Category Archives: Privacy

Facebook admitted to have stored millions of Instagram users’ passwords in plaintext

Other problems for Facebook that admitted to have stored millions of Instagram users’ passwords in plaintext

Yesterday, Facebook made the headlines once again for alleged violations of the privacy of its users, the company admitted to have ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission

In March, Facebook admitted to have stored the passwords of hundreds of millions of users in plain text, including “tens of thousands” passwords belonging to Instagram users as well.

Unfortunately the issue was bigger than initially reported, the company updated the initial press release confirming that millions of Instagram users were affected by the problem.

The disconcerting discovery was made in January by Facebook IT staff as part of a routine security review. The passwords were stored in plain text on internal data storage systems, this means that they were accessible only by employees.

Facebook quickly fixed the issue and notified the affected users.

Now Facebook confirmed to have discovered “additional logs of Instagram passwords” stored in a readable format. The social network giant pointed out that the passwords were never “abused or improperly accessed” by any of its employees.

Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).” reads the updated statement.

instagram

Summarizing, millions of Instagram users had their account passwords stored in plain text and searchable by thousands of Facebook employees.

Let me suggest to change your password using strong ones and enable the
two-factor authentication.

Pierluigi Paganini

(SecurityAffairs – Instagram, privacy)

The post Facebook admitted to have stored millions of Instagram users’ passwords in plaintext appeared first on Security Affairs.

Cyber News Rundown: Phishing Attack on Global IT Outsourcer

Reading Time: ~2 min.

Major IT Outsourcer Suffers After Phishing Attack

Global IT services provider Wipro announced they are in the process of investigating a data possibly affecting some of their clients. These types of companies are popular for hackers because, by breaching a single IT service company, they gain access to a far larger pool of victims through compromised credentials belonging to client networks. It’s still unclear how long the hackers had access to the systems, but some reports claim the attack was ongoing for several months.

Age-Verification Hits UK Porn Viewers

The UK has passed a measure that will subject users to age-verifications before being allowed to enter a pornographic website, as part of their ongoing fight to make the UK safer online. This measure was originally introduced as a way to decrease ransomware infections and slow the stream of stolen credentials from paid accounts for higher-traffic sites. The new law has an 88% backing from UK parents and will go into full effect on July 15.

Data Breach Affects Navicent Patients

A recent Navicent Health announcement revealed the email systems of the health care services provider were compromised in July, 2018, possibly affecting over 275,000 patients. While the remainder of their internal systems were untouched, the email server did contain patient data, including social security numbers and billing information. Fortunately, Navicent responded to the breach quickly and began notifying the proper authorities, as well as their client base, in addition to providing identity monitoring services for those whose information was exposed.

Chrome for iOS Bug Redirects Users to Ads

A new bug, found only in the iOS version of Chrome, has exposed up to half a million users to unwanted advertising redirects, sometimes from legitimate websites. The bug works by allowing malicious code to be executed from within page advertisements, which can then overlay onto the device’s screen until clicked. The majority of this campaign’s victims are based in the US and were targeted over a four-day period in early April.

Microsoft Loses Subdomain for Live Tiles

A German researcher recently took control of a subdomain used by Microsoft to assist websites with correctly formatting RSS feeds into a usable XML format for Windows 8 and 10 Live Tiles. Because the subdomain wasn’t registered to Microsoft or their Azure cloud services, and any malicious actor could have compromised the domain, the researcher purchased it and alerted Microsoft of his findings.

The post Cyber News Rundown: Phishing Attack on Global IT Outsourcer appeared first on Webroot Blog.

DevSecOps Podcast Episodes Recap

The week of April 15th I dedicated every Security In Five podcast episode to DevSecOps and the push to move security left. I was motivated to talk about this push because it’s a concept and challenge I deal with almost daily with my own projects and working with clients. DevSecOps, or DevOps if you are […]

The post DevSecOps Podcast Episodes Recap appeared first on Binary Blogger.

Google will check apps by new developers more thoroughly

In an attempt to thwart Android developers who are set to distribute malicious apps through Google Play, Google will be taking more time when reviewing apps by developers with newly minted accounts. This reviewing process will take days, not weeks, Google assures, and should allow them to do more thorough checks before approving apps to be featured in the store. Sameer Samat, VP of Product Management, Android & Google Play, also says that they know … More

The post Google will check apps by new developers more thoroughly appeared first on Help Net Security.

Building a modern data registry: Go beyond data classification

For organizations, understanding what data they store and analyze is gaining increasing urgency due to new privacy regulations, from the Global Data Privacy Regulation (GDPR) to the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD). But these regulations are not the only reason organizations are focused on privacy. Security imperatives and pressure to extract more value from the information they store has also put pressure on companies to get data privacy … More

The post Building a modern data registry: Go beyond data classification appeared first on Help Net Security.

Facebook Acknowledges “Unintentional” Harvesting of Email Contacts

Facebook announced that it “unintentionally” harvested the email contacts of 1.5 million of its users without their consent.

The social media company automatically uploaded the information from users who had registered with the site after 2016 and provided their email addresses and passwords. Upon submitting a form to “confirm” their accounts, registrants saw a screen showing that their email contact lists were harvested without any means of providing consent, opting out, or interrupting the process.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings,” a Facebook spokeperson said.

Facebook’s requests for user email passwords during account registration has garnered strong criticism from security and privacy experts and led to the company halting the practice earlier this month.

The news comes at an awkward time for the gaffe-prone company in light of its recent attempts to rebrand itself as being more privacy-focused.

The post Facebook Acknowledges “Unintentional” Harvesting of Email Contacts appeared first on Adam Levin.

Facebook ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission

Facebook made the headlines once again for alleged violations of the privacy of its users, this time collecting contacts from 1.5 Million email accounts without permission.

New problems for Facebook, the company collected contacts from 1.5 Million email accounts without user’permission.

We recently read about an embarrassing incident involving the social network giant that asked some newly-registered users to provide the passwords to their email accounts to confirm their identity.

Some experts speculated that the social network giant was using the password to access the email accounts and collect their contacts.

New of the day is that Facebook admitted it was collecting email contacts of some of its users.

“Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts. Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network” reported the Business Insider.
“The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.”

Of course, Facebook declared that it has “unintentionally” uploaded email contacts from up to 1.5 million new users on its servers since May 2016, but the company was never authorized to do it and did not receive their consent.

Facebook passwords

This means that roughly 1.5 million users unintentionally shared passwords for their email accounts with the social network.

According to a Facebook spokesperson who spoke with Business Insider, the company was using harvested data to “build Facebook’s web of social connections and recommend friends to add.”

“At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.” continues the Business Insider.

Facebook stopped using this email verification process a month ago, when a researcher using the pseudononymous of “e-sushi” noticed that the social network was asking some users to enter their email passwords when they signed up for new accounts.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said in a statement.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

The list of incidents that involved the company in the last year is long. In April experts found 540 Million Facebook user records on unprotected Amazon S3 buckets.

In March 2019, Facebook admitted to having stored the passwords of hundreds of millions of users in plain text.

In October 2018, Facebook disclosed a severe security breach that allowed hackers to steal access tokens and access personal information from 29 million Facebook accounts.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

The post Facebook ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission appeared first on Security Affairs.

10 Chrome Extensions to Boost Your Online Safety in 2019

Chrome is the most popular internet browser nowadays, so we’ve decided to research extensions that increase your online safety. Even though it claims to automatically protect you from security issues, such as phishing attacks and dangerous websites, as the online threatscape evolves, it never hurts to add extra layers of protection.

pasted image 0 40

Web Browser Market Share, March 2019, according to W3Counter

In this guide, we’ll walk you through a variety of Chrome extensions, ranging from anti-tracking solutions, ad blockers, password managers, and VPN solutions, to name a few.

We hand-picked the add-ons from a wide palette of solutions, with the intention to help you browse safely on the internet.

So let’s jump in.

Here are some of the best privacy and safety-related Chrome extensions.

1. Privacy Badger

Privacy Badger is a browser add-on developed by The Electronic Frontier Foundation (EFF), that blocks advertisers and third-party trackers from tracking the web pages you visit. Essentially, whenever it detects advertisers who track you across different websites without your consent, it automatically stops them from inserting any more content into your browser.

image13 1

Keep in mind this isn’t a standard ad blocker, as it wasn’t created with the intention to completely block ads.

What it really does is focus on stopping any visible or invisible third-party scripts or images that seem to be tracking your activity despite the fact that you specifically refused to be tracked by sending a Do Not Track header. Most of these third-party trackers happen to be advertisements, so that’s why most of them will be blocked.

Does it make sense to simultaneously use Privacy Badger and a standard ad blocker? If you really despise ads, EFF advises on using a combination between Privacy Badger and uBlock Origin.

Download: Privacy Badger

2. Ghostery

Ghostery is similar to Privacy Badger – it detects and blocks third-party technologies which track you and it also markets itself as an ad blocker. Thus, it provides a clean and fast browsing experience, while preventing advertisers from tracking your activity.

image18 1

The Smart Blocking feature increases the pages’ loading speed, by automatically blocking and unblocking trackers.

image7 1

Download: Ghostery

3. HTTPS Everywhere

HTTPS Everywhere is an add-on created by the Electronic Frontier Foundation (EFF) and the Tor Project, that changes websites from insecure “HTTP” to secure “HTTPS”.

image10 1

Why use “HTTPS” instead of “HTTP?”

“HTTP” is not encrypted and can be vulnerable to threats, such as man-in-the-middle attacks. HTTPS should be used especially on insecure networks (such as public Wi-Fi), as these are most likely to be accessed by people on the same network who can steal your private information.

image2 2

Many websites do offer some support for encryption over HTTPS, but they make it difficult to use. For example, they can link unencrypted sites to encrypted pages.

HTTPS Everywhere takes care of those issues by rewriting requests to these sites to HTTPS.

Here you can access information about the project’s Git repository and also get involved in development if you are interested to do that.

Download: HTTPS Everywhere

4. LastPass

LastPass is a password manager which stores all of your passwords so you don’t have to remember them.

Using the same password for all your accounts is the worst thing you can do, so LastPass will contribute to your overall security hygiene.

image14 1

What you do need to remember is the master password used to guard the rest of your passwords. This tool uses strong encryption algorithms, so even the folks from LastPass don’t have access to your data.

image1 3

It integrates with a variety of two-factor authentication options so you can protect yourself with an extra layer of security. You should really turn on this feature just in case someone manages to steal your master password, and this way they can be stopped from accessing your account.

Download: LastPass 

5. Vanilla Cookie Manager

Vanilla Cookie Manager is an extension that allows you to delete unwanted cookies. It gives you the option to shut off cookies completely or just remove third-party cookies.

image11 1

Vanilla Cookie Manager allows you to whitelist the cookies that you would like to keep from websites trusted by you.

image20 1

Does it make sense to manage cookies?

Let’s start off by briefly explaining what they are and what they do.

Cookies are text strings stored on your computer in a directory. They are harmless, in the sense that they can’t infect your PC with malware. Yet, they can store information about your activity on websites.

So how do cookies work?

Web servers transmit cookies that are stored in your browser, and the next time a page is referenced, the browser returns the cookie to the server.

Obviously, it’s your choice if you want to alter cookies. Some users prefer to browse the internet without concerning too much about their information being collected, while others prefer to remain completely anonymous.

Download: Vanilla Cookie Manager

6. Perspective Guard

The Perspective Guard extension is based on a rather unique concept running on artificial intelligence, and its main purpose is to let you know if you might come across fake news.

image17 1

Its developers promise not to store your data so you can rest assured you are browsing the internet privately.

What it does is monitor the social networks and websites you access and gives you an overview of the type of content you encounter.

The content you see is classified as Negative, Neutral, or Positive.

image3 1

You also have the option to be notified if you are likely to become a victim of social engineering campaigns.

Download: Perspective Guard

7. minerBlock

minerBlock is an add-on used against those malicious hackers who try to steal your computer processing power to mine cryptocurrency without your consent.image19 1

This technique is called “crypto jacking”, short for “cryptocurrency hijacking”. For a full overview of the concept and a guide on how to avoid becoming a victim, access our article.

How does the minerBlock extension work?

It uses two different ways to stop crypto miners: by blocking requests/scripts loaded from a blacklist, and by detecting suspicious behavior inside loaded scripts and deleting them right away.

Download: minerBlock

8. uBlock Origin

For all of you out there who simply don’t want to see any ads, uBlock Origin is a great Chrome extension to help you block them all.

image22 1

This ad blocker also seems to be the easiest on CPU and memory, as per their comparison below:

image5 1

image6 1

Source: Google Chrome uBlock Origin Store

Download: uBlock Origin

9. CyberGhost VPN Free Proxy

VPN tools are a great way to access websites from countries that would otherwise not be available in your location. Not only that, but you are also protected against malicious actors and data miners since a VPN hides your real IP address and encrypts your connection.

image16 1

CyberGhost has all of these features in place and has been awarded the “Best Value” category at the BestVPN.com Awards in 2019, so we recommend you check it out.

image9 1

Download: CyberGhost VPN Free Proxy

10. Hotspot Shield VPN Free Proxy

Hotspot Shield VPN is another Chrome extension you should try out.

image12 1

It has both a free and paid version. The free one lets you access 95% of its features – hides your IP, prevents personal information theft, encrypts your activity on any network, and you can automatically secure popular websites or bypass unwanted ones.

image8 1

Download: Hotspot Shield VPN Free Proxy

Do Chrome extensions work in Incognito Mode?

Chrome extensions will not work in Incognito mode by default since this browsing alternative stops the browser from saving your history, cookies, and website data.

Yet, you do have the possibility to activate the Chrome add-ons manually so they run in Incognito as well.

Here is how:

Step #1: Open an Incognito window, and click on the Settings option.

image21 1

Step #2: The Extensions menu will open in a new Tab. Select the Details option from the add-on you would like to activate.

image23 1

Step #3: Activate Allow in incognito.

image15 1

And you’re all set. You can now use the add-ons you want in Incognito mode.

Are all Chrome extensions safe to use?

As a general rule, be careful when you browse the Chrome Web Store for extensions, as there are chances you run into add-ons that can compromise your security and privacy.

Here are some guidelines to keep in mind:

  • Always look at the extensions’ rating and try to choose the ones that have at least 4.3 out of 5 stars. And also make sure you read the user reviews.
  • Install extensions from trusted sources. You may want to look into who actually developed the add-on and see if the source looks suspicious or not.
  • Pay attention to what permissions the extensions require. If an extension you are already using suddenly asks you to grant another permission, this means it may have been compromised.
  • Never install too many extensions. Stick to the ones you really need. Too many of them can both slow down your browser and make it difficult to keep an eye on to notice if something fishy is going on.
  • Don’t rely on security browser extensions exclusively and also install an anti-malware solution on your computer.
The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe

EASY AND RELIABLE. WORKS WITH ANY ANTIVIRUS.

Try Thor Foresight

What security and privacy add-ons have we missed? Are there any Chrome extensions that you would advise against? Share your thoughts in the comments section below.

The post 10 Chrome Extensions to Boost Your Online Safety in 2019 appeared first on Heimdal Security Blog.

Smashing Security #124: Poisoned porn ads, the A word, and why why why Wipro?

Smashing Security #124: Poisoned porn ads, the A word, and why why why Wipro?

The hacker who lived the high life after spreading malware via porn sites, Wipro demonstrates how to turn a cybersecurity crisis into a PR disaster, and why are humans listening in to your Alexa conversations?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Brian Honan.

RobbinHood Ransomware Demands Grow $10K Per Day after Fourth Day

The ransom demands imposed by the new “RobbinHood” ransomware family increase $10,000 each day beginning on the fourth day following encryption. The creators of RobbinHood appear to be aiming their attacks at entire networks. When they’ve gained access to a target, they use their ransomware to encrypt as many computers as possible. They then drop […]… Read More

The post RobbinHood Ransomware Demands Grow $10K Per Day after Fourth Day appeared first on The State of Security.

Cyber News Rundown: Tax Extortion Ransomware Scams Corporations

Reading Time: ~2 min.

Tax Extortion Emails Bring Major Threats

A new email campaign has been spotted threatening ransomware and DDoS attacks over fake tax documents allegedly held by the attackers if a Bitcoin ransom isn’t paid. The campaign authors also threaten to send fake tax documents to the IRS through a poorly-worded ransom email that even provides Wikipedia excerpts for each threat put forward. Fortunately, as the campaign seems to be focused on corporations rather than individuals, no payments have been made to the attacker’s crypto coin wallet address.

Hotel Reservation Data Leaking Through Third-Party Services

As major data breaches continue to flood headlines, a recent study has revealed that nearly two of every three hotels exposes information about its guests to third-parties. Excerpts of the data show names, social security numbers, and payment card details that could give unauthorized users the ability to compromise identities or make changes to current reservations. Most of the exposed data involves comping through third-party services run on hotel websites offering customers additional packages.

Ransomware Conspirator Jailed in the UK

Police in the UK have officially charged and jailed a man for his part in the operation of a global ransomware campaign with ties to a Russian criminal organization. Charges range from fraud and blackmail to computer misuse relating to DDoS attacks and the Essex man is set to face at least six years. By masquerading as an advertising agent looking to purchase ad space on high-traffic sites, he was able to infect ad links with malware and other exploits to spread his campaign.

Firefox Begins Blocking Cryptomining Scripts

Even after the demise of CoinHive, cryptomining scripts are still being secretly deployed on thousands of websites without the knowledge of their owners and visitors. With the release of Firefox 67 beta, Mozilla is hoping to completely protect their users from malicious scripts that download and run cryptominers and other unwanted tracking software by using a blacklist created by Disconnect, a VPN developer with a reputation for privacy protection. Additionally, the new Firefox version will block fingerprinting scripts commonly used to invade a user’s browsing privacy.

MyCar App Uses Hardcoded Credentials

Thousands of cars were left vulnerable after a widely used vehicle telematics systems was found to be using hardcoded credentials in their mobile apps. Used in dozens of different car models to enable remote control functions, the hardcoded credentials leave these vehicles accessible to anyone with the app’s source code and the plaintext credentials within. Fortunately for users, the latest iOS and Android versions of the MyCar app have been updated to resolve this vulnerability.

The post Cyber News Rundown: Tax Extortion Ransomware Scams Corporations appeared first on Webroot Blog.

The One Word No One Is Talking About in the Disney-Fox Deal

On March 20, The Walt Disney Company completed its purchase of 21st Century Fox. The acquisition added huge properties like The Simpsons and National Geographic as well as film blockbuster franchises to Disney’s star-studded stable that includes Star Wars, Marvel Comics, Pixar, the Muppets, and a decades-long catalog of major intellectual properties.

While major acquisitions and mergers often give rise to anti-trust issues–and this one was no exception, the transfer of properties with complex privacy policies, and how that works going forward has not been a big topic of discussion.

Corralling such a massive amount of children’s and family-friendly entertainment under one roof may seem, at least on the surface, like a world-friendly move, but to quote a song from Disney’s 1995 direct-to-video sequel, “Pocahontas 2”–“things aren’t always what they appear.”

While Disney’s acquisition lacks the dark mirror quality of Amazon’s ever-expanding home networking business or Google’s inescapable array of services (all of them tracking users with mindboggling granularity), there is considerable consumer data tied to the properties that just changed hands, all of it governed by the privacy policies attached to them, which also changed hands but cannot be changed without user consent. This is not about whatever privacy fail we might expect next from Facebook. It’s about the potential privacy conflicts caused by Disney’s acquisition of Fox.

It Was All Started by a Mouse

Walt Disney liked to remind people that his company started humbly, “by a mouse.” Today, we are also dealing with something mouse-related: Our data.

Few of us ever read the privacy policies we agree to when we download software or an app–the exception here being those among us who are in the business of selling data. Privacy policies are binding. When a company changes hands, the data in its possession is governed by the privacy policy that was in place when the user accepted its terms, and that remains the case even after it’s transferred to its new owner. They can be changed, with user consent, which is usually given by users who are not studying the new terms of engagement.

Disney of course pre-dates the era of a surveillance economy, but it has invested aggressively in data analytics and customer tracking. Strategic data deployment has been central to Disney’s increased profits in recent years, both at its theme parks and brick-and-mortar stores. While RFID tracking for customers, facial recognition, personalized offers based on prior purchases and behavior can all vastly improve customer experience, we’ve seen far too many instance of companies abusing their privileged access to consumer data.

The “Don’t Be Evil” Option

Companies can start with good intentions (see Google’s recently retired “Don’t Be Evil” motto) and eventually expand their data mining practices to Orwellian dimensions. It’s a matter of grave concern.

When a disproportionate number of the customers being tracked are children, this should be even greater cause for concern. That’s the red button aspect of prime interest in the Disney-Fox deal.

Case in point, the 2017 lawsuit filed against Disney and still pending in court that claims the company was tracking children through at least 42 of its mobile apps via unique device fingerprints to “detect a child’s activity across multiple apps and platforms… across different devices, effectively providing a full chronology of the child’s actions.”

Disney denies these allegations, but they did cop to generating “anonymous reporting” from specific user activity through “persistent identifiers,” and that the information was collected by a laundry list of third party providers, many of which are ad tracking platforms.

The company is by no means alone in this practice. A 2018 study found that 3,337 family- and child- oriented apps available on the Google Play store were improperly tracking children under the age of 13. It’s not hard to see why. If consumer data is valuable, starting the process of collecting data associated with an individual as early as possible can provide marketing companies with extremely deep data about their target’s preferences and habits long before they have a disposable income. The U.S. Children’s Online Privacy Protection Rule (“COPPA”) was created to stop this from happening. But as we’ve seen from companies like TikTok, it’s often skirted or flouted outright and the penalties are often laughable compared to profits.

The collection of data on kids is a problem. Enter Disney, the sheer scale of that empire making its data position comparable to that held by Facebook or Google. It is similar with Fox properties, though to a lesser extent. The upshot: An immense amount of data just changed hands and no one is talking about it–and they should be.

Changing Privacy Policies

While privacy policies are easy to find, they are not so much fun to read. They are not all alike. But without engaging in a tale of the tape regarding Disney and Fox policies, there is still reason for concern.

The problem from a privacy standpoint is a side-effect of Disney’s aggressive expansion. Those of us who love Marvel Comics, and who signed up for related sites or apps before 2009 or Star Wars before 2012, or who subscribed to National Geographic before this year, all belong to Disney’s data holdings now. We have no way of knowing how our data is being used, or whether the privacy policy we agreed to is the one governing the current use of our data. Disney announced changes to each of its new properties’ privacy policies on its main website and updated them accordingly, but is that enough?

Companies can reserve the right to change their privacy policies, and if we don’t like it we can always opt out. Things become murkier when data is purchased by a third party; this can happen with acquisitions, or when major retailers go belly up. It happened when Radio Shack went out of business, and its entire customer database was suddenly put up for sale to the highest bidder.

The creation of meaningful standards for consumer privacy is a moving target, but it should be a legislatively mandated consideration for large scale mergers and acquisitions. Once a customer’s information is sold, there’s no way to get it back. An effective stopgap might be to demand a data transfer “opt out” button when we’re giving consent to privacy policies. When it comes to children, we might even consider legislating automatic “opt out” for anyone under a certain age. Where safeguarding children’s data is concerned, there’s still much work to be done.

This article originally appeared on Inc.com.

The post The One Word No One Is Talking About in the Disney-Fox Deal appeared first on Adam Levin.

The scourge of stalkerware

Stalkerware

Stalkerware. Software that allows someone else to spy upon every SMS text message you send or receive, who you’re speaking to on your smartphone phone, the pictures in your photo library, every social media post you make, your current location, and where you go and when.

The EFF’s Eva Galperin calls on the security industry to take stalkerware more seriously.

A Year Later, Cybercrime Groups Still Rampant on Facebook

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”

But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings.  This is precisely what I experienced a year ago.

Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.

Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures.

What did we find? KrebsOnSecurity received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled.

How else have Facebook’s public statements about its supposed commitment to security and privacy been undermined by pesky facts over the past few weeks?

  • KrebsOnSecurity broke the news that Facebook developers wrote apps which stored somewhere between 200 million and 600 million Facebook user passwords in plain text. These plaintext passwords were indexed by Facebook’s data centers and searchable for years by more than 20,000 Facebook employees.
  • It emerged that Facebook’s new account signup page urges users to supply the password to their email account so Facebook can harvest contact details and who knows what else. Yes, that’s right: Facebook has been asking new users to share their email password, despite decades of consumer advice warning that is exactly what phishers do.
  • Cybersecurity firm UpGuard discovered two troves of unprotected Facebook user data sitting on Amazon’s servers, exposing hundreds of millions of records about users, including their names, passwords, comments, interests, and likes.

  • Facebook is making users searchable by marketers and others via phone number, even when that phone number was only provided solely for the purposes of multi-factor authentication.

Once again, that old adage applies: If you can’t quite figure out how you’re the customer in a given online relationship, that’s probably because you’re best described as the product being sold to others.

I long ago stopped providing personal information via any Facebook account. But for my part, there remain probably three big reasons why I’m still on Facebook.

For better or worse, a great many sources choose to share important information this way. Also, sometimes Facebook is the fastest way to find a potential source and get their attention.

Secondly, many people unfortunately still get much of their news from Facebook and prefer to be notified about new stories this way.

Finally, I periodically need to verify some new boneheaded privacy disclosure or security screw-up manufactured by Facebook.

I would probably never delete my Facebook account, for the same reason I wouldn’t voluntarily delete my accounts from various cybercrime forums: For my part, the potential benefits of being there outweigh the potential risks. Then again, I am likely far from your typical Facebook (ab)user.

But what about you, Dear Reader? How does your Facebook cost/benefit analysis break down? Have any of the recent or not-so-recent Facebook scandals prompted you to delete your account, or to heavily restrict what types of information you store on the social network or make available to others? Sound off in the comments below.

Cyber News Rundown: Massive Data Breach at Georgia Tech

Reading Time: ~2 min.

Massive Data Breach at Georgia Tech

It was recently revealed that the personal information on over 1.3 million people was illicitly accessed by hackers who breached Georgia Tech systems in December of last year. The breach is the second of the year for the university, and was only discovered after IT staff noted performance issues on a widely used web application that interacts with a major database for both students and staff. 

Restaurant Firm Admits to Data Breach

Earl Enterprises, the parent firm of several popular restaurants around the country, recently announced they had fallen victim to a point-of-sale breach at multiple restaurant locations over the last 10 months. At least 100 restaurants, including all locations of the Italian chain Buca di Beppo, have begun working on restoring their systems and contacting affected customers. Nearly 2.1 million payment card accounts have been found in a dark web marketplace that were posted just a month before the company made its discovery.

Toyota Confirms Sales Data Breach

Personal information for over 3.1 million individuals may have been compromised before officials found signs of unauthorized activity on an internal network used in multiple sales subsidiaries of Toyota and Lexus. While the company’s dealerships continue to provide service and parts to customers, this specific breach comes only a month after another cyber attack that impacted Toyota dealerships in Australia, leaving many customers worried about the safety of their data.

GPS Watches Display PWNED! Message

Nearly a year after researchers contacted the watch maker Vidimensio about multiple vulnerabilities in their GPS watches, a new message has appeared on watch maps. The phrase “PWNED!” has been seen on at least 20 different watch models as a message alerting the company to their poor security infrastructure, as end-users are susceptible to being tracked through their watches. More alarmingly, many of the devices were found to have this vulnerability after Germany passed a law banning smart-watches for children that were capable of remote-listening after it was found they often ran on unpatched firmware.

Ransomware Strikes Albany, NY

The city of Albany, New York has been working to restore normal operations after a ransomware attack took down several key components of its systems. Aside from a few document-specific requests, however, the vast majority of the functionality was left undisturbed throughout the attack and recovery process. According to officials, all public safety services remained fully operational and had staff working around the clock to continue to provide assistance or direct individuals to a working facility.

The post Cyber News Rundown: Massive Data Breach at Georgia Tech appeared first on Webroot Blog.

Cyber News Rundown: Hacker Exposes 26 Million Personal Records

Reading Time: ~2 min.

Gnosticplayers Adds 26 Million More Records for Sale

After the first 3 major data dumps, which totaled over 600 million records, the hacker known as Gnosticplayers has released his latest cache of data, which contains at least 26 million personal user records. These data caches hold customer information for 32 companies overall and have been obtained over just the past couple months, making the data that much more lucrative. The hacker claims these breaches are done simply out of frustration that security is still not being taken seriously by many major companies from across the globe, which may explain why the price tag for each dump is so low.

Hackers Set Off Tornado Sirens in Texas Towns

At least 30 tornado warning sirens in two Texas towns were triggered in the early morning hours by an unknown hacker. While officials quickly shut down the sirens, they did so just 24 hours prior to a major storm during which they might have needed to use these critical emergency systems. This attack is very similar to one that affected the entire Dallas area in 2017, when hackers successfully compromised a radio system that set off over 100 tornado sirens across the city.

Marketing Firm Exposes 230 Million Records

Another misconfigured Amazon database, this time belonging to Exactis, carries the blame for a data breach that could affect at least 230 million individuals, with more data on 110 million individual records tied to businesses. While it is still unclear exactly how long the database was accessible, the company and an external security auditor maintain that the data was not accessed maliciously during its time online, though the independent researcher who first discovered the database reports that the data may have been spotted for sale on the dark web.

Ransomware Cripples Major Aluminum Manufacturer

Norsk Hydro, a major Aluminum producer, suffered a ransomware attack that successfully shut down a large portion of the company’s operations. The attack forced the company to switch to manual operations at all of its facilities around the world, and temporarily take down their website while they worked to restore their systems from backups. Fortunately, the company retains backups for their major operations, so normal production should resume within the week.

Gearbest Leaks 1.5 Million Customer Records

Following the trend of unprotected databases, researchers recently found yet another one, this time belonging to Gearbest (a Chinese e-commerce site). This database contained unencrypted personal records for over 1.5 million customers around the globe, including payment data, ID and passport info, and even data that could compromise Gearbest itself, as URLs for an internal software platform were also exposed. The company has since claimed that the number of exposed records is much smaller than originally posted. However, they also maintain that they use strong encryption on all stored data, despite this latest evidence to the contrary. 

The post Cyber News Rundown: Hacker Exposes 26 Million Personal Records appeared first on Webroot Blog.

When is it fair to infer?

While the GDPR framework is robust in many respects, it struggles to provide adequate protection against the emerging risks associated with inferred data (sometimes called derived data, profiling data, or inferential data). Inferred data pose potentially significant risks in terms of privacy and/or discrimination, yet they would seem to receive the least protection of the personal data types prescribed by GDPR. Defined as assumptions or predictions about future behaviour, inferred data cannot be verified at the time of decision-making. Consequently, data subjects are often unable to predict, understand or refute these inferences, whilst their privacy rights, identity and reputation are impacted.

Reaching dangerous conclusions

Numerous applications drawing potentially troubling inferences have emerged; Facebook is reported to be able to infer protected attributes such as sexual orientation and race, as well as political opinions and the likelihood of a data subject attempting suicide. Facebook data has also been used by third parties to decide on loan eligibility, to infer political leniencies, to predict views on social issues such as abortion, and to determine susceptibility to depression. Google has attempted to predict flu outbreaks, other diseases and medical outcomes. Microsoft can predict Parkinson’s and Alzheimer’s from search engine interactions. Target can predict pregnancy from purchase history, users’ satisfaction can be determined by mouse tracking, and China infers a social credit scoring system.

What protections does GDPR offer for inferred data?

The European Data Protection Board (EDPB) notes that both verifiable and unverifiable inferences are classified as personal data (for instance, the outcome of a medical assessment regarding a user’s health, or a risk management profile). However it is unclear whether the reasoning and processes that led to the inference are similarly classified. If inferences are deemed to be personal data, should the data protection rights enshrined in GDPR also equally apply?

The data subjects’ right to being informed, right to rectification, right to object to processing, and right to portability are significantly reduced when data is not ‘provided by the data subject’ for example the EDPB note (in their guidelines on the rights to data portability) that “though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject, these data will typically not be considered as “provided by the data subject” and thus will not be within scope of this new right’.

The data subject however can still exercise their “right to obtain from the controller confirmation as to whether or not personal data concerning the data subject has being processed, and, where that is the case, access to the personal data”. The data subject also has the right to information about “the existence of automated decision-making, including profiling (Article 22(1),(4)) meaningful information about the logic involved, as well as the significance and consequences of such processing” (Article 15). However the data subject must actively make such an access request, and if the organisation does not provide the data, how will the data subject know that derived or inferred data is missing from their access request?

A data subject can also object to direct marketing based on profiling and/or have it stopped, however there is no obligation on the controller to inform the data subject that any profiling is taking place – “unless it produces legal or significant effects on the data subject”.

No answer just yet…

Addressing the challenges and tensions of inferred and derived data, will necessitate further case law on the interpretation of “personal data”, particularly regarding interpretations of GDPR. Future case law on the meaning of “legal effects… or similarly significantly affects”, in the context of profiling, would also be helpful. It would also seem reasonable to suggest that where possible data subjects should be informed at collection point, that data is derived by the organisation and for what purposes. If the data subject doesn’t know that an organisation uses their data to infer new data, the data subject cannot exercise fully their data subject rights, since they won’t know that such data exists.

In the meantime, it seems reasonable to suggest that inferred data which has been clearly informed to the data subject, is benevolent in its intentions, and offers the data subject positive enhanced value, is ‘fair’.

The post When is it fair to infer? appeared first on BH Consulting.

These Cookie Warning Shenanigans Have Got to Stop

These Cookie Warning Shenanigans Have Got to Stop

This will be short, ranty and to the point: these warnings are getting ridiculous:

These Cookie Warning Shenanigans Have Got to Stop

I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet:

The reason I don't know if it makes it better or worse is that on the one hand, it's ridiculous that in a part of the world that's more privacy-focused than most it essentially boils down to "take this cookie or no access for you" whilst on the other hand, the Dutch DPA somehow thinks that this makes any sense to (almost) anyone:

And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

Is this really what we want? To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway (note: this is a purely fabricated figure based on the common-sense assumption that people will generally click through anything that gets in the way of performing the task they set out to complete in the first place). And honestly, how on earth is your average person going to make an informed decision on a message like this:

Do you know how hard it is to explain OAuth to technical people, let alone the masses? Oh wait - it's not OAuth - it's Oath but even I didn't get that at first because nobody really reads these warnings anyway! And now that I have read it and I know it's Oath, what does that really mean? Oh look, a big blue button that will make it all go away and allow me to do what I came here for in the first place...

But say you are more privacy focused and you wanted to follow that link in the original tweet. Here's your fix:

These Cookie Warning Shenanigans Have Got to Stop

And if you're smart enough to actually understand what cookies are and be able to make an informed decision when prompted with a warning like TechCrunch's, then you're smart enough to know how to right click on a link and open it incognito. Or run an ad blocker. Or something like a Pi-hole.

Or you move to Australia because apparently, we don't deserve the same levels or privacy down here. Or have I got that back to front and Europeans don't deserve the same slick UX experience as we get down here? You know, the one where you click on a link to read an article and you actually get to read the article!

So let's be European for a moment and see how that experience looks - let's VPN into Amsterdam and try to control my privacy on TechCrunch:

These Cookie Warning Shenanigans Have Got to Stop

Are you fucking serious? This is what privacy looks like? That's 224 different ad networks that are considered "IAB Partners" (that'd be the Interactive Advertising Bureau) and I can control which individual ones can set cookies. And that's in addition to the 10 Oath foundational partners:

These Cookie Warning Shenanigans Have Got to Stop

You can't disable any of those either by the look of it so yeah, no privacy on that front. But at least you can go and read their privacy policy, right? Sure, Unruly's is 3,967 words, Facebook's is 4,498 words and Zentrick's is another 3,805 words. Oh - and remember that you need to accept cookies on each one of those sites too and you're going to want to read about how they and their partners track you...

These Cookie Warning Shenanigans Have Got to Stop

And the ridiculous thing about it is that tracking isn't entirely dependent on cookies anyway (and yes, I know the Dutch situation touched on browser fingerprinting in general too). Want to see a perfect example? Have a go of Am I Unique and you'll almost certainly be told that "Yes! You can be tracked!":

These Cookie Warning Shenanigans Have Got to Stop

Over one million samples collected and yet somehow, I am a unique snowflake that can be identified across requests without a cookie in sight. How? Because even though I'm running the current version of Chrome on the current version of Windows, less than 0.1% of people have the same user agent string as me. Less than 0.1% of people also have their language settings the same as mine. Keep combining these unique attributes and you have a very unique fingerprint:

These Cookie Warning Shenanigans Have Got to Stop

The list goes on well beyond that screen grab too - time zone, screen resolution and even the way the canvas element renders on the page. It's kinda cool in a kinda creepy way.

And here's the bit that really bugs me (ok, it all bugs me but this is the worst): how do we expect your normal everyday person to differentiate between cookie warnings and warnings like these:

These Cookie Warning Shenanigans Have Got to Stop
These Cookie Warning Shenanigans Have Got to Stop

I know what these are and you probably do too by virtue of being on this blog, but do you really think most people who have been conditioned to click through the warning that's sitting between them and the content they wish to read understand the difference between this and a cookie warning? We literally have banks telling people just to ignore these warnings:

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices. That is all.

How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep

Spring Break and reputation management

Spring Break and reputation management Spring Break 2019 is in full swing, which means high school and college kids have hit the road determined to make this rite of passage epic. Unfortunately, not everyone will return home with his or her online reputation intact.

Despite the headlines and warnings, kids are still uploading their lives 24/7 and not all of their choices will be wise. While impressive at the moment, showcasing one’s exceptional beer pong or body shot skills could become a future digital skeleton.

Define it

The decision to share reckless content online has damaged (even destroyed) scholarships, opportunities, reputations, and careers.

Each day more than one billion names are searched on Google, and 77% of job recruiters look up potential employees up online during the hiring process, according to BrandYourself.com. Also, 45% of people have found content in an online search that made them decide not to do business with someone.

As elementary as it sounds, the first step to helping your child safeguard his or her online reputation this spring break is defining what is and is not appropriate online content.

Spring Break and reputation management

Technology has created a chasm between generations so don’t assume your values align with your child’s in this area. Behavior once considered inappropriate has slowly become acceptable to kids who grew up in the online space. Also, peers often have far more influence than parents.

So take the time to define (and come to an agreement on) content you consider off limits such as profanity, racy photos, mean, disrespectful, or racist comments, irresponsible or prank videos, or pictures that include alcohol or drug use. (Yes, state the obvious!)

Untag It

Spring Break and reputation management

Turn off tagging. Like it or not, people often judged us by the company we keep. Your child’s online behavior may be stellar but tag-happy, reckless friends can sink that quickly. To make sure your child doesn’t get tagged in risky photos on Twitter, Instagram, or Facebook, encourage them to adjust privacy settings to prevent tagging or require user approval. Also, help your kids to pay more attention to unflattering Snapchat photos and Snapchat story photos that other people post about them that can be problematic if shared elsewhere.

Lock It

Amp privacy settings. By adjusting privacy settings to “friends only” on select social networks content, digital mistakes can be minimized. However, we know that anything uploaded can be shared and screen captured before it’s deleted so tightening privacy settings isn’t a guarantee.

Google It

Spring Break and reputation management To get a clear picture of your child’s digital footprint and what a school or future employer might find, Google your child’s name. Examine the social networks, links, and sites that have cataloged information about your child. One of the best ways to replace damaging digital information is by creating positive information that overshadows it. Encourage your child to set up a Facebook page that reflects their best self — their values, their goals, and their character. Make the page public so others can view it. They may also consider setting up a LinkedIn page that highlights specific achievements, goals, and online endorsements from teachers and past employers.

If for some reason there’s damaging content that can’t be removed by request, encourage your child to set up a personal website and blog weekly. This can be a professional or hobby blog, but the idea is to repopulate the search results with favorable content and push the tainted content further down on Google.

Balance It

In your guiding, don’t forget the wise words of Cyndi Lauper who reminds us all, “Girls just wanna have fun!” Strive for balance in giving kids the room to make memories with friends while at the same time equipping them to make wise choices online.

The post How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep appeared first on McAfee Blogs.

Why it’s too easy to manipulate voters – and steal the EU elections | Eleonora Nestola

It’s time to act, as personal data is being used to target voters – and the EU commission isn’t doing enough to stop this

On 11 July last year the UK Information Commissioner’s Office (ICO) published its first report on the Cambridge Analytica scandal. This is a date I will never forget, a date that substantially changed my vision of the current threats to our democratic society. It is a day that became a call to arms for me – and, for once, I had the understanding, the knowledge and the expertise to support the fight. I felt it was time to put all of this to good use for civil society, and so I set out to discover how online electoral campaigning works. And let me tell you, the system is not in good health and we Europeans should all be made more aware of that.

Related: This is Europe: stay close with the Guardian’s email updates

Voters become unaware they are receiving political messages based on bias. The risks are enormous

Related: Data protection laws are shining a needed light on a secretive industry | Bruce Schneier

Continue reading...

The Risks of Public Wi-Fi and How to Close the Security Gap

public wi-fi risksAs I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPNpublic wi-fi risks

The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

A VPN allows you to connect to a proxy server that will access online sites on your behalf and enables a secure connection most anywhere you go. A VPN also allows hides your IP address and allows you to browse anonymously from any location.

How VPNs work

To use a VPN you subscribe to VPN service, download the app onto your desktop or phone, set up your account, and then log onto a VPN server to conduct your online activity privately.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi 

Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.public wi-fi risks

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

Mumsnet reports itself to regulator over data breach

Company apologises after bug meant users were able to log into accounts of strangers

Mumsnet has reported itself to the information commissioner after a data breach resulted in users accidentally logging into the accounts of strangers.

Related: Mumsnet forums are a guilty pleasure, but there are truths, too

Related: Mumsnet brings in tougher forum rules after transgender row

Continue reading...

#PrivacyAware: Will You Champion Your Family’s Online Privacy?

online privacyThe perky cashier stopped my transaction midway to ask for my email and phone number.

Not now. Not ever. No more. I’ve had enough. I thought to myself.

“I’d rather not, thank you,” I replied.

The cashier finished my transaction and moved on to the next customer without a second thought.

And, my email and phone number lived in one less place that day.

This seemingly insignificant exchange happened over a year ago, but it represents the day I decided to get serious and champion my (and my family’s) privacy.

I just said no. And I’ve been doing it a lot more ever since.

A few changes I’ve made:

  • Pay attention to privacy policies (especially of banks and health care providers).
  • Read the terms and conditions of apps before downloading.
  • Block cookies from websites.
  • Refuse to purchase from companies that (appear to) take privacy lightly.
  • Max my privacy settings on social networks.
  • Change my passwords regularly and keep them strong!
  • Delete apps I no longer use.
  • Stay on top of software updates on all devices and add extra protection.
  • Have become hyper-aware before giving out my email, address, phone number, or birth date.
  • Limit the number of photos and details shared on social media.

~~~

The amount of personal information we share every day online — and off — is staggering. There’s information we post directly online such as our birth date, our location, our likes, and dislikes. Then there’s the data that’s given off unknowingly via web cookies, Metadata, downloads, and apps.

While some data breaches are out of our control, at the end of the day, we — along with our family members — are one giant data leak.

Studies show that on average by the age of 13, parents have posted 1,300 photos and videos of their child to social media. By the time kids get devices of their own, they are posting to social media 26 times per day on average — a total of nearly 70,000 posts by age 18.

The Risksonline privacy

When we overshare personal data a few things can happen. Digital fallout includes data misuse by companies, identity theft, credit card fraud, medical fraud, home break-ins, reputation damage, location and purchasing tracking, ransomware, and other risks.

The Mind Shift

The first step toward boosting your family’s privacy is to start thinking differently about privacy. Treat your data like gold (after all, that’s the way hackers see it). Guiding your family in this mind-shift will require genuine, consistent effort.

Talk to your family about privacy. Elevate its worth and the consequences when it’s undervalued or shared carelessly.

Teach your kids to treat their personal information — their browsing habits, clicks, address, personal routine, school name, passwords, and connected devices — with great care. Consider implementing this 11 Step Privacy Take Back Plan.

This mind and attitude shift will take time but, hopefully, your kids will learn to pause and think before handing over personal information to an app, a social network, a retail store, or even to friends.

Data Protection Tips*

  1. Share with care. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future.
  2. Own your online presence. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information.online privacy
  3. Think before you act. Information about you, such as the games you like to play, your contacts list, where you shop and your geographic location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through websites and apps.
  4. Lock down your login. Your usernames and passwords are not enough to protect critical accounts like email, banking, and social media. Strengthen online accounts and use strong authentication tools like a unique, one-time code through an app on your mobile device.

* Provided by the National Cyber Security Alliance (NCSA).

January 28 National Data Privacy Day. The day highlights one of the most critical issues facing families today — protecting personal information in a hyper-connected world. It’s a great opportunity to commit to taking real steps to protect your online privacy. For more information on National Data Privacy Day or to get involved, go to Stay Safe Online.

The post #PrivacyAware: Will You Champion Your Family’s Online Privacy? appeared first on McAfee Blogs.

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 concludes reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 millions users of "make your own avatar" app Boomoji had their accounts compromised, after the company reportedly didn't secure their internet connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.


A large data breach reported in Brazil is of interest, a massive 120 million Brazilian citizens personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018, the lesson to be learnt in the UK, is to never assume or take cloud security for granted, its essential practice to test and audit cloud services regularly.

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employee's personal data may had been compromised. Lets hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.  
NASA InSight Lander arrives on Mars 

It wouldn't be normal for Facebook not to be in the headlines for poor privacy, this time Facebook announced a Photo API bug which exposed 6.8 million user images

Away from the political circus that is Brexit, the European Parliament put into a law a new Cybersecurity Act. Because of the Brexit making all the headlines, this new law may have gone under the radar, but it certainly worth keeping an eye on, even after UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect these new best practice framework and associated accreditations to be turned into regulations further down the line, which would impact any tech business operating in European Union.

The UK Parliament enacted the "The Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to UK's future critical national infrastructure posed by the Chinese stated-backed tech giant.  The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in new UK mobile network.
Security company Insinia cause controversy after it took over the Twitter accounts by Eamon Holmes, Louis Theroux and several others celebs. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, to inject messages onto the targeted accounts by analysing the way the social network interacted with smartphones when messages are sent. However, Insinia were accused of being unethical and breaking the UK Computer Misuse Act in some quarters.

Unsecured internet connected printers are being hacked again, this time they were used to sent print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up 50,000 printers after using Shodan to search for open printer ports online, the scan was said to have found 800,000 vulnerable printers.

An Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way. The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Busting 5 Cybersecurity Myths

It is not a secret that many people nowadays do not pay much attention when they surf the web at home or at work. There are new data breaches and exploits on a daily basis and still avoiding to take any precautions may result in a catastrophic consequences. Even the biggest corporations are paying millions of dollars so they can improve their cybersecurity and remain safe. However, if you still believe in some of the cybersecurity myths you may put your own computer or even your whole organization to a huge risk. We from CyberDB have decided to bust some of the top 5 cyber security myths and make it clear for you.

Only the IT department is responsible for cybersecurity

It is not wrong to say that the IT department is responsible to implement new processes and policies to keep the cybersecurity in a top notch state. However, they just don’t have a magic stick to protect all of the computers in the network. In reality each employee should be extremely careful when receiving and opening different e-mail messages from colleagues or third parties. It is dangerous since the infection can spread across all of the departments within the organization and this may cause a further data breach for example.

Using just an antivirus software is enough

Antivirus software might have been enough to safe your business from potential attack 20 years ago – nowadays it definitely is just not enough to protect your whole organization. Hackers find new ways to disable your antivirus and hide their attacks in the system. With ransomware gaining more popularity among hackers the time of getting infected and getting your information locked is just a matter of seconds. So using an antivirus is not always enough, but you also need to stay informed about the latest threats. Check out our database of cyber security vendors to find the best solution for your personal or business needs.

A strong password is enough

It is not a secret that having a long and complex password on your accounts is an essential. However, even big tech giants like Facebook or Apple experience data breaches and are pretty often a target for hackers. Every website requires you to create a strong password, but it is also good to use two-factor-authentication (2FA). At first the user was getting an SMS with a code for 2FA, but even this can be compromised by using a cloned sim card. So make sure you have an app like Google Authenticator for example to make your accounts more secure.

Threats are being spread only through the Internet

Some users may think that disconnecting from the internet will prevent the threats spreading around the network and they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in – all of the computers may become infected and your company may lose valuable information. You may have your information stolen even when you shop at a local retailer. So threats are not only online, but in our daily life and we need to be very careful and take care of our personal information.

Only certain industries experience cyber attacks

Some businesses still believe that they may be not targeted by hackers because they are a small or mid-sized business or in a specific industry. Well, they are completely wrong. Some companies also believe they do not have anything that hackers may find valuable to steal. In reality there is information like personal addresses or credit card numbers which can make every business in every industry a potential target. Here are the industries which are most vulnerable to cyber-attacks nowadays:

 Top 10 Sectors Breached

The post Busting 5 Cybersecurity Myths appeared first on CyberDB.