Category Archives: data privacy

Firefox 63’s Enhanced Tracking Protection

The newest update of Firefox – Firefox 63 – comes with a new feature called Enhanced Tracking Protection. This feature protects against privacy-invading cross-site tracking: it blocks cookies and storage access from the third-party cookies that are most commonly associated with privacy-harming behavior.

To enable this feature in your Firefox browser, enter your Privacy & Security settings and click on Content Blocking, then check the box labeled “Third-Party Cookies”.

The one downside to this feature is that it can cause some sites to crash. However, you can disable the blocking on a site-by-site basis.

Other new features coming with Firefox 63 include the ability to have the browser mimic the light or dark theme used by the operating system, and Siri shortcuts for Firefox on iOS (for you Apple fans).

Source: https://thenextweb.com/tech/2018/10/23/firefox-63-will-prevent-cookies-tracking-you-across-sites/

New Products Inviting Hackers to Get More of Your Information

At the beginning of February, the Top Secret Colonial officers hacked into a Furby Connect. Furby Connect is a children’s toy that is now on sale. These new Furbies have a new feature: a Bluetooth connection. While it seems like a cool new product, it is one of many children’s toys and new appliances that are putting your personal life in danger.

Most people do not realize that having all these products hooked up to Wi-Fi and Bluetooth basically gives anyone access to your home. While these new children’s toys may be convenient and an easy way to keep your child entertained, they store information every time they are used. Hackers can end up getting your mailing address, e-mail, internet history, your birthday and even the child’s birth date, video recordings and pictures of the child, or anything else. It is kind of like giving your child a camera that is recording the whole time and tracks everything you do. It is just like your cell phone: it is recommended that you wipe your whole phone once you are done with it. It is definitely something to think about when you are connecting any device to an unsecured network.

Don’t fall for this ‘highly effective’ Gmail scam

For several months, a phishing scam has been tricking Gmail users into sharing their passwords. Recently, the security company WordFence released an alert about this scam.

The attack starts when the attacker sends an email to the victim’s Gmail account. The email address of the “sender” usually belongs to someone that the victim knows; however, the sender’s account has already been compromised by the attacker. The email contains what appears to be an image for the victim to click on.

When the victim clicks on the “image”, they are taken to a new tab which prompts for their Gmail account information. Once the victim signs in on this page, their account is compromised. The attacker then has access to the victim’s emails and personal documents. Once the attacker has access to the victim’s account, they will use this account to send the scam to more victims.

What makes this scam “highly effective” is that it uses email addresses of people that the victim knows. Also, the fake Gmail sign-in page appears to be legitimate, containing the Google logo and normal entry fields for username and password.

In order to prevent yourself from becoming a victim of this scam, it is important to note the following:

  • Although the false attachment contains “accounts.google.com” in its URL, it also has “data:text/html” at the beginning, which is not found in a normal Gmail URL.
  • When signing into any service, you should check the browser bar to verify the protocol and hostname. The URL should begin with “https:” and there should be a green lock icon next to the URL.
  • Gmail users can also enable two-factor authentication or “2-step verification” to make their account more secure.
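The scheme and hostname check from the list above can be written out as code. This is an added example, not code from the post or from WordFence; the sample URLs are constructed, `example.net` is a placeholder, and the lookalike-host case goes slightly beyond the `data:` case the post describes.

```javascript
// Added example: check the scheme and hostname of a sign-in URL the way the
// list above tells a reader to check the browser bar.
const EXPECTED_HOST = "accounts.google.com"; // hostname named in the post

function checkSignInUrl(raw, expectedHost = EXPECTED_HOST) {
  const reasons = [];
  let url;
  try {
    url = new URL(raw.trim()); // WHATWG URL parser, same rules the browser uses
  } catch (err) {
    return { ok: false, scheme: null, host: null,
             reasons: ["not a parseable absolute URL"] };
  }
  const scheme = url.protocol.replace(/:$/, "");
  const host = url.hostname.toLowerCase();

  // 1. The scheme must be https. A data: URI renders content carried in the
  //    URL itself, so nothing after the scheme names a server at all.
  if (scheme !== "https") {
    reasons.push(`scheme is "${scheme}:", expected "https:"`);
  }
  // 2. The hostname must match exactly, not merely contain the expected name.
  if (host !== expectedHost) {
    reasons.push(host === ""
      ? "URL has no hostname at all"
      : `hostname is "${host}", expected "${expectedHost}"`);
    // 3. The trusted name appearing elsewhere in the string is the lure.
    if (raw.toLowerCase().includes(expectedHost)) {
      reasons.push(`"${expectedHost}" appears in the text but is not the host`);
    }
  }
  return { ok: reasons.length === 0, scheme, host, reasons };
}

// Constructed sample URLs (not taken from a real campaign).
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.net/ServiceLogin",
];

function runSamples() {
  return SAMPLES.map((u) => ({ url: u, ...checkSignInUrl(u) }));
}

for (const r of runSamples()) {
  console.log(r.ok ? "OK     " : "REJECT ", r.url);
  for (const why of r.reasons) console.log("         -", why);
}
```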

For more information: Don’t fall for this ‘highly effective’ Gmail scam and WordFence Article

Beware, iPhone Users: Fake Retail Apps Are Surging Before Holidays

In the past few weeks, there have been hundreds of fake retail and product applications in Apple’s App Store. The fake apps have pretended to be companies such as Dollar Tree, Foot Locker, Nordstrom, and Dillard’s. A company that tracks new shopping apps, Branding Brand, reported a large increase in these fake applications in the past few weeks.

The apps are being created to trick Black Friday shoppers into clicking them. Some apps seem to be harmless, just displaying pop-up ads whenever users click on them. Others, however, are dangerous because users can have their credit card information stolen if the app asks them to input it. Also, some of the apps can contain malware that can steal personal information and even lock the victim’s phone.

The fake apps came from developers in China; they were somehow able to get past Apple’s review process for new apps. Apple’s app screening process is less strict than Android’s; Apple focuses more on blocking malicious software and does not routinely examine the thousands of new apps that are sent to them every day. It is important for brands and companies themselves to search for and report these fake apps, similar to how they search for and report fake websites. Last week, however, Apple did remove hundreds of fake apps after an article was published about the apps. A spokesperson for Apple claims that they have set up ways for customers to report fake apps. In September, Apple started to look through their two million apps to remove fake and unnecessary ones. Despite this, new fake apps continue to appear.

A recent example of a fake app was one called Overstock Inc. – apparently named to let customers believe that it was the real company app for Overstock.com. The developer of the app is the Chinese company Cloaker Apps. The CEO of Cloaker, Jack Lin, claims that the company only provides the back-end technology for the apps; they do not investigate their clients. However, not even Cloaker is what it seems; the company’s website states that its headquarters is in the middle of Facebook’s campus in Menlo Park, California. When Jack Lin was first interviewed, he claimed that the company only had offices in China and Japan. When asked about the office in California, he claimed to have “tens of employees” there.

China is, by far, the biggest source of fake applications. Many of the fake apps have red flags to show that they are not real, including: nonsensical menus in broken English, no reviews, and no history of previous versions of the app. So far, thousands of individuals have apparently fallen prey to the newest fake apps. However, in most cases, no serious problems have occurred. The fake apps usually target companies either with no apps or multiple apps. Some have even used Apple’s paid search ads to put their fake apps at the top of the search results.

Fake apps on Apple are a new problem, occurring more commonly in the past few months. However, with Black Friday soon approaching, it is important to remember to check the applications that you are planning to download. Also, if possible, try to use alternative methods to applications that ask for banking or personal information. For example, try to use the company’s website on your laptop or computer; also, remember to check the security on the website itself. Criminals are obviously going to take advantage of whatever situation becomes available to them. Therefore, you should always be careful of what you click or download on your phone or computer.

Article Link: Beware, iPhone Users

Internship Opening with Dominion Energy (Richmond, Virginia)

There is currently an internship opening in the Richmond, Virginia office of Dominion Energy Company in their Computer Forensics department. This opening is for Criminology and Computer Science students. The intern will be responsible for working with Dominion’s Security Computer Forensic specialist in various facets of the security field. Assisting with research and analyzing automated systems are two key components of the position, along with processing electronic storage devices for evidentiary reasons.

The qualified candidate will fulfill the following requirements:
  • General knowledge and understanding of security concepts, and sophisticated security technologies, to support computer forensics.
  • Experience with the following operating systems is preferred: DOS, Macintosh, Linux, Android, and MS Windows.
  • Experience with office products such as Word, Outlook, Powerpoint, Access, Excel, email is highly preferred.
  • Consistent demonstration of strong, critical thinking and decision making skills, applied in a security environment.
  • Ability to assess security incidents and take appropriate action.
  • Demonstrated ability to manage the flow of sensitive information.
  • Ability to coordinate and manage multiple work processes.
  • Experience with Encase Forensic Software, Encase, FTK, Autopsy, Magnet is a plus.

NOTE: A valid driver’s license is also required for potential candidates.

Interested candidates can find application information at: https://www.myinterfase.com/rmu/Job/Detail/Ly9DOEN5eUhZdG9WVGJ3bzNERDJtdjlaUjZGc2lHYWY3NVB4Y21OQWdQST01

Inspiring Improvement in the Field of Automotive Cybersecurity

A few weeks ago, I submitted a post about cybersecurity in the automotive industry, specifically about Volkswagen’s foray into investing in cybersecurity for automotive computers. Earlier today, the U.S. National Highway Traffic Safety Administration (NHTSA) suggested that automakers should “make shielding the electronic and computer systems of vehicles from hackers a priority, developing layers of protection that can secure a vehicle throughout its life.” These are not enforceable rules, but strong suggestions from one of the government institutions that are partially responsible for the creation of future regulations that will more strictly govern the automotive industry as a whole.

The NHTSA poses many potential security upgrades in their proposal, entitled “Cybersecurity Best Practices for Modern Vehicles.” Some of these suggestions are moves that manufacturers, like Volkswagen, are already putting into place. Most of the measures in the proposal are becoming standard operating procedure for automotive companies, while other suggestions are less likely to be taken into consideration. One proposal in question relates to the disclosure of proprietary information about critical components of electrical and data systems within vehicles. Jonathan Allen, acting executive director of the Automotive Information Sharing and Analysis Center, explained in an interview that this section of the industry is incredibly competitive and that companies will probably avoid disclosing this information until they are required to.

As I mentioned in my last post, the threat of automotive hacking, while still extremely small, is becoming an increasing threat. As companies begin to offer significant vehicle upgrades through wireless data links, much the same as Tesla has been over the past few years, the need for secure connections will continue to grow. Massachusetts Senator Ed Markey agrees with this sentiment and stated in an interview today that “if modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger.” I couldn’t agree more with this sentiment. As technology continues to impact our lives in increasingly different ways, the need for knowledgeable cyber security experts will continue to grow.

Australian Meteorology Bureau Breach

“You’re only as strong as your weakest link.” For the Australian government, this phrase is extremely relevant today. The Australian Cyber Security Center confirmed yesterday that a 2015 attack on servers at Australia’s Bureau of Meteorology was initiated by a foreign intelligence service. You may be thinking, “What could hackers want with weather data?” The answer is nothing. By hacking into the weakest part of the Australian government’s network, the hackers were able to work their way throughout the system by breaching the poorly protected meteorology division.

Various reports have stated that China is behind the attacks but the Australian government states that it will not be naming a source. The Australian Cyber Security Center (ACSC) noted that the security controls in place “were insufficient to protect the network from more common threats associated with cybercrime.” They also estimate that every password on the Meteorology Bureau’s network was already compromised by the time that the investigation into the matter began.

Technology has allowed governments around the world to better store data and control their resources; unfortunately, as an entity’s cyber footprint increases, so does the type and number of potential risks that threaten them. It is vital that modern-day governments around the world put in place the countermeasures to protect their systems and data.

Ransomware Dundee: A Report on Cyber Crime Down Under

Taking advice from the internet and using it in real-life situations is not usually a lifehack that I would advise; that being said, I am here to offer a bit of advice. If you ever open your mailbox and find a USB flash drive, please do not insert said drive into your computer unless you know who put it there and why they didn’t just deliver it to you directly. This may seem like common sense to most people, but residents of a Melbourne, Australia suburb did not seem to possess this rudimentary level of technological knowledge.

Police in Pakenham, Australia are currently investigating reports from numerous residents that mysterious USB drives have been appearing in mailboxes throughout the community. When inserted into a computer, the flash drive runs a program offering a free Netflix subscription. Once the user initiates the process of signing up for the service, ransomware installs itself onto the machine. For those unfamiliar with the technology, ransomware has become a relatively common method of predatory cyber activity. Ransomware works by encrypting files stored on the user’s computer, then charging the user a fee to unlock their personal files. The ransomware forces the user to pay the fee in Bitcoin so there is no trace as to where the funds are going to or who is receiving them.

So far, only three residents have stepped forward and admitted to being duped into installing the application, though police believe that others have been impacted and are too embarrassed to step forward. Over the past few years, large-scale organizations have been impacted by ransomware and have paid extreme amounts of money to unlock their files. Healthcare organizations are one of the more popular targets of ransomware purveyors. One prominent example of this is an attack earlier this year on the Kansas Heart Hospital. Ransomware forced the hospital to pay over $17,000 (minuscule compared to the original request of $3.4 million) to unlock patient and personnel files and then demanded a second payment to unlock the rest of the files that were still being held captive. Experts claim that the ransomware problem will “get worse before it gets better.”

As students, and as humans in general, we love free stuff. Next time you come across a free flash drive in your mailbox, take a second to think of the potential costs that this “free” piece of technology may bring on you. Personally, I’d much rather pay the $10 for a new flash drive than run the risk of obliterating my computer’s integrity for free.

10th Annual Intersections Undergraduate Research Conference – Friday, April 22nd

Everyone is cordially invited to the 10th Annual Intersections Undergraduate Research Conference on Friday, April 22, from 11:45am – 5:00pm in Sewall 3rd Floor.

This is going to be a great event. RMU students are doing some incredible work. Over 100 students will be participating, with 14 panels and 19 poster presentations. The schedule for the conference is here: http://honors.rmu.edu/urc/program

There will also be one presentation from the CIS department: “Mobile Security Threats: How Safe Is Our Data?”. This will be presented by John Weingartner, Sarah Pfabe, Jayson Phouthavong, Aaron Steinberg, and Brandon Adams. They will present in the Pennsylvania Suite from 4:00-4:45pm.

Apple vs. FBI: The Debate between Privacy and Security

What is the fuss about? The FBI and Apple are in a heated debate over one iPhone, but it is about much more than that. The argument began after a shooting in San Bernardino, California on December 2, 2015. Considered the worst mass shooting in modern US history since 2012, says NBC, the shooting ended with 14 killed and 21 wounded. The 2 suspects in the shooting were both killed in a gunfight with policemen. Terrorism is suspected (Ortiz, 2015). With the iPhone of one of the suspects in its hands, the FBI is desperately trying to gain access to the information on it to see if there was another shooter; law enforcement had previously believed that there may have been 3 shooters rather than just 2 (Ortiz, 2015).

In order to collect this information, the FBI needs access to the iPhone. However, they are struggling to gain access. The FBI had contacted Apple and asked that they help them get information off of the device. When asked, Apple declined to help, claiming that the FBI wants them to create a backdoor to get into all iPhone products. The issue here is that iPhones are encrypted.

Why is this topic so controversial? This topic is so controversial because it goes so much further beyond just one simple iPhone; this situation magnifies the debate of security versus privacy.  This is something that the US government has been in turmoil over for years, especially when terrorism is involved.

The FBI is more concerned with security over privacy, while Apple is more concerned with privacy over security. The FBI wants access to an iPhone that they were locked out of when they reset the iPhone’s password while attempting to get into it. Unfortunately, Apple says that since the password has been reset, there is no longer a connection to the cloud information because there is a password disconnect (Burchette, 2016). This is why the FBI has asked for a program to hack into the encrypted iPhone. This is also why Apple is non-compliant.

Apple has exposed this situation because this shows a government that is no longer concerned with privacy, or with the consequences of creating such a program. The difficulty of the matter is that this all comes back around to the Patriot Act, an amendment to the United States’ Electronic Communication Privacy Act (ECPA). The Patriot Act has been around to create a loophole for the Wiretap Act in order for law enforcement to surpass the need for a warrant for wiretapping, if there is suspected terrorism (Craig, 2013). Given the controversy of this Act, there is clarity as to why this iPhone dilemma has gotten so big.

Can you see both sides?  Of course.  This entire thing has two different ways of looking at one case:

  • FBI’s Point of View:  There is a need to put the security of the United States over the general privacy of the people.  There is a need to look at the risk of not knowing crucial information on terrorism.  If you do not know what is going on, there is no way that another attack can be prevented.
  • Apple’s Point of View:  There is a need to put privacy before everything else.  If a program is made to get into the encrypted iPhone, it can be used by anyone who has it, and that is why there is so much resistance to make it.  This would not be one case, this would be the start of a further loss of privacy.

What is happening as of right now?  People have begun picking sides, and sticking to them.  Apple has written up its legal response detailing their refusal to the FBI’s request(s) (Heisler, 2016).  The FBI has continued to defend itself, claiming that it is not asking for a backdoor into all iPhones, but means to get into this one in particular.

All in all… This is a highly controversial topic and it is going to be one of many cases that will further influence the Crypto Wars, the battle between privacy-minded technologists and the U.S. government (McLaughlin & Froomkin, 2016).

Sources:

Burchette, J. (2016, February 21). FBI Admits It Reset San Bernardino Shooter’s iPhone Password. Retrieved from The Wrap: http://www.thewrap.com/fbi-admits-it-reset-san-bernardino-shooters-iphone-password/

Craig. (2013). Cyber Law: The Law of the Internet and Information Technology First Edition (pp. 92-131). Pearson.

Heisler, Y. (2016, February 25). Here’s Apple’s long-awaited legal response to the FBI. Retrieved from BGR: http://bgr.com/2016/02/25/apple-vs-fbi-legal-filing/

McLaughlin, J., & Froomkin, D. (2016, February 26). FBI vs Apple Establishes a New Phase of the Crypto Wars. Retrieved from The Intercept: https://theintercept.com/2016/02/26/fbi-vs-apple-post-crypto-wars/

Ortiz, E. (2015, December 3). San Bernardino Shooting: Timeline of How the Rampage Unfolded. Retrieved from NBC News: http://www.nbcnews.com/storyline/san-bernardino-shooting/san-bernardino-shooting-timeline-how-rampage-unfolded-n473501