Categories
News

Microsoft Edge Is Under Attack From Malicious Extensions

Microsoft Edge is finally getting a lot of publicity, which means that hackers and scammers are flocking to the browser to spread their dangerous wares. Recent reports have pulled back the curtain on malicious extensions that masquerade as official VPN apps.

The New Wave of Attacks on Microsoft Edge

The report of this new wave of attacks came in from Tech Radar. This new wave of malware infiltrated the Edge app store using a legitimate app as its cover; however,  they typically achieved this using one of two methods.

The first camp of malware was a malicious extension designed to look like a legitimate service. This camp typically used VPN services for their disguise, impersonating popular services such as TunnelBear and NordVPN.

However, there were a handful of extensions that didn't impersonate VPNs. This includes a fake Ublock Adblock and Greasemonkey addon, both of which are extensions that people install on a new browser without a second thought.

The second camp of malware did things a little differently. Instead of building an app that looks like the real thing, the malware developer actually stole legitimate extensions from the Chrome app store. They then injected malicious code into the app, then published it onto the Microsoft Edge app store.

Some of these real-but-malicious apps include the following:

The Great Suspender, Floating Player - Picture-in-Picture Mode, GoBack with Backspace, friGate CDN - smooth access to websites, Full Page Screenshot, One Click URL Shortener, Guru Cleaner - cache and history cleaner, Grammar and Spelling Checker, Enable Right Click, FNAF, Night Shift Redux, Old Layout for Facebook

As such, if you downloaded an extension on Edge recently, it's a good idea to do a quick virus scan to ensure it didn't carry something nasty with it. Also, keep your eye out for any suspicious occurrences, such as adverts appearing in search results en-masse.

A Major Issue for Microsoft

This is a huge hurdle for the company if it wants to get Microsoft Edge into the spotlight. Both Chrome and Firefox have spent a lot of time in the public eye, and both have seen their fair share of malicious extensions and hacker attacks.

Now that Microsoft Edge is making a mark on the browser world (and even overtaking Firefox for second place), malware developers are taking note. To them, Microsoft Edge is a new, insecure service with a huge userbase; in short, it's ripe for abuse.

As such, if Microsoft wants to truly win over the public, it needs to enforce tighter regulations on its third-party extensions. Failure to do so may give Microsoft Edge the reputation of an unsafe browser, which will drive people away as it did with Internet Explorer.

Microsoft's Next Challenge for Edge

With malware distributors taking note of Edge's refound popularity, Microsoft needs to secure its users as fast as possible. Can the software giant put the stop to malicious extensions, or will it become a hub for viruses and malware?

That's not to say that the other big browsers have a spotless track record. In fact, a recent report showed that malicious Chrome extensions could spy on businesses and extract sensitive information from them.

Image Credit: JMiks / Shutterstock.com

Categories
News

Radio proximity security attack targeting up to iOS 13.5 detailed by Ian Beer

Accomplished security researcher Ian Beer has shared a proof of concept attack that can run arbitrary code on or forcefully reboot compromised versions of iOS or iPadOS remotely from radio proximity distance.
Categories
News

You’ve Been Doxxed: What Is Doxxing and Is It Illegal?

Our private lives are considered our own, and we only let those in who we trust. It's why home break-ins, even if nothing valuable is taken, are so upsetting; it feels like a violation. Malicious intent motivates some people to locate your details and distribute them online as a form of violation.

This alarming practice has become so widespread as a means of digital violence that it even has a name; doxxing. It is a particular problem on social networks, especially public ones. Some users target people whose views they disagree with or even for something as fundamental as their gender, background, or ethnicity.

So, how did doxxing become so commonplace, and is there anything you can do to prevent it?

What Does It Mean to Dox Someone?

Generally, we think of our home as a safe place. It's one of the few spaces in which we can be precisely how we want to be without fear of being judged. It's also incredibly intimate and personal. That's why we protect confidential information like our address. It's a similar situation with our work and social lives, too.

Innately, we value privacy and we approach social situations differently. For instance, the way you talk and behave around work colleagues is likely different from how you might interact with your friends. We silo our lives into areas based on trust.

Our home address, full name, workplace, and other personally identifiable details are only given out when we feel comfortable with it. However, online the situation is different. On the whole, we don't give out personal information publicly online, but we do present ourselves for others to see.

Whether that's our LinkedIn profile for professional reasons, Instagram for lifestyle sharing, or Twitter for expressing our opinions, we are often more public in our beliefs, thoughts, and interests than we are in the physical world. While this fosters connections with like-minded people, it also means that you are visible to everyone, not just those who you trust.

There is a segment of internet users who believe it is right to harass, shame, or cause harm to people with whom they disagree. It's not possible to do physical harm online, so, instead, they switch to something that can sometimes be more harmful in the long run; fear and shame.

What Is Doxxing?

Using various techniques, including Open-Source Intelligence (OSINT), searching publicly available databases, analyzing social media posts and profiles, hacking, and social engineering, the attackers extract identifiable information.

Once they have this, they will publish it publicly online, hoping that their supporters or followers will harass you. This could be in an attempt to remove you from your position, get you fired from your job, cause embarrassment, and in some extreme cases, cause you physical harm.

Exposing information like this is known as doxxing. The term initially came from the abbreviation of documents, dox. Violating someone's privacy in this way became known as doxing, although it's now more common to use the double-x variant, doxxing.

It was initially a tactic employed in the early hacking scene, where most users were anonymous. In retribution for perceived slights or controversial views, hackers would dox other users to bring their true identity to law enforcement's attention.

While the methods used haven't changed much over time, the frequency and severity have. The hacking community understood the situations they were getting themselves into and the associated risks.

Not that this justifies the technique, but they could at least be prepared for the eventuality. The most significant difference now is that doxxing is often targeted at regular users, those without protection, and for a wide range of, often trivial, reasons.

Similarly, people in positions of responsibility or involved with vaccines, abortions, or other controversial areas, often find themselves at the receiving end of a doxxing attack. The same is true of women and non-white users who are frequently targeted by misogynists and racists.

This has the compounding effect of driving already marginalized communities away from social networks and public spaces and creating positive connections. The use of malicious social media bots allows doxxers to overwhelm their victim, as well. Each doxxing incident is an attempt to cause fear and harm for the individual involved.

However, cumulatively, these targeted attacks have a broader effect. Doxxing campaigns against institutions, or people with certain beliefs or characteristics, are an attempt to silence conversations. Instead of debate, those responsible for the dox want to prevent a particular world view.

Is Doxxing Illegal?

Unfortunately, doxxing is not illegal as a specific offense. This is partly because the tactic is relatively new and legislation is incredibly slow to respond to current events. Similarly, not all government officials and legislators see it as a specific problem.

In the main, this is because those in authority are generally not the victims of doxxing. It also has found a use as a political tool for similar purposes, like silencing the opposition. However, few government officials would be vocal in their support of such tactics.

There's another important reason that doxxing is not illegal, despite the harm that it causes. As an offense, it is incredibly difficult to specify in law without being too broad. There's a delicate balance between legislation wide-ranging enough to cover all doxxing events and not too far-reaching as to have unintended consequences.

That's not to say that legislation is impossible. Still, the combined effects of time, lack of political interest, and challenges in defining the problem result in no current legal remedy for doxxing. If you have been the victim of doxxing, you should still report the incident to the authorities.

Depending on the circumstances, other factors may be considered, like the attacker's relationship, how the information was spread, and further details. It's possible that, despite being unable to prosecute as a doxxing offense, there may be other legal options available.

How To Protect Yourself from Doxxing Attacks

While we'd like to imagine that most people are generally good, there are people out there who act maliciously. Before the internet, someone would need to know who you were to target you. However, these days we are easily discoverable online. As more people can see your profiles, interests, and beliefs, the more likely someone with bad intentions will come across your online presence.

As we mentioned earlier, most doxxing attacks' intended outcome is to cause fear and silence conversations. So, while it's perfectly reasonable to feel uncertain or even fearful of the potential, many believe that you shouldn't have to feel afraid of being who you are online. It's important to find a balance between expressing yourself and protecting your privacy.

Firstly, you'll want to consider whether the things you want to post about could be regarded as controversial. If so, assess how you feel about the risk of identifying yourself with those topics. You may decide it's important to stand up for your beliefs, but also value your safety and privacy. Consequently, it may be worth creating alternative accounts, profiles, or email addresses for talking about those issues.

Anonymity is undoubtedly a problem online as it allows people to be unpleasant without any repercussions. But anonymity is also one of the essential parts of the internet. In our real lives, there are expectations, societal pressures, and reputations to preserve. Pseudonymous accounts allow us to express thoughts, feelings, and views that we may not be comfortable associating with our real-world persona.

Once you've decided how to present yourself online, it's important to adjust your privacy settings on your accounts and social networks. You should also ensure that you have strong, unique passwords for each service and consider using a password manager to store them securely.

Similarly, before posting anything online, think about what you give away about yourself by doing so. For example, snapping a photo on your street gives away where you live. There are plenty of types of information you shouldn't post online.

Staying Safe Online

Unfortunately, by its nature, doxxing is not something you can always prevent. If someone is determined enough to violate your privacy, they may be able to glean enough information to do you harm. However, there are preventive steps you can take that'll make the task harder for them.

The good news is that these privacy-protecting actions are beneficial to you more generally and can help protect your information in the event of a data breach. One of the most significant changes you can make is to switch from a free email provider, like Gmail or Outlook, to a secure, encrypted option like ProtonMail or Tutanota.

Categories
News

How to Use LessPass to Manage Your Passwords | MakeUseOf

Password managers such as 1Password and LastPass are convenient, but they involve putting all your eggs in one basket.

Services that store your passwords may be vulnerable to attacks or flaws in your OS or browser. If your master password is compromised, all your passwords are compromised. Indeed, LastPass has been the target of multiple attacks over the years.

Variety in the password ecosystem is better for everyone. Using different methods makes the job of hackers much harder. With that in mind, you might consider LessPass, an alternative to the traditional password manager model.

Why Should You Use LessPass?

LessPass is not so much a password manager as a password system assistant. LessPass is free and open-source and doesn’t require you to save your passwords anywhere, neither on your hard drive nor in the cloud. Instead, it offers a way of consistently generating passwords based on your input.

LessPass does not require synchronization, so you can use it offline as an app, or online via extensions and the LessPass homepage. If you're using someone else's device, there's no need to log in to an account or install an extension to get your passwords.

LessPass is available for Android, iOS, Chrome, Firefox, as an OS-independent command-line utility and as a web app.

The Chrome extension should also work on Chrome-based browsers like Vivaldi, Opera, and Brave.

The web app is embedded on the LessPass homepage. It looks like a screenshot, but works just like the extension.

Download LessPass to get started.

Download: LessPass (Free)

How to Use the LessPass Extension

Once you've installed the extension, visit a site you want to create a password for.

LessPass will autofill the name of whatever site you're on, but you can edit that if you want.

Enter your login or username and a master password. Read our advice about creating strong passwords first.

The master password is the only one you will have to remember. LessPass uses it to calculate your other passwords.

As you enter your master password, the characters are hidden to prevent over-the-shoulder snooping.

However, as you type, LessPass generates three hint symbols on the right-hand side of the field. These change according to input, letting you know if you have correctly entered your master password without revealing it. But if you want to double-check, click on the three symbols and LessPass will display it.

Annoyingly, many sites have restrictions on what types of characters you're allowed to use in your password. LessPass allows you to decide what characters your generated password will include. You can enable or disable lower case, upper case, numbers, and special characters.

The main screen also lets you adjust the length of your passwords. The longer the password, the harder to crack, so why not use the maximum 35 characters?

Now you have entered everything, click on Generate and LessPass will calculate an extremely strong password using PBKDF2 cryptography with 100,000 iterations and sha-256 hashing.

Your new password will appear hidden in a box at the bottom of the pop-up.

The next time you enter the same basic details, LessPass will faithfully reproduce your password. To do this, it uses a "pure function", a piece of code that always returns the same output when given the same input. This is the key to how LessPass can supply all your passwords without storing a single character.

Click on the eye icon to the right of the box to show your password or click on the clipboard icon to the left to copy it for pasting.

The Counter option is useful for updating an old password without changing any other details. For example, to change your banking password, enter the details as usual, then click on the + to increase the counter, then generate a new password.

LessPass Extension Options

Click the cogwheel on the top right of your extension pop-up to access the options menu.

Here, you can set a default login name if you use the same username on every site. You can also set the default number of characters, counter value and character rules. Once you have entered your defaults, click Save to store them locally.

What is the LessPass Database?

LessPass prizes security, so it is designed to be fully-functional offline.

However, as websites rules vary, you must remember which sites allow which characters or what length the password needs to be. So, LessPass developers built the LessPass Database.

The database lets you synchronize your password preferences on a site-by-site basis. It only synchronizes the URL, username, and password rules for each site you save—no passwords are synced.

Click on the arrow-in-the-box icon to access the database sign-in.

The default option syncs to lesspass.com, but you can host your own docker instance if you have one.

Related: Reasons to Use Docker Virtualization Software

Enter your email address and master password. To avoid any security risks, click on Encrypt my master password in blue underneath the password field. This replaces your database password with a generated one.

Next, click on Register to link to the LessPass Database.

Back at the main window you will see two new icons in the top right corner: a floppy disk icon and a key.

When you generate a new password, click on the floppy disk icon to save the URL, login name, and preferences to the database.

Click on the key icon and you will see a list of the sites you have saved. Click on a specific site to send the information to the main extension screen, then enter your master password and hit Generate to calculate your site password.

How to Use the LessPass App

Image Gallery (3 Images)

The app's main screen looks similar to the extension pop-up except with a toolbar along the bottom.

You use the same basic procedure to generate passwords in the app as you do with the extension.

Once the password has been generated, you can tap on Copy to send it to the clipboard for pasting in another app or browser, or you can tap on Show to view the password in the clear.

The app automatically resets itself and clears all the data you've entered on the main screen after around 50 seconds, so you need to get your password while it's hot!

However, there are some differences in the app. Let's look at how they can make it easier to use.

Tap on the three cogs icon on the toolbar at the bottom of the screen.

Here, you can see an option to use your master password to sign-in to the database. By default, the option is set to encrypt your master password before the application uses it.

This screen also allows you to set the default login, password length, counter, and rules for special characters.

Syncing the LessPass App

Let's sync with the LessPass Database. Tap on the icon that looks like a little person on the right-hand side of the tool bar.

Tap Sign Up, then enter your email and your master password and tap Sign up again. The app will return you to the main screen.

Now, when you enter your details, you will see an option to save the password settings on the bottom right of the password field.

Image Gallery (3 Images)

Storing your Master Password

While not recommended, if you'd rather not enter your master password every time you use LessPass, you can save it locally.

First, tap on the three cog menu icon at the bottom of the screen to go to the settings page.

Scroll down until you see Insecure Options. Here you'll find a toggle switch labeled Master password with text below that reads "Keep master password locally".

If your device is already pretty secure or you want ease of use at the expense of a little security, tap on the toggle to switch on this feature.

A dialogue box will appear asking you to enter your master password. Type it in and tap OK.

If your device comes with a fingerprint reader, a message will appear instructing you to touch the sensor to authenticate your master password.

Now, when you return to the main screen a fingerprint icon should appear in the master password field. Tap the icon and the app will ask you for your fingerprint and it will then fill in the master password field automatically.

Image Gallery (3 Images)

LessPass for More Security?

Eventually, biometrics and other solutions will do away with this clunky password-centric approach to security. In the meantime, creative minds keep coming up with systems to corral our herds of passwords.

Any one specific approach to dealing with passwords is not necessarily the best option for everyone, but LessPass is an elegant system. We recommend checking it out to see if it suits your needs.

Categories
News

Grounded bars access to vital Control Center toggles without authentication

Grounded is a no-brainer jailbreak tweak that prevents certain Control Center toggles from being accessed until you first authenticate yourself with your iPhone or iPad.
Categories
News

The Next Chrome Update Will Fix Windows Security Issues

A new Google Chrome update should relieve the issues many users are currently experiencing while using the browser with Windows 10's integrated antivirus tool.

The issues stem from a bug that triggers when Windows Security is set to scan the local storage, locking users out of files, slowing Chrome down, and causing a general nuisance.

Related: The Best Antivirus Software for Windows 10

Update Google Chrome, Resolve Windows Security Issues

The issue stems from how Google Chrome and Windows Security interact when a new file is introduced to the system. As per the Chromium commit:

Antivirus programs and other scanners may briefly lock new files, which can lead to frequent problems with saving bookmarks and other files that use the ImportantFileWriter. This attempts to deal with this by retrying the racy ReplaceFile step a few times.

When you create a new file or conduct a Google Chrome task that stores data on your computer, Windows Security scans the local storage to make sure you're not downloading malware or other nasties. The frequency of access might accidentally place a temporary lock status on the files, as Windows Security believes something bad is going on, even when it isn't.

Consequently, Google Chrome runs terribly slow.

This isn't inherently bad behavior, either. You want your antivirus to scan for potentially malicious files and to protect your system. However, if that process fails, as it is here, it can cause issues.

If Chrome Is Lagging, Hit Update

The Google Chrome development team has already found a solution, with the next edition of the browser set to retry the file several times before an error occurs.

So, if Google Chrome is running slow on your computer when you download a file or create data via another method, make sure to download the next Chrome update as soon as possible.

Categories
News

What the EU’s Legislative E2E Encryption Drive Means for Your Privacy

If you are one of 1.6 billion WhatsApp users, you are already using end-to-end encryption (E2EE). This secure form of communication means that any message you send to someone can only be read by the recipient---such chat messages cannot be intercepted by third parties, including governments and criminals.

Unfortunately, criminals also use encryption to hide their tracks when doing malicious things, making secure messaging apps a prime target for government regulation. In recent news, the Council of Europe has drafted a resolution to regulate E2EE, as it heads to the European Commission for its final form.

The question is, are we on the brink of losing our privacy on messenger apps?

Terror Spike Pushes EU’s Gears into Motion

In the wake of recent attacks in France and Austria, the prime ministers of both countries, Emmanuel Macron and Sebastian Kurz respectively, introduced a Council of the European Union (CoEU) resolution draft on November 6, aimed at regulating end-to-end encryption practices.

The CoEU is the proposal body that sets the direction of policies, while the European Commission will draft actionable legislation from it. Fortunately, as a legislative opening, the draft resolution is not as problematic for privacy as one would expect:

  • The resolution does not make any specific proposals for an E2EE ban.
  • It does not propose implementing backdoors to encryption protocols.
  • It affirms the EU’s adherence to strong encryption and privacy rights.
  • It serves as an invitation to experts to fully explore the security measures under the framework "security despite encryption."

However, the resolution does propose a targeted approach:

“Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity.”

Given the trend of governments expanding the range of valid targets, this could include lawful protests as well. In the case of France, this could be the Yellow Vests movement, which was forced out of Facebook onto a secure Telegram app.

Interestingly, Telegram was the same app that Russia banned as the development team refused to create a backdoor for the government. The EU's European Court of Human Rights (ECHR) ruled such a ban as a clear violation of free expression. The ruling bore fruit as Russia lifted the two-year Telegram ban.

Does ECHR’s Telegram Ruling Serve as a Future Safeguard?

Unfortunately, this does not seem to be the case. In 2019, ECHR ruled that free expression around the topic of Holocaust does not constitute a human right. At the same time, the court ruled that the same free expression on the topic of the Armenian Genocide does constitute a human right of free speech. These incoherent rulings reveal that ECHR doesn’t uphold universal standards.

Does the EU’s Draft Resolution Affect You?

If you are worried that WhatsApp, Telegram, Viber, and other E2EE apps will suddenly expose you to hackers and data miners, don’t be. Within the EU, we are likely dealing with a hybrid solution, in which law enforcement agencies must provide courts with sufficient reasoning to invade privacy.

On the other hand, within the Five Eyes sphere, there seems to be a massive push to legislate backdoors into E2EE messenger apps. Pushback from citizenry and NGOs such as Electronic Frontier Foundation will be critical to stave off such restrictive legislation on cryptography.

Related: What Is "Five Eyes" Surveillance?

The Slippery Slope of Governments Regulating Cryptography

It is no secret that nations across the world are eager to undermine citizen privacy for the sake of alleged national security. This charge is usually led by the Five Eyes intelligence alliance. They seek to implement the broadest approach---mandating software developers to integrate backdoors into their apps. This would allow governments and tech companies to access any private data at will.

Although the governments rhetorically state they have safeguards in place against abuse, their track record is less than stellar. As Snowden leaks revealed, they seem to be unscrupulous in how they perceive citizens’ right to privacy and abuse avoidance. Moreover, backdoors are easily exploited by cybercriminals, incurring great economic damage and erosion of trust.

Mandated backdoors are not yet a reality, but governments can employ a powerful persuasion arsenal at any time a criminal/terrorist act happens. Therefore, governments have a steady momentum to erode privacy protections, arguing that:

  • Terrorists/criminals have the same access to encrypted communication protocols as the law-abiding citizenry.
  • Therefore, encrypted communication protocols must be undermined for the sake of the law-abiding citizenry.

Trying to achieve the balance between the two is an ongoing process, most recently put into the public spotlight by EU member states.

Why Is E2E Encryption Important?

When people don’t want to think about the consequences of the surveillance state, they often resort to the baseline argument:

“I have nothing to hide.”

Unfortunately, adherence to such naivety does not make your life safe from abuse. As the Facebook-Cambridge Analytica data scandal demonstrated, one should treat their personal data with as much rigor as one would safeguard the property in their home. When you are stripped of E2E encryption protocols, you create an environment that nurtures:

  • Self-censorship as a mindset.
  • Hacking and blackmail.
  • Inability to be an effective political dissident or a journalist.
  • Corporations and governments using your psychological profile against you.
  • Making governments less accountable for their negative policies.
  • Inability to effectively protect intellectual property.

Just as criminals have easy access to firearms, despite its ban and tight control across the world, so too would criminals procure other methods of communication. Simultaneously, undermining E2EE would make businesses and individual citizens vulnerable to a wide range of abuse.

What E2EE Options Do You Have at Your Disposal?

Backdoors in messenger apps can happen in three ways:

  1. Accidentally by poor coding, which is later patched when the vulnerability is discovered.
  2. Intentionally by government agencies exerting internal pressure on companies.
  3. Intentionally and openly by legislation.

We have yet to reach the third scenario. In the meantime, try to follow these security guidelines when choosing a secure messenger app:

  • Choose apps that have a good track record of resisting pressure and are highly rated by users.
  • If given an option, choose free open source software — FOSS apps. These are community-driven apps, so backdoor implementation would be quickly revealed. Sometimes, you will also find these apps under the FLOSS acronym — free/libre open source software.
  • When using email, try to use email platforms with PGP or GPG encryption protocols.

Taking those factors into account, here are some good open-source E2EE messenger apps:

Signal

Image Gallery (3 Images)

Signal has become a favorite among many privacy-minded users, and for good reasons. It employs Perfect Forward Secrecy (PFS) for all types of messages: text, audio, and video. Signal also doesn’t log your IP address, while giving you an option to send self-destructing messages. On android devices, you can even make it a default app for your SMS texting.

However, Signal does require a telephone number sign up, in addition to not providing two-factor authentication (2FA). Overall, this GDPR-compliant messenger app available for all platforms has yet to be topped.

Download: Signal for AndroidiOS | Windows (Free)

Session

Image Gallery (3 Images)

An offshoot from Signal (a fork), Session aims to have even more formidable security features than Signal. To that end, it integrated all the Signal features but left out the requirement to have a phone number or email for sign up. It doesn’t log any metadata or IP addresses, but it still doesn’t support 2FA.

Its open source development is still ongoing, so you may experience bugs. Moreover, its Onion Routing protocol, in use by the Tor browser, is also under development.

Download: Session for Android | iOS | Mac | Windows | Linux (Free)

Briar

Completely decentralized Briar is one of the latest FOSS apps with E2EE messenger protocols. Exclusive to the Android platform, Briar is the go-to solution for those who worry about a server storing their messages. Briar makes this impossible by employing peer-to-peer (P2P) protocols. Meaning, only you and the receiver get to store the messages.

Moreover, Briar adds an additional layer of protection by using the Onion Protocol (Tor). You don’t need to offer any info to start using Briar except the name of the recipient. However, if you change the device, all your messages will become unobtainable.

Download: Briar for Android (Free)

Wire

Image Gallery (3 Images)

While still remaining open source, Wire is aimed for group messaging and sharing, making it ideal for business environments. It is not free except for personal accounts. Alongside E2EE protocols, Wire employs Proteus and WebRTC with PFS, in addition to self-erasing messaging.

Wire requires either a phone number/email to sign up, in addition to logging some personal data. It also doesn’t support 2FA. Nonetheless, its GDPR compliance, open source nature, and top-of-the-line encryption algorithms make it great for corporate organizations.

Download: Wire for Android | iOS | Mac | Web | Linux (Free)

You Are Not Defenseless Against the Turning Tide

In the end, even if governments completely ban E2EE or mandate backdoors, criminals would find other methods. On the other hand, the less engaged citizenry would simply accept the new state of affairs: mass surveillance. This is why we must err on the side of caution and always push back to preserve our basic human right to privacy.

Categories
News

How to Stay Safe on Public Computers: 6 Tips to Keep in Mind

Between your laptop, smartphone, and other devices, you likely have several ways to get online. But at times, you might find yourself needing to use a computer that's not yours. Perhaps you're visiting a friend, using public resources at the library, or your work requires you to log into different systems all day.

When you're on a foreign computer, you need to take caution to keep your private information safe. Next time you have to use a computer that's open to the public, make sure you follow these guidelines to lock down your privacy and safety.

1. Don't Stay Logged Into Websites

Many websites have a convenient checkbox that allows you to stay signed in even after closing your browser. While this makes life easier for personal surfing, saving personal info in your browser is potentially dangerous. You certainly never want to do it on a shared computer that someone else could log on to.

Whenever you log into a website, keep an eye out for a Keep me signed in or similar box. Sometimes these are checked by default, so you'll want to make sure you clear the box before logging in.

Additionally, be sure to sign out once you're done working on a site that requires a login. Don't assume that closing the browser window will end your session. Some sites will close out your session when you exit your browser, but others won't. And if you don't sign out, your session could be preserved for the next person that comes along.

Even if this doesn't expose your credentials, leaving your account open for others to access could lead to them changing settings, sending nasty messages to friends, or similar.

If you accidentally tell the browser to keep your info, you'll need to clear your cookies so it forgets. This leads us to the next point.

2. Always Clear the Browser History...

What you do online says a lot about you, and when using a public computer, you don't want to leave traces around for others to discover. When you're finished working, be sure to completely clear the browser history.

You should go nuclear and clear every setting that the browser lets you delete. Don't stop at just the history list; get rid of the browser cookies, cache, and similar data too. This resets all login info you might have accidentally saved, and ensures someone won't see your email when they type its first few letters into a text box.

For full protection, also check the browser's auto-fill information to make sure it didn't save your address or other sensitive details.

3. ...Or Use Private Browsing

An alternative to deleting the history (and a simpler method) is to use the incognito or private browsing mode. Every modern browser has one; these prevent the browser from saving any history, cookies, or other browsing data from your session.

When you use private browsing, you don't need to clear the history when you're done, as the browser deletes it all upon closing the window. This also ends any sessions you were signed into, so you don't need to sign out manually.

Nothing you do in private browsing is saved, but if it makes you feel better, you can still delete cookies to be on the safe side. Keep in mind that private browsing doesn't make you invisible, though. The network administrator can still potentially see what you're doing.

4. Be Mindful of Physical Security

As a general principle, when using a computer that you aren't familiar with, know that there's always a chance that someone could have tampered with it. Because of this, you must be vigilant about your activities on any public machine.

You should avoid logging into anything that deals with finance, such as your bank or PayPal. Avoid typing in any passwords if you can get along without doing so.

Keyloggers, which are programs that record every character you type, could steal your login credentials without you even knowing. While there are ways to get around keyloggers, you likely won't have the time or admin permissions to install protective measures on a random computer. Thus, you should be vary of potential security breaches on the machine.

You can use the on-screen keyboard for a little extra protection, but this isn't foolproof. If you're dealing with something sensitive, it should wait until you get home.

5. Consider Booting an Alternate OS

Since most computers run Windows, in all likelihood the computer at your library or school will be one of them. And since Windows is the most popular, it's naturally most susceptible to malware. This may make you want to use an alternate OS when you browse a public machine.

Luckily, it's simple to boot into another operating system (usually Linux) on any computer. If it has an unlocked BIOS, which is likely but not always the case on public computers, you can boot Linux using your USB drive easily.

Using your own personalized OS on a flash drive means you'll be invulnerable to any malware that may be on the main Windows installation. However, there's still no guarantee that the public internet connection is secure. So while using Linux on a flash drive is handy and safer than using the host OS, it isn't a 100 percent safe solution.

6. Be Mindful of Your Surroundings

The above technical advice is all important, but don't abandon common sense either. While using a shared computer, it's likely that other people will be around you. Be sure you don't walk away from the machine and leave it unattended when you're working. You should also be wary of those who might look over your shoulder.

Make sure you know what a document or website contains before you open it. You don't want to load a big document with your financial info or unintentionally open an inappropriate website for all around you to see.

Use Public Computers Wisely

With these tips, you can use computers that don't belong to you with more peace of mind. But even with all these in practice, remember that there's really no way to know how safe a public computer is. It could be totally fine, or it could be filled with spyware and have a keylogger tracking your every move.

When in doubt, don't do anything on a public computer unless you would be OK with everyone in the room seeing it. Speaking of this, you should know how to use public Wi-Fi safely with your own devices, too.

Image Credit: Marco Prati/Shutterstock

Categories
News

8 Totally Free VPN Services to Protect Your Privacy | MakeUseOf

While almost all free VPNs with unlimited data are scams, there are a number of limited-data free VPNs that really don't cost anything.

However, free VPNs often don't stick around forever. Sometimes they change to a subscription model or a freemium model, while some seem to actively compromise your privacy.

But are there any free VPNs that will simultaneously protect your privacy in a reliable way? Absolutely. Keep reading to find out more.

Note: Free VPNs might be OK here and there, but there is no substitute for a paid service like ExpressVPN. Sign up now and receive three months free!

1. Speedify

Speedify is a unique service. If you live in an area with a poor internet connection, it's definitely the VPN for you. It can combine all the incoming connections in your home (including cell and Wi-Fi signals) into a single, stable, faster, and more secure access point. This combination works well to offset some of the loss of speed that all VPN users have to endure.

The company's services are entirely free to use; you get an allowance of 2GB of data per month and don't even need to make an account. All your traffic is encrypted using ChaCha or AES (depending on the device), and the company does not keep logs.

Other security features include packet loss and error correction protection, and an automatic failover. Speedify will also never sell your data.

We've got a great deal on premium Speedify for MakeUseOf readers if you would like to upgrade in the future.

2. CyberGhost for Chrome

CyberGhost has been at the forefront of the VPN industry for many years. It offers various premium models, but the free ad-supported version is a completely free VPN that is adequate for most casual users.

The free version is only available on Chrome and is bandwidth-restricted. It's not as useful if you watch a lot of Netflix or you're thinking about cutting the cord.

Most of its servers are in Europe, but there are plenty of US-based ones available too. Interestingly, the app runs on the Ethereum blockchain. It protects against privacy breaches, censorship, fraud, and third-party interference.

Use Firefox? Check out the best free VPNs for Firefox instead.

3. VPNBook

VPNBook is another totally free VPN; there are no bandwidth caps or service limitations, and there is no premium service.

That said, it's not suitable for beginners. There is no installer, no software, and little guidance. You're simply given a list of servers, and the rest is up to you.

You have a choice of PPTP VPN or OpenVPN. PPTP VPN is supported on almost all platforms, but it's easier for governments and content providers to block. OpenVPN is more secure but requires you to download an OpenVPN client along with VPNBook's configuration and certificate bundles.

The company has servers in the United States, UK, and mainland Europe.

4. Windscribe

Windscribe has versions available for Windows, Mac, Linux, Chrome, Firefox, Opera, iOS, Android, Fire Stick, Android TV, Kodi, DD-WRT routers, and Tomato routers, thus making it one of the most comprehensive free VPN solutions.

Obviously, the main feature is the VPN network, but from a privacy standpoint, it offers some great additional tools. They include a firewall to prevent exposure of your IP address in case you lose your connection, ad and tracker blocking, and a secure link generator, all included in the free package.

However, there is a restricted download limit and only servers in the United States, the UK, Canada, Hong Kong, France, Germany, the Netherlands, Switzerland, Norway, and Romania are available. The $9 per month pro version adds a further 40 countries.

5. Hide.me

Hide.me is a proxy service based in Malaysia and offers more than 1,800 free servers around the world. The free service supports PPTP, L2TP, IPsec (IKEv1 and IKEv2), OpenVPN, SoftEther, SSTP, and SOCKS.

In mid-2015, the company made the decision not to keep any logs. From a privacy perspective, this is a massive plus point; if there are no logs, there is nothing for unscrupulous authorities to seize if they are trying to track you.

Interestingly, the company also publishes a transparency report—it lists all the authorities that have requested information from them.

6. Opera VPN

Opera VPN is part of the Opera browser. It's entirely free; there are no data limits or obtrusive ads.

It comes with three main features:

  • Hidden IP Address: The software replaces your actual IP address with a virtual IP address, making it harder for sites to track you.
  • Unblock Firewalls and Websites: If administrators have blocked certain sites or types of content in your office or school, the Opera VPN will circumnavigate the restrictions.
  • Public Wi-Fi Security: The VPN will stop sniffers on public networks from accessing your data.

To turn on the service, go to Menu > Settings > Privacy and Security > Free VPN.

7. Hotspot Shield

Hotspot Shield has been around for many years. It is still one of the most popular free VPN services among users.

It's not suitable for users who want to unlock geo-restricted content as well as improving their privacy. The free version only offers 500MB of data per day. That's not enough to stream Netflix or any other service.

The free version of Hotspot Shield is also ad-supported, has fewer servers available, and limits you to a single device.

8. ProtonVPN

If you're concerned about your data being leaked to governments and ISPs, ProtonVPN provides a solution. It takes more steps than regular VPN providers to ensure your identity is safe at all times.

For example, it has "Secure Core" architecture. It means all your (encrypted web traffic is first passed through its servers in privacy-friendly countries like Iceland and Switzerland before it heads out to the wider web. As such, even if a VPN endpoint server has been compromised, attackers will still not have access to your IP address. As you would expect, the company does not keep logs.

The company also uses "Perfect Forward Secrecy" in its encryption ciphers. Consequently, your traffic can never be unencrypted, even if the encryption key is somehow compromised by a hacker at a future date.

Lastly, ProtonVPN is one of the few VPN services to offer a Tor connection. You can send all your traffic through the Tor network with a single click in the ProtonVPN app.

At the time of writing, ProtonVPN has almost 500 servers in 40 countries. Supported countries include the US, UK, Canada, Australia, and India. The free version only covers three countries (the USA, the Netherlands, and Japan) and limits you to one device.

Free VPN vs. Paid VPN

All the free VPNs we've looked at are secure, reliable, and trustworthy names. They value your privacy and you can be confident that your data is safe while using them.

However, they are no substitute for a paid VPN. If you are prepared to subscribe, you will invariably get access to more servers, more bandwidth, and more features. If you use a VPN every day, it is probably worth paying the fee.

Categories
News

Travel Booking Sites Hit by Massive Data Breach: How Can You Protect Yourself?

A hotel reservation platform has exposed users' data along with the details of at least 10 million customers worldwide. This could affect anyone who has booked a room via an online booking site in the last seven years.

Here’s what you need to know about this massive leak, how this can possibly affect you, and what you can do about it.

Which Vacation Booking Sites Were Affected?

The Spain-based Prestige Software that’s responsible for a hotel reservation system has been improperly storing several years’ worth of guest data on a misconfigured AWS S3 bucket, a popular cloud storage resource.

Users with accounts on the following sites should take steps to secure their data:

  • Agoda
  • Amadeus
  • Booking.com
  • Expedia
  • Hotels.com
  • Hotelbeds
  • Omnibeds
  • Sabre

More have been affected, but those are the highest-profile ones.

This is not a complete list since Website Planet, who exposed the data breach, hasn’t reviewed all the exposed data yet so there may be more. This could also affect other smaller or lesser-known booking sites that may have used the popular hotel reservation platform.

If you traveled anytime within the last few years, review your accounts to see if you booked any reservations online and so left details in one of the affected sites.

What Kind of Customer Data Was Exposed?

At least 10 million log files dating back to 2013 were leaked. The S3 bucket was still active and in use and new customer logins were still recorded hours after Website Planet made the discovery.

Among the sensitive data exposed was Personally Identifiable Information (PII) like customer’s full name, email addresses, phone numbers—even national ID numbers. Ever recall typing your passport number somewhere online?

It has your credit card number, cardholder’s name, and expiration date and CVV too, alongside other payment details.

There are also details of reservations like dates of stay, price per night, additional requests, number of people, and yes, guest names. If you’ve had a secret 'rendezvous' you wouldn’t want anyone to know about, you should be worried.

What Can Cybercriminals Do With Your Information?

Website Planet contacted AWS directly who then secured the S3 bucket right away. But the team cannot tell for sure if someone else found the data before they did.

So there is a chance that your information’s already being peddled on the dark web while you’re reading this. You should be wondering what cybercriminals can do with your information anyway.

Aside from blackmailing you with the juicy information they have in hand, data like this is like a gold mine for cybercriminals.

Online Identity Theft

The first thing that comes to mind when we talk of data leaks is identity fraud.

Cybercriminals can use your information to open new credit cards in your name or a line of credit. They can use your credit or debit cards for purchases, or your identity to rent an apartment. Some can use your information to get health insurance or medical care.

Phishing

Cybercriminals can also include your email in their phishing campaigns.

And since they have your other information too i.e. bank details, they can craft an email that would look like something you’d receive from your bank, complete with your credit card number. They will then send you malicious links or attachments to download malware into your computer.

Your information could be used to victimize your friends or colleagues by pretending to be you and then reaching out to all your contacts. They may trick them into sending money or downloading an infected file.

Target Wealthy Individuals for Other Scams

Scammers can also target customers who may have booked rooms in pricey hotels (and thus have more money) for more elaborate scams or extortion schemes.

Much of the information in the data leak can be used to profile a person and provide enough information for a cybercriminal to craft a follow-up spear-phishing or whaling attack.

Holiday Takeover

The data leak includes all information about future holidays. Cybercriminals can use this to call the hotel and change the reservation date and names.

Yes, they can take over your vacation or sell these reservations to others.

What Can You Do If Your Data Has Been Compromised?

Should you be worried about this? So far, there hasn’t been any reported cybercrime that can be traced back to the leak. But since there is no way to know if the data exposed was found by someone else before Website Planet, you can be a sitting duck at this point.

Fortunately, there are things you can do about it.

Check If You Were Part of the Leak

You may not remember booking a trip in 2013 but there’s a way to check, especially through your Google account. Look through your settings o see if there’s an alert that says “critical security issues found”. This will list all the sites that are linked to your account that may have been part of a breach, including this travel data leak.

Under this section, you can also check all the other linked sites, like those where you’ve recycled your password. Recycling your password is never a good idea since it will allow hackers to get into your other accounts just by hacking into one.

Otherwise, you can look for email address compromises using Have I Been Pwned. It's worth searching your Inbox for historic uses of booking sites too.

Watch Out for Phishing Emails

Monitor your Inbox and watch out for suspicious mails.

Make sure your AV’s updated so it can detect malware in attachments and phishing links within emails.

Be on the lookout for other emails and notifications that could be a sign someone else is trying to create accounts under your name. Check for emails that alert you about signing up or may tell you about a change in your other accounts.

Don't click on links within emails. Instead, go to official websites using a different tab, browser, or device.

Call Your Bank

It’s worth calling your bank to inform them that your active account might be part of a recent data leak. Ask them for ways they can help secure your account.

Set up Two-Factor Authentication (2FA) for your bank apps, and other websites where you have sensitive information.

Place a Credit Freeze

You may also want to consider placing a security freeze on your credit report. This will make it difficult for identity thieves to create new accounts or open a line of credit in your name.

No, freezing it will not affect your credit score.

RELATED: How to Prevent Identity Theft by Freezing Your Credit

Ditch Your Travel Accounts For Now

With lockdowns either currently in place and imminent in other parts of the world, it looks like people won’t be traveling as much right now. Consider removing your travel booking accounts for short time and just set up a new one when you are ready to travel again.

Monitor Your Accounts

Monitor your credit or debit accounts and watch out for fraudulent transactions. Don't recognize a transaction? Contact your bank or

Guard Your Data

Your data is a precious commodity. Know that there are people who may try to get their hands on them for illegal activities.

Always keep yourself informed about data breaches so you’ll know if your information’s been compromised. And practice digital hygiene by deleting old accounts or updating your security settings.