TikTok Engaging in Excessive Data Collection

source: infosecurity-magazine.com  |  image: pexels.com

 

TikTok has been engaging in excessive data collection and connecting to mainland China-based infrastructure, Internet 2.0 has claimed in a new white paper.

The latest report, overseen by Internet 2.0’s head security engineer Thomas Perkins, is an analysis of “the source code of TikTok mobile applications Android 25.1.3 as well as IOS 25.1.1”, with Internet 2.0 carrying out static and dynamic testing between 1 July to 12 July 2022 that focused on device and user data collection.

The report identified multiple instances of unwarranted data harvesting, including:

  • Device mapping
  • Hourly monitoring of device location
  • Persistent calendar access
  • Continuous requests for access to contacts
  • Device information

Continue reading “TikTok Engaging in Excessive Data Collection”

Microsoft Disrupts Russian Cyber-Espionage Group Seaborgium

source: infosecurity-magazine.com  |  image: pexels.com

 

Microsoft claims to have disrupted a prolific Russian state-backed threat group known for conducting long-running cyber-espionage campaigns against mainly NATO countries.

In an update on August 15, the tech giant said it had disabled accounts used by the “Seaborgium” group for reconnaissance, phishing, and email collection, and updated detections against its phishing domains in Microsoft Defender SmartScreen.

Also known by threat researchers as Callisto Group, ColdRiver, TA446 and other monikers, Seaborgium is a “highly persistent threat actor” that focuses most of its time on the US and UK, and occasionally the countries of the Baltics, Nordics and Eastern Europe.

“Once successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion,” said Microsoft.

Continue reading “Microsoft Disrupts Russian Cyber-Espionage Group Seaborgium”

 

Smishing vs. Phishing: Understanding the Differences

 

source: proofpoint.com  |  image: pexels.com

 
What have smishing offenders learned from their phishing email counterparts?

Email-based credential theft remains by far the most common threat we encounter in our data. But SMS-based phishing (commonly known as smishing and including SMS, MMS, RCS, and other mobile messaging types) is a fast-growing counterpart to email phishing. In December 2021, we published an article exploring the ubiquity of email-based phish kits. These toolkits make it straightforward for anyone to set up a phishing operation with little more than a laptop and a credit card. Since then, we’ve tracked their evolution as they gain new functions, including the ability to bypass multifactor authentication.

In this blog post we’re going to look at smishing vs. phishing and what smishing offenders have learned from their email counterparts, as well as some significant differences that remain between the two threats.

Setting the (crime) scene

A modern email phishing setup can be as simple as one person with a computer and access to common cloud-hosted services. But for a smishing operation, the picture is somewhat different. While software smishing kits are available to buy on the dark web, accessing and abusing mobile networks requires a little more investment.

Continue reading “Smishing vs. Phishing: Understanding the Differences”

 

5 Ways to Make Your Passwords Instantly More Secure

 

source: cnet.com  |  image: pexels.com

 

If you think your passwords are uncrackable, think again.

Despite years of warnings, experts say most people are still using weak passwords to protect even their most sensitive information. Many people are reusing those insecure passwords to protect multiple accounts, putting more of their data at risk should any of the accounts be compromised.

“It’s the total account takeover scenario,” said John Buzzard, lead fraud and security analyst at Javelin Strategy & Research, referring to a cybercriminal cracking one password and then using it to access other accounts. “Consumers lose control over their entire digital lives.”

World Password Day, which takes place on Thursday, is a good time to review your digital security. Sure, it’s a totally made-up celebration that Intel created in 2013. But it’s still a good reminder to take a close look at your logins and make sure they check the required security boxes.

Continue reading “5 Ways to Make Your Passwords Instantly More Secure”

Security News This Week: The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption

source: wired.com  |  image: nsa.gov

 

 

The US is readying new encryption standards that will be so ironclad that even the nation’s top code-cracking agency says it won’t be able to bypass them.

The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. 

“There are no backdoors,” said Rob Joyce, the NSA’s director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor.

The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today’s computers can’t. But it’s also one that the White House fears could allow the encrypted data that girds the U.S. economy – and national security secrets – to be hacked. 

Continue reading “Security News This Week: The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption”

Anatomy of a Phishing Scam As Told Through Scamming the Scammer

 

image - phishing

source: blog.avast.com. |  image:  pixabay.com

to view all images associated with this blog post, go to Avast.com

Here’s a “scam the scammer” SMS conversation to highlight some of the red flags to look out for the next time your “boss” messages you.

Sometimes it feels like scammers are coming at you from every direction these days. They’re on the phone. They’re on SMS. They’re on social media. Sorting the real from the nonsense can feel like a full time job but, for some people, that “job” turns into fun.

That’s what happened recently when a professional woman in New York City decided to play around a little bit with her “boss,” (spoiler: not her boss) who was making odd requests via text. And while “scam the scammer” situations like this one are often hilarious, they’re also a great way to learn about the methodology that scammers use to trick people into giving them money. 

So let’s take a look at the following “scam the scammer” SMS conversation to highlight some of the red flags to look out for the next time your “boss” messages you. 

1. They set up a situation where you can’t talk to them on the phone.

“Josh” makes it clear up front that he can’t talk on the phone. Obviously there are some situations where this is legitimate — like if he was actually Josh and was actually at a conference — but “Cris,” as an employee, would likely know if her boss was out of office. The scammer is hoping that Cris doesn’t know her boss’ schedule.

Continue reading “Anatomy of a Phishing Scam…”

DoD Identity Awareness, Protection, and Management (IAPM) Guide

 

Click the image above to view this amazing guide & resource

 

HOW TO USE THIS GUIDE The Identity Awareness, Protection, and Management (IAPM) Guide is a comprehensive resource to help you protect your privacy and secure your identity data online. The IAPM Guide is divided into chapters detailing key privacy considerations on popular online services, mobile apps, and consumer devices available in the market today. Each section provides you with tools, recommendations, and step-by-step guides to implement settings that maximize your security. The guide is updated periodically. While some of the chapters in the IAPM Guide deal with technical issues, they do not require a technical background to follow. The U.S. Department of Defense creates this guide to provide recommendations for readers to keep their identities private and secure online. Please note the information presented here is subject to change.

Free Cybersecurity Tools and Services List

Published by CISA

 

source: pewresearch.org  | image by pixabay.com

 

Asked to ‘imagine a better world online,’ experts hope for a ubiquitous – even immersive – digital environment that promotes fact-based knowledge, offers better defense of individuals’ rights, empowers diverse voices and provides tools for technology breakthroughs and collaborations to solve the world’s wicked problems

 

This report is the second of two analyzing the insights of hundreds of technology experts who responded in the summer of 2021 to a canvassing of their predictions about the evolution of online public spaces and their role in democracy in the coming years. In response to the primary research question, many said they expect that these forums will be significantly improved by 2035 if reformers, big technology firms, governments and activists tackle the problems created by misinformation, disinformation and toxic discourse. At the same time, they expressed ongoing concerns about the destructive forces in culture and technology that could continue to plague online life and disrupt beneficial change in the coming years.

Continue reading “Free Cybersecurity Tools and Services List Published by CISA”

Be Careful If You Get a Strange USB Drive in the Mail – It Might Be a Virus

 

source: idropnews.com, contributed by Artemus founder, Bob Wallace  |  image: pixabay.com

 

Cybercriminals have found a novel way to install malicious software on your computer. Instead of using online tools, they’re sending USB drives directly to victims in the mail throughout the United States.

According to the FBI, a cybercrime group is mailing out physical USB drives hoping that the potential victims connect them to their computers.

The cybercriminals used the United States Postal Service and United Parcel Service to send all the USB drives. But they didn’t send just drives. They also made sure to impersonate the U.S. Department of Health and Human Services. The messages claimed that the USB drives contained a COVID-19 warning. Other mailed USBs claimed that they were from Amazon and that they had an Amazon gift card inside.

This is nothing new since cyber attackers have often used phishing to impersonate big companies and organizations to make you trust them.

According to the report, these USB drives contain malware known as BadUSB attacks. This malicious software lets the cybercriminal control the computer with the USB drive to do things like create new commands on the computer, install different types of malicious software, or redirect traffic.

Unfortunately, this isn’t the first time this happened. Back in 2020, there was another attack with a similar process, and cybercriminals sent out a bunch of USB drives in the mail.

That time, the mail claimed that it was a gift card from Best Buy, but in reality, it was also a BadUSB malware that was used to install malware and exploit other vulnerabilities in many organizations’ PCs. They also were used to deploy many ransomware strains like BlackBatter and REvil.

Needless to say, you need to be careful of what you get in the mail and what you plug into your computer. Even if the package is addressed to you, you should avoid at all costs plugging one into your computer.

If the USB drive comes from a company or a person you’re familiar with—and you trust– try contacting them to make sure they actually sent you the USB drive. Even then, if it isn’t actually anything important, you should try to avoid using the USB drive in your computer to prevent any possible cyber attacks.