You may not want to read those terms of service, but you really should.

Do you read an app’s terms of service agreement before you click to accept or agree? If you don’t, you’re not alone. Research has shown that very few people actually take the time to read what an app or website is asking them to agree to — even when, in the case of one study, participants unknowingly agreed to give the company at hand their future first-born children. The lengthy documents aren’t often designed to be understood, other researchers have concluded. 

“The option of reading through the terms of service or privacy policy is not easy. It’s not accessible,” said Nader Henein, a senior research director and fellow of information privacy at Gartner. “If you’ve had lawyers write up the policy, there’s a good chance that someone without a law degree and a good half hour of time to dedicate to it will not be able to decipher exactly what it’s asking for.” 

But don’t worry — we’re here to help. Here are three red flags to look out for before you hit “agree” on a privacy policy to download an app or use a service. 

Red flag No. 1: Complexity 

In legal disputes over privacy policy and terms of service documents, many cases don’t make it to litigation because there’s no expectation that someone is actually going to read the fine print, Henein said. There’s also no expectation that the reader will have the necessary training to understand the policy even if they did read it, he added. 

Apps whose complex policies bury exactly what a person is agreeing to (such as sharing their data with third parties) reflect a disingenuous approach on the part of the company, and should be avoided, Henein said. 

“If the language is complex, and you read the first paragraph and it makes no sense to the average person, that tells me that the company really hasn’t considered people into the equation,” Henein said. “You need to be on your guard.” 




Image source: Centers for Disease Control


Threat actors are still taking advantage of the ongoing COVID-19 global outbreak by attempting to drop Remcos RAT and malware payloads on their targets’ computers via malicious files that promise to provide Coronavirus safety measures.

Cybaze/Yoroi ZLab researchers recently spotted a suspicious CoronaVirusSafetyMeasures_pdf.exe executable after it was submitted to their free Yomi Hunter sandbox-based file analysis service.

While the infection vector used by the attackers is not yet known, the most probable method of dissemination is a phishing campaign that would deliver it as an email attachment.


RAT used to steal keystrokes

As the Cybaze/Yoroi ZLab research team later discovered, the executable is an obfuscated Remcos RAT dropper that would drop a Remcos RAT executable on the compromised computer, together with a VBS file designed to run the RAT.



Researchers use a ferroelectric glass electrolyte within an electrochemical cell to create simple self-charging batteries.

A new type of battery combines negative capacitance and negative resistance within the same cell, allowing the cell to self-charge without losing energy, which has important implications for long-term storage and improved output power for batteries.

These batteries can be used in extremely low-frequency communications and in devices such as blinking lights, electronic beepers, voltage-controlled oscillators, inverters, switching power supplies, digital converters and function generators, and eventually for technologies related to modern computers.

In Applied Physics Reviews, from AIP Publishing, Helena Braga and colleagues at the University of Porto in Portugal and the University of Texas at Austin report making their very simple battery with two different metals as electrodes and a lithium or sodium glass electrolyte between them.

Bistable Energy Landscape for a Lithium-Glass Ferroelectric-Electrolyte


Bistable energy landscape for a lithium-glass ferroelectric-electrolyte in contact with an aluminum-negative electrode and self-cycling process in an electrochemical aluminum/lithium glass/copper cell. a) Variation of the potential energy with plated lithium leading to negative capacitance/self-charge and negative resistance/self-cycling. b) Self-charge and self-cycling processes upon alignment of the dipoles in the ferroelectric-electrolyte due to the electrical necessity of aligning the Fermi levels. Credit: Braga et al.



In a new metadata-protecting scheme, users send encrypted messages to multiple chains of servers, with each chain mathematically guaranteed to have at least one hacker-free server. Each server decrypts and shuffles the messages in random order, before shooting them to the next server in line.

System ensures hackers eavesdropping on large networks can’t find out who’s communicating and when they’re doing so.

MIT researchers have designed a scalable system that secures the metadata — such as who’s corresponding and when — of millions of users in communications networks, to help protect the information against possible state-level surveillance.

Data encryption schemes that protect the content of online communications are prevalent today. Apps like WhatsApp, for instance, use “end-to-end encryption” (E2EE), a scheme that ensures third-party eavesdroppers can’t read messages sent by end users.

But most of those schemes overlook metadata, which contains information about who’s talking, when the messages are sent, the size of the message, and other information. Many times, that’s all a government or other hacker needs to know to track an individual. This can be especially dangerous for, say, a government whistleblower or people living in oppressive regimes talking with journalists.
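The chain-of-servers idea summarized above is easiest to see in code. The following is an added illustration, not the MIT team's system or code: a toy mix network in which a sender wraps each message in one encryption layer per relay, and each relay peels its layer, shuffles the batch and forwards it. The cipher (SHA-256 in counter mode with an HMAC tag, keyed by a per-relay secret the sender is assumed to share) is a stand-in for the public-key encryption a real mixnet uses, and the sample messages are constructed. The point the code makes is the one the paragraph makes: an eavesdropper who controls every relay can chain the shuffles back together, but a single honest relay leaves the sender-to-output mapping uniformly random, so timing and size alone reveal nothing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Toy mix network (added illustration, not the MIT design). Every relay peels one
# encryption layer off each message in a batch and forwards the batch in a fresh
# random order. The cipher below is SHA-256 counter mode plus an HMAC tag under a
# symmetric key shared between sender and relay; it stands in for the public-key
# encryption a real mixnet would use and is not a production cipher.

NONCE_LEN = 16
TAG_LEN = 32
MSG_LEN = 64  # every payload is padded to one size so length cannot link messages


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed; relay drops the message")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def pad(message: bytes) -> bytes:
    if len(message) > MSG_LEN - 2:
        raise ValueError("message too long for fixed-size slot")
    return len(message).to_bytes(2, "big") + message.ljust(MSG_LEN - 2, b"\0")


def unpad(padded: bytes) -> bytes:
    return padded[2:2 + int.from_bytes(padded[:2], "big")]


def wrap(message: bytes, relay_keys: List[bytes]) -> bytes:
    # Innermost layer belongs to the last relay, outermost to the first.
    blob = pad(message)
    for key in reversed(relay_keys):
        blob = encrypt(key, blob)
    return blob


def relay(key: bytes, batch: List[bytes]) -> Tuple[List[bytes], List[int]]:
    """Peel one layer from each message and emit the batch in random order.
    perm[j] = i means output slot j carries the message from input slot i;
    an honest relay keeps perm secret."""
    peeled = [decrypt(key, b) for b in batch]
    perm = list(range(len(peeled)))
    secrets.SystemRandom().shuffle(perm)
    return [peeled[i] for i in perm], perm


def run_mixnet(messages: List[bytes], relay_keys: List[bytes]) -> Tuple[List[bytes], List[List[int]]]:
    batch = [wrap(m, relay_keys) for m in messages]
    perms = []
    for key in relay_keys:
        batch, perm = relay(key, batch)
        perms.append(perm)
    return [unpad(b) for b in batch], perms


def link_senders_to_outputs(perms: List[List[int]], compromised: set) -> Optional[Dict[int, int]]:
    """What an eavesdropper controlling the relays in `compromised` can learn.
    With even one honest relay the composite permutation is uniformly random,
    so no input slot can be tied to an output slot and None is returned."""
    if any(i not in compromised for i in range(len(perms))):
        return None
    mapping = {}
    for sender in range(len(perms[0])):
        pos = sender
        for perm in perms:
            pos = perm.index(pos)  # follow the slot through this relay's shuffle
        mapping[sender] = pos
    return mapping


def demo(n_relays: int = 3):
    # Constructed sample traffic from three senders (not real data).
    messages = [b"alice->bob: meet at 9", b"carol->dave: report attached", b"erin->frank: ok"]
    keys = [secrets.token_bytes(32) for _ in range(n_relays)]
    outputs, perms = run_mixnet(messages, keys)
    return messages, outputs, perms


def tampered_message_is_rejected() -> bool:
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt(key, pad(b"hello")))
    blob[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msgs, outs, perms = demo()
    print("outputs:", outs)
    print("two of three relays compromised:", link_senders_to_outputs(perms, {0, 1}))
    print("all relays compromised:", link_senders_to_outputs(perms, {0, 1, 2}))
```

Running the module prints the shuffled plaintexts, `None` for the partially compromised chain, and the full sender-to-slot mapping only when every relay is compromised. The fixed-size padding and the integrity tag are there for the same reason as the shuffle: a relay that forwards messages of differing lengths, or that accepts a tampered message and emits a garbled one, hands an observer a tag to follow through the chain.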




On Monday, the Justice Department announced that it was charging four members of China’s People’s Liberation Army with the 2017 Equifax breach that resulted in the theft of personal data of about 145 million Americans.

The attack, according to the charges, was part of a coordinated effort by Chinese intelligence to steal trade secrets and personal information to target Americans.

Using the personal data of millions of Americans against their will is certainly alarming. But what’s the difference between the Chinese government stealing all that information and a data broker amassing it legally without user consent and selling it on the open market?

Both are predatory practices to invade privacy for insights and strategic leverage. Yes, one is corporate and legal and the other geopolitical and decidedly not legal. But the hack wasn’t a malfunction of the system; it was a direct result of how the system was designed.

Equifax is eager to play the hapless victim in all this. Don’t believe it. In a statement praising the Justice Department, Equifax’s chief executive, Mark Begor, deflected responsibility, highlighting the hack as the work of “a well-funded and sophisticated military” operation. “The attack on Equifax was an attack on U.S. consumers as well as the United States,” he said.

While the state-sponsored attack was indeed well funded and sophisticated, Equifax, by way of apparent negligence, was also responsible for the theft of our private information by a foreign government.

According to the indictment, the Chinese military exploited a vulnerability in Apache Struts software, which Equifax used. As soon as Apache disclosed the vulnerability, it offered a patch to prevent breaches. Equifax’s security team, according to the indictment, didn’t employ the patch, leaving the drawbridge down for People’s Liberation Army attackers. From there, the hackers gained access to Equifax’s web servers and ultimately got a hold of employee credentials.

Though the attack was quite sophisticated — the hackers sneaked out information in small, hard-to-detect chunks and routed internet traffic through 34 servers in over a dozen countries to cover their tracks — Equifax’s apparent carelessness made it a perfect target.

According to a 2019 class-action lawsuit, the company’s cybersecurity practices were a nightmare. The suit alleged that “sensitive personal information relating to hundreds of millions of Americans was not encrypted, but instead was stored in plain text” and “was accessible through a public-facing, widely used website.” Another example of the company’s weak safeguards, according to the suit, shows the company struggling to use a competent password system. “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes,” it read.

The takeaway: While almost anything digital is at some risk of being hacked, the Equifax attack was largely preventable.

Since its establishment in 1899 (it was originally named Retail Credit), Equifax has prompted concerns over the sheer volume of data it amasses. Those fears increased as the company entered the digital age. In a March 1970 Times article about the company, Alan Westin, a professor at Columbia University, offered this warning: “Almost inevitably, transferring information from a manual file to a computer triggers a threat to civil liberties, to privacy, to a man’s very humanity … because access is so simple.”

Five decades on, that statement rings especially true. Moreover, it’s a useful frame to understand why, in a world where everything can be hacked, bloated data brokers like Equifax present an untenable risk to our personal and national security.

It’s helpful to think about a hack like what happened to Equifax as part of a chain of events where, the further down the chain you go, the more intrusive and potentially damaging the results. The Equifax data we know was stolen is a perfect example of what’s known as Personally Identifiable Information. Obtaining the names, birth dates and Social Security numbers of almost half of all Americans is troubling on its own, but that basic information can then be used to procure even more personal information, including medical or financial records.

That more sensitive information can then be used to target vulnerable Americans for blackmail or simply to glean detailed information about the country by analyzing the metadata of its citizens. And so the revelations in the indictment in the Equifax case are alarming. The theft is one in a string of successful hacks, including of the federal Office of Personnel Management, Marriott International and the insurance company Anthem. Given the volume and granularity of the data and the ability of attackers to use the information to gain even more data, it’s not unreasonable to ask, Does China now know as much about American citizens as our own government does?

In his statement on Monday, Mr. Begor, Equifax’s chief executive, noted that “cybercrime is one of the greatest threats facing our nation today.” But what he ignored was his own company’s role in creating a glaring vulnerability in the system. If we’re to think of cybercrime like an analog counterpart, then Equifax is a bank on Main Street that forgot to lock its vault.

Why rob a bank? Because that’s where the money is. Why hack a data broker? Because that’s where the information is.

The analogy isn’t quite apt, though, because Equifax, like other data brokers, doesn’t fill its vaults with deposits from willing customers. Equifax amasses personal data on millions of Americans whether we want it to or not, creating valuable profiles that can be used to approve or deny loans or insurance claims. That data, which can help dictate the outcome of major events in our lives (where we live, our finances, even potentially our health), then becomes a target.

From this vantage, it’s unclear why data brokers should continue to collect such sensitive information at scale. Setting aside Equifax’s long, sordid history of privacy concerns and its refusal to let Americans opt out of collection, the very existence of such information, stored by private companies with little oversight, is a systemic risk.

In an endless cyberwar, information is power. Equifax’s services as a data broker offer something similar to its customers, promising data and insights it can leverage for corporate power. China is behaving a lot like any other data broker. The big difference is that it isn’t paying.






The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.

According to a 2019 study, 74 percent of respondents whose organizations have been breached acknowledged the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by phishing campaigns. So, what can organizations do to prevent their users from falling for the bait of these attacks? 

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails [or text messages] are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails [or SMS messages] often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

According to the 2019 Verizon Data Breach Investigations Report (DBIR), nearly one third of all breaches in the past year involved phishing. For cyber-espionage attacks, that number is a whopping 78%. Phishing attacks can be categorized into the following four types:

• Deceptive Phishing – The most common type of phishing attack, whereby threat actors impersonate a legitimate company to steal users’ personal data and access credentials. 

• Spear Phishing – These types of attacks are more sophisticated, whereby the threat actor customizes the attack email with the target’s name, job title, company, and other personal information to make the recipient believe they have a connection to the sender. 

• CEO Fraud – This type of attack targets executives to steal their access credentials, often to commit financial fraud by subsequently tricking employees into authorizing fraudulent wire transfers or granting access to W-2 information.

• Smishing – Phishing attacks are no longer limited to email, since threat actors are now also sending malicious text messages to users’ phones.

How to Protect Against Phishing

Users should apply common sense in all their communications and keep the following precautions in mind:

• Don’t post personal data that can be used for social engineering, like birthdays, travel plans, or personal contact information, publicly on social media.

• Check the sender’s email address by hovering over the ‘from’ address.

• Don’t click on links, but rather go to the sender’s website and validate the authenticity of the page indicated in the email.

• When an email from a known source seems suspicious, contact that source with a new email, rather than just hitting reply.

• Read the email and check for spelling and grammatical mistakes, as well as strange phrases. Legitimate companies know how to spell. 

• Slow down. Urgency, which forces users not to think, is the fuel attackers rely on. Take a breather and revisit the steps above before taking any action.

For businesses, IT security professionals can implement the following proactive measures to protect their organization:

• Educate users about the risk of phishing and the characteristics of these attacks.

• Implement email protection software to “sandbox” inbound emails and to validate and sanitize links users might click on.

• Exercise caution when deploying third-party Web tools. Investigate their security protocols to determine if they’re comprehensive enough to minimize malware injections. Obviously, restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.

• Implement multi-factor authentication (MFA), which requires multiple methods for identification (something you know, something you have, and something you are), and therefore is one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. This should be standard practice for all organizations. 

• Apply risk-based access controls to define and enforce access policies based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access controls are often used in combination with MFA.

Ultimately, stealing valid credentials via phishing attacks and using them to access a network is easier, less risky, and ultimately more efficient than exploiting existing vulnerabilities, even a zero-day. Cybersecurity defenses need to adapt to this reality. User education and beefing up an organization’s authentication systems are two essential steps that can minimize the risks associated with phishing and subsequent cyber-attacks aimed at data exfiltration. 


When you download an app, the permissions requests and privacy policy are usually the only warnings you’ll get about the data it’s taking. Usually, you just have to take the app’s word that it’s grabbing only the data you’ve agreed to give it.

Often, though, there’s more grabbing going on than you were led to believe, security researchers have determined. More than 1,000 apps have been found to take data even after you’ve denied them permissions. For instance, menstrual tracking apps have shared sensitive info with Facebook, as well as with other companies you might not have expected. Similarly, apps designed to block robocalls have shared your phone data with analytics firms.

Anytime a device sends data, the traffic is captured and logged. Your location is used when you check the weather, but that same information can be sent to advertisers. Researchers have tools to see that log. Then they analyze it to figure out how much data gets sent and where it’s going. 

Typically, that sort of network traffic analysis was used to look outside, providing a window on what was happening on public Wi-Fi networks. In recent years, however, researchers have turned that scope onto their own phones to see what data the apps on their devices send out.

By taking a look under the hood, they’ve found that many apps are sending data that goes beyond what people agree to under privacy policies and permissions requests. 

“In the end, you’re left with a policy that’s essentially meaningless because it doesn’t describe what’s accurately happening,” said Serge Egelman, director of usable security and privacy research at the International Computer Science Institute. “The only way to answer that question is going in and seeing what the app is doing with that data.” 

Sometimes, the data is just headed to advertisers, who think they can use it to sell you products. Phone location data can be a gold mine for advertisers, who tap it to figure out where people are at certain times. But it may also be going to government agencies that leverage the technology to surveil people using data collected by apps that never disclosed what they were doing. Recently, The Wall Street Journal reported that government agencies were using such data to track immigrants.

These researchers are shining a light on a hidden world of data tracking, and raising concerns about how much information people are giving away without knowing it. Continue reading “Your phone talks about you behind your back. These researchers are listening in.”

Spotlight Topic:  News You Can Use

source:, 12/19/2019



Your smartphone is one of the world’s most advanced surveillance tools. This week, Times Opinion is reporting on a huge trove of location data showing the precise movements of millions of Americans.

Once your location is shared with the companies, there’s no way to delete that information or get it back. Your best bet is to avoid sharing your location in the first place — at least until the government bestirs itself to begin regulating how that information is collected, used and sold.

1.  Stop sharing your location with apps

The most important thing you can do now is to disable location sharing for apps already on your phone. (Don’t worry, your phone will automatically send its location to emergency responders if you dial 911.) It’s easy to do this without having to open each app.

Many apps that request your location, like weather, coupon or local news apps, often work just fine without it. There’s no reason a weather app, for instance, needs your precise, second-by-second location to provide forecasts for your city.

Apple has recently made it harder for companies to snoop on your whereabouts via backdoor methods like checking for nearby Bluetooth and Wi-Fi networks. Make sure your phone’s operating system is updated to benefit from these safeguards.

2.  Disable your mobile ad ID

Your online activity is often tied together and tracked using your mobile advertising ID, which is a unique number created by your phone and sent to advertisers and app makers.

Since location data is sent along with your ad ID, it can be tied to other data about you. You can disable this feature entirely in your privacy settings, limiting the ways companies can tie your activities together.

3.  Prevent Google from storing your location

If you have a Google account, the company may already have saved a trove of location data tied to your devices. You can prevent Google from collecting this information by going to your account’s location activity controls and turning off location sharing.

4.  Understand location tracking is hard to avoid

You can do only so much. Location vendors are engaged in a race to find new ways to ferret out your devices, regardless of whether you followed the steps above. Some will try to identify you using your device type, I.P. address, screen size and even volume and screen brightness, in a process called “fingerprinting.”

Your mobile carrier also collects location pings while your phone is turned on, regardless of whether you followed the steps above. Telecom companies were recently caught selling that data to companies that then resold it to bounty hunters, who used it to find phones in real time. The telecom companies have since pledged to stop selling the data, but they still collect it.

Interested in doing more to keep your location to yourself? Try the Privacy Pro SmartVPN app, which allows users to monitor apps and block them from additional forms of data sharing.

Real protections will come only if federal laws are passed to limit what companies can do with the data they collect. Until then, no matter what settings we choose, we’re all at risk.

Spotlight Topic:  Ubiquitous Technical Surveillance (UTS)

source:, 12/26/2019

Two Times Opinion writers answer readers’ questions on their investigation into how companies track smartphone users and profit off their data.

The New York Times Opinion desk published an investigation last week into the location data industry, showing how companies quietly collect and profit off the precise movements of smartphone users. The investigation, One Nation, Tracked, explored the dangers that location tracking poses and argued for more regulation around these modern technologies.

We invited our readers to ask the writers behind the investigation, Stuart A. Thompson and Charlie Warzel, questions about smartphone tracking. We heard from more than 1,100; here is a selection, lightly edited. 

As one of the youngest millennials, it’s hard for me to not look at this matter with apathy, since it has been a part of my digital life as long as I have had such a life. What would you say to someone who considers themselves normal and boring — no one to stalk them, doesn’t have enough money to be influenced by location-based advertising, etc.? Why should such a person care about this?
— Emily Loof, Colorado Springs

We’ve heard this a lot throughout the Privacy Project — even from people we found in the data after we showed up on their doorstep! We get it. Many of us have nothing to hide and don’t consider ourselves that important. But what about people who do have some private part of their lives or want more privacy?

None of us really has a choice to participate in tracking or not — the system just serves up location data, usually without us noticing. So for people who do want a bit of privacy — worshipers, young people visiting Planned Parenthood, those visiting a queer space, survivors hiding from an abuser — they no longer have a real choice about their privacy. Because the tracking touches everyone, can we really give up after concluding it’s fine for us? When we participate in this system, we’re tacitly endorsing it.

There’s a great piece we urge everyone to read about how privacy is a collective concern. It really opened our eyes, and perhaps it will for you, too.

The other, more direct answer is that while you don’t care now, you might in the future. Once your location is collected, you’ll never get it back — you’ll never know where it’s gone, who’s bought it, who’s looked at it. What if new scandals give you fresh concern? What if you rose to a position of importance or prominence later? If our data simply leaked online for everyone to see, it could ruin relationships, people could be fired, and so on.

You don’t need to be so concerned today that you throw your phone in the lake. But you can have just enough concern to ask that basic laws get passed to protect people who need protecting from a largely unregulated industry.




Spotlight Topic:  News You Can Use


Selling your data


One of the most popular antivirus companies in the world sells people’s sensitive data in a way that can put their privacy at risk, according to new reports.

The culprit: Avast is a multibillion-dollar computer security company based in the Czech Republic. Its software is used by an estimated 400 million people around the world. Last year it emerged that the company was sucking up user behavior data and selling it—and now the extent of that effort has been laid out in new reports from Vice and PCMag.

Eavesdropping on browsing: A 2019 Forbes report first outlined how Avast and subsidiary AVG use browser extensions to watch everything their customers do. That data is then sold to corporate customers as “insights” through a subsidiary company called Jumpshot. Each deal is worth millions of dollars, and clients include Google, Microsoft, PepsiCo, and McKinsey.

The data is “anonymized,” but studies have repeatedly shown that de-anonymizing this kind of data is possible.

Wyden calling: Senator Ron Wyden, a Democrat from Oregon known widely as a hawk on privacy issues, has been in contact with Avast since December 2019 about the selling of user browser data.   

The increasingly bright spotlight on the company has already had some consequences. As of last week, Avast users must now affirmatively opt in to data collection and sale. 

It’s not clear what will happen to all the data that had already been sucked up, however. Wyden insists the company should delete the data collected before it asked for consent from its customers. Avast did not respond to a request for comment.