IT NEWS

TikTok, the now widely popular social media platform that allows users to create, share, and discover, amateur short clips—usually something akin to music videos—has been enjoying explosive growth since it appeared in 2017. Since then, it hasn’t stopped growing—more so during the current pandemic. Although the latest statistics continue to show that in the US the single biggest age group (32.5 percent, at the time of writing) is users between 10 and 19 years of age, older users (aged 25 to 34 years) in countries like China, Indonesia, Malaysia, Saudi Arabia, and the UAE are quickly overtaking their younger counterparts.

Suffice to say, we can no longer categorize TikTok as a “kids’ app”.

This, of course, further enforces the many concerns parents already have about the app. We’re not even talking about the possibilities of young children, tweens, and teens seeing dangerous challenges and trends, or pre-teens lip-synching to songs that make grown up eyes go wide, or watching some generally inappropriate content. We’re talking about potential predators befriending your child, cyberbullies who are capable of following targeted kids from one social media platform to another, and a stream of unrestricted content from users they don’t even follow, or aren’t even friends with.

Limitations and guardrails

Eric Han, TikTok’s Head of Safety in the US, announced last week that all registered accounts of users aged 13 to 15 years have been set to private. This means that people who want to follow those accounts need to be pre-approved first, before they can see a user’s videos. It’s a way for TikTok to give tweens an opportunity to make informed choices about who they welcome into their account.

Furthermore, TikTok will be rolling out more changes and adjustments, such as:

• Limitations to video commenting. Users within this age group will be able to decide whether they want their friends, or no one, to comment. Currently, anyone can comment, by default.
• Limitations to availability of Duet and Stitch. In September last year, TikTok introduced two editing tools: Duet and Stitch. These were made available only to users ages 16 years and above. TikTok also limited the use of video clips to Friends only, among 16 to 17-year-old users.
• Limitations to video downloads. Users ages 16 years and above only can download content within TikTok’s app. This feature is turned off by default for users ages 16 to 17, but they have the option to enable it.

Read: TikTok is being discouraged and the app may be banned

• Limitations to suggested accounts. Users who are 16 years and under are not allowed to suggest their TikTok account to others.
• Limitations to direct messaging and live streaming. Users who are 16 years and under are not allowed to live stream, and can’t be messaged privately by anyone.
• Limitations in virtual gifting. Only users who are 18 years and over can purchase, send, and receive virtual gifts.

Growing pains

This isn’t the first time TikTok has tried to prove that they’re serious about making and implementing such changes for the benefit of their userbase. Here is a rundown of the social media platform’s security and privacy growth and challenges from a couple of years back.

• After making a $5.7 million USD settlement with the Federal Trade Commission (FTC) in 2019, for violating the Children’s Online Privacy Protection Act by failing to seek parental consent for users under the age of 13, TikTok had set out to delete profiles of users who are within this age bracket.
• TikTok introduced account linking for parents and/or guardians in April 2019. Called Family Pairing, responsible grown-ups are now equipped to connect their TikTok accounts with their teen’s, enabling them to remotely modify settings of their accounts.
• In December 2019, TikTok teamed up with Family Online Safety Institute (FOSI) to host internet safety seminars. Its aim was “to help parents better understand the tools and controls they have to navigate the digital environment and the resources FOSI offers through its Good Digital Parenting initiative.”
• In January 2020, TikTok updated their community guidelines, to clarify how it moderates harmful or unsafe content. It said it wanted to “maintain a supportive and welcoming environment”, so that “users feel comfortable expressing themselves openly”.
• In February 2020, the company partnered with popular content creators in the US, to create videos reminding users to, essentially, stop scrolling their phone and take a break—in true TikTok fashion. This is part of their “You’re in Control” initiative, a user-centric series of videos that tries to informs users of TikTok’s “safety features and best practices”.
• At the same time, TikTok was also trying to curb online misinformation, (which is rampant on social media platforms), by working with third-party fact checking and media literacy organizations, such as the Poynter Institute.

Are TikTok’s changes enough?

Tools provided by social media platforms like TikTok can be helpful and useful. However, these companies can only do so much for their users. Parents and/or guardians should never expect their child’s favorite social network to do all the heavy lifting when it comes to keeping young users safe. More than anything, grown-ups should be more involved in their children’s digital lives. Not just as an observer, but by being an active participant in one form or another.

There is no substitute for educating yourself about social media. Look into the pros and cons of using it, and then educate your kids about it.

Tell them it’s okay to say “no”, to not follow the herd, that although something may look fun and cool, to stop and think about it first before reacting (or doing).

Everything starts in the home. Choosing security and privacy is no different. You are their first line of defense, not those default settings. So, let’s take up that mantle, and be one.

The post Are TikTok’s new settings enough to keep kids safe? appeared first on Malwarebytes Labs.

A common sentiment, shared by many people down the years, is that storing passwords in browsers is a bad idea. Malware, for example, would specifically target password storage in browsers and plunder everything in sight.

Password managers weren’t exactly flying off the shelves back in 2007, your only real options were home grown. People ended up saving logins in all sorts of odd places: Text files, email accounts…you name it. Naturally, security-minded folks gravitated towards saving passwords in browsers, because what else were they going to do?

The browser password wars

Even just 8 years ago, it was still a hotly contested debate. The problem then was that passwords were stored in plain text. They aren’t now, but if the device you’re using is compromised it doesn’t matter. Malware files can decrypt your passwords, or wait for you to do it. So, no matter how recently you look, many of the same threats still exist for browser passwords. And new ones emerge, like the rogue advertisers trying to grab autofill data.

Let’s be clear: things are better now for passwords in browsers than they used to be. Even something as basic as having to enter your Windows password to view or copy saved passwords is reassuring. Making use of encryption, instead of leaving data lying around in plaintext, is excellent. Browsers taking things one step beyond simply storing, and checking for stolen passwords is great. Real time phishing protection is the icing on an ever-growing cake.

With that in mind, Chrome continues to make inroads in the name of beefing up browser password safety.

Weak password? Chrome 88 can help

Beginning with Chrome version 88, you can now check for weak passwords (open Settings and search for “Passwords”) and alter them on the fly, with just a few clicks. The “Change password” button doesn’t alter anything inside the browser, which may disappoint. It simply takes you to the site where you use that feeble password. At this point, you’ll have to manually alter the details. The browser should then detect you’ve altered the password and update its password database, as it normally would.

If you really want to know what the stored password is but can’t remember it, you’ll need your Windows login, as mentioned earlier.

There’s not a huge amount to add about this new feature, as it is indeed incredibly simple to use. A list of all your potentially weak passwords is displayed, and off you go to fix them all. This is to its benefit. It’s easy to get bogged down in password minutiae and end up not bothering.

You don’t need bells and whistles while looking for weak passwords. You just want a list of sites, and to be told where there’s a problem. In this regard, the new functionality more than delivers.

Browser or password manager?

Having said all of that…you may still wish to ignore all the above and stick with a dedicated password manager. No matter what password features are added to browsers, some folks will never want anything to do with that. There are a wealth of choices available. Totally offline, or online functionality: the choice really is yours. I’d be surprised if there isn’t something for everyone in the options available. But if you really don’t want a password manager, then browsers are a better solution than nothing at all.

Do you prefer to keep all your tools in the browser basket, or cast passwords away into dedicated password managers? Either way, we wish you many years of secure password management to come.

The post Chrome wants to make your passwords stronger appeared first on Malwarebytes Labs.

The research team at JSOF found seven vulnerabilities in dnsmasq and have dubbed them DNSpooq, collectively. Now, some of you may shrug and move on, probably because you haven’t heard of dnsmasq before. Well, before you go, you should know that dnsmasq is used in a wide variety of phones, routers, and other network devices, besides some Linux distributions like Red-Hat. And that’s just a selection of what may be affected.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerabilities disclosed by the JSOF team have been listed as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686 and CVE-2020-25681.

What is DNSpooq?

DNSpooq is the name the researchers gave to a collection of seven vulnerabilities they found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and so far JSOF has identified approximately 40 vendors that use it in their products, as well as some major Linux distributions. DNSpooq includes some DNS cache poisoning vulnerabilities, and buffer overflow vulnerabilities that could potentially be used to achieve remote code execution (RCE).

Domain Name System (DNS) is an internet protocol that translates user-friendly, readable URLs, such as malwarebytes.com, to their numeric IP addresses, allowing the computer to identify a server without the user having to remember and input its actual IP address. Basically, you could say DNS is the phonebook of the internet. DNS name resolution is a complex process that can be interfered with at many levels.

Dnsmasq (short for DNS masquerade) is free software that can be used for DNS forwarding and caching, and DHCP services. It is intended for smaller networks and can run under Linux, macOS, and Android. In essence, dnsmasq accepts DNS queries and either answers them from a local cache or forwards them to an actual DNS server.

What is DNS cache poisoning?

If you have ever moved your website to a different server, you will have noticed how long it can take before everyone actually lands on the new IP address. This happens because DNS records are normally cached in a number of different places, for performance. Records can be cached in your browser, by your operating system, on your network, by your ISP, and so on. When a cache entry expires it will update from the next upstream cache. Because of this, it can take a while for new records to get updated in all the places they’re stored. This phenomenon is referred to as DNS propagation.

If false information is added to a compromised DNS cache, that information can spread downstream to other caches. This method of providing a false IP address is called DNS cache poisoning. Cache poisoning can be done at all levels, local, router and even at the DNS server level.

What is a buffer overflow?

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches an address boundary and writes into an adjacent memory region. Buffer overflows can be used to overwrite useful data, cause network crashes, or replace memory with arbitrary code that the instruction pointer later executes. In that last case it may offer an opportunity for RCE.

Who should worry?

JSOF has identified over 40 companies and respective products they believe are using dnsmasq. You can find a complete list on their website about DNSpooq, under Vendors. Some names worth mentioning: Asus, AT&T, Cisco, Dell, Google, Huawei, Linksys, Motorola, Netgear, Siemens, Ubiquiti, and Zyxel. Check out the list if you want to verify whether you are using one of the affected devices.

What can be done about DNSpooq?

For users of dnsmasq the quickest fix is to update it to version 2.83 or above.

In the long run it would be better for all of us if we started using a less vulnerable method than DNS, like DNSSEC, which protects against cache poisoning. Unfortunately is still not very widely deployed. Neither is HSTS, which is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks.

Stay safe, everyone!

Header image and research courtesy of JSOF

The post DNSpooq bugs haunt dnsmasq appeared first on Malwarebytes Labs.

Metadata, which gives background information on pieces of data, is typically hidden. It becomes a problem when accidentally revealed. Often tied to photography mishaps, it can be timestamps. It might be location. In some cases, it can be log analysis. Many tutorials exist to strip this information out. This is because it can reveal more than intended when it hits the public domain. Default settings are often to blame. For example, a mobile photography app or camera may embed GPS data by default.

Some people may find this useful; quite a few more may object to it as a creepy privacy invasion.

Well, that’s metadata. Now you have an idea what kind of things can lurk without knowledge. We can see what happens when we deliberately enable a data / tagging related function.

Watermarking: what’s the deal?

An interesting story has recently emerged on The Intercept, of voluntary data (in the form of watermarks) wrapped into Zoom recordings, which could cause headaches in unexpected ways. Watermarks aren’t hidden—they’re right there by design, if people choose to use them. And the visual side of this data is supposed to be viewable during the call.

The Intercept talks about accidental identity reveals, via data embedded into calls, in relation to the ever-present videoconferencing tool. You’d be forgiven for thinking the identity reveal referenced in the article had something to do with the watermarks, but no.

The reveal happened because someone recorded a video call and dropped it online, with participant’s faces on display. The people involved appear to be at least reasonably well known. The secret identity game was up regardless of what was under the hood.

Cause and effect

What the rest of the article is about, is theorising on the ways embedded metadata could cause issues for participants. Zoom allows for video and audio watermarking, with video of course being visual and so easier to spot. Video displays a portion of a user’s email address when someone is sharing their screen. Audio embeds the information of anyone recording the call into the audio, and Zoom lets you know who shared it. You must ask Zoom to do this, and the clip has to be more than 2 minutes in length.

Essentially, video watermarking is to help you know who is sharing and talking during the call. Audio watermarking is to allow you to figure out if someone is sharing without permission. The Intercept explores ways this could cause problems where confidentiality is a concern.

Some identity caveats

If Zoom content is shared online without permission, it may not matter much if revealing metadata is included, unless the video call is audio only. This is because people can be easy to identify visually. Is a public figure of some sort involved? The game is already lost. If they’re not normally a public facing persona, people could still find them via reverse image search or other matching tools. And if they can’t, a well-known location, or a name-badge, could give them away. There are so many variables at work, only the participants may know for sure.

Hunting the leaker: does it matter?

While the other concern of identifying the leaker is still important, your mileage may vary in terms of how useful it is, versus how much of an inadvertent threat it presents. It’s possible the leaker may not care much if they’re revealed. They may have used a fake identity, or even compromised a legitimate account in order to do the leaking.

It’s also possible that someone with a grudge could leak something then pretend they’d been compromised. If this happened, would you have a way of being able to determine the truth of the matter? Or would you simply take their word for it?

Weighing up the risk

All good questions, and a valuable reminder to consider which videoconferencing tools you want to make use of. For some organisations and individuals, there’s a valid use for the metadata dropped into the files. For others, it might be safer on balance to leave them out. It might even be worth using a virtual background instead of something which reveals personal information. It might be worth asking if you even need video at all, depending on sensitivity of call.

The choice, as always, is yours.

The post Zoom watermarking: pros and cons appeared first on Malwarebytes Labs.

This is the story of a vulnerability that was brought about by the incorrect use of an encryption technique. After it was discovered by researchers, the vulnerability was patched and that should have been the end of the story. Unfortunately the patch caused problems of its own, which made it very unpopular. Cybercriminals seized the opportunity to use the vulnerability for their own purposes. This is the story of ZeroLogon.

What is ZeroLogon?

The ZeroLogon vulnerability was discovered by researchers at Secura and is listed in the Common Vulnerabilities and Exposures (CVE) database under CVE-2020-1472:

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.”

This vulnerability exploits a cryptographic flaw in Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC), which allows users to log on to servers that are using NTLM (NT LAN Manager). Researchers explained that the issue stems from the incorrect use of AES-CFB8 encryption, which requires randomly generated initialization vectors for each authentication message. Sadly, Windows didn’t take this requirement into consideration. An attacker can use zeros for the initialization vector, allowing them to take over a domain controller in a matter of seconds.

How bad is this vulnerability?

Very bad, is the short answer. ZeroLogon has been successfully weaponized by malware authors, who use it for the lateral infection of corporate endpoints. The sophisticated Trickbot Trojan uses ZeroLogon, which means that it can spread across a vulnerable network easily. Ryuk ransomware has also been seen using the ZeroLogon vulnerability.

Is there a patch?

Yes, but there’s a “but”. The vulnerability was actually patched in August 2020, and it wasn’t until a researcher published a report about the vulnerability in September that we started to see it used in malicious activity.

In late October, Microsoft warned that threat actors were actively exploiting systems that were unpatched against ZeroLogon privilege escalation.

In November Microsoft also added detection rules to Microsoft Defender to “detect adversaries as they try to exploit this vulnerability against your domain controllers.”

The general advice is to use Secure RPC to prevent these attacks. Secure RPC is an authentication method that authenticates both the host and the user who is making a request for a service. Secure RPC uses the Diffie-Hellman authentication mechanism, which uses DES encryption rather than AES-CFB8.

Why isn’t everything patched against ZeroLogon by now?

The problem with the patch is that it is not enough to update the server side (Domain Controller), because clients also need to be updated for the protocol to work. And even though Microsoft took care to issue patches for Windows devices, it didn’t provide a solution for legacy operating systems that are no longer supported, or for third-party products. This means that enforcing Secure RPC may break operations for these incompatible systems.

So, what’s next?

Now, Microsoft has announced that it will enforce the use of Secure RPC .

“beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default.  This will block vulnerable connections from non-compliant devices.  DC enforcement mode requires that all Windows and non-Windows devices use Secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”

Having read that you might be thinking: “But you said it might break incompatible systems!” True, so Microsoft has made a list of actions that will result in a detailed update plan.

The update plan outlined by Microsoft includes the following actions:

• UPDATE your Domain Controllers with an update released August 11, 2020 or later.
• FIND which devices are making vulnerable connections by monitoring event logs.
• ADDRESS non-compliant devices making vulnerable connections.
• ENABLE enforcement mode to address CVE-2020-1472 in your environment.

This probably means there is still no happy ending to this story. Addressing the non-complaint devices will not be as easy at it sounds, in many cases. In many cases it will end with sysadmins making an exception for such a device. It is advisable however to at least try and follow the steps. Because in the end it will pay off to remove (or at least limit) the vulnerable devices and machines on your network. The cybercriminals will not let go of this treasure so easily.

Stay safe, everyone!

The post The story of ZeroLogon appeared first on Malwarebytes Labs.

A nation state attack leveraging software from SolarWinds has caused a ripple effect throughout the security industry, impacting multiple organizations. We first reported on the event in our December 14 blog and notified our business customers using SolarWinds asking them to take precautionary measures.

While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

How did this impact Malwarebytes?

We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks.

We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.

Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use.

What we know: SolarWinds Attackers Also Target Administrative and Service Credentials

As the US Cybersecurity and Infrastructure Security Agency (CISA) stated, the adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials.

In 2019, a security researcher exposed a flaw with Azure Active Directory where one could escalate privileges by assigning credentials to applications. In September 2019, he found that the vulnerability still existed and essentially lead to backdoor access to principals’ credentials into Microsoft Graph and Azure AD Graph.

Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant. A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials. In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.

For many organizations, securing Azure tenants may be a challenging task, especially when dealing with third-party applications or resellers. CrowdStrike has released a tool to help companies identify and mitigate risks in Azure Active Directory.

Coming together as an industry

While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets. It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.

We would like to thank the security community, particularly FireEye, CrowdStrike, and Microsoft for sharing so many details regarding this attack. In an already difficult year, security practitioners and incident responders responded to the call of duty and worked throughout the holiday season, including our own dedicated employees. The security industry is full of exceptional people who are tirelessly defending others, and today it is strikingly evident just how essential our work is moving forward.

Update: Clarified statement about “Azure Active Directory weakness”.

The post Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we looked at IoT problems, Microsoft’s Patch Tuesday, and how cybercriminals want access to your cloud services. We also explored how VPNs can protect your privacy, and asked if MSPs have picked the right PSA.

Other cybersecurity news

• Hot phishing targets: Some brands are more appealing to scammers than others (Source: ZDNet)
• Not so private: Student finds way to watch private YouTube videos (Source: The Register)
• Gone dark: Dark-web marketplace DarkMarket taken down (Source: Interpol)
• Don’t lose your keys: Researchers lock horns with Google Titan (Source: Naked Security)
• Malware under fire: Malware vulnerability database launches (Source: Daily Swig) 
• Holiday phishing: Iranian APT group launches not-so-festive attack (Source: Bank Info Security)
• COVID scams: Vaccine used as bait by criminals (Source: IT Pro)
• Holes in the safety net: Banks warned not to scrap protection (Source: This is money)
• Scam confusion: Pushy sales tactics mistaken for scam (Source: Guardian)
• Mac Malware on the run: Malware operation avoids detection for 5 years (Source: ZDNet)

Stay safe, everyone!

The post A week in security (January 11 – January 17) appeared first on Malwarebytes Labs.

WhatsApp has been in the news recently after changes to its privacy policy caused a surge of interest in rival messaging app Signal. Initial reports may have worried a lot of folks, leading to inevitable clarifications and corrections. But what, you may ask, actually happened? Is there a problem? Are you at risk? Or should you keep using your apps as you were previously?

Setting the scene

WhatsApp users found themselves facing down an in-app notification this past week, letting them know of upcoming privacy policy changes. The message read:

By tapping Agree, you accept the new terms, which take effect on February 8, 2021. After this date, you’ll need to accept the new terms to continue using WhatsApp. You can also visit the Help Center if you would prefer to delete your account.

Generally, I’m somewhat suspicious whenever a trusted app starts popping messages, or anything else I wasn’t expecting. After the initial burst of “Is this genuine?”, follows the part where I try to dig out the parts that have changed and see how it compares to what went before.

What worked…

Giving users a bit of time to see the upcoming changes, and work out if they want to be part of it, is good and should be encouraged. Often, privacy policy and EULA changes spring from nowhere, giving little to no time at all to digest them. Regardless of how everything else about this notification panned out, WhatsApp should be applauded for giving everyone plenty of forewarning.

…and what didn’t

The key focus of concern around the update, was how data would be shared going forward. Aspects which people objected to included some data remaining on a device even after deleting an account, lines about “respecting privacy” being removed from the privacy policy, and things like phone numbers being shared with Facebook.

This would naturally be a cause for concern for some people.

The messaging fixer-upper

This situation wasn’t ideal for WhatsApp, who had to clarify the mixed messages spreading online. They stressed that the upcoming update is related to messaging businesses on WhatsApp. Messages are still subject to the same privacy they were previously, and neither WhatsApp nor Facebook can read your messages or hear your calls.

Additionally, more clarifications had to be made that the changes don’t apply to EU/EEA/UK regions despite people in those areas being shown the privacy policy popup. This is not ideal and raises questions as to why the notification was sent to everybody if it didn’t apply to everybody. All that tends to happen in those situations is people get confused and start to worry. What happens after that, is lots of articles appear explaining what to do if you want to switch to other services.

Writers have described this potential migration away from WhatsApp as “self-inflicted”, and that seems to be an accurate summary. Simply by having to explain the differences between forms of messaging, data collection is thrown into sharp relief. That is to say, you may not have known prior to this how much…or little…your favourite apps collect.

But now you do. The data collection genie is out of the bottle, and yet it may not matter too much.

Decisions, decisions

Ultimately, people will use what they feel most comfortable with. This misstep isn’t going to kill WhatsApp, and if you still want to use it, don’t worry. It won’t be going anywhere. As with all things, informed choices are the best choices. We regularly remind people that it’s time for a security password spring clean whenever a major breach takes place.

On a similar note, this may be a good time to brush up on all those T&Cs tied to your favourite apps. Dig into what they do, which pieces of data they collect and use. At the absolute minimum, ensure your messages are as secure as can be and that only you and the recipients can read them (look for “end-to-end encryption”). Some people are fine with data collection, for others it’s a deal breaker.

Ultimately, the decision is down to you.

The post What’s up with WhatsApp’s privacy policy? appeared first on Malwarebytes Labs.

Have you ever experienced the feeling of relief that comes when you do something silly, but you’re glad you did it where people don’t know you? Or maybe you wished you were somewhere like that, but alas…

That is what a Virtual Private Network (VPN) can do for you: it can put you in a place where you are unknown.

To determine if and when you need a VPN, you must define what your goal is. If your main goal is to improve your privacy online, then a VPN is one of the possible solutions. Privacy is a right that is yours to value and defend. If you don’t fall into the categories of people who say “I have nothing to hide” or “they already know everything about me” then you may care enough about your privacy to use a VPN.

For the latest Malwarebytes Labs reader survey we asked “Do you use a VPN?” 2,330 responded and an impressive 36 percent said they now used a VPN. For perspective, ten years ago, only 1.5 percent of Americans used VPNs.

So, how does a VPN work?

In short and easy terms, a VPN acts as a middle-man between a user and the Internet. When the user wants to visit a site, they send information to the VPN over an encrypted connection, the VPN visits the site, and then it sends the data to the user over the same encrypted connection. These connections are not limited to web browsing, even though that is the first one that usually comes to mind.

In this post we will focus on the consumer using a VPN to browse the web. But it is good to know that many organizations use a VPN to allow secure, remote access to company resources. For example, an employee working from home can log in on a VPN to get access to systems, files or email, for example.

Hide your IP address

Your IP address is the address your home network uses on the Internet. It is usually assigned to you by your Internet Service Provider (ISP). The first thing a website you visit will receive is your IP address, because it’s the return address for the information that you requested. If you are using a VPN the website will receive the IP address of the VPN server instead. The VPN will reroute the information so that it reaches your screen, without the website ever seeing your IP address.

Not everyone is willing to share their IP address because it can be used to determine their approximate location, and to identify their ISP (who can, in turn, identify who the IP is assigned to).

Hide your traffic from your ISP

Speaking of which, people who distrust their ISP and don’t want them to know which sites they’re visiting, route their traffic through a VPN. The encrypted tunnel between the user and the VPN stops anyone, including their ISP, from seeing their traffic. And this isn’t a theoretical or unlikely problem: In the USA ISPs can sell information about their users’ browsing habits to the highest bidder.

If you use a VPN to hide your traffic from your ISP it’s important to keep in mind that you are now putting your trust in the hands of that VPN provider instead. In theory, the VPN provider can now track your online behavior.

Pretend to be in another country

Another reason we often hear for using a VPN, is when you want to pretend you are in another country. Certainly, a VPN is the easiest solution to accomplish that. Some websites or services are only available in certain territories (geofenced), so pretending to be somewhere you aren’t can give you access to resources that would otherwise be hidden from you.

Imagine being a foreign correspondent in a country where news media from abroad are blocked or redacted. Or you are having a vacation in a country where Facebook is forbidden, and you want to check up on your family and friends. That is where using a VPN comes in very handy. Keep in mind however that in many such countries the use of a VPN is forbidden as well and using one could get you into trouble.

Disadvantages of using a VPN

So far, we have discussed the advantages and reasons for choosing a VPN. Why does there always have to be a downside? In this case, it’s a typical you win some, you lose some scenario.

• It can make browsing slower. Even though Internet traffic can theoretically move at the speed of light, taking a detour takes time. Using a VPN can have a performance impact that varies from hardly noticeable to considerable. Another point to research when you are deciding which one to use.
• Some websites will block known VPN servers. Usually this is for reasons that would be grounds for not wanting to visit those sites anyway, but it can be annoying to disable your VPN for a specific site.
• Some sites don’t work correctly. Some sites are designed without considering that a visitor might be using a VPN. This can sometimes result in a partial loss of the information being sent back and forth so you may have to fill out a form twice or you may have to temporarily disable the VPN to complete the data transaction.
• Overconfidence can come back to bite you. Just because you are hiding behind a VPN, that doesn’t mean it’s impossible to find out who you are. And if your actions might put you in danger where you are using the VPN, some extra measures may be needed.

Choosing a VPN

To achieve the goal of enhancing privacy it is most important to choose a VPN that you can trust. A VPN provider that logs your activities and either sells them to advertisers or surrenders them to the authorities may not have the same goals as you do.

Another important feature for a VPN is that it encrypts the traffic between your computer and the VPN server, so that nobody can tap into the connection to find out what you are doing. That encryption stops at the VPN server, so anyone with access to that server can see see or modify the traffic. Again, putting too much trust in such a feature can prove to be misguided.

To go back to our comparison, even if they can’t conclusively prove that it was you, sometimes a strong suspicion can be just as damaging for your reputation.

Stay safe, everyone!

The post How a VPN can protect your online privacy appeared first on Malwarebytes Labs.

Not long ago, we helped MSPs pick the right remote monitoring and management (RMM) platform for them, and make it an essential part of their service toolkit. As you may recall, an RMM is a tool that helps MSPs do the work. And what better way to track the work—and other elements associated with it—than to have professional service automation (PSA) software do it for you?

“Do we really need a PSA?”

A PSA is, essentially, an all-in-one tool that helps MSPs manage an array of tasks, such as project management, collaboration, invoicing, ticketing, resource planning, and reporting and data analysis (to name a few), of every client project, throughout its lifecycle. It keeps all data and processes about a project available and linked in one place, so MSPs can see the big picture and waste no time making decisions or adjustments as needed. Some may think and liken PSA software to Enterprise Resource Planning (ERP) software for MSPs.

Many MSPs are realizing that they have little time and patience to waste on tedious and time-consuming tasks when they could have been doing more productive things. If you’re an organization that is just breaking into the MSP world, or already have years of experience, “Do we really need a PSA?” should no longer be the question you ask.

A PSA is not just a nice-to-have anymore. It has become an integral and critical platform that MSPs must have to scale effectively and profitably. What you should be asking instead is “Which PSA is right for my business?”

Benefits of using a PSA

Gone are the days when PSAs were akin to helpdesk software. They have evolved beyond merely managing support tickets and tasks. The modern-day PSA’s kit can offer (but is not limited to) the following benefits:

• Significantly cut the time it takes to search for documentation
• Reduced time spent on doing repetitive tasks
• Improved service level agreements (SLAs)
• Accurate tracking and recording of onsite services from start to finish
• Automatic generation of billing statements
• Efficient management of customer engagement
• Automatic patching and system updating
• Increased customer satisfaction
• A uniform consolidation of data used to make mission critical decisions

Know that each PSA in the market right now offers different solutions and bundles, and that MSPs could be impacted by them differently as well.

Of course, not every benefit above is what MPSs would want.

Not all MSPs, for example, want a suite that automatically applies patches to the system, because they would rather do some rigorous testing themselves first, before deployment. Picking the right PSA eventually boils down to what your organization needs, what you want to automate and/or improve on, and what best fits into your business practices and processes.

PSA considerations for the smart MSP

Before MSPs can take a deep dive into implementing a PSA suite, they must realize that this is no easy feat. It is a time-consuming, disruptive, and sometimes expensive task to undertake. But patience and perseverance have their rewards. Here are three simple questions MSPs should ask when deciding which PSA to pick.

“How well does it integrate with our other tools?”

While a PSA houses all of an MSP’s data under one virtual roof and boasts an assortment of other tools for their employees to use, it’s not the only system the business uses. An MSP could have its own bespoke customer relationship management (CRM) tool or use other systems from third parties, too, such as an accounting, data backup and recovery, RMM, and, of course, endpoint security software. Make sure that the PSA of your choice can achieve deep integrations with the tools you rely on.

“Is it scalable?”

Every organization’s goal is to grow its customer base, making it especially important for MSPs to have a PSA that can scale with its growth. Pick a PSA that has been designed and built with scalability in mind, so it can cope with these “growing pains”.

On an additional note, you will want to know how the cost of the PSA will change as your business grows. Make sure that it’ll still be within a reasonable budget and sustainable in the long run.

“Will it help us achieve accountability and efficiency?”

One of the main reasons for using a PSA is to bridge those gaps that are inherently found in disparate systems used by different departments in an organization. A good PSA should be able to eradicate siloed data by tracking, recording, and reporting everything. This way, employees are expected to perform tasks efficiently and in a timely manner, clients are provisioned with the best resources to get issues resolved quickly, and bills are issued accurately.

“Can it provide data that’ll help us make informed decisions?”

A PSA can also help MSPs handle unforeseen hurdles, such as customer security issues, or delays in project deliveries. Your choice of PSA should be capable of not only collecting and keeping data from different departments but also processing, analyzing, and presenting it to your users in a way that shows trends, reveals problem points, and forecasts needs, so that you can make improvements, create plans months ahead, and effectively respond to security threats.

All we need is time

Of all the different assets MSPs must manage efficiently in order to be profitable and remain competitive, the most important is time. And what better way to manage time than to automate important but mundane daily tasks, so employees can make better use of their time and provide a higher level of security to customers. That said, the choice of investing or not investing in a PSA is no longer up for debate for MSPs. The benefits of having one as part of your toolkit just far outweighs the costs and initial challenges that naturally come with change. At the end of the day, you’ll be glad you went for one.

The post MSPs, have you picked the right PSA for you yet? appeared first on Malwarebytes Labs.