Google’s New Application Tools for Maps, YouTube, and Assistant Put Privacy in the Hands of Its Users


Just in time for National Cybersecurity Awareness Month, Google recently announced new user privacy and security tools for Google Maps, YouTube, and Google Assistant. The updates give users more control over what data Google can retrieve, and even give users the option to delete already collected data, such as within Google Assistant.

Google Maps now includes an incognito mode that keeps the application from tracking which places you search for and where you travel, giving users more control over their privacy. Incognito mode also helps keep irrelevant locations out of users’ personalized recommendations. Android and iOS users are expected to have this feature available in their Maps application this month.


YouTube is receiving an update as well, with users now able to choose when the app will automatically delete accumulated history. You can choose to keep your watch history for three or 18 months, or just choose to keep the data until you delete it manually.

Google Assistant is also getting an update that allows users to delete any saved voice data. When you say phrases like “Hey Google, delete the last thing I said to you,” or “Hey Google, delete everything I said to you last week,” to your device, Google Assistant will delete its “Assistant Activity”. Deleting voice data from further back requires going into your account settings.

After it was revealed that actual people could listen to voice recordings for the purposes of improving voice assistants, Google, Amazon, and Apple all took action to remedy the privacy situation. Alexa, for instance, was given an option for consumers to choose whether recordings will be reviewed. Two months ago, Apple also announced the suspension of its Siri grading program, which similarly recorded user audio. The company said it would let consumers choose whether to participate in the grading program in a future update.


This Google Assistant feature is expected to be released in all languages by next month. The English commands will be available this month. 

Lastly, Google has released Password Checkup within its Password Manager tool. The Checkup feature notifies users if their passwords have been compromised in a data breach, are weak and need to be strengthened, or have been reused. Google will be adding this tool to Chrome soon, but users can still take advantage of the feature at passwords.google.com.

Instagram is Testing New Feature That Can Help Users Combat Hackers Stealing Accounts


Instagram is working on putting user account security at a high priority by making it more difficult for hackers to steal accounts to hold them hostage for ransom or sell for high profit.  

Hackers are after big influencer accounts in a scheme reported by Motherboard, which involves cybercriminals targeting big-name Instagrammers. The attack works through an email link that – once clicked – directs users towards a fake Instagram login page. Once a hacker steals the login credentials and has access to the account, victims are unable to sign back in or regain access to their own profiles, as hackers change both the recovery email address and the phone numbers associated with the account.

Instagram had previously acknowledged that users were having difficulty accessing their accounts and had advised setting up two-factor authentication and using stronger passwords, but these extra security steps don’t exactly help when a cybercriminal has already accessed an account. Phishing links have been a primary means of tricking influencers into signing in to bogus login pages made to look authentic. Furthermore, if an influencer has reused account credentials that were previously involved in a data breach elsewhere, cybercriminals can use this information to gain access to an account.

After users have long complained about Instagram’s lack of responsibility and initiative in taking care of the hacker issue, the company recently announced new ways of combating this ransom tactic.

If users can’t log in to their page, Instagram gives them the option of sending a six-digit authentication code to the phone number or email address that was used when the account was first created. Any other devices that hackers have logged in on will be logged out, allowing users to recover their page by resetting their email and password. This feature is currently under testing.


Instagram has also promised to bring another feature – one already available for Android users – to iOS. The feature allows a user to change their Instagram handle while also allowing one to maintain their previous handle for 14 days. This upcoming update is meant to deter any hackers from taking popular usernames to sell for profit. After the 14 day period is over, the username becomes available for anyone to use.

Cybercrime Groups Still Operate Over Facebook Platform

Cisco’s Talos threat intelligence researchers have identified an ongoing cybersecurity problem that looms within Facebook: dozens of groups created to trade and purchase spamming and phishing services.

The groups have been noted as partaking in “shady (at best) and illegal (at worst) activities,” using easily identifiable and locatable names such as “Spammer & Hacker Professional” or “Facebook hack (Phishing)” and yet remained up and active without intervention from Facebook itself.

Researchers at Cisco have found approximately 74 groups that partook in cybercriminal activities such as selling stolen login and account credentials and banking information. Others would sell tools for email spamming. The groups had amassed around 385,000 members in total and were easy to search for through simple keyword phrases like “spam” and “carding” when one looked into Facebook group search.

Cisco’s Talos team had notified Facebook about the hacker groups through abuse reporting, to which Facebook had responded by removing a few of the groups while keeping others up and only removing some posts deemed as a violation of policy. After the Talos researchers spoke directly with Facebook’s security team, the groups were taken down, but the issue of cybercrime on the social media site still remains a prevalent problem as new groups always seem to emerge.

Such activity isn’t new to the Facebook community. Groups like these have been operating for years on the social media platform. Brian Krebs from KrebsOnSecurity found 120 cybercrime groups back in 2018, for example, and notified Facebook in order to have the groups removed.

A spokesperson told The Verge that “[Facebook] know[s] [it] needs to be more vigilant and [they’re] investing heavily to fight this type of activity.”

Beware: TrickBot Malware Is on the Rise for Tax Day

Tax Day is coming up on April 15th, and cyber criminals are out to profit at many victims’ expense. Tax-themed malware called TrickBot is being sent to inboxes, with the hackers impersonating payroll providers like Paychex and ADP and sending malware-infected Excel documents to their recipients.

TrickBot works by exploiting network vulnerabilities to get in and steal sensitive information such as passwords and bank account details, which is then used to file fraudulent tax forms and receive the returns. Scams caused by TrickBot cost the IRS over a million in losses back in 2016.

Researchers from IBM X-Force noted how cyber criminals are using domains that look highly similar to actual payroll providers in order to deceive recipients into thinking the email is from a legitimate source.

IBM global executive security advisor Limor Kessem stated how “this campaign [is] highly targeted in its efforts to infiltrate US organizations,” and the threat from TrickBot doesn’t look like it’ll cease. Kessem continues on by explaining that “TrickBot [is] one of the most prominent organized crime gangs in the bank fraud arena, [so] we…expect to see it maintain its position on the global malware chart, unless it is interrupted by law enforcement in 2019.”

Before clicking on any email link, it is highly advised to double check the legitimacy of the email by looking closely at the sender information. Hovering over an email link also allows you to check on where the URL leads before you actually click on it; just check the small window that pops up above the link to make sure the site is safe.
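The sender check described above can be automated for incoming mail. The sketch below is an added example, not code from IBM X-Force or the original post; it assumes paychex.com and adp.com are the providers' legitimate domains, and the sample headers use constructed `.example` addresses.

```python
from email.utils import parseaddr
import re

# Assumed legitimate domains for the two providers the article names.
BRANDS = {"paychex": "paychex.com", "adp": "adp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str):
    """Return (verdict, brand) for the value of a From: header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # 1. The real domain or a subdomain of it. This only says the name is
    #    right; the header can still be forged, which SPF/DKIM/DMARC address.
    for brand, legit in BRANDS.items():
        if domain == legit or domain.endswith("." + legit):
            return ("match", brand)
    # 2. The brand name, or a near miss of it, inside some other domain.
    tokens = [t for t in re.split(r"[.\-]", domain) if t]
    for brand in BRANDS:
        # Short names get no typo tolerance, or "adp" would match "app".
        tolerance = 1 if len(brand) >= 5 else 0
        if any(edit_distance(t, brand) <= tolerance for t in tokens):
            return ("lookalike", brand)
    # 3. The display name claims the brand but the address does not.
    words = re.findall(r"[a-z0-9]+", display.lower())
    for brand in BRANDS:
        if brand in words:
            return ("display-name-only", brand)
    return ("unrelated", None)


# Constructed sample headers; the .example domains are placeholders.
SAMPLES = [
    "Paychex <noreply@paychex.com>",
    "billing@paychecx.example",
    "hr@adp-payroll.example",
    "support@paychex.com.account-verify.example",
    '"ADP Payroll" <notice@mail-billing.example>',
    "Garden Weekly <news@gardening.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```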

540 Million Facebook User Records Found On Public Amazon Storage Server

UpGuard security firm researchers have discovered an unpleasant surprise: millions of Facebook user records were found exposed publicly on an Amazon S3 storage server without a password to protect the data.

Two third-party companies – a Mexico-based media company called Cultura Colectiva and an app developer, At The Pool – had left user records available for public access. User record data such as comments, likes, reactions, and account names were all stored on the servers. At The Pool stored sensitive information from approximately 22,000 users, including data such as photos, check-ins, and friends lists.

UpGuard had not received a reply from Cultura Colectiva after warning them about the public server data back in January. After reaching out to Amazon as well, the security firm was yet again met with indifference as no one had taken action to resolve the issue. After Bloomberg’s reporting on April 3rd, the database was then secured.

A Facebook representative commented on the matter, explaining how “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases.” Spokespeople from the company also commented on how Facebook was not aware of the issue until the UpGuard team had brought it to their attention.

Both third-party companies had collected and stored the data in the past when Facebook was more lenient on data gathered by outside applications. However, after the Cambridge Analytica scandal, Facebook set tighter restrictions on what developers may access in regards to user data.

As of now, it is unclear whether the data on the open storage servers was accessed by malicious actors who could potentially use it to their advantage in marketing or fraudulent schemes.

6 Security Tips to Keep in Mind When Using Device Apps

Nowadays, data breaches are happening more and more frequently, and an app you once entrusted with your data and privacy can put your information at risk of being stolen, whether by malicious hackers using security exploits or by developers using a third-party application to harvest your data. As you download your favorite applications from Apple’s App Store or Google’s Play Store, you’ll want to keep these security tips in mind:

  1. Using a password manager can help keep your accounts secure

Password manager applications are there to assist us when there are many accounts to keep track of. Oftentimes, users rely on the same passwords across accounts, which puts them at risk during massive data breaches. Easy-to-guess passwords like “Password” and “123456” are still among the top worst choices for users’ accounts, and slightly changing passwords to include a symbol or number is not always the best line of defense against hackers guessing your codes.

Using a password made up of a random string of numbers and letters is assuredly a strong way of protecting your accounts. However, remembering these passwords is another issue.

To help store your passwords in a secure and encrypted space, users can take advantage of password manager apps.

  2. Use a VPN when you use public WiFi

A virtual private network (VPN) can help keep your data secure when on public WiFi. VPNs can secure transactions and keep users anonymous when on the internet, ultimately masking any data transmissions.

When looking for a VPN provider via an app store, make certain you read the app’s data collection policies.

  3. Be aware of what permissions you grant to applications

Users should always be wary of what information apps ask to gain access to, such as contacts lists, location, and photos. A good form of practice is to always question an app’s request for certain permissions. For instance, if a note-keeping application asks for photo access, users should question the app’s motives in harvesting photo data.

It is also important to take note of any unusual behavior after downloading an application. If your battery life drops or you notice your phone acting slower than usual, a malicious app could be collecting data in the background.

  4. Do your research on specific applications you want to download

Before you decide to download an app onto your phone, another good practice is to search the application on Google and see if it was involved in any recent data breaches or scams.

If previously involved in a data breach, take note of the way a company/developer handles the occurrence. A developer should take extreme precautionary measures to make certain this does not affect its users again, while also making sure the app’s security is heightened after a breach has already happened.

  5. Keep your phone’s software updated

Oftentimes, OS updates are released to patch device vulnerabilities that may allow hackers to access your data via malicious application downloads. By updating your device regularly, you can reduce the risk of hackers using data exploits to their advantage.

  6. Download legitimate applications from a trustworthy source, such as Apple’s App Store and Google’s Play Store

Most applications found within Apple’s and Google’s stores “meet a standard quality of data protection and [are]…required to produce a dedicated privacy policy [to]…protect your data,” says Stephen Hart in an interview with CNET.

It is better to avoid any untrustworthy sources outside of reputable app stores, as a user runs the risk of downloading an app that may contain a virus onto their device.

Well-Known iPhone Apps Record Your Phone Screen Without Your Knowledge

Recent investigative reporting through TechCrunch revealed that a third-party application–Glassbox–has been assisting companies in collecting screen sessions (i.e. recording your screen) from users’ iPhones without their consent. This “session replaying” is essentially programmed into the application one uses on their mobile device, and can record your every press and swipe, even taking screenshots of what you’ve engaged with on the mobile app.

Travel sites such as Air Canada or booking sites like Expedia and Hotels.com are all guilty of utilizing Glassbox–a finding that is alarming considering the fact that such sites have users input personal and financial information during ticket or booking reservation purchases.

TechCrunch also revealed how such sites failed to mention the technology used for screen recording in their privacy policies. Nor do the apps ask for user consent before collecting screen sessions. TechCrunch’s investigation stems from the App Analyst’s discovery of Air Canada’s Glassbox use. As no information is disclosed to these application users, who is to say that other apps–both within iOS and Android–are not engaging in similar practices?

What is interesting–and particularly scary–to see is how session replay data is not masked, as sensitive information inputted by the user is susceptible to an interception cyber attack. In the previous year, Air Canada had suffered a data breach of its own mobile application, which exposed 20,000 users’ passport information.

Glassbox provided comment to The Verge:

“TechCrunch’s piece was interesting but also misleading. Glassbox and its customers are not interested in ‘spying’ on consumers,” the company said. “Our goals are to improve online customer experiences and to protect consumers from a compliance perspective. Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on web sites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling.

We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded — just as contact centers inform users that their calls are being recorded.”

New Chrome Extension from Google Can Notify You If Your Passwords Are Secure

As perfect timing for today’s Safer Internet Day, Google released a new Chrome extension that allows users to check if their passwords were exposed after the latest data breaches.

Once the extension has been added to your Chrome browser, Google notifies you with a warning if your login credentials matched any information found within an extensive database of four billion usernames and passwords from previous breaches.

Many of us are guilty of using the same passwords for our accounts, which is why breaches like that of Collection #1 remind us to use unique passwords instead. Even with many different passwords, though, it can be difficult to know which ones have been compromised in such massive data breaches. Thanks to Google’s extension, however, you can protect your accounts the next time you log in.


The Password Checkup extension works by encrypting the login credentials that are sent to Google. As Jon Porter from The Verge reports, “[p]asswords in the database are stored in a hashed and encrypted form, and any warning that’s generated about your details is entirely local to your machine.”

If you find out your password has been compromised, you can even use Chrome’s password generator to create a new password.

Though Chrome’s Password Checkup helps users in this time of need, this underlying concern still remains: are passwords really safe to use nowadays? WebAuthn–which uses tokens instead of passwords–may be a safer option, for example, but has yet to be implemented into more web browsers.

While you use Chrome’s new extension, make sure to utilize other resources to your advantage such as a password manager and two-factor authentication system. Furthermore, always use unique passwords when setting up your accounts.

Here Are the Worst Passwords of 2018

SplashData has recently released its annual “Top 100 Worst Passwords” list for 2018, and the passwords used are as shocking as ever to see. Despite repeated warnings from cybersecurity experts to use more complex, hard-to-guess passwords, the list still shows that the most popular choice for users is “123456”. Coming in at 2nd place is “password”. In these past five years, both passwords occupied the top of the list.

Popular name references have also been included as commonly used passwords, including “jordan”, “donald”, or “charlie”.

SplashData’s CEO Morgan Slain commented how, “Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online, because they know so many people are using those easy-to-remember combinations.”

This “worst password” ranking is based on data gathered from more than 5 million passwords leaked from North America and Western Europe. Estimates have shown that 3 percent of people from the leaked accounts used the password “123456” and 10 percent had used at least one password from the Top 25.

It turns out not even breaking stories involving data breaches are enough to sway the population to strengthen their password choices.

As provided by SplashData’s list, here’s 25 of the worst passwords used in 2018:

1) 123456

2) password

3) 123456789

4) 12345678

5) 12345

6) 111111

7) 1234567

8) sunshine

9) qwerty

10) iloveyou

11) princess

12) admin

13) welcome

14) 666666

15) abc123

16) football

17) 123123

18) monkey

19) 654321

20) !@#$%^&*

21) charlie

22) aa123456

23) donald

24) password1

25) qwerty123

If any of these seem recognizable from your own accounts, we highly recommend that you update your password to something more complex. Phrases used with symbols and numbers ensure your account stays protected, as such passwords would be more difficult to guess. For example, rather than using a simple phrase like “technologyrocks”, use “T3chn0logyR0cks!” instead.
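A sign-up or password-change form can reject the 25 passwords listed above, along with the lightly modified variants that the password-manager tip earlier on this page warns about. This is an added example, not SplashData's code; the character-substitution table and the suffix stripping are assumptions of the example.

```python
import re

# The 25 passwords from the list above.
WORST_2018 = [
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123",
]

# Common look-alike substitutions mapped back to a letter (assumed table).
# It is applied to BOTH the list and the candidate, so purely numeric
# entries such as "123456" still compare equal to themselves.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def canon(password: str) -> str:
    """Lower-case and undo look-alike substitutions."""
    return password.lower().translate(LEET)


CANON_TO_LISTED = {canon(p): p for p in WORST_2018}


def match_worst(candidate: str):
    """Return the listed password that `candidate` is a variant of, or None."""
    lowered = candidate.lower()
    forms = (
        lowered,                               # as typed
        re.sub(r"[^a-z0-9]+$", "", lowered),   # trailing symbols removed
        re.sub(r"[^a-z]+$", "", lowered),      # trailing digits/symbols removed
    )
    for form in forms:
        if form and canon(form) in CANON_TO_LISTED:
            return CANON_TO_LISTED[canon(form)]
    return None


if __name__ == "__main__":
    # Constructed candidates for demonstration.
    for pw in ["P@ssw0rd", "123456!", "Sunshine2018", "Dona1d",
               "T3chn0logyR0cks!"]:
        hit = match_worst(pw)
        print(f"{pw!r}: " + (f"variant of listed {hit!r}" if hit else "not on the list"))
```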

For the full list of the “Top 100 Worst Passwords of 2018,” see this post here.

Email Account Compromise Losses Reach a New High of $12 Billion According to FBI Report

Between October 2013 and May 2018, more than 78,000 business email compromise (BEC) and email account compromise (EAC) scam incidents occurred. According to recent FBI data, BEC and EAC scam losses increased by 136% worldwide between December 2016 and May 2018.

With the 78,617 BEC and EAC incidents reported, financial losses totaled a whopping $12 billion. Of those reported, 41,058 occurred within the U.S., with the nation losing $2.9 billion. According to further statistical data provided, Asian banks from both China and Hong Kong are the primary targets for fraudulent fund transfers; meanwhile, other emerging targets for fraudulent transfers include the UK, Mexico, and Turkey.

As the FBI explains in their PSA statement:

“The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”

Even the real estate industry has been greatly impacted, as collected statistics show an increase of 1,100% in BEC/EAC victims between 2015 and 2017.

With such cyber-security threats on the rise, it is most definitely encouraged to practice good cyber-hygiene to make sure your business stays safe from fraudulent email scams. With Inverselogic’s cyber-security service of simulated phishing tests, employees are trained and well prepared to identify cyber scams before clicking on an actual malware infested email link that could potentially harm your business.

Below is one example of a phishing email simulation test we created as part of our cyber-security services:

Once the link is clicked, employees are directed to an educational page that provides information on how to identify scam emails in the future.

Our business understands that network security is of utmost importance. That is why Inverselogic is here to help you every step of the way in ensuring your information is always protected from new and emerging email scam threats.  

To read more about our wide range of cyber-security services offered, please click here.