Protecting your online privacy

In recent years, products intended to deliver conveniences directly to our doorsteps have begun to present tacit privacy intrusions into the modern home. Always-on smart speakers, e.g. Amazon Echo, from online retailers make it easier than ever to order products, but they also enable those companies to listen to our every word. Those same companies are monitoring our behaviours across the Internet.

“Google knows quite a lot about all of us,” said cybersecurity expert Bruce Schneier in a recent interview with the Harvard Gazette. “No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.”

Giant corporations like Google aren’t the only ones intruding into our daily lives to collect our personal data for financial gain—cybercriminals are intent on doing the same. Crimes such as identity theft and extortion can be carried out with stealthy malware, such as remote access tools (RATs) used to spy on users via laptop webcams.

Until there’s a major shift in our society’s attitudes (and public policies) toward Internet privacy, the duty falls on individual users to safeguard their own private data, identities, and other sensitive information. Here are some tips to take back control over your privacy:

Configure your web browser to delete cookies after closing. You can also take control of other advanced privacy features in your web browser to have greater control of what you’re sharing with websites you visit.

Cover your webcam with tape, a sticker, or something else that can block the camera lens and also be easily removed when you need to use it.

Don’t share sensitive information on social media. Check your privacy settings on sites like Facebook and Twitter and make sure only your trusted followers can see your complete profile. For instance, do your Facebook friends really need to know your real birthday? Deliberately sharing a fake birthday on social media can be a crafty way to enhance your privacy.

Lock your screens. All of them. Losing a device like your laptop or smartphone could spell disaster if they were to end up in the wrong hands. Strong, uncommon PINs and passwords can lock down your devices from would-be thieves.

Use fake answers for password security questions. Honest answers to security questions can often be found with just a little online digging. Why can’t your mother’s maiden name be “7O7F1@!3kgBj”? This brings us to our next tip…

Use a password manager app to generate and store strong, unique passwords for all of your accounts. (A password manager can also safely store those fake security answers mentioned above.)

Use security software to monitor and protect your digital devices from threats like malware, spyware, and phishing attacks, which can steal your private data.


Cloud Recon

These days many organizations have migrated at least some of their IT services to a cloud environment. Cloud adoption could be as basic as the use of Microsoft Office 365 on some workstations, or it could be much more comprehensive, such as the use of a fully integrated Azure or Amazon AWS infrastructure. With this increased importance comes an increased level of risk as well, which needs to be taken into account when allocating resources to security tasks. This is especially true when it comes to regular penetration testing and vulnerability scanning of cloud services.

Reconnaissance and enumeration: When it comes to penetration testing and vulnerability scanning, knowledge is everything. The more information an attacker has about a targeted organization, the easier and more deeply the system can be compromised. From a defensive perspective, the more information an entity has about its own network, the better it can protect and monitor it. There are many ways to gather this required information, both passively (reconnaissance) and actively (enumeration).

DNS Records: The first step in (public) cloud reconnaissance is to identify whether the target is using any cloud services and, if so, which services they are. The best way to do this is to query specific DNS records. DNS MX records are used to direct email to a company’s e-mail servers for processing, which means they hold important information. If the records point to for instance, the target is likely using Office 365 for e-mail services. Many other service providers require the same type of verification. If there is a DNS TXT record named amazonses, for instance, the target is likely to use Amazon Simple Email Service. More information is available as well via CNAME, SPF and DFS records. There are a lot of tools available that can easily extract the required DNS information. Nmap, DNSEnum, and DIG are some of the tools that come pre-installed with Kali Linux.
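The record-based provider identification described above, as an added example that is not from the original article: a small Python classifier that parses dig-style answer lines and reports which cloud providers the MX, TXT and CNAME records reveal, which an organization can run against its own domain to audit its public footprint. The sample records are constructed for a hypothetical domain, and the provider fingerprints are assumed from public provider documentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `dig +noall +answer` output for a
# hypothetical domain; not a real organisation's records.
SAMPLE_ANSWERS = """\
example.test.            3600 IN MX    0 example-test.mail.protection.outlook.com.
example.test.            3600 IN TXT   "v=spf1 include:spf.protection.outlook.com -all"
_amazonses.example.test. 300  IN TXT   "Ab3dEfGh1jKlMnOpQrStUvWxYz0123456789abcdef="
www.example.test.        300  IN CNAME example-test.azurewebsites.net.
"""

# Provider fingerprints: (record type, regex on the record data, provider name).
# Assumed from public provider documentation; extend with the CSPs you use.
FINGERPRINTS = [
    ("MX",    r"\.mail\.protection\.outlook\.com\.?$",  "Microsoft Office 365 (Exchange Online MX)"),
    ("TXT",   r"include:spf\.protection\.outlook\.com", "Microsoft Office 365 (SPF include)"),
    ("MX",    r"\.google\.com\.?$",                     "Google Workspace (Gmail MX)"),
    ("CNAME", r"\.azurewebsites\.net\.?$",              "Azure App Service"),
    ("CNAME", r"\.cloudfront\.net\.?$",                 "Amazon CloudFront"),
]

def parse_answers(text: str) -> List[Tuple[str, str, str]]:
    """Parse dig-style answer lines into (owner, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(parts) == 5 and parts[2] == "IN":
            records.append((parts[0].lower(), parts[3].upper(), parts[4].strip()))
    return records

def identify_providers(records: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each detected provider to the records that revealed it."""
    found: Dict[str, List[str]] = {}
    for owner, rtype, rdata in records:
        # A TXT record under _amazonses.<domain> is the Amazon SES domain-verification token.
        if rtype == "TXT" and owner.startswith("_amazonses."):
            found.setdefault("Amazon Simple Email Service", []).append(f"{owner} TXT")
        for ftype, pattern, provider in FINGERPRINTS:
            if rtype == ftype and re.search(pattern, rdata, re.IGNORECASE):
                found.setdefault(provider, []).append(f"{owner} {rtype} {rdata}")
    return found

if __name__ == "__main__":
    for provider, evidence in identify_providers(parse_answers(SAMPLE_ANSWERS)).items():
        print(provider)
        for item in evidence:
            print("   ", item)
```

To audit a real domain you control, feed the script the concatenated output of `dig +noall +answer MX`, `TXT` and `CNAME` queries for the names you publish, then compare the detected providers against the services you actually intend to expose.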

Network and Application Scanning: Traditional tools such as Nmap and Kismet scan the cloud perimeter without any issues. What is new, however, is that a cloud target is located within a shared network, owned by the Cloud Service Provider (CSP). To avoid any impact on other customers and any defensive or legal action from the CSP, always ask (you should always do this!) for written approval before starting scans, both to and from a cloud instance.

Cloud Specialized Tools: Development of new and adapted reconnaissance, enumeration and exploitation tools specialized in targeting public cloud providers has been limited. There are, however, a few useful cloud-specific reconnaissance tools. For instance, Azurite is a reconnaissance and visualization tool that gives a good understanding of which Azure services are in use and how they are connected. An interesting development on the offensive side is the use of bots that search sites like GitHub for uploaded code that accidentally contains cloud account access (API) keys.

Vulnerability scanning: Finally, the most comprehensive, but also the noisiest, method of network reconnaissance is the use of a vulnerability scanner. Such a scanner simply runs through a standard or customized profile of passive and active scans and lists the detected vulnerabilities, sometimes alongside remediation actions. The scanner could be placed inside the cloud instance, such as the Qualys Virtual Scanner Appliance for Amazon AWS. Another option is to use the security services of the Cloud Service Provider, for instance in the form of Amazon Inspector. As with network scanning, prior written authorization from the Cloud Service Provider is required.

It is increasingly important for any company to know what network and security information is publicly accessible via the Internet. After proactively gathering this information, actions can be taken to limit the exposure and, with that, the security risks. Regular scans of the perimeter, analysis and clean-up of DNS records, taking obsolete services and cloud instances offline: there is much an organization can do to be proactive from a security perspective. In the end, it is critical to know what company data is out there so it can be best protected from malicious entities.


Protect Your Customers and Prevent Against CNP Fraud


Research conducted by AXA in 2016 found that in the previous year, 7 in 8 purchases in Europe were made online, and with phone payments and ecommerce on the up, the threat of card-not-present (CNP) fraud will continue to rise. According to the Nilson Report, in 2015, fraud losses to merchants occurred overwhelmingly from CNP transactions, and the problem is only getting worse. Worldwide losses from card fraud are predicted to reach an eye-watering $31 billion by 2020.

With this in mind, there are some key practices that businesses should be relying on to protect their customers from CNP fraud. Here are our top six pieces of advice:

1. Use fraud detection software: There are a number of fraud prevention tools that merchants can use to pick up on fraudulent activity, including 3-D Secure payments and Web Application Firewalls. These can supplement your payment systems and help keep your customers’ data safe by detecting whether any illicit activity is taking place.

2. Hide your data: Holding some customer data is sometimes unavoidable. To protect customer information from being stolen when it’s not in use, make sure it is obscured and encrypted. This means that any hacker who gains access to personally identifiable information (PII) won’t be able to read it or use it for fraudulent activity.

3. Keep your employees informed: One common way that fraudsters can do a lot of damage is through the use of phishing emails. These emails may ask your employees to move money into a different account, enter their password, or send a customer’s personal details. It’s important to keep your employees informed about these sorts of risks, so they can always be on the lookout for fraudulent activity – and know when they need to report suspicious emails.

4. Be on guard against insider threats: While a hacker can do serious damage, the threats that sit inside your company can’t be ignored. Pause and Resume call recording, also known as stop/start, is a common data security solution used by contact centres. The technology works by pausing the call recording when your customer is reading payment card details out loud. The recording is then resumed once the sensitive information has been taken. But this practice means that employees could easily write down your customer data to use for their own fraudulent purposes, or even sell it to the highest bidder.

5. Stay on top of regulations: The Payment Card Industry Data Security Standard (PCI DSS) was created to offer increased protection to customers against card fraud. Compliance with this standard is not only compulsory for all organisations that take card payments, but many of its requirements are designed to help safeguard your customers’ card details. With the ever-changing regulatory landscape – the EU GDPR and UK Data Protection Bill are just around the corner – it’s important to stay on top of these regulations to keep customer data safe, and ensure your company doesn’t find itself facing a hefty fine.

6. Protect your contact centre: With more customers turning to the phone when it comes to making a purchase, your contact centre remains an integral part of your business. Therefore, making sure it adopts a stringent approach to data security is extremely important. Companies can invest in technologies like Semafone Cardprotect, which reduces the risk of fraud by allowing customers to type their card details directly into their telephone keypad while staying on the line with the agent, instead of reading them out loud.

To ensure your company is fully protected against the potential damage of CNP fraud – whether that’s reputational or financial – you need to have the right data security in place. Implementing these steps will help reduce the risk to your organisation.