Friday, September 28, 2018

FYI - Facebook has been using contact information that users explicitly provided for security purposes—or that users never provided at all—for targeted advertising.


Facebook is also grabbing your contact information from your friends. This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends’ phone books.

https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads

Thursday, September 27, 2018

Data security - Boring idea, but data has become a new form and flow of currency. How much have we adapted to this idea?


Customer data, market data, intellectual property, resource consumption data, productivity data, and dozens of other categories are a new form and flow of currency in the data-driven enterprise. However, as data flow has achieved parity with cash flow, the CISO or the CSO has not achieved parity with the CFO.


  • Rather than using application names or table or column names, group data at the lowest level into buckets like "high-sensitivity personally identifiable information" or "customer payment information."

  • Too often companies focus on the relationship between users and application access. This is important, but it doesn't take into account which applications have access to what data, and therefore ignores the direct relationship between users and data.

  • Through new technologies like blockchain, data flows can be recorded directly as they happen, making the resulting audit trail immutable and virtually impossible for the record to be manipulated.




https://www.darkreading.com/analytics/managing-data-the-way-we-manage-money/a/d-id/1332896

Tuesday, September 25, 2018

If you are using the KODI media player, then you should know that it could be used as a malware distribution platform by cybercriminals.




Researchers from ESET said that malware can spread through Kodi in three different ways:

  1. Users could add the URL of a malicious repository to their Kodi installation, which would download add-ons whenever they update their Kodi installation.
  2. Users could install a ready-made Kodi build that includes the URL of a malicious repository.
  3. Users could install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates.


“Cybercriminals are increasingly abusing add-ons and scripting functionalities in response to the tightening of security measures for operating systems.”

The top five countries affected by the threat, according to ESET’s telemetry, are the United States, Israel, Greece, the United Kingdom and the Netherlands.

https://threatpost.com/cybercriminals-target-kodi-media-player-for-malware-distribution/137670/

Say "NO" to Free VPN because organizations are intentionally setting them up as a way to gather user data.


While many VPN service providers would want you to believe that they have charitable aims in offering VPN access for free, the reality is that most free VPN services are glorified data farms.

Hotspot Shield, in particular, is a major culprit.
Hotspot Shield hijacks and redirects user traffic from top e-commerce websites to those of its affiliate partners, and also uses more than five different third-party tracking libraries to enable it to serve targeted ads to its users.

Very few of the users know that Hotspot Shield intentionally allows third parties to gather data from users of their VPN service.

Here it is straight from their privacy policy page: “Our ad partners may also receive information independently from you or your device.” The data Hotspot Shield’s “ad partners” are allowed to gather may include your device’s advertising ID, IMEI, MAC address, and wireless carrier information.

Hola - A team of researchers even set up a website to expose some of the flaws in Hola — including serving as an exit node and allowing code to be executed on computers using the Hola software.

Betternet - Does this by allowing its advertisers the kind of access that makes it possible for them to gather data from its users' devices.



Some VPN services have been set up solely for the purpose of acquiring and trading in user data. How else would you explain the fact that a big data company, Talking Data, is behind some of the popular VPN apps in the Google Play store, including GO VPN and Eagle VPN?

Those who do not gather these data directly give advertisers free rein to do it in order to deflect responsibility, which is much worse. Worse still, some of the data gathered are transmitted over insecure connections, compromising user privacy.


https://www.hackread.com/almost-every-major-free-vpn-service-is-a-glorified-data-farm/

Wednesday, September 19, 2018

Can you rely on video surveillance recordings if they could be remotely tampered with by a hacker?



Hundreds of thousands of security cameras are believed to be exposed to a zero-day vulnerability (dubbed "Peekaboo") that could allow hackers to spy on feeds and even tamper with video surveillance recordings.



The vulnerability, dubbed “Peekaboo”, exists in NUUO’s Network Video Recorder software. Aside from allowing remote hackers to snoop on and even alter CCTV footage, it can be abused to steal data such as credentials for all connected security cameras, IP addresses, and other data related to the devices.

First, NUUO is a leading member of the video surveillance industry. According to some estimates there might be anywhere between 180,000 and 800,000 CCTV cameras in public use that are vulnerable to “Peekaboo”.

Secondly, hackers could exploit the root access they gain on vulnerable devices to disconnect live video feeds, or even tamper with security footage.

The good news is that NUUO is believed to be working on a patch. The bad news is that each camera is likely to need to be updated manually once a patch is made available.

https://www.bitdefender.com/box/blog/iot-news/peekaboo-zero-day-lets-hackers-view-alter-surveillance-camera-footage/

Tuesday, September 18, 2018

Welcome to the new generation of all-in-one malware: "XBash", which combines ransomware, a bot and a worm.



It can infect both Linux and Windows. It deletes databases and creates ‘PLEASE_READ_ME_XYZ’.

As usual we have two choices: we can buy an expensive gadget that has a flashy dashboard, or we could simply patch our systems.

Victims are instructed to deposit 0.02 bitcoin to the address mentioned by the attacker to recover the lost data; otherwise the contents will be leaked on the internet. But this is a false promise, because the data simply cannot be recovered by the malware.



https://www.hackread.com/linux-windows-disk-wiper-ransomware-cryptomining-xbash-malware/

Thursday, September 13, 2018

How can you be sure that you are not looking at a fake login page? Safari and MS Edge browsers can preserve the address bar while loading content from a spoofed page. This vulnerability would allow an attacker to create fake login screens or other forms that could harvest usernames, passwords and other data from users who thought they were on a real landing page.



Rafay Baloch spotted the vulnerability, which allows JavaScript to update the address bar while the page is still loading, effectively causing the browser to display the intended address while loading content from the spoofed page.

Microsoft has already taken action and patched the vulnerability (CVE-2018-8383) in its Edge browser (this will help only if you are patching regularly), but Safari remains vulnerable as Apple has yet to patch.

https://www.scmagazine.com/home/news/apples-safari-and-microsofts-edge-browsers-contain-spoofing-bug/

Tuesday, September 11, 2018

If you are concerned about identity theft and the credit history of all your family members, you should read this.

You can "credit freeze" (restrict access to your credit file, making it far more difficult for identity thieves to open new accounts in your name) for FREE.

Identity thieves can and often do target minors, but this type of fraud usually isn’t discovered until the affected individual tries to apply for credit for the first time, at which point it can be a long and expensive road to undo the mess.

According to the U.S. Federal Trade Commission, when the new law takes effect on September 21, Equifax, Experian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes.

The law also provides additional ID theft protections to minors. Currently, some state laws allow you to freeze a child’s credit file, while others do not. Starting Sept. 21, no matter where you live you’ll be able to get a free credit freeze for kids under 16 years old.


Under the new law, fraud alerts last for one year, but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval if you have a fraud alert on your file, they’re not legally required to do this.

https://krebsonsecurity.com/2018/09/in-a-few-days-credit-freezes-will-be-fee-free/

Windows Security folks - Take a look at the list of websites and services that a Windows PC connects to after a clean install.

Monday, September 10, 2018

Do you know your Windows 10 PC can be set to auto-lock when you step away? All you need is a Bluetooth-enabled device (your phone, maybe).

We know free apps make money by selling your info, but how about one (Adware Doctor) that is paid to protect you and actually pilfers data secretly to a server in China (bypassing App Store sandbox restrictions)?


Adware Doctor
The app sidesteps Apple's sandbox and covertly collects users' browser histories, then transfers them to a server in China—a blatant violation of Apple's developer guidelines.

Adware Doctor collects sensitive user data—primarily any website you've visited or searched for—from all the popular web browsers including Chrome, Firefox, and Safari, and then sends that data to a Chinese server at hxxp://yelabapp.com/ run by the app's makers.

What's more, Adware Doctor was originally named "Adware Medic", which was clearly designed to mimic a different AdwareMedic app acquired and rebranded by Malwarebytes in 2015.

Security researcher Patrick Wardle contacted Apple weeks ago about the issue, but the company did nothing about it.

https://thehackernews.com/2018/09/mac-adware-removal-tool.html

Friday, September 7, 2018

Recently we have heard multiple stories about "AWS S3 bucket leaks". How can we avoid this? Here is a checklist of things you should configure to ensure your critical data is secure.



Looking beyond what seemed to be an obvious configuration mistake, two primary reasons surfaced:

1. Too Much Flexibility (Too Many Options) Turns into Easy Mistakes
There are five different ways to configure and manage access to S3 buckets.
More ways to configure implies more flexibility, but also a higher chance of making a mistake. The other challenge is that there are two separate policies, one for buckets and one for the objects within the bucket, which makes things more complex.

2. A “User” in AWS is Different from a “User” in your Traditional Datacenter
On an AWS account, the “Everyone” group includes all users (literally anyone on the internet) and “AWS Authenticated User” means any user with an AWS account.


S3 Security Checklist


  • Audit for Open Buckets Regularly
  • Encrypt the Data
  • Encrypt the Data in Transit
  • Enable Bucket Versioning
  • Enable MFA Delete
  • Enable Logging
  • Monitor all S3 Policy Changes
  • Track Applications Accessing S3
  • Limit Access to S3 Buckets
  • Close Buckets in Real time
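As an added example (not code from the Infosec Island article), here is a small offline audit that applies the "Audit for Open Buckets Regularly" and "Limit Access to S3 Buckets" items to a bucket's ACL and policy documents. The ACL and policy below are constructed samples in the shape that boto3's get_bucket_acl and get_bucket_policy return; the two group URIs are AWS's real AllUsers and AuthenticatedUsers groups, which correspond to the "Everyone" and "AWS Authenticated User" distinction explained above.

```python
"""Offline audit of S3 bucket access settings for the two classic open-bucket
mistakes: an ACL grant to the AllUsers / AuthenticatedUsers groups, and a
bucket policy Allow statement with a wildcard principal.
Added example: bucket name, ACL and policy are constructed, not real accounts."""
import json

# The two pre-defined S3 groups: "Everyone" (anyone on the internet) and
# "AWS Authenticated User" (anyone with any AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any AWS account",
}


def acl_findings(acl):
    """Return (grantee label, permission) for every grant to a public group.
    `acl` has the shape returned by boto3 get_bucket_acl (a 'Grants' list)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((PUBLIC_GRANTEE_URIS[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    # Principal may be the string "*" or a dict such as {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def policy_findings(policy_json):
    """Return the Sid (or index) of every Allow statement open to any principal.
    Statements with a Condition are still reported: conditions such as
    aws:SourceIp are easy to get wrong, so a reviewer should read them by hand."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed as a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def audit_bucket(name, acl, policy_json):
    """Combine both checks into one report dict; policy_json may be None."""
    return {
        "bucket": name,
        "public_acl_grants": acl_findings(acl),
        "open_policy_statements": policy_findings(policy_json) if policy_json else [],
    }


# Constructed sample: a bucket with a public-read ACL grant and a wildcard policy.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

The report for the sample flags the AllUsers READ grant and the "PublicRead" statement, while the role-scoped "AppRole" statement passes. This only covers the bucket-level ACL and policy; because objects carry their own ACLs (the "two separate policies" problem above), the same acl_findings check should be run over get_object_acl output as well.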




http://infosecisland.com/blogview/25056-Avoiding-Holes-in-Your-AWS-Buckets.html

BEWARE - cybercriminals have figured out a new way to steal funds from people’s credit cards.

The malefactors use a legit remote access tool for mobile devices called AirDroid. They try to dupe as many people as possible into installing the app and authenticating with credentials provided by the attackers. The main target audience is 25-year-olds and up. The idea is to transfer money from a card by sending a specific text message to a short number on behalf of the victim. While this service number varies between banks, a regular Google search finds it in the blink of an eye.

https://www.tripwire.com/state-of-security/featured/crooks-drain-your-credit-card-account/

Wednesday, September 5, 2018

Did you know: 60 percent of business email compromise (BEC) attacks are hard to detect because they don’t involve a malicious link.



  • They are intended to start a conversation with the recipient — and eventually persuade the target to authorize a wire transfer or send sensitive information.
  • 46.9 percent of attacks tried to initiate a wire transfer, while 40.1 percent pushed victims to click on a malicious link.
  • (Big surprise) Almost half of the impersonated roles and more than half of targets are not in ‘sensitive’ positions.
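Because these messages carry no link for a URL scanner to fire on, detection has to key on the sender and the request itself. The following is an added example (not code from the Threatpost report) that scores messages with a few such heuristics: an executive's display name arriving from an external domain, a Reply-To that diverts the thread to another domain, and wire-transfer or urgency wording. The company domain, the executive watch-list, the weights and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage for link-free BEC 'conversation starter' emails.
Added illustration: INTERNAL_DOMAIN, EXEC_NAMES, the weights and the sample
messages are constructed, not taken from the Threatpost report."""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                 # constructed company domain
EXEC_NAMES = {"jane doe", "john smith"}         # constructed impersonation watch-list

# Wording typical of the wire-transfer / data-request pretext.
FINANCIAL_PHRASES = ("wire transfer", "payment", "invoice", "gift card", "bank details")
URGENCY_PHRASES = ("urgent", "asap", "right away", "quick task", "are you available")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Constructed weights: impersonation and thread diversion count far more than wording.
WEIGHTS = {
    "exec display name from external domain": 3,
    "reply-to domain differs from sender domain": 2,
    "financial request wording": 1,
    "urgency or availability pretext": 1,
}
FLAG_THRESHOLD = 3


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg):
    """Return (score, reasons, link_free) for a message dict with keys
    'from', 'reply_to', 'subject' and 'body' holding the header/body strings."""
    reasons = []
    name, addr = parseaddr(msg.get("from", ""))
    sender_domain = _domain(addr)
    if name.strip().lower() in EXEC_NAMES and sender_domain != INTERNAL_DOMAIN:
        reasons.append("exec display name from external domain")
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    if reply_addr and _domain(reply_addr) != sender_domain:
        reasons.append("reply-to domain differs from sender domain")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(p in text for p in FINANCIAL_PHRASES):
        reasons.append("financial request wording")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("urgency or availability pretext")
    # Link-free is recorded but not scored: most legitimate mail has no link either.
    link_free = URL_RE.search(msg.get("body", "")) is None
    return sum(WEIGHTS[r] for r in reasons), reasons, link_free


def triage(messages):
    """Return the subjects of messages whose score reaches FLAG_THRESHOLD."""
    return [m["subject"] for m in messages if score_message(m)[0] >= FLAG_THRESHOLD]


# Constructed sample mailbox: two BEC-style openers and one ordinary newsletter.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@webmail-example.net>", "reply_to": "",
     "subject": "Quick task",
     "body": "Are you available? I need a wire transfer processed today. Let me know asap."},
    {"from": "Newsletter <news@vendor-example.org>", "reply_to": "",
     "subject": "September update",
     "body": "Read this month's post at https://vendor-example.org/blog/september"},
    {"from": "John Smith <john.smith@example.com>", "reply_to": "john.smith@mail-example.net",
     "subject": "Invoice",
     "body": "Please send the outstanding invoice details to this address."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], score_message(m))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

Both openers are flagged (the first on display-name impersonation plus wording, the second on the diverted Reply-To plus wording) while the newsletter, the only message that actually contains a link, scores zero. In production the watch-list would come from the directory, and the score would be one signal alongside SPF/DKIM/DMARC results rather than a verdict on its own.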


https://threatpost.com/threatlist-60-of-bec-attacks-fly-under-the-radar/137156/

Is your "Security Awareness" program going well? If not, maybe you should read this.



6 Reasons Security Awareness Programs Go Wrong

1. Security Pros Get Too Technical with Top Management

2. Companies Don't Spend Enough Time Training Execs With Financial Responsibilities

3. Managers Across the Business Aren't Encouraged to Participate

4. Companies Don't Recruit Natural Leaders

5. Companies Don’t Sell the Personal Benefits of Security Awareness Programs

6. Companies Don't Plan Properly or Test Thoroughly Enough

https://www.darkreading.com/threat-intelligence/6-reasons-security-awareness-programs-go-wrong/d/d-id/1332644