David Cameron: Potentially banning chat apps

ExpressVNP

The tragic events in Paris recently have quite rightly been condemned by many governments of the world but, according to some people at least, the Charlie Hebdo shootings have also presented opportunity out of chaos.

In what the conspiracy-minded sections of the public may point to as a classic case of problem-reaction-solution, moves are already afoot to enhance security in some nations, albeit at the expense of liberty.

Take the UK for example: not so long ago proposals to implement a so-called ‘snoopers’ charter’ were hampered, in no small part due to the revelations of Edward Snowden and the details he leaked about how security agencies have perhaps been overstepping their surveillance remits.

In a clear case of Je ne suis pas Charlie, lawmakers have slipped amendments into the Counter Terrorism and Security Bill currently sitting in front of the House of Lords in draft format. If passed, ISPs would be forced to log ever more detail of their customers’ actions on the internet and that data would be available to law enforcement and security services with even less oversight than there is now.

Here at ExpressVNP we do not much like the sound of that but we are also aware that this latest move is only one of many bizarre and/or draconian moves by PM David Cameron and the UK government of late.

Earlier this month Cameron caused much consternation in security and privacy circles when he announced that the Conservative party will, if re-elected in next year’s general election, put an end to encrypted communications that cannot be read by the nation’s security services, even if they have a warrant in place.

In a speech on Monday 12 January he said:

“In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.”

Interestingly, Cameron hasn’t fleshed his proposal out with the addition of much detail – which may explain some of the erroneous reporting that suggested Snapchat could be included in a possible list of banned, backdoored or otherwise compromised messaging apps (its own guidelines make it clear that it can, under some circumstances, retrieve messages when facing a valid demand from the spooks, despite the supposed self-destructing nature of its service).

Other popular encrypted messaging services such as Chadder, Telegram Messenger, ChatSecure, Surespot, KakaoTalk and Bleep (we’ve written about them previously) may be affected though.

Cameron’s proposed ban would apply to any service that offers true end-to-end encryption of messages including the ultra-popular trio of Whatsapp, iMessage and Facetime.

While it is possible that the bad guys use such services to engage in nefarious plotting, if the technology has been implemented as it should, the service providers will not be in a position to simply hand messages over (Apple’s recent privacy update actually makes it clear that it “doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to”) – making us wonder, therefore, if Cameron’s goal is to get his hands on the data or simply see the back of the services altogether.

But it’s not only social and chat apps that could potentially suffer should the British prime minister have his way – his ideas would likely also apply to privacy enhancing services such as The Onion Router. Tor does of course have quite legitimate uses and is often used by activists, journalists, military personnel and even religious missionaries working in areas where incumbent regimes are less than welcoming of the message they are attempting to spread.

Perhaps the British government thinks all users of the Tor network are enemies of the state whose communications need to be under constant surveillance?

We don’t of course – that’s one of the reasons why we offer our own service – but we do know that people value their privacy, especially since Snowden revealed how governments, including the British, have a penchant for wanting to know more than they need to about those who are guilty of nothing. We also know that many users of encryption and other privacy related tools have quite legitimate reasons that can range from sidestepping overzealous censorship within their countries to keeping themselves safe after falling victim to crime.

But will this new legislation stop terrorism?

Do you really think terrorists use communication methods that the security services can tap into? No, of course not – if Britain does away with meaningful encryption then the bad guys will find other ways to communicate and only the most stupid and unprofessional of them will pick a means that can be eavesdropped upon whether the spooks have warrants or not.

Thus, the only people who will be subject to further scrutiny of their online communications are the innocent.

That may not bother everyone – London mayor and possible future leader of the Conservative party Boris Johnson said:

“I’m not particularly interested in this civil liberties stuff when it comes to these people’s emails and mobile phone conversations. If they are a threat to our society then I want them properly listened to.”

– but it will affect them, even if they believe they have nothing to hide and hence nothing to worry about.

So what about you?

Are you someone who worries that a future government may attempt to surveil more than it needs to?

And what about the terrorists this notion is supposed to affect? Do you really think they’ll carry on as normal now or will they not find other ways to communicate that the security services cannot tap into?

And what about British business? If the government forces a secret backdoor into all encryption technology then how will they protect their business data, intellectual property and your personal information in a climate that will only encourage the bad guys to find a way to prise that door open for themselves? And if a backdoored company is subsequently breached will it then be fined by the Information Commissioner’s Office (ICO)?

What about those companies that have a business model surrounding the development of encryption technology? There are several in Britain and many are worried – we’ve already heard murmurings from UK tech start-ups that are considering moving their business elsewhere, despite numerous incentives previously provided by the government, including Tech City (aka “Silicon Roundabout”).

We have so many questions but very few answers. David Cameron’s proposals are utterly ridiculous and, we would argue, totally unworkable. They help no-one, not even the security forces which themselves admitted that the Paris hackers were already known to them before the attacks (if they had even more intelligence you could imagine a scenario wherein information overload would actually do more harm than good) and they stand to hurt everyone.

Featured Image: Edler von Rabenstein / Dollar Photo Club


Through the looking glass: Warrant-less wonderland for new police radar


Who’s peering through your windows late at night? Hopefully no one, but that’s why homeowners shell out for pricey security systems, cameras and even basic privacy tools like blinds. But as a recent Discovery News article reports, law enforcement might also be snooping around — and doing so without a warrant — thanks to new technology known as Range-R Radar. Yikes!

Seeing is Believing?

Range-R got its start in the military but, like many battlefield advancements, has experienced steady stateside police adoption over the last few years. The device wasn’t talked about much until recently, when it was used without a warrant by Denver law enforcement. USA Today reports that in December 2014, Range-R was part of a police operation to find and apprehend a man who had violated his parole — officers used it to check his home and determine if he was inside. Defense lawyers argued that this new radar technology violated Fourth Amendment rights and, while judges upheld the new arrest, they wrote that they had “little doubt that the radar device deployed here will soon generate many questions for the court.”

So what’s the big deal? Can Range-R really see through walls? Yes, and no. Unlike thermal cameras — which produce an image and require a warrant to use — this new radar only detects motion relative to stationary objects, but its sensitivity is off the charts; from 50 feet away it can determine if people are inside a house — and if they’re breathing. The system uses a Doppler motion detector operating on the microwave bandwidth and is touted as a great step forward for law enforcement, especially when it comes to high-risk arrests. The problem? No warrants are required, and ordinary citizens are spooked about how this technology could impact their privacy.

Caller Beware

While the new radar is understandably making waves, this isn’t the first instance of technological space invasion — if anything, both the physical and digital worlds are primed to become more monitored than ever. Consider the TeenSafe application, brainchild of parents like Ameeta Jain, who grew weary of telling her children to text or call and never getting an answer. By installing this “covert app” on kids’ phones, concerned parents can monitor cell phone use, read text messages and view social media posts. A great idea for digitally naïve teens? Absolutely. But the app is in no way limited by age group or intended use — and in the wrong hands, this is big trouble.

And speaking of children, it’s worth noting that a U.S. District Court judge recently threw out a class-action lawsuit from parents on behalf of children under the age of 13 who visited the Nickelodeon website. Viacom and Google both asked kids for personal information such as gender and birthday and then used that information to create targeted advertising campaigns. Although Judge Stanley Chesler noted that the plaintiffs “identified conduct that may be worthy of further legislative and executive attention,” he found that there was no “existing and applicable legal authority to support their claims.” Bottom line? Tracking kids may be morally bankrupt, but there’s no law on the books to back up that sentiment.

Getting Worse

According to a January 23rd article from RT, things are only going downhill from here. Sir David Omand, a Commissioner of the Global Commission on Internet Governance, argues that increasingly sophisticated encryption methods being used by big companies and mobile apps will prompt spy agencies to commit “ethically worse” behavior to get information they want. After the recent Paris shootings, for example, several governments have begun talking about more expansive Web monitoring — up to and including reading all texts, looking at photos and scanning emails sent by anyone, anywhere.

Looking In

So who’s really looking in? When it comes to your house, it’s possible the police are using new-fangled radar to spy on your wild nights of Internet surfing but on a larger scale, just about every company and every government wants to know your digital details. At ExpressVNP, we’re privacy advocates; your IP address, your surfing habits and your downloads are nobody’s business. When it comes to home-piercing microwave radar, though…maybe try aluminum foil?

Featured Image: Highway Patrol Images / Flickr


No Wi-Fi, no problem: Hackers go low-tech to steal your data


The risks of using an unprotected, unencrypted Wi-Fi network are well-documented. Anything you transmit becomes fair game for hackers — if you decide to access a banking website, make a large purchase or fill out healthcare forms you’ve put yourself in the line of fire. Of course, there are several easy ways to solve this problem. One is to only use trusted home or work networks that offer enhanced protection, another is to choose a secure VPN service and mask your activities from prying eyes anywhere, anytime.

But the ultimate standard of protection has always been to go without Wi-Fi — turn off your wireless receiver, unplug from the Internet and rest assured that no one can steal your information unless they take your computer by brute force. As reported by Discovery News, however, a team from Georgia Tech has now found that electronic devices have a bad habit of “leaking” information even when they’re completely offline. Here’s what you need to know.

Side by Side

How are hackers getting your information if they can’t intercept wireless transmissions? Some kind of tiny recording device, perhaps, or bio-enhanced tracking chip that monitors your every movement? Sadly, it’s nothing so sophisticated. Instead, hackers rely on what’s called “side channel information” to steal your data.

What’s the most obvious way to capture electronic information? Pick up any plaintext transmitted over unsecure wireless networks. Another choice is to grab encrypted data in hopes of cracking the code or convincing users to give up their access key. But there’s a third, more sinister choice: Side channel attacks. These attacks occur when hackers analyze how information is being processed, rather than going after the information itself, and then interpret this data to produce an actionable result.

Sounds complicated, right? Luckily, Crypto Fails offers an easy example. Imagine you’re getting a gift from someone and can’t wait to discover what they’ve bought, so you start asking questions: is it a book? A game? A hat? If they couldn’t keep a secret they’d be like a public wireless network and spill the plaintext beans, saying “yes” when you hit the right answer. Chances are, however, that they’ll give nothing away by saying “no” to every question. End of story, right? Wrong. By looking at their facial expression and body language after you ask each question, it’s possible to get a sense of which “no” is really “yes”. In other words, they’re offering a host of side channel information, if you know where to look.

Computer Speak

While laptops and mobile devices don’t have facial expressions, that doesn’t mean they’re unreadable. As noted by a Discretix white paper, there are several ways to discover what computers are doing based on how they’re doing it. For example, attackers can monitor the time it takes to perform specific operations, measure the amount of power consumed by particular tasks or examine faults that occur naturally in a system. Using this information, it’s possible for malicious actors to narrow down what kind of operation is being performed and what type of data is being sent. In other words, your computer never really shuts up.
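To make the timing channel concrete, here is an added example (not from the original article or the Discretix paper) of a secret comparison whose every wrong answer is "no" but whose workload gives away how close each guess was, next to a fixed-work version that removes the tell. The secret, the guesses and all function names are constructed for illustration, and byte comparisons are counted as a deterministic stand-in for elapsed time.

```python
"""Added illustration: a timing side channel in a secret check, and its fix."""
from __future__ import annotations

import hmac

# Constructed sample secret and guesses, for this example only.
SECRET = b"hunter2!"
# Every guess except the last is answered "no".
GUESSES = [b"xxxxxxxx", b"huxxxxxx", b"huntxxxx", b"hunter2?", b"hunter2!"]


def leaky_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison: stops at the first differing byte.

    Returns (answer, byte comparisons performed). The second value models
    the running time an observer could measure from outside.
    """
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps  # the amount of work depends on the secret
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Fixed-work comparison: always visits every byte of the secret.

    Differences are OR-ed into an accumulator instead of triggering an
    early return, so the work done is the same for every guess.
    """
    steps = 0
    diff = len(secret) ^ len(guess)  # a length mismatch also counts
    for i in range(len(secret)):
        steps += 1
        g = guess[i] if i < len(guess) else 0
        diff |= secret[i] ^ g
    return diff == 0, steps


def work_profile(compare) -> list[tuple[bool, int]]:
    """Run every constructed guess through `compare`."""
    return [compare(SECRET, g) for g in GUESSES]


def leaks(profile: list[tuple[bool, int]]) -> bool:
    """True if rejected guesses are distinguishable by workload alone."""
    rejected_work = {steps for ok, steps in profile if not ok}
    return len(rejected_work) > 1


def agrees_with_stdlib() -> bool:
    """Check the fixed-work version against hmac.compare_digest, the
    standard-library routine to use in real code."""
    return all(
        constant_time_equal(SECRET, g)[0] == hmac.compare_digest(SECRET, g)
        for g in GUESSES
    )


if __name__ == "__main__":
    for name, fn in (("early-exit", leaky_equal),
                     ("fixed-work", constant_time_equal)):
        profile = work_profile(fn)
        print(f"{name:10s} work per guess: {[s for _, s in profile]} "
              f"leaks={leaks(profile)}")
```

In production code the comparison itself should be `hmac.compare_digest`; the hand-written fixed-work loop is here only to show why it behaves differently from the early-exit version.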

Coffee Criminals?

So what does this have to do with Georgia Tech’s research? The team discovered that laptops and smartphones continuously “leak” a new kind of side channel information: Electronic emissions. They’ve also shown that it’s possible for someone sitting nearby in a coffeeshop as you work offline to steal your password using AM radios, hidden antennas or even tiny microphones. Some emissions are produced whenever a computer is running while others occur only when you’re typing, meaning that determined hackers can “keylog” you even when you’re offline. More worrisome? There’s no electronic fingerprint, making it almost impossible to find out who stole your information.

There is some good news, however. Assistant professor Alenka Zajic says that “if you are comparing this to Internet attacks, it is less of a problem.” That’s because hacking a few computers in the coffee shop or library using side channel attacks isn’t nearly so lucrative as compromising hundreds of Internet-enabled devices at once. Zajic also hopes that by notifying software and hardware manufacturers about this problem now, they can find ways to mask or eliminate these side channel signals.

Bottom line? If you’re visiting the local cafe, maybe leave the laptop in its case and just enjoy the coffee.

Featured image: Alejandro Escamilla / Unsplash


E-cigarettes: better for your health, not so good for your computer


Electronic cigarettes are, arguably, much better for your health than the real thing – they don’t contain tobacco – but they may contain surprises.

According to a post by Jrockilla, an “IT guy” on the Talesfromtechsupport forum, an e-cigarette belonging to his boss may have come packaged with a USB charger preloaded with malware.

Jrockilla wrote how an executive at a large corporation found malware on his computer and that the source of the infection could not be determined. After the IT department looked at all the obvious routes of entry and pored over the web logs, it started looking into the less obvious points of access for the malware.

When the executive was asked whether there had been any changes of note in his life recently he said he had quit smoking a fortnight previously and switched to e-cigarettes.

Jrockilla wrote how “that was the answer they were looking for, the made in china e-cigarette had malware hard coded into the charger and when plugged into a computer’s USB port the malware phoned home and infected the system.”

When the post made its way onto Reddit it picked up well over 300 comments, with most doubting the veracity of the tale. Many Redditors commented how they had taken e-cig chargers apart or seen pictures of them and noted that they did not contain USB microcontroller chips or data wires and were, simply, designed for what they were intended – a means of charging an e-cigarette.

Others pointed out how AutoRun – the bane of administrators and security personnel for far too many years – would not automatically run any malware on the charger without prompting the user first (assuming they were using a modern operating system).

Even so, the story may be true, even if it is at best likely to be a one-off or limited case. Rik Ferguson, Trend Micro’s Vice President of security research and author of the company’s countermeasures blog, told The Guardian that:

“Production line malware has been around for a few years, infecting photo frames, MP3 players and more.”

Combine that with newly discovered malware such as BadUSB – which proves it is at least possible to reprogram USB devices at the hardware level – and you can see the potential for abuse by criminals and other attackers.

So how can you counter the risk and should you even be concerned at all?

The risk of e-cigarette infection appears to be ridiculously small right now and there is in fact no confirmation that Jrockilla’s story is true in the first place. But that’s not to say that no-one will attempt to transfer malware in this manner in the future so you need to be wary.

If you are advised to only buy e-cigarettes or, more specifically, chargers from certain manufacturers then think things through carefully – many consumer electronic items are manufactured in a limited number of factories in a limited number of countries and then rebadged for different retailers – so that strategy may not yield any guarantees whatsoever.

Instead it would be far better to look at the business end of the charging process – the PC or other device into which the charger is plugged.

So, ensure that all your security and other software is fully patched and up to date and, if you have particularly sensitive data on your device, or are particularly paranoid about this type of attack, consider disabling your USB ports altogether or employing some form of device management to block unauthorised devices from being used.


Free search engines: What you’re looking for?


How much does your search engine know about you? The hope is “virtually nothing”, but in most cases that’s not true — using well-known search sites comes with tacit agreement to their data collection policies, which are often much wider in scope than many consumers believe.

To counter this concern, several free search engines now offer no-track services to help keep personal data in the hands of users rather than corporations. Are they worth a look?

So They Know a Couple Things…

Most search engines collect at least some user data, but in a security-conscious world there’s increasing scrutiny on what exactly gets collected, why, and how it ultimately gets used. Still, most users are happy enough to bring up their favorite search page and start looking under the assumption that there must be an upper limit on what’s allowable when it comes to tracking their virtual movements.

Consider search giant Google. Their privacy policy clearly lays out what they collect and says this collection happens to “show you more relevant search result and ads, to help you connect with people or to make sharing with others quicker and easier.” First up: Log information. When using any Google service your search query, IP address and unique identifier cookies are all recorded. So are your actual location, unique application numbers and personal information stored locally on your device; in addition, the company says they may send anonymous identifiers to your device. And as reported by Biz Journals, Google has also scanned the emails of non-Gmail users who sent mails to Gmail accounts. With all this data up for grabs, it’s no wonder users are looking for an alternative.

Privacy Basics

Want to protect your information online? One option is trying out ExpressVNP, which hides your IP address from prying eyes and encrypts all of your traffic so malicious actors and corporations can’t sneak a peek. Also gaining ground are private search engines; some pull results from “the big guys” and some use their own algorithms but none of them record anything about what you’re looking for, how you’re looking for it or why you care. Sure, it might mean fewer targeted results but for many that’s a small price to pay for data security. So what are some of the most popular no-track engines?

DuckDuckGo

This one started up in 2007 with a *** mandate: “to give you great search results without tracking you.” DuckDuckGo uses a custom-designed algorithm to deliver answers and allows you to modify their search interface to suit your needs. The company also says that they “don’t collect any personal information and therefore, have none to share.” A community-based model helps drive improved service and translate answers into other languages. While privacy is never an issue for DuckDuckGo users, some forum-goers report slower than average search result times, but praise the engine’s overall flexibility.

Ixquick

One of the most popular no-track search engines, Ixquick began crawling the Web in 1998. It does not collect IP addresses or cookies, never collects personal data and offers a free proxy service to anonymously browse websites. The service creates custom search results by leveraging the power of popular search engines “simultaneously and anonymously.” Ixquick offers three key features: Advanced search, global search and power search. Advanced search allows users to define their search methods (Boolean, phrases, wildcard), and then sends the query to matching search engines. Global search provides access to worldwide search engines and in other languages, while power search refinement lets you find similar answers or ignore similar results based on your specific needs.

Ixquick also boasts the unique function of having a ‘proxy’ button underneath each search result. This allows the user to access the page via proxy, preserving the user’s privacy. Obviously this means that Ixquick will have to retrieve the page first, slowing down the user experience – but if privacy is your main concern, waiting a couple of seconds won’t hurt.

We at ExpressVNP couldn’t recommend Ixquick enough; we like the homepage function of being able to add the search engine as a Chrome plugin.

StartPage

StartPage is another search engine from Ixquick, but one that focuses on Google results specifically. This is no surprise — according to Search Engine Land, Google gets 67.5 percent of US search traffic. StartPage grabs the best Google results for your search but without disclosing any of your personal information. In addition, the service offers a URL generator which eliminates the need for cookies to remember your browser settings. In effect, it’s a private search engine for those who like Google results but take issue with their reach.

Want results without the privacy risk? Try a private service like DuckDuckGo, Ixquick or StartPage and make sure that as you stare into the search engine abyss, it doesn’t stare back.


ExpressVNP celebrates Data Privacy Day 2015


January 28 2015 is Data Privacy Day, an international effort spearheaded by staysafeonline.org to help promote the effort of “Respecting Privacy, Safeguarding Data and Enabling Trust.” It began in the US and Canada in 2008 and has since grown into an awareness day celebrated worldwide.

We at ExpressVNP are proud to take part in this event, as we firmly believe that every individual has the right to privacy. We are concerned by the sheer amount of your personal data that third parties have access to, and the increasing ease with which they are accessing it. Therefore events like Data Privacy Day are essential, helping to promote and raise the awareness needed to educate people on the issues involved with your data privacy.

What are the goals of Data Privacy Day?

  • Educate consumers on how their personal information can be breached, and raise awareness on the risks of sharing personal information.
  • Empower consumers to raise their expectations of how third parties ought to use and manage their personal data.
  • Equip consumers with the skills to actively manage their online lives with ***, concrete tips for safeguarding their online security and privacy. Improve consumer awareness of the implications of invasion of privacy.
  • Encourage businesses and corporations to be transparent about how they collect, maintain, and use our personal data, and to effectively communicate all privacy and security controls available to consumers.

What is Data Privacy?

Data privacy is about your freedom to control who has access to your personal information, ideas, and activities on the Internet. Despite the fact that so much of our day-to-day activity takes place on the web, some of us rarely pause to consider that third-party entities might have access to our data, and that they might be using this data for profit.

When you browse online, you are providing third-party agencies around the world the necessary data to monitor your online actions and browsing habits. This means that anything you read or look at will be analyzed to build up a profile of you based on your IP address, your browser, your browsing device, your location, and so on. Companies use this data as they please, most commonly for marketing purposes, or for selling products to you. For example, a Wall Street Journal article details how Orbitz was showing Mac users pricier hotel options than Windows users.

As Internet users, we have the right to demand that our privacy is ours, and ours alone. We demand that third parties do not have the right to snoop and withdraw our data without our consent.

  • Learn what Cookies and Behavioural Tracking are with this video by the Wall Street Journal, as well as our own guide on what metadata is. You can also read how you can opt out of online behavioral advertising with the Network Advertising Initiative (NAI).
  • The Health Insurance Portability and Accountability Act of 1996 is fundamental to Health Privacy. It acts to protect the privacy of individually identifiable health information. Read more about this here, and here.
  • Identity Theft is a form of stealing, in which a fraudster obtains personal information about a specific individual and passes it off as their own. Obtained information could be anything from information you mention about yourself on social media sites, to stealing credit card numbers and passwords in order to commit on and offline crimes.
  • With mobile internet increasing rapidly, the need for better education on mobile safety tips is paramount. With the amount of downloadable apps now available, Data Privacy Day aims to help educate users on how apps use your personal privacy.
  • Online Services – Banking, Dating and General Guidelines – Internet shopping is increasingly popular, but that also means more websites which accept credit card information. Be careful about where you upload financial data as unsecure websites could potentially steal and misuse your financial data. Staysafeonline.org have some great information in their privacy library.
  • Student Privacy – The Family Educational Rights and Privacy Act (FERPA) is the primary federal law which deals with education privacy. You can access this toolkit for an in-depth and step by step guide for Family Education Rights and Privacy.

Data Privacy & You

Data privacy affects everyone. Have you ever wondered why certain ads follow you around the Internet? Every time you visit a website, it creates a cookie in your browser. These cookies indicate to Internet marketers that you are interested in a certain product, which triggers them to push the product out to you more rigorously. (You can clear cookies from your browser settings to keep the pesky ads at bay!)

How to protect your data privacy

  1. Use strong passwords for your email, forums, and all social media accounts you use
  2. Stay safe from spyware threats and regularly monitor your machine for threats
  3. Keep your operating systems and vulnerable applications up to date
  4. Don’t turn off your User Account Control
  5. Go online with a non-monitoring secure browser like DuckDuckGo
  6. Don’t trust public WiFi networks, e.g. those found in coffee shops
  7. Don’t click on random links and be careful of links in email attachments
  8. Always log out of accounts
  9. Be careful of information you share on social media accounts
  10. Don’t enter sensitive information into any unsecure URL (i.e. one that doesn’t use HTTPS)

More privacy tips from StaySafeOnline.org

  • Be careful with what personal information you share online. Many apps and websites require you to enter your personal information when you sign up for their services. When you enter information like your date of birth, address, and other personal details, remember that you can never know for sure who can see it.
  • Make your profile private. Many social media sites and platforms have privacy options that let you determine what aspects of your profile are visible to the public. Take advantage of these to control what the general public can and cannot see about you!
  • Be aware of who can see your posts. It’s fun to share status updates, photos, and videos with your friends. But who else can see the things you post on social media? Be aware of who can see your stuff, and adjust the privacy settings of your posts if you’re not comfortable with your friends’ friends knowing where you went for dinner last night.
  • Use the Golden Rule. Treat others as you would like others to treat you. In other words, don’t post things about a friend that you wouldn’t want them to post about you — like their address, the name of their workplace, or an unflattering photo of them sleeping.
  • Think before you post. Whenever you’re about to share something on social media, consider that once something goes up on the Internet, it’s there indefinitely. Even if you delete it!
  • Use 2-step verification. Nowadays one password isn’t enough to protect your online accounts. Keep bad guys out with 2-step verification.

Data Privacy & The Law

So how far should privacy be taken?

In May 2014, it was reported that some of the world’s top security experts and researchers had been threatened and accused for their role in exposing vulnerabilities in Internet infrastructure. These Internet experts had used their hacking skills to expose security flaws with the intention of fixing them before black-hat hackers could exploit the vulnerabilities they had identified.

Problem is, the US Computer and Fraud Act outlaws any sort of hacking, loosely defined as the act of breaking into a private network or system.

Hacking is not always nefarious. For example, by hacking private computers, the Critical.IO project uncovered — and fixed — a weakness in the UPnP protocol that put up to 50 million computers at risk.

There is thus a growing consensus that cybercrime laws should consider the intent behind hacking, and not just the act itself.

This raises the question: what will happen to Internet privacy in the future? As the world becomes more connected, and more and more devices and household goods require personal information, the Internet of Things could potentially put your whole identity online.

Join us! Get involved in Data Privacy Day!

If you’re concerned about data privacy, whether it be for yourself, your children, or your company, there are many ways you can participate and spread the message — not just on Data Privacy Day 2015, but all the time.

Social Media Security

Get the message out there! Post about Data Privacy Day and spread the word to your friends and family. You can also like the Data Privacy Day Facebook Page and Twitter account.

Once you have liked the page, go and like our ExpressVNP page or follow us on Twitter, where we regularly post about data privacy and Internet security issues. When you post, remember to use the official Data Privacy Day logo and banners!

Tell Your Loved Ones!

Send emails to friends and family letting them know about the importance of data privacy.

Tell your family members, your boss and your colleagues, and spread the word about how to keep your privacy.

You can also download the Data Privacy Day promotional material, print it out and display it in your office or at home.

As a company, ExpressVNP strives to be at the forefront of data privacy. We believe it is our duty to make data-privacy education accessible to the masses, and we are committed to promoting data-privacy initiatives on an ongoing basis.

ExpressVNP agrees with DPD that every individual needs to know about their data privacy rights and that the Internet should not turn into a wild west where everything is moderated and all forms of data are collected, creating a nanny state.

We use the Internet to do all kinds of marvelous things: keep in touch with loved ones, run our businesses, handle transactions, and build communities. Let’s do our part to make it a safe and secure space for everybody!


Danger calling: Is BYOD worth the risk?

ExpressVNP

More than half of employees worldwide bring a personal mobile device to work. That’s the word from CIO, which notes that while adoption varies by region and country, there’s a common theme: users aren’t afraid to bring devices with or without management’s approval.

But BYOD is the wave of the future, right? That’s the hype, and many businesses have fully embraced this bring-your-own culture. Others are more reticent, and perhaps with good reason: here’s a quick look at the real risks of going BYOD.

You’re Using What?

The most obvious risk of BYOD? Foreign devices in the workplace, each with its own operating system, network settings and user controls. While it’s nice to think that all users will opt for the latest technology and secure their devices by immediately downloading the latest patches for their apps and OS, that’s not always the case. Companies are often tasked with managing a host of devices both new and not-so-new, in addition to handling staff whose technical proficiency varies widely. The result is a kind of “Wild West” environment where users bring whatever they want and IT sheriffs may be left chasing tumbleweeds.

Full Service

According to David Cripps, CSO of financial firm Investec, one of the biggest risks of BYOD adoption stems from cloud services. Consider this: While Cripps found that his company had signed up for 15 “official” cloud services that were vetted by IT staff and approved by management, the actual number in use was “a lot higher.”

Why? Because BYOD users were quick to leverage the applications and services they preferred to get their jobs done, rather than those given the green light by higher-ups. Unfortunately, many of these publicly available services lack any kind of basic security controls; Cripps notes that “of the 3,000 or so cloud services out there, only five percent have ISO certification and only 10 percent allow some sort of two-factor authentication.” And since they’re being used on corporate networks, there’s a real risk of data compromise or loss.

So what’s driving this kind of reckless consumption? The democratization of technology gets most of the blame: users are now able to access high-powered cloud services and applications that require virtually no technical expertise or prior knowledge. While this is great for workplace productivity it also leads to a false sense of security — that services are safe because they’re “only” on a smartphone or come from a legitimate app store. Unfortunately, that’s not always the case.

Evolution of the Device

And there’s more; as noted by First Post, the evolving Internet of Things (IoT) adds an entirely new category of devices to the mix, all with their own network addresses and access to critical corporate functions. Consider the recent Backoff POS malware by way of example — this malicious code wormed into company systems by using point-of-sale terminals peripherally attached to critical network systems. Right now, device security isn’t up to snuff for smartphones and tablets. IoT devices only compound the problem.

Best Practices

So how do you manage devices in the workplace? One option is to ban them altogether or assign a specific smartphone vendor for the entire organization, but this often causes more problems than it solves. Mobile Enterprise outlines several best practices for handling BYOD, including the development of a use policy that includes standards for users along with consequences for misuse. In addition, it’s important to provide ongoing support for all mobile devices regardless of type or age. Skip this step at your own peril — an unsupported device is a vulnerable device.

Two other steps are also critical: embracing shadow IT and protecting your network at large. Shadow IT — the network of end users who leverage any service or app they want — should be encouraged to come forward so their choices can be made more secure, rather than so they can be punished. This is the old “can’t beat ’em, join ’em” argument: better to know what’s going on than be kept in the dark. And while you’re at it, consider leveraging our secure VPN service to keep network traffic obscured from wandering eyes. This helps control accidental exposure, since even if an employee is using an unapproved service or sending something they shouldn’t, no one outside your company needs to know and you get time to track down the problem.

Is BYOD risky? Absolutely. Is it inevitable? Probably. Best bet? Get up to speed on what’s at stake, then take steps to mitigate potential damage. Danger is calling, but at least you can make it call collect.
