Category Archives: Privacy

How Apple’s "Find My" Feature Works

Matthew Green intelligently speculates about how Apple's new "Find My" feature works.

If you haven't already been inspired by the description above, let me phrase the question you ought to be asking: how is this system going to avoid being a massive privacy nightmare?

Let me count the concerns:

  • If your device is constantly emitting a BLE signal that uniquely identifies it, the whole world is going to have (yet another) way to track you. Marketers already use WiFi and Bluetooth MAC addresses to do this: Find My could create yet another tracking channel.

  • It also exposes the phones who are doing the tracking. These people are now going to be sending their current location to Apple (which they may or may not already be doing). Now they'll also be potentially sharing this information with strangers who "lose" their devices. That could go badly.

  • Scammers might also run active attacks in which they fake the location of your device. While this seems unlikely, people will always surprise you.

The good news is that Apple claims that their system actually does provide strong privacy, and that it accomplishes this using clever cryptography. But as is typical, they've declined to give out the details of how they're going to do it. Andy Greenberg talked me through an incomplete technical description that Apple provided to Wired, so that provides many hints. Unfortunately, what Apple provided still leaves huge gaps. It's into those gaps that I'm going to fill in my best guess for what Apple is actually doing.

Smashing Security #133: Cookie cock-ups, Hong Kong protests, and smart TV virus scans

We head to Hong Kong to look at how technology has helped anti-government protesters (and how China has tried to disrupt it), Samsung is skittish over whether to tell TV owners to virus-scan their devices, and you won’t believe whose website is not GDPR-compliant.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by James Thomson.

Maciej Cegłowski on Privacy in the Information Age

Maciej Cegłowski has a really good essay explaining how to think about privacy today:

For the purposes of this essay, I'll call it "ambient privacy" -- the understanding that there is value in having our everyday interactions with one another remain outside the reach of monitoring, and that the small details of our daily lives should pass by unremembered. What we do at home, work, church, school, or in our leisure time does not belong in a permanent record. Not every conversation needs to be a deposition.

Until recently, ambient privacy was a simple fact of life. Recording something for posterity required making special arrangements, and most of our shared experience of the past was filtered through the attenuating haze of human memory. Even police states like East Germany, where one in seven citizens was an informer, were not able to keep tabs on their entire population. Today computers have given us that power. Authoritarian states like China and Saudi Arabia are using this newfound capacity as a tool of social control. Here in the United States, we're using it to show ads. But the infrastructure of total surveillance is everywhere the same, and everywhere being deployed at scale.

Ambient privacy is not a property of people, or of their data, but of the world around us. Just like you can't drop out of the oil economy by refusing to drive a car, you can't opt out of the surveillance economy by forswearing technology (and for many people, that choice is not an option). While there may be worthy reasons to take your life off the grid, the infrastructure will go up around you whether you use it or not.

Because our laws frame privacy as an individual right, we don't have a mechanism for deciding whether we want to live in a surveillance society. Congress has remained silent on the matter, with both parties content to watch Silicon Valley make up its own rules. The large tech companies point to our willing use of their services as proof that people don't really care about their privacy. But this is like arguing that inmates are happy to be in jail because they use the prison library. Confronted with the reality of a monitored world, people make the rational decision to make the best of it.

That is not consent.

Ambient privacy is particularly hard to protect where it extends into social and public spaces outside the reach of privacy law. If I'm subjected to facial recognition at the airport, or tagged on social media at a little league game, or my public library installs an always-on Alexa microphone, no one is violating my legal rights. But a portion of my life has been brought under the magnifying glass of software. Even if the data harvested from me is anonymized in strict conformity with the most fashionable data protection laws, I've lost something by the fact of being monitored.

He's not the first person to talk about privacy as a societal property, or to use pollution metaphors. But his framing is really cogent. And "ambient privacy" is new -- and a good phrasing.

Regulation readiness: Embracing the privacy legislation wave ahead

There are a few certainties in life. Your attempt to use the fifteen-item express checkout line with sixteen items will be denied by the seventeen-year-old cashier. The motorcycle cop will write you a $150 ticket instead of warning for going just three miles over the speed limit in your neighborhood. Your tactic of ignoring that federal privacy regulation just enacted will result in significant fines and penalties for your burgeoning business. Whatever the scenario, the … More

The post Regulation readiness: Embracing the privacy legislation wave ahead appeared first on Help Net Security.

Researcher leaked a dataset of over 7,000,000 transactions scraped from the Venmo public API

Researcher leaked online a dataset containing over 7,000,000 transactions scraped from the Venmo public API

Venmo is a digital wallet app owned by PayPal that lets you make and share payments with friends.

In August 2016, security expert Martin Vigo devised a method to abuse an optional SMS-based feature that allowed users to authorize payments by replying to an SMS message with a provided 6-digit code. An attacker with physical access to the victim's iPhone could steal funds from the victim's account.

The attack technique leverages the following iOS features, which are enabled by default:

  • The Siri virtual assistant, which allows replying to text messages from a locked device;
  • The text message preview, which displays part of an incoming message on a locked device's screen.

In the attack scenario devised by the expert, the attacker sends a ‘reply-to-pay’ message to his victim’s locked mobile phone, and then leverages Siri to authorize the transactions. The expert explained that an attacker could steal up to $2,999.99 per week from the victim. The development team at Venmo addressed the issue by removing the SMS reply-to-pay feature.

Last year, the researcher Hang Do Thi Duc reported that she was able to access 207,984,218 Venmo transactions by visiting a public URL.

The public data includes names, dates, pictures and the messages sent with each payment. From it, Hang Do Thi Duc was able to build a profile of some users, such as two she identified with the monikers 'The Cannabis Retailer' and 'The cord dealer.' She described The Cannabis Retailer as follows:

“With access to the first name,” she wrote, “I could infer that this person was male. I was also able to determine that he operates out of Santa Barbara, California. You might wonder how: some of his customers have a Facebook URL as their profile picture which includes their Facebook ID and so it was easy for me to see where some of them, and therefore the protagonist of this story as well, live… He registered on January 24, 2017, a day before his first transaction, and had a total of ?943 transactions in 2017.”

Time has passed, but Venmo continues to provide a public stream of its users' transactions.

Last week, researcher Dan Salmon published on GitHub more than 7 million new transactions scraped from Venmo between July and September 2018, in October 2018, and in January and February 2019. He decided to publish the dataset to warn Venmo users that their data is publicly available.

“This is a dataset of over 7,000,000 transactions scraped from the Venmo public API. Venmo is an app which allows users to easily send and receive money.” wrote Salmon.

“I am releasing this dataset, in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research.”

Anyone could analyze this dataset and profile the users, posing a serious threat to them.

Experts suggest Venmo users set 'private' mode for their transactions. In this mode the platform will not share a transaction anywhere other than your own personal feed and, if it is a payment to another user, the feed of the other person in the payment.

To update your privacy settings on the web, first log in to venmo.com. Then navigate to Settings → Privacy and select your preferred default privacy setting. Finally, make sure to click Save Settings.

Pierluigi Paganini

(SecurityAffairs – Venmo, privacy)

The post Researcher leaked a dataset of over 7,000,000 transactions scraped from the Venmo public API appeared first on Security Affairs.

One year of GDPR application: Europeans well aware of their digital rights

Europeans are relatively well aware of the new data protection rules, their rights and the existence of national data protection authorities, to whom they can turn for help when their rights are violated, according to the European Commission. “European citizens have become more aware of their digital rights and this is encouraging news. However, only three in ten Europeans have heard of all their new data rights. For companies, their customers’ trust is hard currency … More

The post One year of GDPR application: Europeans well aware of their digital rights appeared first on Help Net Security.

How employees and their organizations are prioritizing data privacy

Employees in the UK expressed greater understanding of privacy laws, and better training opportunities, than those in the U.S., the ObserveIT survey reveals. The survey polled 1,000 full-time employees in the United States and United Kingdom to determine their understanding of their organizations’ current privacy regulations. New policies and regulations dictating organizations’ handling of sensitive consumer information – such as the GDPR, the CCPA and Vermont’s data privacy law – have brought to light the … More

The post How employees and their organizations are prioritizing data privacy appeared first on Help Net Security.

Data, Surveillance, and the AI Arms Race

According to foreign policy experts and the defense establishment, the United States is caught in an artificial intelligence arms race with China -- one with serious implications for national security. The conventional version of this story suggests that the United States is at a disadvantage because of self-imposed restraints on the collection of data and the privacy of its citizens, while China, an unrestrained surveillance state, is at an advantage. In this vision, the data that China collects will be fed into its systems, leading to more powerful AI with capabilities we can only imagine today. Since Western countries can't or won't reap such a comprehensive harvest of data from their citizens, China will win the AI arms race and dominate the next century.

This idea makes for a compelling narrative, especially for those trying to justify surveillance -- whether government- or corporate-run. But it ignores some fundamental realities about how AI works and how AI research is conducted.

Thanks to advances in machine learning, AI has flipped from theoretical to practical in recent years, and successes dominate public understanding of how it works. Machine learning systems can now diagnose pneumonia from X-rays, play the games of go and poker, and read human lips, all better than humans. They're increasingly watching surveillance video. They are at the core of self-driving car technology and are playing roles in both intelligence-gathering and military operations. These systems monitor our networks to detect intrusions and look for spam and malware in our email.

And it's true that there are differences in the way each country collects data. The United States pioneered "surveillance capitalism," to use the Harvard University professor Shoshana Zuboff's term, where data about the population is collected by hundreds of large and small companies for corporate advantage -- and mutually shared or sold for profit. The state picks up on that data, in cases such as the Centers for Disease Control and Prevention's use of Google search data to map epidemics and evidence shared by alleged criminals on Facebook, but it isn't the primary user.

China, on the other hand, is far more centralized. Internet companies collect the same sort of data, but it is shared with the government, combined with government-collected data, and used for social control. Every Chinese citizen has a national ID number that is demanded by most services and allows data to easily be tied together. In the western region of Xinjiang, ubiquitous surveillance is used to oppress the Uighur ethnic minority -- although at this point there is still a lot of human labor making it all work. Everyone expects that this is a test bed for the entire country.

Data is increasingly becoming a part of control for the Chinese government. While many of these plans are aspirational at the moment -- there isn't, as some have claimed, a single "social credit score," but instead future plans to link up a wide variety of systems -- data collection is universally pushed as essential to the future of Chinese AI. One executive at search firm Baidu predicted that the country's connected population will provide them with the raw data necessary to become the world's preeminent tech power. China's official goal is to become the world AI leader by 2030, aided in part by all of this massive data collection and correlation.

This all sounds impressive, but turning massive databases into AI capabilities doesn't match technological reality. Current machine learning techniques aren't all that sophisticated. All modern AI systems follow the same basic methods. Using lots of computing power, different machine learning models are tried, altered, and tried again. These systems use a large amount of data (the training set) and an evaluation function to distinguish between those models and variations that work well and those that work less well. After trying a lot of models and variations, the system picks the one that works best. This iterative improvement continues even after the system has been fielded and is in use.

So, for example, a deep learning system trying to do facial recognition will have multiple layers (hence the notion of "deep") trying to do different parts of the facial recognition task. One layer will try to find features in the raw data of a picture that will help find a face, such as changes in color that will indicate an edge. The next layer might try to combine these lower layers into features like shapes, looking for round shapes inside of ovals that indicate eyes on a face. The different layers will try different features and will be compared by the evaluation function until the one that is able to give the best results is found, in a process that is only slightly more refined than trial and error.

Large data sets are essential to making this work, but that doesn't mean that more data is automatically better or that the system with the most data is automatically the best system. Train a facial recognition algorithm on a set that contains only faces of white men, and the algorithm will have trouble with any other kind of face. Use an evaluation function that is based on historical decisions, and any past bias is learned by the algorithm. For example, mortgage loan algorithms trained on historic decisions of human loan officers have been found to implement redlining. Similarly, hiring algorithms trained on historical data manifest the same sexism as human staff often have. Scientists are constantly learning about how to train machine learning systems, and while throwing a large amount of data and computing power at the problem can work, more subtle techniques are often more successful. All data isn't created equal, and for effective machine learning, data has to be both relevant and diverse in the right ways.
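The two paragraphs above describe the machine learning loop as "try variations, score them with an evaluation function, keep the best", and warn that an evaluation function based on historical human decisions makes the learner inherit past bias (the redlining case). The following Python is an added example, not code from the essay or from any real lending system: it runs exactly that loop over a constructed set of fictional loan decisions in which the officers decided mostly by zip code, shows that maximising agreement with history selects the zip-code rule, and then runs the disparity check a reviewer would use to catch it. The applicant data, the feature names and the function names are all assumptions made for the demonstration.

```python
"""Toy model-selection loop showing how an evaluation function based on
historical human decisions makes a learner reproduce their bias.

Added example, not from the essay.  Every applicant, income, zip code and
approval decision below is constructed for the demonstration.
"""
from collections import Counter

# Constructed "historical" loan decisions: (income_k, zip_code, approved).
# The fictional officers approved nearly everyone in zip "A" and nearly
# no one in zip "B"; income is only weakly reflected in the outcome.
HISTORICAL_DECISIONS = [
    (30, "A", False), (40, "A", True), (50, "A", True),
    (60, "A", True), (70, "A", True), (90, "A", True),
    (30, "B", False), (40, "B", False), (50, "B", False),
    (60, "B", False), (70, "B", False), (90, "B", True),
]


def candidate_models(rows, features=("income", "zip")):
    """Enumerate the 'variations' the learner will try: one decision stump
    per feature value.  An income stump approves at or above a threshold;
    a zip stump approves a single zip code.  Yields (name, predict_fn)."""
    if "income" in features:
        for t in sorted({r[0] for r in rows}):
            yield (f"income>={t}", lambda income, zip_code, t=t: income >= t)
    if "zip" in features:
        for z in sorted({r[1] for r in rows}):
            yield (f"zip=={z}", lambda income, zip_code, z=z: zip_code == z)


def agreement_with_history(predict, rows):
    """The evaluation function: fraction of historical decisions the model
    reproduces.  Optimising this rewards copying the officers, bias included."""
    hits = sum(predict(income, zip_code) == label for income, zip_code, label in rows)
    return hits / len(rows)


def learn(rows, features=("income", "zip"), evaluate=agreement_with_history):
    """Try every variation, score it, keep the best: the loop the essay
    describes.  Returns (model_name, predict_fn, score)."""
    best = None
    for name, predict in candidate_models(rows, features):
        score = evaluate(predict, rows)
        if best is None or score > best[2]:
            best = (name, predict, score)
    return best


def approval_rate_by_zip(predict, applicants):
    """Disparity check a reviewer would run: approval rate per zip code on
    applicants whose legitimate feature (income) is identical."""
    approved, seen = Counter(), Counter()
    for income, zip_code in applicants:
        seen[zip_code] += 1
        approved[zip_code] += int(predict(income, zip_code))
    return {z: approved[z] / seen[z] for z in seen}


# Constructed audit set: same income, different zip.
AUDIT_APPLICANTS = [(60, "A"), (60, "B"), (60, "A"), (60, "B")]


def demo():
    """Select a model on the historical data and audit it by zip code."""
    name, predict, score = learn(HISTORICAL_DECISIONS)
    return name, score, approval_rate_by_zip(predict, AUDIT_APPLICANTS)


if __name__ == "__main__":
    name, score, rates = demo()
    print(f"selected model: {name} (agreement with history {score:.2f})")
    print("approval rate by zip for identical-income applicants:", rates)
    fair_name, fair_predict, _ = learn(HISTORICAL_DECISIONS, features=("income",))
    print(f"income-only model: {fair_name}",
          approval_rate_by_zip(fair_predict, AUDIT_APPLICANTS))
```

Run as a script, the full-feature learner picks the zip-code rule because it reproduces 10 of the 12 historical decisions, and the audit shows a 100% versus 0% approval gap between the two zip codes for applicants with the same income. Restricting the learner to the relevant feature (income only) selects a threshold rule that treats both zip codes identically, which is the essay's point that data must be relevant and diverse in the right ways, not merely plentiful.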

Future research advances in machine learning are focused on two areas. The first is in enhancing how these systems distinguish between variations of an algorithm. As different versions of an algorithm are run over the training data, there needs to be some way of deciding which version is "better." These evaluation functions need to balance the recognition of an improvement with not over-fitting to the particular training data. Getting functions that can automatically and accurately distinguish between two algorithms based on minor differences in the outputs is an art form that no amount of data can improve.

The second is in the machine learning algorithms themselves. While much of machine learning depends on trying different variations of an algorithm on large amounts of data to see which is most successful, the initial formulation of the algorithm is still vitally important. The way the algorithms interact, the types of variations attempted, and the mechanisms used to test and redirect the algorithms are all areas of active research. (An overview of some of this work can be found here; even trying to limit the research to 20 papers oversimplifies the work being done in the field.) None of these problems can be solved by throwing more data at the problem.

The British AI company DeepMind's success in teaching a computer to play the Chinese board game go is illustrative. Its AlphaGo computer program became a grandmaster in two steps. First, it was fed some enormous number of human-played games. Then, the game played itself an enormous number of times, improving its own play along the way. In 2016, AlphaGo beat the grandmaster Lee Sedol four games to one.

While the training data in this case, the human-played games, was valuable, even more important was the machine learning algorithm used and the function that evaluated the relative merits of different game positions. Just one year later, DeepMind was back with a follow-on system: AlphaZero. This go-playing computer dispensed entirely with the human-played games and just learned by playing against itself over and over again. It plays like an alien. (It also became a grandmaster in chess and shogi.)

These are abstract games, so it makes sense that a more abstract training process works well. But even something as visceral as facial recognition needs more than just a huge database of identified faces in order to work successfully. It needs the ability to separate a face from the background in a two-dimensional photo or video and to recognize the same face in spite of changes in angle, lighting, or shadows. Just adding more data may help, but not nearly as much as added research into what to do with the data once we have it.

Meanwhile, foreign-policy and defense experts are talking about AI as if it were the next nuclear arms race, with the country that figures it out best or first becoming the dominant superpower for the next century. But that didn't happen with nuclear weapons, despite research only being conducted by governments and in secret. It certainly won't happen with AI, no matter how much data different nations or companies scoop up.

It is true that China is investing a lot of money into artificial intelligence research: The Chinese government believes this will allow it to leapfrog other countries (and companies in those countries) and become a major force in this new and transformative area of computing -- and it may be right. On the other hand, much of this seems to be a wasteful boondoggle. Slapping "AI" on pretty much anything is how to get funding. The Chinese Ministry of Education, for instance, promises to produce "50 world-class AI textbooks," with no explanation of what that means.

In the democratic world, the government is neither the leading researcher nor the leading consumer of AI technologies. AI research is much more decentralized and academic, and it is conducted primarily in the public eye. Research teams keep their training data and models proprietary but freely publish their machine learning algorithms. If you wanted to work on machine learning right now, you could download Microsoft's Cognitive Toolkit, Google's TensorFlow, or Facebook's PyTorch. These aren't toy systems; these are the state-of-the-art machine learning platforms.

AI is not analogous to the big science projects of the previous century that brought us the atom bomb and the moon landing. AI is a science that can be conducted by many different groups with a variety of different resources, making it closer to computer design than the space race or nuclear competition. It doesn't take a massive government-funded lab for AI research, nor the secrecy of the Manhattan Project. The research conducted in the open science literature will trump research done in secret because of the benefits of collaboration and the free exchange of ideas.

While the United States should certainly increase funding for AI research, it should continue to treat it as an open scientific endeavor. Surveillance is not justified by the needs of machine learning, and real progress in AI doesn't need it.

This essay was written with Jim Waldo, and previously appeared in Foreign Policy.

Human error still the cause of many data breaches

With the incidence of reported data breaches on the rise, more than half of all C-suite executives (C-Suites) (53%) and nearly three in 10 Small Business Owners (SBOs) (28%) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach, according to a Shred-it survey conducted by Ipsos. When assessing additional causes of data breaches, the report found that nearly half of all C-Suites … More

The post Human error still the cause of many data breaches appeared first on Help Net Security.

Computers and Video Surveillance

It used to be that surveillance cameras were passive. Maybe they just recorded, and no one looked at the video unless they needed to. Maybe a bored guard watched a dozen different screens, scanning for something interesting. In either case, the video was only stored for a few days because storage was expensive.

Increasingly, none of that is true. Recent developments in video analytics -- fueled by artificial intelligence techniques like machine learning -- enable computers to watch and understand surveillance videos with human-like discernment. Identification technologies make it easier to automatically figure out who is in the videos. And finally, the cameras themselves have become cheaper, more ubiquitous, and much better; cameras mounted on drones can effectively watch an entire city. Computers can watch all the video without human issues like distraction, fatigue, training, or needing to be paid. The result is a level of surveillance that was impossible just a few years ago.

An ACLU report published Thursday called "the Dawn of Robot Surveillance" says AI-aided video surveillance "won't just record us, but will also make judgments about us based on their understanding of our actions, emotions, skin color, clothing, voice, and more. These automated 'video analytics' technologies threaten to fundamentally change the nature of surveillance."

Let's take the technologies one at a time. First: video analytics. Computers are getting better at recognizing what's going on in a video. Detecting when a person or vehicle enters a forbidden area is easy. Modern systems can alarm when someone is walking in the wrong direction -- going in through an exit-only corridor, for example. They can count people or cars. They can detect when luggage is left unattended, or when previously unattended luggage is picked up and removed. They can detect when someone is loitering in an area, is lying down, or is running. Increasingly, they can detect particular actions by people. Amazon's cashier-less stores rely on video analytics to figure out when someone picks an item off a shelf and doesn't put it back.

More than identifying actions, video analytics allow computers to understand what's going on in a video: They can flag people based on their clothing or behavior, identify people's emotions through body language and behavior, and find people who are acting "unusual" based on everyone else around them. Those same Amazon in-store cameras can analyze customer sentiment. Other systems can describe what's happening in a video scene.

Computers can also identify people. AIs are getting better at identifying people in those videos. Facial recognition technology is improving all the time, made easier by the enormous stockpile of tagged photographs we give to Facebook and other social media sites, and the photos governments collect in the process of issuing ID cards and drivers licenses. The technology already exists to automatically identify everyone a camera "sees" in real time. Even without video identification, we can be identified by the unique information continuously broadcasted by the smartphones we carry with us everywhere, or by our laptops or Bluetooth-connected devices. Police have been tracking phones for years, and this practice can now be combined with video analytics.

Once a monitoring system identifies people, their data can be combined with other data, either collected or purchased: from cell phone records, GPS surveillance history, purchasing data, and so on. Social media companies like Facebook have spent years learning about our personalities and beliefs by what we post, comment on, and "like." This is "data inference," and when combined with video it offers a powerful window into people's behaviors and motivations.

Camera resolution is also improving. Gigapixel cameras are so good that they can capture individual faces and identify license plates in photos taken miles away. "Wide-area surveillance" cameras can be mounted on airplanes and drones, and can operate continuously. On the ground, cameras can be hidden in street lights and other regular objects. In space, satellite cameras have also dramatically improved.

Data storage has become incredibly cheap, and cloud storage makes it all so easy. Video data can easily be saved for years, allowing computers to conduct all of this surveillance backwards in time.

In democratic countries, such surveillance is marketed as crime prevention -- or counterterrorism. In countries like China, it is blatantly used to suppress political activity and for social control. In all instances, it's being implemented without a lot of public debate by law-enforcement agencies and by corporations in public spaces they control.

This is bad, because ubiquitous surveillance will drastically change our relationship to society. We've never lived in this sort of world, even those of us who have lived through previous totalitarian regimes. The effects will be felt in many different areas. False positives -- when the surveillance system gets it wrong -- will lead to harassment and worse. Discrimination will become automated. Those who fall outside norms will be marginalized. And most importantly, the inability to live anonymously will have an enormous chilling effect on speech and behavior, which in turn will hobble society's ability to experiment and change. A recent ACLU report discusses these harms in more depth. While it's possible that some of this surveillance is worth the trade-offs, we as a society need to deliberately and intelligently make decisions about it.

Some jurisdictions are starting to notice. Last month, San Francisco became the first city to ban facial recognition technology by police and other government agencies. A similar ban is being considered in Somerville, MA, and Oakland, CA. These are exceptions, and limited to the more liberal areas of the country.

We often believe that technological change is inevitable, and that there's nothing we can do to stop it -- or even to steer it. That's simply not true. We're led to believe this because we don't often see it, understand it, or have a say in how or when it is deployed. The problem is that technologies of cameras, resolution, machine learning, and artificial intelligence are complex and specialized.

Laws like the one just passed in San Francisco won't stop the development of these technologies, but they're not intended to. They're intended as pauses, so our policy making can catch up with technology. As a general rule, the US government tends to ignore technologies as they're being developed and deployed, so as not to stifle innovation. But as the rate of technological change increases, so do the unanticipated effects on our lives. Just as we've been surprised by the threats to democracy caused by surveillance capitalism, AI-enabled video surveillance will have similar surprising effects. Maybe a pause in our headlong deployment of these technologies will allow us the time to discuss what kind of society we want to live in, and then enact rules to bring that kind of society about.

This essay previously appeared on Vice Motherboard.

Cyber News Rundown: Radiohead Hit by Ransomware Hack


Radiohead Refuses Ransom, Releases Stolen Tracks

The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were held for a $150,000 ransom. Rather than pay the ludicrous fee, the band instead opted to release the tracks through Bandcamp in exchange for a donation to charity. The unreleased sessions were stored on archived MiniDiscs the band created during the years surrounding their third album, "OK Computer."

US Border Protection Breached by Contractor

A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.

Billions of Spam Emails Sent Every Day

The latest industry report on spam emails revealed that around 3.4 billion fake/spam emails are distributed across the globe each day. More worrisome is that the majority of these emails originate in the US and regularly target US-based industries. While many industries have improved security measures, larger enterprises have struggled to implement strong protection for their entire staff.

Ransomware Hits Washington Food Bank

The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of their computers, which was isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including their email server, and begin rebuilding from scratch. The ransomware variant has been claimed to be GlobeImposter 2.0, which requires the victim to contact the attacker to determine the ransom demanded.

Retro Game Site Breached

Account information for over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming-related, was leaked. The breach, which took place in April of 2018, affected 1.1 million IP and email addresses, many of which had already appeared in previous data breaches. It is still unclear how the breach actually took place, though given the use of salted MD5 hashes for storing user credentials it’s clear EmuParadise could have done more to properly secure their users’ information.
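The point about salted MD5 deserves a concrete illustration. Below is an added example (not code from the Webroot post or from EmuParadise) contrasting the weak scheme with a memory-hard key derivation function from Python's standard library. The salt stops precomputed tables, but one MD5 call is so cheap that anyone who obtains the table can still test an enormous number of guesses per second; a slow KDF such as scrypt (Argon2 or bcrypt would serve equally well) makes each guess expensive for the attacker as well. The scrypt parameters and the timing window are constructed for the example and would be tuned for a real deployment.

```python
"""Salted MD5 versus a purpose-built password hash (added example, constructed)."""
import hashlib
import hmac
import os
import time

# --- the weak scheme: salt prepended to the password, one MD5 round ---
def md5_salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.md5(salt + password.encode("utf-8")).digest()

def md5_salted_verify(password: str, salt: bytes, stored: bytes) -> bool:
    # compare_digest avoids leaking where the digests differ through timing
    return hmac.compare_digest(md5_salted_hash(password, salt), stored)

# --- the stronger scheme: scrypt, a memory-hard KDF available in hashlib ---
# Constructed parameters: n=2**14, r=8 needs about 16 MB of RAM per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def scrypt_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def scrypt_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(scrypt_hash(password, salt), stored)

def make_record(password: str) -> dict:
    """Store a fresh random salt per user together with both digests."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "md5": md5_salted_hash(password, salt),
        "scrypt": scrypt_hash(password, salt),
    }

def guesses_per_second(hash_fn, salt: bytes, seconds: float = 0.2) -> float:
    """How many candidate passwords one CPU core can evaluate per second."""
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"candidate{count}", salt)
        count += 1
    return count / seconds

def slowdown_factor(salt: bytes) -> float:
    """How many times more work an attacker must do per guess against scrypt."""
    return guesses_per_second(md5_salted_hash, salt) / guesses_per_second(scrypt_hash, salt)

if __name__ == "__main__":
    record = make_record("hunter2")            # constructed sample password
    print("md5 verify:   ", md5_salted_verify("hunter2", record["salt"], record["md5"]))
    print("scrypt verify:", scrypt_verify("hunter2", record["salt"], record["scrypt"]))
    print(f"scrypt costs the attacker ~{slowdown_factor(record['salt']):.0f}x more per guess")
```

The slowdown figure printed by the script is what matters: with the same salt, the only thing scrypt changes is the cost of each guess, which is the cost the defender actually controls once the table has been stolen.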

The post Cyber News Rundown: Radiohead Hit by Ransomware Hack appeared first on Webroot Blog.

The Best Encrypted Email Services You Need to Use in 2019

You may be concerned that everything you do online is being watched by the government, powerful corporations, or malicious hackers.

One way to defend yourself against unwanted eyes is encryption.

In the past, we’ve shared with you what encrypted messaging apps you should use for secure communication and also walked you through the most popular free encryption software tools.

We can all agree on the fact that a huge part of our internet activity revolves around email.  

Thus, in this article, I’m going to offer you some alternatives to popular email services such as Gmail or Yahoo. Those services can also be secured to a certain degree, but mainstream providers are notorious for mishandling their users’ data or scanning inboxes for keywords to display personalized ads.

I’m sure you want everything you share via email to stay private and be accessed only by the people you choose, and the way to do this is through encrypted email.

Although there are multiple ways to secure your email using encryption software, they are often difficult for non-expert users to set up. Maybe at a later time, I’ll also dig into this subject if you are interested, but for now, I’m going to look at some encrypted email service options that are easy to use.

So, below I’ve put together a list of user-friendly web-based encrypted email services that will help you increase your level of online anonymity.  

You’ll notice that (almost) all of the options come from European countries. There, the GDPR imposes strict rules on data privacy and, among many other requirements, makes privacy by design a legal obligation.

Disclaimer: While none of these providers will share your data with other companies or advertisers, some may hand it over to government entities under legal demands.

1. ProtonMail

ProtonMail is an encrypted email service based in Switzerland and created by scientists, engineers, and developers from CERN, with the intention of increasing your online security and privacy. They pride themselves on data centers “located under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack”.

Features:

  • Free option with 500MB storage and 150 emails per day
  • Paid options starting from $ 4.00 / Month for personal use
  • Business plans for $6.25 / Month / User
  • Two-step verification
  • Use your own domain
  • Mobile apps available (iOS and Android)
  • Report phishing option
  • Self-destructing messages – you can set an expiration time on your emails so they get automatically deleted from the recipient’s inbox after a certain time
  • Based on open source code
  • They use AES, RSA, and OpenPGP encryption

2. Tutanota

Tutanota is an encrypted email provider from Germany. They position themselves as a secure alternative to Gmail. According to their website, they are also planning to include a calendar, notes, and cloud storage in their offering – and of course, all of these features will be encrypted too.  

Features:

  • Free for 1 user with 1GB of storage
  • Other paid options starting from €12 for personal use  
  • Business plans available
  • Free for non-profit organizations
  • Use your own domain
  • Two-factor authentication
  • Based on open-source code
  • Their data centers run on 100% renewable energy

Additional details:

If you want to send an email to someone who’s using a different email service (for instance, Gmail), you will be asked to enter a password that you will have to share with the recipient through another channel.

The recipient will then open a link and use that password to unlock and read your message. The URL remains active until you send them another confidential email.

This is what an email sent from a Tutanota account to someone who is using a different email service looks like.  

3. Hushmail

Hushmail is a secure email service based in Canada that encrypts your email communication. Simplicity is at the core of their business, both to keep their customers secure and to help them better understand potential threats. Hushmail labels the log-in field “passphrase” rather than the usual “password”, encouraging people to use longer, more complex secrets: phrases rather than single words.

Features:

  • 14-Day free trial (no credit card required), then $49.98 per year with 10GB of email storage
  • Business plans available
  • iOS app
  • Two-factor authentication
  • Use your own domain
  • Accounts are locked after too many failed log-in attempts
  • Ability to set up Hushmail within an email program (Mac Mail, Microsoft Outlook, Android phone, Thunderbird)
  • Inbox antivirus and spam filtering
  • TLS/SSL, OpenPGP encryption

Additional details:

Similar to Tutanota, if your recipient is not using Hushmail, you check the Encrypted checkbox, and the recipient reads the email on a secure web page.
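The Tutanota and Hushmail descriptions above share one mechanism: a sender-chosen password, a link the outside recipient opens, a link that is retired when the next confidential email is sent, and (in Hushmail's case) a lockout after too many wrong attempts. The following is an added example modelling that server-side flow; it is not code from either provider. The cipher it uses is a standard-library stand-in (HMAC-SHA256 in counter mode as a keystream, with a separate HMAC tag in encrypt-then-MAC order); a real service would use AES-GCM or another vetted authenticated cipher. The URL, the lockout threshold and the scrypt parameters are constructed values.

```python
"""Password-protected links for recipients outside the service (added example, constructed)."""
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 5                       # constructed lockout threshold
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # constructed KDF parameters

class LinkExpired(Exception): pass
class LinkLocked(Exception): pass
class WrongPassword(Exception): pass

def _derive_keys(password: str, salt: bytes):
    """Stretch the shared password with scrypt; split into encryption and MAC keys."""
    km = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def _decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise WrongPassword          # a wrong password gives wrong keys, hence a bad tag
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class ConfidentialMailService:
    """Server side of the 'open this link and enter the password' flow."""

    def __init__(self):
        self._links = {}    # token -> {"salt", "blob", "failures"}
        self._active = {}   # recipient address -> the one currently valid token

    def send_confidential(self, recipient: str, password: str, body: str) -> str:
        salt = os.urandom(16)
        enc_key, mac_key = _derive_keys(password, salt)
        token = secrets.token_urlsafe(32)
        # A new confidential email retires the recipient's previous link.
        old = self._active.get(recipient)
        if old is not None:
            self._links.pop(old, None)
        self._links[token] = {"salt": salt,
                              "blob": _encrypt(enc_key, mac_key, body.encode("utf-8")),
                              "failures": 0}
        self._active[recipient] = token
        return f"https://mail.example/confidential/{token}"   # constructed URL

    def open_link(self, url: str, password: str) -> str:
        token = url.rsplit("/", 1)[-1]
        rec = self._links.get(token)
        if rec is None:
            raise LinkExpired
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            raise LinkLocked          # checked before any work is done for the caller
        enc_key, mac_key = _derive_keys(password, rec["salt"])
        try:
            plaintext = _decrypt(enc_key, mac_key, rec["blob"])
        except WrongPassword:
            rec["failures"] += 1
            raise
        rec["failures"] = 0
        return plaintext.decode("utf-8")

if __name__ == "__main__":
    svc = ConfidentialMailService()
    link = svc.send_confidential("bob@example.org", "correct horse", "meeting moved to 3pm")
    print(svc.open_link(link, "correct horse"))
```

Two details are easy to get wrong in a real implementation and are shown deliberately here: the lockout check happens before the expensive key derivation, so a locked link costs the server nothing, and the failure counter is reset only on a successful decryption, not on a fresh visit to the link.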

4. Countermail

Countermail is a web-based encrypted email provider, with their data centers located in Sweden. Although their website looks quite outdated, their email security is able to handle today’s privacy threats.  

Features:

  • 7-day free trial. After the trial ends, multiple plans are available starting at $4.83 per month with 4000MB of storage; extra storage can be added for a fee.
  • Android compatible
  • Message filter / Auto reply
  • Supports IMAP
  • Diskless web servers: the servers have no hard drives and boot from a CD-ROM, and they do not log IP addresses
  • USB-key option: a keyfile used in combination with your password, which provides better protection against keyloggers and brute-force attacks
  • OpenPGP data encryption, SSL-MITM protection

5. Runbox

Headquartered in Norway, Runbox is a company that provides secure email services worldwide, offering encrypted communication and strong authentication.

Features:

  • Free 30-Day Trial
  • Paid plans for personal use, starting with EUR 14.95 per year, with 1 GB for email and 100 MB for files
  • Business plans starting with EUR 69.95 per year, with 25 GB for email, 2 GB for files, and 25 email domains
  • Accepted payment methods: Credit/debit cards, Bitcoin, PayPal, Money Orders, SWIFT/SEPA payments, and cash.
  • 60-day full money back guarantee
  • Use your own domain
  • Calendar
  • Ad-free Webmail, spam and virus filtering, email consolidation, and filtering
  • Access from any client via POP, IMAP, SMTP, and others
  • End-to-end encryption
  • Their servers run on 100% renewable energy

6. Kolab Now

Kolab Now offers email accounts for secure collaboration, with all the strongly protected data being stored in Switzerland. Just like any other secure encrypted email service, they will never monitor your data, sell it to third parties, or display ads.  


Image source: alternativeto.net

Features:  

  • 30-Day Free Trial, then prices start at $4.44 per month for an Individual account
  • Group accounts (1 to 100 users) from $5.42 per month
  • Calendar, address book, files, and more
  • Two-factor authentication (enabling it disables access to your account over any other channel, such as ActiveSync, *DAV, and IMAP)
  • Mobile synchronization (enabled for mobile devices using ActiveSync)
  • Automatic replies

7. Mailfence

Mailfence was founded in Belgium on the principle that privacy is a right and not a feature. They focus on transparency and maintain an updated transparency report, also keeping their code open to audits.  

Image source: alternativeto.net

Features:

  • Free version for 1 group with 500MB of email, 500MB of documents, a calendar with 1,000 events, and support via email
  • Paid versions starting from EUR 2.50 per month with 5GB of email, 12GB of documents, a calendar with 10,000 events, and support via email and phone
  • Business plans available, tailored to your company’s needs
  • POPS, IMAPS, and SMTPS (TLS-protected POP, IMAP, and SMTP), iOS, Android, Exchange
  • Custom email domain
  • Contacts, Calendar, Documents, and Groups
  • Accepted payment methods: credit card, PayPal, Bitcoin, Litecoin
  • Two-factor authentication
  • End-to-end encryption

8. Posteo

Posteo is an independent email service based in Germany focused on sustainability, security, privacy, and usability. The service is fully ad-free and they protect their users’ privacy through an innovative encryption and security model.

Image source: posteo.de

Features:  

  • Pricing starting at 1 EUR per month with 2GB of storage and two aliases included. Storage can be increased up to a maximum of 20 GB; each additional GB costs 0.25 EUR/month
  • Migration service from other email accounts available (folder structure included)
  • Automatic replies
  • Anonymous signup – you don’t have to provide your name or address during registration
  • Anonymous payment – they don’t link payments with email accounts
  • Calendar  
  • 100% open-source code
  • Spam and virus filter
  • Emails sent don’t contain your IP address
  • Free support
  • Two-factor authentication
  • Accepted payments: PayPal, bank transfer, credit card or cash
  • TLS-encrypted access: TLS with PFS for IMAP, POP3, webmail, CardDAV, and CalDAV
  • TLS-encrypted transmission: protects emails and metadata in transit, as long as the other email server also supports TLS with PFS
  • TLS-sending guarantee: stops your emails from being sent to systems that do not support TLS
  • AES-encrypted hard disks
  • Runs on 100% renewable energy

9. StartMail

StartMail is based in The Netherlands and was built by the creators of StartPage, a private search engine. It is a great platform for secure communications that can be accessed from a webmail interface as well as over IMAP, which makes it compatible with existing email clients.

Features:

  • Free 7-Day trial (no credit card required)
  • Accounts for personal use at $59.95 per year: 10 GB storage, 10 custom aliases, unlimited disposable aliases, IMAP support
  • Business accounts at $59.95 per mailbox per year: 10 GB storage, custom and disposable aliases, IMAP support
  • Disposable email addresses – create temporary email addresses when you don’t want to share the real ones
  • IMAP/SMTP compatible
  • It’s based on a mix of open-source and closed-source components
  • PGP encryption, TLS 1.1 and 1.2 with PFS, and extra-secure vaults

10. Mailbox

Mailbox is a secure email provider based in Germany, which was founded with the purpose of becoming an alternative to other webmail services that depend on their customer data to obtain revenue from advertising. All created accounts include other features besides an email inbox, such as a cloud office suite to edit documents, a calendar, etc.

Features:  

  • Free 30-Day Trial, with 10 emails per day, storage space of 100MB for emails, 10MB file storage, 1 email address alias
  • Paid option for personal use starting with 1 EUR per month, with 2GB email storage, 3 email aliases
  • Business email plan starting with 25 EUR per month, with central management console, email and groupware, cloud storage, online word processing, and more
  • Calendar, Contacts, Task Planner
  • Online Office
  • Cloud Storage
  • Offline mode  
  • Advanced users can use a dedicated Tor exit node and onion (hidden) services hosted at their data center
  • Their servers run on 100% green energy

How you can increase your online security and privacy even more

Hopefully, I’ve helped you choose an encrypted email service alternative to the risky email provider you are currently using. Yet, obviously, email anonymity does not equal online security.  

Even though some of the email services listed above also include spam filtering, virus scanning, or report phishing options, malicious attackers can always find ways to send you malware-infected links via email.  

This is why you should also be using a proactive, threat prevention solution for your PC, which lets you click any link with confidence and allows you to be sure that you won’t get touched by malware.  

And it scans and blocks the URLs you click both in your inbox and anywhere else on the web.   

Here’s some great news for companies  

We’re working hard on a brand new email module specifically designed to prevent business email compromise (BEC) attacks. We will keep you posted on the progress, so stay tuned!

Are you using any secure email service? Do you have any suggestions that we could add to the list? Let us know in the comments section below!


The post The Best Encrypted Email Services You Need to Use in 2019 appeared first on Heimdal Security Blog.

Video Surveillance by Computer

The ACLU's Jay Stanley has just published a fantastic report: "The Dawn of Robot Surveillance" (blog post here) Basically, it lays out a future of ubiquitous video cameras watched by increasingly sophisticated video analytics software, and discusses the potential harms to society.

I'm not going to excerpt a piece, because you really need to read the whole thing.

GDPR implementation lessons can help with CCPA compliance

The ever increasing number of data breaches has made consumers more aware of how their data is being used and has emphasized the importance of keeping personal data private, says Sovan Bin, CEO and founder of cloud data management firm Odaseva. “In terms of the general public, the California Consumer Privacy Act (CCPA) is a wake-up call for consumers to know and understand their data privacy rights. They should feel free to exercise these rights … More

The post GDPR implementation lessons can help with CCPA compliance appeared first on Help Net Security.

Smashing Security #132: CBP cyber attack, an iPhone privacy boost, and Twitter list abuse

United States Customs and Border Protection had sensitive data stolen, but the hackers didn’t have to breach its network. Apple has ambitious plans to make iPhone users safer online. And trolls are using Twitter lists to target their victims.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Will self-driving cars represent a new mode for surveillance?

Picture the future, where driving is a thing of the past. You can hop in your car or one from a ride-share, buckle up and tell the car where you want to go. During your ride, you can check your email and look up a few things online through your dashboard. Meanwhile, your whereabouts and other details are being tracked remotely by companies. As self-driving cars develop further, autonomous vehicles will play a much larger … More

The post Will self-driving cars represent a new mode for surveillance? appeared first on Help Net Security.

Customs and Border Protection (CBP) confirms hack of a subcontractor

Customs and Border Protection (CBP) revealed that photos of travelers and license plates collected at a single U.S. border point have been stolen by hackers.

Customs and Border Protection (CBP) revealed that photos of travelers and license plates collected at a single U.S. border point have been stolen as a result of a cyber attack.

The Customs and Border Protection agency did not reveal the name of the company involved in the incident. According to media outlets, hackers broke into the computer network of an unnamed subcontractor, and many experts believe the incident could be linked to the hack of Perceptics.

At the end of May, Perceptics, a leader in license plate readers (LPRs), license plate recognition systems, and vehicle identification products, announced that it had suffered a security breach. The attackers stole data and offered business plans, financial documents, and personal information for free on the dark web.


LPRs manufactured by Perceptics are installed at all land border crossing lanes for privately owned vehicle traffic (POV) in the United States, Canada, and for the most critical lanes in Mexico.

A hacker that goes online with the moniker ‘Boris Bullet-Dodger’ reported the hack to The Register and shared with the journalists a list of files as proof of the attack.

A Customs spokesman revealed that fewer than 100,000 people have been impacted: hackers accessed photos of travelers in vehicles entering and exiting the United States at a single land-border port of entry over a period of one and a half months.

CBP said that the stolen data is not available online or on the dark web.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” reads a statement published by the CBP.

In any case, the subcontractor was not authorized to transfer copies of the images to its own infrastructure without CBP’s authorization.

Customs and Border Protection learned of the security breach on May 31, 2019, and pointed out that hackers did not compromise its own network.

The chairman of the House Homeland Security Committee, Rep. Bennie Thompson of Mississippi, noted with alarm that this is the “second major privacy breach at DHS this year,” the AP reported.

“We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” he said in a statement.

Pierluigi Paganini

(SecurityAffairs – CBP, hacking)

The post Customs and Border Protection (CBP) confirms hack of a subcontractor appeared first on Security Affairs.

Maine Passes Internet Privacy Bill

Maine has passed a bill prohibiting ISPs from using and selling the data of internet users within the state.

The Act to Protect the Privacy of Online Consumer Information is closely modeled on an Obama-era FCC rule that prohibited internet service providers from collecting information on their customers. That rule was revoked in 2017.

According to the bill, the Maine legislation “prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access…. The bill prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access.”

Additional requirements include “reasonable measures” to protect user data from outside access, although there is not much in the way of specifics regarding these measures.

Although the bill passed with broad bipartisan support, tech companies and ISPs strongly opposed the measure.

“Maine should avoid being the first to attempt to regulate an interstate service,” wrote Christina Fisher, a representative for a coalition of 84 technology companies opposing the law.

State Attorney General Aaron Frey disagreed.

“The state has a significant interest in protecting Maine consumers from practices that may compromise their personal data, or which place their financial well-being at risk,” Frey said in a statement in support of the law.

Read more about the law here.

The post Maine Passes Internet Privacy Bill appeared first on Adam Levin.

US border agency contractor breached, license plate and travelers’ photos stolen

US Customs and Border Protection (CBP) announced that a hacker may have stolen sensitive data collected by the agency from a subcontractor’s network. “On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack,” the CBP stated and … More

The post US border agency contractor breached, license plate and travelers’ photos stolen appeared first on Help Net Security.

Analytics and automation solutions to help contact center IT staff ensure compliance

91% of contact center IT staff believe increasing contact center compliance software investment should be considered a priority in the next year. 83% of contact center professionals also said their organization’s efforts towards customer privacy and private data safety need to be improved, according to NICE. NICE’s survey, which focused on identifying the challenges of IT and compliance professionals, brought to light that 97% of those surveyed have at least one concern when it … More

The post Analytics and automation solutions to help contact center IT staff ensure compliance appeared first on Help Net Security.

Podcast Two Year Anniversary – The Top 10 Episodes

Two years ago on June 9th, 2017 I released the first episode of Security In Five. Here we are two years later, 500+ episodes recorded and no signs of slowing down. The podcast’s longevity and the energy to keep up the daily episode schedule is all because of the listeners and feedback I have received. […]

The post Podcast Two Year Anniversary – The Top 10 Episodes appeared first on Security In Five.

Study: Fortnite Game Becoming the Preferred Social Network for Kids

According to a study recently released by National Research Group (NRG), the wildly popular video game Fortnite is growing beyond its intended gaming platform into a favored social network where kids go daily to chat, message, and connect.

The study represents the most in-depth study on Fortnite to date and contains essential takeaways for parents trying to keep up with their kids’ social networking habits. According to the NRG study, “Fortnite is the number one service teens are using, and audiences cite its social elements as the primary motivators for playing.”

The popular game now claims more than 250 million users around the world, and for its audience of teens (ages 10-17) who play at least once a week, Fortnite consumes about 25% of their free time, cites NRG, adding that “Fortnite presents a more hopeful meta-verse where community, inclusivity, creativity and authentic relationships can thrive.”

Summer gaming 

With school break now upon us, the NRG study is especially useful since screen time tends to jump during the summer months. Here are some of the risks Fortnite (and gaming in general) presents and some tips on how to increase privacy and safety for young users who love this community.

Fortnite safety tips 

Activate parental controls. Kids play Fortnite on Xbox One, PlayStation 4, Nintendo Switch, and iOS. Parents can restrict and monitor playing time by going into the Settings tab of each device, its related URL, or app. Another monitoring option for PC, tablets, and mobile devices is monitoring software.

Listen, watch, learn. Sit with your kids and listen to and watch some Fortnite sessions. Who are they playing with? What’s the tone of the conversation? Be vocal about anything that concerns you and coach your child on how to handle conflict, strangers online (look at their friend list), and bullying.

Monitor voice chat. Voice chat is an integral part of Fortnite if you are playing in squads or teams. Without the chat function, players can’t communicate in real-time with other team members. Voice chat is also a significant social element of the game because it allows players to connect and build community with friends anywhere. Therein lies the risk — voice chat also allows kids to play the game with strangers so the risk of inappropriate conversation, cyberbullying, and grooming are all reported realities of Fortnite. Voice chat can be turned off in Settings and should be considered for younger tween users.

Scams, passwords, and tech addiction. When kids are having a blast playing video games, danger is far from their minds. Talk about the downside so they can continue to play their favorite game in a safe, healthy way. Discuss the scams targeting Fortnite users, the importance of keeping user names and passwords private (and strong), and the reasoning behind gaming screen limits.

Social networks have become inherent to kids’ daily life and an important way to form meaningful peer bonds. With new networks emerging every day such as Fortnite, it’s more important than ever to keep the conversation going with your kids about the genuine risks these fun digital hangouts bring.

The post Study: Fortnite Game Becoming the Preferred Social Network for Kids appeared first on McAfee Blogs.

Security Affairs 2019-06-08 07:37:33

German intelligence agencies could hack servers, smartphones and any other devices under a draft law drawn up by the German Interior Ministry.

The German Interior Ministry’s draft law would allow the German domestic and foreign intelligence services to hack into computers and smartphones.

According to the draft law, the country’s intelligence agencies would be allowed, under specific circumstances, to intercept encrypted traffic to and from publishing companies, radio and television broadcasters, and freelance journalists. Of course, privacy advocates and human rights associations fear the government could carry out a massive surveillance campaign.

“The intelligence services would also be empowered to intercept the encrypted communications of publishing companies, radio and television broadcasters and freelance journalists in certain cases, or to covertly search the digital data on their devices, meaning that they could also identify journalistic sources in the process.” reads a post published by the association Reporters Without Borders (RSF Germany).

Image caption: The entrance to the headquarters of the Bundesnachrichtendienst (BND) in Pullach near Munich, photographed on Wednesday (10.05.06). Contrary to the original plans, the BND headquarters in Pullach will not be closed after all. The technical intelligence center remains in Pullach with around 1,500 employees; the rest of the 6,000-strong workforce is moving to Berlin. Photo: Johannes Simon/ddp

The law could also allow the authorities to identify journalistic sources, threatening the constitutionally guaranteed right to source protection.

The RSF Germany also issued a statement to explain how the law would hinder the journalistic activities in the country.

“If source protection is abolished, media professionals and their sources would lose the foundation for trusting cooperation. Interior Minister Horst Seehofer must put a stop to his ministry’s plans immediately,” said Christian Mihr, Executive Director of RSF Germany.

The authorities would be allowed to use spyware to compromise target devices and conduct so-called “online searches” (“Online-Durchsuchung”) to access the target’s data.

The power assigned to the German intelligence agencies is very dangerous, for example, they would be able to monitor journalistic activities by wiretapping encrypted communications between journalists and their sources.  

The domestic intelligence service would also be allowed to spy on German media, and the most alarming scenario is that Germany’s foreign intelligence agency, the BND, would be authorized to hack into foreign media to conduct its investigations.

“Although the draft law foresees certain protective rights for journalists, in the case of foreign media in particular the obstacles the state authorities would face are comparatively trivial.” continues the post. “The BND would be empowered to hack foreign media to guarantee “Germany’s capacity to act”. So for example it would be allowed to hack into the servers of The Washington Post if this was deemed to serve Germany’s foreign policy interests.” 

German media outlets, broadcasters, and journalists are protesting against the Interior Ministry, and the Social Democratic Party has also announced its opposition to the plans.

Interior Minister Seehofer attempted to calm the journalists by explaining that the Government will continue to offer them ‘special’ protection.

According to RSF Germany, Germany currently ranks 13th out of 180 states on Reporters Without Borders’ Press Freedom Index; what will happen in the future?

Pierluigi Paganini

(SecurityAffairs – surveillance, German Intelligence)

The post appeared first on Security Affairs.

Cyber News Rundown: Medical Testing Service Data Breach

Reading Time: ~ 2 min.

Quest Diagnostics Customers Affected by Third-Party Breach

The medical testing organization Quest Diagnostics has fallen victim to a third-party data breach that could affect nearly 12 million of their patients. AMCA, a collections agency that works with Quest Diagnostics, noticed unauthorized access to their systems over an eight-month period from August of last year through March 2019. The majority of the data targeted was Social Security Numbers and other financial documents, rather than patients’ health records; the market offers a premium for such data.

Adware Installed by Millions of Android Users

Until recently, there were over 230 apps on the Google Play store that had been compromised by a malicious plugin that forced out-of-app advertisements on unsuspecting victims. Globally, over 440 million individuals have installed at least one of these compromised applications and have been affected by overly-aggressive advertisements. While this SDK has been used legitimately for nearly a year, sometime during 2018 the plugin began performing increasingly malicious behaviors, until other developers caught on and began updating their own applications to remove the plugin. 

Chinese Database Exposes Millions of Records

A database belonging to FMC Consulting, a headhunting firm based in China, was recently found by researchers to be publicly available. Among the records are resumes and personally identifiable information for millions of individuals, as well as company data with thousands of recorded messages and emails. Unfortunately for anyone whose information is contained in this database, in the two weeks since being notified FMC has yet to acknowledge the breach or take steps to secure it.

Restaurant Payment Systems Infected

Customers who have patronized either Checkers or Rally’s restaurants in recent months are being urged to monitor their credit cards after the chain announced that it discovered card-stealing malware on its internal systems. While not all restaurant locations were affected, the company is still working to determine the extent of the compromised payment card systems and has offered credit monitoring services to customers.

University of Chicago Medicine Server Found Online

Researchers have found a server belonging to University of Chicago Medicine with personal information belonging to more than 1.6 million current and past donors. The data includes names, addresses, and even marital and financial information for each donor. Fortunately, the researcher was quick to inform the university of the unsecured ElasticSearch server and it was taken down within 48 hours.

The post Cyber News Rundown: Medical Testing Service Data Breach appeared first on Webroot Blog.

Tor Project released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android

A new version of the popular Tor Browser was released by the Tor Project, it is Tor Browser 8.5.1 for Windows, Mac, Linux, and Android.

The Tor Project has released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android, the new version of the popular anonymizing browser.

This release includes a temporary fix for a known WebGL fingerprinting technique. Tor 8.5.1 can be downloaded for free from the Tor Browser download page and from the distribution directory.

Tor Browser 8.5.1

The development team disabled the WebGL readPixel() function, which could be abused to fingerprint a Tor Browser user.

“Tor Browser 8.5.1 is the first bugfix release in the 8.5 series and aims at mostly fixing regressions and providing small improvements related to our 8.5 release.” reads the announcement from the Tor Project. “Additionally, we disable the WebGL readPixel() fingerprinting vector, realizing, though, that we need a more holistic approach when trying to deal with the fingerprinting potential WebGL comes with.”

The developers described this fix as a temporary solution that will need a more holistic approach.

Below is the full changelog since Tor Browser 8.5:

  • All platforms
    • Update Torbutton to 2.1.10
      • Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
      • Bug 30464: Add WebGL to safer descriptions
      • Translations update
    • Update NoScript to 10.6.2
      • Bug 29969: Remove workaround for Mozilla’s bug 1532530
    • Update HTTPS Everywhere to 2019.5.13
    • Bug 30541: Disable WebGL readPixel() for web content
  • Windows + OS X + Linux
    • Bug 30560: Better match actual toolbar in onboarding toolbar graphic
    • Bug 30571: Correct more information URL for security settings
  • Android
    • Bug 30635: Sync mobile default bridges list with desktop one
  • Build System
    • All platforms
      • Bug 30480: Check that signed tag contains expected tag name

Pierluigi Paganini

(SecurityAffairs – Tor Browser 8.5.1, Tor Project)

The post Tor Project released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android appeared first on Security Affairs.

Smashing Security #131: Zap yourself from the net, and patch now against BlueKeep

Microsoft issues warning to unpatched Windows users about worm risk, and how do you delete all traces of yourself off the internet after you murder your podcast co-host?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Mozilla and Google Browsers Get Security, Anti-Tracking Boosts

Both Firefox and Chrome have received updates to better guard users against privacy and security threats, such as tracking by Facebook.

Apple debuts privacy-minded “Sign in with Apple” SSO

Among the many announcements shared during Apple’s annual developer conference, one stands out: the introduction of “Sign in with Apple”. Apple’s new single sign-on (SSO) authentication mechanism is similar to the ones provided by Facebook, Google, LinkedIn, Twitter, and others, in that it will allow users to sign in to apps and websites without creating a new account. But there are important differences, mainly focused on … More

The post Apple debuts privacy-minded “Sign in with Apple” SSO appeared first on Help Net Security.

Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online?

Take it down, please. 

The above is a typical text message parents send to kids when they discover their child has posted something questionable online. More and more, however, it’s kids who are sending this text to parents who habitually post about them online.

Tipping Point

Sadly — and often unknowingly — parents have become some of the biggest violators of their children’s privacy. And there’s a collective protest among kids that’s expressing itself in different ways. Headlines reflect kids reining in their parents’ posting habits and parents choosing to pull all photos of their kids offline. There’s also a younger generation of voices realizing the effect social media has had on youth, which could be signaling a tipping point in social sharing.

Ninety-two percent of American children have an online presence before the age of 2, and parents post nearly 1,000 images of their children online before their fifth birthday, according to Time. Likewise, in a 2017 UNICEF report, the children’s advocacy group called the practice of “sharenting” – parents sharing information online about their children – harmful to a child’s reputation and safety.

Digital Footprint

This sharenting culture has fast-tracked our children’s digital footprints, which often begin in the womb. Kids now have a digital birth date — the date of the first upload, usually a sonogram photo — in addition to their actual birth date. Sharing the details of life has become a daily routine, with many parents not thinking twice before sharing birthdays, awards, trips, and even more private moments such as bath time or potty training mishaps.

Too often, what a parent views as a harmless post, a child might see as humiliating, especially during the more sensitive teen years. Oversharing can impact a child’s emotional health as well as the parent-child relationship, according to a University of Michigan study.

Diminishing Privacy 

So how far is too far when it comes to the boundaries between public and private life? And, what are the emotional, safety, and privacy ramifications to a child when parents overshare? The sharenting culture has forced us all to consider these questions more closely.

Children’s diminishing privacy is on advocacy agendas worldwide. Recently, the UK Children’s Commissioner released a report called “Who Knows About Me?” that put a spotlight on how we collect and share children’s data and how this puts them at risk.

5 safe sharing tips for families

  1. Stop and think. Be intentional about protecting your child’s privacy. Before you upload a photo or write a post, ask yourself, “Do I really need to share this?” or “Could this content compromise my child’s privacy (or feelings) today or in the future?”
  2. Ask permission. Before publicly posting anything about your child, ask for his or her permission. This practice models respect and digital responsibility. If posting a group photo that includes other children, ask both the child’s consent and his or her parent’s.
  3. Keep family business private. Resist sharing too much about your family dynamic — good or bad — online. Sharing your parenting struggles or posting details about what’s going on with you and your child could cause embarrassment and shame and irreparably harm your relationship.
  4. Consider a photo purge. With your child’s wellbeing, safety, and privacy in mind — present and future — consider going through your social networks and deleting any photos or posts that don’t need to be public.
  5. Talk to kids about the freedom of expression. Every person who logs on to the internet can expect fundamental freedoms, even kids. These include the right to privacy, how our data is shared, and the freedom of expression online. Discuss these points with your children in addition to our collective digital responsibilities such as respect for others, wise posting, downloading legally, citing works properly, and reporting risky behavior or content.

When it comes to parenting, many of us are building our wings on the way down, especially when it comes to understanding all the safety implications around data privacy for children. However, slowing down to consider your child’s wellbeing and privacy with every post is a huge step toward creating a better, safer internet for everyone.

The post Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online? appeared first on McAfee Blogs.

Google is taking action on deceptive installation tactics for Chrome Browser Extensions

Google aims at eliminating the use of deceptive installation tactics among Chrome browser extensions introducing a new policy.

Google announced a new policy for Chrome browser extensions to eliminate the use of deceptive installation tactics.

The additional changes are part of Project Strobe, presented by Google in October 2018 in the aftermath of the data breach that exposed the data of over 500,000 Google+ users.

Google aims at ensuring that all Chrome extensions are trustworthy by default

Google says that users’ trust in extensions is greatly influenced by the path to downloading an extension. A single bad experience could affect users’ interest in these applications. 

“Setting the right expectations for what an extension does, from the start, helps create a healthy and thriving ecosystem of extensions, developers, and passionate users.” states Google.

“Last year, to improve user transparency we deprecated inline installation and began requiring all extension installs to go through the Chrome Web Store. This change has helped reduce user complaints about unwanted extensions by 18 percent.”

Unfortunately, Google still receives user feedback about deceptive extension install flows. The company is prohibiting extensions that benefit from deceptive install tactics with the following policy:

Extensions must be marketed responsibly. Extensions that use or benefit from deceptive installation tactics will be removed from the Chrome Web Store.

Deceptive installation tactics include:

  • Unclear or inconspicuous disclosures on marketing collateral preceding the Chrome Web Store item listing.
  • Misleading interactive elements as part of your distribution flow. This includes misleading call-to-action buttons or forms that imply an outcome other than the installation of an extension.
  • Adjusting the Chrome Web Store item listing window with the effect of withholding or hiding extension metadata from the user.

Developers are asked to audit their install traffic to ensure it is compliant before July 1st, 2019.

Google also introduced two additional restrictions on Chrome browser extensions; the most important one requires the use of the “minimum set of permissions necessary” when asking for access to data. Below are the two restrictions the tech giant added to the Chrome Web Store policies:

  1. We’re requiring extensions to only request access to the appropriate data needed to implement their features.  All extensions will now be required to use the “minimum set of permissions necessary” when asking for access to data. If there is more than one permission that could be used to implement a feature, developers must ask for permissions that could give them access to the least amount of data.
  2. We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content.  The company is requiring more extensions to post privacy policies in the Chrome Web Store. While this requirement was already in place for extensions that require access to “personal and sensitive user data,” Google is now extending it to those Chrome browser extensions that need access to personal communications or user-provided content.
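As an added illustration of the “minimum set of permissions necessary” rule (this is not Google’s own review tooling), the following audit flags the broad grants in a constructed extension manifest and shows the least-privilege version beside it. The permission names used (tabs, activeTab, history, cookies, webRequest, declarativeNetRequest, <all_urls>) are real Chrome extension permissions; the two manifests and the "Page Highlighter" feature are constructed for the example.

```javascript
// Added example: audit a Chrome extension manifest against the
// "minimum set of permissions necessary" principle. Manifests below are
// constructed; permission names are real Chrome extension permissions.

// Permissions that expose far more user data than most features need,
// each paired with the narrower alternative a developer can usually use.
const BROAD_PERMISSIONS = {
  tabs: 'activeTab (access only to the tab the user invokes the extension on)',
  history: 'scope the feature to the current page instead of full browsing history',
  cookies: 'request only the host(s) whose cookies are actually read',
  webRequest: 'declarativeNetRequest, or a narrower host permission',
};

// Host patterns that match every site the user visits.
const ALL_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Returns one finding per over-broad grant; an empty list means the manifest
// only asks for targeted permissions.
function auditPermissions(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V3 lists host patterns separately; V2 mixes them into permissions.
  const hosts = manifest.host_permissions || perms;

  for (const p of perms) {
    if (Object.prototype.hasOwnProperty.call(BROAD_PERMISSIONS, p)) {
      findings.push({ permission: p, suggestion: BROAD_PERMISSIONS[p] });
    }
  }
  for (const h of hosts) {
    if (ALL_HOSTS.has(h)) {
      findings.push({ permission: h, suggestion: 'list only the origins the extension needs' });
    }
  }
  // activeTab already covers the invoked tab; combining it with an all-hosts
  // grant means the host grant is almost certainly unnecessary.
  if (perms.includes('activeTab') && hosts.some((h) => ALL_HOSTS.has(h))) {
    findings.push({ permission: 'activeTab + all hosts', suggestion: 'drop the all-hosts grant' });
  }
  return findings;
}

// Constructed "before": a feature that only highlights text on the current
// page, yet asks for every tab, full history and every origin.
const OVERBROAD_MANIFEST = {
  manifest_version: 3,
  name: 'Page Highlighter (constructed example)',
  permissions: ['tabs', 'history', 'storage'],
  host_permissions: ['<all_urls>'],
};

// Constructed "after": the least-privilege manifest for the same feature.
const MINIMAL_MANIFEST = {
  manifest_version: 3,
  name: 'Page Highlighter (constructed example)',
  permissions: ['activeTab', 'storage'],
  host_permissions: [],
};

for (const m of [OVERBROAD_MANIFEST, MINIMAL_MANIFEST]) {
  const findings = auditPermissions(m);
  console.log(m.permissions.join(','), '->', findings.length, 'finding(s)');
  for (const f of findings) console.log('  ', f.permission, ':', f.suggestion);
}
```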


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Chrome Browser Extensions, Google)

The post Google is taking action on deceptive installation tactics for Chrome Browser Extensions appeared first on Security Affairs.

Why zero trust is crucial to compliance

The enterprise faces a brand new world when it comes to data privacy and security. New regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have joined PCI-DSS, HIPAA, and more than 25,000 other cybersecurity regulations passed since 2008. Together, these regulations have vastly increased the workload on security teams already stretched thin by the sheer scale and complexity of modern software business services. The challenge posed by these … More

The post Why zero trust is crucial to compliance appeared first on Help Net Security.

ProtonMail denies that it spies on users for government agencies

The popular privacy-focused email service ProtonMail has been accused of offering voluntarily real-time surveillance assistance to law enforcement.

The popular privacy-focused email service ProtonMail made the headlines because it has been accused of supporting real-time surveillance carried out by law enforcement.


On May 10, while Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, was giving a presentation at an event, the Swiss lawyer Martin Steiger live-tweeted that Walder had incidentally mentioned ProtonMail as a service provider that voluntarily offers support to law enforcement.

Steiger said that ProtonMail offers voluntary support for real-time surveillance without requiring an order from a federal court.

“Email service provider ProtonMail, based in Switzerland, offers assistance for real-time surveillance: Voluntarily!” reads the post published by Steiger.

Steiger pointed out the company provided metadata and so-called secondary data that could be used by law enforcement and intelligence agencies for surveillance purposes.

“Metadata or secondary data that is available must be provided. On the other hand, ProtonMail, as a provider of derived communication services, has in principle no obligation for real-time surveillance. Art. 26 para. 4 SPTA provides such obligation only for providers of telecommunications services such as Swisscom or UPC.” continues the post.

“There is currently no evidence that ProtonMail is a provider of derived communications services with more extensive surveillance obligations. ProtonMail would therefore not have to voluntarily provide assistance for real-time surveillance.”

Steiger pointed out that ProtonMail is subject to Swiss local surveillance laws, but is not subject to more extensive surveillance obligations.

According to the transparency report published by the company, ProtonMail can conduct real-time surveillance for the authorities; the report also mentions a current case:

“In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.”

Walder said that Steiger has misunderstood his speech, but the lawyer believes that the situation is exactly the one he described in the post.

ProtonMail denied Steiger’s claims and published a post to clarify that it only supports authorities when presented by an order from a Swiss court or prosecutor.

“ProtonMail does not voluntarily offer assistance as alleged. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in all criminal cases. Furthermore, ProtonMail’s end-to-end encryption means we cannot be forced by a court to provide unencrypted message contents.” reads the blog post.

“ProtonMail cannot be used for any purposes that are illegal under Swiss law. Not only is this against our terms and conditions, we are also obligated by law to assist police investigations in criminal cases. However, the claim that we do this voluntarily is entirely false.”

According to ProtonMail, Steiger’s interpretation of the law is different from the one taken by the Swiss authorities.

The company clarified that it does not agree with the interpretation taken by some branches of the Swiss government, and has therefore asked the Swiss Federal Administrative Tribunal to rule on the appropriate interpretation of the law; it will appeal to the Swiss Supreme Court if necessary.

ProtonMail threatens to take legal action for defamation pursuant to art. 174 of the Swiss Criminal Code.


Pierluigi Paganini

(SecurityAffairs – privacy, surveillance)

The post ProtonMail denies that it spies on users for government agencies appeared first on Security Affairs.

Cyber News Rundown: Popular News Site Breached


News Site Suffers Data Breach

Flipboard, a news aggregation site, recently revealed that it’s been the victim of a data breach that could affect many of their more than 100 million active users. Digital tokens were among the compromised data, which could give the attackers further access to other sites, though Flipboard promptly removed or replaced them. At least two separate breaches have been reported by Flipboard, with one occurring in the middle of 2018 and the other in April of this year. Both allowed the attackers nearly unlimited access to databases containing a wealth of user data.

Keylogger Targets Multiple Industries

At least two separate campaigns have been found to be sending malicious emails to industry-leading companies in several different areas of business. Hidden within these emails are two variants of the HawkEye keylogger that perform various malicious activities beyond simply stealing keystrokes from the infected device. By acting as a loader, HawkEye can install additional malware and even contains a script to relaunch itself in case of a system reboot.

Australian Teen Hacks Apple

A teen from Australia was recently in court to plead guilty to two separate hacks on Apple, which he conducted in hopes of gaining a job with the company. While Apple has since confirmed that no internal or customer data was breached, they have chosen leniency after his lawyer made a case for the perpetrator being remorseful and not understanding the full impact of his crimes.

Fake Crypto-wallets Appear on App Store

Several fake cryptocurrency wallets have made their way into the Google Play store following the latest rise in the value of Bitcoin. Both wallets use some form of address scam, by which the user transfers currency into a seemingly new wallet address that was actually designed to siphon off any transferred currency. The second of the two wallets operated under the guise of being the “mobile” version of a well-known crypto-wallet. It was quickly identified as fake due to an inconsistent icon image. Both fake wallets were tied to the same domain and have since been removed from the store.

Ransomware Focuses on MySQL Servers

While the threat of GandCrab is not new, organizations discovered its persistent risk after researchers found it has been refocused on attacking MySQL servers. By specifically targeting the port used to connect to MySQL servers, port 3306, the attackers have had some success, since many admins allow port 3306 to bypass their internal firewalls to ensure connectivity. As GandCrab continues to narrow its attack scope, its remaining viable vectors are likely to be even more lucrative given that most organizations are not able to secure everything.

The post Cyber News Rundown: Popular News Site Breached appeared first on Webroot Blog.

Cybersecurity and Drones – A Rising Threat?

Drones, which are part of the UAV (unmanned aerial vehicles) group, have certainly seen an increase in popularity in the past few years. The global drone market is expected to grow from $14 billion in 2018 to over $43 billion in 2024. Long gone are the days when drones were only used for military purposes – today they can basically be purchased and flown by anyone. They can be affordable, come in all sizes, and can get as sophisticated as you can imagine.

Drones are now used for a multitude of purposes, ranging from recreational use, photography and filmmaking, agriculture, to surveillance and so many other uses. This technology will soon even be utilized by Amazon to deliver small packages, has already been employed by Domino’s to bring pizza, and UPS has used it to ship medical samples in the US. 

But technology like this can equally be used for good and bad purposes and could easily turn into a sci-fi nightmare. And one of the biggest concerns here is that drones can be hacked, or other drones can be used to hack electronic devices and gather data without one’s consent. 

The malicious uses of drones 

Drones can become a threat to your privacy since they can be used as spying devices. 

Numerous cases have been reported so far. To name a few, a couple flew a drone to watch their neighbors and ended up being arrested, and burglars are now reportedly using drones to scout houses they intend to rob.  

Privacy-related incidents may be so common because many countries don’t have any drone laws in place, or drone users are simply unaware of them. But some countries have released regulations. For example, the UK is currently in the process of updating its Drones Bill, most probably as a response to the famous Gatwick Airport incident, when drone sightings stopped 1,000 flights from December 19-21, 2018 and affected the travel plans of around 140,000 people. The United States has also released regulations for drone users, and you can go through them here if you are flying your drones in the US.

Some drones can even see through walls by employing Wi-Fi and 3D imaging, and could easily create 3D plans of buildings that could facilitate criminals’ access inside them.

Not only that, other prominent issues are related to cyber-attacks, which may have seemed impossible to happen in the past but could now be carried out using drone technology. Drones can now be used to hack servers, spy on networks, extract data, and block communications.  

Corporate networks can be heavily affected by the malicious use of drones, so companies need to have solid security measures in place to prevent unwanted access and protect themselves from cyber warfare attacks. 

How hackers steal data with drones

Attackers can attach a small computer (such as Raspberry Pi) to a drone, fly it over places where they wouldn’t normally be able or allowed to enter, and then exploit Wi-Fi, Bluetooth, or RFID (Radio-frequency identification) vulnerabilities. 

A cybersecurity company proved that a drone could be connected to basically any device, such as smartphones or laptops, during the 2014 Black Hat security conference in Singapore. They used a drone to intercept data from attendees’ phones with software dubbed Snoopy that ran on the minicomputer attached to the drone. It could mimic Wi-Fi networks that victims had connected to in the past, and the researchers were then able to steal any information that was used on the device, including bank details and passwords.

Also, other sources have shown that drones equipped with a radio transceiver could be used to hijack Bluetooth mice. This means that any other Bluetooth-connected devices could be accessed, such as keyboards, from which attackers could obtain keystrokes and figure out users’ login credentials. 

Your own drone could be hacked easily 

Imagine you are flying your drone, planning to take breathtaking shots of the spectacular location you are exploring and all of a sudden, the drone crashes and hits the ground. Or worse, it starts flying into random people and injures them.  

One way this could happen is through GPS spoofing. This practice involves tricking a GPS receiver by transmitting a fake GPS signal. As a result, the drone will use the wrong location.  

How malicious drones can be stopped  

The anti-drone market is expected to reach $1.85 billion by 2024, which shows that significant efforts are being made to fight hostile drones.

For instance, researchers funded by the EU are trying to find ways to detect and disable malicious drones through the KNOX project. Additionally, a recent study conducted by Fujitsu System Integration Laboratories and the Ben-Gurion University of the Negev addresses the same issue and analyzes methods to detect drones. What’s more, companies AT&T and Dedrone (a drone detection technology start-up) are collaborating to develop IoT solutions against malicious drones.  

Below I’ve included a few methods used to detect rogue drones: 

1. Geofencing  

Geofences are virtual boundaries set up within physical locations where drones can be detected when they reach certain delimited areas.  

How does geofencing work 

This is a location-based service and can be set up using GPS, Wi-Fi, Bluetooth, cellular data or RFID. In order to use geofencing, a developer or admin must create a virtual border around a specified location in GPS or RFID-enabled software. It’s quite a simple operation and can be represented, for example, by a circle drawn around a location on Google Maps. Technically, the geofence should generate a response the moment an unauthorized drone enters the defined area.

However, this technology may not always be so efficient 

Regular drones have built-in geofencing software, so you can’t unknowingly fly them over restricted areas, but malicious actors could build their own devices without this software or even hack the standard ones. Apparently, there is a website (on the open internet, not on the dark web) that sells hacks for drones manufactured by DJI, the market leader in unmanned aerial vehicles. The hackers’ solutions remove geofencing, altitude, and speed limitations.
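The "circle drawn around a location" above, implemented as an added example (not code from the original article) as a ground-side geofence: it is evaluated by the defender against observed position fixes, such as those a radar or RF detection system reports, so it keeps working even when the drone’s own geofencing firmware has been removed. The fence centre, radius and track are constructed sample values, not an authoritative fence.

```javascript
// Added example: ground-side circular geofence over a track of observed
// drone positions. All coordinates below are constructed sample values.

const EARTH_RADIUS_M = 6371000; // mean Earth radius, metres

const toRad = (deg) => (deg * Math.PI) / 180;

// Great-circle distance in metres between two WGS-84 points (haversine).
function haversineMetres(lat1, lon1, lat2, lon2) {
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

// A fence is a centre point plus a radius in metres; a fix exactly on the
// boundary counts as inside.
function insideFence(fence, fix) {
  return haversineMetres(fence.lat, fence.lon, fix.lat, fix.lon) <= fence.radiusM;
}

// Walk a time-ordered track and emit one event per boundary crossing, so an
// operator is alerted on entry (and exit) rather than on every single fix.
function fenceEvents(fence, track) {
  const events = [];
  let wasInside = false;
  for (const fix of track) {
    const nowInside = insideFence(fence, fix);
    if (nowInside && !wasInside) events.push({ type: 'ENTER', t: fix.t });
    if (!nowInside && wasInside) events.push({ type: 'EXIT', t: fix.t });
    wasInside = nowInside;
  }
  return events;
}

// Constructed sample: a 500 m fence around an illustrative point and a track
// (timestamps in seconds) that approaches, crosses in, then leaves.
const SAMPLE_FENCE = { lat: 51.1481, lon: -0.1903, radiusM: 500 };
const SAMPLE_TRACK = [
  { t: 0, lat: 51.14, lon: -0.2 },       // ~1.1 km out
  { t: 30, lat: 51.144, lon: -0.196 },   // ~600 m out, still outside
  { t: 60, lat: 51.1478, lon: -0.191 },  // ~60 m from centre: ENTER
  { t: 90, lat: 51.1482, lon: -0.19 },   // still inside, no new event
  { t: 120, lat: 51.153, lon: -0.185 },  // ~660 m out: EXIT
];

for (const e of fenceEvents(SAMPLE_FENCE, SAMPLE_TRACK)) {
  console.log(`${e.type} at t=${e.t}s`);
}
```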

2. Radar 

Radar is already the standard go-to mechanism for aerial vehicle detection, so drones can also be detected using radar detection systems.

Drone radars use a combination of noise detection, thermal detection, radio signal detection, and signal identification. However, this method is not fully accurate, as it can easily mistake birds for drones. 

Additionally, some drone radars also use microphones to recognize noise patterns, but this has proved to be ineffective in noisy urban areas. 

3. Acoustic sensors 

These sensors are able to detect drones that sometimes can’t be seen by radars.  

Acoustic sensors recognize the unique sounds generated by different drone types and run them against a sound signatures database. If there’s a match, the system triggers an alert.  

4. RF Scanners 

Radio-frequency scanners examine the electromagnetic spectrum and find the specific transmissions from drones.  

However, RF scanners will only work when radio signals are present. Some drones operate without any RF signals and rely only on GPS, so this method will, in some cases, be ineffective.

5. Thermal imaging 

Thermal drones use vision imaging cameras that work by detecting heat emitted by almost all objects and materials.  

So, drone thermal cameras could prove to be powerful tools to detect unwanted UAVs.  

Of course, there are many other methods out there (including hybrids) that are meant to stop malicious drones, which I haven’t mentioned in this article. Here are some more resources I recommend you check out if you want to become an anti-drone expert: 

To Sum Up 

Drones are certainly impacting our daily lives and will, without doubt, make up an important part of the IoT network used in our future smart cities. But sadly, they can be easily misused for malicious purposes. So, a lot of effort should be put into their cybersecurity and using the proper ways to detect and take down the ones which are threatening us.  

What is your opinion on the issues related to drones and cybersecurity? Share your thoughts in the comments section below. 

The post Cybersecurity and Drones – A Rising Threat? appeared first on Heimdal Security Blog.

Smashing Security #130: Doctored videos, BCC blunders, and a diva

You won’t believe who had to report themselves to the data protection agency for a breach, or who has been sharing doctored videos of political rivals, or how much money you can make selling a laptop infected with malware… and how Carole gets her diva on.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who aren’t joined by a guest this week.

VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs

Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

Recent research by the cybersecurity experts at VPNpro shows that the popular mobile VPN developer Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

The study also revealed that two of those VPN products are under its other developer name, Lemon Clove, and another two by Autumn Breeze 2018.

Interestingly, most of the popular mobile-only VPNs that VPNpro analyzed are actually Chinese (run by Chinese nationals or actually located in China). Any data that is held in mainland China is wide open to access by Chinese authorities, confirming US Senators’ recent fears of American data falling into Chinese or Russian hands.

Innovative Connecting VPNs products

Innovative Connecting owns the following 10 VPN products:

  1. VPN Master – Free Proxy
  2. VPN Proxy Master (Pro)
  3. VPN Proxy Master (Lite)
  4. Turbo VPN
  5. Unlimited Free VPN
  6. HOT VPN
  7. Snap VPN
  8. VPN Robot
  9. VPN Sofast
  10. Turbo VPN Private Browser

Source: VPNpro

What is the relationship between Innovative Connecting, Lemon Clove and ALL Connected?

VPNpro’s research reveals that there is a clear relationship between these three companies. Innovative Connecting has more than a strong business relationship with Lemon Clove, which creates the popular Snap VPN and VPN Robot apps.

Lemon Clove and Innovative Connecting share the same secretary, Loo Ping Yoo, and key addresses. Both Lemon Clove’s website and Innovative Connecting’s website are the same, with only small changes in text.

If you search VPN Proxy Master on Apple’s App Store, you can see the developer name appears as ALL Connected, while Innovative Connecting listed as the developer on Google Play.

ALL Connected’s Turbo and Master VPN are on similar Cloudfront domains that link to Innovative Connecting. The App Store policy for VPN Master (developed by Innovative Connecting) is hosted on ALL Connected’s domain. All the policies for these VPN apps have the exact same broken English and typos.

Innovative Connecting’s Director seems to be Danny Chen, the well-known Chinese entrepreneur and CEO behind Linksure. Beyond that, the researchers discovered that the email address used to register turbovpn.co (developed by Innovative Connecting) also registered lemonclove.net, vpnsnap.com, and many others.


Source: VPNpro

Why does it matter if a company owns multiple VPN products?

There is nothing wrong with owning multiple VPN brands – but there must be transparency between the company and its users. Trust is the most important factor for most users of VPN services. Beyond this, there are two further crucial issues:

1. Privacy

In a recent US survey, 95% of internet users said they were either somewhat concerned or very concerned about their privacy. However, if VPNs are actually located in a 5/9/14 Eyes country, which are normally high-surveillance countries, or in a repressive country like China or Russia, users’ data is most likely already in those governments’ hands.

2. Security

If a VPN’s parent company is untrustworthy, including having weak security or actively engaged in malicious activities, it can be a big problem. This can lead to users’ data being stolen and sold on the black market, or even having their computers hacked into.

Bottom line

There are thousands of VPN companies out there, and unfortunately many of them have weak security and privacy features, or are outright malicious in wanting to steal or sell user data.

To help you find a trustworthy VPN, follow the steps below:

  • carefully read the privacy policy of a VPN provider
  • read in-depth reviews of a VPN company on different platforms
  • ask for recommendations in different communities and see their views
  • check if the company is GDPR compliant
  • read their privacy features
  • check if they have had any scandals or breaches

With the right homework, you can find a trustworthy VPN that actually helps safeguard your online activity.


About The Author: Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories; you can share story ideas at susanalexandra67(at)gmail(dot)com


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – VPNs, privacy)

The post VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs appeared first on Security Affairs.

What makes Quick Heal’s Next Generation Suite of Features a SMART choice to protect your privacy?

The cyber threat landscape is evolving every second, with thousands of new potential threats being detected every single day. With people becoming more and more conscious about their privacy and private data, such evolving threats can have a significant impact on the personal and financial life of people. In order…

Handle personal data: What we forget is as important as what we remember

This spring, Facebook addressed the issue of permanence across its messaging platforms – from Instagram to Messenger to WhatsApp – with the aim to “set a new standard” for consumers’ private communication platforms. Shortly after, Telegram took it further, announcing new capabilities that enable users to delete any message in both ends of any private chat, at any time. While these announcements focus on the consumer audience, global businesses have been grappling with the same … More

The post Handle personal data: What we forget is as important as what we remember appeared first on Help Net Security.

Most global workers noticed stricter policies at work as a result of GDPR

When enforcement of the GDPR went into effect on May 25, 2018, it had worldwide implications on data protection and privacy legislation. One year later, there are conflicting sentiments from the global workforce about whether the regulation has been effective, according to Snow Software. A new survey, which polled 3,000 professionals in the United States, Europe and Asia Pacific region, found that only 39% of respondents feel their personal data is better protected since GDPR … More

The post Most global workers noticed stricter policies at work as a result of GDPR appeared first on Help Net Security.

How many adults trust companies with their personal data?

More than one third (36%) of adults aged 16–75 trust companies and organizations with their personal data more since GDPR came into effect one year ago, according to TrustArc. There are positive sentiments toward enforcement activity, and half (47%) of respondents have exercised some of their GDPR privacy rights. 57% of respondents are also more likely to use websites that have a certification mark or seal to demonstrate GDPR compliance. “The research tells a tale … More

The post How many adults trust companies with their personal data? appeared first on Help Net Security.

Snapchat staff used internal tools to spy on users

Snapchat staff have allegedly abused their roles in the company to spy on Snapchat users and steal data using internal tools.

Snapchat is a multimedia messaging app that makes pictures, videos, and messages (snaps) available for a short time before they become inaccessible to their recipients. Initially, it only allowed person-to-person photo sharing, but it now also offers users’ “Stories”, 24 hours of chronological content. As of February 2018, Snapchat had 187 million daily active users.

Snapchat has internal tools that allow employees to access consumer data, and unfortunately, these tools have been abused by the internal staff.

The news was first reported by Motherboard, which learned that “multiple” employees had abused the tools to spy on users.

“Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned.” reports Motherboard.

Current and former employees, along with a cache of internal company emails obtained by Motherboard, demonstrate the abuse of internal tools to access user data. Employees were able to access location information and personal information, including phone numbers, email addresses, and snaps.

Multiple sources and emails referred to an internal tool called SnapLion that was originally used to gather information on users in response to valid law enforcement requests (i.e. court order or subpoena). 

A former employee told Motherboard that SnapLion provides “the keys to the kingdom.”


Over time the use of the SnapLion tool was extended to other departments, including security staff, and a team called “Customer Ops.”

The information obtained by Motherboard demonstrates that Snapchat failed to implement the principle of least privilege, which would limit each employee’s access to what their job actually requires.

The good news is that Snapchat today implements stricter controls for data access, but that was not the case in the past. Moreover, SnapLion and other internal tools did not implement a satisfactory level of logging to track what data employees accessed.
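To make the two failures described above concrete (no least-privilege scoping, no useful access logging), here is an added illustration of how an internal user-data lookup tool can gate each request by role and legal justification and log every decision. It is not SnapLion or any Snap code; the roles, field policy, sample record and thresholds are constructed for this example.

```python
"""Least-privilege gate and audit log for an internal user-data lookup tool.

Added illustration, not Snap's SnapLion or any real Snapchat code: the
roles, policy, record layout and sample data are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed policy: which role may read which fields. The legal-response
# role needs everything to answer a court order or subpoena; customer
# support needs contact details only; security staff need login metadata.
# No role gets snap content without a recorded legal request (see lookup()).
FIELD_POLICY = {
    "legal_response": {"phone", "email", "location", "snaps"},
    "customer_ops": {"phone", "email"},
    "security": {"email", "location"},
}


@dataclass
class AccessRequest:
    employee: str
    role: str
    target_user: str
    fields: set
    legal_case_id: Optional[str] = None   # court order / subpoena reference


@dataclass
class AuditEntry:
    timestamp: str
    employee: str
    role: str
    target_user: str
    fields: tuple
    legal_case_id: Optional[str]
    decision: str                          # "granted" or "denied: <reason>"


@dataclass
class UserDataTool:
    records: dict                          # target_user -> {field: value}
    audit_log: list = field(default_factory=list)

    def lookup(self, req: AccessRequest) -> Optional[dict]:
        """Return only the requested fields the role may see, or None.
        Every attempt, granted or denied, is appended to the audit log."""
        allowed = FIELD_POLICY.get(req.role, set())
        reason = None
        if not req.fields <= allowed:
            extra = ",".join(sorted(req.fields - allowed))
            reason = "fields exceed role policy: " + extra
        elif "snaps" in req.fields and not req.legal_case_id:
            # Content access is only justified by a recorded legal request.
            reason = "content access requires a legal case id"
        decision = "granted" if reason is None else "denied: " + reason
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), req.employee, req.role,
            req.target_user, tuple(sorted(req.fields)), req.legal_case_id,
            decision))
        if reason is not None:
            return None
        rec = self.records.get(req.target_user, {})
        return {f: rec[f] for f in req.fields if f in rec}


def suspicious_accesses(log, threshold=3):
    """Detection pass over the audit log: report every denied attempt and
    every employee who looked up more distinct users than the threshold,
    a simple signal for snooping rather than case-driven work."""
    findings = []
    per_employee = {}
    for entry in log:
        if entry.decision != "granted":
            findings.append(f"{entry.employee}: {entry.decision} "
                            f"on {entry.target_user}")
        per_employee.setdefault(entry.employee, set()).add(entry.target_user)
    for employee, users in per_employee.items():
        if len(users) > threshold:
            findings.append(f"{employee}: looked up {len(users)} distinct users")
    return findings
```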

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.” reads a spokesperson’s statement sent to Motherboard via email.



(SecurityAffairs – Snapchat, privacy)

The post Snapchat staff used internal tools to spy on users appeared first on Security Affairs.

A closer look at mobile permissions one year into GDPR

With GDPR reaching its one year anniversary May 25, Airship revealed top-level results of its global benchmark study, examining the state of mobile app user permissions across nearly 700 million people worldwide. Meet new regulatory requirements While marketers trimmed customer lists to meet new regulatory requirements for “traditional” channels (i.e., email), mobile app audiences continue to grow — up globally by +16.6 percent year over year. Businesses are also sending more notifications — averaging 36 … More

The post A closer look at mobile permissions one year into GDPR appeared first on Help Net Security.

Smashing Security #129: Too Long; Didn’t Listen

Don’t hire a hacker, they might scam you! What works and what doesn’t when it comes to protecting your email account? And China’s controversial social credit system comes under the microscope.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Data privacy: A hot-button issue for Americans one year after GDPR

The General Data Protection Regulation (GDPR) went into effect in the European Union a year ago this month. GDPR, which gives EU citizens more control over their personal data by mandating how businesses must handle that information, has attracted great interest around the world. In addition, it has inspired government officials elsewhere in the world to develop laws addressing consumer data privacy concerns. In recognition of GDPR’s first anniversary, nCipher Security conducted a survey to … More

The post Data privacy: A hot-button issue for Americans one year after GDPR appeared first on Help Net Security.

Visiting the NSA

Yesterday, I visited the NSA. It was Cyber Command's birthday, but that's not why I was there. I visited as part of the Berklett Cybersecurity Project, run out of the Berkman Klein Center and funded by the Hewlett Foundation. (BERKman hewLETT -- get it? We have a web page, but it's badly out of date.)

It was a full day of meetings, all unclassified but under the Chatham House Rule. Gen. Nakasone welcomed us and took questions at the start. Various senior officials spoke with us on a variety of topics, but mostly focused on three areas:

  • Russian influence operations, both what the NSA and US Cyber Command did during the 2018 election and what they can do in the future;

  • China and the threats to critical infrastructure from untrusted computer hardware, both the 5G network and more broadly;

  • Machine learning, both how to ensure a ML system is compliant with all laws, and how ML can help with other compliance tasks.

It was all interesting. Those first two topics are ones that I am thinking and writing about, and it was good to hear their perspective. I find that I am much more closely aligned with the NSA about cybersecurity than I am about privacy, which made the meeting much less fraught than it would have been if we were discussing Section 702 of the FISA Amendments Act, Section 215 of the USA Freedom Act (up for renewal next year), or any 4th Amendment violations. I don't think we're past those issues by any means, but they make up less of what I am working on.

G Suite users’ passwords stored in plain-text for more than 14 years

Google accidentally stored the passwords of its G Suite users in plain-text for 14 years allowing its employees to access them.

The news is disconcerting: Google accidentally stored the passwords of G Suite users in plain text for 14 years, which means that every employee in the company was able to access them.


According to the tech giant, the incident was caused by a bug in the password recovery mechanism and only business users were affected.

“However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.” reads a blog post published by the company. “This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords.”

G Suite (aka Google Apps) includes cloud computing, productivity and collaboration tools and is widely adopted by business users. Google has already addressed the bug by removing the capability from G Suite administrators.

The bug resides in the password recovery mechanism for G Suite customers, which allowed enterprise administrators to upload or manually set passwords for any user in their domain without knowing their previous passwords. The procedure could be used to set passwords for new employees and for account recovery.

Google admitted that when an admin reset a password this way, the admin console stored the password in plain text on Google servers.

Google investigated the problem and confirmed that it has no evidence of improper access to or misuse of the affected G Suite credentials.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure.” continues Google. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
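The defect Google describes is an admin-set password flow that keeps a copy of the raw password next to the hash. The following added illustration (not Google's admin console code; the record layout, field names and sample passwords are constructed) shows that flawed flow beside a hardened one that stores only a salted hash and flags the account for a user-driven reset, plus an audit check that finds any stored field that still verifies as the live password, which is exactly what an unhashed copy looks like.

```python
"""Admin-set password flow: the described defect beside a hardened version.

Added illustration, not Google's admin console code. The record layout
("salt", "hash", "must_reset", "admin_console_copy") and sample values are
constructed for this example. Uses only the Python standard library.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000   # constructed work factor for the illustration


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; a fresh salt if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS)
    return salt, digest


def admin_set_password_flawed(store: dict, username: str, new_password: str) -> None:
    """The 2005-style defect: the hash is stored correctly, but a copy of
    the unhashed password is also kept in the admin console record."""
    salt, digest = hash_password(new_password)
    store[username] = {
        "salt": salt,
        "hash": digest,
        "admin_console_copy": new_password,   # the plaintext copy (defect)
    }


def admin_set_password(store: dict, username: str, new_password: str) -> None:
    """Hardened flow: only the salted hash is persisted, and the account is
    marked so the user must choose a new password that the admin never saw."""
    salt, digest = hash_password(new_password)
    store[username] = {"salt": salt, "hash": digest, "must_reset": True}


def verify_password(store: dict, username: str, attempt: str) -> bool:
    """Constant-time comparison of the attempt against the stored hash."""
    rec = store.get(username)
    if rec is None:
        return False
    _, digest = hash_password(attempt, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def find_plaintext_copies(store: dict) -> list:
    """Audit check: any string field in a record that verifies as that
    user's password is an unhashed copy and is reported as (user, field)."""
    hits = []
    for username, rec in store.items():
        for key, value in rec.items():
            if isinstance(value, str) and verify_password(store, username, value):
                hits.append((username, key))
    return hits
```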

Google attempted to reassure users by explaining that, even though the passwords were stored in plain text, they sat on internal, encrypted servers that were not reachable from the open Internet.

At the time Google did not reveal how many users might have been impacted, but we have to consider that currently, G Suite has 5 million enterprise customers potentially at risk.

The company notified the impacted business users of the incident and asked them to reset their passwords; it also announced that it will automatically reset passwords for users who do not change them.

Google isn’t the only tech giant that has accidentally stored plain-text passwords on its internal servers. Recently, Facebook revealed a similar incident that affected Facebook and Instagram users.

In 2018, Twitter asked more than 330 million users to change their passwords after a bug exposed them in plain text on internal systems.



(SecurityAffairs – G Suite, hacking)

The post G Suite users’ passwords stored in plain-text for more than 14 years appeared first on Security Affairs.

Official Tor Browser for Android available on Google Play

The Tor Project has released the first stable version of the Tor Browser for Android. The release is referred to as version 8.5, mainly to prevent confusion: Tor Browser releases for Windows, macOS, and Linux are currently on that version. About Tor Browser for Android The Tor Project released an alpha version of the app in September 2018 and has been working on tweaking it ever since. “Mobile browsing is increasing around the world, and … More

The post Official Tor Browser for Android available on Google Play appeared first on Help Net Security.

Google Decided to End Business with Huawei. How This Impacts Users.

Sad and worrying news for Huawei mobile users, like you and me. Google recently announced that it will no longer provide support to the giant Chinese company for many Android hardware and software operations. 

This move follows a Trump administration decision to add Huawei Technologies Co Ltd to the trade blacklist and impose restrictions that will affect how the company does business with other U.S. organizations.

On top of that, important US chipmakers like Intel, Qualcomm, and others have also joined Google and cut off deals with the Chinese company, Bloomberg reported.

So, the big US tech players decided to comply with this new legislation, but the consequences will surely impact the tech industry, consumers, and each of us, in general.  

We are aware of the geopolitical implications: a trade war between China and the US that will probably lead to a technological cold war. But there are also real-life implications for those who have (at least) one Huawei device at home.

All the buzz around the recent Huawei ban has probably sparked confusion and raised some key questions like: 

Is my Huawei device safe? Should I stop using it and switch to another alternative?  What about Android security updates? I want to purchase a new Huawei smartphone, is it safe or not? 

In this article, we’ll try to understand what’s the best approach to dealing with this situation and provide actionable and useful tips you can apply for a better user experience. 

Here are some key aspects related to the Huawei ban to keep in mind

The US Government applied new regulations to Huawei by adding it to the “Entity List”, which means it can’t “buy parts of technology from US suppliers without government approval as its equipment is considered potential tools for Chinese espionage”.

Following this ban, the US Department of Industry and Security, Commerce said Huawei still has a 90-day “temporary general license” which allows the company to continue using the US intel with the license.  

During this limited license available until August 19, 2019, Huawei will work closely with US corporations to maintain business relationships and provide software updates for the existing Huawei devices. Read more details about this temporary license. 

From a positive perspective, the Chinese telecom company ZTE went through a similar situation: it was blacklisted by the US government, which finally lifted the trade ban and allowed the company to continue getting essential hardware parts and software from US companies.

However, in the case of Huawei, Google decided not to provide software, hardware, and technical services to the Chinese phone maker. This means that Google will control the Chinese company’s access to Android, its core operating system, and to parts of it such as:

  • Its Play store 
  • Own applications 
  • Google Assistant
  • Gmail email service 
  • Tools that require access to third-party services. 

While US-based technology companies such as Intel and Qualcomm decided to comply with the latest US government order, Microsoft remains silent on a potential Windows ban that would block Huawei’s access to Windows licenses. The Verge tried to reach out to Microsoft reps, but no further comment has been given on this situation. However, it appears that the company stopped selling Huawei’s MateBook X Pro, one of its Windows laptops in the US, at its online store.

In anticipation of this move and the current tensions between the US government and China, Huawei has worked on a plan B and has already started developing a proprietary operating system, for both smartphones and computers, as an alternative to Google’s Android OS. We’ll see how things evolve going forward.

“We have prepared our own operating system, if it turns out we can no longer use these systems [Android], we will be ready and have our plan B.”

declared Huawei executive, Richard Yu.

In a recent interview, Huawei’s founder Ren Zhengfei said that the company’s “5G would not be affected and predicted that no other parties would be able to catch up with the company in 5G technology in the next 2-3 years”. He also added that the U.S. authorities underestimate Huawei’s capabilities. Do they?

Smartphone sales experienced a decline in the first months of 2019, but Huawei saw a significant 50% increase in shipments (all running Android OS) and “made a strong statement by growing volume and share despite market headwinds”, according to a new IDC report.

What the current Huawei device owners need to know 

Google declared that consumers who currently have a Huawei device can still use the company’s services such as the Google Play Store, Google Search, Gmail, Google Maps, and security from Google Play Protect. 

The official statement from Huawei also confirmed that it “will continue to provide security updates and after-sales services to all existing Huawei and Honor smartphone and tablet products.”

So, this means that all current Huawei devices will work normally, without being affected in any way. In the medium-to-long term, we don’t know exactly what’s going to happen, but it will depend on the relationship between the US and China.    

Yes, you can still perform your daily tasks, download any app from Google Play and rest assured that all software updates are being delivered on time.

We all know how essential software patching is and why security experts have taken every opportunity to encourage both regular users and organizations to apply them.    


How does this situation impact any future Huawei smartphone?

If you’re going to purchase a new Huawei smartphone in the upcoming months, there will be limitations regarding the access to Google services and other implied restrictions that you need to know about.  

  • First off, all the upcoming Huawei devices will not be certified by Google and they won’t have built-in Google’s most popular applications and programs.  

This decision won’t impact the Chinese consumers, who already can’t access most of Google’s top services, but will be reflected in Europe and other parts of the globe.  

  • Without access to Google Mobile Services, third-party developers won’t be able to use Google’s API on new Huawei handsets. 
  • For future devices, Huawei can no longer benefit from the Google Play services, but it still has access to Android OS, since it is an open source system. 
  • Each new addition Google makes to Android via Google Play Services will no longer be available to the Chinese company for its global devices.
  • New versions of Huawei smartphones outside China will not ship with key Google services such as Google Play, Gmail apps, Maps, or YouTube. Even if you try to install them, they won’t work. 
  • Without access to the Google Play store, users will probably try to download their apps and programs from other sources, which poses real security risks and provides new opportunities for cybercriminals to inject malware through fake apps.
  • Also, new Huawei smartphones may not receive future releases of Android OS and could be stuck with an old version. This means there will be no access to new improvements and features developed by Google, although we know that Huawei usually changes the standard Android experience by adding its own user interface.

Protection guide for Huawei device users

It is no secret that Huawei is the largest smartphone vendor in China and a key player on the global market.

However, the company still relies on US suppliers for the hardware it needs to build high-quality devices that are popular all over the world.

If you have a deep fondness for your Huawei smartphone and you don’t want to give up on it, here are some key security measures you should apply: 

  1. Apply available software updates and consider turning on the “automatic updates” feature, if you have it. This keeps your device from being an easy target for malware and ransomware, which usually target outdated programs and apps.
  2. Use a specialized security solution like Thor Free to handle software updates automatically and silently, which saves you time and energy.
  3. If your Huawei device is more exposed to cyber attacks, it is recommended to use a multi-layered security solution like Thor Premium Home. With its proactive and unique threat intel alongside a next-gen antivirus, your sensitive information and digital life are protected by a complete, all-in-one security suite.
  4. Be proactive and stay up to date with the latest news about this debate, if you’re going to invest in a Huawei device. Make sure you follow the company’s latest announcements on this matter and keep an eye on the security updates for your specific device.
  5. Learn about the online dangers and build a strong defense against cyber threats by checking out one of our valuable educational resources that will teach you actionable and applicable security tips.

Final thoughts

In the long run, this decision by the US Government to crack down on Chinese companies will probably escalate into something even bigger. There’s an ongoing battle between the United States and China, and we don’t know exactly how it will end, but the future remains unclear for the Chinese company.

The other day, I heard one of my colleagues in the office saying that Huawei is no longer a viable option. I, for one, will continue to use my current Huawei smartphone and stay informed with the latest news from the company.

What are your thoughts on this subject? Are you still going to invest your money in a Huawei phone or consider other options?  

The post Google Decided to End Business with Huawei. How This Impacts Users. appeared first on Heimdal Security Blog.

Data Security in the Cloud: How to Lock Down the Next-Gen Perimeter

Enjoy the video replay of the recent Threatpost cloud security webinar, featuring a panel of experts offering best practices and ideas for managing data in a cloudified world.

Facial Recognition Software 101: Current Debates and How to Elude It

Facial recognition software is a relatively new technological development that is becoming adopted on a large scale by law enforcement agencies and national intelligence agencies worldwide.

Theoretically, the adoption of facial recognition software and other biometric identification methods could help identify attacks before they occur and generally lead to a faster capture of criminals. Practically, many citizens and digital privacy advocates are fighting back against the use of facial recognition software.

So why is facial recognition software such a charged topic?

To help anyone understand exactly why people don’t like it, I’ll first dive into the current debates and the main controversies surrounding facial recognition software. Then, I’ll continue by explaining how the technology works and how you can confuse it or resist it.

While I wouldn’t encourage anyone to do anything illegal or resist legitimate info requirements made by public authorities, the truth is that facial recognition software is still, in many ways, a wild west. The laws are being debated and subject to change.

Innovators and authorities are still exploring what the technology can do and discover new functionalities. Meanwhile, the public tries to catch up and debate whether the functionality should be used in the first place.

Therefore, attempts to resist facial recognition software and to confuse it are a vital part of current negotiations and debates, in a new landscape where the right to a private life can’t be taken for granted anymore.

But before we dive deep into the intricacies of facial recognition software, we need to look briefly at the history of its development.

A short history of facial recognition software:

  • Mid-1960s: American mathematician Woodrow Wilson Bledsoe and his team develop a simple device which records facial features using a stylus and a tablet. His efforts helped pave the way towards modern facial recognition software and his intelligence team members are considered pioneers of AI and pattern recognition.
  • Between the 1980s and 1990s: MIT, Rhode Island, and Brown University scientists develop the technology further, leading to Eigenfaces. Eigenfaces are two-dimensional facial structures generated through algebraic formulae. They laid the foundation for contemporary facial recognition software.
  • After 2001: The 9/11 terrorist attacks highlighted the need to strengthen border security with better personal identification, via facial recognition software. This led to a wide-scale adaptation of this software, which continues to be improved to this day. Applications of the software were quickly picked up by the commercial sector as well (see below).
  • 2005: The first personal phone with facial recognition software is unveiled at the Security Show Japan. The technology was named OKAO Vision Face Recognition Sensor and it was developed by the OMRON Corporation.
  • 2005 – present: Facial recognition software is increasingly adopted by most smartphones but also perfected for the use of law enforcement and military groups. Machine learning and AI are employed for taking its accuracy to new heights and to vary its applications.

Why Is Facial Recognition Software So Debated Today?

As you can see, facial recognition software also has some consumer applications which are pretty popular (like the ones for smartphones).

Since security experts have long decried single-factor authentication (like security measures consisting only of passwords) as being too vulnerable to hacking (through credential stuffing attacks, for example), two-factor authentication is increasingly recommended and implemented. Some voices say even two-factor authentication is not as secure as previously thought.

In this context, methods of biometric authentication seem like a more secure way of accessing your accounts. Signing in with your face, your fingerprint, your iris scan or other bodily identity factors, which are (theoretically) accessible to no one but you, is the next level.

So why then are people against facial recognition software?

First and foremost, because facial recognition software started being employed in mass surveillance programs at a nationwide level. People may not be against facial recognition software per se, but the way it is being used by law enforcement and state intelligence agencies is making many citizens uncomfortable.

Secondly, it’s not just a matter of privacy infringement: facial recognition software is also prone to errors and bias, which cause people further discomfort.

Thirdly, as people become more educated in cybersecurity matters, with news of new data breaches making headlines every month, everyone is realizing that the safest bet is to have as little of your data collected as possible. If you allow devices to record even your most personal and private biometric data and store it for recognition and authentication, sooner or later the data might fall into the wrong hands.


There are other ways of being safe or employing multi-factor authentication methods; you don’t need to hand over your intimate bodily data. Besides, some biometric data is very easily faked by hackers just by seeing a photo of their victim where the hands are visible. In a famous case, a German minister’s fingerprints were replicated by hackers using just public photos.

Countries Which Are in the Spotlight for Facial Recognition Software

But the first reason for which people are outraged by facial recognition software lately is the way some public authorities started employing it. In the past half-year, some countries have been more under the spotlight for using facial recognition software in a way equated by people to a dystopian-like mass surveillance campaign.

These countries are:

#1. The US

In most American cities, unless explicitly banned due to public backlash and protests, police authorities have adopted the use of facial recognition software.

Since the technology behind facial recognition software is rather new and unprecedented, laws haven’t managed to catch up with it. Therefore, it’s still akin to the wild west: police are using the tech liberally and gathering as much data as they can, just thinking that it might be useful in the future or in order to train the programs to be more accurate.

As of 2016, it was estimated that 50% of the population was in the databases of police-owned facial recognition software, and that was 3 years ago.

If laws concerning the collection of private data without consent are in place, they are targeted at companies and advertisers, not at law enforcement. However, digital rights advocacy groups started speaking out against the rights of law enforcement to gather and make use of such data without a just reason. The following year will probably bring significant changes, one way or the other, as the matter is settled towards one pole or the other. More details on debates and protests below.

#2. The UK

“One Nation Under CCTV,” 2007 mural by Banksy (Flickr/ogglog).

In the UK, the use of facial recognition software by law enforcement seems to be even more pervasive than in the US, raising deeper concern over citizen rights and dystopian potential. To say that the use of this tech by police forces is contested would be an understatement.

First of all, as the use of this tech is yet unregulated, the police are apparently using it without permission. Privacy rights advocates such as the Big Brother Watch NGO are campaigning against the use, calling it unlawful and abusive towards privacy rights. Other studies report numerous ways in which surveillance via facial recognition software infringes on multiple citizen rights.

UK police are also being taken to court over their use of facial recognition software, in a first case of its kind. Until the matter is settled through legislation, more trials and protests will probably follow.

The fact that the use of the software is not even particularly effective doesn’t help improve its public perception either.

#3. China

China is facing international outrage over its treatment of the Uighur minority in the Xinjiang region, who are under constant surveillance through various technological means, including facial recognition, voice recording and other spying (even when they are not talking on the phone). Chinese police forces even have smart glasses with built-in facial recognition systems, so the potential of the tech is very high.

#4. Germany

Germany tested facial recognition software for checking people passing through a train station, using volunteers who fully consented to hand over their biometric photos. However, it didn’t take long for privacy advocates to raise the alarm. Considering the country’s history of government mass surveillance, I think the quick response, even if the trigger was ‘softer’ than the practices adopted by other countries, is a healthy exercise in democracy.

Other countries (less concerning cases):

Facial recognition software is also employed by law enforcement in the United Arab Emirates (for border control and such).

In Japan, the tech is being used for some controversial things like checking whether employees are smiling enough and so on, but since it’s not controversial in how police forces are using it, I won’t be including Japan in the list of really concerning countries.

Singapore, the tech capital of Asia, also employs facial recognition software widely for fast check-ins and such, but no reports of abuse have come through. Of course, it’s very possible that the West is experiencing more public protests about this kind of tech because of cultural differences and a greater awareness of privacy rights.

How People Are Fighting Back against Facial Recognition Software and Why

While law enforcement agencies, for their part, defend their use of facial recognition software by highlighting its positive effects, people are not convinced.

In the US and UK, regular protests were held against the police use of facial recognition software without probable cause, as well as against storing the data obtained through this software without consent. If we look at some of the recent and non-recent protests, it’s pretty clear that many citizens see facial recognition software as having the potential to lead to a dystopian world, at least when it is in the hands of public forces.

  • In Washington, DC, people made a logo from the Eye of Sauron (from the Lord of the Rings trilogy) and the campaign message ‘Stop Watching Us, Sauron’ in order to protest surveillance;
  • An NSA program which uses machine learning to identify probable terrorists has been dubbed Skynet, in a reference to the machine turned mad which ultimately takes control of humans in the Terminator series.

Recently, San Francisco registered a huge win in this fight: due to citizen backlash, it became the first city to ban the use of facial recognition software by police and municipal authorities. Reports say that Oakland may soon follow its lead.

Tenants in Brooklyn, New York, are protesting a landlord’s plans to install facial recognition software in their building. If the protest succeeds, it will serve as a useful precedent for fighting future potentially unethical uses of this software.

In other parts of the world, like China, protests were obviously not held against this tech, but the Uighur minority members who manage to get away (usually to Turkey as a preferred asylum destination) are complaining about the all-controlling digital surveillance tech back home.

Protesting facial recognition software is not all political; there are also economic ways of sanctioning the use of technologies which are perceived as infringing people’s privacy.

Advocacy groups are joining forces to pressure big tech companies like Google and Microsoft not to sell facial recognition software to the government. Google agreed to the requests and said it will not release such software for now, until it finds good ways to ensure its ethical use.

Amazon protestors using printed masks of Jeff Bezos in order to condemn facial recognition software, via NYTimes. 

Amazon acknowledged the tech’s potential for abuse but continued seeking partnerships with federal agencies. As a result, it is now facing investor pressure to stop selling facial recognition tech to law enforcement. Its employees are protesting it as well, though with little success so far. Luckily, investors stepped in to call for an ethics check on the practice, with a greater potential of obtaining results.

Regular citizens are also fighting the use of facial recognition software by sharing on social media the incidents they are subjected to. In the digital age, such disclosures can gain considerable traction. Thanks to these small but significant efforts, several new problems were revealed, beyond the privacy infringement and the potential to lead to totalitarian rule.

Apparently, facial recognition software can also be racially and gender biased. Because it was fed biased photos (authorities were hungry to push images into it indiscriminately, including celebrity photos and everything they could get their hands on from private citizens without consent), facial recognition software has trouble correctly identifying women and black people. Women of color are a particularly affected category, since they are subjected to a double bias.

Facial Recognition Software Tech Details: How It Works

Just as photo cameras were, in a way, designed to crudely imitate the human eye, facial recognition software was modelled on the way people recognize faces.

Step 1: At least one picture of your face is captured by the software, whether from public sources, from CCTV video or from elsewhere.

Step 2: The facial recognition software ‘reads’ the geometry of your face and measures the proportional distances between the main features, their depth, 3D shapes and so on.

Step 3: All this is compiled into a set of mathematical data – your face’s formula.

Step 4: This string of numbers is then compared against a database of millions of other face captures, and the likeliest match is drawn.

Two examples of facial recognition software fails, via PopularMechanics.

This is the basic way it works. Is it accurate? Not really, several sources attest, but it does seem to get better and better thanks to more data being fed into it (with or without consent) and artificial intelligence algorithms.
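To make steps 3 and 4 concrete, here is an added example (not from the original post, and not modelled on any real facial recognition product) that treats each face as a constructed numeric vector and runs the ‘likeliest match’ search against a small database. The vector length, the names and the 0.6 similarity threshold are assumptions; the point is that a search which always draws the likeliest match attaches a name to every stranger, while a threshold lets the system answer ‘no match’.

```python
import math
import random

DIM = 128  # length of the constructed "face formula" vector (assumption)


def _normalize(vec):
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]


def random_embedding(rng):
    """Constructed stand-in for step 3: one unit vector per captured face."""
    return _normalize([rng.gauss(0.0, 1.0) for _ in range(DIM)])


def perturb(vec, rng, sigma=0.02):
    """Simulate a second capture of the same face (lighting, angle, etc.)."""
    return _normalize([x + rng.gauss(0.0, sigma) for x in vec])


def cosine_similarity(a, b):
    # Inputs are unit vectors, so the dot product is the cosine similarity.
    return sum(x * y for x, y in zip(a, b))


def closest_match(probe, database):
    """Step 4 as the text describes it: the likeliest match is always drawn."""
    best_name, best_score = None, -1.0
    for name, vec in database.items():
        score = cosine_similarity(probe, vec)
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def thresholded_match(probe, database, threshold=0.6):
    """Same search, but refuse to name anyone below a similarity threshold."""
    name, score = closest_match(probe, database)
    return (name if score >= threshold else None), score


def build_database(rng, names):
    return {name: random_embedding(rng) for name in names}


def false_match_rate(database, n_strangers, threshold, seed=1):
    """Fraction of people NOT in the database who still get a name attached."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_strangers):
        name, _score = thresholded_match(random_embedding(rng), database, threshold)
        if name is not None:
            hits += 1
    return hits / n_strangers


def demo():
    rng = random.Random(42)
    names = ["person_%02d" % i for i in range(50)]  # constructed watchlist
    db = build_database(rng, names)
    # Re-capture of an enrolled face: high similarity, correct name.
    known = thresholded_match(perturb(db["person_07"], rng), db)
    # A stranger: closest_match still hands back somebody; the threshold does not.
    stranger = random_embedding(rng)
    return {
        "known": known,
        "stranger_no_threshold": closest_match(stranger, db),
        "stranger_threshold": thresholded_match(stranger, db),
        "fmr_no_threshold": false_match_rate(db, 200, threshold=-1.0),
        "fmr_threshold": false_match_rate(db, 200, threshold=0.6),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the enrolled face matched with similarity above 0.9, the stranger named anyway without a threshold (every one of 200 strangers gets a match) and rejected with one.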

How to Confuse Facial Recognition Software

Since the use of facial recognition software, even by law enforcement, is not yet regulated, resisting it does not constitute a crime. Harsher climates may press charges, but this only leads to greater public backlash. A recent case of a UK man being fined after covering his face to elude facial recognition software has sparked even more energetic opposition to police using this tech.

The interesting part is that, since there are no laws yet regulating the use of facial recognition software (in the UK), not only is resisting it not illegal, but the police’s use of it is not yet explicitly legal either.

Still, until the matters are settled and each country negotiates its own limits on the use of this controversial tech, let’s take a look at how facial recognition software can be confused.

There are at least 3 ways, but it’s debatable for how long they will continue to work.

#1. Wear a partial mask:

The old cover-up method is by far the most effective, but in some places, it can get you in trouble, as in the case of the UK man discussed above. Since you’re wearing a face mask, it’s pretty clear that you’re trying to hide your identity and that can draw unwanted attention from the police.

#2. Wear special clothing items for confusing facial recognition software:

There are several clothing items with confusing patterns that were specially designed to prevent cameras using facial recognition software from telling where your face is: for example, a pair of psychedelic glasses, this scarf by Hyphen-Labs, an anti-surveillance coat, or a baseball cap that projects tiny laser dots onto your face, invisible to the human eye but confusing for the software.

Anti-Face, the art project by CVDazzle.

#3. Wear irregular make-up designed for confusing facial recognition software:

Another creative way to confuse facial recognition software is through make-up. The CVDazzle group has developed a series of looks that make your face untrackable, but their efforts are meant as a form of artistic protest rather than a practical everyday solution for eluding recognition.

Positive Examples of Facial Recognition Software Applications

Since I want to maintain a non-biased overview of everything related to facial recognition software, I feel we should also note some of its applications which can make a positive difference in the world.

I won’t include crime prevention in the list, even though it is often mentioned by authorities as the main reason for a wide-spread employment of facial recognition software methods. While it may indeed have a positive impact on preventing or reducing crime, I stand with those who believe individual freedom is more important than collective security.

Here are a few cool applications of facial recognition software:

Final Words

Facial recognition software, especially the advanced types used at the state level, is based on powerful machine learning technologies. Thus, unfortunately, even if you manage to confuse it through creative means, the algorithms are bound to catch up and improve. Perhaps digital artists will be able to keep up and find new ways to confuse the software in a game of cat and mouse, for a while.

But the real target of those concerned about facial recognition software should still remain the political debate and negotiation. The recent victory of citizens over local authorities in San Francisco has proved that where there’s a will, there’s a way. Nonetheless, no one should ignore the positive aspects which may come from facial recognition software.

Still, being more careful about what data we share and with whom should be a must for all of us. How about you? Who logs into their cell phone with facial recognition?

The post Facial Recognition Software 101: Current Debates and How to Elude It appeared first on Heimdal Security Blog.

How Technology and Politics Are Changing Spycraft

Interesting article about how traditional nation-based spycraft is changing. Basically, the Internet makes it increasingly possible to generate a good cover story; cell phone and other electronic surveillance techniques make tracking people easier; and machine learning will make all of this automatic. Meanwhile, Western countries have new laws and norms that put them at a disadvantage over other countries. And finally, much of this has gone corporate.

GDPR one year on

May 2019 marks the first anniversary since the General Data Protection Regulation came into force. What has changed in the world of privacy and data protection since then? BH Consulting looks at some of the developments around data breaches, and we briefly outline some of the high-profile cases that could impact on local interpretation of the GDPR.

Breach reporting – myths and misconceptions

Amongst the most immediate and visible impacts of the GDPR was the requirement to report data breaches to the supervisory authority. In the context of GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The regulation introduced a duty on all organisations to report personal data breaches to the supervisory authority where they are likely to pose a risk to data subjects. This report must take place within 72 hours of the controller becoming aware of the breach, where feasible. There are additional obligations to report the breach to data subjects, without undue delay, if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.

Between May 2018 when GDPR came into force, and January 2019, there were 41,502 personal data breaches reported across Europe, according to figures from the European Data Protection Board. In Ireland, the Data Protection Commission recorded 3,542 valid data security breaches from 25 May to 31 December 2018. This was a 70 per cent increase in reported valid data breaches compared to 2017.

Notwithstanding the uptick in the number of reported breaches, it has been suggested that many organisations are still unsure how to spot a data breach, when a breach may meet the criteria for reporting, or even how to go about reporting. With this in mind, the key lessons to consider are:

Not every breach needs to be reported

Organisations controlling and processing personal data should have a process in place to assess the risks to data subjects if a breach occurs. This assessment should focus on the severity and likelihood of the potential negative consequences of the breach on the data subject.

Assess the risks

When assessing whether to report, the controller will need to consider the type of breach, sensitivity and volume of the personal data involved, how easily individuals can be identified from it, the potential consequences and the characteristics of the individual or the controller (such as if the data relates to children or it involves medical information).

Who’s reporting first?

It’s possible the supervisory authority may hear about the breach from other sources including the media or affected data subjects. If this is the case, an authority such as the DPC may reach out to the affected organisation first, even before that entity has reported.

Establish the facts

As a final point, it is important not to forget that, even if you do not need to report a breach, the GDPR requires you to document the facts relating to it, its effects and the remedial action taken. Therefore, you should keep a record of all privacy incidents, even if they do not rise to a reportable level. This will help you learn from any mistakes and meet accountability obligations.

Points to note

Keep in mind that it is not just about reporting a breach; organisations must also contain the breach, attempt to mitigate its negative effects, evaluate what happened, and prevent a repeat.

Breach reporting myths

Several misconceptions quickly emerged about GDPR, so here is a short primer to clarify them:

  1. Not all data breaches need to be reported to the supervisory authority
  2. Not all details need to be provided as soon as a data breach occurs
  3. Human error can be a source of a data breach
  4. Breach reporting is not all about punishing organisations
  5. Fines are not necessarily automatic or large if you don’t report in time

Resource cost – beyond the obvious

There have been a limited number of GDPR-related fines to date (see below) but this amount is likely to increase. Aside from financial penalties relating to breaches, organisations and businesses also need to consider the cost involved in complying with the regulation more generally.

This includes the resources needed to engage with a supervisory authority like the Data Protection Commission, as well as the amount of time it typically takes to manage a subject access request (SAR). The number of SARs is increasing because GDPR allows individuals to make a request free of charge.

GDPR enforcement actions: Google

In the runup to May 25 2018, there had been significant doubts about effective enforcement of the GDPR. If the seemingly invulnerable American social media and technology giants were able to ignore requirements without consequence, what would happen to the credibility and enforceability elsewhere? But against the current global backdrop, those technology companies have become far less invulnerable than they once seemed. Most cases are still making their way through the appeals procedure, but initial verdicts and sanctions are causing ripples for everyone within scope.

On January 21, 2019, the French Supervisory Authority for data protection (CNIL) fined Google €50 million for GDPR violations – the largest data protection fine ever imposed. The case raises several important privacy issues and provides useful insights into how one supervisory authority interprets the GDPR.

CNIL’s decision focuses on two main aspects: (i) violation of Google’s transparency obligations under the GDPR (specifically under Articles 12 and 13) and (ii) the lack of a legal basis for processing personal data (a requirement under Article 6). The CNIL is of the opinion that the consent obtained by Google does not meet the requirements for consent under the GDPR. Google is appealing the decision.

The decision dismisses the application of the GDPR’s one-stop-shop mechanism by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would have made Ireland’s DPC the competent authority, rather than the CNIL). Since the fine is more than €2 million, it is clearly based on the turnover of Alphabet, Google’s holding company in the United States, not on any European entity.

GDPR enforcement actions: Facebook

On 7 February, Germany’s competition law regulator, FCO, concluded a lengthy investigation into Facebook and found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

Facebook has not been fined; instead, the FCO imposed restrictions on its processing of user data from private users based in Germany. Facebook-owned services such as WhatsApp and Instagram may continue to collect data but assigning that data to a Facebook user account will only be possible with the user’s voluntary consent. Collecting data from third party websites and assigning it to a Facebook user account will also only be possible with a user’s voluntary consent.

Facebook is required to implement a type of internal unbundling; it can no longer make use of its social network conditional on agreeing to its current data collection and sharing practices relating to its other services or to third party apps and websites. Facebook intends to appeal this landmark decision under both competition and data protection law in the EU.

Other enforcement actions

After Birmingham Magistrates’ Court fined workers in two separate cases for breaching data protection laws, the UK Information Commissioner’s Office warned that employees could face a criminal prosecution if they access or share personal data without a valid reason.

The first hospital GDPR violation penalty was issued in Portugal after the Portuguese supervisory authority audited the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. The failure to implement appropriate access controls is a violation of the GDPR, and the hospital was fined €400,000 for the violations.

Lessons from year one

For data controllers and processors, the lessons to be learned from the first year of GDPR are clear:

Transparency is key

You must give users clear, concise, easily accessible information to allow them to understand fully the extent of the processing of their data. Without this information, it is unlikely that any consent you collect will be considered GDPR-level consent.

Fines can be large

CNIL’s response to Google demonstrates that regulators will get tough when it comes to fines and take several factors into account when determining the level of fine.

Watch the investigations

There are currently 250 ongoing investigations (200 arising from complaints or breaches and 50 opened independently by the data protection authorities), so these will be interesting to watch in 2019.

Lead Supervisory Authority identity

Google and Facebook have both appointed the DPC in Ireland as their lead supervisory authority and have raised this in the appeals process. CNIL took the lead in the Google investigation, even though Google has its EU headquarters in Ireland, because the complaints were made against Google LLC (the American entity) in France.

Further challenges

Challenges to the way the tech giants use personal data show no sign of dwindling. A complaint has been filed with Austria’s data protection office in respect of a breach of Article 15 GDPR, relating to users of Amazon, Apple, Netflix, Google (again) and Spotify being unable to access their data. 2019 should be an interesting year for privacy.

What lies ahead?

The GDPR cannot be seen in isolation; it emerged at the same time as a growing public movement that frames privacy as a fundamental right. The research company Gartner identified digital ethics and privacy as one of its top trends for 2019. From a legislative perspective, the GDPR is part of a framework aimed at making privacy protection more robust.

PECR is the short form of the Privacy and Electronic Communications (EC Directive) Regulations 2003. They implement the e-privacy directive and they sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights on electronic communications and they contain specific rules on marketing calls, emails, texts and faxes, cookies and similar technologies, keeping communications services secure and customer privacy relating to traffic and location data, itemised billing, line identification, and directory listings.

Further afield in the US, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 and will come into effect on 1 January 2020. It’s intended to give California residents the right to know what personal data is being collected about them, and whether that information is sold or disclosed. Many observers believe the Act will trigger other U.S. states to follow suit.

For the remainder of 2019 and beyond, it promises to be an interesting time for privacy and data protection.

The post GDPR one year on appeared first on BH Consulting.

The Concept of "Return on Data"

This law review article by Noam Kolt, titled "Return on Data," proposes an interesting new way of thinking of privacy law.

Abstract: Consumers routinely supply personal data to technology companies in exchange for services. Yet, the relationship between the utility (U) consumers gain and the data (D) they supply -- "return on data" (ROD) -- remains largely unexplored. Expressed as a ratio, ROD = U / D. While lawmakers strongly advocate protecting consumer privacy, they tend to overlook ROD. Are the benefits of the services enjoyed by consumers, such as social networking and predictive search, commensurate with the value of the data extracted from them? How can consumers compare competing data-for-services deals? Currently, the legal frameworks regulating these transactions, including privacy law, aim primarily to protect personal data. They treat data protection as a standalone issue, distinct from the benefits which consumers receive. This article suggests that privacy concerns should not be viewed in isolation, but as part of ROD. Just as companies can quantify return on investment (ROI) to optimize investment decisions, consumers should be able to assess ROD in order to better spend and invest personal data. Making data-for-services transactions more transparent will enable consumers to evaluate the merits of these deals, negotiate their terms and make more informed decisions. Pivoting from the privacy paradigm to ROD will both incentivize data-driven service providers to offer consumers higher ROD, as well as create opportunities for new market entrants.

Don’t have your account hijacked. Secure your online accounts with more than a password, says Google

Research published at the end of last week argues that the typical user can significantly harden the security of their online accounts by linking a recovery phone number that can send an alert if there is suspicious activity on the account.

Read more in my article on the Hot for Security blog.

Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report. The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter. Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services … More

The post Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks appeared first on Help Net Security.

Israeli firm linked to WhatsApp spyware attack faces lawsuit

Amnesty International fears its staff may be ‘surveilled via NSO Pegasus software’

The Israeli firm linked to this week’s WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Related: WhatsApp spyware attack was attempt to hack human rights data, says lawyer

Related: WhatsApp hack: have I been affected and what should I do?

Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware

WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets sent during a call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and released an update for affected versions.

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly gaining access to phone accounts by having the phone swapped to a SIM card in their control. The group would then fraudulently access cryptocurrency accounts by bypassing 2-factor authentication, since login codes were sent to devices under their control. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that scripts for the “Trust Seals” provided by Best of the Web to highly-rated websites were compromised and modified to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still linking customers to the compromised seals. This type of supply chain attack has risen in popularity recently: hackers have been seen injecting payment-stealing malware into several large online retailers’ websites since the beginning of the year.

Fast Retailing Data Breach

The online vendor Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the brand’s online stores. The attack took place within the last three weeks and targeted payment information with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and delivered emails with further information for those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access to not only the device’s MAC address, but also device names and other critical settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could even use geolocation to gauge the approximate location of the exploited device, all without authentication.

The post Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware appeared first on Webroot Blog.

The largest breaches over the past three years have caused massive and irreparable damage

Publicly traded companies suffering the worst data breaches averaged a 7.5 percent decrease in stock price, a Bitglass report reveals. Bitglass researched the three largest data breaches of publicly traded companies from each of the last three years in order to uncover cybersecurity trends and demonstrate the extensive damage that can be done by improper security. Among the incidents detailed in the Kings of the Monster Breaches report are the Marriott breach of 2018, the … More

The post The largest breaches over the past three years have caused massive and irreparable damage appeared first on Help Net Security.

Half of companies missed GDPR deadline, 70% admit systems won’t scale

Even if given two years notice to achieve GDPR compliance, only half of companies self-reported as compliant by May 25, 2018, a DataGrail survey reveals. “The Age of Privacy: The Cost of Continuous Compliance” report benchmarks the operational impact of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as sharing insights into lessons learned and attitudes toward privacy regulations. DataGrail surveyed more than 300 U.S. privacy management … More

The post Half of companies missed GDPR deadline, 70% admit systems won’t scale appeared first on Help Net Security.

Duckduckgo vs Google: A Security Comparison and How to Maximize Your Privacy

Preoccupied with privacy? You’ve come to the right place. In today’s guide, I’ll go through everything you should know about Duckduckgo vs Google, how each of them works and how you can make the switch work for you (or not). You’ll also get performance comparisons, pros and cons for each product and advice on how to make the most of your privacy.

Should you decide in the end to switch to the Duckduckgo search engine over Google (I won’t tell you what to do; the decision is entirely yours after getting all the info below), I’ll also share extra advice on how to make the most of your Duckduckgo products. Since the software suite is not limited to the search engine, there are also some other software products to consider. But first things first: let’s check out the Duckduckgo vs Google competition, comparison, and in-depth analysis.

Duckduckgo vs Google: The Competition Between Them and the Shift of Users

Usually, when people think of the Duckduckgo vs Google competition they are immediately thinking of the search engine Duckduckgo vs the search engine Google. Namely, this debate is about whether to use Duckduckgo or Google as your default browser search engine and / or homepage.

Even though Duckduckgo has other tools and apps besides its search engine, as I’ll get into below, for now let’s keep referring strictly to the search engine. This way, you’ll understand better what all the fuss is about with the Duckduckgo vs Google debate. Here’s an overview of public perception on it and everything you need to know about the context of this competitive comparison.

As the tools and techniques used for data gathering have slowly turned into more and more comprehensive algorithms tracking scores of information, both consumers and businesses have become more preoccupied with privacy. The rise of the so-called big data and big tech conglomerates has led to an increased level of surveillance which makes most people uncomfortable.

The fact that Google logs users’ searches on its own servers has contributed to the growing discomfort of concerned users. Incognito mode does not change this: it only stops the browser from keeping a local history and cookies, while Google, the sites you visit and your network operator still see exactly what they always did.

If they’re not particularly concerned with how Google itself manages their personal data, then they’re concerned about data breaches.

Nowadays, with so many breaches making the headlines, it’s hard to trust that your data will remain as private as you’d like. Even if the entities you’re willing to share that data with have your confidence, no one is truly unhackable.

So How Are Duckduckgo and Google Competing?

Google doesn’t compete with Duckduckgo so much, in the grand scheme of things. Google is the big guy in the industry and while they are certainly aware of their smaller competitors catching up, it’s not really the same league. Yet.

Virtually all internet users tend to be Google search engine users, by default. The main strategy for Google is to try to hold on to the users it has by implementing better security and privacy protection measures. This is something definitely on their agenda, but the issue still remains that user data is tracked. Therefore, Google is leaking some users who are leaving its boat in order to climb aboard that of Duckduckgo.

For their part, Duckduckgo are directly positioning themselves as an alternative and competitor to the Google search engine. Their blog sets out to answer the very direct question of ‘Why You Should Use Us Instead of Google’.

So, why do some users prefer switching to Duckduckgo from Google? Here’s our unbiased comparison.

Duckduckgo Search Engine at a Glance: Pros and Cons

Obviously, since many users (exact number unknown) are switching to Duckduckgo from Google, the product is a great one, for people who are more concerned with privacy.

Why is the number of Duckduckgo users unknown?

Well, that’s the beauty of it: not even Duckduckgo knows exactly how many users it has, precisely because they do not track them. Nice, right?

However, according to their official approximations, based on the number of searches they get each month and on the assumption that each user makes about one search per day on average (so 30 per month), their total user pool should be around 25 million people. That’s pretty impressive.

As a side note, I’d like to point out that my intuition says people make more than 30 searches per month if they are active internet users. And if they heard about Duckduckgo enough to use it, they are probably tech-savvy and active enough online to use their devices almost daily. Therefore, I’d say that there’s a good chance that some users only switch to Duckduckgo when they are doing searches which they would rather keep truly private. Funny thought.

As you can see, the main advantage, unique selling point and promise of the Duckduckgo search engine is its utter privacy. Here’s the entire picture of my Duckduckgo review, broken down in pros and cons.

Pros of Duckduckgo as a search engine:

  • No search history collected or stored, per Duckduckgo’s privacy policy. (This covers what Duckduckgo itself keeps; the sites you click through to, and anyone watching your network, still see what they always did. If you want the protection to extend beyond searches to all your browser activity, you need to install the complementary Duckduckgo products described below.)
  • No ads targeting you based on your searches.
  • No behavioural targeting applied to you based on your searches and other interests.
  • You can be sure you are getting the same search results as all other users (no targeting or profiling).
  • 1-page search results. Infinite scroll: as long as you keep going down, more search results keep loading. It’s a well-known fact that many users don’t make it to the second page of Google search results, but Duckduckgo just presents to you more info on the same page so you never have to click next and lose the initial results from sight.

Cons of Duckduckgo as a search engine:

  • Has a few nice extra perks and features, but still not as many as Google. Just think of Google Maps, Google Flights, Google Finance, Google Books, etc.
  • Less personalization: Duckduckgo doesn’t remember your search history, which is technically an advantage for privacy, but it can also be less convenient sometimes.

screenshot with duckduckgo search

For example, here’s a Duckduckgo search I did for ‘Aviatorilor’, a place in Bucharest, the city I live in. Normally, with Google, I would also get the option of quickly checking on the map where that place is and how to get there from my location, how long it will take and so on.

In terms of privacy, Duckduckgo clearly wins. But if privacy is not your main concern, Google is an incredible product as well, and not one to reject without careful consideration. Here’s how things look from the other side, too.

Google Search Engine at a Glance: Pros and Cons

Google is not the immediate loser in this competition, however. Not only because it’s still leagues ahead of Duckduckgo in usage, with most internet users still on the Google search engine.

But it also has unique advantages when compared to Duckduckgo, advantages which derive precisely from its data collecting practices. After all, even if your personal data is used by Google to make money, you still get a few benefits too.

It all comes down to whether you prefer privacy or personalization. Since personalization requires data storing, you can’t have both.

So, here are the pros and cons of the Google search engine, very briefly.

Pros of Google as a search engine:

  • Displays unique content (including advertising content) tailored for your preferences and history
  • Offers built-in features which can be of help (like Google Maps, or help with calculating your trajectory to a place you’re searching for, or search results filters like Books or Flights, etc.)
  • Remembers your search history (this also counts as a con, but it can be helpful in some cases when you want to revisit a web page you forgot to save elsewhere)
  • It’s integrated with your other Google accounts and products, which can sometimes be rewarding.

Cons of Google as a search engine:

  • Remembers your search history (also counts as a pro if you need it, see above).
  • Not even incognito browsing is truly private: it only stops the browser from keeping local history and cookies, while Google, the sites you visit and your network operator still see your traffic (read the fine print the next time you open an incognito tab in Chrome, or a private window in Mozilla Firefox, for that matter).
  • Monetizes your data by selling advertisers the ability to target you, and gives them sophisticated tools for tracking you across the web, so you can be bombarded with tailored ads. (Google does not hand the raw data to advertisers; it sells access to audiences built from it, which is cold comfort from the user’s side.)
  • Has scanned the content of Gmail messages to target ads. Google said this was an automatic process that no human employee saw, and announced in 2017 that it would stop using Gmail content for ad personalization, but other account activity is still used, and the idea remains uncomfortable for some users. Imagine, for example, that you and your partner are surprised with an unexpected pregnancy and you’re considering abortion, only to be spammed with baby carriage ads all of a sudden.

How to Protect Your Privacy with the Duckduckgo Search Engine

If you decide to go for Duckduckgo as a way to protect your privacy a bit more, here is everything you need to know in order to make the most of it. The goal is to increase your privacy while also making sure you understand all the ways you can use the Duckduckgo technology to its fullest potential and, if possible, preserve some of the convenience we are used to from the Google days.

Frequently asked questions about Duckduckgo

Q: Can you browse dark web websites with Duckduckgo?

A: Not on its own. Duckduckgo indexes the ordinary web; reaching .onion sites on the dark web is the job of the Tor browser, which routes your traffic through the Tor network. What you can do is use the Duckduckgo search engine inside the Tor browser (it is the Tor browser’s default search engine, and Duckduckgo also publishes an onion mirror of its search page), which is how many users search from inside Tor.

That still doesn’t mean that doing illegal things on the dark web or on the deep web will stay secret, however. Law enforcement can and does investigate illegal activity there (as it should). But as far as privacy goes, the combination does two different jobs: Tor hides your network address from the sites you visit (and from the other users of those sites), and Duckduckgo makes sure your searches are not logged or tied to a profile.

Q: What browser is better for privacy, Tor or Duckduckgo?

A: First of all, let’s make something clear: Tor and Duckduckgo are not the same kind of thing. Tor is a browser (and a network) that hides your network address from the sites you visit; Duckduckgo is a search engine that does not log your searches. On desktop there is no Duckduckgo browser, only the Duckduckgo extension (available for Chrome, Firefox and the other major browsers). You can use Duckduckgo as the search engine in the Tor browser, and that is indeed a much more private combination than using Duckduckgo in Chrome, even with the extension installed.

On the other hand, there are Duckduckgo browsers for mobile devices (more on those in the products section below). Mobile devices also have the option of the Tor browser for Android. The two are not equivalent, privacy-wise: the Duckduckgo mobile browser blocks trackers but connects to sites directly, so the sites and your network operator still see your IP address, whereas the Tor browser routes your traffic through the Tor network. Pick the one that matches what you are trying to hide, and from whom.

Q: How does Duckduckgo make money if it blocks ads?

A: One of the major things that puts people off regarding Google is that it makes money by selling advertisers access to you, based on your data. You know what they say – when a product is free of charge, it’s because you are the product.

So, in search of more privacy and less misuse of their data (or less risk of data breaches), people switch to Duckduckgo. But then they think ‘wait, but Duckduckgo is also free’. So how do they make money, then, if they don’t store and sell data?

Just because they offer you complete privacy, it doesn’t mean Duckduckgo has no advertising ties. The Duckduckgo business model is still based on advertising and affiliate revenue. The ads are displayed on the right of your search results, based on the exact keyword of the search. But unlike Google, those ads are not personalized (as in, based on your search history, demographics, shopping history, etc.), because your data is not tracked.

Other Duckduckgo Products to Consider

Mainly, Duckduckgo is a search engine and that’s their core product offering: a search engine whose privacy practices go well beyond Google’s, which is great for the users who are concerned about this. In today’s digital landscape, we should all be a little more watchful of our private data and what happens to it.

So the privacy aspect of the Duckduckgo search engine is what makes people use them.

The search engine is their main product, and you can access and use it directly at its URL. It’s simple and clean and requires no other product for its use.

On the other hand, you can also access this search engine from the Duckduckgo products which complement it. Here are the options:

  • The Duckduckgo extension for Chrome: As far as security goes, this is a great Chrome extension to add*. It’s great if you want to keep using Google Chrome (it’s not like you want to reject the brand altogether) but still make sure that the Duckduckgo search engine is used everywhere in your browser by default, and that your data is not collected or stored. Using the Duckduckgo extension for Chrome will also block advertising trackers.
  • The Duckduckgo Privacy Browser (Android app): This is a privacy browser meant to be used on tablets and smartphones using the Android OS.
  • The Duckduckgo Privacy Browser (Apple app): This app is the same, but issued for Apple mobile devices (like iPhones).

You will notice that there is no Duckduckgo browser for computers or laptops. The Duckduckgo extension for Google Chrome (and for the other desktop browsers it supports) sets Duckduckgo as the default search engine and blocks trackers in the browser you already use; it does not, however, change what that browser itself reports to its vendor.

Of course, you can still use the Duckduckgo search engine with other browsers as well, such as Mozilla Firefox, or Opera and so on.

Some users who really want to maximize their privacy protection use the Tor browser with the Duckduckgo search engine. Duckduckgo is actually the default search engine for the Tor browser, especially desirable for users who want to browse the deep web or the dark web safely.

Important note: you will notice many other sources and blogs saying Duckduckgo is a ‘safe browser’ or ‘secure browser’. This safety and security they are referring to only extends to the privacy aspect. Using Duckduckgo will not keep you safe from viruses, malware, ransomware, and other internet dangers. Only a full security solution (based both on an anti-virus component and a traffic filtering, proactive component, like our Thor Premium Home) can protect you from cyber-attacks.

*You can also check out other great Google Chrome extensions for increased security (all hand-picked by us and devoid of any ulterior motive like compensation or whatever).

Bonus: 15 Extra Duckduckgo Features which Google Doesn’t Have

#1. Seeing social media bios

You can have links to the social media profiles featured on a website directly from the search results. If you want to connect to an author or customer support for a specific business and so on, Duckduckgo will point you directly to those profiles, no need to enter the website and manually search for them.

#2. App store alternatives to apps

You can search for apps in the app stores just as you would do in any other search engine, but Duckduckgo will also present you with alternatives for the same thing. No more time wasted on scout work.

#3. The Duckduckgo bangs

This is a very cool feature that allows you to search within a specific website for the words you want. Here is the entire list of Duckduckgo bangs.
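As an added illustration (not code from Duckduckgo or from this post), here is a small Python routing function that handles the bang syntax the way the search box does: the bang can lead or trail the query, the remaining terms are percent-encoded so that characters like & or # cannot change the destination URL, and only bangs from an allow-list are routed, so the redirector cannot be abused as an open redirect. The three-entry bang table and its URL templates are assumptions for the example; the real list is far longer.

```python
from urllib.parse import quote, urlsplit

# Constructed, hypothetical bang table for this example (the real list is at
# duckduckgo.com/bang). Each template takes the percent-encoded query as {q}.
BANGS = {
    "w": "https://en.wikipedia.org/wiki/Special:Search?search={q}",
    "gh": "https://github.com/search?q={q}",
    "so": "https://stackoverflow.com/search?q={q}",
}


def parse_bang(query):
    """Return (bang, remaining_terms), or (None, query) when no bang is present.

    The bang may sit at the start or the end of the query: "!w cve" and
    "cve !w" both mean "search Wikipedia for cve". A bare "!" is not a bang.
    """
    tokens = query.strip().split()
    if not tokens:
        return None, ""
    if tokens[0].startswith("!") and len(tokens[0]) > 1:
        return tokens[0][1:].lower(), " ".join(tokens[1:])
    if tokens[-1].startswith("!") and len(tokens[-1]) > 1:
        return tokens[-1][1:].lower(), " ".join(tokens[:-1])
    return None, query.strip()


def route(query):
    """Build the redirect URL for a bang query, or None if there is no known bang.

    Two checks a practitioner wants in a redirector like this:
    - the search terms are percent-encoded (safe="" also encodes "/"), so
      "&", "#" or "/" in the query cannot alter the structure of the URL;
    - only bangs from the allow-list are routed, so an attacker cannot make
      the service redirect to an arbitrary host of their choosing.
    """
    bang, terms = parse_bang(query)
    if bang is None or bang not in BANGS:
        return None
    url = BANGS[bang].format(q=quote(terms, safe=""))
    # Defensive check: the host must still be the one from the template.
    assert urlsplit(url).netloc == urlsplit(BANGS[bang]).netloc
    return url


if __name__ == "__main__":
    for q in ("!w heap overflow", "heap overflow !gh", "a&b#c !so", "!evil x"):
        print(f"{q!r:25} -> {route(q)}")
```

Unknown bangs fall through to `None`, which a real front end would treat as an ordinary search rather than an error; the point is that the only way to leave the site is through a template you wrote yourself.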

#4. Weather data available instantly

You can search for simple things like ‘Is it raining in [town name]?’ and you’ll find out what you need to know instantly.

#5. Keyboard shortcuts

Macros and other cool keyboard shortcuts are just a few settings away in Duckduckgo.

#6. Emoticon ‘translations’

Not sure what an emoticon like ‘;;)’ means? Just ask Duckduckgo. (P.S: It’s something from the ancient times of Yahoo Messenger and I know it because I’m old. No, I’m not serious about the last part).

#7. Quick stopwatch

Just what the name says.

#8. Drink recipes

If you search for stuff like ‘how to make a mojito’, the recipe will be displayed right in the search results, no click required. Cheers!

#9. Password generator

Like the generators built into browsers and password managers, Duckduckgo will produce a random password for you as an instant answer. (Long, unique passwords matter because of credential stuffing attacks, where passwords leaked from one site are tried on every other site.) Unlike a browser, it does not store the result in any way; keeping it is up to your memory or your password manager. One caveat: a password produced by a web service has travelled over the network before you ever see it, so for anything that matters prefer a generator that runs locally, such as the one in your password manager.
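If you would rather not rely on a web service for this, generating a password locally takes a few lines. The following is an added example, not Duckduckgo’s code, using Python’s `secrets` module (the operating system’s cryptographic random source); the entropy helpers show why length and alphabet size matter. The 94-character printable alphabet is an assumption for the example; narrow it if a site rejects some symbols, and lengthen the password to compensate.

```python
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character uniformly from alphabet using the OS CSPRNG.

    secrets.choice is the right primitive here: random.choice is seeded from a
    Mersenne Twister whose output is predictable once enough of it is seen.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string: length * log2(distinct symbols)."""
    return length * math.log2(len(set(alphabet)))


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Smallest length reaching target_bits of entropy with this alphabet.

    Digits alone need almost twice the length of the full alphabet for the
    same strength, which is the practical reason to allow symbols.
    """
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20):.1f} bits")
    print("length for 128 bits, full alphabet:", length_for_bits(128))
    print("length for 128 bits, digits only:  ", length_for_bits(128, string.digits))
```

Twenty characters from this alphabet is about 131 bits, comfortably beyond what an offline guessing attack against a hashed password database can cover; for credential stuffing the property that matters is that the password is unique to the site, which a manager gives you for free.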

#10. Finding rhymes

Troubled by some poetry writing and you just can’t find the rhyme? Or you’re unsure whether two words actually rhyme? No worries, ask Duckduckgo and it will tell you. Yes, seriously.

#11. Calendar as an instant answer

Google also has a calendar feature, but with Duckduckgo it’s an instant answer. You can just search for ‘March 2021’ and you will instantly see the month calendar laid out right in the search results.

#12. Loan calculators

Need help figuring out interest rates and stuff? Duckduckgo has you covered with this too.

#13. Cool features for developers

Plenty of nice things. Here are just a few:

  • Generate lorem ipsum text quickly and automatically
  • URL-encode links and other text (percent-encoding)
  • Convert binary numbers to decimal
  • Convert content to ASCII text
  • Show a list of special characters and their HTML entity codes
  • Show the HTML entity code for any special character
  • Convert color names to their hexadecimal codes
  • Show colors based on hexadecimal values

#14. Anagram solver

If you have a poetry writing assistant built-in, why not also an anagram solver assistant? Yes, it really works.

#15. Instant text converting for lower-case, upper-case and capital letter

This is super-useful whenever you need to modify a text in this regard, and it’s not something the Google results page offers.

Final words

If you think these Duckduckgo features look good, rest assured that there are many, many more. Some are downright useful, others just cute, but there’s no denying that Duckduckgo is on the right track when it comes to popularity.

This surge isn’t limited to the geek community. More and more users are making their choice in the Duckduckgo vs Google battle, and it’s not in favor of the Google giant.

The post Duckduckgo vs Google: A Security Comparison and How to Maximize Your Privacy appeared first on Heimdal Security Blog.

Smashing Security #128: Shackled ankles, photo scrapes, and SIM card swaps

A bad software update causes big headaches for Dutch police, but brings temporary freedom to criminals. SIM swaps are in the news again as fraudsters steal millions. And does your cloud photo storage service have a dirty little secret?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Rip Off Britain’s David McClelland.

Identity theft victims could lead us to accept more security-improving friction

Far too many individuals who have never been victims of identity theft and financial crimes don’t understand how devastating those are to victims. “There are many victim services organizations that assist violent crime victims and the understanding of the trauma and the victim experience is not questioned (which is very appropriate and as it should be),” Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), told Help Net Security. After all, we … More

The post Identity theft victims could lead us to accept more security-improving friction appeared first on Help Net Security.

Twitter inadvertently collected and shared iOS location data

Twitter has confirmed that a bug in its iOS app was the root cause of the inadvertent collection of location data and its sharing with a third party.

In a new story of a violation of users’ privacy, Twitter revealed that due to a bug it collected and shared iOS location data with a third-party advertising company.

Fortunately, only one partner of the micro-blogging firm was involved, and the data collection and sharing occurred only in certain circumstances.

“We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.” reads the security advisory published by Twitter.

“Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,”

Twitter admitted that it had failed to remove the location data from the information shared with the trusted advertising partner, which accessed it during the real-time bidding process.

The company pointed out that the shared location data could not be used to track individuals because it had implemented technical measures to “fuzz” the information: Twitter explained that what was shared was no more precise than a zip code or city (roughly a 5 km square).

Twitter did not share users’ handles or other unique account IDs, which means the partner could not link a specific user’s identity to a geographic location from this data alone.

“The partner did not receive data such as your Twitter handle or other unique account IDs that could have compromised your identity on Twitter.” continues the announcement.

“This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner,”

More good news: the partner did not retain the data, which was deleted “as part of their normal process.”


Twitter has already fixed the issue and notified all the impacted users, but it did not reveal the extent of the incident or for how long it shared the data with its partner.

“We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us. We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day,” concludes Twitter.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post Twitter inadvertently collected and shared iOS location data appeared first on Security Affairs.

UK government security decisions can be challenged in court, judges rule

Supreme court says GCHQ’s hacking powers should be subject to judicial review

Government security decisions will in future be open to challenge in the courts after judges ruled that a secretive intelligence tribunal could not be exempt from legal action.

By a 4-3 majority, supreme court justices declared that the extent of GCHQ’s powers to hack into internet services should be subject to judicial review.

Related: GCHQ discloses secret location of former London office

Continue reading...

Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders

Cybersecurity, privacy and technologies—from mission-critical to digitally transformative—top the list of challenges IT audit teams and leaders grapple with every day, according to a study conducted by ISACA and Protiviti. An executive summary of the study notes the growing role and responsibilities of IT audit in digital transformation, partnerships between the IT organization and IT audit function, and differences in how IT audit leaders operate compared to other IT audit professionals. The 2019 IT Audit … More

The post Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders appeared first on Help Net Security.

The iOS Twitter Bug: 3 Tips to Protect Your Location Data

Many of us use social media to keep our family and friends up-to-date on our everyday lives. We don’t typically expect social media companies to keep their partners updated on our every move as well. But for some Twitter users, this is exactly the situation they’ve found themselves in. On Monday afternoon, the social media company disclosed a bug that resulted in some Twitter users’ locations being shared with an unnamed Twitter partner.

So, how exactly did this bug disclose the locations of certain Twitter users? The social network accidentally sent advertising partners location data for a process called real-time bidding. This process lets advertisers pay for space based on certain users’ locations. Twitter intended to remove the location data from what it sent to its partners but failed to do so. Affected users include those who had more than one Twitter account on an iOS device. If the user chose to share their precise location on one account, Twitter says it may have collected and shared data for the other account on the same mobile device even if that account had opted out of location sharing. Although the location data was “fuzzed” to only show a ZIP code or city, it is still unclear as to how long this location sharing took place.
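To make the mechanics of the bug concrete, here is an added example in Python (not Twitter’s code; the payload field names are hypothetical) that models the two things both write-ups of this incident on this page describe: the consent check that was effectively evaluated per device instead of per account, and the “fuzzing” that coarsens a precise coordinate to roughly a 5 km cell before it goes into a bid request. The coordinates used when you run it are constructed sample input.

```python
import math
from dataclasses import dataclass

KM_PER_DEG_LAT = 111.32   # approximate; varies little with latitude
CELL_KM = 5.0             # the coarseness Twitter described (zip code / city)


def coarsen(lat, lon, cell_km=CELL_KM):
    """Snap a precise coordinate to the corner of a ~cell_km grid cell.

    Snapping (rather than adding random noise) is deterministic: repeated
    reports from the same place give the same cell and cannot be averaged
    back to the true point. The longitude step is sized from the snapped
    row, because degrees of longitude shrink toward the poles.
    """
    lat_step = cell_km / KM_PER_DEG_LAT
    snapped_lat = math.floor(lat / lat_step) * lat_step
    lon_step = cell_km / (KM_PER_DEG_LAT * max(math.cos(math.radians(snapped_lat)), 0.01))
    snapped_lon = math.floor(lon / lon_step) * lon_step
    return round(snapped_lat, 6), round(snapped_lon, 6)


@dataclass
class Account:
    handle: str
    precise_location: bool   # the per-account opt-in


def location_allowed_buggy(accounts, active_handle):
    """Models the reported bug: the opt-in is evaluated for the device, so any
    opted-in account on the phone enables collection for every account."""
    return any(a.precise_location for a in accounts)


def location_allowed_fixed(accounts, active_handle):
    """Correct check: only the active account's own opt-in counts, and an
    unknown account means no consent."""
    return any(a.handle == active_handle and a.precise_location for a in accounts)


def build_bid_request(accounts, active_handle, lat, lon, allowed=location_allowed_fixed):
    """Assemble the payload shared with an ad partner for real-time bidding.

    Hypothetical field names. The handle and account id are deliberately
    absent, and the location, when present at all, is the coarsened cell.
    """
    payload = {"app": "twitter-ios", "placement": "timeline"}
    if allowed(accounts, active_handle):
        c_lat, c_lon = coarsen(lat, lon)
        payload["geo"] = {"lat": c_lat, "lon": c_lon, "precision_km": CELL_KM}
    return payload


if __name__ == "__main__":
    # Constructed sample: one opted-in account and one opted-out account on the same phone.
    accounts = [Account("alice", True), Account("bob", False)]
    lat, lon = 44.4268, 26.1025
    print("bob, buggy check:", build_bid_request(accounts, "bob", lat, lon, location_allowed_buggy))
    print("bob, fixed check:", build_bid_request(accounts, "bob", lat, lon))
```

The coarsening matters, but it is the second line of defence; the first is the consent check, and that is where the fault was. Note also what the payload never carries: with no handle or account id, a leaked coarse location is hard to tie to a person, which is why Twitter could say the data could not identify anyone.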

According to Twitter, the location data was not retained by the partner and they have fixed the problem to ensure that it doesn’t happen again. And while affected users have already been notified by the social network, there are some steps users can take to help protect their data:

  • Turn off location services. While social media is meant for sharing, there is some information, like your location, that ought to be kept private. If a cybercriminal knows where you are at a specific point in time, they could potentially use that information to your disadvantage. Consider your overall privacy and opt out of sharing your location data with social media platforms. In this case the per-account opt-out is exactly what the bug bypassed, so the control that actually stops collection is the operating system’s location permission for the app itself.
  • Update, update, update. No matter what type of bug might be affecting a certain platform, it’s always crucial to keep your software up-to-date. Turning on automatic updates will ensure that you are always equipped with the latest patches and security fixes.
  • Use a comprehensive security solution. Using a solution like McAfee Total Protection helps to add an extra layer of security in case a bug does expose your device or data.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The iOS Twitter Bug: 3 Tips to Protect Your Location Data appeared first on McAfee Blogs.

The Guardian view on hacking: a dangerous arms trade | Editorial

Cyberweapons are dangerous in themselves. Their proliferation makes them much more harmful

NSO Group, an Israeli firm that has risen to a billion-dollar valuation on the strength of the aggressive hacking tools it sells to authoritarian governments across the Arab world, is being sued by lawyers and activists who claim to be victims of its software. One of the lawyers involved in the suit was targeted some weeks ago by mysterious WhatsApp calls to his phone in the middle of the night. When he contacted technical experts, they discovered Pegasus 3, an aggressive virus that can apparently install itself on a phone without the victim taking any action at all. Once installed, it takes control of the device, recording conversations and video. It can destroy the evidence of its own arrival and existence, and control any files on the device. In effect, it turns a smartphone into the perfect spying device, which the victim will carry everywhere with them.

Similar programs are widely available to abusers of all sorts, which is one reason why many domestic violence shelters ban the use of smartphones. But the ones that can easily be bought require some action from the victim, usually a misplaced click, or else a few moments’ access to their phone. The NSO malware targeting WhatsApp is different in that it could install itself without the victim doing anything at all. To discover and exploit the programming mistakes that opened this vulnerability would take years and cost millions of dollars. That is why it’s assumed that only states, or state-backed actors, have the resources to produce them.

Continue reading...

WhatsApp spyware attack was attempt to hack human rights data, says lawyer

NSO Group technology reportedly used against lawyer involved in civil case against the Israeli surveillance firm

The UK lawyer whose phone was targeted by spyware that exploits a WhatsApp vulnerability said it appeared to be a desperate attempt by someone to covertly find out the details of his human rights work.

The lawyer, who asked not to be named, is involved in a civil case brought against the Israeli surveillance company NSO Group whose sophisticated Pegasus malware has reportedly been used against Mexican journalists, and a prominent Saudi dissident living in Canada.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.

Related: Mexico accused of spying on journalists and activists using cellphone malware

Continue reading...

WhatsApp urges users to update app after discovering spyware vulnerability

The spyware, developed by an Israeli cyber intelligence company, was delivered through WhatsApp voice calls and took control of the phone’s operating system

WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function.

The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.

Related: WhatsApp 'deleting 2m accounts a month' to stop fake news

Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.

Continue reading...

Spying on personal alarms and GPS trackers is as simple as sending an SMS

Security experts found that the devices – manufactured in China, and rebadged by multiple companies around the world – are vulnerable to a simple hack that could allow a hacker to track their location, and even secretly listen in via the microphone.

Read more in my article on the Bitdefender BOX blog.

That’s classified! Our top secret guide to helping people protect information

As information security professionals, we often face a challenge when trying to explain what we mean by ‘data classification’. So here’s my suggestion: let’s start by not calling it that. In my experience, the minute you call it that, people switch off.

Our role should be to try to engage an audience, not scare them away. Classification sounds like a military term, and if the reaction that greets you is an eye-roll that says: ‘you’re talking security again’, then they’ve zoned out before you’ve even got to the second sentence. I try to change the language, because otherwise, what we have here is a failure to communicate.

In reality, it’s very simple if you explain what you mean by classification. If we strip away any jargon or names, what we’re doing is asking an organisation to decide what information is most important to it. Then, it’s about asking the organisation’s people to apply appropriate layers of protection to that information based on its level of importance.

De do do do, de da da da

Who needs to use data classification? These days, it’s everyone. Why is it important? Why make people do this work? Data is a precious commodity. Think of it like water in many parts of the world: there’s a lot of it about, it’s too easily leaked if you don’t protect it, it’s extremely valuable if you control the source, and you can combine it with other things to increase its worth. Well, it’s a similar story with data. Data is just a bunch of numbers, but context turns it into information. You could have 14 seemingly random numbers, and that’s data. Now, split them into two groups, one of eight digits and another of six digits with some dashes in between. Suddenly those numbers become a bank account number and sort code. Then it’s information.

Message in a bottle

The first step for security professionals to win people over to the concept is to make it real for their audience. If your message is personal, people can relate it to what they have to do in their work.

We handle types of information in different ways and make decisions all the time on who should have access to it. Think of it this way: do you file paperwork – utility bills, appointment letters, bank statements – at home? Would you leave your payslip lying around the home for your kids to read?

In a work context, a CEO might want their executive assistant to access their calendar for meetings, but they don’t necessarily want to share their bank account details to see how much money they make or what they spend it on.

Naturally, the type of information that’s most valuable will vary by industry, so you have to adapt any message to suit. In healthcare, it might be sensitive medical records about someone’s health. For someone working in food and drinks industry, maybe IP (intellectual property) like the recipe to the secret sauce or the package design are the most valuable items to protect. In pharmaceuticals, it might be the blueprints or ingredients in a new drug.

You don’t have to put on the red light

So now we’ve established that information may have different values, how do we group them? Deciding on the value of information may require the employee to apply good judgement. I like using the traffic light idea of three tiers of information (red, amber and green) rather than the binary option of just public or private. Those three levels then become public (green), confidential (amber), and restricted or private (red). It allows for an extra level of data management, and therefore protection, where needed, but three is still a simple number to grasp.

This approach is easy to picture. People can very quickly understand what category information falls into, and what to do with it. Using the traffic light approach, public material (green) might be a brochure about a new product, or it could be the menu in the staff canteen. That’s the material that you want many people to see. The company contact directory or minutes from a meeting would be confidential (amber). Items that aren’t for general distribution outside board level (such as merger discussions) are extremely sensitive or privileged (red).

Once we know what we’re protecting, we get to the how.

  • If we’re dealing with physical paper documents, we can mark the sensitive information with a red sticker or red mark on the corner. The rule might be: never leave a red file unattended unless an authorised person is actively reading it and doing something with it. You know it shouldn’t leave the building unless it’s extremely well protected.
  • If the mark or sticker is amber, the person holding it must lock it away overnight.
  • Any document with a green mark doesn’t have to be locked away.

Every breath you take

You can extend that system beyond individual files to folders and to filing cabinets if necessary. You can apply this very easily by adding the appropriate colour to each document, folder, filing cabinet or even rooms in the building. Leave marker pens, stickers or anything that clearly shows the classification available for people to use.

It’s relatively easy to get people to apply the exact same marking system to electronic data. So you mark the Word file or Excel sheet with the same colour scheme, then folders, and so on. Once you’ve put the colours on it, applying the rules is easy. If you use templates or forms of any kind, it’s easy to start applying rules automatically, and you can then tie the classification in to your data leakage prevention (DLP) tools by blocking the most sensitive information from leaving the organisation, or at least flagging it for attention. It’s possible to put markers in the metadata of document templates, so amber or red documents could prompt the user to encrypt them before sending.
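As an added illustration (this is not code from the BH Consulting post), here is a PowerShell script that reads a traffic-light marker from a document’s custom properties and returns the decision an outbound DLP filter would apply. The property name "Classification", the sample custom.xml and the amber/red handling rules are constructed for the example; Get-DocxCustomXml shows how the same marker is pulled from a real .docx, since Office keeps custom document properties at docProps/custom.xml inside the OOXML zip package.

```powershell
# Added example, not from the BH Consulting post. Reads the traffic-light
# marker a template writes into a document's custom properties and returns
# the handling decision a DLP egress filter would apply.
# Assumption (constructed for this example): the template stores the marker
# in a custom property named "Classification" with value Green, Amber or Red.

# Constructed docProps/custom.xml for an amber-marked document.
$SampleCustomXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
            xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Classification">
    <vt:lpwstr>Amber</vt:lpwstr>
  </property>
</Properties>
'@

function Get-DocxCustomXml {
    # Pull docProps/custom.xml out of a real .docx (an OOXML zip package).
    param([Parameter(Mandatory)][string]$Path)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('docProps/custom.xml')
        if ($null -eq $entry) { return $null }      # document has no custom properties
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { return $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }
}

function Get-DocumentClassification {
    # Returns Green, Amber, Red or Unmarked. Anything unexpected is treated
    # as Unmarked so a mistyped marker never silently downgrades to Green.
    param([string]$CustomXml)
    if ([string]::IsNullOrWhiteSpace($CustomXml)) { return 'Unmarked' }
    $doc = [xml]$CustomXml
    $prop = @($doc.Properties.property) | Where-Object { $_.GetAttribute('name') -eq 'Classification' }
    if (-not $prop) { return 'Unmarked' }
    $value = ([string]$prop.lpwstr).Trim()
    if (@('Green', 'Amber', 'Red') -contains $value) { return $value }
    return 'Unmarked'
}

function Get-EgressDecision {
    # Handling rule for an outbound message carrying the document.
    param(
        [string]$Classification,
        [bool]$ExternalRecipient,
        [bool]$Encrypted
    )
    switch ($Classification) {
        'Green' { return 'Allow' }                      # public material
        'Amber' {                                       # confidential
            if ($ExternalRecipient -and -not $Encrypted) { return 'Flag: encrypt before sending' }
            return 'Allow'
        }
        'Red' {                                         # restricted
            if ($ExternalRecipient) { return 'Block: restricted material must not leave the organisation' }
            if (-not $Encrypted) { return 'Flag: encrypt before sending' }
            return 'Allow'
        }
        default { return 'Flag: unmarked document, ask the author to classify it' }
    }
}

# Demo on the constructed sample: amber document, external recipient, no encryption.
$class = Get-DocumentClassification -CustomXml $SampleCustomXml
"{0} -> {1}" -f $class, (Get-EgressDecision -Classification $class -ExternalRecipient $true -Encrypted $false)
```

For a real file, replace the sample with `Get-DocumentClassification -CustomXml (Get-DocxCustomXml -Path 'C:\path\to\report.docx')`. The fail-closed choice in Get-DocumentClassification matters: a missing or misspelled marker is flagged for the author rather than treated as public, which is the failure mode a colour-based scheme is most exposed to.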

Ultimately, we’re in the business of changing behaviour, and the net result should be that people become more aware of information and data protection because it’s a relatable concept that they’re applying in their daily work, almost without realising.

So if not classification, what do we call it? The importance of information? Data management? It’s still not very snappy, so any suggestions or answers on a postcard please.

Oh, and as a footnote, if you have any information you want everyone in the company to read, just put it in an unsealed envelope marked “CONFIDENTIAL” and leave it near the printer/photocopier/coffee area. I guarantee everyone passing will take a look.

The post That’s classified! Our top secret guide to helping people protect information appeared first on BH Consulting.

How to Secure your PC after a Fresh Windows Installation [Updated 2019]

You chose to install the Windows operating system on your computer or, for various technical reasons, you had to reinstall it. Whatever your reasons, it’s important to keep in mind the various security layers after this procedure, so your computer is safe from threats.

How to secure your PC after a fresh Windows installation

After finishing the Windows installation, whether it’s Windows 7, 10 or another operating system, we encourage you to follow these security measures below to enhance protection:

1. Keep your Windows operating system up to date

Probably the most important step is to check for the latest security updates and patches available for your Windows operating system.

To get security updates automatically, go to “Control Panel” and check whether automatic updating is enabled, or follow these steps:

  1. Access the search box in your Windows operating system, type Windows Update.
  2. Select Advanced options.
  3. Click on Automatically download updates in case it is not already selected/turned on.

After checking for available updates for your Windows operating system, keep the automatic update turned on in order to download and install the important updates that can help protect your PC against new viruses or next-generation malware.

Always remember to keep your OS up to date with the latest security updates available. Software patching remains essential to online safety, and security experts rightly emphasize its importance. Cybercriminals still exploit security holes in unpatched systems and PCs. That’s one of the reasons why cyber attacks still work and why attackers make a lot of money from them.

2. Update your software

You don’t have to update only the Windows operating system, but your software as well. Therefore, make sure all the latest updates and security patches for your main programs and apps are installed.

Needless to say, the most popular pieces of software (such as Java, Adobe Flash, Adobe Shockwave, Adobe Acrobat Reader), especially outdated versions, are constant targets for malicious actors who exploit them to get easier access to your sensitive data.

Since these pieces of software are always under threat from criminal minds, don’t rely on your memory to manually update every program or application you have installed.

A better option is to use a dedicated cyber security solution that keeps your software up to date for you.

3. Create a restore point

If you have already installed the security updates for Windows, the next recommended step is to create a restore point in Windows.

You can do this by clicking on the Start button, then select Control Panel -> System and Maintenance (or System and Security) -> System. Then select System protection and click the Create button.

After installing Windows, you can create the Restore Point and name it Clean installation, and continue installing drivers and applications.

If one of the drivers causes issues on the system, you can always go back to the Clean installation restore point.

4. Install a traditional antivirus product

When you consider installing an antivirus program on your PC, make sure you use one from a legitimate company, because there are fake security products out there. It is important to have a reliable security solution on your system, which should include real-time scanning, automatic updates, and a firewall.

To find the best antivirus that suits your needs, read this ultimate guide, which will teach you more about antivirus products, their main features and what you should look for.

If you choose to install a security product that doesn’t have a firewall, make sure you have turned on the Windows firewall.

To turn it on, go to Control Panel, select System and Security, then Windows Defender Firewall, and choose Turn Windows Defender Firewall on or off.


5. Install a proactive security solution for multi-layered protection

On our blog, we explained on many occasions why traditional antivirus is no longer the go-to solution, simply because it cannot keep up with the rise of new and advanced online threats. Financial malware especially is created to steal sensitive data and confidential information and it uses sophisticated methods to do so.

Next-gen malware usually has the ability to evade detection and bypass the antivirus software that users have installed on their PCs to keep their data safe. We recommend reading these 12 behind-the-scenes examples of spam campaigns, which show a low detection rate for AV engines during the first stages of a cyber attack.

With the help of a proactive cybersecurity solution, you get the best protection against financial and data-stealing malware, such as Zeus or Cryptolocker.

To improve the financial control of your online banking account, you can always set banking alerts to track your account activity and apply these simple and effective financial protection tips.

6. Back up your system

You have updated the operating system and your applications, installed additional security products to keep your system safe, and even created a Clean installation restore point for Windows.

The steps above are meant to keep you safe from malicious software and online threats, but you may still encounter hardware issues that could endanger your private information.

To make sure your data stays safe, you should use a twofold strategy that combines an external hard drive with an online backup service.

We need to emphasize the importance of having a backup solution that provides stability (look for a big company name), is easy to use (so you won’t have a headache backing up your files), allows you to synchronize your files with the online backup servers and provides some sort of security, such as encryption capabilities.

Our guide on how to do a data backup includes more information on the most popular backup solutions available and the best ways to keep your data safe.

At the same time, you could simply use your Windows Backup system. To set it up, access your Windows Control Panel and then click Backup and Restore to access the location. From this place, you can set an automatic backup, create a schedule and even choose a network location for your backup files.

7. Use a standard user account

Windows provides a certain level of rights and privileges depending on what kind of user account you have. You may use a standard user account or an administrator user account.

To secure your PC, it is recommended to have a standard account to prevent users from making changes that affect everyone who uses the computer, such as deleting important Windows files necessary for the system.

With a Standard user account, you have limited rights and cannot do things like changing system settings, or installing new software apps, hardware or changing the username and passwords. Here’s why you should use an account like this one and how to create it.

If you want to install an application or make security changes, remember that you will need an administrator account.

We also recommend that you set a strong password for your Windows user account.

Use this security guide that will help you set unique and strong passwords and manage them like an expert.

Top Security Tip:
Using a standard account ensures that a piece of malware which infects a limited-user account won’t do as much damage as one infecting an administrator account.

8. Keep your User Account Control enabled

User Account Control (UAC) is an essential security feature of Windows that prevents unauthorized changes to the operating system. Many users have the tendency to disable it after installing/reinstalling the Windows operating system.

We don’t recommend turning it off. Instead of disabling UAC, you can decrease the notification level using the slider in the Control Panel.

UAC monitors what changes are about to be made to your computer. When important changes are requested, such as installing a program or removing an application, UAC pops up asking for administrator-level permission.

In case your user account is infected with malware, UAC helps you by keeping suspicious programs and activities from making changes to the system.

9. Secure your web browser before going online

Here’s another thing to do after installing Windows: pay attention to browser security. Since our web browser is the main tool used to access the Internet, it is important to keep it safe before going online.

The vulnerabilities in your web browser are like open door invitations to cybercriminals who find creative ways to harvest your most important data. For example, if you are using Adobe Flash, be aware of its security flaws and how it can expose you to attacks.

To stay safe while accessing various web pages, follow these steps:

  1. Choose the latest version for your browser.
  2. Keep it updated.
  3. Choose a private browsing session when you access a website you are not sure about. This mode prevents authentication credentials (or cookies) from being stored, where attackers could steal them.
  4. Since data-stealing malware spreads through malicious code embedded in pop-up windows, even on legitimate websites, make sure your web browser can block pop-ups.

And there’s even more you can do. Use these step-by-step instructions to enjoy the most secure browsing.


10. Use an encryption software tool for your hard drive

Even if you set a password to your Windows account, malicious actors can still get unauthorized access to your private files and documents. They can do this by simply booting into their own operating system – Linux, for example – from a special disc or USB flash drive.

A solution for this case is to encrypt your hard drive and protect all your sensitive files. This level of security is especially recommended if you have a laptop, which can very easily be stolen, but the same applies to a desktop computer.

A free encryption tool you can use is BitLocker, which is available on the latest Windows operating systems and you can enable it at any moment. Even after you have enabled the BitLocker protection, you won’t notice any difference because you don’t have to insert anything else but your normal Windows user account password. The benefits of using this encryption tool:

  • It encrypts your entire drive, which makes it impossible for a thief who steals your laptop to remove the hard drive and read your files.
  • It also protects your data if your PC or laptop is lost or stolen.
  • It is easy to use and already integrated into Windows, so there’s no need to install another encryption tool.

If you’d rather use another solution, here’s a full list of encryption software tools you can choose from to protect your data.

11. Be careful online and don’t click on suspicious links

To make sure you won’t be infected by clicking on dangerous links, hover the mouse over the link to see whether it points to a legitimate location. If you were supposed to reach your favorite news website, such as “www.cnn.com”, but the link indicates “hfieo88.net”, then you probably shouldn’t access it. Chances are you’ll be infected with malware and cybercriminals will steal your sensitive data.

URL shortening services, such as goo.gl or tinyurl, are handy, but a shortened link doesn’t show where it leads, and in some cases an unknown link may send you to a malicious site that can install malware on the system.

So, how can you know where you’ll arrive if you click it?

To make sure you are heading in the right direction, use a free tool such as Redirect Detective, which will allow you to see the complete path of a redirected link. Another tool that can be very helpful in checking suspicious links is the reliable URL checker VirusTotal.

For more information on how to maximize your financial data protection, check out this article.
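As an added example (it is not code from the Heimdal post), the script below is a read-only PowerShell audit that confirms, on Windows 10, the settings steps 1, 3, 4, 7, 8 and 10 above ask you to put in place. It assumes an elevated PowerShell session and the Defender, NetSecurity, LocalAccounts and BitLocker modules that ship with Windows 10 Pro; every cmdlet used is a standard Windows one, while the function names New-Finding and Invoke-PostInstallAudit are this example’s own. Nothing is changed, only reported.

```powershell
# Added example, not part of the original post: a read-only audit of the
# post-installation settings discussed in steps 1, 3, 4, 7, 8 and 10.
# Run from an elevated PowerShell on Windows 10. Assumption: the BitLocker,
# NetSecurity, Defender and LocalAccounts modules are present (Windows 10 Pro
# or later). Nothing is modified; each check is reported as a finding.

function New-Finding([string]$Check, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Invoke-PostInstallAudit {
    $findings = @()

    # Step 1: automatic updates. Windows Update Agent COM API; NotificationLevel 4
    # means "download and install on schedule". Last installed hotfix is shown too.
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    $lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $findings += New-Finding 'Automatic updates' ($au.NotificationLevel -eq 4) `
        ("NotificationLevel={0}; last hotfix {1} on {2}" -f $au.NotificationLevel, $lastFix.HotFixID, $lastFix.InstalledOn)

    # Step 3: at least one restore point exists (e.g. the "Clean installation" one).
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    $findings += New-Finding 'Restore point' ($points.Count -gt 0) `
        ("{0} restore point(s); latest: '{1}'" -f $points.Count, ($points | Select-Object -Last 1).Description)

    # Step 4: real-time antivirus and a firewall on every network profile.
    $mp = Get-MpComputerStatus
    $findings += New-Finding 'Real-time AV' ($mp.RealTimeProtectionEnabled -and $mp.AntivirusEnabled) `
        ("signatures {0} day(s) old" -f $mp.AntivirusSignatureAge)
    $offProfiles = @(Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' })
    $findings += New-Finding 'Firewall' ($offProfiles.Count -eq 0) `
        ("disabled profiles: " + (($offProfiles.Name -join ', ') -replace '^$', 'none'))

    # Step 7: the everyday account should not be a member of local Administrators.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
    $isAdmin = $admins -contains $env:USERNAME
    $findings += New-Finding 'Standard user account' (-not $isAdmin) `
        ("{0} is {1}a local administrator" -f $env:USERNAME, $(if ($isAdmin) { '' } else { 'not ' }))

    # Step 8: UAC enabled (EnableLUA=1) and not set to "never notify"
    # (ConsentPromptBehaviorAdmin=0, the bottom of the Control Panel slider).
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOk = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorAdmin -ne 0)
    $findings += New-Finding 'UAC' $uacOk `
        ("EnableLUA={0}; ConsentPromptBehaviorAdmin={1}" -f $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin)

    # Step 10: BitLocker protecting the system drive (absent on Home editions).
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $blOk = ($bl.ProtectionStatus -eq 'On') -and ($bl.VolumeStatus -eq 'FullyEncrypted')
        $detail = "ProtectionStatus={0}; VolumeStatus={1}" -f $bl.ProtectionStatus, $bl.VolumeStatus
    } catch {
        $blOk = $false
        $detail = "BitLocker not available: $($_.Exception.Message)"
    }
    $findings += New-Finding 'BitLocker (system drive)' $blOk $detail

    return $findings
}

Invoke-PostInstallAudit | Format-Table -AutoSize
```

Each row with Passed = False maps back to one numbered step above, so the table doubles as a checklist after the install. Because the script only reads state, it can be re-run at any time to confirm that a later driver or application install did not quietly disable the firewall or UAC.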

Conclusion

It’s not just about staying safe. 

The guide above is meant to keep you safe online. But, at the same time, following these security measures means that you also set up your system to work smoothly for online browsing and financial operations, activities you do every day.

Since there are many other solutions to protect a system after a Windows installation, we would like to know your opinion on this.

How do you increase your security after a Windows installation?
Do you have a particular routine?
We’d love to add your tips to the list, so share them in the comments below.

The post How to Secure your PC after a Fresh Windows Installation [Updated 2019] appeared first on Heimdal Security Blog.

A False Sense of Cybersecurity: The Riskiest States in America

Like many Americans, you might think your online habits are safe enough—or, at least, not so risky as to put you in danger for cybercrime. As it happens, most of us in the U.S. are nowhere near as secure as we think we are.

As part of our recent survey to better understand people’s attitudes, perspectives, and behaviors relating to online cyber-safety (or “cyber-hygiene”), we calculated each state’s cyber-hygiene score, which you can think of like a test score on people’s understanding and practice of good online habits. I’ve repaired computers and worked in the cybersecurity business for almost 15 years now, and I was shocked by some of the results.

Cut to the chase: just how bad were the results?

Bad. The average across all 50 states was only 60% (that’s a D in letter grades) on our scale. In fact, only 10% of Americans got a 90% or higher (i.e. an A). The riskiest states—Mississippi, Louisiana, California, Alaska, and Connecticut— combined for an average score of 56%. So what made their scores so low?

  • In Mississippi, almost 1 in 4 people don’t use any kind of antivirus and don’t know if they’ve ever been infected by malware.
  • Only 44% of Louisiana residents take any precautions before clicking links in emails, leaving themselves vulnerable. (This is a great way to get scammed by a phishing email and end up with a nasty infection on your computer.)
  • Over 43% of Californians and Alaskans share their passwords with friends or family.

What does people’s perception vs. reality look like?

Americans in every state were overconfident. An astounding 88% feel they take the right steps to protect themselves. But remember, only 10% of people scored an A on our test, and the highest scoring state (New Hampshire) still only got an average of 65% (that’s still only a D).

While the average American has a surface level understanding of common cyber threats, there’s a lot of room for education. Many of those interviewed have heard of malware (79%), phishing (70%), and ransomware (49%), but few could explain them. Defending against the most common online threats in today’s landscape requires a basic understanding of how they work. After all, the more cyber aware you are of an attack such as phishing, the greater chance you have to spot and avoid it.

Along with understanding common cyberattacks, it’s also important to recognize threats to your online privacy. An alarming number of Americans don’t keep their social media accounts private (64%) and reuse their passwords across multiple accounts (63%).

Given the number of news reports involving major companies getting breached, huge worldwide ransomware attacks, etc., we were pretty surprised by these numbers. As you’re reading these, you might be checking off a mental list of all the things you do and don’t know, the actions you do and don’t take when it comes to cybersecurity. What’s important here is that this report should act as a reminder that understanding what kinds of threats are out there will help you take the proper precautions. And, following a few simple steps can make a huge difference in your online safety.

How about some good news?

There is good news. There are some who scored a 90% or above on our test. We call them Cyber-Hygiene Superstars, because they not only take all the basic steps to protect themselves and their data online, but they go above and beyond. Cyber-Hygiene Superstars are evenly spread across the entirety of the U.S., and they help demonstrate to the rest of us that it’s easy to raise our own cyber-hygiene scores.  

Some of the standout behaviors of superstars included regularly backing up their data in multiple ways, always using antivirus, and using a VPN when connecting to public WiFi hotspots.

Superstars can also explain common attacks and are less likely to fall victim to phishing attacks and identity theft. They frequently monitor their bank and credit card statements and regularly check their credit scores.

What can you do to improve your cyber-hygiene score?

All in all, it’d be pretty easy for the average American to take their score from a D to at least a B, if not higher. You won’t have to do anything drastic. But just making a few small tweaks to your regular online behavior could work wonders to keep you and your family safe from cybercrime.

  1. Use antivirus/antimalware software.
    There are a lot of free solutions out there. While you typically get what you pay for in terms of internet security, even a free solution is better than no protection at all.
  2. Keep all your software and your operating system up to date.
    This one’s super easy. Most applications and operating systems will tell you when they need an update. All you have to do is click OK instead of delaying the update to a later date.
  3. Don’t share or reuse passwords, and make sure to use strong ones.
    You might think password sharing is no big deal, especially when it comes to streaming or gaming sites, but the more you share, the more likely it is that your passwords could end up being misused. And if the password to just one of your accounts is compromised, then any of your other accounts that use that password could also become compromised. If you’re concerned about having to create and remember a lot of unique passwords, use a secure password manager.
  4. Lock down your social media profiles.
    Making your posts and personal details public and searchable means scammers can find your details and increase their chances of successfully stealing your identity or tricking you into handing over money or sensitive personal information.
  5. If you connect to public WiFi, use a VPN.
    Antivirus software protects the device, but a VPN protects your actual connection to the internet, so what you do and information you send online stays private.
  6. Back up your data.
    Cloud storage is a great solution. But it’s a good idea to do a regular physical backup to an external drive, too, particularly for important files like tax documents.
  7. Don’t enable macros in Microsoft® Office documents.
    If you’re ever trying to open a document and it tells you to enable macros, don’t do it. This is a common tactic for infections.
  8. Use caution when opening email attachments.
    Only open attachments from people you know and trust, and, even then, be extra careful. If you’re really not sure, call the person and confirm that they really sent the file.

Want to see where your state ranks? See the full list or read more about our study and findings here.

Test your knowledge and see where the Webroot Community stacks up against the rest of America: Join our daily contest for a chance to win prizes! Contest ends at 4:00pm MT on May 21, 2019.

Methodology
Webroot partnered with Wakefield Research to survey 10,000 Americans, ages 18 and up, with 200 interviews in each of the 50 states. This survey was conducted between February 11 and February 25, 2019, using an email invitation and an online survey instrument. The margin of error is +/- 0.98 percentage points for the total audience of this study and +/- 6.9 percentage points for each state at the 95% confidence level.

The post A False Sense of Cybersecurity: The Riskiest States in America appeared first on Webroot Blog.

GDPR and Data Breach Risks: An Interview with Bogdan Manolea of ApTI

May 2018 brought on the mandatory implementation of GDPR regulations for Europe, but, de facto, for the entire world since European users can freely roam across the internet of pretty much all countries.

Much to the fretting of virtually everyone else around the world, lots of companies and websites located outside the EU had to review and restructure not just the text of their privacy policies, but their actual data collection practices.

GDPR One Year Later: An Interview with Bogdan Manolea

Now, a year later, on the law’s 1st anniversary since its implementation, I decided to have a talk with someone who understands much more about it than me, namely Bogdan Manolea from the Romanian Association for Technology and Internet (APTI) and from Trusted.ro (the third-party seal of approval for e-commerce websites, vouching for their safety and honesty following independent tests).

Bogdan Manolea delivering a conference talk. Photo credit: CristalStudio.ro

He doesn’t like the word expert, but I don’t really know how to introduce him without using the word. Let’s just say he’s the first person who comes to my mind whenever I have issues and doubts regarding digital rights in general (not just the very recent GDPR).

Here’s what we talked about and what his answers were. [The interview was a bit edited for length and clarity.]

1. As a GDPR expert, what’s your take on how this law was implemented in Europe and beyond, now, almost one year later since its principles became enforced?

First, I hate the words “GDPR expert”. I don’t understand how you can be an expert in a law that was adopted three years ago and it started to be implemented one year ago. This is just marketing bullshit, IMHO.

Moreover, the truth is that data protection has existed for a long time in Europe as a specific domain, and the Council of Europe Convention 108 on automatic processing of personal data has existed since 1981. Even the first EU directive dates from 1995.

So, the fact that some media picked up the subject only recently or that companies have become much more aware since the huge fines from GDPR were advertised, that is just their problem.

But the concern for privacy and personal data protection, including specific legislation on the matter, has existed in Europe for decades. Even the principles are almost the same as in 1981.

The need for a law more in line with the digital processing of personal data has been discussed for years, and the digital rights groups from Europe (including myself from APTI in Romania) have been active in pinpointing the limits of the previous directive from 1995 and asking for better legislation that is uniform across the entire EU. This is why GDPR was adopted in 2016 and started being applied in 2018.

So the principles should have been enforced for some time, actually. The fact that we are still discussing how companies are implementing the data protection principles after decades of laws in this domain shows us that the legislation was basically inefficient, to a large extent.

2. Do you think companies have mostly adapted to this new framework, by and large? Have you noticed a great array of differences in how various categories of businesses implement GDPR? For example, companies from a certain niche versus others in a different niche, or based on company size, or on their location?

It would be almost impossible for one person to have a pan-European overview of how GDPR was implemented so far. The situation depends on so many factors – size, niche, location, country, compliance with previous legislation, the quantity of data collected, etc.

From my empirical evidence, there is a huge range of compliance – from a high level of compliance in multinationals that are more used to compliance mechanisms and new regulations, especially if they come from countries with traditionally strong data protection regimes (e.g. Germany), to no compliance at all in SMEs [n. a – Small to Medium Enterprises] that do not use digital tools and are in one of the countries where the DPA (Data Protection Authority) is very weak in its enforcement.

3. So what would be in your opinion the good and bad in GDPR implementation so far?

The good thing with GDPR is that it forced companies to think more (in depth) about the personal data they are collecting in order to answer the basic questions posed by GDPR (What data? How do we collect it? For what purposes? For how long? Etc.)

There are several bad things that are worrying me:

  • The risk of missing the purpose and scope of GDPR. Instead of protecting the personal data of European citizens, we might create a layer of bureaucracy which does little for achieving this aim;
  • The absolute need for simplification and guidance for SMEs in understanding the exact steps to be done for compliance on data protection;
  • The crucial role of the DPAs in implementing the GDPR. With a dormant DPA, GDPR seems like just a nice story, with no real effects.

4. What’s the no. 1 mistake companies can make when it comes to preventing data breaches?

There are a lot of actions that can be done and it depends on the size of the company and the importance of the data that is being processed.

But one thing that strikes me personally, in almost all companies, as a measure that is easy to do and could save a lot of hassle later, is disk encryption by default (before booting the OS) of all mobile devices (laptops, mobile phones, and tablets).

I mean, these types of devices are being lost or stolen regularly all over the world. This is just human nature and it is very possible to happen to your company sooner or later. It’s almost impossible not to have any personal data on them. But still, very few companies have a mandatory policy of having all their mobile devices encrypted by default.

5. How about the no. 1 mistake they may make once a data breach has already occurred?

Probably to panic. 🙂

This is why it is helpful to have a data breach procedure and to test it from time to time. Especially in big companies, this should be a must.

6. I don’t mean to sound fatalistic, but do you think there’s a certain unavoidable component to data breaches in this new law framework? Can a company avoid penalties with a certainty of 100% through preparation? I, for one, certainly hope so & think so, but I think there are a lot of defeatist voices among company reps having a hard time adapting to the new rules.

Of course, it is unavoidable. The question about data breaches is when it will happen, not if it will happen. If it never happens, then you’re very, very lucky or you just don’t know about it.

But this is why if you report a data breach, it doesn’t automatically mean that you will be fined. Look at the numbers compiled by our colleagues from civil society (based on FoI requests to DPAs) from all over the EU and you will see this is true. But it also shows that probably the level of reporting is very different from one country to another.

You can see the table of facts and figures here.

So, in Romania, for example, by March 2019 there were 414 reported data breaches and, as far as we know, there hasn’t been any fine yet.

7. Do you know if the position of Data Protection Officer was actually created within companies, on a significant scale? As in, did companies really hire a person to fulfill this role alone, without other ‘merry weather’ responsibilities?

First, let me emphasize again that not all companies need a DPO. Article 37 of the GDPR makes it clear that private companies must employ a DPO in only two situations:

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.

Also, the DPO can be external, you don’t have to have an internal staff role for this.

Moreover, the GDPR doesn’t say that the DPO must do only that – however, it is worth emphasizing that a DPO may have other tasks that are in a conflict of interest with this position – for details see the Art. 29 WP guidelines on DPOs, Chapter 3.5.

8. What do you think of the new laws the US authorities are striving to adopt soon regarding data protection? I know there are some debates within the US to adopt new laws, but EU representatives are a bit critical of American efforts so far.

I haven’t followed the topic too closely, but what I can point out is that the EU is actually the most advanced globally in the field of data protection legislation, so it is starting to “export” this legislation to several other areas, not just to the US.

Also, I think that California, with this act, may be more advanced than other US states in these activities.

9. What’s your no. 1 advice to companies trying to navigate the post-GDPR framework of digital consumer rights?

From a privacy advocate perspective, I think there are two basic things all companies should do:

  • Do an analysis of what data you collect and whether you can live without it (thinking about your users and their rights, not with the idea “it might be helpful in the future, who knows?”). This is part of the “data minimization” direction within GDPR and if you do it properly you can actually collect less data (renouncing those bits that might have been collected for an unclear purpose anyway).
  • Keep your users informed about what you do with their data. Article 29WP has a pretty simple table as an Annex to their Opinion on transparency, which is a great guide.

For Romanian readers, I’ve written a very user-friendly guide here, on the topic of protecting yourself from conflicts with your consumers over data privacy.

10. Finally, do you have a remarkable data breach story to share, one which we could all learn a bit from? What’s the most interesting/crazy/serious/impressive case of data breach fulfilled (or averted) that you heard of?

What is remarkable for me is the long history of Facebook data breaches from the past couple of years (see the latest), some with ridiculous mistakes (Plaintext passwords? Really?) and how they got away with it. So far, at least…

Thank you, Bogdan, for your time and answers.

The post GDPR and Data Breach Risks: An Interview with Bogdan Manolea of ApTI appeared first on Heimdal Security Blog.

The privacy paradox: why do people keep using tech firms that abuse their data? | John Naughton

Despite privacy scandals, Facebook is more profitable than ever – journalists must use the tools of tech to understand why

A dark shadow looms over our networked world. It’s called the “privacy paradox”. The main commercial engine of this world involves erosion of, and intrusions upon, our privacy. Whenever researchers, opinion pollsters and other busybodies ask people if they value their privacy, they invariably respond with a resounding “yes”. The paradox arises from the fact that they nevertheless continue to use the services that undermine their beloved privacy.

If you want confirmation, then look no further than Facebook. In privacy-scandal terms, 2018 was an annus horribilis for the company. Yet the results show that by almost every measure that matters to Wall Street, it has had a bumper year. The number of daily active users everywhere is up; average revenue per user is up 19% on last year, while overall revenue for the last quarter of 2018 is 30.4% up on the same quarter in 2017. In privacy terms, the company should be a pariah. At least some of its users must be aware of this. But it apparently makes no difference to their behaviour.


Cyber News Rundown: FBI Phishing Scam


“FBI Director” Phishing Campaign

A new email phishing campaign has been making its way around the web that claims to be from “FBI Director Christopher Wray,” who would love to assist with a massive wire transfer to the victim’s bank account. Unfortunately for anyone hoping for a quick payday, the $10 million check from Bank of America won’t be arriving anytime soon, unless they are willing to enter more personal information and send it to a Special FBI agent using a Yahoo email address. While most phishing campaigns use scare tactics to scam victims, taking the opposite approach of offering a large payout seems less likely to get results.

Magecart Skimming Script Works on Dozens of Sites

Following the many Magecart attacks of recent years, a new payment skimming script has been found that allows attackers to compromise almost any online checkout page without customizing it for the specific site. The script currently works on 57 unique payment card gateways from around the world and injects both the loader and the exfiltration script when it finds the keyword “checkout” in the page’s URL.

Scammers Target Google Search Ads

Scammers are now turning to Google Ads to post fake phone numbers posing as customer support for popular websites such as eBay and Amazon. These phone scammers will often tell those who call that there is something wrong with their account and ask for a Google Play gift card code before they can help. The ads look legitimate, which causes confusion for those who call the phony numbers listed.

Citycomp Data Dumped After Blackmail Attempt

Shortly after discovering that their systems had been breached, Citycomp announced they would not be paying a ransom for a large chunk of stolen client data. Unfortunately for Citycomp, the hackers decided to make the data publicly available after not receiving their requested $5,000. Amongst the stolen data is financial and personal information for dozens of companies for which Citycomp provides infrastructure services, though it may only be an initial dump and not the entire collection.

Email Scam Robs Catholic Church of Over $1.7 Million

The Saint Ambrose Catholic Parish in Ohio recently fell victim to email scammers who took nearly $2 million from the church currently undergoing a major renovation. The scammers targeted monthly transactions made between the church and the construction company by providing “updated” bank information for the payments and sending appropriate confirmations for each transfer. The church was only made aware of the breach after the construction company called to inquire about two months of missing payments.

The post Cyber News Rundown: FBI Phishing Scam appeared first on Webroot Blog.

Is Pornhub Safe? How to Browse Adult Websites Securely

This is a question we get asked a lot and one which is floating all over the internet too, especially on discussion forums where people can stay anonymous if they want: Is Pornhub safe? Is it a safe site to enter? We decided to address it here since we’d rather let people get their facts straight on cybersecurity directly from the industry instead of scraping for half-truths around the web.

So, is Pornhub safe to browse? What should you do and not do when browsing Pornhub? What are the cybersecurity risks associated with browsing Pornhub? Can you get viruses into your computer? How about malware? What about other adult websites, how safe are those?

What can you do to protect your computer when accessing Pornhub or other adult content websites? How about your privacy, who can see what sites you are browsing and how can you hide your activity?

We’ll answer all these questions and more, right below. Keep scrolling and learn how to stay safe when browsing Pornhub and other adult websites.

Is Pornhub safe to browse for your cybersecurity?

The short answer is that no, Pornhub is not completely safe to browse, however, whenever, without taking some necessary precautions. That doesn’t mean that Pornhub is a malware or cybercriminal hub bent on causing its users harm on purpose, quite the contrary. However, there can be risks associated with browsing Pornhub which go beyond the website’s control.

Given that its popularity is so high (there were over 33.5 billion visits to Pornhub last year, according to the website’s official data) and that in many cases its visitors are not necessarily tech-savvy, it’s no wonder that Pornhub can attract cybercriminals bent on using this opportunity.

As we said, Pornhub in itself is safe and strives to stay that way, as a huge business employing lots of tech people tasked to keep the website primed. But you can still become a target for cybercriminal groups and hackers while visiting Pornhub and other adult-themed websites (especially less popular ones, with less developed security policies). This is mostly due to the ads displayed on the porn website, over which the website has little control.

Unfortunately, the prevalence of malware on porn websites is very high. According to security researcher Conrad Longmore, there’s a 53% chance of encountering malware while browsing Pornhub. Of course, security employees from Pornhub and similar websites are doing their best to keep it safe for their users and catch malware as fast as possible. But the truth remains that porn sites are still one of the most popular destinations for hackers and uploaders of malicious code.

What Are the Main Cybersecurity Risks of Pornhub?

What can these cybercriminals targeting the visitors of porn sites be after? What are the main risks you are exposed to while browsing?

#1. Computer viruses (Trojans)

Well, for one, to infect your computer with viruses. While the vast majority of viruses you can contract this way are mostly harmless, they can still slow your system significantly, as well as serve as a gateway for more dangerous stuff. These very common viruses to be found on ads displayed on porn websites can be Trojans, for the most part.

Such viruses don’t pose a huge security risk, but they can make your computer slower and create more vulnerabilities in your system, which can then be exploited to deliver more dangerous malware.

#2. Adware

Other viruses you can get from the ads displayed on Pornhub or similar websites are adware. This means that once they take root into your computer, they will cause more ads and spammy content to be displayed to you even if you’re not browsing Pornhub anymore.

This is not just annoying (it can also slow down your system); it can also be privacy-infringing, since the ads can be adult-content related. If you share your computer with other family members, you probably don’t want indecent ads popping up when other people are using the device.

#3. Malware or Spyware

Other types of malware which you can contract from clicking ads on Pornhub or similar sites are more dangerous. The cybercriminals behind them can be after your data, and considering the nature of the content you are browsing, this can be very sensitive data related to the type of adult content you are interested in, your online behavior and so on.

Sextortion scams are very common. This is when you get an email from hackers claiming to have installed spyware into your computer and filmed you while you were browsing adult websites, recording also everything you have watched and so on. They will also tell you that unless you send them money, they will send this data to your employer, family, friends and so on.

For the most part, these claims are bogus and the hackers are just fishing for the users gullible or scared enough in order to make some easy money. But in some cases, they may be real. Don’t take that chance and make sure you stay safe, first and foremost by having your device protected by a reliable anti-malware solution.

How Safe Are Other Adult Content Websites?

What about other adult websites, besides Pornhub? Are their security risks the same?

Well, for the most part, we should stress again that Pornhub is still overall safe-ish. It’s the content from third parties (ads) that you need to be wary of. The same risks from ads are also true for every other adult-themed site out there, especially those who allow publishers to stream their own content (the ‘tube’ type of porn websites).

This is because such websites make money from allowing advertisers to run embedded ads from traffic networks. In many cases, this embedded content has malicious code included in it. While the host website (the porn website running these ads) removes all ads containing malicious scripts, it can take a while for these risky ads to get detected.

But in the case of lesser-known websites, with fewer employees and less of a security network in place, the risks may actually be greater than with Pornhub. If another website you’d like to browse is also a huge one, well-known and with millions of users, the risks are probably about the same.

If we’re talking about obscure porn websites, then not only are they more likely to get infected with malware from third parties (advertisers), but they may be a front for cyber-criminality in themselves.

How to Protect Your Privacy when Browsing Pornhub?

The issue of safety has two aspects: protecting yourself from viruses, extortion, hackers, and so on, rounded up under the umbrella term ‘cybersecurity’ and the second issue of protecting your privacy from everyone around you.

Let’s start by addressing privacy first.

You may be tempted to browse Pornhub incognito to make sure no one but you knows about it. While this can be a partial solution (not to store search history, cookies and so on), incognito browsing is not really private.

Major browsers like Google Chrome and Mozilla Firefox are very upfront about this whenever you open a new incognito or private browsing window.

If your main concern is to prevent the people you live with or share a computer with from finding traces of your online activity, then incognito browsing is ok. But your internet service provider or your employer (if you ever get the bright idea of accessing such websites from your workplace’s network) can still find out the list of domains which got accessed from your computer. If people with access to your home network are a bit tech-savvy, they can figure it out too.

Also, as mentioned above, ads are one of the main sources of malicious code on porn websites. While a Chrome extension that works like an ad blocker can keep some of the risk at bay, you should know that ad blockers tend to be automatically disabled once you enter incognito browsing mode. You can manually set exceptions to ensure ad blockers work for incognito browser tabs too, but you need to do a bit of tinkering with it.

What else should you remember about your privacy when browsing Pornhub or other porn websites?

Even while browsing incognito, the website you are browsing will still collect some data about you via cookies. This is entirely normal and, in theory, protects your anonymity (they just store data about user statistics but without personally identifiable information). But if they ever get hacked, or if you install malicious software by clicking on ads while browsing, this data could be at risk of being misused or used to identify you.

The only thing which can completely protect your anonymity while browsing Pornhub and other adult websites is a VPN service. Lots of users opt for one in order to stay more anonymous online.

As for the issue of cybersecurity on adult websites as a whole, beyond privacy, here’s how you can make Pornhub browsing safe.

How to Access Pornhub Safely: 5 Tips

First and foremost, learn more about the dangers of the internet and about strengthening your online safety as a whole. It’s never too late to start educating yourself in cybersecurity for laymen. Just being here and reading this guide to Pornhub safety is a great start.

But beyond being simply aware of online risks, here’s what else you can do to stay safe while browsing Pornhub or other adult websites.

#1. Up your protection with a good anti-malware solution

This should be obvious, but to make sure you stay safe from any malware danger, you need to have an active next-generation anti-virus software. A product like our Thor Vigilance is trained to prevent the latest type of intelligent threats and protect your privacy as well.

#2. Go for a traffic filter-based security product (it’s a must!)

Next, and more importantly, traffic filtering is the advanced type of protection you most definitely need. This is especially true if you sometimes browse potentially risky websites like adult-themed ones.


In today’s cybersecurity age, when the methods of hackers are getting more and more sophisticated, traditional anti-virus is not enough anymore. An anti-virus, no matter how good it is, reacts to known threats once they already reach your system. If you’re dealing with an APT (advanced persistent threat) this may be too late.

But a traffic filtering solution, like our Thor Foresight, is based on AI and can intelligently detect threats before they reach your system. Such protective software actively scans incoming traffic and blocks malicious code before it gets a chance to target you. This way, even if you accidentally click on a malicious ad while browsing Pornhub, you’re still safe.

#3. Don’t click on ads while browsing Pornhub

Speaking of ads on Pornhub or other adult websites, don’t click them. While some may be harmless, this is where the dangers associated with porn websites are usually hidden. If you really wish to support your favorite porn website, you can find other ways to do that (like signing up for a premium subscription, for example).

#4. Don’t download anything from adult websites or related pop-ups

If the ads displayed on Pornhub and porn websites, in general, are truly malicious, they will probably try to convince you to download something. They will promise you some more HD content completely free of charge or something similar, on condition that you install some no-name video player, etc. Don’t fall for this trap!

The software such ads are asking you to install is most likely spyware or malware. Don’t install anything and close all browser windows immediately if you are prompted to start a download.

#5. Don’t buy anything (or enter credit card info) from 3rd parties

Under no circumstances should you enter your credit card info while browsing less-known, shady porn websites. You can buy a subscription from the major adult website you are browsing (like Pornhub and similar sites) if you want, this is safe.

But if you start browsing the independent websites of publishers or other websites you reached starting from your initial browsing, be mindful not to enter any sensitive information like credit card data. You may be tempted by a special access offer (either for a major discount or completely free, but only if you create a member account, which also asks for credit card info). Don’t fall for it!

The post Is Pornhub Safe? How to Browse Adult Websites Securely appeared first on Heimdal Security Blog.

Biometric Authentication Overview, Advantages & Disadvantages [Updated 2019]

What is biometric authentication?

Biometric authentication is simply the process of verifying your identity using your measurements or other unique characteristics of your body, then logging you into a service, an app, a device and so on. What’s complicated is the technology behind it, so let’s see how it works.

How biometric authentication works

To understand it better, just know that biometrics is the name for any type of body measurement and calculation. Biometric identification establishes who you are based on your body measurements. Biometric authentication goes one step further: it compares that information against a stored record and, on a match, lets you into a service.

Think of it like this: biometric identification is like a neighbor who looks through the peephole at the two people who just rang the bell. The neighbor decides which one of them is Dave based on height, hair color, eye color and so on.
Biometric authentication is the neighbor who looks through the peephole to see who is at the door. If it’s Dave, the neighbor lets him in.
If it’s not Dave, the door remains shut.


This is just the simplified explanation for biometric authentication but stay tuned!

Here’s what we will cover in this extensive explanation of biometric authentication, a fascinating technology with significant adoption in the present and huge potential in the future.

How biometric authentication works

Biometric authentication works by comparing two sets of data: the first is preset by the owner of the device, while the second belongs to whoever is trying to use it. If the two data sets are nearly identical, the device concludes that “visitor” and “owner” are one and the same, and grants access.

The important thing to note is that the match between the two data sets has to be nearly identical, not exactly identical. This is because it’s close to impossible for two biometric samples to match 100%. For instance, you might have a slightly sweaty finger or a tiny, tiny scar that changes the print pattern.

Designing the process so that it doesn’t require an exact match greatly diminishes the chance of a false negative (the device doesn’t recognize your fingerprint), but it also increases the odds that a fake fingerprint is accepted as genuine (a false positive).
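The trade-off described above, as an added example that is not part of the original article: a small Python template matcher with a tolerance, evaluated on constructed feature vectors. The “owner” and “stranger” feature values and the noise level are invented for the demo and stand in for a real fingerprint template; the matcher compares only the derived templates, never an image.

```python
# Added illustration (not from the original article): a toy template matcher
# showing why a biometric system accepts "nearly identical" rather than exact
# matches, and how the tolerance trades false rejects against false accepts.
# Feature values, noise levels and the owner/stranger vectors are constructed
# for the demo; they are not real fingerprint data.
import math
import random
from typing import Dict, List, Sequence, Tuple

Template = List[float]


def enroll(samples: Sequence[Sequence[float]]) -> Template:
    """Average several enrollment captures into one stored reference template.

    A device stores this derived representation, not the raw image; averaging
    smooths out per-capture noise (pressure, angle, sweat) so the reference is
    close to a typical capture of the same finger.
    """
    dims = len(samples[0])
    return [sum(s[i] for s in samples) / len(samples) for i in range(dims)]


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance between two templates; 0.0 means exactly identical."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def matches(reference: Template, probe: Sequence[float], tolerance: float) -> bool:
    """Accept the probe when it lies within `tolerance` of the reference.

    tolerance == 0.0 demands an exact match, which real captures almost never
    produce; a larger tolerance absorbs sweat or a small scar, but it also
    widens the region in which another person's capture is accepted.
    """
    return distance(reference, probe) <= tolerance


def error_rates(reference: Template,
                genuine_probes: Sequence[Sequence[float]],
                impostor_probes: Sequence[Sequence[float]],
                tolerance: float) -> Tuple[float, float]:
    """Return (false_reject_rate, false_accept_rate) at the given tolerance.

    FRR: fraction of the owner's own captures that are wrongly rejected.
    FAR: fraction of another person's captures that are wrongly accepted.
    """
    rejected = sum(1 for p in genuine_probes if not matches(reference, p, tolerance))
    accepted = sum(1 for p in impostor_probes if matches(reference, p, tolerance))
    return rejected / len(genuine_probes), accepted / len(impostor_probes)


def noisy_capture(true_features: Sequence[float], noise: float,
                  rng: random.Random) -> List[float]:
    """Simulate one capture: every feature shifts by up to +/- noise."""
    return [f + rng.uniform(-noise, noise) for f in true_features]


def tradeoff_demo(seed: int = 1) -> Dict[float, Tuple[float, float]]:
    """Measure FRR/FAR for several tolerances on constructed data.

    The two feature vectors are about 5.1 units apart and each capture adds at
    most 1.0 unit of noise, so:
      tolerance 0.0 rejects the owner every time (no exact match), FAR 0.0;
      tolerance 3.0 separates owner from stranger cleanly (FRR 0.0, FAR 0.0);
      tolerance 6.0 lets most of the stranger's captures through.
    """
    rng = random.Random(seed)
    owner = [10.0, 20.0, 30.0, 40.0]      # constructed: the enrolled finger
    stranger = [12.0, 18.0, 33.0, 37.0]   # constructed: someone else's finger
    reference = enroll([noisy_capture(owner, 0.5, rng) for _ in range(5)])
    genuine = [noisy_capture(owner, 0.5, rng) for _ in range(200)]
    impostor = [noisy_capture(stranger, 0.5, rng) for _ in range(200)]
    return {tol: error_rates(reference, genuine, impostor, tol)
            for tol in (0.0, 1.0, 3.0, 6.0)}


if __name__ == "__main__":
    for tol, (frr, far) in tradeoff_demo().items():
        print(f"tolerance={tol:.1f}  false-reject={frr:.2f}  false-accept={far:.2f}")
```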

Popular biometric authentication methods and how they work

There are quite a few ways of identifying a user by their own body. Below are the most popular biometric technologies that have made their way into users’ hands.

Fingerprint scanners and how prints are stored

There are three types of fingerprint scanners: optical, capacitive and ultrasound.

  • An optical scanner takes a photo of the finger, identifies the print pattern, and then compiles it into an identification code.
  • A capacitive scanner works by measuring electrical signals sent from the finger to the scanner. Print ridges directly touch the scanner, conducting current, while the valleys between ridges create air gaps. A capacitive scanner maps out these contact points and air gaps, resulting in a unique pattern. These are the ones used in smartphones and laptops.
  • Ultrasonic scanners will make their appearance in the newest generation of smartphones. These emit ultrasound pulses that reflect back into the scanner. Like a capacitive scanner, it forms a map of the finger unique to the individual.

How are your fingerprints stored?

Both Google and Apple store your fingerprint on the device itself and do not make a copy of it on their own servers.

Apple’s TouchID won’t store the actual image of the fingerprint, but a mathematical representation of it. So even if a malicious hacker reaches this mathematical representation, they cannot reverse engineer it to reveal an actual image of your fingerprint. Not only that, but the fingerprint data itself is encrypted.

As this security researcher pointed out, TouchID can be hacked but it’s still an extremely safe method of biometric authentication. For someone to hack an iPhone using TouchID sensors, they would need a really good copy of someone’s fingerprint. This will get them access to your unlocked phone, but not to a copy of your fingerprint, so it differs from stealing a password.


Also, not even the device’s OS can access the fingerprint data directly, much less an app. Instead, there’s a gatekeeper component called the Secure Enclave that sits between the fingerprint data and the program making the fingerprint scan request.

Android phones operate under similar guidelines. They store the fingerprint data in a secure part of the main processor called Trusted Execution Environment, or TEE for short. The TEE is isolated from other parts of the processor and doesn’t directly interact with installed apps.

Just as with Apple devices, fingerprint data is stored in an encrypted state. In addition, removing a user from the device should also delete any fingerprints stored on it.

While Apple has moved away from fingerprint scanning authentication and replaced TouchID with FaceID, other companies still rely on it.

Indeed, in 2018, a lot of smartphone developers are aiming to incorporate fingerprint scanners in the screen itself. Vivo is the first to market such a device. The Vivo phone has a Synaptics CMOS sensor, a small camera, taped to the back of the OLED panel. Whenever the OLED screen lights up, it also illuminates your fingerprint, which the sensor sees and then compares to the information already stored. For users, the result is a seamless experience: simply touch the screen with your finger and your phone will unlock.


Eye scanners

Security researchers consider the eye one of the most reliable body parts for biometric authentication, since the retina and iris remain almost completely unchanged during a person’s lifetime.

  • A retinal scan illuminates the complex blood vessels in a person’s eye using infrared light, making them more visible than the surrounding tissue. Just like fingerprints, no two people will ever have the same retinal pattern.
  • Iris scanners rely on high-quality photos or videos of one or both of a person’s irises. Irises too are unique to the individual. However, iris scanners have proven easy to trick simply by using a high-quality photograph of the subject’s eyes or face.

How iris scanners work

When it comes to biometrics, the iris has several major advantages compared to a fingerprint:

  • You don’t spread the information around every time you touch something.
  • The iris stays virtually unchanged throughout a person’s life. A fingerprint, on the other hand, can be dirtied, scarred or eroded.
  • You can’t use a fingerprint with dirty or sweaty hands. Irises, however, have no such problem.

The only major disadvantage of an iris scanner is that high-quality photos of your face or eyes can trick the scanner and unlock the device.

Despite these limitations, the technology has made its way as a security feature in airports, banks, and other sensitive buildings. Of course, just like with other security measures, it’s used in conjunction with multiple authentication technologies.

How it works. In the enrollment phase, the scanner takes a photograph of your iris using both normal light and infrared light, to capture details that wouldn’t be visible otherwise.

After the device records the person’s iris, it will remove any unnecessary details, such as eyelashes, and then transform the information into mathematical data and encrypt it.

During verification, an iris scanner will again emit infrared light to spot those hidden details. Because an iris scanner supplies its own light, it also works in low light or dark conditions.

Speaker recognition

Speaker recognition, unlike voice recognition, aims to identify who is talking, not what is being said.

In order to identify the speaker, the specialized software breaks their speech down into packets of frequencies called formants. These packets also capture the user’s tone, and together they form their voiceprint.

Speaker recognition technology is either:

  • Text-dependent, meaning it unlocks after identifying certain words or phrases (think “Hey Alexa!” for the Amazon Echo).
  • Text-independent, where it tries to recognize the voice itself but ignores what is actually said.

Unlike other methods mentioned here, speaker recognition comes with a significant usability problem, since it’s easy for background noises to distort the person’s voice and make it unrecognizable.

When it comes to consumer devices, voice activation can come across as awkward (a.k.a. talking to Siri in the subway).

But the biggest issue with speaker recognition is how easy it is to create a high-quality reproduction of a person’s voice. Even low-quality smartphones can accurately record a person’s voice, complete with inflections, tone, and accent.

This hasn’t stopped speaker recognition and similar technologies from gaining mainstream adoption. Just look at the success of Amazon Echo, Google Home, and other voice controlled speakers integrated into a lot of smart homes. What do you get when you combine an Amazon Alexa with an Amazon Key that unlocks your home to couriers when you’re at work?

It’s an amazing biometric authentication experience for users. At the same time, it’s a security risk of nightmare proportions.

We don’t mean just biometric authentication exploits, but “classic” hacker methods as well. Rhino Security Labs demonstrated just how to attack Amazon Key via WiFi so the camera is blind to whoever would enter your home.

We covered the risk of using IoT devices and explained how to secure them here. In this guide, you’ll find the best ways to protect your home wireless network. But let’s return to the types of biometric authentication and how they work, because we’ll later explain their advantages and disadvantages.

Other biometric technologies

The methods above are the most well known and most popular, but not the only ones. Here are some other technologies:

1. Facial recognition systems

Generally speaking, facial recognition systems approach biometric authentication from a lot of angles.

The classic way is to simply extract your face’s features from an image (eyes, nose, distance between your lips and your nose, etc.) and compare them to other images to find a match.

Through skin texture analysis, your unique lines, beauty marks, wrinkles and so on are turned into a mathematical space, which is then compared to other images.

Both of them can be easily fooled with makeup, masks or, in some cases, simply obstructing part of your face. This is where thermal imagery and other technologies stepped up the game until we got to this point – that of widespread adoption of systems like the Apple FaceID.

The iPhone FaceID uses more than 30,000 infrared dots to map your face, then creates essentially a 3D map of your features. This map, like Touch ID, is sent to the Secure Enclave in the CPU to be compared with the one already stored on the device. The result? Your phone is unlocked just by looking at it.

In the marketing materials, Apple said there is a 1 in a million chance for someone else to unlock an iPhone using FaceID. Of course, that just sounded like a challenge for security experts. A researcher from Vietnam fooled FaceID with a 3D printed mask made from silicone and paper tape.

2. Hand and finger geometry

While not as unique as prints, iris scanners or tridimensional face maps, our hands are different enough from other people’s. That makes them a viable authentication method in certain cases.

Image: hand geometry scanner (source: Eter.it)

A hand geometry scanner will measure palm thickness, finger length and width, knuckle distance and so on.

The advantages of this kind of system are low cost, ease of use and unobtrusiveness. It also has a few major disadvantages. A hand’s size can vary over time. Health problems might limit movement. More importantly, a hand is not that unique, so the system has low accuracy.

3. Vein geometry

Our vein layout is completely unique, and not even twins have the same vein geometry. In fact, the overall layout differs from one hand to the other.

Veins have an added advantage: they are incredibly difficult to copy or steal, because they are only visible under tightly controlled conditions.

A vein geometry scanner illuminates the hand with near-infrared light, which makes your veins visible in the captured image.

Advantages and disadvantages of biometric authentication

Ultimately, biometric authentication techniques are all about security. As a feature, their main competitor is the password (or, on occasion, the PIN code), so a comparison between the two will reveal both their strengths and weaknesses. Let’s see.

Advantage: Ease of use

A fingerprint or iris scan is much easier to use than a password, especially a long one. It only takes a second (if that) for the most modern smartphones to recognize a fingerprint and allow a user to access the phone. Ultrasound scanners will soon become commonplace, since manufacturers can place them directly behind the screen, without taking any extra real estate on a phone.

Voice recognition, on the other hand, is a bit iffier: background noise can easily scramble the process and render it unusable.

Disadvantage: You cannot revoke the fingerprint/iris/voice print remotely

A big disadvantage of biometric security is that a user cannot remotely change their biometric credentials. If you lose access to an email account, you can always initiate a remote recovery to regain control. During the process, you will be able to change your password or add two-factor authentication to double your account’s security.

Biometrics, however, don’t work like that. You have to be physically near the device to change its initial, secure data set.

A thief could steal your smartphone, create a fake finger, and then use it to unlock the phone at will. Unless you quickly lock your phone remotely, the thief could steal every bit of information on the device.

Advantage: The malicious hacker has to be near you

The biggest advantage of biometrics is that a malicious hacker has to be in your physical proximity in order to collect the information required to bypass the login.

This narrows down the circle of possible suspects in case your biometric lock is somehow bypassed.

That proximity also puts the attacker at risk of being caught red-handed, in a way that malicious hackers working from another continent are not.

Disadvantage: “Master fingerprints” can trick many phones and scanners

When you first register a fingerprint, the device will ask you for multiple presses from different angles. These samples will then be used as the original data set to compare with subsequent unlock attempts.

However, smartphone sensors are small, so they often rely on partial matches of fingerprints.

Researchers have discovered that a set of 5 “master fingerprints” can exploit these partial matches, and open about 65% of devices.

The number is likely to go down in real life conditions, but an open rate of even 10% to 15% is huge and can expose millions of devices.

Disadvantage: Biometrics last a lifetime

You can always change your password if somebody learns it, but there’s no way to modify your iris, retina or fingerprint. Once somebody has a working copy of these, there’s not much you can do to stay safe, other than switching to passwords or using another finger.

In one of the biggest hacks ever, the US Office of Personnel Management leaked 5.6 million employee fingerprints. For the people involved, a part of their identity will always be compromised. In CPO Magazine, we explored even more risks of using biometric data, especially in the context of law enforcement.

Disadvantage: Vulnerabilities in biometric authentication software

A couple of years ago, security researchers discovered weaknesses in Android devices that allowed them to remotely extract a user’s fingerprint, use backdoors in the software to hijack mobile payments or even install malware.

What’s more, they were able to do this remotely, without having physical access to the device.

Since then, patches have come for the vulnerabilities, but bug hunters are constantly on the hunt for new ones.

Hacking methods

Whitehat security researchers have proved time and again how to fool fingerprint or iris scanners. Here are just some of the methods they use.

Creating a fake finger (spoofing the fingerprint)

To open a smartphone secured with a fingerprint, the attacker will first need to find a high-quality print that contains enough distinctive patterns to unlock the device.

Next, an attacker will lift the fingerprint, place it on a plastic laminate, and then cast a finger to fit this mold.

Once the malicious hacker has created the fake finger, all he has to do is place it on the scanner, press on it with his own finger so that it conducts electricity, and then use the unlocked phone.

Tricking an iris scanner

For some iris scanners, all it takes is taking a photo with a cheap camera in night mode, printing the iris on paper, and then placing a wet contact lens on top to mimic the roundness of the human eye.

Hacking the biometric sensor and stealing the data

Another, more insidious method of obtaining the fingerprint data of a phone, and unlocking it, is to directly hack the part of the phone responsible for storing the information.

For iOS devices, this means breaking into the Secure Enclave. Technically, this is possible, but it is far beyond the scope of your average, day-to-day cyber criminal. The few confirmed hackings have been done by Cellebrite.

Still, the software and expertise might reach the mass market and end up in the hands of script kiddies.

In the case of Android devices, researchers have shown it is possible to trick the Qualcomm-provided Trusted Execution Environment (TEE) by loading a customized app, which then performs privilege escalation until it obtains greater access to the TEE.

Fortunately for us users, a cybercriminal would need considerable expertise to hack your phone in such a way.

Biometric security for mobile devices, such as smartphones and laptops

A fingerprint lock is useless if somebody steals your smartphone and then simply lifts your print off the device itself.

How to secure smartphone/laptop fingerprint readers

Here are a few simple tips to help minimize the number of prints that are on your phone:

  • Dress your phone with a fingerprint-resistant or oleophobic cover and screen protector.
  • Use a finger other than your index finger or thumb.
  • If convenience is not your primary concern, use both the fingerprint and the password/PIN lock. This is especially useful for sensitive business smartphones and laptops. Here is a comprehensive guide for your smartphone security, and we compiled the best password tips here.
  • If your laptop or other device supports it, use a fingerprint randomizer. In short, you register 2-3 fingerprints, and the lock screen will ask you to provide a different finger each time you log in.

Conclusion

Biometric authentication has expanded strongly in the last few years, with more and more consumers relying on it and even demanding it.

Do you use any sort of biometric technology? How do you feel about it, especially in the government’s hands, and how secure do you think it is?

This post was originally published in July 2017 by Paul Cucu and updated on January 12, 2018 by Ana Dascalescu.

The post Biometric Authentication Overview, Advantages & Disadvantages [Updated 2019] appeared first on Heimdal Security Blog.

High Value Cryptocurrency Stolen by Hackers

Hackers Breach Private Keys to Steal Cryptocurrency

A possible coding error allowed hackers to compromise at least 732 unique, improperly secured private keys used in the Ethereum blockchain. By exploiting a vulnerability, hackers have successfully stolen 38,000 Ethereum coins so far, translating to over $54 million in stolen funds, though the current number is likely much higher. While uncommon, such attacks do show that the industry’s security and key-generation standards have plenty of room for improvement.

Prominent Malware Reverse Engineer Faces Jail Time

The malware researcher Marcus Hutchins, who successfully reversed and stopped the WannaCry ransomware attacks in 2017, is facing up to six years of jail time for prior malware creation and distribution. Hutchins’ charges all tie back to his involvement in the creation of Kronos, a widespread banking Trojan that’s caused significant damage around the world.

Data Exposed for Thousands of Rehab Patients

Personally identifiable data belonging to nearly 145,000 patients of a Pennsylvania rehab facility has been found in a publicly available database. After a Shodan search, researchers discovered the database, which contained roughly 4.9 million unique documents showing information ranging from names and birthdays to specific medical services provided and billing records, all of which could be used to steal the identity of these thousands of individuals.

Study Finds Password Security Still Lacking

After this year’s review of password security, it may come as no surprise that the top five passwords still in use are simple and have remained at the top for some time. Using a list generated from past data breaches, researchers found the password “123456” was used over 23 million times, with similar variations rounding out the top five. Several popular names, sports teams, and bands like blink182 and Metallica are still in use for hundreds of thousands of accounts. While these passwords may be easy to remember, they are exceedingly simple to guess. Stronger passwords should include multiple words or numbers to increase their complexity.

Bodybuilding Site Breached through Phishing Campaign

The website bodybuilding.com has announced that it was the victim of a data breach stemming from an email phishing campaign in July 2018 that could affect many of the site’s clients. Fortunately, the site doesn’t store full payment card data, and the data it does store is only stored at the customer’s request, leaving little data for hackers to actually use. The site also forced a password reset for all users and issued a warning about suspicious emails coming from bodybuilding.com, noting they may be part of another phishing campaign.

The post High Value Cryptocurrency Stolen by Hackers appeared first on Webroot Blog.

Facebook Braces for Multibillion Dollar Fine

Facebook announced that it was preparing for a massive fine from the Federal Trade Commission for its mishandling of user privacy. The fine could be as much as $5 billion.

The social media giant revealed the fine as a one-time expense in its annual earnings statement, explaining a 51% decline in income, “in connection with the inquiry of the FTC into our platform and user data practices.”

“We estimate that the range of loss in this matter is $3.0bn to $5.0bn,” the company’s statement explained. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

Facebook has been the target of an FTC investigation to determine if it had violated a 2011 consent decree following the 2018 revelation that it improperly shared data with Cambridge Analytica.

Despite the size of the fine, the company showed continuous growth and an expansion of its ecosystem of apps.

Read more about the story here.

The post Facebook Braces for Multibillion Dollar Fine appeared first on Adam Levin.

How Business can address the Security Concerns of Online Shoppers

It’s no secret that cybersecurity is an epidemic problem that affects online businesses on a global scale. E-commerce businesses are especially affected by data breaches, because breaches weaken consumers’ trust in online businesses to protect their personal data. In response to the growing number of breaches, governments and enterprises alike are stepping up to the plate to provide sustainable solutions to the problem.

The UK is aiming to become a world leader in cybersecurity by investing a substantial amount of money (to the tune of £70 million) in the Industrial Strategy Challenge Fund. The fund represents the government’s commitment to increase funding in research and development by £4.7 billion over a four year period. One of the primary goals of the investment will be to supply the industry with the money necessary to design and develop state-of-the-art hardware that’s more secure and resilient to common cyber threats.

The logic stems from the fact that cybercriminals are constantly finding new ways to exploit current technology, so the best way to combat future attacks is to design chips and hardware with stronger security features built in, outpacing the threats. However, this means businesses will have to invest in new IT systems as that hardware rolls out, to keep their security measures up to par.

For the time being, online business owners need to do everything in their power to address the privacy concerns of their users. In some cases, this might mean investing in more secure and modern e-commerce platforms that offer security features, such as TLS (still commonly known as SSL) protection and security software to protect against malware attacks, or simply generating new, strong admin passwords on a regular basis.

The fact is, there is no way to give customers a 100% guarantee that their personal data is safe, but there are actions webmasters and companies can take to make their websites a lot safer for their customers to use. To help you learn more about how you can secure your site from cyber threats, Wikibuy has laid out 15 steps in the infographic below.

Infographic: How Business Owners Can Address Online Shopping Concerns

When is it fair to infer?

While the GDPR framework is robust in many respects, it struggles to provide adequate protection against the emerging risks associated with inferred data (sometimes called derived data, profiling data, or inferential data). Inferred data pose potentially significant risks in terms of privacy and/or discrimination, yet they would seem to receive the least protection of the personal data types prescribed by GDPR. Defined as assumptions or predictions about future behaviour, inferred data cannot be verified at the time of decision-making. Consequently, data subjects are often unable to predict, understand or refute these inferences, whilst their privacy rights, identity and reputation are impacted.

Reaching dangerous conclusions

Numerous applications drawing potentially troubling inferences have emerged; Facebook is reported to be able to infer protected attributes such as sexual orientation and race, as well as political opinions and the likelihood of a data subject attempting suicide. Facebook data has also been used by third parties to decide on loan eligibility, to infer political leanings, to predict views on social issues such as abortion, and to determine susceptibility to depression. Google has attempted to predict flu outbreaks, other diseases and medical outcomes. Microsoft can predict Parkinson’s and Alzheimer’s from search engine interactions. Target can predict pregnancy from purchase history, users’ satisfaction can be determined by mouse tracking, and China’s social credit scoring system is built on inferences.

What protections does GDPR offer for inferred data?

The European Data Protection Board (EDPB) notes that both verifiable and unverifiable inferences are classified as personal data (for instance, the outcome of a medical assessment regarding a user’s health, or a risk management profile). However, it is unclear whether the reasoning and processes that led to the inference are similarly classified. If inferences are deemed to be personal data, should the data protection rights enshrined in GDPR also apply to them equally?

The data subject’s right to be informed, right to rectification, right to object to processing, and right to portability are significantly reduced when data is not ‘provided by the data subject’. For example, the EDPB notes (in its guidelines on the right to data portability) that “though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject, these data will typically not be considered as ‘provided by the data subject’ and thus will not be within scope of this new right”.

The data subject, however, can still exercise their “right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is being processed, and, where that is the case, access to the personal data”. The data subject also has the right to information about “the existence of automated decision-making, including profiling (Article 22(1), (4)), meaningful information about the logic involved, as well as the significance and consequences of such processing” (Article 15). However, the data subject must actively make such an access request, and if the organisation does not provide the data, how will the data subject know that derived or inferred data is missing from the response to their access request?

A data subject can also object to direct marketing based on profiling and/or have it stopped; however, there is no obligation on the controller to inform the data subject that any profiling is taking place “unless it produces legal or similarly significant effects on the data subject”.

No answer just yet…

Addressing the challenges and tensions of inferred and derived data will necessitate further case law on the interpretation of “personal data”, particularly regarding interpretations of GDPR. Future case law on the meaning of “legal effects… or similarly significantly affects”, in the context of profiling, would also be helpful. It would also seem reasonable to suggest that, where possible, data subjects should be informed at the point of collection that data is derived by the organisation, and for what purposes. If the data subject doesn’t know that an organisation uses their data to infer new data, the data subject cannot fully exercise their data subject rights, since they won’t know that such data exists.

In the meantime, it seems reasonable to suggest that inferred data of which the data subject has been clearly informed, which is benevolent in its intentions, and which offers the data subject positive enhanced value, is ‘fair’.

The post When is it fair to infer? appeared first on BH Consulting.

These Cookie Warning Shenanigans Have Got to Stop

This will be short, ranty and to the point: these warnings are getting ridiculous:

I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet:

The reason I don't know if it makes it better or worse is that on the one hand, it's ridiculous that in a part of the world that's more privacy-focused than most it essentially boils down to "take this cookie or no access for you" whilst on the other hand, the Dutch DPA somehow thinks that this makes any sense to (almost) anyone:

And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

Is this really what we want? To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway (note: this is a purely fabricated figure based on the common-sense assumption that people will generally click through anything that gets in the way of performing the task they set out to complete in the first place). And honestly, how on earth is your average person going to make an informed decision on a message like this:

Do you know how hard it is to explain OAuth to technical people, let alone the masses? Oh wait - it's not OAuth - it's Oath but even I didn't get that at first because nobody really reads these warnings anyway! And now that I have read it and I know it's Oath, what does that really mean? Oh look, a big blue button that will make it all go away and allow me to do what I came here for in the first place...

But say you are more privacy focused and you wanted to follow that link in the original tweet. Here's your fix:

And if you're smart enough to actually understand what cookies are and be able to make an informed decision when prompted with a warning like TechCrunch's, then you're smart enough to know how to right click on a link and open it incognito. Or run an ad blocker. Or something like a Pi-hole.

Or you move to Australia because apparently, we don't deserve the same levels of privacy down here. Or have I got that back to front and Europeans don't deserve the same slick UX experience as we get down here? You know, the one where you click on a link to read an article and you actually get to read the article!

So let's be European for a moment and see how that experience looks - let's VPN into Amsterdam and try to control my privacy on TechCrunch:

Are you fucking serious? This is what privacy looks like? That's 224 different ad networks that are considered "IAB Partners" (that'd be the Interactive Advertising Bureau) and I can control which individual ones can set cookies. And that's in addition to the 10 Oath foundational partners:

You can't disable any of those either by the look of it so yeah, no privacy on that front. But at least you can go and read their privacy policy, right? Sure, Unruly's is 3,967 words, Facebook's is 4,498 words and Zentrick's is another 3,805 words. Oh - and remember that you need to accept cookies on each one of those sites too and you're going to want to read about how they and their partners track you...

And the ridiculous thing about it is that tracking isn't entirely dependent on cookies anyway (and yes, I know the Dutch situation touched on browser fingerprinting in general too). Want to see a perfect example? Have a go of Am I Unique and you'll almost certainly be told that "Yes! You can be tracked!":

Over one million samples collected and yet somehow, I am a unique snowflake that can be identified across requests without a cookie in sight. How? Because even though I'm running the current version of Chrome on the current version of Windows, less than 0.1% of people have the same user agent string as me. Less than 0.1% of people also have their language settings the same as mine. Keep combining these unique attributes and you have a very unique fingerprint:

The list goes on well beyond that screen grab too - time zone, screen resolution and even the way the canvas element renders on the page. It's kinda cool in a kinda creepy way.
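The arithmetic behind "less than 0.1% share my user agent, less than 0.1% share my language, keep combining and you're unique" can be made concrete. The following is an added example, not code from the original post or from Am I Unique: it runs over a constructed population of 12 visitors (attribute names and values are made up) and shows how the anonymity set shrinks to one person as individually common attributes are combined, with no cookie involved.

```python
"""How individually common browser attributes combine into a unique fingerprint.

Added example; the population below is constructed by hand so the numbers are
easy to follow. It is not data from amiunique.org or from the original post.
"""
import math
from collections import Counter

# Attributes in the order the post walks through them.
ATTRIBUTES = ("user_agent", "language", "timezone", "screen", "canvas")

# Constructed population: one tuple per visitor, fields in ATTRIBUTES order.
SAMPLE_POPULATION = [
    ("Chrome/74 Win10", "en-AU", "UTC+10", "1920x1080", "canvas-1"),  # the visitor we examine
    ("Chrome/74 Win10", "en-AU", "UTC+10", "1920x1080", "canvas-2"),
    ("Chrome/74 Win10", "en-AU", "UTC+10", "1366x768", "canvas-1"),
    ("Chrome/74 Win10", "en-AU", "UTC+0", "1920x1080", "canvas-1"),
    ("Chrome/74 Win10", "en-US", "UTC-5", "1920x1080", "canvas-1"),
    ("Chrome/74 Win10", "en-US", "UTC-5", "1920x1080", "canvas-1"),  # exact duplicate of the row above
    ("Chrome/74 Win10", "en-GB", "UTC+0", "1920x1080", "canvas-1"),
    ("Firefox/66 Win10", "en-AU", "UTC+10", "1920x1080", "canvas-1"),
    ("Firefox/66 Win10", "en-US", "UTC-5", "1440x900", "canvas-4"),
    ("Safari/12 macOS", "en-US", "UTC-8", "1440x900", "canvas-5"),
    ("Safari/12 macOS", "en-GB", "UTC+0", "2560x1440", "canvas-5"),
    ("Chrome/74 Linux", "de-DE", "UTC+1", "1920x1080", "canvas-6"),
]
VISITOR = SAMPLE_POPULATION[0]


def _project(fingerprint, attrs):
    """Keep only the selected attributes of a fingerprint tuple."""
    return tuple(fingerprint[ATTRIBUTES.index(a)] for a in attrs)


def attribute_share(population, visitor, attr):
    """Fraction of the population that shares the visitor's value for one attribute."""
    wanted = _project(visitor, (attr,))
    return sum(1 for fp in population if _project(fp, (attr,)) == wanted) / len(population)


def anonymity_set(population, visitor, attrs):
    """Size k of the visitor's anonymity set: how many visitors match on all of attrs."""
    key = _project(visitor, attrs)
    return sum(1 for fp in population if _project(fp, attrs) == key)


def identifying_bits(population_size, k):
    """Information the match reveals, in bits: log2(N / k). k == 1 means unique."""
    return math.log2(population_size / k)


def uniqueness_report(population, visitor):
    """For each attribute added cumulatively: (attr, share of population, k, bits)."""
    rows = []
    for i in range(1, len(ATTRIBUTES) + 1):
        attrs = ATTRIBUTES[:i]
        k = anonymity_set(population, visitor, attrs)
        rows.append((attrs[-1], attribute_share(population, visitor, attrs[-1]), k,
                     identifying_bits(len(population), k)))
    return rows


def fraction_unique(population):
    """Share of visitors whose complete fingerprint nobody else in the population has."""
    counts = Counter(population)
    return sum(1 for fp in population if counts[fp] == 1) / len(population)


if __name__ == "__main__":
    for attr, share, k, bits in uniqueness_report(SAMPLE_POPULATION, VISITOR):
        print(f"+ {attr:<10} shared by {share:5.1%} of visitors -> k={k:2d}, {bits:.2f} bits")
    print(f"{fraction_unique(SAMPLE_POPULATION):.1%} of visitors are unique without any cookie")
```

Every single attribute of the examined visitor is shared by at least a third of the population, yet after five attributes the anonymity set is one person; on a million-sample population the same mechanism is what turns "current Chrome on current Windows" into a trackable identifier.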

And here's the bit that really bugs me (ok, it all bugs me but this is the worst): how do we expect your normal everyday person to differentiate between cookie warnings and warnings like these:

I know what these are and you probably do too by virtue of being on this blog, but do you really think most people who have been conditioned to click through the warning that's sitting between them and the content they wish to read understand the difference between this and a cookie warning? We literally have banks telling people just to ignore these warnings:

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices. That is all.

How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep

Spring Break 2019 is in full swing, which means high school and college kids have hit the road determined to make this rite of passage epic. Unfortunately, not everyone will return home with his or her online reputation intact.

Despite the headlines and warnings, kids are still uploading their lives 24/7 and not all of their choices will be wise. While impressive at the moment, showcasing one’s exceptional beer pong or body shot skills could become a future digital skeleton.

Define it

The decision to share reckless content online has damaged (even destroyed) scholarships, opportunities, reputations, and careers.

Each day more than one billion names are searched on Google, and 77% of job recruiters look up potential employees online during the hiring process, according to BrandYourself.com. Also, 45% of people have found content in an online search that made them decide not to do business with someone.

As elementary as it sounds, the first step to helping your child safeguard his or her online reputation this spring break is defining what is and is not appropriate online content.

Technology has created a chasm between generations so don’t assume your values align with your child’s in this area. Behavior once considered inappropriate has slowly become acceptable to kids who grew up in the online space. Also, peers often have far more influence than parents.

So take the time to define (and come to an agreement on) content you consider off limits such as profanity, racy photos, mean, disrespectful, or racist comments, irresponsible or prank videos, or pictures that include alcohol or drug use. (Yes, state the obvious!)

Untag It

Turn off tagging. Like it or not, people often judge us by the company we keep. Your child’s online behavior may be stellar, but tag-happy, reckless friends can sink that quickly. To make sure your child doesn’t get tagged in risky photos on Twitter, Instagram, or Facebook, encourage them to adjust privacy settings to prevent tagging or require user approval. Also, help your kids pay more attention to unflattering Snapchat photos and Snapchat story photos that other people post about them, which can be problematic if shared elsewhere.

Lock It

Amp up privacy settings. By adjusting privacy settings to “friends only” on select social networks, digital mistakes can be minimized. However, we know that anything uploaded can be shared and screen-captured before it’s deleted, so tightening privacy settings isn’t a guarantee.

Google It

To get a clear picture of your child’s digital footprint and what a school or future employer might find, Google your child’s name. Examine the social networks, links, and sites that have cataloged information about your child. One of the best ways to replace damaging digital information is by creating positive information that overshadows it. Encourage your child to set up a Facebook page that reflects their best self: their values, their goals, and their character. Make the page public so others can view it. They may also consider setting up a LinkedIn page that highlights specific achievements, goals, and online endorsements from teachers and past employers.

If for some reason there’s damaging content that can’t be removed by request, encourage your child to set up a personal website and blog weekly. This can be a professional or hobby blog, but the idea is to repopulate the search results with favorable content and push the tainted content further down on Google.

Balance It

In your guiding, don’t forget the wise words of Cyndi Lauper who reminds us all, “Girls just wanna have fun!” Strive for balance in giving kids the room to make memories with friends while at the same time equipping them to make wise choices online.

The post How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep appeared first on McAfee Blogs.

Why it’s too easy to manipulate voters – and steal the EU elections | Eleonora Nestola

It’s time to act, as personal data is being used to target voters – and the EU commission isn’t doing enough to stop this

On 11 July last year the UK Information Commissioner’s Office (ICO) published its first report on the Cambridge Analytica scandal. This is a date I will never forget, a date that substantially changed my vision of the current threats to our democratic society. It is a day that became a call to arms for me – and, for once, I had the understanding, the knowledge and the expertise to support the fight. I felt it was time to put all of this to good use for civil society, and so I set out to discover how online electoral campaigning works. And let me tell you, the system is not in good health and we Europeans should all be made more aware of that.

Voters become unaware they are receiving political messages based on bias. The risks are enormous

The Risks of Public Wi-Fi and How to Close the Security Gap

As I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPN

The usual answer to risky public Wi-Fi is a Virtual Private Network (VPN). A VPN creates an encrypted tunnel from your device to a server run by the VPN provider (or by your employer), and your internet traffic travels through that tunnel. Anyone on the local Wi-Fi, including the operator of the hotspot, sees only encrypted traffic going to the VPN server. Websites see the VPN server’s IP address instead of yours, which also hides your approximate location. Note what a VPN does not do: the provider can see your traffic as it leaves the tunnel, so you are shifting trust from the hotspot to the VPN provider, not eliminating it.

Using a VPN protects you from attackers on public Wi-Fi, one of their favorite easy-to-reach targets.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN hides your real IP address and location from the sites you visit, and hides your traffic, including banking credentials and credit card details, from anyone on the local network. It does not replace HTTPS; the two layers work together.

Also, if you have a family data plan, you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. With a VPN on their devices, that habit is protected from sniffers and snoopers on the shared network.

In effect, the VPN server acts as an intermediary that reaches the internet on your behalf, giving you a protected connection almost anywhere you go. It hides your IP address from the sites you visit, but it is not full anonymity: the VPN provider can still see where your traffic goes, and sites can still recognize you through cookies and logins.

How VPNs work

To use a VPN, you subscribe to a VPN service, install the app on your desktop or phone, set up your account, and then connect to a VPN server before doing anything else online. Once connected, the app routes all of the device’s traffic through the encrypted tunnel.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi 

Verify your connection. Fake networks set up to harvest your data are common. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee, and be suspicious if the same name shows up twice with different security settings. Prefer Wi-Fi that requires a password, but remember that a password shared with every customer keeps strangers off the network; it does not keep other customers out of your traffic.

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disconnect from the network and switch Wi-Fi off when you are finished.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Make sure the address starts with https:// and the browser shows the lock icon; that confirms the connection to the site is encrypted, so people on the Wi-Fi can’t read or alter what you send. Be aware that the lock does not vouch for the site itself: phishing sites use HTTPS too, so check the domain name as carefully as the lock.

Secure your devices. Use a personal VPN as an extra layer of protection against eavesdroppers and malware, and keep your operating system and browser updated so known flaws can’t be exploited over the network.
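To make the “verify your connection” and “require a password” tips concrete, here is an added Python example (not part of the original McAfee post) that checks a Wi-Fi scan before you join. It assumes the terse output of `nmcli -t -f SSID,BSSID,SECURITY dev wifi list` on a Linux laptop running NetworkManager, where fields are separated by `:` and colons inside a value are escaped as `\:`; the scan lines below are constructed, not a real capture, and the function names are this example’s own.

```python
"""Check a Wi-Fi scan for open networks and evil-twin SSIDs before joining.
Added example, not code from the original post. Assumes the terse format of
`nmcli -t -f SSID,BSSID,SECURITY dev wifi list` (Linux / NetworkManager):
fields separated by ':' with literal colons escaped as '\\:'."""
import sys
from collections import defaultdict
from typing import Iterable, List, NamedTuple

# Constructed sample scan, not a real capture. The third line is an open
# access point reusing the hospital's SSID: the classic evil twin.
SAMPLE_SCAN = """\
HospitalGuest:AA\\:BB\\:CC\\:DD\\:EE\\:01:WPA2
HospitalGuest:AA\\:BB\\:CC\\:DD\\:EE\\:02:WPA2
HospitalGuest:DE\\:AD\\:BE\\:EF\\:00\\:01:
Free Airport WiFi:12\\:34\\:56\\:78\\:9A\\:BC:
HomeNet:00\\:11\\:22\\:33\\:44\\:55:WPA2 WPA3
"""


class Network(NamedTuple):
    ssid: str
    bssid: str
    security: str  # "" means an open (unencrypted) network


def split_terse(line: str) -> List[str]:
    """Split one nmcli -t line on unescaped ':' and drop the escape backslashes."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped character: keep it literally
            current.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(text: str) -> List[Network]:
    """Parse scan output into Network records, skipping blank or short lines."""
    networks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = split_terse(raw)
        if len(fields) < 3:
            continue
        networks.append(Network(fields[0], fields[1].upper(), fields[2].strip()))
    return networks


def assess(networks: Iterable[Network], expected_ssid: str,
           known_bssids: Iterable[str] = ()) -> List[str]:
    """Return warnings about joining `expected_ssid`; an empty list means no red flags.
    `known_bssids` lets a returning visitor pin the access points seen on day one."""
    by_ssid = defaultdict(list)
    for net in networks:
        by_ssid[net.ssid].append(net)
    matches = by_ssid.get(expected_ssid, [])
    if not matches:
        return [f"{expected_ssid!r} is not in range; confirm the exact name with staff"]

    warnings = []
    security_types = {net.security or "OPEN" for net in matches}
    if "OPEN" in security_types:
        warnings.append("an access point with this name is open (no encryption)")
    if len(security_types) > 1:
        warnings.append("the same name is advertised with different security settings "
                        f"{sorted(security_types)}: possible evil twin")
    known = {b.upper() for b in known_bssids}
    if known:
        unknown = sorted(net.bssid for net in matches if net.bssid not in known)
        if unknown:
            warnings.append(f"unrecognised access point(s) for this name: {unknown}")
    return warnings


if __name__ == "__main__":
    # Usage: nmcli -t -f SSID,BSSID,SECURITY dev wifi list | python3 wifi_check.py HospitalGuest
    scan = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    target = sys.argv[1] if len(sys.argv) > 1 else "HospitalGuest"
    for warning in assess(parse_scan(scan), target) or ["no red flags for " + target]:
        print(warning)
```

Run without input it evaluates the constructed sample, where the hospital’s name is advertised by two WPA2 access points and one open one, and reports both the open network and the security mismatch. A BSSID is trivially spoofed, so this catches only careless impersonators: it tells you which network to avoid, not that the remaining one is safe, which is why HTTPS and a VPN still matter once you are connected.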

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

Mumsnet reports itself to regulator over data breach

Company apologises after bug meant users were able to log into accounts of strangers

Mumsnet has reported itself to the information commissioner after a data breach resulted in users accidentally logging into the accounts of strangers.


#PrivacyAware: Will You Champion Your Family’s Online Privacy?

The perky cashier stopped my transaction midway to ask for my email and phone number.

Not now. Not ever. No more. I’ve had enough. I thought to myself.

“I’d rather not, thank you,” I replied.

The cashier finished my transaction and moved on to the next customer without a second thought.

And, my email and phone number lived in one less place that day.

This seemingly insignificant exchange happened over a year ago, but it represents the day I decided to get serious and champion my (and my family’s) privacy.

I just said no. And I’ve been doing it a lot more ever since.

A few changes I’ve made:

  • Pay attention to privacy policies (especially of banks and health care providers).
  • Read the terms and conditions of apps before downloading.
  • Block cookies from websites.
  • Refuse to purchase from companies that (appear to) take privacy lightly.
  • Max my privacy settings on social networks.
  • Change my passwords regularly and keep them strong!
  • Delete apps I no longer use.
  • Stay on top of software updates on all devices and add extra protection.
  • Have become hyper-aware before giving out my email, address, phone number, or birth date.
  • Limit the number of photos and details shared on social media.

~~~

The amount of personal information we share every day online — and off — is staggering. There’s information we post directly online, such as our birth date, our location, our likes, and our dislikes. Then there’s the data that’s given off without our noticing via web cookies, metadata, downloads, and apps.

While some data breaches are out of our control, at the end of the day, we — along with our family members — are one giant data leak.

Studies show that on average by the age of 13, parents have posted 1,300 photos and videos of their child to social media. By the time kids get devices of their own, they are posting to social media 26 times per day on average — a total of nearly 70,000 posts by age 18.

The Risks

When we overshare personal data, a few things can happen. The digital fallout includes data misuse by companies, identity theft, credit card fraud, medical fraud, home break-ins, reputation damage, location and purchase tracking, ransomware, and other risks.

The Mind Shift

The first step toward boosting your family’s privacy is to start thinking differently about privacy. Treat your data like gold (after all, that’s the way hackers see it). Guiding your family in this mind-shift will require genuine, consistent effort.

Talk to your family about privacy. Elevate its worth and the consequences when it’s undervalued or shared carelessly.

Teach your kids to treat their personal information — their browsing habits, clicks, address, personal routine, school name, passwords, and connected devices — with great care. Consider implementing this 11 Step Privacy Take Back Plan.

This mind and attitude shift will take time but, hopefully, your kids will learn to pause and think before handing over personal information to an app, a social network, a retail store, or even to friends.

Data Protection Tips*

  1. Share with care. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future.
  2. Own your online presence. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information.
  3. Think before you act. Information about you, such as the games you like to play, your contacts list, where you shop and your geographic location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through websites and apps.
  4. Lock down your login. Your usernames and passwords are not enough to protect critical accounts like email, banking, and social media. Strengthen online accounts and use strong authentication tools like a unique, one-time code through an app on your mobile device.

* Provided by the National Cyber Security Alliance (NCSA).

January 28 is National Data Privacy Day. The day highlights one of the most critical issues facing families today — protecting personal information in a hyper-connected world. It’s a great opportunity to commit to taking real steps to protect your online privacy. For more information on National Data Privacy Day or to get involved, go to Stay Safe Online.

The post #PrivacyAware: Will You Champion Your Family’s Online Privacy? appeared first on McAfee Blogs.

Busting 5 Cybersecurity Myths

It is no secret that many people pay little attention to security when they surf the web at home or at work. New data breaches and exploits appear daily, yet failing to take any precautions can have catastrophic consequences. Even the biggest corporations pay millions of dollars to improve their cybersecurity and stay safe. If you still believe some of the common cybersecurity myths, you may be putting your own computer, or your whole organization, at serious risk. We at CyberDB have decided to bust five of the top cybersecurity myths and set the record straight.

Only the IT department is responsible for cybersecurity

It is fair to say that the IT department is responsible for implementing the processes and policies that keep security in good shape. But they have no magic wand that protects every computer on the network. In reality, each employee needs to be careful when receiving and opening e-mail messages from colleagues or third parties: a single infected machine can spread malware across every department of the organization and end in a data breach.

Using just an antivirus software is enough

Antivirus software might have been enough to save your business from attack 20 years ago; today it is not enough on its own to protect a whole organization. Attackers keep finding ways to disable antivirus and hide their activity on a system, and with ransomware growing in popularity, the time between infection and having your files encrypted can be a matter of seconds. Antivirus remains a useful layer, but you also need to stay informed about the latest threats and add other controls. Check out our database of cyber security vendors to find the best solution for your personal or business needs.

A strong password is enough

It is no secret that a long, complex password on your accounts is essential. But even tech giants like Facebook and Apple suffer data breaches and are frequent targets, so a password alone is not enough. Wherever a site offers it, also enable two-factor authentication (2FA). The first generation of 2FA sent a code by SMS, but SMS codes can be intercepted by an attacker who takes over your phone number through a SIM swap or a cloned SIM. Prefer an authenticator app such as Google Authenticator, which generates time-based one-time codes on the device itself, so no code ever travels over the phone network.

Threats are being spread only through the Internet

Some users think that disconnecting from the internet prevents threats from spreading around the network. They are wrong. Imagine an employee bringing in an infected flash drive and plugging it in: every computer it touches may become infected and your company may lose valuable information. Your information can also be stolen entirely offline, for example through a tampered payment terminal at a local retailer. Threats are not only online; they are part of daily life, and we need to take care of our personal information everywhere.

Only certain industries experience cyber attacks

Some businesses still believe they will not be targeted because they are small or mid-sized, or because of the industry they are in. They are wrong. Others believe they hold nothing an attacker would find worth stealing. In reality, information such as personal addresses and credit card numbers makes every business in every industry a potential target. Here are the industries most frequently hit by cyber-attacks today:

Figure: Top 10 Sectors Breached

The post Busting 5 Cybersecurity Myths appeared first on CyberDB.