Inverselogic’s 2019 Holiday Gift Guide

It seems like yesterday that we celebrated the New Year, and in the blink of an eye, the holiday season has arrived once again. Inverselogic’s 2019 was quite eventful and exciting, with the onboarding of new client projects such as the establishment of Second Home’s new Los Angeles-based location – a co-working space that evokes a futuristic atmosphere – and the debut of Cellar Thief’s new website – an e-commerce store for wine enthusiasts – in addition to the site launches for Walker Wines and Blacksmith Wines – two stores that celebrate discriminating collectors who seek rare wines from around the world, such as French Bordeaux or Italian Barolo. Even though the year is coming to a close, we are still busy with ongoing Windows 10 operating system upgrades as well as our preparation for the upcoming 106th Annual Rose Bowl Game – a perfect way to kickstart 2020 with one of the year’s largest sporting events.

While 2019’s conclusion is fast approaching, our enthusiasm for imparting valuable cyber security information never wanes. Alongside this, Inverselogic strives to provide all our clients with top quality technology services, and our dedication to client satisfaction has been and always will be one of our principal missions. Additionally, our team is committed to delivering innovative technology solutions that best serve our clients’ needs and ensure their continued success.

We would like to express our sincerest gratitude to all our wonderful clients for making 2019 another fantastic, prosperous year. Every year brings us the opportunity to learn, grow, and succeed with our clients. We’re thankful for our business partnerships and the goals that we achieve through every project together. From our team to yours, we hope your 2019 was just as successful.

Inverselogic welcomes the forthcoming new year as we look forward to what 2020 may bring. We would like to wish you a fun and safe holiday season and a very Happy New Year!

Please enjoy our annual Holiday Tech Gift Guide, which features all of this year’s newest and coolest gadgets. We understand that holiday shopping can be hectic around this time, so we’re here to make your experience stress-free as you search for that perfect gift for your loved ones!

Some App Developers Had Access to Facebook Users’ Data Through the Platform’s Groups

Earlier this month, Facebook admitted that about 100 application developers still had access to Facebook user data, specifically the data of users in Groups on the platform. The news comes as a surprise considering that Facebook took measures to restrict access to sensitive data in April 2018 after the Cambridge Analytica scandal. At the time, Facebook’s newly enforced rules limited third-party access to users’ personal data – such as names and profile pictures – and instead allowed access to Group content.

Nearly a year and a half later, Facebook still has issues with controlling how much access third parties have. A post published by Facebook director Konstantinos Papamiltiadis stated that the rules the platform implemented in 2018 were inconsistently carried out, allowing developers to collect personal information from users. Those 100 application developers have now been restricted from doing so.

Facebook’s director stated that 11 developers had access to users’ data in the last 60 days but had not used the data in any unethical practices. Facebook is now requesting that all data collected by those developers be deleted. Papamiltiadis did not specify what personal data they had access to; however, he did state that the developer apps consisted mainly of “social media management [tools] and video streaming app[lications]…”

UPS Drones Began Delivering Prescription Medications in US

A subsidiary of UPS called UPS Flight Forward began its drone delivery in North Carolina at the beginning of November. Through a partnership with CVS Pharmacy and Matternet, the company successfully delivered medication to both a home and a retirement community.

The drone delivered packages without human operation, although it was monitored remotely. During its delivery, the machine lowered the package it carried using a cable. This approach to delivering residents’ packages has taken the burden off those who have restricted mobility.

Drone deliveries have been happening since earlier this year, with UPS delivering medical supplies to North Carolina’s WakeMed Hospital beginning in March. Google also launched its own drone delivery operation called Wing in October this year, transporting supplies like over-the-counter medications to residents in Virginia. UPS’s Flight Forward now allows for easy, stress-free delivery of prescription medications to residents.

In order for companies to operate drone delivery services, they must receive a Part 135 Standard certification that is administered through the Federal Aviation Administration, granting said companies the ability to carry packages weighing over 55 pounds and fly an unlimited number of drones during day or night. UPS received its Part 135 certification this September. With this certification, companies like UPS can explore new possibilities for their drone delivery services, perhaps extending their delivery locations and even categories beyond prescription medications or medical supplies. Google’s Wing has already tested delivering a range of items from Walgreens and a gift shop called Sugar Magnolia in Virginia.

New Google Pixel 4 Has One Big Privacy Issue with Face Unlock Feature

Google has created its own version of the face recognition unlock system for the Pixel 4 and 4 XL. Google’s system is similar to Apple’s Face ID technology, and the Pixel 4 drops fingerprint authentication in favor of this method alone. However, there’s a huge privacy issue with the system: the phone can be unlocked even if your eyes are fully closed.

The phone can be unlocked by someone else if the device is held up to your face – eyes closed or not. The unlock system will also work if you’re asleep and someone wants to unlock your phone without you knowing. Unlike Google’s unlock system, Apple’s requires your eyes to be fully open to unlock, thus making it more secure for its device users.

Whether Google intends to add more security to the Pixel’s face unlock system remains unknown. A Google representative commented on the issue in a statement to The Verge, explaining: “We don’t have anything specific to announce regarding future features or timing, but like most of our products, this feature is designed to get better over time with future software updates.” With nothing yet officially announced, the privacy issue still stands, allowing a nosy friend or significant other to access a user’s device with ease.

As of now, the only way to combat this issue is the lockdown function available on Android phones. Lockdown can be accessed through the power menu, and once pressed, the device disables the face unlock feature until the user’s PIN code is entered. If you choose to use lockdown, notifications will not be displayed on your phone screen. Bluetooth devices also lose the ability to unlock the phone.

5 Cybersecurity Threats That You Should Look Out for

Ransomware attacks, cyber attacks, data breaches – these are just a few cybersecurity threats that catch one’s attention. However, here are some other types of threats you may not have expected:

Malicious USBs That Could Carry Viruses 

Some USB sticks can be very dangerous if they have been tampered with and – once plugged in – can install a backdoor on PCs. You should be very cautious about plugging a USB drive into your PC if you are unsure of where it’s from. Other USB sticks may not cause immediate damage once inserted. Instead, such USBs could carry viruses that wreak havoc on your computer after the initial download. Always make sure you know where the USB comes from, keep your computer’s operating system up-to-date, and have the proper security tools installed.

Browser Extensions That May Do More Harm Than Good

Browser extensions have useful everyday features, but some extensions need close evaluation from their users. Extension developers could use these programs to collect data on what you search online. If you happen to choose the wrong extension, it could end up annoying you with pop-ups, installing unneeded software, and even selling your browser data. To help prevent this, minimize your extension downloads, do your research on the developers behind each extension, and stick to the ones you know.

Charging Cables That Could Give Hackers Access To Your Device

The purpose of a charging cable is to give power to your device and help sync information. However, there are some charging cables out there that look very similar to your everyday charger, but they could give hackers access to your device’s information. All you would have to do is click “trust this computer” when a malicious cable is plugged in, and the hacker would have access to your device. To help prevent this issue, be mindful of the charging cables you purchase or only use the charging cables that come with your device.

Photo Uploads That Give More Information Away Than Wanted

There’s nothing wrong with posting photos on social media. However, you should be careful with setting your pictures to “public”, as uploaded photos can carry your location data. Apps like Facebook and Instagram remove this information, but apps like Google Photos track the location where the photo was taken. Posting a photo online with a location tag can add the location back to the photo even if you removed the location data. This photo data can put you at risk of identity theft or online stalking if a cybercriminal were to use your pictures for these malicious purposes. To prevent this, keep your social profiles on “private” mode.
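A pre-upload check for the location data described above, as an added example that is not part of the original article: it walks a JPEG's Exif segment and reports whether a GPS directory is present. The two sample files are constructed inline (header-only, no pixels), and the function names are illustrative.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag whose value is the offset of the GPS directory
GPS_NAMES = {1: "GPSLatitudeRef", 2: "GPSLatitude",
             3: "GPSLongitudeRef", 4: "GPSLongitude"}

def ifd_entries(tiff, offset, bo):
    """Yield (tag, value_or_offset) for each 12-byte entry of the IFD at offset."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    for i in range(count):
        tag, _type, _n, value = struct.unpack_from(bo + "HHII", tiff, offset + 2 + 12 * i)
        yield tag, value

def gps_tags_in_jpeg(data):
    """Return the names of GPS tags in a JPEG's Exif segment, or [] if none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack_from(">H", data, pos + 2)
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            tiff = body[6:]
            bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
            (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
            for tag, value in ifd_entries(tiff, ifd0, bo):
                if tag == GPS_IFD_TAG:
                    return [GPS_NAMES.get(t, hex(t))
                            for t, _ in ifd_entries(tiff, value, bo)]
            return []
        if marker == 0xDA:  # start of scan: metadata segments are over
            break
        pos += 2 + length
    return []

def sample_jpeg(with_gps):
    """Constructed test file: SOI, one Exif APP1 segment, EOI (no image data)."""
    tiff = b"II" + struct.pack("<HI", 42, 8)  # TIFF header, IFD0 at offset 8
    if with_gps:
        # IFD0: one entry pointing to a GPS directory at offset 26
        tiff += struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
        tiff += struct.pack("<H", 2)
        tiff += struct.pack("<HHII", 1, 2, 2, ord("N"))  # GPSLatitudeRef "N"
        tiff += struct.pack("<HHII", 3, 2, 2, ord("W"))  # GPSLongitudeRef "W"
        tiff += struct.pack("<I", 0)
    else:
        tiff += struct.pack("<HHHIII", 1, 0x0112, 3, 1, 1, 0)  # Orientation only
    payload = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xff\xd9")

if __name__ == "__main__":
    for label, blob in (("tagged", sample_jpeg(True)), ("clean", sample_jpeg(False))):
        print(label, gps_tags_in_jpeg(blob) or "no GPS data")
```

A non-empty result means the file should be stripped of metadata before it is shared publicly.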

Smart Home Devices That Could Be Hacked

As homes get smarter, hackers have the chance to target them. If hackers are able to access homes, they could make sure doors remain unlocked or check your security cameras. To combat this, buy devices that are well-known and make certain that all your devices – including your router – are always up-to-date with the latest software. Also, do not keep default passwords for your smart home device accounts. Make sure your passwords are hard to guess and are not used elsewhere. For more protection, turn on two-factor authentication for your device accounts.

Google’s New Application Tools for Maps, YouTube, and Assistant Put Privacy in the Hands of Its Users

Just in time for National Cybersecurity Awareness Month, Google recently announced new tools related to user privacy and security for Google Maps, YouTube, and Google Assistant. The new updates to these applications give users more control over what data Google can retrieve, and even give users the option to delete already collected data, such as within Google Voice Assistant.

Google Maps now includes an incognito mode that keeps the application from tracking which places you search for and where you travel to, giving its users more control over privacy. Incognito mode also helps to keep users’ personalized recommendations from including any locations that would otherwise be irrelevant. Android and iOS users are expected to have this feature available in their Maps application this month.

YouTube is receiving an update as well, with users now able to choose when the app will automatically delete accumulated history. You can choose to keep your watch history for three or 18 months, or just choose to keep the data until you delete it manually.

Google Assistant is also getting an update that allows users to delete any saved voice data. By saying phrases like “Hey Google, delete the last thing I said to you,” or “Hey Google, delete everything I said to you last week,” to your device, Google Assistant will delete its “Assistant Activity”. Deleting voice data from a while back would require you to go into account settings.

After it was revealed that actual people could listen to voice recordings for the purposes of improving voice assistants, Google, Amazon, and Apple all took action to remedy the privacy situation. Alexa, for instance, gained an option for consumers to choose whether recordings will be reviewed. Two months ago, Apple also announced the suspension of its Siri grading program, which similarly recorded user audio. The company commented on how it would incorporate consumer participation choice in the grading program with a future update.

This Google Assistant feature is expected to be released in all languages by next month. The English commands will be available this month. 

Lastly, Google has released Password Checkup within its Password Manager tool. The Checkup feature notifies users if their passwords have been compromised in a data breach, are weak and need to be strengthened, or have been reused. Google will be adding this tool to Chrome soon, but users can still take advantage of the feature at passwords.google.com.

Apple Will Release a Special iPhone for Security Research Purposes

Apple will release a special modified iPhone for research purposes only. With new software installed within its operating system, this modified iPhone is set to be a part of Apple’s bug-bounty program. While Apple’s bug-bounty program was initially introduced in 2016, this is the first time such iPhones will be used for this service.  

These new iPhones will be included in Apple’s iOS Security Research Device Program and will only be available to the security research team. The program supplies security researchers with this uniquely modified iPhone, which these analysts will use to help make security-related improvements. This would make it easier for ‘experienced bug hunters’ to work on Apple products.

These modified iPhones will have “advanced debugging capabilities and a root shell, among other modifications designed to make the software more open and accessible for researchers,” says Lisa Eadicicco of Business Insider.

In August, Apple announced that the new Research Device Program is one of many updates in their bug-bounty program. They have yet to announce how many applications they will accept into this program. Apple will pay a $1 million reward to researchers who find flaws and to whoever can take control of a device with no user interaction involved. The company will expand their bug-bounty program so that it includes most of Apple’s products, such as the Apple Watch, Mac computers, and Apple TV, in addition to the current iOS.

Cybercriminals Impersonate These Well-Known Companies in Phishing Emails

Suspicious emails coming through to your mailbox? Does the email claim to be from Microsoft and need your login information to fix an unfounded issue? Cybercriminals increasingly send victims emails such as these, impersonating large-scale companies to appear legitimate, and it’s not only Microsoft impersonations. From Facebook to Amazon, to PayPal and Netflix, it’s a good idea to double check where those emails are actually coming from.

Cybersecurity company Vade Secure conducted an analysis of the companies that were most impersonated and found that Microsoft was one of the most used brands in phishing schemes, with an increase of 15.5% since the previous year. Due to the popularity of Outlook mail and Office365, Microsoft is a widely popular impersonation target. With businesses and corporations relying on Office365 for keeping restricted and sensitive files, hackers look for any means necessary to get their hands on such valuable information. Access to Office365 accounts can also open more doors for targeting other users to gain access to more accounts.

Illegitimate emails claiming to be from Microsoft ask users to log in via a link provided by the hacker. The link opens a spoof page that mirrors the actual website and prompts users to input their login credentials, which are then submitted to the cybercriminal.

PayPal comes out as the second most common company to be used in phishing schemes, as the brand is easily recognizable by many. While PayPal still remains a popular choice in targeting victims with fake emails, malicious URL targeting has been declining.

The third most popular company to be used in a phishing attack is Facebook, as Vade Secure tracked a 176% increase in fake URL use to target users’ social media accounts. The social network acts as a perfect opportunity for hackers to send phishing messages to victims’ friends. Facebook access can be particularly harmful if victims have third-party applications connected, which cybercriminals can then also access.

The report further lists other brands like Netflix, Bank of America, and Apple that are also used in these emails. Amazon is now the eighth most popular brand for phishing use by hackers, and its use has grown over 400% in just a year, likely due to the popularity of Amazon Prime Day and the extensive number of shoppers on the site.

Phishing attacks are continuously utilized by hackers because they are a cheap and easy way to reach a mass of users. If you receive any such suspicious emails in your inbox, mark them as spam immediately. If you are ever unsure about your account, log in through the company’s official site instead of clicking on malicious email links.

Google Study Reveals Many People Are Still Using Breached Passwords

Recently, a Google study showed that about 316,000 passwords have already been breached and are still in use. These credentials also include those for financial and governmental accounts. The information used to create this study came from Google Chrome’s Password Checkup extension. Google recently stated on their blog, “The study illustrates how secure, democratized access to password breach alerting can help mitigate one dimension of account hijacking.”

The Password Checkup Extension activates when someone signs into a site using one of the 4 billion username/password combinations that Google finds unsafe due to a third-party breach. Google found that out of 21 million passwords and usernames, 1.5% of these sign-ins were risky. They also stated that many people like to reuse passwords that tend to be vulnerable, which puts them at risk. People use vulnerable passwords when it comes to entertainment and news websites, and sometimes on shopping sites where credit card information could be stored. About 26 percent of unsafe passwords were reset by users. In addition, 60 percent of those new passwords are secure against guessing attacks: it would take a hacker over a hundred million guesses to figure out the user’s new password.

Not changing these passwords can lead to cybercriminals gaining unauthorized account access. There have been “credential-stuffing incidents”, which affected companies like Dunkin Donuts and State Farm. Hackers would use lists of breached usernames and passwords to log in to web application accounts through automated requests. When the right username and password combination is found, cybercriminals can gain access to the targeted account.

Google recommends using their Password Checkup Extension as a precautionary measure to alert users of whether their password has been breached. It is good practice to use different passwords for all your accounts and store them in a secure password manager application. As always, avoid using simple-to-guess passwords and instead use phrases with numbers and symbols. 

New Trojan Malware Spreads via Word Document

There’s a new trojan malware spreading through malicious Word documents, and cybercriminals are using this virus to steal personal information and sensitive banking details. The malware, the Ursnif trojan, attacks Windows operating systems and has been popular with hackers since its main source code was leaked, which made it a more widely available option for cybercriminals to take advantage of. This type of trojan has existed in different forms over the years, starting in 2007 when the code first surfaced in the Gozi banking trojan.

Since the code was leaked, hackers have customized it to their liking, stealing banking account information and other valuable account details. Cybersecurity firm Fortinet has identified a new version of the trojan that spreads through Word documents with file names in the format “info_[date].doc.” The hacker attaches a malicious macro script that launches once the document’s macros (a series of operations done through a single command) have been enabled.

The macros can be enabled by clicking “Enable Content”, which runs VBA code that drops a version of the Ursnif malware onto the victim’s computer. This malware then runs “iexplorer.exe” processes to connect to a command and control server on the hacker’s end. In an effort to avoid arousing user suspicion, the host list for the server refers to security companies as well as Microsoft.
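A mail-side triage check for the delivery method described above, as an added example that is not part of the original article or of Fortinet's report. It extracts attachments from a message, tests the file name against the reported “info_[date].doc” pattern (the date format is not given, so any text is accepted there), and looks for a VBA project inside a legacy Word file. The verdict names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # header of legacy .doc (OLE2) files
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 directory names are UTF-16LE
# File-name pattern reported in the article; date format unspecified, so any text.
NAME_RE = re.compile(r"^info_.+\.doc$", re.IGNORECASE)

def triage(filename, data):
    """Return 'quarantine', 'review' or 'pass' for one attachment."""
    has_macro = data.startswith(OLE_MAGIC) and VBA_STREAM in data
    name_hit = bool(NAME_RE.match(filename))
    if has_macro and name_hit:
        return "quarantine"  # macro-bearing document with the campaign's name
    if has_macro or name_hit:
        return "review"      # one indicator only: hold for an analyst
    return "pass"

def scan_message(raw_bytes):
    """Return [(attachment file name, verdict)] for a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        results.append((name, triage(name, data)))
    return results

def sample_eml(filename, with_macro):
    """Constructed message whose attachment only imitates an OLE2 file layout."""
    doc = OLE_MAGIC + b"\x00" * 504
    if with_macro:
        doc += VBA_STREAM + b"\x00" * 40
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Requested information"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(doc, maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, macro in (("info_11.05.doc", True), ("minutes.doc", True),
                        ("minutes.doc", False)):
        print(scan_message(sample_eml(name, macro)))
```

The byte search is a heuristic; a production mail gateway should confirm macro content with a full OLE2 parser before acting on the verdict.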

Researchers have stated that the campaign is still operating. Even though these techniques might seem a little basic, an easy phishing email attack could give these cybercriminals a chance to invade networks and initiate an extensive cyberattack. 

As always, be mindful of the emails you receive, especially those with unsolicited document attachments, and check the sender email address to verify if the email is spam. When in doubt, directly contact the company referenced in the email using a phone number provided on the actual website.