
Qwant or DuckDuckGo: Which Search Engine is More Private?


Qwant and DuckDuckGo are two privacy-focused search engines that promise not to track your activity. A key part of their appeal is that they help you avoid the privacy-invading practices that are all too common among the big search engines. However, in the search engine business it is easy to promise one thing and then do whatever brings the organization the most profit.

Here we compare DuckDuckGo with Qwant to discover which search engine better safeguards its users' privacy, beyond the marketing claims.

Data Collection 

Data collection is a delicate matter for any search engine company. There is a very blurry line between the quantity of data that is required to run the service and the amount that is excessive. Once a search engine crosses that line, one can infer that the notion of privacy has simply been abandoned.

IP address, device type, device platform, search history, and the links clicked on result pages are some examples of the data collected by major search engine companies.

However, they do not necessarily need to collect all of that data at the expense of users' privacy. So what kind of data do Qwant and DuckDuckGo collect on their users?

Data Collected by Qwant 

According to Qwant, its search engine aims to gather as little information as possible. While this is partially accurate, it still gathers some information that could affect your privacy, such as your IP address, search phrases, preferred languages, and news-trend data. Qwant's data processing methods do put a heavy priority on user privacy; to be fair, they have made a significant effort.

Qwant's weakness is that it depends heavily on outside services, some of whose privacy policies may not always protect users. For instance, Qwant relies on Microsoft for the ad services that generate its revenue. To do so, it must collect the IP addresses and search terms of its users and share them with Microsoft. Some of us may be aware that Microsoft is not exactly a privacy pioneer.

However, Qwant asserts that it does not transmit search terms and IP addresses together. Instead, search terms and IP addresses are transmitted separately, through different services, to make it difficult for the parties concerned to link search phrases to IP addresses.

In other words, they hinder the ability of outside services to build a profile of you. However, some contend that the mere fact that Qwant gathers this data constitutes a potential privacy breach.

Data Collected by DuckDuckGo 

In ideal terms, the right amount of data to collect is 'no personal data at all'. DuckDuckGo never collects your IP address, cookies, search terms, or any other personally identifiable data. Every time you use the DuckDuckGo search engine you are, in effect, an entirely new user: there is no way for DuckDuckGo to determine whether you have been there before.

Most of the data generated by your interaction with DuckDuckGo is destroyed once you leave the search engine. This is part of the reason why DuckDuckGo does not have a clear idea of how many people use it.

Clearly, in terms of data collection and the sharing of user data with third parties, DuckDuckGo is the more privacy-preserving of the two.

Search Leakage 

Search leakage occurs when a search engine fails to properly delete or anonymize data that can be passed to a third party when you click a link on a search results page. Your search history, browser history, and in some situations cookies are examples of data that might be exposed.

To prevent search leaks, both DuckDuckGo and Qwant have implemented a number of precautionary measures, including, but not limited to, the encryption of your data.

However, a challenging privacy problem for both search engines is that they put your search terms in the URL of their result pages. While this may not appear to be a privacy issue, it is. By keeping your search keywords in URL query parameters, both DuckDuckGo and Qwant unintentionally reveal your search history to the browser of your choice.

This means that, despite your best efforts, everything you did to keep your searches private could be undone if you use a browser that monitors your browsing activity, and in particular how you use search engines.

In terms of search leakage, neither DuckDuckGo nor Qwant convincingly outperforms the other. 
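To make the URL-parameter leak concrete, here is a small added example (not code from the original post or from either search engine). It takes a handful of constructed browser-history entries, shows how trivially the search terms can be read back out of them, and then strips the query parameter so a history record no longer carries the term. The parameter name `q` for both engines is an assumption for this example.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Search engines and the query-string parameter that carries the search term.
# Assumed for this example: both engines used "q" at the time of writing.
SEARCH_PARAMS = {
    "duckduckgo.com": "q",
    "html.duckduckgo.com": "q",
    "www.qwant.com": "q",
}

# Constructed browser-history entries for the demonstration (not real data).
SAMPLE_HISTORY = [
    "https://duckduckgo.com/?q=symptoms+of+shingles&t=h_&ia=web",
    "https://www.qwant.com/?q=divorce%20lawyer%20near%20me&t=web",
    "https://example.com/article?id=42",
    "https://duckduckgo.com/settings",
]


def extract_search_terms(urls):
    """Return (host, term) for every history URL whose query string holds a search.

    This is exactly what a browser extension or sync service with history
    access can read: the engine may not log the query, but the URL does.
    """
    found = []
    for url in urls:
        parts = urlparse(url)
        host = parts.hostname or ""
        param = SEARCH_PARAMS.get(host)
        if param is None:
            continue
        # parse_qs decodes both "+" and "%20" back to spaces
        for term in parse_qs(parts.query).get(param, []):
            found.append((host, term))
    return found


def redact_search_url(url):
    """Strip the search term from a result-page URL, keeping the other parameters.

    A history-scrubbing step like this limits what a local observer learns;
    it does not change what the engine itself received.
    """
    parts = urlparse(url)
    param = SEARCH_PARAMS.get(parts.hostname or "")
    if param is None:
        return url
    query = parse_qs(parts.query, keep_blank_values=True)
    query.pop(param, None)
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    for host, term in extract_search_terms(SAMPLE_HISTORY):
        print(f"{host}: {term!r}")
    for url in SAMPLE_HISTORY:
        print(redact_search_url(url))
```

The point of the second function is the caveat in the text: scrubbing history only protects you from what sits on your own machine; it cannot undo what a browser that reports URLs upstream has already sent.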

Which Search Engine is More Private? 

If you need a less invasive option than the likes of Google, Bing, and Yahoo, then either Qwant or DuckDuckGo is a viable alternative. Both search engines take great care to ensure that whatever you do on their site is your business alone.

However, if you prefer the strictest privacy options available, then DuckDuckGo might be a better choice.  

How Does Increased User Privacy Alter Mobile Advertisement Set-up?


Since Apple introduced its App Tracking Transparency (ATT) privacy framework to give users control over their data, tech businesses have faced the challenge of making trade-offs to adapt to the new data restrictions while still meeting their growth objectives.

While mobile advertisers can no longer target iOS users who have not consented to tracking via their personal identifiers, they have numerous alternatives at their disposal, such as contextual signals and probabilistic attribution, to help them reach quality potential customers across the mobile ecosystem.

Given that the Identifier for Advertisers (IDFA) has been deprecated, in-app advertising may appear less effective. However, with adequate data, tactics, and partners, it is not only still a feasible growth strategy but a crucial one.

Changes Made After iOS 14.5 

Under the new privacy restrictions introduced by Apple, app advertisers can no longer rely on the IDFA to provide device-level user data for targeting iOS users with relevant advertisements.

Since advertisers can no longer track users' activities across apps on iOS, such as clicks, downloads, and conversions, they are less able to measure the efficacy of their ads and use that data to manage their campaigns and ad budgets.

Performance Marketing is Different, Not Worse 

With iOS 14.5, advertisers can no longer access device ID data, but they can still use contextual signals to show ads to a quality audience.

Contextual signals are privacy-safe data points that carry significant information about an ad opportunity, such as location, device type, and the environment in which the ad is shown (i.e. characteristics of the app or website).

With this kind of data, advertisers can use contextual targeting to estimate the likelihood that a user will interact with an advertisement by matching an ad to an impression opportunity. They can then decide how much to bid for each impression.

Since users are opted out of IDFA tracking by default, advertisers can no longer use device IDs to see how a user interacts with an ad, nor target individuals based on their in-app activity. Instead, machine learning models use the new contextual signals to predict user response.

New Data, New Competitive Landscape 

Contextual data can also be combined with other metrics. For example, the number of interactions with a particular ad element reveals which aspect of the creative is most effective. Of course, this is not as accurate as using the IDFA, but thanks to advances in machine learning (ML) it is now possible to absorb these signals and forecast the value of each ad impression in real time with an accuracy that is almost on par with device-ID-powered advertising.

Moreover, the competitive landscape of mobile advertising is more level than it has ever been. All of the tech giants (such as Facebook and Google) now have less information about their users than before. This has compressed the space, and niche players with specialized historical ML models and more responsive algorithms now compete with the tech giants.

For this reason, the marketing platforms that continue to invest in the effectiveness of their models by adding more predictive signals have experienced the most success since the deprecation of the IDFA.

Models can be trained continuously to boost their prediction accuracy, which translates into more effective bidding, lower CPIs, improved user quality, and eventually higher ROAS for advertisers.

Norton LifeLock Issues a Warning for Password Manager Account Breach

 

Customers of Norton LifeLock have been the victims of a credential-stuffing attack. According to the company, attackers used a third-party list of stolen username and password combinations to attempt to break into Norton accounts and, potentially, the password managers attached to them.

Gen Digital, which owns the LifeLock brand, is mailing data-breach notifications to customers, stating that the activity was detected on December 12 when its intrusion detection systems flagged "an unusually high number of failed logins" on Norton accounts. According to the company, a 10-day investigation traced the activity back to December 1.

While Gen Digital did not specify how many accounts were compromised, it did warn customers that the attackers had access to names, phone numbers, and mailing addresses from any Norton account. And it added, "we cannot rule out that the unauthorized third party also obtained details stored [in the Norton Password Manager], especially if your Password Manager key is identical or very similar to your Norton account password." 

Those "details" are, of course, the strong passwords generated for any online services the victim uses, such as corporate logins, online banking, tax filing, messaging apps, e-commerce sites, and so on.

Threat actors take a list of logins acquired from another source, such as cracked account data bought on the Dark Web, and try them against other services' accounts, hoping that users have reused their email addresses and passwords across multiple services. As a result, the irony of the Norton incident is not lost on Roger Grimes, KnowBe4's data-driven defense evangelist.

"If I understand the reported facts, the irony is that the victimized users would have probably been protected if they had used their involved password manager to create strong passwords on their Norton login account. Password managers create strong, perfectly random passwords that are essentially unguessable and uncrackable. The attack here seems to be that users self-created and used weak passwords to protect their Norton logon account that also protected their Norton password manager," he stated via email.

Identity and access management systems have recently become a favoured target, because a single compromise can unlock a treasure trove of information across high-value accounts, not to mention a variety of pivot points for moving deeper into enterprise networks.

LastPass, for example, was targeted in August 2022 through an impersonation attack in which cyber attackers breached its development environment and stole source code and customer data. A follow-up attack on a cloud storage bucket used by the company occurred last month.

In March of last year, Okta revealed that cyberattackers had used a third-party customer support engineer's system to obtain access to an Okta back-end administrative panel used for customer management, among other things. There were approximately 366 customers affected, with two actual data breaches occurring.
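The two detection signals in this story, an unusual volume of failed logins and the credential-stuffing pattern behind it, are easy to show over a log. The following is an added example, not code from Norton, Gen Digital or the original post, run over a constructed authentication log whose line format (`<timestamp> ip=… user=… result=…`) is an assumption of the example. It also includes a rough check for the "identical or very similar" password condition quoted from the breach notice.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample authentication log (not Norton's or Gen Digital's data).
# Format assumed for this example: "<ISO timestamp> ip=<addr> user=<id> result=<OK|FAIL>".
SAMPLE_LOG = """\
2022-12-12T03:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2022-12-12T03:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2022-12-12T03:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2022-12-12T03:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2022-12-12T03:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2022-12-12T03:00:05Z ip=203.0.113.7 user=frank@example.com result=OK
2022-12-12T03:01:10Z ip=198.51.100.4 user=grace@example.com result=FAIL
2022-12-12T03:01:25Z ip=198.51.100.4 user=grace@example.com result=FAIL
2022-12-12T03:01:40Z ip=198.51.100.4 user=grace@example.com result=OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_auth_log(text):
    """Parse the assumed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, fields["ip"], fields["user"], fields["result"] == "OK"))
    return events


def failed_logins_per_window(events, window_seconds=300):
    """Failed-login volume per fixed window: the 'unusually high number of
    failed logins' signal that tripped the intrusion detection in the article."""
    counts = Counter()
    for ev in events:
        if not ev.success:
            bucket = int(ev.ts.timestamp()) // window_seconds * window_seconds
            counts[bucket] += 1
    return counts


def stuffing_suspects(events, min_distinct_users=5):
    """IPs that failed against many *different* accounts. A forgotten password
    hits one account repeatedly; a stuffing list hits many accounts once each."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if not ev.success:
            users_by_ip[ev.ip].add(ev.user)
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_distinct_users)


def accounts_to_reset(events, suspects):
    """Accounts that a suspect IP logged into successfully: these need a forced
    reset and a breach notification, as Gen Digital issued."""
    suspect_set = set(suspects)
    return sorted({ev.user for ev in events if ev.success and ev.ip in suspect_set})


def too_similar(account_password, vault_key, threshold=0.8):
    """Rough check for the 'identical or very similar' condition from the
    notification: a reused or lightly tweaked vault key offers no isolation."""
    return SequenceMatcher(None, account_password, vault_key).ratio() >= threshold


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    print("failed logins per 5-minute window:", dict(failed_logins_per_window(events)))
    suspects = stuffing_suspects(events)
    print("credential-stuffing suspects:", suspects)
    print("accounts to reset:", accounts_to_reset(events, suspects))
```

In the sample, the legitimate user who mistypes twice is not flagged, while the address that cycles through six different accounts is, and the one account it entered is the one to reset. The similarity threshold is a heuristic; the safe policy is simply that the vault key never derives from the account password.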

Customer Engagement Rethinks After Apple's Data Privacy Rules

 


The changes to Apple's privacy policy last year were one of those events where the worried predictions turned out to be precisely the opposite of what happened. Specifically, marketers have seen a significant reduction in their ability to target and personalize ads based on online behavior, with a downstream impact on the social media giants' ad revenues. As a result, the money that Chief Marketing Officers (CMOs) continue to spend on marketing is becoming less and less effective.

By some measures, ROI has plunged by nearly 40% based on the available data. Marketing professionals are scrambling to keep up with the new environment, but as yet it has not made a notable difference in how they behave.

The marketing community still thinks we live in an advertising world in which a vast amount of data is available. The majority have not yet adopted a policy that they believe would be most beneficial for them. In a post-privacy era, in which marketers are given less and less information about individuals or their digital consumption across a broad range of devices and platforms, marketers must engage with customers as soon as they show an interest in their products.

Value exchange

A person cannot be assumed to be an ideal demographic candidate for your product simply because you reached them, especially if your product requires a great deal of consideration.

It is still imperative to have some exchange of value, where marketers give customers something they need (more often than not, simply more information) as a way to gain their attention and, hopefully, their loyalty in the future.

Mattress stores, and physical retail stores in general, could not exist if this were not the case. There is no doubt that consumers tend to stick with what they know and love, even when it comes to transactions, which is why it is now up to digital marketers to re-create the three-dimensional relationships that still exist in everyday life rather than settling for online transactions alone.

Several aspects of Apple's reformed privacy policy make it apparent that marketers had become far too lazy in many ways. They had grown accustomed to an environment where they could observe signals that enabled them to predict the future shopping behavior of every customer they encountered.

It is crucial to understand that the absence of this world does not mean brands are doomed to fail. It simply means they need to come up with original and creative ways of accomplishing their goals, which may even require them to re-learn some old lessons forgotten over the years.

California's Consumer Privacy Act has Been Updated

 

California's pioneering consumer privacy law was strengthened on January 1 as a result of a ballot initiative endorsed by voters in 2020. The updated law, which takes effect this year, imposes new requirements on companies to ensure that employees have more control over the gathering and use of their personal data.

What does California's Consumer Privacy Act imply?

In June 2018, Governor Brown signed the California Consumer Privacy Act (CCPA) into law. A ground-breaking piece of legislation, it imposes requirements on California businesses regarding how they acquire, use, or disclose Californians' data and gives the people of California a set of data rights equal to those found in Europe.

The California Privacy Rights Act (CPRA), which amends the historic California CCPA by extending its protections to staff, job seekers, and independent contractors, will go into effect on January 1, 2023, and firms that employ California residents must ensure they have taken the necessary steps to comply by that date.

An updated version of CCPA

As a result, residents of California can ask for their data to be corrected, deleted, or not sold. These standards now apply to employers as well, for the first time.

If you've noticed those boxes at the bottom of almost every website asking about your preferences for data privacy, you know the California privacy legislation has a significant impact. Employment lawyer Darcey Groden of Fisher Phillips predicts that it will also apply to employers.

While many businesses have the infrastructure in place to deal with customer data, Groden noted that the employment relationship is significantly more complex: in the employment context, a great deal of data is continually being collected.

In most cases, that includes the human resources file, health information, emails, and surveillance footage. The law is exceedingly intricate and compliance will be expensive. According to Zoe Argento, it will be particularly difficult for businesses that do not deal with consumers, for instance those in the manufacturing and construction industries.

Companies with many employees that gather a lot of data, such as gig platforms, could also be significantly affected. They normally do not have a privacy department, so this is quite new to them. More transparency may also result in greater accountability around how some platforms use worker data to design their algorithms.

A Zero-Trust Future Encourages Next-Generation Firewalls

The future of Zero Trust security relies greatly on next-generation firewalls (NGFWs). Gartner Research classifies NGFWs as "deep packet inspection firewalls that incorporate software inspection, intrusion prevention, and the injection of intelligence from outside the firewall in addition to protocol inspection and blocking." As per Gartner, an NGFW should not be mistaken for a standalone network intrusion prevention system (IPS), nor for a device that simply combines a regular firewall and an uncoordinated IPS in the same box.

Significance of Next-Generation Firewalls

1. Substantial investment in ML and AI

As part of their zero-trust security goals, NGFW providers are boosting their investment in ML and AI to distinguish themselves from competitors and deliver higher value. Analytics tools, user and device behavior analysis, and automated threat detection and response are all focused on identifying possible security issues before they happen. By using AI and ML, NGFWs can continuously learn and react to the shifting threat landscape, resulting in a more effective Zero Trust defence against cyberattacks.

2. Contribution of Zero Trust 

By removing implicit trust and continuously verifying every stage of a digital transaction, the Zero Trust approach to cybersecurity safeguards a business. Strong authentication, network segmentation, limiting lateral movement, Layer 7 threat prevention, and granular least-privilege access policies are all used to defend modern environments and facilitate digital transformation. 

Traditional perimeter security lacks such fine-grained controls; its implicit trust means that once on the network, users, including threat actors and malicious insiders, are free to move laterally and access or exfiltrate sensitive data. A Zero Trust strategy is now more important than ever as digitalization accelerates in the form of a growing hybrid workforce, ongoing cloud migration, and the transformation of security operations. 

3. Threat monitoring to enforce least-privilege access

Device software for NGFWs, including patch management, needs less frequent attention from IT teams because updates are distributed in milliseconds and are transparent to administrators.

NGFWs that integrate with Zero Trust environments offer automated firmware patching, IPS, application control, automated malware analysis, IPsec tunnelling, TLS decryption, IoT security, and network traffic management (SD-WAN).

Microsoft Azure uses NGFWs to deliver Zero Trust

By enabling businesses to impose stringent access rules and segment their networks into distinct security zones, Microsoft Azure leverages next-generation firewalls (NGFWs) to deliver zero-trust security. This enhances the overall network security posture.

Azure Firewall can be set up not only to regulate traffic but to monitor it, looking for risks and anomalies and taking appropriate action. To this end, malicious communications can be blocked, infected devices quarantined, and security staff alerted to potential dangers.


NGFW firms are investing more in AI and ML to further distinguish their solutions. They must continue to enhance API integrations, particularly with IPS, SIEM systems, and Data Loss Prevention (DLP) solutions, and must also explore how software-defined networking (SDN) can increase adaptability while providing finer-grained control over network traffic. A well-implemented Zero Trust architecture not only produces improved overall security but also lowers security complexity and operational overhead.

GitHub: Why it's a Hotspot of Attackers & How to Stay Secure?

 

Okta disclosed a security breach last week in which its GitHub-hosted source code was accessed by an attacker. That is merely the most recent instance in a long line of attacks that have succeeded in reaching corporate source code on GitHub. The GitHub accounts of Dropbox, Gentoo Linux, and Microsoft have all previously been targeted. 

GitHub is the most popular source code management service for both private enterprise code and open source repositories, with 90 million active users. It is a significant component of the world's basic infrastructure and the custodian of some of the most sensitive resources and data, so it makes sense that source code is becoming a more popular target for attackers. In some cases, as with Okta, they may be after the source code itself.

If an attacker has access to private source code, they can review it for security holes and then exploit those flaws in subsequent attacks. Attackers can also harvest hard-coded keys, passwords, and other credentials that may be stored in GitHub to access databases and cloud services hosted on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Intellectual property, valid login credentials, and a ready-made list of production software vulnerabilities can all be found in a single stolen repository.

Using this method, the hacking group Shiny Hunters, known for targeting private GitHub repositories in particular, has compromised a number of businesses and sold their data on several Dark Web marketplaces.

GitHub is without doubt an essential component of an organization's infrastructure, but securing it is a difficult identity security problem. Unrestricted collaboration is one of the GitHub model's greatest strengths, but it also presents one of the largest challenges to contemporary IT security.

Just consider it: by 2022, everyone who is even vaguely technical has a GitHub account, and you can do everything with it. These accounts let us work on personal side projects, contribute to open source projects, and contribute to both public and private repositories ultimately owned by our employers. That is a lot of work for a single identity!

The "Sign in with GitHub" function also lets you use your GitHub identity on websites and services other than GitHub itself. There is more: GitHub is distinctive in that git operations over HTTPS and SSH, used to download, push, and clone code between GitHub's servers and your local machine, also require your GitHub identity, whereas other services only require you to sign in to their websites.

When GitHub announced last year that it was deprecating username-and-password authentication for git operations, it was clear that they were aware of the security concerns. This was a positive step.

Tips for Securing Your GitHub

While GitHub offers tools to secure the environment, businesses must understand how to use them. Unfortunately, some of the most crucial security features require GitHub Enterprise. Nonetheless, it is crucial to take measures such as:
  • Don't allow personal accounts for work
  • Don't allow outside collaborators
  • Require authentication via company SSO
  • Require 2FA on all accounts
  • Audit, analyze, and audit again
Although not the first instance, the compromise of Okta's GitHub repository is a potent illustration of how difficult it is to safeguard identities within businesses. We witness account takeover incidents involving employees and contractors on a daily basis. Weak authentication, lenient rules for personal email accounts, and the constant expansion of the identity attack surface all play a part.
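Hard-coded keys and passwords sitting in a repository are what turn a stolen copy of the code into cloud access, so the cheapest control after the account hardening above is a check that refuses to commit them in the first place. The following is an added example, not code from the original post, GitHub or Okta: a small pre-commit style scanner run over constructed file contents. The AWS access key is the placeholder value from AWS's own documentation, the GitHub token is a made-up string of the documented `ghp_` shape, and the password rule is a deliberately loose heuristic.

```python
import re

# Patterns for credential formats commonly committed by mistake. The AWS and
# GitHub token shapes are the publicly documented prefixes; the password rule
# is a deliberately loose heuristic and will need tuning for a real code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Constructed files for the demonstration. The AWS key is the placeholder value
# from AWS's own documentation; the GitHub token is a made-up string of the right shape.
SAMPLE_FILES = {
    "config/settings.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN")\n'
        'DEPLOY_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}


def scan_text(path, text):
    """Return (path, line number, finding kind) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
    return findings


def scan_files(files):
    """Scan a mapping of path -> content, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_allowed(files):
    """Pre-commit policy: refuse the commit if anything looks like a credential."""
    return not scan_files(files)


if __name__ == "__main__":
    for path, lineno, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {kind}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Note that the line reading the token from the environment is not flagged: the goal is to push secrets out of the repository and into the environment or a secrets manager, not to ban the variable names. A scanner like this belongs in the pre-commit hook and in CI, alongside the platform's own secret scanning where the plan includes it.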

Military Device Comprising of Thousands of Peoples' Biometric Data Sold on eBay


The U.S. military last used its Secure Electronic Enrollment Kit (SEEK II) devices more than ten years ago, near Kandahar, Afghanistan. The bulky black rectangular device, used to scan fingerprints and irises, was switched off and put away.

That is, until Matthias Marx, a German security researcher, bought one on eBay for $68 in August 2022 (a steal, at about half the listed price). For less than $70, Marx had unintentionally acquired sensitive identifying information on thousands of people. According to a story by The New York Times, the biometric fingerprint and iris scans of 2,632 people were accompanied by names, nationalities, photographs, and extensive descriptions. 

From the war zone to the government equipment sale to the eBay delivery, it seems that not a single Pentagon official had the foresight to remove the memory card from the particular SEEK II that Marx ended up with. The researcher told the Times, “The irresponsible handling of this high-risk technology is unbelievable […] It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online.”  

According to the Times, the majority of the data in the SEEK II was gathered on people who the American military has designated as terrorists or wanted people. Others, however, were only ordinary citizens who had been detained at Middle Eastern checkpoints or even people who had aided the American administration. 

Additionally, all of that information could be used to locate someone, making the devices and the related data exceedingly hazardous if they ended up in the wrong hands. For instance, the Taliban may have a personal motive for tracking down and punishing anyone who cooperated with U.S. forces in the area. 

Marx and his co-researchers from the Chaos Computer Club (CCC), which claims to be the largest hacker group in Europe, purchased the SEEK II and five other biometric capture devices, all from eBay. The group then analyzed the devices for potential flaws, following a 2021 report by The Intercept about military technology seized by the Taliban. 

Although he had set out from the start to assess the risks associated with biometric devices, Marx was nonetheless alarmed by the extent of what he discovered. The Times reports that a second SEEK II purchased by the CCC, last used in Jordan in 2013, contained data on U.S. troops, likely gathered during training, in addition to the thousands of individuals identified on the SEEK II last used in Afghanistan.  

Attacks on the US Power Grid Reach a Record High

 

In 2022, assaults on the American power grid increased, and regional electric utilities are preparing their security systems for potential dangers. Politico reported that through August 2022 there had been 101 physical and digital attacks on the infrastructure that distributes power nationwide, the most since 2012. In 2021, 97 incidents were reported for the full year. 

A recent shooting attack on two substations in North Carolina, which left 45,000 people without electricity, and a violent attack on four substations in Washington, which left 14,000 people without power on Christmas Day, are not included in this year's data. According to Ben Dunsmoor, director of communications for Northern Electric, electric utilities are paying attention to these attacks.

“It’s not just weather anymore. There’s also that threat of those cyber attacks and physical attacks, and we do know that there are those attacks happening across the country and across the world. We are monitoring those and we do have different things in place to try and prevent some of those here in South Dakota,” said Dunsmoor.

According to Dunsmoor, Northern Electric has backup procedures and monitoring systems in place in case of physical assaults.

“A lot of our systems are monitored on a regular basis to ensure that if there’s anything done, we can catch whoever would do that, but also to catch that immediately so that there are limited power interruptions. We also have a lot of redundancy on the grid so that if there is an interruption or some damage is caused, that we can reroute power and get power back up as quickly as possible,” said Dunsmoor.

In addition to keeping an eye on systems for physical assaults, Northern Electric provides its staff with in-depth training to fend off cyberattacks.

Dunsmoor added, “We do a lot of training, a lot of regular training throughout the year with our employees to make sure that they’re our human firewall to prevent some of these attacks here at home.”

NorthWestern Energy also invests in extensive security. The following statement was given to Dakota News Now by NorthWestern Energy Public Relations Specialist Jo Dee Black:

“The safety of our customers and our employees is our priority, which includes our investments in physical and cyber security. We work with our peer energy providers to continuously monitor and prepare for threats to the grid and other infrastructure.”

Dunsmoor stated that attacks on the power supply have significant consequences.

“The consequences of a cyber attack are huge. Not only could it impact something as far as the power grid or power supply, but also, we’ve got a lot of member data with our billing and those type of things. We take it very seriously and try to protect the cooperative and our members the best way we can,” said Dunsmoor.

Data Security can be Enhanced Via Web Scraping

Web data helps security professionals understand potential weaknesses in their own systems, threats originating from other organizations' networks, and prospective threats arriving via the World Wide Web. 

In practice, this body of public Web data is used to run automated tests that can detect the presence of malware, phishing links, various types of fraud, information breaches, and counterfeiting schemes.

Web scraping: What is it?

Web scraping is the automated collection of large volumes of data from websites. Most of this data is unstructured and presented as HTML; it is transformed into structured data in a spreadsheet or database so that it can be used in a variety of applications.

Approaches include using online services, specific APIs, or even writing one's own scraping code from scratch. The company doing the scraping knows which sites to visit and which information to collect. Many big websites, including Google, Twitter, Facebook, and StackOverflow, offer APIs that let users access their data in a structured manner. 

How Do Web Scrapers Operate?

Web scrapers can extract all the data from specified websites or only the precise data a user requires. If you wanted to find out what kinds of peelers were available, for instance, you might scrape an Amazon page, but you might only need information on the various peeler models and not the customer feedback.

So when a web scraper sets out to scrape a website, it is first given the URLs. It then loads all of the HTML code for those pages; a more sophisticated scraper might also fetch the CSS and JavaScript. The scraper then extracts the required data from the HTML and outputs it in the format the user has chosen. The data is typically stored as an Excel spreadsheet or a CSV file, but other formats such as JSON are also possible.
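The peeler example above, as an added example that is not part of the original post: a minimal scraper built only on Python's standard-library HTML parser. It takes a constructed product listing (standing in for a fetched results page), keeps the model names and prices while ignoring the customer reviews, and writes the structured result out as CSV and JSON, the two output formats the text describes. The HTML structure and class names are assumptions for the example.

```python
import csv
import io
import json
from html.parser import HTMLParser

# Constructed product-listing HTML standing in for a fetched results page.
# In a real run the page would come from urllib.request.urlopen(url).read().
SAMPLE_HTML = """\
<html><body>
<ul id="results">
  <li class="product"><span class="name">Swivel peeler</span>
      <span class="price">$7.99</span>
      <p class="review">Great grip, five stars</p></li>
  <li class="product"><span class="name">Y peeler</span>
      <span class="price">$5.49</span>
      <p class="review">Blade dulled quickly</p></li>
</ul>
</body></html>
"""


class ProductParser(HTMLParser):
    """Pull name and price out of each <li class="product">; reviews are ignored."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._current = None   # row being built, or None outside a product
        self._field = None     # span field currently being read

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class", "")
        if tag == "li" and cls == "product":
            self._current = {"name": "", "price": ""}
        elif tag == "span" and self._current is not None and cls in ("name", "price"):
            self._field = cls

    def handle_data(self, data):
        if self._field is not None:
            self._current[self._field] += data.strip()

    def handle_endtag(self, tag):
        if tag == "span":
            self._field = None
        elif tag == "li" and self._current is not None:
            self.rows.append(self._current)
            self._current = None


def scrape_products(html):
    """Return one {'name', 'price'} dict per product found in the HTML."""
    parser = ProductParser()
    parser.feed(html)
    parser.close()
    return parser.rows


def price_to_number(price_text):
    """'$7.99' -> 7.99, so the structured output can be sorted and compared."""
    return float(price_text.replace("$", "").replace(",", ""))


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "price"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def to_json(rows):
    return json.dumps(
        [{"name": r["name"], "price": price_to_number(r["price"])} for r in rows],
        indent=2,
    )


if __name__ == "__main__":
    rows = scrape_products(SAMPLE_HTML)
    print(to_csv(rows))
    print(to_json(rows))
```

The parser is deliberately narrow: it only collects the two fields it was told to, which is the "precise data that a user requires" case from the text. A real crawler would add the fetch step, rate limiting and a check of the site's robots.txt and terms before it ever reaches this parsing stage.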

Cybersecurity Via Web Scraping

1. Monitoring for Potential Attacks on Institutions

Security teams at some of the top firms use open Web data collection networks to acquire data on potential online threat actors and to analyze malware. 

Additionally, they continuously and automatically check the public domain for potentially harmful websites or links using Web scraping techniques. For instance, security teams can instantly recognize several phishing websites that aim to steal important customer or business data like usernames, passwords, or credit card information.
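As an added example (not code from the original post), the scraping steps described above, loading a page's HTML and extracting the needed data into a structured output, applied to the phishing-monitoring case: the Go program below pulls every form out of a constructed sign-in page, records which fields it collects and where it submits them, and flags forms that ask for a password but post it to a host other than the page's own. All hosts and the page content are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Page is a scraper's starting point: the URL it was given and the HTML it
// loaded from there. The sample further down is constructed so this runs offline.
type Page struct {
	URL  string
	HTML string
}

// FormRecord is the structured record produced for one <form> on the page.
type FormRecord struct {
	Action       string   `json:"action"`
	ActionHost   string   `json:"action_host"`
	Fields       []string `json:"fields"`
	HasPassword  bool     `json:"has_password"`
	PostsOffSite bool     `json:"posts_off_site"`
}

var (
	formRe  = regexp.MustCompile(`(?is)<form\b([^>]*)>(.*?)</form>`)
	inputRe = regexp.MustCompile(`(?is)<input\b([^>]*)>`)
	attrRe  = regexp.MustCompile(`(?i)([a-z-]+)\s*=\s*"([^"]*)"`)
)

// attrs turns the attribute text of a tag into a map with lower-cased keys.
func attrs(tag string) map[string]string {
	m := map[string]string{}
	for _, kv := range attrRe.FindAllStringSubmatch(tag, -1) {
		m[strings.ToLower(kv[1])] = kv[2]
	}
	return m
}

// ExtractForms turns every form in the loaded HTML into a FormRecord. Relative
// actions are resolved against the page URL, and a form that collects a
// password but submits it to a host other than the page's own is flagged.
func ExtractForms(p Page) ([]FormRecord, error) {
	base, err := url.Parse(p.URL)
	if err != nil {
		return nil, err
	}
	var out []FormRecord
	for _, f := range formRe.FindAllStringSubmatch(p.HTML, -1) {
		action, err := base.Parse(attrs(f[1])["action"]) // "" resolves to the page itself
		if err != nil {
			return nil, err
		}
		rec := FormRecord{Action: action.String(), ActionHost: action.Hostname()}
		for _, in := range inputRe.FindAllStringSubmatch(f[2], -1) {
			ia := attrs(in[1])
			if name := ia["name"]; name != "" {
				rec.Fields = append(rec.Fields, name)
			}
			if strings.EqualFold(ia["type"], "password") {
				rec.HasPassword = true
			}
		}
		rec.PostsOffSite = !strings.EqualFold(action.Hostname(), base.Hostname())
		out = append(out, rec)
	}
	return out, nil
}

// SuspiciousForms keeps the records a monitoring team would want to review:
// forms that ask for a password but send it somewhere other than the visited site.
func SuspiciousForms(recs []FormRecord) []FormRecord {
	var out []FormRecord
	for _, r := range recs {
		if r.HasPassword && r.PostsOffSite {
			out = append(out, r)
		}
	}
	return out
}

// Constructed sample: a look-alike sign-in page (hypothetical hosts) whose
// login form ships the credentials to an unrelated collector host.
const samplePage = `<html><body>
<form action="https://collector.example.net/grab" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form action="/search">
  <input type="text" name="q">
</form>
</body></html>`

func main() {
	recs, _ := ExtractForms(Page{URL: "https://login.example-bank.test/", HTML: samplePage})
	// The "output in the chosen format" step: JSON, here only the suspicious forms.
	out, _ := json.MarshalIndent(SuspiciousForms(recs), "", "  ")
	fmt.Println(string(out))
}
```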

2. Scraping the Web for Cybersecurity 

A variety of cybersecurity companies use Web data collection to evaluate the risk of fraud and viruses that various domains pose. To assess that risk properly, a firm can use it to visit a potentially harmful website as a 'victim' or legitimate user would, and observe how the site targets an unwary visitor. 

3. Analysis and Reduction of Threats

Public Web data collecting networks are used by threat intelligence companies to get information from a variety of sources, including blogs, public social media channels, and hackers, in order to find fresh information on a range of potential dangers. 

The insights derived from this Web data collection are then disseminated to a wide range of customers who want to strengthen their own system security.

Despite being widely used in business, even lawful web scraping remains a touchy subject. This is most evident where personal information is scraped. Users of LinkedIn, for instance, are actively advertising their personal details, since the platform essentially functions as a professional CV showcase. Having those details gathered in bulk, compiled, and sold to strangers is far less desirable.

An organization's visibility and capacity to respond to online threats across the large online terrain in real-time are both improved by integrating with Web data collecting networks.

The Risks of Stockpiling Personal Data

Data is priceless, but gathering it in one place can be risky: it suddenly becomes a tremendously valuable resource that bad actors, cyber criminals, and threat actors are eager to get hold of. That is particularly true when businesses store more data than they actually need. 

Security agencies have been aware of this phenomenon for a long time, and it has now become a critical priority for regulators and policymakers. 

In this regard, Paul Warren-Tape, Head of Operations for ID verification leader OCR Labs Pty Ltd., says, “Looking at the Optus attack, this was a big concern because fraudsters were using stolen PII (personally identifiable information) to try and commit identity crime […] We need to understand why a telco stores copies of people’s identity documents in the first place, as to provide ongoing services they only need to know a person’s name, address and their contact details.” Warren-Tape further notes that the Medibank breach is also “deeply concerning.”

“The concerns relate to organizations not having a clear understanding of their complete data footprint, including: what do they hold, should they even be holding that information, where is it held and who else is holding it, is it all secure?” 

According to Warren-Tape, every organization, especially those at the top of their markets, is starting to consider the bare minimum of data it should retain after confirming a person’s identity.  “They’ve obviously got regulatory requirements to verify the identity of their customers. And I think they’re subsequently holding on to copies of identity documents to demonstrate they’ve performed an identity check for audit and regulatory compliance purposes.” 

“And another reason is because prior to the raft of breaches information has been perceived as wealth, not risk,” he further said. “But holding that information opens them up to be honeypots for certain attacks, and health insurance companies may not be as well versed about cyber risks as, say, the banks are.” 

Moreover, Warren-Tape notes that banks in Australia have a higher security posture, are more experienced and cyber-aware but cannot rest on their laurels, as the threat landscape is continually evolving.  

Support King, Banned by the FTC, Is Linked to a New Phone Spying Operation

A TechCrunch investigation has shown that the notorious phone spying company SpyFone is back in business, a year after the Federal Trade Commission banned it.  

The groundbreaking FTC order banned the stalkerware app SpyFone, along with its parent company Support King and its chief executive Scott Zuckerman, from the surveillance industry. The regulator's five sitting commissioners unanimously approved the order, which also required Support King to retrieve the phone data it had wrongfully obtained and to inform victims that its software had been covertly placed on their devices.  

What is Stalkerware? 

Stalkerware, or spouseware, refers to apps that are covertly installed by someone with physical access to a person's phone, frequently under the guise of family tracking or child monitoring. These apps are designed to stay hidden from the home screen while silently uploading the phone's contents, including text messages, photos, browsing history, and precise location information.  

Several stalkerware apps, such as KidsGuard, TheTruthSpy, and Xnspy, also have security flaws that expose the private data of thousands of people to further risk. 

Among them is SpyFone, whose unprotected cloud storage server leaked private information taken from more than 2,000 victims' phones. That leak led the FTC to launch an investigation and ultimately to ban Support King and its CEO Zuckerman from providing, distributing, promoting, or otherwise aiding the sale of spy apps. 

Since then, TechCrunch has received further tranches of data, including data from the internal servers of the stalkerware programme SpyTrac, which is operated by developers associated with Support King.  

Find Out if Your Email Address Is Being Sold on the Dark Web

Almost everybody uses email. If your private information, such as your email address, turns up on the dark web, you have probably been caught in a data breach. There are numerous ways to sell and use your personal information.  

The dark web is the portion of the Internet that is hidden and inaccessible with a standard web browser. Its material is encrypted and requires special means to access. The most popular way in is Tor, a program that masks IP addresses and locations. Hackers can easily buy and sell identity-related information on the dark web, including credit card data, Social Security numbers, medical records, passports, etc. 

How to search for your email on the dark web

1. Launch a computer scan

Unusual or suspicious activity is a sure sign that your email account has been hijacked, so scan your computer for malware. For instance, if you find that your recovery email address or phone number has changed, it is very likely that your account has been hijacked. 

2. Search Have I Been Pwned

You can use the website Have I Been Pwned to determine whether your data has been exposed in a breach. The free tool searches the internet for database dumps and collects what it finds.

3. Employ a password manager

The entire objective of password managers is to assist users with all aspects of password management. A built-in password generator is typically included with password managers, allowing you to create complicated, secure passwords right away. 

4. Make use of two-factor authentication

A hacker will have a much harder time gaining access thanks to the additional layer of security provided by two-factor authentication. 

After providing your usual credentials, you must confirm the login attempt. Usually you receive a text message with a random code that you must enter to access your account. This way, even someone who knows your email address and password cannot get into your accounts.  

In some circumstances, opening a new email account could be the best and safest choice. From social media to banking, disconnect all of the accounts from the compromised address and link them to a new one.  

Users ought to use more than one email account to achieve optimal security. Decentralizing your online presence and protecting your devices from cyber risks can be accomplished in large part by setting up distinct accounts for work, banking services, social networking, and newsletter subscriptions. Users must ensure they are aware of cybersecurity fundamentals because maintaining online safety takes more than just securing their email account.

Another Top Password Manager is Doing Away with Passwords

The open-source password manager Bitwarden has announced that it is going passwordless, to make access to users' Bitwarden vaults easier and faster. Bitwarden is highly secure, comes with a wide range of extra features, and provides that security at a low price. 

Also, Bitwarden is a zero-knowledge password manager, which means no one from the company can access or view the information you store in your Bitwarden vault at any time. 

The security tools offered by Bitwarden are on par with what users would expect from a premium password manager, including strong encryption, two-factor authentication (2FA), password security auditing, password breach monitoring, and options to host it either on a cloud service or locally. It is also equipped with a unique Send feature, which allows you to securely send sensitive information and files to non-Bitwarden users while remaining private. 

It lets you keep unlimited passwords across unlimited devices, and it is one of the few password managers that allow this even on its free plan. This makes it a wise choice for anyone trying to manage their passwords. 

Bitwarden explained in a press release that the update to its device authentication mechanism allows users to approve a login using their mobile device. This is done by exchanging a public and private key between the website's vault and a recognized, authorized device, and it is designed to help prevent fraud and identity theft. 

Password-less Bitwarden

Bitwarden is a member of the FIDO Alliance and is one of the many companies working to improve the security of passwordless logins as part of this move. The system is designed to reduce phishing and hacking scams to a minimum. 

A recent in-house survey conducted by Bitwarden is supportive of Bitwarden's commitment to the Alliance. According to the study, "nearly half of companies plan to deploy passwordless technologies shortly," with security being a key driver behind the move. 

According to 1Password, a password management software program, almost half of employees share passwords, putting their credentials at risk. The decision to make logins more personal and to move away from password-reliant systems may be the welcome news that many organizations have been waiting for. 

DuckDuckGo has announced that Bitwarden has been selected as the "first external password manager solution" to be integrated into Apple's next-generation Safari browser on macOS devices, continuing its work to ensure that users' privacy remains protected. 

Passwordless logins are becoming increasingly popular since Apple and Google showcased them at events in the past two years. Consumer interest in them has grown, but few companies have added support for them. PayPal, one of the most popular online payment systems, is now offering the updated type of authentication on its website and app. 

Companies Use Email Tracking to Spy on Users

A line of code added to an email message creates a square image measuring 1 pixel by 1 pixel, called an email tracking pixel. Because tracking pixels are usually transparent and placed somewhere inconspicuous in the header or footer of the email, the recipient is not immediately aware that they are there. 

Opening the email causes that tiny image to load in your browser or mail application. When it does, the image pings the server where it is stored. Google, Outlook, and Apple email clients all have built-in protections that stop advertisers from following users around with these covert pixels. 

Remarketing pixels, which show user-tailored advertisements across the Internet, are examples of tracking pixels in emails that perform more sophisticated, strategic tasks. 

Users never actually see the tracking graphic, for two reasons: it is tiny, and because it is a GIF or PNG, the business can keep it transparent and invisible to the naked eye. 

According to research, advertisers and other malicious actors may be able to link your email activity with your browser cookies by correlating your location and device details. Hackers can then track you anywhere you go online, tie your email address to your internet history, and more, which creates a terrifying scenario. 

How to prevent email tracking 

Block all images included in emails, even if that means family photos no longer load instantly:
  • Gmail: in the image settings, choose "Ask before viewing external images".
  • Outlook: go to Options, then the Trust Center, then Automatic Download, and enable blocking of external images.
  • iPhone and iPad: in Settings, open Mail, go to the Privacy section and turn on Protect Mail Activity. Alternatively, enable Hide IP Address and disable all remote content.
There are other ways to make your email experience more private. Consider routing all of your internet activity through a VPN connection, or use a private relay email address that strips the trackers from a message before you open it. 
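Added example, not code from the original article: a Go scan over a constructed HTML email that applies the characteristics described above (tiny or hidden remote images, recipient-specific tokens in the image URL, images served from a third-party host) to flag tracking pixels, and then strips them the way a cleaning relay would. The sender domain and tracker hosts are hypothetical, and the parameter-name pattern is a heuristic; the same checks apply to tracking pixels embedded in web pages.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// PixelFinding describes one remote image that behaves like a tracking pixel.
type PixelFinding struct {
	Src     string
	Host    string
	Reasons []string
}

var (
	imgRe  = regexp.MustCompile(`(?is)<img\b[^>]*>`)
	attrRe = regexp.MustCompile(`(?i)([a-z-]+)\s*=\s*"([^"]*)"`)
	// Heuristic: a query parameter whose name looks like a per-recipient identifier.
	tokenRe = regexp.MustCompile(`(?i)(^|&)[a-z_]*(id|uid|token|rcpt|recipient|email|track)[a-z_]*=`)
)

// attrs turns the attribute text of a tag into a map with lower-cased keys.
func attrs(tag string) map[string]string {
	m := map[string]string{}
	for _, kv := range attrRe.FindAllStringSubmatch(tag, -1) {
		m[strings.ToLower(kv[1])] = kv[2]
	}
	return m
}

// classify inspects one <img> tag. senderDomain is the domain the message claims
// to come from; an image served from anywhere else is noted as a further signal.
func classify(tag, senderDomain string) (PixelFinding, bool) {
	a := attrs(tag)
	u, err := url.Parse(a["src"])
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return PixelFinding{}, false // inline data: images cannot phone home
	}
	var reasons []string
	if w, h := strings.TrimSpace(a["width"]), strings.TrimSpace(a["height"]); (w == "0" || w == "1") && (h == "0" || h == "1") {
		reasons = append(reasons, "1x1 image")
	}
	style := strings.ReplaceAll(strings.ToLower(a["style"]), " ", "")
	if strings.Contains(style, "display:none") || strings.Contains(style, "visibility:hidden") {
		reasons = append(reasons, "hidden by CSS")
	}
	if tokenRe.MatchString(u.RawQuery) {
		reasons = append(reasons, "recipient-specific token in URL")
	}
	host := strings.ToLower(u.Hostname())
	if sd := strings.ToLower(senderDomain); host != sd && !strings.HasSuffix(host, "."+sd) {
		reasons = append(reasons, "served from third-party host")
	}
	if len(reasons) == 0 {
		return PixelFinding{}, false
	}
	return PixelFinding{Src: a["src"], Host: host, Reasons: reasons}, true
}

// FindTrackingPixels reports every image in an HTML email body that looks like a tracker.
func FindTrackingPixels(body, senderDomain string) []PixelFinding {
	var out []PixelFinding
	for _, tag := range imgRe.FindAllString(body, -1) {
		if f, ok := classify(tag, senderDomain); ok {
			out = append(out, f)
		}
	}
	return out
}

// StripTrackingPixels removes the flagged images, as a relay that cleans mail
// before delivery would; images that were not flagged are left untouched.
func StripTrackingPixels(body, senderDomain string) string {
	return imgRe.ReplaceAllStringFunc(body, func(tag string) string {
		if _, ok := classify(tag, senderDomain); ok {
			return ""
		}
		return tag
	})
}

// Constructed sample message from the hypothetical sender domain shop.example.
const sampleEmail = `<p>Hello Alex, here is your receipt.</p>
<img src="https://cdn.shop.example/logo.png" width="200" height="60" alt="Shop">
<img src="https://track.mailmetrics.example/open?rcpt=alex%40example.org&cid=7781" width="1" height="1" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" width="1" height="1">`

func main() {
	for _, f := range FindTrackingPixels(sampleEmail, "shop.example") {
		fmt.Printf("%s (%s): %s\n", f.Src, f.Host, strings.Join(f.Reasons, ", "))
	}
}
```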

How Tracking Pixels are Collecting Personal Data, 5 On Your Side Reveals

Have you shopped online for Christmas, only to have advertisements for similar items follow you around the web for days? 

This is no coincidence: you are being tracked, and it is not a virus or malware doing it, but the companies and applications deceiving you. 

A recent report found that the personal and protected medical data of thousands of local patients may have been exposed to Facebook by a tracking pixel. 5 On Your Side reveals the details of this pixel and what else it may be set to expose about the victims. 

Alex Ondrick is one of the WakeMed patients who received a letter from the hospital this October. The letter apparently mentioned that some of his medical information may have been exposed on Facebook.

"Interestingly, my mother also got the letter, my step-dad got the letter, several of my friends also got the letter," Ondrick said. 

According to the news outlet The Markup, WakeMed and Duke University Hospital were found to be using the Meta Pixel, a tracker, on their websites. The pixel in question is like one of the millions of pixels that make up an image on your television or computer screen. 

"Those pixels can also be used to house code, to house information […] In this particular case, it’s a very unique piece of code that takes information regarding whoever is using that website at the time, and sends that back to the web server of whoever is implementing that. In the case at hand, it’s Meta or Facebook," says Former CIA Cyber Threat Analyst Clark Walton. 

Walton further tells 5 On Your Side that the code can gather detailed information about your browsing habits, user preferences and what you click on. The owner of the pixel, such as Meta, gets that raw data. The information is then reduced to marketing data and forwarded to the website's owner. 

"The technology is not specific to Meta, certainly could be anybody," Walton said. 

The pixels present on websites come in various kinds and are used by organizations of all sizes. They are invisible, and unlike “cookies,” you cannot block them. 

"There’s not necessarily, to my knowledge, a way to opt out of if you go to a private website that’s using that pixel technology," Walton added. 

5 On Your Side asked both Duke Health and WakeMed for interviews on the subject; neither agreed. 

Duke Health officials sent a statement stating, “Duke University Health System values the privacy of its patients’ medical information. DUHS has investigated the use of the Meta Pixel on our website and patient portal and has determined that DUHS did not transmit its patients’ protected health information to Meta. We continue, however, to study the issue and may share additional information if and when appropriate given pending litigation and ongoing external investigations into these matters.” 

WakeMed, on the other hand, said that it had communicated directly with individuals who might have been affected and had dedicated a phone line and email address to handle any further inquiries or concerns.  

Financial Institutions are More Vulnerable to Unintentional Data Leakage

Netwrix has released additional findings from its global 2022 Cloud Security Report for the financial and banking sectors. Financial institutions are much more concerned than the other industries surveyed about users who have legitimate access to their cloud infrastructure.

Indeed, 44 percent of respondents in this sector believe their own IT staff is the greatest threat to cloud data security, while 47 percent are concerned about contractors and partners, compared to 30 percent and 36 percent, respectively, in other verticals surveyed. 
“Financial organizations experience accidental data leakage more often than companies in other verticals: 32 percent of them reported this type of security incident within the last 12 months, compared to the average of 25 percent. This is a good reason for them to be concerned about users who might unintentionally expose sensitive information. To address this threat, organizations need to implement a zero-standing privilege approach in which elevated access rights are granted only when they are needed and only for as long as needed,” comments Dirk Schrader, VP of security research at Netwrix.

“Cloud misconfigurations are another common reason for accidental data leakage. Therefore, security teams must continually monitor the integrity of their cloud configurations, ideally with a dedicated solution that automates the process.”

Phishing is the most common type of attack reported across all sectors. However, 91 percent of financial institutions say they can detect phishing within minutes or hours, compared to 82 percent of respondents in other verticals.

“Even though financial organizations detect phishing quickly, it is still crucial for them to keep educating their personnel on this threat because attacks are becoming more sophisticated,” adds Schrader.

“To increase the likelihood of a user clicking a malicious link, attackers are crafting custom spear phishing messages that are directed at the person responsible for a certain task in the organization and that appear to come from an authority figure. Regular staff training, along with continuous activity monitoring, will help reduce the risk of infiltration.”

Google Play Protect Shields Users From Cyberattacks

All of the leading Android devices use Google Play Services as a key component. It serves as a link between the Android OS and apps, mostly Google's own apps and those from other developers that make use of Google authentication, cloud services, and the Game Dashboard.

Google Play Protect is a security feature built into the official Google Play store that protects Android users from serious cyberattacks.

According to a security notice from Google, "Google Play Protect removes apps that have been marked as potentially hazardous because the app actually contains malicious behavior, not only because we are unsure if the app is harmful or not."

Before allowing you to download an app, the feature verifies its security. Malicious sites, by contrast, try to deceive users into manually installing infected files by inviting them to download phoney security tools or updates.

Researchers detected four malicious apps:
  • Bluetooth App Sender
  • Bluetooth Auto Connect
  • Driver: Bluetooth, USB, Wi-Fi
  • Mobile Transfer: smart switch
Together, the applications have been downloaded more than a million times, and they pose a significant danger of identity theft and scams.

"These apps offer capabilities that consumers desire, such as device rooting and other developer features. Users knowingly install these potentially hazardous apps," as per Google.

Essentially, Google Play Protect issues a warning about an app's possible dangers when a user starts to install an app that Google has categorized as 'user-wanted.' If the user decides to install the program anyway, Google sends no further warnings.

Main functions of Google Play Protect:
  • Verifies the security of downloaded programs from the Google Play store.
  • Detects potentially hazardous programs outside the Google Play store.
  • Warns you about hazardous applications.
  • Removes or disables unwanted applications.
  • Alerts you to apps that break the rules by hiding or making false representations of themselves.
  • Sends you privacy alerts about applications that may request access to your personal information.
  • Resets an app's permissions to protect your privacy.
Google stated in its security note that "after installation, the user-wanted classifications restrict Google Play Protect from delivering additional warnings, so there is no disturbance to the user experience."

The Google Play Services platform also enables Google to push Project Mainline modules, allowing your device to receive security upgrades without having to wait for the producer to release them.

An Online Date Led to an Inquiry into 'Systemic' Failures at American Express

Last summer, John Smith* had just returned to Sydney after more than a decade abroad when he met someone online. He began chatting with a man named Tahn Daniel Lee on the dating app Grindr. Lee was undergoing treatment for COVID at the time, so they communicated online for a few weeks before meeting in Sydney's Surry Hills for their first date - a Japanese dinner followed by Messina ice cream. The date would be one of many in a relationship that progressed quickly before taking a dark turn when Smith began to suspect Lee was watching his bank accounts.

The Age and The Sydney Morning Herald can disclose that American Express, one of the world's largest financial companies, would not only dismiss Smith's initial complaint without proper investigation but would also provide misleading information during an external inquiry. It comes after two major ASX-listed companies, Optus and Medibank, revealed sensitive identification and health data to criminals, igniting a national debate about how to best deal with emerging cyber threats.

The "insider threat," according to cybersecurity experts, is a major risk, and the Privacy Commissioner's inability to penalize companies that violate the law has created a culture of impunity among corporate Australia.

“Because, what is the recourse? Businesses just aren’t doing the risk management that’s required. The tone starts from the top,” says former Australian Federal Police investigator turned cyber expert Nigel Phair.

Smith's first impression of Lee was his charming smile, and the relationship developed quickly. Lee worked as a relationship manager for American Express Centurion, an exclusive club for black cardholders who spend at least $500,000 per year.

Smith had a platinum American Express card from living in the United States, but Lee suggested he sign up in Australia so he could illustrate how to maximize the benefits. He consented and began using American Express as his primary banking card shortly thereafter. After a series of comments about items Smith had purchased, places he had been, or payments he had made, he became skeptical that Lee was watching his transactions.

“I asked him how he was able to do this without my consent or authority (one-time pin etc), and he replied, ‘because the system is completely open, I have god mode’,” Smith wrote in a complaint later filed with American Express.

Smith has autism, and while he is classified as "high functioning," he occasionally struggles to recognize inappropriate behavior. He noticed "warning signs" about Lee but ignored them while traveling to Hawaii and Hamilton Island with his new partner, he claims.

During one of these trips, Smith became uneasy with the manner in which Lee discussed his clients' affairs, including major food distributor Primo Foods, which he claimed siphoned millions of dollars to the Cayman Islands. Lee later texted, "FYI, everything I tell you about work is highly confidential." 

By April, he had attempted to end the relationship and had warned Lee that he would report his behavior to American Express. Lee reacted negatively to this. He begged Smith to continue the relationship and, at one point, called Smith's close friend out of the blue to persuade her not to file a complaint. This was the breaking point. He was hell-bent on reporting Lee.

Amex: ‘No inappropriate access’

At the same time, another American Express employee noticed unusual activity on Smith's account. Lee was subjected to an internal investigation, which swiftly cleared him of any wrongdoing. On May 26, the company wrote to Smith, claiming Lee was not in a position to access his account and, in any case, there was training and processes in place to protect customer data.

Unconvinced, Smith asked American Express to confirm that Lee's access to his account had been blocked and reported the Primo Foods discussions. Smith claims that the following week, during a phone call, he was told that if Lee had looked at his account, it was no big deal because they were partners, and discussing Centurion's clients was also no cause for concern.

Smith filed a complaint with the Privacy Commissioner, who directed it to the Australian Financial Complaints Authority. AFCA immediately requested a meeting with American Express to verify that Lee had lost the rights to Smith's account.

The company's response was quick, but it turned out to be incorrect.  “We confirm that the employee has no access to [Smith]’s account,” Amex responded.

In subsequent letters between AFCA, Smith, and American Express, the company continued to imply that there had been no inappropriate access or violation of privacy laws. Until the plot shifted. In August, three months after Lee's suspicious activity was discovered, Smith was notified by American Express that Lee had indeed accessed his personal information.  

Lee accessed Smith's private account nine times between February and April of this year, according to digital access logs. American Express then stated that while it was impossible to prevent Lee from accessing the account, he would be disciplined and the account would be monitored to ensure no further intrusions.

“American Express is unable to practically restrict American Express employees from being able to access any specific Card member data. We acknowledge that [Smith] feels uncomfortable with his previous partner access to his personal information and have made every effort to implement controls to further protect his data,” the company wrote in a letter.

In a final decision issued this month, AFCA determined that American Express violated privacy laws by letting Lee access Smith's accounts without authorization both before and after the relationship. It awarded Smith $2000 in damages but did not order an apology or absolve the company of any wrongdoing.

“I am satisfied the financial firm has investigated the matters raised by the complainant, and in the circumstances, it has responded appropriately,” AFCA found.

American Express declined to answer specific questions about how it investigated Smith's complaint or what action it took against Lee, but stated it maintains the "highest levels of integrity" and has cooperated with AFCA.

“Whilst they made a determination against us, they concluded that American Express had investigated and responded appropriately,” the company said. “We are satisfied that this matter poses no risk to the integrity of our systems. Protecting the privacy of our customers and the integrity of our systems remains our utmost priority.”

Current laws allow for fines of up to $2.2 million for each unauthorized access. The federal government is considering raising the penalty to $50 million per breach, which would mean that American Express could have faced penalties totaling $450 million for the nine breaches.

“Companies need to take this issue around unauthorized access to information more seriously because the penalties are significant,” CyberCX privacy law expert David Batch says. “But in reality, the Privacy Commissioner has historically not handed down those fines.”

Smith was informed in October that AFCA's systemic issues team had agreed to investigate American Express's handling of his case. This team investigates serious violations and systemic issues and has the authority to refer cases to other regulators, such as the Privacy Commissioner; however, its findings are not very transparent. AFCA was unable to comment on whether the promised investigation would be carried out.

According to Nigel Phair, Professor of Cybersecurity at the University of New South Wales, the "insider threat" is a major concern for businesses, where the actions of rogue employees can jeopardize the security of the entire organization.

He claims that the government's failure to implement harsh penalties on companies that mishandle their customers' data fosters a culture of impunity among Australian corporations.

For Smith, American Express and the system designed to hold companies accountable have let him down. He now makes a point of only using the card in ways that do not reveal his location. Requests for comment from Lee and Primo Foods were not returned.

*Not his real name. He asked that his identity be kept confidential.

To Support Passkeys, 1Password has Joined Passage

Passkey functionality, which enables users to securely log in to apps and websites without a password, will be made accessible to 1Password's customers by early 2023, the company announced.

Passkeys, which employ the WebAuthn standard developed by the FIDO Alliance and the World Wide Web Consortium, replace passwords with cryptographic key pairs that enable users to sign into accounts. These key pairs consist of a public key that can be shared and a private key that cannot be shared.

Setting up passkeys is also simple on Android phones and tablets, and on an iPhone or iPad. Besides extensions for various browsers, there are versions for Linux, Windows 11, and macOS Ventura. The point is that these platforms are beginning to favor the passkey over the password.

Next year, 1Password will add support for passkeys, enabling users to log in without a password. The company has also built an interactive demo so that even current users can see how the feature will operate once it is released.

Passkeys eliminate the need for a two-factor authentication code, and compared with passwords they are more resistant to phishing, to compromised credentials, and to brute-force attacks such as password spraying.

1Password claims that its version will have a few benefits over its rivals. Because it works with so many different operating systems, 1Password asserts that its passkeys are the only ones that support numerous devices and enable cross-platform synchronization.

The main benefits of passkeys, according to 1Password, are that they come with strong default encryption and do not need to be memorized because they are saved on the device, while the private key is kept private from the website being signed into. Furthermore, the private key cannot be deduced from the public key.

Passwordless technologies will change the world of authentication. For this to grow, the partnership must make it substantially simpler for businesses to integrate a safe, password-free authentication flow into their products.