Category Archives: Privacy

It’s Data Privacy Day. Do You Know What Info Your Apps Are Tracking?

January 28 is Data Privacy Day—not exactly a major holiday, but it does provide an important opportunity to address something that’s compromising your privacy on a daily basis: namely, your phone.

With a nod to all the flip-phone activists out there, it’s fair to say smartphones aren’t going anywhere. Few among us pine for the days of wall-anchored phones that couldn’t send photos, call a cab, and play a clip of Baby Yoda at the same time. The level of convenience ushered in by Android and iOS devices is beyond dispute.

That convenience came at a heavy cost that consumers are only now beginning to appreciate. Take, for instance, the “Brightest Flashlight” app, which ran afoul of the FTC a few years back for transmitting intimate levels of user data to advertisers while providing a minimal level of service, i.e. turning on the light of an Android device.

And that’s the most basic example. Mobile apps provide the opportunity to track our day-to-day lives down to the most intimate details, and they often share that data with little to no oversight: dating apps such as Match.com and Tinder have been “caught” collecting and selling data relating to drug use and religious views. Period tracking apps like Maya have been found to upload user data to Facebook including heaviness of menstrual flow, body weight, and sexual activity. Google recently acquired the fitness smartwatch brand Fitbit, and with it access to the sleep, exercise, and eating habits of its users. We might be at a loss as to how this data can be monetized, but rest assured: your data has value and is actively being exploited one app at a time.

What’s the solution? Unfortunately, there isn’t one, at least not yet. Despite the passage of California’s privacy law, we’re still very much living in the Wild West when it comes to user data.

Still, we can mitigate the ongoing privacy catastrophe that is the modern internet by making a quick audit of the apps on our smartphones. Take a look at what you have installed and ask yourself the following questions:


  • Does this service actually require an app? If you have access to the same services by connecting via a web browser that you have with an app, stick to the web, preferably via a VPN and in private browsing mode. Most mobile apps are configured to get more user data than would be accessible via a website.
  • Is the data being accessed by this app worth it? A flashlight app shouldn’t need your physical location. Facebook Messenger shouldn’t need to track the velocity at which you’re traveling. That Scrabble clone doesn’t need to know every contact on your phone. Be circumspect about the kind of access being granted when you install an app on your phone. If there’s any doubt, don’t install it.
  • Do I want this information out in the world? Any information shared with an app has the potential to be uploaded, processed and analyzed by any number of third parties. Don’t share anything with an app that you wouldn’t be comfortable having a stranger know about you. 
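One way to put the second question on a footing you can check rather than guess at, as an added example that is not part of the original post: on Android, `adb shell dumpsys package <pkg>` lists each app’s runtime permissions with `granted=true` or `granted=false`. The script below parses that output and flags sensitive permissions an app has been granted beyond what you would expect of it. The dumpsys excerpt, the package names and the `expected` map are constructed for illustration, not captured from a real device.

```python
"""Audit granted Android runtime permissions per package.

Added example. Input is the text of `adb shell dumpsys package`; the excerpt
below is CONSTRUCTED to mirror that format, not captured from a device.
"""
import re

# Permissions most users would consider sensitive (Android "dangerous" group).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call log",
}

# Constructed sample: a flashlight app with location, a word game with contacts.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (a1b2c3):
    userId=10123
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
  Package [com.example.wordgame] (d4e5f6):
    userId=10124
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+): granted=(true|false)")


def parse_granted(dumpsys_text):
    """Return {package: set of runtime permissions currently granted}."""
    granted = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def flag_sensitive(granted, expected=None):
    """Return {package: sorted sensitive permissions granted but not expected}.

    `expected` maps a package to the sensitive permissions its function
    plausibly needs (e.g. CAMERA for a flashlight that drives the LED).
    """
    expected = expected or {}
    findings = {}
    for pkg, perms in granted.items():
        unexpected = sorted(
            p for p in perms if p in SENSITIVE and p not in expected.get(pkg, set())
        )
        if unexpected:
            findings[pkg] = unexpected
    return findings


if __name__ == "__main__":
    granted = parse_granted(SAMPLE_DUMPSYS)
    expected = {"com.example.flashlight": {"android.permission.CAMERA"}}
    for pkg, perms in flag_sensitive(granted, expected).items():
        print(pkg)
        for p in perms:
            print("  unexpected access to", SENSITIVE[p], f"({p})")
```

On a real device, feed it `adb shell dumpsys package` for each third-party package (`adb shell pm list packages -3` lists them); the point is to compare what is granted against what the app’s job actually requires, which is the question the bullet above asks.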


It’s overly optimistic to expect to reclaim your privacy on Data Privacy Day, but you can at least take a few steps in the right direction. Delete any apps you’re not using, and see if there are more privacy-friendly alternatives to some of your more frequently used apps.


The post It’s Data Privacy Day. Do You Know What Info Your Apps Are Tracking? appeared first on Adam Levin.

Google Receives Geofence Warrants

Sometimes it's hard to tell the corporate surveillance operations from the government ones:

Google reportedly has a database called Sensorvault in which it stores location data for millions of devices going back almost a decade.

The article is about geofence warrants, where the police go to companies like Google and ask for information about every device in a particular geographic area at a particular time. In 2013, we learned from Edward Snowden that the NSA does this worldwide. Its program is called CO-TRAVELLER. The NSA claims it stopped doing that in 2014 -- probably just stopped doing it in the US -- but why should it bother when the government can just get the data from Google.

Both the New York Times and EFF have written about Sensorvault.

Zoom Bug Could Have Let Uninvited People Join Private Meetings

If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session. Besides hosting password-protected virtual

Facial recognition firm sued for scraping 3 billion faceprints

A potential class action says Clearview AI is breaking biometrics privacy law by ransacking social media so police can match photos with IDs.

Avast Subsidiary Sells User Browsing History

A subsidiary of Avast antivirus is selling sensitive user browsing data to many companies, including Revlon, Microsoft, Google, Yelp, Condé Nast, and TripAdvisor.

According to a recent joint investigation by Vice’s Motherboard and PCMag, highly granular and sensitive data from users of Avast antivirus is being repackaged and sold to companies via a subsidiary called Jumpshot, which promises buyers of the data information on “Every search. Every click. Every buy. On every site.”

Avast’s “free” or “freemium” antivirus software has over 435 million active users, with 100 million devices feeding data into Jumpshot, including Google searches, LinkedIn activity, YouTube activity, and activity on pornographic websites. According to the Motherboard article, “multiple Avast users… were not aware Avast sold browsing data, raising questions about how informed that consent is.”

The primary method of Avast’s data collection was initially via web browser extensions distributed through subsidiaries such as AVG. After security researchers raised privacy concerns, Google and Mozilla removed and banned these extensions from Chrome and Firefox. Since then, the company has harvested user information through its antivirus software itself.

Representatives from Avast responded to the report by emphasizing that users can opt out of their data collection, and that any data collected is anonymized.

“We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data,” the company announced in a statement. 

Critics of the company’s data collection policies responded to this statement with skepticism.

“It’s almost impossible to de-identify data,” said law professor Eric Goldman. “When they promise to de-identify the data, I don’t believe it.”

Read the article here.

The post Avast Subsidiary Sells User Browsing History appeared first on Adam Levin.

Did H&M spy on its German employees? Privacy watchdog opens an investigation

A German privacy watchdog is investigating clothing retailer H&M for allegedly spying on its customer service representatives in Germany.

Hamburg’s data protection commissioner has launched an investigation into Swedish clothing retailer H&M (Hennes & Mauritz) amid evidence that the company was spying on its customer service representatives in Germany.

According to the German privacy watchdog, a hard drive containing about 60 gigabytes of data revealed that superiors at the site in Nuremberg kept “detailed and systematic” records about employees’ private and sensitive data.

“Hamburg’s data protection commissioner said in a statement Monday that a hard drive containing about 60 gigabytes of data revealed that superiors at the site in Nuremberg kept “detailed and systematic” records about employees’ health, from bladder weakness to cancer, and about their private lives, such as family disputes or holiday experiences.” reads a post published by the Associated Press.

Johannes Caspar, the Hamburg data protection commissioner, said the records show massive surveillance of employees. The records were accessible to all company managers.

“In fact, there was a massive spying out of the employees at the location in Nuremberg,” Caspar told the German Press Agency. “This has resulted in a significant evaluation of the reports available to us.”


H&M said in a statement that it takes the case “very seriously” and expressed its “honest regret” to the affected staff.

“The qualitative and quantitative extent of the employee data accessible to the entire management level of the company shows a comprehensive research of the employees, which has not been comparable in the past few years,” added Caspar. “It is also health data of those affected, from bladder weakness to cancer, as well as data from people in their social environment, such as family disputes, deaths or holiday experiences.”

The company said that it is offering full cooperation with data protection officials, it also added that its managers had already taken urgent measures in response to the incident.

In the coming weeks, the data protection commissioner will decide on a fine. Under the EU GDPR, H&M could face a fine of up to four percent of its global annual turnover.

Pierluigi Paganini

(SecurityAffairs – H&M, privacy)

The post Did H&M spy on its German employees? Privacy watchdog opens an investigation appeared first on Security Affairs.

Modern Mass Surveillance: Identify, Correlate, Discriminate

Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts (a statewide ban may follow). In December, San Diego suspended a facial recognition program in advance of a new statewide law, which declared it illegal, coming into effect. Forty major music festivals pledged not to use the technology, and activists are calling for a nationwide ban. Many Democratic presidential candidates support at least a partial ban on the technology.

These efforts are well-intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we're in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it's being built by corporations in order to influence our buying behavior, and is incidentally used by the government.

In all cases, modern mass surveillance has three broad components: identification, correlation and discrimination. Let's take them in turn.

Facial recognition is a technology that can be used to identify people without their knowledge or consent. It relies on the prevalence of cameras, which are becoming both more powerful and smaller, and machine learning technologies that can match the output of these cameras with images from a database of existing photos.

But that's just one identification technology among many. People can be identified at a distance by their heartbeat or by their gait, using a laser-based system. Cameras are so good that they can read fingerprints and iris patterns from meters away. And even without any of these technologies, we can always be identified because our smartphones broadcast unique numbers called MAC addresses (newer phones randomize the address they use while scanning for Wi-Fi, but any identifier that stays stable over time serves the same purpose). Other things identify us as well: our phone numbers, our credit card numbers, the license plates on our cars. China, for example, uses multiple identification technologies to support its surveillance state.

Once we are identified, the data about who we are and what we are doing can be correlated with other data collected at other times. This might be movement data, which can be used to "follow" us as we move throughout our day. It can be purchasing data, Internet browsing data, or data about who we talk to via email or text. It might be data about our income, ethnicity, lifestyle, profession and interests. There is an entire industry of data brokers who make a living analyzing and augmenting data about who we are -- using surveillance data collected by all sorts of companies and then sold without our knowledge or consent.

There is a huge -- and almost entirely unregulated -- data broker industry in the United States that trades on our information. This is how large Internet companies like Google and Facebook make their money. It's not just that they know who we are, it's that they correlate what they know about us to create profiles about who we are and what our interests are. This is why many companies buy license plate data from states. It's also why companies like Google are buying health records, and part of the reason Google bought the company Fitbit, along with all of its data.

The whole purpose of this process is for companies -- and governments -- to treat individuals differently. We are shown different ads on the Internet and receive different offers for credit cards. Smart billboards display different advertisements based on who we are. In the future, we might be treated differently when we walk into a store, just as we currently are when we visit websites.

The point is that it doesn't matter which technology is used to identify people. That there currently is no comprehensive database of heartbeats or gaits doesn't make the technologies that gather them any less effective. And most of the time, it doesn't matter if identification isn't tied to a real name. What's important is that we can be consistently identified over time. We might be completely anonymous in a system that uses unique cookies to track us as we browse the Internet, but the same process of correlation and discrimination still occurs. It's the same with faces; we can be tracked as we move around a store or shopping mall, even if that tracking isn't tied to a specific name. And that anonymity is fragile: If we ever order something online with a credit card, or purchase something with a credit card in a store, then suddenly our real names are attached to what was anonymous tracking information.
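To make the correlation step concrete, here is an added example in Python that is not part of the essay. Events carry whatever identifiers happened to be observable at the time: a cookie, a device address, a card token. A union-find pass links any identifiers that appear together, so a browsing trail, a device seen in a mall and a checkout all end up in one cluster. No event names the person until a single checkout does, and at that moment every page and location reachable through the linked identifiers is attached to the name. All identifiers, pages and events below are constructed.

```python
"""Linking pseudonymous identifiers across events until one carries a name.

Added example; every event and identifier below is CONSTRUCTED.
"""
from collections import defaultdict

# Each event records only what was observable at the time.
EVENTS = [
    {"cookie": "c-7f3a", "page": "/clinic/oncology"},
    {"cookie": "c-7f3a", "device": "mac-aa:bb", "page": "/pharmacy"},
    {"device": "mac-aa:bb", "location": "mall-east"},          # in-store tracking
    {"cookie": "c-9e1d", "page": "/news"},                      # someone else
    {"cookie": "c-7f3a", "card": "card-4421", "name": "A. Example",
     "page": "/checkout"},                                      # the one named event
]

ID_KEYS = ("cookie", "device", "card")  # identifiers worth linking on


class UnionFind:
    """Minimal disjoint-set structure over string identifiers."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(events):
    """Group events whose identifiers are linked, directly or transitively.

    Returns {cluster_root: {"names": set, "events": [event, ...]}}.
    Clusters form whether or not any event carries a real name.
    """
    uf = UnionFind()
    for ev in events:
        ids = [ev[k] for k in ID_KEYS if k in ev]
        for ident in ids:                      # identifiers seen together are one entity
            uf.union(ids[0], ident)
    clusters = defaultdict(lambda: {"names": set(), "events": []})
    for ev in events:
        ids = [ev[k] for k in ID_KEYS if k in ev]
        if not ids:
            continue
        root = uf.find(ids[0])
        clusters[root]["events"].append(ev)
        if "name" in ev:
            clusters[root]["names"].add(ev["name"])
    return dict(clusters)


def deanonymized(events):
    """Return {real name: sorted trail of pages/locations now tied to that name}."""
    out = {}
    for cluster in correlate(events).values():
        trail = sorted(ev.get("page") or ev.get("location") for ev in cluster["events"])
        for name in cluster["names"]:
            out[name] = trail
    return out


if __name__ == "__main__":
    print("without the checkout:", deanonymized(EVENTS[:-1]))   # {}
    print("with the checkout:   ", deanonymized(EVENTS))
```

Drop the last event and the clusters are still there, so the tracking, and whatever discrimination is built on it, works exactly as before; the only thing the checkout changes is that the oncology visit now has a name on it.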

Regulating this system means addressing all three steps of the process. A ban on facial recognition won't make any difference if, in response, surveillance systems switch to identifying people by smartphone MAC addresses. The problem is that we are being identified without our knowledge or consent, and society needs rules about when that is permissible.

Similarly, we need rules about how our data can be combined with other data, and then bought and sold without our knowledge or consent. The data broker industry is almost entirely unregulated; there's only one law -- passed in Vermont in 2018 -- that requires data brokers to register and explain in broad terms what kind of data they collect. The large Internet surveillance companies like Facebook and Google collect dossiers on us that are more detailed than those of any police state of the previous century. Reasonable laws would prevent the worst of their abuses.

Finally, we need better rules about when and how it is permissible for companies to discriminate. Discrimination based on protected characteristics like race and gender is already illegal, but those rules are ineffectual against the current technologies of surveillance and control. When people can be identified and their data correlated at a speed and scale previously unseen, we need new rules.

Today, facial recognition technologies are receiving the brunt of the tech backlash, but focusing on them misses the point. We need to have a serious conversation about all the technologies of identification, correlation and discrimination, and decide how much we as a society want to be spied on by governments and corporations -- and what sorts of influence we want them to have over our lives.

This essay previously appeared in the New York Times.

EDITED TO ADD: Rereading this post-publication, I see that it comes off as overly critical of those who are doing activism in this space. Writing the piece, I wasn't thinking about political tactics. I was thinking about the technologies that support surveillance capitalism, and law enforcement's usage of that corporate platform. Of course it makes sense to focus on face recognition in the short term. It's something that's easy to explain, viscerally creepy, and obviously actionable. It also makes sense to focus specifically on law enforcement's use of the technology; there are clear civil and constitutional rights issues. The fact that law enforcement is so deeply involved in the technology's marketing feels wrong. And the technology is currently being deployed in Hong Kong against political protesters. It's why the issue has momentum, and why we've gotten the small wins we've had. (The EU is considering a five-year ban on face recognition technologies.) Those wins build momentum, which lead to more wins. I should have been kinder to those in the trenches.

If you want to help, sign the petition from Public Voice calling on a moratorium on facial recognition technology for mass surveillance. Or write to your US congressperson and demand similar action. There's more information from EFF and EPIC.

From Privacy to Trust and ROI

As we embark on a new decade, data privacy has become top-of-mind for business executives and consumers worldwide.  Data breaches frequently expose the personal data of millions, and many companies have not done enough to protect themselves from intentional or unintentional misuse. While it is often hard to reach agreement on new legislation, one issue that governments around the world seem to agree on is the need to help protect the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) became enforceable in May 2018, and many countries, from China to Brazil, have updated or passed their own regulations. The new California Consumer Privacy Act (CCPA) became effective at the beginning of 2020, other states are following suit, and a U.S. Federal privacy law is now under consideration.

Insights from the Cisco Data Privacy Research Program

The Cisco Chief Privacy Office has provided groundbreaking research and insights to help organizations and consumers understand what they can and should do to keep data safe and maximize their investments in data privacy. Two years ago, we launched our Data Privacy Benchmark Study, which explored privacy maturity and investments across thousands of organizations worldwide. We found that two-thirds of organizations were experiencing significant sales delays due to customers’ data privacy concerns, but that privacy investment was minimizing those delays. Last year, we expanded our inquiry to explore a wide range of business benefits, including the connection between privacy investment and security benefits such as fewer and less costly breaches. In November, we released a companion study looking at the attitudes and behaviors of consumers worldwide. We identified a large group we call “Privacy Actives” – that is, consumers who care about privacy, are willing to spend time or money to protect their data, and have already switched companies or providers based on their data policies.

The 2020 Data Privacy Benchmark Study and the ROI of Privacy

Today, in observance of International Data Privacy Day, I am pleased to share our 2020 Data Privacy Benchmark Study. Drawing on data from 2800 organizations in 13 countries, we have – for the first time – calculated the ROI for privacy. In addition, we updated the privacy metrics we have been tracking over several years and explored the value of privacy certifications in today’s market. The key findings:

  • For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. We asked respondents to quantify their annual privacy investment and business benefits, and we used this to calculate their privacy ROI. Most organizations are seeing very positive returns, and over 40% are realizing at least double their investment.
  • 70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year, and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
  • Higher accountability translates to increased benefits: Companies with higher accountability scores (as assessed using the Accountability Wheel of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns.
  • Eighty-two percent of organizations see privacy certifications as a motivation for purchasing: Privacy certifications such as ISO/IEC 27701 and the EU-U.S. Privacy Shield are becoming an important purchasing factor when selecting a third-party vendor.

What does this mean for organizations?

The results of this study highlight that privacy is good for business, beyond any compliance requirements. We recommend that organizations:

  • Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
  • Work to obtain external privacy certifications; these have become an important factor in the buying process.
  • Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.

In future blogs, I will explore these results more fully, including some of the interesting differences in results across geographies and company size.

More Information

Cisco Data Privacy Benchmark Study 2020

Press Announcement Cisco Data Privacy Benchmark Study 2020 Confirms Positive Financial Benefits of Strong Corporate Data Privacy Practices

Cisco Data Privacy Benchmark Study 2020 – Infographic

Cisco 2019 Data Privacy Benchmark Study

Consumer Privacy Survey

Cisco Data Privacy

Follow Robert on Twitter @RobertWaitman


The post From Privacy to Trust and ROI appeared first on Cisco Blogs.

Patients believe stronger privacy protections are more important than easier health data access

Patients and consumers deserve better access to personalized, actionable health care information to empower them to make better, more informed decisions – but it should not drive up health care costs or compromise the privacy of their personal health data, according to a poll of patients and consumers from Morning Consult and America’s Health Insurance Plans (AHIP). Personal privacy outweighs increased transparency A strong majority (62%) of patients want their data and privacy protected more … More

The post Patients believe stronger privacy protections are more important than easier health data access appeared first on Help Net Security.

Cisco Webex flaw allows unauthenticated remote attackers to join private meetings

Cisco addressed a vulnerability in Cisco Webex that could be exploited by a remote, unauthenticated attacker to join a protected video conference meeting.

Cisco has addressed a high-severity flaw in the Cisco Webex video conferencing platform (CVE-2020-3142) that could be exploited by a remote, unauthenticated attacker to enter a password-protected video conference meeting.

To exploit CVE-2020-3142, an attacker only needs a known meeting ID or meeting URL; opening it from the Webex mobile application for iOS or Android lets the attacker join the meeting without supplying the meeting password.

“A vulnerability in Cisco Webex Meetings Suite sites and Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android.” reads the security advisory published by Cisco. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”

CVE-2020-3142 has received a CVSS score of 7.5 out of 10. Cisco discovered it while resolving a Cisco TAC support case.

Fortunately, the presence of the attackers in the meeting is easy to detect because the unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee. 

The vulnerability affects Cisco Webex Meetings Suite sites earlier than 39.11.5 and Cisco Webex Meetings Online sites earlier than 40.1.3.

Cisco addressed the CVE-2020-3142 vulnerability with the release of the versions 39.11.5 and later and 40.1.3 and later for Webex Meetings Suite sites and Webex Meetings Online sites.

The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attack exploiting the vulnerability in the wild.
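Two checks a Webex administrator might script from the advisory details above, as an added example that is not Cisco’s code: whether a site version is still below the fixed release for its product line (the two lines have different thresholds, so the product matters), and which attendees on a meeting roster joined from a mobile client without being on the invite list, which is the detection hint the advisory gives. The fixed versions are the ones stated above; the roster records, their field names (`email`, `client`) and the invite list are assumptions constructed for illustration, not a Webex export format.

```python
"""Checks derived from the Cisco advisory for CVE-2020-3142.

Added example, not Cisco's code. Fixed versions come from the advisory;
the roster format below is an ASSUMPTION for illustration.
"""

# First fixed release per product line, as stated in the advisory.
FIXED_VERSION = {
    "meetings_suite": (39, 11, 5),    # Webex Meetings Suite sites
    "meetings_online": (40, 1, 3),    # Webex Meetings Online sites
}


def parse_version(text):
    """'39.11.5' -> (39, 11, 5); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True when the site runs a version earlier than the first fixed release.

    The product line must be given explicitly: 40.1.2 is fixed for a
    Meetings Suite site but still vulnerable for a Meetings Online site.
    """
    fixed = FIXED_VERSION[product]
    v = parse_version(version)
    v = v + (0,) * (len(fixed) - len(v))   # treat '40.1' as 40.1.0
    return v < fixed


def uninvited_mobile_attendees(invited_emails, roster):
    """E-mails of attendees who joined from a mobile client but were not invited.

    The advisory notes an unauthorized attendee shows up in the attendee
    list as a mobile attendee; this is the roster-side check for that.
    """
    invited = {e.strip().lower() for e in invited_emails}
    return sorted(
        a["email"]
        for a in roster
        if a.get("client", "").lower() == "mobile"
        and a["email"].strip().lower() not in invited
    )


# Constructed sample roster and invite list (assumed field names).
SAMPLE_INVITED = ["alice@example.com", "bob@example.com"]
SAMPLE_ROSTER = [
    {"email": "alice@example.com", "client": "desktop"},
    {"email": "bob@example.com", "client": "mobile"},        # invited, fine
    {"email": "stranger@example.net", "client": "mobile"},   # uninvited mobile join
    {"email": "guest@example.org", "client": "web"},         # uninvited but not mobile
]


if __name__ == "__main__":
    for product, ver in [("meetings_suite", "39.11.4"), ("meetings_online", "40.1.2")]:
        print(product, ver, "affected" if is_affected(product, ver) else "fixed")
    print("uninvited mobile:", uninvited_mobile_attendees(SAMPLE_INVITED, SAMPLE_ROSTER))
```

The second check is only a triage aid: an uninvited web or desktop attendee is still worth a look, and a host who never sends invitations by e-mail has no list to compare against, so the durable fix remains upgrading past the versions above.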

A couple of weeks ago, Cisco Systems released security fixes for two high-severity vulnerabilities in its products, including a remote code execution flaw in the Webex video conferencing platform.

The Webex flaw addressed by Cisco resides in the web-based management interface of Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing.

This flaw affects Webex Video Mesh Software releases earlier than 2019.09.19.1956m.

Pierluigi Paganini

(SecurityAffairs – Webex, hacking)

The post Cisco Webex flaw allows unauthenticated remote attackers to join private meetings appeared first on Security Affairs.

New Bill Proposes NSA Surveillance Reforms

The newly-introduced bill targets the Patriot Act's Section 215, previously used by the U.S. government to collect telephone data from millions of Americans.

Privacy watchdog throws wider net to protect children online

A new, comprehensive code will compel online services to put children's health and safety before data-collecting profits.

Lessons from Microsoft’s 250 million data record exposure

Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible to anyone with a browser, who knew the server location, for about a month in total before an external researcher detected the problem. The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated … More

The post Lessons from Microsoft’s 250 million data record exposure appeared first on Help Net Security.

Smashing Security #162: Robocalls, health hacks, and facial recognition fears

A hospital gets hacked because of an ex-employee’s grudge, robocalls are on the rise, and we share a scary story about the future of facial recognition.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Michael Hucks.

There is no easy fix to AI privacy problems

Artificial intelligence – more specifically, the machine learning (ML) subset of AI – has a number of privacy problems. Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. These AI systems need to access and “consume” huge amounts of data in order to exist and, in many … More

The post There is no easy fix to AI privacy problems appeared first on Help Net Security.

Mitsubishi Electric discloses data breach, possible data leak

Japanese multinational Mitsubishi Electric has admitted that it had suffered a data breach some six months ago, and that “personal information and corporate confidential information may have been leaked.” The company, though, claims that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners have not been leaked.” What was compromised in the Mitsubishi Electric data breach? Mitsubishi Electric is a manufacturer of … More

The post Mitsubishi Electric discloses data breach, possible data leak appeared first on Help Net Security.

NIST releases version 1.0 of the Privacy Framework

NIST has released version 1.0 of its Privacy Framework, a tool designed to help organizations manage privacy risks.

The National Institute of Standards and Technology (NIST) has published version 1.0 of its Privacy Framework. The Framework is a voluntary tool that organizations can use to manage privacy risks and support compliance with privacy legislation, including the European GDPR.

The NIST Privacy Framework is designed to help organizations manage privacy risks, with specific focuses on:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment;
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

The framework provides building blocks that help organizations in achieving privacy goals.

The Framework is composed of three main parts, the Core, Profiles, and Implementation Tiers.

The Core enables communications within organizations about privacy protection activities and desired goals. Profiles allow organizations to prioritize the outcomes and activities according to privacy values, the business mission, and risks.

Implementation tiers help organizations to optimize the resources that are necessary to manage the risk.

Once an organization has analyzed the potential impact of its privacy risks, it may prioritize them according to its strategy. Responses to a privacy risk include:

  • Mitigating the risk (e.g., organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree);
  • Transferring or sharing the risk (e.g., contracts are a means of sharing or transferring risk to other organizations, privacy notices and consent mechanisms are a means of sharing risk with individuals);
  • Avoiding the risk (e.g., organizations may determine that the risks outweigh the benefits, and forego or terminate the data processing);
  • Accepting the risk (e.g., organizations may determine that problems for individuals are minimal or unlikely to occur, therefore the benefits outweigh the risks, and it is not necessary to invest resources in mitigation).

The framework should also help organizations keep up with technological advances and new uses for data.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” said Naomi Lefkovitz, NIST privacy policy adviser who led the development of the framework. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

The Privacy Framework is designed to complement the NIST Cybersecurity Framework; using both together helps an organization understand the different origins of cybersecurity and privacy risks and determine the most effective solutions to address them.

Additional details are included in the document titled “NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT.”

Pierluigi Paganini

(SecurityAffairs – privacy, NIST)

The post NIST releases version 1.0 of the Privacy Framework appeared first on Security Affairs.

Sextortion scam leverages Nest video footage to fool victims into believing they are being spied upon everywhere

A bizarre sextortion scam is attempting to trick victims into believing that not only has their smartphone been hacked to spy upon their private lives, but so has every other device they have encountered which contains a built-in camera.

Read more in my article on the Hot for Security blog.

Clearview AI and Facial Recognition

The New York Times has a long story about Clearview AI, a small company that scrapes identified photos of people from pretty much everywhere, and then uses unstated magical AI technology to identify people in other photos.

His tiny company, Clearview AI, devised a groundbreaking facial recognition app. You take a picture of a person, upload it and get to see public photos of that person, along with links to where those photos appeared. The system -- whose backbone is a database of more than three billion images that Clearview claims to have scraped from Facebook, YouTube, Venmo and millions of other websites -- goes far beyond anything ever constructed by the United States government or Silicon Valley giants.

Federal and state law enforcement officers said that while they had only limited knowledge of how Clearview works and who is behind it, they had used its app to help solve shoplifting, identity theft, credit card fraud, murder and child sexual exploitation cases.

[...]

But without public scrutiny, more than 600 law enforcement agencies have started using Clearview in the past year, according to the company, which declined to provide a list. The computer code underlying its app, analyzed by The New York Times, includes programming language to pair it with augmented-reality glasses; users would potentially be able to identify every person they saw. The tool could identify activists at a protest or an attractive stranger on the subway, revealing not just their names but where they lived, what they did and whom they knew.

And it's not just law enforcement: Clearview has also licensed the app to at least a handful of companies for security purposes.

Another article.

EDITED TO ADD (1/23): Twitter told the company to stop scraping its photos.

NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance

Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk.

Version 1.0 of the NIST Privacy Framework

The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. … More

The post NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance appeared first on Help Net Security.

Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity

Chinese authorities continue operations against unauthorized VPN services that are very popular in the country.

China continues to intensify its monitoring of cyberspace and its prosecution of VPN services that could be used to bypass its censorship system, known as the Great Firewall.

The Great Firewall project has already blocked access to hundreds of the world’s top 1,000 websites, including Google, Facebook, Twitter, and Dropbox.

Since early 2019, the Chinese authorities have been banning “unauthorized” VPN services: any company offering such a service in the country must obtain an appropriate license from the government.

In December, the Chinese authorities sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization.

According to an announcement from China’s Procuratorate Daily, the man was also fined 500,000 yuan ($76,000). Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Now media report a new arrest made by Chinese authorities in the city of Taizhou: the police arrested a man with the pseudonym Gao (29) who had successfully operated a VPN service since mid-2016. Gao made more than 11 million Chinese yuan ($1.6 million) from renting access to VPN servers to more than 28,000 regular customers; he pleaded guilty in 2019 and is still awaiting the final sentence.

In December 2017, Chinese authorities sentenced a man from Dongguan to nine months in prison for operating a VPN service that earned him $2,000. Other criminal cases were reported by Chinese authorities in the following months; the blocked services had thousands of customers in the country.

In July 2019, in compliance with the Chinese Internet monitoring law, Apple started removing all iOS VPN apps from its App Store in China.

Pierluigi Paganini

(SecurityAffairs – Chinese authorities, privacy)

The post Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity appeared first on Security Affairs.

Facial recognition is real-life ‘Black Mirror’ stuff, Ocasio-Cortez says

"People think they're going to put on a cute filter and have puppy dog ears, and not realize that that data's being collected."

What Website Owners Should Know About Terms and Conditions

All website owners should consider terms and conditions (T&Cs) to be a form of legal protection as they establish the responsibility and rights of the involved parties. T&Cs provide full security should anything go amiss and they also help you settle any disputes quickly without having to resort to the courts.

Is it a legal requirement to include T&Cs?
No, but it’s always best to include terms and conditions on your website as they will enable you to reduce your potential liabilities. It is essential that you let your customers or visitors know about their rights; if you’re not clear about your policies, they may dispute matters such as cancellation options, item returns and other rights, putting your company at a disadvantage. Additionally, if areas are unclear in your terms and conditions or not mentioned at all, you may be liable to give your customers more rights than they are entitled to under statute.
Do you have to include GDPR provisions?
Website owners, even those outside the European Union (EU), should also consider incorporating the General Data Protection Regulation. Inserting a data protection clause can reassure your customers that their data will not be used for inappropriate purposes. You can include the majority of the GDPR obligations in your site’s privacy policy.

What should you include in the T&Cs?
If you are an online seller, it is essential to explain to customers the various processes involved, such as:
  • How to make a purchase
  • How to make a payment
  • How they will receive their products
  • How they can cancel orders
T&Cs help you establish boundaries by outlining what specific rights customers have. In return, you also inform them about your obligations as a seller and the limits of your legal liability.

What kind of protection can you expect from the T&Cs?
It may not be uncommon for disputes to arise between you and your online customers or visitors. Therefore, it is essential to ensure that the terms and conditions are accessible, preferably on your website.

You also need to protect your website from copyright infringements. You can avoid potential disputes and confusion by specifying which sections are copyrighted and which are your intellectual property. You should also stipulate what visitors can do with your data. If there is any breach of your copyright or intellectual property, the terms and conditions should clearly explain how the problem will be resolved.

Are there standard T&Cs which apply to all websites?
There are general formats or templates of T&Cs that you can obtain for free online. However, there is always the possibility that these documents will not cover specific aspects of your business or will not include the relevant terms. If you omit an essential term from your website, you may find yourself vulnerable if a dispute arises. Therefore, it is critical that you customise your terms and conditions so they are suitable for your website and business.
  • Product and service offerings – No two businesses are alike, even if you sell the same products and services. For example, your competitor may only accept PayPal but you may allow other modes of payment.
  • Industry or target audience – In every industry, there are specific provisions that need to be included in the T&Cs. For example, customers may have a legal right to cancel or return their purchases within a specified period.
Can website owners enforce their T&Cs?
Your T&Cs are like any other enforceable contract. Nevertheless, you must ensure that they don’t contravene existing consumer laws or government regulations. Remember, you should only incorporate clauses that you can legally apply.

Conclusion
Terms and conditions are necessary for all businesses, including e-commerce sites. It is essential that you create T&Cs that are suitable for your products and services, and that they are legally enforceable. You also need to periodically review your T&Cs, especially if there have been any significant changes to your business structure or the law. Moreover, they must be accessible to your online customers and visitors. If they are not aware of your T&Cs, you may find it difficult to enforce them if a problem arises.

Written by Kerry Gibbs, a legal expert at BEB Contract and Legal Services.

Apps are sharing more of your data with ad industry than you may think

Apps like Grindr, Tinder and Happn are (over-)sharing data about sexuality, religion, and location with a shadowy network of data brokers. And it's not just dating apps that are doing it...

Facebook users will be notified when their credentials are used for third-party app logins

Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account. At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites.

Login Notifications

The new feature, called Login Notifications, will deliver notifications to users via the Facebook app and user’s associated … More

The post Facebook users will be notified when their credentials are used for third-party app logins appeared first on Help Net Security.

Smashing Security #161: Love, lucky dips, and 23andMe

The man who hacked the UK National Lottery didn’t end up a winner, Japanese Love hotel booking tool suffers a data breach, and just what is 23andMe planning to do with your DNA?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.

Baby App “Peekaboo” Leaks Photos, Videos and Personal Data

An unsecured database discovered online has leaked thousands of baby photos and videos. 

Bithouse, Inc. left unprotected and accessible online an Elasticsearch database containing nearly 100GB of information associated with its app Peekaboo Moments. The leaked data includes photos, videos, and birthdates of babies, as well as 800,000 email addresses, location data, and detailed device information.

The leaked data was discovered by Dan Ehrlich of the security consulting firm Twelve Security.

“I’ve never seen a server so blatantly open,” Ehrlich said of the leak. 

The lack of protection of user security seemingly contradicts the company’s promises on the Google Play store.

“Data privacy and security come as our priority. Every Baby’s photos, audios & videos or diaries will be stored in secured space. Only families & friends can have access to baby’s moments at your control,” says the description of the app, which has been downloaded over a million times since 2012.

Bithouse has yet to comment on the leak or take the leaked data offline.


The post Baby App “Peekaboo” Leaks Photos, Videos and Personal Data appeared first on Adam Levin.

Peekaboo Moments app left baby videos, photos, and 800,000 users’ email addresses exposed on the internet

The developer of a smartphone app has carelessly left a database accessible to anybody with an internet connection, leaving exposed a database of millions of records containing baby videos and photos, as well as the email addresses of users.

Read more in my article on the Hot for Security blog.

GDPR Checklist For Small Businesses

The new General Data Protection Regulations (GDPR) which came into effect in 2018 meant some big changes in the way businesses collect and handle personal data. The idea behind the new legislation is to give individuals better access and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses who must now provide legal grounds for collecting data and must only use it for the intended purpose. What’s more, they need to follow these regulations to the letter and remain GDPR compliant at all times.

This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:

  • Understanding your data and responsibilities
  • Defining your data consent policy
  • Access requests and disposing of old data
  • Setting up a data storage and security policy
  • Training all staff on GDPR
  • Creating data processing notices

  1. Understanding your data and responsibilities

In order to be GDPR compliant it’s important that you understand what data you’re collecting and your responsibilities as a business. It’s therefore a good idea to get clued up on what is defined as ‘personal data’ and set out strict guidelines on how much information you need to collect. This is because a huge part of GDPR is ensuring that you only collect personal information you actually need and that it is only used for the intended purpose. The less you collect the easier it is to stay compliant.

You’ll also want to ensure anyone that is involved in the handling of data understands how to collect and store the data effectively, as well as how to process it in line with GDPR. As you collect data, it’s a good idea to keep a note of how consent is being obtained and what processes the data goes through once it has been collected.

  2. Setting out your data consent policy

Getting clear and explicit consent from individuals to collect and use their data is one of the most important aspects of GDPR. For this reason, you need to outline to customers or those using your services why you’re collecting their data and how you intend to use it in the future. Once they have actively agreed, you can then collect their data – this is usually done through sign-up forms or pop-ups. However, if they do not give you permission then under no circumstances should you record their personal information.

You must be able to show that you have obtained consent for all the data that you have collected. Otherwise, you run the risk of being fined. Another point worth noting is that you can no longer rely on underhand tactics such as pre-ticked boxes to gain consent. This is now illegal under GDPR and can land you in trouble. Finally, you must make it easy for individuals to opt out of receiving your communications. The best way to do this is by adding an unsubscribe button at the bottom of all emails.

  3. Access requests and disposing of old data

If you haven’t already, GDPR states that you must get re-permission from customers whose information you held before the new guidelines were implemented in May 2018. If they do not give you their consent once again or they do not reply to your email at all, you must delete their data as soon as possible. An important part of your GDPR checklist should be getting auditing processes in place that determine how long you will store data. For example, if a customer has not engaged with your brand in 12 months it is no longer necessary to keep their information and it should therefore be deleted.

What’s more, as part of GDPR every EU individual has the right to access their data. Therefore you need a system in place to deal with access requests. You’ll have 30 days from receiving the request to provide them with an electronic copy of all the information you have on them. They can also request that this be deleted, so you need a system in place to get this done as quickly as possible.

  4. Setting up a data storage and security policy

GDPR is set out to protect the rights and personal information of individuals, therefore you need to make sure you’re taking care of the data you’re collecting. This means knowing where it is stored and ensuring you’ve got the security measures in place to keep it safe. Mapping out all the places where you store data, be that email, databases or cloud-based systems, makes it easier to find and deal with access or deletion requests. Your storage and security policy should outline where everything is stored, how it is protected and who has access to said data.

You also need to know how data is being transferred and the flow of information around your business. This stops information seemingly getting lost or falling into the wrong hands. It also pays to have a system in place just in case your hardware is accessed or lost, whilst containing sensitive information. For example, if a laptop full of information is misplaced, having the data encrypted means you’re less likely to fall victim to a breach or face a fine.

  5. Training all staff on GDPR

Most data breaches or security mistakes come as a result of human error. But unfortunately, in this case ignorance isn’t bliss, you cannot use ignorance as an excuse for mishandling data. For this reason, it’s important that all members of your team are clued up on GDPR, their personal responsibilities for looking after personal data, and how to recognise a breach. As part of GDPR, you must report any data breaches within 72 hours, this becomes much easier if everyone in your team is educated on what this looks like and who they need to report to.

  6. Creating data processing notices

Finally, data handling needs to be a clear and transparent process, so it’s a good idea to create a notice that explains how your business collects and processes data. This is often called a Fair Processing Notice and can be sent out to customers/users as well as being displayed somewhere on your website. It should outline how you capture, use and store data, as well as giving instructions on how an individual can make an access or deletion request. This helps them to understand how you are protecting their data and can be great for building your reputation as a legitimate and caring business.


The post GDPR Checklist For Small Businesses appeared first on CyberDB.

Apple says no to unlocking shooter’s phone; AG and Trump lash back

Attorney General Barr and President Trump are demanding Apple unlock the mass shooter's iPhone. Apple replies: You can't break just 1 phone.

Lottery hacker gets 9 months for his £5 cut of the loot

We don't care how little you made from your crimes, the judge said. We care that you went after an outfit that gives a ton to charities.

Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info

Facebook addressed last week a security flaw that exposed Page admin accounts; the bug was exploited against several high-profile pages.

Last week Facebook addressed a security issue that exposed Page admin accounts; the bug was exploited in attacks in the wild against several high-profile pages.

The page admin accounts are anonymous unless the Page owner opts to make the admins public, but a bug allowed anyone to reveal the accounts running a Page.

“The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can’t see, for example, the names of the people who post to Facebook on WIRED’s behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one.” reads a post published by Wired.

The “View edit history” feature in Facebook allows Page admins to view any activity related to a page, including the names of the users who made changes to a post. The bug allowed miscreants to reveal the account of the individual who made the changes, including Page admins, with serious privacy implications.

Wired confirmed that on message boards like 4chan, people started posting screenshots that doxed the accounts behind prominent pages. Exploitation of the bug was simple: by opening a target page and checking the edit history of a post, it was possible to view the account or accounts that made edits to each post.

Facebook quickly addressed the issue after it was alerted by a security researcher.

“We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history,” Facebook said in a statement. “We are grateful to the security researcher who alerted us to this issue.”

The list of the pages targeted by hackers included the ones belonging to President Donald Trump, the street artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and the rapper Snoop Dogg, among others.

In February 2018, the security researcher Mohamed Baset discovered a similar vulnerability on Facebook.

Baset explained that the flaw was a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post. The researcher analyzed the source code of the email sent by the social network and discovered it included the name of the administrator of the page and other info.

Pierluigi Paganini

(SecurityAffairs – Facebook, hacking)

The post Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info appeared first on Security Affairs.

Police Surveillance Tools from Special Services Group

Special Services Group, a company that sells surveillance tools to the FBI, DEA, ICE, and other US government agencies, has had its secret sales brochure published. Motherboard received the brochure as part of a FOIA request to the Irvine Police Department in California.

"The Tombstone Cam is our newest video concealment offering the ability to conduct remote surveillance operations from cemeteries," one section of the Black Book reads. The device can also capture audio, its battery can last for two days, and "the Tombstone Cam is fully portable and can be easily moved from location to location as necessary," the brochure adds. Another product is a video and audio capturing device that looks like an alarm clock, suitable for "hotel room stings," and other cameras are designed to appear like small tree trunks and rocks, the brochure reads.

The "Shop-Vac Covert DVR Recording System" is essentially a camera and 1TB harddrive hidden inside a vacuum cleaner. "An AC power connector is available for long-term deployments, and DC power options can be connected for mobile deployments also," the brochure reads. The description doesn't say whether the vacuum cleaner itself works.

[...]

One of the company's "Rapid Vehicle Deployment Kits" includes a camera hidden inside a baby car seat. "The system is fully portable, so you are not restricted to the same drop car for each mission," the description adds.

[...]

The so-called "K-MIC In-mouth Microphone & Speaker Set" is a tiny Bluetooth device that sits on a user's teeth and allows them to "communicate hands-free in crowded, noisy surroundings" with "near-zero visual indications," the Black Book adds.

Other products include more traditional surveillance cameras and lenses as well as tools for surreptitiously gaining entry to buildings. The "Phantom RFID Exploitation Toolkit" lets a user clone an access card or fob, and the so-called "Shadow" product can "covertly provide the user with PIN code to an alarm panel," the brochure reads.

The Motherboard article also reprints the scary emails Motherboard received from Special Services Group, when asked for comment. Of course, Motherboard published the information anyway.

Smashing Security #160: SNAFUs! MS Word, Amazon Ring, and TikTok

We discuss how Microsoft Word helped trap a multi-million dollar fraudster, how Amazon Ring may be recording more than you’re comfortable with, and how teens are flocking to TikTok (and why that might be a problem).

All this and much more is covered in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

CCPA and University Surveillance Apps

It’s the turn of a new decade and a new privacy law has gone into effect — the California Consumer Privacy Act or CCPA. A quick check with some of my fellow privacy pros on how many consumer information requests received at the end of the day on Jan. 1, puts retail at higher numbers […]

The post CCPA and University Surveillance Apps appeared first on Privacy Ref.

Cybercrime is moving towards smartphones – this is what you could do to protect your company

By 2021, cybercrimes will cost companies USD 6 trillion, according to a study.

The number of internet users has grown from an estimated 2 billion in 2015 to 4.4 billion in 2019, but so has cybercrime, which is expected to cost companies USD 6 trillion worldwide, according to a study by Cybersecurity Ventures.

Similarly, the number of smartphone users has grown from 2.5 billion in 2016 to 3.2 billion in 2019 and is forecasted to grow to 3.8 billion by 2021. Smartphones and the internet will make further inroads to our economic system. But there are certain risks involved as well.

Mobile phones are becoming targets of cybercriminals because of their widespread use and increasing computing power. Consider the fact that more than 60% of online fraud occurs through mobile phones. This threat is not just towards individual users but businesses as well. It does not matter how large the company is either: 43% of the cyberattacks in 2019 were aimed at smaller businesses because they do not have adequate protection.

Given how vulnerable smartphones are and that the threat from cyber attacks is only expected to increase, here are some measures you can take to protect your business from cybercriminals:

Rethink BYOD:

Bring Your Own Device (BYOD) offers several benefits to both the organization and employees. Such a policy allows employees at a company to use their own mobile phones, tablets, or laptops for work, saving companies the hassle of purchasing devices.

However, you need to rethink if you are saving more than what you are losing. Employees have confidential company information on their devices. Such a door into your organization can cost you heavily. Set aside the funds to obtain company devices for use by employees at the office. Consider such an investment as part of your cybersecurity strategy.


Cybersecurity assessments:

The cybersecurity threat landscape is ever-evolving due to the fast nature of innovation. Develop a comprehensive cybersecurity program that includes a regular assessment of your company’s security needs. Identify the strengths of your IT infrastructure against potential attacks, and do not let advances in technology or techniques take that away from you. Similarly, you should identify the vulnerabilities in your systems. Make sure any gaps in your defenses are appropriately plugged. A threat assessment should be an integral component of any cybersecurity policy.

Retrain staff:

Make sure that employees at your organization are informed and up to date on the latest in cyber threats. This way they can protect themselves and the company from cybercriminals. Even a single mistake by one employee can end up creating a door for individuals or groups wishing your company harm. All employees must be trained as a matter of policy. This way, they can identify phishing attacks and manage social engineering scams. Another factor your employees must be mindful of is resource monitoring. Suspicious resource use on company devices, whether it is excess internet or battery usage, should raise alarm bells. However, employees may not look into such things in detail because they do not own the devices. Train your staff to keep track of resource use too.


Employee monitoring:

Most organizations have some form of an employee monitoring policy and track their workers. If you haven’t done so already, develop such a policy, and keep your employees informed to ensure transparency. If you have decided to use company devices, you can opt to install monitoring apps on them. There are several modern monitoring apps currently available such as XNSPY. The app can keep track of online activities, generate a list of call logs, and remote control the device. Furthermore, you can track the location of the device in real-time, and use features such as geofencing and GPS history. There are other powerful features too, such as ambient recording, multimedia access, and online activity tracking. You can also wipe off all the data from a device in case of theft. Monitoring apps such as XNSPY should be a part of your strategy against cybercriminals.


Don’t forget physical infrastructure:

Cybersecurity may involve software updates and training policies, but making sure your physical infrastructure is safe is just as important. Re-evaluate how exposed your digital infrastructure is to physical access. Furthermore, go through the profiles of suppliers and vendors to vet them properly. A small door in any piece of equipment can let cybercriminals through and bypass your entire cybersecurity foundation. Be aware of this threat and make sure that suppliers work by following specific regulations.

Develop a threat monitoring policy:

Anticipating an attack and stopping it is an important part of comprehensive cybersecurity policy. Make sure that you are monitoring your digital infrastructure round the clock.

Invest in threat monitoring software and a team of professionals that can identify, track, and stop an attack.

The concept of designing a cybersecurity system as a fortification is changing to an adaptable system that can accommodate evolving security threats. Furthermore, a monitoring policy also needs to have a clear response plan.

Such a plan details what needs to happen and when in case of an attack. This ensures that there is a speedy response by your company against any threat.

Conclusion:

Smartphones have become powerful enough that they can be considered as computers in their own right. While this has created scores of opportunities, there are also clear threats posed by cybercrime. These threats are only going to increase as the internet and smartphone use increases. While protecting your business against cyber criminals requires a considerable investment of time and money, it will pay off in the long run.

Clark Thomas is an expert in VoIP. He helps both small and medium-sized businesses implement and adopt the best security methods for their organization and network. He gives great advice and assists people in boosting the security measures for their website and business.

The post Cybercrime is moving towards smartphones – this is what you could do to protect your company appeared first on CyberDB.

The Everyday Cyber Threat Landscape: Trends from 2019 to 2020

The past 12 months have been another bumper year for cybercrime affecting everyday users of digital technology. Trend Micro blocked more than 26.8 billion of these threats in the first half of 2019 alone. The bad news is that there are many more out there waiting to steal your personal data for identity fraud, access your bank account, hold your computer to ransom, or extort you in other ways.

To help you stay safe over the coming year we’ve listed some of the biggest threats from 2019 and some trends to keep an eye on as we hit the new decade. As you’ll see, many of the most dangerous attacks will look a lot like the ones we warned about in 2019.

As we enter 2020 the same rules apply: stay alert, stay sceptical, and stay safe by staying protected.

Top five threats of 2019

Cybercrime is a chaotic, volatile world. So, to make sense of the madness of the past 12 months, we’ve broken down the main types of threats consumers encountered into five key areas:

Home network threats: Our homes are increasingly powered by online technologies. Over two-thirds (69%) of US households now own at least one smart home device: everything from voice assistant-powered smart speakers to home security systems and connected baby monitors. But gaps in protection can expose them to hackers. As the gateway to our home networks, routers are particularly at risk. It’s a concern that 83% are vulnerable to attack. There were an estimated 105m smart home attacks in the first half of 2019 alone.

Endpoint threats: These are attacks aimed squarely at you the user, usually via the email channel. Trend Micro detected and blocked more than 26 billion such email threats in the first half of 2019, nearly 91% of the total number of cyber-threats. These included phishing attacks designed to trick you into clicking on a malicious link to steal your personal data and log-ins or begin a ransomware download. Or they could be designed to con you into handing over your personal details, by taking you to legit-looking but spoofed sites. Endpoint threats sometimes include social media phishing messages or even legitimate websites that have been booby-trapped with malware.

Mobile security threats: Hackers are also targeting our smartphones and tablets with greater gusto. Malware is often unwittingly downloaded by users, since it’s hidden in normal-looking Android apps, like the Agent Smith adware that infected over 25 million handsets globally this year. Users are also extra-exposed to social media attacks and those leveraging unsecured public Wi-Fi when using their devices. Once again, the end goal for the hackers is to make money: either by stealing your personal data and log-ins; flooding your screen with adverts; downloading ransomware; or forcing your device to contact expensive premium rate phone numbers that they own.

Online accounts under attack: Increasingly, hackers are after our log-ins: the virtual keys that unlock our digital lives. From Netflix to Uber, webmail to online banking, access to these accounts can be sold on the dark web or they can be raided for our personal identity data. Individual phishing attacks are one way to get these log-ins. But an increasingly popular method in 2019 was to use automated tools that try tens of thousands of previously breached log-ins to see if any of them work on your accounts. From November 2017 through the end of March 2019, over 55 billion such attacks were detected.

Breaches are everywhere: The raw materials needed to unlock your online accounts and help scammers commit identity fraud are stored by the organizations you interact with online. Unfortunately, these companies continued to be successfully targeted by data thieves in 2019. As of November 2019, there were over 1,200 recorded breaches in the US, exposing more than 163 million customer records. Even worse, hackers are now stealing card data directly from the websites you shop with, as it is entered, via “digital skimming” malware.

What to look out for in 2020

Smart homes under siege: As we invest more money in smart gadgets for our families, expect hackers to double down on network attacks. There’s a rich bounty for those that do: they can use an exposed smart endpoint as a means to sneak into your network and rifle through your personal data and online accounts. Or they could monitor your house via hacked security cameras to understand the best time to break in. Your hacked devices could even be recruited into botnets to help the bad guys attack others.

Social engineering online and by phone: Attacks that target user credulity are some of the most successful. Expect them to continue in 2020: both traditional phishing emails and a growing number of phone-based scams. Americans are bombarded by 200 million automated “robocalls” each day, 30% of which are potentially fraudulent. Sometimes phone fraud can shift quickly online; for example, tech support scams that convince the user there’s something wrong with their PC. Social engineering can also be used to extort money, such as in sextortion scams designed to persuade victims that the hacker has and is about to release a webcam image of them in a “compromising position.” Trend Micro detected a 319% increase in these attacks from 2H 2018 to the first half of 2019.

Threats on the move: Look out for more mobile threats in 2020. Many of these will come from unsecured public Wi-Fi which can let hackers eavesdrop on your web sessions and steal identity data and log-ins. Even public charging points can be loaded with malware, something LA County recently warned about. This comes on top of the escalating threat from malicious mobile apps.

All online accounts are fair game: Be warned that almost any online account you open and store personal data in today will be a target for hackers tomorrow. For 2020, this means, of course, that you will need to be extra careful about online banking. But also watch out for attacks on gaming accounts. Not only your personal identity data and log-ins but also lucrative in-game tokens will become highly sought after. Twelve billion of those recorded 55 billion credential stuffing attacks were directed at the gaming industry.

Worms make a comeback: Computer worms are dangerous because they self-replicate, allowing hackers to spread attacks without user interaction. This is what happened with the WannaCry ransomware attacks of 2017. A Microsoft flaw known as Bluekeep offers a new opportunity to cause havoc in 2020. There may be more out there.

How to stay safe

Given the sheer range of online threats facing computer users in 2020, you’ll need to cover all bases to keep your systems and data safe. That means:

Protecting the smart home with network monitoring solutions, regular checks for security updates on gadgets/router, changing the factory default logins to strong passwords, and putting all gadgets onto a guest network.

Tackling data-stealing malware, ransomware and other worm-style threats with strong AV from a reputable vendor, regular patching of your PC/mobile device, and strong password security (as given below).

Staying safe on the move by always using VPNs with public Wi-Fi, installing AV on your device, only frequenting official app stores, and ensuring you’re always on the latest device OS version. And steer clear of public USB charging points.

Keeping accounts secure by using a password manager for creating and storing strong passwords and/or switching on two-factor authentication where available. This will stop credential stuffing in its tracks and mitigate the impact of a third-party breach of your log-ins. Also, never log in to webmail or other accounts on shared computers.

Taking on social engineering by never clicking on links or opening attachments in unsolicited emails, texts or social media messages and never giving out personal info over the phone.

How Trend Micro can help

Fortunately, Trend Micro fully understands the multiple sources for modern threats. It offers a comprehensive range of security products to protect all aspects of your digital life — from your smart home, home PCs, and mobile devices to online accounts including email and social networks, as well as when browsing the web itself.

Trend Micro Home Network Security: Provides protection against network intrusions, router hacks, web threats, dangerous file downloads and identity theft for every device connected to the home network.

Trend Micro Security: Protects your PCs and Macs against web threats, phishing, social network threats, data theft, online banking threats, digital skimmers, ransomware and other malware. Also guards against over-sharing on social media.

Trend Micro Mobile Security: Protects against malicious app downloads, ransomware, dangerous websites, and unsafe Wi-Fi networks.

Trend Micro Password Manager: Provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign-in to.

Trend Micro WiFi Protection: Protects you on unsecured public WiFi by providing a virtual private network (VPN) that encrypts your traffic and ensures protection against man-in-the-middle (MITM) attacks.

Trend Micro ID Security (Android, iOS): Monitors underground cybercrime sites to securely check if your personal information is being traded by hackers on the Dark Web and sends you immediate alerts if so.

The post The Everyday Cyber Threat Landscape: Trends from 2019 to 2020 appeared first on .

Xiaomi Cameras Connected to Google Nest Expose Video Feeds From Others

Internet-connected devices have been one of the most remarkable developments that have happened to humankind in the last decade. Although this development is a good thing, it also poses a high security and privacy risk to personal information. In one such recent privacy mishap, smart IP cameras manufactured by Chinese smartphone maker Xiaomi were found mistakenly sharing surveillance footage

What’s In Your Business Plan? California’s Privacy Law Goes Into Effect

California’s groundbreaking privacy law went into effect January 1, 2020.

The California Consumer Privacy Act (CCPA) requires businesses to inform state residents if their data is being monetized as well as to provide them with a clearly stated means of opting out from the collection of their data and/or having it deleted. Businesses not in compliance with CCPA regulations may be fined by the state of California and sued by its residents.

The CCPA requirements only kick in for companies that have collected the personal data of more than 50,000 California residents and/or show more than $25 million in annual revenue. The primary exception to the CCPA is companies subject to California’s Insurance Information and Privacy Protection Act (IIPPA).

Under the CCPA, companies are allowed to sell “anonymized” user data. This exemption has drawn heavy criticism from privacy advocates due to several studies showing that anonymized data can be re-identified with personally identifiable information relatively easily.

While the law’s protections only apply to California residents, businesses such as Microsoft have implemented its provisions for all customers.

Much like the European Union’s General Data Protection Regulation, many of the details of the implementation of the CCPA have yet to be determined and will most likely require further clarification in court cases. 

“If you thought the GDPR was bumpy, the CCPA is going to be a real roller coaster,” said privacy and cybersecurity legal expert Reece Hirsh in an interview with The Verge.

The post What’s In Your Business Plan? California’s Privacy Law Goes Into Effect appeared first on Adam Levin.

The United Kingdom Leaks Home Addresses of Prominent Brits

2020 seems to be getting off to an inauspicious start with the compromise of the home addresses of prominent UK citizens–many of them in lines of work that could make them targets for crime.

The UK Cabinet Office issued an apology after a data leak that involved the exact addresses (including house and apartment numbers) of more than 1,000 New Year Honours recipients. The information was posted online and visible to the public for about an hour.

January 1 is one of two days reserved for the announcement of new members of the UK’s honor system, which includes newly minted members of the Order of Chivalry as well as other distinctions. The other day for such announcements is April 21, Queen Elizabeth’s birthday.

The names and addresses of 1,097 honors recipients were published on the New Year Honours website Friday, December 27. Included on the list were recording artist Sir Elton John, former Director of Public Prosecutions Alison Saunders, and several other athletes, celebrities, and government officials.

While many of the addresses on the list were already publicly available, individuals on the list are concerned for their safety.

“It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published,” said former Tory leader Sir Iain Duncan Smith to the Sunday Times.

“For someone like myself in direct frontline services, it would be very worrying if those details could be shared,” said Women’s Aid regional manager Sonya McMullen, whose address was also leaked.

As reported by the BBC, in an interview on Radio 4, former head of the civil service Lord Kerslake “suggested ‘human error’ could be to blame for the leak and called on investigators to look at whether staff were given training on data regulation.”

While the incident was subsequently reported to the Information Commissioner’s Office (ICO), which has the power to levy fines when personally identifiable information is mishandled or breached, what exactly is the right punishment for a crime where a layer of security is lost–and changing residence is the only remedy?

Do the fines cover the cost of selling a home, and all the associated expenses of moving? It’s an unknowable problem set, but there is one thing we know for certain: This sort of leak is avoidable. A combination of training and preventative systems can help employees avoid such grave mistakes–systems and protocols that work even on the day after Boxing Day, when employees may not be in the best shape.

There is always another layer of protection and prevention to be had when it comes to cyber and the protection of our information, just like there is always another story about failures to protect it.

The post The United Kingdom Leaks Home Addresses of Prominent Brits appeared first on Adam Levin.

Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely

During the last decade or so, software deployment for both SMBs and enterprises has become rather problematic – not so much in terms of scaling up, but rather in the number of licenses an institution has to purchase and renew. The costs can be enormous, which is the very reason company owners resort to cost-effective alternatives such as freeware, shareware, and open source. In this article, I’m going to run you through each category. After that, you can decide which is better for your business. Let’s get to it – freeware vs. shareware vs. open source. Who will win the race?

What is Freeware?

Loosely defined as a type of proprietary software that is distributed at no cost whatsoever to the user, freeware is the answer to accomplishing very simple tasks without investing in expensive, license-based software. Freeware has no EULA, license, or rights of any kind, which means that it can be deployed on both home and enterprise machines.

Freeware is not a modern concoction. In fact, the term itself was coined in the golden 80s by Andrew Fluegelman, who sought a means of making PC-Talk (a long-forgotten ancestor of Skype) available outside regular distribution channels. The key differentiator between freeware, shareware, and open source is that freeware does not make its source code available, despite being free of charge.

A couple of freeware examples: Discord (IM used by the gaming community), Yahoo Messenger (rest in peace, my friend), µTorrent, IrfanView, Groove Music, Winamp, DVD Shrink, CCleaner, and others.

Freeware pros:

  • Easy to use and deploy (for home users and enterprises/SMBs).
  • A great way to incentivize your potential customers (for software makers and marketeers gunning for paid licenses).
  • Solve daily tasks without having to invest in expensive software.
  • Quickly grow your user base.

Freeware cons:

  • Limited functionality.
  • No way of reverse-engineering it since the source code is not made available.
  • Customers may sometimes perceive the product as inferior.

What is Shareware?

Probably most of the apps found online and offline fall under this category. Shareware is so widespread that it ‘felt’ the need to have its own consortium. Called the Association of Shareware Professionals, or ASP for short, this international trade organization comprises over 1,500 vendors, authors, and online retailers. The term was coined around the same time as freeware.

While Fluegelman was pushing his PC-Talk communications app, Jim “Button” Knopf, an IBM employee at the time, was releasing a database program called PC-File. In legal terms, the main difference between Knopf’s app and Fluegelman’s freebie is that the database program was never meant to be offered free of charge.

Knopf himself called his creation “user-supported software”, meaning that users would need to cover some of the fees associated with the continual development of the product. No doubt an unusual marketing practice, but a lucrative one, given shareware’s popularity and availability.

Shareware is an umbrella term, encompassing various types of apps, each following a unique business model.

Types of shareware

1. Adware

Also called “advertising-supported software”, this type of shareware has embedded ads running alongside the apps. The purpose of adware is to generate revenue for its creator. Ads may be present during the installation process or as part of the user interface. Most are ‘hardwired’ to analyze the users’ traffic in order to display customized ads. Adware is free-to-use, but the sheer number of ads can interfere with normal operation. A large number of apps currently available on Google Play are adware.

2. Crippleware

It may sound like a new form of malware, but it’s actually a legitimate type of software. Why is it called “crippleware”? Because the author purposely “cripples” the app’s vital functions, making them available only in the paid or premium version. For instance, in a photo-editing app, the save-as-JPEG function may be disabled, or the photos may carry watermarks that can only be removed by upgrading to the full version.

3. Trialware

Trialware apps can be used for a limited period. In most cases, users will be granted access to all of the app’s functions (including the ones available in the paid version). However, once the trial period expires, the app will be disabled or revert to a very basic (and barely usable) version. From my experience, trialware that doesn’t cover vital system processes (e.g. an antivirus or malware scanner) will simply stop working. It will, of course, display a splash screen informing the user that the software has expired and must be upgraded to the full version.

4. Donationware

The software grants the user access to all of its features. However, it does come with one small request: the user is asked to shell out a small amount of cash to support the project or just show appreciation for the author’s work. The payout part is optional, having no bearing on the app’s functionality. Given its behavior, one could consider that donationware has more in common with freeware than with shareware.

5. Nagware

Pejorative in nature, the term “nagware” describes a software category that reminds users via on-screen messages that their licenses are about to expire and that they should upgrade to the full version. In most cases, the nags will continue well after the trial period is over. The functionality will be reduced, the user having access only to basic functions.

6. Freemium

A portmanteau term (“free” + “premium”) describing a type of software that ‘withholds’ advanced features, making them available in the premium version. The free version is fully functional. Nags are rare, but users might receive ads from time to time regarding the advantages of the premium versions.

Shareware pros:

  • Free to use.
  • Powerful features. Great for getting a one-time task done.
  • Donationware is just as good as any license-based application.
  • Diversity and abundance.
  • Most of them are cross-platform.

Shareware cons:

  • Some legal issues may arise if deployed on enterprise machines.
  • Poor compatibility with newer operating systems.
  • Ads and nags can become annoying.
  • Shareware doesn’t benefit from regular security and functionality updates the way licensed software does.

One last thing to mention – neither freeware nor shareware authors make the source code available for studying or altering. Which brings us to the third software category: open source.

What is Open-Source?

Open-source software or OSS is a type of software in which the author releases the source code. Furthermore, as far as the copyright is concerned, whoever holds the software’s license can distribute, study or alter the source code. Enterprises would often turn to open-source solutions since they’re much easier to customize compared to licensed software.

The best example of OSS I can think of is VLC player, one of the most popular video players available online. That’s on the consumer side.

As for enterprises and SMBs, there are a number of open-source packages that have successfully replaced their license-based counterparts: OpenCart (online shopping platform), SuiteCRM (useful for managing customer info), Helpy (self-service support), Mailman (management tool for email lists), WordPress (blogging), Datawrapper (data visualization), GIMP (powerful image editor), LibreOffice (perfect and free alternative to Microsoft Office), and the list goes on.

Open-source software pros:

  • Free and cheaper compared to (paid) license-based products.
  • Moddable, reliable, and easy to use.
  • Safer from a cybersecurity standpoint compared to free and even some license-based products.
  • Very flexible. It can be used beyond its intended purpose (you’re going to need a talented backend hand for that).

Open-source software cons:

  • It can incur some long-term (and unforeseeable) costs. Any issues that arise have to be dealt with by yourself or your dev team. This usually happens when the software has been stretched or altered more than necessary. Doing in-house patching and/or repair points to another con: no support for the product. So, if something goes wrong, you’re on your own.
  • Less-than-friendly UI. It will also take you a while to learn the product.

Freeware vs. Shareware

Now that we’ve got the basics in place, let’s take a closer look at the first contenders: freeware vs. shareware.

First of all, I think it’s important to see which category the two of them address. We can agree (to disagree) that both types of software can be used on home and work machines alike. As someone who didn’t have a lot of money to spend on software, I can wholeheartedly say that freeware is what dreams are made of – imagine what it would have meant to buy a Photoshop license just to tweak some family photos or to pull a prank on your roommate.

Game streaming – for those of you familiar with the concept, the costs alone can make your head spin, that is if you want to go pro. Still, even the basics can cost a pretty penny. Luckily you can accomplish basic tasks like screen or voice recording with some very nice (and free) online tools.

Things change a bit when it comes to deploying freeware on enterprise machines. Of course, some shareware can handle some of the routine tasks. For instance, ePrompter is a great and hassle-free alternative to Microsoft Outlook or some other desktop-based email management tool. Even TeamViewer, the (over)glorified remote computer control tool is free and can be used to accomplish very simple tasks.

Other honorable mentions: Discord (great alternative to Teams, Skype for business, and even WhatsApp), B1 Free Archiver (if you really don’t want to buy WinRAR), Recuva (powerful data recovery application), CCleaner (registry cleaner), Foxit Reader (open and print pdf files), and Microsoft Visual Studio Express (supports multiple IDEs, pitch-perfect for web designers).

Indeed, they are very powerful tools, but, in my opinion, simply not enough to meet the needs of a bustling enterprise. It all boils down to statistics: the bigger the database, the likelier it is to find a solution (or more) to suit your needs.

Why shareware? There are literally thousands of apps, available both online and offline, some of them just as good, if not better than license-based software. One thing about shareware – it’s a short-term solution.

Basically, it’s your ‘emergency-only’ kit: problem – shareware – problem solved. This type of software wasn’t designed for long-term use. As I pointed out in the section about shareware, most have some kind of built-in ‘safety’ to prevent users from doing just that; except for donationware, of course. There’s also the matter of overexposing your machine(s) to malicious content. I will cover this in the last section of the article.

The main reason shareware is better than freeware for enterprise needs is evergreenness. Most freeware is outdated, meaning it may not even run properly on Windows 10 machines. If you also add the fact that it is unpatched, you’ve got yourself a major cybersecurity vulnerability. Last, but not least, to my knowledge, few freeware titles support platforms other than Microsoft Windows. So, if you need to deploy freeware on a machine running Linux or macOS, you’re in for a world of pain.

Winner – shareware. Hassle-free, tons of content, suitable for any kind of need, be it home- or enterprise-related.

Shareware vs. open-source

Clearly, shareware is the better alternative to freeware, but how does it fare against open-source software? The latter category holds the high ground here. Why? Because, as the name suggests, the source code is made available, which means that a talented backend hand can easily customize it. But will it prove to be a match for shareware’s availability and ‘widespreadness’?

It could, and it does. Open-source software is definitely getting a lot of attention, and for a very good reason – even though OSS is free, it’s extremely reliable and holds up well under repeated reverse-engineering. And, on top of that, OSS, compared to freeware and shareware, is much more secure.

Open-source software is amazing simply because it’s out there and can potentially be molded into anything you like. However, it’s not the Holy Grail of enterprise software, nor does it want to be. OSS is scalable, dependable, and, in all cases, it’s made by an experienced computer engineer who isn’t necessarily motivated by money. Don’t get me wrong – shareware-type software is also developed by experienced people, but on the sample-now-buy-full-later basis.

As an enterprise, you should also consider the support aspect. If something goes terribly wrong with the software, there’s no one out there to help.

Well, that’s not entirely correct; there’s an entire community out there of experts willing to give you a helping hand, but that means hours upon hours of digging through forums, asking questions and praying for someone to come up with the right answer. This perspective is not exactly compatible with an enterprise’s credo.

So, do we have a winner here? I would say that it’s a tie: open source is dependable, flexible, and scalable, but low on support and could incur unforeseen costs, especially when you try to use it for purposes other than those it was designed for. On the other hand, shareware holds an abundant database but falls short as a long-term commitment.

Freeware vs. shareware vs open source

Now that we have all the pieces of the puzzle, it’s easier to figure out which is the best enterprise-grade solution.

Let’s start with freeware.

Major advantages – it’s free, easy to install, and can solve any number of issues. On the other hand, disadvantage-wise, the freeware pool is very limited and can only address a handful of issues. Freeware would best be used on home machines. Add to that its questionable compatibility, no support of any kind, and the fact that most of it is obsolete, and it’s safe to assume that freeware and enterprises just don’t mix.

Shareware – an entire database, laid down at your feet. Plenty of possibilities, but is shareware the answer to your company’s needs? It’s just a matter of how you look upon the problem: if it’s a one-time thing, then you should definitely consider deploying shareware on a couple of machines.

There’s no need to concern yourself with the trial period, as long as you can solve the task or tasks in one go. Just bear in mind that some apps will revert to basic functions or stop working altogether after a certain number of uses. Of course, if the app suits your needs, you can always activate the full version by buying the license.

Open source – dependable, can easily be taken apart in any IDE, and free to use. Do bear in mind that OSS can come with hidden costs and is harder to get used to compared to shareware or license-based software. If you encounter issues along the way, you can always ask the dev community for help. Just don’t expect the answer to be as prompt as in the case of an app that offers round-the-clock support.

In the end, it’s all up to you to decide which one clicks with your company’s needs.

Cybersecurity issues and safety tips

Tackling non-license-based software should come with a warning label. Up next, I’ll be discussing the risks of using shareware, freeware, and open-source software. I will also include some cybersecurity tips along the way.

1. Adware also means malware

If you plan on using shareware, pay extra attention to apps that rely on ad-generated revenue. Some of them may contain links to malicious websites that could seriously harm your machine. If you do click on an ad, at least check the site’s security certificate, though my advice is not to click at all.

2. Fake apps

Some applications advertised as freeware could be fake. Don’t download the first app you find on Google. Take your time and do some research. You would do well to stay away from websites that use too many CTAs and “free download” buttons. It’s like playing Russian Roulette with your personal data.

3. Freeware used as a malware entry point

As you know, outdated and unpatched software can be used by malicious hackers to circumvent your antivirus/antimalware solution. Since freeware does not receive regular security patches, it can become an entry point for malware.

4. Strengthen your cyber-defenses

When all else fails, ensure that you have a good antivirus/antimalware solution. Thor Premium Enterprise, our product that incorporates two of our award-winning technologies (Thor Foresight Enterprise and Thor Vigilance Enterprise), will ensure that no malware lands on your machine by continuously scanning your outbound and inbound traffic and severing any malicious C&C connection it detects.

Wrap-up

Companies, regardless of their size and needs, can also benefit from freeware, shareware, and open-source software. It’s all about figuring out your needs and selecting the solution that makes the most sense. As always, if you have any questions, feel free to send me a message.

The post Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely appeared first on Heimdal Security Blog.

Too Much Holiday Cheer? Here’s Something to Fear: Cybersecurity Predictions for 2020

2019 is virtually over and a new year beckons with all the solemnity of the grim reaper for those who don’t have their eyes wide open to the persistent threats we collectively face in the areas of privacy and cybersecurity. 

Now that I have your attention, I’d like to add that it’s not all bad news. In the main, consumers and business leaders alike are more aware of cybersecurity and privacy than ever before. However, this sea change has been met with innovation on the criminal side of things. As defenses improve, the attack vectors become more nuanced and technically impressive. At times it can seem like a war of attrition, which brings us to the first series of predictions for 2020:

  1. CISOs will get worse at their jobs. Okay, simmer down all you cybersecurity people. I just mean there will be a shortage of experts–i.e., fewer of you to go around because at this moment in history everyone understands that a good CISO is critical to the ongoing success of an enterprise (the 2019 IBM Cost of Data Breach study found that the average cost to an organization was $3.92 million). With the demand for cybersecurity professionals far exceeding supply, the market will start having openings for less qualified people. Water finds its level, but it will be rough for a while. 
  2. The disinformation blob will grow. With what we experienced in 2016 and 2018, is there any doubt there will be a rise in disinformation–homegrown and imported–of every stripe in the upcoming elections? Since these weaponized misinformation campaigns have proven effective, expect to see more of them in the private sector, with businesses adopting troll farm tricks to hurt the competition–or rather waiting to be discovered by intrepid reporters like Brian Krebs.
  3. Ransomware will continue to thrive. As long as humans are, well… human, phishing attacks will lead to ransomware infecting more and more networks, and businesses, municipalities and other organizations will continue to pay whatever they must in order to regain control of their data and systems. We will also see better backup practices that will help minimize or neutralize the threat of these attacks.
  4. IoT botnets will make dystopian paranoia seem normal. IoT will continue to grow exponentially. In 2020 there will be somewhere around 20 billion IoT devices in use around the world. Unfortunately, many are not secure because they are protected by nothing more than manufacturer default passwords readily available online. They will be weaponized (as in years past) but with increasing skill and computing power.
  5. The integrity of the US elections will be questioned–and for good reason. There are still voting machines in use that are far from secure, and would not pass the most simple audits. Some states continue to use machines that leave no paper trail. Look forward to questions regarding election security all year. 
  6. Cryptocurrency miners will continue to get rich off of stolen electricity. Related to the botnet craze, we will see an increase in computing power theft used to mine cryptocurrency. With bots becoming exponentially more effective as the result of AI and cloud computing, we will see a renaissance of Wild West behavior in the world’s cryptomines.  
  7. Zero trust environments will be talked about. A few may exist. The assumption that one can trust the home team–people within one’s organization–sort of went the way of the Dodo bird when Edward Snowden walked away from the NSA carrying a treasure trove of NSA data hidden in a Rubik’s Cube. Zero trust simply means that no one can be trusted, in or outside the organization. With this assumption foremost, new systems make breaches and compromises harder to pull off. Stay tuned.
  8. More people will know what “protect surface” means. Protect surface is part of the zero-trust environment. An organization’s attackable surface includes every error-prone human in its employ as well as the mistakes in configuration they may have committed along the way and a whole constellation of other issues. The protect surface is much smaller and must be kept out of harm’s way. The more we talk about subjects like protect surface, the stronger our cybersecurity will be.
  9. Cars will be frozen. Or not. But actually, yes. I think it will happen. Driverless cars are going to hit things as well as get hit. Cars that talk to satellites are toast. It’s going to happen. (Or not. But it totally could.)
  10. 5G will make the cyber smash-and-grab a thing. 5G is going to make everything move fast, as will the new generation of USB4 devices. With quicker speed, it will take much less time to transfer data. Coincidentally, criminals appreciate this as much as the rest of us.
  11. Social media will no longer need to be private. Social media companies will probably become a bit more responsible when it comes to the way they gather, store, crunch, analyze and sell our data to marketing companies and small to medium sized businesses looking to connect directly with consumers. This is really not worth talking about, however, because all of our information has already been scooped up. It’s good news for 2020 babies. 
  12. State-sponsored traffic jams will be a thing. The hackers who brought you Hillary’s emails and who probably have President Trump’s tax returns are going to target operational systems with an array of tactics that include ransomware and more DDoS attacks that will snarl things up in ways we’ve not yet seen. The targets will be financial institutions, the power grid, an election, a company’s secret sauce, a city’s traffic lights or, you can fill in the blank.
  13. You’re going to have personal cyber insurance. Insurance companies will be writing more comprehensive cyber liability policies for businesses and offering innovative personal cyber coverage for consumers.
  14. HR will save money by spending some. More employers will offer their employees identity protection products and services as part of their paid or voluntary benefits programs. (An employee who has their identity stolen is not very productive and if, as part of that identity theft, their USER ID or passwords are exposed, a thief might have what he or she needs to access an employer’s network and sensitive databases.)
  15. The cloud will leak. The parade of stories about misconfigured cloud clients and data stored without any password protection on cloud services will continue apace, perhaps in part because of the CISO issue discussed in the first prediction. 
  16. AI will gladly take your job. The Yang Gang knows it’s true. AI is here and it’s willing to work so that you can go fishing, collect that monthly $1,000 and not make ends meet. In all seriousness, the CISO shortage as well as many of the innovations discussed in this list of predictions will be increasingly powered by Artificial Intelligence. 

2020 promises to be an interesting ride. Buckle up, because that driverless car might be hacked along the way. As ever, you are your best guardian when it comes to your privacy and personal cybersecurity. Be smart. Stay safe. And, have a very happy, healthy holiday season. 

The post Too Much Holiday Cheer? Here’s Something to Fear: Cybersecurity Predictions for 2020 appeared first on Adam Levin.

Cybersecurity And Privacy for a Co-Working Space

The way we work and the spaces we work in have evolved considerably in the last fifty years. Corporate culture is nothing like what it used to be back in the 80s and 90s. Cabins and cubicles have given way to open offices. Many in the workforce today prefer to work remotely and maintain flexible hours. As such, hot-desking is common in many multinational companies, including those with large office spaces. As the start-up culture evolved, there was a need for multiple small offices. This growing breed of self-employed professionals and start-up owners need the other resources commonly required in an office environment, such as printers, shredders, Wi-Fi, meeting rooms and video-conferencing facilities. They also need a common place to meet people, network and exchange ideas, because working solo can be monotonous at times. Co-working has provided an all-in-one solution for the needs of such individuals and small groups by providing a common space where equipment and utilities can be shared between the businesses that rent the space. Co-working spaces have thus become very popular across the world, especially in cities where real estate is very expensive. According to statistics, the number of co-working spaces increased by 205% between 2014 and 2018.

In any business, however, security is paramount. Corporate espionage is very much a reality for small businesses, which are very often the breeding ground for great ideas and innovations. Co-working spaces provide a melting pot of all kinds of unrelated people, some of whom cannot really be trusted. It is therefore necessary that, when sharing space, equipment and utilities, users do not unknowingly end up sharing information and trade secrets. Ensuring data privacy and cyber security in a shared office can be very difficult, but it may be achieved by laying down ground rules and ensuring that everyone follows them. The following are some of the security best practices for a co-working space.

  1. Ensuring network security: While shared Wi-Fi access is probably one of the most popular and over-utilized services provided by a co-working space, it is also the most vulnerable from a cyber security perspective. The following practices help ensure secure Wi-Fi access for all users.
    1. Having a dedicated administrator who ensures that networks are set up correctly and securely. This person can also liaise with users to ensure that they are following the guidelines.
    2. Setting up strong passwords for every network and ensuring that all passwords are changed frequently. This also prevents old or previous members from accessing the network.
    3. Setting up individual networks and access pages for every business that is using the space, including a separate network for guests.

  2. Securing smart devices: IoT has put intelligence into every device, from TVs, refrigerators and coffee machines to printers. A co-working space may be home to many such devices connected to the network. Tampering with any of these devices can allow people to access the Wi-Fi network, or vice versa. It is therefore necessary to secure these devices by ensuring that their hardware is tamperproof and their firmware is continuously updated. All devices that can connect to the network, including laptops and phones, should be password protected and should not be left around unlocked and/or unattended.

  3. Blocking websites: It is best to block potentially malicious websites which are not likely to do anyone any good. Corporate offices have always taken this step to prevent unwanted traffic and ensure network and data security. There is no reason why co-working spaces cannot offer this as a service.

  4. Vetting users: Co-working spaces may do a minimum background check on users to ensure that they fit in with the business culture of the space and would not disrupt the normal functioning of the other users in any way.

  5. Physical monitoring: Physical monitoring using cameras can ensure that users do not try to steal any data or equipment that does not belong to them. Providing physical access cards, logging users’ in and out times and installing cameras can all contribute to the overall security system of the space.


While these guidelines are general, they should be useful to both co-working space operators and users, and give an idea of what to look out for and how to secure their private data and intellectual property.
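The first guideline above (a separate network per business plus a guest network, each with its own credentials) is concrete enough to show as configuration. The hostapd fragment below is an added example and is not part of the original post: it puts three SSIDs on one radio, attaches each to its own bridge so that tenants never share a broadcast domain, and isolates guest clients from one another. The SSID names, bridge names and passphrases are placeholders, and it is assumed that mapping each bridge to an uplink VLAN and the firewall rules between bridges are configured outside hostapd.

```ini
# /etc/hostapd/hostapd.conf  (added example; placeholders throughout)
# One radio, three BSSes. The radio must support multiple BSSIDs for this to work.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ieee80211n=1

# --- Tenant A: its own SSID, its own key, its own bridge (br-tenant-a -> tenant A's VLAN)
ssid=cowork-tenant-a
bridge=br-tenant-a
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_TENANT_A_PASSPHRASE

# --- Tenant B: second BSS on the same radio, separate bridge, separate key
bss=wlan0_1
ssid=cowork-tenant-b
bridge=br-tenant-b
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_TENANT_B_PASSPHRASE

# --- Guests: own bridge, and ap_isolate stops guest devices talking to each other
bss=wlan0_2
ssid=cowork-guest
bridge=br-guest
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_GUEST_PASSPHRASE
```

Because every SSID carries its own passphrase, rotating the key of a network whose member has left does not disrupt the other tenants, which is the practical side of the “change passwords frequently” guideline. For a space with frequent turnover, per-user credentials (WPA2-Enterprise, configured in hostapd with `ieee8021x=1` and `wpa_key_mgmt=WPA-EAP` against a RADIUS server) let the administrator revoke one departing member without re-keying everyone else.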

The post Cybersecurity And Privacy for a Co-Working Space appeared first on CyberDB.

Selling Privacy: The Next Big Thing for Entrepreneurs

Black Friday and Cyber Monday made clear that the online-offline divide in consumers’ minds has almost disappeared. Among the big winners for sales in 2019 will be a device that is perhaps the best physical representation of that diminishing online-offline divide: the digital assistant.

The main contenders for consumer dollars this year come by way of Amazon, Google, and Apple.

Amazon Echo smart home products have been among the company’s most popular items for a while now, but they hit new records in the recent four-day stretch from Black Friday to Cyber Monday. Internet connectivity continues its march to omnipresence in everyday consumer goods.

Televisions feature built-in internet functionality, and the FBI just released a warning about them.

A number of the newer TVs also have built-in cameras. In some cases, the cameras are used for facial recognition so the TV knows who is watching and can suggest programming appropriately. There are also devices coming to market that allow you to video chat with Grandma in 42″ glory.

Beyond the risk that your TV manufacturer and app developers may be listening to and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router.

Hackers can also take control of your unsecured TV. At the low end of the risk spectrum, they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you.

The conveniences afforded by all this new connected technology are great, but it’s important to bear in mind that it also has its downside.

Even basic home goods like doorbells and light bulbs are commonly being sold with Wi-Fi connectivity and the ability to integrate into Google Home-, Siri-, or Alexa-enabled networks. These devices don’t just talk to one another. They’re also providing the companies that manufactured them with a gold mine of data about how they’re being used–and, increasingly, who is using them.

It’s not just IoT gadgets. Tech companies are busy these days trying to weave their way into your wallet, your entertainment, and your health, all the while mining as much data as possible to leverage into other markets and industries.

This has an air of inevitability about it because the right entrepreneur has not yet had the right aha! moment to make it stop being an issue. That said, cracks in the current personal information smash-and-grab approach to consumer data are beginning to appear, and consumers are becoming increasingly wary of how their data is being collected and used as well as who has access to it.

Break Out the Torches and Pitchforks

If a consumer revolt sounds overly optimistic, consider the uproar earlier this year over revelations that smart home speakers were eavesdropping consistently and sometimes indiscriminately on consumers, and the resulting semi-apologies issued by Apple, Amazon, and Google.

Or look at the ongoing civil rights concerns regarding Amazon’s Ring surveillance cameras, or the recent lawsuit against TikTok for allegedly offloading user data to China, or the reports of customers abandoning their Fitbits after the company was acquired by Google.

The message seems clear to me. Consumers may enjoy the convenience and easy access to the internet, but more and more they bristle at the lack of transparency when it comes to the way their data is being handled and used by third parties, and the seeming inevitability that it will wind up on an unsecured database for any and all to see.

While the fantasy of consumers uninstalling and unplugging en masse is common among a small community of sentient eels indigenous to the Malarkey Marshes of Loon Lake, there remains a business opportunity for the larger online community.

Will the Genius of Loon Lake Please Stand Up?

The effort to create a more privacy- and security-centric internet experience for consumers has largely been led by nonprofit organizations. World Wide Web inventor Tim Berners-Lee has been publicly discussing plans to create a follow-up with the aim of reverting to its original ideals of an open and cooperative global network with built-in privacy protections.

Meanwhile, the nonprofit Mozilla organization has revamped its Firefox browser to block several types of ad trackers by default and provide greater security for saved passwords and account information, in addition to publishing an annual guide to score internet-connected devices for their relative privacy friendliness and security. Wikipedia founder Jimmy Wales announced in November a service meant to provide an alternative to Twitter and Facebook reliant on user donations rather than the other social platforms’ often Orwellian ad tracking software.

Without a user base or killer app to drive adoption, Berners-Lee’s new web has been in the works for years, and Wales’s idea is a rehashing of a similar project called WikiTribune that also never managed to find its footing. Firefox is a quality browser, but its market share pales next to Google Chrome’s.

Thus far, nonprofit-driven alternatives have found no lure to drive consumer adoption. The next stage of privacy-centric development may need to have a profit motive to make inroads into the privacy protocols and proxies that dominate apps and devices. It can’t be merely self-sustaining, but rather must be compelling for users, developers, and engineers. One such company, Nullafi, has the right idea: anonymizing and individualizing a user’s most common digital identifier by creating email burners that redirect to the user’s private account. (Full disclosure: I’m an investor.) We need to see more of this kind of development, and we need to see it get adopted.

The current large-scale investment in cybersecurity proves there’s a market in our post-Equifax-breach world where awareness of data vulnerability and the possibility of getting hacked have hit critical mass. The time for the unicorns to arrive is now.

The post Selling Privacy: The Next Big Thing for Entrepreneurs appeared first on Adam Levin.

The Guardian view on Boris Johnson’s NHS plan: trading patient data | Editorial

Donald Trump has made clear he wants a post-Brexit Britain to let US tech companies and big pharma access medical records

The NHS is a goldmine of patient data which the United States wants to be quarried by some of its biggest companies. Britain’s health service is home to a unique medical dataset that covers the entire population from birth to death. Jeremy Corbyn’s NHS press conference revealed that the US wanted its companies to get unrestricted access to the UK’s medical records, thought to be worth £10bn a year. A number of tech companies – including Google – already mine small parts of the NHS store. Ministers have been treading carefully after an attempt to create a single patient database for commercial exploitation was scrapped in 2016 when it emerged there was no way for the public to work out who would have access to their medical records or how they were using them.

However, such caution might be thrown to the wind if Boris Johnson gets his way over Brexit – and patients’ privacy rights are traded away for US market access. This would be a damaging step, allowing US big tech and big pharma to collect sensitive, personal data on an unprecedented scale. Donald Trump’s officials have already made clear that this is what they are aiming for. In the leaked government records of talks between US and UK trade representatives White House officials state that “the free flow of data is a top priority” in a post-Brexit world. Trump’s team see Brexit as an opportunity “to avoid forcing companies to disclose algorithms”. The US wants the UK to drop the EU’s 2018 data law, in which individuals must be told what is happening with their medical data, even if scrubbed of personal identifiers.

Continue reading...

Has WhatsApp become a potential career assassin? | Afua Hirsch

The app helped connect me to an inspiring sisterhood. But the case of police officer Robyn Williams shows unopened messages can be a legal minefield

We need to talk about WhatsApp. When the little green speech bubble first showed up in my life, I greeted it with awe and wonder. I even wrote a little love letter to its ability to connect with a virtual black sisterhood – the kind that rarely exists in our too-undiverse workplaces in real life – in my first book. It became the perfect platform to share experiences, frustrations, strategies and ideas.

WhatsApp group communities proliferated on my phone – they were education, community and activism all in one place. It was great.

Continue reading...

Twitter to clear out inactive accounts and free up usernames

Company has been criticised for handling of move it says will reduce risk from hacking

Twitter has announced it is to clear out inactive accounts, freeing up dormant usernames and reducing the risk of old accounts being hacked.

But the company is facing criticism for the way it has handled the announcement, with many concerned that the accounts of people who have died over the past decade will be removed with no way of saving their Twitter legacies.

Continue reading...

The Dark Web: What You Need to Know

Despite its negative connotations, the Dark Web is nothing to be afraid of. Few know that the Dark Web was actually thought out as a means of preserving privacy and security. However, this also enabled it to become a breeding ground for illegal activity.

There are certainly things to be distrustful of when navigating the Dark Web, and before venturing into it head-first, you should understand certain things about it.

What is the Dark Web?

The first thing you need to know is that there is no actual database for the Dark Web. Instead, there are only what are known as “peer to peer connections”, which means that the data you are accessing is not stored in just one place.

Instead, it is found on thousands of different computers that are part of the network, so that no one can actually identify where the information is coming from. You can upload to the network, but when downloading, there is no telling where you’re getting the data from.

Why do people use the Dark Web?

There are all kinds of uses for the dark web. Some of them are downright nefarious; others, not so much.

  • Drug sales

Taking into consideration the anonymous nature of the Dark Web, it was only a matter of time before it came into use to sell illegal drugs. It is the ideal avenue for this kind of transaction, because of the anonymity factor that is inherent to the Dark Web.

  • Illegal commerce

To say that you can buy anything on the Dark Web would be an understatement. Anything you can imagine, no matter how gruesome, can be purchased on the Dark Web, from guns to stolen data to organs.

  • Child porn

Is it really a surprise that child porn is rampant on the Dark Web? It’s one of the darker aspects of it, but the anonymous nature of it does lend itself to concealing horrible realities like this.

  • Communication

For all its negative connotations and activities, the Dark Web can also be a way to foster open communication that can sometimes save lives or make a change. Especially in cases where governments monitor online activity, having a place to speak out freely can be invaluable.

  • Reporting

The Dark Web can be an excellent resource for journalists because sources can remain anonymous. Additionally, no one can track their activity, so it does not attract consequences from the authorities.

How to access

You may be wondering how you can access the Dark Web – after all, you can’t just Google it or access it in a regular browser.

Here are some of the aspects you need to keep in mind about accessibility, including the browser you need to use, the URLs, personal credentials you may need, and even acceptable currency, should you decide to make a purchase.

  • Tor browser

The most common way to access the Dark Web is via The Onion Router (Tor), the browser used by most people for this purpose. This ensures that your identity will remain concealed, as will your activity, because it encrypts everything.

You can obtain the Tor browser by downloading it from the official website. It’s as easy as installing it and running it like any normal program. And if you were worried about the legality of it – have no fear.

Both accessing the Dark Web and downloading the means to do so are entirely legal. While this can enable some pretty dark human behavior, it can also give us very necessary freedom to do positive things, as you will see. Not everyone uses it for nefarious purposes.

  • Exact URLs

Something that makes it difficult to navigate the Dark Web is the fact that the pages are not indexed by browsers. That means that anything you may be looking for will require an exact URL. That does limit the amount of people who can access the Dark Web, as well as the scope of the pages one can gain access to.

Unless you know exactly where to look, you may not have a lot of luck finding what you want. That can deter you from searching or, on the contrary, it can drive you to go looking for someone who is well versed in illegal activity and who can help you out.

  • Criminal activity

It comes as no surprise that the Dark Web is a hotbed of criminal activity. No one is advocating that one pick up criminal undertakings in order to use the Dark Web. But generally speaking, the people who will most likely be looking to access URLs here are people who are engaged in all manner of criminal activity.

  • Bitcoin

All transactions on the Dark Web are completed via Bitcoin, as this type of currency cannot be traced. That increases the degree of safety of the transaction, both for buyers and for sellers.

However, that does not mean that these transactions are always safe. There is a high degree of uncertainty that accompanies these transactions, regardless of what you are purchasing.

You might find that the person you are buying from is a scammer who can end up taking your money, but not sending over your product. While identities are protected, transactions are not, so a degree of care is always necessary.

The future of the Dark Web

While authorities are always making efforts to cut down on the number of sites present on the Dark Web, more are always created. In the end, it proves to be a bit of a wasted effort. The more websites get shut down, the more pop up in their place.

Does that mean that the Dark Web will continue in perpetuity? No one can say with any degree of certainty. It is entirely possible that people will seek refuge in the anonymity of the Dark Web as the degree of surveillance grows, or the opposite can happen and we can grow to accept surveillance as a means of ensuring a thin veneer of security.

Conclusion

The Dark Web will always be controversial, but it’s not nearly as scary as it seems. It’s true that it certainly conceals some illegal and immoral behavior, but it can also be used for good. The anonymous and untraceable aspects of it help it remain a somewhat neutral space where one can find the freedom to communicate, investigate, search, trade, make purchases, etc.

The post The Dark Web: What You Need to Know appeared first on CyberDB.

Cyber Security Businesses: Solving Challenges Through New Technologies

From everyday transactions to transport planning, as our world becomes more dependent on technology, cybersecurity risks are becoming more common, and more dangerous. 

Luckily, there’s a range of cybersecurity businesses and start-ups attempting to solve this issue through innovative new technologies.

We look at some recent projects and partnering opportunities tackling cybersecurity challenges. 

Antivirus Software From Japan
Established in 2007, a Japanese company has developed security software to detect unknown threats. They have developed a heuristic application consisting of five engines to detect malware and protect users.

These engines include:
  • Static analysis
  • Sandboxing (runs programs in a virtual environment)
  • Dynamic analysis (monitors the behaviour of currently running programs)
  • Machine learning
  • Vulnerability attack protection
The advantage of this technology is that it does not depend on pattern files. So far, the programs have detected several major threats and the engines are regularly updated with the latest research and information. In addition, the software requires no signature, a benefit for companies who do not wish to have their data drawn into the cloud.

The company has been very successful in Japan and is now looking to expand into European markets with the help of a partner. Its ideal partner would be an Original Equipment Manufacturer (OEM) working in Internet security.

Protecting Data, Assets and Brands Against Global Cyber Attacks
A German company has developed an automated platform to deal with global cybersecurity threats more efficiently.

The technology allows users to:
  • Benefit from ad-hoc assistance in emergencies
  • Simplify their security processes
  • Safely share threat information with a range of stakeholders and organisations
  • Contribute to a collaborative database
Some of the benefits of this platform include:
  • Automated incident response management
  • Real-time alerts
  • Data fusion on a large scale
  • Easy integration
  • Secure collaboration
  • Varied deployment models
  • Helps users understand and monitor threats worldwide
The company is now looking for help with the commercialisation of the business. They are seeking European or Asian partners to aid with sales, marketing and delivery.

Helping SMEs Improve Their Information Security
A British company has developed a bespoke service for SMEs, helping them to improve their security and technology solutions.

This service includes:
  • IT/cybersecurity
  • Privacy/ GDPR
  • Business continuity
  • Disaster recovery
  • Collaboration technologies
  • Blockchain/IoT/AI/Cloud computing
The company prides itself on strong face-to-face communication and their ability to tailor services to meet the needs of specific clients. They are currently looking to make commercial partnerships with businesses looking to improve their cybersecurity.

24/7 Security and Events Management
An Israeli company has developed a new solution to help organisations manage internal and external cyber threats. This real-time technology is available worldwide and offers a reliable, individualised service.

The service includes:
  • Risk assessments
  • Forensics
  • Compliance
  • A flexible pricing model
The advantage of a 24/7 security service is that users can speak to security specialists at any time, and alerts are handled in real-time.

The company is looking for commercial agents in the cybersecurity sector to expand their client base.

Enterprise Europe Network: Connecting Businesses and Partners Worldwide
Enterprise Europe Network (EEN) helps businesses, academia and research institutions connect, expand into new markets and transform ideas into marketable products.

Discover more cybersecurity businesses and partnership opportunities that are part of the EEN network for an insight into the future of online security.

These new rules were meant to protect our privacy. They don’t work | Stephanie Hare

The data protection laws introduced last year are failing us – and our children

Who owns your data? This is one of the toughest questions facing governments, companies and regulators today, and no one has answered it to anyone’s satisfaction. That is not what we were promised last year, when the European Union’s General Data Protection Regulation, commonly known as the GDPR, came into effect.

The GDPR was billed as the gold standard of data protection, offering the strongest data rights in the world. It has forced companies everywhere to modify their operating models, often at great cost. It inspired the state of California to pass a similar law and where California leads, the rest of the US often follows; there have been calls for a federal version of the GDPR.

Most websites nudge us into clicking 'I consent' by making it harder for us not to

Advances in computing processing power and AI will allow those who have our data to do much more with it, and so with us


Farewell the ‘porn block’ – a PR exercise but lousy policy | Amy Orben

Without greater access to our online habits, politicians cannot frame laws for the digital age

The UK government’s porn block was a dead man walking for months, if not years. It is long overdue that this attempt to curb children’s access to online pornography is scrapped. Almost two years ago, a close colleague and I sat in a meeting with one of the policymakers who had recently been asked to implement the proposal. The pained look on his face when we queried his progress confirmed our suspicions that it was an impossible task. It was clear to many that the block could – and would – never come to pass.

The plan did not have just one Achilles heel – it had many.

Scientists and other stakeholders cannot access information about what the population is actually doing online



Scientists invent new technology to print invisible messages

Messages can only be seen under UV light and can be erased using a hairdryer

Forget lemon juice and hot irons, there is a new way to write and read invisible messages – and it can be used again and again.

The approach, developed by researchers in China, involves using water to print messages on paper coated with manganese-containing chemicals. The message, invisible to the naked eye, can be read by shining UV light on the paper.


Major Web Hosting Hazards You Should Take Seriously

“I’ve read on my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”

This is a pretty common answer that a lot of bloggers and small business owners give me when I ask them whether they know how secure their web hosting is. They often add that their budgets are pretty tight, so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean “ridiculously cheap.”

Come on, people.

Do you really think that a cheap web hosting provider has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?

While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.

If you don’t believe me, you can Google something like “hacked website stories” and you’ll see that many web hosting companies – from some of the cheapest to even some well-known ones – don’t have adequate security solutions in place. As a result, lots of people have lost their websites. These horror stories are quite common, and even a simple Google search can return a lot of them.

Shocking Stats

Unfortunately, hackers are becoming more and more skilled at what they do, and stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you’ll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites have been hacked since 12 am).

From what I saw on Internet Live Stats, I could tell that roughly one website was hacked every second. This is horrible, and one of the worst parts is that many of the owners of these websites thought that they were protected by their web hosting provider.

The next bad thing about all of this is that the number of websites hacked daily is getting higher. For example, there were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as we could see on the live counter, this number has more than tripled in 2019. If this negative trend continues, then we could easily see even more website owners losing their business on a daily basis very soon.

While this information is certainly alarming, website owners are typically to blame for the fact that their website was taken from them (not trying to be rude here at all). If we dig a little deeper into the data on hacked websites, we discover that many use ridiculously simple passwords, poor hosting providers, outdated content management systems (CMS), and do other unwise things that help hackers get in.

For example, many bloggers want to focus on content writing, editing, and lead building rather than think about stuff like hosting. While content proofreading is something they can get help with from numerous online tools like Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.

Next, there’s an issue with passwords. According to a recent survey by the UK’s National Cyber Security Centre (NCSC), 23.2 million web accounts they’ve analyzed had “123456” as a password. Moreover, about 7.7 million people relied on “123456789” for protection of their data, while “password” and “qwerty” were also quite popular with about 3 million users each.

While a password is something that can be changed in a matter of seconds to protect your site against brute force attacks, it will not protect you from most other cyber threats. Those are the responsibility of the hosting provider, and unfortunately, a lot of people disregard this requirement for web security.

That’s why we’re going to talk about hosting security issues that you should protect your site from.

How Web Hosting Affects the Security of Your Website

Before we talk about major web hosting hazards, let’s quickly discuss the connection between the security of your website and the web hosting you’re using. I’m going to say this right away: choosing a web hosting provider is one of the most important decisions you’ll make when setting up your website, and the implications go way beyond security.

For example, if you’re a blogger or a business owner, you’ll get:

  • A high level of protection against hackers. “This means that you’ll be able to concentrate on content creation,” says Peter O’Brien, a content specialist from Studicus. “If I selected a poor host, I wouldn’t spend so much doing the creative stuff, that’s for sure.”
  • A fast loading time. People don’t like to wait; in fact, Google claims that websites that load within 5 seconds have 70 percent longer visitor sessions, 35 percent lower bounce rates, and 25 percent higher viewability compared to websites that load in between 5 and 19 seconds. That’s why Google has released the mobile-first indexing update and designed its own PageSpeed Insights tool to help users optimize the performance of their websites.
  • High reliability and uptime. Most web hosting companies claim that the websites they service are online 99.9 percent of the time, but the real figure can vary and depends on the quality of the provider.
  • Better security. Different web hosting providers have different security packages, so the websites they power have different levels of protection from hackers. Moreover, a good host can help you to recover quickly in case you’ve suffered an attack.

Let’s talk a little bit more about the last bullet point. So, how can one tell that their hosting provider is poor? That’s pretty easy:

  • Slow loading times. If your website takes more than five seconds to load, then chances are that its performance is affected by a hosting provider that has put a lot of sites on one server.
  • Frequent security issues. If your website doesn’t have backups and often suffers from various cyber attacks, then you should definitely talk to your provider (after making sure that your passwords aren’t the problem).
  • Regular unexpected downtime. A poor choice of web hosting provider often leads to this problem, which, in turn, is often caused by overloaded servers. In other words, the provider simply can’t handle the volume of visitors that your website (and the other websites hosted on that server) are experiencing.

So, to sum up, the quality of hosting is essential for the success of your online venture, and making a poor choice can lead to disappointing outcomes (just remember the figures from the live counter). But with so many websites getting hacked on a daily basis, what do you need to know to protect your own? Read the next section to find out.

Beware of these Major Web Hosting Hazards

  1. Shared Hosting Issues

Shared hosting is a tricky business, and you don’t know how many websites are on the server where yours lives. It’s quite possible that the number is quite high, up to a thousand, and this could be one of the reasons why your website might be underperforming.

For example, this discussion thread had some interesting information on this. A person asked how many websites are typically served on one shared server, and some of the answers were astonishing! For example, one user responded by writing the following.

Can you believe it? 800 websites on one server! Talk about performance issues, right?

While I realize that a single server can host up to several thousand websites, can you imagine what would happen if at least ten of them were high-traffic ones? Think crashes, slow loading times, unplanned downtime, and lots of other issues.

Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.

  2. Attacks that Exploit an Outdated Version of PHP

It’s a known fact that about 80 percent of all websites in 2018 ran on PHP. However, since the beginning of 2019, support for PHP 5.6.x has ended, meaning that all support for any version of PHP 5.x is gone. In other words, sites that fail to update won’t get any security patches, bug fixes, or updates.

However, recent reports suggest that this news didn’t trigger any massive move to newer versions of PHP. For example, according to Threat Post, about 62 percent of all websites using server-side programming are still on PHP version 5. Here are the full data.

Source: Threat Post

“These sites probably include old libraries that haven’t had the joy of an update…” a web security expert is quoted as saying in the abovementioned Threat Post article. “The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”

For hackers looking for some business, this means that they have a lot of work to do. Can you imagine it: since the beginning of this year, more than 60 percent of websites have stopped getting security updates!

“Faced with the urgent requirement to update the PHP version, a lot of website owners will make a corresponding request to their web hosting providers,” shares Sam Bridges, a web security specialist from Trust My Paper. “This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process.”

On top of that, some providers may not be willing to notify their users about the requirement to update their PHP version, so a lot of websites may still be using outdated ones for the next few years.

Well, hopefully you’re not going to be one of them.

  3. More Sophisticated DDoS Attack Techniques

DDoS attacks are nothing new. However, they are still a common type of cyberweapon used against websites and should be considered when choosing a hosting provider. In fact, the situation here is a lot more complicated than one might think.

For example, research suggests that the total number of DDoS attacks decreased by 13 percent in 2018, which many may see as a positive signal.

The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky

Unfortunately, the stats don’t provide the big picture here. According to Kaspersky, hackers are reducing the number of attempts to take down websites using DDoS attacks, but they are turning to more advanced and sophisticated attack techniques.

For example, it was found that the average length of attacks increased from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter of 2018. While this means that protection against this kind of attack is getting better, it also suggests that the malefactors are becoming more selective and skilled.


For example, 2018 saw the biggest DDoS attacks in history; one of these incidents involved a U.S.-based website that reported a 1.7 TB/s assault (meaning that the attackers overwhelmed the site with a massive wave of traffic hitting 1.7 terabytes per second!), according to The Register.

Source: The Register

Therefore, we may see an increase in unresponsive websites due to DDoS attacks in the coming years (clearly, not many websites can survive an attack like this one), as hackers deploy more sophisticated techniques.

Since a lack of DDoS-protected hosting is a major risk factor in this situation, make sure that your hosting provider has this protection in place.

Stay Protected

Web hosting is not the first thing that many website owners think about when setting up their businesses, but it’s definitely one that could make or break them. The success of your venture ultimately depends on the uptime, loading time, and overall reliability of your website, so being aware of the threats that you may face in the near future could help you avoid losing your website and joining those 100,000+ unfortunate site owners who get their sites hacked every day.

Hopefully, this article was a nice introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data to be protected, pay attention to the existing and emerging risks right now and make appropriate decisions. Eventually, this will pay off nicely by maximizing the uptime and reliability of your website.


Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.

The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.

Protecting Your Engineering Business from Industrial Espionage and Cybercriminals

Industrial espionage is a much more common occurrence than many people realize. As a business grows and begins to compete at a higher level, the stakes grow and its corporate secrets become more valuable. It isn’t just other businesses that might want this information; hackers who think they can sell the information will also be sniffing about.

Even if you can’t eliminate the risk entirely, there are certain things you can do to reduce the risk of a security breach in your business.

Shred Documents

While hackers do much of their work from their computers, they also often rely on a number of offline methods to enhance their effectiveness. For example, social engineering is regularly used to coerce people into unwittingly undermining otherwise very secure systems. Countering social engineering is difficult, although educating your employees about it will go a long way to mitigating the risk.

If a hacker wants to access your systems but is struggling to breach your cybersecurity, they may well turn to other methods to get through your security, including rummaging through bins for any discarded documents. If that sounds desperate to you, you might not realize just how often it works.

Make sure that any documentation that contains information that would be of interest to a would-be hacker, or corporate competitor, is completely destroyed when it is no longer needed. Make sure that if you use a shredder to do this, it is one that shreds documents securely.

Don’t Print Sensitive Information if You Don’t Have to

Of course, better than having to securely destroy documents would be not generating those documents to begin with. If you don’t have to print out sensitive information – don’t! If your sensitive documents are protected by a decent cybersecurity system, they will be about as safe as they can be. A physical document is much less secure.

Keep Your Schematics Under Wraps

Anyone who has access to the design schematics of your most important products will be able to reverse engineer them and probe them for weaknesses, even if they don’t have access to a physical device. Modern engineering businesses, like businesses in a number of other industries, make extensive use of printed circuit boards. If a competitor gets their hands on your PCB schematics, they can easily copy your proprietary technology.

Designing your own PCBs using Altium.com or a similar software package means that you can produce hardware that is unique to your engineering business. This should give you an added layer of security, as a potential hacker or criminal won’t know the internal layout and therefore won’t know what the potential entry points are. However, if they get their hands on your schematics, you instantly lose this benefit.

Keep it Need to Know

Your most sensitive corporate secrets shouldn’t be given to anyone who doesn’t need them. In any business, there will be coworkers who also become friends. Even if people only see each other when they’re at work, they will often develop friendly relationships with one another. It is important to maintain a distinction between business and pleasure – don’t feel bad about withholding sensitive information from someone that you trust if there is no reason for them to have that information.

If you want to keep your engineering business secure, you need to make sure that workers at all levels understand their individual role in ensuring the security of the business as a whole. All it takes is one clueless person to undermine even the most secure cybersecurity system.

The post Protecting Your Engineering Business from Industrial Espionage and Cybercriminals appeared first on CyberDB.