Have you ever shared a photograph where you've redacted some sensitive information? Perhaps you've cropped out part of the image you didn't want others to see? Well, users of Google's Pixel Android smartphone might be alarmed to learn that pictures they've shared in the past may have been less discreet than they imagined. Read more in my article on the Hot for Security blog.

One common misconception is that scammers usually possess a strong command of computer science and IT knowledge.

Related: How Google, Facebook enable snooping

In fact, a majority of scams occur through social engineering. The rise of social media has added to the many user-friendly digital tools scammers, sextortionists, and hackers can leverage in order to manipulate their victims.

Cybersecurity specialists here at Digital Forensics have built up a store of knowledge tracking criminal patterns while deploying countermeasures on behalf of our clients.

One trend we’ve seen in recent years is a massive surge in cases of sextortion. This online epidemic involves the blackmail of a victim by the perpetrator via material gained against them, typically in the form of nude photos and videos.

These sextortionists are some of the lowest forms of criminals, working tirelessly to exploit moments of weakness in their victims induced by loneliness and our most base-level human natures.

Fraud has existed for as long as civilization and economics have. Some scholars argue that the precursors of money, combined with language, are what enabled humans to solve cooperation problems that other animals could not. Fraud has advanced in parallel with currency.

Exploitation drivers

From the case of Hegestratos committing insurance fraud by sinking a ship in 300 B.C., to the Praetorian Guard selling the rights to the Roman throne in 193 AD, to the transgressions of Madoff and Charles Ponzi, fraud has always been embedded in society as a consequence of economics.

As technology has rapidly exceeded all historical imaginings, opportunities for fraudsters to exploit their victims abound. Digital exploitation refers to the abuse and manipulation of technology and the internet for illegal and unethical purposes, including identity theft, sextortion, cyberbullying, online scams, and data breaches.

The rise of digital exploitation has been a direct result of technological advancement and the widespread use of the internet in our daily lives.

Cybersecurity has developed in parallel as a necessary countermeasure to keep scammers from trampling the privacy of citizens. Because fraudsters constantly seek new methods of exploitation, cybersecurity specialists must be equally innovative, anticipating future techniques of exploitation before they appear.

Modern cybersecurity and digital forensics must not merely react to cases of fraud; they must also proactively probe current systems for weaknesses in order to stay a step ahead of fraudsters.

The success of digital exploitation can be attributed to several factors, including difficulty in keeping up with the latest security measures, increased reliance on technology and the internet, and a general lack of awareness and education about the dangers of the internet.

Countermeasures

To address the issue of digital exploitation, it is essential to raise awareness and educate people about the dangers of the internet, and to continue to develop and implement strong security measures to protect personal information and sensitive data.


It may someday fall to the Federal government to deploy cybersecurity as a service such as community hubs or public utilities, but for the foreseeable future it falls upon private enterprises to assist clients suffering from a digital exploit in reclaiming their lives.

Digital Forensics experts are trained to follow digital footprints and track down IP addresses, cell phone numbers, email addresses, social media accounts and even specific devices used in these crimes. We can identify online harassers or extortionists with a high degree of success, arming clients with the evidence they need to confront a harasser, seek a restraining order or even press charges.

About the essayist: Collin McNulty is a content creator and digital marketer at Digital Forensics, a consultancy that works with law firms, governments, corporations, and private investigators.

The UK has announced a ban on TikTok on government phones, becoming the latest country to have banned the Chinese-owned video app over raised security concerns.

TikTok has come under increased scrutiny in recent months amid fears that user data from the app, owned by Beijing-based company ByteDance, could end up in the hands of the Chinese government.

The ban takes effect immediately, following a security review ordered by ministers, and is part of a wider set of restrictions on third-party apps on government devices. The measures are intended to improve cyber hygiene, protect the sensitive data that government officials have access to, and prevent location data harvesting.

In recent months, a number of governments and institutions, including the US, Canada and the European Commission, have banned TikTok from government-owned devices.

When the announcement was made, the cybersecurity community was quick to provide thoughts and insight…

Javvad Malik, lead security awareness advocate at KnowBe4:

It appears as if the UK is following in the steps of the European Union's ban on TikTok on government devices. Risk assessments need to be undertaken and any apps which pose a threat to the government should be removed. However, there is a lack of transparency in these efforts and no real indication is given as to the actual data which is collected by TikTok and who it is shared with and for which purposes. If we were to apply this principle to other social media sites, and mobile apps in general, then many of the apps would not pass this bar. If there is a political risk, then this should be stated so that others can make informed risk decisions too, rather than using the blanket term that is being done for cybersecurity reasons – because most apps will collect data and transmit it to third parties.

Tom Davison, Senior Director Engineering International at Lookout:

If this ban goes ahead it will follow similar decrees already issued by the European Commission and the US government. The concern here is the level of access to data which TikTok affords its parent company ByteDance, which is a Chinese company headquartered in Beijing. Governments and businesses are increasingly concerned by the volume of data which 3rd parties and foreign states might be collecting. 
Mobile apps in particular are a real source of risk given the amount and type of data they are able to collect on their users. Upwards of 60% of internet traffic now originates from mobile devices making them the prime target for data collection and surveillance. Increasingly users mix personal and work apps on the same device, drastically increasing the risks for governments and business who are tasked with controlling data sovereignty, privacy and protection. All mobile apps will be sending data somewhere and it is essential that this is understood and considered. For example, Lookout tracks over 9 million other apps that have the capability to send data to China. While they may not necessarily be malicious there is a fundamental issue of lack of awareness which is only just beginning to be acknowledged.

Brian Higgins, Security Specialist at Comparitech:

“The National Cyber Security Centre publishes advice on drafting and implementing ‘Bring Your Own Device’ and ‘Acceptable Use’ policies so why they don’t have any for Government staff is unclear. Most Social Media platforms gather vast amounts of data that users would rather they didn’t, but personal choice allows individuals to trade their privacy for functionality. They really shouldn’t be allowed to apply the same approach whilst they are engaged in Government business at any level. We’re clearly jumping on the Bad-TikTok bandwagon here but a more useful exercise would be to review and restrict Social Media access across the estate.” 

Chris Handscomb, EMEA Solutions Engineer at Centripetal:

Just a decade ago, the notion of corporate managers and government officials possessing smart mobile devices that could instantly access work information was a novelty. Today, these devices are ubiquitous, internet speeds have vastly improved, enabling individuals to consume copious amounts of high-quality content at the click of a finger. However, with this heightened connectivity, communication, and entertainment, there is the possibility of malicious actors exploiting device vulnerabilities and gathering sensitive data. This sometimes very personal data can then be on-sold to the highest bidder creating a risk factor for companies and government agencies where (potentially compromised) individual contributors are handling sensitive trade or state secrets and may now be vulnerable to blackmail. It is therefore imperative that companies and government agencies prioritise their security measures, safeguarding their employees and enterprises from potential threats.

The post TikTok to be banned from UK Government Phones appeared first on IT Security Guru.

A new report from the Bipartisan Policy Center (BPC) lays out, in stark terms, the prominent cybersecurity risks of the moment.

Related: Pres. Biden’s impact on cybersecurity.

The BPC’s Top Risks in Cybersecurity 2023 analysis calls out eight “top macro risks” that frame what’s wrong and what’s at stake in the cyber realm. BPC is a Washington, DC-based think tank that aims to revitalize bipartisanship in national politics.

This report has a dark tone, as well it should. It systematically catalogues the drivers behind cybersecurity risks that have steadily expanded in scope and scale each year for the past 20-plus years – with no end yet in sight.

Two things jumped out at me from these findings: there remain opportunities and motivators aplenty for threat actors to intensify their plundering; meanwhile, industry and political leaders seem at a loss to buy into what's needed: a self-sacrificing, collaborative approach to systematically mitigating a profoundly dynamic, potentially catastrophic threat.

Last Watchdog queried Tom Romanoff, BPC's technology project director, about this analysis. Here's the exchange, edited for clarity and length:

LW: Should we be more concerned about cyber exposures than classic military threats?

Romanoff: Classic military threats will always merit significant concern due to their direct impact on life. But for most Americans, cyberattacks are a lot more likely to happen. They can cause severe economic or social disruptions and impact a broad crosscut of our society.

Incidents of nations using cyberattacks as an extension of military operations to disrupt or destabilize targets are on the rise. As part of criminal enterprises or economic warfare, nation-states using cyber-attacks can inflict damage without firing a shot and extend power beyond their borders.

Our report connects the threats from particular nation-states and showcases how this can accelerate risks for non-military organizations.

LW: Regulation hasn’t seemed to help much; data security rules have been highly fragmented, i.e., Europe vs. the U.S. and even state-by-state in the U.S.

Romanoff: Concerns about data privacy and cybercrime are fast-tracking the push for regulations. In the U.S., tech has enjoyed "permissionless innovation" for much of its industrial existence.

As Congress continues to debate the role of Big Tech, increased state-level regulations, and worldwide regulations, policymakers are increasingly pressured to do something to increase data protections.


California is leading the effort at the state level and has passed the California Consumer Privacy Act (CCPA). Similar bills, including many data privacy bills, follow California's lead. For example, Colorado, Connecticut, Utah and Virginia have all signed privacy laws in the last few years, and fifteen other states are considering privacy laws.

The push for a national data privacy law would have an immediate and quantifiable impact, but sadly progress is stalled. Without a national data privacy law or laws, we are left with a fragmented regulatory landscape.

The EU is moving much faster to regulate digital security. Between the General Data Protection Regulation (GDPR), Digital Services Act (DSA), the Digital Markets Act (DMA), and the emerging ePrivacy Regulation, the EU is framing the data security debate worldwide.

The overall impact of regulations has been on how businesses collect, process, and protect personal data. There will continue to be a push to increase transparency and accountability around data handling practices. For example, the recent FTC complaint regarding GoodRX and the Illinois case against White Castle for violations of the Biometric Information Privacy Act (BIPA) show that the norm is trending toward increased oversight.

LW: So what difference can regulation actually make in the next few years?

Romanoff: We should expect the government to break from the self-governance/marketplace regime that has been in place and move away from incentive-based cyber compliance. I expect to see more penalties for data leaks or non-compliance.

DMA and other EU regulations will come online, creating compliance hurdles for American companies.

We can also expect the U.S. government to work toward more oversight mechanisms by finding authorities that can be interpreted through a data-security lens.

LW: It’s certainly not a surprise that nightmare breaches keep happening; your report calls out lagging corporate governance as a major variable.

Romanoff: Cybersecurity in many organizations is considered a cost, not an investment. Too often, cyber leaders are not included in board discussions or c-suites, and thus cybersecurity isn’t integrated into business decisions. This will continue to be a challenge until security is built into the business model or product from the beginning.

For example, one of our working group members talked about the need to create software development teams that knew cybersecurity just as well as UX/UI. Traditionally these are different teams: one team builds the software product, and another one tests it for vulnerabilities.

When you have a team that builds a product with cybersecurity as part of its functionality, that's when you have full integration. It's the same for corporate governance: when cyber is built into a product, we know this risk is being meaningfully addressed.

LW: Will infrastructure threats and/or disruptions be a catalyst?

Romanoff: Infrastructure and utility disruptions pull cybersecurity from the abstract into reality for most Americans. These sectors continue to be targeted, and events like the Colonial Pipeline shutdown pushed government agencies and companies to prepare for attacks.

No system, no matter how well protected, is 100 percent safe from attack. What is important to highlight is the resilience and contingency planning that organizations should build into their strategy before being the disruption case study.

I commend the work that CISA and DHS are doing to help organizations build out that resiliency. By partnering with cyber leaders in these sectors, CISA is working to mitigate risks before they become disruption events.

LW: What is an optimistic scenario for shrinking the trajectory of cybersecurity risks, as laid out in this report?

Romanoff: Hopefully, some of these risks will be addressed and become part of standard resilience and contingency planning. However, eight of the risks we identified are not new. They have been a concern for some time.

We hope that the framing of this report will spur action, especially at the policy level, to allocate the necessary time and resources. Our report is a baseline for 2023, and we hope to update it as new risks emerge or as risks are addressed meaningfully, mitigating their impact.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)