Red Tree Communications |

6 Things You Need to Do to Prevent Getting Hacked

summest — Tue, 10 May 2022 16:22:00 +0000

THERE ARE TWO big reasons why people get hacked. Flaws in software and flaws in human behavior. While there’s not much you can do about coding vulnerabilities, you can change your own behavior and bad habits.

Just ask former US president Donald Trump, whose Twitter password was “maga2020!” Or Boris Johnson, who revealed details of sensitive Zoom calls at the start of the pandemic in 2020. (These world leaders will have had specific security training from protection agencies too.)

The risks are just as real for the average person—even if the stakes aren’t quite so high. If your accounts aren’t properly protected, your credit card could be compromised or your private messages and photographs stolen and shared for all to see. Working out if your accounts have been hacked is a time-consuming and potentially frustrating process. You’re better off taking some steps to mitigate the risks of getting hacked in the first place. Here’s what you can do to protect yourself.

Use Multi-Factor Authentication

Arguably the most effective thing you can do to protect your online accounts is turning on multi-factor, or two-factor, authentication for as many of your accounts as possible. The method uses a secondary piece of information—often a code generated by an app or sent via SMS—alongside a password.

This secondary piece of information helps to prove it really is you trying to log in, as the codes are often accessed on the phone in your pocket. Even if you do have a password that’s easy to guess (we’ll get to that shortly), an attacker is unlikely to get access to an account with multi-factor authentication turned on unless they have your phone.

There’s a guide to all the accounts that support the method here, but in the first instance you should turn it on for all the accounts that hold personal information that could be abused. Like messaging apps such as WhatsApp, social media including Facebook, Instagram, and Twitter, and your email accounts.

Not all forms of multi-factor authentication are equal though. Code-generating apps are considered more secure than getting codes via SMS, and beyond that, physical security keys provide an even more robust layer of protection.

Get a Password Manager

Let’s talk about passwords. It’s 2021. You shouldn’t be using “password” or “12345” for any of your passwords—even if it’s a throwaway account.

All the passwords you use for your online accounts should be strong and unique. What this really means is they should be long, include a mixture of different character types, and not be used across multiple websites. Your Twitter password shouldn’t be the same as your online banking one; your home Wi-Fi network shouldn’t use the same credentials as your Amazon account.

The best way to do this is by using a password manager. Password managers create strong passwords for you and store them securely. If the fact that they can stop you getting hacked isn’t enough to make you consider using one, a password manager also means you never have to struggle to remember a forgotten password again.

From our testing of the best password managers out there, we recommend trying out LastPass or KeePass.Learn How to Spot a Phishing Attack

Quickly clicking can be your worst enemy. When a new email or text message arrives, and it includes something that can be tapped or clicked, our instincts often lead us to do it straight away. Don’t.

Hackers have used the pandemic as cover to launch wave after wave of phishing attacks and dumb Google Drive scams.

Anyone can fall for these types of scams. The main thing to do is to think before you click. Scam messages try to trick people into behaving in a way they wouldn’t normally—with, say, pretend instant demands from a boss or messages that say an urgent response is required.

There’s no foolproof way to identify every type of phishing effort or scam—scammers are constantly upping their game—but being aware of the threat can help reduce its effectiveness. Be cautious, think before you click, and download files only from people and sources you know and trust.

Update Everything

Every piece of technology you use—from the Facebook app on your phone to the operating system that controls your smart lightbulb—is open to attack. Thankfully, companies are always finding new bugs and fixing them. That’s why it’s crucial you download and update the latest versions of the apps and software you’re using.

Start with your phone. Navigate to your device settings and find out what operating system you’re using, and update it if you’re not on the latest version (iOS 14 is the latest for iPhones; Android 11 is the latest from Google). For apps and games, Apple’s iOS 13 and above downloads updates automatically, although these settings can be customized. On Android, auto-updates can also be turned on by visiting the settings page in the Google Play Store.

Once you’ve updated your phone, you need to work out what devices to update next. Generally these should be done in order of potential impact. Any laptops and computers you own should be high up the list, and then work back through other connected devices in your life. Remember: Everything is vulnerable, including your internet-connected chastity belt.

Encrypt Everything

Protecting your communications has never been easier. Over the last half-decade, companies handling our personal data—including the messages we send and the files we upload to the cloud —have realized that encryption can help them as well as their customers. Using encrypted services means that what you’re sending is better protected against surveillance and won’t be accessible if your device gets lost or stolen.

There are two main end-to-end encrypted messaging services, Signal and WhatsApp. Messages (including photos and videos) plus voice calls and video calls are encrypted by default within both apps. They both also let you use disappearing messages, which remove what you’ve sent after a set period of time. The practice can help keep your chats private, even from those that have access to your devices. Our advice is to use Signal where possible, as it collects less metadata than WhatsApp and isn’t owned by Facebook. But if you can’t get your friends to move to Signal, WhatsApp offers a lot more protection than apps that don’t use end-to-end encryption by default.

For your emails, encrypted provider ProtonMail can protect your messages, and there’s also the option to use burner email accounts for mailing lists and purchases where you don’t want to hand over your personal data.

Beyond your messages, encrypting the files on your devices can help reduce the chances of your data being compromised if you’re hacked or lose your devices. Both iPhone and iOS encrypt your hard drive by default. Just make sure you use a strong password or PIN for your devices. A little more effort is needed to encrypt the hard drive on your laptop or computer. Turn on Apple’s FileVault to encrypt your startup disk, and on Windows you can turn encryption on through the Settings menus or use BitLocker encryption.

Wipe Your Digital Footprint

The past can come back to haunt you. The old online accounts you no longer use and the login details that belong to them can be weaponized against you if you don’t do anything about them. Hackers frequently use details from previous data breaches to access the accounts people currently use.

Reducing the amount of information that’s available about your online life can help cut your risk of being hacked. A very simple step is to regularly delete your Google search history, but you can also use privacy-first Google alternatives.

Beyond this, there’s a lot more you can do to reduce your digital footprint. Find the old accounts you no longer use and delete them. It’ll reduce the amount of spam you get and reduce the number of ways hackers can target you. Use Have I Been Pwned? to find your information in old data breaches, use a VPN to boost browsing privacy, and download Tor if you really want to boost your online anonymity.

This story originally appeared on WIRED UK.

How to avoid ransomware attacks at work

summest — Wed, 14 Jul 2021 14:53:22 +0000

By Tatum Hunter, Washington Post, July 8, 2021|

When a security vulnerability at IT software-maker Kaseya led to a ransomware attack that affected 800 to 1,500 businesses, it wasn’t one employee’s fault.

But that’s not always the case.

Ransomware, which locks down a target’s computers and data, can infect a network a few different ways, including through employee accounts. Click the wrong link, open the wrong attachment or log into the wrong website, and you could put your company in a perilous position.

Depending on their roles, some employees find their inboxes flooded with hundreds of phishing emails designed to steal the recipient’s credentials, says Ryan Kalember, executive vice president of cybersecurity strategy at security firm Proofpoint. That requires constant attention, especially as ransomware attacks become more frequent and their demands more intense. The average ransomware payment has nearly tripled so far in 2021 compared to last year, with targets doling out about $850,000, according to a report by Palo Alto Networks.

“If you have a word like ‘accounts’ in your title, you will be attacked more,” Kalember says.

And that doesn’t mean others should let their guards down. Plenty of firms don’t have the resources to invest in frequent training, software upgrades and security systems — so employees become the first line of defense.

Luckily, conning people is an ancient art, and ransomware groups aren’t breaking new ground. Phishing emails aim for an emotional reaction, says Palo Alto Networks Deputy Director of Threat Intelligence Jen Miller-Osborn. These messages pull busy employees in with promises of money, important company secrets and even cute animals pictures.

Keep an eye out for these phishing red flags to avoid ransomware and cover your behind.

Here’s how employers can help individuals guard against phishing and ransomware:

Train employees to spot phishing attempts

Employees need frequent training to keep up with the evolving format and content of phishing emails. One study from a few German universities found employees’ ability to identify phishing attempts drops just six months after their initial training, and that video and interactive training courses are most effective.

Authenticate your corporate email domain.

This blocks the delivery of messages from fraudsters pretending to be a member of your organization. Check with your email service provider, like Microsoft Outlook or Google, to get started. You should also attach warnings to emails coming from external senders or containing links or attachments — both Outlook and Gmail offer this feature.

Clarify what employees should do if they click a suspicious link or attachment.

If people are afraid to report or don’t know how, they probably won’t do it. Make sure reporting procedures are outlined in your company’s security policy. Kalember recommended automated reporting, which lets employees report malicious email with the click of a button.

Leave room for human error.

Somebody is always going to open the phishing email promising adorable kitten pictures. So consider hedging your bets with anti-phishing technology like remote browsers, in which URLs open not in a traditional browser, but in a special environment in the cloud that disappears as soon as you’re done with it. That way, no matter what the URL contains, it can’t compromise the employee.

Conduct ongoing security testing.

Attackers use malicious files and compromised business email accounts to install ransomware on company computers and networks, but software vulnerabilities are another way in. Your company’s IT team — or a third party — should be actively looking for threats on your network.

How Google and Amazon are ‘spying’ on you

summest — Mon, 29 Mar 2021 16:03:10 +0000

You would be forgiven for thinking that your private conversations were just that, but two leading voice assistants are listening to everything you say, a new report claims.

Patent applications from Amazon and Google revealed how their Alexa and Voice Assistant powered smart speakers are ‘spying’ on you.

The study warns of an Orwellian future in which the gadgets eavesdrop on everything from confidential conversations to your toilet flushing habits.

Future versions of gadgets like the Echo and Home will use this data to try and sell you products, it says.

The findings were published in a report created by Santa Monica, California based advocacy group Consumer Watchdog.

It says patents reveal the devices’ possible use as surveillance equipment for massive information collection and intrusive digital advertising.

The study found that digital assistants can be ‘awake’ even when users think they aren’t listening.

The digital assistants are supposed to react only when they hear a so-called ‘wakeword.’

For Amazon’s Echo it’s ‘Alexa’ and for Google Home it’s ‘OK, Google.’

In fact, the devices listen all the time they are turned on – and Amazon has envisioned Alexa using that information to build profiles on anyone in the room to sell them goods.

Amazon filed a patent application for an algorithm that would let future versions of the device identify statements of interest, such as ‘I love skiing’, enabling the speaker to be monitored based on their interests and targeted for related advertising.

A Google patent application describes using a future release of it smart Home system to monitor and control everything from screen time and hygiene habits, to meal and travel schedules and other activities.

The devices are envisioned as part of a surveillance web in the home to chart a families’ patterns so that they can more easily be marketed to based on their interests.

John Simpson, Consumer Watchdog’s privacy and technology project director, said: ‘Google and Amazon executives want you to think that Google Home and Amazon Echo are there to help you out at the sound of your voice.

‘In fact, they’re all about snooping on you and your family in your home and gathering as much information on your activities as possible.

‘You might find them useful sometimes, but think about what you’re revealing about yourself and your family, and how that information might be used in the future.

‘Instead of charging you for these surveillance devices, Google and Amazon should be paying you to take one into your home.’

MailOnline contacted both Amazon and Google for a comment, but had yet to receive a response at the time of publication.

Google and Amazon appear most interested in using the data they get by snooping on your daily life to target advertising, Consumer Watchdog said.

However, when that information is compiled others could access it.

For example, home insurers and utility companies have already made deals with Nest to put smart devices in their customers’ homes.

Law enforcement is already seeking information from smart devices.

An Amazon Echo made headlines last year when US police investigating a murder sought to subpoena recordings made by the device.

Investigators in the same case also managed to obtain data from a smart water meter that suggested that the crime scene had been hosed down before police arrived.

Hackers and identity thieves are also likely to be able to access the data compiled by Google and Amazons snooping, the report warns.

This is not the first time that the voice search function has landed Google in hot water in recent months.

In November, MailOnline received a number of transcripts of conversations that show how Voice Assistant may be recording your conversations without you knowing.

The feature is designed to allow users to talk to enabled gadgets to search the web, launch apps and use other interactive functions.

As part of this process, Google keeps copies of clips made each time you activate it, but it has emerged that background chatter could be enough to trigger recording.

One example from an anonymous user appears to have registered the code to their back door entry system, while chatting with a friend.

A written transcript of the conversation said: ‘If you ever get booked down to my house for some reason the key safe for the back door is 0783.’

Another user’s conversation about technology appears to have been captured, without them realising the assistant was recording.

They said: ‘Mate. We’re living in the future. I’ve just installed a game through the Steam app remotely on my PC in London from my phone.’

Another clip from the same person appears to have captured them saying ‘F*** off’ to someone.

Google previously released a My Activity feature that reveals exactly how much information the company has collected about you, through your activities online.

What some people may be unaware of is that the Voice and Audio section includes recordings of your voice.

These are made when you trigger the voice assistant, which may happen inadvertently during conversations or by pressing buttons on a Voice Assistant enabled device without realising it.

A spokesman for the firm said: ‘We only process voice searches after the phone believes the hot word ‘OK Google’ is detected.

‘Audio snippets are used by Google to improve the quality of speech recognition across Search.’

They added that ambient recording is never transmitted to the cloud.

Google’s support site says that the firm records your voice and other audio, plus a few seconds before, when you use audio activation.

This includes saying commands like ‘OK Google’ or tapping the microphone icon.

Your audio is saved to your account only when you’re signed in and Voice & Audio Activity is turned on. Audio can be saved even when your device is offline.

The Mountain View company says it uses your Voice & Audio Activity to learn the sound of your voice and how you say words and phrases.

It is also used to improve speech recognition across it products.

To see your saved audio, sign in with your Google account information.

This will enable you to see all the information Google has stored on the history of your account.

To delete any, click on the three dots in the top right corner and choose ‘Delete activity by’.

This will take you to a window where you can pick if you would like to delete any information.

How To Protect Your Smartphone From Hacking

summest — Sat, 27 Feb 2021 14:28:35 +0000

Whether it’s listening to a podcast on our way to work, doing quick calculations as our mental math skills have almost completely deteriorated, or putting everything from movies to doctor’s appointments in our calendar, there’s hardly ever a moment when we don’t have our smartphone by our side. So if we were to be hacked, we’d be in deep trouble, risking information about our credit and debit cards, location, social security number, and more.

But don’t throw away your smartphone just yet! There are a number of ways to prevent hackers from gaining access to your smartphone, and none of them require much time or effort. In just a few minutes, you can go from zero to hero regarding smartphone security. Let’s get started!

Don’t Jailbreak: No, this isn’t a game of Monopoly. Jailbreaking your smartphone means that you have complete control over your smartphone, avoiding the manufacturer’s restrictions. So on an iPhone, for example, that means you’ll be able to use apps from places other than Apple’s official app store, plus make any tweaks to your phone’s iOS. However, we don’t recommend jailbreaking because with freedom comes lack of security. First of all, you shouldn’t be downloading apps that aren’t from the app store, as they haven’t been screened for malware. In fact, when you jailbreak your phone, you’re basically taking down all of the security measures that the manufacturer has built into their smartphones— think of it like bulldozing the fence around your house. While you might appreciate the view, you’re a lot more vulnerable than you were before. Jailbreaking also removes the smartphone’s virus protection, plus, you won’t be able to easily update your software, which could lead to further problems down the line.
Make Smartphone Lock Sooner: In the moments where we don’t have our smartphones on hand, you might have noticed that they lock, forcing you to enter in your passcode or biometrics like your fingerprint or face. While it might be annoying to have to sign in every time, ultimately, it’s protecting your device, so we recommend setting your auto-lock to 30 seconds, meaning it will lock with no activity for 30 seconds. And if you don’t have the lock turned on at all, needless to say, you should probably change that.
Perform All Software Updates: Companies like Google and Apple have people working around the clock to improve the smartphone’s security, so if there’s ever an iOS or Android update, do it. Although these updates can be annoying, they’re incredibly necessary for keeping up with the latest and greatest in security software. We recommend doing them at night so you’re never without your smartphone in your waking hours!
Set up Two-Factor Authentication: If you’ve been paying attention, then you know that it’s a smart idea to turn on auto-lock so you’ll have to enter a passcode to access your smartphone, but if you want to take that a step further, we’d set up two-factor authentication. That way, if someone guesses your passcode, they still won’t be able to access your phone, as your phone company will send you another code via text or phone call. Again, this will make opening your smartphone a bit more tedious, but it’s a fantastic idea if you’re serious about avoiding hackers.
Create Long Passcode: When choosing a passcode, people tend to do something fairly obvious, like their birthday, numbers in chronological order, or a portion of their phone number. Needless to say, this isn’t the safest practice. Rather, the numbers should be truly random, and be sure to use a six-digital passcode, the longest possible. While it will be a bit harder to remember this number, it will also be harder for hackers to guess, which is ultimately a good thing for your phone’s security.
Turn On Erase Data: Now, what if your smartphone is lost or stolen and for some reason, your hackers are able to access your account? Of course, this is a worst-case scenario, but in a weird way, thinking about what to do in these situations is kind of our job. Don’t worry: there is a solution, and that is to turn on Erase Data, otherwise known as setting your smartphone to self-destruct. The other option is having the phone automatically “self-destruct” after too many failed passcode attempts. Of course, this is a more extreme measure, but either will ultimately increase your smartphone’s security.
Avoid Phishing and Pop-Ups: Phishing has gotten increasingly sophisticated, sending tech-savvy people ostensibly legitimate links and pop-up ads. While phishing is a topic we have a lot more to say about, there are some basics we want to impart to you. Don’t email any sensitive information unless you are sure of the recipient, and don’t click on any links unless you are sure they are legitimate. Scroll down to find out how you can tell if a website is safe or not.
Turn Auto-Fill Off: Auto-fill, which fills out forms automatically with your personal and financial information, is both incredibly convenient and incredibly dangerous if your phone gets in the wrong hands. What’s to stop a hacker or thief from using your credit card information to buy themselves a new wardrobe from Supreme? While it might make your life a bit more tedious, it is the safest idea to turn off auto-fill on your smartphone.

Why you should care about data privacy even if you have “nothing to hide”

summest — Sun, 21 Feb 2021 20:40:39 +0000

By Sara Morrison Jan 28, 2021, 1:10pm EST

When I tell people I write about data privacy, I usually get something along the lines of these two responses:

“Is Facebook listening to me? I got an ad for parrot food, and the only possible explanation is that Facebook heard my friend tell me about his new pet parrot, because he mentioned that exact brand, which I never even heard of before.”

(No, Facebook isn’t.)

Here’s the other:

“I’m sure that’s important to someone, but I don’t have anything to hide. Why should I care about data privacy?”

A ton of personal and granular data is collected about us every day through our phones, computers, cars, homes, televisions, smart speakers — anything that’s connected to the internet, basically, as well as things that aren’t, like credit card purchases and even the information on your driver’s license. We don’t have a lot of control over much of this data collection, and we often don’t realize when or how it’s used. That includes how it may be used to influence us.

Maybe that takes the form of an ad to buy parrot food. But it may also take the form of a recommendation to watch a YouTube video about how globalist world leaders and Hollywood stars are running a pedophile ring that only President Trump can stop.

“Internet platforms like YouTube use AI that deliver personalized recommendations based on thousands of data points they collect about us,” Brandi Geurkink, a senior campaigner at Mozilla Foundation who is researching YouTube’s recommendation engine, told Recode.

Among those data points is your behavior across YouTube parent company Google’s other products, like your Chrome browsing habits. And it’s your behavior on YouTube itself: where you scroll down a page, which videos you click on, what’s in those videos, how much of them you watch. That’s all logged and used to inform increasingly personalized recommendations to you, which may be served up through autoplay (activated by default) before you can click away.

She added: “This AI is optimized to keep you on the platform so that you keep watching ads and YouTube keeps making money. It’s not designed to optimize for your well-being or ‘satisfaction,’ despite what YouTube claims. As a result, research has demonstrated how this system can give people their own private, addictive experience that can easily become filled with conspiracy theories, health misinformation, and political disinformation.”

The real-world harm this can cause became pretty clear on January 6, when hundreds of people stormed the Capitol building to try to overturn the certification of an election they were convinced, baselessly, that Trump won. This mass delusion was fed by websites that, research has shown, promote and amplify conspiracy theories and election misinformation.“If personal data is being used to promote division, consumers have a right to know.”

“The algorithmic amplification and recommendation systems that platforms employ spread content that’s evocative over what’s true,” Rep. Anna Eshoo (D-CA) said in a recent statement. “The horrific damage to our democracy wrought on January 6th demonstrated how these social media platforms played a role in radicalizing and emboldening terrorists to attack our Capitol. These American companies must fundamentally rethink algorithmic systems that are at odds with democracy.”

For years, Facebook, Twitter, YouTube, and other platforms have pushed content on their users that their algorithms tell them those users will want to see, based on the data they have about their users. The videos you watch, the Facebook posts and people you interact with, the tweets you respond to, your location — these help build a profile of you, which these platforms’ algorithms then use to serve up even more videos, posts, and tweets to interact with, channels to subscribe to, groups to join, and topics to follow. You’re not looking for that content; it’s looking for you.

This is good for users when it helps them find harmless content they’re already interested in, and for platforms because those users then spend more time on them. It’s not good for users who get radicalized by harmful content, but that’s still good for platforms because those users spend more time on them. It’s their business model, it’s been a very profitable one, and they have no desire to change it — nor are they required to.

“Digital platforms should not be forums to sow chaos and spread misinformation,” Sen. Amy Klobuchar (D-MN), a frequent critic of Big Tech, told Recode. “Studies have shown how social media algorithms push users toward polarized content, allowing companies to capitalize on divisiveness. If personal data is being used to promote division, consumers have a right to know.”

But that right is not a legal one. There is no federal data privacy law, and platforms are notoriously opaque about how their recommendation algorithms work, even as they’ve become increasingly transparent about what user data they collect and have given users some control over it. But these companies have also fought attempts to stop tracking when it’s not on their own terms, or haven’t acted on their own policies forbidding it.

Over the years, lawmakers have introduced bills that address recommendation algorithms, none of which have gone anywhere. Rep. Louis Gohmert (R-TX) tried to remove Section 230 protections from social media companies that used algorithms to recommend (or suppress) content with his “Biased Algorithm Deterrence Act.” A bipartisan group of senators came up with the “Filter Bubble Transparency Act,” which would force platforms to give users “the option to engage with a platform without being manipulated by algorithms driven by user-specific data.” Meanwhile, Reps. Eshoo and Tom Malinowski (D-NJ) plan to reintroduce their “Protecting Americans from Dangerous Algorithms Act,” which would remove Section 230 protections from platforms that amplify hateful or extremist content.

For their part, platforms have made efforts to curb some extremist content and misinformation. But these only came after years of allowing it largely unchecked — and profiting from it — and with mixed results. These measures are also reactive and limited; they do nothing to stop or curb any developing conspiracy theories or misinformation campaigns. Algorithms apparently aren’t as good at rooting out harmful content as they are at spreading it. (Facebook and YouTube did not respond to request for comment.)

It’s pretty much impossible to stop companies from collecting data about you — even if you don’t use their services, they still have their ways. But you can at least limit how algorithms use it against you. Twitter and Facebook give you reverse chronological options, where tweets and posts from people you follow show up in the order they’re added, rather than giving priority to the content and people they think you’re most interested in. YouTube has an “incognito mode” that it says won’t use your search and watch history to recommend videos. There are also more private browsers to limit data collection and prevent sites from linking you to your past visits or data. Or you can just stop using those services entirely.

And, even in algorithms, there is agency. Just because a conspiracy theory or misinformation makes its way into your timeline or suggested videos doesn’t mean you have to read or watch, or that you’ll automatically and immediately believe them if you do. The conspiracies might be much easier to find (even when you weren’t looking for them); you still choose whether or not to go down the path they show you. But that path isn’t always obvious. You might think QAnon is stupid, but you will share #SaveTheChildren content. You might not believe in QAnon, but you’ll vote for a Congress member who does. You might not fall down the rabbit hole, but your friends and family will.

Or maybe an algorithm will recommend the wrong thing when you’re at your most desperate and susceptible. Will you never, ever be so vulnerable? Facebook and YouTube know the answer to that better than you do, and they’re willing and able to exploit it. You may have more to hide than you think.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.