Tag Archives: online security

Your money or your data!

The scene unfolds like a cyber thriller. You fire up your PC and a message appears saying your files have been encrypted. Your screen looks like it’s from the FBI. Sometimes it identifies itself as malware. Sometimes it’s a plain-text message. When you click around in your PC (assuming you still can), you find that your photos and text files are indeed unavailable.

The screen also asks for money. To get the key to unencrypt your files, you must pay, usually in some form of untraceable currency, such as bitcoin. In most cases, there’s a firm deadline when payment must be made. If you miss it, the fees shoot up. At some point, your files are permanently encrypted.

Welcome to the world of ransomware.

While this form of malware can slip into devices in any number of ways, phishing is probably the most common vehicle. Basically, bad guys send innocent-looking emails that ask recipients to click on a link or download an attachment. (Phishing is also used to ask for money directly.) A tiny piece of software infects the machine and goes about encrypting files before demanding cash. Sometimes the message pops up automatically. Sometimes there’s a time delay or a switch that lets hackers turn it on when it’s convenient to them.

And sometimes attacks are big and bold. Two assaults on major hospitals in the US, for instance, used multipronged ransomware infiltration to shut down key networks and records. But experts largely agree that most attacks are on individuals. Mass emailing allows criminals to take advantage of long-tail effects and the fact that many people would rather just pay a few hundred (or thousand) dollars to have their data – which many consider their life – returned to them than fight back through various law enforcement channels.

Data hostage taking is on the rise

Given the efficacy of ransomware, the number of attacks is set to grow. In its annual Threat Landscape report, published in January 2016, the European Union Agency for Network and Information Security (ENISA) characterizes 2015 as “the year of ransomware”. According to the study, the number of reported incidents nearly doubled in 2015 compared to 2014, with aggressive phishing campaigns a hallmark of many attacks. Targets tended to be in North America and Western Europe, as residents are perceived to have the money to pay.

ENISA also notes that 2015 was a year of innovation in ransomware development and deployment. The number of new ransomware types quadrupled in the first half of the year alone. Criminals have set up service centers, allowing the non-technical to buy crimeware-as-a-service, further expanding the reach of ransomware. And stealthier delivery methods are still being developed.

Do I know you? Did I ask for this?

Phishing is still the most common delivery method. Which is convenient, in a way, as there are some practical steps you can take to avoid getting scammed. Probably the most important is to maintain an online “stranger danger” mindset. If an email looks even the slightest bit suspicious, don’t open it. If it’s from someone you don’t know, don’t open it. If it says you’ve won the lottery, are being watched by some security agency, asks about an order (you did not make), or promises rewards in some other way, don’t open it. (Similar phishing attacks also appear on Facebook.)

For emails you’ve opened, if they include links or attachments you weren’t expecting or didn’t ask for, don’t click or download. If you feel that you must do either, reply to the sender (if you know them), and ask if they did indeed send you something. If you do not know the sender – delete the email.

And of course, you should build a fortress around your device. This is where AVG can help. We provide antivirus, link scanners, attachment and download checkers, enhanced firewalls, spam blockers, and file encryption to help keep your photos, videos, files, contacts, and devices safer. If you haven’t done so already, give us a try on your PC or Android phone.

Apple hires developer of World's Most Secure Messaging App

Apple is serious this time about enhancing its iPhone security to the point that even Apple itself cannot hack it. To achieve this, the company has hired one of the key developers of Signal — the world’s most secure, open source and encrypted messaging app.

Frederic Jacobs, who worked to develop Signal, announced today that he is joining Apple this summer to work as an intern in its CoreOS security team.

“I’m delighted to

Web Summit 2015 — security was a hot topic

200 startups gave their pitches at the Web Summit this year in Dublin. Over 2,100 startups participated, the vast majority of which had “poster board” displays and one or two eager founders giving their elevator pitch. That makes the Web Summit a welcome change to other conferences that typically rotate around industry giants.

Two messages seemed to pervade the conference this year: location and security. The “location” bit was the move of the Web Summit from Dublin to Lisbon next year. As you can imagine, this was a bit of a blow to the locals, and they could not stop talking about it.  Hopefully Lisbon imports Guinness and Jameson so that a little bit of Dublin carries over.

“Security” discussions seemed more prevalent than ever before. The recent breaches at TalkTalk and Ashley Madison were discussed over and over again…and the recent UK decision to store web histories for everyone for a year was a hot topic, as was the Safe Harbor European Court of Justice ruling. But, more than that, the need for both security and privacy was raised in almost every context: from publishing your web app to talking to IoT devices. The phrase “the Internet of unpatchable crud” was being thrown around often.  Interestingly, many of these conversations were underway before people learned that I was with AVG, and thus involved with security and privacy issues directly.

Further, a lot of the discussions focused around personal security, not just enterprise security. This is a change from a year ago, or even six months ago. This bodes well for AVG’s move into protecting people as well as devices and data.

AVG has been pushing something called “the law of least data” with IoT groups for a while now. The core idea is that data should be routed as directly as possible between entities. This augments the idea of “storing only required and essential data” that has been a mainstay of good data design for a long time. My canonical example is my thermostat talking to my furnace. While setting up the relationship between the two may require the cloud, the day to day control and feedback between the two should not have to leave my house (i.e., my local area network). Even if encrypted, an eavesdropper could probably tell when someone was at home based on the volume of traffic between the two. This is a simple idea, but an important one. When you extend that thinking to many connected devices, including those dealing with health and security, you can imagine the impacts of not respecting the “law of least data.” However, the business/capitalistic forces at work today mean that every vendor wants to backhaul all data to the cloud under the rubric of “data is the new currency.” This is a dangerous architecture and one that we should all be challenging.

Many people, when asked about their personal data leaking, have a fairly resigned attitude. They say, “it is not a big deal, and I get more personalized offers; I know the tradeoffs I am making.” I like to use a simple example to help people understand that seemingly innocuous data is still valuable and can be used in unexpected ways. If you are a serious cyclist, you will probably sign up for a bike ride sharing application. It is fun; you can compete against others as motivation and track your personal progress online. However, thieves also sign up for these services. Using the simple logic that users who ride the most often and the farthest probably have the most expensive bikes, thieves were able to steal bicycles easily using the location tracking data in the services. Again, you can extend this idea to all types of data to understand that, by default, we should be keeping our data safe and secure.

So, it was refreshing to see these, and other, security topics being actively discussed at the Web Summit. It bodes well for our industry that this is now top of mind.

 


Fake IRS claims: What happens when data falls into the wrong hands

Over the past 18 months we have witnessed monumental data breaches affecting tens of millions of users. As consumers, though, do we worry about what happens to our leaked data? Are attackers aggregating it with other sources? Are they applying for credit in our names or even using medical services?

We should be concerned, and the latest disclosure from the I.R.S. demonstrates what can be done when attackers gain access to our valuable personal information. Using Social Security numbers, dates of birth, home addresses and other personal information, cyber criminals have accessed over 100,000 past tax returns.

Once they have the past return, they can file a new return with new data including the refund destination account. As a result, the IRS issued $50 million in refunds before detecting the intrusion method.

Fraudulent tax claims are nothing new to the I.R.S. In 2013 the agency paid out a massive $5.8 billion in falsely claimed refunds. IRS spokesperson, John Koskinen, said “These are extremely sophisticated criminals with access to a tremendous amount of data.”

Cyber criminals have amassed a huge amount of data through the many data breaches but also through our own propensity to share our data without due consideration. The IRS has successfully put a stop to this particular form of attack, but with so much data available, it’s only a matter of time before the bad guys work out another way to make fraudulent use of it.

 

What can you do to protect against identity theft?

Avoid cold calls: If you don’t know the person calling, do not hand over payment or personal details. If in doubt, hang up and call the organization directly to establish that you are talking to legitimate operators.

Set privacy settings: Lock down access to your personal data on social media sites; these are commonly used by cybercriminals to socially engineer passwords. Try AVG PrivacyFix; it’s a great tool that will assist you with this.

Destroy documents: Make sure you shred documents before disposing of them as they can contain a lot of personal information.

Check statements and correspondence: Receipts for transactions that you don’t recognize could show up in your mail.

Use strong passwords and two-factor authentication: See my previous blog post on this; complex passwords can be remembered simply!

Check that sites are secure: When you are sending personal data online, check that the site is secure – there should be a padlock in the address or status bar, or the address should have an ‘https’ at the start. The ‘s’ stands for secure.

Updated security software: Always have updated antivirus software as it will block access to many phishing sites that will ask you for your personal data.

 

If you believe that you have been affected by a data breach, be sure to take out any identity protection service offered to you as compensation. These services scour the Internet looking for your data being misused or sold.

 

You can follow me on twitter @tonyatavg

 Title image courtesy of dineshdsouza