Category Archives: Privacy

Massachusetts General Hospital Warns of Privacy Incident

Massachusetts General Hospital (MGH) announced that it learned of a privacy incident involving its Department of Neurology. MGH said that it learned on 24 June 2019 of an instance where someone gained unauthorized access to databases related to two computer applications used by its Neurology Department for research studies. Upon taking a closer look, MGH […]

The post Massachusetts General Hospital Warns of Privacy Incident appeared first on The State of Security.

Modifying a Tesla to Become a Surveillance Platform

From DefCon:

At the Defcon hacker conference today, security researcher Truman Kain debuted what he calls the Surveillance Detection Scout. The DIY computer fits into the middle console of a Tesla Model S or Model 3, plugs into its dashboard USB port, and turns the car's built-in cameras -- the same dash and rearview cameras providing a 360-degree view used for Tesla's Autopilot and Sentry features -- into a system that spots, tracks, and stores license plates and faces over time. The tool uses open source image recognition software to automatically put an alert on the Tesla's display and the user's phone if it repeatedly sees the same license plate. When the car is parked, it can track nearby faces to see which ones repeatedly appear. Kain says the intent is to offer a warning that someone might be preparing to steal the car, tamper with it, or break into the driver's nearby home.

Smashing Security #142: Mercedes secret sensors, smart cities, and ransomware runs riot

Darknet Diaries host Jack Rhysider joins us to discuss how cities in Texas are being hit by a wave of ransomware, how Mercedes Benz has installed a tracker in your car (but not for the reason you think), the security threats impacting smart cities, and a new feature coming to your Facebook app.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast, hosted by computer security veterans Graham Cluley and Carole Theriault.

Unlocking the future of blockchain innovation with privacy-preserving technologies

The origins of blockchain as many are familiar with it today can be traced back to the Bitcoin whitepaper, first published in 2008 by Satoshi Nakamoto, which offered a vision of a new financial system underscored by cryptography and trust in code. Throughout the past decade, iterations of this technological infrastructure have gradually built out a diverse industry ecosystem, allowing for use cases that extend beyond cryptocurrencies and peer-to-peer transactions. From smart contracts to asset …

The post Unlocking the future of blockchain innovation with privacy-preserving technologies appeared first on Help Net Security.

Cybersecurity in Schools: What Families Need to Know


Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure. 


Unsecured School WiFi

Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication. PSK authentication is the practice of sharing a single WiFi password with network users in order to grant access. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.

Weak Cybersecurity Practices

A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigation Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit a security flaw that left sensitive student data easily accessible through a simple change to a numeric ID in a URL. While the researcher explored the scope of the vulnerability, 81 students’ private data was exposed, including information like Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.

Targeted Cybersecurity Attacks

Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone. The threat has become a large enough issue that the FBI has released a public service announcement warning that the education sector was one of those most frequently targeted by social engineering schemes and phishing attacks. 

Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attack launched by a student who simply wants to avoid taking a test may not be as costly as one that targets student data, it can still grind a school system to a halt.

How to Protect Your Student’s Cybersecurity

How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about the strength of their firewalls, their email security measures, and the amount of encryption applied to their data storage systems. If you’re not satisfied with their measures, be your child’s cybersecurity advocate.

Although you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). This will wrap your child’s data in a tunnel of encryption, protecting them from prying eyes wherever they go. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect to and disconnect from their VPN at will.

Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Just as your child knows to wear a seatbelt when riding in someone else’s car, they should also know how to stay safe online, whether at home, school, or a friend’s house.

The key to truly protecting your children from potential cybersecurity threats is education, both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.

The post Cybersecurity in Schools: What Families Need to Know appeared first on Webroot Blog.

Surveillance as a Condition for Humanitarian Aid

Excellent op-ed on the growing trend to tie humanitarian aid to surveillance.

Despite the best intentions, the decision to deploy technology like biometrics is built on a number of unproven assumptions, such as, technology solutions can fix deeply embedded political problems. And that auditing for fraud requires entire populations to be tracked using their personal data. And that experimental technologies will work as planned in a chaotic conflict setting. And last, that the ethics of consent don't apply for people who are starving.

Digital Parenting: How to Keep the Peace with Your Kids Online

Simply by downloading the right combination of apps, parents can now track their child’s location 24/7, monitor their social conversations, and inject their thoughts into their lives in a split second. To a parent, that’s called safety. To kids, it’s considered maddening.

Kids are making it clear that parents armed with apps are overstepping their roles in many ways. And parents, concerned about the risks online, are making it clear they aren’t about to let their kids run wild.

I recently watched the relationship of a mother and her 16-year-old daughter fall apart over the course of a year. When the daughter got her driver’s license (along with her first boyfriend), the mother started tracking her daughter’s location with the Life360 app to ease her mind. However, the more she tracked, the more the confrontations escalated. Eventually, the daughter, feeling penned in, waged a full-blown rebellion that is still going strong.

There’s no perfect way to parent, especially in the digital space. There are, however, a few ways that might help us drive our digital lanes more efficiently and keep the peace. But first, we may need to curb (or ‘chill out on’ as my kids put it) some annoying behaviors we may have picked up along the way.

Here are just a few ways to keep the peace and avoid colliding with your kids online:

Interact with care on their social media. It’s not personal. It’s human nature. Kids (tweens and teens) don’t want to hang out with their parents in public — that especially applies online. They also usually aren’t too crazy about you connecting with their friends online. And tagging your tween or teen in photos? Yeah, that’s taboo. Tip: If you need to comment on a photo (be it positive or negative) do it in person or with a direct message, not under the floodlights of social media. This is simply respecting your child’s social boundaries. 

Ask before you share pictures. Most parents think posting pictures of their kids online is a simple expression of love or pride, but to kids, it can be extremely embarrassing, and even an invasion of privacy. Tip: Be discerning about how much you post about your kids online and what you post. Junior may not think a baby picture of him potty training is so cute. Go the extra step and ask your child’s permission before posting a photo of them.

Keep tracking and monitoring in check. Just because you have the means to monitor your kids 24/7 doesn’t mean you should. It’s wise to know where your child goes online (and off) but when that action slips into a preoccupation, it can wreck a relationship (it’s also exhausting). The fact that some kids make poor digital choices doesn’t mean your child will. If your fears about the online world and assumptions about your child’s behavior have led you to obsessively track their location, monitor their conversations, and hover online, it may be time to re-engineer your approach. Tip: Put the relationship with your child first. Invest as much time into talking to your kids and spending one-on-one time with them as you do tracking them. Put conversation before control so that you can parent from confidence, rather than fear.

Avoid interfering in conflicts. Kids will be bullied, meet people who don’t like them and go through tough situations. Keeping kids safe online can be done with wise, respectful monitoring. However, that monitoring can slip into lawnmower parenting (mowing over any obstacle that gets in a child’s path) as described in this viral essay. Tip: Don’t block your child’s path to becoming a capable adult. Unless there’s a serious risk to your child’s health and safety, try to stay out of his or her online conflicts. Keep it on your radar but let it play out. Allow your child to deal with peers, feel pain, and find solutions.

As parents, we’re all trying to find the balance between allowing kids to have their space online and still keeping them safe. Too much tracking can cause serious family strife, while too little can be inattentive in light of the risks. Parenting today is a difficult road that’s always a work in progress, so give yourself permission to keep learning and improving your process along the way.

The post Digital Parenting: How to Keep the Peace with Your Kids Online appeared first on McAfee Blogs.

Myki data release breached privacy laws and revealed travel histories, including of Victorian MP

Researchers able to identify MP Anthony Carbines’s travel history using tweets and Public Transport Victoria dataset

The three-year travel history of a Victorian politician was able to be identified after the state government released the supposedly “de-identified” data of more than 15m myki public transport users in a breach of privacy laws.

In July 2018, Public Transport Victoria (now the Department of Transport) released a dataset containing 1.8bn travel records for 15.1m myki public transport users for the period between June 2015 and June 2018.

Related: Major breach found in biometrics system used by banks, UK police and defence firms

See you about 05.24AM tomorrow at Rosanna to catch the first train to town. Well done all. Thanks for hanging in there. Massive construction effort. Single track gone. Two level crossings gone. The trains! The trains! The trains are coming! pic.twitter.com/kk2Cj3ey9T


Facebook Hired Outside Contractors to Transcribe User Audio

Facebook hired hundreds of third-party contractors to transcribe recordings of the site’s users, according to Bloomberg.

The social media giant hired the contractors to transcribe audio gleaned from its Messenger app in order to ensure the accuracy of its artificial intelligence-based voice recognition software. It has since discontinued the practice.

“[W]e paused human review of audio more than a week ago,” Facebook said in an announcement released Tuesday.

Some commentators noted that “paused” is not the same as “permanently ceased.” Facebook is the latest company to come under scrutiny for hiring outside contractors to listen in on recordings of users, following Apple, Amazon, and Google. While each of the companies maintains that the recordings were anonymized, several whistleblowers reported potentially egregious violations of user privacy. Apple and Google have since stopped the practice.

While Facebook’s privacy policy states that its systems “automatically process content and communications,” it failed to mention that the recordings were made available to employees and contractors of other companies.

Read the Bloomberg article here.

The post Facebook Hired Outside Contractors to Transcribe User Audio appeared first on Adam Levin.

Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season

With summer coming to a close, it’s almost time for back to school! Back to school season is an exciting time for students, especially college students, as they take their first steps towards independence and embark on journeys that will shape the rest of their lives. As students across the country prepare to start or return to college, we here at McAfee have revealed new findings indicating that many are not proactively protecting their academic data. Here are the key takeaways from our survey of 1,000 Americans, ages 18-25, who attend or have attended college:

Education Needs to Go Beyond the Normal Curriculum

While many students are focused on classes like biology and business management, very few get the proper exposure to cybersecurity knowledge. 80% of students have been affected by a cyberattack or know a friend or family member who has been affected. However, 43% claim that they don’t think they will ever be a victim of a cybercrime in the future.

Educational institutions are very careful to promote physical safety, but what about cyber safety? It turns out only 36% of American students claim that they have learned how to keep personal information safe through school resources. According to 42% of our respondents, they learn the most about cybersecurity from the news. To help improve cybersecurity education in colleges and universities, these institutions should take a certain level of responsibility when it comes to training students on how they can help keep their precious academic data safe from cybercriminals.

Take Notes on Device Security

Believe it or not, many students fail to secure all of their devices, opening them up to even more vulnerabilities. While half of students have security software installed on their personal computers, this isn’t the case for their tablets or smartphones. Only 37% of students surveyed have smartphone protection, and only 13% have tablet protection. What’s more, about one in five (21%) students don’t use any cybersecurity products at all.

Class Dismissed: Cyberattacks Targeting Education Are on the Rise

According to data from McAfee Labs, cyberattacks targeting education in Q1 2019 have increased by 50% from Q4 2018. The combination of many students being uneducated in proper cybersecurity hygiene and the vast array of shared networks that these students are simultaneously logged onto gives cybercriminals plenty of opportunities to exploit when it comes to targeting universities. Some of the attacks utilized include account hijacking and malware, which made up more than 70% of attacks on these institutions from January to May of 2019. And even though these attacks are on the rise, 90% of American students still use public Wi-Fi and only 18% use a VPN to protect their devices.

Become a Cybersecurity Scholar

In order to go into this school year with confidence, students should remember these security tips:

  • Never reuse passwords. Use a unique password for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. You can also use a password manager so you don’t have to worry about remembering various logins.
  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public. Protect your identity by turning your profiles to private so you can control who can follow you. You should also take the time to understand the various security and privacy settings to see which work best for your lifestyle.
  • Use the cloud with caution. If you plan on storing your documents in the cloud, be sure to set up an additional layer of access security. One way of doing this is through two-factor authentication.
  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to keep your connection secure.
  • Discuss cyber safety often. It’s just as important for families to discuss cyber safety as it is for them to discuss privacy on social media. Talk to your family about ways to identify phishing scams and what to do if you may have been involved in a data breach, and invest in security software that scans for malware and untrusted sites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season appeared first on McAfee Blogs.

Exploiting GDPR to Get Private Information

A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

  • a UK hotel chain that shared a complete record of his partner's overnight stays

  • two UK rail companies that provided records of all the journeys she had taken with them over several years

  • a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

How to Get Rich and Be Super Creepy

If you missed the news about Russian-owned FaceApp going viral, you’ve probably been vacationing on the coast of a dust pond on the dark side of the moon. It highlights the general lack of privacy laws out there, and may herald the start of meaningful legislation.

FaceApp allows users to tap into the power of artificial intelligence to see what they might look like with a perfect Hollywood smile, different hair, no hair, facial hair, or, alternately, as a much older version of themselves. The app essentially offers a rogue’s gallery of oneself, making it good fodder for social media sharing, and probably much harder to enter witness protection.

While the ability to hide out in South Dakota or South Jersey may not be foremost among the concerns of most FaceApp users, neither apparently is being hacked.

The locust-like media coverage of FaceApp spurred widespread day-after anxiety about how user images might be repurposed, and fake versions of the app laced with malware. Somehow the same fear isn’t daily in the minds of social media users, who waive many of the rights grabbed by the makers of FaceApp.

Consider that in the event user photos fall into the hands of a hacker (state-sponsored or freelance), bad things could happen. The same problem holds true for Facebook and FaceApp users alike. That very same image (or images), proffered for fun on the user side and profit on the corporate side, could be legally (or illegally) repurposed by the company that lawfully acquired it. We live in an information Wild West. As of today, in most of America we neither know, nor have the right to know, how our data is being used.

There Ought to Be A Law

While many were alarmed by the specter of Russia owning pictures of them and the privacy implications that went with that set of affairs, the bigger picture got lost in the scramble.

With FaceApp, the terms of use freaked everyone out. Sen. Chuck Schumer wrote an impassioned letter about it. Others–many others–cried foul. But here’s the thing: those terms of service were not terribly dissimilar from the terms applied by most big tech companies. The fact is, no one is protected.

As far as facial recognition goes, Snapchat and Instagram have FaceApp beat. Those two apps have far more information about user faces, and they are operating in a low regulatory oversight environment. They are in fact breaking laws that will be written in the years to come. Big Tech is to privacy what cigarettes were to healthy lungs and hearts before 1970 when the Surgeon General’s warning became mandatory.

Forget “Don’t Be Evil,” Don’t Be Creepy!

Still don’t think regulations are lacking? Google was recently out on the street offering random people $5 to be photographed. The pictures were being collected to help the company perfect 3D imaging and facial recognition. This will not be allowed to happen for five dollars or five hundred dollars in five years without full disclosure about the transaction and full consent.

Until these fast and loose practices are illegal, consumers should insist that such encroachments stop, and use their clicks and downloads (or more to the point the withholding of them) to change untoward uses of user data.

A citizen’s face is private information, and the collection of it for the purposes of identifying them and placing them here, there or anywhere–something done regularly in the Uyghur regions of China today to control that ethnic group–should not be deemed acceptable in a country like the United States, which is governed by a Constitution that doesn’t condone such encroachments.

Two Steps Forward, One Back

Facebook reached a $5 billion settlement for misrepresenting the way it handles user privacy, the SEC fined the company $100 million for misleading investors about the risks associated with the misuse of user information, and, still later in the day, Facebook admitted that it was the target of an FTC anti-trust investigation. Oh yeah, then came second quarter results, which exceeded expectations. All this in one day.

The settlement required that Facebook create new roles at the company to oversee privacy and police it, and that the company set about creating a more transparent environment for the information that the company collects, and how it’s used. The $5 billion fine was specifically for misleading users regarding their control over the ways Facebook used their data.

The settlement was met with a general outcry, with many experts saying it was toothless. With $56 billion in revenue, the fine is absorbable, and the new strictures in no way proscribe the way Facebook collects and sells user information. In other words, it signaled business as usual for the time being.

“The F.T.C. is sending the message that wealthy executives and massive corporations can rampantly violate Americans’ privacy and lie about how our personal information is used and abused and get off with no meaningful consequences,” Sen. Ron Wyden said.

The anti-trust investigation is not really news. It has been speculated for some time that the FTC was looking into the possibility that Facebook used its muscle to squash competition; news of an investigation may signal a more intense phase of regulatory action regarding the way big tech uses, and, by implication, abuses consumer information.

The bottom line is everything here. Right now, it is robust. Companies are making a killing using consumer information to mint money. The time for this Forty-Niner mentality is drawing to a close. So, if you are starting a company now, it might be a good time to join the handful of entrepreneurial pioneers who are now making money by protecting consumer privacy. The boom days of data strip mining are coming to a close.

The post How to Get Rich and Be Super Creepy appeared first on Adam Levin.

Cyber News Rundown: Children’s Tablets Show Vulnerabilities


Children’s Tablets Leave Users Vulnerable

At least one LeapPad tablet designed specifically for children has been found to harbor critical vulnerabilities in the app Pet Chat that could allow unauthorized access to online traffic. The vulnerabilities could be used to locate the tablet’s owner by creating a temporary WiFi network to help the user connect with other devices in the area. In addition to the remote access, local attackers would be able to send messages to children through non-HTTPS communications.

UK Universities Lacking Security

A recent study found that nearly 65% of the UK’s top universities are currently operating with sub-standard cybersecurity, especially during the time that students would be sitting for final exams. Among the remaining 35% of universities that did have some domain authentication, only 5% of those were using settings that would fully block phishing emails. UK university students who request any login changes should be cautious when opening anything they receive in response, as the message may not be genuine.

Intel CPU Patch Issued by Microsoft

Microsoft just released a patch for an Intel CPU vulnerability that was brought to light in 2012. The flaw could have been used to breach memory data from the device. The researchers who discovered it found they could easily leak sensitive kernel memory data into normal user operations, even though a system normally doesn’t allow this. Additionally, this vulnerability involves speculative execution, which is when the system begins executing certain operations pre-emptively and simply discards those that turn out not to be needed.

AT&T Employees Bribed to Unlock Phones

Employees of AT&T were found to be illicitly installing hardware onto corporate systems that would allow an attacker to unlock phones that were prevented from being used on other mobile providers. Even though some of the conspirators were eventually fired, many continued to work from within and from outside the company to further compromise nearly 2 million individual devices until the scam, which had been ongoing for more than five years, was discovered.

Mobile Bank Customers’ PINs Exposed

Customers of Monzo, a mobile-only bank in the UK, are being warned to change their PINs after many customers’ PINs were leaked into internal log files. Fortunately, the data wasn’t made available outside of the company, and the problem of PINs being stored in an alternate location has been resolved. Even after the company fixed the data leak, though, many customers were still suspicious when receiving an email informing them of the PIN reset issue.

The post Cyber News Rundown: Children’s Tablets Show Vulnerabilities appeared first on Webroot Blog.

23M CafePress Accounts Compromised: Here’s How You Can Stay Secure

You’ve probably heard of CafePress, a custom T-shirt and merchandise company allowing users to create their own unique apparel and gifts. With a plethora of users looking to make their own creative swag, it’s no surprise that the company was recently targeted in a cybercriminal ploy. According to Forbes, CafePress experienced a data breach back in February that exposed over 23 million records including unique email addresses, names, physical addresses, phone numbers, and passwords.

How exactly did this breach occur? While this information is still a bit unclear, security researcher Jim Scott stated that approximately half of the breached passwords had been exposed because they were stored using base64-encoded SHA1, a hashing scheme too weak for password storage. As a result, the breach database service HaveIBeenPwned sent out an email notification to those affected letting them know that their information had been compromised. According to Engadget, about 77% of the email addresses in the breach have shown up in previous breach alerts on HaveIBeenPwned.
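To make concrete why base64-encoded SHA1 fails as password storage, here is an added Python example (not code from the original post or from CafePress) that puts the weak scheme beside a sound one: a per-user random salt with PBKDF2-HMAC-SHA256 and constant-time verification. The user table, the passwords and the iteration count are constructed values for the demonstration. The audit function shows the property a defender can check in their own database: under the unsalted scheme every user who chose the same password ends up with the same stored string, so reuse is visible at a glance and a single precomputed table reverses all of them at once; under the salted scheme no two records match.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample user table (username, password). Made-up values for the
# demonstration, not data from the CafePress breach.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice", "password"),
    ("bob", "correct horse battery staple"),
    ("carol", "password"),  # same password as alice
]

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this demo


def weak_hash(password: str) -> str:
    """The scheme the article describes: unsalted SHA-1, base64-encoded.
    Deterministic and fast, so a precomputed table of common passwords reverses
    it, and every user who shares a password shares the same stored string."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as one self-describing
    string so the work factor can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so a timing side channel does not leak how many bytes matched."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def shared_hashes(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender's audit: group usernames by stored value. Any group larger than
    one means the scheme exposes password reuse and cracks those users together."""
    groups: Dict[str, List[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_tables() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Store the constructed users under both schemes, as a site might have."""
    weak = {user: weak_hash(pw) for user, pw in SAMPLE_USERS}
    strong = {user: strong_hash(pw) for user, pw in SAMPLE_USERS}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("weak scheme, shared hashes:", shared_hashes(weak))      # alice and carol collide
    print("strong scheme, shared hashes:", shared_hashes(strong))  # {}
    print("verify alice:", verify_strong("password", strong["alice"]))
```

Running the block prints one collision group for the weak table (alice and carol) and none for the salted table; the stored string format carries its own algorithm name and iteration count, which is what lets a site migrate to a stronger work factor record by record as users log in.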

Scott stated that those who used CafePress through third-party applications like Facebook or Amazon did not have their passwords compromised. And even though third-party platform users are safe from this breach, this isn’t always the case. With data breaches becoming more common, it’s important for users to protect their information as best as they can. Check out the following tips to help users defend their data:

  • Check to see if you’ve been affected. If you know you’ve made purchases through CafePress recently, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 23M CafePress Accounts Compromised: Here’s How You Can Stay Secure appeared first on McAfee Blogs.

How to Get on the Dark Web: A Step-by-Step Guide

Dark web, deep web, clear web – just words or more? Well, in seeing just how many of you are interested in hearing all about the dark wonders of the internet, I’ve decided to make this small dark web guide. So, if you want to learn all about Tor Onion, Silk Road, secret, hush-hush Governmental ops, and how to get on the dark web, of course, you came to the right place. Welcome to the shadows, my friends! I will be your guide.

WTH is the dark web anyway?

Now, before we dig into it, we’ll need to stage a little show-and-tell about the differences between the deep web, dark web, and clear net. I’ll start with the latter, because writer’s privilege. So, the clear web is the very first and very visible layer of the Internet. Basically, it’s what we see when we do a Google or Bing search for things like cat videos or popular YouTube songs.

From a technical standpoint, the clear web is the content that is indexed, crawled, and displayed by the various search engines. A commonly cited (and very rough) estimate puts the clear web at only about 4 percent of the Internet. So, if the clear web is only a tiny portion, what happened to the rest?


Deep web vs. dark web

Welcome to the deep web, the part of the Internet that’s not indexed by search engines. There’s nothing spooky about the deep web; it contains stuff like scientific papers, medical records, tax-related info, PayPal account pages, army communiqués, and much more. Although the deep web hides behind login forms and HTTPS sessions, its contents can be accessed if you know what you’re looking for and have the credentials.

Most websites hosted on the deep web are gated by credentials. For instance, if your health provider has a website capable of displaying bloodwork tests online, that particular section lives on the deep web: it will not be indexed by Google or Bing and can only be accessed with a password.

Oh, nearly forgot to mention that the deep web accounts for about 90 percent of the Internet by those same rough estimates.

That’s about it about the clear web and the deep web.

Remember: Clear, Deep, and Dark.

What’s the dark web then? Well, if the clear web is Google’s BFF and the deep web, its secret lover, then the dark web can only be the evil twin or the oddball.

Accounting for roughly 6 percent of the Internet by the same rough estimates, the dark web is a most peculiar blend: on the one hand, it’s a cesspool, a rendezvous place for drug dealers, black hat hackers, hitmen, and human traffickers. On the other hand, due to its covert nature (I’ll get to that in a sec), this Internet fold acts as a liaison between political outcasts and people in the free world. It’s also used by people who want to submit anonymous tips (whistleblowers).

The dark web is favored by both groups because of its ability to make anyone and anything hard to trace. Privacy and anonymity are what you might consider the core values of the darknet. There’s no such thing as a mother server that hosts the entire dark web, but rather a swarm of servers and nodes that can only be reached through .onion addresses. So, what are those?

More on Tor Onions

Since everything’s decentralized on the dark web, there is no central index of it, only a handful of search engines and hand-curated link lists. Even the URLs, if we can call them that, look nothing like what we’re used to.

For instance, if you want to access a site like YouTube, all you need to do is type the URL in the address bar (i.e. https://youtube.com) or search for the website on google.com. On the dark web, you have to know the address exactly, down to the last character. Current (v3) onion addresses are 56 characters of lowercase letters and the digits 2 through 7, followed by .onion, and that string isn’t random: it is derived from the service’s public key, which is why there is no registry to look one up in and why a single typo yields an address Tor Browser rejects instead of a wrong site.
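To show what is actually inside one of those strings, here is an added example (my own code, not part of the Heimdal post and not Tor’s implementation) that derives a v3 onion address from a 32-byte Ed25519 public key and validates one, following the published v3 format: base32 of pubkey || checksum || version, where the checksum is the first two bytes of SHA3-256(".onion checksum" || pubkey || version) and the version byte is 3. The public key used in the demo is a constructed placeholder, not a real service key.

```python
import base64
import binascii
import hashlib

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
ONION_V3_HOST_LEN = 56  # 35 raw bytes * 8 bits / 5 bits per base32 character, no padding


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Derive the address from an Ed25519 public key the way an onion service does."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Return the embedded public key, or raise ValueError saying what is wrong."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_V3_HOST_LEN:
        raise ValueError("v3 onion addresses have %d characters before .onion" % ONION_V3_HOST_LEN)
    try:
        raw = base64.b32decode(host.upper())
    except binascii.Error as exc:
        raise ValueError("not valid base32: %s" % exc) from None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: typo or altered address")
    return pubkey


def is_onion_v3(address: str) -> bool:
    """Cheap syntactic check a link checker or log parser can run offline."""
    try:
        decode_onion_v3(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    demo_pubkey = bytes(range(32))  # constructed placeholder, not a real service key
    address = encode_onion_v3(demo_pubkey)
    print(address)
    print(is_onion_v3(address), is_onion_v3(address[:-7] + "c.onion"))
```

The checksum is what turns a typo into a hard failure rather than a visit to someone else’s site, and the version byte is how Tor distinguishes these from the old 16-character v2 addresses, which the network has since retired.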

Again, we shouldn’t lose sight of the fact that the dark web is where a great deal of openly criminal activity takes place. Every sordid detail you’ve heard on the news about the dark web is painfully true.

This is the place where hackers come to purchase data stolen from users or companies or offer their services in exchange for Bitcoins or other forms of cryptocurrency. More than that, if you dare to dig deep enough, you can uncover other hair-raising activities such as human trafficking, child pornography, torture, or murder on demand.

Charming little spot, isn’t it? Well, that’s where we’re heading. Now, before you can access the dark web, there are a couple of things you must do, security-wise. Ready? Set? Go!

Preparing to set sail


#1. Install a VPN

VPNs are a popular first step when you’re attempting to access the dark web. Why? Technically, you are free to surf on this Internet layer, provided that you don’t engage in any illegal activities, and simply using Tor is legal in most countries. But connecting to Tor is visible to your ISP, and in some countries that alone is blocked or draws unwanted attention.

A VPN hides the Tor connection from your ISP: all it sees is an encrypted tunnel to the VPN provider. Keep in mind that this only moves the trust around. The VPN provider now knows you use Tor and sees the same connection metadata your ISP used to, so pick one you trust and that keeps as few logs as possible. With that caveat, do yourself a favor and set up a VPN before messing about on the dark web. Need a hand picking one? Check out this article written by one of my colleagues to narrow down your search.

#2. Install an adequate browser

The first rule of the dark web: never, ever use your default browser to reach the darknet. Chrome, Opera, or Firefox don’t route through Tor, can’t resolve .onion addresses, and hand your real IP address and browser fingerprint to every site you visit. So, if you’re still willing to do this, download Tor Browser, which is by far the safest and easiest way onto the onion network: it bundles a Firefox hardened against fingerprinting with the Tor client itself.

Of course, there are others who argue that Tor’s origins make it unreliable, privacy-wise: onion routing was originally developed at the US Naval Research Laboratory, and the Tor Project still receives part of its funding from US government grants. Tor’s code is open source, though, so anyone can review what it does. Weigh that for yourself.

Of Tor, VPNs and other demons

Anyway, going back to Tor: why use this particular browser over a regular one? Well, that’s a rather long story, but worth telling nonetheless. A regular browser connects straight to the site you ask for. Your machine resolves the name through your ISP’s DNS resolver and then opens a connection to the site’s address, so both the ISP and the site can see who is talking to whom.

Now, with Tor Browser, the connection is instead bounced through a circuit of three Tor relays before it reaches its destination. You’re probably wondering what the heck Tor relays are. They are servers run by volunteers all over the world; there are thousands of them, and your client picks a fresh path through them rather than relying on any single operator.

Before sending anything, Tor Browser wraps your traffic in three layers of encryption, one per relay. The first relay (the guard) sees your IP address but only ciphertext and the next hop; the middle relay sees only the relays on either side of it; the last relay (the exit) removes the final layer and talks to the website, so it sees the destination but not who you are. Relays forward traffic, they don’t store it. For .onion services the traffic never exits the network at all: client and service meet at a rendezvous point inside Tor, each through its own circuit.

So, what happens when you open a .onion address? If you followed my advice and connected through a VPN first, your ISP sees only an encrypted tunnel to the VPN provider and cannot tell that you’re using Tor at all. Without the VPN, the ISP can see that you connected to a Tor guard relay, but nothing about what you did afterwards; for that it’s blinder than a mole.

From the guard, the traffic is handed to the middle relay and then onward. Why? For anonymity, of course: no single relay knows both who you are and what you are requesting, so there is no one point from which the connection can be traced back to you. (Tor is not magic, though: an adversary who can watch both ends of a connection can still correlate timing.)
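To make “each relay only sees its own layer” tangible, here is an added example (my own toy model, not Heimdal’s and not Tor’s code) that wraps a request in three layers, peels them one relay at a time, and records what each relay learns. The relay names, keys and destination are constructed; real Tor negotiates per-hop keys with a handshake (ntor) and uses AES-CTR, and the next hop is fixed when the circuit is built rather than carried inside every cell. The stdlib-only cipher below is a teaching substitute, not something to deploy.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (Tor uses AES-CTR; this avoids third-party deps)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a relay with the wrong key learns nothing."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(hop_keys: dict, circuit: list, next_hops: dict, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer for the exit.
    Each layer carries only the name of the *next* hop, so a relay learns nothing else."""
    cell = payload
    for relay in reversed(circuit):
        cell = seal(hop_keys[relay], next_hops[relay].encode() + b"|" + cell)
    return cell


def relay_peel(key: bytes, cell: bytes):
    """What one relay does: strip its layer, read where to forward, pass the rest on."""
    inner = unseal(key, cell)
    next_hop, _, rest = inner.partition(b"|")
    return next_hop.decode(), rest


def trace_circuit(hop_keys: dict, circuit: list, next_hops: dict, payload: bytes) -> list:
    """Walk the cell through the circuit and record each relay's view."""
    cell = build_onion(hop_keys, circuit, next_hops, payload)
    views = []
    for relay in circuit:
        next_hop, cell = relay_peel(hop_keys[relay], cell)
        views.append({"relay": relay, "forwards_to": next_hop, "sees_payload": cell == payload})
    return views


if __name__ == "__main__":
    # Constructed circuit and destination. In Tor the per-hop keys come from a
    # Diffie-Hellman style handshake with each relay; os.urandom stands in for that here.
    circuit = ["guard", "middle", "exit"]
    keys = {relay: os.urandom(32) for relay in circuit}
    next_hops = {"guard": "middle", "middle": "exit", "exit": "example.com"}
    for view in trace_circuit(keys, circuit, next_hops, b"GET / HTTP/1.1\r\nHost: example.com\r\n"):
        print(view)
```

The guard’s view is the one that matters for the ISP argument: it knows your address and that you want “middle”, and nothing else. The exit is the only hop that ever sees the plaintext request, which is exactly why a malicious exit is the weak point for clear web sites visited over Tor and why .onion services, which never touch an exit, avoid that exposure.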

VPN Only? Unlikely.

Congrats! You just took the first steps of your dark web journey. Still, there are a couple more precautions to take before you pop open Pandora’s box of dark Internet wonders. Getting back to Tor and VPNs: there’s no broad consensus on dark web safety.

Tor on its own gives you anonymity toward the sites you visit; a VPN adds a layer that hides your Tor use from your ISP, or hides Tor from the sites you visit, depending on the order. Many guides therefore recommend combining the two, and there are two ways of chaining this dynamic duo. Be aware that the Tor Project itself does not recommend a VPN for most users, because a misconfigured VPN can hurt more than it helps. Here’s what you need to know.

Method I – Tor over VPN

Sounds very techie, doesn’t it? Well, it’s really not that complicated: Tor over VPN means connecting to a VPN service first and then starting Tor Browser. This is the most popular and, for most people, the safer of the two methods: Tor anonymizes you, while the VPN hides the fact that you use Tor from your ISP.

When using this method, your VPN client encrypts everything leaving your machine, so your ISP sees only a tunnel to the VPN server. The VPN server forwards the already Tor-encrypted traffic onward, and the Tor guard relay sees the VPN server’s IP address instead of yours.

Next step: the traffic goes to the Tor entry (guard) relay, then to a middle relay, then to a single exit relay that contacts the website you asked for. For a .onion address there is no exit at all; the circuit meets the service at a rendezvous point inside the Tor network. Tricky, but effective; that’s why it’s the more common way to access dark web content.


Pros of using Tor over VPN:
  • Your ISP sees only a VPN connection, not Tor.
  • Traffic is encrypted between you and the VPN, and again inside the Tor circuit, so the VPN provider knows you use Tor but not what you do there.
Con(s):
  • Doesn’t offer protection against malicious Tor exit relays (irrelevant for .onion sites, which never use an exit).
  • The VPN provider becomes a fixed point that sees every Tor session you start; “no logs” is a promise, not a guarantee.

Method II – VPN over Tor

Not very common, but usable. Recall how Tor over VPN works? Well, VPN over Tor is basically its opposite: traffic goes through the Tor network first and then to the VPN server, so the VPN is the last hop before the website. Why is this method so unpopular? Because it’s harder to set up (the VPN provider has to accept a connection arriving from a Tor exit) and, in most setups, it moves trust in the wrong direction.

If the signal goes through the Tor network first, your ISP will be able to see that you are attempting to connect to a Tor relay. Nobody should bat an eye just because you’re using Tor, but keep in mind that in some countries Tor use itself is blocked or attracts attention. And because the VPN provider now sits at the end of the chain, it sees all of your traffic and, if you paid with something traceable, knows exactly who you are.

Pro(s) of using VPN over Tor:
  • Great if you trust the VPN provider more than random exit relays: the exit sees only encrypted VPN traffic.
  • Lets you reach sites that block Tor exit IPs, since the website sees the VPN’s address.
Con(s):
  • ISP can see you connecting to Tor.
  • The VPN provider sees all your traffic and can tie it to your account.
  • .onion services are generally unreachable through the VPN hop, and the setup remains susceptible to end-to-end timing attacks.

Now, if you want to see what lurks in the dark corners of the Internet but don’t really trust Tor, there are alternatives. Here is a couple of them:

  1. I2P – an anonymity network in its own right, with its own hidden sites (“eepsites”, .i2p) rather than .onion links; strong privacy, but it’s a separate network from Tor.
  2. Matrix.org – an open-source, federated messaging protocol, not an anonymity network. Great for chats, IoT data transfers, and WebRTC signaling, but it doesn’t hide your IP address the way Tor does.
  3. Orbot – basically a Tor client for Android that can route other apps’ traffic through Tor.
  4. Globus Secure Browser – paid, VPN-powered browser. Allows the user to select a preferred geolocation. Globus features a five-day trial period if you want to take it for a spin.
  5. Comodo IceDragon – a Firefox-based browser with Comodo’s malware safeguards; it does not route your traffic through an anonymity network.
  6. Freenet – open-source project for censorship-resistant publishing, with an “opennet” mode (connect to strangers) and a “darknet” mode (connect only to people you trust).

#3. Install a VM or disposable OS

I strongly recommend surfing on the dark web using virtual machine software instead of your locally installed Windows. Why? Because it’s easier to contain malware in a virtual environment, which can be fully controlled.

It’s like in those movies where the doctors are experimenting on deadly viral strains from behind the safety of a glass enclosure. And, as it happens, there are plenty of VMs to choose from:  Oracle VM Virtualbox, VMware Fusion and Workstations, QEMU, Red Hat Virtualization, Microsoft Hyper-V, Citrix XenServer, and Xen Project, just to name a few.

Now, if you really want to take your physical storage devices out of the equation, you can use what I like to call a disposable operating system: easy to deploy and to get rid of if by chance you run into any trouble. All you’ll need is an 8GB thumb drive, an installation package, and a couple of minutes to get things up and running.

Let’s dig in.

How to install Tails OS


Step 1. Get yourself a thumb drive; 8GB will do, but you can buy a bigger one if you plan on using it for anything else. Note that writing the image erases whatever is already on the stick.

Step 2. Hop on the web and download the installation package for Tails OS. Verify the download before using it: Tails publishes an OpenPGP signature for every image, and the whole point of a security-focused OS is lost if you boot a tampered copy.

Note: Tails is a Linux-based live operating system which boots from a USB stick or DVD. I recommend a stick: a DVD is read-only once burned, so you can neither update Tails on it nor add an encrypted persistent volume, and some dark web tasks do require a bit of writing.

Chill: Tails is designed to leave no trace on the computer it runs on. It works entirely in RAM and writes nothing to the internal disk unless you deliberately ask it to. Note that Tails’ installation package comes in .img format, which means you’ll need software capable of writing raw images to your thumb drive.

My recommendation is Universal USB Installer, which is very intuitive. You can also go along with Rufus. The choice is yours. For this tutorial, I’ve used Universal.

Step 3. Insert the stick. A quick FAT32 format isn’t strictly needed, since the imaging tool overwrites the whole drive, but it helps if the tool doesn’t recognize the stick, and it shouldn’t take longer than a few seconds.

Step 4. Download and install Universal USB Installer or Rufus.

Step 5. Fire up Universal USB or Rufus.

Step 6. Under “Step 1: Select a Linux Distribution from the dropdown to put on your USB” select Tails.

Step 7. Under “Step 2: Select your ubuntu*desktop*.iso”, click on the browse button and select the downloaded Tails .img file.

Step 8. Under “Step 3: Select your USB Flash Drive Letter Only”, use the dropdown box to select your thumb drive’s letter. If it doesn’t show up, check the “Show all Drives” option.

Step 9. Review the info and hit Create when you’re done.

Note that the process can take anywhere from 5 to 30 minutes depending on your machine. Sit back, relax, and wait until the installation’s done. When you’re ready, hit the Close button and you’re all set.

Now what? Well, now it’s time to fire up Tails and do a little bit of tinkering.

How to boot from USB and configure Tails

Boggled about your first boot? No worries. It always hurts the first time. Just follow these steps.

  1. Keep the thumb drive plugged in.
  2. Restart your computer.
  3. After the splash screen appears, press the appropriate Boot Menu key (often F12, Esc, or F2, depending on the vendor). If you’re tired of randomly pressing keys each time you perform this action, check out this article on hotkeys for the boot menu.
  4. Use your keyboard to select the USB device from the list. When you’re done, hit Enter.
  5. Wait for Tails OS to boot. Since this is the first time, it may take a while. Just be patient.
  6. Configure Tails. There is nothing extra to install: Tails forces every connection through Tor and blocks anything that tries to bypass it. Tails does not support running a VPN inside it, so if you want Tor over VPN, run the VPN on a router in front of the machine instead.
  7. Get ready to discover the dark and sometimes creepy wonders of the dark web.

So how do you get on the dark web?

All done installing and configuring Tor? Great! Fire it up and let’s surf. At first glance, Tor doesn’t look that different from your regular browser – it has a search bar, lots of quick-launch icons, the peeled onion icon smack in the middle of the screen. So, now what? Well, let’s start small.

Although content on the dark web is not indexed the way the clear web is, you can still use search engines and link directories to find stuff. The Hidden Wiki (a curated link list rather than a search engine) and engines like Torch are the heavyweights here; Grams, the old marketplace search engine, shut down in 2017.

Yay, now I found everything my heart longs for. Not quite: onion sites come and go constantly and nobody verifies listings, so directories and search engines frequently return dead or fake links. No matter; good or not, the Hidden Wiki is a great place to start exploring.

The Hidden Wiki & Co.

Think of the Hidden Wiki as Wikipedia’s evil twin – looks more or less the same, but contains links to various dark web categories: editor’s picks, volunteer, introduction points, financial services, commercial services, email\messaging, drugs (yes, it’s the real deal), blogs & essays, hosting providers, hacking services, darknet radio (nothing shady about that; just some weird electronic tunes and, occasionally, a bit of jazz), literature (mostly resources on hacking, both ethical and black hat).

You can also find quick links here to the stuff that makes the dark web pitch-black dark: contract killers, rape, torture, or murder on demand, child pornography.

Fortunately, in Hidden Wiki, every website is followed by a brief description so that the user knows what to expect (or not). My advice to you would be to stick with the editor’s pick. You can also take a look at the blogs & essays section if you want to find some nifty coding resources.

If you’re feeling chatty, you can always access a chat room. Services like Random Chat connect you with random people using the same service. What happens after that is up to you.

You should stay away from everything labeled “porn”, “card skimming services”, “PayPal hacks”, “firearms”, “real fake IDs and passports”. Believe me, there are plenty to go around, many of them are either under law-enforcement watch or outright scams, and you’ll get exposed to stuff that will definitely make you take several cold showers.

The Hidden Wiki isn’t the only way to find things on the dark web. Here are a couple of alternatives in case you get bored with the Wiki.

  • DuckDuckGo – the same search engine as on the clear web, reachable through its own .onion address so your searches never leave Tor, and the default search engine in Tor Browser. It doesn’t track your searches, but note that it indexes the clear web, not onion sites.
  • Torch – considered the first dark web search engine, Torch boasts an index of several million onion links. It even comes with recommendations, although many of them point to marketplaces like the infamous (and long since seized) Silk Road.
  • WWW Virtual Library – if Torch and the Hidden Wiki are old, the triple-W Virtual Library is Cthulhu-old; as in the elder god of web directories. Strictly speaking it’s a clear web directory, not a dark web search engine, but it links to material dating back to the beginning of the Web: logs, documents, pictures, and everything in between.

Fun fact: The Virtual Library was founded (at CERN, in 1991) and, for a very long time, curated by none other than Tim Berners-Lee, the George Washington of the Web. So, if you’re looking for obscure Internet facts or very old documents, Berners-Lee’s brainchild is the way to go.

  • Uncensored Hidden Wiki – think regular Hidden Wiki is bad? Wait till you see the uncensored version. As the name suggests, it emphasizes very illegal activities like human trafficking, drugs, pornography went wrong, and other things that fester in the dark corners of the human mind.
  • ParaZite – do you know the “want to get Lucky?” button in Google’s search engine? The one that takes you on a random clear web site? Well, ParaZite does the same thing. Sure, you can use it like any run-of-the-mill search engine, but if you’re feeling curious, you can also try the “feeling (un)lucky” feature. Proceed with caution and prepare to eject and torch the thumb drive.

Commercial Services

Believe it or not, the dark web even has online shops. And no, they don’t all sell drugs or firearms. Some of them are, reportedly, legit and have great bargains. For instance, if you want to buy a laptop or a smartphone, you can try your luck in one of these shops. Of course, all transactions are anonymous and Bitcoin-driven. Sure, you can use other cryptocurrencies if Bitcoin’s not your cup of tea.

The major issue with these websites is that a large share of them are scams, and there’s no way of telling for sure whether a given shop will deliver. By the way, most advertise shipping services.

Of course, you can’t use your home address for dark web drop-offs, but apparently, they can ship all over the world, minus some Middle Eastern countries and North Korea. To tell you the truth, I was tempted into purchasing a Samsung Galaxy S10 Plus; it was only 250 bucks. My advice: look, but don’t touch (buy).

Here are a couple of commercial services you can check out while you’re browsing the dark web:

  • CStore – any kind of electronics. You can make the purchases in cryptocurrency or gift cards. They even accept full escrow.
  • Apple Palace – everything Apple: laptops, desktops, phones, and accessories. All at ludicrously low prices.
  • EuroGuns – the name says it all: guns sold on the European market. The website even boasts that it’s the number one European arms dealer.
  • Kamagra for Bitcoins – if your boomstick ain’t working no more, you can try Kamagra, which is the dark web and cheap version of Viagra.
  • Gold & Diamonds – site offers ‘real’ diamonds and gold. (Un)fortunately, it only ships to Germany and the United States.
  • PirateSec – legit hackers, at your service!
  • Fake Passports – I think it’s self-explanatory.
  • SOL’s United States Citizenship – sells American citizenships; go figure.
  • Digital Gangster – the most gangsta way to hack someone’s computer. Apparently, these are Ronin hackers who can be hired for exploits, web hacking, password retrieval, and all-purpose espionage.
  • Onion Identity Services – summer discounts for IDs and passports. Bitcoins only.

Email clients

Always remember that the dark web is a people-centric community. So, it’s only natural to find ways to keep in touch with your darknet buddies and\or customers. There are several email and IM services which you can use, and it’s highly recommended to pick one if you want to step up your dark web game.

In terms of functionality, I don’t think there are too many differences between regular IMAP, POP3, and SMTP services and the stuff you can use to communicate on the dark web; the main difference is that you reach them over Tor. Let’s start with the email clients.

  • secMail – full-fledged email service. Pretty simplistic in design: you can compose, send, and receive emails. All the basics of an email service, reachable only over Tor.
  • Lelantos- pay-to-use email service. Great security and privacy features, but it has one of the most unreliable and sidetrackable registration forms. Proceed at your own risk.
  • Bitmail.la – another pay-to-use email client. Has many features like IMAP, SMTP, and POP3 support, and a 500MB mailbox. Apparently, a lifetime membership costs $0.60.
  • Mail2Tor- a free email service which, reportedly, works on both dark and clear web.
  • Guerrilla Mail – creates a disposable email address.
  • AnonInbox – pay-to-use email client. Supports IMAP, SMTP, and POP3; charges around 0.1 BTC per year.
  • Protonmail – has both paid and free subscriptions, and its own .onion address. Encrypts mail in the browser so the provider can’t read message bodies.

Chat\Social Media

Right. Let’s now talk about social media and instant messaging. Believe it or not, Zuckerberg’s Facebook runs an onion service. It’s mostly used by people in places where Facebook is blocked or where connecting to it draws attention, for anonymous tip submission, and stuff like that.

It’s the same Facebook, so don’t expect it to be more private in what you post; what it hides is the fact that you’re connecting to Facebook from your network, and it’s totally legal to use. Hidden Facebook is hardly the only social media client on the dark web. Check out the list below for the ‘hottest’ dark web clients.

  • BlackBook – works pretty much the same way as Facebook: you can chat, send pictures and friend requests, post status updates, and join groups. Though competing head-to-head with Facebook Onion, BlackBook’s prone to hacking. Reportedly, the client was disabled at least a couple of times in 2018.
  • Torbook – very similar to BlackBook. Some claim that both of them rose at around the same time, despite the creators not knowing each other.
  • The Campfire – gather around the campfire, folks to hear the tale of tales. The name’s rather suggestive – a big chatroom; everybody can join, and the topics can be anything from the latest trends in the music industry to how you can hide a human body.
  • Lucky Eddie’s Home – scripted chat room that sports one of the most efficient file-uploading system on the dark web. Just like any IM app, you can send or receive messages, join or create groups, and send files.
  • MadIRC Chat Server – if you’re over 30, you certainly remember the mIRC era. Surprisingly enough, IRC offshoots are still being used today, mostly for covert conversations or intranet communication. MadIRC Chat works just like a regular IRC: no registration or subscription required. Just pick a username and join in on the fun. I know sharing is caring, but in this case, I would advise you not to share any personal details because you never know who’s on the other side of the line.
  • Chat with strangers – think Omegle, but on the dark web. Just fire up the client, connect to a chat room, and that’s it. You can’t send or receive files. Still, if you’re lucky, perhaps you can partake in a scintillating conversation.

Journalism and advocacy groups

As I’ve mentioned, the dark web isn’t just a place of eternal torment, teeming with drug dealers, human traffickers, and hitmen. It’s also used by journalists, advocacy group members, and political refugees in hiding. Reuters, Fox, NBC, CNN – all of them keep open dark web channels to receive anonymous tips from whistleblowers.

Advocacy groups are also reaping the advantages of the darknet because censorship is much harder to enforce here. And finally, we have political outcasts, refugees, and people who want to get in touch with the outside world from a totalitarian country that suppresses all means of communication and information.

Of course, there are your run-of-the-mill congregations, which will worship anything from Lucifer to the flying spaghetti monster.

If you’re interested in subversive journalism, here are a couple of sites you can try visiting:

  • Soylent News – a cross-spectrum news aggregator that is also reachable as an onion service. Features webmaster-moderated forums on which you can submit comments. You can also get involved by either submitting tips or writing news.
  • ProPublica – historically, ProPublica was the first major news outlet to launch an onion service, back in 2016. Since then it has exposed abuses of power and blown the lid on covert activities conducted by governmental institutions. Although quite young compared to other news outlets, ProPublica’s work has been rewarded with five Pulitzer Prizes, the most recent (2019, Feature Writing) going to Hannah Dreier for her reporting on MS-13 gang violence on Long Island.

More on how to stay safe on the dark web

Already went through VPNs, anonymizing web browsers, and disposable operating systems, so I won’t bother reminding you about those. Here some other things you can try to bolster your security.

1. Minimize or rescale your Tor browsing window

Sounds rather off, doesn’t it? Well, there’s a reason: your browser window’s dimensions are one of the signals sites use to fingerprint you, and a maximized or hand-resized window is far more unique than the default. So don’t maximize Tor Browser and don’t drag it to some odd size; leave it at the size it opens with (newer versions add grey “letterbox” margins for exactly this reason).

2. Tweak the security settings

Tor Browser has a built-in security level setting. Click the shield icon (the onion icon in older versions), choose Security Settings, and pick Safest. This disables JavaScript by default on every website and blocks some fonts, icons, images, and media; many sites will break, which is the price of the smaller attack surface.

3. Never use your credit and debit card for purchases

I’ll go farther than that and say stay away from darknet shops. Maybe some of them are legit, but are you really willing to take that chance? Still, if you’re really itching to purchase a new phone or God knows what, stick with cryptocurrency rather than a card. Bear in mind that Bitcoin is pseudonymous, not anonymous: every transaction sits on a public ledger, and coins bought on an exchange that verified your identity can be traced back to you. Using credit or debit cards for this sort of thing is like painting a big bullseye on your bank account while yelling: “come here and take my money.”

4. Close Tails after finishing your session

When you’re done surfing or shopping on the dark web, don’t forget to shut down Tails. The major advantage of a live OS such as Tails is that it runs entirely from RAM and overwrites that memory on shutdown; nothing is written to the host’s disk, and the stick itself holds only the OS plus whatever you deliberately saved to an encrypted persistent volume. That is also why a USB stick beats a DVD: a DVD can neither be updated nor given a persistent volume.

5. Don’t stick your nose where it doesn’t belong

Great life advice, but it’s even more valuable where the darknet is concerned. Keep in mind that many criminal organizations are using the dark web to communicate or sell merchandise. Some of these channels are under watch. You may very well end up in the middle of a stakeout that could turn ugly. So, if the website looks fishy, close the tab, and forget about it.

Wrap-up

This is where I get off – been a long journey and I hope I’ve managed to at least change your perspective on the dark web. So, to wrap it up nice and tight, remember to take all the necessary precautions, refrain from using your debit or credit card, stay away from dubious groups, and have fun while you’re at it. As always, for comments, rants, ad-libs, or beer donations, shoot me a comment. Cheers!

The post How to Get on the Dark Web: A Step-by-Step Guide appeared first on Heimdal Security Blog.

Cryptocurrency exchange Binance offers $290,000 bounty to unmask blackmailer

One of the world’s largest cryptocurrency exchanges has revealed that it is being blackmailed to the tune of 300 Bitcoin (approximately US $3.5 million) by someone who is threatening to release some 10,000 sensitive photographs of its customers.

Read more in my article on the Tripwire State of Security blog.

5 Digital Risks That Could Affect Your Kids This New School Year


Starting a new school year is both exciting and stressful for families today. Technology has magnified learning and connection opportunities for our kids, but not without physical and emotional costs that we can’t overlook this time of year.

But the transition from summer to a new school year offers families a fresh slate and the chance to evaluate what digital ground rules need to change when it comes to screen time. So as you consider new goals, here are just a few of the top digital risks you may want to keep on your radar.

  1. Cyberbullying. The online space for a middle or high school student can get ugly this time of year. In two years, cyberbullying has increased significantly from 11.5% to 15.3%. Also, three times as many girls reported being harassed online or by text than boys, according to the U.S. Department of Education.
    Back-to-School Tip: Keep the cyberbullying discussion honest and frequent in your home. Monitor your child’s social media apps if you have concerns that cyberbullying may be happening. To do this, click the social icons periodically to explore behind the scenes (direct messages, conversations, shared photos). Review and edit friend lists, maximize location and privacy settings, and create family ground rules that establish expectations about appropriate digital behavior, content, and safe apps. Make an effort to stay current on the latest social media apps, trends, and texting slang so you can spot red flags. Lastly, be sure kids understand the importance of tolerance, empathy, and kindness among diverse peer groups.
  2. Oversharing. Did you know that 30% of parents report posting a photo of their child(ren) to social media at least once per day, and 58% don’t ask permission? By the age of 13, studies estimate that parents have posted about 1,300 photos and videos of their children online. A family’s collective oversharing can put your child’s privacy, reputation, and physical safety at risk. Besides, with access to a child’s personal information, a cybercriminal can open fraudulent accounts just about anywhere.
    Back-to-School Tip: Think before you post and ask yourself, “Would I be okay with a stranger seeing this photo?” Make sure there is nothing in the photo that could be an identifier such as a birthdate, a home address, school uniforms, financial details, or password hints. Also, maximize privacy settings on social networks and turn off photo geo-tagging that embeds photos with a person’s exact coordinates. Lastly, be sure your child understands the lifelong consequences that sharing explicit photos can have on their lives.
  3. Mental health + smartphone use. There’s no more disputing it (or indulging tantrums that deny it): smartphone use and depression are connected. Several studies of teens from the U.S. and U.K. reveal similar findings: that happiness and mental health are highest at 30 minutes to two hours of extracurricular digital media use a day. Well-being then steadily decreases, according to the studies, revealing that heavy users of electronic devices are twice as unhappy, depressed, or distressed as light users.
    Back-to-School Tip: Listen more and talk less. Kids tend to share more about their lives, friends, hopes, and struggles if they believe you are truly listening and not lecturing. Nurturing a healthy, respectful, mutual dialogue with your kids is the best way to minimize a lot of the digital risks your kids face every day. Get practical: Don’t let your kids have unlimited phone use. Set and follow media ground rules and enforce the consequences of abusing them.
  4. Sleep deprivation. Sleep deprivation connected to smartphone use can dramatically increase once the hustle of school begins and Fear of Missing Out (FOMO) accelerates. According to a 2019 Common Sense Media survey, a third of teens take their phones to bed when they go to sleep: 33% of girls versus 26% of boys. Also, 1 in 3 teens reports waking up at least once per night and checking their phones.
    Back-to-School Tip: Kids often text, play games, watch movies or YouTube videos, randomly scroll social feeds, or read the news on their phones in bed. For this reason, establish a phone curfew that prohibits this. Sleep is food for the body, and tweens and teens need about 8 to 10 hours to keep them healthy. Discuss the physical and emotional consequences of losing sleep, such as sleep deprivation, increased illness, poor grades, moodiness, anxiety, and depression.
  5. School-related cyber breaches. A majority of schools do an excellent job of reinforcing the importance of online safety these days. However, that doesn’t mean a school’s own systems aren’t vulnerable to cyber threats, which can put your child’s privacy at risk. Breaches happen in the form of phishing emails, ransomware, and any loopholes connected to weak security protocols.
    Back-to-School Tip: Demand that schools be transparent about the data they are collecting from students and families. Opt out of the school’s technology policy if you believe it doesn’t protect your child or if you sense an indifferent attitude about privacy. Ask the staff about its cybersecurity policy to ensure it has secure password, software, and network standards, since weak ones could lead to your family’s data being compromised.

Stay the course, parent, you’ve got this. Armed with a strong relationship and media ground rules relevant to your family, together, you can tackle any digital challenge the new school year may bring.

The post 5 Digital Risks That Could Affect Your Kids This New School Year appeared first on McAfee Blogs.

Can a Smart TV Get a Virus?

Asking the real questions here – can a smart TV get a virus? We’re about to find out. If you’re into gaming or streaming, you’ve probably bought yourself a wide QLED.

Smart TVs are awesome since they give you access to tons of content without the need to use an intermediary – remember when you had to hook up your desktop or laptop to the TV just to see a movie?

Since most smart TVs out there run an OS akin to Android, the question of whether or not TVs can get viruses seems only natural. So, if you’re still worried about someone hijacking your smart TV during an epic streaming night, check out this guide. Enjoy!

It started with a tweet…

Like every ‘great’ Internet smash, the entire smart TV malware gig started with a tweet from Samsung. Try as I might, I couldn’t get hold of the message in question, since the company was kind enough to delete it not long after it went live. However, it did not go away quietly (into the night) – pretty soon, people began wondering whether or not their TVs are safe.

Per Samsung’s statements, the tweet was part of their cybersecurity awareness campaign.

Awareness or not, it does pose a rather interesting question: can a smart TV get a virus? The common answer is “no”, since smart TVs do not tap into the same resources as PCs, Macs, tablets, or smartphones. True, but not very convincing.

So, I started poking around to seek the answer to this elusive question. Long story short – yes, your smart TV can get a virus if you download stuff that, well, you shouldn’t download. Android TVs are more vulnerable than non-Android models since they have full access to Google Play’s app library.

Yes, one wrong download and you can probably end up with a bricked set or even with a compromised router. Daunting as it may seem, the chances of this actually happening are slim to none.

Of course, many agree that any kind of electronic device can be hacked, but is it really worth it? Think of it this way: if someone were to hack his way into your PC, he could steal precious stuff like financial info. That’s a prize worth having.


Stepping up the game

First of all, a widespread cyberattack should be capable of targeting several types of chipsets. It’s true that most smart TVs use ARM- or MIPS-based cores, but the tech used to bring the sets to life differs from that employed to build PCs or smartphones.

That would be the first limitation. The second one would be the fact that all TV operating systems are written in ‘read-only’ form, which means that the set itself can view and read the code, but it cannot write or overwrite on its own accord.

So, what does that even mean? Well, it kind of translates to someone having to redo the whole code to change the attribute from ‘read-only’ to ‘read-and-write’. Sounds easy enough on paper, but reality says otherwise; no one’s going through that much trouble just to hack a TV set!

Another ‘countermeasure’ smart TV manufacturers use is the digital signature. Each time a new firmware update becomes available, it simply overwrites the old one. Being digitally signed means that in the event that malware does find its way inside your TV, it will simply be picked up by the in-built antivirus and deleted.

Now, even if the malware manages to evade detection (and that’s a very big ‘if’), worst case scenario – it will gain access to the TV’s config & general settings sections. Not much damage it can do from there (maybe trigger a voltage overload in those CPU cores or something).
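To make the signed-update idea concrete, here is an added example (mine, not code from the original post or from any TV vendor) of how an updater can check an image against a vendor public key before it overwrites anything; the image layout, the key pair and the anti-rollback version check are assumptions, and the same check rejects a payload that was swapped in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any vendor's real format):
//   "TVFW" (4 bytes) | version (uint32, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so a swapped or patched payload
// fails verification even when the header is left intact.
const (
	magic     = "TVFW"
	headerLen = 4 + 4
	sigLen    = ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("firmware image: malformed")
	ErrBadSignature = errors.New("firmware image: signature does not verify")
	ErrRollback     = errors.New("firmware image: older than installed version")
)

// BuildImage is the vendor-side step: only the build system holds the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 0, headerLen+len(payload))
	body = append(body, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	body = append(body, v[:]...)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side step: the updater checks the image against the
// vendor public key kept in the read-only part of the firmware before flashing.
// It returns the new version and payload, or an error saying why it was refused.
// The anti-rollback check (refusing an older, genuinely signed image) is an
// assumption that goes beyond what the article describes.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+sigLen || string(img[:4]) != magic {
		return 0, nil, ErrMalformed
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, body[headerLen:], nil
}

func main() {
	// Constructed vendor key pair; a real device would only ever hold pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 1
	good := BuildImage(priv, 2, []byte("constructed firmware payload"))

	v, _, err := VerifyImage(pub, installed, good)
	fmt.Println("genuine image:", v, err) // genuine image: 2 <nil>

	// A payload swapped in transit cannot carry a matching signature.
	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01
	_, _, err = VerifyImage(pub, installed, tampered)
	fmt.Println("tampered image:", err)

	// An older image, even one the vendor really signed, is also refused.
	old := BuildImage(priv, 0, []byte("older payload"))
	_, _, err = VerifyImage(pub, installed, old)
	fmt.Println("old image:", err)
}
```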

So can a smart TV get a virus?

Not quite – TVs, just like any other electronics, CAN become infected. Well, that’s a bummer – how can a device get and not get infected at the same time? Let me try to clear things up a bit. So, for a TV to get viruses, Trojans, or any kind of ransomware, you would need to perform a specific set of actions.

For instance, if you insert a USB flash stick that harbors a bug, then your smart TV gets infected. It’s as easy as that. There’s even a story to go along with that claim; several of them, actually.

Fishing for Trojans

Apparently, in 2015, a Tom’s Guide user reported that he unwittingly transformed his Samsung smart TV into a breeding pool for trojans. As the story goes, the user plugged a USB stick into the TV without knowing that the stick was infected with win32.waldek.ACL, a trojan notorious for its ability to reconfigure the affected machine’s DNS and to restrict access to some websites.

Nothing appears to have happened to the TV, but once the user inspected the thumb drive on a computer, he saw that it was indeed infected with that particular trojan. His AV managed to bust the win32 variant, without any issues.

However, each time he would plug the stick into his TV and then back into the PC, his AV would detect an infection. I don’t know how this story ends, but I guess returning the set to its factory setting can root out just about any kind of malware from the smart TV’s buffer.

There are other accounts of smart TVs getting bitten by the ‘love bug’.

When gaming turns…viral

During the same year, Candid Wueest, a cybersecurity researcher, managed to prove what others couldn’t: that someone can hold your TV for ransom. In other words, ransomware’s universal. Now, keep in mind that Wueest’s ‘experiment’ worked because, well, he wanted it to work.

Here’s how it went down: in his demo, Wueest managed to infect a Sony Android TV with ransomware using a Man-in-the-Middle attack, by replacing a game installation file with ransomware. As a result, the TV locked itself up. What’s even worse is that you can’t do anything because there’s no way of actually clicking on the instructions’ link to see the payment details.

So, yes, it’s possible, but certain conditions must be met. First of all, the researcher was able to access the network path; IRL that could happen if the hacker were either on the same network as the victim or hijacked the victim’s DNS resolution.

Second, before starting this unlikely experiment, he enabled the TV’s Android ADB debugging feature, which granted him access to some pretty advanced features. Last, but not least, he knew where the experiment was headed and how it would end.

He eventually purged the ransomware by using the ADB shell. Lesson learned – it can happen, but there’s a boorishly long list of ifs to go along with that assumption.

Sis’s sys got pwned

The winter of 2016 brings us yet another case of what appears to be a ransomware infiltration. Lucky for us, this wasn’t another experiment, but the real McCoy. According to Reddit user u/tell_me_im_funny, his sister’s LG smart TV became infected while she was navigating on the TV’s web browser.

A couple of minutes later, the set got ‘bricked’; the only thing it would display was a message reading “Your computer has been infected, please gib money to fix it.”

This time, there was no ADB shell, no access to the network pathway, and no one to call for help. In a later ad-lib, the user said that he managed to ‘unbrick’ his sister’s TV by performing a hard-reset (returning the TV to the factory settings).

Netflix is so gauche

And, hoping I haven’t bored you to death with my cybersec ‘penny dreadfuls’, the last story comes all the way from Kansas. Darren Cauthon, the protagonist and a software dev in his spare time, said that back in 2015, his Google Android-powered smart TV picked up a bug during his attempt at downloading a movie-streaming application.

Cauthon recalled streaming some flick when, all of a sudden, the screen froze. Naturally, he tried rebooting the TV. However, upon restart, instead of the familiar LG start screen, Cauthon was met by a message allegedly sent by the Federal Bureau of Investigation. Apparently, the software dev was informed that due to some “suspicious files”, the device had been locked. The full text reads:

Department of Justice
Federal Bureau of Investigation

FBI Headquarters

Washington DC Department, USA

As a result of full scanning of your device, some suspicious files have been found and your attendance of the forbidden pornographic sites has been fixed. For this reason, your device has been locked. Information on your location and snapshots containing your face have been uploaded on the FBI Cyber Crime Department’s Datacenter.

Of course, Cauthon’s first thought was ransomware. And yes, his hunch was right – after downloading the wrong movie-streaming app, his TV became infected with FLocker, otherwise known as Dogspectus or Frantic Locker, a Cyber.Police ransomware variant. Since the bug made it into his TV and not his PC or phone, Cauthon was able to get rid of it by returning the set to its factory settings.

What’s there to be done if your TV does get a virus?

For the sake of argument, let’s say your smart TV picks up a trojan or ransomware. What are you going to do then? Well, there are several ways to root out malware from your device. Check these out.

1. Force-scan the TV and attached storage devices

Most modern smart TVs have in-built antivirus software. Sure, it’s signature-based and wouldn’t make much of a difference in case of Advanced Persistent Threats, but still better than nothing.

Keep in mind that your TV’s AV is not as sophisticated as the one on your computer. Certain functions like auto-scan or scheduled scans may not be available. So, it’s up to you to conduct periodical scans of your device. Here’s what to do:

Step 1. Navigate to Settings using your remote.

Step 2. Go to General Settings.

Step 3. Head to System Manager.

Step 4. Under Smart Security, click on Scan.

Step 5. Enjoy a virus-free streaming experience!

(*) This method applies to Samsung smart TVs. For other brands, please consult the user’s manual. Look for things like “smart security”, “smart hub”, or “online security”.

2. Return TV to factory settings

Just like Cauthon, you could return your smart TV to factory settings in case of a ransomware infection. Bear in mind that in a Denial-of-Service attack, some or all of your TV’s functions will be disabled. This means that you will need to find an alternative way to do that. My advice would be to contact your brand’s customer service for technical info.

Now, if you’re the ‘proud’ owner of a Samsung smart TV, as I am, you can find the reset to the factory settings option in Support, under Self-Diagnosis. Keep in mind that you might be required to provide your PIN code to complete the operation (if you haven’t messed around with the security settings, the default PIN is 0000). Bonne chance!

3. Regular software updates

Yes, I know that this tip does not qualify as a fix, but you know how it goes with that proverbial ounce of prevention. Anyway, keep your TV’s firmware and all downloaded apps up to date. Almost all smart TVs have an auto-updater or, rather, semi-auto update feature since it will prompt you to install the latest version.

If you have an older set, try checking at least once per month for any updates. Do the same for your apps. Why keep everything up to date? Because over 80 percent of malware infections occur due to outdated apps which turn into breach points.

4. Wired over wireless

If you can choose between a wired and a wireless connection, go with the first. Wired connections are harder to hack compared to the wireless ones. Of course, there’s the entire cable management issue, but everything can be solved with a bit of patience and some cable ties.

5. Avoid shady vendors

Now, if that TV really can’t wait, do yourself a favor and buy yours from a legit vendor. Don’t fall for bogus discounts, giveaways, or whatnots because that’s how you end up with rip-offs and malware-infected devices. Lesson learned – say YES to Samsung or LG and NO to Samysung or MG.

6. Refrain from plugging (infected) USB sticks into your TV

Seems pretty obvious, but I still need to say it: never, ever stick a malware-infected memory stick or portable hard-drive into your smart TV. It would be wise to run a quick scan on your PC or Mac before plugging in the stick. And I wouldn’t recommend using sticks other than your own.

7. Ditch generic web browsers

If you don’t have an Android smart TV, then you’ve no other choice but to use the in-built one. Now, if you really don’t like the default one, you should stick with the usual ‘suspects’ like Chrome, Mozilla Firefox, Opera, or Brave. Why? Because they’re much more secure compared to generic ones.

Wrap-up

So, can a smart TV get a virus? That would be a “yes”. Still, you should take this with a grain of salt – sure, malware can brick your TV or whatever, but it’s still not nearly as dramatic as what would happen if the same bug got into your computer.

As always, keep your apps up to date, perform regular scans, avoid dubious memory sticks, and stick with the big brands. For any question, comments, rants, or suggestions, feel free to shoot me a comment. Cheers!

The post Can a Smart TV Get a Virus? appeared first on Heimdal Security Blog.

Capital One Data Breach: How Impacted Users Can Stay More Secure

Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target to carry out large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers, and more.

According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed command execution on a server that granted access to data in Capital One’s storage space at Amazon. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”

This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:

  • Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
  • Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.

Apple’s Siri Eavesdrops on Customers

Consumer audio recorded by Apple’s Siri platform has been shared with external contractors.

A whistleblower working as a contractor revealed that the company’s digital voice assistant software records audio collected by consumer devices–including iPhones, Apple Watches, and HomePods–and shares it with external contractors. The recordings contained potentially sensitive information.

“A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple’s strict confidentiality requirements,” Apple told the Guardian, which broke the story. 

Apple’s customer-facing privacy policy does not explicitly say that recordings from devices could be shared with contractors, which raises concerns for privacy and consumer advocates.

“Amazon and Google allow users to opt out of some uses of their recordings; Apple offers no similar choice short of disabling Siri entirely,” wrote Alex Hern for the Guardian.

Privacy concerns about the practice are compounded by the fallibility of Apple’s voice recognition software. The phrase “Hey, Siri” can be triggered by other sounds and words. Siri is also activated in Apple Watches when the user raises their wrist and speaks.  

News about Apple’s overshare followed on the heels of news about Google’s virtual assistant software

Apple has recently attempted to distance itself from Google and other IoT devices with ad campaigns directly targeting their competitors as less privacy-friendly.

Read more here

The post Apple’s Siri Eavesdrops on Customers appeared first on Adam Levin.

Cyber News Rundown: Hackers Expose US Colleges


Vulnerability Exposes Dozens of U.S. Colleges

At least 62 U.S. colleges have been compromised after an authentication vulnerability was discovered by hackers, allowing them to easily access user accounts. At several of the compromised colleges, officials were tipped off after hundreds of fraudulent user accounts were created within a 24-hour period. The vulnerability that was exploited stemmed from a Banner software program that is very widely used by educational institutions; however, many colleges had already patched the flawed software versions and so were unaffected.

Data Breach Affects Lancaster University Applicants

Officials recently announced that a data breach compromised the personal records of all 2019 and 2020 applicants of Lancaster University. Additionally, some applicants have been receiving fraudulent tuition invoices, which the University recommends recipients delete immediately. The breach occurred sometime on Friday, and University officials quickly began contacting the affected parties and securing their IT systems.

Facebook to Pay $5 Billion in FTC Fines

Nearly a year after the Cambridge Analytica discovery, the FTC has issued a record fine of $5 billion to be paid by Facebook in recompense for their deceitful use of the private information of their hundreds of millions of users. The staggering sum Facebook must pay sets a strong incentive for all industries to handle their customers’ sensitive data with the appropriate security and care, and also to address follow-up actions in the wake of a breach more adequately than Facebook did.

Remote Android Trojan Targets Specific Victims

A new remote-access Trojan, dubbed Monokle, has been spotted working through the Android™ community with a laundry list of dangerous capabilities, most of which are designed to steal information from the infected devices. To make Monokle even more dangerous, it can also install trusted certificates that grant it root level access and near total control over the device.

Fake Browser Update Distributes TrickBot

As TrickBot continues its multi-year streak of mayhem for computer systems and sensitive information, criminals created a new set of fake updates for the Google™ Chrome and Mozilla™ Firefox browsers that would push a TrickBot download. The updates appear to have originated at a phony Office365 site that does give users a legitimate link to a browser download, though it quickly prompts the user to install an update which installs the TrickBot executable.

The post Cyber News Rundown: Hackers Expose US Colleges appeared first on Webroot Blog.

Push Notifications 101: Security Risks and How to Disable Them Across Devices

We’re all acquainted by now with push notifications, since most browsers, websites, and apps are using this form of marketing as a way of getting more ‘in your face’. While push notifications per se are not a bad idea (when used sparingly), I think we can all agree that they tend to overdo it.

If a few years ago you could confidently click on a link, open a page and read or watch what you came there to see, nowadays you can’t. First, you need to click to accept cookies or a GDPR agreement, then click a few more times to close all the other pop-ups and ads which stream forth.


Usually, this is enough to get rid of them. Just go through the 5-6 clicks routine and then the view clears up. But lately, push notifications emerged and started being more and more widely used. Unfortunately, these are harder to get rid of once they start pouring in.

Even more troubling, push notifications are not just annoying and intrusive when unrequested. They can also carry dangerous malware. The purpose of malware hidden in push notifications is either to deliver a flood of more ads (malvertising, such as the recent SundownEK campaign) or to actually help hackers break into your accounts and steal your money, data or identity.

Serious Concerns about Malware in Push Notifications


As recently as last month, a new strain of Android Trojan malware was putting serious pressure on mobile phone users by delivering malvertising campaigns. The malware, dubbed Android.FakeApp.174, was delivered by multiple fake apps imitating legit apps. Those were taken down from the Google App Store once the malware was discovered, but the infection already spread by then.

The push notifications that just kept coming and coming were so aggressive that they eventually took over users’ phones. So much of the system’s resources were used for displaying these ads, that no bandwidth remained for using the device for its intended purposes.

This type of advertising deluge is typical for malvertising campaigns. This refers to the type of malware that keeps pushing advertising onto users, regardless of the fact that users will not be persuaded by the ads since they are so annoying. The purpose is not for you to be convinced by the ads, but for the hackers to exploit a pay-per-view advertising program. They earn money just by having their ads displayed, and they created the malvertising hack just to cheat the system and make more money with their unstoppable spam. If they can also steal some data while they’re at it, all the better.

In the case of the Android.FakeApp.174 malware I mentioned above, the purpose of the campaign was not to just flood users with malvertising, but also to direct them towards scam websites. This way, some users even fell for scams and entered sensitive info on phishing forms which were mimicking legit email and banking service sites.

Classic PCs were also targeted by similar campaigns in the past. A notorious piece of malware redirected users’ browsing to the Push-notification.tools site (link sanitized for your safety). This is what the Push-notification virus redirect looked like:


Basically, the malware was blocking all the content you wanted to browse with this pop-up asking you to click ‘Allow’. If you succumbed to it, you were giving the malware a free pass to deliver all kinds of spam to your desktop, even when the browser was closed.

Usually, this type of malware first enters your computer when you download ‘free’ software (pirated or cracked) from torrents and other sources of pirated content. You’ll get a malware ‘bonus’ especially in packages containing multiple pieces of software. One more reason to stay away from illegitimate content.

How to Review Push Notifications in Browsers (and Remove Them)

Are you getting suspicious push notifications and you’re unsure of whether they are malware or not? Or, even if you’re sure they’re not malware, you’d like to take back the permissions and you don’t know how?

Don’t worry, removing push notifications (when they are legit) is very easy. Here is how. (For malicious push notifications, things can be more complicated and I’ll discuss it in more detail below).

For Google Chrome, just go to Settings / content / notifications, or directly copy-paste this link into the browser address: chrome://settings/content/notifications?search=notifications

This will reveal the list of websites you allowed to send you push notifications, as well as the list of websites you blocked push notifications from. If you see one you don’t remember approving or wish to take back permission from, just click the vertical dots bar for that domain and select ‘Remove’.

For Mozilla Firefox, the process is almost identical. Go to Settings / content / notifications and you can see all the websites you allowed such pop-ups from. You can also select a No Notifications default option in Mozilla, if you want.

For Safari / Opera / other browsers, you can also easily find the path to reviewing push notifications in your browser settings. Just look around or drop me a question if you can’t find it.

What about Ad Blockers?

Some users opt for ad blockers in an attempt to simplify their digital life. They just install a browser extension and stop seeing ads, for good. This is legit and safe, so if that’s what you want to do, go ahead and install the Adblock Plus extension, for example.

However, in my opinion, this is not the way to go. First of all, push notifications can be useful, when you’re actually getting those you are interested in. You just need to review permissions from your browser and restrict the list to stuff you really want to find out about.

Second of all, ad blockers also hide all on-page ads, some of which can have value for you as well. I know that some ads can be annoying, especially when persistent. But some can also remind you of some item you’ve seen and postponed buying, etc. Personally, I do enjoy ads sometimes for their reminder value, or for helping me discover new things I might be interested in. Still, this is a matter of preference, so it’s entirely up to you.

How to Get Rid of Malicious Push Notifications


A typical malicious pop-up meant to scare you into downloading yet more malware.

Here are the typical signs that the ads (push notifications) you are getting are malicious (caused by a malware infection):

  • Ads appear even in places where they shouldn’t (like your desktop, even when the browser is closed)
  • The browser home page changes without your permission
  • The websites you used to visit without issues are now not displaying properly, or you get redirected to another address
  • You get pop-ups which are advertising fake software or updates, or warnings that you are infected, followed by prompts to install a specific clean-up tool (DON’T!)
  • You see apps and programs installed on your device (with shortcuts and everything) that you don’t remember installing

If you experience anything from the list above, there’s a high chance that you were infected with malicious push notifications.

Unfortunately, there isn’t a quick one-size-fits-all fix, since there are different types of malware out there. Your best bet is to check your browser’s list of allowed push notifications and disable everything that doesn’t look familiar. All of them, if need be.

Then, scan your PC and clean it up with professional anti-malware software.

If you’d like to try our complete cybersecurity suite for home use (containing both reactive and proactive layers of security), here’s a month on the house.

Final Advice

To prevent infections with malicious push notifications and to keep your browsing experience as clean as possible, it’s best to be cautious.

Keep the list of websites from which you accept push notifications short. A few of your favorites are enough; if you’re interested to see updates from the other portals, you can always enter them at your own pace, right? (Of course, I hope that if you enjoy this blog and our content, you will accept push notifications from us.) 🙂

Also, don’t venture online unprotected. Keep your devices secured with a reputable cybersecurity product so you don’t get infected even if you do come across an infected link or file.

Stay safe and don’t hesitate to leave a comment if you have a question or some experience with push notifications worth sharing.

The post Push Notifications 101: Security Risks and How to Disable Them Across Devices appeared first on Heimdal Security Blog.

Out from the Shadows: The Dark Web

Reading Time: ~ 4 min.

You’ve likely heard of the dark web. This ominous sounding shadow internet rose in prominence alongside cryptocurrencies in the early 2010s, eventually becoming such an ingrained part of our cultural zeitgeist that it even received its own feature on an episode of Law & Order: SVU. But as prominent as the dark web may be, few average internet users can properly explain what it is and the cyber threats it provides a haven for. Let’s step back from the pop culture mythos and dive into what makes the dark web so dark.


Open Web, Deep Web, and Dark Web: Know the Difference

The open web, or surface web, is the internet we use every day. This includes all the web content that can be found through search engines and is accessed by traditional web browsers. You might find it surprising that the open web accounts for just 5% of the internet. The rest is made up of the deep web.

The deep web is the section of the internet that is not indexed by search engines and cannot be found through traditional search methods. This means that the only way to access deep web content is through a direct URL. While rumors about the deep web make it seem as if it is used exclusively for nefarious purposes, content on the deep web is often banal. It largely consists of school and university intranet systems, email and banking portals, internal sites for businesses and trade organizations, and even things like your Netflix or Hulu queues. Nothing to be afraid of there.

While the dark web is technically a part of the deep web, it takes anonymity a step further by using overlay networks to restrict access, which often attracts users engaged in illicit activity. These networks require special anonymizing software to grant users access; the largest and most famous of these is Tor. Tor stands for “The Onion Router,” which refers to its “onion routing” technique of using encapsulated layers of encryption to ensure privacy. Tor websites are most easily recognized by their “.onion” domains, and by the fact that they cannot be accessed through traditional web browsers. You may have heard stories about the NSA trying to shut Tor down, but don’t expect the service to go away soon. It has funding from high places, with a recent FOI request revealing that one of Tor’s largest financial contributors has long been the U.S. State Department—likely to offer encrypted communication options for State Department agents working in the field.
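To make “encapsulated layers of encryption” concrete, here is a small simulation of onion routing. It is an added example written for this page, not code from Tor or from Webroot: the client wraps a message once per relay, innermost layer first, and each relay strips exactly one layer, learning only which hop comes next. The relay names, the shared keys and the SHA-256-based toy stream cipher are all constructed for the demonstration; real Tor uses negotiated per-hop keys and AES in a far more careful construction, so treat the cipher here as a stand-in that shows the layering, nothing more.

```python
import hashlib
import os

HOP_FIELD = 16  # fixed-width field naming the next hop inside each layer (toy framing)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256: a stand-in for the real per-hop cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer: nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(16)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Remove one layer. A wrong key yields garbage rather than an error."""
    nonce, body = blob[:16], blob[16:]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def build_onion(route, destination: str, message: bytes) -> bytes:
    """route: [(relay_name, key shared with that relay), ...] from first hop to exit.
    The client encrypts for the exit first, then wraps that blob for each earlier
    relay, so every relay can peel its own layer and see only the next hop."""
    if len(destination) > HOP_FIELD:
        raise ValueError("destination too long for the toy header")
    blob = wrap(route[-1][1], destination.ljust(HOP_FIELD).encode() + message)
    for (_, key), (next_name, _) in zip(reversed(route[:-1]), reversed(route[1:])):
        blob = wrap(key, next_name.ljust(HOP_FIELD).encode() + blob)
    return blob


def relay(key: bytes, blob: bytes):
    """What one relay does: peel its layer, read the next hop, forward the rest."""
    plain = unwrap(key, blob)
    return plain[:HOP_FIELD].decode(errors="replace").strip(), plain[HOP_FIELD:]


def run_circuit(route, onion: bytes):
    """Push the onion through the relays in order.
    Returns (final destination, delivered message, what each relay learned)."""
    learned = []
    next_hop, blob = None, onion
    for name, key in route:
        next_hop, blob = relay(key, blob)
        learned.append((name, next_hop))
    return next_hop, blob, learned


if __name__ == "__main__":
    # Constructed circuit: three relays with keys the client shares with each.
    circuit = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    onion = build_onion(circuit, "example.com", b"hello from the client")
    dest, msg, learned = run_circuit(circuit, onion)
    print("delivered to:", dest, "| message:", msg)
    for name, saw in learned:
        print(f"{name} learned only that the next hop is {saw}")
```

The run shows the privacy property the post alludes to: the guard sees the client but only the middle relay’s name, the middle relay sees neither endpoint, and only the exit sees the destination and the message. Because every layer is peeled in turn, a single relay (or someone holding one relay’s key) cannot read past its own layer.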

Is the Dark Web Illegal?

The dark web isn’t inherently illegal—the illegality comes from how it can be used. Darknet markets, such as the infamous and now defunct original Silk Road, showcase how thin the line is between legal and illegal dark market activities. As long as what you are purchasing is legal, using a darknet market is as lawful as making a purchase from any other online retailer. But buying illicit drugs or human organs? Yeah, that’s definitely illegal. 

Although not as remarkable as some of the more grotesque items available, one of the most commonly found items for sale on the dark web is data. With a reported 281 data breaches in just the first quarter of 2019, we have already seen 4.53 billion records exposed this year alone. That’s potentially more than 4 billion chances for hackers to profit off the victimization of strangers, and a majority of them will use the dark web to do so. We have seen several high-profile data breaches resurface on the dark web—Equifax, Canva, Under Armour, and Evite all recently had their user data available for sale on darknet markets.

The Dark Web and Malware-as-a-Service

Beyond selling your data, the dark web can be used to harvest it as well. Webroot Security Analyst Tyler Moffitt explains this growing threat:

“Anyone can create malware in today’s landscape where the dark web is very accessible,” says Moffitt. “There are ransomware services on .onion links that will allow you to input just a few bits of information, like a bitcoin address, desired ransom, late fees, etc., and unique binaries are generated to distribute however they like. The only ‘catch’ is that the portal creator usually takes a cut (around 30%) for any ransom payments made.”

These malware-as-a-service attacks mean that an attacker doesn’t even need to know how to execute one; they just need to know how to navigate to the portal. Therein lies the largest dark web danger for many consumers—anonymized cyberattacks available at the click of a mouse.

Keeping Your Data Off the Dark Web

Like a hydra with its multiple heads, black markets will likely never be wiped out. When you shut one down, two more will pop up. Darknet markets are just their newest evolution. While you can’t expect to see this threat disappear anytime soon, you can take steps to keep your data secure and off the dark web.

Using an up-to-date antivirus solution will help stop malware from scraping your data for sale on the dark web. You can also lock your credit (called freezing) to help prevent new credit lines from being opened without additional information. Another recommendation is avoiding public WiFi without a VPN, as it leaves you susceptible to a man-in-the-middle (MITM) attack. Even with these precautions, a breach may still occur. Keeping your sensitive accounts secured with a trusted password manager can also help prevent cyber attacks from spreading beyond their breach point.

Follow us on Facebook and Twitter to stay up to date on the latest threats to your online security and privacy.

The post Out from the Shadows: The Dark Web appeared first on Webroot Blog.

Cyber News Rundown: Evite Data Breach

Reading Time: ~ 2 min.

Over 100 Million Accounts Exposed in Evite Breach

More than 100 million users of Evite were exposed after the company’s servers were compromised earlier this year. While the company doesn’t store financial information, plenty of other personally identifiable information was found in the leaked database dump. The initial figures for the breach were thought to be much lower, as a separate dump of 10 million Evite users was found on an underground marketplace around the time the company discovered the unauthorized access, though that site was shut down soon after.

American Express Suffers Phishing Attack

Many American Express customers recently fell victim to an email phishing attack that used the uncommon tactic of hiding the URL domain when hovering over the hyperlink. The attack itself, which asks the victim to open a hyperlink to verify their personal information before re-routing them to a malicious site, was, as is typical, full of spelling and grammar mistakes. The phishing landing page, though, looks nearly identical to the real American Express site and even has a drop-down list to catch multiple types of user accounts.
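The tactic described above works because what a link shows and where it goes are two different things. The following added example (written for this page, not Webroot’s or American Express’s code) is the kind of check a mail filter or a curious reader can run on an HTML message: it collects every link, compares the href’s domain with the sender’s domain and with any URL written in the link text, and flags links that carry inline mouse-event handlers, since those are what a message needs in order to tamper with the hover display. The sample message, the domains in it and the crude two-label domain comparison are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect each <a> with its href, its visible text and any inline event
    handler attributes (onmouseover and friends) present on the tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            handlers = [k for k in attrs if k.lower().startswith("on")]
            self._open = {"href": attrs.get("href") or "", "text": "", "handlers": handlers}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for a demonstration; real mail
    filtering should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html_body: str, sender_domain: str) -> list:
    """Return (href, visible text, reasons) for every link that does not go where it appears to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for link in parser.links:
        href_host = urlsplit(link["href"]).hostname or ""
        reasons = []
        if registrable(href_host) != sender_domain.lower():
            reasons.append(f"href leaves {sender_domain} for {href_host or '(no host)'}")
        shown = re.search(r"https?://([^\s/]+)", link["text"])
        if shown and registrable(shown.group(1)) != registrable(href_host):
            reasons.append("visible URL text names a different domain than the href")
        if link["handlers"]:
            reasons.append("link carries inline event handlers: " + ", ".join(link["handlers"]))
        if reasons:
            findings.append((link["href"], link["text"].strip(), reasons))
    return findings


# Constructed sample message (not a real American Express email): one legitimate
# link and one that displays the bank's URL while pointing at another domain.
SAMPLE_EMAIL = """
<p>Dear Cardmember, please <a href="https://www.americanexpress.com/">sign in</a>.</p>
<p>Verify now: <a href="https://secure-verify.example/amex"
   onmouseover="return false;">https://www.americanexpress.com/verify</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "americanexpress.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

The legitimate “sign in” link produces no findings; the “verify” link trips all three checks. In practice the first check (href domain versus sender domain) catches most of these messages on its own, which is why reading the real destination rather than the displayed text is the advice that survives every variation of this trick.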

NHS Worries Over XP Machines

Over five years after Microsoft officially ceased support for Windows XP, the UK government has revealed that over 2,000 XP machines are still being used by its National Health Service (NHS). Even after becoming one of the largest targets of the 2017 WannaCry attacks, the NHS has been incredibly slow to roll out both patches and full operating system upgrades. While the number of affected systems is small next to the 1.4 million computers under its control, the NHS is working to get all of them upgraded to Windows 10.

Google Defends Monitoring of Voice Commands

Following a media leak of over 1,000 voice recordings, Google is being forced to defend their policy of having employees monitor all “OK Google” queries. After receiving the leaked recordings, a news organization in Belgium was able to positively identify several individuals, many of whom were having conversations that shouldn’t have been saved by the Google device in the first place. The company argues that they need language experts to review the queries and correct any accent or language nuances that may be missing from the automated response.

Monroe College Struck with Ransomware

All campuses of Monroe College were affected by a ransomware attack late last week that took down many of their computer systems. The attackers then demanded a ransom of $2 million, though it doesn’t appear that the college will cave to such exorbitant demands. Currently, the college’s systems are still down, but officials have been working to contact affected students and connect them with the proper assistance with finishing any coursework disrupted by the attack.

The post Cyber News Rundown: Evite Data Breach appeared first on Webroot Blog.

Downloaded FaceApp? Here’s How Your Privacy Is Now Affected

If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking elderly. That’s because FaceApp, an AI face editor that went viral in 2017, is making a major comeback with the so-called FaceApp Challenge — where celebrities and others use the app’s old age filter to add decades onto their photos. While many folks have participated in the fun, there are some concerns about the way that the app operates when it comes to users’ personal privacy.

According to Forbes, over 100,000 million people have reportedly downloaded FaceApp from the Google Play Store and the app is the number one downloaded app on the Apple App Store in 121 different countries. But what many of these users are unaware of is that when they download the app, they are granting FaceApp full access to the photos they have uploaded. The company can then use these photos for their benefit, such as training their AI facial recognition algorithm. And while there is currently nothing to indicate that the app is taking photos for malicious intent, it is important for users to be aware that their personal photos may be used for other purposes beyond the original intent.

So, how can users enjoy the entertainment of apps like FaceApp without sacrificing their privacy? Follow these tips to help keep your personal information secure:

  • Think before you upload. It’s always best to err on the side of caution with any personal data and think carefully about what you are uploading or sharing. A good security practice is to only share personal data, including personal photos, when it’s truly necessary.
  • Update your settings. If you’re concerned about FaceApp having permission to access your photos, it’s time to assess the tools on your smartphone. Check which apps have access to information like your photos and location data. Change permissions by either deleting the app or changing your settings on your device.
  • Understand and read the terms. Consumers can protect their privacy by reading the Privacy Policy and terms of service and knowing who they are dealing with.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Downloaded FaceApp? Here’s How Your Privacy Is Now Affected appeared first on McAfee Blogs.

Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying

The past few weeks have proven to be wins for family safety with several top social networks announcing changes to their policies and procedures to reduce the amount of hateful conduct and online bullying.

Twitter: ‘Dehumanizing Language Increases Risk’

In response to rising violence against religious minorities, Twitter said this week that it would update its hateful conduct rules to include dehumanizing speech against religious groups.

“Our primary focus is on addressing the risks of offline harm, and research shows that dehumanizing language increases that risk . . . we’re expanding our rules against hateful conduct to include language that dehumanizes others based on religion,” the company wrote on its Twitter Safety blog.

Twitter offered two resources that go in-depth on the link between dehumanizing language and offline harm; both are worth reading and sharing with your kids. Experts Dr. Susan Benesch, Nick Haslam, and Michelle Stratemeyer define hate speech, talk about its various contexts, and advise on how to counter it.

Instagram: ‘This intervention gives people a chance to reflect.’ 

Instagram announced it would be rolling out two new features to reduce potentially offensive content. The first, powered by artificial intelligence, prompts users to pause before posting. For instance, if a person is about to post a cruel comment such as “you are so stupid,” the user will get a pop-up notification asking, “are you sure you want to post this?”

A second anti-bullying function new to Instagram is called “Restrict,” a setting that allows users to discreetly block bullies from seeing their account. Restrict is a quieter way to cut someone off from your content than blocking, reporting, or unfollowing, which could spark more bullying.

These digital safety moves by both Instagram and Twitter are big wins for families concerned about the growing amount of questionable content and bullying online.

If you get a chance, go over the basics of these new social filters with your kids.

Other ways to avoid online bullying:

Wise posting. Encourage kids to pause and consider tone, word choice, and any language that may be offensive or hurtful to another person, race, or gender. You are your child’s best coach and teacher when it comes to using social apps responsibly.

Stay positive and trustworthy. Coach kids around online conflict and the importance of sharing verified information. Encourage your child to be part of the solution in stopping rumors and reporting digital skirmishes and dangerous content to appropriate platforms.

Avoid risky apps. Apps like ask.fm that allow anonymity should be off limits. Kik Messenger, Yik Yak, Tinder, Down, and Whisper may also present risks. Remember: Any app is risky if kids are reckless with privacy settings, conduct, content, or the people they allow to connect with them.

Layer security. Use a comprehensive solution to help monitor screentime, filter content, and monitor potentially risky apps and websites.

Monitor gaming communities. Gaming time can skyrocket during the summer, and in a competitive environment, so can cyberbullying. Listen in on and monitor game-time conversations, and make every effort to help your child balance summer gaming time.

Make profiles and photos private. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying and online conflict.

The post Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying appeared first on McAfee Blogs.

Watch Your Webcam: Tips to Protect Your Mac From Zoom Hackers

You’ve probably heard of the popular video conferencing platform, Zoom. This platform enables its millions of users in various locations to virtually meet face to face. In an effort to enhance user experience and work around changes in Safari 12, Zoom installed a web server that allows users to enjoy one-click-to-join meetings. Unfortunately, a security researcher recently disclosed that this product feature acts as a flaw that could allow cybercriminals to activate a Mac user’s webcam without their permission.

How exactly does this vulnerability work? Cybercriminals are able to exploit a feature that allows users to send a meeting link directly to a recipient. When the recipient clicks on the link, they are automatically launched into the video conferencing software. If the user has previously installed the Zoom app onto their Mac and hasn’t turned off their camera for meetings, Zoom will auto-join the user to a conference call with the camera on. With this flaw, an attacker can send a victim a meeting link via email message or web server, allowing them to look into a victim’s room, office, or wherever their camera is pointing. It’s important to note that even if a user has deleted the Zoom app from their device, the Zoom web server remains, making the device susceptible to this vulnerability.

While the thought of someone unknowingly accessing a user’s Mac camera is creepy, this vulnerability could also result in a Denial of Service (DoS) attack by overwhelming a user’s device with join requests. And even though this flaw has been patched by Zoom, it’s important for users to realize that the update is not enforced by the platform. So, how can Zoom users avoid getting sucked into a potentially malicious call? Check out these security tips to stay secure on conference calls:

  • Adjust your Zoom settings. Users can disable the setting that allows Zoom to turn your camera on when joining a meeting. This will prevent a hacker from accessing your camera if you are sent a suspicious meeting link.
  • Update, update, update. Be sure to manually install the latest Zoom update to prevent DoS or other potential attacks. Additionally, Zoom will introduce an update in July that allows users to apply video preferences from their first call to all future calls. This will ensure that if a user joins their first meeting without video, this setting will remain consistent for all other calls.

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Watch Your Webcam: Tips to Protect Your Mac From Zoom Hackers appeared first on McAfee Blogs.

Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer

If you haven’t seen your kids in a few hours but can hear outbursts of laughter from a nearby room, chances are, they — along with millions of other kids — are watching YouTube. The popular digital video hub has more viewers than network television and soaks up more than 46,000 years of our collective viewing time annually. Chances are your kids will be part of the YouTube digital mosh pit this summer, but do you know the risks?

Types of screen time

The quality of online time for kids usually shifts during the summer months. For example, there’s active screen time and passive screen time. Knowing the difference between the two can help your family decide best how to balance device use — especially when it comes to consuming endless hours on YouTube.

Active screen time requires a person’s cognitive and/or physical engagement and develops social, language, or physical skills. Engaging in activities such as researching, creating original content, learning a new program, and playing educational games is considered active screen usage. Active screen time tends to go up during the school year and down in the summer.

Passive screen time is passively absorbing information via a screen, app, or game for entertainment reasons only. This includes scrolling through social networks, watching movies (binge watching), and watching YouTube videos. Little to no thought or creativity is required when a person engages in repetitious, passive screen activities.

According to a Common Sense Media study, children ages 8 to 12 spend nearly six hours per day using media, and teenagers average closer to nine hours a day (numbers don’t include school work). It’s safe to say that during the summer, these numbers climb even higher — as do the risks.

Here are a few ways to balance screen time and boost safety on YouTube this summer.

YouTube: 5 Family Talking Points

  • Explore YouTube. The best way to understand the culture of YouTube is to spend time there. Ask your kids about their favorite channels and what they like about them. Get to know the people they follow — after all, these are the people influencing your child. Here’s a sampling of a few top YouTubers: MattyBRaps (music), JoJoSiwa (music, dance), Brooklyn and Bailey (vlogs, challenges, music), Baby Ariel (challenges, vlog), Johnny Orlando (music), PewDiePie (comedy), Jacy and Kacy (crafts, challenges), Bethany Mota (shopping hauls), Grav3yardgirl (makeup), Smosh (comedy).
  • Respect age limits. YouTube is packed with humor, tutorials, pranks, vlogs, music, reviews, and endlessly engaging content. However, age limits exist for a good reason because the channel also has its share of dangerous content. The darker side of YouTube is always just a click away and includes sexual content, hate content, harassment and cyberbullying, violent and graphic content, and scams.
  • Turn on restricted mode. By turning on the restricted mode you can block videos with mature content from a user’s searches, related videos, playlists, and shows — this is a big deal since many “up next” videos (on the right side of the screen) are cued to play automatically and can lead kids to sketchy content. In addition to the restricted mode, consider an extra layer of protection with filtering software for all your family devices.
  • Opt for YouTube Kids. For kids under 13, YouTube Kids is a safe video platform, specially curated for young viewers. Kids may snub any platform designed “for kids,” however, if you are worried about younger kids running into inappropriate content, this is your best video option.
  • Discuss the ‘why’ behind the rules. As a parent, you know the possible ways YouTube — or other social platforms — can be harmful. Don’t assume your kids do. Kids are immersed in their peer groups online, which means danger and harm aren’t primary concerns. Even so, before you lecture kids about the dangers of YouTube, open up a dialogue around the topic by asking great questions. Here are just a few to get you started:

  • Do you understand why it’s important to filter YouTube content and respect age limits (inappropriate content, cyberbullying)?
  • Do you understand why unboxing and makeup videos are so popular (advertisers want you to purchase)?
  • Do you understand why we need to balance between screen time this summer? (mental, physical health)
  • Do you know why this piece of content might be fake or contain questionable information (conspiracy, hate, or political videos)?

As the public increasingly demands social networks do more to remove harmful or objectionable content, one thing is clear: Despite strides in this area by a majority of platforms, no online social hub is (or will likely ever be) 100% safe. The best way to keep kids safe online is by nurturing a strong parent-child connection and having consistent conversations designed to equip and educate kids about digital risks and responsibility.

The post Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer appeared first on McAfee Blogs.

Study: Fortnite Game Becoming the Preferred Social Network for Kids

According to a study recently released by National Research Group (NRG), the wildly popular video game Fortnite is growing beyond its intended gaming platform into a favored social network where kids go daily to chat, message, and connect.

The study represents the most in-depth study on Fortnite to date and contains essential takeaways for parents trying to keep up with their kids’ social networking habits. According to the NRG study, “Fortnite is the number one service teens are using, and audiences cite its social elements as the primary motivators for playing.”

The popular game now claims more than 250 million users around the world, and for its audience of teens (ages 10-17) who play at least once a week, Fortnite consumes about 25% of their free time, cites NRG, adding that “Fortnite presents a more hopeful meta-verse where community, inclusivity, creativity and authentic relationships can thrive.”

Summer gaming 

With school break now upon us, the NRG study is especially useful since screentime tends to jump during summer months. Here are some of the risks Fortnite (and gaming in general) presents and some tips on how to increase privacy and safety for young users who love this community.

Fortnite safety tips 

Activate parental controls. Kids play Fortnite on Xbox One, PlayStation 4, Nintendo Switch, and iOS. Parents can restrict and monitor playing time by going into the Settings tab of each device, its related URL, or app. Another monitoring option for PC, tablets, and mobile devices is monitoring software.

Listen, watch, learn. Sit with your kids and listen to and watch some Fortnite sessions. Who are they playing with? What’s the tone of the conversation? Be vocal about anything that concerns you and coach your child on how to handle conflict, strangers online (look at their friend list), and bullying.

Monitor voice chat. Voice chat is an integral part of Fortnite if you are playing in squads or teams. Without the chat function, players can’t communicate in real time with other team members. Voice chat is also a significant social element of the game because it allows players to connect and build community with friends anywhere. Therein lies the risk — voice chat also allows kids to play the game with strangers, so inappropriate conversation, cyberbullying, and grooming are all reported realities of Fortnite. Voice chat can be turned off in Settings and should be considered for younger tween users.

Scams, passwords, and tech addiction. When kids are having a blast playing video games, danger is far from their minds. Talk about the downside so they can continue to play their favorite game in a safe, healthy way. Discuss the scams targeting Fortnite users, the importance of keeping user names and passwords private (and strong), and the reasoning behind gaming screen limits.

Social networks have become inherent to kids’ daily life and an important way to form meaningful peer bonds. With new networks emerging every day such as Fortnite, it’s more important than ever to keep the conversation going with your kids about the genuine risks these fun digital hangouts bring.

The post Study: Fortnite Game Becoming the Preferred Social Network for Kids appeared first on McAfee Blogs.

Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online?

Take it down, please. 

The above is a typical text message parents send to kids when they discover their child has posted something questionable online. More and more, however, it’s kids who are sending this text to parents who habitually post about them online.

Tipping Point

Sadly — and often unknowingly — parents have become some of the biggest violators of their children’s privacy. And there’s a collective protest among kids that’s expressing itself in different ways. Headlines reflect kids reining in their parents’ posting habits and parents choosing to pull all photos of their kids offline. There’s also a younger generation of voices realizing the effect social media has had on youth, which could be signaling a tipping point in social sharing.

Ninety-two percent of American children have an online presence before the age of 2, and parents post nearly 1,000 images of their children online before their fifth birthday, according to Time. Likewise, in a 2017 UNICEF report, the children’s advocacy group called the practice of “sharenting” – parents sharing information online about their children – harmful to a child’s reputation and safety.

Digital Footprint

This sharenting culture has fast-tracked our children’s digital footprints, which often begin in the womb. Kids now have a digital birth date — the date of the first upload, usually a sonogram photo — in addition to their actual birth date. Sharing the details of life has become a daily routine, with many parents not thinking twice before sharing birthdays, awards, trips, and even more private moments such as bath time or potty training mishaps.

Too often, what a parent views as a harmless post, a child might see as humiliating, especially during the more sensitive teen years. Oversharing can impact a child’s emotional health as well as the parent-child relationship, according to a University of Michigan study.

Diminishing Privacy 

So how far is too far when it comes to the boundaries between public and private life? And, what are the emotional, safety, and privacy ramifications to a child when parents overshare? The sharenting culture has forced us all to consider these questions more closely.

Children’s diminishing privacy is on advocacy agendas worldwide. Recently, the UK Children’s Commissioner released a report called “Who Knows About Me?” that put a spotlight on how we collect and share children’s data and how this puts them at risk.

5 safe sharing tips for families

  1. Stop and think. Be intentional about protecting your child’s privacy. Before you upload a photo or write a post, ask yourself, “Do I really need to share this?” or “Could this content compromise my child’s privacy (or feelings) today or in the future?”
  2. Ask permission. Before publicly posting anything about your child, ask for his or her permission. This practice models respect and digital responsibility. If posting a group photo that includes other children, ask both the child’s consent and his or her parent’s.
  3. Keep family business private. Resist sharing too much about your family dynamic — good or bad — online. Sharing your parenting struggles or posting details about what’s going on with you and your child could cause embarrassment and shame and irreparably harm your relationship.
  4. Consider a photo purge. With your child’s wellbeing, safety, and privacy in mind — present and future — consider going through your social networks and deleting any photos or posts that don’t need to be public.
  5. Talk to kids about the freedom of expression. Every person who logs on to the internet can expect fundamental freedoms, even kids. These include the right to privacy, how our data is shared, and the freedom of expression online. Discuss these points with your children in addition to our collective digital responsibilities such as respect for others, wise posting, downloading legally, citing works properly, and reporting risky behavior or content.

When it comes to parenting, many of us are building our wings on the way down, especially when it comes to understanding all the safety implications around data privacy for children. However, slowing down to consider your child’s wellbeing and privacy with every post is a huge step toward creating a better, safer internet for everyone.

The post Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online? appeared first on McAfee Blogs.

The iOS Twitter Bug: 3 Tips to Protect Your Location Data

Many of us use social media to keep our family and friends up-to-date on our everyday lives. We don’t typically expect social media companies to keep their partners updated on our every move as well. But for some Twitter users, this is exactly the situation they’ve found themselves in. On Monday afternoon, the social media company disclosed a bug that resulted in some Twitter users’ locations being shared with an unnamed Twitter partner.

So, how exactly did this bug disclose the locations of certain Twitter users? The social network accidentally sent advertising partners location data for a process called real-time bidding. This process lets advertisers pay for ad space based on certain users’ locations. Twitter intended to remove the location data from what it sent to its partners but failed to do so. Affected users include those who had more than one Twitter account on an iOS device. If the user chose to share their precise location on one account, Twitter says it may have collected and shared data for the other account on the same mobile device even if that account had opted out of location sharing. Although the location data was “fuzzed” to show only a ZIP code or city, it is still unclear how long this location sharing took place.

According to Twitter, the location data was not retained by the partner and they have fixed the problem to ensure that it doesn’t happen again. And while affected users have already been notified by the social network, there are some steps users can take to help protect their data:

  • Turn off location services. While social media is meant for sharing, there is some information, like your location, that ought to be kept private. If a cybercriminal knows where you are at a specific point in time, they could potentially use that information to your disadvantage. Consider your overall privacy and opt out of sharing your location data with social media platforms.
  • Update, update, update. No matter what type of bug might be affecting a certain platform, it’s always crucial to keep your software up-to-date. Turning on automatic updates will ensure that you are always equipped with the latest patches and security fixes.
  • Use a comprehensive security solution. Using a solution like McAfee Total Protection helps to add an extra layer of security in case a bug does expose your device or data.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The iOS Twitter Bug: 3 Tips to Protect Your Location Data appeared first on McAfee Blogs.

Cyber News Rundown: FBI Phishing Scam

Reading Time: ~2 min.

“FBI Director” Phishing Campaign

A new email phishing campaign has been making its way around the web that claims to be from “FBI Director Christopher Wray,” who would love to assist with a massive wire transfer to the victim’s bank account. Unfortunately for anyone hoping for a quick payday, the $10 million check from Bank of America won’t be arriving anytime soon, unless they are willing to enter more personal information and send it to a Special FBI agent using a Yahoo email address. While most phishing campaigns use scare tactics to scam victims, taking the opposite approach of offering a large payout seems less likely to get results.

Magecart Skimming Script Works on Dozens of Sites

Following the many Magecart attacks of recent years, a new payment skimming script has been found that lets attackers compromise almost any online checkout page without customizing it for a specific site. The script currently works against 57 unique payment card gateways from around the world and injects both its loader and its exfiltration script when the keyword “checkout” appears in the page’s URL.

Scammers Target Google Search Ads

Scammers are now turning to Google Ads, posting fake phone numbers that pose as customer support for popular websites such as eBay and Amazon. The scammers often tell callers that there is something wrong with their account and ask for a Google Play gift card code before they will help. Because the ads look legitimate, callers are easily taken in by the phony numbers.

Citycomp Data Dumped After Blackmail Attempt

Shortly after discovering that their systems had been breached, Citycomp announced they would not be paying a ransom for a large chunk of stolen client data. Unfortunately for Citycomp, the hackers decided to make the data publicly available after not receiving their requested $5,000. Amongst the stolen data is financial and personal information for dozens of companies for which Citycomp provides infrastructure services, though this may be only an initial dump and not the entire collection.

Email Scam Robs Catholic Church of Over $1.7 Million

The Saint Ambrose Catholic Parish in Ohio recently fell victim to email scammers who took nearly $2 million from the church, which is currently undergoing a major renovation. The scammers targeted the monthly payments made by the church to its construction company, supplying “updated” bank details for the payments and sending plausible confirmations for each transfer. The church only became aware of the fraud when the construction company called to ask about two months of missing payments.

The post Cyber News Rundown: FBI Phishing Scam appeared first on Webroot Blog.

Cybersecurity for the Public Interest

The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there's no way to provide this capability without also weakening the security of every user of those devices and communications systems.

It's an impassioned debate, acrimonious at times, but there are real technologies that can be brought to bear on the problem: key-escrow technologies, code obfuscation technologies, and backdoors with different properties. Pervasive surveillance capitalism -- as practiced by the Internet companies that are already spying on everyone -- matters. So do society's underlying security needs. There is a security benefit to giving access to law enforcement, even though it would inevitably and invariably also give that access to others. However, there is also a security benefit of having these systems protected from all attackers, including law enforcement. These benefits are mutually exclusive. Which is more important, and to what degree?

The problem is that almost no policymakers are discussing this policy issue from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate. The result is both sides consistently talking past each other, and policy proposals -- that occasionally become law -- that are technological disasters.

This isn't sustainable, either for this issue or any of the other policy issues surrounding Internet security. We need policymakers who understand technology, but we also need cybersecurity technologists who understand -- and are involved in -- policy. We need public-interest technologists.

Let's pause at that term. The Ford Foundation defines public-interest technologists as "technology practitioners who focus on social justice, the common good, and/or the public interest." A group of academics recently wrote that public-interest technologists are people who "study the application of technology expertise to advance the public interest, generate public benefits, or promote the public good." Tim Berners-Lee has called them "philosophical engineers." I think of public-interest technologists as people who combine their technological expertise with a public-interest focus: by working on tech policy, by working on a tech project with a public benefit, or by working as a traditional technologist for an organization with a public benefit. Maybe it's not the best term -- and I know not everyone likes it -- but it's a decent umbrella term that can encompass all these roles.

We need public-interest technologists in policy discussions. We need them on congressional staff, in federal agencies, at non-governmental organizations (NGOs), in academia, inside companies, and as part of the press. In our field, we need them to get involved in not only the Crypto Wars, but everywhere cybersecurity and policy touch each other: the vulnerability equities debate, election security, cryptocurrency policy, Internet of Things safety and security, big data, algorithmic fairness, adversarial machine learning, critical infrastructure, and national security. When you broaden the definition of Internet security, many additional areas fall within the intersection of cybersecurity and policy. Our particular expertise and way of looking at the world is critical for understanding a great many technological issues, such as net neutrality and the regulation of critical infrastructure. I wouldn't want to formulate public policy about artificial intelligence and robotics without a security technologist involved.

Public-interest technology isn't new. Many organizations are working in this area, from older organizations like EFF and EPIC to newer ones like Verified Voting and Access Now. Many academic classes and programs combine technology and public policy. My cybersecurity policy class at the Harvard Kennedy School is just one example. Media startups like The Markup are doing technology-driven journalism. There are even programs and initiatives related to public-interest technology inside for-profit corporations.

This might all seem like a lot, but it's really not. There aren't enough people doing it, there aren't enough people who know it needs to be done, and there aren't enough places to do it. We need to build a world where there is a viable career path for public-interest technologists.

There are many barriers. There's a report titled A Pivotal Moment that includes this quote: "While we cite individual instances of visionary leadership and successful deployment of technology skill for the public interest, there was a consensus that a stubborn cycle of inadequate supply, misarticulated demand, and an inefficient marketplace stymie progress."

That quote speaks to the three places for intervention. One: the supply side. There just isn't enough talent to meet the eventual demand. This is especially acute in cybersecurity, which has a talent problem across the field. Public-interest technologists are a diverse and multidisciplinary group of people. Their backgrounds come from technology, policy, and law. We also need to foster diversity within public-interest technology; the populations using the technology must be represented in the groups that shape the technology. We need a variety of ways for people to engage in this sphere: ways people can do it on the side, for a couple of years between more traditional technology jobs, or as a full-time rewarding career. We need public-interest technology to be part of every core computer-science curriculum, with "clinics" at universities where students can get a taste of public-interest work. We need technology companies to give people sabbaticals to do this work, and then value what they've learned and done.

Two: the demand side. This is our biggest problem right now; not enough organizations understand that they need technologists doing public-interest work. We need jobs to be funded across a wide variety of NGOs. We need staff positions throughout the government: executive, legislative, and judiciary branches. President Obama's US Digital Service should be expanded and replicated; so should Code for America. We need more press organizations that perform this kind of work.

Three: the marketplace. We need job boards, conferences, and skills exchanges -- places where people on the supply side can learn about the demand.

Major foundations are starting to provide funding in this space: the Ford and MacArthur Foundations in particular, but others as well.

This problem in our field has an interesting parallel with the field of public-interest law. In the 1960s, there was no such thing as public-interest law. The field was deliberately created, funded by organizations like the Ford Foundation. They financed legal aid clinics at universities, so students could learn housing, discrimination, or immigration law. They funded fellowships at organizations like the ACLU and the NAACP. They created a world where public-interest law is valued, where all the partners at major law firms are expected to have done some public-interest work. Today, when the ACLU advertises for a staff attorney, paying one-third to one-tenth normal salary, it gets hundreds of applicants. Today, 20% of Harvard Law School graduates go into public-interest law, and the school has soul-searching seminars because that percentage is so low. Meanwhile, the percentage of computer-science graduates going into public-interest work is basically zero.

This is bigger than computer security. Technology now permeates society in a way it didn't just a couple of decades ago, and governments move too slowly to take this into account. That means technologists now are relevant to all sorts of areas that they had no traditional connection to: climate change, food safety, future of work, public health, bioengineering.

More generally, technologists need to understand the policy ramifications of their work. There's a pervasive myth in Silicon Valley that technology is politically neutral. It's not, and I hope most people reading this today know that. We built a world where programmers felt they had an inherent right to code the world as they saw fit. We were allowed to do this because, until recently, it didn't matter. Now, too many issues are being decided in an unregulated capitalist environment where significant social costs are too often not taken into account.

This is where the core issues of society lie. The defining political question of the 20th century was: "What should be governed by the state, and what should be governed by the market?" This defined the difference between East and West, and the difference between political parties within countries. The defining political question of the first half of the 21st century is: "How much of our lives should be governed by technology, and under what terms?" In the last century, economists drove public policy. In this century, it will be technologists.

The future is coming faster than our current set of policy tools can deal with. The only way to fix this is to develop a new set of policy tools with the help of technologists. We need to be in all aspects of public-interest work, from informing policy to creating tools, all building the future. The world needs all of our help.

This essay previously appeared in the January/February 2019 issue of IEEE Security & Privacy. I maintain a public-interest tech resources page here.

Google offers auto-delete option for location, web tracking history

Google has added a control option to users’ accounts that will allow them to instruct the company to auto-delete their location history, browsing and search data once a certain length of time has passed. “Choose a time limit for how long you want your activity data to be saved—3 or 18 months—and any data older than that will be automatically deleted from your account on an ongoing basis,” the company explained. The new control option … More

The post Google offers auto-delete option for location, web tracking history appeared first on Help Net Security.

Consumers care deeply about their privacy, security, and how their personal information is handled

65% of consumers are concerned with the way connected devices collect data. More than half (55%) do not trust their connected devices to protect their privacy and a similar proportion (53%) do not trust connected devices to handle their information responsibly, according to a survey by IPSOS Mori on behalf of the Internet Society and Consumers International. The survey was conducted in the United States, Canada, Japan, Australia, France and the United Kingdom. Connected devices … More

The post Consumers care deeply about their privacy, security, and how their personal information is handled appeared first on Help Net Security.

Cybercriminals targeting social media: Facebook and Instagram are becoming phishers’ favorites

Social media phishing, primarily Facebook and Instagram, saw the highest quarter-over-quarter growth of any industry with a 74.7 percent increase, according to the Vade Secure Phishers’ Favorites report for Q1 2019. While Facebook has been in the top 10 since the report’s inception, Instagram cracked the top 25 for the first time, taking the #24 spot on the Phishers’ Favorites list. With the headlines about Facebook storing hundreds of millions of user passwords in plain … More

The post Cybercriminals targeting social media: Facebook and Instagram are becoming phishers’ favorites appeared first on Help Net Security.

A wave of regulation is coming to the cryptocurrency economy

There is a concerning trend of cross-border crypto payments leaving U.S. exchanges and entering offshore and untraceable wallets, a CipherTrace report reveals. In the twelve months ending March 2019, crypto transfers from U.S. exchanges to offshore exchanges grew 21 points or 46 percent compared to the same period two years ago. Once these payments reach exchanges and wallets in other parts of the globe, they fall off the radar of U.S. authorities. This highlights a … More

The post A wave of regulation is coming to the cryptocurrency economy appeared first on Help Net Security.

Microsoft 365 updates for better enterprise data privacy

Microsoft has announced new privacy controls for Microsoft 365 enterprise customers: they will be able to revoke access to encrypted emails, block sensitive information from being shared or leaked when using Teams, use new data investigation capabilities, and improve compliance. These new features come at the same time as new steps to increase customers’ transparency and control over their data. “We’ve realized that customers want a simpler experience – information should be easier to find, … More

The post Microsoft 365 updates for better enterprise data privacy appeared first on Help Net Security.

How much does the average employee know about data privacy?

With the impacts and repercussions of the looming California Consumer Privacy Act (CCPA) on the minds of many privacy professionals, new research from MediaPRO shows more work is needed to train U.S. employees on this first-of-its-kind privacy regulation. MediaPRO’s 2019 Eye on Privacy Report reveals 46 percent of U.S. employees have never heard of CCPA, which sets specific requirements for the management of consumer data for companies handling the personal data of California residents. Passed … More

The post How much does the average employee know about data privacy? appeared first on Help Net Security.

Unprotected Database Exposed Details of Over 80 Million U.S. Households

Security researchers found an unprotected database stored on the cloud that contained detailed information of over 80 million U.S. households. vpnMentor’s Noam Rotem and Ran Locar discovered the unprotected database hosted on a Microsoft cloud server during the course of a web mapping project. When they peered inside, they found that the asset contained 24 […]… Read More

The post Unprotected Database Exposed Details of Over 80 Million U.S. Households appeared first on The State of Security.

United Airlines covers up seat cameras to respond to privacy concerns

United Airlines opted to cover every camera in entertainment systems embedded within the back of plane seats in response to privacy concerns.

On United Airlines planes, cameras can be found in the screen and entertainment units mounted in the back of the seats.

“A viral photo showing a camera in a Singapore Airlines in-flight TV display recently caused an uproar online.” reported BuzzFeed. “The image was retweeted hundreds of times, with many people expressing concern about the privacy implications. As it turns out, some seat-back screens in American Airlines’ premium economy class have them, too.”

In response to passengers’ privacy concerns, the airline decided to cover every camera in its entertainment systems, while pointing out that the cameras were never there to monitor passengers.

A company spokesman announced that the cameras will now be covered.

The company explained that the cameras were included with a view to possible future business and entertainment applications (e.g., gaming, video conferencing).

“As with many other airlines, some of our premium seats have in-flight entertainment systems that came with cameras installed by the manufacturer.” reads a United Airlines spokesperson’ statement. “None of these cameras were ever activated and we had no plans to use them in the future, however we took the additional step to cover the cameras. The cameras are a standard feature that manufacturers of the system included for possible future purposes such as video conferencing.” 

The company is using stickers to cover the cameras, including on all new premium seats.

Singapore Airlines was also recently criticized for cameras mounted beneath its seat-back screens and pointed at the passengers.

“These cameras on our newer IFE systems were provided by the original equipment manufacturers,” Singapore Airlines replied. “We have no plans to enable or develop any features using the cameras.”

Passengers and experts fear that facial recognition technology will be widely adopted in commercial aviation, for example to monitor individuals during boarding.

Pierluigi Paganini

(SecurityAffairs – United Airlines, privacy)

The post United Airlines covers up seat cameras to respond to privacy concerns appeared first on Security Affairs.

Attackers breached Docker Hub, grabbed keys and tokens

Docker, the company behind the popular container platform of the same name, announced late on Friday that it has suffered a security breach. There was no official public announcement. Instead, the company sent an alert to potentially affected customers and urged them to change their passwords and check their security logs. What happened? “On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,” the … More

The post Attackers breached Docker Hub, grabbed keys and tokens appeared first on Help Net Security.

A surprising number of used drives sold on eBay hold sensitive data

42% of used drives sold on eBay are holding sensitive data, with 15% containing personally identifiable information (PII), according to Blancco Technology Group. Conducted in conjunction with partner, Ontrack, the Blancco Technology Group study analyzed 159 drives purchased in the U.S., U.K., Germany and Finland. The information found included: A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial … More

The post A surprising number of used drives sold on eBay hold sensitive data appeared first on Help Net Security.

High Value Cryptocurrency Stolen by Hackers

Reading Time: ~2 min.

Hackers Breach Private Keys to Steal Cryptocurrency

A possible coding error allowed hackers to compromise at least 732 unique, improperly secured private keys used on the Ethereum blockchain. By exploiting these weak keys, hackers have stolen 38,000 Ether so far, worth over $54 million, though the true figure is likely much higher. While uncommon, such attacks show that the industry’s key-generation and key-storage practices have plenty of room for improvement.

Prominent Malware Reverse Engineer Faces Jail Time

The malware researcher Marcus Hutchins, who successfully reversed and stopped the WannaCry ransomware attacks in 2017, is facing up to six years of jail time for prior malware creation and distribution. Hutchins’ charges all tie back to his involvement in the creation of Kronos, a widespread banking Trojan that’s caused significant damage around the world.

Data Exposed for Thousands of Rehab Patients

Personally identifiable data belonging to nearly 145,000 patients of a Pennsylvania rehab facility has been found in a publicly available database. Following a Shodan search, researchers discovered the database, which contained roughly 4.9 million unique documents with information ranging from names and birthdays to the specific medical services provided and billing records, all of which could be used to steal the identities of these individuals.

Study Finds Password Security Still Lacking

After this year’s review of password security it may come as no surprise that the top five passwords still in use are simple and have remained at the top for some time. Using a list generated from past data breaches, researchers found the password “123456” was used over 23 million times, with similar variations rounding out the top five. Several popular names, sports teams, and bands like blink182 and Metallica are still in use for hundreds of thousands of accounts. While these passwords may be easy to remember, they are exceedingly simple to guess: anything drawn from a breach list, a dictionary or a name will fall to an offline attack almost immediately, regardless of how it looks. Stronger passwords should be long, built from several unrelated words or generated by a password manager, and never reused across sites.

Bodybuilding Site Breached through Phishing Campaign

The website bodybuilding.com has announced that it was the victim of a data breach stemming from an email phishing campaign in July 2018 that could affect many of the site’s customers. Fortunately, the site doesn’t store full payment card data, and the data it does store is only kept at the customer’s request, leaving little for the attackers to actually use. The site also forced a password reset for all users and issued a warning about suspicious emails purporting to come from bodybuilding.com, noting they may be part of another phishing campaign.

The post High Value Cryptocurrency Stolen by Hackers appeared first on Webroot Blog.

The strengths and weaknesses of different VPN protocols

One in four internet users use a VPN regularly, but how much does the average user know about what goes on behind the software?

Pulling back the curtain, a VPN runs on various VPN protocols that govern the way a VPN client communicates with a VPN server. Different protocols create different ways that connect your device and the internet through encrypted tunnels.

The history of VPN protocols dates back to 1996, when the Point-to-Point Tunneling Protocol (PPTP), developed by a vendor consortium led by Microsoft, first shipped. The protocol, though far from perfect, allowed people to work from home through an encrypted tunnel over the internet.

Since then, VPN protocol technology has evolved and, at the moment, there are five widely used VPN protocols. A breakdown of these five VPN protocols complete with their pros and cons is key to understanding VPN protocols in depth.

1. PPTP

As noted above, the Point-to-Point Tunneling Protocol was the first to be developed, and it is over 20 years old. It carries Point-to-Point Protocol (PPP) frames inside a GRE tunnel, with authentication handled by MS-CHAP and encryption by Microsoft Point-to-Point Encryption (MPPE). In practice, that means it only needs a username, password, and server address to create a connection.

Most devices support PPTP, and because it is so easy to set up it remains popular among VPN companies. PPTP is fast, and as a result people who want to circumvent geo-restricted content prefer the protocol.

However, the speed comes at the cost of security. Of all the protocols, PPTP has the weakest encryption: MPPE uses RC4 with keys derived from the user’s password through MS-CHAPv2, and MS-CHAPv2 itself was shown in 2012 to reduce to a single DES key search, so an attacker who captures the handshake can recover the credentials and decrypt the tunnel. Microsoft itself recommends that people stay away from PPTP with MS-CHAPv2 because, from a security standpoint where encryption is key, it is extremely unsafe.

That said, if speed is your only concern and you are prepared to treat the tunnel as effectively unencrypted, PPTP will do the job; it should not be used for anything that needs confidentiality.

Pros

  • Super-fast
  • Easy to set up and use
  • Nearly all platforms support the protocol

Cons

  • Weakest encryption of the five protocols (RC4 via MPPE), with keys derived from the user’s password
  • MS-CHAPv2 authentication can be cracked from a captured handshake
  • Even Microsoft recommends against using it
  • Relies on GRE (IP protocol 47) alongside TCP port 1723, so it is trivially blocked and needs NAT devices that understand GRE

2. OpenVPN

First released in 2001, OpenVPN has become one of the most popular and widely used VPN protocols. It is open source, which means anyone can scrutinize the source code for vulnerabilities, contribute fixes, and have identified issues addressed quickly.

OpenVPN uses TLS (via OpenSSL or mbed TLS) for its control channel, and it is available on nearly all platforms, including Windows, Linux, iOS, Android, macOS, BlackBerry, and routers. It can operate at Layer 2 (a tap device carrying Ethernet frames, and with them IPX and NetBIOS traffic) or at Layer 3 (a tun device carrying IP packets), and, depending on the setup, it can run over TCP port 443 and share that port with an HTTPS server so that it is hard to tell apart from ordinary web traffic.

OpenVPN is regarded as very secure, but the commonly quoted figures (a 160-bit SHA1 HMAC, AES with 256-bit keys, 2048-bit RSA certificates) describe one typical configuration rather than the protocol itself: the control channel negotiates a TLS cipher suite, and the data-channel cipher and HMAC are chosen by the administrator. Current releases default to AEAD ciphers such as AES-256-GCM, and SHA1 and 2048-bit RSA are better replaced by SHA-256 and ECDSA or larger RSA keys.

That said, OpenVPN has a significant weakness: higher latency and lower throughput than kernel-based alternatives, because every packet is encrypted in a user-space process and, when run over TCP, the client’s TCP streams are nested inside another TCP connection. Running over UDP rather than TCP and using an AEAD cipher on hardware with AES acceleration narrows the gap considerably.

Pros

  • Secure
  • Easily bypasses firewalls when run over TCP port 443
  • Supports a variety of cryptographic algorithms
  • It is open-source which means it’s easy to vet
  • Supports Perfect Forward Secrecy

Cons

  • Needs third-party client software, since no major operating system has it built in
  • It can be difficult to configure
  • Potentially higher latency periods
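As an added example that is not part of the original article or of the OpenVPN project, the server configuration fragment below shows the legacy settings behind the “SHA1 / AES-256 / RSA-2048” description beside a hardened equivalent, including the port-443 sharing arrangement mentioned above. The hostnames, file names and the 8443 port-share target are placeholders.

```conf
# --- Legacy settings, left here commented out for comparison. They are what an
#     old install's "SHA1 / AES-256 / RSA-2048" description usually maps to and
#     are weak or deprecated today ---
# proto udp
# port 1194
# cipher AES-256-CBC        # CBC mode: no built-in integrity, depends entirely on 'auth'
# auth SHA1                 # HMAC-SHA1 packet authentication
# dh dh2048.pem             # finite-field DH for key agreement
# tls-auth ta.key 0         # authenticates the control channel but does not encrypt it

# --- Hardened server settings ---
proto tcp                     # TCP so the server can sit on 443 beside HTTPS
port 443
port-share 127.0.0.1 8443     # non-OpenVPN connections on 443 are passed to a local
                              # web server (assumed to be listening on 8443)
dev tun                       # Layer 3 (routed) tunnel; 'dev tap' would bridge Layer 2 frames
topology subnet
server 10.8.0.0 255.255.255.0 # placeholder client address pool

ca ca.crt
cert server.crt               # assumed to be an ECDSA (P-384) server certificate
key server.key
dh none                       # no finite-field DH; use ECDH instead
ecdh-curve secp384r1

tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384   # ECDHE gives perfect forward secrecy
tls-crypt tc.key              # encrypt *and* authenticate the control channel (replaces tls-auth)
remote-cert-tls client        # reject a peer presenting a server certificate (blocks a
                              # client-to-client man-in-the-middle with a stolen client cert)

data-ciphers AES-256-GCM:AES-128-GCM   # AEAD data channel, negotiated with the client (2.5+)
auth SHA256                   # used for tls-crypt and for any non-AEAD fallback
reneg-sec 3600                # re-key the data channel hourly

user nobody                   # drop privileges after the tunnel is up
group nogroup
persist-key
persist-tun
verb 3
```

Running over TCP is what makes the 443 camouflage possible, but it is also the source of the TCP-in-TCP latency penalty described above; where blending in with HTTPS is not required, `proto udp` on a high port performs better. `data-ciphers` requires OpenVPN 2.5 or later; on 2.4 use `ncp-ciphers` with the same value.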

3. L2TP/IPsec

To understand the Layer 2 Tunneling Protocol (L2TP), it helps first to mention Layer 2 Forwarding (L2F). Cisco developed L2F at around the same time as PPTP in an effort to address PPTP’s flaws, but L2F wasn’t perfect either.

Therefore, in 1999, the IETF published L2TP (RFC 2661) as an improvement on both PPTP and L2F. L2TP combines the best of L2F and PPTP to provide a more reliable tunneling protocol.

However, note that L2TP is simply a tunneling protocol and provides neither encryption nor privacy. Because of this, L2TP cannot function as a secure protocol on its own and must be paired with IPsec, which supplies the authentication, integrity protection and encryption. Bundling L2TP with IPsec leads to what is known as double encapsulation.

In double encapsulation, the PPP frames carrying the user’s traffic are first wrapped in L2TP over UDP (port 1701) to reach the remote host, and that UDP datagram is then wrapped a second time in an IPsec ESP packet (typically in transport mode), which is what provides the encryption and integrity protection.

IPsec supports AES-256, one of the strongest ciphers available, and because every packet carries an integrity check it prevents data from being altered in transit between sender and receiver. Protection against a man-in-the-middle, however, depends on the authentication step: both ends must authenticate with certificates or a pre-shared key that an attacker cannot obtain, and a pre-shared key published on a provider’s website gives no such guarantee.

Bear in mind that, because of the double encapsulation, the protocol is slower. Moreover, L2TP/IPsec uses a fixed set of ports and protocols (UDP 500 and 4500 for IKE and NAT traversal, ESP, and UDP 1701 for L2TP), which makes it easy to block.

Pros

  • Secure according to most
  • Works in almost all platforms
  • Easy to set up
  • IPsec processing is done in the operating-system kernel, which helps performance

Cons

  • Both the Snowden documents and John Gilmore have suggested that the NSA may have deliberately weakened IPsec, which means it could be compromised.
  • Firewalls can easily block it because it uses fixed UDP ports and the ESP protocol.
  • Slower than OpenVPN due to double encapsulation

4. SSTP

Secure Socket Tunneling Protocol (SSTP) is similar in spirit to OpenVPN: it carries PPP frames inside a TLS connection on TCP port 443. The main difference is that it is Microsoft’s own protocol, introduced with Windows Vista SP1.

Like OpenVPN, SSTP supports AES 256-bit encryption, and it uses 2048-bit SSL/TLS certificates for authentication. The protocol is native to Windows; Linux, BSD, Android and iOS only have support through third-party clients.

Pros

  • Provides support for a wide range of cryptographic algorithms
  • Supports Perfect Forward Secrecy
  • Easy to use especially because the protocol is already integrated into Windows

Cons

  • Does not do as well on other systems as it does on Windows
  • The Windows implementation is closed source and cannot be independently audited (Microsoft has published the protocol specification, but not the code)
  • Always runs over TCP, so it inherits the TCP-in-TCP performance problems noted for OpenVPN in TCP mode

5. IKEv2

Internet Key Exchange version 2 (IKEv2) is the key-exchange and authentication protocol of the IPsec suite: it negotiates the security associations that IPsec ESP then uses to carry traffic. Designed jointly by Microsoft and Cisco and standardized by the IETF, it is not a tunnel on its own, so “IKEv2” as a VPN choice always means IKEv2/IPsec, with IPsec providing the encryption and integrity protection.

IKEv2 is uniquely suited to mobile VPN use. Its MOBIKE extension (RFC 4555) lets an existing tunnel survive a change of IP address, so it reconnects quickly after a temporary loss of internet connectivity and keeps the session alive during a network switch (e.g., from mobile data to Wi-Fi).

IKEv2 is not as popular as OpenVPN, PPTP or L2TP/IPsec, but a good number of VPN providers, especially those that specialize in mobile VPNs, use it. It is an open IETF standard rather than proprietary software: Windows, iOS, macOS and BlackBerry ship built-in clients, and Linux and Android are covered by strongSwan (recent Android releases also include a native IKEv2 client).

Pros

  • Extremely stable and does not drop the VPN connection when switching networks
  • Incredibly fast
  • Supports Perfect Forward Secrecy
  • Supports a variety of cryptographic algorithms
  • Easy to set-up

Cons

  • Suffers from the same IPsec drawback (the alleged NSA tampering)
  • Built-in support on fewer platforms
  • Firewalls can block it, because it uses fixed UDP ports (500 and 4500)

Summary

From the discussion above, one thing is clear: no single VPN protocol satisfies every requirement. Some protocols prioritize speed, others security.

Consequently, it is not surprising to find VPN providers that support all five, so that the client can pick whichever protocol fits the network and threat model at hand.

About the author: Susan Alexandra

Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories; you can share story ideas at susanalexandra67@gmail.com

Pierluigi Paganini

(SecurityAffairs – VPN, privacy)


The post The strengths and weaknesses of different VPN protocols appeared first on Security Affairs.

Consumers trust banks most with their personal data, 68% still fear identity theft

People trust banks and other financial entities to safeguard their personal data more than other organizations. New nCipher Security research also illustrates how easily that trust can be eroded, along with Americans’ personal data protection concerns relative to banking and digital payments. Consumers trust banks most The survey results show that people trust the financial sector in general and their banks in particular more than any other industry vertical or organizations that touch their data. … More

The post Consumers trust banks most with their personal data, 68% still fear identity theft appeared first on Help Net Security.

Facebook Braces for Multibillion Dollar Fine

Facebook announced that it was preparing for a massive fine from the Federal Trade Commission for its mishandling of user privacy. The fine could be as much as $5 billion.

The social media giant revealed the fine as a one-time expense in its annual earnings statement, explaining a 51% decline in income, “in connection with the inquiry of the FTC into our platform and user data practices.”

“We estimate that the range of loss in this matter is $3.0bn to $5.0bn,” the company’s statement explained. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

Facebook has been the target of an FTC investigation to determine if it had violated a 2011 consent decree following the 2018 revelation that it improperly shared data with Cambridge Analytica.

Despite the size of the fine, the company showed continuous growth and an expansion of its ecosystem of apps.

Read more about the story here.

The post Facebook Braces for Multibillion Dollar Fine appeared first on Adam Levin.

Smashing Security #125: Pick of the thief!

WannaCry's "accidental hero" pleads guilty to malware charges, Samsung and Nokia have fingerprint fumbles, the NCSC publishes a list of 100,000 dreadful passwords, and Apple finds itself at the centre of an identity mix-up. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes.

Where data privacy executives plan to focus their strategies and budgets

Adapting to an increasingly volatile regulatory environment is the top priority for privacy executives, with only approximately four in 10 confident in their current ability to keep pace with new requirements, according to Gartner. Conversations with Gartner clients and Gartner’s annual survey data reveal where data privacy executives plan to focus their strategies and budgets for 2019. Their top five priorities highlighted the need to strengthen strategic approaches to engage with quickly shifting regulatory, … More

The post Where data privacy executives plan to focus their strategies and budgets appeared first on Help Net Security.

A casual approach to workplace communications presents major security risks

Workers are comfortable sharing personal, sensitive and confidential information over chat platforms. They practice risky digital habits, and don’t care if their communications are leaked. The Symphony Communication Services Workplace Confidential Survey, which polled over 1,500 workers in the U.S. and U.K., examined the growth of new collaboration tools and platforms entering the workplace. The findings highlight a worryingly casual attitude to workplace communications that poses a threat to businesses. “The way we work is changing,” … More

The post A casual approach to workplace communications presents major security risks appeared first on Help Net Security.

How Business can address the Security Concerns of Online Shoppers

It’s no secret that cyber attacks are an epidemic problem affecting online businesses on a global scale. E-commerce businesses are especially affected by data breaches, because each breach weakens consumers’ trust in online businesses to protect their personal data. In response to the growing number of breaches, governments and enterprises alike are stepping up to provide sustainable solutions to the problem.

The UK is aiming to become a world leader in cybersecurity by investing a substantial amount of money (to the tune of £70 million) in the Industrial Strategy Challenge Fund. The fund represents the government’s commitment to increase funding in research and development by £4.7 billion over a four year period. One of the primary goals of the investment will be to supply the industry with the money necessary to design and develop state-of-the-art hardware that’s more secure and resilient to common cyber threats.

The logic is that cybercriminals are constantly finding new ways to exploit current technology, so the best way to combat future attacks is to design chips and hardware with stronger security features built in, to stay ahead of the threats. It also means businesses will have to invest in new IT systems as that hardware is rolled out, to keep their security measures up to par.

For the time being, online business owners need to do everything in their power to address the privacy concerns of their users. In some cases this means investing in more secure and modern e-commerce platforms that offer security features such as TLS (still commonly known as SSL) protection and security software to protect against malware, or simply using strong, unique admin passwords.

The fact is, there is no way to give customers a 100% guarantee that their personal data is safe, but there are actions webmasters and companies can take to make their websites a lot safer for customers to use. To help you learn more about securing your site against cyber threats, Wikibuy has laid out 15 steps in the infographic below.


How Business Owners Can Address Online Shopping Concerns

EU To Build Massive Biometric Database

The European Union’s parliament voted to create a biometric database of over 350 million people.

The Common Identity Repository, or CIR, will consolidate the data from the EU’s border, migration, and law enforcement agencies into one system to be quickly accessible and searchable by any or all of them. Information will include names, birthdates, passport numbers as well as fingerprints and face scans.

While the CIR’s purpose is to eliminate several bottlenecks currently affecting border control and law enforcement, many are concerned about its privacy and security implications.

“[U]nlike other personal data, biometric data are neither given by a third party nor chosen by the individual; they are immanent to the body itself and refer uniquely and permanently to a person,” wrote the European Data Protection Supervisor, an independent EU institution responsible for advising on matters of privacy and security, in an opinion document on the Repository.

“[T]he consequences of any data breach affecting the CIR could seriously harm a potentially large number of individuals. If it ever falls into the wrong hands, the CIR could become a dangerous tool against fundamental rights if it is not surrounded by strict and sufficient legal, technical, and organizational safeguards,” the EDPS continued.

Once deployed, the CIR will be the third largest government biometric database in the world, behind India’s Aadhaar and the Chinese government’s tracking systems. Given Aadhaar’s history of breaches and recent revelations about the Chinese government tracking ethnic and religious minorities, there seems to be plenty of cause for alarm here.

The post EU To Build Massive Biometric Database appeared first on Adam Levin.

Facebook admitted to have stored millions of Instagram users’ passwords in plaintext

More problems for Facebook, which has admitted to storing millions of Instagram users’ passwords in plaintext.

Yesterday, Facebook made the headlines once again for alleged violations of its users’ privacy: the company admitted to having ‘unintentionally’ collected contacts from 1.5 million email accounts without permission.

In March, Facebook admitted to having stored the passwords of hundreds of millions of users in plain text, including “tens of thousands” of Instagram users’ passwords.

Unfortunately, the issue was bigger than initially reported: the company updated its original press release to confirm that millions of Instagram users were affected.

The disconcerting discovery was made in January by Facebook staff during a routine security review. The passwords were stored in plain text on internal data storage systems, meaning they were accessible to employees, though not to outsiders.

Facebook quickly fixed the issue and notified the affected users.

Now Facebook has confirmed that it discovered “additional logs of Instagram passwords” stored in a readable format. The social network giant stated that the passwords were never “abused or improperly accessed” by any of its employees.

“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.” reads the updated statement.


In summary, millions of Instagram users had their account passwords stored in plain text, searchable by thousands of Facebook employees.

Let me suggest changing your password to a strong one and enabling two-factor authentication.
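The underlying engineering failure, passwords written into logs in readable form, is easy to reproduce and easy to prevent. The following added example (my own code, not Facebook’s) shows the bug beside the fix: a debug logger that serialises a whole login request leaks the password and the bearer token, while one that scrubs secret-bearing keys first does not. It also shows how the password itself should be kept, as a salted PBKDF2 hash that can be verified without ever storing the cleartext. The request data and the list of sensitive key names are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import re

# Keys whose values must never reach a log line (assumed list for this example).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|authorization|cookie", re.I)

def redact(record):
    """Return a copy of a (possibly nested) log record with secret values masked."""
    if isinstance(record, dict):
        return {k: ("[REDACTED]" if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in record.items()}
    if isinstance(record, list):
        return [redact(v) for v in record]
    return record

def hash_password(password, salt=None, iterations=600_000):
    """Store a salted PBKDF2-SHA256 hash; the password itself is never written anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed login request as a debug logger might see it (not real data).
LOGIN_REQUEST = {
    "path": "/login",
    "body": {"username": "alice", "password": "hunter2"},
    "headers": {"Authorization": "Bearer abc123", "User-Agent": "test-client"},
}

def unsafe_log_line(request):
    """The bug: serialising the whole request writes the password to the log."""
    return json.dumps(request)

def safe_log_line(request):
    """The fix: scrub secret-bearing keys before anything is written."""
    return json.dumps(redact(request))

if __name__ == "__main__":
    print("unsafe:", unsafe_log_line(LOGIN_REQUEST))
    print("safe:  ", safe_log_line(LOGIN_REQUEST))
    stored = hash_password("hunter2")
    print(stored, verify_password("hunter2", stored), verify_password("hunter3", stored))
```

Redaction by key name is a safety net, not a substitute for never passing credentials to the logger in the first place; in a real service, wire `redact()` into the logging filter so developers cannot forget to call it.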

Pierluigi Paganini

(SecurityAffairs – Instagram, privacy)

The post Facebook admitted to have stored millions of Instagram users’ passwords in plaintext appeared first on Security Affairs.

Cyber News Rundown: Phishing Attack on Global IT Outsourcer

Reading Time: ~2 min.

Major IT Outsourcer Suffers After Phishing Attack

Global IT services provider Wipro announced that it is investigating a data breach possibly affecting some of its clients. Companies of this type are popular targets because, by breaching a single IT service company, attackers gain access to a far larger pool of victims through compromised credentials for client networks. It’s still unclear how long the attackers had access to the systems, but some reports claim the attack was ongoing for several months.

Age-Verification Hits UK Porn Viewers

The UK has passed a measure that will subject users to age-verifications before being allowed to enter a pornographic website, as part of their ongoing fight to make the UK safer online. This measure was originally introduced as a way to decrease ransomware infections and slow the stream of stolen credentials from paid accounts for higher-traffic sites. The new law has an 88% backing from UK parents and will go into full effect on July 15.

Data Breach Affects Navicent Patients

A recent Navicent Health announcement revealed the email systems of the health care services provider were compromised in July, 2018, possibly affecting over 275,000 patients. While the remainder of their internal systems were untouched, the email server did contain patient data, including social security numbers and billing information. Fortunately, Navicent responded to the breach quickly and began notifying the proper authorities, as well as their client base, in addition to providing identity monitoring services for those whose information was exposed.

Chrome for iOS Bug Redirects Users to Ads

A new bug, found only in the iOS version of Chrome, has exposed up to half a million users to unwanted advertising redirects, sometimes from legitimate websites. The bug works by allowing malicious code to be executed from within page advertisements, which can then overlay onto the device’s screen until clicked. The majority of this campaign’s victims are based in the US and were targeted over a four-day period in early April.

Microsoft Loses Subdomain for Live Tiles

A German researcher recently took control of a subdomain Microsoft used to help websites format RSS feeds into the XML consumed by Windows 8 and 10 Live Tiles. The name was no longer registered to Microsoft or its Azure cloud service, so any malicious actor could have claimed it and served content to Live Tiles; the researcher registered it himself and alerted Microsoft to his findings.
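Names that still point at infrastructure nobody owns are what make this class of takeover possible. The following added example (not Microsoft’s or the researcher’s code) walks a list of hostnames, follows each CNAME chain, and reports the ones that end at a name which no longer resolves and sits under a service where anyone can register that name. DNS is replaced by a constructed lookup table so it runs offline; swap `lookup()` for a real resolver in practice. The hostnames and the list of claimable suffixes are assumptions.

```python
# Constructed answers standing in for DNS. Names missing from the table behave like NXDOMAIN.
FAKE_DNS = {
    "tiles.example.com": ("CNAME", "example-tiles.cloudapp.net"),
    "www.example.com":   ("CNAME", "example.azurewebsites.net"),
    "blog.example.com":  ("CNAME", "pages.example.org"),
    "cdn.example.com":   ("CNAME", "old-cdn.example.net"),
    "example.azurewebsites.net": ("A", "203.0.113.10"),
    "pages.example.org":        ("A", "203.0.113.20"),
    # "example-tiles.cloudapp.net" and "old-cdn.example.net" are absent on purpose
}

# Suffixes under which an unclaimed name can be registered by anyone (assumed list).
CLAIMABLE_SUFFIXES = (".cloudapp.net", ".azurewebsites.net", ".github.io", ".s3.amazonaws.com")

def lookup(name):
    """Stand-in for a DNS query; returns (type, value) or None for NXDOMAIN."""
    return FAKE_DNS.get(name.lower().rstrip("."))

def check_dangling(host, max_depth=8):
    """Follow the CNAME chain from host and report whether it ends in a name that
    no longer resolves, and whether that name sits on a service where it can be claimed."""
    name, chain = host, []
    for _ in range(max_depth):
        record = lookup(name)
        if record is None:
            return {"host": host, "dangling": True, "target": name,
                    "claimable": name.endswith(CLAIMABLE_SUFFIXES), "chain": chain}
        rtype, value = record
        if rtype != "CNAME":
            return {"host": host, "dangling": False, "target": name,
                    "claimable": False, "chain": chain}
        chain.append(value)
        name = value
    raise RuntimeError(f"CNAME chain too long for {host}")

def audit(hosts):
    """Return only the takeover candidates: dangling and pointing at a claimable service."""
    return [r for r in (check_dangling(h) for h in hosts) if r["dangling"] and r["claimable"]]

if __name__ == "__main__":
    hosts = ["tiles.example.com", "www.example.com", "blog.example.com", "cdn.example.com"]
    for r in audit(hosts):
        print(f"{r['host']} -> {' -> '.join(r['chain'])}: unclaimed, takeover possible")
```

A dangling record that is not on a claimable suffix (here `cdn.example.com`) is still worth a ticket: if the target’s registrable domain has expired, the takeover is a domain registration away rather than a free cloud account away.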

The post Cyber News Rundown: Phishing Attack on Global IT Outsourcer appeared first on Webroot Blog.

DevSecOps Podcast Episodes Recap

The week of April 15th I dedicated every Security In Five podcast episode to DevSecOps and the push to move security left. I was motivated to talk about this push because it’s a concept and challenge I deal with almost daily with my own projects and working with clients. DevSecOps, or DevOps if you are […]

The post DevSecOps Podcast Episodes Recap appeared first on Binary Blogger.

Google will check apps by new developers more thoroughly

In an attempt to thwart Android developers who are set to distribute malicious apps through Google Play, Google will be taking more time when reviewing apps by developers with newly minted accounts. This reviewing process will take days, not weeks, Google assures, and should allow them to do more thorough checks before approving apps to be featured in the store. Sameer Samat, VP of Product Management, Android & Google Play, also says that they know … More

The post Google will check apps by new developers more thoroughly appeared first on Help Net Security.

Building a modern data registry: Go beyond data classification

For organizations, understanding what data they store and analyze is gaining urgency because of new privacy regulations, from the General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD). But these regulations are not the only reason organizations are focused on privacy. Security imperatives and pressure to extract more value from the information they store have also pushed companies to get data privacy … More

The post Building a modern data registry: Go beyond data classification appeared first on Help Net Security.

Facebook Acknowledges “Unintentional” Harvesting of Email Contacts

Facebook announced that it “unintentionally” harvested the email contacts of 1.5 million of its users without their consent.

The social media company automatically uploaded the contacts of users who had registered with the site after 2016 and provided their email addresses and passwords. After submitting a form to “confirm” their accounts, registrants saw a screen showing that their email contact lists were being uploaded, with no way to give consent, opt out, or interrupt the process.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings,” a Facebook spokesperson said.

Facebook’s requests for users’ email passwords during account registration had drawn strong criticism from security and privacy experts and led the company to halt the practice earlier this month.

The news comes at an awkward time for the gaffe-prone company in light of its recent attempts to rebrand itself as being more privacy-focused.

The post Facebook Acknowledges “Unintentional” Harvesting of Email Contacts appeared first on Adam Levin.

Facebook ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission

Facebook made the headlines once again for alleged violations of the privacy of its users, this time collecting contacts from 1.5 Million email accounts without permission.

New problems for Facebook: the company collected contacts from 1.5 million email accounts without users’ permission.

We recently read about an embarrassing incident in which the social network giant asked some newly registered users to provide the passwords to their email accounts to confirm their identity.

Some experts speculated that the social network giant was using those passwords to log in to the email accounts and collect their contacts.

News of the day is that Facebook has admitted it was collecting the email contacts of some of its users.

“Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts. Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network” reported the Business Insider.
“The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.”

Facebook says the email contacts of up to 1.5 million new users were “unintentionally” uploaded to its servers since May 2016, but the company was never authorized to do so and never obtained those users’ consent.


This means that roughly 1.5 million users who handed over the passwords to their email accounts also had their contact lists uploaded to the social network without being asked.

According to a Facebook spokesperson who spoke with Business Insider, the company was using harvested data to “build Facebook’s web of social connections and recommend friends to add.”

“At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.” continues the Business Insider.

Facebook stopped using this email verification process a month ago, after a researcher using the pseudonym “e-sushi” noticed that the social network was asking some users to enter their email passwords when they signed up for new accounts.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said in a statement.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

The list of incidents that involved the company in the last year is long. In April experts found 540 Million Facebook user records on unprotected Amazon S3 buckets.

In March 2019, Facebook admitted to having stored the passwords of hundreds of millions of users in plain text.

In October 2018, Facebook disclosed a severe security breach that allowed hackers to steal access tokens and access personal information from 29 million Facebook accounts.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

The post Facebook ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission appeared first on Security Affairs.

10 Chrome Extensions to Boost Your Online Safety in 2019

Chrome is the most popular internet browser nowadays, so we’ve decided to research extensions that increase your online safety. Even though it claims to automatically protect you from security issues, such as phishing attacks and dangerous websites, as the online threatscape evolves, it never hurts to add extra layers of protection.


Web Browser Market Share, March 2019, according to W3Counter

In this guide, we’ll walk you through a variety of Chrome extensions, ranging from anti-tracking solutions, ad blockers, password managers, and VPN solutions, to name a few.

We hand-picked the add-ons from a wide palette of solutions, with the intention to help you browse safely on the internet.

So let’s jump in.

Here are some of the best privacy and safety-related Chrome extensions.

1. Privacy Badger

Privacy Badger is a browser add-on developed by the Electronic Frontier Foundation (EFF) that blocks advertisers and other third-party trackers from following you across the web pages you visit. Whenever it notices a third party that appears to track you across several different websites without your consent, it stops that party from loading any more content in your browser.


Keep in mind this isn’t a standard ad blocker, as it wasn’t created with the intention to completely block ads.

What it really does is block third-party scripts, images and other resources, visible or invisible, that appear to be tracking your activity even though you have asked not to be tracked by sending a Do Not Track header. Most of these third-party trackers happen to be advertisements, which is why most ads end up blocked.

Does it make sense to use Privacy Badger and a standard ad blocker at the same time? If you really despise ads, EFF advises using Privacy Badger together with uBlock Origin.

Download: Privacy Badger

2. Ghostery

Ghostery is similar to Privacy Badger – it detects and blocks third-party technologies which track you and it also markets itself as an ad blocker. Thus, it provides a clean and fast browsing experience, while preventing advertisers from tracking your activity.


The Smart Blocking feature increases the pages’ loading speed, by automatically blocking and unblocking trackers.


Download: Ghostery

3. HTTPS Everywhere

HTTPS Everywhere is an add-on created by the Electronic Frontier Foundation (EFF) and the Tor Project that rewrites your requests from insecure “HTTP” to secure “HTTPS” on sites that support it.


Why use “HTTPS” instead of “HTTP?”

“HTTP” is unencrypted, so anyone on the path between you and the site can read or modify the traffic (a man-in-the-middle attack). This matters most on untrusted networks such as public Wi-Fi, where other users of the same network can capture your traffic and steal your private information.


Many websites support encryption over HTTPS but make it hard to use: they default to unencrypted HTTP, or link from encrypted pages back to unencrypted ones.

HTTPS Everywhere takes care of this by rewriting requests to those sites to HTTPS, according to a maintained list of per-site rules.

The project’s source is public in its Git repository, and you can get involved in development if you are interested.
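To make the rewriting concrete, here is an added example (my own code, not the extension’s) that applies HTTPS Everywhere-style rules: each ruleset names the target hosts it covers, optional exclusions for hosts that have no working HTTPS, and ordered from/to regex rules. The hosts and rules are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed rulesets, modelled loosely on the HTTPS Everywhere ruleset format.
RULESETS = [
    {
        "name": "Example",
        "targets": ["example.com", "*.example.com"],
        "exclusions": [r"^http://legacy\.example\.com/"],   # host with no HTTPS at all
        "rules": [
            (r"^http://(www\.)?example\.com/", "https://www.example.com/"),  # canonical host
            (r"^http:", "https:"),                                           # everything else
        ],
    },
]

def host_matches(host, target):
    """'*.example.com' matches any subdomain; a plain target must match exactly."""
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target

def rewrite(url):
    """Return the HTTPS form of url if a ruleset covers it, otherwise url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    host = parts.hostname.lower()
    for ruleset in RULESETS:
        if not any(host_matches(host, t) for t in ruleset["targets"]):
            continue
        if any(re.search(x, url) for x in ruleset["exclusions"]):
            return url                     # site explicitly excluded, leave it alone
        for pattern, replacement in ruleset["rules"]:
            new_url, count = re.subn(pattern, replacement, url, count=1)
            if count:
                return new_url             # first matching rule wins
    return url

if __name__ == "__main__":
    for u in ["http://example.com/a?b=1", "http://cdn.example.com/x.js",
              "http://legacy.example.com/x", "http://other.org/"]:
        print(u, "->", rewrite(u))
```

The exclusion check runs before any rule, which is the behaviour you want: a rewrite to an HTTPS endpoint that does not exist produces a broken page, so the ruleset must be able to opt a host out entirely.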

Download: HTTPS Everywhere

4. LastPass

LastPass is a password manager which stores all of your passwords so you don’t have to remember them.

Reusing the same password for all your accounts is one of the worst things you can do, so a password manager contributes directly to your overall security hygiene.


What you do need to remember is the master password that guards the rest of your passwords. The vault is encrypted on your device with a key derived from that master password, so even the folks at LastPass cannot read your data.


It integrates with a variety of two-factor authentication options for an extra layer of protection. You really should turn this on: if someone manages to steal your master password, the second factor still stops them from opening your vault.

Download: LastPass 

5. Vanilla Cookie Manager

Vanilla Cookie Manager is an extension that allows you to delete unwanted cookies. It gives you the option to shut off cookies completely or just remove third-party cookies.


Vanilla Cookie Manager allows you to whitelist the cookies that you would like to keep from websites trusted by you.


Does it make sense to manage cookies?

Let’s start off by briefly explaining what they are and what they do.

Cookies are small text strings that a website asks your browser to store. They are harmless in the sense that they cannot infect your PC with malware, but they can record information about your activity on a site, and when they are set by a third-party domain embedded in many different sites, they can be used to follow you across all of those sites.

So how do cookies work?

The web server sends a cookie in its response, the browser stores it, and on every later request to that site the browser sends the cookie back to the server; that is how the site recognizes you from one page to the next.

Whether to manage cookies is your choice. Some users would rather not worry too much about what information is collected, while others prefer to give away as little as possible.
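The following added example (not from the Vanilla Cookie Manager project) shows what “third-party cookie” means in practice. Given the Set-Cookie headers observed while loading one page, it works out which cookies are scoped to a site other than the one you are visiting, and flags cookies set without Secure, HttpOnly or SameSite. The page, hosts and cookies are constructed, and the registrable-domain helper is a simplification that should consult the Public Suffix List in real use.

```python
from urllib.parse import urlsplit

def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def classify_cookies(page_url, responses):
    """responses: list of (resource_url, [Set-Cookie header, ...]) seen while loading page_url.
    A cookie is third-party when its scope belongs to a different site than the page."""
    page_site = registrable_domain(urlsplit(page_url).hostname)
    findings = []
    for resource_url, headers in responses:
        setter = urlsplit(resource_url).hostname.lower()
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            scope = attrs.get("domain")
            scope = setter if scope in (None, True) else scope.lstrip(".").lower()
            issues = []
            if "secure" not in attrs:
                issues.append("no Secure")        # sent over plain HTTP too
            if "httponly" not in attrs:
                issues.append("no HttpOnly")      # readable by any script on the page
            if "samesite" not in attrs:
                issues.append("no SameSite")      # attached to cross-site requests
            findings.append({"name": name, "set_by": setter, "domain": scope,
                             "third_party": registrable_domain(scope) != page_site,
                             "issues": issues})
    return findings

def third_party_names(findings):
    return [f["name"] for f in findings if f["third_party"]]

# Constructed traffic for one page load (hosts are not real sites).
PAGE = "https://shop.example.com/cart"
RESPONSES = [
    ("https://shop.example.com/cart",
     ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    ("https://static.example.com/app.js",
     ["prefs=dark; Domain=.example.com; Path=/"]),
    ("https://ads.tracker-example.net/pixel.gif",
     ["uid=42; Domain=.tracker-example.net; Path=/; Secure; SameSite=None"]),
]

if __name__ == "__main__":
    for f in classify_cookies(PAGE, RESPONSES):
        print(f["name"], "third-party" if f["third_party"] else "first-party", f["issues"])
```

Note that `prefs` is first-party even though a different host set it: what matters is the registrable domain of the cookie’s scope, not the hostname of the response that carried the header.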

Download: Vanilla Cookie Manager

6. Perspective Guard

The Perspective Guard extension is based on a rather unusual concept built on artificial intelligence, and its main purpose is to warn you when you may be looking at fake news.


Its developers promise not to store your data so you can rest assured you are browsing the internet privately.

What it does is monitor the social networks and websites you access and gives you an overview of the type of content you encounter.

The content you see is classified as Negative, Neutral, or Positive.


You also have the option to be notified if you are likely to become a victim of social engineering campaigns.

Download: Perspective Guard

7. minerBlock

minerBlock is an add-on that stops websites from using your computer’s processing power to mine cryptocurrency without your consent.

This technique is called “cryptojacking”, short for “cryptocurrency hijacking”. For a full overview of the concept and a guide on how to avoid becoming a victim, see our article on the subject.

How does the minerBlock extension work?

It uses two methods to stop miners: blocking requests and scripts that appear on a blocklist, and detecting mining-like behaviour inside loaded scripts and killing them immediately.

Download: minerBlock

8. uBlock Origin

For all of you out there who simply don’t want to see any ads, uBlock Origin is a great Chrome extension to help you block them all.


This ad blocker also seems to be the easiest on CPU and memory, according to the comparison published on its Google Chrome Web Store listing.

Download: uBlock Origin

9. CyberGhost VPN Free Proxy

VPN tools let you reach websites that would otherwise be unavailable in your location. They also hide your real IP address from the sites you visit and encrypt your traffic between you and the VPN server, which keeps it away from anyone on the local network. Keep in mind that the VPN provider itself can see that traffic, and that a browser extension of this kind protects only the browser’s traffic, not the rest of the device.


CyberGhost has all of these features in place and has been awarded the “Best Value” category at the BestVPN.com Awards in 2019, so we recommend you check it out.


Download: CyberGhost VPN Free Proxy

10. Hotspot Shield VPN Free Proxy

Hotspot Shield VPN is another Chrome extension you should try out.


It has both a free and a paid version. The free one gives you 95% of the features: it hides your IP, helps prevent theft of personal information, encrypts your browser traffic on any network, and lets you automatically secure popular websites or bypass the proxy for sites you choose.


Download: Hotspot Shield VPN Free Proxy

Do Chrome extensions work in Incognito Mode?

Chrome extensions do not run in Incognito mode by default, because an extension could observe and record exactly the browsing activity that Incognito is meant not to keep.

Yet, you do have the possibility to activate the Chrome add-ons manually so they run in Incognito as well.

Here is how:

Step #1: Open the Chrome menu and choose More tools > Extensions (or type chrome://extensions in the address bar).

Step #2: The Extensions page opens in a new tab. Click Details on the add-on you want to enable.

Step #3: Turn on Allow in incognito.

And you’re all set. You can now use the add-ons you want in Incognito mode.

Are all Chrome extensions safe to use?

As a general rule, be careful when you browse the Chrome Web Store for extensions, since you may run into add-ons that compromise your security and privacy.

Here are some guidelines to keep in mind:

  • Always look at the extension’s rating and try to choose ones with at least 4.3 out of 5 stars, and read the user reviews.
  • Install extensions from trusted sources. Look into who actually developed the add-on and whether that source looks suspicious.
  • Pay attention to what permissions an extension requires. If an extension you already use suddenly asks for an additional permission, it may have changed owners or been compromised; an update that adds permissions is how an extension turns from a tool into a tracker.
  • Never install too many extensions. Stick to the ones you really need: too many will slow down your browser and make it harder to notice when something fishy is going on.
  • Don’t rely on security browser extensions exclusively; also install an anti-malware solution on your computer.
What security and privacy add-ons have we missed? Are there any Chrome extensions that you would advise against? Share your thoughts in the comments section below.

The post 10 Chrome Extensions to Boost Your Online Safety in 2019 appeared first on Heimdal Security Blog.

Smashing Security #124: Poisoned porn ads, the A word, and why why why Wipro?

The hacker who lived the high life after spreading malware via porn sites, Wipro demonstrates how to turn a cybersecurity crisis into a PR disaster, and why are humans listening in to your Alexa conversations?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Brian Honan.

RobbinHood Ransomware Demands Grow $10K Per Day after Fourth Day

The ransom demands imposed by the new “RobbinHood” ransomware family increase $10,000 each day beginning on the fourth day following encryption. The creators of RobbinHood appear to be aiming their attacks at entire networks. When they’ve gained access to a target, they use their ransomware to encrypt as many computers as possible. They then drop […]… Read More

The post RobbinHood Ransomware Demands Grow $10K Per Day after Fourth Day appeared first on The State of Security.

Cyber News Rundown: Tax Extortion Ransomware Scams Corporations

Reading Time: ~2 min.

Tax Extortion Emails Bring Major Threats

A new email campaign has been spotted threatening ransomware and DDoS attacks, over fake tax documents the attackers claim to hold, unless a Bitcoin ransom is paid. The authors also threaten to send the fake tax documents to the IRS, in a poorly worded ransom email that even includes Wikipedia excerpts for each threat it makes. Fortunately, as the campaign appears to target corporations rather than individuals, no payments have been made to the attackers’ cryptocurrency wallet address.

Hotel Reservation Data Leaking Through Third-Party Services

As major data breaches continue to flood headlines, a recent study has revealed that nearly two of every three hotels expose information about their guests to third parties. Excerpts of the data show names, social security numbers, and payment card details that could give unauthorized users the ability to compromise identities or make changes to current reservations. Most of the exposed data comes through third-party services run on hotel websites offering customers additional packages.

Ransomware Conspirator Jailed in the UK

Police in the UK have officially charged and jailed a man for his part in the operation of a global ransomware campaign with ties to a Russian criminal organization. Charges range from fraud and blackmail to computer misuse relating to DDoS attacks and the Essex man is set to face at least six years. By masquerading as an advertising agent looking to purchase ad space on high-traffic sites, he was able to infect ad links with malware and other exploits to spread his campaign.

Firefox Begins Blocking Cryptomining Scripts

Even after the demise of CoinHive, cryptomining scripts are still being secretly deployed on thousands of websites without the knowledge of their owners and visitors. With the release of Firefox 67 beta, Mozilla is hoping to completely protect their users from malicious scripts that download and run cryptominers and other unwanted tracking software by using a blacklist created by Disconnect, a VPN developer with a reputation for privacy protection. Additionally, the new Firefox version will block fingerprinting scripts commonly used to invade a user’s browsing privacy.

MyCar App Uses Hardcoded Credentials

Thousands of cars were left vulnerable after a widely used vehicle telematics system was found to be using hardcoded credentials in its mobile apps. Used in dozens of different car models to enable remote control functions, the hardcoded credentials leave these vehicles accessible to anyone with the app’s source code and the plaintext credentials within. Fortunately for users, the latest iOS and Android versions of the MyCar app have been updated to resolve this vulnerability.

The post Cyber News Rundown: Tax Extortion Ransomware Scams Corporations appeared first on Webroot Blog.

The One Word No One Is Talking About in the Disney-Fox Deal

On March 20, The Walt Disney Company completed its purchase of 21st Century Fox. The acquisition added huge properties like The Simpsons and National Geographic as well as film blockbuster franchises to Disney’s star-studded stable that includes Star Wars, Marvel Comics, Pixar, the Muppets, and a decades-long catalog of major intellectual properties.

While major acquisitions and mergers often give rise to anti-trust issues (and this one was no exception), the transfer of properties with complex privacy policies, and how that works going forward, has not been a big topic of discussion.

Corralling such a massive amount of children’s and family-friendly entertainment under one roof may seem, at least on the surface, like a world-friendly move, but to quote a song from Disney’s 1995 direct-to-video sequel, “Pocahontas 2”–“things aren’t always what they appear.”

While Disney’s acquisition lacks the dark mirror quality of Amazon’s ever-expanding home networking business or Google’s inescapable array of services (all of them tracking users with mindboggling granularity), there is considerable consumer data tied to the properties that just changed hands, all of it governed by the privacy policies attached to them, which also changed hands but cannot be changed without user consent. This is not about whatever privacy fail we might expect next from Facebook. It’s about the potential privacy conflicts caused by Disney’s acquisition of Fox.

It Was All Started by a Mouse

Walt Disney liked to remind people that his company started humbly, “by a mouse.” Today, we are also dealing with something mouse-related: Our data.

Few of us ever read the privacy policies we agree to when we download software or an app–the exception here being those among us who are in the business of selling data. Privacy policies are binding. When a company changes hands, the data in its possession is governed by the privacy policy that was in place when the user accepted its terms, and that remains the case even after it’s transferred to its new owner. They can be changed, with user consent, which is usually given by users who are not studying the new terms of engagement.

Disney of course pre-dates the era of the surveillance economy, but it has invested aggressively in data analytics and customer tracking. Strategic data deployment has been central to Disney’s increased profits in recent years, both at its theme parks and its brick-and-mortar stores. While RFID tracking of customers, facial recognition, and personalized offers based on prior purchases and behavior can all vastly improve the customer experience, we’ve seen far too many instances of companies abusing their privileged access to consumer data.

The “Don’t Be Evil” Option

Companies can start with good intentions (see Google’s recently retired “Don’t Be Evil” motto) and eventually expand their data mining practices to Orwellian dimensions. It’s a matter of grave concern.

When a disproportionate number of the customers being tracked are children, this should be even greater cause for concern. That’s the red button aspect of prime interest in the Disney-Fox deal.

Case in point, the 2017 lawsuit filed against Disney and still pending in court that claims the company was tracking children through at least 42 of its mobile apps via unique device fingerprints to “detect a child’s activity across multiple apps and platforms… across different devices, effectively providing a full chronology of the child’s actions.”

Disney denies these allegations, but they did cop to generating “anonymous reporting” from specific user activity through “persistent identifiers,” and that the information was collected by a laundry list of third party providers, many of which are ad tracking platforms.

The company is by no means alone in this practice. A 2018 study found that 3,337 family- and child-oriented apps available on the Google Play store were improperly tracking children under the age of 13. It’s not hard to see why. If consumer data is valuable, starting the process of collecting data associated with an individual as early as possible can provide marketing companies with extremely deep data about their target’s preferences and habits long before they have a disposable income. The U.S. Children’s Online Privacy Protection Rule (“COPPA”) was created to stop this from happening. But as we’ve seen from companies like TikTok, it’s often skirted or flouted outright, and the penalties are often laughable compared to the profits.

The collection of data on kids is a problem. Enter Disney, the sheer scale of that empire making its data position comparable to that held by Facebook or Google. It is similar with Fox properties, though to a lesser extent. The upshot: An immense amount of data just changed hands and no one is talking about it–and they should be.

Changing Privacy Policies

While privacy policies are easy to find, they are not so much fun to read. They are not all alike. But without engaging in a tale of the tape regarding Disney and Fox policies, there is still reason for concern.

The problem from a privacy standpoint is a side-effect of Disney’s aggressive expansion. Those of us who love Marvel Comics, and who signed up for related sites or apps before 2009 or Star Wars before 2012, or who subscribed to National Geographic before this year, all belong to Disney’s data holdings now. We have no way of knowing how our data is being used, or whether the privacy policy we agreed to is the one governing the current use of our data. Disney announced changes to each of its new properties’ privacy policies on its main website and updated them accordingly, but is that enough?

Companies can reserve the right to change their privacy policies, and if we don’t like it we can always opt out. Things become murkier when data is purchased by a third party; this can happen with acquisitions, or when major retailers go belly up. It happened when Radio Shack went out of business, and its entire customer database was suddenly put up for sale to the highest bidder.

The creation of meaningful standards for consumer privacy is a moving target, but it should be a legislatively mandated consideration for large scale mergers and acquisitions. Once a customer’s information is sold, there’s no way to get it back. An effective stopgap might be to demand a data transfer “opt out” button when we’re giving consent to privacy policies. When it comes to children, we might even consider legislating automatic “opt out” for anyone under a certain age. Where safeguarding children’s data is concerned, there’s still much work to be done.

This article originally appeared on Inc.com.

The post The One Word No One Is Talking About in the Disney-Fox Deal appeared first on Adam Levin.

The scourge of stalkerware

Stalkerware

Stalkerware. Software that allows someone else to spy upon every SMS text message you send or receive, who you’re speaking to on your smartphone phone, the pictures in your photo library, every social media post you make, your current location, and where you go and when.

The EFF’s Eva Galperin calls on the security industry to take stalkerware more seriously.

A Year Later, Cybercrime Groups Still Rampant on Facebook

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”

But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings. This is precisely what I experienced a year ago.

Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.

Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures.

What did we find? KrebsOnSecurity received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled.

How else have Facebook’s public statements about its supposed commitment to security and privacy been undermined by pesky facts over the past few weeks?

  • KrebsOnSecurity broke the news that Facebook developers wrote apps which stored somewhere between 200 million and 600 million Facebook user passwords in plain text. These plaintext passwords were indexed by Facebook’s data centers and searchable for years by more than 20,000 Facebook employees.
  • It emerged that Facebook’s new account signup page urges users to supply the password to their email account so Facebook can harvest contact details and who knows what else. Yes, that’s right: Facebook has been asking new users to share their email password, despite decades of consumer advice warning that is exactly what phishers do.
  • Cybersecurity firm UpGuard discovered two troves of unprotected Facebook user data sitting on Amazon’s servers, exposing hundreds of millions of records about users, including their names, passwords, comments, interests, and likes.
  • Facebook is making users searchable by marketers and others via phone number, even when that phone number was provided solely for the purposes of multi-factor authentication.

Once again, that old adage applies: If you can’t quite figure out how you’re the customer in a given online relationship, that’s probably because you’re best described as the product being sold to others.

I long ago stopped providing personal information via any Facebook account. But for my part, there remain probably three big reasons why I’m still on Facebook.

For better or worse, a great many sources choose to share important information this way. Also, sometimes Facebook is the fastest way to find a potential source and get their attention.

Secondly, many people unfortunately still get much of their news from Facebook and prefer to be notified about new stories this way.

Finally, I periodically need to verify some new boneheaded privacy disclosure or security screw-up manufactured by Facebook.

I would probably never delete my Facebook account, for the same reason I wouldn’t voluntarily delete my accounts from various cybercrime forums: For my part, the potential benefits of being there outweigh the potential risks. Then again, I am likely far from your typical Facebook (ab)user.

But what about you, Dear Reader? How does your Facebook cost/benefit analysis break down? Have any of the recent or not-so-recent Facebook scandals prompted you to delete your account, or to heavily restrict what types of information you store on the social network or make available to others? Sound off in the comments below.

Cyber News Rundown: Massive Data Breach at Georgia Tech

Reading Time: ~2 min.

Massive Data Breach at Georgia Tech

It was recently revealed that the personal information on over 1.3 million people was illicitly accessed by hackers who breached Georgia Tech systems in December of last year. The breach is the second of the year for the university, and was only discovered after IT staff noted performance issues on a widely used web application that interacts with a major database for both students and staff. 

Restaurant Firm Admits to Data Breach

Earl Enterprises, the parent firm of several popular restaurants around the country, recently announced they had fallen victim to a point-of-sale breach at multiple restaurant locations over the last 10 months. At least 100 restaurants, including all locations of the Italian chain Buca di Beppo, have begun working on restoring their systems and contacting affected customers. Nearly 2.1 million payment card accounts have been found in a dark web marketplace that were posted just a month before the company made its discovery.

Toyota Confirms Sales Data Breach

Personal information for over 3.1 million individuals may have been compromised before officials found signs of unauthorized activity on an internal network used in multiple sales subsidiaries of Toyota and Lexus. While the company’s dealerships continue to provide service and parts to customers, this specific breach comes only a month after another cyber attack that impacted Toyota dealerships in Australia, leaving many customers worried about the safety of their data.

GPS Watches Display PWNED! Message

Nearly a year after researchers contacted the watch maker Vidimensio about multiple vulnerabilities in their GPS watches, a new message has appeared on watch maps. The phrase “PWNED!” has been seen on at least 20 different watch models as a message alerting the company to their poor security infrastructure, as end-users are susceptible to being tracked through their watches. More alarmingly, many of the devices were found to have this vulnerability after Germany passed a law banning smart-watches for children that were capable of remote-listening after it was found they often ran on unpatched firmware.

Ransomware Strikes Albany, NY

The city of Albany, New York has been working to restore normal operations after a ransomware attack took down several key components of its systems. Aside from a few document-specific requests, however, the vast majority of the functionality was left undisturbed throughout the attack and recovery process. According to officials, all public safety services remained fully operational and had staff working around the clock to continue to provide assistance or direct individuals to a working facility.

The post Cyber News Rundown: Massive Data Breach at Georgia Tech appeared first on Webroot Blog.

Cyber News Rundown: Hacker Exposes 26 Million Personal Records

Reading Time: ~2 min.

Gnosticplayers Adds 26 Million More Records for Sale

After the first 3 major data dumps, which totaled over 600 million records, the hacker known as Gnosticplayers has released his latest cache of data, which contains at least 26 million personal user records. These data caches hold customer information for 32 companies overall and have been obtained over just the past couple months, making the data that much more lucrative. The hacker claims these breaches are done simply out of frustration that security is still not being taken seriously by many major companies from across the globe, which may explain why the price tag for each dump is so low.

Hackers Set Off Tornado Sirens in Texas Towns

At least 30 tornado warning sirens in two Texas towns were triggered in the early morning hours by an unknown hacker. While officials quickly shut down the sirens, they did so just 24 hours prior to a major storm during which they might have needed to use these critical emergency systems. This attack is very similar to one that affected the entire Dallas area in 2017, when hackers successfully compromised a radio system that set off over 100 tornado sirens across the city.

Marketing Firm Exposes 230 Million Records

Another misconfigured Amazon database, this time belonging to Exactis, carries the blame for a data breach that could affect at least 230 million individuals, with more data on 110 million individual records tied to businesses. While it is still unclear exactly how long the database was accessible, the company and an external security auditor maintain that the data was not accessed maliciously during its time online, though the independent researcher who first discovered the database reports that the data may have been spotted for sale on the dark web.

Ransomware Cripples Major Aluminum Manufacturer

Norsk Hydro, a major aluminum producer, suffered a ransomware attack that successfully shut down a large portion of the company’s operations. The attack forced the company to switch to manual operations at all of its facilities around the world and to temporarily take down its website while it worked to restore systems from backups. Fortunately, the company retains backups for its major operations, so normal production should resume within the week.

Gearbest Leaks 1.5 Million Customer Records

Following the trend of unprotected databases, researchers recently found yet another one, this time belonging to Gearbest (a Chinese e-commerce site). This database contained unencrypted personal records for over 1.5 million customers around the globe, including payment data, ID and passport info, and even data that could compromise Gearbest itself, as URLs for an internal software platform were also exposed. The company has since claimed that the number of exposed records is much smaller than originally posted. However, they also maintain that they use strong encryption on all stored data, despite this latest evidence to the contrary. 

The post Cyber News Rundown: Hacker Exposes 26 Million Personal Records appeared first on Webroot Blog.

When is it fair to infer?

While the GDPR framework is robust in many respects, it struggles to provide adequate protection against the emerging risks associated with inferred data (sometimes called derived data, profiling data, or inferential data). Inferred data pose potentially significant risks in terms of privacy and/or discrimination, yet they would seem to receive the least protection of the personal data types prescribed by GDPR. Defined as assumptions or predictions about future behaviour, inferred data cannot be verified at the time of decision-making. Consequently, data subjects are often unable to predict, understand or refute these inferences, whilst their privacy rights, identity and reputation are impacted.

Reaching dangerous conclusions

Numerous applications drawing potentially troubling inferences have emerged. Facebook is reported to be able to infer protected attributes such as sexual orientation and race, as well as political opinions and the likelihood of a data subject attempting suicide. Facebook data has also been used by third parties to decide on loan eligibility, to infer political leanings, to predict views on social issues such as abortion, and to determine susceptibility to depression. Google has attempted to predict flu outbreaks, other diseases and medical outcomes. Microsoft can predict Parkinson’s and Alzheimer’s from search engine interactions. Target can predict pregnancy from purchase history, users’ satisfaction can be determined by mouse tracking, and China’s social credit scoring system is built on inference.

What protections does GDPR offer for inferred data?

The European Data Protection Board (EDPB) notes that both verifiable and unverifiable inferences are classified as personal data (for instance, the outcome of a medical assessment regarding a user’s health, or a risk management profile). However it is unclear whether the reasoning and processes that led to the inference are similarly classified. If inferences are deemed to be personal data, should the data protection rights enshrined in GDPR also equally apply?

The data subjects’ right to be informed, right to rectification, right to object to processing, and right to portability are significantly reduced when data is not ‘provided by the data subject’. For example, the EDPB notes (in its guidelines on the right to data portability) that “though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject, these data will typically not be considered as ‘provided by the data subject’ and thus will not be within scope of this new right”.

The data subject, however, can still exercise their “right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is being processed, and, where that is the case, access to the personal data”. The data subject also has the right to information about “the existence of automated decision-making, including profiling (Article 22(1),(4)), meaningful information about the logic involved, as well as the significance and consequences of such processing” (Article 15). However, the data subject must actively make such an access request, and if the organisation does not provide the data, how will the data subject know that derived or inferred data is missing from the response to their access request?

A data subject can also object to direct marketing based on profiling and/or have it stopped; however, there is no obligation on the controller to inform the data subject that any profiling is taking place “unless it produces legal or significant effects on the data subject”.

No answer just yet…

Addressing the challenges and tensions of inferred and derived data will necessitate further case law on the interpretation of “personal data”, particularly regarding interpretations of GDPR. Future case law on the meaning of “legal effects… or similarly significantly affects”, in the context of profiling, would also be helpful. It would also seem reasonable to suggest that, where possible, data subjects should be informed at the collection point that data is derived by the organisation and for what purposes. If the data subject doesn’t know that an organisation uses their data to infer new data, the data subject cannot fully exercise their data subject rights, since they won’t know that such data exists.

In the meantime, it seems reasonable to suggest that inferred data which has been clearly communicated to the data subject, is benevolent in its intentions, and offers the data subject positive enhanced value is ‘fair’.

The post When is it fair to infer? appeared first on BH Consulting.

These Cookie Warning Shenanigans Have Got to Stop

This will be short, ranty and to the point: these warnings are getting ridiculous:

I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet:

The reason I don't know if it makes it better or worse is that on the one hand, it's ridiculous that in a part of the world that's more privacy-focused than most it essentially boils down to "take this cookie or no access for you" whilst on the other hand, the Dutch DPA somehow thinks that this makes any sense to (almost) anyone:

And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

Is this really what we want? To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway (note: this is a purely fabricated figure based on the common-sense assumption that people will generally click through anything that gets in the way of performing the task they set out to complete in the first place). And honestly, how on earth is your average person going to make an informed decision on a message like this:

Do you know how hard it is to explain OAuth to technical people, let alone the masses? Oh wait - it's not OAuth - it's Oath but even I didn't get that at first because nobody really reads these warnings anyway! And now that I have read it and I know it's Oath, what does that really mean? Oh look, a big blue button that will make it all go away and allow me to do what I came here for in the first place...

But say you are more privacy focused and you wanted to follow that link in the original tweet. Here's your fix:

And if you're smart enough to actually understand what cookies are and be able to make an informed decision when prompted with a warning like TechCrunch's, then you're smart enough to know how to right click on a link and open it incognito. Or run an ad blocker. Or something like a Pi-hole.

Or you move to Australia because apparently, we don't deserve the same levels of privacy down here. Or have I got that back to front and Europeans don't deserve the same slick UX experience as we get down here? You know, the one where you click on a link to read an article and you actually get to read the article!

So let's be European for a moment and see how that experience looks - let's VPN into Amsterdam and try to control my privacy on TechCrunch:

Are you fucking serious? This is what privacy looks like? That's 224 different ad networks that are considered "IAB Partners" (that'd be the Interactive Advertising Bureau) and I can control which individual ones can set cookies. And that's in addition to the 10 Oath foundational partners:

You can't disable any of those either by the look of it so yeah, no privacy on that front. But at least you can go and read their privacy policy, right? Sure, Unruly's is 3,967 words, Facebook's is 4,498 words and Zentrick's is another 3,805 words. Oh - and remember that you need to accept cookies on each one of those sites too and you're going to want to read about how they and their partners track you...

And the ridiculous thing about it is that tracking isn't entirely dependent on cookies anyway (and yes, I know the Dutch situation touched on browser fingerprinting in general too). Want to see a perfect example? Have a go of Am I Unique and you'll almost certainly be told that "Yes! You can be tracked!":

Over one million samples collected and yet somehow, I am a unique snowflake that can be identified across requests without a cookie in sight. How? Because even though I'm running the current version of Chrome on the current version of Windows, less than 0.1% of people have the same user agent string as me. Less than 0.1% of people also have their language settings the same as mine. Keep combining these unique attributes and you have a very unique fingerprint:

The list goes on well beyond that screen grab too - time zone, screen resolution and even the way the canvas element renders on the page. It's kinda cool in a kinda creepy way.
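To make the "keep combining these attributes" point measurable, here is an added Python example (my own, not code from the post or from Am I Unique) that reports how the anonymity set shrinks as a tracker observes more attributes. The population of 1,000 profiles and every attribute value in it are constructed for illustration, not real measurements.

```python
import math

# Constructed population of 1,000 browser profiles (made-up values).
# Each row: (count, user_agent, language, timezone, screen_resolution).
POPULATION_SPEC = [
    (600, "Chrome/75 Windows 10",        "en-US", "UTC-5",  "1920x1080"),
    (250, "Chrome/75 Windows 10",        "en-US", "UTC+1",  "1366x768"),
    (100, "Chrome/75 Windows 10",        "en-GB", "UTC+1",  "1920x1080"),
    (40,  "Chrome/75 Windows 10 (beta)", "en-US", "UTC-5",  "1920x1080"),
    (8,   "Chrome/75 Windows 10 (beta)", "en-AU", "UTC+10", "1920x1080"),
    (1,   "Chrome/75 Windows 10",        "en-AU", "UTC+10", "2560x1440"),
    (1,   "Chrome/75 Windows 10 (beta)", "en-AU", "UTC+10", "2560x1440"),
]
ATTRIBUTES = ("user_agent", "language", "timezone", "resolution")


def expand(spec):
    """Turn the (count, values...) rows into one dict per simulated visitor."""
    population = []
    for count, *values in spec:
        population.extend([dict(zip(ATTRIBUTES, values))] * count)
    return population


POPULATION = expand(POPULATION_SPEC)
# The visitor being fingerprinted: the last row, a one-off combination.
ME = dict(zip(ATTRIBUTES, POPULATION_SPEC[-1][1:]))


def attribute_share(population, attr, value):
    """Fraction of the population sharing one attribute value
    (the 'less than 0.1% have my user agent' kind of figure)."""
    return sum(1 for p in population if p[attr] == value) / len(population)


def anonymity_set(population, profile, attrs):
    """Profiles indistinguishable from `profile` when only `attrs` are observed."""
    return [p for p in population if all(p[a] == profile[a] for a in attrs)]


def identifying_bits(population_size, set_size):
    """Information revealed by landing in a set of `set_size` out of
    `population_size`: log2(N / k) bits. N bits of entropy identify 2^N people."""
    return math.log2(population_size / set_size)


def fingerprint_progression(population, profile, attrs=ATTRIBUTES):
    """Observe attributes one at a time, as a tracker combining signals would,
    and report (attribute, anonymity-set size, cumulative identifying bits)."""
    rows = []
    for i in range(1, len(attrs) + 1):
        k = len(anonymity_set(population, profile, attrs[:i]))
        rows.append((attrs[i - 1], k, round(identifying_bits(len(population), k), 2)))
    return rows


if __name__ == "__main__":
    for attr, k, bits in fingerprint_progression(POPULATION, ME):
        print(f"+ {attr:<11} anonymity set = {k:>4}  ({bits} bits)")
```

Note that the timezone step adds no bits because, in this population, every en-AU profile already shares it: a redundant signal narrows nothing, which is why fingerprinting libraries favour attributes that vary independently.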

And here's the bit that really bugs me (ok, it all bugs me but this is the worst): how do we expect your normal everyday person to differentiate between cookie warnings and warnings like these:


I know what these are and you probably do too by virtue of being on this blog, but do you really think most people who have been conditioned to click through the warning that's sitting between them and the content they wish to read understand the difference between this and a cookie warning? We literally have banks telling people just to ignore these warnings:

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices. That is all.

How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep

Spring Break 2019 is in full swing, which means high school and college kids have hit the road determined to make this rite of passage epic. Unfortunately, not everyone will return home with his or her online reputation intact.

Despite the headlines and warnings, kids are still uploading their lives 24/7 and not all of their choices will be wise. While impressive at the moment, showcasing one’s exceptional beer pong or body shot skills could become a future digital skeleton.

Define it

The decision to share reckless content online has damaged (even destroyed) scholarships, opportunities, reputations, and careers.

Each day more than one billion names are searched on Google, and 77% of job recruiters look up potential employees online during the hiring process, according to BrandYourself.com. Also, 45% of people have found content in an online search that made them decide not to do business with someone.

As elementary as it sounds, the first step to helping your child safeguard his or her online reputation this spring break is defining what is and is not appropriate online content.


Technology has created a chasm between generations so don’t assume your values align with your child’s in this area. Behavior once considered inappropriate has slowly become acceptable to kids who grew up in the online space. Also, peers often have far more influence than parents.

So take the time to define (and come to an agreement on) content you consider off limits such as profanity, racy photos, mean, disrespectful, or racist comments, irresponsible or prank videos, or pictures that include alcohol or drug use. (Yes, state the obvious!)

Untag It

Turn off tagging. Like it or not, people often judge us by the company we keep. Your child’s online behavior may be stellar, but tag-happy, reckless friends can sink that quickly. To make sure your child doesn’t get tagged in risky photos on Twitter, Instagram, or Facebook, encourage them to adjust privacy settings to prevent tagging or require user approval. Also, help your kids pay more attention to unflattering Snapchat photos and Snapchat story photos that other people post about them, which can be problematic if shared elsewhere.

Lock It

Amp privacy settings. By adjusting privacy settings to “friends only” on select social networks, the reach of digital mistakes can be minimized. However, we know that anything uploaded can be shared and screen captured before it’s deleted, so tightening privacy settings isn’t a guarantee.

Google It

To get a clear picture of your child’s digital footprint and what a school or future employer might find, Google your child’s name. Examine the social networks, links, and sites that have cataloged information about your child. One of the best ways to replace damaging digital information is by creating positive information that overshadows it. Encourage your child to set up a Facebook page that reflects their best self — their values, their goals, and their character. Make the page public so others can view it. They may also consider setting up a LinkedIn page that highlights specific achievements, goals, and online endorsements from teachers and past employers.

If for some reason there’s damaging content that can’t be removed by request, encourage your child to set up a personal website and blog weekly. This can be a professional or hobby blog, but the idea is to repopulate the search results with favorable content and push the tainted content further down on Google.

Balance It

In your guiding, don’t forget the wise words of Cyndi Lauper who reminds us all, “Girls just wanna have fun!” Strive for balance in giving kids the room to make memories with friends while at the same time equipping them to make wise choices online.

The post How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep appeared first on McAfee Blogs.

Why it’s too easy to manipulate voters – and steal the EU elections | Eleonora Nestola

It’s time to act, as personal data is being used to target voters – and the EU commission isn’t doing enough to stop this

On 11 July last year the UK Information Commissioner’s Office (ICO) published its first report on the Cambridge Analytica scandal. This is a date I will never forget, a date that substantially changed my vision of the current threats to our democratic society. It is a day that became a call to arms for me – and, for once, I had the understanding, the knowledge and the expertise to support the fight. I felt it was time to put all of this to good use for civil society, and so I set out to discover how online electoral campaigning works. And let me tell you, the system is not in good health and we Europeans should all be made more aware of that.


Voters become unaware they are receiving political messages based on bias. The risks are enormous


The Risks of Public Wi-Fi and How to Close the Security Gap

As I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPN

The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

A VPN allows you to connect to a proxy server that will access online sites on your behalf and enables a secure connection almost anywhere you go. A VPN also hides your IP address and allows you to browse anonymously from any location.

How VPNs work

To use a VPN, you subscribe to a VPN service, download the app onto your desktop or phone, set up your account, and then log on to a VPN server to conduct your online activity privately.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi

Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

Mumsnet reports itself to regulator over data breach

Company apologises after bug meant users were able to log into accounts of strangers

Mumsnet has reported itself to the information commissioner after a data breach resulted in users accidentally logging into the accounts of strangers.


#PrivacyAware: Will You Champion Your Family’s Online Privacy?

The perky cashier stopped my transaction midway to ask for my email and phone number.

Not now. Not ever. No more. I’ve had enough, I thought to myself.

“I’d rather not, thank you,” I replied.

The cashier finished my transaction and moved on to the next customer without a second thought.

And, my email and phone number lived in one less place that day.

This seemingly insignificant exchange happened over a year ago, but it represents the day I decided to get serious and champion my (and my family’s) privacy.

I just said no. And I’ve been doing it a lot more ever since.

A few changes I’ve made:

  • Pay attention to privacy policies (especially of banks and health care providers).
  • Read the terms and conditions of apps before downloading.
  • Block cookies from websites.
  • Refuse to purchase from companies that (appear to) take privacy lightly.
  • Max my privacy settings on social networks.
  • Change my passwords regularly and keep them strong!
  • Delete apps I no longer use.
  • Stay on top of software updates on all devices and add extra protection.
  • Have become hyper-aware before giving out my email, address, phone number, or birth date.
  • Limit the number of photos and details shared on social media.

~~~

The amount of personal information we share every day online — and off — is staggering. There’s information we post directly online such as our birth date, our location, our likes, and dislikes. Then there’s the data that’s given off unknowingly via web cookies, metadata, downloads, and apps.

While some data breaches are out of our control, at the end of the day, we — along with our family members — are one giant data leak.

Studies show that on average by the age of 13, parents have posted 1,300 photos and videos of their child to social media. By the time kids get devices of their own, they are posting to social media 26 times per day on average — a total of nearly 70,000 posts by age 18.

The Risks

When we overshare personal data a few things can happen. Digital fallout includes data misuse by companies, identity theft, credit card fraud, medical fraud, home break-ins, reputation damage, location and purchasing tracking, ransomware, and other risks.

The Mind Shift

The first step toward boosting your family’s privacy is to start thinking differently about privacy. Treat your data like gold (after all, that’s the way hackers see it). Guiding your family in this mind-shift will require genuine, consistent effort.

Talk to your family about privacy. Elevate its worth and the consequences when it’s undervalued or shared carelessly.

Teach your kids to treat their personal information — their browsing habits, clicks, address, personal routine, school name, passwords, and connected devices — with great care. Consider implementing this 11 Step Privacy Take Back Plan.

This mind and attitude shift will take time but, hopefully, your kids will learn to pause and think before handing over personal information to an app, a social network, a retail store, or even to friends.

Data Protection Tips*

  1. Share with care. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future.
  2. Own your online presence. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information.
  3. Think before you act. Information about you, such as the games you like to play, your contacts list, where you shop and your geographic location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through websites and apps.
  4. Lock down your login. Your usernames and passwords are not enough to protect critical accounts like email, banking, and social media. Strengthen online accounts and use strong authentication tools like a unique, one-time code through an app on your mobile device.

* Provided by the National Cyber Security Alliance (NCSA).

January 28 is National Data Privacy Day. The day highlights one of the most critical issues facing families today — protecting personal information in a hyper-connected world. It’s a great opportunity to commit to taking real steps to protect your online privacy. For more information on National Data Privacy Day or to get involved, go to Stay Safe Online.

The post #PrivacyAware: Will You Champion Your Family’s Online Privacy? appeared first on McAfee Blogs.

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 brings more reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 million users of the "make your own avatar" app Boomoji had their accounts compromised after the company reportedly didn't secure its internet-connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.


A large data breach reported in Brazil is of interest: a massive 120 million Brazilian citizens' personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018. The lesson to be learnt in the UK is to never assume or take cloud security for granted; it is essential practice to test and audit cloud services regularly.

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employees' personal data may have been compromised. Let's hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.
NASA InSight Lander arrives on Mars 

It wouldn't be normal for Facebook not to be in the headlines for poor privacy; this time Facebook announced a Photo API bug which exposed 6.8 million user images.

Away from the political circus that is Brexit, the European Parliament put into law a new Cybersecurity Act. Because of Brexit making all the headlines, this new law may have gone under the radar, but it is certainly worth keeping an eye on, even after the UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU-wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect this new best-practice framework and its associated accreditations will be turned into regulations further down the line, which would impact any tech business operating in the European Union.

The UK Parliament enacted the "Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with the UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to the UK's future critical national infrastructure posed by the Chinese state-backed tech giant. The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in the new UK mobile network.

Security company Insinia caused controversy after it took over the Twitter accounts of Eamon Holmes, Louis Theroux and several other celebrities. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, and the way the social network interacts with smartphones when messages are sent, in order to inject messages onto the targeted accounts. However, Insinia was accused in some quarters of being unethical and of breaking the UK Computer Misuse Act.

Unsecured internet-connected printers are being hacked again; this time they were used to print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up to 50,000 printers after using Shodan to search for open printer ports online; the scan was said to have found 800,000 vulnerable printers.

A Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way." The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.


Busting 5 Cybersecurity Myths

It is not a secret that many people nowadays do not pay much attention when they surf the web at home or at work. There are new data breaches and exploits on a daily basis, and still, avoiding taking any precautions may result in catastrophic consequences. Even the biggest corporations are paying millions of dollars so they can improve their cybersecurity and remain safe. However, if you still believe in some of the cybersecurity myths, you may put your own computer or even your whole organization at huge risk. We at CyberDB have decided to bust the top 5 cyber security myths and make things clear for you.

Only the IT department is responsible for cybersecurity

It is not wrong to say that the IT department is responsible for implementing new processes and policies to keep cybersecurity in top-notch shape. However, they just don’t have a magic wand to protect all of the computers in the network. In reality, each employee should be extremely careful when receiving and opening e-mail messages from colleagues or third parties. It is dangerous because an infection can spread across all of the departments within the organization, and this may cause a further data breach, for example.

Using just an antivirus software is enough

Antivirus software might have been enough to save your business from a potential attack 20 years ago; nowadays it definitely is not enough to protect your whole organization. Hackers find new ways to disable your antivirus and hide their attacks in the system. With ransomware gaining more popularity among hackers, the time between getting infected and having your information locked is just a matter of seconds. So using an antivirus is not always enough; you also need to stay informed about the latest threats. Check out our database of cyber security vendors to find the best solution for your personal or business needs.

A strong password is enough

It is not a secret that having a long and complex password on your accounts is essential. However, even big tech giants like Facebook or Apple experience data breaches and are pretty often a target for hackers. Every website requires you to create a strong password, but it is also good to use two-factor authentication (2FA). Originally, the user received an SMS with a code for 2FA, but even this can be compromised by using a cloned SIM card. So make sure you use an app like Google Authenticator, for example, to make your accounts more secure.

Threats are being spread only through the Internet

Some users may think that disconnecting from the internet will prevent threats from spreading around the network, and they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in: all of the computers may become infected and your company may lose valuable information. You may even have your information stolen when you shop at a local retailer. So threats are not only online but in our daily life, and we need to be very careful and take care of our personal information.

Only certain industries experience cyber attacks

Some businesses still believe that they may not be targeted by hackers because they are a small or mid-sized business or in a specific industry. Well, they are completely wrong. Some companies also believe they do not have anything that hackers may find valuable to steal. In reality, there is information like personal addresses or credit card numbers which can make every business in every industry a potential target. Here are the industries which are most vulnerable to cyber-attacks nowadays:

Top 10 Sectors Breached

The post Busting 5 Cybersecurity Myths appeared first on CyberDB.