security


What you missed in cybersecurity this week

There’s not a week that goes by where cybersecurity doesn’t dominate the headlines. This week was no different. Struggling to keep up? We’ve collected some of the biggest cybersecurity stories from the week to keep you in the know and up to speed.

Malicious websites were used to secretly hack into iPhones for years, says Google

TechCrunch: This was the biggest iPhone security story of the year. Google researchers found a number of websites that were stealthily hacking into thousands of iPhones every week. The operation was carried out by China to target Uyghur Muslims, according to sources, and also targeted Android and Windows users. Google said it was an “indiscriminate” attack through the use of previously undisclosed so-called “zero-day” vulnerabilities.

Hackers could steal a Tesla Model S by cloning its key fob — again

Wired: For the second time in two years, researchers have found a serious flaw in the key fobs used to unlock Tesla’s Model S cars, successfully cracking the fob’s encryption. After the first break, the encryption key was doubled in size. Using twice the resources, the researchers cracked the key again. The good news is that a software update can fix the issue.

Microsoft’s lead EU data watchdog is looking into fresh Windows 10 privacy concerns

TechCrunch: Microsoft could be back in hot water with the Europeans after the Dutch data protection authority asked its Irish counterpart, which oversees the software giant, to investigate Windows 10 for allegedly breaking EU data protection rules. A chief complaint is that Windows 10 collects too much telemetry from its users. Microsoft made some changes after the issue was brought up for the first time in 2017, but the Irish regulator is looking at if these changes go far enough — and if users are adequately informed. Microsoft could be fined up to 4% of its global annual revenue if found to have flouted the law. Based off 2018’s figures, Microsoft could see fines as high as $4.4 billion.

U.S. cyberattack hurt Iran’s ability to target oil tankers, officials say

The New York Times: A secret cyberattack against Iran, carried out in June but only reported this week, significantly degraded Tehran’s ability to track and target oil tankers in the region. It’s one of several offensive operations against a foreign target by the U.S. government in recent months. Iran’s military seized a British tanker in July in retaliation over a U.S. operation that downed an Iranian drone. According to a senior official, the strike “diminished Iran’s ability to conduct covert attacks” against tankers, but sparked concern that Iran may be able to quickly get back on its feet by fixing the vulnerability used by the Americans to shut down Iran’s operation in the first place.

Apple is turning Siri audio clip review off by default and bringing it in house

TechCrunch: After Apple was caught paying contractors to review Siri queries without user permission, the technology giant said this week it will turn off human review of Siri audio by default and bring any opt-in review in-house. That means users actively have to allow Apple staff to “grade” audio snippets made through Siri. Apple began audio grading to improve the Siri voice assistant. Amazon, Facebook, Google, and Microsoft have all been caught out using contractors to review user-generated audio.

Hackers are actively trying to steal passwords from two widely used VPNs

Ars Technica: Hackers are targeting and exploiting vulnerabilities in two popular corporate virtual private network (VPN) services. Fortigate and Pulse Secure let remote employees tunnel into their corporate networks from outside the firewall. But these VPN services contain flaws which, if exploited, could let a skilled attacker tunnel into a corporate network without needing an employee’s username or password. That means they can get access to all of the internal resources on that network — potentially leading to a major data breach. News of the attacks came a month after the vulnerabilities in widely used corporate VPNs were first revealed. Thousands of vulnerable endpoints exist — months after the bugs were fixed.

Grand jury indicts alleged Capital One hacker over cryptojacking claims

TechCrunch: And finally, just when you thought the Capital One breach couldn’t get any worse, it does. A federal grand jury said the accused hacker, Paige Thompson, should be indicted on new charges. The alleged hacker is said to have created a tool to detect cloud instances hosted by Amazon Web Services with misconfigured web firewalls. Using that tool, she is accused of breaking into those cloud instances and installing cryptocurrency mining software. This is known as “cryptojacking,” and relies on using computer resources to mine cryptocurrency.

Malicious websites were used to secretly hack into iPhones for years, says Google

Security researchers at Google say they’ve found a number of malicious websites which, when visited, could quietly hack into a victim’s iPhone by exploiting a set of previously undisclosed software flaws.

Google’s Project Zero said in a deep-dive blog post published late on Thursday that the websites were visited thousands of times per week by unsuspecting victims, in what they described as an “indiscriminate” attack.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero.

He said the websites had been hacking iPhones over a “period of at least two years.”

The researchers found five distinct exploit chains involving 12 separate security flaws, including seven involving Safari, the in-built web browser on iPhones. The five separate attack chains allowed an attacker to gain “root” access to the device — the highest level of access and privilege on an iPhone. In doing so, an attacker could gain access to the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on an iPhone owner without their knowledge or consent.

Google said, based on its analysis, the vulnerabilities were used to steal a user’s photos and messages as well as track their location in near-realtime. The “implant” could also access the user’s on-device bank of saved passwords.

The vulnerabilities affect iOS 10 through to the current iOS 12 software version.

Google privately disclosed the vulnerabilities in February, giving Apple only a week to fix the flaws and roll out updates to its users. That’s a fraction of the 90 days typically given to software developers, giving an indication of the severity of the vulnerabilities.

Apple issued a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.

Beer said it’s possible other hacking campaigns are currently in action.

The iPhone and iPad maker in general has a good rap on security and privacy matters. Recently the company increased its maximum bug bounty payout to $1 million for security researchers who find flaws that can silently target an iPhone and gain root-level privileges without any user interaction. Under Apple’s new bounty rules — set to go into effect later this year — Google would’ve been eligible for several million dollars in bounties.

When reached, a spokesperson for Apple declined to comment.

Web host Hostinger says data breach may affect 14 million customers

Hostinger said it has reset user passwords as a “precautionary measure” after it detected unauthorized access to a database containing information on millions of its customers.

The breach is said to have happened on Thursday. The company said in a blog post it received an alert that one of its servers was improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database. That database contained customer usernames, email addresses, and passwords scrambled with the SHA-1 algorithm, which has been deprecated in favor of stronger algorithms after researchers found SHA-1 was vulnerable to spoofing. The company has since upgraded its password hashing to the stronger SHA-2 algorithm.

Hostinger said the API database stored about 14 million customer records. The company has more than 29 million customers on its books.

The company said it was “in contact with the respective authorities.”

[Image: An email from Hostinger explaining the data breach. (Image: supplied)]

News of the breach broke overnight. According to the company’s status page, affected customers have already received an email to reset their passwords.

The company said that financial data was not compromised, nor were customer website files or data affected.

But one customer who was affected by the breach accused the company of being potentially “misleading” about the scope of the breach.

A chat log seen by TechCrunch shows a customer support representative telling the customer it was “correct” that customers’ financial data can be retrieved by the API but that the company does “not store any payment data.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.

Chief executive Balys Kriksciunas told TechCrunch that the remarks made by the customer support representative were “misleading” and denied any customer financial data was compromised. A company investigation into the breach, however, remains under way.

Updated with remarks from Hostinger.


Tesla Model 3 owner implants RFID chip to turn her arm into a key

Forget the keycard or phone app, one software engineer is trying out a new way to unlock and start her Tesla Model 3.

Amie DD, who has a background in game simulation and programming, recently released a video showing how she “biohacked” her body. The software engineer removed the RFID chip from the Tesla Model 3 valet card using acetone, then placed it into a biopolymer, which was injected through a hollow needle into her left arm. A professional who specializes in body modifications performed the injection.

You can watch the process below, although folks who don’t like blood should consider skipping it. Amie DD also has a page on Hackaday.io that explains the project and the process.

The video is missing one crucial detail. It doesn’t show whether the method works. TechCrunch will update the post once a new video delivering the news is released.

Amie is not new to biohacking. The original idea was to use the existing RFID implant chip that was already in her hand to be able to start the Model 3. That method, which would have involved taking the Java applet and writing it onto her own chip, didn’t work because of Tesla’s security. So, Amie DD opted for another implant.

Amie DD explains why and how she did this in another, longer video posted below. She also talks a bit about her original implant in her left hand, which she says is used for “access control.” She uses it to unlock the door of her home, for instance.


How safe are school records? Not very, says student security researcher

If you can’t trust your bank, government or your medical provider to protect your data, what makes you think students are any safer?

Turns out, according to one student security researcher, they’re not.

Eighteen-year-old Bill Demirkapi, a recent high school graduate in Boston, Massachusetts, spent much of his latter school years with an eye on his own student data. Through self-taught pen testing and bug hunting, Demirkapi found several vulnerabilities in his school’s learning management system, Blackboard, and his school district’s student information system, known as Aspen and built by Follett, which centralizes student data, including performance, grades, and health records.

The former student reported the flaws and revealed his findings at the Def Con security conference on Friday.

“I’ve always been fascinated with the idea of hacking,” Demirkapi told TechCrunch prior to his talk. “I started researching but I learned by doing,” he said.

Among one of the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability, which if exploited could have allowed an attacker to read and write to the central Aspen database and obtain any student’s data.

Blackboard’s Community Engagement platform had several vulnerabilities, including an information disclosure bug. A debugging misconfiguration allowed him to discover two subdomains, which spat back the credentials for Apple app provisioning accounts for dozens of school districts, as well as the database credentials for most if not all instances of Blackboard’s Community Engagement platform, said Demirkapi.


Another set of vulnerabilities could have allowed an authorized user — like a student — to carry out SQL injection attacks. Demirkapi said six databases could be tricked into disclosing data by injecting SQL commands, including grades, school attendance data, punishment history, library balances, and other sensitive and private data.

Some of the SQL injection flaws were blind attacks, meaning dumping the entire database would have been more difficult but not impossible.

In all, over 5,000 schools and over five million students and teachers were impacted by the SQL injection vulnerabilities alone, he said.

Demirkapi said he was mindful to not access any student records other than his own. But he warned that any low-skilled attacker could have done considerable damage by accessing and obtaining student records, not least thanks to the simplicity of the database’s password. He wouldn’t say what it was, only that it was “worse than ‘1234’.”

But finding the vulnerabilities was only one part of the challenge. Disclosing them to the companies turned out to be just as tricky.

Demirkapi admitted that his disclosure with Follett could have been better. He found that one of the bugs gave him improper access to create his own “group resource,” such as a snippet of text, which was viewable to every user on the system.

“What does an immature 11th grader do when you hand him a very, very, loud megaphone?” he said. “Yell into it.”

And that’s exactly what he did. He sent out a message to every user, displaying each user’s login cookies on their screen. “No worries, I didn’t steal them,” the alert read.

“The school wasn’t thrilled with it,” he said. “Fortunately, I got off with a two-day suspension.”

He conceded it wasn’t one of his smartest ideas. He wanted to show his proof-of-concept but was unable to contact Follett with details of the vulnerability. He later went through his school, which set up a meeting, and disclosed the bugs to the company.

Blackboard, however, ignored Demirkapi’s responses for several months, he said. He knows because after the first month of being ignored, he included an email tracker, allowing him to see how often the email was opened — which turned out to be several times in the first few hours after sending. And yet the company still did not respond to the researcher’s bug report.

Blackboard eventually fixed the vulnerabilities, but Demirkapi said he found that the companies “weren’t really prepared to handle vulnerability reports,” despite Blackboard ostensibly having a published vulnerability disclosure process.

“It surprised me how insecure student data is,” he said. “School data or student data should be taken as seriously as health data,” he said. “The next generation should be one of our number one priorities, who looks out for those who can’t defend themselves.”

He said if a teenager had discovered serious security flaws, it was likely that more advanced attackers could do far more damage.

Heather Phillips, a spokesperson for Blackboard, said the company appreciated Demirkapi’s disclosure.

“We have addressed several issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party,” the statement said. “One of the lessons learned from this particular exchange is that we could improve how we communicate with security researchers who bring these issues to our attention.”

Follett spokesperson Tom Kline said the company “developed and deployed a patch to address the web vulnerability” in July 2018.

The student researcher said he was not deterred by the issues he faced with disclosure.

“I’m 100% set already on doing computer security as a career,” he said. “Just because some vendors aren’t the best examples of good responsible disclosure or have a good security program doesn’t mean they’re representative of the entire security field.”

The Cost of Email Phishing

When did email become the weakest link? How can you protect your organization from email phishing attacks?

People have always clicked on malicious links, and a message that lands directly in your inbox seems to make it even more likely that you will click on it.

One out of every 99 emails is a phishing scam which means that every employee in your organization is getting almost 5 phishing emails every workweek. Unfortunately, most people rely on their email program to filter out such messages.

Phishing Attacks Are Very Common — And Very Costly

Almost a third of phishing emails make it past default email security and 5% of those have been whitelisted by a system admin. There are several very common forms of phishing attacks:

  • 41% are credential attacks in which hackers try to gain access to the target’s usernames and passwords, costing $400 per account to clean up.
  • 51% of attacks are links that prompt the download of malware, which can cause an average of $2.4 million in damage when successful.
  • 0.4% of attacks are spearphishing attacks in which high-level people in an organization are targeted. While these are the least common attacks, they can be the most expensive, averaging $7.2 million per incident.
  • 8% of attacks are extortion attempts, and when they are successful, they can cost an average of $5,000 per user.

Last year, 64% of information security professionals were targeted by spearphishing attacks while 35% of working professionals don’t even know what a phishing attack means. The cost of phishing comes in more than cleanup – it can also do serious reputational damage.

The average cost of a phishing attack on a midsized business is $1.6 million. There’s lost productivity while everyone tries to halt and undo the damage. There’s also a loss of proprietary data and perhaps the worst of all is the damage to a company’s reputation after a breach. A third of consumers will stop using a business once a breach has occurred and it could take years to recover from such an incident.

It’s Entirely Too Easy To Fall For The Bait


Even if you are in the 65% of working professionals who know what a phishing attack is, it’s still very easy to fall victim. Successful phishing campaigns play to our emotions and sense of urgency. They often feature subject lines designed to scare or cajole us into action.

Subject lines such as “complaint filed” or “open enrollment” make us believe there’s an action that needs to be taken immediately or something bad might happen. It may include losing our family’s health insurance or getting fired from our jobs.

It also doesn’t help that a quarter of phishing emails spoof trusted brands. When you are expecting a package from Amazon and happen to get an email from Amazon in your inbox, it might seem believable enough that you open it to see what’s going on.

The most common signs of phishing include:

  • Address of a crypto wallet
  • Link to a WordPress site
  • BCC to many others
  • Shortened URLs
  • From a trusted brand
  • Link to a file on Google Drive

Because these are all things that have legitimate uses, hackers can exploit them to make us think they are completely safe. Knowing the threat is the best way to avoid falling victim, but that may not be enough. If hackers weren’t so good at what they do, which is understanding human psychology, we would have no need for email scanning software.
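As an added example (not code from this post or from Avanan), the Python below turns the six signs listed above into a simple scoring check run over constructed sample messages. The shortener list, the brand-to-domain table, the WordPress path markers and the two-sign threshold are assumptions, and the parser assumes single-part text messages with standard headers.

```python
"""Heuristic scorer for the six phishing signs named above (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Tuple

# Assumed lookup tables; extend them with your own observations.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
GOOGLE_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
WORDPRESS_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/wp-login.php")
# Brand keyword -> domains that may legitimately send as that brand (assumed).
BRAND_DOMAINS: Dict[str, Tuple[str, ...]] = {
    "amazon": ("amazon.com", "amazon.co.uk"),
    "paypal": ("paypal.com",),
    "microsoft": ("microsoft.com",),
}
URL_RE = re.compile(r"https?://([^\s/<>()]+)(/[^\s<>()]*)?", re.IGNORECASE)
# Loose shapes for Bitcoin (legacy / bech32) and Ethereum addresses.
WALLET_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60}|0x[0-9a-fA-F]{40})\b"
)


def _domain_matches(domain: str, allowed: Tuple[str, ...]) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def phishing_signs(raw_message: str, recipient: str) -> List[str]:
    """Return the names of the page's six signs that fire on one message.

    `recipient` is the mailbox the message was delivered to; it is needed to
    tell whether the reader was only BCC'd.
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart: concatenate the text parts
        body = "\n".join(
            str(p.get_payload()) for p in msg.walk() if p.get_content_type() == "text/plain"
        )
    signs: List[str] = []

    # 1. Crypto wallet address in the body
    if WALLET_RE.search(body):
        signs.append("crypto_wallet")

    urls = [(h.lower(), (p or "").lower()) for h, p in URL_RE.findall(body)]
    # 2. Link into a WordPress site (recognised by its well-known paths)
    if any(any(m in path for m in WORDPRESS_PATH_MARKERS) for _, path in urls):
        signs.append("wordpress_link")
    # 4. Shortened URL hides the real destination
    if any(host in SHORTENER_HOSTS for host, _ in urls):
        signs.append("shortened_url")
    # 6. Link to a file on Google Drive / Docs
    if any(host in GOOGLE_DRIVE_HOSTS for host, _ in urls):
        signs.append("google_drive_link")

    # 3. Reader was BCC'd: not in To/Cc, or "undisclosed recipients"
    visible = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    to_header = (msg.get("To") or "").lower()
    if recipient.lower() not in visible or "undisclosed-recipients" in to_header:
        signs.append("bcc_recipient")

    # 5. Claims a trusted brand but sends from an unrelated domain
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    haystack = f"{name} {addr}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in haystack and not _domain_matches(sender_domain, domains):
            signs.append("brand_spoof")
            break
    return signs


def is_suspicious(raw_message: str, recipient: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` signs fire (assumed cutoff)."""
    return len(phishing_signs(raw_message, recipient)) >= threshold


# Constructed sample messages (not real mail).
PHISH = """\
From: "Amazon Customer Service" <alerts@amaz0n-billing.example>
To: undisclosed-recipients:;
Subject: complaint filed against your account

Your package could not be delivered. Review the complaint here:
http://bit.ly/3xyzAbC
Or settle the fee to wallet 0x0123456789abcdef0123456789abcdef01234567
"""
LEGIT = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: alice@example.org
Subject: Your order has shipped

Track your package at https://www.amazon.com/gp/your-account/order-history
"""
DRIVE = """\
From: "HR Team" <hr@example.org>
To: alice@example.org
Subject: open enrollment

Please complete the form: https://docs.google.com/forms/d/constructed
Background at http://blog.example.net/wp-content/uploads/benefits.pdf
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT), ("drive", DRIVE)):
        print(label, phishing_signs(sample, "alice@example.org"), is_suspicious(sample, "alice@example.org"))
```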

It Helps To Have Backup

The existing spam filters in your email program catch a lot of the problems but not all of them. This lulls us into a false sense of security and leaves us believing that if something lands in our inboxes, it’s probably safe.

Unfortunately, this is just not the case. Learning how to avoid phishing attacks and schemes is crucial and it means reminding employees of these tactics on a regular basis. It can also help to get additional email scanning software to catch anything that looks real enough to be a threat.

Learn more about how email became the weakest link and how you can fight back from the infographic below.

How Email Became the Weakest Link [infographic]
Courtesy of Avanan


The post The Cost of Email Phishing appeared first on Dumb Little Man.

Capital One’s breach was inevitable, because we did nothing after Equifax

Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data — including over 140,000 Social Security numbers in the U.S., and more than a million in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a data breach it had — and hid from the public for several months — two years prior.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague and since-turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called on the credit agencies to face penalties to the top brass and extortionate fines to hold the companies accountable — and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told TechCrunch at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years since we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.

The Most Devastating Cyber Attack: How to Prevent Ransomware

Large corporations, governments, and even small businesses are always at high risk of being attacked. Hackers and cybercriminals aim to steal your money no matter who or what you are. Cyber-attacks have increased by 235%, according to a report issued by Malware Labs in 2019.

Malware, Man-In-The-Middle, and phishing are some of the most common types of cyber attacks, but which could be more destructive? The answer is ransomware.

Ransomware is on the rise in the cyber world. It is a type of malware attack that will steal your data. Criminals will demand ransom to return your data.

In the U.S., Cleveland Hopkins International Airport and Baltimore City faced ransomware attacks. These incidents left smaller businesses thinking that large corporations and governments are the only targets of a ransomware attack.

The truth, however, is that every business should prepare itself to prevent this attack. Every business needs to know how to prevent ransomware.

Difference between ransomware and other cyber attacks


Ransomware doesn’t need confidential information or personal data to be effective. This distinct behavior makes it different from other cyber attacks. It looks for data in an organization that is valuable enough for the victim to pay the ransom just to get it back.

Ransomware is a very effective way for hackers to paralyze an organization. It blocks the organization’s access to its information and its ability to deliver services and accept payments. All of these obstacles will turn an organization’s customers away.

How to Prevent Ransomware

Ransomware can cost a lot to a business so it must prepare itself to combat not only ransomware but all kinds of cyber attacks.

Several best practices businesses should implement to protect themselves from cyber attacks include:

Security Software

Security software is crucial for an organization to detect and deter fraudulent activity. This software should be strong enough to verify activities and detect potential harm to the organization.

If your business is online, then your organization must use an identity verification service. It is an anti-fraud technology for online businesses that can verify your customers and even employees online. It is capable of detecting if someone is pretending to be someone else.

Firewall & Intrusion Detection/Protection

Installing a firewall is a crucial security measure and any business should not neglect it. It can deny and allow access to a company network or a part of the network. By restricting access with the help of a firewall, an organization can prevent scammers.

Web & Email Filtering


All efforts to keep ransomware out of the network become useless when an end-user inadvertently opens a malicious email and clicks a malicious link. For end-users, it is becoming increasingly hard to detect all malicious emails as phishing attempts become more sophisticated.

Through email safety awareness training and email filtering for employees, an organization can mitigate the risk. It’s one of the best ways to prevent ransomware.

User Education

Users/clients are the most valuable asset of a company. Their protection should be the priority of any organization. An organization should arrange regular awareness programs for users to educate them about malicious links and persons.


Backup offers the best protection

Taking backups on a regular basis can protect you from ransomware. If you become a victim of ransomware, you can use your previous backup to keep going. Usually, taking a backup costs you little to nothing, but restoring a backup could take days or weeks. It will cost you in labor and downtime to restore and recover your systems to make them fully functional.

Various types of backup, disaster, and threat prevention strategies are circulating in the market and every solution is valuable according to its use. You can protect your business by implementing a solution that mitigates risks attached to your business.

Your IT team or technical department should understand and analyze business deeply to provide and implement the best solution for unique problems. An IT team must identify which type of backups are beneficial for specific organizations and how to restore them more efficiently in less time in case of any critical situation.

The post The Most Devastating Cyber Attack: How to Prevent Ransomware appeared first on Dumb Little Man.

Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping

Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.

Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.

The Walkie Talkie app on Apple Watch allows two users who have accepted an invite from each other to receive audio chats via a ‘push to talk’ interface reminiscent of the PTT buttons on older cell phones.

A statement from Apple reads:

We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.

Apple was alerted to the bug directly via its “report a vulnerability” portal and says that there is no current evidence that it was exploited in the wild.

The company is temporarily disabling the feature entirely until a fix can be made and rolled out to devices. The Walkie Talkie App will remain installed on devices, but will not function until it has been updated with the fix.

Earlier this year a bug was discovered in the group calling feature of FaceTime that allowed people to listen in before a call was accepted. It turned out that the teen who discovered the bug, Grant Thompson, had attempted to contact Apple about the issue but was unable to get a response. Apple fixed the bug and eventually awarded Thompson a bug bounty. This time around, Apple appears to be listening more closely to the reports that come in via its vulnerability tips line and has disabled the feature.

Earlier today, Apple quietly pushed a Mac update to remove a feature of the Zoom conference app that allowed it to work around Mac restrictions to provide a smoother call initiation experience — but that also allowed emails and websites to add a user to an active video call without their permission.

WeWork acquires Waltz, an app that lets users access different spaces with a single credential

WeWork announced today that it will acquire Waltz, a building access and security management startup, for an undisclosed amount. Waltz’s smartphone app and reader allows users to enter different properties with a single credential and will make it easier for WeWork’s enterprise clients, such as GE Healthcare and Microsoft, to manage their employees’ on-demand memberships to WeWork spaces.

WeWork’s announcement said “with deep expertise in mobile access and system integrations, Waltz has the most advanced and sophisticated products to provide that single credential to our members and to help us better connect them with our spaces.” Waltz was founded in 2015 by CEO Matt Kopel and has offices in New York and Montreal. After the acquisition, Waltz will be integrated into WeWork, but maintain its current customer base.

WeWork has been on an acquisition spree over the past year as it evolves from co-working spaces to a software-as-a-service provider. Companies it has bought include office management platforms Teem (for $100 million) and Managed by Q, as well as Euclid, a “spatial analytics platform” that allows companies to analyze the use of workspaces by their employees and participation at meetings and other events.

Likewise, Waltz isn’t just an alternative to keys or access cards. Its cloud-based management portal gives companies data about who enters and exits their buildings and also allows teams to set “Door Groups,” which restricts the use of some spaces to certain people. According to Waltz’s help site, it can also be used to make revenue through ads displayed in its app.

SentinelOne raises $120M for its fully-autonomous, AI-based endpoint security solution

Endpoint security — the branch of cybersecurity that focuses on data coming in from laptops, phones, and other devices connected to a network — is an $8 billion market that, due to the onslaught of network breaches, is growing fast. To underscore that demand, one of the bigger startups in the space is announcing a sizeable funding round.

SentinelOne, which provides real-time endpoint protection on laptops, phones, containers, cloud services and most recently IoT devices on a network through a completely autonomous, AI-based platform, has raised $120 million in a Series D round — money that it will be using to continue expanding its current business as well as forge into new areas such as building more tools to automatically detect and patch software running on those endpoints, to keep them as secure as possible.

The funding was led by Insight Partners, with Samsung Venture Investment Corporation and NextEquity participating, alongside all of the company’s existing investors, which include the likes of Third Point Ventures, Redpoint Ventures, Data Collective, Sound Ventures and Ashton Kutcher, Tiger Global, Granite Hill and more.

SentinelOne is not disclosing its valuation with this round, but CEO and co-founder Tomer Weingarten confirmed it was up compared to its previous funding events. SentinelOne has now raised just shy of $130 million, and PitchBook notes that in its last round, it was valued at $210 million post-money.

That would imply that this round values SentinelOne at more than $330 million, likely significantly more: “We are one of the youngest companies working in endpoint security, but we also have well over 2,000 customers and 300% growth year-on-year,” Weingarten said. And working in the area of software-as-a-service with a fully-automated solution that doesn’t require humans to run any aspect of it, he added, “means we have high margins.”

The rise in cyberattacks resulting from malicious hackers exploiting human errors — such as clicking on phishing links, or bringing in and using devices from outside the network running software that might not have its security patches up to date — has resulted in a stronger focus on endpoint security and the companies that provide it.

Indeed, SentinelOne is not alone. Crowdstrike, another large startup in the same space as SentinelOne, is now looking at a market cap of at least $4 billion when it goes public. Carbon Black, which went public last year, is valued at just above $1 billion. Another competitor, Cylance, was snapped up by BlackBerry for $1.5 billion.

Weingarten — who co-founded the company with Almog Cohen (CTO) and Ehud Shamir (CSO) — says that SentinelOne differs from its competitors in the field because of its focus on being fully autonomous.

“We’re able to digest massive amounts of data and run machine learning to detect any type of anomaly in an automated manner,” he said, describing Crowdstrike as “tech augmented by services.” That’s not to say SentinelOne is completely without human options (options being the key word; they’re not required): it offers its own managed services under the brand name of Vigilance and works with system integrator partners to sell its products to enterprises.

There is another recurring issue with endpoint security solutions, which is that they are known to throw up a lot of false positives — items that the system does not recognize and subsequently blocks, but which turn out to be safe. Weingarten admits that this is a by-product of all these systems, including SentinelOne’s.

“It’s a result of opting to use a heuristic rather than deterministic model,” he said, “but there is no other way to deal with anomalies and unknowns without heuristics, but yes with that comes false positives.” He pointed out that the company’s focus on machine learning as the basis of its platform helps it to more comprehensively ferret these out and make deductions on what might not otherwise have proper representation in its models. Working for a pilot period at each client also helps inform the algorithms to become more accurate ahead of a full rollout.

All this has helped bring down SentinelOne’s own false positive rate, which Weingarten said is around 0.04%, putting it in the bracket of lower mis-detectors in VirusTotal’s breakdown of false positive rates.

“Endpoint security is at a fascinating point of maturity, highlighting a massive market opportunity for SentinelOne’s technology and team,” said Teddie Wardi, Managing Director, Insight Partners, in a statement. “Attack methods grow more advanced by the day and customers demand innovative, autonomous technology to stay one step ahead. We recognize SentinelOne’s strong leadership team and vision to be unique in the market, as evidenced through the company’s explosive growth and highly differentiated business model from its peer cybersecurity companies.”

By virtue of digesting activity across millions of endpoints and billions of events among its customers, SentinelOne has an interesting vantage point when it comes to seeing the biggest problems of the moment.

Weingarten notes that one big trend is that the biggest attacks are now not always coming from state-sponsored entities.

“Right now we’re seeing how fast advanced techniques are funnelling down from government-sponsored attackers to any cyber criminal. Sophisticated malicious hacking can now come from anywhere,” he said.

When it comes to figuring out what is most commonly creating vulnerabilities at an organization, he said it was the challenge of keeping up to date with security patches. Unsurprisingly, it’s something that SentinelOne plans to tackle with a new product later this year — one reason for the large funding round this time around.

“Seamless patching is absolutely something that we are looking at,” he said. “We already do vulnerability assessments today and so we have the data to tell you what is out of date. The next logical step is to seamlessly track those apps and issue the patches automatically.”

Indeed it’s this longer term vision of how the platform will be developing, and how it’s moving in response to what the current threats are today, that attracted the backers. (Indeed the IoT element of the “endpoint” focus is a recent addition.)

“SentinelOne’s combination of best-in-class EPP and EDR functionality is a magnet for engagement, but it’s the company’s ability to foresee the future of the endpoint market that attracted us as a technology partner,” a rep from Samsung Venture Investment Corporation said in a statement. “Extending tech stacks beyond EPP and EDR to include IoT is the clear next step, and we look forward to collaborating with SentinelOne on its groundbreaking work in this area.”

8 Ways You’re Actually Inviting Burglars Into Your Home

According to FBI crime statistics, there were an estimated 7,694,086 property crimes nationwide with losses of $15.3 billion in 2017.

Though you certainly don’t want your home to become the next target of potential thieves, sometimes you might be unwittingly inviting burglars into your home and putting your property (and your family) at risk.

To avoid ending up as low-hanging fruit in the eyes of intruders, make sure you’re avoiding these 8 home security mistakes:

Unlocked doors, windows, and other entrances


The shocking fact is that 32% of homeowners leave a window open and 13% leave a door unlocked. This offers a great opportunity for thieves to sneak into your home without alerting your neighbors.

So, take a few seconds before you leave home to double check all your doors, windows, and other entry points. And don’t forget about your storage shed, basement or garage as well!

No lights on at night

A dark home at night can be a clear sign that your house is vacant. Instead of turning all your lights on when you’re away from home (smart burglars will easily see through this trick), it’s better to install timers on interior lamps. That way, you can create an appearance that the house is occupied.

Uncollected mail, newspapers, and packages

If you plan to go away for a vacation or on a business trip, ask a reliable neighbor, friend or family member in advance to pick up your mail, newspapers, and packages. You may also request that the post office hold your mail and ask the newsagent to stop delivering your papers until you come back home.

Leaving ladders and tools out

Leaving a ladder, hammer, saw or other tools in open areas is practically inviting trouble. Once these fall into the hands of burglars, the next thing you can expect, without any doubt, is forced entry into your home.

Place your tools in your garage or basement after use. Also, make sure that your basement and garage are well locked.

Untrimmed bushes and landscape

Overgrown bushes not only provide ideal cover for burglars to hide behind when casing your house but also suggest that you have been away for a long time. Both can lure burglars into your home.

Trim the bushes and mow your lawn regularly to make sure no one can hide in it. If you’re going away for a long period of time, hire someone to attend to the landscape during your absence.

Displaying valuable items in plain view

Are you leaving your garden furniture and lawn decorations in plain sight? Or do you just leave the box from your brand-new TV or computer on the curb? Watch out!

Thieves select homes to break into by taking note of boxes put out as trash, especially during holiday seasons. A safer way to dispose of the packaging from valuables is to cut it up and toss it in the trash can.

Leaving spare keys under carpet/stones

You might think it is a great idea to hide your spare keys under the doormat or a stone, but never underestimate burglars. They’re good at hide-and-seek games.

Doormats, flowerpots, mailboxes, and stones are normally the first places smart thieves would search. If you’re afraid that you might be locked out, give a set of keys to a trustworthy family member or friend.

Showing off on social media

It is understandable that you love to share a memorable experience during a trip on social media. But take heed: posting your vacation details on Facebook, Twitter, and Instagram is basically announcing to burglars that your home is unoccupied and free to break into.

So instead of posting your real-time vacation moments, wait until you come back home to share the photos online.

See Also: Home Security: Try These 10 Ways to Make Your Home Safer – Without a Gun

The post 8 Ways You’re Actually Inviting Burglars Into Your Home appeared first on Dumb Little Man.

Internet Access While Traveling: Tips for Keeping Your Data Safe

Are you tired of unreliable and painfully slow internet when traveling? Do you worry about your security?

It does feel like an endless battle waiting for apps to respond and pages to load. Imagine spending your precious traveling time looking at a blank screen instead of enjoying the beautiful environment.

To ensure you enjoy your internet access without worrying about your security while traveling, we have put together some really helpful tips.

Ensure you stick to secure sites

First, check whether the website is secure. You can do this by looking at the connection’s security information in a trusted browser like Firefox or Chrome. You’ll know a site’s connection is safe when there’s a green lock on the left side of the URL.

It is important to avoid entering sensitive information on non-secured sites, especially when using a public network. This includes credit card numbers, passwords, and other personal details.

See Also: 8 Easy Steps To Your Browser Security And Privacy

Avoid using apps


App security is less stringent when compared to browser security. If you are using apps from well-known brands like PayPal, you will most likely be okay.

However, it is important to avoid entering sensitive information into apps from less well-known companies. This is crucial, especially if you reuse the same password across various websites.

Switch off file sharing

Ensure that your files are secure.

In most cases, when you are using your laptop on your home network, you share folders with your parents, siblings or friends. This is fine as long as you remember to turn sharing off when connecting to public Wi-Fi.

If you forget to turn off file sharing, every person who connects to the same Wi-Fi can view your files.

Most recent computers are capable of automatically turning off file sharing when you connect to public Wi-Fi. However, it is advisable to always double check.
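One concrete way to do that double check, as an added example that is not part of the original article: the commands below assume a Windows 10 or 11 laptop with the built-in NetConnection, NetSecurity and SmbShare PowerShell modules. The first three steps are read-only and show what a stranger on the same Wi-Fi could reach; the last step applies the fix by marking the connection as a Public network, which is the setting Windows uses to block inbound file sharing.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 with the
# NetConnection, NetSecurity and SmbShare modules, which ship with Windows.
# Steps 1-3 work as a normal user; step 4 needs an elevated (Administrator) prompt.

# 1. Which network profile is each active adapter on?
#    "Private" or "DomainAuthenticated" lets File and Printer Sharing apply;
#    "Public" blocks inbound sharing traffic at the firewall.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 2. Which File and Printer Sharing firewall rules are enabled for the
#    Public profile? Ideally this list is empty.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Inbound |
    Where-Object { $_.Enabled -eq 'True' -and $_.Profile -match 'Public' } |
    Select-Object DisplayName, Profile

# 3. Which folders are currently shared? Administrative shares such as C$ and
#    ADMIN$ are listed as well; anything else is a folder you chose to share.
Get-SmbShare | Select-Object Name, Path, ScopeName

# 4. Remediation: mark every connection that is not already Public as Public.
#    Windows then applies its Public-profile firewall rules, which keep other
#    devices on the coffee-shop Wi-Fi from reaching your shares.
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -ne 'Public' } |
    ForEach-Object {
        Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
    }
```

Re-run step 1 afterwards to confirm the category changed, and switch the profile back to Private only when you are on a network you trust, otherwise the shares you rely on at home will stay unreachable.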

Update your anti-virus

It is important that you never connect your devices to any free Wi-Fi network without up-to-date antivirus software. Most smartphones and laptops these days come with built-in software like Windows Defender. However, you are still advised to step up and install software like Avast, which can give you an extra layer of protection.

Use VPN


You can consider using a VPN, which will act as your private internet bodyguard. A VPN hides your IP address and encrypts your connection so that everything you send over the network is hidden from other users of the same Wi-Fi.

VPNs are cheap and accessible. You should never have an excuse for failing to use one.

See Also: How to Set Up a VPN

Conclusion

The above measures will not make you bulletproof. However, they will help in reducing your chance of being targeted and improve your internet access while traveling.

The post Internet Access While Traveling: Tips for Keeping Your Data Safe appeared first on Dumb Little Man.

Sprint customers say a glitch exposed other people’s account information

Several Sprint customers have said they are seeing other customers’ personal information in their online accounts.

One reader emailed TechCrunch with several screenshots describing the issue, warning that they could see other Sprint customers’ names and phone numbers. The reader said they informed the phone giant of the issue, and a Sprint representative said they had “several calls pertaining to the same issue.”

In all, the reader saw 22 numbers in a two-hour period, they said.

Several other customers complained of the same data-exposing bug. It’s unclear how widespread the issue is or for how long the account information leak persisted.

Logged in to pay my @sprint bill, saw what looked like the details of another user. Did this 3 times. I called, rep said they’d been getting other similar calls. Advice on clarifying if this is the privacy breach it looks like? @EFF @publiccitizen @NCLC4consumers @eyywa

— Kylie B-C (@notthatkylie) March 14, 2019

@sprint are you having a known issue with your website?! I’m trying to set permissions on my account and some other family’s information is on my account!

— Thelma Cheeks (@Tcheeksiamhair) March 19, 2019

If you are a @sprint customer please be aware that there has been a data breach. I have logged on to my account twice and both times have seen other customers’ devices. A phone call with @sprintcare resulted in them hanging up on me.

— Madeline Finch (@themadfinch) March 19, 2019

Another customer told TechCrunch how the Sprint account pages were initially throwing errors. The customer said they scrolled down their account page and saw several numbers that were not theirs. “I was able to click each one individually and see every phone call they made, the text messages they used, and the standard info, including caller ID name they have set,” the customer told TechCrunch.

Of the customers we’ve spoken to, some are pre-paid and others are contract.

We’ve reached out to Sprint for more but did not hear back. We’ll update when more comes in.

Facebook won’t let you opt-out of its phone number ‘look up’ setting

Users are complaining that the phone number Facebook hassled them to use to secure their account with two-factor authentication has also been associated with their user profile — which anyone can use to “look up” their profile.

Worse, Facebook doesn’t give you an option to opt-out.

Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.

The recent hubbub began today after a tweet by Jeremy Burge blew up, criticizing Facebook’s collection and use of phone numbers, which he likened to “a unique ID that is used to link your identity across every platform on the internet.”

For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that. pic.twitter.com/zpYhuwADMS

— Jeremy Burge 🐥🧿 (@jeremyburge) March 1, 2019

Although users can hide their phone number on their profile so nobody can see it, it’s still possible to “look up” user profiles in other ways, such as “when someone uploads your contact info to Facebook from their mobile phone,” according to a Facebook help article. It’s a more restricted way than allowing users to search for user profiles using a person’s phone number, which Facebook restricted last year after admitting “most” users had their information scraped.

Facebook gives users the option of allowing users to “look up” their profile using their phone number to “everyone” by default, or to “friends of friends” or just the user’s “friends.”

But there’s no way to hide it completely.

Security expert and academic Zeynep Tufekci said in a tweet: “Using security to further weaken privacy is a lousy move — especially since phone numbers can be hijacked to weaken security,” referring to SIM swapping, where scammers impersonate cell customers to steal phone numbers and break into other accounts.

See thread! Using security to further weaken privacy is a lousy move—especially since phone numbers can be hijacked to weaken security. Putting people at risk. What say you @facebook? https://t.co/9qKtTodkRD

— zeynep tufekci (@zeynep) March 2, 2019

Tufekci argued that users can “no longer keep private the phone number that [they] provided only for security to Facebook.”

Facebook spokesperson Jay Nancarrow told TechCrunch that the settings “are not new,” adding that, “the setting applies to any phone numbers you added to your profile and isn’t specific to any feature.”

Gizmodo reported last year that when a user gives Facebook a phone number for two-factor, it “became targetable by an advertiser within a couple of weeks.”

If a user doesn’t like it, they can set up two-factor without using a phone number — which hasn’t been mandatory for additional login security since May 2018.

But even if users haven’t set up two-factor, there are well documented cases of users having their phone numbers collected by Facebook, whether the user expressly permitted it or not.

In 2017, one reporter for The Telegraph described her alarm at the “look up” feature, given she had “not given Facebook my number, was unaware that it had found it from other sources, and did not know it could be used to look me up.”

WhatsApp, the messaging app also owned by Facebook (alongside Messenger and Instagram), uses your phone number as the primary way to create your account and connect you to its service. Facebook has long had a strategy to further integrate the two services, although it has run into some bumps along the way.

To the specific concerns by users, Facebook said: “We appreciate the feedback we’ve received about these settings and will take it into account.”

Concerned users should switch their “look up” settings to “Friends” to mitigate as much of the privacy risk as possible.

When asked specifically if Facebook will allow users to opt out of the setting, Facebook said it won’t comment on future plans. And, asked why it was set to “everyone” by default, Facebook said the feature makes it easier to find people you know but aren’t yet friends with.

Others criticized Facebook’s move to expose phone numbers to “look ups,” calling it “unconscionable.”

Alex Stamos, former chief security officer and now adjunct professor at Stanford University, also called out the practice in a tweet. “Facebook can’t credibly require two-factor for high-risk accounts without segmenting that from search and ads,” he said.

Since Stamos left Facebook in August, Facebook has not hired a replacement chief security officer.

The case against behavioral advertising is stacking up

No one likes being stalked around the Internet by adverts. It’s the uneasy joke you can’t enjoy laughing at. Yet vast people-profiling ad businesses have made pots of money off of an unregulated Internet by putting surveillance at their core.

But what if creepy ads don’t work as claimed? What if all the filthy lucre that’s currently being sunk into the coffers of ad tech giants — and far less visible but no less privacy-trampling data brokers — is literally being sunk, and could both be more honestly and far better spent?

Case in point: This week Digiday reported that the New York Times managed to grow its ad revenue after it cut off ad exchanges in Europe. The newspaper did this in order to comply with the region’s updated privacy framework, GDPR, which includes a regime of supersized maximum fines.

The newspaper business decided it simply didn’t want to take the risk, so first blocked all open-exchange ad buying on its European pages and then nixed behavioral targeting. The result? A significant uptick in ad revenue, according to Digiday’s report.

“NYT International focused on contextual and geographical targeting for programmatic guaranteed and private marketplace deals and has not seen ad revenues drop as a result, according to Jean-Christophe Demarta, SVP for global advertising at New York Times International,” it writes.

“Currently, all the ads running on European pages are direct-sold. Although the publisher doesn’t break out exact revenues for Europe, Demarta said that digital advertising revenue has increased significantly since last May and that has continued into early 2019.”

It also quotes Demarta summing up the learnings: “The desirability of a brand may be stronger than the targeting capabilities. We have not been impacted from a revenue standpoint, and, on the contrary, our digital advertising business continues to grow nicely.”

So while (of course) not every publisher is the NYT, publishers that have or can build brand cachet, and pull in a community of engaged readers, must and should pause for thought — and ask who is the real winner from the notion that digitally served ads must creep on consumers to work?

The NYT’s experience puts fresh taint on long-running efforts by tech giants like Facebook to press publishers to give up more control and ownership of their audiences by serving and even producing content directly for the third party platforms. (Pivot to video anyone?)

Such efforts benefit platforms because they get to make media businesses dance to their tune. But the self-serving nature of pulling publishers away from their own distribution channels (and content convictions) looks to have an even more bass string to its bow — as a cynical means of weakening the link between publishers and their audiences, thereby risking making them falsely reliant on adtech intermediaries squatting in the middle of the value chain.

There are other signs behavioural advertising might be a gigantically self-serving con too.

Look at non-tracking search engine DuckDuckGo, for instance, which has been making a profit by serving keyword-based ads and not profiling users since 2014, all the while continuing to grow usage — and doing so in a market that’s dominated by search giant Google.

DDG recently took in $10M in VC funding from a pension fund that believes there’s an inflection point in the online privacy story. These investors are also displaying strong conviction in the soundness of the underlying (non-creepy) ad business, again despite the overbearing presence of Google.

Meanwhile, Internet users continue to express widespread fear and loathing of the ad tech industry’s bandwidth- and data-sucking practices by running into the arms of ad blockers. Figures for usage of ad blocking tools step up each year, with between a quarter and a third of U.S. connected device users estimated to be blocking ads as of 2018 (rates are higher among younger users).

Ad blocking firm Eyeo, maker of the popular AdBlock Plus product, has achieved such a position of leverage that it gets Google et al to pay it to have their ads whitelisted by default — under its self-styled ‘acceptable ads’ program. (Though no one will say how much they’re paying to circumvent default ad blocks.)

So the creepy ad tech industry is not above paying other third parties for continued — and, at this point, doubly grubby (given the ad blocking context) — access to eyeballs. Does that sound even slightly like a functional market?

In recent years expressions of disgust and displeasure have also been coming from the ad spending side too — triggered by brand-denting scandals attached to the hateful stuff algorithms have been serving shiny marketing messages alongside. You don’t even have to be worried about what this stuff might be doing to democracy to be a concerned advertiser.

Fast moving consumer goods giants Unilever and Procter & Gamble are two big spenders which have expressed concerns. The former threatened to pull ad spend if social network giants didn’t clean up their act and prevent their platforms algorithmically accelerating hateful and divisive content.

While the latter has been actively reevaluating its marketing spending — taking a closer look at what digital actually does for it. And last March Adweek reported it had slashed $200M from its digital ad budget yet had seen a boost in its reach of 10 per cent, reinvesting the money into areas with “‘media reach’ including television, audio and ecommerce”.

The company’s CMO, Marc Pritchard, declined to name which companies it had pulled ads from but in a speech at an industry conference he said it had reduced spending “with several big players” by 20 per cent to 50 per cent, and still its ad business grew.

So chalk up another tale of reduced reliance on targeted ads yielding unexpected business uplift.

At the same time, academics are digging into the opaquely shrouded question of who really benefits from behavioral advertising. And perhaps getting closer to an answer.

Last fall, at an FTC hearing on the economics of big data and personal information, Carnegie Mellon University professor of IT and public policy, Alessandro Acquisti, teased a piece of yet to be published research — working with a large U.S. publisher that provided the researchers with millions of transactions to study.

Acquisti said the research showed that behaviourally targeted advertising had increased the publisher’s revenue but only marginally. At the same time they found that marketers were having to pay orders of magnitude more to buy these targeted ads, despite the minuscule additional revenue they generated for the publisher.

“What we found was that, yes, advertising with cookies — so targeted advertising — did increase revenues — but by a tiny amount. Four per cent. In absolute terms the increase in revenues was $0.000008 per advertisement,” Acquisti told the hearing. “Simultaneously we were running a study, as merchants, buying ads with a different degree of targeting. And we found that for the merchants sometimes buying targeted ads over untargeted ads can be 500% times as expensive.”

“How is it possible that for merchants the cost of targeting ads is so much higher whereas for publishers the return on increased revenues for targeted ads is just 4%,” he wondered, posing a question that publishers should really be asking themselves — given, in this example, they’re the ones doing the dirty work of snooping on (and selling out) their readers.

Acquisti also made the point that a lack of data protection creates economic winners and losers, arguing this is unavoidable — and thus qualifying the oft-parroted tech industry lobby line that privacy regulation is a bad idea because it would benefit an already dominant group of players. The rebuttal is that a lack of privacy rules also does that. And that’s exactly where we are now.

“There is a sort of magical thinking happening when it comes to targeted advertising [that claims] everyone benefits from this,” Acquisti continued. “Now at first glance this seems plausible. The problem is that upon further inspection you find there is very little empirical validation of these claims… What I’m saying is that we actually don’t know very well to which these claims are true and false. And this is a pretty big problem because so many of these claims are accepted uncritically.”

There’s clearly far more research that needs to be done to robustly interrogate the effectiveness of targeted ads against platform claims and vs more vanilla types of advertising (i.e. which don’t demand reams of personal data to function). But the fact that robust research hasn’t been done is itself interesting.

Acquisti noted the difficulty of researching “opaque blackbox” ad exchanges that aren’t at all incentivized to be transparent about what’s going on, also pointing out that Facebook has sometimes admitted to having made mistakes that significantly inflated its ad engagement metrics.

His wider point is that much current research into the effectiveness of digital ads is problematically narrow, and so misses the broader picture of how consumers might engage with alternative types of less privacy-hostile marketing.

In a nutshell, then, the problem is the lack of transparency from ad platforms; and that lack serves the selfsame opaque giants.

But there’s more. Critics of the current system point out it relies on mass scale exploitation of personal data to function, and many believe this simply won’t fly under Europe’s tough new GDPR framework.

They are applying legal pressure via a set of GDPR complaints, filed last fall, that challenge the legality of a fundamental piece of the (current) adtech industry’s architecture: Real-time bidding (RTB); arguing the system is fundamentally incompatible with Europe’s privacy rules.

We covered these complaints last November but the basic argument is that bid requests essentially constitute systematic data breaches because personal data is broadcast widely to solicit potential ad buys and thereby poses an unacceptable security risk — rather than, as GDPR demands, people’s data being handled in a way that “ensures appropriate security”.

To spell it out, the contention is the entire behavioral advertising business is illegal because it’s leaking personal data at such vast and systematic scale it cannot possibly comply with EU data protection law.

Regulators are considering the argument, and courts may follow. But it’s clear adtech systems that have operated in opaque darkness for years, with no worry of major compliance fines, no longer have the luxury of being able to take their architecture as a given.

Greater legal risk might be catalyst enough to encourage a market shift towards less intrusive targeting; ads that aren’t targeted based on profiles of people synthesized from heaps of personal data but, much like DuckDuckGo’s contextual ads, are only linked to a real-time interest and a generic location. No creepy personal dossiers necessary.

If Acquisti’s research is to be believed — and here’s the kicker for Facebook et al — there’s little reason to think such ads would be substantially less effective than the vampiric microtargeted variant that Facebook founder Mark Zuckerberg likes to describe as “relevant”.

The ‘relevant ads’ badge is of course a self-serving concept which Facebook uses to justify creeping on users while also pushing the notion that its people-tracking business inherently generates major extra value for advertisers. But does it really do that? Or are advertisers buying into another puffed up fake?

Facebook isn’t providing access to internal data that could be used to quantify whether its targeted ads are really worth all the extra conjoined cost and risk. Meanwhile the company’s habit of buying masses of additional data on users, via brokers and other third party sources, makes for a rather strange qualification, suggesting things aren’t quite what you might imagine behind Zuckerberg’s drawn curtain.

Behavioral ad giants are facing growing legal risk on another front. The adtech market has long been referred to as a duopoly, on account of the proportion of digital ad spending that gets sucked up by just two people-profiling giants: Google and Facebook (the pair accounted for 58% of the market in 2018, according to eMarketer data) — and in Europe a number of competition regulators have been probing the duopoly.

Earlier this month the German Federal Cartel Office was reported to be on the brink of partially banning Facebook from harvesting personal data from third party providers (including but not limited to some other social services it owns). Though an official decision has yet to be handed down.

In March 2018, the French Competition Authority published a meaty opinion raising multiple concerns about the online advertising sector, calling for an overhaul and a rebalancing of transparency obligations to address publisher concerns that dominant platforms aren’t providing access to data about their own content.

The EC’s competition commissioner, Margrethe Vestager, is also taking a closer look at whether data hoarding constitutes a monopoly. And has expressed a view that, rather than breaking companies up in order to control platform monopolies, the better way to go about it in the modern ICT era might be by limiting access to data — suggesting another potentially looming legal headwind for personal data-sucking platforms.

At the same time, the political risks of social surveillance architectures have become all too clear.

Whether microtargeted political propaganda works as intended or not is still a question mark. But few would support letting attempts to fiddle elections just go ahead and happen anyway.

Yet Facebook has rushed to normalize what are abnormally hostile uses of its tools; aka the weaponizing of disinformation to further divisive political ends — presenting ‘election security’ as just another day-to-day cost of being in the people farming business. When the ‘cost’ for democracies and societies is anything but normal. 

Whether or not voters can be manipulated en masse via the medium of targeted ads, the act of targeting itself certainly has an impact — by fragmenting the shared public sphere which civilized societies rely on to drive consensus and compromise. Ergo, unregulated social media is inevitably an agent of antisocial change.

The solution to technology threatening democracy is far more transparency: regulating platforms so that it becomes possible to understand how, why and where data is flowing, and thus to get a proper handle on impacts in order to shape desired outcomes.

Greater transparency also offers a route to begin to address commercial concerns about how the modern adtech market functions.

And if and when ad giants are forced to come clean — about how they profile people; where data and value flows; and what their ads actually deliver — you have to wonder what if anything will be left unblemished.

People who know they’re being watched alter their behavior. Similarly, platforms may find behavioral change enforced upon them, from above and below, when it becomes impossible for everyone else to ignore what they’re doing.

The social layer is ironically key to Bitcoin’s security

A funny thing happened in the second half of 2018. At some moment, all the people active in crypto looked around and realized there weren’t very many of us. The friends we’d convinced during the last holiday season were no longer speaking to us. They had stopped checking their Coinbase accounts. The tide had gone out from the beach. Tokens and blockchains were supposed to change the world; how come nobody was using them?

In most cases, still, nobody is using them. In this respect, many crypto projects have succeeded admirably. Cryptocurrency’s appeal is understood by many as freedom from human fallibility. There is no central banker, playing politics with the money supply. There is no lawyer, overseeing the contract. Sometimes it feels like crypto developers adopted the defense mechanism of the skunk. It’s working: they are succeeding at keeping people away.

Some now acknowledge the need for human users, the so-called “social layer” of Bitcoin and other crypto networks. That human component is still regarded as its weakest link. I’m writing to propose that crypto’s human component is its strongest link. For the builders of crypto networks, how to attract the right users is a question that should come before how to defend against attackers (aka, the wrong users). Contrary to what you might hear on Twitter, when evaluating a crypto network, the demographics and ideologies of its users do matter. They are the ultimate line of defense, and the ultimate decision-maker on direction and narrative.

What Ethereum got right

Since the collapse of The DAO, no one in crypto should be allowed to say “code is law” with a straight face. The DAO was a decentralized venture fund that boldly claimed pure governance through code, then imploded when someone found a loophole. Ethereum, a crypto protocol on which The DAO was built, erased this fiasco with a hard fork, walking back the ledger of transactions to the moment before disaster struck. Dissenters from this social-layer intervention kept going on Ethereum’s original, unforked protocol, calling it Ethereum Classic. To so-called “Bitcoin maximalists,” the DAO fork is emblematic of Ethereum’s trust-dependency, and therefore its weakness.

There’s irony, then, in maximalists’ current enthusiasm for narratives describing Bitcoin’s social-layer resiliency. The story goes: in the event of a security failure, Bitcoin’s community of developers, investors, miners and users are an ultimate layer of defense. We, Bitcoin’s community, have the option to fork the protocol—to port our investment of time, capital and computing power onto a new version of Bitcoin. It’s our collective commitment to a trust-minimized monetary system that makes Bitcoin strong. (Disclosure: I hold bitcoin and ether.)

Even this narrative implies trust—in the people who make up that crowd. Historically, Bitcoin Core developers, who maintain the Bitcoin network’s dominant client software, have also exerted influence, shaping Bitcoin’s road map and the story of its use cases. Ethereum’s flavor of minimal trust is different, having a public-facing leadership group whose word is widely imbibed. In either model, the social layer abides. When they forked away The DAO, Ethereum’s leaders had to convince a community to come along.

You can’t believe in the wisdom of the crowd and discount its ability to see through an illegitimate power grab, orchestrated from the outside. When people criticize Ethereum or Bitcoin, they are really criticizing this crowd, accusing it of a propensity to fall for false narratives.

How do you protect Bitcoin’s codebase?

In September, Bitcoin Core developers patched and disclosed a vulnerability that would have enabled an attacker to crash the Bitcoin network. That vulnerability originated in March, 2017, with Bitcoin Core 0.14. It sat there for 18 months until it was discovered.

There’s no doubt Bitcoin Core attracts some of the best and brightest developers in the world, but they are fallible and, importantly, some of them are pseudonymous. Could a state actor, working pseudonymously, produce code good enough to be accepted into Bitcoin’s protocol? Could he or she slip in another vulnerability, undetected, for later exploitation? The answer is undoubtedly yes, it is possible, and it would be naïve to believe otherwise. (I doubt Bitcoin Core developers themselves are so naïve.)

Why is it that no government has yet attempted to take down Bitcoin by exploiting such a weakness? Could it be that governments and other powerful potential attackers are, if not friendly, at least tolerant towards Bitcoin’s continued growth? There’s a strong narrative in Bitcoin culture of crypto persisting against hostility. Is that narrative even real?

The social layer is key to crypto success

Some argue that sexism and racism don’t matter to Bitcoin. They do. Bitcoin’s hodlers should think carefully about the books we recommend and the words we write and speak. If your social layer is full of assholes, your network is vulnerable. Not all hacks are technical. Societies can be hacked, too, with bad or unsecure ideas. (There are increasingly numerous examples of this, outside of crypto.)

Not all white papers are as elegant as Satoshi Nakamoto’s Bitcoin white paper. Many run over 50 pages, dedicating lengthy sections to imagining various potential attacks and how the network’s internal “crypto-economic” system of incentives and penalties would render them bootless. They remind me of the vast digital fortresses my eight-year-old son constructs in Minecraft, bristling with trap doors and turrets.

I love my son (and his Minecraft creations), but the question both he and crypto developers may be forgetting to ask is, why would anyone want to enter this forbidding fortress—let alone attack it? Who will enter, bearing talents, ETH or gold? Focusing on the user isn’t yak shaving, when the user is the ultimate security defense. I’m not suggesting security should be an afterthought, but perhaps a network should be built to bring people in, rather than shut them out.

The author thanks Tadge Dryja and Emin Gün Sirer, who provided feedback that helped hone some of the ideas in this article.

Yahoo agrees $50M settlement package for users hit by massive security breach

One of the largest consumer internet hacks has bred one of the largest class action settlements after Yahoo agreed to pay $50 million to victims of a security breach that’s said to have affected up to 200 million U.S. consumers and some three billion email accounts worldwide.

In what appears to be the closing move to the two-year-old lawsuit, Yahoo — which is now part of Verizon’s Oath business [which is the parent company of TechCrunch] — has proposed to pay $50 million in compensation to an estimated 200 million users in the U.S. and Israel, according to a court filing.

In addition, the company will cover up to $35 million in lawyers’ fees related to the case and provide affected users in the U.S. with credit monitoring services for two years via AllClear, a package that would retail for around $350. There are also compensation options for small businesses and individuals to claim back costs for losses associated with the hacks. That could include identity theft, delayed tax refunds and any other issues related to data lost at the hands of the breaches. Finally, those who paid for premium Yahoo email services are eligible for a 25 percent refund.

The deal is subject to final approval from U.S. District Judge Lucy Koh of the Northern District of California at a hearing slated for November 29.

Since Yahoo is now part of Oath, the costs will be split 50-50 between Oath and Altaba, the holding company that owns what is left of Yahoo following the acquisition. Altaba last month revealed it had agreed to pay $47 million to settle three legal cases related to the landmark security breach.

Yahoo estimates that three billion accounts were impacted by a series of breaches that began in 2013. The intrusion is believed to have been a state-sponsored attack by Russia, although no strong evidence has been provided to support that claim.

The incident wasn’t reported publicly until 2016, just months after Verizon announced that it would acquire Yahoo’s core business in a $4.8 billion deal.

At the time, Yahoo estimated that the incident had affected “at least” 500 million users but it later emerged that data on all of Yahoo’s three billion users had been swiped. A second attack a year later stole information that included email and passwords belonging to 500 million Yahoo account holders. Unsurprisingly, the huge attacks saw Verizon negotiate a $350 million discount on the deal.

AdGuard resets all user passwords after account hacks

Popular ad-blocker AdGuard has forcibly reset all of its users’ passwords after it detected hackers trying to break into accounts.

The company said it “detected continuous attempts to login to AdGuard accounts from suspicious IP addresses which belong to various servers across the globe,” in what appeared to be a credential stuffing attack. That’s when hackers take lists of stolen usernames and passwords and try them on other sites.

AdGuard said that the hacking attempts were slowed thanks to rate limiting — preventing the attackers from trying too many passwords in one go. But the effort was “not enough” when the attackers already know the passwords, a blog post said.
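Why rate limiting is "not enough" is easier to see in logs than in prose. The following is an added example, not AdGuard's code: a small detector run over constructed sample log lines (the format `<timestamp> <client_ip> <account> <result>`, the IPs and the per-IP cap of five attempts are all assumptions for illustration). A credential-stuffing run that spreads a few attempts per IP across many source addresses never trips a per-IP counter, but the population-level pattern (many IPs, each touching several different accounts once, with a low success rate) is unmistakable, and the handful of successes are exactly the accounts to reset first.

```python
"""Distinguish a distributed credential-stuffing run from ordinary failed logins.

Added example, not AdGuard's code. The log format and the sample lines are
constructed for illustration: "<timestamp> <client_ip> <account> <result>".
"""
from collections import Counter, defaultdict

# Constructed sample. Two legitimate users, then a low-and-slow stuffing run:
# each attacker IP tries three different accounts once (well under a per-IP
# cap of 5 attempts), so per-IP rate limiting never fires, yet across the
# population the pattern is obvious.
SAMPLE_LOG = """\
2018-09-20T10:00:01Z 203.0.113.10 alice@example.com success
2018-09-20T10:00:07Z 203.0.113.11 bob@example.com fail
2018-09-20T10:00:12Z 203.0.113.11 bob@example.com success
2018-09-20T10:01:00Z 198.51.100.1 carol@example.com fail
2018-09-20T10:01:01Z 198.51.100.1 dave@example.com fail
2018-09-20T10:01:02Z 198.51.100.1 erin@example.com fail
2018-09-20T10:01:03Z 198.51.100.2 frank@example.com fail
2018-09-20T10:01:04Z 198.51.100.2 grace@example.com success
2018-09-20T10:01:05Z 198.51.100.2 heidi@example.com fail
2018-09-20T10:01:06Z 198.51.100.3 ivan@example.com fail
2018-09-20T10:01:07Z 198.51.100.3 judy@example.com fail
2018-09-20T10:01:08Z 198.51.100.3 mallory@example.com fail
2018-09-20T10:01:09Z 198.51.100.4 oscar@example.com fail
2018-09-20T10:01:10Z 198.51.100.4 peggy@example.com fail
2018-09-20T10:01:11Z 198.51.100.4 trent@example.com success
"""

PER_IP_RATE_LIMIT = 5  # assumed cap for the example; AdGuard's real limit is not public


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append({"ts": ts, "ip": ip, "account": account, "ok": result == "success"})
    return events


def per_ip_rate_limit_hits(events, limit=PER_IP_RATE_LIMIT):
    """IPs that a naive per-IP attempt counter would have blocked."""
    attempts = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in attempts.items() if n > limit)


def stuffing_report(events, min_spray_accounts=3, min_ips=3, min_targets=6,
                    max_success_rate=0.5):
    """Population-level signals that a per-IP limit cannot see.

    Credential stuffing replays leaked username/password pairs, so each IP
    touches many *different* accounts a single time, most attempts fail,
    and the few successes are the accounts whose password was reused.
    """
    accounts_per_ip = defaultdict(set)
    for e in events:
        accounts_per_ip[e["ip"]].add(e["account"])
    spraying_ips = sorted(ip for ip, accts in accounts_per_ip.items()
                          if len(accts) >= min_spray_accounts)
    spray_events = [e for e in events if e["ip"] in spraying_ips]
    targeted = {e["account"] for e in spray_events}
    successes = sum(1 for e in spray_events if e["ok"])
    success_rate = successes / len(spray_events) if spray_events else 0.0
    return {
        "is_stuffing": (len(spraying_ips) >= min_ips
                        and len(targeted) >= min_targets
                        and success_rate <= max_success_rate),
        "spraying_ips": spraying_ips,
        "targeted_accounts": len(targeted),
        "success_rate": success_rate,
        # Accounts where a spraying IP got in: reset these first.
        "compromised_accounts": sorted(e["account"] for e in spray_events if e["ok"]),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP limit would block:", per_ip_rate_limit_hits(evs))
    print(stuffing_report(evs))
```

On the sample the per-IP counter blocks nothing, while the report flags four spraying IPs, twelve targeted accounts and two compromised ones. The thresholds are illustrative; in production they would be tuned against the site's normal failure rate and source diversity.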

“As a precautionary measure, we have reset passwords to all AdGuard accounts,” said Andrey Meshkov, AdGuard’s co-founder and chief technology officer.

AdGuard has more than five million users worldwide, and is one of the most prominent ad-blockers available.

Although the company said that some accounts were improperly accessed, there wasn’t a direct breach of its systems. It’s not known how many accounts were affected. An email to Meshkov went unreturned at the time of writing.

It’s not clear why attackers targeted AdGuard users, but the company’s response was swift and effective.

The company said it has now set stricter password requirements, and connects to Have I Been Pwned, a breach notification database set up by security expert Troy Hunt, to warn users away from previously breached passwords. Hunt’s database is trusted by both the UK and Australian governments, and integrates with several other password managers and identity solutions.
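The breached-password check can be done without ever sending the password, or even its full hash, to Hunt's service. The following is an added example, not AdGuard's integration code: it uses the real Pwned Passwords range API wire format (only the first five hex characters of the SHA-1 are sent; the service returns every suffix sharing that prefix and the match is made locally), but the canned response and its counts are constructed stand-ins so the block runs offline. The `live_fetch_range` helper performs the real request and is not exercised by the offline run.

```python
"""Check a candidate password against Have I Been Pwned's Pwned Passwords
without sending the password (or its full hash) anywhere.

Added example, not AdGuard's code. The wire format is HIBP's real range API;
the canned responses below are constructed stand-ins with made-up counts.
"""
import hashlib
import urllib.request

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# (the real list for that prefix is hundreds of lines long). Counts are made up.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661",  # SHA-1("password") minus its prefix
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def fake_fetch_range(prefix):
    """Offline fetcher used by the example; unknown prefixes get an empty list."""
    return FAKE_RANGES.get(prefix, "")


def live_fetch_range(prefix, timeout=5):
    """Real fetcher (network). Add-Padding hides the true line count from observers."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def hash_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent and the suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, fetch_range=fake_fetch_range):
    """Return how many times the password appears in known breaches (0 = not seen).

    HIBP only ever learns the prefix, which is shared by hundreds of hashes,
    so it cannot tell which password we were interested in (k-anonymity).
    Padding lines, when requested, carry count 0 and so never report a hit.
    """
    prefix, suffix = hash_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix and count.isdigit():
            return int(count)
    return 0


def password_acceptable(password, fetch_range=fake_fetch_range, min_length=12):
    """Stricter policy: a length floor plus the breach-corpus check."""
    if len(password) < min_length:
        return False, "too short"
    n = pwned_count(password, fetch_range)
    if n:
        return False, "seen %d times in breaches" % n
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2018!"):
        print(repr(pw), password_acceptable(pw, min_length=8))
```

To run it against the live corpus, pass `fetch_range=live_fetch_range`; the check belongs at password set and change time, and the count (not just a yes/no) is worth logging, since a password seen millions of times is a different conversation from one seen once.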

AdGuard also said that it will implement two-factor authentication — a far stronger protection against credential stuffing attacks — but that it’s a “next step” as it “physically can’t implement it in one day.”

North Korea skirts US sanctions by secretly selling software around the globe

Fake social media profiles are useful for more than just sowing political discord among foreign adversaries, as it turns out. A group linked to the North Korean government has been able to duck existing sanctions on the country by concealing its true identity and developing software for clients abroad.

This week, the US Treasury issued sanctions against two tech companies accused of running cash-generating front operations for North Korea: Yanbian Silverstar Network Technology or “China Silver Star,” based near Shenyang, China, and a Russian sister company called Volasys Silver Star. The Treasury also sanctioned China Silver Star’s North Korean CEO Jong Song Hwa.

“These actions are intended to stop the flow of illicit revenue to North Korea from overseas information technology workers disguising their true identities and hiding behind front companies, aliases, and third-party nationals,” Treasury Secretary Steven Mnuchin said of the sanctions.

As the Wall Street Journal reported in a follow-up story, North Korean operatives advertised with Facebook and LinkedIn profiles, solicited business with Freelance.com and Upwork, crafted software using GitHub, communicated over Slack and accepted compensation with PayPal. The country appears to be encountering little resistance putting tech platforms built by US companies to work building software including “mobile games, apps, [and] bots” for unwitting clients abroad.

The US Treasury issued its first warnings of a secret North Korean software development scheme in July, though did not provide many details at the time. The Wall Street Journal was able to identify “tens of thousands” of dollars stemming from the Chinese front company, though that’s only a representative sample. The company worked as a middleman, contracting its work out to software developers around the globe and then denying payment for their services.

Facebook suspended many suspicious accounts linked to the scheme after they were identified by the Wall Street Journal, including one for “Everyday-Dude.com”:

“A Facebook page for Everyday-Dude.com, showing packages with hundreds of programs, was taken down minutes later as a reporter was viewing it. Pages of some of the account’s more than 1,000 Facebook friends also subsequently disappeared…

“[Facebook] suspended numerous North Korea-linked accounts identified by the Journal, including one that Facebook said appeared not to belong to a real person. After it closed that account, another profile, with identical friends and photos, soon popped up.”

LinkedIn and Upwork similarly removed accounts linked to the North Korean operations.

Beyond the consequences for international relations, software surreptitiously sold by the North Korean government poses considerable security risks. According to the Treasury, the North Korean government makes money off of a “range of IT services and products abroad” including “website and app development, security software, and biometric identification software that have military and law enforcement applications.” For companies unwittingly buying North Korea-made software, the potential for malware that could give the isolated nation eyes and ears beyond its borders is high, particularly given that the country has already demonstrated its offensive cyber capabilities.

Between that and sanctions against doing business with the country, Mnuchin urges the information technology industry and other businesses to exercise awareness of the ongoing scheme to avoid accidentally contracting with North Korea on tech-related projects.

Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data

Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says.

In new findings published Wednesday, F-Secure said that none of the existing firmware security measures in every laptop it tested “does a good enough job” of preventing data theft.

F-Secure principal security consultant Olle Segerdahl told TechCrunch that the vulnerabilities put “nearly all” laptops and desktops — both Windows and Mac users — at risk.

The new exploit is built on the foundations of a traditional cold boot attack, which hackers have long used to steal data from a shut-down computer. Modern computers counter it by having the firmware overwrite memory as the machine boots, so that whatever the previous session left in RAM cannot be read. But Segerdahl and his colleague Pasi Saarinen found a way to disable that overwriting process, making a cold boot attack possible again.

“It takes some extra steps,” said Segerdahl, but the flaw is “easy to exploit.” So much so, he said, that it would “very much surprise” him if this technique isn’t already known by some hacker groups.

“We are convinced that anybody tasked with stealing data off laptops would have already come to the same conclusions as us,” he said.

It’s no secret that if someone has physical access to a computer, the chances of them stealing your data are usually greater. That’s why so many use disk encryption — like BitLocker for Windows and FileVault for Macs — to scramble and protect data when a device is turned off.

But the researchers found that in nearly all cases they can still steal data protected by BitLocker and FileVault regardless.

After the researchers figured out how the memory overwriting process works, they said it took just a few hours to build a proof-of-concept tool that prevented the firmware from clearing secrets from memory. From there, the researchers scanned for disk encryption keys, which, when obtained, could be used to mount the protected volume.

It’s not just disk encryption keys at risk, Segerdahl said. A successful attacker can steal “anything that happens to be in memory,” like passwords and corporate network credentials, which can lead to a deeper compromise.
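The "scanned for disk encryption keys" step is the same one classic cold boot tooling performs, and it is worth seeing why it works. The following is an added example, not F-Secure's tool: disk-encryption software keeps the expanded AES key schedule in RAM, every round key is derived deterministically from the first 16 bytes, so a memory image can be searched for any 16-byte window whose FIPS-197 expansion matches the 160 bytes that follow it. The memory image here is constructed (pseudo-random filler with the FIPS-197 Appendix A.1 example key's schedule planted at offset 1000); the S-box is generated rather than tabulated, and the code covers AES-128 only.

```python
"""Recover AES-128 keys from a memory image by searching for key schedules.

Added example, not F-Secure's code. The image scanned below is constructed:
deterministic pseudo-random filler with one key schedule planted in it.
"""
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # zero has no inverse
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176                              # 11 round keys * 16 bytes


def _next_word(prev, first, rcon=None):
    """w[i] = w[i-4] ^ f(w[i-1]); every 4th word gets RotWord, SubWord and Rcon."""
    t = list(prev)
    if rcon is not None:
        t = [SBOX[b] for b in t[1:] + t[:1]]
        t[0] ^= rcon
    return [a ^ b for a, b in zip(first, t)]


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], RCON[i // 4 - 1] if i % 4 == 0 else None))
    return bytes(b for word in w for b in word)


def find_aes128_keys(image):
    """Return [(offset, key)] for every valid AES-128 schedule found in image."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # Cheap reject: the first word of round key 1 must match before expanding fully.
        w4 = bytes(_next_word(cand[12:16], cand[0:4], RCON[0]))
        if image[off + 16:off + 20] != w4:
            continue
        if expand_key_128(cand) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, bytes(cand)))
    return hits


# Constructed image: the FIPS-197 Appendix A.1 example key's schedule planted
# at offset 1000 inside 4 KiB of seeded pseudo-random filler.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
_rng = random.Random(1)
_filler = bytearray(_rng.getrandbits(8) for _ in range(4096))
_filler[1000:1000 + SCHEDULE_LEN] = expand_key_128(FIPS_KEY)
SAMPLE_IMAGE = bytes(_filler)


if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_IMAGE):
        print("AES-128 key at offset %d: %s" % (off, key.hex()))
```

Against a real dump the same loop runs over the captured RAM instead of `SAMPLE_IMAGE`; the schedule structure is what makes the search tolerant of not knowing where the key lives, and it is also why a captured key can be validated with no reference to the encrypted disk at all.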

Their findings were shared with Microsoft, Apple, and Intel prior to release. According to the researchers, only a smattering of devices aren’t affected by the attack. Microsoft said in a recently updated article on BitLocker countermeasures that using a startup PIN can mitigate cold boot attacks, but Windows users with “Home” licenses are out of luck. And any Apple Mac equipped with a T2 chip is not affected, though a firmware password would still improve protection.

Both Microsoft and Apple downplayed the risk.

Acknowledging that an attacker needs physical access to a device, Microsoft said it encourages customers to “practice good security habits, including preventing unauthorized physical access to their device.” Apple said it was looking into measures to protect Macs that don’t come with the T2 chip.

When reached, Intel declined to comment on the record.

In any case, the researchers say, there’s not much hope that affected computer makers can fix their fleet of existing devices.

“Unfortunately, there is nothing Microsoft can do, since we are using flaws in PC hardware vendors’ firmware,” said Segerdahl. “Intel can only do so much, their position in the ecosystem is providing a reference platform for the vendors to extend and build their new models on.”

Companies, and users, are “on their own,” said Segerdahl.

“Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case,” he said.

Epic Games just gave a perk for folks to turn on 2FA; every other big company should, too

Let’s talk a bit about security.

Most internet users around the world are pretty crap at it, but there are basic tools that companies have, and users can enable, to make their accounts, and lives, a little bit more hacker-proof.

One of these — two-factor authentication — just got a big boost from Epic Games, the maker of what is currently The Most Popular Game In The World: Fortnite.

Epic is already getting a ton of great press for what amounts to very little effort.

Son: Do you know what two-factor authentication is?
Me: Uh, yeah?
Son: I get a free dance on @Fortnitegame if I enable two factor. Can we do that?

Incentives matter.

— Dennis (@DennisF) August 23, 2018

The company is giving users a new emote (the victory dance you’ve seen emulated in airports, playgrounds and parks by kids and tweens around the world) to anyone who turns on two-factor authentication. It’s one small (dance) step for Epic, but one giant leap for securing their users’ accounts.

The thing is any big company could do this (looking at you Microsoft, Apple, Alphabet and any other company with a huge user base).

Apparently the perk of not getting hacked isn’t enough for most users, but if you give anyone the equivalent of a free dance, they’ll likely flock to turn on the feature.

It’s not that two-factor authentication is a panacea for all security woes, but it does make life harder for hackers. Two-factor authentication works on one-time codes that are either sent to you by text message or generated on your phone by an authenticator app. Text messaging is a pretty crap way to secure things, because the codes can be intercepted in transit, but authenticator apps — like Google Authenticator or Authy — compute a time-based one-time password (TOTP) locally from a secret shared with the service when you enroll, so there is no code on the wire to intercept (far stronger, though a real-time phishing relay can still capture a code, and it requires an app to use).

So using SMS-based two-factor authentication is better than nothing, but it’s not Fort Knox (however, these days, even Fort Knox probably isn’t Fort Knox when it comes to security).
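How an authenticator app produces those codes, and how the service checks them, fits in a few dozen lines. The following is an added example, not Epic's, Google Authenticator's or Authy's code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, including the server-side verification window for clock skew and the `otpauth://` provisioning URI that the enrollment QR code carries. The account and issuer names are placeholders.

```python
"""How an authenticator app's codes are produced and checked.

Added example, not Epic's or any authenticator vendor's code. Implements HOTP
(RFC 4226) and TOTP (RFC 6238). Nothing but the 6-digit code is ever
transmitted; the shared secret stays on the phone and on the server.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step plus `window` steps either side
    for clock skew, comparing in constant time."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def new_secret(nbytes=20):
    """Enrollment: a fresh random secret, generated once and stored server-side."""
    return os.urandom(nbytes)


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI as encoded in the QR code an authenticator app scans."""
    label = urllib.parse.quote("%s:%s" % (issuer, account))
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step,
    })
    return "otpauth://totp/%s?%s" % (label, params)


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "player@example.com", "ExampleGames"))  # placeholder names
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
```

The RFC test vectors (seed `12345678901234567890`) are a quick sanity check: HOTP counter 1 is `287082`, and TOTP at Unix time 59 with 8 digits is `94287082`. A server should also reject reuse of a code within its window, which this example leaves to the caller.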

Still, anything that makes things harder for crimes of opportunity can help ease the security burden for companies large and small, and the consumers and customers that love them (or at least are forced to pay and use them).

I’m not sure what form the perk could or should take. Maybe it’s the promise of a free e-book or a free download or an opportunity to have a live chat with the celebrity, influencer or athlete of a user’s choice. Whatever it is, there’s clearly something that businesses could do to encourage greater adoption.

Self-preservation isn’t cutting it. Maybe an emote will do the trick.

Australia bans Huawei and ZTE from supplying technology for its 5G network

Australia has blocked Huawei and ZTE from providing equipment for its 5G network, which is set to launch commercially next year. In a tweet, Huawei stated that the Australian government told the company that both it and ZTE are banned from supplying 5G technology to the country, despite Huawei’s assurances that it does not pose a threat to national security.

We have been informed by the Govt that Huawei & ZTE have been banned from providing 5G technology to Australia. This is an extremely disappointing result for consumers. Huawei is a world leader in 5G. Has safely & securely delivered wireless technology in Aust for close to 15 yrs

— Huawei Australia (@HuaweiOZ) August 22, 2018

Earlier today, the Australian government issued new security guidelines for 5G carriers. Although it did not mention Huawei, ZTE or China specifically, it did strongly hint at them by stating “the Government considers that the involvement of vendors who are likely to be subject to extrajudicial directions from foreign government that conflict with Australian law, may risk failure by the carrier to adequately protect a 5G network from unauthorized access or interference.”

Concerns that Huawei, ZTE and other Chinese tech companies will be forced to comply with a new law, passed last year, that obligates all Chinese organizations and citizens to provide information to national intelligence agencies when asked have made several countries wary of using their technology. Earlier this month, the United States banned the use of most Huawei and ZTE technology by government agencies and contractors, six years after a Congressional report first cited the two companies as security threats.

In its new security guidelines, the Australian government stated that differences in the way 5G operates compared to previous network generations introduce new risks to national security. In particular, it noted the diminishing distinction between the core network, where more sensitive functions like access control and data routing occur, and the edge, or radios that connect customer equipment, like laptops and mobile phones, to the core.

“This new architecture provides a way to circumvent traditional security controls by exploiting equipment in the edge of the network – exploitation which may affect overall network integrity and availability, as well as the confidentiality of customer data. A long history of cyber incidents shows cyber actors target Australia and Australians,” the guidelines stated. “Government has found no combination of technical security controls that sufficiently mitigate the risks.”

Last year, Australia introduced the Telecommunications Sector Security Reforms (TSSR), which takes effect next month and directs carriers and telecommunication service providers to protect their networks and infrastructure from national security threats and also notify the government of any proposed changes that may compromise the security of their network. It also gives the government the power to “intervene and issue directions in cases where there are significant national security concerns that cannot be addressed through other means.”

Huawei’s Australian chairman John Lord said in June that the company had received legal advice that its Australian operations are not bound to Chinese laws and he would refuse to hand over any data to the Chinese government in breach of Australian law. Lord also argued that banning Huawei could hurt local businesses and customers by raising prices and limiting access to technology.

TechCrunch has contacted ZTE and Huawei for comment.

3D printed guns are now legal… What’s next?

Jon Stokes
Contributor

Jon Stokes is one of the founders of Ars Technica, an author, and a former Wired editor. He currently hacks ruby at Collective Idea, and runs AllOutdoor.com.

On Tuesday, July 10, the DOJ announced a landmark settlement with Austin-based Defense Distributed, a controversial startup led by a young, charismatic anarchist whom Wired once named one of the 15 most dangerous people in the world.

Hyper-loquacious and media-savvy, Cody Wilson is fond of telling any reporter who’ll listen that Defense Distributed’s main product, a gun fabricator called the Ghost Gunner, represents the endgame for gun control, not just in the US but everywhere in the world. With nothing but the Ghost Gunner, an internet connection, and some raw materials, anyone, anywhere can make an unmarked, untraceable gun in their home or garage. Even if Wilson is wrong that the gun control wars are effectively over (and I believe he is), Tuesday’s settlement has fundamentally changed them.

At about the time the settlement announcement was going out over the wires, I was pulling into the parking lot of LMT Defense in Milan, IL.

LMT Defense, formerly known as Lewis Machine & Tool, is as much the opposite of Defense Distributed as its quiet, publicity-shy founder, Karl Lewis, is the opposite of Cody Wilson. But LMT Defense’s story can be usefully placed alongside that of Defense Distributed, because together they can reveal much about the past, present, and future of the tools and technologies that we humans use for the age-old practice of making war.

The legacy machine

Karl Lewis got started in gunmaking back in the 1970s at Springfield Armory in Geneseo, IL, just a few exits up I-80 from the current LMT Defense headquarters. Lewis, who has a high school education but who now knows as much about the engineering behind firearms manufacturing as almost anyone alive, was working on the Springfield Armory shop floor when he hit upon a better way to make a critical and failure-prone part of the AR-15, the bolt. He first took his idea to Springfield Armory management, but they took a pass, so he rented out a small corner in a local auto repair shop in Milan, bought some equipment, and began making the bolts himself.

Lewis worked in his rented space on nights and weekends, bringing the newly fabricated bolts home for heat treatment in his kitchen oven. Not long after he made his first batch, he landed a small contract with the US military to supply some of the bolts for the M4 carbine. On the back of this initial success with M4 bolts, Lewis Machine & Tool expanded its offerings to include complete guns. Over the course of the next three decades, LMT grew into one of the world’s top makers of AR-15-pattern rifles for the world’s militaries, and it’s now in a very small club of gunmakers, alongside a few old-world arms powerhouses like Germany’s Heckler & Koch and Belgium’s FN Herstal, that supplies rifles to US SOCOM’s most elite units.

The offices of LMT Defense, in Milan, Ill. (Image courtesy Jon Stokes)

LMT’s gun business is built on high-profile relationships, hard-to-win government contracts, and deep, almost monk-like know-how. The company lives or dies by the skill of its machinists and by the stuff of process engineering — tolerances and measurements and paper trails. Political connections are also key, as the largest weapons contracts require congressional approval and months of waiting for political winds to blow in this or that direction, for countries to fall in and out of favor with each other, and for paperwork that was delayed by a political spat over some unrelated point of trade or security finally to be put through so that funds can be transferred and production can begin.

Selling these guns is as old-school a process as making them is. Success in LMT’s world isn’t about media buys and PR hits, but about dinners in foreign capitals, range sessions with the world’s top special forces units, booths at trade shows most of us have never heard of, and secret delegations of high-ranking officials to a machine shop in a small town surrounded by corn fields on the western border of Illinois.

The civilian gun market, with all of its politics- and event-driven gyrations of supply and demand, is woven into this stable core of the global military small arms market the way vines weave through a trellis. Innovations in gunmaking flow in both directions, though nowadays they more often flow from the civilian market into the military and law enforcement markets than vice versa. For the most part, civilians buy guns that come off the same production lines that feed the government and law enforcement markets.

All of this is how small arms get made and sold in the present world, and anyone who lived through the heyday of IBM and Oracle, before the PC, the cloud, and the smartphone tore through and upended everything, will recognize every detail of the above picture, down to the clean-cut guys in polos with the company logo and fat purchase orders bearing signatures and stamps and big numbers.

The author with LMT Defense hardware.

Guns, drugs, and a million Karl Lewises

This is the part of the story where I build on the IBM PC analogy I hinted at above, and tell you that Defense Distributed’s Ghost Gunner, along with its inevitable clones and successors, will kill dinosaurs like LMT Defense the way the PC and the cloud laid waste to the mainframe and microcomputer businesses of yesteryear.

Except this isn’t what will happen.

Defense Distributed isn’t going to destroy gun control, and it’s certainly not going to decimate the gun industry. All of the legacy gun industry apparatus described above will still be there in the decades to come, mainly because governments will still buy their arms from established makers like LMT. But surrounding the government and civilian arms markets will be a brand new, homebrew, underground gun market where enthusiasts swap files on the dark web and test new firearms in their back yards.

The homebrew gun revolution won’t create a million untraceable guns so much as it’ll create hundreds of thousands of Karl Lewises — solitary geniuses who had a good idea, prototyped it, began making it and selling it in small batches, and ended up supplying a global arms market with new technology and products.

In this respect, the future of guns looks a lot like the present of drugs. The dark web hasn’t hurt Big Pharma, much less destroyed it. Rather, it has expanded the reach of hobbyist drugmakers and small labs, and enabled a shadow world of pharmaceutical R&D that feeds transnational black and gray markets for everything from penis enlargement pills to synthetic opioids.

Gun control efforts in this new reality will initially focus more on ammunition. Background checks for ammo purchases will move to more states, as policy makers try to limit civilian access to weapons in a world where controlling the guns themselves is impossible.

Ammunition has long been the crack in the rampart that Wilson is building. Bullets and casings are easy to fabricate and will always be easy to obtain or manufacture in bulk, but powder and primers are another story. Gunpowder and primers are the explosive chemical components of modern ammo, and they are difficult and dangerous to make at home. So gun controllers will seize on this and attempt to pivot to “bullet control” in the near-term.

Ammunition control is unlikely to work, mainly because rounds of ammunition are fungible, and there are untold billions of rounds already in civilian hands.

In addition to controls on ammunition, some governments will also make an effort at trying to force the manufacturers of 3D printers and desktop milling machines (the Ghost Gunner is the latter) to refuse to print files for gun parts.

This will be impossible to enforce, for two reasons. First, it will be hard for these machines to reliably tell what’s a gun-related file and what isn’t, especially if distributors of these files keep changing them to defeat any sort of detection. But the bigger problem will be that open-source firmware will quickly become available for the most popular printing and milling machines, so that determined users can “jailbreak” them and use them however they like. This already happens with products like routers and even cars, so it will definitely happen with home fabrication machines should the need arise.

Ammo control and fabrication device restrictions having failed, governments will over the longer term employ a two-pronged approach that consists of possession permits and digital censorship.

Photo courtesy of Getty Images: Jeremy Saltzer / EyeEm

First, governments will look to gun control schemes that treat guns like controlled substances (i.e. drugs and alcohol). The focus will shift to vetting and permits for simple possession, much like the gun owner licensing scheme I outlined in Politico. We’ll give up on trying to trace guns and ammunition, and focus more on authorizing people to possess guns, and on catching and prosecuting unauthorized possession. You’ll get the firearm equivalent of a marijuana card from the state, and then it won’t matter if you bought your gun from an authorized dealer or made it yourself at home.

The second component of future gun control regimes will be online suppression, of the type that’s already taking place on most major tech platforms across the developed world. I don’t think DefCad.com is long for the open web, and it will ultimately have as hard a time staying online as extremist sites like stormfront.org.

Gun CAD files will join child porn and pirated movies on the list of content it’s nearly impossible to find on big tech platforms like Facebook, Twitter, Reddit, and YouTube. If you want to trade these files, you’ll find yourself on sites with really intrusive advertising, where you worry a lot about viruses. Or, you’ll end up on the dark web, where you may end up paying for a hot new gun design with a cryptocurrency. This may be an ancap dream, but won’t be mainstream or user-friendly in any respect.

As for what comes after that, this is the same question as the question of what comes next for politically disfavored speech online. The gun control wars have now become a subset of the online free speech wars, so whatever happens with online speech in places like the US, UK, or China will happen with guns.

Ticketfly’s website is offline after a hacker got into its homepage and database

Following what it calls a “cyber incident,” the event ticket distributor Ticketfly took its homepage offline on Thursday morning. The company left this message on its website, which remains nonfunctional hours later:

Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident. Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible. Please check back later.

For information on specific events please check the social media accounts of the presenting venues/promoters to learn more about availability/status of upcoming shows. In many cases, shows are still happening and tickets may be available at the door.

Before Ticketfly regained control of its site, a hacker calling themselves IsHaKdZ hijacked it to display apparent database files along with a Guy Fawkes mask and an email contact.

I sent an email yesterday reporting that the ticketfly website was hacked. All of the user data and site is completely downloadable. They need to come clean on the fact that your data was compromised and still is downloadable at this very moment! #ticketfly #cybercrime #wordpress pic.twitter.com/Ur0AsZpDij

— Michael Villado (@mvillado) May 31, 2018

According to correspondence with Motherboard, the hacker apparently demanded a single bitcoin (worth $7,502, at the time of writing) to divulge the vulnerability that left Ticketfly open to attack. Motherboard reports that it was able to verify the validity of at least six sets of user data listed in the hacked files, which included names, addresses, email addresses and phone numbers of Ticketfly customers, as well as some employees. We’ll update this story as we learn more.

Update: Ticketfly has added an FAQ page on the incident. The company notes that the event “resulted in the compromise of some client and customer information” and is conducting an investigation as it works to get its site back online.

Facebook is updating how you can authenticate your account logins

You’ll soon have more options for staying secure on Facebook with two-factor authentication.

Facebook is simplifying the process for two-factor verification on its platform so you won’t have to give the company your phone number just to bring additional security to your device. The company announced today that it is adding support for third-party authentication apps like Duo Security and Google Authenticator while streamlining the setup process to make it easier to get moving with it in the first place.

Two-factor authentication is a pretty widely supported security strategy that adds another line of defense for users so they aren’t screwed if their login credentials are compromised. SMS isn’t generally considered the most secure method for 2FA because it’s possible for hackers to take control of your SIM and transfer it to a new phone through a process that relies heavily on social engineering, something that isn’t as much of a risk when using hardware-based authentication devices or third-party apps.

Back in March, Facebook CSO Alex Stamos notably apologized after users started complaining that Facebook was spamming them on the phone numbers with which they had signed up for two-factor authentication. They insisted that it won’t happen again, but it also definitely won’t if they don’t have your number to begin with.

The new functionality is available in the “Security and Login” tab in your Facebook settings.

FBI reportedly overestimated inaccessible encrypted phones by thousands

The FBI seems to have been caught fibbing again on the topic of encrypted phones. FBI director Christopher Wray estimated in December that it had almost 7,800 phones from 2017 alone that investigators were unable to access. The real number is likely less than a quarter of that, The Washington Post reports.

Internal records cited by sources put the actual number of encrypted phones at roughly 1,200, and perhaps as many as 2,000, and the FBI told the paper in a statement that “initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.” Supposedly, having three databases tracking the phones led to devices being counted multiple times.

Such a mistake would be so elementary that it’s hard to conceive of how it would be possible. These aren’t court notes, memos or unimportant random pieces of evidence, they’re physical devices with serial numbers and names attached. The idea that no one thought to check for duplicates before giving a number to the director for testimony in Congress suggests either conspiracy or gross incompetence.

The latter seems more likely after a report by the Office of the Inspector General that found the FBI had failed to utilize its own resources to access locked phones, instead suing Apple and then hastily withdrawing the case when its basis (a locked phone from a terror attack) was removed. It seems to have chosen to downplay or ignore its own capabilities in order to pursue the narrative that widespread encryption is dangerous without a backdoor for law enforcement.

An audit is underway at the Bureau to figure out just how many phones it actually has that it can’t access, and hopefully how this all happened.

It is unmistakably among the FBI’s goals to emphasize the problem of devices being fully encrypted and inaccessible to authorities, a trend known as “going dark.” That much it has said publicly, and it is a serious problem for law enforcement. But it seems equally unmistakable that the Bureau is happy to be sloppy, deceptive or both in its advancement of a tailored narrative.

Top Security Ideas for Businesses You Need to Implement ASAP

A thief walks through an unlocked door and manages to steal valuable property – money, fixtures and intellectual property.

A security guard, working a double shift, falls asleep and fails to prevent a violent crime on the premises.

An office employee wanders into the wrong area of the building and suffers an injury due to lack of proper safety clothing or equipment.

Off-shift vandalism shuts down a factory line for days, costing the organization thousands of dollars.

These are all examples of poor physical security systems and procedures and they should never happen.

When things are under control, the organization operates smoothly and its people are kept safe and comfortable.

But when security systems fail, results can be disastrous.

How effective are your organization’s security measures?

A physical security assessment can tell you a lot about how “under control” things are in your organization or facility. If you’re unsure of that, check out these security ideas for business you can start using today.

Don’t Wait Until It’s Too Late


Get a straightforward assessment of your organization’s security systems before disaster strikes.

Start with a consultation with a qualified and experienced security firm. They know what to look for and what to recommend to keep your operation running smoothly.

A comprehensive assessment will evaluate the following:

  • Access by the right personnel, at the right times, to the facility and to the various areas within it.
  • Compliance with codes and regulations as well as with current best practices.
  • Preparedness for a variety of contingencies, from fire to natural disasters and other emergencies.
  • Risk management across a range of potential vulnerabilities, from personal injury liability to asset protection.
  • Environmental responsibility and the security of materials and equipment that could pose risks to safety and health.
  • Problems within the organization’s current security systems and procedures, including gaps and vulnerabilities that may not have been previously considered or “caught.”
  • Vulnerabilities in the security of the organization’s data and intellectual property.
  • Appropriateness of the organization’s security program, given such factors as the location of the facility, the type of business, or the amount of foot or vehicle traffic anticipated at peak times.
  • The effectiveness of the current security program.

Maximize Your Security Resources


A great security firm not only knows how to find gaps and vulnerabilities but is sensitive to the limits of your organization’s resources.

It’s one thing to have the best security money can buy but most organizations have to maximize a limited budget. They need the most efficient and effective security program for the money they can afford to invest.

A professional assessment will not only show where the operation might be vulnerable but also reveal possible redundancies.

In Conclusion

Make sure things are under control in your organization. Call a security professional, and walk through the operation right away to learn what a potential thief or vandal might already know about your organization’s vulnerabilities. After all, the time to know about a gap in your security system is before a disaster strikes.

The post Top Security Ideas for Businesses You Need to Implement ASAP appeared first on Dumb Little Man.

Data Security Tips for the Remote Workforce

As technology advances at a rapid pace, hackers and cybercriminals are finding it easier to hack into a company’s system to steal data. According to the SMB cybersecurity report, almost 43% of all small businesses in the United States suffered through a data breach and were victims of cybercrime in 2016.

Therefore, it is important for you to develop and implement the best cyber data security tips to prevent such attacks from taking place.

What Are the Threats?

Data Loss and Device Failure

Forgetting to back up your data and not updating your device on a regular basis can cause huge problems. You could lose data due to human error, file corruption or even overheating of your device. This makes it important that you keep a backup of your data in your cloud accounts so you can easily access the information that you need.

Stolen Devices

Another threat that can harm your business operations is when your device gets stolen and the criminals get access to your company’s information. People often steal devices in order to sell them for cash.

Cybercrime


Cybercrime is a virtual crime which happens online. It includes stealing of personal and financial information.

There are rules and laws that are created to stop such illegal activities. Whenever you see any illegal activity on online platforms, you should report it to the authorities right away.

How Can You Enhance the Security for Remote Employees?

Create Backups and Recovery Plans

Having backups and recovery plans is one of the best strategies you can implement. You should also have regularly scheduled system cleanings and updates to maintain the security of your company’s system.

Backing up information is extremely important because it helps restore the original data in case you lose your device or it gets compromised by hackers or intruders.

Spread Knowledge

The rules and regulations regarding security tend to change quite frequently because technology is advancing. This is why you need to update your security strategies to cope with the changing threats.

You need to research threats that can be harmful to your company so that you can educate your workforce for more effective security. Your employees play a vital role in the security of your company. They have crucial information, which can be extremely dangerous if leaked outside.

Update your employees regularly and get them the latest tools to fight the threats and defend against the attacks.

Use Two-Factor Authentication

In order to enhance the security of your company, you should use two-factor authentication, as it makes it more difficult for hackers to operate. A two-factor authentication system will lock your account and require a password along with a code to unlock it. This is a strong type of system that keeps unauthorized people away from your accounts.

Update Your Software Automatically

When running a business, you need to update your software on a regular basis. Waiting to install the latest update is not an option. You need to have the latest version installed to serve your customers.

In addition to this, the latest versions allow for better performance because they include solutions that weren’t available previously.

Use VPN for Secure Networks

There are many employers that offer remote employees access to the secure network so that they can work without any obstacles. An encrypted connection will allow employees to safely and securely browse the internet while preventing third party interception.

Off-site employees should never use open or public Wi-Fi connections. They might get intercepted by hackers and the company information can get leaked. Employees should be provided a VPN so that they can easily work in a safe environment with no issues.


Security Protocol and Access Controls

You should keep a constant check on the security protocol and access controls of your network because employees might not be using the information correctly. You need to keep an eye on the information that’s flowing in and out of your company in order to check for fraudulent activities.

Protect Smart Devices


You should protect the mobile devices of your organization at all times. This is to prevent unauthorized access to confidential information.

You can do that with strong passwords, photo recognition, thumb impressions, and pattern unlocking systems. In addition to those, you can use a two-factor authentication to enhance the security of your devices.


Security is of utmost importance and should not be taken for granted. You cannot compromise your organization’s security because hackers and cybercriminals are always looking for opportunities to hack into your system. That is why you need to implement these data security tips and strategies to ensure a safe working environment.

The post Data Security Tips for the Remote Workforce appeared first on Dumb Little Man.

7 Surprising Reasons Public Safety Is At Risk In 2018

Public safety is (and has always been) a major concern. Moving into 2018 and the future, there are many possible new public safety risks that companies and individuals need to be aware of. Are you aware of all the issues faced by the public today?

Ready to learn more about a handpicked selection of them? Let’s dive right into it!

Glitches in The System

If anything can affect our safety and security in the future, it has to be glitches in the system. From self-driving car bugs, to sports stadium software gone wrong, to police scheduling systems breaking, there are many possible reasons the public might be at risk.

Cybersecurity: Hacks, Data Leaks, & Breaches

Cybersecurity is becoming a hot topic moving into 2018. From giant insurance hacks, government data leaks, to SMB database breaches, none of your information is safe anymore. Who knows what offline effect these cybersecurity breaches could bring directly and indirectly.


Gun Violence


Gun control is the hot topic in North America right now. It’s easy to observe that gun violence is statistically rising up the charts. This is an issue that we cannot ignore and requires intervention from diplomats, scholars, politicians and the public before arriving at a conclusion.

Criminal Violence

Physical violence has always been in existence. With access to guns, and the intense pressures of modern culture and a politically charged climate, criminal violence has to be prevented at all costs. The failure to break up feuds and public rants could cause a huge damage to public property.

Vape Dangers

Are you a vaper? People who use vaping apparatus can be a nuisance and can cause public turmoil especially when a short-tempered person confronts a vaper. Vapes are known to explode on rare occasions, so in places like crowded stadiums, it’s something that can easily cause threats to public safety.

Social Engineering

With Facebook and other mass marketing tools now available to all businesses, the ability to mold the subconscious is becoming more prevalent than ever. Be sure to spread a positive message and have the right security measures in place in case of danger.

Natural Disasters


Natural disasters only appear to be increasing and getting more severe as global warming continues to affect us all. It’s important that the government takes all the precautionary steps during times of emergency. More importantly, all the right public safety measures have to be in place when you are planning any events or gatherings where a lot of people will be in one place.


That was a quick rundown of a small selection of things that we all should be trying to help fix and eradicate in our lives for ourselves and the public. Check out this infographic titled ‘Safety in Numbers’.


Share this article if you agree and feel free to comment any other risk factors associated with public safety!

The post 7 Surprising Reasons Public Safety Is At Risk In 2018 appeared first on Dumb Little Man.

Protecting Yourself From Fake Social Media Accounts

Fake news.

You’ve probably been hearing a lot about it lately.

What is fake news and why is it so important that you know how to spot it?

Fake news is not someone saying something you don’t agree with. It’s not one political party pointing out facts that happen to be inconvenient to the opposition.

It’s made-up stories disseminated with the sole purpose of creating divisiveness and spreading misinformation.

The widespread availability of the Internet has led to an openness in the exchange of information that humanity has never before experienced. Unfortunately, this has also led to folks taking advantage of this openness to spread divisiveness. The greatest tool in their shed? Social media.

Fake Social Media Accounts Spread Fake News

During the election cycle in 2016, Stanford University conducted a study of fake news circulating on Facebook and the results were shocking.

Researchers found 115 fake pro-Trump stories circulating on Facebook that had been shared 30 million times at that time. They also found 41 fake pro-Clinton stories that had been shared 7.6 million times.

We’ve all seen them- implausible headlines, questionable websites, and recycled photos.

The problem is that people do believe them and fake social media accounts use this fact to spread such stories like wildfire.

How Big Is The Problem Of Fake Social Media Accounts?

Between 2014 and 2016, the number of fake social media accounts grew 11 times, a shockingly sharp uptick. As a percentage, fake social media profiles don’t seem especially prevalent.

However, by volume, there are way more fake profiles than you may think. Check out these numbers:

  • 2-3% or 60 million fake Facebook accounts
  • 9-15% or 48 million fake Twitter accounts
  • 8% or 24 million fake Instagram accounts

How Can You Spot Fake Social Media Accounts?

Image via skstechnologies

Have you ever received a friend request from someone you are already friends with that has the same profile picture and everything? That was probably a hacker trying to gain access to your or your friend’s personal information.

In addition to looking for duplicate accounts of people you know, there are a few other ways to spot fake social media accounts.

Here are some great examples:

  • Profile pictures that are of celebrities or objects
  • Accounts with almost no followers, or with thousands of followers
  • Public figures who aren’t verified
  • Accounts with little user engagement

What Should You Do If You Are Being Impersonated?

Impersonators wield a lot of power in today’s open social media society.

Just setting up a social media account and pretending to be a real person can gain you a lot of trust right off the bat. So, what do you do when someone is impersonating you?

Start by reporting the impersonator. Know that reporting the impersonator may or may not work and even if you get one account shut down, there’s always the possibility that another one will be created.

Impersonator accounts can be used to gain access to personal information or to publicly shame, embarrass, or humiliate the person they are impersonating. If you are a target of either, make sure to monitor all social channels regularly to find and report them immediately.

Why Does Any Of This Matter?

Social media is the new telephone.

Instead of calling our friends and catching up one by one, social media has allowed us to catch up with all of our friends at once, multiple times a day.

Logging off is one way to avoid fake news but is that really a reasonable solution?

We didn’t get rid of telephones when telemarketers became a problem.

Plus, most people aren’t going to log off anyway.

Fake news and fake social media profiles are a real problem and you can only solve them with education and awareness. Learn more about where fake social media accounts come from by checking out this infographic.

Infographic: Where do fake social media accounts come from? (Source: SocialCatfish.com)

The post Protecting Yourself From Fake Social Media Accounts appeared first on Dumb Little Man.

8 Easy Steps To Your Browser Security And Privacy

Bad news.

There’s really no such thing as the most secure browser.

Want proof?

In a poll in 2013, Firefox was voted as the most secure web browser. However, in a hacking contest in March of 2014, Firefox was deemed as the least secure after it went down to four zero-day exploits.

Because you can’t really rely on one browser to protect you and your data, it’s critical that you know how to make your favorite browser the most secure browser for you.

Here are some steps you can follow:

Check your browser’s default setting

The most convenient way to start using any program, including a browser, is with its default settings. It is, however, not the most secure way.

In fact, it can expose you to a lot of potential threats.

With your browser’s default configuration, hackers can easily access your program and even make internal changes without you knowing.

Creepy, right?

The best solution to that is to configure all your browsers as well as your operating system before use. Doing that can greatly increase your security.

Use only one browser when dealing with sensitive activities


Your computer probably has multiple browsers installed and that’s actually a good thing. It means you’ll be able to dedicate one browser for one activity only, limiting the risk of compromising your sensitive data.

Think of it this way:

You can use one browser to pay your bills or purchase something online. You can use a separate browser for researching and random browsing.

This way, if someone hacked the one you are using for general web browsing, the other browser won’t be compromised.

Of course, this doesn’t mean that using separate browsers will automatically protect your data. You also have to play your part to make your browser the most secure browser.

It can also help if you can make a complete browser comparison first before deciding which ones to use.

Update your browser

Security holes will keep on popping up as more and more security threats emerge. One of the few ways you can protect yourself is by updating your browser.

Make sure to follow your vendor’s instructions when updating your browser. If your operating system no longer supports newer browsers, it’s time to get that updated as well.

Browsers like Chrome and Firefox have an auto-update feature by default. If yours isn’t enabled, check if your computer’s firewall is preventing the auto-update or someone else has configured it the way it is.

Get an antivirus installed

A good antivirus remains one of the best ways to stay protected on the internet. Just make sure that the one you are using is genuine, since fake antivirus software is a security threat on its own.

And if you already have one, keep it up-to-date. Using an expired antivirus is more likely to put your security at risk.

Now, listen closely.

While you might think that the antivirus that came with your computer is enough to protect you, it actually isn’t. You see, free antivirus programs aren’t that comprehensive.

They only provide limited protection and only detect certain threats. Their scanning is slower and less thorough, too.

The bottom line?

Don’t skimp on your antivirus program and be sure to keep it updated.

Be careful in installing plugins and extensions

Extensions and plugins might look harmless but they can be extremely dangerous. They have access to your every move online. And because they know everything, you can just imagine the damage they can create.

They know what you’ve been searching and they can capture your passwords. These extensions can even insert advertisements in the pages you visit.

One problem with extensions is that they frequently require access to everything. For example, an extension that’s meant to make changes in Google.com will require access to everything related to Google.

Most of the time, that includes your email and Google account.

To stay safe, use as few extensions and plugins as possible. If you aren’t using the ones already installed on your computer, uninstall them and stick with the ones you use frequently.

If you are planning on adding more, make sure to read the permissions they require.
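Reading the permissions is easier when you know what to look for. The script below is an added example, not code from the original post: it parses a browser-extension manifest (a constructed sample is embedded) and flags the broad host patterns and sensitive API permissions that let an extension see every page you visit. The permission names it checks are a hand-picked, illustrative subset of WebExtension names, not a complete or vendor-maintained list.

```python
"""Flag risky permissions in a browser-extension manifest.json.

Added example, not from the original post. The manifest below is a
constructed sample; the risk lists are an illustrative subset of
WebExtension permission names, not a complete list.
"""
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# API permissions that let an extension read or alter pages, requests or
# browser state (assumption: a hand-picked subset chosen for illustration).
SENSITIVE_API_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "history",
    "tabs", "clipboardRead", "nativeMessaging", "debugger",
}

SAMPLE_MANIFEST = json.dumps({  # constructed sample manifest.json
    "manifest_version": 3,
    "name": "Example Search Helper",
    "permissions": ["storage", "tabs", "cookies"],
    "host_permissions": ["*://*.google.com/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})


def is_broad_host(pattern):
    """True if a match pattern covers every site (or every site on a scheme)."""
    return pattern in BROAD_HOST_PATTERNS


def review_manifest(manifest_text):
    """Return the findings a user should read before installing."""
    manifest = json.loads(manifest_text)
    findings = {"broad_hosts": [], "sensitive_apis": [], "host_patterns": []}

    # Manifest v3 keeps host patterns in host_permissions; v2 mixed them
    # into permissions. Walk both lists so either layout is handled.
    candidates = list(manifest.get("permissions", []))
    candidates += list(manifest.get("host_permissions", []))
    for perm in candidates:
        if perm in SENSITIVE_API_PERMISSIONS:
            findings["sensitive_apis"].append(perm)
        elif "://" in perm or perm == "<all_urls>":
            findings["host_patterns"].append(perm)
            if is_broad_host(perm):
                findings["broad_hosts"].append(perm)

    # Content scripts run inside every page that matches, so a broad
    # "matches" entry matters as much as a broad host permission.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if is_broad_host(pattern):
                findings["broad_hosts"].append("content_scripts:" + pattern)

    return findings


def risk_level(findings):
    """Coarse rating: 'high' if it can read every page, 'medium' if it has
    sensitive APIs or site-scoped host access, otherwise 'low'."""
    if findings["broad_hosts"]:
        return "high"
    if findings["sensitive_apis"] or findings["host_patterns"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = review_manifest(SAMPLE_MANIFEST)
    print(risk_level(result), result)
```

The sample manifest only asks for Google hosts explicitly, yet its content script matches `<all_urls>`, which is exactly the "access to everything" the post warns about; the review rates it high for that reason alone.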

Use pop-up blockers


Ads and pages that pop out of nowhere aren’t just annoying; they can also be dangerous.

By using a pop-up blocker, you’ll be able to prevent those ads from installing harmful malware on your computer. It also keeps your screen from getting cluttered.

Now, if the website you are trying to access needs you to temporarily disable the blocker, remember to reactivate it once you are done.

Turn on fraud protection

There are tons of untrustworthy websites on the internet. If you aren’t careful, you can inadvertently visit one of those phishing sites and expose your sensitive information.

Phishing sites are sites made to look legitimate and trustworthy so that they can collect your personal details, including the credit card numbers and passwords stored in your browser.

To stop that from happening, always turn on fraud protection. It can blacklist known phishing sites so you won’t be able to access them.

See Also: 7 Top Tips to Avoid Being Caught in a Phishing Net

Be careful with auto-complete features

Being able to log into your email or any of your accounts without typing your login details sounds convenient. In terms of safety and security, however, it’s a totally different story.

Just think about what can happen when your laptop or device gets stolen or lost. It’s like giving away your personal login information to everyone.

For protection, always turn that feature off. You can do that by accessing your browser’s setting.

If you are using Chrome, for example, you can open its Setting window, select Advanced, and make the necessary changes in the Manage Password section.

In case you are using Firefox, access the Options window, select Privacy, and look for History. Once you are there, set “Firefox will:” to “Use custom settings for history” and disable the “Remember search and form history” option.

These changes don’t take a lot of time. In fact, you can complete them in less than a minute.

See Also: How To Maintain Your Privacy Online

 

The post 8 Easy Steps To Your Browser Security And Privacy appeared first on Dumb Little Man.

Certain Sonos and Bose models can be accessed by hackers to play sound remotely

Researchers at Trend Micro have discovered a potential hack opening key speakers from Sonos and Bose to remote access. As first reported by Wired, the Sonos Play:1, Sonos One, and Bose SoundTouch systems can be located and taken over through an online scan, letting hackers play music through the system. For now, the access appears to be largely prank-based. The researchers, naturally, used…

How to Set Up a VPN

If you want to protect your online privacy and prevent unwanted parties, such as government agencies and advertising companies, from tracking you and using your private information to their advantage, there are few ways as effective as a VPN.

However, not everyone knows what a VPN actually is or what advantages it offers. To help you out, we’re here to discuss how to set up a VPN and how you can start using it.

How do VPNs Work?

As the term suggests, a Virtual Private Network or VPN is a network of servers you connect to virtually (over the internet instead of a physical connection) to enhance your privacy. It does this by encrypting all the traffic that leaves your device and then routing it through one of the servers that make up the network to mask your online trail.

Each part of the process presents a benefit for the user. The encryption of communications between the user and the VPN makes it impossible for Internet Service Providers and other eavesdroppers to snoop on your online activity. On the other hand, tunneling your connection through a VPN server makes websites think it is the server that’s accessing them when it’s actually you who’s doing it.

That offers you two benefits:

First, this prevents the website from tracking information about you coming from your device. You’d be accessing every website as if it were the first time you’re doing it and advertising companies would be unable to tailor ads for you.

The second benefit of tunneling is tied to the location of the server. Servers located in different countries allow you to access web content as if you were connecting from the server’s location. This lets you reach content that isn’t available in your region.

Clear and Easy Way to Set Up a VPN


To use a VPN, you have to find a provider of the service online. This is perhaps the hardest part of the process since there is a very wide variety of VPN services available online. Not all of them are equally good and some of them may even end up doing more harm than good.

We recommend you use one of the following providers. We have already tried out and verified the quality of their service.

  • NordVPN
  • VyprVPN
  • PureVPN
  • ExpressVPN
  • IPVanish

After you’ve made your pick between them, all you have to do is follow these steps:

Purchase a Subscription

The first thing you have to do after you’ve picked a VPN service provider is to buy one of the subscription plans they offer. Keep in mind that the longer the subscription time you buy, the more value you’ll get for every penny you spend.

Download and Install the Software Client

Most VPN providers will ask you to download their software in exchange for letting you connect. This software client contains all the options you need for a safe connection that suits your needs.

Adjust the Settings

After you’ve installed the software, you have to open it and configure your connection to your specific needs. Most of these settings will come preconfigured for the most common and convenient settings, but you might want to tweak it a little bit.

Particularly regarding communication protocols and encryption algorithms, you’ll want to use OpenVPN and 256-bit AES encryption, respectively. These are the most reliable settings you could wish to have on a VPN, so they are the ones we recommend you to use. If you’re curious, you can look up any other settings online before messing with them but do this with extreme caution.

Choose a Country

After you’ve dealt with the technical details, it’s time to choose the location of the server you’ll be connecting to. This is important if your goal is to bypass the region lock of a website.

For instance, if all you want is to be able to access Netflix’s full library, then you’ll want to connect to a server in the US. VPN services usually let you decide this using a drop-down menu on their software.

Connect and Enjoy

After all this, you’re ready to hit the connect button and start browsing the web as you normally would. You’ll now be completely anonymous to the websites you visit, and your ISP won’t be able to monitor your online activity either.

It’s only responsible for us to spread the benefits of VPN usage to contribute to a safer internet. They are a very powerful tool that helps you protect your online privacy and that of your loved ones.

The post How to Set Up a VPN appeared first on Dumb Little Man.

Powered by WPeMatico

Using Zero Trust Network Segmentation To Protect Your Business From Hackers

Cyber security is a major concern no matter what size or type of business you have.

Despite how critical it is, a lot of people are still not doing enough to protect themselves. They don’t take information security seriously – until something bad happens.

Take security breaches for example. They can be costly, often putting small businesses out of business for a few months.

There are practices that could stave off most attacks. Unfortunately, since humans are the weakest link in the cyber security chain, breaches can happen no matter what type of preparation a company does.

To help reduce this risk, there’s a newer and safer model for cyber security. It’s called the Zero Trust model with network segmentation.

What Is Zero Trust?


Under the old model of cyber security, gaining access to a network was as simple as entering your username and password. Once you were in, you had access to everything.

Unfortunately, this model has some pretty obvious weaknesses. Hackers only need to gain access to your login data, which is easy to do through social engineering.

In the zero trust model, everyone is assumed to be a hacker.

Login info will get a person into the front door. Once he’s inside, he’ll find many more doors. This leaves fewer chances for hackers to exploit.

This model regularly checks activity logs, too. This is done in real time to detect any threats as quickly as possible.

Even the Department of Homeland Security recommends zero trust segmented networks. It suggests:

  • Design network segments based on need-to-know and zero trust principles
  • Ensure that sensitive information is segmented, even from other sensitive information
  • Layer security measures so each segment has its own requirements for access
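To make the three DHS points concrete, here is an added example (not code from the post, and not DHS guidance): a toy segment gate in Python. Logging in does not grant access to anything; each segment states its own need-to-know roles and access requirements, unknown segments and unmatched roles are denied by default, and every decision is written to an activity log that a small check scans for users piling up denials in a short window. Segment names, roles and the sample requests are all constructed for illustration.

```python
"""Toy zero-trust segment gate with per-segment requirements and an
activity log. Added example, not code from the post or from DHS; the
segments, roles and requests below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa: bool             # did this session pass multi-factor auth?
    managed_device: bool  # is the device enrolled and patched?
    segment: str
    ts: int               # constructed timestamp, seconds


# Each segment states its own requirements (layered access, DHS bullet 3).
# hr-records and payroll are both sensitive yet kept apart (bullet 2).
# Anything not listed is denied: default deny (bullet 1).
SEGMENT_POLICY = {
    "wiki":       {"roles": {"staff", "finance", "hr"}, "mfa": False, "managed": False},
    "payroll":    {"roles": {"finance"},                "mfa": True,  "managed": True},
    "hr-records": {"roles": {"hr"},                     "mfa": True,  "managed": True},
}


def decide(req):
    """Evaluate one request; return (allowed, reason)."""
    policy = SEGMENT_POLICY.get(req.segment)
    if policy is None:
        return False, "unknown segment"
    if req.role not in policy["roles"]:
        return False, "role not on need-to-know list"
    if policy["mfa"] and not req.mfa:
        return False, "MFA required"
    if policy["managed"] and not req.managed_device:
        return False, "managed device required"
    return True, "ok"


class Gate:
    """Evaluates requests and keeps the activity log the post says a
    zero-trust model reviews in real time."""

    def __init__(self):
        self.log = []  # (ts, user, segment, allowed, reason)

    def handle(self, req):
        allowed, reason = decide(req)
        self.log.append((req.ts, req.user, req.segment, allowed, reason))
        return allowed

    def suspicious_users(self, window=60, max_denies=3):
        """Users with more than max_denies denials inside any `window`
        seconds: the kind of pattern that deserves an immediate look."""
        denies = defaultdict(list)
        for ts, user, _segment, allowed, _reason in self.log:
            if not allowed:
                denies[user].append(ts)
        flagged = set()
        for user, times in denies.items():
            times.sort()
            for i in range(len(times)):
                j = i
                while j < len(times) and times[j] - times[i] <= window:
                    j += 1
                if j - i > max_denies:
                    flagged.add(user)
                    break
        return sorted(flagged)


# Constructed sample: alice is finance staff, bob is ordinary staff
# probing segments he has no need to know, carol is HR without MFA.
SAMPLE_REQUESTS = [
    Request("alice", "finance", True,  True,  "payroll",    100),
    Request("alice", "finance", True,  True,  "hr-records", 110),
    Request("bob",   "staff",   False, False, "wiki",       120),
    Request("bob",   "staff",   False, False, "payroll",    125),
    Request("bob",   "staff",   False, False, "hr-records", 130),
    Request("bob",   "staff",   False, False, "payroll",    135),
    Request("bob",   "staff",   False, False, "hr-records", 140),
    Request("carol", "hr",      False, True,  "hr-records", 200),
]


def run_sample():
    """Push the sample through the gate; return (gate, decisions)."""
    gate = Gate()
    decisions = [gate.handle(r) for r in SAMPLE_REQUESTS]
    return gate, decisions


if __name__ == "__main__":
    gate, decisions = run_sample()
    for entry in gate.log:
        print(entry)
    print("suspicious:", gate.suspicious_users())
```

Note that alice, who legitimately reaches payroll, is still refused hr-records: having passed the front door says nothing about the next one. Bob's four denials in fifteen seconds are what the log review surfaces.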

See Also: Are There Benefits to Implementing Business Intelligence for Small Business?

How Much Do Data Breaches Cost?

According to Hackerpocalypse: A Cybercrime Revelation from Cybersecurity Ventures:
“Cybersecurity Ventures predicts global annual cyber crime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”

The cost of cleaning up breached records varies by company and by industry.

Retail breaches are great examples. They are the most publicized type of breaches because they affect several consumers at once. Generally, they cost millions of dollars per incident to clean up. They also cost the retail outlet in lost sales and reputational damage.

Small data breaches can happen to small businesses, too. In such cases, breaches can cost tens of thousands of dollars to clean up. This can easily put a company out of business.

After all, how many small businesses have tens of thousands of dollars they aren’t using to put toward cleaning a data breach?

How To Implement Zero Trust Segmented Networks


Even if you don’t have a large corporation with an information security team and a network architecture specialist, there are still ways for you to protect your small business.

  • Software can automate some security needs
  • Next generation firewalls can provide greater security
  • BYOD and password hygiene policies can go a long way
  • Security consultants often specialize in working with small businesses to find Info Sec solutions
  • SaaS and NaaS providers can give your business the same level of security as large corporations

See Also: Wireless Network Hacking And How To Avoid Being Hacked

Don’t Let InfoSec Get Away From You

Doing something about your company’s information security before it’s too late is crucial if you want to stay in business. Hackers are always looking for vulnerabilities to exploit, so the time to act to make your network safer is now. You are the weakest link and hackers know that. Don’t let them destroy your business by failing to protect it. Learn more about zero trust network segmentation from this infographic!


The post Using Zero Trust Network Segmentation To Protect Your Business From Hackers appeared first on Dumb Little Man.


IBM dangles carrot of full encryption to lure buyers to new z14 mainframe

IBM is doing its damnedest to keep the mainframe relevant in a modern context, and believe it or not, there are plenty of monster corporations throughout the world who still use those relics from the earliest days of computing. Today, the company unveiled the z14, its latest z-Series mainframe, which comes with the considerable draw of full encryption. Is that enough for even corporate giants…


Security researchers: EFF's got your back at this summer's technical conferences

Are you a security researcher planning to present at Black Hat, Defcon, B-Sides or any of this summer’s security events? Are you worried a big corporation or the government might attack you for revealing true facts about the defects in the security systems we entrust with our safety, privacy and health?


TrueFace.AI busts facial recognition imposters


Facial recognition technology is more prevalent than ever before. It’s being used to identify people in airports, put a stop to child sex trafficking, and shame jaywalkers.

But the technology isn’t perfect. One major flaw: It sometimes can’t tell the difference between a living person’s face and a photo of that person held up in front of a scanner. 

TrueFace.AI facial recognition is trying to fix that flaw. Launched on Product Hunt in June, it’s meant to detect “picture attacks.”

The company originally created Chui in 2014 to work with customized smart homes. Then they realized clients were using it more for security purposes, and TrueFace.AI was born.



How To Maintain Your Privacy Online

Threats to online privacy seem to grow every day so make sure you know how to protect yourself. There are a lot of things you can do to stay safe online. Unfortunately, not all of them are guaranteed to work.

Clearing your browser history, for example, doesn’t really do anything. Installing an ad blocker won’t get the job done either. If you really want to protect your online privacy, here are the things you need to do.

Use secure passwords and usernames

It seems so convenient to just use the same usernames and passwords for every site. That way, you can remember them even without writing things down.

But, consider this:

If you use an easy-to-guess password for your social media and use the same one to log in to your bank, you’ve just made it super easy for someone to gain access to your bank account.

To protect yourself, choose passwords that are at least eight characters long and make sure they contain different types of characters. Use numbers, capital letters, lower-case letters, and symbols. Use a different password for every site you frequent, too.
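The rules above are easy to check mechanically. Here is an added example (not code from the original post) that does so in Python: it reports which of the post's rules a password breaks, and it scans a constructed sample of site-to-password entries for the reuse the post warns about. The sample vault and site names are made up for illustration.

```python
"""Check passwords against the post's rules: at least eight characters,
a mix of character types, and no reuse across sites.

Added example, not from the original post. SAMPLE_VAULT is constructed."""
import string

MIN_LENGTH = 8
REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}


def character_classes(password):
    """Return the set of character types present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # anything else counts as a symbol
    return classes


def check_password(password):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    return problems


def find_reuse(site_passwords):
    """Group sites that share a password. This runs locally over your own
    list, so it compares the values directly; each group with more than
    one site is a reuse the post says to eliminate."""
    sites_by_password = {}
    for site, password in site_passwords.items():
        sites_by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]


# Constructed sample vault: two sites share one password, one site uses
# a long passphrase that still lacks digits and capitals.
SAMPLE_VAULT = {
    "bank.example": "Summer2019!",
    "social.example": "Summer2019!",
    "shop.example": "correct horse battery staple",
}


def audit_vault(site_passwords):
    """Return {site: problems} for every failing entry plus reuse groups."""
    failing = {site: check_password(pw) for site, pw in site_passwords.items()}
    failing = {site: p for site, p in failing.items() if p}
    return failing, find_reuse(site_passwords)


if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
```

The passphrase entry shows why the character-class rule is worth checking rather than eyeballing: it is long, but it has no digit or capital, so the post's rule still flags it.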


Use a password manager

The next step in password protection is to use a password manager. It’s an app that can generate crazy-long passwords that you couldn’t possibly remember. It encrypts not only your password but also your security questions and their answers, your credit card numbers and their PINs and other vital security information.

Now, all you have to remember is the password to your password manager.

Don’t click on the link

You know better, right? So, why do you click on those links you get on your email?

Usually, it’s because the email came from someone you trust. However, what if your friend clicked on a malicious link? Your friend’s entire address list could have been hacked and that includes you.

As much as possible, don’t click on suspicious links, even if they came from people you trust.

Lock down your social networks

Sure, those warnings that pop up on Facebook every month or so about how the platform is going to steal all your data are indeed trollish. But, even though they’re fake news, they actually have a point.

You need to lock down your social media privacy settings which are often defaulted to Public. This setting means everyone can see everything on your wall.

For your online privacy, change your settings to Friends. If you should unlock a single post to Public, make sure you haven’t inadvertently opened up your whole account to the world.

The bonuses here? Real life bad guys can’t see when you’re away from home to break in and steal your non-virtual stuff and your bosses and ex can’t see what you did on the weekend.

See Also: Don’t Get Your Identity Stolen – Here’s How

Look for a secure connection

When you’re about to log on to a site, take a look at the URL. Does it say “http” or “https”?

That “s” stands for “secure” and it means that your data (including your username and password) are being encrypted as they travel back and forth across the web. This is particularly vital when you’re making online purchases or handling other financial transactions.

Often, you’ll see a padlock icon next to the URL to confirm the secure connection. While you’re at it, secure your own devices by setting and actually using the lock screens on each device.

Block cookies

It’s so cute when a brand you’ve shopped with sends you just the perfect ad, isn’t it? Except, it’s not so cute after all.

That brand or advertiser found you by attaching cookies to your browser and now they’re following you — and not in a good way. In some cases, they can even follow you from all your devices to keep track of your online behavior.

Block those third-party cookies. The advertisers will still be able to track the pages you visit, but they’ll have to work a whole lot harder to do it.
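What makes a cookie "third-party" is whether it belongs to a different registrable domain than the page you are on. The Python below is an added example, not code from the original post: it classifies the cookies set during a constructed page load as first- or third-party and shows which survive a block-third-party policy. Its suffix table is a two-entry stand-in for the real Public Suffix List, and all hostnames and cookie names are made up.

```python
"""Classify cookies set during a page load as first- or third-party and
apply a "block third-party cookies" policy.

Added example, not from the original post. MULTI_LABEL_SUFFIXES is a tiny
constructed stand-in for the Public Suffix List; hosts are made up."""
from urllib.parse import urlparse

# Assumption: a two-entry stand-in for the Public Suffix List, so that
# "shop.example.co.uk" resolves to "example.co.uk" rather than "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_cookies(page_url, cookies):
    """cookies: (setting_host, cookie_name, domain_attribute_or_None).
    A cookie is first-party when its effective domain shares the page's
    registrable domain; everything else is third-party."""
    page_domain = registrable_domain(urlparse(page_url).hostname)
    first_party, third_party = [], []
    for setter, name, domain_attr in cookies:
        # With no Domain attribute the cookie belongs to the host that set it.
        cookie_domain = (domain_attr or setter).lstrip(".")
        if registrable_domain(cookie_domain) == page_domain:
            first_party.append(name)
        else:
            third_party.append(name)
    return first_party, third_party


def apply_block_policy(page_url, cookies, block_third_party=True):
    """Return the names of cookies the browser would keep."""
    first_party, third_party = classify_cookies(page_url, cookies)
    return first_party if block_third_party else first_party + third_party


# Constructed page load: the shop's own session cookie, a cookie scoped to
# the shop's parent domain by its CDN, and two trackers embedded in the page.
SAMPLE_PAGE = "https://shop.example.co.uk/cart"
SAMPLE_COOKIES = [
    ("shop.example.co.uk",      "session", None),
    ("cdn.example.co.uk",       "prefs",   ".example.co.uk"),
    ("ads.tracker.example",     "uid",     ".tracker.example"),
    ("pixel.analytics.example", "visitor", None),
]

if __name__ == "__main__":
    print(classify_cookies(SAMPLE_PAGE, SAMPLE_COOKIES))
    print("kept with blocking:", apply_block_policy(SAMPLE_PAGE, SAMPLE_COOKIES))
```

The shop keeps working after the policy is applied (its session and preference cookies are first-party), while the two tracking cookies are the ones dropped; that is the trade the post describes, with the advertiser left to find other, harder ways to follow you.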

Use a VPN

A VPN or Virtual Private Network is probably one of the best and simplest ways to protect your online privacy. With a VPN, your data is encrypted so your internet service provider can’t see your internet usage — and neither can anyone else. VPNs provide protection against hackers and they keep your surfing safe when you’re using Wi-Fi.


Use Tor

Head to Tor to anonymize your IP address automatically. With Tor, your browsing experience becomes private — well, as private as you can be, given that you’re still on the internet. It can hide your information from hackers who want your identity, corporations that want your money and data and government that wants who even knows what.

There are a lot of dodgy people on the internet. Don’t let them into your virtual home. Take these basic steps today to protect and maintain your online privacy.

The post How To Maintain Your Privacy Online appeared first on Dumb Little Man.


Companies, governments brace for a second round of cyberattacks in WannaCry’s wake

As the world readies to open for business on Monday, companies and governments are bracing for a second round of cyberattacks in the aftermath of Friday’s WannaCry hack.
Indeed, security experts are already warning that a new version of WannaCry has emerged over the weekend that doesn’t have the kill switch protocol that stopped the initial version of the cyberattack late on…


How To Be Successful: The Surprising Tip You Might Not Know About

Different types of people achieve various levels of success. While some seem to be lucky enough to be successful in an instant, there are people who have to work really hard to achieve their desired status in society.

It all comes down to the Hierarchy of Needs, how you approach each tier and how you can make the Law Of Attraction work for you. Once you understand these things, crazy levels of success can be yours!

The Hierarchy of Needs breaks down human nature into these five facets:

1. Physiological Needs

The first requirement for humans is our physiological needs. They are the basic things we need for survival, like oxygen, shelter, and food. Once we meet these needs, we can then move on to seeking the second tier.


2. Security and safety

This tier includes employment, money and being able to proactively provide for yourself and your family. If we fail to achieve the first two needs, we, as humans, can bend our morals and values to obtain them. Take, for example, stealing food so your family can eat.

3. Love and belonging

This level involves love, intimacy, family and friendships.

A lot of us have our physiological and security needs handled most of the time. Once those things are obtained, we’re free to go for the next need in the hierarchy.

4. Self-esteem

This includes gaining confidence, achievement and respect.

This is where gaining recognition for your work and what you do play a big role. This is where you achieve real wealth which you can freely enjoy as you go higher in the hierarchy.

5. Self-actualization

The top part of the hierarchy is self-actualization. This is the full expression of your creativity, where everything you do is an expression of your deeper self.


Before you can reach the top tier, you have to go through the lower levels first. You’re not really going to be worried about self-actualization when you can’t feed yourself.

The hierarchy of needs explains a lot about life.

Today, we live in a world where we can easily find like-minded people who can lift us up and allow us to be who we really are. This has made tier 3 much easier to obtain. No matter where you live, you’ll find other people you feel connected to.

But, culturally, our thoughts and behaviors are still stuck in the past and they won’t make progressing that easy. This is where those bold, driven and extreme people surpass many in their pursuit of their pie-in-the-sky goals.

There’s a hidden system within this structure that, once known, can allow you to transform your life. Once you apply the Law Of Attraction in relation to the Hierarchy Of Needs, you’ll attract circumstances, people, and opportunities that will allow your life to go where you desire.

My tip: Skip tier three, focus directly on those top two levels and let the Law Of Attraction go to work. Once you put this life hack to work, everything else will be easy.

By shifting your attention to the self-esteem and self-actualization levels, you’ll instantly start attracting the people and vehicles that will help you be successful.

Be bold, driven and a bit crazy as you focus on gaining self-esteem and reaching self-actualization.  The rest of the hierarchy will fall into place for you in the most wonderful way. Knowing how to be successful is only a part of the process. You also need to put in a lot of work to reach the top of the hierarchy.

See Also: 4 Things Highly Successful People Do Differently

The post How To Be Successful: The Surprising Tip You Might Not Know About appeared first on Dumb Little Man.


Home Inspection and Its Powerful Benefits

A celebration is typically in order when you finally get to buy that dream house of yours. It’s a huge prize and achievement after so much hard work and saving. But, what if you open that door only to see occasional power surges and broken pipes?

Opening your doors to those things is the most horrible way to start that next phase of your life. One way you can prevent those things from happening is through a home inspection.

Doing a home inspection is an excellent way to find problems that you didn’t get to see during your first visit to the property. By doing a home inspection prior to making a purchase, you’ll be saving yourself tons of headaches, frustrations and the high cost of repair.

Still not convinced? Here are some home inspection benefits you should know about.

Peace of Mind


When we notice something out of place, it bothers us and makes us want to know what’s making us uneasy. A home inspection is one way of understanding that kind of problem.

See Also: 10 Important Home Features That Home Buyers Want

Safety

One of the main reasons you buy a house is for safety. It can protect you and your loved ones from the weather, dangerous elements, and other things that can compromise your safety. Doing an inspection can and will provide the security you need, like preventing personal injuries from happening.

A slight power surge may mean that some wirings are rotting or rats have begun chewing on the wires. You can already consider that as a fire hazard, and lots of tragic stories have been born from that.

Water dripping from the ceiling can be solved temporarily by a bucket, but what if it becomes full and turns into a slipping hazard? Never underestimate what a simple home inspection can do.

Savings


A lot of homeowners disregard home inspection due to its cost. This way of thinking should be completely changed if you want to save a vast fortune. Knowing what needs repairs or fixing as soon as possible can prevent disasters, not only physically, but financially as well.

Having to face an abysmal ton of repairs in the future is a real headache. With a home inspection, you can sort out what needs to be fixed immediately to prevent it from causing even more problems.

Why wait for that rusty and leaky pipe to fall and break that expensive bath tub upstairs? Why wait for that wire to burn down the house when you can change that wire for a small fee?

A home inspection can save you from that headache and that financial drawback that you were so desperately afraid of in the first place.

See Also: Warning: 7 Home Inspection Pitfalls That Can Cost You A Fortune

Takeaway

It’s normal for people to feel euphoric when they get to purchase their dream house. Because of the overwhelming emotions, they can inadvertently skip the home inspection. They tend to disregard the idea, thinking that newer properties can’t have defects and damage.

Home inspection can provide us with a more comfortable life in the long run. From significant savings to saving the entire house we own, early assessment of our property is the next best thing we can do after popping that bottle of champagne.

The post Home Inspection and Its Powerful Benefits appeared first on Dumb Little Man.


A year later, no action from Chinese company whose insecure PVRs threaten all internet users

It’s been more than a year since RSA’s Rotem Kerner published his research on the insecurities in a PVR that was “white labeled” by TVT, a Chinese company, and sold under over 70 brand names around the world. In the intervening year, tens of thousands of these devices have been hijacked into botnets used by criminals in denial of service attacks, and TVT is still MIA, having done nothing to repair them.



A big challenger is about to change the way you use Facebook to log in on websites


There are two ways to log in on websites: try to recall the email address and password you registered with — or simply hit the “Facebook Login” button.

The convenience of the latter underscores the popularity of social authentication options. You’ll see Facebook and Google login buttons on popular sites including Netflix, Uber, Spotify, Imgur and Linkedin, just to name some.

Facebook itself estimates that some 350 million people log into a new app or site with their Facebook credentials every month. 

Olga Kuznetsova, Engineering Manager at Facebook, told us that the Facebook Login button ranks in the top three of consumer account creation and sign-in preferences worldwide.

