Cybersecurity
November 30, 2017 Entefy

10 cybersecurity and privacy threats that will make you miss Nigerian prince and lottery email scams

Phishing refers to any attempt to obtain a person’s sensitive private data—usernames, passwords, bank account numbers—or plain old cash, usually using a misleading email or other communication. If you’ve ever received an email from a down-on-his-luck Nigerian prince looking for some help, you’ve been targeted in a phishing scam. Believe it or not, people around the world lose $12 billion annually to phishing.

The New Zealand-based Internet safety nonprofit Netsafe has a novel tool for fighting back against phishing, called Re:scam, an AI-powered chatbot that responds to phishing emails. Not once, but again and again, as long as the scammer continues sending emails. Anyone can use Re:scam by sending a phishing email to a dedicated Netsafe email address. You can see the chatbot in action in this article.

Though Re:scam offers some humor, there’s nothing funny about the $12 billion annual loss due phishing scams. Phishing is digital activity we all need to be aware of, on the same list as malware and the unannounced collection or misuse of our sensitive private data. To help keep you informed about what’s going on in personal data security, we’ve assembled 10 examples of hacking and data collection threats to your digital security:

  1. Take a closer look at Facebook’s “People You May Know.” Facebook may know way more about you than you ever imagined, or intended. Case in point: a one-time sperm donor received a Facebook recommendation that he should connect with the child born of his donation—despite having no Facebook connection to the child’s parents. “Behind the Facebook profile you’ve built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you’ve never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections.” 
  2. Entefy has previously examined privacy problems with so-called “Internet of Toys” products. Despite consumer concerns about invasive data collectors masquerading as toys, Mattel attempted to launch an Amazon Echo-style device intended for use by children. Briefly, because they quickly announced it was canceling plans to bring to market a smart device called Aristotle. Aristotle was “aimed at children from infancy to adolescence and was set to hit stores in 2018. The voice-activated Wi-Fi device with a companion camera was billed as a ‘first-of-its kind connected kids room platform’ that was designed to ‘comfort, entertain, teach, and assist during each development state — evolving with a child as their needs change.’” After a consumer safety petition gathered 15,000 signatures, two Congressmen sent a letter to Mattel in which they wrote: “This new product has the potential to raise serious privacy concerns as Mattel can build an in-depth profile of children and their family. It appears that never before has a device had the capability to so intimately look into the life of a child.”
  3. Google Home Mini given to a journalist ahead of the product’s launch suffered from hardware defects that caused the unit to make thousands of recordings without being purposefully activated. Or in his words, “spying on me 24/7.” Google resolved the situation by disabling the malfunctioning features. Nevertheless, the defect reinforces just how potentially problematic an Internet-connected home device can be if hacked or otherwise misused to secretly collect data about you and your family.
  4. File this under “potentially worrisome.” Apple’s iOS 11, the operating system that powers iPhones and iPads, has a new feature that provides machine learning functionality that third-party apps can make use of. Called Core ML, it lets developers make use of Apple’s artificial intelligence capabilities so third-party (non-Apple) apps can crunch user data to provide personalization services. Which isn’t itself a problem. But questions instantly emerged about privacy and security: “It’s hard to tell during App Store screening [Apple’s approval of a new app] whether a Core ML model can accidentally or willingly leak or steal sensitive data.”
  5. There’s a potentially serious privacy loophole in iOS that could allow any app with permission to access the iPhone’s camera to secretly take photos and videos without you knowing. Some apps might request camera access when starting up to obtain a profile picture of you, or to handle media you want to send to friends. If users grant an app permission to access their device’s camera, that app can now do much more than take a photo of you. What’s worse, there’s no indication of the app’s activity, so you’re none the wiser.
  6. Here’s a reminder of just how important software updates and vigilant security practices are these days. One malware research organization looked into the ransomware economy and found that there was a 2,502% increase in the sale of ransomware on the dark web from 2016 to 2017—in just one year. Entefy has covered how blockchain technology can improve cybersecurity, but it may be years before the potential for that increase in cybersecurity is fully realized. Until then, be careful out there.
  7. Security software provider Symantec shared some startling findings about malware on the Google Play app store: “We have encountered a new and highly prevalent type of Android malware posing as apps on Google Play and later adding compromised devices into a botnet. So far we have identified at least eight such apps, with an install base ranging from 600,000 to 2.6 million devices. This malware appears primarily targeting users in the United States, but also has a presence in Russia, Ukraine, Brazil, and Germany.” The company notified Google Play of these malicious apps and Google has confirmed removing these apps from the store.
  8. In an announcement straight out of a spy movie, security researchers at an Israeli university showed that security cameras infected with malware can receive secret signals and leak sensitive information. According to the researchers, “Security cameras are unique in that they have ‘one leg’ inside the organization, connected to the internal networks for security purposes, and ‘the other leg’ outside the organization, aimed specifically at a nearby public space, providing very convenient optical access from various directions and angles.” Hackers can potentially use this covert communication channel to install malware and steal data from any computing device connected to the same network as the camera.
  9. Not even pacemakers are safe from hackers. The FDA issued an emergency firmware patch intended to protect people who have a pacemaker from hackers. The FDA stated, “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.” The software patch took just 3 minutes to update and did not require surgical removal and replacement of the vulnerable devices.
  10. Another category of security threat plagues the servers that power infrastructure like the electrical grid and banking networks. One such backdoor was found in software used by banks and energy companies. Called ShadowPad, the malicious code allowed hackers to secretly collect data as it passed through infected servers. This particular vulnerability was discovered by a security research firm after 17 days. The potential for a future backdoor malware to go undetected raises the specter of an energy grid shutdown like happened in the Ukraine

Entefy regularly covers data trackers and cybersecurity threats, most recently in a presentation highlighting threats to your sensitive private data.