January 28 is Data Privacy Day—not exactly a major holiday, but it does provide an important opportunity to address something that’s compromising your privacy on a daily basis: namely, your phone.
With a nod to all the flip-phone activists out there, it’s fair to say smartphones aren’t going anywhere. Few among us pine for the days of wall-anchored phones that couldn’t send photos, call a cab, and play a clip of Baby Yoda all at the same time. The level of convenience ushered in by Android and iOS devices is beyond dispute.
That convenience came at a heavy cost that consumers are only now beginning to appreciate. Take, for instance, the “Brightest Flashlight” app, which ran afoul of the FTC a few years back on account of transmitting intimate levels of user data to advertisers while providing a minimal level of service; i.e. turning on the light of an Android device.
And that’s the most basic example. Mobile apps provide the opportunity to track our day-to-day lives down to the most intimate details, and they often share that data with little to no oversight: dating apps such as Match.com and Tinder have been “caught” collecting and selling data relating to drug use and religious views. Period tracking apps like Maya have been found to upload user data to Facebook including heaviness of menstrual flow, body weight, and sexual activity. Google recently acquired the fitness smartwatch brand FitBit, and with it the access to the sleep, exercise, and eating habits of its users. We might be at a loss as to how this data can be monetized, but rest assured: your data has value and is actively being exploited one app at a time.
What’s the solution? Unfortunately, there isn’t one, at least not yet. Despite the passage of California’s privacy law, we’re still very much living in the Wild West when it comes to user data.
Still, we can mitigate the ongoing privacy catastrophe that is the modern internet by making a quick audit of the apps on our smartphones. Take a look at what you have installed and ask yourself the following questions:
- Does this service actually require an app? If you can get the same service through a web browser as through an app, stick to the web, preferably via a VPN and in private browsing mode. Most mobile apps are configured to collect more user data than a website could access.
- Is the data being accessed by this app worth it? A flashlight app shouldn’t need your physical location. Facebook Messenger shouldn’t need to track the velocity at which you’re traveling. That Scrabble clone doesn’t need to know every contact on your phone. Be circumspect about the kind of access being granted when you install an app on your phone. If there’s any doubt, don’t install it.
- Do I want this information out in the world? Any information shared with an app has the potential to be uploaded, processed and analyzed by any number of third parties. Don’t share anything with an app that you wouldn’t be comfortable having a stranger know about you.
It’s overly optimistic to expect to reclaim your privacy on Data Privacy Day, but you can at least take a few steps in the right direction. Delete any apps you’re not using, and see if there are more privacy-friendly alternatives to some of your more frequently used apps.
The post It’s Data Privacy Day. Do You Know What Info Your Apps Are Tracking? appeared first on Adam Levin.
Sometimes it's hard to tell the corporate surveillance operations from the government ones:
Google reportedly has a database called Sensorvault in which it stores location data for millions of devices going back almost a decade.
The article is about geofence warrants, where the police go to companies like Google and ask for information about every device in a particular geographic area at a particular time. In 2013, we learned from Edward Snowden that the NSA does this worldwide. Its program is called CO-TRAVELLER. The NSA claims it stopped doing that in 2014 -- probably it just stopped doing it in the US -- but why should it bother when the government can just get the data from Google?
Have you had a Google Privacy Checkup lately? If not, when better than Data Privacy Day to audit the privacy of your Google account?
The post How to take charge of your Google privacy settings appeared first on WeLiveSecurity
A subsidiary of Avast antivirus is selling sensitive user browsing data to many companies, including Revlon, Microsoft, Google, Yelp, Condé Nast, and TripAdvisor.
According to a recent joint investigation by Vice’s Motherboard and PCMag, highly granular and sensitive user data from users of Avast antivirus is being repackaged and sold to companies via a subsidiary called Jumpshot, which promises buyers of the data information on “Every search. Every click. Every buy. On every site.”
Avast’s “free” or “freemium” antivirus software has over 435 million active users, with 100 million devices feeding data into Jumpshot, including Google searches, LinkedIn activity, YouTube activity, and activity on pornographic websites. According to the Motherboard article, “multiple Avast users… were not aware Avast sold browsing data, raising questions about how informed that consent is.”
The primary method of Avast’s data collection was initially via web browser plugins distributed through subsidiaries such as AVG. After privacy concerns were raised by security researchers, Google, Mozilla, and Firefox removed and banned these extensions from their respective web browsers. Since then, the company has begun harvesting user information through its anti-virus software.
Representatives from Avast responded to the report by emphasizing that users can opt out of their data collection, and that any data collected is anonymized.
“We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data,” the company announced in a statement.
Critics of the company’s data collection policies responded to this statement with skepticism.
“It’s almost impossible to de-identify data,” said law professor Eric Goldman. “When they promise to de-identify the data, I don’t believe it.”
Read the article here.
A German privacy watchdog is investigating clothing retailer H&M because it was allegedly spying on its customer service representatives in Germany.
Hamburg’s data protection commissioner has launched an investigation into Swedish clothing retailer H&M.
According to the German privacy watchdog, a hard drive containing about 60 gigabytes of data revealed that superiors at the site in Nuremberg kept “detailed and systematic” records about employees’ private and sensitive data.
“Hamburg’s data p
Johannes Caspar, the state data protection officer in Hamburg, said the records demonstrate a massive surveillance activity on employees. The records were accessible to all company managers.
“In fact, there was a massive spying out of the employees at the location in Nuremberg,” Caspar told the German Press Agency. “This has resulted in a significant evaluation of the reports available to us.”
The situation is very serious for H&M, which said in a statement that it takes the case “very seriously” and expressed its “honest regret” to the affected staff.
“The qualitative and quantitative extent of the employee data accessible to the entire management level of the company shows a comprehensive research of the employees, which has not been comparable in the past few years,” added Caspar. “It is also health data of those affected, from bladder weakness to cancer, as well as data from people in their social environment, such as family disputes, deaths or holiday experiences.”
The company said that it is offering full cooperation with data p
In the coming weeks, the data protection officer will decide on the fines.
The post Did H&M spy on its German employees? Privacy watchdog opens an investigation appeared first on Security Affairs.
Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts (a statewide ban may follow). In December, San Diego suspended a facial recognition program in advance of a new statewide law, which declared it illegal, coming into effect. Forty major music festivals pledged not to use the technology, and activists are calling for a nationwide ban. Many Democratic presidential candidates support at least a partial ban on the technology.
These efforts are well-intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we're in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it's being built by corporations in order to influence our buying behavior, and is incidentally used by the government.
In all cases, modern mass surveillance has three broad components: identification, correlation and discrimination. Let's take them in turn.
Facial recognition is a technology that can be used to identify people without their knowledge or consent. It relies on the prevalence of cameras, which are becoming both more powerful and smaller, and machine learning technologies that can match the output of these cameras with images from a database of existing photos.
But that's just one identification technology among many. People can be identified at a distance by their heartbeat or by their gait, using a laser-based system. Cameras are so good that they can read fingerprints and iris patterns from meters away. And even without any of these technologies, we can always be identified because our smartphones broadcast unique numbers called MAC addresses. Other things identify us as well: our phone numbers, our credit card numbers, the license plates on our cars. China, for example, uses multiple identification technologies to support its surveillance state.
Once we are identified, the data about who we are and what we are doing can be correlated with other data collected at other times. This might be movement data, which can be used to "follow" us as we move throughout our day. It can be purchasing data, Internet browsing data, or data about who we talk to via email or text. It might be data about our income, ethnicity, lifestyle, profession and interests. There is an entire industry of data brokers who make a living analyzing and augmenting data about who we are -- using surveillance data collected by all sorts of companies and then sold without our knowledge or consent.
There is a huge -- and almost entirely unregulated -- data broker industry in the United States that trades on our information. This is how large Internet companies like Google and Facebook make their money. It's not just that they know who we are, it's that they correlate what they know about us to create profiles about who we are and what our interests are. This is why many companies buy license plate data from states. It's also why companies like Google are buying health records, and part of the reason Google bought the company Fitbit, along with all of its data.
The whole purpose of this process is for companies -- and governments -- to treat individuals differently. We are shown different ads on the Internet and receive different offers for credit cards. Smart billboards display different advertisements based on who we are. In the future, we might be treated differently when we walk into a store, just as we currently are when we visit websites.
The point is that it doesn't matter which technology is used to identify people. That there currently is no comprehensive database of heartbeats or gaits doesn't make the technologies that gather them any less effective. And most of the time, it doesn't matter if identification isn't tied to a real name. What's important is that we can be consistently identified over time. We might be completely anonymous in a system that uses unique cookies to track us as we browse the Internet, but the same process of correlation and discrimination still occurs. It's the same with faces; we can be tracked as we move around a store or shopping mall, even if that tracking isn't tied to a specific name. And that anonymity is fragile: If we ever order something online with a credit card, or purchase something with a credit card in a store, then suddenly our real names are attached to what was anonymous tracking information.
Regulating this system means addressing all three steps of the process. A ban on facial recognition won't make any difference if, in response, surveillance systems switch to identifying people by smartphone MAC addresses. The problem is that we are being identified without our knowledge or consent, and society needs rules about when that is permissible.
Similarly, we need rules about how our data can be combined with other data, and then bought and sold without our knowledge or consent. The data broker industry is almost entirely unregulated; there's only one law -- passed in Vermont in 2018 -- that requires data brokers to register and explain in broad terms what kind of data they collect. The large Internet surveillance companies like Facebook and Google collect dossiers on us that are more detailed than those of any police state of the previous century. Reasonable laws would prevent the worst of their abuses.
Finally, we need better rules about when and how it is permissible for companies to discriminate. Discrimination based on protected characteristics like race and gender is already illegal, but those rules are ineffectual against the current technologies of surveillance and control. When people can be identified and their data correlated at a speed and scale previously unseen, we need new rules.
Today, facial recognition technologies are receiving the brunt of the tech backlash, but focusing on them misses the point. We need to have a serious conversation about all the technologies of identification, correlation and discrimination, and decide how much we as a society want to be spied on by governments and corporations -- and what sorts of influence we want them to have over our lives.
This essay previously appeared in the New York Times.
EDITED TO ADD: Rereading this post-publication, I see that it comes off as overly critical of those who are doing activism in this space. Writing the piece, I wasn't thinking about political tactics. I was thinking about the technologies that support surveillance capitalism, and law enforcement's usage of that corporate platform. Of course it makes sense to focus on face recognition in the short term. It's something that's easy to explain, viscerally creepy, and obviously actionable. It also makes sense to focus specifically on law enforcement's use of the technology; there are clear civil and constitutional rights issues. The fact that law enforcement is so deeply involved in the technology's marketing feels wrong. And the technology is currently being deployed in Hong Kong against political protesters. It's why the issue has momentum, and why we've gotten the small wins we've had. (The EU is considering a five-year ban on face recognition technologies.) Those wins build momentum, which lead to more wins. I should have been kinder to those in the trenches.
If you want to help, sign the petition from Public Voice calling on a moratorium on facial recognition technology for mass surveillance. Or write to your US congressperson and demand similar action. There's more information from EFF and EPIC.
As we embark on a new decade, data privacy has become top-of-mind for business executives and consumers worldwide. Data breaches frequently expose the personal data of millions, and many companies have not done enough to protect themselves from intentional or unintentional misuse. While it is often hard to reach agreement on new legislation, one issue that governments around the world seem to agree on is the need to help protect the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) became enforceable in May 2018, and many countries, from China to Brazil, have updated or passed their own regulations. The new California Consumer Privacy Act (CCPA) became effective at the beginning of 2020, other states are following suit, and a U.S. Federal privacy law is now under consideration.
Insights from the Cisco Data Privacy Research Program
The Cisco Chief Privacy Office has provided groundbreaking research and insights to help organizations and consumers understand what they can and should do to keep data safe and maximize their investments in data privacy. Two years ago, we launched our Data Privacy Benchmark Study, which explored privacy maturity and investments across thousands of organizations worldwide. We found that two-thirds of organizations were experiencing significant sales delays due to customers’ data privacy concerns, but that privacy investment was minimizing those delays. Last year, we expanded our inquiry to explore a wide range of business benefits, including the connection between privacy investment and security benefits such as fewer and less costly breaches. In November, we released a companion study looking at the attitudes and behaviors of consumers worldwide. We identified a large group we call “Privacy Actives” – that is, consumers who care about privacy, are willing to spend time or money to protect their data, and have already switched companies or providers based on their data policies.
The 2020 Data Privacy Benchmark Study and the ROI of Privacy
Today, in observance of International Data Privacy Day, I am pleased to share our 2020 Data Privacy Benchmark Study. Drawing on data from 2800 organizations in 13 countries, we have – for the first time – calculated the ROI for privacy. In addition, we updated the privacy metrics we have been tracking over several years, and the study explores the value of privacy certifications in today’s market. Key findings:
- For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. We asked respondents to quantify their annual privacy investment and business benefits, and we used this to calculate their privacy ROI. Most organizations are seeing very positive returns, and over 40% are realizing at least double their investment.
- 70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year, and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
- Higher accountability translates to increased benefits: Companies with higher accountability scores (as assessed using the Accountability Wheel of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns.
- Eighty-two percent of organizations see privacy certifications as a motivation for purchasing: Privacy certifications such as the ISO 27701 and the EU-U.S. Privacy Shield are becoming an important purchasing factor when selecting a third-party vendor.
What does this mean for organizations?
The results of this study highlight that privacy is good for business, beyond any compliance requirements. We recommend that organizations:
- Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
- Work to obtain external privacy certifications; these have become an important factor in the buying process.
- Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.
In future blogs, I will explore these results more fully, including some of the interesting differences in results across geographies and company size.
Follow Robert on Twitter @RobertWaitman
Patients and consumers deserve better access to personalized, actionable health care information to empower them to make better, more informed decisions – but it should not drive up health care costs or compromise the privacy of their personal health data, according to a poll of patients and consumers from Morning Consult and America’s Health Insurance Plans (AHIP).
Personal privacy outweighs increased transparency
A strong majority (62%) of patients want their data and privacy protected more … More
The post Patients believe stronger privacy protections are more important than easier health data access appeared first on Help Net Security.
Cisco, the maker of Webex, has warned users of the online conferencing service that a vulnerability allowed unauthorised remote users to listen in on private online meetings – without having to enter a password.
Cisco addressed a vulnerability in Cisco Webex that could be exploited by a remote, unauthenticated attacker to join a protected video conference meeting.
Cisco has addressed a high-severity flaw in the Cisco Webex video conferencing platform.
In order to exploit the CVE-2020-3142 flaw, the attacker only needs to know the meeting ID; once it is entered in the Webex mobile application for either iOS or Android, the attacker can join the meeting, bypassing any authentication.
“A vulnerability in Cisco Webex Meetings Suite sites and Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android.” reads the security advisory published by Cisco. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or
The CVE-2020-3142 vulnerability has received a CVSS score of 7.5 out of 10; Cisco discovered it while its experts were resolving a Cisco TAC support case.
Fortunately, the presence of the attackers in the meeting is easy to detect because the unauthorized attendees would be visible in the attendee list of the
The vulnerability affects Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites for versions earlier than 39.11.5 (for the former) and 40.1.3 (for the latter).
Cisco addressed the CVE-2020-3142 vulnerability with the release of the versions 39.11.5 and later and 40.1.3 and later for Webex Meetings Suite sites and Webex Meetings Online sites.
The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attack exploiting the vulnerability in the wild.
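Two defender-side checks for the Webex issue described above, as an added example that is not Cisco's code: a numeric version comparison against the fixed releases the text gives (39.11.5 for Suite sites, 40.1.3 for Online sites), and a reconciliation of a meeting's attendee list against the invite list, since the text notes that unauthorized attendees show up in that list. The attendee record layout (`name`/`email`/`client`) is an assumption constructed for this example.

```python
"""Checks for CVE-2020-3142 exposure and for uninvited attendees (added example)."""
from typing import Dict, Iterable, List, Tuple

# Fixed versions by site type, as stated in the advisory summary above.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "suite": (39, 11, 5),   # Webex Meetings Suite sites
    "online": (40, 1, 3),   # Webex Meetings Online sites
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '39.11.5' into (39, 11, 5) so versions compare numerically.

    Comparing as strings would be wrong: '39.9.0' sorts after '39.11.5'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(site_type: str, version: str) -> bool:
    """True if a site of the given type runs a version earlier than its fix."""
    key = site_type.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown site type: {site_type!r}")
    fixed = FIXED_VERSIONS[key]
    current = parse_version(version)
    # Pad the shorter tuple with zeros so (39, 11) compares like (39, 11, 0).
    width = max(len(fixed), len(current))
    current = current + (0,) * (width - len(current))
    fixed = fixed + (0,) * (width - len(fixed))
    return current < fixed


def unexpected_attendees(invited_emails: Iterable[str],
                         attendees: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return attendee records whose e-mail is not on the invite list.

    The attendee list is the evidence the text points to; an uninvited record
    from a mobile client is the first thing to review for this issue.
    """
    invited = {e.strip().lower() for e in invited_emails}
    return [a for a in attendees
            if a.get("email", "").strip().lower() not in invited]


# Constructed sample data for the example (not from any real meeting).
SAMPLE_INVITED = ["alice@example.com", "bob@example.com"]
SAMPLE_ATTENDEES = [
    {"name": "Alice", "email": "alice@example.com", "client": "desktop"},
    {"name": "Bob", "email": "Bob@Example.com", "client": "web"},
    {"name": "Guest", "email": "unknown@example.net", "client": "ios"},
]

if __name__ == "__main__":
    for site, ver in [("suite", "39.11.4"), ("suite", "39.11.5"),
                      ("online", "40.1.2"), ("online", "40.1.3")]:
        print(site, ver, "affected" if is_affected(site, ver) else "fixed")
    for a in unexpected_attendees(SAMPLE_INVITED, SAMPLE_ATTENDEES):
        print("uninvited:", a["name"], a["email"], a["client"])
```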
A couple of weeks ago, Cisco Systems released security fixes for two high-severity vulnerabilities in its products, including a remote code execution flaw in the Webex video conferencing platform.
The Webex flaw addressed by Cisco resides in the web-based management interface of Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing.
This flaw affects Webex Video Mesh Software releases earlier than 2019.09.19.1956m.
The post Cisco Webex flaw allows unauthenticated remote attackers to join private meetings appeared first on Security Affairs.
Controversial firm Clearview AI which stole your photographs from social media sites to feed their facial recognition database expects you to send them your photos and a scan of your ID if you want to have your data removed.
Uhh, yeah. Right.
Safari’s anti-tracking feature could apparently give access to users’ browsing habits
The post Google: Flaws in Apple’s privacy tool could enable tracking appeared first on WeLiveSecurity
Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible to anyone with a browser, who knew the server location, for about a month in total before an external researcher detected the problem. The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated … More
The post Lessons from Microsoft’s 250 million data record exposure appeared first on Help Net Security.
A hospital gets hacked because of an ex-employee’s grudge, robocalls are on the rise, and we share a scary story about the future of facial recognition.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Michael Hucks.
Artificial intelligence – more specifically, the machine learning (ML) subset of AI – has a number of privacy problems. Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. These AI systems need to access and “consume” huge amounts of data in order to exist and, in many … More
Some of the most popular dating services may be violating GDPR or other privacy laws
The post Dating apps share personal data with advertisers, study says appeared first on WeLiveSecurity
Past and current customers of a cosmetic surgery clinic are contacted by hackers making ransom demands, after they broke into its network and stole personal information.
An investigation has concluded that Jeff Bezos’s smartphone was hacked after receiving a WhatsApp message from Mohammed bin Salman.
Read more about the background behind the story, and what we know so far.
Japanese multinational Mitsubishi Electric has admitted that it had suffered a data breach some six months ago, and that “personal information and corporate confidential information may have been leaked.” The company, though, claims that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners have not been leaked.”
What was compromised in the Mitsubishi Electric data breach?
Mitsubishi Electric is a manufacturer of … More
The post Mitsubishi Electric discloses data breach, possible data leak appeared first on Help Net Security.
Watch out, car drivers. If you have installed a BlackVue dash cam in your vehicle, you might have unwittingly made your real-time GPS location available.
The NIST released version 1.0 of Privacy Framework, it is a tool designed to help organizations to manage privacy risks.
The National Institute of Standards and Technology (NIST) has published the release version 1.0 of its privacy
The NIST Privacy Framework is designed to help organizations manage privacy risks, with specific focuses on:
- Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
- Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment;
- Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.
The framework provides building blocks that help organizations in achieving privacy goals.
The Framework is composed of three main parts, the Core, Profiles, and Implementation Tiers.
The Core enables communications within organizations about privacy protection activities and desired goals. Profiles allow organizations to prioritize the outcomes and activities according to privacy values, the business mission, and risks.
Implementation tiers help organizations to optimize the resources that are necessary to manage the risk.
Organizations, once they have analyzed the potential impact of privacy risks, may choose to prioritize according to their strategy. The responses to privacy risk include:
- Mitigating the risk (e.g., organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree);
- Transferring or sharing the risk (e.g., contracts are a means of sharing or transferring risk to other organizations, privacy notices and consent mechanisms are a means of sharing risk with individuals);
- Avoiding the risk (e.g., organizations may determine that the risks outweigh the benefits, and forego or terminate the data processing);
- Accepting the risk (e.g., organizations may determine that problems for individuals are minimal or unlikely to occur, therefore the benefits outweigh the risks, and it is not necessary to invest resources in mitigation).
The framework should also help organizations keep up with technology advancements and new uses for data.
The Privacy Framework is considered complementary with the NIST Cybersecurity Framework, using both it is possible to have a good understanding of the different origins of
Additional details are included in the document titled “NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT.”
The post NIST releases version 1.0 of the Privacy Framework appeared first on Security Affairs.
A bizarre sextortion scam is attempting to trick victims that not only has their smartphone been hacked to spy upon their private lives, but also every other device they have encountered which contains a built-in camera.
Read more in my article on the Hot for Security blog.
The New York Times has a long story about Clearview AI, a small company that scrapes identified photos of people from pretty much everywhere, and then uses unstated magical AI technology to identify people in other photos.
His tiny company, Clearview AI, devised a groundbreaking facial recognition app. You take a picture of a person, upload it and get to see public photos of that person, along with links to where those photos appeared. The system -- whose backbone is a database of more than three billion images that Clearview claims to have scraped from Facebook, YouTube, Venmo and millions of other websites -- goes far beyond anything ever constructed by the United States government or Silicon Valley giants.
Federal and state law enforcement officers said that while they had only limited knowledge of how Clearview works and who is behind it, they had used its app to help solve shoplifting, identity theft, credit card fraud, murder and child sexual exploitation cases.
But without public scrutiny, more than 600 law enforcement agencies have started using Clearview in the past year, according to the company, which declined to provide a list. The computer code underlying its app, analyzed by The New York Times, includes programming language to pair it with augmented-reality glasses; users would potentially be able to identify every person they saw. The tool could identify activists at a protest or an attractive stranger on the subway, revealing not just their names but where they lived, what they did and whom they knew.
And it's not just law enforcement: Clearview has also licensed the app to at least a handful of companies for security purposes.
EDITED TO ADD (1/23): Twitter told the company to stop scraping its photos.
Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk.
Version 1.0 of the NIST Privacy Framework
The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. … More
The post NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance appeared first on Help Net Security.
Chinese authorities continue operations against unauthorized VPN services that are very popular in the country.
China continues to intensify its monitoring of cyberspace and its persecution of VPN services that could be used to bypass its censorship system, known as the Great Firewall.
The Great Firewall project has already blocked access to hundreds of the world’s 1,000 top websites, including Google, Facebook, Twitter, and Dropbox.
Since early 2019, the Chinese authorities have
In December, the Chinese authorities sentenced a man to five and a half years in prison for selling a VPN service without authorization.
According to an announcement from China’s Procuratorate Daily, the man was also fined 500,000 yuan ($76,000).
Media now report a new arrest by Chinese authorities in the city of Taizhou: police arrested a 29-year-old man identified by the pseudonym Gao, who had operated a VPN service since mid-2016. Gao made more than 11 million Chinese yuan ($1.6 million) renting access to VPN servers to more than 28,000 regular customers; he pleaded guilty in 2019 and is still awaiting his final sentence.
In July 2019, in compliance with China’s Internet monitoring law, Apple started removing all iOS VPN apps from its App Store in China.
Law enforcement agencies have seized control of the domain of WeLeakInfo, a website offering cheap access to billions of personal credentials stolen from approximately 10,000 data breaches.
Is it a legal requirement to include T&Cs?
What should you include in the T&Cs?
- How to make a purchase
- How to make a payment
- How they will receive their products
- How they can cancel orders
What kind of protection can you expect from the T&Cs?
It is not uncommon for disputes to arise between you and your online customers or visitors. Therefore, it is essential to ensure that the terms and conditions are accessible, preferably on your website.
You also need to protect your website from copyright infringements. You can avoid potential disputes and confusion by specifying which sections are copyrighted and which are your intellectual property. You should also stipulate what visitors can do with your data. If there is any breach of your copyright or intellectual property, the terms and conditions should clearly explain how the problem will be resolved.
Are there standard T&Cs which apply to all websites?
There are general formats or templates of T&Cs that you can obtain for free online. However, there is always the possibility that these documents will not cover specific aspects of your business or will not include the relevant terms. If you omit an essential term from your website, you may find yourself vulnerable if a dispute arises. Therefore, it is critical that you customise your terms and conditions so they are suitable for your website and business.
- Product and service offerings – No two businesses are alike, even if you sell the same products and services. For example, your competitor may only accept PayPal but you may allow other modes of payment.
- Industry or target audience – In every industry, there are specific provisions that need to be included in the T&Cs. For example, customers may have a legal right to cancel or return their purchases within a specified period.
Your T&Cs are like any other enforceable contract. Nevertheless, you must ensure that they don’t contravene existing consumer laws or government regulations. Remember, you should only incorporate clauses that you can legally apply.
Terms and conditions are necessary for all businesses, including e-commerce sites. It is essential that you create T&Cs that are suitable for your products and services, and that they are legally enforceable. You also need to periodically review your T&Cs, especially if there have been any significant changes to your business structure or the law. Moreover, they must be accessible to your online customers and visitors. If they are not aware of your T&Cs, you may find it difficult to enforce them if a problem arises.
Written by Kerry Gibbs, a legal expert at BEB Contract and Legal Services.
Canadian online pharmacy PlanetDrugsDirect.com has contacted customers warning them that their data might have been exposed in what they euphemistically describe as a “data security incident”.
Read more in my article on the Tripwire State of Security blog.
Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account. At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites. The new feature, called Login Notifications, will deliver notifications to users via the Facebook app and the user’s associated …
The post Facebook users will be notified when their credentials are used for third-party app logins appeared first on Help Net Security.
The man who hacked the UK National Lottery didn’t end up a winner, Japanese Love hotel booking tool suffers a data breach, and just what is 23andMe planning to do with your DNA?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.
An unsecured database discovered online has leaked thousands of baby photos and videos.
Bithouse, Inc. left unprotected and accessible online an Elasticsearch database containing nearly 100GB of information associated with its app Peekaboo Moments. The leaked data includes photos, videos, and birthdates of babies, as well as 800,000 email addresses, location data, and detailed device information.
The leaked data was discovered by Dan Ehrlich of the security consulting firm Twelve Security.
“I’ve never seen a server so blatantly open,” Ehrlich said of the leak.
The lack of protection for user data seemingly contradicts the company’s promises on the Google Play store.
“Data privacy and security come as our priority. Every Baby’s photos, audios & videos or diaries will be stored in secured space. Only families & friends can have access to baby’s moments at your control,” says the description of the app, which has been downloaded over a million times since 2012.
Bithouse has yet to comment on the leak or take the leaked data offline.
The post Baby App “Peekaboo” Leaks Photos, Videos and Personal Data appeared first on Adam Levin.
The developer of a smartphone app has carelessly left a database accessible to anybody with an internet connection, leaving exposed a database of millions of records containing baby videos and photos, as well as the email addresses of users.
Read more in my article on the Hot for Security blog.
You may have been expecting to reveal a lot by signing up as an adult webcam model, but I doubt this is quite what you had in mind.
The company will also soon launch anti-fingerprinting measures aimed at detecting and mitigating covert tracking and workarounds.
The post Google to end support for third‑party cookies in Chrome appeared first on WeLiveSecurity.
The new General Data Protection Regulation (GDPR), which came into effect in 2018, meant some big changes in the way businesses collect and handle personal data. The idea behind the new legislation is to give individuals better access to and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses, which must now provide legal grounds for collecting data and must only use it for the intended purpose. What’s more, they need to follow these regulations to the letter and remain GDPR compliant at all times.
This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:
- Understanding your data and responsibilities
- Defining your data consent policy
- Access requests and disposing of old data
- Setting up a data storage and security policy
- Training all staff on GDPR
- Creating data processing notices
- Understanding your data and responsibilities
In order to be GDPR compliant it’s important that you understand what data you’re collecting and your responsibilities as a business. It’s therefore a good idea to get clued up on what is defined as ‘personal data’ and set out strict guidelines on how much information you need to collect. This is because a huge part of GDPR is ensuring that you only collect personal information you actually need and that it is only used for the intended purpose. The less you collect the easier it is to stay compliant.
You’ll also want to ensure anyone that is involved in the handling of data understands how to collect and store the data effectively, as well as how to process it in line with GDPR. As you collect data, it’s a good idea to keep a note of how consent is being obtained and what processes the data goes through once it has been collected.
- Setting out your data consent policy
Getting clear and explicit consent from individuals to collect and use their data is one of the most important aspects of GDPR. For this reason, you need to outline to customers or those using your services why you’re collecting their data and how you intend to use it in the future. Once they have actively agreed, you can then collect their data – this is usually done through sign-up forms or pop-ups. However, if they do not give you permission then under no circumstances should you record their personal information.
You must be able to show that you have obtained consent for all the data that you have collected. Otherwise, you run the risk of being fined. Another point worth noting is that you can no longer rely on underhand tactics such as pre-ticked boxes to gain consent. This is now illegal under GDPR and can land you in trouble. Finally, you must make it easy for individuals to opt out of receiving your communications. The best way to do this is by adding an unsubscribe button at the bottom of all emails.
- Access requests and disposing of old data
If you haven’t already, GDPR states that you must obtain fresh consent from customers whose information you held before the new guidelines were implemented in May 2018. If they do not give you their consent once again, or they do not reply to your email at all, you must delete their data as soon as possible. An important part of your GDPR checklist should be putting auditing processes in place that determine how long you will store data. For example, if a customer has not engaged with your brand in 12 months it is no longer necessary to keep their information and it should therefore be deleted.
What’s more, as part of GDPR every EU individual has the right to access their data. Therefore you need a system in place to deal with access requests. You’ll have 30 days from receiving the request to provide them with an electronic copy of all the information you have on them. They can also request that this be deleted, so you need a system in place to get this done as quickly as possible.
- Setting up a data storage and security policy
GDPR is set out to protect the rights and personal information of individuals, therefore you need to make sure you’re taking care of the data you’re collecting. This means knowing where it is stored and ensuring you’ve got the security measures in place to keep it safe. Mapping out all the places where you store data, be that email, databases or cloud-based systems, makes it easier to find and deal with access or deletion requests. Your storage and security policy should outline where everything is stored, how it is protected and who has access to said data.
You also need to know how data is being transferred and how information flows around your business. This stops information getting lost or falling into the wrong hands. It also pays to have a system in place in case hardware containing sensitive information is accessed or lost. For example, if a laptop full of information is misplaced, having the data encrypted means you’re less likely to fall victim to a breach or face a fine.
- Training all staff on GDPR
Most data breaches or security mistakes come as a result of human error. Unfortunately, in this case ignorance isn’t bliss: you cannot use ignorance as an excuse for mishandling data. For this reason, it’s important that all members of your team are clued up on GDPR, their personal responsibilities for looking after personal data, and how to recognise a breach. Under GDPR, you must report any data breach within 72 hours; this becomes much easier if everyone in your team is educated on what a breach looks like and who they need to report to.
- Creating data processing notices
Finally, data handling needs to be a clear and transparent process, and therefore it’s a good idea to create a notice explaining how your business collects and processes data. This is often called a Fair Processing Notice and can be sent out to customers/users as well as being displayed somewhere on your website. It should outline how you capture, use and store data, as well as giving instructions on how an individual can make an access or deletion request. This helps them to understand how you are protecting their data and can be great for building your reputation as a legitimate and caring business.
Hundreds of millions of Windows 10 users are having an important patch rolled out to their computers today after Microsoft was warned by the NSA of a serious security hole in the operating system.
Facebook addressed last week a security flaw that exposed page admin accounts, the bug was exploited against several high-profile pages.
Last week Facebook addressed a security issue that exposed page admin accounts; the bug was exploited in attacks in the wild against several high-profile pages.
The page admin accounts are anonymous unless the Page owner opts to make the
“The accounts behind those pages are anonymous unless a Page owner opts to make the
Wired confirmed that on message boards like 4chan, people started posting screenshots that
Facebook quickly addressed the issue after it was alerted by a security researcher.
“We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history,” Facebook said in a statement. “We are grateful to the security researcher who alerted us to this issue.”
The list of the pages targeted by hackers included the ones belonging to President Donald Trump, the street artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and the rapper Snoop Dogg, among others.
In February 2018, the security researcher Mohamed Baset discovered a similar vulnerability on Facebook.
Baset explained that the flaw was a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post. The researcher analyzed the source code of the email sent by the social network and discovered that it included the name of the administrator of the page and other info.
The post Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info appeared first on Security Affairs.
It’s not only external hackers who pose a threat to the customer data that your company stores.
Special Services Group, a company that sells surveillance tools to the FBI, DEA, ICE, and other US government agencies, has had its secret sales brochure published. Motherboard received the brochure as part of a FOIA request to the Irvine Police Department in California.
"The Tombstone Cam is our newest video concealment offering the ability to conduct remote surveillance operations from cemeteries," one section of the Black Book reads. The device can also capture audio, its battery can last for two days, and "the Tombstone Cam is fully portable and can be easily moved from location to location as necessary," the brochure adds. Another product is a video and audio capturing device that looks like an alarm clock, suitable for "hotel room stings," and other cameras are designed to appear like small tree trunks and rocks, the brochure reads.
The "Shop-Vac Covert DVR Recording System" is essentially a camera and 1TB hard drive hidden inside a vacuum cleaner. "An AC power connector is available for long-term deployments, and DC power options can be connected for mobile deployments also," the brochure reads. The description doesn't say whether the vacuum cleaner itself works.
One of the company's "Rapid Vehicle Deployment Kits" includes a camera hidden inside a baby car seat. "The system is fully portable, so you are not restricted to the same drop car for each mission," the description adds.
The so-called "K-MIC In-mouth Microphone & Speaker Set" is a tiny Bluetooth device that sits on a user's teeth and allows them to "communicate hands-free in crowded, noisy surroundings" with "near-zero visual indications," the Black Book adds.
Other products include more traditional surveillance cameras and lenses as well as tools for surreptitiously gaining entry to buildings. The "Phantom RFID Exploitation Toolkit" lets a user clone an access card or fob, and the so-called "Shadow" product can "covertly provide the user with PIN code to an alarm panel," the brochure reads.
The Motherboard article also reprints the scary emails Motherboard received from Special Services Group, when asked for comment. Of course, Motherboard published the information anyway.
A British man has been jailed for two years after police caught him using a notorious Remote Access Trojan (RAT) to hijack the webcams of young women, and spy upon them.
Read more in my article on the Tripwire State of Security blog.
We discuss how Microsoft Word helped trap a multi-million dollar fraudster, how Amazon Ring may be recording more than you’re comfortable with, and how teens are flocking to TikTok (and why that might be a problem).
All this and much more is covered in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
It’s the turn of a new decade and a new privacy law has gone into effect — the California Consumer Privacy Act or CCPA. A quick check with some of my fellow privacy pros on how many consumer information requests were received at the end of the day on Jan. 1 puts retail at higher numbers […]
By 2021, cybercrimes will cost companies USD 6 trillion, according to a study.
The number of internet users has grown from an estimated 2 billion in 2015 to 4.4 billion in 2019, but so has cybercrime, which is expected to cost companies USD 6 trillion worldwide, according to a study by Cybersecurity Ventures.
Similarly, the number of smartphone users has grown from 2.5 billion in 2016 to 3.2 billion in 2019 and is forecasted to grow to 3.8 billion by 2021. Smartphones and the internet will make further inroads to our economic system. But there are certain risks involved as well.
Mobile phones are becoming targets of cybercriminals because of their widespread use and increasing computing power. Consider the fact that more than 60% of online fraud occurs through mobile phones. This threat is not just to individual users but to businesses as well, regardless of how large the company is: 43% of the cyberattacks in 2019 were aimed at smaller businesses because they do not have adequate protection.
Given how vulnerable smartphones are and that the threat from cyber attacks is only expected to increase, here are some measures you can take to protect your business from cybercriminals:
Bring Your Own Device (BYOD) offers several benefits to both the organization and employees. Such a policy allows employees at a company to use their own mobile phones, tablets, or laptops for work, saving companies the hassle of purchasing devices.
However, you need to consider whether you are saving more than you are losing. Employees have confidential company information on their devices, and such a door into your organization can cost you heavily. Set aside the funds to obtain company devices for use by employees at the office, and consider that investment part of your cybersecurity strategy.
The cybersecurity threat landscape is ever-evolving due to the fast nature of innovation. Develop a comprehensive cybersecurity program that includes a regular assessment of your company’s security needs. Identify the strengths of your IT infrastructure against potential attacks, and do not let advances in technology or techniques take that away from you. Similarly, you should identify the vulnerabilities in your systems. Make sure any gaps in your defenses are appropriately plugged. A threat assessment should be an integral component of any cybersecurity policy.
Make sure that employees at your organization are informed and up to date on the latest in cyber threats. This way they can protect themselves and the company from cybercriminals. Even a single mistake by one employee can end up creating a door for individuals or groups wishing your company harm. All employees must be trained as a matter of policy. This way, they can identify phishing attacks and manage social engineering scams. Another factor your employees must be mindful of is resource monitoring. Suspicious resource use on company devices, whether it is excess internet or battery usage, should raise alarm bells. However, employees may not look into such things in detail because they do not own the devices. Train your staff to keep track of resource use too.
Most organizations have some form of employee monitoring policy and track their workers. If you haven’t done so already, develop such a policy, and keep your employees informed to ensure transparency. If you have decided to use company devices, you can opt to install monitoring apps on them. There are several modern monitoring apps currently available, such as XNSPY. The app can keep track of online activities, generate a list of call logs, and remotely control the device. Furthermore, you can track the location of the device in real time, and use features such as geofencing and GPS history. There are other powerful features too, such as ambient recording, multimedia access, and online activity tracking. You can also wipe all the data from a device in case of theft. Monitoring apps such as XNSPY should be a part of your strategy against cybercriminals.
Don’t forget physical infrastructure:
Cybersecurity may involve software updates and training policies, but making sure your physical infrastructure is safe is just as important. Re-evaluate how exposed your digital infrastructure is to physical access. Furthermore, go through the profiles of suppliers and vendors to vet them properly. A small door in any piece of equipment can let cybercriminals through and bypass your entire cybersecurity foundation. Be aware of this threat and make sure that suppliers work by following specific regulations.
Develop a threat monitoring policy:
Anticipating an attack and stopping it is an important part of comprehensive cybersecurity policy. Make sure that you are monitoring your digital infrastructure round the clock.
Invest in threat monitoring software and a team of professionals that can identify, track, and stop an attack.
The concept of designing a cybersecurity system as a fortification is giving way to that of an adaptable system that can accommodate evolving security threats. Furthermore, a monitoring policy also needs to have a clear response plan.
Such a plan details what needs to happen and when in case of an attack. This ensures that there is a speedy response by your company against any threat.
Smartphones have become powerful enough that they can be considered as computers in their own right. While this has created scores of opportunities, there are also clear threats posed by cybercrime. These threats are only going to increase as the internet and smartphone use increases. While protecting your business against cyber criminals requires a considerable investment of time and money, it will pay off in the long run.
Clark Thomas is an expert in VoIP. He helps businesses, both small and medium-sized, in implementing and adopting the best security methods for their organization and network. He gives great advice and assists people in boosting the security measures for their website and business.
The post Cybercrime is moving towards smartphones – this is what you could do to protect your company appeared first on CyberDB.
The past 12 months have been another bumper year for cybercrime affecting everyday users of digital technology. Trend Micro blocked more than 26.8 billion of these threats in the first half of 2019 alone. The bad news is that there are many more out there waiting to steal your personal data for identity fraud, access your bank account, hold your computer to ransom, or extort you in other ways.
To help you stay safe over the coming year we’ve listed some of the biggest threats from 2019 and some trends to keep an eye on as we hit the new decade. As you’ll see, many of the most dangerous attacks will look a lot like the ones we warned about in 2019.
As we enter 2020 the same rules apply: stay alert, stay sceptical, and stay safe by staying protected.
Top five threats of 2019
Cybercrime is a chaotic, volatile world. So to make sense of the madness of the past 12 months, we’ve broken down the main type of threats consumers encountered into five key areas:
Home network threats: Our homes are increasingly powered by online technologies. Over two-thirds (69%) of US households now own at least one smart home device: everything from voice assistant-powered smart speakers to home security systems and connected baby monitors. But gaps in protection can expose them to hackers. As the gateway to our home networks, routers are particularly at risk. It’s a concern that 83% are vulnerable to attack. There were an estimated 105m smart home attacks in the first half of 2019 alone.
Endpoint threats: These are attacks aimed squarely at you the user, usually via the email channel. Trend Micro detected and blocked more than 26 billion such email threats in the first half of 2019, nearly 91% of the total number of cyber-threats. These included phishing attacks designed to trick you into clicking on a malicious link to steal your personal data and log-ins or begin a ransomware download. Or they could be designed to con you into handing over your personal details, by taking you to legit-looking but spoofed sites. Endpoint threats sometimes include social media phishing messages or even legitimate websites that have been booby-trapped with malware.
Mobile security threats: Hackers are also targeting our smartphones and tablets with greater gusto. Malware is often unwittingly downloaded by users, since it’s hidden in normal-looking Android apps, like the Agent Smith adware that infected over 25 million handsets globally this year. Users are also extra-exposed to social media attacks and those leveraging unsecured public Wi-Fi when using their devices. Once again, the end goal for the hackers is to make money: either by stealing your personal data and log-ins; flooding your screen with adverts; downloading ransomware; or forcing your device to contact expensive premium rate phone numbers that they own.
Online accounts under attack: Increasingly, hackers are after our log-ins: the virtual keys that unlock our digital lives. From Netflix to Uber, webmail to online banking, access to these accounts can be sold on the dark web or they can be raided for our personal identity data. Individual phishing attacks are one way to get these log-ins. But an increasingly popular method in 2019 was to use automated tools that try tens of thousands of previously breached log-ins to see if any of them work on your accounts. From November 2017 through the end of March 2019, over 55 billion such attacks were detected.
Breaches are everywhere: The raw materials needed to unlock your online accounts and help scammers commit identity fraud are stored by the organizations you interact with online. Unfortunately, these companies continued to be successfully targeted by data thieves in 2019. As of November 2019, there were over 1,200 recorded breaches in the US, exposing more than 163 million customer records. Even worse, hackers are now stealing card data direct from the websites you shop with as they are entered in, via “digital skimming” malware.
What to look out for in 2020
Smart homes under siege: As we invest more money in smart gadgets for our families, expect hackers to double down on network attacks. There’s a rich bounty for those that do: they can use an exposed smart endpoint as a means to sneak into your network and rifle through your personal data and online accounts. Or they could monitor your house via hacked security cameras to understand the best time to break in. Your hacked devices could even be recruited into botnets to help the bad guys attack others.
Social engineering online and by phone: Attacks that target user credulity are some of the most successful. Expect them to continue in 2020: both traditional phishing emails and a growing number of phone-based scams. Americans are bombarded by 200 million automated “robocalls” each day, 30% of which are potentially fraudulent. Sometimes phone fraud can shift quickly online; for example, tech support scams that convince the user there’s something wrong with their PC. Social engineering can also be used to extort money, such as in sextortion scams designed to persuade victims that the hacker has and is about to release a webcam image of them in a “compromising position.” Trend Micro detected a 319% increase in these attacks from 2H 2018 to the first half of 2019.
Threats on the move: Look out for more mobile threats in 2020. Many of these will come from unsecured public Wi-Fi which can let hackers eavesdrop on your web sessions and steal identity data and log-ins. Even public charging points can be loaded with malware, something LA County recently warned about. This comes on top of the escalating threat from malicious mobile apps.
All online accounts are fair game: Be warned that almost any online account you open and store personal data in today will be a target for hackers tomorrow. For 2020, this of course means you will need to be extra careful about online banking. But also watch out for attacks on gaming accounts. Not only your personal identity data and log-ins but also lucrative in-game tokens will become highly sought after. Twelve billion of those recorded 55 billion credential stuffing attacks were directed at the gaming industry.
Worms make a comeback: Computer worms are dangerous because they self-replicate, allowing hackers to spread attacks without user interaction. This is what happened with the WannaCry ransomware attacks of 2017. A Microsoft flaw known as BlueKeep offers a new opportunity to cause havoc in 2020. There may be more out there.
How to stay safe
Given the sheer range of online threats facing computer users in 2020, you’ll need to cover all bases to keep your systems and data safe. That means:
Protecting the smart home with network monitoring solutions, regular checks for security updates on gadgets/router, changing the factory default logins to strong passwords, and putting all gadgets onto a guest network.
Tackling data-stealing malware, ransomware and other worm-style threats with strong AV from a reputable vendor, regular patching of your PC/mobile device, and strong password security (as given below).
Staying safe on the move by always using VPNs with public Wi-Fi, installing AV on your device, only frequenting official app stores, and ensuring you’re always on the latest device OS version. And steer clear of public USB charging points.
Keeping accounts secure by using a password manager for creating and storing strong passwords and/or switching on two-factor authentication where available. This will stop credential stuffing in its tracks and mitigate the impact of a third-party breach of your log-ins. Also, never log in to webmail or other accounts on shared computers.
Taking on social engineering by never clicking on links or opening attachments in unsolicited emails, texts or social media messages and never giving out personal info over the phone.
How Trend Micro can help
Fortunately, Trend Micro fully understands the multiple sources for modern threats. It offers a comprehensive range of security products to protect all aspects of your digital life — from your smart home, home PCs, and mobile devices to online accounts including email and social networks, as well as when browsing the web itself.
Trend Micro Home Network Security: Provides protection against network intrusions, router hacks, web threats, dangerous file downloads and identity theft for every device connected to the home network.
Trend Micro Security: Protects your PCs and Macs against web threats, phishing, social network threats, data theft, online banking threats, digital skimmers, ransomware and other malware. Also guards against over-sharing on social media.
Trend Micro Mobile Security: Protects against malicious app downloads, ransomware, dangerous websites, and unsafe Wi-Fi networks.
Trend Micro Password Manager: Provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign in to.
Trend Micro WiFi Protection: Protects you on unsecured public WiFi by providing a virtual private network (VPN) that encrypts your traffic and ensures protection against man-in-the-middle (MITM) attacks.
Trend Micro ID Security (Android, iOS): Monitors underground cybercrime sites to securely check if your personal information is being traded by hackers on the Dark Web and sends you immediate alerts if so.
The post The Everyday Cyber Threat Landscape: Trends from 2019 to 2020 appeared first on .
A Xiaomi security camera owner reports receiving random images from strangers’ homes
The post Google disables Xiaomi smart home integration after camera bug appeared first on WeLiveSecurity
California’s groundbreaking privacy law went into effect January 1, 2020.
The California Consumer Privacy Act (CCPA) requires businesses to inform state residents if their data is being monetized as well as to provide them with a clearly stated means of opting out from the collection of their data and/or having it deleted. Businesses not in compliance with CCPA regulations may be fined by the state of California and sued by its residents.
The CCPA requirements only kick in for companies that have collected the personal data of more than 50,000 California residents and/or show more than $25 million in annual revenue. The primary exception to the CCPA are companies subject to California’s Insurance Information and Privacy Protection Act (IIPPA).
Under the CCPA, companies are allowed to sell “anonymized” user data. This exemption has drawn heavy criticism from privacy advocates due to several studies showing that anonymized data can be re-identified with personally identifiable information relatively easily.
While the protections of the law only apply to California residents, businesses such as Microsoft have implemented its provisions for all customers.
Much like the European Union’s General Data Protection Regulation, many of the details of the implementation of the CCPA have yet to be determined and will most likely require further clarification in court cases.
“If you thought the GDPR was bumpy, the CCPA is going to be a real roller coaster,” said privacy and cybersecurity legal expert Reece Hirsh in an interview with The Verge.
The post What’s In Your Business Plan? California’s Privacy Law Goes Into Effect appeared first on Adam Levin.
2020 seems to be getting off to an inauspicious start with the compromise of the home addresses of prominent UK citizens–many of them in lines of work that could make them targets for crime.
The UK Cabinet Office issued an apology after a data leak that involved the exact addresses (including house and apartment numbers) of more than 1,000 New Year Honours recipients. The information was posted online and visible to the public for about an hour.
January 1 is one of two days reserved for the announcement of new members of the UK’s honor system, which includes newly minted members of the Order of Chivalry as well as other distinctions. The other day for such announcements is April 21, Queen Elizabeth’s birthday.
The names and addresses of 1,097 honors recipients were published on the New Year Honours website Friday, December 27. Included on the list were recording artist Sir Elton John, former Director of Public Prosecutions Alison Saunders, and several other athletes, celebrities, and government officials.
While many of the addresses on the list were already publicly available, individuals on the list are concerned for their safety.
“It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published,” said former Tory leader Sir Iain Duncan Smith to the Sunday Times.
“For someone like myself in direct frontline services, it would be very worrying if those details could be shared,” said Women’s Aid regional manager Sonya McMullen, whose address was also leaked.
As reported by the BBC, in an interview on Radio 4, former head of the civil service Lord Kerslake “suggested ‘human error’ could be to blame for the leak and called on investigators to look at whether staff were given training on data regulation.”
While the incident was subsequently reported to the Information Commissioner’s Office (ICO), which has the power to levy fines when personally identifiable information is mishandled or breached, what exactly is the right punishment for a crime where a layer of security is lost–and changing residence is the only remedy?
Do the fines cover the cost of selling a home, and all the associated expenses of moving? It’s an unknowable problem set, but there is one thing we know for certain: This sort of leak is avoidable. A combination of training and preventative systems can help employees avoid such grave mistakes–systems and protocols that work even on the day after Boxing Day, when employees may not be in the best shape.
There is always another layer of protection and prevention to be had when it comes to cyber and the protection of our information, just like there is always another story about failures to protect it.
The post The United Kingdom Leaks Home Addresses of Prominent Brits appeared first on Adam Levin.
With only days until the end of 2019, people are already chalking up their New Year’s resolutions. For some, it’s hitting the gym more often. Others stay on the path of getting rid of all noxious and obnoxious friends. But, for myself, I am just content with finding more ways to keep doing more and worrying less (perhaps laying off the fourth cup of coffee). This article is dedicated to all those wonderful people out there who just want to stay awesome at what they’re doing. So, if you’re feeling less than productive, below par and all that, or badly want a resolution you can keep, take a quick look at my article about the best productivity apps you should definitely try out in 2020. Enjoy the article, and be careful with that extra glass of wine or champagne at the New Year’s Eve party.
Best productivity apps rundown
The first resolution before the end of the year: checking every item off your to-do list. It’s important to stay organized, no matter where you are or what you do. However, in an organization where every task is marked as “urgent”, it’s very difficult to figure out what your next step should be.
So, for all you 9-to-5ers who are struggling to keep all those deadlines, I give you Todoist, one of the best-rated task management and productivity tools.
Those familiar with task-focusing apps like Asana will know just how much of a difference the right tool can make, especially when you are flooded by tasks. Todoist is compatible with all platforms (macOS, Microsoft Windows, Android, and iOS) and can also run on some wearables such as Apple Watch or Wear OS.
The GUI is very intuitive, works both online and offline, and comes with a smart color-code system that helps you assign priorities to the tasks at hand.
Other useful features: favorite projects, recurring tasks, ability to create new sections and add subtasks, delegate tasks to team members, receive desktop or on-top phone notifications, draw up productivity charts, check the project’s status and many more.
Todoist can also be synced with third-party apps like Slack or Dropbox. Finally, this application is free for use and scalable enough to suit any enterprise needs. However, if you plan on deploying it on every machine, including BYODs, you may want to purchase the premium version which has additional features.
What if life is one big RPG game, where you need to complete quests to earn experience and money? It certainly feels like it sometimes, but without magic, dragons, monsters, and epic battles.
What if we took everything out of RPG games (completing quests, leveling up, earning cash, unlocking new abilities) and applied it to real life? The result is Habitica, a gamified habit-building and productivity tool that makes you feel just like a video game hero.
Does it sound too boring to create a memo about drinking water every hour? No problem – Habitica will transform this into an epic quest, with rewards and everything. One could say that Habitica is the best example of gamification.
The interface resembles an 8-bit dungeon-crawling game for smartphones. The hero, aka your charming little self, has a health bar (which can increase or decrease depending on how well you abide by your daily habits), an experience bar (which fills up each time you complete a ‘quest’) and even an energy/mana bar which slowly drains as the day draws to an end.
Like any habit-building app, Habitica allows you to customize your daily routine, sends you reminders if you skip one or more habits, and displays stats at the end of the day. The rewards earned by completing a task can be used to unlock new items for your avatar (clothes, weapons, trinkets).
Habitica can be used in any type of environment: home, school, and even work. The app has powerful task management tools and widgets, which are guaranteed to spare you a lot of trouble.
Habitica is a great open-source tool, free of charge, but you can keep the project alive by spending real money on gems (that’s the app’s currency) and items.
It supports third-party APIs and can be synced with many third-party apps such as WordPress, QuickToDo, Firefox, Trello, Zapier, and even Microsoft Flow.
Punch clocks may very well belong in the past, but the need to keep tabs on employees’ activity is still around. So, how do you eyeball someone without making him or her feel uncomfortable?
Try Timeular, a truly unique time-tracker that benefits both employer and employee. On the staff managing side, the app gives you a granular and bird’s eye view on everything that’s happening in your team, from completed tasks to delays and priority requests.
Employees using Timeular will gain a better understanding of how they spend time at work: lunch breaks, cigarette and coffee breaks, YouTube and Facebook time, reading & replying to emails, doing research.
Why is it unique, though? Timeular’s ‘powers’ come from combining the old with the new. The time- and task-managing application is actually backed up by an odd-looking contraption that closely resembles one of those D&D dice. It’s actually a nine-face die and, according to its makers, it makes task-tracking really easy.
The Tracker can be paired with any machine in a matter of seconds via Bluetooth and, once you’ve finished setting up your online account, you can start taking advantage of Timeular. Each surface has a chalkboard-like texture, allowing you to write whatever crosses your mind.
Actually, that’s how it works: you write a task on each face with a non-permanent marker, sync them with the app, and that’s it. Each time you flip the ‘die’, the app will start recording the time spent on the activity that’s written on that particular face.
Timeular’s sole caveat is its lack of free features. They have three pricing tiers, each with its own features. However, if you find the Tracker useful, you can always go full pro for a not-so-moderate fee. This is a one-time fee and you get to keep the device.
Other useful features: third-party integration (Toggl, JIRA, Harvest), data exports, dashboard, cross-platform compatibility (Windows, macOS, Android, and iOS), reminders & notifications, analytics, and many more.
Freedom is the Liberty Bell of task-focusing applications; no crack in it, though, but a fantastic solution to a distraction-free workday. Ever felt like you’re not getting enough out of your day because your attention seems to be all over the place?
Even the best of us lose our way, especially if our workload is overwhelming. Facebook, YouTube, Netflix, Snapchat, and Insta are, no doubt, great kill switches, but we tend to overdo it; and, most of the time, we don’t even realize just how much time we spend on these distractions.
It doesn’t matter if you’re a freelancer looking for ways to boost your productivity or an overzealous project manager. Freedom is a great way to ensure that all tasks are done with time to spare. The app can be easily deployed on just about any machine, regardless of OS.
From there, all you have to do is to select your work machines, settle on work schedules, and save your changes. During work hours, Freedom will block all distracting apps and websites. You can choose which apps and sites to block from a pre-defined list or you can add your own.
Other useful features: Locked Mode (apps and websites are normally blocked only during work hours; selecting Locked Mode supersedes this and extends the block indefinitely), whitelisting, advanced scheduling (recurring blocks), customizable blocklists, sync across all devices, dashboard, and a full audit trail.
Brainstorming is the beating heart of every creative process. Oftentimes we engage in various activities just to get those creative juices flowing, mind-mapping being one of them. It’s, more or less, like a diorama, where you have a central concept and ideas stemming from it.
Usually, this kind of exercise requires a pen-and-paper approach, but we kind of end up losing them and the brilliant ideas we came up with. So, if you want to keep track of these brainstorming sessions, Coggle is the way to go – a fantastic information-storage app, with an emphasis on visual processes.
It’s light, easy to use, and, most importantly, the free version can help you map out an idea in a matter of seconds. Of course, if you want to make the best out of your online collaboration, pitch for the Organization pricing tier, which unlocks tons of powerful features. Coggle makes chalkboards and paper look like things that belong behind a museum case.
Other useful features: cloud sync, cross-platform compatibility, thousands of free icons and diagrams, dashboard, bulk export, auto-arrange function, import/export text and .mm, export for Visio, shared folders, ability to upload high-resolution images, branded diagrams, full audit trail, and more.
Work smart. Stay Safe!
Working smart involves a lot of things: being kind to yourself, knowing when too much is too much, accepting criticism, staying away from potential toxic co-workers, and, above all, learning proper cybersecurity hygiene. Here are a couple of tips on how to stay safe online (and offline) in 2020.
1. Double-check apps before deploying them on machines
A solid piece of advice for sysadmins looking to make life easier for all employees. Before downloading and deploying any software, ensure that it’s legit. Read reviews, contact the software vendor, and use a VM to perform a behavioral test on the app prior to deployment. That way, you can rule out potentially harmful applications.
2. Only sysadmins should have elevated privileges
Avoiding malicious apps is a full-time job, but the job becomes increasingly difficult knowing that, more often than not, employees are the ones who pop open Pandora’s Box. That’s why it’s important to restrict users’ privileges.
If you’re in charge of a handful of machines, it’s easy to enforce these restrictions, but what do you do if the enterprise has hundreds or thousands of workstations, not counting BYODs?
PAM or privileged access management is the answer to your problem.
Thor AdminPrivilege can help you enforce these rules from anywhere in the world and at any time. More than that, it’s the only PAM solution on the market that automatically revokes a user’s admin rights if a threat is detected on the machine.
3. Ensure that your antivirus/antimalware solution is running and up-to-date
As an employee, you should make a habit of checking your AM/AV solution. Ensure that it’s still running and that the malware database is up to date. If the license has expired or the agent has stopped working, disconnect from the Internet and contact your sysadmin as soon as possible to prevent a malware infiltration.
From where I stand, the best New Year’s Eve resolution would be to change your work habits. Stay safe on the web, be productive, don’t forget about your health, and spend as much time as possible in awesome company. Happy New Year everyone!
The post Top 5 Best Productivity Apps to Jumpstart Your Year and Their Security Levels appeared first on Heimdal Security Blog.
During the last decade or so, software deployment for both SMBs and enterprise has become rather problematic – not so much on the upscaling part, but rather on the number of licenses an institution has to purchase and renew. The costs can be ginormous, which is the very reason why the company owner resorts to cost-effective alternatives such as freeware, shareware, and open-source. In this article, I’m going to run you through each category. After that, you can decide which is better for your business. Let’s get to it – freeware vs. shareware vs. open source. Who will win the race?
What is Freeware?
Loosely defined as a type of proprietary software that is distributed at no cost whatsoever to the user, freeware is the answer to accomplishing very simple tasks without the need to invest in expensive, license-based software. Freeware software has no EULA, license, or rights of any kind, which means that it can be deployed on both home and enterprise machines.
Freeware is not a modern concoction. In fact, the term itself was coined in the golden 80s by Andrew Fluegelman, who sought a means of making PC-Talk (Skype’s long-forgotten ancestor) available outside regular distribution channels. The key differentiator between freeware, shareware, and open-source is that freeware does not make its source code available, despite being free of charge.
A couple of freeware examples: Discord (IM used by the gaming community), Yahoo Messenger (rest in peace, my friend), µTorrent, IrfanView, Groove Music, Winamp, DVD Shrink, CCleaner, and others.
Freeware pros:
- Easy to use and deploy (for home users and enterprises\SMBs).
- A great way to incentivize your potential customers (for soft makers and marketeers gunning for paid licenses).
- Solve daily tasks without having to invest in expensive software.
- Quickly grow your user base.
Freeware cons:
- Limited functionality.
- No way of reverse-engineering it since the source code is not made available.
- Customers may sometimes perceive the product as inferior.
What is Shareware?
Probably most of the apps found online and offline fall under this category. Shareware is so widespread that it ‘felt’ the need to have its own consortium. Called the Association of Shareware Professionals, or ASP for short, this international trade organization comprises over 1,500 vendors, authors, and online retailers. The term was coined around the same time as freeware.
While Fluegelman was pushing his PC-Talk comm app, Jim “Button” Knopf, an IBM employee at the time, was releasing a database program called PC-File. In legal terms, the main difference between Knopf’s app and Fluegelman’s freebie is that the database program was never meant to be offered free of charge.
Knopf himself called his creation “user-supported software”, meaning that users would need to cover some of the fees associated with the continual development of the product. No doubt an interesting marketing praxis, and a lucrative one, given shareware’s popularity and availability.
Shareware is an umbrella term, encompassing various types of apps, each following a unique business model.
Types of shareware
Adware
Also called “advertising-supported software”, this type of shareware has embedded ads running alongside the apps. The purpose of adware is to generate revenue for its creator. Ads may be present during the installation process or as part of the user interface. Most are ‘hardwired’ to analyze the users’ traffic in order to display customized ads. Adware is free-to-use, but the sheer number of ads can interfere with normal operation. A large number of apps currently available on Google Play are adware.
Crippleware
It may sound like a new form of malware, but it’s actually a legit type of software. Why is it called “crippleware”? Because the author purposely “cripples” the app’s vital functions, making them available only in the paid or premium version. For instance, in a photo-editing app, the export-as-JPEG function may be disabled, or the photos may carry watermarks that can be removed by upgrading to the full version.
Trialware
Trialware apps can be used for a limited period. In most cases, users will be granted access to all of the app’s functions (including the ones available in the paid version). However, once the trial period expires, the app will be disabled or revert to a very basic (and mostly unusable) version. From my experience, trialware that doesn’t cover vital system processes (i.e. antivirus or malware scanners) will simply stop working. It will, of course, display a splash screen meant to inform users that the software has expired and that they must upgrade to the full version.
Donationware
The software grants the user access to all of its features. However, it does come with one small request: the user is asked to shell out a small amount of cash to support the project or just show appreciation for the author’s work. The payout is optional, having no bearing on the app’s functionality. Given its behavior, one could consider that donationware has more in common with freeware than with shareware.
Nagware
Pejorative in nature, the term “nagware” describes a software category that reminds users via on-screen messages that their licenses are about to expire and that they should upgrade to the full version. In most cases, the nags will continue well after the trial period is over. The functionality will be reduced, the user having access only to basic functions.
Freemium
A portmanteau term (“free” + “premium”) describing a type of software that ‘withholds’ advanced features, making them available in the premium version. The free version is fully functional. Nags are rare, but users might receive ads from time to time regarding the advantages of the premium version.
Shareware pros:
- Free to use.
- Powerful features. Great for getting a one-time task done.
- Donationware is just as good as any license-based application.
- Diversity and abundance.
- Most of them are cross-platform.
Shareware cons:
- Some legal issues may arise if deployed on enterprise machines.
- Poor compatibility with newer operating systems.
- Ads and nags can become annoying.
- Shareware doesn’t benefit from regular security and functionality updates the way licensed software does.
One last thing to mention – neither freeware nor shareware authors make the software’s code available for studying or altering. Which brings us to the third software category: open-source.
What is Open-Source?
Open-source software, or OSS, is a type of software for which the author releases the source code. Furthermore, as far as copyright is concerned, whoever holds the software’s license can distribute, study or alter the source code. Enterprises often turn to open-source solutions since they’re much easier to customize compared to licensed software.
The best example of OSS I can think of is VLC player, one of the most popular video players available online. That’s on the consumer side.
As for enterprises and SMBs, there are a number of open-source programs that have successfully replaced their license-based counterparts: OpenCart (online shopping platform), SuiteCRM (useful for managing customer info), Helpy (self-service support), Mailman (management tool for email lists), WordPress (blogging), Datawrapper (data visualization), GIMP (powerful image editor), LibreOffice (perfect and free alternative to Microsoft Office), and the list goes on.
Open-source software pros:
- Free and cheaper compared to (paid) license-based products.
- Moddable, reliable, and easy to use.
- Safer from a cybersecurity standpoint compared to free and even some license-based products.
- Very flexible. It can be used beyond its intended purpose (you’re going to need a talented backend hand for that).
Open-source software cons:
- It can incur some long-term (and unforeseeable) costs. Any issues that arise have to be dealt with by yourself or your dev team. This usually happens when the software has been outstretched or altered more than necessary. Doing in-house patching and/or repair points to another con: no support for the product. So, if something goes wrong, you’re on your own.
- Less-than-friendly UI. It will also take you a while to learn the product.
Freeware vs. Shareware
Now that we’ve got the basics in place, let’s take a closer look at the first contenders: freeware vs. shareware.
First of all, I think it’s important to see which category the two of them address. We can agree (to disagree) that both types of software can be used on home and work machines alike. As someone who didn’t have a lot of money to spend on software, I can wholeheartedly say that freeware is what dreams are made of – imagine what it would have meant to buy a Photoshop license just to tweak some family photos or to pull a prank on your roommate.
Game streaming – for those of you familiar with the concept, the costs alone can make your head spin, that is if you want to go pro. Still, even the basics can cost a pretty penny. Luckily you can accomplish basic tasks like screen or voice recording with some very nice (and free) online tools.
Things change a bit when it comes to deploying freeware on enterprise machines. Of course, some shareware can handle some of the routine tasks. For instance, ePrompter is a great and hassle-free alternative to Microsoft Outlook or some other desktop-based email management tool. Even TeamViewer, the (over)glorified remote computer control tool is free and can be used to accomplish very simple tasks.
Other honorable mentions: Discord (great alternative to Teams, Skype for business, and even WhatsApp), B1 Free Archiver (if you really don’t want to buy WinRAR), Recuva (powerful data recovery application), CCleaner (registry cleaner), Foxit Reader (open and print pdf files), and Microsoft Visual Studio Express (supports multiple IDEs, pitch-perfect for web designers).
Indeed, they are very powerful tools, but, in my opinion, simply not enough to meet the needs of a bustling enterprise. It all boils down to statistics: the bigger the database, the likelier it is to find a solution (or more) to suit your needs.
Why shareware? There are literally thousands of apps, available both online and offline, some of them just as good, if not better than license-based software. One thing about shareware – it’s a short-term solution.
Basically, it’s your ‘emergency-only’ kit: problem – shareware – problem solved. This type of software wasn’t designed for long-term use. As I pointed out in the section about shareware, most have some kind of built-in ‘safety’ to prevent users from doing just that; except for donationware, of course. There’s also the matter of overexposing your machine(s) to malicious content. I will cover this in the last section of the article.
The main reason why shareware is better than freeware for enterprise needs – evergreen(ess). Most freeware is outdated, meaning that they may not even run properly on Windows 10 machines. If you also add the fact that they are unpatched, you’ve got yourself a major cybersecurity vulnerability. Last, but not least, to my knowledge, few freeware support platforms other than Microsoft Windows. So, if you need to deploy freeware on a machine running Linux or macOS, you’re in for a world of pain.
Winner – shareware. Hassle-free, tons of content, suitable for any kind of needs, be they home- or enterprise-related.
Shareware vs. open-source
Clearly, shareware is the better alternative to freeware, but how does it fare against open-source software? Clearly, the latter category holds the high ground here. Why? Because, as the name suggests, the source code is made available, which means that a talented backend hand can easily customize it. But will it prove to be a match for shareware’s availability and ‘widespreadness’?
It could and it does. Open-source software is definitely getting a lot of attention and for a very good reason – even though OSS is free, it’s extremely reliable and tends to take quite a beating when subjected to repeated reverse-engineering. And, on top of that, OSS software, compared to freeware and shareware, is much more secure.
Open-source software is amazing simply because it’s out there and can potentially be molded into anything you like. However, it’s not the Holy Grail of enterprise software, nor does it want to be. OSS is scalable, dependable, and, in all cases, it’s made by an experienced computer engineer who isn’t necessarily motivated by money. Don’t get me wrong – shareware-type software is also developed by experienced people, but on the sample-now-buy-full-later basis.
As an enterprise, you should also consider the support aspect. If something goes terribly wrong with the software, there’s no one out there to help.
Well, that’s not entirely correct; there’s an entire community out there of experts willing to give you a helping hand, but that means hours upon hours of digging through forums, asking questions and praying for someone to come up with the right answer. This perspective is not exactly compatible with an enterprise’s credo.
So, do we have a winner here? I would say that it’s a tie: open-source is dependable, flexible, and scalable, but low on support and could incur unforeseen costs, especially when you try to use it for purposes other than the ones it was designed for. On the other hand, shareware holds an abundant database but falls short as a long-term commitment.
Freeware vs. shareware vs open source
Now that we have all the pieces of the puzzle, it’s easier to figure out which is the best enterprise-grade solution.
Let’s start with freeware.
Major advantages – it’s free, easy to install, and can solve any number of issues. On the other hand, disadvantage-wise, the freeware pool is very limited and can only address a handful of issues. Freeware would best be used on home machines. Add to that its questionable compatibility, no support of any kind, and the fact that most of it is obsolete, and it’s safe to assume that freeware and enterprises just don’t mix.
Shareware – an entire database, laid down at your feet. Plenty of possibilities, but is shareware the answer to your company’s needs? It’s just a matter of how you look upon the problem: if it’s a one-time thing, then you should definitely consider deploying software on a couple of machines.
There’s no need to concern yourself with the trial period, as long as you can solve the task or tasks in one go. Just bear in mind that some apps will revert to basic functions or stop working altogether after a certain number of uses. Of course, if the app suits your needs, you can always activate the full version by buying the license.
Open-source – dependable, can easily be taken apart in any IDE, and free to use. Do bear in mind that OSS can come with hidden costs and is harder to get used to than shareware or license-based software. If you encounter issues along the way, you can always ask the dev community for help; just don’t expect the answer to be as prompt as with an app that offers round-the-clock support.
In the end, it’s all up to you to decide which one clicks with your company’s needs.
Cybersecurity issues and safety tips
Tackling non-license-based software should come with a warning label. Up next, I’ll be discussing the risks of using shareware, freeware, and open-source software. I will also include some cybersecurity tips along the way.
1. Adware also means malware
If you plan on using shareware, pay extra attention to apps that rely on ad-generated revenue. Some of them may contain links to malicious websites that could seriously harm your machine. If you do click on an ad, at least check the destination site’s security certificate, though my advice is not to click at all.
2. Fake apps
Some applications advertised as freeware could be fake. Don’t download the first app you find on Google. Take your time and do some research. You would do well to stay away from websites that use too many CTAs and “free download” buttons. It’s like playing Russian Roulette with your personal data.
3. Freeware used as a malware entry point
As you know, outdated and unpatched software can be used by malicious hackers to circumvent your antivirus/antimalware solution. Since freeware does not receive regular security patches, it can become an entry point for malware.
4. Strengthen your cyber-defenses
When all else fails, ensure that you have a good antivirus/antimalware solution. Thor Premium Enterprise, our product that incorporates two of our award-winning technologies (Thor Foresight Enterprise and Thor Vigilance Enterprise), will ensure that no malware lands on your machine by continuously scanning your outbound and inbound traffic and severing any malicious C&C connection it detects.
Companies, regardless of their size and needs, can also benefit from freeware, shareware, and open-source software. It’s all about figuring out your needs and selecting the solution that makes the most sense. As always, if you have any questions, feel free to send me a message.
The post Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely appeared first on Heimdal Security Blog.
2019 is virtually over and a new year beckons with all the solemnity of the grim reaper for those who don’t have their eyes wide open to the persistent threats we collectively face in the areas of privacy and cybersecurity.
Now that I have your attention, I’d like to add that it’s not all bad news. In the main, consumers and business leaders alike are more aware of cybersecurity and privacy than ever before. However, this sea change has been met with innovation on the criminal side of things. As defenses improve, the attack vectors become more nuanced and technically impressive. At times it can seem like a war of attrition, which brings us to the first series of predictions for 2020:
- CISOs will get worse at their jobs. Okay, simmer down all you cybersecurity people. I just mean there will be a shortage of experts–i.e., fewer of you to go around because at this moment in history everyone understands that a good CISO is critical to the ongoing success of an enterprise (the 2019 IBM Cost of Data Breach study found that the average cost to an organization was $3.92 million). With the demand for cybersecurity professionals far exceeding supply, the market will start having openings for less qualified people. Water finds its level, but it will be rough for a while.
- The disinformation blob will grow. With what we experienced in 2016 and 2018, is there any doubt there will be a rise in disinformation–homegrown and imported–of all stripes in the upcoming elections? Since these weaponized misinformation campaigns have proven effective, expect to see more of them in the private sector, with businesses adopting troll farm tricks to hurt the competition–or rather waiting to be discovered by intrepid reporters like Brian Krebs.
- Ransomware will continue to thrive. As long as humans are, well... human, phishing attacks will lead to ransomware infecting more and more networks, and businesses, municipalities and other organizations will continue to pay whatever they must in order to regain control of their data and systems. We will also see better backup practices that will help minimize or neutralize the threat of these attacks.
- IoT botnets will make dystopian paranoia seem normal. IoT will continue to grow exponentially. In 2020 there will be somewhere around 20 billion IoT devices in use around the world. Unfortunately, many are not secure because they are protected by nothing more than manufacturer default passwords readily available online. They will be weaponized (as in years past) but with increasing skill and computing power.
- The integrity of the US elections will be questioned–and for good reason. There are still voting machines in use that are far from secure, and would not pass the most simple audits. Some states continue to use machines that leave no paper trail. Look forward to questions regarding election security all year.
- Cryptocurrency miners will continue to get rich off of stolen electricity. Related to the botnet craze, we will see an increase in computing power theft used to mine cryptocurrency. With bots becoming exponentially more effective as the result of AI and cloud computing, we will see a renaissance of Wild West behavior in the world’s cryptomines.
- Zero trust environments will be talked about. A few may exist. The assumption that one can trust the home team–people within one’s organization–sort of went the way of the Dodo bird when Edward Snowden walked away from the NSA carrying a treasure trove of NSA data hidden in a Rubik’s Cube. Zero trust simply means that no one can be trusted, in or outside the organization. With this assumption foremost, new systems make breaches and compromises harder to pull off. Stay tuned.
- More people will know what “protect surface” means. Protect surface is part of the zero-trust environment. An organization’s attackable surface includes every error-prone human in its employ as well as the mistakes in configuration they may have committed along the way and a whole constellation of other issues. The protect surface is much smaller and must be kept out of harm’s way. The more we talk about subjects like protect surface, the stronger our cybersecurity will be.
- Cars will be frozen. Or not. But actually, yes. I think it will happen. Driverless cars are going to hit things as well as get hit. Cars that talk to satellites are toast. It’s going to happen. (Or not. But it totally could.)
- 5G will make the cyber smash-and-grab a thing. 5G is going to make everything move fast, as will the new generation of USB4 devices. With quicker speeds, it will take much less time to transfer data. Coincidentally, criminals appreciate this as much as the rest of us.
- Social media will no longer need to be private. Social media companies will probably become a bit more responsible when it comes to the way they gather, store, crunch, analyze and sell our data to marketing companies and small to medium sized businesses looking to connect directly with consumers. This is really not worth talking about, however, because all of our information has already been scooped up. It’s good news for 2020 babies.
- State-sponsored traffic jams will be a thing. The hackers who brought you Hillary’s emails and who probably have President Trump’s tax returns are going to target operational systems with an array of tactics that include ransomware and more DDoS attacks that will snarl things up in ways we’ve not yet seen. The targets will be financial institutions, the power grid, an election, a company’s secret sauce, a city’s traffic lights or, well, you can fill in the blank.
- You’re going to have personal cyber insurance. Insurance companies will be writing more comprehensive cyber liability policies for businesses and offering innovative personal cyber coverage for consumers.
- HR will save money by spending some. More employers will offer their employees identity protection products and services as part of their paid or voluntary benefits programs. (An employee who has their identity stolen is not very productive, and if, as part of that identity theft, their user ID or passwords are exposed, a thief might have what he or she needs to access an employer’s network and sensitive databases.)
- The cloud will leak. The parade of stories about misconfigured cloud clients and data stored without any password protection on cloud services will continue apace, perhaps in part because of the CISO issue discussed in the first prediction.
- AI will gladly take your job. The Yang Gang knows it’s true. AI is here and it’s willing to work so that you can go fishing, collect that monthly $1,000 and not make ends meet. In all seriousness, the CISO shortage as well as many of the innovations discussed in this list of predictions will be increasingly powered by Artificial Intelligence.
2020 promises to be an interesting ride. Buckle up, because that driverless car might be hacked along the way. As ever, you are your best guardian when it comes to your privacy and personal cybersecurity. Be smart. Stay safe. And, have a very happy, healthy holiday season.
The post Too Much Holiday Cheer? Here’s Something to Fear: Cybersecurity Predictions for 2020 appeared first on Adam Levin.
The way we work and the spaces we work in have evolved considerably in the last fifty years. Corporate culture is nothing like what it used to be back in the ’80s and ’90s. Cabins and cubicles have given way to open offices. Many in the workforce today prefer to work remotely and maintain flexible hours. As such, hot-desking is common in many multinational companies, including those with large office spaces. As the start-up culture evolved, there was a need for multiple small offices. This growing breed of self-employed professionals and start-up owners need the other resources commonly required in an office environment, like printers, shredders, Wi-Fi, meeting rooms, video-conferencing facilities, etc. They also need a common place to meet people, network and exchange ideas, because working solo can be monotonous at times. Co-working has provided an all-in-one solution for the needs of such individuals and small groups by providing a common space where equipment and utilities can be shared between the businesses that rent the space. Co-working spaces have thus become very popular across the world, especially in cities where real estate is very expensive. According to statistics, the number of co-working spaces increased by 205% between 2014 and 2018.
In any business, however, security is paramount. Corporate espionage is very much a reality for small businesses, which are very often the breeding ground for great ideas and innovations. Co-working spaces provide a melting pot for all kinds of unrelated people, some of whom cannot really be trusted. Thus it is necessary that when sharing space, equipment and utilities, users do not unknowingly end up sharing information and trade secrets. Ensuring data privacy and cyber security in a shared office can be very difficult, but it may be achieved by laying down the ground rules and ensuring that everyone follows them. Following are some of the security best practices for a co-working space.
- Ensuring network security: While shared Wi-Fi access is probably one of the most popular and most heavily used services provided by a co-working space, it is also the most vulnerable from a cyber security perspective. Following are some of the practices that would ensure secure access to Wi-Fi networks for all users.
  - Having a dedicated administrator who ensures that networks are set up correctly and securely. This person can also liaise with users to ensure that they are following the guidelines.
  - Setting up strong passwords for every network and ensuring that all passwords are changed frequently. This would also prevent old or previous members from accessing the network.
  - Setting up individual networks and access pages for every business that is using the space, including a separate network for guests.
- Securing smart devices: IoT has put intelligence into every device: TVs, refrigerators, coffee machines and printers. A co-working space may be home to many such devices connected to the network. Tampering with any of these devices can allow people to access the Wi-Fi network, or vice versa. Therefore, it is necessary to secure these devices by ensuring that their hardware is tamper-proof and their firmware is continuously updated. All devices that can connect to the network, including laptops and phones, should be password protected and should not be left around unlocked and/or unattended.
- Blocking websites: It is best to block potentially malicious websites which are not likely to do anyone any good. Corporate offices have always taken this step to prevent unwanted traffic and ensure network and data security. There is no reason why co-working spaces cannot offer this as a service.
- Vetting users: Co-working spaces may do a minimum background check on users to ensure that they fit in with the business culture of the space and would not disrupt the normal functioning of other users in any way.
- Physical monitoring: Physical monitoring using cameras can ensure that users do not try to steal any data or equipment that does not belong to them. Providing physical access cards, logging in and out time of users and installing cameras can contribute to the overall security system of the space.
While these guidelines are general, they should be useful to both co-working space operators and users, and give an idea of what to look out for and how to secure private data and intellectual property.
Black Friday and Cyber Monday made clear that the online-offline divide in consumers’ minds has almost disappeared. Among the big winners for sales in 2019 will be a device that is perhaps the best physical representation of that diminishing online-offline divide: the digital assistant.
The main contenders for consumer dollars this year come by way of Amazon, Google, and Apple.
Amazon Echo smart home products have been among the company’s most popular items for a while now, but they hit new records in the recent four-day stretch from Black Friday to Cyber Monday. Internet connectivity continues its march to omnipresence in everyday consumer goods.
Televisions feature built-in internet functionality, and the FBI just released a warning about them.
A number of the newer TVs also have built-in cameras. In some cases, the cameras are used for facial recognition so the TV knows who is watching and can suggest programming appropriately. There are also devices coming to market that allow you to video chat with Grandma in 42″ glory.
Beyond the risk that your TV manufacturer and app developers may be listening to and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router.
Hackers can also take control of your unsecured TV. At the low end of the risk spectrum, they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you.
The conveniences afforded by all this new connected technology are great, but it’s important to bear in mind that it also has its downside.
Even basic home goods like doorbells and light bulbs are commonly being sold with Wi-Fi connectivity and the ability to integrate into Google Home-, Siri-, or Alexa-enabled networks. These devices don’t just talk to one another. They’re also providing the companies that manufactured them with a gold mine of data about how they’re being used–and, increasingly, who is using them.
It’s not just IoT gadgets. Tech companies are busy these days trying to weave their way into your wallet, your entertainment, and your health, all the while mining as much data as possible to leverage into other markets and industries.
This has an air of inevitability about it because the right entrepreneur has not yet had the right aha! moment to make it stop being an issue. That said, cracks in the current personal information smash-and-grab approach to consumer data are beginning to appear, and consumers are becoming increasingly wary of how their data is being collected and used as well as who has access to it.
Break Out the Torches and Pitchforks
If a consumer revolt sounds overly optimistic, consider the uproar earlier this year over revelations that smart home speakers were eavesdropping consistently and sometimes indiscriminately on consumers, and the resulting semi-apologies issued by Apple, Amazon, and Google.
Or look at the ongoing civil rights concerns regarding Amazon’s Ring surveillance cameras, or the recent lawsuit against TikTok for allegedly offloading user data to China, or the reports of customers abandoning their Fitbits after the company was acquired by Google.
The message seems clear to me. Consumers may enjoy the convenience and easy access to the internet, but more and more they bristle at the lack of transparency when it comes to the way their data is being handled and used by third parties, and the seeming inevitability that it will wind up on an unsecured database for any and all to see.
While the fantasy of consumers uninstalling and unplugging en masse is common among a small community of sentient eels indigenous to the Malarkey Marshes of Loon Lake, there remains a business opportunity for the larger online community.
Will the Genius of Loon Lake Please Stand Up?
The effort to create a more privacy- and security-centric internet experience for consumers has largely been led by nonprofit organizations. World Wide Web inventor Tim Berners-Lee has been publicly discussing plans to create a follow-up with the aim of reverting to its original ideals of an open and cooperative global network with built-in privacy protections.
Meanwhile, the nonprofit Mozilla organization has revamped its Firefox browser to block several types of ad trackers by default and provide greater security for saved passwords and account information, in addition to publishing an annual guide to score internet-connected devices for their relative privacy friendliness and security. Wikipedia founder Jimmy Wales announced in November a service meant to provide an alternative to Twitter and Facebook reliant on user donations rather than the other social platforms’ often Orwellian ad tracking software.
Without a user base or killer app to drive adoption, Berners-Lee’s new web has been in the works for years, and Wales’s idea is a rehashing of a similar project called WikiTribune that also never managed to find its footing. Firefox is a quality browser, but its market share pales next to Google Chrome’s.
Thus far, nonprofit-driven alternatives have found no lure to drive consumer adoption. The next stage of privacy-centric development may need to have a profit motive to make inroads into the privacy protocols and proxies that dominate apps and devices. It can’t be merely self-sustaining, but rather must be compelling for users, developers, and engineers. One such company, Nullafi, has the right idea: anonymizing and individualizing a user’s most common digital identifier by creating email burners that redirect to the user’s private account. (Full disclosure: I’m an investor.) We need to see more of this kind of development, and we need to see it get adopted.
The current large-scale investment in cybersecurity proves there’s a market in our post-Equifax-breach world where awareness of data vulnerability and the possibility of getting hacked have hit critical mass. The time for the unicorns to arrive is now.
The post Selling Privacy: The Next Big Thing for Entrepreneurs appeared first on Adam Levin.
The Cambridge Analytica scandal may be old news, but it has far-reaching implications – Internet users grew more concerned about their online visibility, and website owners were compelled to publish their data-collection and privacy policies. We can state for a fact that some good came out of it, although the sheer amount of paperwork can be a powerful demotivator for someone with a sound business idea.
Since we’re on the topic of privacy, it would appear that we may have another Cambridge Analytica in the making. There’s been a lot of buzz around the implementation of DoH (DNS over HTTPS), a somewhat new encrypted communication protocol that should, theoretically, uphold privacy.
As one of my colleagues pointed out, DNS over HTTPS is poised to become the next “golden standard”, since it has achieved “an unprecedented default level of privacy and data protection”. DoH does have its merit – in a traditional DNS comm model, the user queries the domain name system for the numerical IP address associated with that specific website.
In turn, the DNS returns the address, allowing the user to view the requested web content. That’s, more or less, how web-surfing works. The major caveat of this comm protocol is that the DNS lookups are not encrypted. In essence, each time you’re trying to connect to a website, the endpoint pings the ISP about your request. Of course, your Internet Service Provider is blind to what you’re doing on that website, but can still ‘see’ and even log your request(s).
That’s a pain-point right there, and Google, Mozilla et al. have done a bang-up job speculating the market’s ‘needs.’ The push for DNS over HTTPS is at its peak, with browsers now allowing the users to implement the protocol. Despite limited effectiveness against MiM (man-in-the-middle) attacks, it would appear that the early adoption could, allegedly, paint a gigantic bullseye on the users’ backs.
Back in October, ZDNet pointed out that the premature adoption of DoH will not only wreak havoc in the enterprise/SMB/startup sector but could, presumably, give malicious hackers the upper hand. I’ll cover all these points throughout the article.
Since the topic du jour revolves around privacy/data protection or the lack thereof, here’s an interesting dilemma: should DNS over HTTPS replace VPN or work together? Should we completely forget about VPNs and stick with this new and ‘wobbly’ technology?
B2B – What does a VPN do?
In trying to figure out just how DoH can replace a VPN, I find myself compelled to go on a little B2B (back to basics trip). So, bear with me on this one.
Now, consider the way your endpoint (i.e. smartphone, tablet, PC, Mac) connects to the Internet. Let’s say that you want to search YouTube for the latest Witcher trailer. In order to do that, you will need to get out ‘into the wild’ and ask your ISP’s DNS for YouTube’s numerical IP.
Once the server finds the right address, you will be able to go to that place on the Internet where YT resides (here be dragons!). At a glance, the mechanism itself appears to be straightforward and secure. However, do bear in mind that the communication goes both ways (endpoint to ISP and ISP to the Internet), and, to our very misfortune, both are unsecured.
The time-honored solution to this is the VPN. A VPN interposes a VPN client and a VPN server between the querying machine, the ISP, and the Internet. Breaking it down even further, it looks, more or less, like this: the endpoint wants to end up on Wikipedia.
The request is handed, still unencrypted, to the VPN client. The client encrypts the packets containing the request and pipes them through the ISP. In turn, the ISP forwards the encrypted traffic to the VPN server, which communicates with the Internet on your behalf. Basically, the ISP is oblivious to your search strings.
So, that’s how a VPN works. Next, let’s take a closer look at DNS over HTTPS.
B2B Part 2 – How does DNS over HTTPS work?
DNS over HTTPS – the crux of this article. It may as well be the best thing that happened to privacy ever since GDPR was enforced, but I seriously have my doubts about that statement. More on that a bit later.
As I’ve mentioned, DoH is or was supposed to be the golden standard of data privacy and protection. The idea behind DNS over HTTPS was to prevent everyone (ISP, Government, secret services, hackers) from peeking at your traffic. It’s more than that; up until now, DNS queries were made in plaintext.
Remember the golden rule of password-making? Never leave them in plaintext, which can mean anything from writing them down in a Notepad document to keeping network logs on your machine.
Basically, this is what happens in the traditional DNS comm model – plaintext DNS queries can be retrieved and reviewed by any of the IP matchmaking entities. Thus, the need for a more secure comm solution. Here enters DNS over HTTPS. It was specifically engineered to deal with this particular issue. Should it become the norm? Perhaps, but not in its current state.
Headbutting DoH is DNS over TLS, yet another security protocol that uses a dedicated communication port on your machine. While some sysadmins argue that neither of them solves the issue, they are inclined to choose the ‘lesser evil’ which, in this case, is DNS over TLS. Why is that?
As I’ve mentioned, DNS over TLS uses a dedicated comm port on your machine (853), whereas DoH uses port 443, which is the standard port for HTTPS traffic. So, why is this important? Traffic routed through 853, albeit encrypted, can still be seen at the network level. And, in some countries, such as the United States, DNS over TLS connections can raise some suspicions regarding your online activity.
Moving on to more pressing matters – DNS over HTTPS hides traffic info in HTTPS streams. DoT (DNS over TLS) does not. That’s not even the main issue. The endorsement of DoH means that we will need to change the way we look at the entire network infrastructure.
In order to make this happen, ISPs will need to implement DoH resolvers (DNS servers capable of handling DoH-type queries). Evidently, the existing architecture would have to undergo a rather radical makeover. And that translates into more money, time, and energy, which, in the end, may be wasted on a solution that adds more to the issue than it actually solves.
It all boils down to this – encrypted DNS comm should be an industry standard, but neither DoH nor DoT are the answers.
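To make the plaintext lookup and the DoH encapsulation described above concrete, here is an added example (not code from the original post or from any resolver vendor): it builds the RFC 1035 wire-format query that a UDP/53 lookup sends, wraps that same unchanged message the way RFC 8484 (DoH) does, and parses a response. The resolver URL is hypothetical and the response bytes are constructed inline, so it runs offline.

```python
"""Added example (not code from the original post): a DNS query in RFC 1035
wire format, and the two ways RFC 8484 (DoH) carries that same message inside
an HTTPS request. The resolver URL is hypothetical and the response bytes are
constructed inline, so this runs offline."""
import base64
import struct

QTYPE_A, CLASS_IN = 1, 1      # RFC 1035 record type A and class IN


def encode_name(name: str) -> bytes:
    """Encode "example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """12-byte header plus one question: exactly what a plaintext UDP/53 lookup
    puts on the wire. RFC 8484 suggests txid 0 so identical DoH URLs cache."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire message with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def wire_from_doh_url(url: str) -> bytes:
    """Inverse of doh_get_url: the resolver recovers the unchanged DNS message."""
    encoded = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def doh_post_request(wire: bytes) -> dict:
    """RFC 8484 POST form: the raw DNS message is the HTTP body."""
    return {"method": "POST", "body": wire,
            "headers": {"content-type": "application/dns-message",
                        "accept": "application/dns-message"}}


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end, jumped = offset + 2, True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg: bytes) -> list:
    """IPv4 addresses from the answer section. The same parser serves the
    UDP/53 reply and the body of a DoH response: the format is unchanged."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qdcount):                             # skip question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed reply for example.com with an RFC 5737 TEST-NET address (not a
# real lookup): header, echoed question, one A record via a name pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", QTYPE_A, CLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
                   + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_dns_query("example.com")
    print("udp/53 payload:", q.hex())                    # readable by the ISP
    print("DoH GET  :", doh_get_url("https://doh.example/dns-query", q))
    print("DoH POST :", doh_post_request(q)["headers"])  # same bytes, inside TLS
    print("answer   :", parse_a_records(SAMPLE_RESPONSE))
```

The point to take from it: the DoH request body is byte-for-byte the plaintext query; only the transport (TLS on port 443) changes, which is why existing port-53 filtering does not see it.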
DoH vs DoT vs VPN
The entire debate revolves around privacy vs. security – are you willing to let your guard down, even for a brief moment, to ensure that no one can spy on you? If we were to remove the context and ask the same question, the answer would be a staunch ‘no’. However, given what we know so far, it’s very difficult to predict the outcome, let alone make a decision that could ultimately tear down that modicum of privacy we thought we had.
DoH vs. DoT
In the previous section, I have outlined some of the pros and cons of using DoH over DoT. Here’s a short and comprehensive list of the pros and cons of each comm method.
DNS over HTTPS
- Prevents Man-in-the-Middle attacks. No more plaintext DNS queries, since they are secured.
- Circumvents ISP or third-party interception. All packets are obfuscated.
- Machine performance is greatly increased, since DNS over HTTPS method centralizes all DNS traffic, meaning fewer servers are required to process the queries.
- Most browser makers are pushing DoH, which means faster deployment.
- Wreaks havoc in enterprise sectors. Infrastructure expansion alone can ramp up the costs.
- Blocks just one tracking vector. True that ISPs or third-parties cannot see your DNS requests, but there are other ways to keep tabs on your online activity, such as OCSP connections, SNI fields or both.
- Potentially bypasses traditional DNS traffic filtering technology, since DoH tends to override a company’s DNS settings, allowing employees to visit otherwise banned websites.
- Leaves endpoints more vulnerable to cyberattacks. It may prevent MiM attacks but potentially makes an organization more vulnerable to insider threats and other forms of malware.
DNS over TLS
- Fairly easy to implement. DoT takes advantage of the existing network infrastructure.
- Mature encryption methodology. Tried-and-tested, TLS is more mature and flexible compared to HTTPS.
- Completely encrypts the connection. DoH merely encapsulates DNS traffic in HTTPS comm.
- MiM attacks can be fended off even with DoT. Users must clear their cached data from the server; this is usually stored in plaintext format.
- It doesn’t offer full protection against SNI leaks and traffic analysis.
- Must be constantly updated to patch vulnerabilities.
- Uses a dedicated comm port.
- Might raise legal issues in some countries.
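The SNI leak that both lists mention is easy to see in code. As an added example (not part of the original post), here is a constructed TLS ClientHello and the extraction a passive on-path observer would perform on it: the hostname is readable without any keys whether the preceding lookup went over UDP/53, DoT or DoH (absent Encrypted Client Hello). The hostname and every byte of the handshake are constructed; no real traffic is involved.

```python
"""Added example (not code from the original post): the TLS ClientHello sent
right after a DNS lookup still names the server in its SNI extension, in the
clear, whether the lookup used UDP/53, DoT or DoH (without Encrypted Client
Hello). A constructed ClientHello and the extraction a passive on-path
observer would do; no real traffic is involved."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname=None) -> bytes:
    """Minimal constructed ClientHello: one cipher suite, optional SNI only."""
    body = (b"\x03\x03"                                # client_version (TLS 1.2 style)
            + bytes(32)                                # random: zeros, demo only
            + b"\x00"                                  # empty session_id
            + struct.pack("!HH", 2, 0x1301)            # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")                             # compression_methods: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def _sni(record: bytes):
    if len(record) < 44 or record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
        return None
    off = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    off += 1 + record[off]                                          # session_id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0]          # cipher_suites
    off += 1 + record[off]                                          # compression
    if off + 2 > len(record):
        return None                      # extensions block absent entirely
    end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if etype == EXT_SERVER_NAME:
            pos = off + 2                # skip server_name_list length
            while pos + 3 <= off + elen:
                ntype = record[pos]
                nlen = struct.unpack("!H", record[pos + 1:pos + 3])[0]
                if ntype == 0:           # host_name
                    return record[pos + 3:pos + 3 + nlen].decode("ascii")
                pos += 3 + nlen
        off += elen
    return None


def extract_sni(record: bytes):
    """Hostname from a ClientHello record, or None when absent or malformed.
    No keys are needed: everything up to and including ClientHello is plaintext."""
    try:
        return _sni(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")   # constructed hostname
    print("SNI visible on the wire:", extract_sni(hello))
    print("no SNI:", extract_sni(build_client_hello()))
```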
DNS over HTTPS – A replacement for VPN?
And we finally come down to our little dilemma: should DoH replace VPN? The answer is still ‘no’. Although the technology was engineered to address some privacy issues, it ended up creating more security issues than ever before.
The tech eliminated one traffic-inspection vector, but do bear in mind that your ISP still has other means of keeping tabs on your activity. To say that the technology is still in its infancy would be a major understatement; in its diaper would be more precise.
DNS over HTTPS should never be conceived as a 1-to-1 replacement for a VPN client; at the very least, we can consider it its counterpart, its partner in crime. While the VPN ‘scrambles’ your IP so as to make it impossible to track your activity, DoH only ensures that the communication channel with the DNS is secured by encapsulating the DNS query in HTTPS.
VPN is here to stay. At least for the time being. Unfortunately, the same thing can’t be said about DNS over HTTPS. The approach may be sound on paper, but in reality, it’s something like curing the disease by killing the patient – you really don’t want to create a breach in your security network, just for some extra privacy.
When talking about DoH vs VPN, I always like to use the following analogy – for certain blood disorders, docs prescribe anticoagulants. Despite there being hundreds of them on the market, they prefer Sintrom, because it’s the only one whose effect can be reversed (if things get out of hand, the doc can neutralize it). The same thing applies to VPN and DoH – a VPN can be plugged, while DoH can’t! Well, at least not yet.
DNS over HTTPS does more for privacy but falls behind as far as security is concerned. Google and the other giants are doing their best to push DoH. Still, if we have the option to opt-out, we should take it. As I’ve pointed out, the technology needs a serious redesign before it can tackle both privacy and data protection issues.
The post DNS over HTTPS (DoH) – A Possible Replacement for VPN? appeared first on Heimdal Security Blog.
A variety of sensitive information has been there for the taking due to an unsecured cloud storage container
The post Data leak exposes 750,000 birth certificate applications appeared first on WeLiveSecurity
The NHS is a goldmine of patient data which the United States wants to be quarried by some of its biggest companies. Britain’s health service is home to a unique medical dataset that covers the entire population from birth to death. Jeremy Corbyn’s NHS press conference revealed that the US wanted its companies to get unrestricted access to the UK’s medical records, thought to be worth £10bn a year. A number of tech companies – including Google – already mine small parts of the NHS store. Ministers have been treading carefully after an attempt to create a single patient database for commercial exploitation was scrapped in 2016 when it emerged there was no way for the public to work out who would have access to their medical records or how they were using them.
However, such caution might be thrown to the wind if Boris Johnson gets his way over Brexit – and patients’ privacy rights are traded away for US market access. This would be a damaging step, allowing US big tech and big pharma to collect sensitive, personal data on an unprecedented scale. Donald Trump’s officials have already made clear that this is what they are aiming for. In the leaked government records of talks between US and UK trade representatives White House officials state that “the free flow of data is a top priority” in a post-Brexit world. Trump’s team see Brexit as an opportunity “to avoid forcing companies to disclose algorithms”. The US wants the UK to drop the EU’s 2018 data law, in which individuals must be told what is happening with their medical data, even if scrubbed of personal identifiers.
They say that home is where the heart is, but, it’s actually where you feel the safest. Unfortunately, with so many mishaps around the country, homeowners have begun to beef up their security. Alarms and burglar-proof bars just don’t cut it anymore – security cameras are the norm, and since crime is on the rise, they’re here to stay.
According to a Home Advisor report, around 30 million homeowners across the United States have purchased household surveillance systems.
The same report reveals that the average cost of installing a Fort Knox-grade home security system (or, at the very least a decent one) is $1,333 (between $655 and $2,011). Despite the cost, people are willing to go along with it, knowing that their home and surroundings are safe. But are they really?
The great hackathon
As you know, virtually any electronic device can be tapped into, hijacked, hacked, or whatever you like to call it. The Medtronic case proves my point. Medtronic, a US-based medical equipment manufacturer, sells insulin pumps that accept dosing commands over a radio link from a small handheld remote.
The affected models, the MiniMed 508 and Paradigm series, were already in patients’ hands when, in 2018, two security researchers showed that the radio link was neither encrypted nor authenticated, so the pump would accept commands from anyone with suitable radio gear. The FDA issued a safety warning and Medtronic recalled the affected pumps in 2019.
Long story short, the remote-control feature was built for patients with type 1 diabetes so that the dose could be adjusted without touching the pump, reducing the patient’s reliance on a caretaker or nurse.
The researchers proved that the device could be hijacked with a simplistic app and a radio and made to deliver a fatal overdose, or to withhold insulin altogether.
Sorry for the long and tedious intro. I just wanted to make a point: if a system as ‘closed’ as an insulin pump can be hacked, so can security cameras.
In most cases, it’s poor cybersecurity hygiene (people too lazy to change default passwords, routers with default admin credentials, cameras exposed to the internet through port forwarding or UPnP, buying second-hand, etc.). However, there are cases where the devices themselves have design flaws that allow malicious actors to take control. It does have an Orwellian appeal to it, but this type of scenario is very real and extremely frightful.
Just to get an idea of what poor security hygiene can get you into, consider the 2016 ‘video-streaming experiment’: a site that originated in Russia published live feeds from over 15,000 locations, filed under what it claimed were 256 countries, simply by connecting to cameras that were reachable from the internet and still used their factory default passwords. Some big players were caught in the crosshairs: Linksys, Foscam, Panasonic, Hikvision, and AvTech.
There’s a lot of scuttlebutt about home security cameras and I’m here to sort it out. So, here’s everything you need to know about surveillance devices.
How do you hijack a security camera?
Before talking about how home security cameras can be hacked, it’s imperative to know a little bit about them. There are several types of home surveillance systems – we have indoor and outdoor cameras, nanny cams, wireless cameras, wireless cameras with motion-sensing technology, IP cameras, CCTVs, wired cams, fake cams, you name it.
As far as indoor surveillance systems are concerned, homeowners tend to go with a Wi-Fi solution. It makes sense; compared to wired cameras that require some degree of expertise to set up, Wi-Fi cameras are out-of-the-box ready, meaning that you only need to power them up, find a proper place to set them, pair with the mobile or desktop app and that’s it. However, a good one is going to cost you a pretty penny, that’s for sure.
So, we have wired cameras that run in a closed circuit, private CCTVs that are part of a larger surveillance system, and Wi-Fi cameras that join your home network and get an IP address from your router. If you just want to make sure that everything’s hunky-dory while you’re away, a wireless camera hung just above the doorway is more than enough.
On the other hand, if you want to keep tabs on what’s happening in your backyard or on the other side of the front door, it would be best to go with a closed-circuit, wired surveillance system. It’s the best safety measure today against package pirates (people who steal Amazon packages from your front door after delivery).
I won’t go into many details about security cameras because we’re here to talk about hacking and, of course, appropriate countermeasures.
Now that you know a little bit about the various types of home surveillance systems, let’s talk about hacking. As you probably know by now, any electronic device can be compromised (see the above example about Medtronic’s MiniMed). How should I go about this?
Well, in terms of cybersecurity, home security cameras aren’t that secure. What’s that supposed to mean? Think about it: you can’t really install antivirus software on your surveillance device. The best you can do is connect it to a secured, preferably separate, network. But even that won’t guarantee total safety.
Let’s start small. Wi-Fi cameras join your home network, get an IP address from the router, and listen on that address for connections from the app (typically a web interface, an RTSP video stream, or a vendor cloud relay). That right there is a pain point, one of many, unfortunately. If the camera is reachable from the internet, because you forwarded a port or because UPnP opened one for you, anyone who finds that address can try to log in.
Internet-wide scanners find exposed cameras within minutes of them going online, and a factory-default or reused password is all it takes from there; the camera’s address, not your PC, is the target.
Anyway, getting back to the topic at hand: the most common way to tap into a home security camera is credential stuffing, together with its cousin, default-credential guessing. How does that work? Well, imagine being a hacker who stumbles upon a dump of usernames and passwords leaked from some other breach. ‘What to do, what to do?’ asks the hacker on the night before Christmas when all’s quiet around the…basement.
What usually happens is that the attacker scripts login attempts against router admin pages, camera web interfaces and vendor cloud accounts, replaying the credentials buried in those dumps on the bet that people reuse passwords. Where that fails, a short list of factory default logins is tried next.
You might think this an exercise in futility, but it’s not: according to a report by Recorded Future, approximately 30,000 accounts get compromised this way each year. The reason is that people don’t seem to think it’s important to change their routers’ and cameras’ default passwords, or they reuse the same password everywhere. More on that later.
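The credential-stuffing pattern described above, as an added example that is not part of the original article: a small Python script that runs three checks over a handful of constructed authentication log lines (the log format is made up for the illustration; a real camera, router or vendor cloud logs differently, so the regular expression is the part you would adapt). It flags a source address that fails against several different accounts in a short window, an account that succeeds right after a burst of failures from the same source, and any successful login from outside the trusted home networks (the trusted ranges are an assumption).

```python
"""Added example (not from the original article): three checks for
credential stuffing and account takeover over authentication logs.
The log format below is constructed for this illustration; adapt LINE_RE
to whatever your camera, router or vendor cloud actually emits."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: an outside host (203.0.113.7, a documentation address)
# sprays three usernames, hammers "admin" and finally gets in; a household
# device then logs in normally and mistypes a password once.
SAMPLE_LOG = """\
2019-12-03T01:02:11Z auth FAIL user=admin src=203.0.113.7
2019-12-03T01:02:12Z auth FAIL user=root src=203.0.113.7
2019-12-03T01:02:13Z auth FAIL user=user src=203.0.113.7
2019-12-03T01:02:14Z auth FAIL user=admin src=203.0.113.7
2019-12-03T01:02:15Z auth FAIL user=admin src=203.0.113.7
2019-12-03T01:02:16Z auth OK user=admin src=203.0.113.7
2019-12-03T07:15:00Z auth OK user=alice src=192.168.1.20
2019-12-03T07:16:00Z auth FAIL user=alice src=192.168.1.20
"""

TRUSTED_NETS = ("192.168.0.0/16", "10.0.0.0/8")  # assumption: typical home LAN ranges


def parse_log(text):
    """Return [(timestamp, result, user, src)] in time order; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def stuffing_sources(events, min_users=3, window=timedelta(minutes=10)):
    """Sources that failed against at least min_users distinct accounts inside
    one window: the signature of a credential list being replayed."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = set()
    for src, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged


def takeovers(events, min_fails=3, window=timedelta(minutes=10)):
    """(user, src) pairs where a success follows at least min_fails recent
    failures from the same source: a guess that finally landed."""
    recent = defaultdict(list)
    hits = []
    for ts, result, user, src in events:
        key = (user, src)
        if result == "FAIL":
            recent[key].append(ts)
        elif sum(1 for t in recent[key] if ts - t <= window) >= min_fails:
            hits.append(key)
    return hits


def outside_logins(events, trusted=TRUSTED_NETS):
    """Successful logins from addresses outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    return [
        (user, src)
        for _, result, user, src in events
        if result == "OK" and not any(ipaddress.ip_address(src) in n for n in nets)
    ]


def analyze(text):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "stuffing_sources": stuffing_sources(events),
        "takeovers": takeovers(events),
        "outside_logins": outside_logins(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The thresholds (three accounts, three failures, ten minutes) are deliberately low because a home device sees almost no legitimate failed logins; on a busy cloud account you would tune them up and add rate limiting on the server side rather than only detecting after the fact.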
How to figure out if your camera got hacked
What we know so far is that home security cameras can be hacked and it’s not that hard to do it. So, the question that ensues is: how can I tell if my home security camera got hacked? Here’s what you should look for.
1. Strange noises in the dead of night
No ghosts, ghouls or sock-stealing elves, just your IP camera making strange sounds. Some cameras make unusual noises while panning or zooming, but that normally happens only while you’re at the controls. So, if you hear those sounds coming from the camera, first check that no one in the house is playing with it or trying to pull a fast one on you.
If everything else checks out and the camera still clicks or moves on its own, treat it as possibly compromised and assume someone may be watching. Be especially cautious with baby monitors that stream live video; many are less secure than regular indoor cameras, and you really wouldn’t want some creep eyeballing your child while they sleep, would you now?
2. Light at the end of the…camera?
Virtually every home security camera has a status LED that tells you when the device is switched on or recording. If you see the LED switching on and off by itself, someone may be connecting to your camera or may already have done so. Bear in mind that the opposite is not proof of safety: an attacker who has replaced the firmware can usually keep the LED off.
To rule out a glitch (or someone pranking you), ask everyone in the house to disconnect from the camera’s app and watch whether the behaviour continues, especially at night. If it does, treat the device as compromised.
3. Check for abnormal rotations
Not much of a home security camera if it can’t cover the blind spots, is it? Most consumer cameras, including the cheaper models, can pan or tilt. One way to tell if your camera has been hijacked is to disconnect every app from it and watch how it behaves.
If it starts rotating on its own, as if it’s looking around, someone else may be driving it. Of course, it could be a glitch, a design flaw or a family member messing with you, but are you willing to take that chance?
4. Check for any subtle changes in the camera’s security settings
Attackers who get in rarely leave the configuration alone. Look for an admin password you didn’t set (or one reverted to the factory default), user accounts you didn’t create, remote access, UPnP or port forwarding switched on, changed DNS, NTP or cloud-upload settings, and a firmware version or ‘update’ you never installed.
So, if you notice any unusual activity, go through the camera’s settings pages one by one and compare them with what you configured; unexplained password-change prompts and unknown connected clients belong on that list too.
5. Poor performance, intermittent video feed, ramped-up processor
Just like a computer, tablet or smartphone, a home security camera has its own processor, storage and logic board, and every operation (zoom in/out, rotate, record, replay, backup) costs something. Routine operations, however, have a small and predictable cost.
The same can’t be said of clandestine ones: extra tasks running in the background, such as a second viewer pulling the stream or malware using the camera for its own purposes, can noticeably degrade it, causing an intermittent video feed, sluggish responses or commands that go unanswered. If you run into these symptoms without an obvious cause, someone may be using your camera.
6. Voices! Voices in the dark.
Hearing disembodied voices is never a good sign; in the case of security cameras, it may mean that someone has taken over your device. Many surveillance devices, such as nanny cams and cameras used to monitor employees, have a speaker and a microphone.
So, if you ever hear a voice coming from the camera and it isn’t your tyke cooing or someone you know, assume the device has been hacked. Be equally careful with used cameras picked up from Craigslist, eBay or Angie’s List: the previous owner’s account may still be linked and the firmware may have been tampered with, so factory-reset and update them before use.
What to do if your camera got hacked
This is not the end of the road. Just because someone hacked your camera doesn’t mean you should throw it away. Well, not always; here are a few things to try before getting rid of your home security cam.
1. Change your password
It’s perhaps the most important piece of cybersecurity advice anyone can give you. Set a long, unique password for the camera itself and for its cloud account: a passphrase of 12 characters or more, not reused anywhere else, and free of references to your hobbies or personal life (date of birth, spouse’s name, pets, high school, etc.). A password manager makes this painless. A strong, unique password matters more than changing it on a schedule, but do change it immediately if you suspect a compromise.
And yes, in most cases you can still do that after someone has managed to break in. Quick advice: disconnect the camera from the internet (or from the network altogether) before attempting a password change, then change it from a trusted device. This way no one can overwrite your new password or revert it to the default while you work.
2. Wipe and revert to factory settings
When all else fails, wipe the camera’s internal storage and restore factory settings. This removes most of what an attacker changed to keep control of your camera, but not everything: if the firmware itself was replaced, only reflashing a clean image from the vendor will help. Back up the recordings you want to keep first, and remember that a reset puts the default password back, so change it before reconnecting the camera to the internet. For the exact procedure, check your camera’s manual.
3. Choose better encryption
Although obsolete, WEP and the original WPA (TKIP) are still enabled on some routers, and some older cameras support nothing better. Configure your Wi-Fi network for WPA2 (AES/CCMP) or WPA3, and if a camera can only join a WEP or WPA network, retire it or put it on a separate, isolated network rather than downgrading everything else to accommodate it.
4. Regular firmware updates
Manufacturers release security updates for cameras to fix vulnerabilities in the device’s own software; unlike antivirus updates, they don’t contain virus ‘definitions’, they close the holes attackers use to get in. So, if you want to stay ahead of the game, do yourself a favor and install firmware updates as soon as they are available. Many cameras notify you in the app when one is ready, but check the vendor’s site periodically as well, and retire devices the vendor no longer updates.
5. Use Two-Factor Authentication
As you might have noticed, most websites now support 2FA. So do many home security cameras, or rather their cloud accounts; not all, but those that matter have it. If your camera’s app supports 2FA, switch it on: a stolen or guessed password alone will no longer get an attacker into your account. It won’t help, though, if the camera itself is reachable from the internet with a weak local password, so fix that as well.
6. Use a good antivirus\antimalware solution
Security cameras don’t run antivirus software and you can’t install any on them; whatever protection they have is built into the firmware and is rudimentary at best. That won’t do you much good if you become the target of a sophisticated, multi-vector attack.
Since everything boils down to how your camera talks through the router, it’s fair to assume that it can be used as an entry point into the rest of your network.
Unfortunately, there aren’t many consumer solutions on the market that ‘look’ beyond the endpoint. Our very own Thor Foresight Home can stop malware at the DNS, HTTP, and HTTPS level, which means the nasties are blocked before they reach your devices.
If you haven’t gotten around to installing a security camera, there are a couple of things you should be aware of in the area of privacy.
Like most things in life, installing a surveillance system, whether at home or at your workplace, involves other people’s rights. In most places an indoor camera that only covers your own home raises no legal issue, though it’s good manners (and in some places a requirement) to tell guests, lodgers and household staff.
However, the rules are slightly different for outdoor surveillance systems: if the camera points at your front door and records only what’s happening in the immediate vicinity of your home, no problem.
On the other hand, if the camera takes in a neighbour’s property or the public street, many jurisdictions require you to limit its view, post a notice, or obtain your neighbours’ consent. Why? Generally, because people don’t like being spied upon and, yes, I know that you mean well, but remember the saying: “Hell is paved with good intentions.”
Workplace-wise, if you’re an employer, in most jurisdictions you must inform your staff about video surveillance, and in some you also need their consent in writing.
One more thing: even if you inform your employees and have their consent, it’s still illegal almost everywhere to place surveillance cameras in certain areas (lockers, restrooms, dining rooms) or to hide them.
Home security cameras can be hacked. And, as always, it’s up to you to prevent some creep from spying on you. I hope you’ve enjoyed the article and, as always, all comments, rants, and beer donations are welcome.
The post Home Security Cameras: Safety and Privacy Issues Explained appeared first on Heimdal Security Blog.
We need to talk about WhatsApp. When the little green speech bubble first showed up in my life, I greeted it with awe and wonder. I even wrote a little love letter to its ability to connect with a virtual black sisterhood – the kind that rarely exists in our too-undiverse workplaces in real life – in my first book. It became the perfect platform to share experiences, frustrations, strategies and ideas.
WhatsApp group communities proliferated on my phone – they were education, community and activism all in one place. It was great.
What issues would face scanning attached to a mobile device resolve and, if used correctly, would it make the incursion into my privacy acceptable?
The post Face scanning – privacy concern or identity protection? appeared first on WeLiveSecurity
Company has been criticised for handling of move it says will reduce risk from hacking
Twitter has announced it is to clear out inactive accounts, freeing up dormant usernames and reducing the risk of old accounts being hacked.
But the company is facing criticism for the way it has handled the announcement, with many concerned that the accounts of people who have died over the past decade will be removed with no way of saving their Twitter legacies.
Despite its negative connotations, the Dark Web is nothing to be afraid of in itself. Few know that the technology behind it, onion routing, was designed as a means of preserving privacy and anonymity. However, that same anonymity also enabled it to become a breeding ground for illegal activity.
There are certainly things to be distrustful of when navigating the Dark Web, and before venturing into it head-first, you should understand certain things about it.
What is the Dark Web?
The first thing you need to know is that there is no central database or index of the Dark Web. Its sites are ordinary web servers reachable only through an anonymity network, most commonly Tor, which relays every connection through several volunteer-run nodes so that neither you nor the site learns the other’s real IP address.
The data you are accessing still lives on a specific server somewhere; the network simply hides where. You can publish to it as easily as you can read from it, and in both directions the other party can’t tell where you are.
Why do people use the Dark Web?
There are all kinds of uses for the dark web. Some of them are downright nefarious; others, not so much.
- Drug sales
Taking into consideration the anonymous nature of the Dark Web, it was only a matter of time before it came into use to sell illegal drugs. It is the ideal avenue for this kind of transaction, because of the anonymity factor that is inherent to the Dark Web.
- Illegal commerce
To say that you can buy anything on the Dark Web would be an understatement. Anything you can imagine, no matter how gruesome, can be purchased on the Dark Web, from guns to stolen data to organs.
- Child porn
Is it really a surprise that child porn is rampant on the Dark Web? It’s one of the darker aspects of it, but the anonymous nature of it does lend itself to concealing horrible realities like this.
For all its negative connotations and activities, the Dark Web can also be a way to foster open communication that can sometimes save lives or make a change. Especially in cases where governments monitor online activity, having a place to speak out freely can be invaluable.
The Dark Web can be an excellent tool for journalists because sources can remain anonymous. Their activity is also far harder to track, which limits the consequences authorities can impose on them.
How to access
You may be wondering how you can access the Dark Web – after all, you can’t just Google it or access it in a regular browser.
Here are some of the aspects you need to keep in mind about accessibility, including the browser you need to use, the URLs, personal credentials you may need, and even acceptable currency, should you decide to make a purchase.
- Tor Browser
The most common way to access the Dark Web is Tor (The Onion Router), through Tor Browser, a modified Firefox that routes everything through the Tor network. Your connection is encrypted in layers and relayed through several nodes, so the sites you visit don’t learn your IP address and your ISP sees only that you are using Tor. Note that traffic leaving the network to a regular website is protected only by that site’s own HTTPS; only .onion services are encrypted end to end within Tor.
You can obtain Tor Browser by downloading it from the official website, torproject.org. It’s as easy as installing it and running it like any normal program. And if you were worried about the legality of it – have no fear.
Both accessing the Dark Web and downloading the means to do so are legal in most countries. While this can enable some pretty dark human behavior, it can also give us very necessary freedom to do positive things, as you will see. Not everyone uses it for nefarious purposes.
- Exact URLs
Something that makes it difficult to navigate the Dark Web is the fact that .onion pages are not indexed by the search engines you normally use. That means that anything you may be looking for will require an exact address: a current (v3) .onion address is 56 characters of seemingly random text followed by .onion, derived from the service’s own public key, and one wrong character sends you nowhere or, worse, to a look-alike site. That does limit the number of people who can access the Dark Web, as well as the scope of the pages one can gain access to.
Unless you know exactly where to look, you may not have a lot of luck finding what you want. That can deter you from searching, or, on the contrary, push you towards someone who is well versed in illegal activity and who can help you out.
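Why an exact address matters, as an added example that is not part of the original article: a current (v3) .onion name is base32(public key || 2-byte checksum || version 0x03), with the checksum computed as SHA3-256(".onion checksum" || public key || version) truncated to two bytes, per the Tor project’s rend-spec-v3. The script below builds such an address from a key and validates one before use, so a mistyped character is caught locally instead of landing you on a look-alike site. The 32-byte key is a constructed stand-in, not any real service’s key, and a correct checksum proves only that the address is well-formed, not who operates it.

```python
"""Added example (not from the original article): build and validate v3
.onion addresses offline. Format (Tor rend-spec-v3):
  onion = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
  CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03
The sample key is constructed; it does not belong to any real service."""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
SAMPLE_PUBKEY = bytes(range(32))  # constructed stand-in for a 32-byte ed25519 public key


def onion_checksum(pubkey: bytes, version: bytes = ONION_V3_VERSION) -> bytes:
    """Two-byte checksum over the key and version, as the spec defines it."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def assemble_onion(pubkey: bytes, checksum: bytes, version: bytes = ONION_V3_VERSION) -> str:
    """Base32-encode the three fields; 35 bytes become exactly 56 characters."""
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the address a service with this public key would advertise."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return assemble_onion(pubkey, onion_checksum(pubkey))


def validate_onion_v3(address: str):
    """Return the embedded public key if the address is well-formed and its
    checksum matches, else None. Catches typos and truncation, nothing more:
    a valid address still says nothing about who runs the service."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if len(host) != 56:
        return None
    try:
        raw = base64.b32decode(host.upper())  # 56 chars decode to 35 bytes, no padding
    except ValueError:  # binascii.Error is a ValueError: non-base32 characters
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_checksum(pubkey, version):
        return None
    return pubkey


if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print(addr)
    print("valid:", validate_onion_v3(addr) == SAMPLE_PUBKEY)
    print("tampered:", validate_onion_v3("a" + addr[1:]))
```

Run validate_onion_v3 on any address you have copied from a directory or a message before pasting it into Tor Browser; a None result means the text was damaged in transit, and a non-None result means only that the checksum line up, so still confirm the address through a channel you trust.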
- Criminal activity
It comes as no surprise that the Dark Web is a hotbed of criminal activity. No one is advocating that one pick up criminal undertakings in order to use the Dark Web. But generally speaking, the people who will most likely be looking to access URLs here are people who are engaged in all manner of criminal activity.
Most transactions on the Dark Web are paid in cryptocurrency, usually Bitcoin. Contrary to popular belief, Bitcoin is pseudonymous rather than untraceable: every payment is recorded on a public ledger, and blockchain analysis has been used to unmask both buyers and sellers. What it does offer is a way to pay without exchanging bank details, which is why both sides prefer it.
However, that does not mean that these transactions are always safe. There is a high degree of uncertainty that accompanies these transactions, regardless of what you are purchasing.
You might find that the person you are buying from is a scammer who can end up taking your money, but not sending over your product. While identities are protected, transactions are not, so a degree of care is always necessary.
The future of the Dark Web
While authorities are always making efforts to cut down on the number of sites present on the Dark Web, more are always created. In the end, it proves to be a bit of a wasted effort. The more websites get shut down, the more pop up in their place.
Does that mean that the Dark Web will continue in perpetuity? No one can say with any degree of certainty. It is entirely possible that people will seek refuge in the anonymity of the Dark Web as the degree of surveillance grows, or the opposite can happen and we can grow to accept surveillance as a means of ensuring a thin veneer of security.
The Dark Web will always be controversial, but it’s not nearly as scary as it seems. It’s true that it certainly conceals some illegal and immoral behavior, but it can also be used for good. The anonymous and untraceable aspects of it help it remain a somewhat neutral space where one can find the freedom to communicate, investigate, search, trade, make purchases, etc.
Luckily, there’s a range of cybersecurity businesses and start-ups attempting to solve this issue through innovative new technologies.
We look at some recent projects and partnering opportunities tackling cybersecurity challenges.
These engines include:
- Static analysis
- Sandboxing (runs programs in a virtual environment)
- Dynamic analysis (monitors the behaviour of running programs)
- Machine learning
- Vulnerability attack protection
The company has been very successful in Japan and are now looking to expand into European markets with the help of a partner. Their ideal partner would be an Original Equipment Manufacturer (OEM) company working in Internet Security.
Protecting Data, Assets and Brands Against Global Cyber Attacks
A German company has developed an automated platform to deal with global cybersecurity threats more efficiently.
The technology’s features include:
- Ad-hoc assistance in emergencies
- Simplified security processes
- Safe sharing of threat information with a range of stakeholders and organisations
- Contributions to a collaborative database
- Automated incident response management
- Real-time alerts
- Data fusion on a large scale
- Easy integration
- Secure collaboration
- Varied deployment models
- Worldwide threat monitoring and understanding
Helping SMEs Improve Their Information Security
A British company has developed a bespoke service for SMEs, helping them to improve their security and technology solutions.
This service includes:
- Privacy/ GDPR
- Business continuity
- Disaster recovery
- Collaboration technologies
- Blockchain/IoT/AI/Cloud computing
24/7 Security and Events Management
An Israeli company has developed a new solution to help organisations manage internal and external cyber threats. This real-time technology is available worldwide and offers a reliable, individualised service.
The service includes:
- Risk assessments
- A flexible pricing model
The company is looking for commercial agents in the cybersecurity sector to expand their client base.
Enterprise Europe Network: Connecting Businesses and Partners Worldwide
Enterprise Europe Network (EEN) helps businesses, academia and research institutions connect, expand into new markets and transform ideas into marketable products.
Discover more cybersecurity businesses and partnership opportunities that are part of the EEN network for an insight into the future of online security.
Who owns your data? This is one of the toughest questions facing governments, companies and regulators today and no one has answered it to anyone’s satisfaction. Not what we were promised last year, when the European Union’s General Data Protection Regulation, commonly known as the GDPR, came into effect.
The GDPR was billed as the gold standard of data protection, offering the strongest data rights in the world. It has forced companies everywhere to modify their operating models, often at great cost. It inspired the state of California to pass a similar law and where California leads, the rest of the US often follows; there have been calls for a federal version of the GDPR.
Most websites nudge us into clicking 'I consent' by making it harder for us not to
Advances in computing processing power and AI will allow those who have our data to do much more with it, and so with us.
The UK government’s porn block was a dead man walking for months, if not years. It is long overdue that this attempt to curb children’s access to online pornography is scrapped. Almost two years ago, a close colleague and I sat in a meeting with one of the policymakers who had recently been asked to implement the proposal. The pained look on his face when we queried his progress confirmed our suspicions that it was an impossible task. It was clear to many that the block could – and would – never come to pass.
The plan did not have just one Achilles heel – it had many.
Scientists and other stakeholders cannot access information about what the population is actually doing online.
Messages can only be seen under UV light and can be erased using a hairdryer
Forget lemon juice and hot irons, there is a new way to write and read invisible messages – and it can be used again and again.
The approach, developed by researchers in China, involves using water to print messages on paper coated with manganese-containing chemicals. The message, invisible to the naked eye, can be read by shining UV light on the paper.
“I’ve read on my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”
This is a pretty common answer that a lot of bloggers and small business owners give me when I ask them how secure their web hosting is. They often add that their budgets are pretty tight, so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean “ridiculously cheap.”
Come on, people.
Do you really think that a cheap web hosting has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?
While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.
If you don’t believe me, you can Google something like “Hacked website stories” and you’ll see that many web hosting companies, from some of the cheapest to even some well-known ones – don’t have adequate security solutions in place. As a result, lots of people have lost their websites. These horror stories are quite common, and even a simple Google search can return a lot of them.
Unfortunately, hackers are becoming more and more skilled at what they do, and stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you’ll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites have been hacked since 12 am).
From what I saw on Internet Live Stats, I could tell that one website was hacked every second. This is horrible, and one of the bad things about this was that many of the owners of these websites thought that they were protected by their web hosting provider.
The next bad thing about all of this is that the number of websites hacked daily is getting higher. For example, there were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as we could see on the live counter, this number has more than tripled in 2019. If this negative trend continues, then we could easily see even more website owners losing their business on a daily basis very soon.
While this information is certainly alarming, website owners are often partly to blame for the fact that their website was taken over (not trying to be rude here at all). If we dig a little bit deeper into the data on hacked websites, we discover that many use ridiculously simple passwords, poor hosting providers, outdated content management systems (CMS) and plugins, and do other unwise things that help hackers get in.
For example, many bloggers want to focus on content writing, editing, and lead building rather than think about stuff like hosting. While content proofreading is something they could get help with by using numerous online tools like, Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.
Next, there’s an issue with passwords. According to a recent survey by the UK’s National Cyber Security Centre (NCSC), 23.2 million web accounts they’ve analyzed had “123456” as a password. Moreover, about 7.7 million people relied on “123456789” for protection of their data, while “password” and “qwerty” were also quite popular with about 3 million users each.
While a password can be changed in a matter of seconds to harden your site against brute-force attacks, a password alone won’t protect you from most threats. Server-level security (patching the operating system and web server, isolating customers from one another, filtering attacks, keeping backups) is the responsibility of the hosting provider, and unfortunately a lot of people don’t give this part of web security a second thought.
That’s why we’re going to talk about hosting security issues that you should protect your site from.
How Web Hosting Affects the Security of Your Website
Before we get to the major web hosting hazards, let's quickly discuss the connection between your website's security and the hosting you use. I'll say this right away: choosing a web hosting provider is one of the most important decisions you'll make when setting up your website, and the implications go well beyond security.
For example, with a good provider a blogger or business owner gets:
- A high level of protection against hackers. “This means that you’ll be able to concentrate on content creation,” says Peter O’Brien, a content specialist from Studicus. “If I’d selected a poor host, I wouldn’t spend so much time doing the creative stuff, that’s for sure.”
- A fast loading time. People don't like to wait; Google's own research found that sites that load within 5 seconds had 70 percent longer visitor sessions, 35 percent lower bounce rates and 25 percent higher ad viewability than sites that took between 5 and 19 seconds. That is also why Google moved to mobile-first indexing and built its own PageSpeed Insights tool to help site owners optimise performance.
- High reliability and uptime. Most hosting companies claim 99.9 percent uptime for the sites they serve, but the actual figure varies with the quality of the provider.
- Better security. Providers differ in the security packages they offer, so the sites they power are not equally well protected from attackers. A good host will also help you recover quickly if you do suffer an attack.
Let's dwell on that last point. How can you tell that your hosting provider is poor? The signs are easy to spot:
- Slow loading times. If your website takes more than five seconds to load, chances are the provider has crammed too many sites onto one server.
- Frequent security incidents. If your site has no backups and is compromised repeatedly, talk to your provider (after making sure your own passwords aren't the problem).
- Regular unexpected downtime. Poor hosting often leads to this, and the usual cause is overloaded servers: the provider simply can't handle the traffic that your website, and the other sites on the same server, are receiving.
To sum up, the quality of your hosting is essential to the success of your online venture, and a poor choice leads to disappointing outcomes (remember the figures from the live counter). With so many sites being hacked every day, what do you need to know to protect yours? Read on.
Beware of these Major Web Hosting Hazards
- Shared Hosting Issues
Shared hosting is a tricky business: you don't know how many websites sit on the same server as yours. The number can be quite high, up to a thousand, and that alone can be one reason your site underperforms.
A discussion thread I came across had some interesting information on this. Someone asked how many websites are typically served from a single shared server, and some of the answers were astonishing: one user reported 800 websites on one server. Can you believe it? Talk about performance issues.
I realise a single server can technically host several thousand websites, but imagine what happens if even ten of them are high-traffic: crashes, slow loading times, unplanned downtime and plenty of other problems.
Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.
- Attacks That Exploit an Outdated Version of PHP
About 80 percent of websites with a known server-side language ran on PHP in 2018. Yet security support for PHP 5.6, the last 5.x branch, ended on 31 December 2018, which means every version of PHP 5.x is now end-of-life: sites that fail to upgrade no longer receive security patches, bug fixes or updates of any kind.
Recent reports suggest that this didn't trigger any mass migration to newer PHP versions. According to Threat Post, about 62 percent of all server-side programming websites were still running PHP version 5 (the full breakdown is charted in the original article; source: Threat Post).
“These sites probably include old libraries that haven’t had the joy of an update…” the Threat Post article quoted a web security expert as saying. “The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”
For attackers, that is an enormous pool of targets. Think about it: since the start of this year, more than 60 percent of PHP-powered websites have stopped receiving security updates.
“Faced with the urgent requirement to update the PHP version, a lot of website owners will make a corresponding request to their web hosting providers,” shares Sam Bridges, a web security specialist from Trust My Paper. “This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process.”
On top of that, some providers may not bother to notify their customers that an update is needed, so many websites may still be running outdated versions for years to come.
Well, hopefully you’re not going to be one of them.
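Here is an added example (not from the original post or from Threat Post) of how to check which PHP branch a site is actually running, from two angles: the php binary on the host and the X-Powered-By header that PHP emits by default unless expose_php is turned off. The HTTP response headers are constructed, and the supported-version floor OLDEST_SUPPORTED is an assumption for illustration; only the fact that every 5.x branch is end-of-life comes from the article, so check php.net's supported-versions page for the current floor before relying on it.

```python
import re
import subprocess

# Matches "PHP 7.3.12 (cli) ..." from `php -v` as well as "X-Powered-By: PHP/5.6.40".
PHP_VERSION_RE = re.compile(r"\bPHP/?\s*(\d+)\.(\d+)(?:\.(\d+))?")

# Assumption for this example: the oldest branch still receiving security fixes.
# Only "every 5.x branch is end-of-life" comes from the article; confirm the current
# floor at https://www.php.net/supported-versions.php before relying on this value.
OLDEST_SUPPORTED = (7, 1)


def parse_php_version(text):
    """Return (major, minor, patch) from any text containing a PHP version, else None."""
    m = PHP_VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_supported(version, oldest_supported=OLDEST_SUPPORTED):
    """True if the version's major.minor is at or above the supported floor."""
    return version[:2] >= oldest_supported


def audit_response_headers(raw_headers, oldest_supported=OLDEST_SUPPORTED):
    """Inspect an HTTP response header block: report whether the server discloses its
    PHP version at all (it shouldn't; set expose_php = Off in php.ini) and, if it does,
    whether that version is still supported."""
    powered_by = None
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-powered-by":
            powered_by = value.strip()
    version = parse_php_version(powered_by) if powered_by else None
    return {
        "discloses_version": version is not None,
        "version": version,
        "supported": is_supported(version, oldest_supported) if version else None,
    }


def local_php_version():
    """Version of the php binary on this host, or None if php isn't installed."""
    try:
        out = subprocess.run(["php", "-v"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return parse_php_version(out)


# Constructed response headers, not captured from real sites.
SAMPLE_OLD_HOST = """\
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.6.40
Content-Type: text/html; charset=UTF-8
"""

SAMPLE_HARDENED_HOST = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, hdrs in (("old host", SAMPLE_OLD_HOST), ("hardened host", SAMPLE_HARDENED_HOST)):
        print(label, audit_response_headers(hdrs))
    print("local php:", local_php_version())
```

A site that discloses no version is not necessarily up to date: the header can be hidden with expose_php = Off while the old interpreter stays in place. Use the header check to find the obvious laggards across the sites you own, and php -v (or your host's control panel) for the authoritative answer.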
- More Sophisticated DDoS Attack Techniques
DDoS attacks are nothing new, but they remain a common weapon against websites and should be considered when choosing a hosting provider. The situation is more complicated than it first appears.
Kaspersky's research, for example, found that the total number of DDoS attacks fell by 13 percent in 2018, which many would read as a positive signal.
The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky
Unfortunately, the headline figure hides the bigger picture. According to Kaspersky, attackers are launching fewer crude attempts to knock websites offline and turning instead to more advanced and sophisticated techniques.
For example, the average attack duration rose from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter. Longer attacks take longer to mitigate, and the shift suggests that attackers are becoming more selective and more skilled.
2018 also saw the largest DDoS attacks recorded up to that point; one of them, against a U.S.-based target, peaked at 1.7 Tbps (1.7 terabits of traffic per second aimed at a single victim), according to The Register.
Source: The Register
So even as the overall count falls, we may well see more websites knocked offline by DDoS in the coming years as attackers deploy more sophisticated techniques; clearly, very few sites could survive an attack on that scale without help.
Since a lack of DDoS-protected hosting is a major risk factor here, make sure your hosting provider has this protection in place, and ask what it actually consists of (mitigation capacity, and whether traffic is scrubbed upstream or merely rate limited at your server) rather than taking a “DDoS protected” badge at face value.
Web hosting isn't the first thing most website owners think about when setting up their businesses, but it can make or break them. The success of your venture ultimately depends on your site's uptime, loading time and overall reliability, so being aware of the threats you will face in the near future can save you from losing your website and joining the tens of thousands of owners whose sites get hacked every day.
Hopefully this article has served as an introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data protected, pay attention to existing and emerging risks now and make your decisions accordingly. It will pay off in the uptime and reliability of your website.
Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.
The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.
Industrial espionage is far more common than many people realise. As a business grows and competes at a higher level, the stakes rise and its corporate secrets become more valuable. It isn't just rival businesses that want that information; hackers who think they can sell it will also be sniffing around.
Even if you can’t eliminate the risk entirely, there are certain things you can do to reduce the risk of a security breach in your business.
While hackers do much of their work from their computers, they often rely on offline methods too. Social engineering, for example, is routinely used to manipulate people into unwittingly undermining otherwise secure systems. Countering it is difficult, but educating your employees about it goes a long way towards mitigating the risk.
If a hacker wants access to your systems but is struggling to breach your cybersecurity, they may turn to other methods, including rummaging through bins for discarded documents. If that sounds desperate, you may not realise just how often it works.
Make sure that any document containing information that would interest a would-be hacker or corporate competitor is completely destroyed when it is no longer needed. If you use a shredder, use one that shreds securely: a cross-cut shredder rather than a strip-cut one, since strips can be reassembled.
Don’t Print Sensitive Information if You Don’t Have to
Better still than securely destroying documents is not creating them in the first place. If you don't have to print sensitive information, don't. Sensitive documents protected by a decent cybersecurity system are about as safe as they can be; a printed copy is far less so.
Keep Your Schematics Under Wraps
Anyone with access to the design schematics of your most important products can reverse engineer them and probe them for weaknesses without ever touching a physical device. Modern engineering businesses, like those in many other industries, rely heavily on printed circuit boards, and a competitor who gets hold of your PCB schematics can copy your proprietary technology with ease.
Designing your own PCBs with Altium.com or a similar package means you can produce hardware unique to your business. That gives you a thin extra layer of protection, since an attacker who doesn't know the internal layout doesn't know where the potential entry points are, but it is obscurity rather than a real control: the moment someone obtains your schematics, the benefit is gone. Protect the design files as carefully as the secrets they describe.
Keep it Need to Know
Your most sensitive corporate secrets shouldn't be shared with anyone who doesn't need them. In any business, some colleagues become friends; even people who only see each other at work often develop friendly relationships. Keep business and pleasure distinct: don't feel bad about withholding sensitive information from someone you trust if there is no reason for them to have it.
If you want to keep your engineering business secure, make sure workers at every level understand their individual role in the security of the business as a whole. It takes just one careless person to undermine even the most secure system.
The post Protecting Your Engineering Business from Industrial Espionage and Cybercriminals appeared first on CyberDB.