Topic

Security

A collection of 76 issues
Latest — Jun 14, 2024

Cybersquatting, i.e., the registration of domain names similar to a trademark already owned by someone, has existed for about as long as the Internet itself. However, even today, many companies are new to encounters with individuals who want to make money from the similarity of domains.

To successfully combat cybersquatters, it's important to consider their possible interest before registering a domain name for your website. What should you think about and what actions should you take? We explain in this article.

What is cybersquatting?

A person who registers domains that are consistent with someone else's trademarks is called a cybersquatter. Their non-cybersquatter counterpart, the common squatter, occupies a vacant building and asserts rights to it.

The principle remains the same, while the object is the humble ‘Domain’. Is there a company or brand name, but the domain consonant with it is somehow free? Then it needs to be occupied, sat on comfortably, and held until the owner who needs this domain name pays a ransom for it.

Simply put, cybersquatting is a type of entrepreneurial activity. Its goal: to be the first to find a potentially needed domain, register it for a standard symbolic value, and then resell it at a much higher price.

Types of cybersquatting

With many people wanting to make money on your website's domain or another company’s web resource, several types of cybersquatting exist:

Typosquatting or counting on user error involves registering a name one letter different from the original. If there’s a website example.com, registering exemple.com means some visitors will land there due to the typo. By displaying ads before they realize their mistake, you can make money.

Branded cybersquatting or counting on fame. A company has registered the domain example.ru, but it didn’t use example.com or example.biz. These will be registered by a cybersquatter.

Unsuccessful cybersquatting. An entrepreneur wants to launch a new product and announces his plans on social networks without registering the domain. The cybersquatter will get there first and the entrepreneur will have to pay more for the domain.

Cybersquatting with a trademark, which by law is worth more than the registered domain name. A site without a registered trademark finds a cybersquatter, who registers the TM for himself and, voilà, can now legally take away the domain through the court.

Drop domain cybersquatting involves domains not renewed in time by the rightful holder. Such a domain falls into a special section of the registrar's site, where the most promising quickly pass into the hands of entrepreneurs. When the owner remembers that the domain has not been renewed, it already belongs to another person.

Another phenomenon often confused with cybersquatting is called domaining. In this case, entrepreneurs use popular words in various industries without claiming a specific unique domain name. This is done expecting that someone wanting to create a new site will buy a favorable and easy-to-promote domain at a higher price.

For domains, words like business, photo, market, shop, and others are often used in various combinations. They also often take the surnames of famous people and names of settlements. The domain ivanivanov.ru could interest an entrepreneur with this name. Cityname.com with the name of a particular city is suitable for the site of its administrative structures or tourist portal.

How cybersquatters choose domains

Registering hundreds and thousands of unique domains with all kinds of typos and similar names is expensive. To keep his business afloat, it's important for a cybersquatter to choose successful combinations. To do this, entrepreneurs specializing in the resale of domain names often:

• Monitor situations in companies. For example, rumors of a merger between companies A and B. Therefore, a name containing fragments of each of their names is likely needed. Cybersquatters can register these before employees of the new large organization.

• Look for companies that already exist but don't have their own website yet. For example, those finding customers through social networks and other marketing channels. Domains consonant with their names are also bought for the future.

• Check the registration of a trademark on the company's domain name. The scheme of taking the domain from the owner is not always possible, but it still works.

Cybersquatting is real

Companies often believe those wanting to register a domain and resell it more favorably exist in a parallel universe. However, companies all over the world regularly encounter them.

Not all disputes over a domain arise for personal gain and fit the definition of cybersquatting. Sometimes the reason is the consonance in the names of two companies. For example, in 2014, the recruitment portal HeadHunter sued the Russia-based company HH&HR over the use of the domain hh-hr.ru. The court sided with the portal and ruled to seize the domain name in its favor. At that time, HeadHunter had no intention of using the domain name for commercial purposes.

But in 2017, Google sued Vitaly Popov over a case more akin to cybersquatting. The domain secret.ɢoogle.com was used to send messages saying "Vote for Trump" during the US election. The name differed from Google by just one letter. It started with an uppercase but small Latin "G", i.e., "ɢ", which in Unicode is denoted by the symbol 0262.

The battle between Italian clothing brand Lotto Sports Italy and Canadian David Dent for the domains LottoStore.com and LottoWorks.com ended with the latter winning. However, it was an epic two-part duel. The Canadian resident bought the two domains and planned to create gaming-themed websites. The clothing brand sued Dent and initially won. The court ordered the transfer of the domain names to the company. The Canadian appealed, and Lotto Sports Italy was eventually found guilty of reverse domain seizure. The company paid $237,000.

Cybersquatters and the law

No matter how dubious the activity of some squatters may seem, it doesn't negate the fact: cybersquatting is entirely within the legal field. It's not illegal to register domains and trademark names.

Yet the world is trying to combat cybersquatters. The main arbiter of domain disputes is the WIPO (World Intellectual Property Organisation), which unites 157 member countries. It has developed the UDRP — Uniform Domain Dispute Resolution Policy.

There are two ways for companies and brands that have faced domain name seizure: pay the amount demanded by the cybersquatter or go to court, where it's necessary to provide justification for their claims to the domain. For those slow to act, there's a third option: wait. If the domain name is rare and doesn't cause other market participants particular interest, the cybersquatter might eventually reduce the price. However, this is a path with unpredictable results.

Summing up: how to fight cybersquatting

It's important not only to know what cybersquatting is but also to think in advance about how to protect yourself from this phenomenon. A few simple rules will help:

• Check for a domain that matches the name of the company or brand before finalizing the name. Using an original, "off-the-beaten-path" name reduces the risk of domain disputes due to conflicts of interest.

• Don't publicize the brand or company name before the domain name is officially registered. Cybersquatters don't sleep! — Don't limit yourself to one domain when registering. It's better to choose several similar ones in different popular domain zones. This reduces the risk of someone creating dubious content on a similar domain.

• Register a trademark on the selected domain name immediately. This isn't a panacea, but in most domain disputes, its presence becomes a decisive argument for the court.

• Make timely payments for domain renewal to avoid dealing with squatters who quickly re-register drop domains to themselves.

If you can do all of this — it’s safe to say that you’ll be safe from the squatters!

Your domain is my domain: how to protect yourself from cybersquatting

May 28, 2024 — 3 min read

A simple file or photograph shared with a colleague might encompass data that the sender didn't plan to divulge. For instance, a snapshot of a cat, besides the visible content, might inform the recipient about the location and time it was captured, and even the gadget utilized.

This holds true for social media platforms — an image uploaded online harbors details that might not only jeopardize the user but also disclose, perhaps, their whereabouts. Moreover, e-commerce transactions and various online actions create such digital traces. However, not everyone is acquainted with the concept of file metadata at present.

In this piece, we will elucidate the potential hazards of file metadata, ways to safeguard it, and how to individually eliminate undesired data embedded in transmitted images and other files.

The dangers of metadata

All our online activities — sharing images, and files, posting articles, curating music playlists, shopping, and so forth — create so-called digital traces besides the conveyed information. These are generated mainly due to metadata. Frequently, this reality is overlooked by the general populace, escalating the risk of unauthorized activities.

By analyzing, say, images on social platforms, a malefactor can deduce a victim's regular routes, favorite spots, and preferences. Utilizing this data, they might orchestrate a phishing scheme or employ social engineering tactics.

It's vital to note that corporations are equally, if not more, vulnerable compared to individual users when metadata falls into the wrong hands. Metadata can often assist criminals in decoding pilfered data. Hence, without comprehending the file's content and its potential use, cyber criminals resort to metadata, facilitating a quicker comprehension and monetization of the stolen assets. Alternatively, they might exploit metadata to ascertain the software utilized by a firm and plan a more targeted assault.

Metadata is generated automatically, without user intervention. Typically, it encompasses details about the creation time and place, attributes, author's remarks (if added to the file), and information about the software version used during creation. This data is quite personal and sensitive, given that in certain scenarios, metadata can narrate the history of file transfers and modifications.

The purpose of metadata

Primarily, metadata facilitates license restriction implementation and author identification. Furthermore, it aids websites and apps in organizing and recognizing content. And, for telecom operators, it helps in monitoring user engagement on specific platforms.

Any targeted marketing, audience segmentation based on preferences, location, habits, and professional sphere, stems from analyzing user metadata, or more precisely, the digital imprints left on social platforms and the broader internet. Metadata enables marketers to discern not only your smartphone model but also alarmingly accurate search queries.

Securing and erasing metadata 

Metadata is safeguarded similarly to conventional data, particularly concerning organizations rather than individual users. For the layman, the optimal approach is to erase metadata prior to file transmission to prevent the dissemination of unnecessary data and avoid leaving digital traces.

On an iPhone, it's straightforward to remove photo metadata:
• Launch the Photos application and choose the image you wish to strip of metadata
• Tap the "Share" symbol at the lower right corner and opt for the "Do not retain metadata" feature
• Press the "Done" button

To view a file's metadata on Android, Google Photos needs to be downloaded, and for deletion, a third-party application is required. Numerous choices are available in the store; it's advisable to scrutinize the description and additional features while selecting.

Additional tools and tips

Also, websites offering metadata removal services are excellent tools where you can effortlessly upload files prior to sending them, without the necessity to download anything or alter device settings. It should be noted that free versions impose file size restrictions, generally up to 5MB.

As per experts, the supreme strategy for metadata protection is to eliminate any metadata that might disclose sensitive details before dispatching a document anywhere. Moreover, if required, app software can be pre-configured to prevent metadata storage in documents altogether.

In the context of work-related files, metadata can be discarded when sharing them externally, but internally and when collaborating with contractors, metadata serves as a crucial component. Metadata functions as a historical record, aiding in understanding the preceding data, especially if older datasets are preserved.

Sensitive EXIF data encapsulates vital technical specifics about an image. It can reveal the camera or phone's brand and model, the creation time, and even the camera and flash configurations.

This data can be effortlessly deleted in Windows via Explorer. You need to launch it, navigate to the desired image, right-click on it, and choose "Properties," followed by the "Details" tab, where properties and personal information can be easily removed.

Conclusion

You can remove metadata using applications, online utilities, fundamental device configurations, and settings during transmission. However, remember that metadata can be beneficial, particularly concerning work-related matters. For instance, metadata can assist in identifying the software and editor used to create a file, its initial title, and creation date. This might facilitate file conversion or its utilization in a new system. Moreover, even a regular user might need to recall the time and place of file creation or image capture.

But it's essential to remember that if metadata isn't safeguarded, the same details can be accessed by an adversary and used against you. For instance, knowledge about the software version and other device specifics can be highly valuable for cyber criminals when choosing tools for.

Metadata 101

May 13, 2024 — 3 min read

2023 was characterized by an evolving array of cyber threats and a significantly broadened spectrum of digital vulnerabilities, pushing organizations to reassess and strengthen their cybersecurity infrastructures. Despite a widespread yearning for a break from the relentless tide of phishing, ransomware, and credential stuffing incidents, cybercriminals are gearing up to use their proven strategies from this period to orchestrate even more intricate and damaging campaigns in 2024. It’s become increasingly imperative for those in the cybersecurity realm to forecast and brace for the predominant challenges and trends that will define the cybersecurity landscape in 2024.

The following are key prognostications intended to serve as vital strategic insights for IT and cybersecurity professionals, aiding them in effectively prioritizing their efforts to navigate and mitigate the rapidly evolving threat landscape

Compromised credentials

The ongoing reliance on traditional usernames and passwords for access control and authentication has perpetuated the issue of compromised credentials. This has been a consistent weak spot, often exploited in cyberattacks. Detailed analyses of data breaches repeatedly pinpoint compromised credentials as a principal attack vector. Intriguingly, a study by the Identity Defined Security Alliance (IDSA) highlights that identity-related cyberattacks are both widespread (with 94% of respondents experiencing such attacks) and largely preventable (with a 99% prevention rate). Despite these alarming statistics, a significant number of organizations remain underprepared, lacking crucial identity-related security measures. This is particularly concerning given the rise of non-human identities stemming from digital transformations, such as in DevOps, cloud computing, and IoT (Internet of Things). Therefore, the expectation for 2024 is a continued emphasis on enhancing identity security, with organizations encouraged to intensify their implementation of Zero Trust models and decrease their dependency on traditional password-based systems.

Ransomware

Ransomware has proven to be a lucrative venture for cybercriminals, who exploit vulnerabilities within organizations to execute devastating attacks. Examples of these include high-profile breaches involving entities like the Kansas Court System, Yamaha Motors, and Western Digital. The emergence of Ransomware-as-a-Service has simplified the process of launching such attacks. Over the past year, ransomware tactics have evolved into complex extortion schemes, involving not just data encryption but also data exfiltration and threats of public disclosure if ransoms aren't paid. This trend was exemplified by the Alphv/BlackCat ransomware group's SEC complaint against MeridianLink. With new SEC disclosure regulations mandating prompt reporting of major cybersecurity incidents, such tactics are expected to gain even more traction. Therefore, enterprises are advised to enhance their ransomware preparedness, with a specific focus on the recovery of endpoints and essential infrastructure like Active Directory.

Hacktivism amidst global conflicts

The intersection of global conflicts and the upcoming 2024 Presidential elections in the United States is expected to create a fertile environment for hacktivism. Hacktivists, often self-identified as defenders of free speech, may seek to disrupt the controlled flow of information during times of conflict or elections by exposing sensitive data or initiating cyberattacks. This could lead to a blurring of lines between state-sponsored hacking and independent hacktivist activities. The role of hacktivists in influencing public opinion through various cyber operations, including the potential use of deepfake technologies, is expected to be significant in 2024.

Vulnerability management 

In response to the increasing exploitation of zero-day vulnerabilities by cyber adversaries, the White House's National Cybersecurity Strategy, released in March 2023, has redirected focus towards organizations' responsibility to secure their software. This strategy underscores the importance of comprehensive vulnerability management, which involves identifying, assessing, prioritizing, and mitigating security vulnerabilities. This increased emphasis on liability for independent software vendors is anticipated to drive technological advancements in vulnerability management tools and bring renewed attention to this critical aspect of cybersecurity.

Transformation in security awareness training

The realm of security awareness training is poised for a significant transformation in 2024. With the widespread adoption of generative artificial intelligence in the sphere of cyber threats, traditional training methods are becoming obsolete. Future training programs are expected to integrate continuous breach and attack simulations (BAS) to test and enhance the effectiveness of user-focused controls. These programs will also likely focus on equipping software developers with secure coding practices to preemptively address vulnerabilities.

Conclusion

In summary, the year 2024 emphasizes the crucial need for a delicate balance between robust cybersecurity measures and the resilience to adapt to cyber threats. As IT and security professionals prepare for the challenges ahead, prioritizing the continuous visibility, protection, and management of the entire digital attack surface is paramount. Protecting mission-critical assets and developing the capability to anticipate, withstand, recover from, and adapt to various cyberattacks will remain at the forefront of effective organizational cybersecurity strategies.

Five cybersecurity predictions for 2024

May 5, 2024 — 5 min read

Of course, losing access to your Google or Gmail account is going to be upsetting. If you've forgotten your password, or if someone has hacked into your account and changed it, Google provides a list of actions that you may take to regain access to your account. Indeed, they may come in handy at times, but the methods of password recovery for Google accounts tend to change from time to time and relying on them as a fallback is never a good idea.

Not only have we provided all the necessary links in the “Password recovery” section down below for those who have lost access to certain accounts, but we’ll today be focusing on what can be done to ensure you never lose access to your account again. Here are some things to consider:

Regularly backup your data

If you have a current backup of your data, it will be less of a blow if you ever lose access to your account. Takeout is the name Google has given to the feature that allows you to download your data. You may download all of the data from all of your Google applications, or just part of the data from some of them. You might even decide to download the data from a single app, such as Gmail, from your Google account.

For each sort of data, the download formats are different. For example, MBOX files may be imported to Gmail or most other email services and applications.

Keep your old passwords

Keep a copy of your old passwords in case you forget your current one. Google uses this method to verify your identity if you ever lose your password. In the event that you haven't updated your password in a while, you may not be able to recall your old password. It's a good idea to maintain a copy of your previous Google passwords in a secure place when you change your password.

When using a password manager such as Passwork, you can keep track of your previous passwords. Because of that, we strongly recommend using one. When you establish a new password on an app or website, most password managers only allow you to update the current entry; however, with a password manager, you may create a new password and then go back and change the name of the old one to something like "Gmail — old password". By the way, this is also a problem with Apple Keychain — when you change your password, it asks whether you would like to update your old password. You’ll obviously press “Update”, and bam, your previous password is lost in the void. So keep an eye on that.

Why is this important? Well, as we’ve hinted at, Google asks you to enter the previous password in some cases as a fallback plan.

Fill in the recovery info

Google provides you with many ways to recover your password:

  1. Go to your Google account and choose "Security" from the left-hand column
  2. Scroll all the way down to "Ways that we can verify that it’s you"
  3. Fill them in
  4. PROFIT

Now, Google will use those options to recover your password when needed, or just to verify it’s you when weird login behaviour is detected. Among all the options, the ‘Recovery phone’ is the most convenient one — trust me, you’ll forget that ‘Security Question’ in just a few days. ‘Recovery email’, to be honest, isn't secure enough — we, Earthlings, tend to use weak passwords, so your account might be compromised if a hacker manages to guess your ‘NicknameDateOFBirth’ password.

Remember the day you registered

If everything else fails, Google may ask you to provide an estimated date of when you created the account. The best way to get this date is by searching for a Gmail welcome email.

To locate the welcome email, go to the ‘All Mail’ folder on your computer (to see it, you may need to click ‘More’ to expand the folders). You may also hover your cursor over the page information in the upper right-hand corner and choose ‘Oldest’.

This will move the email you received first to the top of the list. If, on the other hand, you imported non-Gmail emails into your inbox from before 2004, the welcome email will not appear at the top of the inbox hierarchy. Also, if you haven’t imported all of your emails, you’ll encounter some problems.

The email may also be found by searching for "welcome," "Gmail team," "gmail-noreply@google.com," or "googlecommunityteam-noreply@google.com," among other similar words and phrases.

However, when I personally tried it, I couldn't find it. This is because I delete all the mail on my account once a year. For people like myself, there’s a weird hack — your POP settings might show the date on which you created your Gmail account.
To access them, click the gear icon in the top right-hand corner, select See all settings, then click Forwarding and POP/IMAP.

Look for the Status line in the POP download section. If you're fortunate, you'll come upon the following information:

Status: POP is enabled for all mail that has arrived since [Here is your date]”

Important:

If you’ve ever changed your POP settings, the date on which you created your Gmail account won’t be shown.

Password recovery

There’s only one place where you can recover your password — it’s this “Google Recovery” page. Everything else is likely phishing scams. The only other alternative option, in case of an adversary like losing your password, is the “Can’t sign into your Google Account” page.

Basically, you should follow the instructions on screen and pray to Google's mothership that hope shall be restored.

If your prayers haven’t been heard, and all pages cycle through a loop with a “Please try again” message, visit the “Tips to complete account recovery steps” page — it helped me several times to understand exactly what Google wants from me.

The last page you can visit, if everything else fails, is “Create a replacement Google Account”.

Conclusion

If you have important data stored on any cloud: Gmail, Google Drive, Docs, etc. — back them up using offline storage. Use two-factor authentication to always keep your mobile phone as a recovery option. Keep hold of your password change history and remember the date you registered your account.

I forgot my GMail password!

Feb 10, 2024 — 4 min read

Are you having trouble remembering your passwords or accessing your account? Perhaps you’re stressing out that you may have been hacked? Well, in any case, restoring your Facebook account utilising reliable Facebook account recovery solutions shall be covered by this article, so buckle up!

In order to regain access to your Facebook account, you can use one of several automated methods. Many are based on the information you provided when you set up your account, which isn’t helpful if you can’t remember the most important piece of information you provided when you set up the account — your password. Also, some information will be out of date, like your recovery phone number or your active email address.

And even if all methods listed below fail, we’ve got an alternative for you right at the very bottom of the article.

Firstly, make sure that you aren't still logged into Facebook somewhere else!

Android and iOS Facebook apps, as well as mobile browsers may all be used to access the site, so you might be logged in on them.

If you are logged in, you can ‘recover’ your account by simply changing the password, and it can be done without a confirmation reset code!

But if you are not logged into Facebook on other devices or browsers — try Facebook's Default Account Recovery Methods.

If at all feasible, log into your Facebook account using the same internet connection and computer or phone that you've used on a regular basis in the past. If Facebook detects your network and device, you may be able to reset your password without having to provide any extra information to Facebook. But first and foremost, you must authenticate your account.

Find and recover your account by providing contact information

The best option is to directly go to the Facebook Recovery Page.

To sign in, enter an email address or phone number that you previously associated with your Facebook profile. When looking for a phone number, test it both with and without your country code, for example, 1, +1, or 001 for the United States; all three variants should work just fine. Even if it doesn't explicitly say so, you may use your Facebook credentials to log in — instead of your mobile number or email.

Your profile will be summarised once you have successfully identified your account, as seen in the screenshot below. Please double-check that this is indeed your account and that you still have access to the email address or phone number mentioned before proceeding. The option of choosing between email or phone recovery may still be available to you.

If everything appears to be in order with the contact information that Facebook has on file for you, though, click Continue. A security code will be sent to you by Facebook.

Retrieve the code from your email or phone (depending on whatever method you used), input it, and rejoice in the knowledge that you have regained access to your Facebook profile.

At this point, you have the option of creating a new password, which we highly advise you to do.

If you don't receive the code via email, check your spam folder, or make sure you can receive text messages from unknown senders if the code doesn't arrive to your mobile.

If you are still unable to receive the code, choose Didn't get a code? from the drop-down menu. You can return to the previous screen by clicking the X in the bottom-left corner of the Enter Security Code box.

Maybe you'll get lucky and discover that you don't, in fact, have access to the account at all!

Log back into your Facebook account

You should immediately reset your password and update your contact information if you have regained access to your Facebook account after a suspected hijacking.

To keep your Facebook account safe, follow two simple rules. Don't forget to get rid of any email addresses or phone numbers that you no longer have access to. Also, enable two-factor authentication on all of your social media accounts in order to prevent a loss of access in the future.

Don’t forget, the Facebook Help Community is a great place to find answers to your issues.

If all else fails, creating a new Facebook profile might not be as bad as you think

Over the past few years, we've received a large number of letters from users who were unable to regain access to their Facebook accounts, despite following each and every one of the instructions listed above.

Typically, their contact information was out of date, the recovery codes offered by Facebook were ineffective, or the corporation never responded to their request for identification verification. And at that point, you’re pretty much out of options.

You have to accept the fact that you must move on. Even though it's painful, you must learn from your mistakes and register a new user account.

Always include legitimate contact details, don’t forget to up the security on your Facebook account, and completely re-create your profile from the ground up. Despite the inconvenience, it’s a better option than doing nothing. Not to mention, you won’t have any of those embarrassing old photos, and you can only add people as friends that really matter to you now.

How to recover your Facebook account

Dec 18, 2023 — 3 min read

Over the past decade, data has transitioned from mere information to a precious asset. Numerous enterprises thrive on data, while others crumble with its loss. Customer personal information, analytics, financial transaction records and more hold monetary value. Yes, there's an abundance of informational "clutter" around, but even amid hard-to-spot data, a skilled cybercriminal can discover a gold mine. 

The acceleration of information technology is rapid, with fresh information emerging and being processed every moment. Often, companies simply lack the time to sift the "wheat" from the "chaff" and, as a result, release sensitive data, like customers' home addresses for delivery, into the open. 

Most firms have mastered data collection, some have ventured into processing it, and a fewer number into analyzing it, but not all have grasped how to safeguard it. In this article, we’ll explore what qualifies as sensitive data, how to shield it, and the primary blunders made while handling sensitive data.

What sets apart ordinary data from sensitive data? 

With the trend of data accumulation in the market, corporations have embraced it wholeheartedly. This opens up numerous avenues for growth, business broadening and optimization, and introducing new offerings to the market. For instance, by scrutinizing customer conduct, you can present them with the products they need at the opportune moment. Or, simply, knowing customers' birthdays, send a discount coupon as a present, encouraging a new purchase. The possibilities are myriad, and they stem from entirely diverse data types. That's why enterprises amass data even before understanding its use. It's for the just-in-case scenario. 

Similarly, it's not always feasible to instantly determine the significance of data and the extent of protection required. Some opt for overcaution, storing data securely from the outset, while others leave it in public view, thus risking it. The sensitivity of data can be gauged by asking — what’s the fallout if it’s pilfered? 

Two outcomes exist. Nothing occurs — the data isn't sensitive. The offender, directly or indirectly, could inflict harm on the business or customers. For instance, by pilfering personal data, like full names and phone numbers, and releasing them online, the company’s reputation takes a hit. Or, by stealing an individual’s data — their address, purchasing tendencies, and, say, date of birth, orchestrate a social engineering assault.

Sensitive data encompasses information that could potentially jeopardize its possessor. For regular folks, it’s mainly personal and financial data, medical details, relationship data, personal visuals, and data on preferences. For companies, it includes internal business records, customer and employee databases, confidential documents, market evaluations, and the like. 

Recognizing sensitive data 

The theft or exposure of sensitive data undermines a company's customer privacy, triggers financial setbacks, and could even threaten an organization’s security. Hence, distinguishing sensitive personal data from common data is crucial. This involves carrying out a data classification and risk assessment. 

This could encompass evaluating potential damage in case of a data breach, as well as examining legal mandates for specific data types. Primarily, anything related to sensitive information and personal data should be guarded. However, the task of identifying data types doesn’t conclude here. For instance, trade secrets can be shielded under 21 orders or at your discretion, but personal data must be classified and shielded by law. Information security experts opine that to pinpoint sensitive company data, the IS division, along with representatives from various sectors — accounting, legal, HR, and marketing — should formulate guidelines to identify sensitive information. The primary focus here would be potential financial or reputational harm from information leakage. Yet, the potential threat indicator of a data breach may not always be objective. Numerous cyber incidents involving social engineering demonstrate that even seemingly harmless data about a person can be utilized to perpetrate a crime.

Key blunders in handling sensitive data 

Both enterprises and users can be culpable for sensitive data leakage. On the corporate side, the usual culprit is a basic disregard for information security norms. For instance, unprotected corporate networks, operating on outdated operating systems, or absence of antivirus protection. On the user side — unawareness of cyber hygiene norms and a lack of understanding of what data might be sensitive. Common errors enabling sensitive data leakage: 

• Inadequate password and account safeguards
• Lack of data categorization within the firm
• Improperly set up security systems
• Absence of data encryption
• Employees are untrained in cyber hygiene 

Moreover, information is often undervalued by both corporations and individuals. For instance, a person may deem their passport information crucial but be indifferent about sharing their health information on social networks. Like any other domain of information security, elementary measures are paramount. For example, remembering updates, prompt training of staff in cyber hygiene, and employing protective software.

Conclusion 

The subject of sensitive data is steadily gaining traction, as only in recent times have assailants learnt to actively exploit personal or corporate data to commit offenses. For larger and more technologically advanced companies, the issue is being addressed at a more sophisticated level, as they have not only learnt how to analyze and segment data but also how to defend it. However, there's another facet to consider - the company service users themselves. They may possess minimal awareness of the worth of their personal data and trigger leaks.

Sensitive information: distinguishing the crucial from the commonplace

Dec 12, 2023 — 4 min read

Prominent enterprises have endured substantial setbacks due to security breaches within their mobile applications, underscoring the criticality of app security that is often overshadowed by server-side concerns. Contrary to popular belief, mobile apps are not mere interfaces for server data; their vulnerabilities can inflict extensive damage, not limited to a single user but potentially devastating to the business at large. This article aims to elucidate this often-overlooked risk by showcasing notable instances where mobile app vulnerabilities have led to significant financial and reputational harm.

TikTok's multi-faceted security dilemmas 

The year 2020 was marked by significant scrutiny directed at TikTok, a widely used social platform. The app was caught accessing clipboard data on Apple devices without user authorization, a clear invasion of privacy that could potentially lead to the exposure of sensitive personal and professional information. The same period saw the emergence of other security loopholes that provided attackers with the capability to compromise accounts, exfiltrate personal data, or circulate harmful content. The situation was further aggravated by concerns over TikTok's alleged ties to foreign government entities. The controversy was so severe that it led to the app's prohibition in several regions and culminated in a class-action lawsuit that cost the company $92 million in settlements. This series of events underscored the imperative for app developers to meticulously govern data collection practices to safeguard user privacy.

Strava's global heatmap incident 

The fitness-oriented app Strava faced its own share of controversy in 2018 when it released a global heatmap of user fitness activities. What might have been a novel idea turned sour when it inadvertently compromised the safety of military personnel by revealing their movements and even the locations of military facilities. Although Strava claimed that the map was anonymous, resourceful individuals managed to de-anonymize the data, proving that even data represented as anonymous can be reconstructed to reveal identities. This incident sparked a global debate on the security ramifications of sharing fitness tracking data through apps and the potential threats it could pose to individuals and national security.

Starbucks' mobile app compromise

In 2015, Starbucks, the global coffeehouse chain, confronted a serious breach when its mobile app fell victim to an attack. Due to inadequate authentication processes, cybercriminals managed to hijack customer accounts. This security oversight led to unauthorized access to payment details and illegal transactions, leaving customers financially vulnerable and causing a major dent in Starbucks’ corporate image.

WhatsApp and a spate of security breaches

WhatsApp, one of the most popular messaging apps worldwide, wasn't immune to security flaws. In 2019, a vulnerability was exploited to install Pegasus spyware on users' devices, leading to a significant breach of confidential information, including personal messages and call logs. Another flaw, known as "Media File Jacking," was identified, affecting both Android and iOS users. This particular vulnerability allowed cybercriminals to alter media files, replacing them with inappropriate or harmful content. A notably critical issue emerged in 2021, involving WhatsApp's group chat feature, which inadvertently exposed users to phishing and other social engineering attacks due to flawed invitation controls. These incidents collectively contributed to a substantial erosion of trust among WhatsApp users.

Clubhouse's privacy controversy 

Clubhouse, the audio-based social network that gained rapid popularity, faced serious backlash when a significant vulnerability was discovered. The flaw allowed malicious actors to secretly record and broadcast live audio conversations, a blatant violation of user privacy. Furthermore, the transmission of user IDs in plain text made it possible to de-anonymize conversations, adding fuel to the growing privacy concerns. The repercussions included a severe reputational hit and heightened skepticism about the security protocols of emerging social media apps.

Signal's unexpected security flaw 

Signal, an app that prides itself on security, encountered a surprising setback when a vulnerability was discovered, allowing for PIN brute-force attacks. This revelation was particularly alarming given the app's reputation for robust security, and it inevitably affected its perceived reliability.

Zoom's security and privacy scandals 

Zoom, a leader in video conferencing, faced multiple issues in 2020. A vulnerability was exploited by uninvited individuals to intrude on private meetings, leading to the infamous "Zoom-bombing" incidents. Furthermore, misleading claims about the app's encryption standards led to public uproar when it was revealed that Zoom had the technical capability to access private conversations. This forced the company to revamp its encryption system on a tight schedule, incurring considerable costs.

Snapchat's ongoing security struggles 

Snapchat, popular among younger demographics, has had its fair share of security woes. Various vulnerabilities allowed for account breaches and even real-time location tracking, posing a severe threat to user safety and privacy. These issues resulted in negative publicity and declining user engagement.

Uber and Airbnb's security breaches 

Both Uber and Airbnb have experienced security breaches that enabled attackers to take over user accounts. These incidents, involving unauthorized rides and bookings, underlined the critical importance of robust authentication mechanisms and the potential financial and reputational damages stemming from such breaches.

Fortnite’s gaming data breach 

Fortnite, a gaming sensation, hasn’t been spared from security flaws. Vulnerabilities discovered allowed attackers to hijack accounts, make unauthorized in-game purchases, and access sensitive personal data. These incidents brought to light the risks associated with online gaming platforms and the need for enhanced security measures, particularly given the young age demographic of many users.

Conclusion 

In summary, it's evident that mobile app vulnerabilities are a widespread issue, often underreported or overlooked by the general populace. Users must recognize the gravity of the personal and sensitive information stored within their devices and the apps they use. It's prudent to avoid reusing passwords, to be wary of suspicious apps, and to exercise caution when sharing information online. In an era where digital threats are increasingly sophisticated, vigilance is our first line of defense.

Unveiling the giants: corporations whose flawed apps inflicted business catastrophes

Dec 11, 2023 — 3 min read

In 2024, the digital finance landscape is increasingly challenged by sophisticated forms of fraud, particularly carding. This type of credit card fraud, involving the unauthorized use of stolen card information, poses significant risks to both individuals and financial institutions. This comprehensive exploration delves into the mechanisms of carding, its evolutionary trajectory in the realm of financial fraud, and the multi-faceted strategies being employed to protect bank accounts in this digitally-dominated era.

Understanding carding

Carding is a complex process initiated by the illicit acquisition of credit card information. This can occur through various methods: 

• Sophisticated hacking operations that breach financial databases
• Phishing schemes designed to deceive individuals into divulging their details
• Large-scale data breaches at major retailers or financial institutions

Once fraudsters acquire this data, they test it to verify its legitimacy and then use or sell it for unauthorized transactions, often leveraging the anonymity of the dark web. The speed and stealth with which carding operations are conducted make them a particularly pernicious and challenging form of financial fraud to counteract.

The evolution of financial fraud

Financial fraud has undergone a significant transformation over the years. Initially, fraudsters employed physical methods like skimming devices on ATMs. However, the digital revolution brought about more complex and less detectable methods, including malware that captures sensitive information and sophisticated phishing operations. These digital methods necessitate equally advanced countermeasures in security and consumer awareness.

Regulatory bodies have escalated their efforts in enforcing data security standards. Financial institutions are now mandated to comply with rigorous data protection regulations, including conducting regular security audits and adhering to cybersecurity best practices. These regulations are crucial in ensuring a baseline of security across the financial sector.

Protecting bank accounts in 2024

Enhanced authentication

In response to these threats, banks have significantly enhanced their security measures. The integration of biometric verification methods, such as fingerprint and facial recognition technologies, has introduced a personalized layer of security challenging for fraudsters to replicate. Additionally, two-factor authentication (2FA), combining knowledge-based (passwords) and possession-based (a mobile device for OTPs) elements, has become a standard security practice, drastically reducing unauthorized account access.

Advanced encryption

Encryption is a cornerstone in securing data transmission. Modern banking involves sophisticated encryption protocols that cloak data during transmission, making it virtually impenetrable to interception and misuse. This ensures that even if data is captured by unauthorized entities, it remains secure and indecipherable.

AI and machine learning

The adoption of artificial intelligence and machine learning has been a game-changer in detecting and preventing fraud. These technologies analyze extensive transaction data, identifying anomalous patterns indicative of fraudulent activity. By quickly flagging these irregularities, banks can proactively address potential fraud, often before customers are aware of any risk.

Secure banking applications

The development of secure banking applications has been a focus for financial institutions. These applications come equipped with features like automatic logout after periods of inactivity, fraud alert systems, and encrypted communication channels for reporting suspicious activities. Such features empower customers to safely manage their accounts and contribute to the overall security framework.

Consumer education

Consumers are essential in safeguarding their financial information. Vigilant monitoring of account activities, cautious sharing of personal information, and using secure networks for online banking are fundamental preventive measures. Prompt reporting of any anomalies or suspicious activities to their banks is also vital in preventing the escalation of potential fraud.

Educating these consumers is pivotal in the fight against financial fraud. Banks are actively investing in campaigns to heighten awareness about safe online practices, such as recognizing phishing attempts, using secure networks for financial transactions, and the criticality of promptly reporting unusual account activities.

Conclusion

Given the dynamic nature of financial security, continuous collaboration across sectors is imperative. Financial institutions, technology companies, and law enforcement agencies must maintain open channels of communication and strategy sharing. Ongoing innovation in security technologies and consistent consumer education are critical in staying ahead of evolving threats.

As we proceed through 2024, the safeguarding of bank accounts from threats like carding requires an integrated approach. This strategy involves leveraging cutting-edge technology, enforcing strict regulatory measures, cultivating informed consumer habits, and maintaining constant vigilance. By comprehending the complexities of financial fraud and adopting comprehensive, proactive security measures, we can aim for a more secure financial environment for all participants.

Navigating financial security: carding and bank account protection in 2024

Nov 10, 2023 — 4 min read

In the current digital landscape, where we frequently engage in conversations without visual context, our reliance on audio cues to verify the identity of our conversational partners has intensified. Our brains have developed an astonishing ability to discern and recognize the intricate details in someone’s voice, akin to an auditory signature that is unique to each individual. These vocal signatures, composed of elements such as pitch, pace, timbre, and tone, are so distinctive that we can often identify a familiar voice with just a few spoken words. This remarkable auditory acuity serves us well, but it is under threat by the advent of advanced technologies capable of simulating human voices with high accuracy—voice deep fakes.

What are deep fakes? 

The term 'deepfake' has quickly become synonymous with the darker potential of AI. It signifies a new era where artificial intelligence can manipulate reality with precision. Early deepfakes had their tells, but as the technology has progressed, the fakes have become almost indistinguishable from the real thing. 

The entertainment industry's experimentation with deep fakes, such as the lifelike replicas of celebrities in a TV show, serves as a double-edged sword. It showcases the potential for creative innovation but also hints at the perils of AI in the wrong hands, where the distinction between truth and fiction becomes perilously thin.

The creation of voice deep fakes is rooted in complex AI systems, particularly autoencoders, which can capture and replicate the subtleties of human speech. These systems don't just clone voices; they analyze and reproduce the emotional inflections and specific intonations that make each voice unique.

The implications are vast and varied, from actors giving performances in multiple languages without losing their signature vocal emotion, to hyper-personalized virtual assistants. Yet, the same technology also opens avenues for convincing frauds, making it harder to trust the unseen speaker.

The dangers of convincing voice deep fakes

Crafting a voice deepface is a sophisticated endeavor. It involves a series of complex steps, starting with the collection of voice data to feed into AI models. Open-source platforms have democratized access to this technology, but creating a voice deep fake that can pass for the real thing involves not just the right software but also an expert understanding of sound engineering, language nuances, and the intricate details that make each voice distinctive. This process is not for the faint-hearted; it is a meticulous blend of science and art.

The misuse of deepfake technology has already reared its head in various scams, evidencing its potential for harm. Fraudsters have leveraged these fake voices to imitate CEOs for corporate espionage, mimic government officials to spread disinformation, and even duplicate voices of family members in distress as part of elaborate phishing scams. These incidents are not simply one-off events but indicative of a troubling trend that capitalizes on the inherent trust we place in familiar voices, turning it against us.

The path that deepfake technology is on raises profound questions about the future of trust and authenticity. Currently, the most advanced tools for creating deep fakes are closely held by technology companies and are used under strict conditions. But as the technology becomes more accessible, the ability to create deep fakes could fall into the hands of the masses, leading to widespread implications. This potential democratization of deepfake tools could be a boon for creativity and individual expression but also poses a significant threat in terms of misinformation, privacy, and security.

The defense against deep fakes: a multifaceted approach

To tackle the challenge of deep fakes, a robust and varied approach is essential. Researchers are developing sophisticated detection algorithms that can spot signs of audio manipulation that are imperceptible to the human ear. Legal experts are exploring regulatory measures to prevent misuse. And educational initiatives are aiming to make the general public more aware of deep fakes, teaching them to critically evaluate the media they consume. The effectiveness of these measures will depend on their adaptability and continued evolution alongside deepfake technology.

Awareness is a powerful tool against deception. By educating the public on the existence and methods behind deep fakes, individuals can be more vigilant and less susceptible to manipulation. Understanding how deep fakes are made, recognizing their potential use in media, and knowing the signs to look out for can all contribute to a society that is better equipped to challenge the authenticity of suspicious content. This education is vital in an era where audio and visual content can no longer be taken at face value.

Navigating the ethical landscape of deepfake technology is critical. The potential benefits for creative industries, accessibility, and personalized media are immense. Yet, without a strong ethical framework, the negative implications could be far-reaching. Establishing guidelines and best practices for the responsible use of deepfakes is imperative to prevent harm and to ensure that innovation does not come at the cost of truth and trust.

Conclusion

As voice deep fakes become more advanced, they pose a significant challenge to the trust we place in our auditory perceptions. Ensuring the integrity of our digital communications requires not just caution but a comprehensive strategy to navigate this new terrain. We must foster a society that is equipped to recognize and combat these audio illusions—a society that is as critical and discerning of what it hears as it is of what it sees. It is a complex task, but one that is essential to preserving the fabric of trust that binds our digital and real-world interactions together.

The trustworthiness of sound in the age of voice deepfakes

Sep 21, 2023 — 4 min read

Information security (IS) courses are needed not only for IS department employees and not even only for certain employees of a company but for everyone. Information security training in today's world, where virtually all areas of life have been digitized, should be on par with fire safety and other fundamental rules that employees are required to observe in the workplace.

Even the most ordinary employee today has access to corporate email or other means of communication within the company, as well as internal information systems and archives. If they do not know the basic rules of cyber hygiene or do not update them in a timely manner, they can become a springboard for attackers to access sensitive company data.

In this article, we will discuss the importance of cyber hygiene in the enterprise, why this knowledge needs to be updated, the pros and cons of in-house and third-party cyber security courses, and what should be included in a cyber hygiene course.

Why cyber hygiene training matters

Almost every aspect of modern business operations has been transformed by the digital revolution. From communication to data storage, the modes have shifted from tangible to virtual platforms. This transition has been a boon in many ways. However, the virtual world, much like its physical counterpart, is not devoid of threats.

Previously, threats were physically visible, like a fire, necessitating measures like fire drills. Today, threats are more intangible, often lurking behind an innocent-looking email or website link. This paradigm shift means that cyber safety has become as crucial as any other workplace safety protocol. It is here that cyber hygiene courses play a significant role.

Most employees, regardless of their designation or role, interface with digital tools like emails, messaging platforms, and digital databases. This widespread access to digital tools, while indispensable, poses a significant risk. If employees are not equipped with basic cyber hygiene knowledge, even unintentional actions can expose the entire organization to threats.

A deep dive into the essentials of cyber hygiene training

Every company has a diverse set of employees, from those in HR and marketing to IT professionals, legal experts, and database managers. While their roles vary, their interaction with the company's IT infrastructure is common, necessitating cyber hygiene training for all in the following categories:

Awareness of threats. The digital realm has a vast array of threats, from phishing attacks to malware and deceptive social engineering tactics. Comprehensive training ensures employees can identify these threats, mitigating potential risks.

Password protocols. A strong password can often be the first line of defense against cyber-attacks. Employees need guidance on creating robust passwords and the benefits of two-factor authentication.

Data protection. Data is often referred to as the 'new oil.' In a business context, data can include everything from company secrets to customer details. Understanding the importance of data and the protocols for its protection is paramount.

Incident management. Not every threat can be prevented. However, swift action can often limit the damage. Employees should be trained to recognize unusual activities and report them promptly.

The in-house vs. third-party training dilemma

Recognizing the need for training is only the beginning. The subsequent challenge is determining the optimal delivery method. The question arises: should businesses lean on their established in-house IT teams, or would it be wiser to seek the expertise of external professionals?

When considering the Advantages of Engaging External Specialists, several factors stand out:

Proficiency. Firms in the cybersecurity domain naturally offer a reservoir of specialized knowledge. Their immersion in the field ensures that they bring a high degree of expertise to the table.

Bespoke solutions. Each business has its nuances. Recognizing this, external specialists are adept at fashioning strategies that are uniquely tailored, focusing on a company's specific requirements and vulnerabilities tied to their industry.

State-of-the-art tools. Another compelling reason to consider them is their familiarity with the latest in the cybersecurity landscape. These experts have their fingers on the pulse, utilizing cutting-edge tools and being aware of evolving threat scenarios. This ensures training remains pertinent and forward-thinking.

Yet, it's essential to balance these benefits with potential drawbacks. Among the challenges of relying on external expertise are the costs involved, which can stretch the budget, especially for larger organizations. There's also the concern that an external perspective might miss nuances inherent to a company's internal processes and culture.

On the other hand, the Benefits of Internal Training are manifold:

Personalization. An internal approach offers a distinct advantage in its adaptability. Companies can sculpt the training, ensuring it's laser-focused on their infrastructure and unique challenges.

Autonomy. Having in-house training offers an unparalleled level of control. Every stage, from conception to delivery, remains under the company's purview.

The economic perspective. While the outset might require considerable investment, the long-term financial implications of in-house training can often skew towards being more economical.

Yet, as with all strategies, there are inherent challenges to consider. Relying solely on in-house capabilities can sometimes lead to gaps in expertise. Limited resources might also become a constraint, and the time commitment to design and implement robust training modules shouldn't be underestimated.

Ensuring periodic refreshers

Experts recommend holding awareness courses at least once a year to update employees' knowledge and skills. Whenever new technologies are introduced or new security threats emerge, separate training should be conducted. This is to ensure that knowledge is up-to-date and to avoid compromising the effectiveness of the company's defenses.

Employees who have already taken a full course do not need to retake the same course every year. Testing can be done to determine if the employee has lost knowledge, as well as new training on updates and new attack techniques. For those employees who have forgotten some of the topics and have difficulty with them, a shortened version of the training can be scheduled. Also, knowledge should be updated after a cyber incident and a case study should be conducted.

The bottom line

Cybersecurity today has become an important part of human security. While in the past it was more common to steal money in the underground or on the street, today it is increasingly being done online. Whereas in the past, attackers only had physical opportunities to harm a business, today any company can be attacked online.

Statistically, the most common cause of a cyberattack is human error. That's why employee cyber hygiene training is the foundation of all the basics in a company's information security. No matter how advanced anti-viruses are installed, no matter how professional the IS department is, one small mistake by an ordinary manager and the company's database is in the hands of attackers or a malicious program enters the company's network.

Regular sessions on cyber security not only prevent such incidents but can also help raise threat awareness and strengthen the security culture of an organization.

The necessity of cyber hygiene training in today's digital world