Month: April 2021

Simple Ways to Ensure Your Children’s Safety Online

Today, cybercrime is rampant. That presents a unique problem to parents in deciding how to approach ‘online safety’ with their children.

In the World, about 4000 cybercrime attacks occur each day, and, in fact, every 32 seconds, a hacker attacks someone online. To use the Internet safely and securely, you must know what to do and not do and distinguish between safe and unsafe.

Awareness and personal responsibility are vital components in surfing the web safely. Children should become aware of that as soon as possible.

Child-proofing the Internet is not as viable an option as some parents may hope it is. Yes, there are ways to block websites, keeping your children off of them. But it’s still preferable to educate them on the dangers the web presents.

Teach them how to keep themselves safe online. That includes what sites to avoid, links not to click, files not to download, emails to ignore, and so on. Education on the topic of cybercrime is a must.

Above all, children must learn against sharing personal information of any kind. Teach them young that giving out your full name, phone number, home address through any medium (email, Facebook, gaming platforms) is wrong.

Teach them to be cautious. Sometimes a string of innocent-seeming questions may pose a grave danger. It can start with your name, where you go to school, your postcode, and the child might not realize the escalation. Ensure it can recognize it.

As a parent, you must always keep your devices up to date with security installed on them – antivirus programs, anti-malware software, and other security software. Create unique passwords for your different accounts, and teach your children to do the same. Or use passwordless based authentication.

There are varying parenting styles. Some deem the act of monitoring their child’s online activity as an intrusion of privacy. Others perceive it as a given. Regardless of your parental views, it’s good to keep aware of what your child does on the Internet and encourage appropriate behaviors while discouraging inappropriate ones.

On the diagram, you can see a standard hacking workflow. Usually, hackers use this workflow to execute attacks. You can see that the first stage of attacks usually involves message-based fraud or social engineering.

‘Stranger danger’ has evolved beyond an in-person possibility of peril. It now lurks online, as well. Teach your children that not all online strangers are friendships waiting to happen – some are dangerous and look to cause mayhem and harm, i.e., hackers.

Make sure children realize that what goes on on the Internet stays on the Internet. If they upload a picture, it will forever be there. If they share their private details, they cannot merely ‘take them back.’

There are consequences to interacting with the web, and it’s your responsibility as a parent to teach them that valuable lesson.

In summary:

  • Stay updated: Always install updates when needed, and ensure your devices are protected.
  • Do not overshare: Be wary of sharing private details with people online. Sharing personal information can backfire. Ensure your children know this.
  •  Have a conversation with your child: Explain the many dangers that lurk online. Yes, children may be won’t ‘get it’ right away. But if that’s the case, talk to them again. 
  •  Use unique passwords: Ensure your child knows the importance of a strong password and the perils of using the same one for every account.
  • Keep an eye on their online activities: Be sure to monitor your child’s online activities to the extent that you know what they’re ‘up to’ online. Still, over monitoring is not good, so please use it carefully.

Educate your children, and make sure they know of the dangers the Internet presents and what they can do to minimize them

How Secure are the Virtual appliances?

A recent report raises questions about the software vendors’ responsibilities and claims that detected more than 400,000 Vulnerabilities across software vendors. The virtual appliances often get used to providing IT security functions like firewalls, encryption, and secure gateways. It aims to eliminate the need for dedicated hardware and can get deployed on cloud platforms.

Virtual appliances often reach consumers ready to be deployed to public and private cloud environments. Most consumers believe that virtual devices are safe and secure, free from security risks, but Orca’s report proves otherwise.

The research, conducted in April-May 2020, shows that 2,218 virtual appliances from 540 vendors got scanned and checked for known vulnerabilities and risks. The researchers ranked every appliance according to a scoring system designed for this research.

It is a good idea to encrypt your data before sending it to any virtual appliance. On the diagram you can see the standard hybrid encryption protocol using symmetric and asymmetric cryptography schemes. It offers good level of additional security.

The number of total discovered vulnerabilities is just over 400,000. The appliances received grades from A+ (exemplary) to F (failure). Only a mere 8% of products scored an A+, while 24% got an A as ‘well-maintained,’ 12% received a B as ‘above average,’ 25% were ‘mediocre’ with a C, 16% got a D as ‘poor,’ and 15% ‘failed’ with an F.

Interestingly enough, some vendors had products with an A and A+ and landed an F mark.

Correlation quality/price

Another exciting discovery by the report was that price doesn’t directly correlate with security. More expensive products don’t necessarily offer more protection. 1,489 of the products charged an average of $0.3/hour, while 510 were free, many of which were also open-source. The highest charge for appliances, which got tested in the report, was $3.00/hour. Free products received an average security score of 77.58, while fee-based ones got a 77.38.

Updates

It should come as no surprise that, as products get outdated, their vulnerability increases. Updates are essential as they can fix vulnerabilities when done regularly. The report discovered that 110 products received no updates for at least three years, 1,049 in the last year and only 312 got updated over the previous three months. Only 64 had received updates in the past month.

Feedback

Upon finishing the scans and grading process, the vendors received emails with the findings. All the vendors got contacted, but only 80 responded. Though the responses ranged, many confirmed they had taken remedial action. As a result, 287 products have received updates, and 53 got removed from distribution. Even though these numbers may seem unimpressive, that meant 36,938 (out of 401,571) discovered vulnerabilities got addressed. After a rescan, products that initially received an F ranking had improved their ranking to an A or A+.

The report also presents a few recommendations to help organizations reduce risks posed by virtual appliances. Among them are asset management and vulnerability management tools. Asset management helps to keep track of virtual devices, while vulnerability management tools assist in finding weaknesses.

Orca made sure to include in its report that all the data presented is a mere guide. A vendor’s top score doesn’t equate to a risk-free guarantee on all its virtual appliances. As already mentioned, some vendors have products with both the top and the lowest scores.

Is Identity-Based Passwordless Authentication the Way to Go?

User identity and security have continuously been reinforced in the organization by the use of strong passwords. User accounts tend to be restricted based on specific passwords typed. However, that has changed due to the technology rise that has wiped away the traditional password methods. Although some organizations still prefer passwords, authentication is slowly evolving to be passwordless due to convenience and efficiency purposes. Identity-based passwordless authentication is the focus of organizations and IT migration.

Passwordless authentication helps curb the insecurity that is common with organizations. The trends in cybercrime require that organizations implement robust measures of security in helping minimize the consequences.

Most technology-driven organizations have already implemented identity-based passwordless authentication. One popular method is biometric authentication as the main component of identity-based passwordless authentication. It integrates the biological features to develop some of the most effective solutions for signing into information systems and corporate portals. Significantly, a better approach to the management of user profile security and accessibility is by leveraging the biometric features and integration with IT to help promote a seamless process of identification. However, it is essential to ensure that the biometric data stays on your device and is adequately encrypted. In another case, once stolen, anyone can reuse it. Other methods use directly public and private key cryptography to achieve the same results.

You can see a sample passwordless authentication based architecture on the diagram. Users use a gesture to unlock a hardware device and different apps use the private key stored in this hardware device to sign a random token. Later this signature is verified on the server.

The uniqueness and strength of restricted access are robust in passwordless protection. Its features help in the promotion of quality and proper protection techniques, which are vital. Considering diverse approaches and key organizational security management measures, organizations have opted for identity-based passwordless authentication.

Cybersecurity is a significant concern, with hackers targeting high-profile organizations and creating weak points while accessing sensitive information. According to recent research, technological migration has been towards passwordless identification. The users do not have to use password authentication to access the organizational profiles. Necessarily, integration and passwordless leverage are vital in implementing the proper security protocols to achieve the desired security goals.

The feasibility of identity-based passwordless authentication is another competitive advantage. Passwords are tedious. Every time you enter them, you waste time as a significant impediment to a flawless work process. Most employers prefer passwordless authentication because they implement strategic and focused measures to improve access levels and ensure necessary and fundamental elements.

Passwords are the primary targets for hackers since they only have to master the keywords and process execution, which results in cracking of the security architecture. Biometric technology is the best way to focus and help advance its security needs, mainly by implementing efficient identification processes.

According to attackers’ behavior analytics, a strategy to reduce the attacks is by sensitizing people to implement passwordless authentication. Natural features are unique, and the level of security provided by investing in such technology is excellent. Howerer, the future will show whether it will help to improve safety and to meet various businesses’ needs regarding cybersecurity solutions.

The rise of data leaks

We are living in internet-reliant times. Everyone outsources and shifts aspects of their lives to online sources like social media, dating apps, and online workplaces and educational websites. With COVID-19 forcing us to emphasize online activities, the possibilities for data leaks are ever-growing.

Data leakage incidents are not always intentional, though most of the time, they are. Phishing attacks or malware sent via email and links are just some common examples. Both have high success rates, and once the malware is successfully installed on a device, leaking data is very easy. Private user information, including addresses, phone numbers, and more sensitive data like credit card numbers or passwords, are worth millions of dollars on the market.

845 GB of Data Leaked!

Recent examples showing the extent of leaked data in 2020 alone seem astonishing. Just a few weeks ago, nine dating apps leaked 845 GB of data. It may not sound a lot, but in fact, the leakage comprised private information of a few hundred thousand users. The leak includes explicit photos and messages that people would likely have instead kept confidential.

 Independent security researchers discovered the security breach for all affected websites.

The most shocking part of their discovery is that not a hacker was responsible for the leak but the companies themselves due to their careless configuration of the apps.

A standard workflow of data exfiltration. The hacker finds a way to infiltrate into the company infrastructure and after that uses other already hacked infrastructure to exfiltrate the data.

These websites and apps are mostly unknown, but data leaks can also happen to popular websites with millions of user account information leaked and stolen.

Big or Small – You’re Not Safe From Leaks

In 2014, a prominent commercial website’s entire user account list was leaked, with 145 million people affected. Users had to change their passwords as a consequence.

In 2012, a big social media website became a target, and 165 million business professionals’ data was readily available for sale. All users changed their passwords as well.

Other cases did not proceed as mildly. Big design software company in 2013 asked to pay their users 1.1 million dollars in compensation after credit card records and password leakage.

In 2021, the risk of data leakage is higher than at any time before; there have been numerous data breaches already, including major companies, universities, and cybersecurity providers. 

In October 2020 alone, there were 117 data breaches, the highest number recorded for a single month. Fortunately, only about 18 million user information leaked, less than the yearly running total of compromised data records of 19.5 billion. The most breached sectors were healthcare and health science, education, and the public sector.

All of these numbers show that the protection of one’s data in a time where everyone has an online presence is crucial. With COVID-19 inevitably shifting our lives towards online resources, it is up to us to take the necessary measures to protect our private information.

Cybersecurity for business travelers

Every business travel is a beautiful opportunity for people to visit their favorite countries and places. But these events are a fantastic opportunity for every sort of malicious cyber activity, too. Cyber criminals’ wet dream is many people connecting to the same hardware infrastructure, which is outdated in security because of lack of maintenance or cost savings.

Most people going on these trips are in business mode, deprotected. Usually, travelers are targets, but many hacker groups could attack local businesses or host infrastructure, too. Management personnel is wealthy and generate much interest in it as targets for cyber attacks. On the other hand, host infrastructure is a good target for hacktivism because some events have worldwide media coverage. We can imagine what happens if hackers manage to hack the internet access for hosting infrastructure and instead abc.com, they show anti-government slogans. Last but not least, travelers are excellent targets for data steal and botnets creation purposes.

So how can we keep ourselves safe? There are three primary attack vectors which travelers must have in mind. Hardware device-based attacks, data steals, and bank card information steals. The best strategy to prevent hardware-related threats is to carry only a smartphone. Modern smartphones are more capable of computing power and memory than most middle-class notebooks from the beginning of the decade. You don’t need a fully-featured laptop when you travel abroad. Modern smartphones are more than enough for day-to-day activities like chatting, email exchange, document reading. You bring your smartphone everywhere you go, so it is tough for someone to steal it. It provides many wireless ways for data exchange between devices, which decreases the risk of rubber ducky-based attacks. Often, many hotels, venues, cafes offer free wifi access for all the participants in the event. In general, using these wifi spots is a terrible idea. You can use them, but you have to know that hackers can record all the traffic on these devices. They can store all your encrypted user data, passwords, and sessions for later analysis and decryption attempts.

A better strategy is to use 4g mobile connections during your trip. In that case, the hacker must first hack the mobile internet provider connection to store and decrypt your data. Mobile internet providers are tough to hack, and that adds a layer of security to your device. This approach has a nice bonus feature; you can use the same 4g connection for internet access because of the smartphone’s internet sharing feature. I use 4g internet during my travels and hotel stays. In the most paranoid configuration, you bring two phones, one for a 4g connection and one for real work connected via wifi to the first phone. This setup offers a better level of security.

Bank card data stealing is one of the most common cybercrimes. Stealing card data is so easy that hackers steal millions of bank card credentials every day. How to prevent ourselves from these steals? With cash, of course. Cash is the ultimate paying method, never rejected, never tracked, and challenging to steal if stored properly. The average business trip has no more than ten days as a life span. The regular traveler can cover the expenses in cash during this time. However, for more extended stays bringing a considerable amount of money is not a good idea. Storing it is not easy, not to mention that many countries have an upper limit for cash transactions. In this case, carrying crypto tokens would be a fantastic idea. You can find many crypto exchanges and ATMs these days.

In conclusion, when traveling, the most valuable security advice is to stay undercover. Don’t show off yourself, don’t bring jewelry, wear functional but not expensive clothes, limit yourself to low to middle range electronic devices. You can also stay in moderate range hotels, pay in cash, and use an internet connection only when needed. And my last advice to business travelers worldwide – many cybercriminal organizations prepare themselves for your travel; please prepare yourself, too!

The Legality of Private Servers

The legality of privately owned servers is a much-discussed topic with large grey areas and varying laws in different countries.

In general, that legality is determined by a sample amendment, similar to this one: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

In other words, this means that the government and other institutions, organizations, and people, in general, do not have the right to search or control privately owned servers. They should not check what the servers store, except that there is reasonable evidence of illegal content.

A warrant to search a privately owned server would not be issued out of false claims because a judge has to examine whether the given evidence is sufficient. However, web servers are usually quite transparent, and illegal content on them is easily detected.

How is that a grey area then, and how liable are those individuals owning servers?

In the case of illegal content linked to a specific web server, people on the internet can see the server’s content and report it if they deem it inappropriate. If many people do this, it will eventually get removed in many cases.

However, if it is not a web server, then people would have no real reason to examine it without evidence of illegal content. Responding to other people reporting illegal content on one’s server by instantly removing it can make the server owner less liable.

Private Game Servers – Legal or Not?

One interesting legal case is the video gaming industry. Online games usually connect to a central server. That presents the issue of the game being unplayable once the online game and its server are gone.

Many people have chosen to counter this issue by setting up their game servers. That also allows them to change the game, revive old games for nostalgia’s sake or change aspects about it to meet their own needs, and so on.

But how legal is it to set up a private server without the game developer’s permission? Usually, this can happen through leaked or stolen codes, which is illegal in itself as it breaches copyright.

Furthermore, private server hosts often take donations to keep the server running. Emulating current servers is more troublesome than bringing back old games that no longer exist.

More Grey Areas

Another grey zone is whether you are the one hosting the server or playing on it. While hosting may easily be illegal, playing on private servers is not. People doing it can still get in trouble, in any case.

There is a difference between official laws and license agreements that the user has with the gaming company and developer. Playing on private servers can infringe the contract you have entered into with the game developer.

Since copyright is usually concerned with distribution issues rather than private use, it is unlikely you will get fined. Still, if you want to support the game developer because you love the game and want to see more of it coming to life, you should play on the official servers instead. Not to mention connecting to a not official game server can expose your machine to cyber attacks. Most of these not official game servers do not have proper cybersecurity defenses.

The only reason and grey zone that would warrant playing on private servers is if the game’s developers abandoned it with no official server left.