They say that you can never have too much good advice. So in addition to the excellent set of Safe Holiday Shopping Tips we provided last week, here are three more simple rules of the road for a safe and worry-free online experience this holiday season.
1. You can do more online and through mobile; just don’t do it differently. Doing more of what you normally do is much less of a risk than doing things you don’t normally do. Try not to change your actual behavior, even though you’re doing more shopping and browsing online and through mobile. The less you stray from your normal habits, the less likely you are to encounter malicious sites, apps, or messages, and the less likely you are to fall victim to fraud and other scams.
2. Scrutinize unusual messages. Be wary when receiving unsolicited or odd messages – even from people you know – and be especially wary if you do decide to act on them. Just as email viruses used to trawl your address book, today’s malware harvests your social networks. An odd message through your social network may well mean that your friend’s account has been hacked. There will be plenty of scams and attacks that purport to be great last-minute deals, fake holiday cards that ask you to forward them to all your Facebook friends, confirmations or verifications for transactions you never made, and even fake warning messages about scams to avoid. All of these are just different attempts to get you to click on a link.
3. Don’t log in on a page you got to from an outside link. If a message takes you to a login page for a service that you use, look closely at the URL before entering your credentials: check that the scheme is https, and that the part before the first single slash really is the site’s own host name and not a look-alike or a long host that merely begins with it. Better yet, skip the link entirely: go to the site using your bookmarks or by typing its standard “www.xyz.com” address yourself, rather than signing in on the page you got to from a link.
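The same “look closely at the URL” check can be expressed in a few lines of code. What follows is an added example written for this post, not code from the original article or from Avast: a small checker that rejects the tricks phishing links most often rely on (plain http, a `user@` prefix hiding the real host, a look-alike domain that only begins or ends with the real one, a bare IP address, or an internationalized host that may be a homograph). The function names, the expected host `xyz.com` (the placeholder from the tip above) and the attacker domain `evil.example` are all constructed for illustration.

```python
"""Check whether a login URL really points at the site you think it does.

Added example for this post, not part of the original article. The
hostnames and sample URLs below (xyz.com, evil.example, ...) are
constructed for illustration only.
"""
import ipaddress
from urllib.parse import urlsplit


def host_matches(hostname: str, expected: str) -> bool:
    """True if hostname is `expected` itself or a subdomain of it.

    "www.xyz.com" matches "xyz.com"; "evilxyz.com" and
    "xyz.com.evil.example" do not, because the match has to be on a
    whole label boundary ("." + expected), not a substring.
    """
    hostname = hostname.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return hostname == expected or hostname.endswith("." + expected)


def check_login_url(url: str, expected: str) -> tuple:
    """Return (ok, reason).

    ok is True only when the URL uses https and its host is `expected`
    or one of its subdomains, with none of the usual phishing tricks.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"

    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % parts.scheme

    host = parts.hostname  # already lower-cased, port stripped
    if not host:
        return False, "no host in URL"

    # "https://www.xyz.com@evil.example/" puts the real host after the @.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries user@ before the real host"

    # A real login page is never served from a bare IP address.
    try:
        ipaddress.ip_address(host)
        return False, "host is a bare IP address"
    except ValueError:
        pass

    # Non-ASCII or punycode (xn--) hosts can be homographs of the real name.
    if not host.isascii() or "xn--" in host:
        return False, "internationalized host: possible homograph"

    if not host_matches(host, expected):
        return False, "host %r is not %r or a subdomain of it" % (host, expected)

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing message might carry.
    samples = [
        "https://www.xyz.com/login",
        "http://www.xyz.com/login",
        "https://www.xyz.com@evil.example/login",
        "https://www.xyz.com.evil.example/login",
        "https://evilxyz.com/login",
        "https://203.0.113.5/login",
        "https://xn--xyz-3ya.com/login",
    ]
    for sample in samples:
        ok, reason = check_login_url(sample, "xyz.com")
        print("%-45s %s  %s" % (sample, "OK    " if ok else "REJECT", reason))
```

The check is deliberately strict: it insists on https, it matches the host on a whole label boundary rather than by substring, and it refuses internationalized hosts outright rather than trying to decide whether a given non-ASCII name is legitimate. That is the same judgement the tip asks you to make by eye, and the reason the safest answer is still to type the address yourself.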
As we have recently mentioned on our blog, October is National Cyber Security Awareness Month. And I’m sure we will post more to raise awareness of the risks you personally face, the risks to the institutions you do business with, and to the government itself.
Today, though, I want you to start to broaden your outlook on this issue. While you are getting acquainted with new threats like nation-state funded attacks, cyber-terrorism, and hacktivism, I’d also ask you to look at some of the things our legislatures have been proposing in the name of cybersecurity. This includes early efforts to protect critical industry sectors such as our energy grid or banking systems against cyberattack, and requirements that we move beyond passwords when we access Web sites where we perform transactions or access personal data. Since all of these initiatives come with costs, none has universal support. But some cybersecurity proposals have generated more controversy than others, including the SOPA and PIPA bills, which coddled the media industry by conflating digital piracy with cybersecurity and whose proposed remedies would have created a regime of censorship, and the proposed federal development and control of a so-called “Internet Kill Switch”.
There will continue to be a lot going on here legislatively, and anything that changes the government’s role in the Internet will affect you as well. So let’s also do our job as responsible, informed citizens. Let’s make October National Cybersecurity Policy Awareness Month. Let’s get educated, and involved.
Mobile malware is becoming both more prevalent and more pernicious. Among the 160 million+ avast! users today, many of you also turn to avast! Mobile Security to protect your Android device (over 10 million downloads on the Google Play Store…thank you Avast Community!).
But we also see that the awareness and level of concern over mobile malware among the general population is quite low, especially compared to awareness and concern over PC malware. This makes sense. We don’t see large-scale virus outbreaks on mobile devices like we’ve seen on PCs, and we don’t see mobile OS vendors release endless streams of security patches alongside dire warnings for users who fail to update their programs. Instead, mobile malware is more likely to use your phone to send premium-rate SMS messages, or to steal some personal data, than to “infect” your device in the way a PC virus does.
Without seeing mobile malware outbreaks on a regular basis firsthand, or hearing about them on the news, it’s only natural that other security issues seem more real to people. When we do come across news reports about mobile device concerns, they are more likely to be about data privacy and location tracking than about malicious apps. And everyone has either lost a phone or knows someone close to them who has, and so understands the disruption that this causes. Many of you also have young children with cellphones, and you may worry about the texts they’re receiving and what information they may be divulging on social networks via their phones.
What this means is that mobile security in the broader sense is a lot more than antimalware. There are a range of issues and concerns to address, and a range of protection mechanisms we could apply. We provide many of them today through our avast! Mobile Security solutions. But we also know that there is plenty of room for us to grow here as well, and that we must expand in order to both keep and build upon those 10 million+ people who trust us to protect their mobile devices.
What do you see as the single most important safeguard you could have on your mobile devices? Take our Facebook poll and see what other avast! followers have to say.
Last week, Amazon announced its new Kindle lineup. There’s a lot being said about the red-hot competition between the Kindle Fire, the iPad, Google’s Nexus tablet, and Microsoft’s Surface tablet. But what drew my attention most of all was Amazon’s announcement about greater parental controls. The new Kindle Fire tablets will include an app called Kindle FreeTime for enhanced parental controls.
Parental controls on the Kindle took a big step forward this past May with the 6.3.1 release, adding the ability to password protect purchases and disable access to specific content. Amazon’s Kindle FreeTime app goes further, allowing parents to set time limits based on the type of content their children are viewing, such as games or videos. It will also support setting different policies for different children.
The first of these devices is not available until Sept 14. Judging from the commentary on the Web, there’s a lot of interest in these features, but at this stage there are also a lot more questions than answers.
- Will the Kindle FreeTime app be available for v1 Kindle Fire tablets? That’s unclear.
- Will it support time-of-day restrictions, such as “no games after 8pm”, as well as total activity time? The answer seems to be No.
- What about filtering by age-appropriateness of content, not just by content type? There’s no indication Amazon will have this.
- Will the time controls also cover books, for those parents whose kids read too much or too late into the night? No. Apparently Jeff Bezos thinks that there’s never too much of a good thing when it comes to reading, even if it’s at the expense of homework or a good night’s sleep.
- What about parental controls for the “classic” Kindle readers? Sorry, you’re out of luck. Go buy a new Kindle Fire…or put it on your Amazon Wish List.
As a parent of a 12-year-old girl, one who buys too many Kindle books in general and who, lamentably, has begun to gravitate towards literary content more appropriate to a 16-year-old, I find Amazon is not providing me with the controls and oversight I would like. But for my 10-year-old boy, who is content spending his entire day hunting zombies, Kindle FreeTime is completely sufficient.
What are your feelings about parental controls for Kindles and other tablets? What works for you? Have you found any good ways to limit or monitor your child’s activities? What are your wishes or frustrations with the devices as a parent?
New reports tying the Stuxnet worm to the US government have many people asking questions. What exactly is a cyberattack? Does conducting a cyberattack have the same implications as a physical military attack? Is the US waging an undeclared war on Iran, in the same way that bombing its nuclear facilities would be? Is this the new face of warfare and defense?
And now there’s the recent discovery of the Flame virus. We seem to be entering an era in which the Internet and cyber tools are increasingly embraced as a vehicle for achieving military and diplomatic goals.
One of the big challenges in understanding all this is the lack of agreed-upon definitions and principles. We may refer to the Stuxnet attack as cyber-sabotage, while Iran may refer to it as cyber-war or even cyber-terrorism. The Flame virus would be best categorized as cyber-espionage. Without terminology that is clear and agreed upon, the classification of such an action is left to the rhetoric of politicians driven by their own political goals.
There are far more disconcerting implications and considerations if the US is to conduct state-sponsored initiatives in cyberspace.
- Collateral damage: these viruses can ‘get loose’ and inflict unintended damage. We saw this with Stuxnet in 2010, when it spread beyond its intended Iranian targets because of a “programming error” (incidentally, a “programming error” also caused all the damage done by the Morris Worm, for those who remember that little event in computer history).
- Re-purposing and reuse: with cyberattacks, the targeted opponent ends up with a copy of the code that was used against them. This is like handing the enemy the schematics for every weapon you use against them. With the code in hand, an opponent can replicate the malware and modify it to their own needs; the only additional ‘raw material’ required is programmer talent.
- Deniability: Military personnel are clearly identifiable, and armaments all have traceable points of origin. Not so with cyberattacks. We’ve already seen this in the US, where we think past attacks came from China or North Korea, but we can’t be sure. As the US starts to employ such tools, we increase our own ability to deny our actions; war becomes a clandestine affair, which is often at odds with our democratic principles.
Paradoxically, the proponents of building up US cybersecurity defenses will suffer a setback with the US now admitting its role in Stuxnet. These proponents – many of whom are in the military or the defense contracting business – had taken up Stuxnet as their cause célèbre and chief argument for extending the reach of DHS, NSA, and other federal authorities into our businesses and personal lives. But the government and the cybersecurity industry can’t go clamoring for more funding to defend against a boogeyman of their own creation.
My last post was about how we’re steadily moving towards consumer online privacy regulations over the collection and use of personal online data by businesses. At the same time, however, we’re seeing the US government relentlessly expanding its efforts to monitor people online – and in ways that may completely negate any efforts to regulate the privacy practices of businesses.
It is the fear of cyberterrorism (a term you can’t expect the average person to understand) that is driving many to cede their privacy rights to the government. There are two competing cybersecurity bills working their way through Congress: the Cybersecurity Act of 2012 and the Secure IT Act. They differ fundamentally on jurisdiction (the NSA versus the DHS) and on whether a voluntary approach that promotes and fosters public-private collaboration is sufficient, or whether a regulatory approach is also required. But what they have in common is the aggregation and analysis of data on an unprecedented scale.
In the background to all this, the Obama administration has just expanded the ability of the National Counterterrorism Center (NCTC) to retain data on people for five years (previously, it was 6 months) – even if they are not suspected of terrorist activity. The NCTC receives data from many other agencies.
So at the same time one side of the US government (the consumer protection side) is restricting what personal data businesses can collect, another side (the cybersecurity side) is moving not only to expand its own access to and control over personal data, but also to enlist in its efforts those very same businesses whose data collection efforts the FTC is otherwise trying to restrain: ISPs and mobile carriers, search engine and web portal companies, social media companies, etc. This opens a very wide door to abuse of any consumer privacy efforts currently underway with the FTC.
Monday, the FTC released a report publishing principles and recommendations for consumer privacy. The report, “Protecting Consumer Privacy in an Era of Rapid Change” (summary and full report [PDF]), provides what the FTC considers best business practices around privacy. These best practices are not regulations, but they are intended to serve as guidelines for legislators in drafting privacy regulations. And they can also serve as a framework for the federal government’s own privacy policies and personal data practices.
At the core of the report, and in broader privacy circles, we see discussions center around three foundational elements of privacy: knowledge, consent, and control.
- Knowledge. The collection and use of information should be transparent. Consumers should know what is being collected, how it is being collected, how it is being used, and how it is being shared.
- Consent. Consumers should be presented with a mechanism for agreeing to these practices. The recommendations do not mandate either an “opt-in” or an “opt-out” approach, that is, whether the default when consumers take no specific action is to not collect (“opt-in”) or to collect (“opt-out”). But the report does advance the notion that an all-or-nothing approach, where the condition of using a service or product is submitting to full data collection, is insufficient.
- Control. Consumers should have choices as to whether, and to what degree, to participate in data collection, and how that data may be used; and companies should make those choices simple for consumers to understand and to execute.
Consumer attitudes about privacy and data collection are undergoing a fundamental change, driven by online data collection practices. Historically in the US, businesses have been given broad latitude in their actions as long as they are not fraudulent or deceptive. However, we’re witnessing a full 180-degree turn in consumer attitudes, which is what’s behind the FTC’s actions. Consumer concern over personal data collection and use by businesses is reaching critical mass, and it’s driven by concern over Internet powerhouses such as Google and Facebook, mobile carriers and ISPs, and the shadow worlds of online advertising networks and data brokers. Restraints on businesses over their privacy practices are inevitable.
Unfortunately, not all the consumer privacy news these days is good. More about that in my next post.
The RSA Conference – the largest gathering of security vendors and the companies who buy their products – was held in San Francisco last month. Avast was in attendance, and I had the pleasure of moderating a panel on mobile security. Mobile security was also one of the top topics permeating the entire event. What I heard on the panel and throughout the conference, and what has been reinforced from my discussions with analysts and consultants to businesses, should have you all pretty worried.
The good news is that businesses want to embrace employees’ use of mobile phones and tablets. And it’s not just the biggest companies doing so: even small businesses are eager adopters of mobile technologies. After all, employees are more accessible and more productive when they can use their mobile devices for work. However, these are your devices; they are not the company’s and shouldn’t be treated as such. And that’s the challenge.
Businesses have legitimate concerns that these devices are inherently insecure, and that consumers don’t always secure their devices to the same level that businesses secure their PCs. They are also concerned about all the corporate data that these devices contain or can access, and that the loss or theft of a device can compromise a company. And they are concerned that people will misuse their access to this data now that it’s on their personal device.
The problem is that businesses want more security and control over your phone than they should have or even need: even more control than they have over the PCs they provide you.
- Because there are malicious apps, they want to keep a catalog of every app you install and be able to remove those applications without prior notice to you.
- Because mobile devices can hold private corporate data, they want the ability to wipe all data on your phone, also without prior notice to you.
- Because you could potentially misuse the phone by transferring corporate data between a business app (like email) and a personal app (like Facebook), they want to be able to monitor everything you do on that phone: your call logs, your text messages, all your social networking activity, all your browsing activity.
This blatant company disregard for employees’ privacy and property all in the name of security has gotten completely out of hand. One product that was given prominent attention at the conference basically rooted your device to put a monitoring and management layer underneath the operating system. Besides taking any semblance of control of your device away from you, this procedure would likely lead to voiding the warranty for many of your devices, especially Apple devices.
Using your mobile devices for work purposes should not require you to give up all your privacy rights, or to hand your company effective ownership of a device it did not pay for. If your company is letting you use your phone or tablet for work purposes, especially for more than email, then you should take a close look at your organization’s mobile policies – not just for what you should or should not be doing, but for what your company could be doing to your device and with your data.