family, each member has a personal responsibility to look after themselves and each other. This unwritten contract extends to the internet because our actions there can impact our personal and professional lives, not to mention the lives of others. This book is laden with examples of how people get passed over for jobs, ruin romantic relationships, and end up doing actual physical harm to others because of what they say, do, or post online, ranging from sharing a picture of someone passed out at a party because it seemed funny at the time, to something calculated and intentionally injurious, like cyberbullying.
With people admitting that they spend more and more time online while connecting more and more devices in their homes, it’s time to understand the permanence of those behaviors and how they can impact all aspects of your life. As you go through the book you’ll better understand how your personal data lake is constantly growing, and you’ll find useful tips you can use to better manage your information.
Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.
The post Chapter Preview: It All Starts with Your Personal Data Lake appeared first on McAfee Blogs.
The security, privacy and safety of connected autonomous vehicles (CAVs) has been improved thanks to testing at WMG, University of Warwick. CAVs can now connect to each other, roadside infrastructure, and roadside infrastructure to each other more securely. In the near future connected and autonomous vehicles are expected to become widely used across the UK. To ensure a smooth deployment, researchers from WMG, University of Warwick undertook real-world testing of four academic innovations in the … More
The post Improving the security, privacy and safety of future connected vehicles appeared first on Help Net Security.
Greenbone Networks has released details of new research into the security of the servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans. Of the 2,300 medical image archive systems worldwide that Greenbone analyzed between mid-July and early September 2019, 590 of them were freely accessible on the internet, together containing 24.3 million data records from patients located in 52 different countries. … More
The post Confidential data of 24.3 million patients discovered online appeared first on Help Net Security.
44% of Americans, 38% of Brits, 33% of Australians, and 37% of Canadians have been the victim of a data breach, according to newly released research conducted by PCI Pal. The findings suggest that a combination of recent high-profile data breaches in each region, the development of assorted laws and regulations to protect consumer data privacy (e.g. the California Consumer Privacy Act, Europe’s General Data Protection Regulations, Canada’s Personal Information Protection and Electronic Documents Act, … More
The post Businesses facing post breach financial fallout by losing customer trust appeared first on Help Net Security.
Researchers discover that confidential images of X-rays, CT and MRI scans related to millions of patients have been left unprotected on hundreds of servers used by health providers worldwide.
If you’re a citizen of Ecuador, chances are that you’ve had your personal and financial information exposed after an ElasticSearch server was left unsecured.
Victims even include Wikileaks founder Julian Assange…
A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children.
The database was discovered by vpnMentor and was traced back to Ecuadorean company Novaestra. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.
“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” stated a blog from vpnMentor announcing the discovery of the leak. “Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud.”
The leaked data also included financial information for individuals and businesses including bank account status, account balance, credit type, job details, car models, and car license plates.
“The information in both indexes would be as valuable as gold in the hands of criminal gangs,” wrote ZDNet reporter Catalin Cimpanu. “Crooks would be able to target the country’s most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners’ home addresses and license plate numbers).”
The exposed database was on a server running Elasticsearch, a software program that enables users to query large amounts of data. Elasticsearch has been involved in several high profile data leaks, mostly due to configuration mistakes. Other recent Elasticsearch leaks included a Canadian data mining firm’s records for 57 million US citizens, a medical database storing the data on 85 percent of Panamanian citizens, and a provincial Chinese government database that contained 90 million personal and business records.
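The configuration mistake behind these Elasticsearch exposures (including the Heyyo and Dealer Leads leaks above) is usually the same one: a node bound to a reachable interface with authentication never turned on. The following is an added example, not code from this article or from Elastic, that audits an elasticsearch.yml for that combination; it assumes the file uses flat dotted keys (as elasticsearch.yml conventionally does), and both sample configurations are constructed.

```python
"""Audit a flat elasticsearch.yml for the settings that turn a node into a
public dataset: bound to a non-loopback interface with security left off.

Added example, not code from the article or from Elastic. A minimal parser
handles the flat `dotted.key: value` lines of elasticsearch.yml so the
script needs only the standard library. Sample configs are constructed.
"""
from typing import Dict, List, Optional

# Values of network.host that keep the node on the local machine only.
LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse flat `key: value` lines; comments and blank lines are skipped.

    Nested YAML is out of scope: elasticsearch.yml is conventionally written
    as dotted keys, which is all this audit needs.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def as_bool(value: Optional[str], default: bool) -> bool:
    """Interpret a YAML boolean, falling back to the documented default."""
    return default if value is None else value.lower() == "true"


def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings describing why this node would leak to the network.

    Caveat: a firewall or reverse proxy in front of the node is invisible
    here, so treat a clean result as necessary, not sufficient.
    """
    findings: List[str] = []
    # Elasticsearch binds to loopback unless network.host is set; any other
    # value (0.0.0.0, _site_, _global_, an interface or address) is reachable.
    host = settings.get("network.host", "_local_")
    exposed = host not in LOOPBACK
    # Security is off by default in the 6.x/7.x releases current in 2019
    # (8.0 later turned it on by default).
    security_on = as_bool(settings.get("xpack.security.enabled"), False)
    port = settings.get("http.port", "9200")
    if exposed and not security_on:
        findings.append(
            f"network.host={host} with xpack.security.enabled=false: the REST "
            f"API on port {port} answers any client without credentials")
    if exposed and security_on and not as_bool(
            settings.get("xpack.security.http.ssl.enabled"), False):
        findings.append(
            "xpack.security.http.ssl.enabled=false: credentials and data "
            "travel in clear text over the network")
    return findings


# Constructed sample: the shape of config behind the leaks described above.
EXPOSED_CONFIG = """
cluster.name: dating-app-prod   # constructed example
network.host: 0.0.0.0           # listen on every interface
http.port: 9200
discovery.type: single-node
"""

# Constructed sample: same node, reachable only with credentials over TLS.
HARDENED_CONFIG = """
cluster.name: dating-app-prod   # constructed example
network.host: 10.0.3.7          # constructed private address
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(parse_flat_yaml(text))
        print(f"{name}: {result if result else 'no findings'}")
```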
The post New Breach Exposes an Entire Nation: Living and the Dead appeared first on Adam Levin.
The Tor Project has raised $86,000 for a Bug Smash fund that it will use to pay developers that will address critical flaws in the popular
The Tor Project has raised $86,000 for a Bug Smash fund that was created to pay developers that will address critical security and privacy issues in the popular
In early August, the Tor Project announced the creation of the Bug Smash Fund, with the intent of paying professionals who will support the organization in maintenance work and smashing bugs.
“The goal of the Bug Smash Fund is to increase the Tor Project’s reserve of funds that allow us to complete maintenance work and smash the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.” reads the announcement published by the Tor Project.
“When we say maintenance and bugs, we are talking about work that is critical—and that we must pay for. This work includes responding quickly to security bugs, improving test coverage, and keeping up with Mozilla’s ESRs. An entire ecosystem relies on us doing so.”
The organization has added donations it received in August 2019 to the Bug Smash Fund.
Any vulnerability that could be used to
“Want to keep up with the work we’re doing with this fund? There are three ways: (1) Follow the “BugSmashFund” trac ticket tag, (2) watch this blog for updates about the progress of these tickets, and (3) make a donation and opt in for our newsletter to get updates directly to your inbox.” concludes the announcement.
The post Tor Project’s Bug Smash Fund raises $86K in August appeared first on Security Affairs.
A researcher discovered an unsecured database exposed online, belonging to car dealership marketing firm Dealer Leads, containing 198 million records.
The researcher Jeremiah Fowler discovered an unsecured database exposed online belonging to car dealership marketing firm Dealer Leads.
The archive contains 198 million records, 413GB of data in total, with information on potential car buyers, vehicles, loan and finance inquiries, log data with visitors’ IP addresses, and more.
“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner.” reports Security Discovery. “I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”
Dealer Leads provides content related to the auto industry for franchise and independent car dealerships; the company’s website describes it with the following statement.
“dominates the automotive digital marketing industry with highly used automobile search strings turned i
The Elastic database was accessible to anyone with a browser; its records included name, email, phone, address, IP, and other sensitive or identifiable information, in plain text.
The archive also included IP addresses, ports, pathways, and storage info.
The good news is that after the expert reported his discovery to the company, it secured the database, restricting public access to the archive.
At the time of writing it is not clear how long the data remained exposed online and if someone had access to its records.
“Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data
“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,”
(SecurityAffairs – hacking, data leak)
The post Dealer Leads, a car dealer marketing firm exposed 198 Million records online appeared first on Security Affairs.
Most U.S. citizens acknowledge and accept that state and local government agencies share their personal data, even when it comes to personal information such as criminal records and income data, according to a new survey conducted by YouGov and sponsored by Unisys. However, the survey found they remain concerned about the security of the data. The survey of nearly 2,000 (1,986) U.S. citizens living in eight states found that more than three-quarters (77%) accept that … More
The post Interacting with governments in the digital age: What do citizens think? appeared first on Help Net Security.
Ever experienced buggy features on your phone? Well, there’s a way to solve them and it does not involve sending your phone packing to the nearest repair shop – it’s called safe mode and, yes, it works just like Microsoft Windows’ repair and debugging environment. So, what is safe mode on my phone? Long story short, it could be your only shot at making that phone of yours work again.
Screen freezes, unresponsive features, cascading restarts – all could be symptoms of a conflicting application. Unfortunately, uninstalling the application in question may not resolve the issue. Anyway, here’s how to switch on safe mode on your phone.
What happens when your phone reboots in safe mode?
Basically, safe mode is an environment where you can debug faulty applications and turn off features that are otherwise hidden in normal mode. A Windows user knows best that in order to completely uninstall an app, you would need to go into safe mode. Well, that’s, more or less, what happens when you use this smartphone feature.
The environment is not at all different from your regular UI – all the apps are there, menus, connectivity options. However, while running in safe mode, you won’t be able to use widgets and some third-party applications; you won’t need them anyway since your goal here is to determine what went wrong with your phone. Well, that’s about it in safe mode. Yes, I know that it’s not a lot, but then again, you can’t get more straightforward than this.
Oh, by the way – most of the smartphone mishaps are generated by latent malware. On that note, I would wholeheartedly recommend using Thor Mobile Security, our latest malware-busting tool. Take it for a spin – first month’s on the house. If you don’t like it, you can always cancel your subscription and rely on your tool of choice.
How do you turn on the safe mode on your phone?
The quickest answer would be that it depends on what operating system your phone runs. Interestingly enough, the procedure’s the same across all iPhone devices, regardless of the OS. I’ll start with this one.
Turning on safe mode on your iPhone
Here’s a rundown on how to switch on the safe mode feature on your iPhone.
Step 1. Power down your phone by holding the power button.
Step 2. Wait until the phone’s completely powered off.
Step 3. Press and hold the power button again.
Step 4. When the screen lights up, hold down the Volume down button. Keep the two buttons pressed until the Apple logo appears on the screen.
Step 5. Your phone will now boot up in safe mode. Now you can safely remove any malfunctioning applications.
That was suspiciously easy, wasn’t it? Told you that the procedure’s the same when it comes to iPhones. Now that the fun part is over, let’s see how to switch on the safe mode on your Android device.
Turning on safe mode on Android
Let me start by showing you how to switch on this feature on most Samsung Galaxy phones.
Step 1. Drag down the notification bar.
Step 2. Tap on the “Safe mode enabled” button.
Step 3. Confirm and wait until your phone restarts. Congrats! Your phone is now operating in a safe mode.
Pitch-perfect! But that’s hardly the only way to switch on the celebrated safe mode. As I might have mentioned, the procedure depends on the type of phone you have. The list below will show you how to enable the feature on your Android phone.
Safe mode on HTC phones
If you have an HTC device, here’s how to switch on the safe mode.
Step 1. Press and hold the Power key. It should be located on the right side of your phone.
Step 2. Hold the Power key for about three seconds.
Step 3. From the power down menu that appears on the screen, tap and hold the Power off icon. After a couple of seconds, a new power down option will appear on your screen – “Reboot to safe mode”.
Step 4. Hit the Restart button. Your phone will now boot up in safe mode.
Safe mode on LG phones
To switch on the safe mode on your LG phone, start by holding the Power key and select the Restart option. Once the LG logo appears on the screen, hold down the Volume Down key. To see if safe mode is enabled, take a closer look at the bottom left corner of the screen. If you followed the above-mentioned steps, a Safe mode icon should appear.
Safe mode on Moto G phones
If you have a Motorola smartphone, please follow these steps in order to enable safe mode.
Step 1. Press and hold the Power key.
Step 2. Please release the power key when the Shut Down menu appears.
Step 3. Long-press the power off button.
Step 4. When the Reboot to Safe Mode option appears on your screen, tap on OK to initiate safe mode.
Safe mode on Huawei smartphones
It’s trickier to switch on safe mode on a Huawei phone since it involves removing the battery. Just follow the steps below.
Step 1. With the phone turned on, remove the back cover.
Step 2. Remove the battery.
Step 3. Put the battery back in the slot.
Step 4. Hold down the Menu.
Step 5. Long-press the Power Key. Don’t let go of that Menu key.
Step 6. If done correctly, the message “Safe Mode” should appear in the lower part of the screen.
Safe Mode on Blackberry PRIVs
Here’s a quick guide on how to turn on the feature on your Blackberry PRIV phone.
Step 1. Long-press the Power button.
Step 2. When the Power Off menu appears on the screen, long-tap the Power Off button.
Step 3. After a couple of seconds, a safe mode prompt will appear on your screen.
Step 4. Tap OK to confirm.
Safe mode on Xiaomi smartphones
There are two ways to enable this feature on your Mi smartphone. Check out the guide below.
First method
Step 1. With the device powered on, long-press the power key.
Step 2. When the power menu appears, let go of the power key.
Step 3. Long-press the Power Off button.
Step 4. After a couple of seconds, the Android Safe Mode message will appear on your screen.
Step 5. Hit the Reboot button to restart the device into safe mode.
Second method
Step 1. Restart your device. You can do that by selecting the Restart option from the Power Off menu.
Step 2. When the Xiaomi logo appears on your screen, tap the Menu key.
Step 3. Continue tapping the menu key until you see the lock screen.
Step 4. The Android Safe Mode message should now be on your screen.
Safe mode on your Oppo smartphone
Oppo phones are the latest addition to the market. Can’t say I’ve had too much contact with them, but from what I’ve gathered, they’re cheap and surprisingly high-performing. So, here’s how to switch on the safe mode on your Oppo phone.
Step 1. Press and hold the Power key.
Step 2. In the Power Off menu, tap and hold the Power Off button. Keep it pressed for a couple of seconds.
Step 3. A second power off menu will appear.
Step 4. Tap on OK to confirm booting into safe mode.
Well, that’s about everything you need to know about the issue at hand (what is safe mode on my phone). As I’ve mentioned, sometimes it may be the only way to get rid of buggy applications and unresponsive features. And, if all else fails, there’s always the restore to factory settings feature. Hope you’ve enjoyed the read and, as always, for comments, rants, beer donations, shoot me a comment.
Apple’s furious with Google over iPhone hacking attacks against Uyghur Muslims in China, DNS-over-HTTPS is good for privacy but makes ISPs angry, and concern over digital assistants listening to our private moments continues to rise.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist John Leyden.
Fifty-one CEOs representing U.S.-based businesses sent an open letter to Congress requesting a comprehensive federal consumer privacy law.
Signed by the CEOs of AT&T, Comcast, General Motors, Mastercard, and Wal-Mart, among others, the letter requested “a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.”
The cosignatories of the letter are members of the Business Roundtable, an association of executives focused on “working to promote a thriving U.S. economy… through sound public policy.”
Attached to the letter was a proposal for a consumer policy framework that encompasses the need for federal legislation to override state privacy laws, a definition of personal data, the creation of a federal standard for data breach notifications, and the assignment of primary enforcement responsibilities to the FTC. The framework also calls for “no private right of action,” meaning that consumers would be unable to bring lawsuits for violations of the law.
While the Business Roundtable requests a more uniform law to “ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws,” many critics suggest that the ulterior motive is to pass a weaker set of privacy protections to supersede more stringent state laws currently in place in Maine and California.
The post More than 50 U.S. Businesses Call For Federal Privacy Law appeared first on Adam Levin.
“I’ve read on my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”
This is a pretty common answer that a lot of bloggers and small business owners give me when I ask them how secure their web hosting is. They often add that their budgets are pretty tight, so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean “ridiculously cheap.”
Come on, people.
Do you really think that a cheap web host has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?
While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.
If you don’t believe me, Google something like “hacked website stories” and you’ll see that many web hosting companies, from some of the cheapest to some well-known ones, don’t have adequate security solutions in place. As a result, lots of people have lost their websites. These horror stories are quite common, and a simple Google search returns plenty of them.
Unfortunately, hackers are becoming more and more skilled at what they do, and stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you’ll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites have been hacked since 12 am).
From what I saw on Internet Live Stats, I could tell that one website was hacked every second. This is horrible, and one of the bad things about this was that many of the owners of these websites thought that they were protected by their web hosting provider.
The next bad thing about all of this is that the number of websites hacked daily is getting higher. For example, there were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as we could see on the live counter, this number has more than tripled in 2019. If this negative trend continues, then we could easily see even more website owners losing their business on a daily basis very soon.
While this information is certainly alarming, website owners are typically to blame for the fact that their website was stolen from them (not trying to be rude here at all). If we dig a little bit deeper into the data on hacked websites, we discover that many use ridiculously simple passwords, poor hosting providers, outdated content management systems (CMS), and do other unwise things that help hackers get in.
For example, many bloggers want to focus on content writing, editing, and lead building rather than think about stuff like hosting. While content proofreading is something they can get help with from numerous online tools like Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.
Next, there’s an issue with passwords. According to a recent survey by the UK’s National Cyber Security Centre (NCSC), 23.2 million web accounts they’ve analyzed had “123456” as a password. Moreover, about 7.7 million people relied on “123456789” for protection of their data, while “password” and “qwerty” were also quite popular with about 3 million users each.
While a password is something that could be changed in a matter of seconds to protect your site against brute force attacks, it may not protect you from most cyber threats. This is the responsibility of a hosting provider, and unfortunately, a lot of people disregard this requirement for web security.
That’s why we’re going to talk about hosting security issues that you should protect your site from.
How Web Hosting Affects the Security of Your Website
Before we talk about major web hosting hazards, let’s quickly discuss the connection between the security of your website and the web hosting you’re using. I’m going to say this right away: choosing a web hosting provider is one of the most important decisions you’ll make when setting up for your website, and the implications go way beyond security.
For example, if you’re a blogger or a business owner, you’ll get:
- A high level of protection against hackers. “This means that you’ll be able to concentrate on content creation,” says Peter O’Brien, a content specialist from Studicus. “If I selected a poor host, I wouldn’t spend so much doing the creative stuff, that’s for sure.”
- A fast loading time. People don’t like to wait; in fact, Google claims that websites that load within 5 seconds have 70 percent longer visitor sessions, 35 percent lower bounce rates, and 25 percent higher viewability compared to websites that load between 5 and 19 seconds. That’s why Google has released the mobile-first indexing update and designed its own PageSpeed Insights tool to help users optimize the performance of their websites.
- High reliability and uptime. Most web hosting companies claim that the websites they service are online for 99.9 percent of the time, but the real time can vary and depends on the quality of the provider.
- Better security. Different web hosting providers offer different security packages, so the websites they power have different levels of protection from hackers. Moreover, a good host can help you recover quickly if you’ve suffered an attack.
Let’s talk a little bit more about the last bullet point. So, how can one tell that their hosting provider is poor? That’s pretty easy:
- Slow loading times. If your website takes more than five seconds to load, chances are that its performance is affected by a hosting provider that has packed a lot of sites onto one server.
- Frequent security issues. If your website doesn’t have backups and suffers from various cyber attacks often, then you should definitely talk to your provider (make sure that your passwords aren’t the problem)
- Regular unexpected downtime. A poor choice of a web hosting provider often leads to this problem, which, in turn, is often caused by overloaded servers. In other words, the provider simply can’t handle the volume of visitors that your website (and other websites hosted on that server) are experiencing.
So, to sum up, the quality of hosting is essential for the success of your online venture, and making a poor choice can lead to disappointing outcomes (just remember the figures from the live counter again). But with so many websites getting hacked on a daily basis, what do you need to know to protect your own? Read the next section to find out.
Beware of these Major Web Hosting Hazards
- Shared Hosting Issues
Shared hosting is a tricky business, and you don’t know how many websites are on the server where your own site lives. It’s quite possible that the number is quite high, up to a thousand, and this could be one of the reasons why your website might be underperforming.
For example, this discussion thread had some interesting information on this. A person asked how many websites are typically served on one shared server, and some of the answers were astonishing! For example, one user responded by writing the following.
Can you believe it? 800 websites on one server! Talk about performance issues, right?
While I realize that a single server can host up to several thousand websites, can you imagine what would happen if at least ten of them are high-traffic ones? Think crashes, slow loading times, unplanned downtime, and lots of other issues.
Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.
- Attacks that Exploit an outdated version of PHP
It’s a known fact that about 80 percent of all websites in 2018 ran on PHP. However, since the beginning of 2019, support for PHP 5.6.x has ended, meaning that all support for any version of PHP 5.x is gone. In other words, sites that fail to update won’t get any security patches, bug fixes, or updates.
However, recent reports suggest that this news didn’t trigger any mass migration to newer versions of PHP. For example, according to Threat Post, about 62 percent of all websites that use server-side programming are still running PHP version 5. Here are the full data.
Source: Threat Post
“These sites probably include old libraries that haven’t had the joy of an update…” the above-mentioned Threat Post article cited a web security expert as saying. “The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”
For hackers looking for some business, this means that they have a lot of work to do. Can you imagine it: since the beginning of this year, more than 60 percent of websites stopped getting security updates!
“Faced with the urgent requirement to update the PHP version, a lot of website owners will make a corresponding request to their web hosting providers,” shares Sam Bridges, a web security specialist from Trust My Paper. “This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process.”
On top of that, some providers may not be willing to notify their users about the requirement to update their PHP versions, so a lot of websites may still be using outdated ones in the next few years.
Well, hopefully you’re not going to be one of them.
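A practical first step against this hazard is simply knowing which PHP branch each of your sites advertises. The script below is an added example for this article, not the author's code: it takes a constructed set of HTTP response headers (in practice you would collect them from your own sites, e.g. with `curl -sI`), extracts the PHP version from `X-Powered-By` or `Server`, and flags branches that are past their security-support end date. The support-end dates are recalled from php.net's supported-versions page and are an assumption to verify there.

```python
"""Inventory the PHP versions your sites advertise and flag unsupported branches.

Added example, not part of the article. Input is a constructed set of HTTP
response headers keyed by hostname.
"""
import re
from datetime import date

# End of security support per branch. Dates recalled from php.net's
# supported-versions page (assumption: verify there before relying on them).
# Every 5.x branch is out of support, as the article notes for 2019.
SECURITY_SUPPORT_END = {
    "5.6": date(2018, 12, 31),
    "7.0": date(2019, 1, 10),
    "7.1": date(2019, 12, 1),
    "7.2": date(2020, 11, 30),
    "7.3": date(2021, 12, 6),
    "7.4": date(2022, 11, 28),
}

# Matches "PHP/5.6.40" or "PHP/7.3" wherever it appears in a header value.
_PHP_VERSION_RE = re.compile(r"\bPHP/(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def extract_php_version(headers):
    """Return the PHP version string a response advertises, or None.

    Looks at X-Powered-By first (set by PHP itself when expose_php is on),
    then at Server (some Apache builds append 'PHP/x.y.z' there).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("x-powered-by", "server"):
        match = _PHP_VERSION_RE.search(lowered.get(name, ""))
        if match:
            major, minor, patch = match.groups()
            return f"{major}.{minor}.{patch or '0'}"
    return None


def support_status(version, as_of):
    """Classify a version as 'supported', 'unsupported' or 'unknown' on a date."""
    major, minor = version.split(".")[:2]
    branch = f"{major}.{minor}"
    end = SECURITY_SUPPORT_END.get(branch)
    if end is not None:
        return "unsupported" if as_of > end else "supported"
    # Branches older than 5.6 (5.5, 5.4, ...) reached end of life before 5.6 did.
    if int(major) < 7:
        return "unsupported"
    # A newer branch than this table knows about: do not guess.
    return "unknown"


def audit(sites, as_of):
    """Map hostname -> {'version', 'status'} for a dict of response headers."""
    report = {}
    for host, headers in sites.items():
        version = extract_php_version(headers)
        status = support_status(version, as_of) if version else "not disclosed"
        report[host] = {"version": version, "status": status}
    return report


# Constructed sample responses (not real hosts); as_of mirrors the article's date.
SAMPLE_RESPONSES = {
    "blog.example": {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/5.6.40"},
    "shop.example": {"Server": "nginx/1.14.0", "X-Powered-By": "PHP/7.3.9"},
    "old.example": {"Server": "Apache/2.2.15 (CentOS) PHP/5.3.3"},
    "quiet.example": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_RESPONSES, date(2019, 9, 1)).items():
        print(f"{host:15} PHP {finding['version'] or '-':8} {finding['status']}")
```

A host that reports "not disclosed" is not necessarily safe; it may simply have `expose_php` off, so confirm the version with your provider or from the server itself.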
- More Sophisticated DDoS Attack Techniques
DDoS attacks are nothing new. However, they are still a common type of cyberweapon used against websites and should be considered when choosing a hosting provider. In fact, the situation here is a lot more complicated than one might think.
For example, research suggests that the total number of DDoS attacks decreased by 13 percent in 2018, which may seem like a positive signal to many.
The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky
Unfortunately, the stats don’t provide the big picture here. According to Kaspersky, hackers are reducing the number of attempts to break into websites using DDoS attacks, but they are turning to more advanced and sophisticated attack techniques.
For example, it was found that the average length of attacks increased from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter of 2018. While this suggests that protection against this kind of attack is getting better, it also suggests that the malefactors are becoming more selective and skilled.
For example, 2018 has seen the biggest DDoS attacks in history; one of these situations involved a U.S.-based website that reported a 1.7 TB/s assault (this means that the attackers overwhelmed the site with a massive wave of traffic hitting 1.7 terabytes per second!), according to The Register.
Source: The Register
Therefore, we may see an increase in unresponsive websites due to DDoS attacks in the next years (clearly, not a lot of websites can survive an attack like this one), as hackers deploy more sophisticated techniques.
Since a lack of DDoS-protected hosting is a major risk factor in this situation, make sure that your hosting provider has this protection in place.
Web hosting is not the first thing that many website owners think about when setting up their businesses, but it’s definitely one that could make or break them. The success of your venture ultimately depends on the uptime, loading time, and overall reliability of your website, so being aware of the threats you may face in the near future could help you avoid losing your website and joining those 100,000+ unfortunate site owners who get their sites hacked every day.
Hopefully, this article was a nice introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data to be protected, pay attention to the existing and emerging risks right now and make appropriate decisions. Eventually, this’ll pay you nicely by maximizing uptime and reliability of your website.
Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.
The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.
Firefox’s new Enhanced Tracking Protection (ETP) feature has launched to all users of the browser to offer better privacy and protection from cryptojacking.
The post Firefox 69: Third‑Party Tracking Cookies and Cryptomining Now Blocked by Default appeared first on WeLiveSecurity
Still thinking about buying a new phone? Well, trading your old one (and probably some extra cash) for a spanking-new smartphone would be the most sensible thing to do. However, there’s still the issue of actually making sure that the buyer can’t access your personal data. Sure, you will argue that wiping the phone’s storage would put an end to this debate.
As it happens, data can be extracted from a device even if the owner deleted everything by hand. So, are there any workarounds? There are, but it takes more than a simple memory wipe to ensure that the data’s totally safe.
Still willing to go through with this? Awesome! Here are a couple of data protection steps you should consider taking if you plan on selling your phone anytime soon.
1. Backup, backup, and even more backup
I can’t emphasize enough the importance of backup. It doesn’t matter if you want to sell your phone or use the computer for purposes other than entertainment; you still need a copy of your data in case something goes wrong.
So, the first step you will need to take would be to back up everything on your phone. If you’re the proud owner of an iPhone, you can take advantage of the iCloud feature and back up everything to the cloud.
You can also plug it in your Mac and save a local copy just to be extra safe. Don’t know your way around the iCloud back up feature? Chill, fam! I got you covered. Just tap on Settings, choose the Storage & Backup option from the menu, and then head to iCloud Backup.
Bear in mind that you will need an iCloud account to store data on the cloud. When you’re ready, tap on the Back Up Now button and that’s it. Your phone will then copy your data on the cloud. Sit back and relax because this is going to take a while.
Paging Android smartphone owners! Yeah, I know that not having the luxury of a built-in cloud backup solution can be frustrating, but where there’s a USB cable, there’s always a way. As I was saying, the best and fastest way to back up the stuff on your Android smartphone is to connect it via USB and copy every byte of data to your computer.
It may not be pretty, but it works. Sure, you can also try your luck with third-party Cloud backup software for Android like G Cloud Backup, MyBackUp Pro, Titanium Backup, Migrate, or Resilio Sync. You should do this preferably before wiping the internal and external storages. Just saying. No pressure.
2. Get rid of the SIM and any attached SD cards.
It doesn’t matter if you have an iPhone or an Android smartphone; that SIM card must go before the phone reaches its new owner. As you probably know by now, SIM cards are used to store contact info, like phone numbers, email addresses, and names. You really wouldn’t want that kind of info to fall into the wrong hands, would you?
So, before trading in your phone, make sure you yank the SIM card out of its slot. Newer smartphones have special trays, which facilitate access to both components.
If your phone doesn’t have a device tray, you’ll need to remove the back cover and probably the battery as well to gain access to the SIM/SD slots. You should refer to the phone’s manual for detailed instructions on how to safely remove the SIM and SD cards.
3. Encrypt your data
Scrambling the data on your smartphone using an encryption key may be the best way to ensure that the data is totally unreadable. What happens is that the residue left behind after a total reset (I will get to that in a moment) will be locked by the phone’s unique encryption key.
Yes, it means that no one will be able to read or use a byte of information even if, by some miracle, someone does manage to get ahold of your deleted data.
For iPhone owners, you don’t need to do anything out of the ordinary to encrypt your data, since the phone does this by default. Unfortunately, things are not the same when it comes to Android devices. Not to worry.
Here’s what you need to do in order to encrypt the data on your Android smartphone. Tap on Settings and head to More. Scroll down until you see Security. Tap on Encrypt Device and use the slider to start the process.
Depending on the amount of data on your smartphone, the encryption could take anywhere from a couple of minutes to one hour. When it’s done, you can proceed with the next step which is performing the factory reset.
4. Performing a factory reset
As you would imagine, the final step before the phone will be shipped to the next owner would be to wipe it clean. Sure, you can go ahead and delete everything manually, but do bear in mind that this procedure usually leaves behind “breadcrumbs” (loose pieces of data that can be used to reconstruct a big deal of what used to be there).
As a result, the best way to go about scrubbing your phone’s memory would be to perform a factory reset.
On Android, head to Settings, tap on Privacy and select the Factory Data Reset. Tap again on the Factory Data Reset button to confirm. Your smartphone will restart a couple of times during the process.
If you have an iPhone, head to Settings, tap on General, and select Reset. Go to the bottom of the screen and tap on Reset Phone. It’s going to take a while, so take a chance to chill.
So, these are the basic steps that you will need to take before you sell your phone. Of course, there are always more ways to ensure that your phone’s clean as a whistle before giving it away.
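The reason step 3 comes before step 4 is worth seeing concretely: a factory reset (like a manual delete) typically clears the file table but not the underlying flash cells, so an examiner can carve the old bytes; if those bytes were written encrypted and the reset discards the key, the leftovers are unreadable. The simulation below is an added example for this article, not the author's code: a bytearray stands in for flash, a dict for the file table, and an HMAC-SHA256 counter-mode keystream (standard library only) stands in for the device's real AES encryption.

```python
"""Simulate why 'breadcrumbs' survive a reset and why encrypting first fixes it.

Added example, not part of the article. The cipher is a toy stream cipher built
from hmac/hashlib so the script runs offline; real phones use AES and their
flash is wear-levelled, but the recoverability argument is the same.
"""
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class Flash:
    """Flat storage with a file table; deleting only drops the table entry."""

    def __init__(self, size=4096, encrypt=False):
        self.cells = bytearray(size)
        self.table = {}          # name -> (offset, length), like a file system index
        self.next_free = 0
        self.key = os.urandom(32) if encrypt else None   # per-device encryption key
        self.nonce = os.urandom(16) if encrypt else b""

    def _transform(self, name, data):
        # Encrypt (or decrypt) with a per-file nonce; plaintext passthrough if no key.
        if self.key is None:
            return data
        return keystream_xor(self.key, self.nonce + name.encode(), data)

    def write(self, name, data):
        stored = self._transform(name, data)
        off = self.next_free
        self.cells[off:off + len(stored)] = stored
        self.table[name] = (off, len(stored))
        self.next_free = off + len(stored)

    def read(self, name):
        off, length = self.table[name]
        return self._transform(name, bytes(self.cells[off:off + length]))

    def delete(self, name):
        # Like most file systems: forget the entry, leave the cells as they are.
        del self.table[name]

    def factory_reset(self):
        """Clear the index; an encrypted device also discards and replaces its key."""
        self.table.clear()
        self.next_free = 0
        if self.key is not None:
            self.key = os.urandom(32)   # old ciphertext is now undecryptable

    def carve(self, marker):
        """Forensic-style carving: scan raw cells for a marker, ignoring the table."""
        hits, i = [], self.cells.find(marker)
        while i != -1:
            hits.append(i)
            i = self.cells.find(marker, i + 1)
        return hits


def demo(encrypt):
    """Write a secret, delete it, reset, then carve; report what an examiner finds."""
    secret = b"CARD=4111111111111111"        # constructed sample, the Visa test number
    note = b"shopping list\n" + secret + b"\n"
    flash = Flash(encrypt=encrypt)
    flash.write("notes.txt", note)
    roundtrip_ok = flash.read("notes.txt") == note   # owner can still read it
    flash.delete("notes.txt")
    flash.factory_reset()
    return {"roundtrip_ok": roundtrip_ok, "carved_hits": len(flash.carve(b"CARD="))}


if __name__ == "__main__":
    print("unencrypted phone after reset:", demo(encrypt=False))   # secret carved
    print("encrypted phone after reset:  ", demo(encrypt=True))    # nothing found
```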
Additional steps to take before you sell your phone
Step 1. Unpair all devices
If you have headphones, smartwatches, or Wi-Fi/Bluetooth speakers paired with your smartphone, you should consider, well, unpairing them before proceeding with the above-mentioned steps. For Android, tap on Settings and head to the Bluetooth menu.
Turn on your Bluetooth to see a complete list of all paired devices. To unpair them, tap on the gearwheel next to each item and hit the unpair button.
In case you have an Android-compatible smartwatch associated with your phone, you may want to wipe its memory as well. For most Android watches, go to Settings > Privacy > Factory Data Reset. Confirm the process and that’s basically it.
As for iPhones, to unpair an Apple Watch, head to the My Watch menu, select the active watch and tap the “information” button next to it. Hit the Unpair button and you’re all set. Just remember to keep that smartwatch close to the phone while performing the unpairing process.
Of course, you shouldn’t forget about wiping your Apple Watch’s internal and external storage after unpairing it. To do that, fire up your smartwatch, go to Settings and then tap on General. Select Reset and tap on Erase All Content and Settings. Choose the Erase All option to confirm.
Step 2. Sign out from all third-party services
Another thing you might want to do before you sell your phone is to sign out from all accounts. This includes Facebook Messenger, Gmail, Yahoo Mail, Google or Apple Pay, and everything in between. Do bear in mind that some apps, like Facebook’s messenger and Gmail, store passwords. Be sure to wipe them as well before signing out of your accounts.
So, if you have an Android phone, you would want to tap on Settings and then on Cloud and Accounts. Tap on Accounts. Select one of them and then tap on the Remove Account button. You will have to repeat the procedure for each item in the list.
iPhone users should remember to switch off iMessage, the Wallet & Apple Pay, Find my phone, and Apple ID. You will find all of these items under Settings.
Step 3. Delete credentials from browsers
Most browsers store credentials by default. So, before saying buh-bye to your old phone, you may want to delete your credentials. Since Chrome is the most used mobile and desktop browser on the market, I’m going to show you how to purge the credential cache. First, open up your Chrome browser.
Tap on the More menu (the icon looks like three parallel lines) and select Options. From the left tab, select Privacy and Security. Scroll until you see Forms and Passwords. In the next dialog box, select Saved Logins. Tap on the Remove All button. Congrats! You’ve just cleared the browser’s password cache. You can now sell your phone, or at least try to find an interested party.
Step 4. Unregister your device from the Apple account (Apple phones only)
To unregister the device from the account, hop on your Apple ID account. When prompted, type in your username and password. Go to the bottom of the list and click on Devices. Select your current device from the drop-down list and click on the Remove button.
Step 5. Remove factory reset protection (Android only)
FRP (factory reset protection) is an Android-exclusive failsafe that prevents factory reset and manual wipe in case your phone gets stolen. In other words, if someone were to run out with your phone, this in-built countermeasure will not allow the thief to wipe the phone’s memory in an attempt to get rid of the evidence.
So, it’s only natural to deactivate FRP before attempting to sell your phone. To do that, tap on Settings and go to About device/phone. From there, head on over to Software info. Write down your phone’s version.
After that, go back to the Settings menu and select the Security or Lock Screen Security menu. Under Screen Lock, move the slider to the off position. All you need to do now is perform a factory reset and find a customer (good luck with that).
Step 6. Fill the phone with dummy data
Not what you might call a regular pre-sale tactic, but considering the staggering number of cyberattacks, one cannot be too careful about data security. And yes, your personal info can still end up on the dark web even if you took all the precautions.
Filling your phone with dummy data prior to encryption and factory reset is one of the best ways to make this type of info totally unusable and virtually irretrievable. What this means is uploading stuff other than sensitive info to the phone.
This includes pics, videos, and empty documents. During the encryption process, the dummy data become interwoven with personal info. So, even if the phone ends up in the hands of a hacker, he/she will be unable to make heads or tails of the data that was on your phone.
Step 7. Clean your phone, add accessories, and scan
Now it’s time to add the finishing touches: cleaning, packing, and scanning the device. Yes, I’m aware that the cleaning and packaging parts don’t have any kind of bearing on data protection, but this doesn’t mean that they are unimportant.
Would you really consider buying a dirty and dusty smartphone? So, give it a good clean before placing it in the original box. Don’t forget to blow out the battery compartment with a can of compressed air. Finally, place the phone in its box. Don’t forget to include the original accessories: charger, USB cable, user’s manual, headphones, and back cover spares.
Before taking it to the new owner, give it one last malware scan. I’m painfully aware that the memory was wiped clean, but some types of malware, especially those that attach themselves to the boot sector, can persist even if the device’s entire storage has been wiped clean. Now your device is ready to be shipped to its new owner.
That’s about it on how to prepare your phone before shipping it to its forever home. To wrap everything up nice and neat: back up, remove the SIM and SD card, encrypt, and perform a factory reset. I hope you’ve enjoyed my article and, as always, for any rants, comments, beer donations, shoot me a comment. Ciao!
The post 4+ Essential Data Protection Steps to Take Before You Sell Your Phone appeared first on Heimdal Security Blog.
A security researcher found a server on the internet containing more than 419 million records related to Facebook users.
No password protection was in place – meaning the treasure trove of phone numbers was available to literally anybody with an internet connection.
Read more in my article on the Tripwire State of Security blog.
“Is Your Digital Front Door Unlocked?” explores the modern implications of our human nature: our inherent inclination to share our experiences, specifically on the internet. Our increasing reliance on technology to connect with others has us sharing far more information about ourselves than we realize, and without a full understanding of the risks involved.
While we’re posting innocent poolside pictures, we’re also creating a collection of highly personal information. And not just on social media. It happens by simply going about our day. Whether it is the computers we use for work and play, the smartphones that are nearly always within arm’s reach, or the digital assistants that field household requests—all of these devices capture and share data about our habits, our interests, and even our comings and goings. Yet we largely don’t know it’s happening—or, for that matter, with whom we’re sharing this information, and to what end.
I wrote this book for anyone who wants to live online as safely and privately as possible, for the sake of themselves and their family. And that should be plenty of us. With news of data breaches, companies sharing our personal information without our knowledge, and cybercrime robbing the global economy of an estimated $600 billion a year, it’s easy to feel helpless. But we’re not. There are things we can do. It’s time to understand how we’re creating all this personal information so we can control its flow, and who has access to it. The book takes an even-handed look at the most prevalent privacy and security challenges facing individuals and families today. It skips the scare tactics that can dominate the topic, and illustrates the steps each of us can take to lead more private and secure lives in an increasingly connected world.
The notion that binds the book together is the idea of a personal data lake. “Data lake” is a widely used term in business to reflect a large repository of data that companies collect and store. In the book I explore how we create personal data lakes as we go about our digital lives. I explore how our data lakes fill as we do more and more activities online, and offer insights that can be used to protect our personal data lakes, so that we can live more privately and enjoy safe online experiences.
This book is for people in families of any size or structure. It looks at security and privacy across the stages of life, and explores the roles each of us play in those stages, from birth to the time we eventually leave a digital legacy behind, along with important milestones and transitional periods in between. You’ll see how security and privacy are pertinent at every step of your digital journey, and how specific age groups have concerns that are often unique to that stage of life. The structure allows you to easily navigate to the chapters and sections that most relate to the life stage you are in, and offers guidance.
This book, like most things in life, is about choice. You can choose to roll the dice and hope that you’re not one of the hundreds of millions who are victims each year of phishing scams, ransomware attacks, and identity theft, or among the handful of people who still fall for the Nigerian prince lottery scam. You can also choose to use your computers, tablets, smartphones, and personal assistants as you have been, letting companies grift all kinds of personal information from you, without your knowledge or consent. Or you can choose to embrace the guidelines outlined in the book and make it far more difficult for a bad actor or cybercriminal to make you or your loved ones a victim.
The post Introduction to “Is Your Digital Front Door Unlocked?” a book by Gary Davis appeared first on McAfee Blogs.
Should Google really be helping the FBI with a bank robbery? What’s the story behind the Twitter CEO claiming there’s a bomb in their offices? And how much does your car really know about you?
And we mourn the loss of Doctor Who legend Terrance Dicks…
A vulnerability broker is offering up to $2.5 million for zero-day remote exploits which would allow attackers to infect a remote Android smartphone with malware, with no user interaction required. But who will they then sell exploits to?
Industrial espionage is a much more common occurrence than many people realize. As a business grows and begins to compete at a higher level, the stakes grow and its corporate secrets become more valuable. It isn’t just other businesses that might want this information; hackers who think they can sell it will also be sniffing about.
Even if you can’t eliminate the risk entirely, there are certain things you can do to reduce the risk of a security breach in your business.
While hackers do much of their work from their computers, they also often rely on a number of offline methods to enhance their effectiveness. For example, social engineering is regularly used to coerce people into unwittingly undermining otherwise very secure systems. Countering social engineering is difficult, although educating your employees about it will go a long way to mitigating the risk.
If a hacker wants to access your systems but is struggling to breach your cybersecurity, they may well turn to other methods to get through your security, including rummaging through bins for any discarded documents. If that sounds desperate to you, you might not realize just how often it works.
Make sure that any documentation that contains information that would be of interest to a would-be hacker, or corporate competitor, is completely destroyed when it is no longer needed. Make sure that if you use a shredder to do this, it is one that shreds documents securely.
Don’t Print Sensitive Information if You Don’t Have to
Of course, what would be better than having to securely destroy documents would be to not generate those documents to begin with. If you don’t have to print out sensitive information – don’t! If your sensitive documents are protected by a decent cybersecurity system, they will be about as safe as they can be. A physical document is much less secure.
Keep Your Schematics Under Wraps
Anyone who has access to the design schematics of your most important products will be able to reverse engineer them and probe them for weaknesses, even if they don’t have access to a physical device. Modern engineering businesses, like businesses in a number of other industries, make extensive use of printed circuit boards. If a competitor gets their hands on your PCB schematics, they can easily copy your proprietary technology.
Designing your own PCBs using Altium.com or a similar software package means that you can produce hardware that is unique to your engineering business. This should give you an added layer of security, as a potential hacker or criminal won’t know the internal layout and therefore won’t know what the potential entry points are. However, if they get their hands on your schematics, you instantly lose this benefit.
Keep it Need to Know
Your most sensitive corporate secrets shouldn’t be given to anyone who doesn’t need them. In any business, there will be coworkers who also become friends. Even if people only see each other when they’re at work, they will often develop friendly relationships with one another. It is important to maintain a distinction between business and pleasure – don’t feel bad about withholding sensitive information from someone that you trust if there is no reason for them to have that information.
If you want to keep your engineering business secure, you need to make sure that workers at all levels understand their individual role in ensuring the security of the business as a whole. All it takes is one clueless person to undermine even the most secure cybersecurity system.
The post Protecting Your Engineering Business from Industrial Espionage and Cybercriminals appeared first on CyberDB.
Critics say face-swap app could spread misinformation on a massive scale
A Chinese app that lets users convincingly swap their faces with film or TV characters has rapidly become one of the country’s most downloaded apps, triggering a privacy row.
In case you haven't heard, #ZAO is a Chinese app which completely blew up since Friday. Best application of 'Deepfake'-style AI facial replacement I've ever seen.
Here's an example of me as DiCaprio (generated in under 8 secs from that one photo in the thumbnail) pic.twitter.com/1RpnJJ3wgT
Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?
There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions.
The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.
According to one report, a U.S. school district becomes the victim of a cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools, where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft.
Top three cyberthreats
The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom.
Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.
In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless.
7 key questions to ask
- Does the school have a system to educate staff, parents, and students about potential risks and safety protocols?
- Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
- Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
- Are data security and student privacy a fundamental part of onboarding new school employees?
- Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
- Does the school have any new technology initiatives planned? If so, how will it address student data protection?
The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.
Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same.
The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.
Because I really don’t want to rile up all you wonderful Mac users, I’ve decided to do a follow-up on the whole hiding your folders in plain view dilemma.
If you haven’t done so already, be sure to check out my article on how to hide your files, folders, and disk drives; it may not apply to Mojave or whatever else OS you’re running, but at least you’ll get an idea of what you’re up against. So, how do you hide folders on Mac?
Get yourself acquainted with the Terminal (Mac’s version of Windows’ command prompt) because, as it happens, it’s the only way to hide folders on Mac without resorting to third-party tools. Let’s dig in.
How to Hide Folders on Mac – Quick and Painless Version
If you really don’t want to trouble yourself with code, there’s a very easy and extremely fast way to hide your folders on Mac: by using FileVault.
Basically, it turns your hard drive into a Fort Knox-like vault which cannot be opened without the proper cipher, which in this case is the username and password associated with your admin account.
Yes, I know it’s like curing the disease by killing the patient, but I did say that it’s the easiest way to go about hiding your folders. Anyway, here’s what you’ll need to do, should you choose to use FileVault for masking your files, folders, and everything in between.
Step 1. Click on the Apple icon located in the upper-left corner of your screen.
Step 2. Click on System Preferences.
Step 3. Click on Security & Privacy.
Step 4. Head to the FileVault tab (it’s right next to the General tab).
Step 5. Click on the padlock icon to make changes.
Step 6. Click on the Turn On FileVault button.
Step 7. In the next dialog box, select the recovery method. You can choose between iCloud and generating a local recovery key. I, for one, would go with the latter since it’s more secure (no use compromising two accounts if your password gets stolen).
Here’s what’s going to happen if you use the local recovery key method: you will be taken to another dialog box where you will see a system-generated code.
It looks very much like a Windows or antivirus activation key. Put this code in a new document or something. That’s the recovery key you’ll be using in case you don’t remember the password.
Step 8. Click on Continue.
Step 9. Click again on the Continue button to finish the process.
That’s it! Now FileVault will begin encrypting all the data on your drive. Depending on your specs, this process can take anywhere from a couple of hours to a few days.
Don’t worry too much about ending up with a potato computer; you’ll still be able to surf the web, watch movies, or play games because everything happens in the background.
One more thing: don’t forget to hook up your Mac to the power outlet. You really wouldn’t want to run out of juice in the middle of a procedure involving the drive on which your entire data is stored.
How to hide folders on Mac using Terminal
There’s also a way to hide folders on Mac, but it involves using the Terminal. Don’t worry; it’s just a couple of command lines. Nothing too fancy or complicated. So, here’s how to hide files/folders using Terminal.
Step 1. Click on Finder.
Step 2. From the left panel, select Applications.
Step 3. Scroll down until you see Utilities. Double-click to enter the Utilities menu.
Step 4. Double-click on Terminal.
Step 5. Type in the following line:
Step 6. Create a new folder on your desktop. Fill it with stuff that you want to hide.
Step 7. Drag-and-drop the folder onto the Terminal window. If you look closely, you’ll see that the folder’s path has appeared.
Step 8. Press Return to hide the folder.
Great! Now that your folder’s out of sight, out of mind, let’s see how we go about accessing it. There are three ways to access hidden files and folders.
Method 1 – Using the Go to Folder function
From the Go menu, select Go to Folder. In the dialog box that appears on your screen, type in the path of your hidden folder. Don’t forget to include the “~” sign before the path.
It should look something like this: “~/Desktop/MyHiddenFiles”
Method 2 – Using the Open/Dialog function
Double-click on Finder and select Desktop from Favorites. Press the Show items as icons, in a list, in columns, or in the library (the pictogram looks like a rectangle divided by two straight lines). You may need to perform this operation a couple of times before the folder becomes visible.
Method 3 – Show hidden files in Finder
It’s possible to see a hidden file in Finder, but you will need to tinker a bit with Terminal. So, fire up your Terminal, and type in the following line:
defaults write com.apple.finder AppleShowAllFiles TRUE
Press Return to continue. After that, please type in or paste the following line:
Again, press Return, go to Finder, and there you are – what was once hidden can now be seen. Enjoy!
How to hide folders on your Mac by using Terminal Aliases
Aliases are macros or shortcuts to various commands. Albeit temporary, we can easily turn this into a more permanent solution. Again, you will need to fiddle around with the Terminal. So, here’s what you’ll need to do:
Step 1. Open the Terminal.
Step 2. Type in or paste the following line:
sudo nano ~/.bash_profile
Step 3. When prompted, type in the username and password associated with your active admin account.
Step 4. Press Return to continue.
Step 5. Scroll down to the end of the open .bash_profile.
Step 6. Type in or paste the following line:
alias showFiles='defaults write com.apple.finder AppleShowAllFiles YES; killall Finder /System/Library/CoreServices/Finder.app'
Step 7. On the next line, type in or paste the following:
alias hideFiles='defaults write com.apple.finder AppleShowAllFiles NO; killall Finder /System/Library/CoreServices/Finder.app'
Step 8. Save the file.
Step 9. Exit Terminal.
That’s about it. Now, the next time you launch Finder, all desired folders will be hidden.
Even more ways to hide files and folders on your Mac
As they say, there’s more than one way to skin something (please don’t say “cat”). So, if you found that the methods described are much too difficult, here are a couple of more ways to hide folders on Mac.
Using the “mv” command
The “mv” command in Terminal moves a file or folder from one place to another. How does this help you? Here’s the trick: the “mv” command moves the folder from its original location to a period folder.
Now, by default, period folders are hidden because they contain system-critical information. Basically, it’s the same thing as moving files or folders to your System32 folder in Windows.
To make files invisible in this manner, open Terminal and type in mv filename .filename. Replace “filename” with the name of the file you want to hide, and “.filename” with the new name, which must begin with a period.
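The Terminal method and the “mv” trick above both come down to one of two things: renaming the entry so it starts with a period, or setting the macOS hidden file flag (the chflags command used for that below is my choice; the post does not name the command for its Step 5). The script that follows is an added example and is not from the original post. It hides a constructed sample folder both ways and then checks what each method actually does, including that the contents stay readable to anyone who knows the path, because hiding is not access control. Only the flag functions depend on macOS; on a system without chflags they report “skipped”.

```shell
#!/bin/sh
# Added example, not code from the original post: the dotfile ("mv") trick and
# the macOS hidden flag, with checks showing what each does and does not do.
# Assumption: chflags is macOS-only, so that branch is skipped where it is absent.

# hide_by_dot PATH: rename the entry to a period-prefixed name in the same
# directory, i.e. the "mv filename .filename" trick. Prints the new path.
hide_by_dot() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    mv "$dir/$base" "$dir/.$base" || return 1
    printf '%s\n' "$dir/.$base"
}

# unhide_by_dot PATH: reverse of hide_by_dot (the name must start with a period).
unhide_by_dot() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    case "$base" in
        .?*) ;;
        *) printf 'not a dotfile: %s\n' "$1" >&2; return 1 ;;
    esac
    mv "$dir/$base" "$dir/${base#.}" || return 1
    printf '%s\n' "$dir/${base#.}"
}

# hide_by_flag PATH: set the macOS "hidden" flag, which Finder honours.
# Prints "hidden", or "skipped" on systems without chflags.
hide_by_flag() {
    if command -v chflags >/dev/null 2>&1; then
        chflags hidden "$1" || return 1
        printf 'hidden\n'
    else
        printf 'skipped\n'
    fi
}

# unhide_by_flag PATH: clear the flag again.
unhide_by_flag() {
    if command -v chflags >/dev/null 2>&1; then
        chflags nohidden "$1" || return 1
        printf 'visible\n'
    else
        printf 'skipped\n'
    fi
}

# is_listed PATH: true if a plain "ls" of the parent directory shows the entry.
# A dotfile is not listed this way.
is_listed() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    ls "$dir" | grep -qxF -- "$base"
}

# is_listed_all PATH: true if "ls -a" shows the entry. It always does for a
# dotfile, which is why renaming is concealment, not protection.
is_listed_all() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    ls -a "$dir" | grep -qxF -- "$base"
}

# demo: build a constructed folder in a temp dir and walk through both methods.
demo() {
    work=$(mktemp -d)
    mkdir "$work/MyHiddenFiles"
    printf 'constructed sample content\n' > "$work/MyHiddenFiles/secret.txt"

    hidden=$(hide_by_dot "$work/MyHiddenFiles")
    printf 'dot-hidden path: %s\n' "$hidden"
    if is_listed "$hidden"; then echo 'ls shows it'; else echo 'ls does not show it'; fi
    if is_listed_all "$hidden"; then echo 'ls -a still shows it'; fi
    # Hiding is not access control: anyone who knows the path can still read it.
    cat "$hidden/secret.txt"

    printf 'flag method: %s\n' "$(hide_by_flag "$hidden")"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh hide_demo.sh demo`. The two checks are the point: a single `ls -a`, or simply knowing the path, defeats both hiding methods, so anything that must stay confidential belongs behind encryption and proper file permissions rather than behind a leading period or a flag.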
Deploy Apple’s Developer Tools
If you’re in the mood to do a bit of tweaking, download and deploy one of Apple’s Dev Tools and enter the following command in Terminal: setfile -a V <name of the file you want to hide>. The name of the file should follow the “V” parameter without the “<>”. This command will set the file’s attribute to invisible.
Dump everything in the Library folder
When everything else fails, try the Library folder. It’s hidden by default, making it the ideal place to store top-secret stuff. Just fire up your Finder, navigate to the Library folder, right-click, create a new folder, and drag all the files in there.
Use third-party file-hiding software
You can also use special software to keep your folders away from prying eyes. The best ones are Altomac and Hide Folders. However, there are also open-source alternatives such as AES Crypt, Axcrypt, or File Lock PE. Give them a try if you’re looking to beef up your account’s privacy.
That’s it on how to hide folders on Mac computer. Know any more methods? Hit the comments section and let me know.
Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure.
Unsecured School WiFi
Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication. PSK authentication is the practice of sharing a single WiFi password with network users in order to grant access. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.
Weak Cybersecurity Practices
A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigation Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit a security flaw that left sensitive student data easily accessed through a simple change to a numeric ID in a URL. While exploring the scope of the vulnerability, 81 students’ private data was exposed, including information like Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.
Targeted Cybersecurity Attacks
Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone. The threat has become a large enough issue that the FBI has released a public service announcement warning that the education sector was one of those most frequently targeted by social engineering schemes and phishing attacks.
Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attack by a student hoping to avoid a test may not be as costly as one that targets student data, it can still grind a school system to a halt.
How to Protect Your Student’s Cybersecurity
How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about the strength of their firewalls, their email security measures, and the amount of encryption applied to the data storage systems. If you’re not satisfied with their measures, be your child’s cybersecurity advocate.
Although you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). This will wrap your child’s data in a tunnel of encryption, protecting them from prying eyes wherever they go. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect and disconnect to their VPN at will.
Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Your child knows to wear a seatbelt when riding in someone else’s car; they should also know how to stay safe online, whether at home, school, or a friend’s house.
The key to truly protecting your children from potential cybersecurity threats is education, both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.
The post Cybersecurity in Schools: What Families Need to Know appeared first on Webroot Blog.
Simply by downloading the right combination of apps, parents can now track their child’s location 24/7, monitor their social conversations, and inject their thoughts into their lives in a split second. To a parent, that’s called safety. To kids, it’s considered maddening.
Kids are making it clear that parents armed with apps are overstepping their roles in many ways. And, parents, concerned about the risks online are making it clear they aren’t about to let their kids run wild.
I recently watched the relationship of a mother and her 16-year-old daughter fall apart over the course of a year. When the daughter got her driver’s license (along with her first boyfriend), the mother started tracking her daughter’s location with the Life360 app to ease her mind. However, the more she tracked, the more the confrontations escalated. Eventually, the daughter, feeling penned in, waged a full-blown rebellion that is still going strong.
There’s no perfect way to parent, especially in the digital space. There are, however, a few ways that might help us drive our digital lanes more efficiently and keep the peace. But first, we may need to curb (or ‘chill out on’ as my kids put it) some annoying behaviors we may have picked up along the way.
Here are just a few ways to keep the peace and avoid colliding with your kids online:
Interact with care on their social media. It’s not personal. It’s human nature. Kids (tweens and teens) don’t want to hang out with their parents in public — that especially applies online. They also usually aren’t too crazy about you connecting with their friends online. And tagging your tween or teen in photos? Yeah, that’s taboo. Tip: If you need to comment on a photo (be it positive or negative) do it in person or with a direct message, not under the floodlights of social media. This is simply respecting your child’s social boundaries.
Ask before you share pictures. Most parents think posting pictures of their kids online is a simple expression of love or pride, but to kids, it can be extremely embarrassing, and even an invasion of privacy. Tip: Be discerning about how much you post about your kids online and what you post. Junior may not think a baby picture of him potty training is so cute. Go the extra step and ask your child’s permission before posting a photo of them.
Keep tracking and monitoring in check. Just because you have the means to monitor your kids 24/7 doesn’t mean you should. It’s wise to know where your child goes online (and off) but when that action slips into a preoccupation, it can wreck a relationship (it’s also exhausting). The fact that some kids make poor digital choices doesn’t mean your child will. If your fears about the online world and assumptions about your child’s behavior have led you to obsessively track their location, monitor their conversations, and hover online, it may be time to re-engineer your approach. Tip: Put the relationship with your child first. Invest as much time into talking to your kids and spending one-one time with them as you do tracking them. Put conversation before control so that you can parent from confidence, rather than fear.
Avoid interfering in conflicts. Kids will be bullied, meet people who don’t like them and go through tough situations. Keeping kids safe online can be done with wise, respectful monitoring. However, that monitoring can slip into lawnmower parenting (mowing over any obstacle that gets in a child’s path) as described in this viral essay. Tip: Don’t block your child’s path to becoming a capable adult. Unless there’s a serious issue to your child’s health and safety, try to stay out of his or her online conflicts. Keep it on your radar but let it play out. Allow your child to deal with peers, feel pain, and find solutions.
As parents, we’re all trying to find the balance between allowing kids to have their space online and still keeping them safe. Too much tracking can cause serious family strife, while too little can be inattentive in light of the risks. Parenting today is a difficult road that’s always a work in progress, so give yourself permission to keep learning and improving your process along the way.
The post Digital Parenting: How to Keep the Peace with Your Kids Online appeared first on McAfee Blogs.
Researchers able to identify MP Anthony Carbines’s travel history using tweets and Public Transport Victoria dataset
The three-year travel history of a Victorian politician was able to be identified after the state government released the supposedly “de-identified” data of more than 15m myki public transport users in a breach of privacy laws.
In July 2018, Public Transport Victoria (now the Department of Transport) released a dataset containing 1.8bn travel records for 15.1m myki public transport users for the period between June 2015 and June 2018.
See you about 05.24AM tomorrow at Rosanna to catch the first train to town. Well done all. Thanks for hanging in there. Massive construction effort. Single track gone. Two level crossings gone. The trains! The trains! The trains are coming! pic.twitter.com/kk2Cj3ey9T
With summer coming to a close, it’s almost time for back to school! Back to school season is an exciting time for students, especially college students, as they take their first steps towards independence and embark on journeys that will shape the rest of their lives. As students across the country prepare to start or return to college, we here at McAfee have revealed new findings indicating that many are not proactively protecting their academic data. Here are the key takeaways from our survey of 1,000 Americans, ages 18-25, who attend or have attended college:
Education Needs to Go Beyond the Normal Curriculum
While many students are focused on classes like biology and business management, very few get the proper exposure to cybersecurity knowledge. 80% of students have been affected by a cyberattack or know a friend or family member who has been affected. However, 43% claim that they don’t think they will ever be a victim of a cybercrime in the future.
Educational institutions are very careful to promote physical safety, but what about cyber safety? It turns out only 36% of American students claim that they have learned how to keep personal information safe through school resources. According to 42% of our respondents, they learn the most about cybersecurity from the news. To help improve cybersecurity education in colleges and universities, these institutions should take a certain level of responsibility when it comes to training students on how they can help keep their precious academic data safe from cybercriminals.
Take Notes on Device Security
Believe it or not, many students fail to secure all of their devices, opening them up to even more vulnerabilities. While half of students have security software installed on their personal computers, this isn’t the case for their tablets or smartphones. Only 37% of students surveyed have smartphone protection, and only 13% have tablet protection. What’s more, about one in five (21%) students don’t use any cybersecurity products at all.
Class Dismissed: Cyberattacks Targeting Education Are on the Rise
According to data from McAfee Labs, cyberattacks targeting education in Q1 2019 have increased by 50% from Q4 2018. The combination of many students being uneducated in proper cybersecurity hygiene and the vast array of shared networks that these students are simultaneously logged onto gives cybercriminals plenty of opportunities to exploit when it comes to targeting universities. Some of the attacks utilized include account hijacking and malware, which made up more than 70% of attacks on these institutions from January to May of 2019. And even though these attacks are on the rise, 90% of American students still use public Wi-Fi and only 18% use a VPN to protect their devices.
Become a Cybersecurity Scholar
In order to go into this school year with confidence, students should remember these security tips:
- Never reuse passwords. Use a unique password for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. You can also use a password manager so you don’t have to worry about remembering various logins.
- Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public. Protect your identity by turning your profiles to private so you can control who can follow you. You should also take the time to understand the various security and privacy settings to see which work best for your lifestyle.
- Use the cloud with caution. If you plan on storing your documents in the cloud, be sure to set up an additional layer of access security. One way of doing this is through two-factor authentication.
- Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to keep your connection secure.
- Discuss cyber safety often. It’s just as important for families to discuss cyber safety as it is for them to discuss privacy on social media. Talk to your family about ways to identify phishing scams, what to do if you may have been involved in a data breach, and invest in security software that scans for malware and untrusted sites.
The post Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season appeared first on McAfee Blogs.
You’ve probably heard of CafePress, a custom T-shirt and merchandise company allowing users to create their own unique apparel and gifts. With a plethora of users looking to make their own creative swag, it’s no surprise that the company was recently targeted in a cybercriminal ploy. According to Forbes, CafePress experienced a data breach back in February that exposed over 23 million records including unique email addresses, names, physical addresses, phone numbers, and passwords.
How exactly did this breach occur? While this information is still a bit unclear, security researcher Jim Scott stated that approximately half of the breached passwords had been exposed through gaps in an encryption method called base64 SHA1. As a result, the breach database service HaveIBeenPwned sent out an email notification to those affected letting them know that their information had been compromised. According to Engadget, about 77% of the email addresses in the breach have shown up in previous breach alerts on HaveIBeenPwned.
Scott stated that those who used CafePress through third-party applications like Facebook or Amazon did not have their passwords compromised. And even though third-party platform users are safe from this breach, this isn’t always the case. With data breaches becoming more common, it’s important for users to protect their information as best as they can. Check out the following tips to help users defend their data:
- Check to see if you’ve been affected. If you know you’ve made purchases through CafePress recently, use this tool to check if you could have been potentially affected.
- Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
- Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.
The post 23M CafePress Accounts Compromised: Here’s How You Can Stay Secure appeared first on McAfee Blogs.
Starting a new school year is both exciting and stressful for families today. Technology has magnified learning and connection opportunities for our kids but not without physical and emotional costs that we can’t overlook this time of year.
But the transition from summer to a new school year offers families a fresh slate and the chance to evaluate what digital ground rules need to change when it comes to screen time. So as you consider new goals, here are just a few of the top digital risks you may want to keep on your radar.
- Cyberbullying. The online space for a middle or high school student can get ugly this time of year. In two years, cyberbullying has increased significantly from 11.5% to 15.3%. Also, three times as many girls reported being harassed online or by text than boys, according to the U.S. Department of Education.
Back-to-School Tip: Keep the cyberbullying discussion honest and frequent in your home. Monitor your child’s social media apps if you have concerns that cyberbullying may be happening. To do this, open the social apps periodically to explore behind the scenes (direct messages, conversations, shared photos). Review and edit friend lists, maximize location and privacy settings, and create family ground rules that establish expectations about appropriate digital behavior, content, and safe apps. Make an effort to stay current on the latest social media apps, trends, and texting slang so you can spot red flags. Lastly, be sure kids understand the importance of tolerance, empathy, and kindness among diverse peer groups.
- Oversharing. Did you know that 30% of parents report posting a photo of their child(ren) to social media at least once per day, and 58% don’t ask permission? By the age of 13, studies estimate that parents have posted about 1,300 photos and videos of their children online. A family’s collective oversharing can put your child’s privacy, reputation, and physical safety at risk. Besides, with access to a child’s personal information, a cybercriminal can open fraudulent accounts just about anywhere.
Back-to-School Tip: Think before you post and ask yourself, “Would I be okay with a stranger seeing this photo?” Make sure there is nothing in the photo that could be an identifier such as a birthdate, a home address, school uniforms, financial details, or password hints. Also, maximize privacy settings on social networks and turn off photo geo-tagging that embeds photos with a person’s exact coordinates. Lastly, be sure your child understands the lifelong consequences that sharing explicit photos can have on their lives.
- Mental health + smartphone use. There’s no more disputing it (or indulging tantrums that deny it): smartphone use and depression are connected. Several studies of teens from the U.S. and U.K. reveal similar findings: happiness and mental health are highest at 30 minutes to two hours of extracurricular digital media use a day. Well-being then steadily decreases, and heavy users of electronic devices are twice as likely to be unhappy, depressed, or distressed as light users.
Back-to-School Tip: Listen more and talk less. Kids tend to share more about their lives, friends, hopes, and struggles if they believe you are truly listening and not lecturing. Nurturing a healthy, respectful, mutual dialogue with your kids is the best way to minimize a lot of the digital risks your kids face every day. Get practical: Don’t let your kids have unlimited phone use. Set and follow media ground rules and enforce the consequences of abusing them.
- Sleep deprivation. Sleep loss connected to smartphone use can increase dramatically once the hustle of school begins and Fear of Missing Out (FOMO) accelerates. According to a 2019 Common Sense Media survey, about a third of teens take their phones to bed with them (33% of girls versus 26% of boys). Also, 1 in 3 teens reports waking up at least once per night to check their phone.
Back-to-School Tip: Kids often text, play games, watch movies or YouTube videos, scroll social feeds, or read the news on their phones in bed. Establish a phone curfew that rules this out. Sleep is food for the body, and tweens and teens need about 8 to 10 hours to stay healthy. Discuss the physical and emotional consequences of losing sleep, such as increased illness, poor grades, moodiness, anxiety, and depression.
- School-related cyber breaches. Most schools do an excellent job of reinforcing the importance of online safety these days. That doesn’t mean a school’s own systems are immune to cyber threats, which can put your child’s privacy at risk. Breaches happen through phishing emails, ransomware, and gaps left by weak security practices.
Back-to-School Tip: Demand that schools be transparent about the data they collect from students and families. Opt out of the school’s technology policy if you believe it doesn’t protect your child or if you sense an indifferent attitude toward privacy. Ask staff about the school’s cybersecurity policy to confirm it sets password, software-update, and network standards, since a lapse in any of these could expose your family’s data.
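The geo-tag mentioned in the Oversharing tip above is an Exif GPS record stored inside the JPEG file itself, so it travels with the photo wherever it is posted unless the platform strips it. The following is an added example, not code from the original post: it builds a minimal JPEG container (SOI, one Exif APP1 segment carrying a GPS IFD, EOI; constructed here and not a viewable picture) with sample coordinates, reads the coordinates back out, and removes the Exif segment. The tag numbers and the TIFF/Exif layout are the standard ones; the sample coordinates and the file itself are made up for the example.

```python
"""Added example: read and strip the Exif GPS record from a JPEG.

The sample file built by build_sample_jpeg() is constructed for this demo; it
carries metadata only and is not a decodable picture.
"""
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825          # IFD0 entry pointing at the GPS sub-IFD


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI + Exif APP1 (big-endian TIFF with a GPS IFD) + EOI."""
    ifd0_off = 8                                # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4             # IFD0 holds one 12-byte entry
    data_off = gps_off + 2 + 4 * 12 + 4         # GPS IFD holds four entries
    lat_off, lon_off = data_off, data_off + 24  # three RATIONALs (8 bytes each) per coordinate

    def ascii_entry(tag, ref):                  # a 2-byte ASCII value fits inline in the 4-byte field
        return struct.pack(">HHI", tag, 2, 2) + ref.encode() + b"\x00\x00\x00"

    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, gps_off) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += ascii_entry(0x0001, lat_ref) + struct.pack(">HHII", 0x0002, 5, 3, lat_off)
    tiff += ascii_entry(0x0003, lon_ref) + struct.pack(">HHII", 0x0004, 5, 3, lon_off)
    tiff += struct.pack(">I", 0)
    for num, den in (*lat_dms, *lon_dms):       # degrees, minutes, seconds as num/den pairs
        tiff += struct.pack(">II", num, den)
    payload = EXIF_HEADER + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield each marker segment after SOI; the SOS segment carries the rest of the file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i < len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = jpeg[i + 1]
        if marker == 0xD9:                      # EOI
            yield jpeg[i:i + 2]
            return
        if marker == 0xDA:                      # SOS: entropy-coded data runs to the end
            yield jpeg[i:]
            return
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield jpeg[i:i + 2 + length]
        i += 2 + length


def _exif_tiff(seg):
    """Return the TIFF block of an Exif APP1 segment, or None for any other segment."""
    if seg[1] == 0xE1 and seg[4:10] == EXIF_HEADER:
        return seg[10:]
    return None


def read_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees from the Exif GPS IFD, or None."""
    for seg in iter_segments(jpeg):
        tiff = _exif_tiff(seg)
        if tiff is None:
            continue
        e = ">" if tiff[:2] == b"MM" else "<"   # byte order declared by the TIFF header
        u16 = lambda o: struct.unpack(e + "H", tiff[o:o + 2])[0]
        u32 = lambda o: struct.unpack(e + "I", tiff[o:o + 4])[0]

        def entries(off):                       # yields (tag, type, count, offset of value field)
            for k in range(u16(off)):
                ent = off + 2 + 12 * k
                yield u16(ent), u16(ent + 2), u32(ent + 4), ent + 8

        gps_off = next((u32(v) for t, _, _, v in entries(u32(4)) if t == GPS_IFD_TAG), None)
        if gps_off is None:
            return None
        fields = {}
        for tag, typ, cnt, v in entries(gps_off):
            if typ == 2:                        # ASCII short enough to be stored inline
                fields[tag] = tiff[v:v + cnt].rstrip(b"\x00").decode()
            elif typ == 5:                      # RATIONAL: cnt pairs of u32 at the pointed-to offset
                off = u32(v)
                fields[tag] = [struct.unpack(e + "II", tiff[off + 8 * j:off + 8 * j + 8]) for j in range(cnt)]

        def decimal(dms, ref):
            d, m, s = (n / q for n, q in dms)
            value = d + m / 60 + s / 3600
            return -value if ref in ("S", "W") else value

        return decimal(fields[0x0002], fields[0x0001]), decimal(fields[0x0004], fields[0x0003])
    return None


def strip_exif(jpeg):
    """Drop every Exif APP1 segment; all other segments are copied byte for byte."""
    return b"\xff\xd8" + b"".join(seg for seg in iter_segments(jpeg) if _exif_tiff(seg) is None)


if __name__ == "__main__":
    sample = build_sample_jpeg([(40, 1), (44, 1), (5436, 100)], "N", [(73, 1), (59, 1), (840, 100)], "W")
    print("embedded location:", read_gps(sample))
    print("after stripping:", read_gps(strip_exif(sample)))
```

The same Exif segment usually also carries the phone model, software version and capture timestamp, so removing the whole segment rather than just the GPS tags is the safer choice. Some devices additionally write location into an XMP segment, which this code leaves untouched; a complete scrubber has to handle that segment too.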
Stay the course, parent, you’ve got this. Armed with a strong relationship and media ground rules relevant to your family, together, you can tackle any digital challenge the new school year may bring.
The post 5 Digital Risks That Could Affect Your Kids This New School Year appeared first on McAfee Blogs.
Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target for large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach that exposed about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and more.
According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. The misconfiguration let commands be executed on a server, and that server’s access in turn exposed data Capital One kept in Amazon’s cloud storage. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”
This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:
- Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
- Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
- Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
- Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
- Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.
The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.
If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking elderly. That’s because FaceApp, an AI face editor that went viral in 2017, is making a major comeback with the so-called FaceApp Challenge — where celebrities and others use the app’s old age filter to add decades onto their photos. While many folks have participated in the fun, there are some concerns about the way that the app operates when it comes to users’ personal privacy.
According to Forbes, more than 100 million people have reportedly downloaded FaceApp from the Google Play Store, and the app is the top download on the Apple App Store in 121 countries. But many of these users are unaware that by using the app they grant FaceApp broad rights to the photos they upload. The company can then use those photos for its own purposes, such as training its facial recognition AI. While there is currently nothing to indicate malicious intent, users should be aware that their personal photos may be used for purposes beyond the one they had in mind.
So, how can users enjoy the entertainment of apps like FaceApp without sacrificing their privacy? Follow these tips to help keep your personal information secure:
- Think before you upload. It’s always best to err on the side of caution with any personal data and think carefully about what you are uploading or sharing. A good security practice is to only share personal data, including personal photos, when it’s truly necessary.
- Update your settings. If you’re concerned about FaceApp having permission to access your photos, it’s time to assess the tools on your smartphone. Check which apps have access to information like your photos and location data. Change permissions by either deleting the app or changing your settings on your device.
The post Downloaded FaceApp? Here’s How Your Privacy Is Now Affected appeared first on McAfee Blogs.
The past few weeks have proven to be wins for family safety with several top social networks announcing changes to their policies and procedures to reduce the amount of hateful conduct and online bullying.
Twitter: ‘Dehumanizing Language Increases Risk’
In response to rising violence against religious minorities, Twitter said this week that it would update its hateful conduct rules to include dehumanizing speech against religious groups.
“Our primary focus is on addressing the risks of offline harm, and research shows that dehumanizing language increases that risk . . . we’re expanding our rules against hateful conduct to include language that dehumanizes others based on religion,” the company wrote on its Twitter Safety blog.
Twitter offered two resources that go in depth on the link between dehumanizing language and offline harm; both are worth reading and sharing with your kids. Experts Dr. Susan Benesch, Nick Haslam, and Michelle Stratemeyer define hate speech, discuss its various contexts, and advise on how to counter it.
Instagram: ‘This intervention gives people a chance to reflect.’
Instagram announced it would be rolling out two new features to reduce potentially offensive content. The first, powered by artificial intelligence, prompts users to pause before posting. For instance, if a person is about to post a cruel comment such as “you are so stupid,” the user will get a pop-up notification asking, “are you sure you want to post this?”
A second anti-bullying function new to Instagram is called “Restrict,” a setting that lets users discreetly limit what a bully can do on their account. Restrict is a quieter way to cut someone off from your content than blocking, reporting, or unfollowing, which could spark more bullying.
These digital safety moves by both Instagram and Twitter are big wins for families concerned about the growing amount of questionable content and bullying online.
If you get a chance, go over the basics of these new social filters with your kids.
Other ways to avoid online bullying:
Wise posting. Encourage kids to pause and consider tone, word choice, and any language that may be offensive or hurtful to another person, race, or gender. You are your child’s best coach and teacher when it comes to using social apps responsibly.
Stay positive and trustworthy. Coach kids around online conflict and the importance of sharing verified information. Encourage your child to be part of the solution in stopping rumors and reporting digital skirmishes and dangerous content to appropriate platforms.
- Avoid risky apps. Apps like ask.fm that allow anonymity should be off limits. Kik Messenger, Yik Yak, Tinder, Down, and Whisper may also present risks. Remember: any app is risky if kids are reckless with privacy settings, conduct, content, or the people they allow to connect with them.
Layer security. Use a comprehensive solution to help monitor screentime, filter content, and monitor potentially risky apps and websites.
- Monitor gaming communities. Gaming time can skyrocket during the summer, and in a competitive environment, so can cyberbullying. Listen in on and monitor game-time conversations, and make every effort to help your child balance summer gaming time.
- Make profiles and photos private. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying and online conflict.
The post Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying appeared first on McAfee Blogs.
You’ve probably heard of the popular video conferencing platform Zoom, which lets millions of users in different locations meet face to face. To smooth the user experience and work around changes in Safari 12, Zoom’s Mac client installed a local web server so users could join meetings with a single click. Unfortunately, a security researcher recently disclosed that this feature can be abused to turn on a Mac user’s webcam without their permission.
How exactly does this vulnerability work? The one-click feature lets anyone send a meeting link to a recipient; when the recipient clicks it, the local web server launches the Zoom client straight into the meeting. If the user previously installed the Zoom app on their Mac and has not turned off the camera for meetings, Zoom auto-joins the call with the camera on. An attacker can therefore send a victim a meeting link in an email, or embed it in a web page, and watch whatever the victim’s camera is pointing at. Note that even if a user has deleted the Zoom app, the local web server remains on the machine, so the device stays exposed.
While the thought of someone silently accessing a Mac camera is creepy, the same web server could also be used for a Denial of Service (DoS) attack by overwhelming a user’s device with join requests. And even though Zoom has now patched the flaw, users should be aware that the platform does not force the update on them. So, how can Zoom users avoid getting pulled into a potentially malicious call? Check out these security tips to stay secure on conference calls:
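The underlying mistake is general: anything listening on localhost can be reached by every web page the user visits, because the browser will happily issue a GET to 127.0.0.1 from any origin (an image tag is enough, and it carries no Origin header). The following is an added example, a hypothetical model and not Zoom’s code: a launch endpoint that acts on any request, beside one that only acts on a POST carrying a custom header (which forces a CORS preflight), checks the Origin against an allow-list, never turns the camera on by itself, and rate-limits launches so a page cannot flood the client with join requests. The trusted origin, header name and limits are assumptions chosen for the demo.

```python
"""Hypothetical model of a 'one-click join' helper listening on localhost.

Added example, not Zoom's code. The trusted origin, the X-Requested-With value
and the rate-limit numbers are assumptions for the demo.
"""
from collections import deque
from urllib.parse import parse_qs, urlparse

TRUSTED_ORIGINS = {"https://meetings.example.com"}   # assumption: the vendor's own web origin


class VulnerableHelper:
    """Launches on any request to /launch; the camera follows the client's saved default."""

    def __init__(self, camera_on_by_default=True):
        self.camera_on_by_default = camera_on_by_default
        self.launched = []                        # (meeting id, camera on?) per launch

    def handle(self, method, url, headers, now=0.0):
        parsed = urlparse(url)
        query = parse_qs(parsed.query)
        if parsed.path == "/launch" and "confno" in query:
            # No origin check, no method check: an <img src="http://127.0.0.1:PORT/launch?confno=..."> suffices.
            self.launched.append((query["confno"][0], self.camera_on_by_default))
            return 200, "launched"
        return 404, "not found"


class HardenedHelper:
    """Same endpoint with the checks a localhost listener needs before acting."""

    def __init__(self, trusted_origins=TRUSTED_ORIGINS, max_launches=3, window=10.0):
        self.trusted = set(trusted_origins)
        self.max_launches, self.window = max_launches, window
        self.recent = deque()                     # timestamps of recent launches
        self.launched = []

    def preflight(self, headers):
        """CORS preflight: only trusted origins are allowed to send the custom header."""
        origin = headers.get("Origin")
        if origin not in self.trusted:
            return 403, {}
        return 204, {"Access-Control-Allow-Origin": origin,
                     "Access-Control-Allow-Methods": "POST",
                     "Access-Control-Allow-Headers": "X-Requested-With"}

    def handle(self, method, url, headers, now=0.0):
        parsed = urlparse(url)
        if parsed.path != "/launch":
            return 404, "not found"
        # A state-changing action must not be triggerable by a simple GET or form POST.
        # Requiring a custom header makes the browser send a CORS preflight first.
        if method != "POST" or headers.get("X-Requested-With") != "helper":
            return 405, "use POST with X-Requested-With"
        if headers.get("Origin") not in self.trusted:
            return 403, "untrusted origin"
        # Rate limit so a page cannot flood the client with join requests (the DoS case).
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_launches:
            return 429, "too many join requests"
        query = parse_qs(parsed.query)
        if "confno" not in query:
            return 400, "missing confno"
        self.recent.append(now)
        # Never enable video on a remote party's say-so: the camera stays off until the user turns it on.
        self.launched.append((query["confno"][0], False))
        return 200, "launched with camera off"


if __name__ == "__main__":
    v, h = VulnerableHelper(), HardenedHelper()
    print("vulnerable, GET from an <img> tag:", v.handle("GET", "/launch?confno=123", {}))
    print("hardened, same request:", h.handle("GET", "/launch?confno=123", {}))
    ok = {"Origin": "https://meetings.example.com", "X-Requested-With": "helper"}
    print("hardened, trusted POST:", h.handle("POST", "/launch?confno=123", ok, now=1.0))
```

The model only decides what to do with a request; wiring it into an HTTP server is straightforward. The point is that a plain GET with no Origin header, which is exactly what a hidden image tag produces, is accepted by the first class and rejected by the second, and that even a legitimate page cannot make the second one switch the camera on or launch more than a handful of meetings per window. The page above reports that Zoom patched the issue; the model illustrates the class of mistake rather than the vendor’s actual fix.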
- Adjust your Zoom settings. Users can disable the setting that allows Zoom to turn your camera on when joining a meeting. This will prevent a hacker from accessing your camera if you are sent a suspicious meeting link.
- Update, update, update. Be sure to manually install the latest Zoom update to prevent DoS or other potential attacks. Additionally, Zoom will introduce an update in July that allows users to apply video preferences from their first call to all future calls. This will ensure that if a user joins their first meeting without video, this setting will remain consistent for all other calls.
The post Watch Your Webcam: Tips to Protect Your Mac From Zoom Hackers appeared first on McAfee Blogs.
If you haven’t seen your kids in a few hours but can hear outbursts of laughter from a nearby room, chances are, they — along with millions of other kids — are watching YouTube. The popular digital video hub has more viewers than network television and soaks up more than 46,000 years of our collective viewing time annually. Chances are your kids will be part of the YouTube digital mosh pit this summer, but do you know the risks?
Types of screen time
The quality of online time for kids usually shifts during the summer months. For example, there’s active screen time and passive screen time. Knowing the difference between the two can help your family decide best how to balance device use — especially when it comes to consuming endless hours on YouTube.
Active screen time requires a person’s cognitive and/or physical engagement and develops social, language, or physical skills. Engaging in activities such as researching, creating original content, learning a new program, and playing educational games is considered active screen usage. Active screen time tends to go up during the school year and down in the summer.
Passive screen time is passively absorbing information via a screen, app, or game for entertainment reasons only. This includes scrolling through social networks, watching movies (binge watching), and watching YouTube videos. Little to no thought or creativity is required when a person engages in repetitious, passive screen activities.
According to a Common Sense Media study, children ages 8 to 12, spend nearly six hours per day using media, and teenagers average closer to nine hours a day (numbers don’t include school work). It’s safe to say that during the summer, these numbers climb even higher — as do the risks.
Here are a few ways to balance screen time and boost safety on YouTube this summer.
YouTube: 5 Family Talking Points
- Explore YouTube. The best way to understand the culture of YouTube is to spend time there. Ask your kids about their favorite channels and what they like about them. Get to know the people they follow, since these are the people influencing your child. Here’s a sampling of a few top YouTubers: MattyBRaps (music), JoJoSiwa (music, dance), Brooklyn and Bailey (vlogs, challenges, music), Baby Ariel (challenges, vlog), Johnny Orlando (music), PewDiePie (comedy), Jacy and Kacy (crafts, challenges), Bethany Mota (shopping hauls), Grav3yardgirl (makeup), Smosh (comedy).
- Respect age limits. YouTube is packed with humor, tutorials, pranks, vlogs, music, reviews, and endlessly engaging content. However, age limits exist for a good reason because the channel also has its share of dangerous content. The darker side of YouTube is always just a click away and includes sexual content, hate content, harassment and cyberbullying, violent and graphic content, and scams.
- Turn on restricted mode. By turning on the restricted mode you can block videos with mature content from a user’s searches, related videos, playlists, and shows — this is a big deal since many “up next” videos (on the right side of the screen) are cued to play automatically and can lead kids to sketchy content. In addition to the restricted mode, consider an extra layer of protection with filtering software for all your family devices.
- Opt for YouTube Kids. For kids under 13, YouTube Kids is a safe video platform, specially curated for young viewers. Kids may snub any platform designed “for kids,” however, if you are worried about younger kids running into inappropriate content, this is your best video option.
- Discuss the ‘why’ behind the rules. As a parent, you know the possible ways YouTube — or other social platforms — can be harmful. Don’t assume your kids do. Kids are immersed in their peer groups online, which means danger and harm aren’t primary concerns. Even so, before you lecture kids about the dangers of YouTube, open up a dialogue around the topic by asking great questions. Here are just a few to get you started:
- Do you understand why it’s important to filter YouTube content and respect age limits (inappropriate content, cyberbullying)?
- Do you understand why unboxing and makeup videos are so popular (advertisers want you to purchase)?
- Do you understand why we need to balance screen time this summer (mental and physical health)?
- Do you know why this piece of content might be fake or contain questionable information (conspiracy, hate, or political videos)?
As the public increasingly demands social networks do more to remove harmful or objectionable content, one thing is clear: Despite strides in this area by a majority of platforms, no online social hub is (or will likely ever be) 100% safe. The best way to keep kids safe online is by nurturing a strong parent-child connection and having consistent conversations designed to equip and educate kids about digital risks and responsibility.
The post Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer appeared first on McAfee Blogs.
According to a study recently released by National Research Group (NRG), the wildly popular video game Fortnite is growing beyond its intended gaming platform into a favored social network where kids go daily to chat, message, and connect.
The study represents the most in-depth study on Fortnite to date and contains essential takeaways for parents trying to keep up with their kids’ social networking habits. According to the NRG study, “Fortnite is the number one service teens are using, and audiences cite its social elements as the primary motivators for playing.”
The popular game now claims more than 250 million users around the world, and for its audience of teens (ages 10-17) who play at least once a week, Fortnite consumes about 25% of their free time, according to NRG, which adds that “Fortnite presents a more hopeful meta-verse where community, inclusivity, creativity and authentic relationships can thrive.”
With school break now upon us, the NRG study is especially useful since screentime tends to jump during summer months. Here are some of the risks Fortnite (and gaming in general) presents and some tips on how to increase privacy and safety for young users who love this community.
Fortnite safety tips
Activate parental controls. Kids play Fortnite on Xbox One, PlayStation 4, Nintendo Switch, and iOS. Parents can restrict and monitor playing time by going into the Settings tab of each device, its related URL, or app. Another monitoring option for PC, tablets, and mobile devices is monitoring software.
Listen, watch, learn. Sit with your kids and listen to and watch some Fortnite sessions. Who are they playing with? What’s the tone of the conversation? Be vocal about anything that concerns you and coach your child on how to handle conflict, strangers online (look at their friend list), and bullying.
Monitor voice chat. Voice chat is an integral part of Fortnite if you are playing in squads or teams. Without the chat function, players can’t communicate in real-time with other team members. Voice chat is also a significant social element of the game because it allows players to connect and build community with friends anywhere. Therein lies the risk — voice chat also allows kids to play the game with strangers so the risk of inappropriate conversation, cyberbullying, and grooming are all reported realities of Fortnite. Voice chat can be turned off in Settings and should be considered for younger tween users.
- Scams, passwords, and tech addiction. When kids are having a blast playing video games, danger is far from their minds. Talk about the downside so they can continue to play their favorite game in a safe, healthy way. Discuss the scams targeting Fortnite users, the importance of keeping user names and passwords private (and strong), and the reasoning behind gaming screen limits.
Social networks have become inherent to kids’ daily life and an important way to form meaningful peer bonds. With new networks emerging every day such as Fortnite, it’s more important than ever to keep the conversation going with your kids about the genuine risks these fun digital hangouts bring.
The post Study: Fortnite Game Becoming the Preferred Social Network for Kids appeared first on McAfee Blogs.
Take it down, please.
The above is a typical text message parents send to kids when they discover their child has posted something questionable online. More and more, however, it’s kids who are sending this text to parents who habitually post about them online.
Sadly, and often unknowingly, parents have become some of the biggest violators of their children’s privacy. And there’s a collective protest among kids that’s expressing itself in different ways. Headlines reflect kids reining in their parents’ posting habits and parents choosing to pull all photos of their kids offline. There’s also a younger generation of voices realizing the effect social media has had on youth, which could be signaling a tipping point in social sharing.
Ninety-two percent of American children have an online presence before the age of 2, and parents post nearly 1,000 images of their children online before their fifth birthday, according to Time. Likewise, in a 2017 UNICEF report, the children’s advocacy group called the practice of “sharenting” – parents sharing information online about their children – harmful to a child’s reputation and safety.
This sharenting culture has fast-tracked our children’s digital footprints, which often begins in the womb. Kids now have a digital birth date — the date of the first upload, usually a sonogram photo — in addition to their actual birth date. Sharing the details of life has become a daily routine with many parents not thinking twice before sharing birthdays, awards, trips, and even more private moments such as bath time or potty training mishaps.
Too often, what a parent views as a harmless post, a child might see as humiliating, especially during the more sensitive teen years. Oversharing can impact a child’s emotional health as well as the parent-child relationship, according to a University of Michigan study.
So how far is too far when it comes to the boundaries between public and private life? And, what are the emotional, safety, and privacy ramifications to a child when parents overshare? The sharenting culture has forced us all to consider these questions more closely.
Children’s diminishing privacy is on advocacy agendas worldwide. Recently, the UK Children’s Commissioner released a report called “Who Knows About Me?” that put a spotlight on how we collect and share children’s data and how this puts them at risk.
5 safe sharing tips for families
- Stop and think. Be intentional about protecting your child’s privacy. Before you upload a photo or write a post, ask yourself, “Do I really need to share this?” or “Could this content compromise my child’s privacy (or feelings) today or in the future?”
- Ask permission. Before publicly posting anything about your child, ask for his or her permission. This practice models respect and digital responsibility. If posting a group photo that includes other children, ask both the child’s consent and his or her parent’s.
- Keep family business private. Resist sharing too much about your family dynamic — good or bad — online. Sharing your parenting struggles or posting details about what’s going on with you and your child could cause embarrassment and shame and irreparably harm your relationship.
- Consider a photo purge. With your child’s wellbeing, safety, and privacy in mind — present and future — consider going through your social networks and deleting any photos or posts that don’t need to be public.
- Talk to kids about the freedom of expression. Every person who logs on to the internet can expect fundamental freedoms, even kids. These include the right to privacy, how our data is shared, and the freedom of expression online. Discuss these points with your children in addition to our collective digital responsibilities such as respect for others, wise posting, downloading legally, citing works properly, and reporting risky behavior or content.
When it comes to parenting, many of us are building our wings on the way down, especially when it comes to understanding all the safety implications around data privacy for children. However, slowing down to consider your child’s wellbeing and privacy with every post is a huge step toward creating a better, safer internet for everyone.
The post Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online? appeared first on McAfee Blogs.
The UK is aiming to become a world leader in cybersecurity by investing a substantial amount of money (to the tune of £70 million) through the Industrial Strategy Challenge Fund. The fund represents the government’s commitment to increase funding for research and development by £4.7 billion over a four-year period. One of the primary goals of the investment is to supply the industry with the money necessary to design and develop state-of-the-art hardware that is more secure and resilient against common cyber threats.
The logic stems from the fact that cybercriminals are constantly finding new ways to exploit current technology, so the best way to combat future attacks is to design chips and hardware with stronger security features built in, to outpace cyber threats. However, this means businesses will have to invest in new IT systems as that hardware rolls out to keep their security measures up to par.
For the time being, online business owners need to do everything in their power to address the privacy concerns of their users. In some cases, this might mean investing in more secure and modern e-commerce platforms that offer security features, such as TLS (still commonly known as SSL) protection and security software to protect against malware attacks, or simply generating new, strong admin passwords on a regular basis.
The fact is, there is no way to give customers a 100% guarantee that their personal data is safe, but there are actions webmasters and companies can take to make their websites a lot safer for their customers to use. To help you learn more about how you can secure your site from cyber threats, Wikibuy has laid out 15 steps in the infographic below.