One of last year’s biggest threats is rearing its ugly head again in the form of a WannaCry phishing email scam. Early on June 21st, many people in the UK received an email informing them that the sender had infected their system with WannaCry. The senders threatened to encrypt all the recipient’s data if they didn’t pay a ransom of 0.1 Bitcoin ($650). The thing is, they haven’t actually infected anything at all.
Cybersecurity is never easy, but maintaining a secure small business network is arguably even harder because the IT team has far fewer staff. Even high-stakes networks, such as those in hospitals or schools, are often managed by a single person. In situations like this, the biggest hurdle is time—you need to know exactly where to invest it and you have to work fast. Unfortunately, security infrastructure often can’t help you do either.
To detect a phishing scam, we typically examine hyperlinks for odd domains or subtle character changes (like a “1” in place of an “I”). But suppose a bad link looked completely normal, or perfectly mimicked one you often visit? The traditional detection methods no longer apply. This is possible with Unicode domain phishing attacks.
Users are the weakest link. How many times have you heard that? Better question: how many times have you said it yourself? We can deploy the most sophisticated technology and write the best policies, and it will all fall apart with a single click on a bad link. We’ve talked about it here, too—even I’ve written about how easily users succumb to social engineering attacks. But blaming users is just the easy thing to do. Introspection will go farther in solving the big problems.
Let’s consider a hypothetical scenario. An entity you know nothing about has the power to listen to everything you say, and you have no way of knowing when that power is active. But the entity tells you not to worry about it, because it doesn’t ever use the power. Are you okay with this?
Are your smartphone apps listening?
Sapna Maheshwari, writing for The New York Times, recently wrote about Alphonso, “a start-up that collects TV-viewing data for advertisers.” Its software uses a smartphone’s microphone to identify audio signals in TV ads and shows, thereby tracking what you’re watching. Sometimes it can also match the places you visit. This data then goes toward ad tracking and analysis.
More than 1,000 apps are thought to be listening via the Alphonso software, including 250 games on the Google Play store. Many of these games are for children.
Yes, it’s legal
Alphonso has stated that its software does not record human speech, and that the app descriptions and privacy policies clearly explain that users have to agree to let the software access the microphone and location data. These disclosures comply with Federal Trade Commission guidelines.
An in-app message does request permission to access the microphone. It states, “this app uses audio to detect TV ads and content and shows appropriate mobile ads.” But I wonder how many people press “OK” without reading. Why do some games refuse to let you play if you don’t grant access, even when the microphone is irrelevant to the gameplay? How often are children at the wheel when the app requests permission?
Is it enough for companies to be legally innocent? Isn’t it time to be more upfront about the things users might be uncomfortable with, like apps listening in? As Dave Morgan, the founder and chief executive of Simulmedia, says: “It’s not what’s legal. It is what’s not creepy.”
For further reading on smart devices and privacy, you may enjoy these blogs:
There are times when we adults would be better off thinking like toddlers. More specifically, I want us all to go back to the days when we asked incessant strings of questions until our tired parents got us to stop. “Why, why, why?” This mindset helps answer the question, “Why analyze network traffic?” The simplest response I can give is that network traffic analysis is akin to the rare tireless parent who answers everything you want and need to know.
Before you read this blog, stop and count every electronic device around you. I’m at my work desk; within a 1-meter radius, I have ten electronic devices. In a few years, if I replaced each item with freshly launched products, at least nine of those devices would contain IoT technology.
Did you know that ignorance is bliss? When I was in school, I didn’t think about cybersecurity at all, and had a devil-may-care approach to internet browsing. But since my first day at Plixer a few years ago, I’ve become much more aware of keeping my personal devices and information safe. As a result, I want to know every process that’s running on my computer and every host it’s connecting to.
Much advice about avoiding malware revolves around only clicking links from trusted sources. Unfortunately, it gets harder all the time to determine who and what is a trusted source. Malware is more insidious than ever. Below are some recent instances I’ve found where malware was tricky to spot, and in some cases nearly impossible to prevent.