FaceApp is in the news again, and as before, not for a good reason.
Several months ago, watchdog groups around the world sounded the alarm about the Russian-made app, which raised curious eyebrows.
It just takes a photo you upload to it and ages you, what's the harm in that?
According to the FBI, quite a bit, actually. The FBI has been quietly investigating the app. They have concluded that considering its ties to Russia, it poses a potential counterintelligence threat, given the data it collects and the policies surrounding them.
It is easy to see where the concerns stem from. According to the app's terms of service, any photos uploaded to the server for 'agification' become the property of the owners of the app. They can do whatever they want with them.
Ostensibly this clause was included to allow the development team to use altered photos as part of their ongoing marketing campaign, designed to push the app onto even more devices. However, given the conclusion of Intelligence Agencies around the world that Russia meddled in the 2016 US elections, this can be a big problem. The TOS could clearly and easily be abused to serve political ends.
Part of the FBI's recent published notice about the app reads as follows:
"If the FBI assesses that elected officials, candidates, political campaigns, or political parties are targets of foreign influence operations involving FaceApp, the FBI would coordinate notifications, investigate and engage the Foreign Influence Task Force as appropriate."
With the 2020 election cycle beginning to heat up in the US, tensions are running high and apps like this one are facing understandably increased scrutiny. While it's true that simply being an active participant on social media poses more risk to the average user, the concerns here certainly seem justified. If you haven't downloaded the app yet, it bears thinking about before you take the plunge.
There's a war on Thanksgiving and Christmas, but it's taking a very different form than what commonly gets reported in the news media.
This war is being waged by hackers and scammers, and they're waging it by poisoning Holiday eCards designed to facilitate the distribution of malware.
BleepingComputer discovered the trend, noting an uptick of emails bearing headings like "You Have Received a Thanksgiving Day Greeting Card!"
Inside these emails, recipients find a word file bearing titles like "Thanksgiving-eCard.doc," with the body of the email providing helpful instructions.
All the user must do to see their eCard is open the doc and click the enable content button. Of course, doing so doesn't display an eCard at all, but rather, installs whatever malware the email sender has decided to embed.
The Holidays are a time when everybody tends to let down their guard. After all, who doesn't enjoy getting fun, festive cards? That's exactly what the hackers are relying on. It's a clever bit of social engineering that has been finding success, which is only encouraging the hackers to employ the strategy even more.
Even if you haven't received an email like this, it's likely that you know someone who has. Spread the word so more people are aware of the threat. It's such a shame that things like this are a reality that dampens the spirit of the season, but that's the reality. The more people we can alert to the dangers, the smaller the impact will be.
Stay on your guard, let all your employees know, and keep a watchful eye out. As ever, the best defense is vigilance. Don't open emails from people you don't know, and certainly don't open any attachments that may be embedded in those emails. That's the key to having a hassle-free Holiday season this year.
Recently, the Magento Marketplace was acquired by Adobe and suffered a breach that exposed a limited amount of user data to an unknown third party.
When Adobe discovered evidence of the breach, they temporarily shut the marketplace down so they could assess the extent of the breach. It has subsequently been reopened.
If you're not familiar with Magento, it is an online repository where users can find extensions, both paid and free, that enhance the capabilities of the e-commerce platform the company is known for.
The investigation into the breach is ongoing. At this point, the company can confirm that the exposed information included MageID, billing and shipping addresses, phone numbers, user names and email addresses. Also exposed were the percentages paid to developers who host their extensions on the marketplace.
The company stresses that passwords, payment card information and other detailed financial information was not exposed. They also report that the security issues that made the breach possible have been corrected.
If your data was compromised, you should have already received a notification from Magento. The company did not reveal how many users were impacted overall. Although that information may be made available as the investigation into the matter continues.
Since the company confirmed that no passwords were stolen, there's really nothing for you to do if you use the marketplace. As a precaution, however, you may want to change your password just to be safe.
Overall, Adobe and Magento's handling of the issue has been good, but this has sadly become standard fare. A company makes a misstep. Hackers take advantage. Users pay the price. Company apologizes, and then we get a new headline the following week about it happening somewhere else. Stay vigilant. It's your best defense against these kinds of issues, which seem to be increasing in their frequency.
The 2019 Holiday Season is officially upon us, and unfortunately, that means that scammers around the world are ramping up for another busy season.
Deals are abound on Black Friday and Cyber Monday. Sadly, those two big shopping days mark the beginning of a mad sprint to push out as many shopping-related scams as possible.
Researchers at ZeroFOX have been monitoring the online retail landscape and have identified more than 60,000 potential scams, most of them aimed at mundane product categories that are not categorized as luxury items. Among the most common scams on tap this year are fake promotions that promise gift cards, discounts that sound too good to be true, or coupons that promise a drastic price reduction on a popular holiday item.
As ever, the rule of thumb is this: If something seems too good to be true, it almost certainly is. It's also worth noting that your personal information is much more valuable than you've been conditioned to believe. Even if you feel as though you're being promised a fair deal in exchange for a raft of personal information, you almost certainly aren't.
Before you fill out the capture box and give away a wide range of details about yourself, stop and think. Ask how it might be used against you later on, and if it's worth the promise of (not guaranteed) the generous discount on a single consumer good you've got your eye on. If you stop to think about it in those terms, you'll find that the answer to that question is almost always a resounding no.
Be especially wary of any ad leveraging any of the following hashtags:
While many legitimate merchants use these, scammers know this and won't hesitate to leverage them this holiday season. Stay alert. Stay vigilant. Guard your data. Those are the keys to a safe holiday season this year.
Microsoft RDP has its share of problems.
That simple truth has sparked the rise of a number of open-source VNC (Virtual Network Computing) applications, which allow a user to remotely control another computer.
Regardless of which VNC solution you use, they all work pretty much the same way.
There's a "server component" which runs on the computer that shares its desktop. There is also a "client component" which runs on the computer that will access the share from a remote location.
There are a few VNC applications on the market compatible with every OS in use today. In the VNC ecosystem, the "Big Four" are LibVNC, UltraVNC, Tight VNC, and TurboVNC. Recently, researchers at Kaspersky Lab audited these four on a quest to discover how secure they were. Their findings were disappointing to say the least.
Overall, the researchers found a total of 37 serious flaws in the client and server portions of these four programs. 22 of them were found in UltraVNC, with another ten found in LibVNC, 4 in TightVNC, and one in TurboVNC, which looks to be the best of the bunch in terms of security.
The research team had this to say about their findings:
"All of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service - a relatively favorable outcome. In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim's system."
Although only one flaw was found in TurboVNC, it's a serious one that would allow a determined attacker to remotely execute code on the server side.
If there's a silver lining to the recent research it is the fact that Kaspersky notified the development teams of all four of the programs they audited. Also, all four have been patched and updated. If you use any of those, just make sure you're using the latest version and you can use them with confidence. Kudos to Kaspersky for their efforts, and to the developers to responding swiftly to the company's findings.