User Location Data Raises Privacy and Security Concerns

Many different types of mobile apps—including those related to productivity, education, lifestyle, social media, entertainment, and gaming—exist to provide users with ease of use, convenience, and functionality. These apps collect a vast amount of data for marketing purposes and for sharing with third parties. For example, location data, IP addresses, saved home or work addresses, and saved activity on websites and services can all be collected from your device. Many apps allow advertising firms to track a user’s location, sell that information to others, and target advertisements based on a user’s location history. Users may have the option to adjust their security and privacy settings to reduce what information is collected and how it is shared. However, even with those settings adjusted, it can be difficult to determine what an app actually does with the data and location information it can access. The data may not be as private or anonymized as expected and, therefore, may be exposed to malicious actors.

[Image] Image Source: anupamdas.org

The popular fitness app Strava tracks a user’s heart rate, activity details, GPS location, and more. Strava’s heatmap feature anonymously aggregates user activity to help users find trails or exercise hotspots, meet like-minded people, and work out in busier and safer locations. However, in the above example, researchers identified a privacy weakness in the heatmap feature: by combining heatmap data with specific user metadata, they could de-anonymize users and identify their home addresses. They collected data through the Strava heatmap and used OpenStreetMap overlays and image analysis to detect routes that start or stop next to streets, indicating that a specific home is associated with a user’s tracked activity. They also used Strava’s search feature to identify users who registered a specific city as their location, then correlated high-activity points on the heatmap with those users’ home addresses. The researchers noted that Strava users typically register with real names and profile pictures, allowing identities to be matched with home addresses and, where available online, voter registration data. Also, Strava accounts marked as “private” still appear when searching for a list of all users in a specified municipality. Mitigations for Strava include starting tracking only after the user has left home, excluding a set distance around home locations from the heatmap (giving users the option to set privacy zones around their homes), and/or allowing users to opt out of the heatmap feature.
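As an added illustration (not Strava’s or the researchers’ code), the two mitigations named above can be expressed as simple filters over a GPS track. The Point type, the privacy-zone layout, the function names and the sample coordinates are assumptions for this example, and the track is constructed:

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6371000.0  # mean Earth radius; good enough for metre-scale zones

@dataclass(frozen=True)
class Point:
    lat: float
    lon: float

def haversine_m(a: Point, b: Point) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def in_privacy_zone(p: Point, zones) -> bool:
    """zones is a list of (centre, radius_m); the centre is the home itself, so treat it as secret."""
    return any(haversine_m(p, centre) <= radius_m for centre, radius_m in zones)

def trim_endpoints(track, zones):
    """Mitigation 1 from the text: behave as if tracking only started after leaving home.
    Drops the leading and trailing run of in-zone points, so the shared activity no
    longer starts or stops at the front door (mid-route passes near home are kept)."""
    start, end = 0, len(track)
    while start < end and in_privacy_zone(track[start], zones):
        start += 1
    while end > start and in_privacy_zone(track[end - 1], zones):
        end -= 1
    return track[start:end]

def heatmap_points(track, zones):
    """Mitigation 2 from the text: exclude the whole zone from heatmap aggregation,
    which also removes mid-route passes that trimming alone would leave in."""
    return [p for p in track if not in_privacy_zone(p, zones)]

# Constructed sample: a home with a 500 m zone and a run that leaves, passes back
# near home mid-route, and returns. Offsets are in latitude, so 0.001 deg ~ 111 m.
HOME = Point(40.7128, -74.0060)
ZONES = [(HOME, 500.0)]
TRACK = [
    Point(40.7128, -74.0060),  # at home, 0 m
    Point(40.7148, -74.0060),  # ~222 m, inside zone
    Point(40.7228, -74.0060),  # ~1112 m, outside
    Point(40.7158, -74.0060),  # ~334 m, mid-route pass back inside the zone
    Point(40.7328, -74.0060),  # ~2224 m, outside
    Point(40.7148, -74.0060),  # ~222 m, ends inside zone
]

if __name__ == "__main__":
    print("shared activity:", trim_endpoints(TRACK, ZONES))
    print("heatmap input:", heatmap_points(TRACK, ZONES))
```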

[Image] Image Source: arxiv.org

The Short Message Service Center (SMSC) of a mobile network handles SMS delivery reports, providing notifications when a message has been delivered, accepted, failed, is undeliverable, has expired, or has been rejected. Although this process involves delays, the fixed nature and specific physical characteristics of mobile networks make those delays predictable when standard signal pathways are followed. In the above example, researchers developed a machine learning algorithm that analyzes timing data in the SMS responses to identify the recipient’s location. First, measurement data was collected to correlate SMS delivery reports with the targets’ known locations. Every hour for three days, multiple SMS messages were sent to the target in the experiment, either as marketing messages to be ignored or disregarded, or as silent SMS messages that display no content and produce no notification on the target’s screen. The timing of the SMS delivery reports was then measured and aggregated with matching location signatures to create a machine learning (ML) evaluation dataset. The ML model and training data included the receiving location, connectivity conditions, network type, receiver distances, and more.
 
Despite some limitations and the extensive effort required, discovering information—such as a physical address, job location, phone number, email address, or other personal information—is still feasible, and users can easily become targets for cyberattacks, harassment, identity theft, and violence. Additionally, threat actors may engage in doxing, a tactic that involves maliciously targeting an individual, compiling their personally identifiable information (PII), and publicly releasing it without permission. This information is posted on hosting websites and further disseminated on social media platforms. Doxing can also refer to revealing the real person behind an anonymous username and exposing their identity online.
 
It is important to know how to stay secure and limit privacy concerns while using apps. Even if a user is careful about what information is voluntarily shared and which settings are adjusted, the app may be able to track activity without the user’s knowledge, and their data could still be at risk through other covert means. Beyond the personal risk to individuals, businesses and organizations are advised to weigh the risks that apps introduce and consider restricting their use in sensitive environments. It is vital to stay informed about the capabilities, access, and permissions of apps, what data they collect, and what they do with that data.

Threat Actors Target Law Firms and Small Businesses with Impersonation Attempts: What to Look For

The NJCCIC received an uptick in reports of cyberattacks targeting law firms and small businesses. Threat actors may claim to be a construction company, supplier, or other specialty contractor seeking legal services. In one example, the threat actor’s message contained several red flags and conflicting details, such as a mailing address, email information, and website that did not match. At first glance, however, these red flags are inconspicuous and may go unnoticed. Further analysis revealed additional red flags: a .org top-level domain (TLD), which is typically used by nonprofit organizations, and a newly established website with multiple redirects and missing characters – a tactic often used by threat actors to impersonate a legitimate website. This website was able to bypass basic antivirus software, likely because it had been created so recently.
Small businesses such as law firms are increasingly targeted by threat actors seeking access to the vast amounts of sensitive information they manage. A successful cyberattack may allow threat actors to gain access to internal networks and databases and then commit further nefarious activity, such as ransomware attacks, fraud, and theft. As a reminder, common red flags include misspelled email domains and websites, missing characters, and newly created website URLs. Users can quickly check website validity using trusted open-source tools such as VirusTotal, URLScan.io, MXToolBox, IPQualityScore, and the Any.Run sandbox; note, however, that scan results on these services are public, so users should avoid uploading internal files unless they have a private account.
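As an added example (not the NJCCIC’s tooling), the red flags listed above can be turned into a small triage check for a sender’s domain. The function names, the edit-distance and age thresholds, and the sample domains are assumptions for this example; the domain age is assumed to come from a WHOIS/RDAP lookup done separately, since such tools report registration dates and this code does no network lookups itself:

```python
# Assumptions for this example: domains are plain label.tld (no public-suffix
# handling such as co.uk), and created_days_ago comes from a WHOIS/RDAP lookup done elsewhere.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of dropped, added or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str):
    """Return (registrable label, tld), e.g. 'billing.acme.com' -> ('acme', 'com')."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def domain_red_flags(observed: str, expected: list, created_days_ago=None, new_domain_days=30):
    """Return the red flags the text lists for a sender/website domain, checked against
    the domains a legitimate contractor is known to use:
      lookalike        - label within 2 edits of a known domain (missing or swapped characters)
      tld-mismatch     - same label, different TLD
      nonprofit-tld    - .org used by a supposedly commercial contractor
      newly-registered - domain younger than new_domain_days"""
    flags = []
    o_label, o_tld = split_domain(observed)
    for exp in expected:
        e_label, e_tld = split_domain(exp)
        if o_label == e_label and o_tld != e_tld:
            flags.append(f"tld-mismatch: {observed} vs {exp}")
        elif o_label != e_label and edit_distance(o_label, e_label) <= 2:
            flags.append(f"lookalike: {observed} vs {exp}")
    if o_tld == "org":
        flags.append("nonprofit-tld")
    if created_days_ago is not None and created_days_ago < new_domain_days:
        flags.append("newly-registered")
    return flags

if __name__ == "__main__":
    # Constructed sample: a sender claiming to be a known contractor.
    print(domain_red_flags("acmeconstrution.org", ["acmeconstruction.com"], created_days_ago=12))
```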

National Artificial Intelligence Advisory Committee Releases First Report

The National Artificial Intelligence Advisory Committee (NAIAC) has delivered its first report to the president, established a Law Enforcement Subcommittee to address the use of AI technologies in the criminal justice system, and completed plans to realign its working groups to allow it to explore the impacts of AI on workforce, equity, society and more.

The report recommends steps the U.S. government can take to maximize the benefits of AI technology, while reducing its harms. This includes new steps to bolster U.S. leadership in trustworthy AI, new R&D initiatives, increased international cooperation, and efforts to support the U.S. workforce in the era of AI. The report also identifies areas of focus for NAIAC for the next two years, including in rapidly developing areas of AI, such as generative AI. Read More

New NIST Public Working Group on AI

Today, U.S. Secretary of Commerce Gina Raimondo announced that the National Institute of Standards and Technology (NIST) is launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology. The Public Working Group on Generative AI will help address the opportunities and challenges associated with AI that can generate content, such as code, text, images, videos and music. The public working group will also help NIST develop key guidance to help organizations address the special risks associated with generative AI technologies. The announcement comes on the heels of a meeting President Biden convened earlier this week with leading AI experts and researchers in San Francisco, as part of the Biden-Harris administration’s commitment to seizing the opportunities and managing the risks posed by AI. Read More

Microsoft Security Virtual Training Day: Security, Compliance, and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:
Learn the fundamentals of security, compliance, and identity.
Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
Monday, July 24, 2023 | 2:00 PM – 4:45 PM | (GMT-05:00) Eastern Time (US & Canada)
Tuesday, July 25, 2023 | 2:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

REGISTER TODAY >

Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

Transform your business security architecture with top industry leaders

Webinar date:
Tuesday, June 27, 2023
9:00 AM Pacific Time / 12:00 PM Eastern Time

Concerned about safeguarding your organization’s data? The changing demands of employees and customers have created the need for cloud transformation, which requires a modern security architecture. Businesses that meet and exceed the baseline security requirements for employees and customers can optimize the digital experience for all users while protecting data. Learn how you can securely access critical business data and software services without compromising speed or reliability. Join this upcoming webinar with Zscaler and Microsoft experts to discover how your organization can embrace zero trust security. During this interactive Q&A session, you will have the opportunity to:
Gain insights on how zero trust can strengthen your organization’s security
Optimize access to organizational workloads, data, and assets
Attract and retain the next generation of employees

Improving your competitive edge with Zero Trust Framework

Register now >

See where you stand with the security operations self-assessment

Modern Security Operations Self-assessment
Modernize your ability to detect, respond, and recover from threats
Take the self-assessment

In today’s evolving threat landscape, security teams must continually modernize their security operations to stay prepared and keep up with adversaries. We’ve developed two resources to help you succeed. Answer the questions in the modern security operations self-assessment questionnaire to evaluate the maturity stage of your security operations. Based on your answers you’ll get recommendations to help you modernize your approach to:
Triage
Investigation
Threat hunting
Incident management
Automation
Download the modern security operations guide to see best practices and lessons learned from the Microsoft Cyber Defense Operations Center. We’ve created this guide to help you develop strategies to:
Modernize your technology stack to ensure you have protection and visibility across all attack vectors
Improve the processes of your security operations team and help them separate true threats from false positives
Reduce your vulnerabilities and increase speed and efficiency for security teams defending against attacks.

NIST Lightweight Cryptography Standardization Process: NIST Releases IR 8454

Status Report on the Final Round of the NIST Lightweight Cryptography Standardization Process: NIST Releases IR 8454 

NIST announces the publication of NIST Internal Report (NIST IR) 8454, Status Report on the Final Round of the NIST Lightweight Cryptography Standardization Process. This report describes the evaluation criteria and process for selecting authenticated encryption and hashing schemes suitable for applications in constrained environments. The standardization effort was a public, competition-like process based on NIST’s internal review of the finalists and public feedback.

In February 2019, 57 candidate algorithms were submitted to NIST for consideration. Among these, 56 were accepted as first-round candidates in April 2019. After four months, NIST selected 32 of the candidates for the second round. NIST announced 10 finalists in March 2021 – namely ASCON, Elephant, GIFT-COFB, Grain-128AEAD, ISAP, PHOTON-Beetle, Romulus, SPARKLE, TinyJAMBU, and Xoodyak – to move forward to the final round of the selection process. On February 7, 2023, NIST announced the decision to standardize the ASCON family for lightweight cryptography applications.

Read More

Microsoft Security Virtual Training Day: Protect Data and Mitigate Risk

Identify, remediate, and limit data risks at Security Virtual Training Day: Protect Data and Mitigate Risk from Microsoft Learn. At this free event, you’ll learn how to secure data and reduce risks with Microsoft Purview Information Protection and risk management solutions. You’ll also explore how to manage data protection policies across your organization to help protect people and data against cyberthreats. You will have the opportunity to:
Manage and monitor data in new, comprehensive ways to help prevent data loss with Microsoft Purview.
Identify privacy risks and help protect personal data using Microsoft Priva.
Discover sensitive data and respond to inquiries efficiently with Microsoft Purview.
Join us at an upcoming two-part event:
Wednesday, 19 July, 2023 | 12:00 PM – 2:45 PM | (GMT-08:00) Pacific Time (US & Canada)
Thursday, 20 July, 2023 | 12:00 PM – 2:30 PM | (GMT-08:00) Pacific Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

REGISTER TODAY >

Beware of Skimmers and Infostealers Targeting E-Commerce

A growing number of cyberattacks have been discovered targeting retailers and online consumers as summer sales heat up. Though the holiday season remains the most profitable time for retailers, sale events are often launched in the slower summer months to increase revenue. Consumers often take advantage of these summer sale events, including semi-annual sales; Independence, Memorial, and Labor Day sales; Father’s Day and graduation gifts; back-to-school sales; and Christmas in July sales.

Akamai researchers identified a new, large-scale, Magecart-style web skimming campaign designed to steal personally identifiable information (PII) and credit card information from e-commerce websites. Unlike traditional Magecart campaigns, however, this campaign hijacks legitimate commerce websites to serve as improvised command-and-control (C2) servers, using the compromised host’s website to distribute malicious code.
Cybercriminals use various evasion techniques during the campaign, disguising the attack as popular third-party services, which allowed it to go undetected for over a month. The attack may exploit known vulnerabilities in websites’ digital commerce platforms, such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. Because the skimmer executes on the client side, it is not detected by common web security controls such as web application firewalls (WAFs), which prolongs the attack. This may result in tens of thousands of victims and damage the reputations of the victimized organizations. Additionally, consumers’ PII and credit card information are at risk of being stolen or sold on dark web forums.
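As an added example (not Akamai’s or any commerce platform’s code), one client-side control that does not depend on a WAF is to audit the scripts a rendered checkout page actually loads against an exact host allowlist and a baseline of script hashes. The function names, the allowlist, the sample page and its placeholder integrity value are constructed for this example:

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    return f"{alg}-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collect (attributes, inline body) for every <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._attrs, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._buf = dict(attrs), []
    def handle_data(self, data):
        if self._attrs is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append((self._attrs, "".join(self._buf)))
            self._attrs = None

def audit_checkout_page(html, allowed_hosts, known_inline_hashes, page_host=""):
    """Findings a server-side WAF never sees, taken from the rendered checkout page:
    - unexpected-script-host: external script whose host is not on the exact allowlist
      (a hijacked 'legitimate' store used as C2 still fails this check);
    - missing-sri: allowed external script with no integrity attribute;
    - unknown-inline-script: inline script whose hash is not in the baseline.
    Relative src values count as page_host, so include it in allowed_hosts."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs, body in collector.scripts:
        src = attrs.get("src")
        if src:
            host = (urlparse(src).hostname or page_host).lower()
            if host not in allowed_hosts:
                findings.append(("unexpected-script-host", src))
            elif not attrs.get("integrity"):
                findings.append(("missing-sri", src))
        else:
            digest = sri_hash(body.strip().encode())
            if digest not in known_inline_hashes:
                findings.append(("unknown-inline-script", digest))
    return findings

# Constructed sample: a vetted CDN script, a baselined inline snippet, and a script
# pulled from another store's domain, as in the hijacked-host campaign described above.
ALLOWED_HOSTS = {"cdn.shop.example"}
KNOWN_INLINE = {sri_hash(b"window.checkoutReady = true;")}
SAMPLE_HTML = """<script src="https://cdn.shop.example/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.checkoutReady = true;</script>
<script src="https://other-store.example/static/jquery.min.js"></script>"""
```

Presence of an integrity attribute is all that can be checked offline; confirming the hash against the script actually served requires fetching it.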
Threat actors are also targeting online sellers in a new phishing campaign to distribute Vidar information-stealing (infostealer) malware. They impersonate a customer of an online retailer, claiming to have been charged a large dollar amount after an alleged order did not go through. These complaints are sent to online store administrators via email or website contact forms and contain a link to a fake Google Drive page that prompts the user to download a malware-laden PDF file. Threat actors target online sellers to steal admin credentials in order to gain access to e-commerce websites and facilitate further cyberattacks.
Infostealers are remote access trojans (RATs) designed to gather information from a system. Infostealers gather login information, like usernames and passwords, and are frequently used to further facilitate ransomware attacks. The NJCCIC and other cybersecurity firms have indicated a steady increase in attempts to distribute infostealers, such as Redline Stealer, Vidar, and Raccoon Stealer. Vidar is capable of stealing browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and capturing screenshots of the active Windows screen. Redline Stealer is a powerful data collection tool, capable of extracting login credentials from a wide range of sources, including web browsers, FTP clients, email applications, Steam, instant messaging clients, and VPNs. Raccoon Stealer steals personal information, including email addresses, identification numbers, bank account information, and cryptocurrency information. Cybercriminals can use this stolen information to commit identity theft, financial fraud, and other crimes.