BlackBerry found that public services now rank as the second most targeted industry by threat actors

Read More

Farewell, summer. Hello, back-to-school season! While the chill may not be in the air yet, parents may be feeling the slight shiver of unease as their kids, tweens, teens, and young adults return to school and become re-entangled with the technology they use for their education and budding social lives. 

Before they hop on the bus or zoom off to college, alert your children to the following 10 online cybersecurity best practices to ensure a safe school year online. 

1. Keep Track of Mobile Devices

It sounds obvious but impart the importance to your kids of keeping their eyes on their devices at all times. Lost cellphones and laptops are not only expensive to replace but you lose control of the valuable personally identifiable information (PII) they contain. Protect all devices with unique, hard-to-guess passwords. Even better, enable biometric passwords, such as fingerprint or face ID. These are the hardest passwords to crack and can keep the information inside lost or stolen devices safe. 

2. Don’t Share Passwords

Streaming services host the most buzzworthy shows. All their friends may be raving about the latest episodes of a zombie thriller or sci-fi visual masterpiece, but alas: Your family doesn’t have a subscription to the streaming service. Cash-conscious college students especially may attempt to save money on streaming by sharing passwords to various platforms. Alert your children to the dangers of doing so. Sharing a password with a trusted best friend might not seem like a cyberthreat, but if they share it with a friend who then shares it with someone else who may not be so trustworthy, you just handed the keys to a criminal to walk right in and help themselves to your PII stored on the streaming service’s dashboard.     

Once the cybercriminal has your streaming service password, they may then attempt to use it to break into other sensitive online accounts. Criminals bank on people reusing the same passwords across various accounts. So, make sure that your children always keep their passwords to themselves and have unique passwords for every account. If they’re having a difficult time remembering dozens of passwords, sign them up for a password manager that can store passwords securely. 

3. Keep Some Details a Mystery on Social Media

Walk down any city or suburban street, and you’re likely to see at least one Gen Zer filming themselves doing the latest dance trend or taking carefully posed pictures with their friends to share on social media. According to one survey, 76% of Gen Zers use Instagram and 71% are on social media for three hours or more every day.1 And while they’re on social media, your children are likely posting details about their day. Some details – like what they ate for breakfast – are innocent. But when kids start posting pictures or details about where they go to school, where they practice sports, and geotagging their home addresses, this opens them up to identity fraud or stalking.  

Encourage your children to keep some personal details to themselves, especially their full names, full birthdates, address, and where they go to school. For their social media handles, suggest they go by a nickname and omit their birthyear. Also, it’s best practice to keep social media accounts set to private. If they have aspirations to become the internet’s next biggest influencer or video star, they can create a public account that’s sparse on the personal details. 

4. Say No to Cyberbullying

Cyberbullying is a major concern for school-age children and their parents. According to McAfee’s “Life Behind the Screens of Parents, Tweens, and Teens,” 57% of parents worry about cyberbullying and 47% of children are similarly uneasy about it. Globally, children as young as 10 years old have experienced cyberbullying.  

Remind your children that they should report any online interaction that makes them uncomfortable to an adult, whether that’s a teacher, a guidance counsellor, or a family member. Breaks from social media platforms are healthy, so consider having the whole family join in on a family-wide social media vacation. Instead of everyone scrolling on their phones on a weeknight, replace that time with a game night instead. 

5. Learning and Failing Is Always Better Than Cheating

ChatGPT is all the rage, and procrastinators are rejoicing. Now, instead of spending hours writing essays, students can ask artificial intelligence to compose it for them. ChatGPT is just the latest tool corner-cutters are adding to their toolbelt. Now that most kids, tweens, and teens have cellphones in their pockets, that means they also basically have cheating devices under their desks. 

To deter cheating, parents should consider lessening the pressure upon their kids to receive a good grade at any cost. School is all about learning, and the more a student cheats, the less they learn. Lessons often build off previous units, so if a student cheats on one test, future learning is built upon a shaky foundation of previous knowledge. Also, students should be careful about using AI as a background research tool, as it isn’t always accurate. 

6. Phishing

Phishing happens to just about everyone with an email address, social media account, or mobile phone. Cybercriminals impersonate businesses, authority figures, or people in dire straits to gain financially from unsuspecting targets. While an adult who carefully reads their online correspondences can often pick out a phisher from a legitimate sender, tweens and teens who rush through messages and don’t notice the tell-tale signs could fall for a phisher and give up their valuable PII.  

Pass these rules onto your students to help them avoid falling for phishing scams: 

Never share your passwords with anyone. 
Never write down your Social Security Number or routing number or share it via email. 
Be careful of electronic correspondences that inspire strong feelings like excitement, anger, stress, or sadness and require “urgent” responses.  
Beware of messages with typos, grammar mistakes, or choppy writing (which is characteristic of AI-written messages). 

7. Social Engineering

Social engineering is similar to phishing in that it is a scheme where a cybercriminal ekes valuable PII from people on social media and uses it to impersonate them elsewhere or gain financially. Social engineers peruse public profiles and create scams targeted specifically to their target’s interests and background. For instance, if they see a person loves their dog, the criminal may fabricate a dog rescue fundraiser to steal their credit card information. 

It’s important to alert your children (and remind your college-age young adults) to be on the lookout for people online who do not have pure intentions. It’s safest to deal with any stranger online with a hefty dose of skepticism. If their heartstrings are truly tugged by a story they see online, they should consider researching and donating their money or time to a well-known organization that does similar work. 

8. Fake News

With an election on the horizon, there will probably be an uptick in false new reports. Fake news spreaders are likely to employ AI art, deepfake, and ChatGPT-written “news” articles to support their sensationalist claims. Alert your students – especially teens and young adults who may be interested in politics – to be on the lookout for fake news. Impart the importance of not sharing fake news with their online followings, even if they’re poking fun at how ridiculous the report is. All it takes is for one person to believe it, spread it to their network, and the fake news proponents slowly gather their own following. Fake news turns dangerous when it incites a mob mentality. 

To identify fake news, first, read the report. Does it sound completely outlandish? Are the accompanying images hard to believe? Then, see if any other news outlet has reported a similar story. Genuine news is rarely isolated to one outlet.   

Parents with students who have a budding interest in current events should share a few vetted online news sources that are well-established and revered for their trustworthiness. 

9. Browse Safely

In a quest for free shows, movies, video games, and knockoff software, students are likely to land on at least one risky website. Downloading free media onto a device from a risky site can turn costly very quickly, as malware often lurks on files. Once the malware infects a device, it can hijack the device’s computing power for the cybercriminal’s other endeavors or the malware could log keystrokes and steal passwords and other sensitive information. 

With the threat of malware swirling, it’s key to share safe downloading best practices with your student. A safe browsing extension, like McAfee Web Advisor, alerts you when you’re entering a risky site where malware and other shifty online schemes may be hiding. 

10. Stay Secure on Unsecure Public Wi-Fi

Dorms, university libraries, campus cafes, and class buildings all likely have their own Wi-Fi networks. While school networks may include some protection from outside cybercriminals, networks that you share with hundreds or thousands of people are susceptible to digital eavesdropping.   

To protect connected devices and the important information they house, connect to a virtual private network (VPN) whenever you’re not 100% certain of a Wi-Fi’s safety. VPNs are quick and easy to connect to, and they don’t slow down your device.  

Gear Up for a Safe School Year 

While diligence and good cyber habits can lessen the impact of many of these 10 threats, a cybersecurity protection service gives parents and their students valuable peace of mind that their devices and online privacy are safe. McAfee+ Ultimate Family Plan is the all-in-one device, privacy, and identity protection service that allows the whole family to live confidently online.  

1Morning Consult, “Gen Z Is Extremely Online”  

The post 10 Back-to-School Tech Tips for Kids, Teens and College Students appeared first on McAfee Blog.

Read More

Menlo Security co-founder highlights the challenge relating to web browser security and how to overcome them

Read More

Carole takes us into the sinister side of Barbie, while Graham describes a stalkerware operation that has been spilling its secrets.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Read More

Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

At issue is a mobile malware obfuscation method identified by researchers at ThreatFabric, a security firm based in Amsterdam. Aleksandr Eremin, a senior malware analyst at the company, told KrebsOnSecurity they recently encountered a number of mobile banking trojans abusing a bug present in all Android OS versions that involves corrupting components of an app so that its new evil bits will be ignored as invalid by popular mobile security scanning tools, while the app as a whole gets accepted as valid by Android OS and successfully installed.

“There is malware that is patching the .apk file [the app installation file], so that the platform is still treating it as valid and runs all the malicious actions it’s designed to do, while at the same time a lot of tools designed to unpack and decompile these apps fail to process the code,” Eremin explained.

Eremin said ThreatFabric has seen this malware obfuscation method used a few times in the past, but in April 2023 it started finding many more variants of known mobile malware families leveraging it for stealth. The company has since attributed this increase to a semi-automated malware-as-a-service offering in the cybercrime underground that will obfuscate or “crypt” malicious mobile apps for a fee.

Eremin said Google flagged their initial May 9, 2023 report as “high” severity. More recently, Google awarded them a $5,000 bug bounty, even though it did not technically classify their finding as a security vulnerability.

“This was a unique situation in which the reported issue was not classified as a vulnerability and did not impact the Android Open Source Project (AOSP), but did result in an update to our malware detection mechanisms for apps that might try to abuse this issue,” Google said in a written statement.

Google also acknowledged that some of the tools it makes available to developers — including APK Analyzer — currently fail to parse such malicious applications and treat them as invalid, while still allowing them to be installed on user devices.

“We are investigating possible fixes for developer tools and plan to update our documentation accordingly,” Google’s statement continued.

According to ThreatFabric, there are a few telltale signs that app analyzers can look for that may indicate a malicious app is abusing the weakness to masquerade as benign. For starters, they found that apps modified in this way have Android Manifest files that contain newer timestamps than the rest of the files in the software package.

More critically, the Manifest file itself will be changed so that the number of “strings” — plain text in the code, such as comments — specified as present in the app does match the actual number of strings in the software.

One of the mobile malware families known to be abusing this obfuscation method has been dubbed Anatsa, which is a sophisticated Android-based banking trojan that typically is disguised as a harmless application for managing files. Last month, ThreatFabric detailed how the crooks behind Anatsa will purchase older, abandoned file managing apps, or create their own and let the apps build up a considerable user base before updating them with malicious components.

ThreatFabric says Anatsa poses as PDF viewers and other file managing applications because these types of apps already have advanced permissions to remove or modify other files on the host device. The company estimates the people behind Anatsa have delivered more than 30,000 installations of their banking trojan via ongoing Google Play Store malware campaigns.

Google has come under fire in recent months for failing to more proactively police its Play Store for malicious apps, or for once-legitimate applications that later go rogue. This May 2023 story from Ars Technica about a formerly benign screen recording app that turned malicious after garnering 50,000 users notes that Google doesn’t comment when malware is discovered on its platform, beyond thanking the outside researchers who found it and saying the company removes malware as soon as it learns of it.

“The company has never explained what causes its own researchers and automated scanning process to miss malicious apps discovered by outsiders,” Ars’ Dan Goodin wrote. “Google has also been reluctant to actively notify Play users once it learns they were infected by apps promoted and made available by its own service.”

The Ars story mentions one potentially positive change by Google of late: A preventive measure available in Android versions 11 and higher that implements “app hibernation,” which puts apps that have been dormant into a hibernation state that removes their previously granted runtime permissions.

Read More