One of last year’s biggest threats is rearing its ugly head again in the form of a WannaCry phishing email scam. Early on June 21st, many people in the UK received an email informing them that the sender had infected their system with WannaCry. The senders threatened to encrypt all the recipient’s data if they didn’t pay a ransom of 0.1 Bitcoin ($650). The thing is, they haven’t actually infected anything at all.
Author: Alienor
Alienor is a technical writer at Plixer. She especially enjoys writing about the latest infosec news and creating guides and tips that readers can use to keep their information safe. When she’s not writing, Alienor spends her time cooking Japanese cuisine, watching movies, and playing Monster Hunter.
Watch Out for GDPR Phishing Scams
The EU’s General Data Protection Regulation (GDPR) goes into effect starting today. Even if you don’t follow news related to data privacy, you’ve probably noticed that something’s going on. All month, organizations have been sending notifications of privacy policy updates and asking their subscribers to officially agree to continue receiving emails (including Plixer—look for that opt-in if you’re subscribed to our blog).
How to Maintain a Secure Small Business Network (Even When You Work Alone)
Cybersecurity is never easy, but maintaining a secure small business network is arguably even harder because the IT team has much fewer staff. Even high-stakes networks, such as in hospitals or schools, are often managed by a single person. In situations like this, the biggest hurdle is time—you need to know exactly where to invest it and you have to work fast. Unfortunately, security infrastructure often can’t help you do either.
Unicode Domain Phishing Attacks: Can You Spot the Difference?
To detect a phishing scam, we typically examine hyperlinks for odd domains or subtle character changes (like a “1” in place of an “I”). But suppose a bad link looked completely normal, or perfectly mimicked one you often visit? The traditional detection methods no longer apply. This is possible with Unicode domain phishing attacks.
“Users are the weakest link” is an excuse
Users are the weakest link. How many times have you heard that? Better question, how many times have you said it yourself? We can deploy the most sophisticated technology, write the best policies, and it will all fall apart with a single click on a bad link. We’ve talked about it here, too—even I’ve written about how easily users succumb to social engineering attacks. But blaming users is just the easy thing to do. Introspection will go farther in solving the big problems.
There Are A Thousand Apps Listening
Let’s consider a hypothetical scenario. An entity you know nothing about has the power to listen to everything you say, and you have no way of knowing when that power is active. But the entity tells you not to worry about it, because it doesn’t ever use the power. Are you okay with this?
Are your smartphone apps listening?
Sapna Maheshwari, writing for The New York Times, recently 
wrote about Alphonso, “a start-up that collects TV-viewing data for advertisers.” Its software uses a smartphone’s microphone to identify audio signals in TV ads and shows, thereby tracking what you’re watching. Sometimes it can also match the places you visit. This data then goes toward ad tracking and analysis.
There are thought to be over 1,000 apps listening using the Alphonso software, including 250 games on the Google Play store. Many of these games are for children.
Yes, it’s legal
Alphonso has stated that its software does not record human speech, and that the app descriptions and privacy policies clearly explain that users have to agree to let the software access the microphone and location data. These disclosures comply with Federal Trade Commission guidelines.
An in-app message does request permission to access the microphone. It states, “this app uses audio to detect TV ads and content and shows appropriate mobile ads.” But I wonder how many people press “OK” without reading? Why do some games prohibit you from playing if you don’t grant access, even if the microphone is irrelevant to the gameplay? How often are children at the wheel when the app requests permission?
The in-app message is certainly clearer about the software’s purpose than requests for access I’ve seen before. But it doesn’t (or doesn’t have room to) fully explain how and when the software is active. For example, you’d need to read the privacy policy to realize that the apps will listen even if running in the background. And speaking from personal experience using an iPhone, the way to close an app is not intuitive. Before I learned how, I could have apps running for days or weeks.
The privacy policy problem
The common advice, which I admit to giving as well, is to read the privacy policy. But according to a study from Carnegie Mellon, the median length of a privacy policy is 2,514 words—how many of those do you have time to read? We confront so many privacy policies, that it would take 25 round-the-clock days each year to fully read each one from each website visited. That’s 53.8 billion hours for the nation.
The Carnegie Mellon researchers also figured out a hypothetical nationwide cost for reading every privacy policy: $781 billion.
Is it enough for companies to be legally innocent? Isn’t it time to be more upfront about the things users might be uncomfortable with, like apps listening in? As Dave Morgan, the founder and chief of executive of Simulmedia, says: “It’s not what’s legal. It is what’s not creepy.”
For further reading on smart devices and privacy, you may enjoy these blogs:
Asking the Hard Questions: Why Analyze Network Traffic?
There are times when we adults would be better off thinking like toddlers. More specifically, I want us all to go back to the days where we asked incessant strings of questions before our tired parents got us to stop. “Why, why, why?” This mindset helps answer the question, “Why analyze network traffic?” The simplest response I can give is that network traffic analysis is akin to the rare tireless parent who answers everything you want and need to know.
IoT Security Trends & Challenges
Before you read this blog, stop and count every electronic device around you. I’m at my work desk; within a 1-meter radius, I have ten electronic devices. In a few years, if I replaced each item with freshly launched products, at least nine of those devices would contain IoT technology.
Why is My Computer Connecting to amazonaws.com?
Did you know that ignorance is bliss? When I was in school, I didn’t think about cybersecurity at all, and had a devil-may-care approach to internet browsing. But since my first day at Plixer a few years ago, I’ve become much more aware of keeping my personal devices and information safe. As a result, I want to know every process that’s running on my computer and every host it’s connecting to.
Protecting Yourself from Hidden Malware
Much advice about avoiding malware revolves around only clicking links from trusted sources. Unfortunately, it gets harder all the time to determine who and what is a trusted source. Malware is more insidious than ever. Below, I’ve found some recent instances where malware was tricky to spot, and even nearly impossible to prevent.
