
SECOND ROUND OF STIMULUS CHECKS

It seems everyone in America thinks a second stimulus check for consumers still reeling from the effects of COVID-19 is needed to re-ignite the U.S. economy.

Everyone except the U.S. Senate, specifically Majority Leader Mitch McConnell.

While two polls, one conducted by WalletHub and another by CNBC/Change Research, showed nearly nine out of 10 Americans are in favor of another stimulus check, McConnell wants more time to think about it.

The Senator from Kentucky has been preaching a wait-and-see approach since passing the $2.4 trillion CARES Act March 27. He doesn’t seem anxious to throw more money at a U.S. economy still staggering and in desperate need of financial help for coronavirus.

In no particular order, McConnell is worried that:

  • Another relief package would add trillions more to the federal deficit already skyrocketing past $25 trillion
  • Businesses and schools will be bombarded with lawsuits related to the coronavirus
  • Unemployed workers will continue taking advantage of government handouts and resist seeking employment
  • A rush to do something will cause more problems than it solves

Will There Be a Second Round of Stimulus Checks?

Democrats and some Republicans in the Senate have voiced optimism that another relief package will get serious debate during the month of June and might even include some discussion of the $3 trillion HEROES Act that recently passed in the House of Representatives.

The HEROES Act called for another $1,200 stimulus check for those making less than $75,000 ($2,400 for couples filing jointly), plus $1,200 each for up to three children.

During a radio interview in his home state of Kentucky, McConnell called the HEROES Act “not a serious piece of legislation” and said, “if there is another bill, it will originate in the Senate.”

His peers, no doubt hearing the financial screams of their constituents, will want to respond by talking seriously about the proposal that would put as much as $6,000 into a family budget.

At the very least, the popularity of the first stimulus check almost guarantees that some form of direct financial aid will be coming this summer.

When Might There Be a Second Stimulus Check?

The Senate is in session until July 3, when they will go on a two-week break surrounding the July Fourth holiday. That gives them more than a month to offer new ideas or extract worthy ones from the HEROES Act.

The first relief bill, the $2.1 trillion CARES Act, took only 10 days to draw up, debate and pass. Expecting that kind of action in Round Two would be considered wildly optimistic.

McConnell is adamant that the Senate will draw up the next relief bill, but didn’t say what it would look like or whether a second round of stimulus checks would be part of it. His focus – and likely most potent bargaining chip – is legislation that includes liability protection for businesses and schools.

“Part of getting back to normal is to not let there be a second epidemic in the wake of the pandemic, and the epidemic would be an epidemic of litigation,” McConnell said. “Businesses and schools are not going to open if they’re afraid of being sued. We need to deal with that, or we have no chance of getting back to normal.”

McConnell also is intent on helping states provide unemployment benefits, though he’s opposed to extending the $600 a week bonus that the CARES Act adds to state unemployment checks. That provision expires at the end of July, and may not be resuscitated.

“A lot of folks are getting paid more not to work than to work and that is counterproductive,” he said. “The goal here is to get people back to work. Structuring it the same way again would be a mistake.”

What Is America Saying about Stimulus Checks?

Whenever a new “normal” returns, most Americans want it to include a second stimulus check. The WalletHub poll, conducted in late April, showed 84% of Americans want a second wave of stimulus checks. The poll also showed 160 million Americans were three months away from running out of money, meaning time is of the essence.

The CNBC/Change Research poll involved people in the battleground states of Arizona, Florida, Wisconsin, Pennsylvania, Michigan and North Carolina. It was conducted the first week in May and 94% of respondents said it’s important that people who have lost jobs or wages receive relief. Another 74% of respondents support recurring direct payments to individuals until the pandemic ends.

Whether they get it – and how much it’s worth – will depend on how urgently McConnell steers legislation through the Senate. The Majority Leader has made it clear he’s concerned about how the relief packages are impacting the federal deficit, which has flown past $25 trillion.

The CARES Act helped add another $737 billion to this year’s deficit in April, by far the largest monthly shortfall in the 40 years data has been collected.

“We now have a national debt that is the size of our economy for the first time since World War II,” McConnell said. “We’ve got to be aware here of what we’re doing to the long-term future of our country with this level of debt.

“That’s why I think this next bill should be carefully crafted after we begin to see the impact of reopening again.”

Details on the HEROES Act

While McConnell completely dismisses the HEROES Act, there are going to be parts of it that Democrats will push to keep. It is loaded with huge coronavirus cash relief to seemingly every sector of American life. Among the things it provides:

  • Almost $875 billion for state and local governments
  • $200 billion in hazard pay for some essential workers
  • $850 million for child and family care for essential workers
  • $75 billion to expand COVID-19 testing and contact tracing
  • $100 billion for rental assistance for low-income households
  • $75 billion to help homeowners pay their mortgages, property taxes or utilities
  • $25 billion to help the Postal Service survive a steep drop off in revenue.

“Some of the members say let’s take a pause,” Pelosi said on the House floor. “Do you think this virus is taking a pause? Do you think that the rent takes a pause? Do you think that putting food on the table – or the hunger that comes if you can’t – takes a pause?”

The proposed second stimulus payment in the HEROES Act is larger than the first stimulus check under the CARES Act.

But it is a one-time payment, and therefore is far less generous than several other Democratic proposals by Senator Bernie Sanders and members of the progressive caucus. They wanted payments of $2,000 and even $10,000 every week, depending on family size, for the duration of the pandemic. In fact, one of the proposals requested payments for a year after the pandemic.

Those bills never came up for a vote, causing some progressive backlash against Pelosi. Congressional Progressive Caucus co-chair Pramila Jayapal proposed a bill in April that would have ensured workers receive 100% of their salaries up to $100,000 and provided businesses with funding to cover “essential” expenses such as rent. She was the only progressive member to vote against Pelosi’s bill, saying it didn’t go far enough.

Still, it’s a big, first step. Here’s a closer look at the key points:

  • Stimulus payment – $1,200 for individuals and dependents (Up to $6,000 for families)
  • Payment duration – One-time payment
  • Eligibility – Eligibility would be based on the same income limits as the CARES Act ($75,000 for single filers; $150,000 for married couples filing jointly; $112,500 for heads of households).
  • Payment distribution – Same as the CARES Act. Payments would be distributed through direct deposit or paper check.
  • Cost – $3 trillion.
  • Who introduced the bill? – House Democrats
  • Will it pass? – No, not in its current form. But it puts the ball in the Republicans’ court, the first step in a massive, trillion-dollar COVID-19 relief bill that likely will pass sometime this summer, and include a second stimulus check.

HOW TO KNOW WHEN YOUR PHONE HAS BEEN HACKED

by Natasha Stokes on May 01, 2019

From email to banking, our smartphones are the main hub of our online lives. No wonder that smartphones are starting to stack up to computers as common targets for online hackers.

Security researchers recently revealed one attack campaign that released malicious Android apps that were nearly identical to legitimate secure messaging programs, including WhatsApp and Signal, tricking thousands of people in nearly 20 countries into installing them. These apps were downloaded via a website called Secure Android, and once installed, gave hackers access to photos, location information, audio capture, and message contents. According to EFF Staff Technologist Cooper Quintin, of note is that the malware did not involve a sophisticated software exploit, but instead only required “application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware.”

Malware is often downloaded from non-official sources, including phishing links sent via email or message, as well as malicious websites such as the Secure Android site mentioned above. (While security experts recommend always downloading from official app stores – like the Apple App Store or Google Play – some countries are unable to access certain apps from these sources, for example, secure messaging apps that would allow people to communicate secretly.)

Across the board, mobile malware has been on the rise – in part due to an increase in political spies trying to break into the devices of persons of interest. Once this malware is online, other criminals are able to exploit compromised devices too. Malware can include spyware that monitors a device’s content, programs that harness a device’s internet bandwidth for use in a botnet to send spam, or phishing screens that steal a user’s logins when entered into a compromised, legitimate app.

Then there are the commercial spy apps that require physical access to download to a phone – often done by those well-known to the victim such as a partner or parent – and which can monitor everything that occurs on the device.

Not sure if you may have been hacked? We spoke to Josh Galindo, director of training at uBreakiFix, about how to tell a smartphone might have been compromised. And, we explore the seven ways your phone can be hacked and the steps you can take to protect yourself.

6 Signs your phone may have been hacked

1. Noticeable decrease in battery life

While a phone’s battery life inevitably decreases over time, a smartphone that has been compromised by malware may start to display a significantly decreased lifespan. This is because the malware – or spy app – may be using up phone resources to scan the device and transmit the information back to a criminal server.

(That said, simple everyday use can equally deplete a phone’s lifespan. Check if that’s the case by running through these steps for improving your Android or iPhone battery life.)

2. Sluggish performance

Do you find your phone frequently freezing, or certain applications crashing? This could be down to malware that is overloading the phone’s resources or clashing with other applications.

You may also experience continued running of applications despite efforts to close them, or even have the phone itself crash and/or restart repeatedly.

(As with reduced battery life, many factors could contribute to a slower phone – essentially, its everyday use, so first try deep cleaning your Android or iPhone.)

3. High data usage

Another sign of a compromised phone is an unusually high data bill at the end of the month, which can come from malware or spy apps running in the background, sending information back to its server.

4. Outgoing calls or texts you didn’t send

If you’re seeing lists of calls or texts to numbers you don’t know, be wary – these could be premium-rate numbers that malware is forcing your phone to contact; the proceeds of which land in the cyber-crim’s wallet. In this case, check your phone bill for any costs you don’t recognise.

5. Mystery pop-ups

While not all pop-ups mean your phone has been hacked, constant pop-up alerts could indicate that your phone has been infected with adware, a form of malware that forces devices to view certain pages that drive revenue through clicks. Even if a pop-up isn’t the result of a compromised phone, many may be phishing links that attempt to get users to type in sensitive info – or download more malware. The vast majority of such pop-ups can be neutralised simply by shutting the window – though be sure you’re clicking the right X, as many are designed to shunt users towards clicking an area that instead opens up the target, sometimes malicious, site.

6. Unusual activity on any accounts linked to the device

If a hacker has access to your phone, they also have access to its accounts – from social media to email to various lifestyle or productivity apps. This could reveal itself in activity on your accounts, such as resetting a password, sending emails, marking unread emails that you don’t remember reading, or signing up for new accounts whose verification emails land in your inbox.

In this case, you could be at risk for identity fraud, where criminals open new accounts or lines of credit in your name, using information taken from your breached accounts. It’s a good idea to change your passwords – without updating them on your phone – before running a security sweep on your phone itself.

SOS steps

If you’ve experienced any of these symptoms of a hacked smartphone, the best first step is to download a mobile security app.

For Android, we like Avast, which not only scans for malware but offers a call blocker, firewall, VPN, and a feature to request a PIN every time certain apps are used – preventing malware from opening sensitive apps such as your online banking.

iPhones may be less prone to hacks, but they aren’t totally immune. Lookout for iOS flags apps that are acting maliciously, potentially dangerous Wi-Fi networks, and if the iPhone has been jailbroken (which increases its risk for hacking). It’s free, with $9.99/month for identity protection, including alerts of logins being exposed.

Who would hack your phone?

By now, government spying is such a common refrain that we may have become desensitized to the notion that the NSA taps our phone calls or the FBI can hack our computers whenever it wants. Yet there are other technological means – and motives – for hackers, criminals and even the people we know, such as a spouse or employer, to hack into our phones and invade our privacy.

7 ways your phone can be hacked

From targeted breaches and vendetta-fueled snooping to opportunistic land grabs for the data of the unsuspecting, here are seven ways someone could be spying on your cell phone – and what you can do about it.

1. Spy apps

There is a glut of phone monitoring apps designed to covertly track someone’s location and snoop on their communications. Many are advertised to suspicious partners or distrustful employers, but still more are marketed as a legitimate tool for safety-concerned parents to keep tabs on their kids. Such apps can be used to remotely view text messages, emails, internet history, and photos; log phone calls and GPS locations; some may even hijack the phone’s mic to record conversations made in person. Basically, almost anything a hacker could possibly want to do with your phone, these apps would allow.

And this isn’t just empty rhetoric. When we studied cell phone spying apps back in 2013, we found they could do everything they promised. Worse, they were easy for anyone to install, and the person who was being spied on would be none the wiser that their every move was being tracked.

“There aren’t too many indicators of a hidden spy app – you might see more internet traffic on your bill, or your battery life may be shorter than usual because the app is reporting back to a third-party,” says Chester Wisniewski, principal research scientist at security firm Sophos.

Likelihood

Spy apps are available on Google Play, as well as non-official stores for iOS and Android apps, making it pretty easy for anyone with access to your phone (and a motive) to download one.

How to protect yourself

  • Since installing spy apps requires physical access to your device, putting a passcode on your phone greatly reduces the chances of someone being able to access your phone in the first place. And since spy apps are often installed by someone close to you (think spouse or significant other), pick a code that won’t be guessed by anyone else.
  • Go through your apps list for ones you don’t recognize.
  • Don’t jailbreak your iPhone. “If a device isn’t jailbroken, all apps show up,” says Wisniewski. “If it is jailbroken, spy apps are able to hide deep in the device, and whether security software can find it depends on the sophistication of the spy app [because security software scans for known malware].”
  • For iPhones, ensuring your phone isn’t jailbroken also prevents anyone from downloading a spy app to your phone, since such software – which tampers with system-level functions – doesn’t make it onto the App Store.
  • Download a mobile security app. For Android, we like Avast and for iOS, we recommend Lookout for iOS.

2. Phishing by message

Whether it’s a text claiming to be from your financial institution, or a friend exhorting you to check out this photo of you last night, SMSes containing deceptive links that aim to scrape sensitive information (otherwise known as phishing or “smishing”) continue to make the rounds.

Android phones may also fall prey to messages with links to download malicious apps. (The same scam isn’t prevalent for iPhones, which are commonly non-jailbroken and therefore can’t download apps from anywhere except the App Store.)

Such malicious apps may expose a user’s phone data, or contain a phishing overlay designed to steal login information from targeted apps – for example, a user’s bank or email app.

Likelihood

Quite likely. Though people have learned to be skeptical of emails asking them to “click to see this funny video!”, security lab Kaspersky notes that they tend to be less wary on their phones.

How to protect yourself

  • Keep in mind how you usually verify your identity with various accounts – for example, your bank will never ask you to input your full password or PIN.
  • Avoid clicking links from numbers you don’t know, or in curiously vague messages from friends, especially if you can’t see the full URL.
  • If you do click on the link and end up downloading an app, your Android phone should notify you. Delete the app and/or run a mobile security scan.

3. SS7 global phone network vulnerability

A communication protocol for mobile networks across the world, Signalling System No 7 (SS7), has a vulnerability that lets hackers spy on text messages, phone calls and locations, armed only with someone’s mobile phone number. An added concern is that text message is a common means to receive two-factor authentication codes from, say, email services or financial institutions – if these are intercepted, an enterprising hacker could access protected accounts, wreaking financial and personal havoc.

According to security researcher Karsten Nohl, law enforcement and intelligence agencies use the exploit to intercept cell phone data, and hence don’t necessarily have great incentive to see that it gets patched.

Likelihood

Extremely unlikely, unless you’re a political leader, CEO or other person whose communications could hold high worth for criminals. Journalists or dissidents travelling in politically restless countries may be at an elevated risk for phone tapping.

How to protect yourself

  • Use an end-to-end encrypted message service that works over the internet (thus bypassing the SS7 protocol), says Wisniewski. WhatsApp (free, iOS/Android), Signal (free, iOS/Android) and Wickr Me (free, iOS/Android) all encrypt messages and calls, preventing anyone from intercepting or interfering with your communications.
  • Be aware that if you are in a potentially targeted group your phone conversations could be monitored and act accordingly.

4. Snooping via open Wi-Fi networks

Thought that password-free Wi-Fi network with full signal bars was too good to be true? It might just be. Eavesdroppers on an unsecured Wi-Fi network can view all its unencrypted traffic. And nefarious public hotspots can redirect you to lookalike banking or email sites designed to capture your username and password. And it’s not necessarily a shifty manager of the establishment you’re frequenting. For example, someone physically across the road from a popular coffee chain could set up a login-free Wi-Fi network named after the café, in hopes of catching useful login details for sale or identity theft.

Likelihood

Any tech-savvy person could potentially download the necessary software to intercept and analyze Wi-Fi traffic – including your neighbor having a laugh at your expense (you weren’t browsing NSFW websites again, were you?).

How to protect yourself

  • Only use secured networks where all traffic is encrypted by default during transmission to prevent others from snooping on your Wi-Fi signal.
  • Download a VPN app to encrypt your smartphone traffic. ExpressVPN (Android/iOS from $6.67/month) is a great all-round choice that offers multi-device protection, for your tablet and laptop for example.
  • If you must connect to a public network and don’t have a VPN app, avoid entering in login details for banking sites or email. If you can’t avoid it, ensure the URL in your browser address bar is the correct one. And never enter private information unless you have a secure connection to the other site (look for “https” in the URL and a green lock icon in the address bar).

5. Unauthorized access to iCloud or Google account

Hacked iCloud and Google accounts offer access to an astounding amount of information backed up from your smartphone – photos, phonebooks, current location, messages, call logs and in the case of the iCloud Keychain, saved passwords to email accounts, browsers and other apps. And there are spyware sellers out there who specifically market their products against these vulnerabilities.

Online criminals may not find much value in the photos of regular folk – unlike nude pictures of celebrities that are quickly leaked – but they know the owners of the photos do, says Wisniewski, which can lead to accounts and their content being held digitally hostage unless victims pay a ransom.

Additionally, a cracked Google account means a cracked Gmail, the primary email for many users.

Having access to a primary email can lead to domino-effect hacking of all the accounts that email is linked to – from your Facebook account to your mobile carrier account, paving the way for a depth of identity theft that would seriously compromise your credit.

Likelihood

“This is a big risk. All an attacker needs is an email address; not access to the phone, nor the phone number,” Wisniewski says. If you happen to use your name in your email address, your primary email address to sign up for iCloud/Google, and a weak password that incorporates personally identifiable information, it wouldn’t be difficult for a hacker, who can easily glean such information from social networks or search engines, to get in.

How to protect yourself

  • Create a strong password for these key accounts (and as always, your email).
  • Enable login notifications so you’re aware of sign-ins from new computers or locations.
  • Enable two-factor authentication so that even if someone discovers your password they can’t access your account without access to your phone.
  • To prevent someone resetting your password, lie when setting up password security questions. You would be amazed how many security questions rely on information that is easily available on the Internet or is widely known by your family and friends.

6. Malicious charging stations

Well-chosen for a time when smartphones barely last the day and Google is the main way to not get lost, this hack leverages our ubiquitous need for juicing our phone battery, malware be damned. Malicious charging stations – including malware-loaded computers – take advantage of the fact that standard USB cables transfer data as well as charge battery. Older Android phones may even automatically mount the hard drive upon connection to any computer, exposing its data to an unscrupulous owner.

Security researchers have also shown it’s possible to hijack the video-out feature on most recent phones so that when plugged into a malicious charge hub, a hacker can monitor every keystroke, including passwords and sensitive data.

Likelihood

Low. There are no widely known instances of hackers exploiting the video-out function, while newer Android phones ask for permission to load their hard drive when plugged into a new computer; iPhones request a PIN. However, new vulnerabilities may be discovered.

How to protect yourself

  • Don’t plug into unknown devices; bring a wall charger. You might want to invest in a charge-only USB cable like PortaPow ($6.99 on Amazon).
  • If a public computer is your only option to revive a dead battery, select the “Charge only” option (Android phones) if you get a pop-up when you plug in, or deny access from the other computer (iPhone).

7. FBI’s StingRay (and other fake cellular towers)

An ongoing initiative by the FBI to tap phones in the course of criminal investigations (or indeed, peaceful protests) involves the use of cellular surveillance devices (the eponymous StingRays) that mimic bona fide network towers.

StingRays, and similar pretender wireless carrier towers, force nearby cell phones to drop their existing carrier connection to connect to the StingRay instead, allowing the device’s operators to monitor calls and texts made by these phones, their movements, and the numbers of who they text and call.

As StingRays have a radius of about 1km, an attempt to monitor a suspect’s phone in a crowded city center could amount to tens of thousands of phones being tapped.

Until late 2015, warrants weren’t required for StingRay-enabled cellphone tracking; currently, around a dozen states outlaw the use of eavesdropping tech unless in criminal investigations, yet many agencies don’t obtain warrants for their use.

Likelihood

While the average citizen isn’t the target of a StingRay operation, it’s impossible to know what is done with extraneous data captured from non-targets, thanks to tight-lipped federal agencies.

How to protect yourself

  • Use encrypted messaging and voice call apps, particularly if you enter a situation that could be of government interest, such as a protest. Signal (free, iOS/Android) and Wickr Me (free, iOS/Android) both encrypt messages and calls, preventing anyone from intercepting or interfering with your communications. Most encryption in use today isn’t breakable, says Wisniewski, and a single phone call would take 10-15 years to decrypt.

“The challenging thing is, what the police have legal power to do, hackers can do the same,” Wisniewski says. “We’re no longer in the realm of technology that costs millions and which only the military have access to. Individuals with intent to interfere with communications have the ability to do so.”

From security insiders to less tech-savvy folk, many are already moving away from traditional, unencrypted communications – and perhaps in several years, it’ll be unthinkable that we ever allowed our private conversations and information to fly through the ether unprotected.

20 MOST DANGEROUS PHONE APPLICATIONS

20 most dangerous mobile apps: How to best mitigate the risk

John P. Mello Jr.,
Freelance writer

Mobile apps can be a nightmare for IT. There are millions of them, and most were developed without any concern for security. Some IT organizations have tried to counter the potential threat from mobile apps by blacklisting programs they deem risky, but that’s not always effective.

Here are the top pitfalls of blacklisting, and alternative approaches to controlling the chaos that can result when a company’s employees are working on mobile devices connected to the company network.

The 20 most-blocked mobile apps

An analysis by Appthority of the blacklists of its enterprise customers is revealing. For example, here are the top 10 Android apps blackballed by enterprises:

  • Poot-debug(W100).apk
  • AndroidSystemTheme
  • Where’s My Droid
  • Weather
  • Wild Crocodile
  • Star War
  • ggzzversion
  • Boyfriend Tracker
  • Chicken Puzzle
  • Device Alive

In its analysis, Appthority ranks risk on a scale of 1 to 10, with 1 being the lowest risk. Eight of the apps in the Android top 10 had a risk score of 9, primarily because they contained malware. The other two apps—Boyfriend Tracker and Chicken Puzzle—scored a 6 because of data issues or privacy concerns.

On the iOS side of things, these apps were blacklisted the most:

  • WhatsApp Messenger
  • Pokémon GO
  • WinZip Utilities
  • CamScanner Productivity
  • Plex
  • WeChat
  • Facebook Messenger
  • eBay Kleinanzeigen
  • Netease News
  • Device Alive

The seven riskiest apps scored a 7. Their sins included sending SMS messages or sensitive data without encryption. Three programs—Pokémon GO, Plex, and Device Alive—scored a 6 because they did things such as access address books and cameras without permission and tracked a phone user’s location.

Blacklisting’s deficiencies

While these 20 apps were the most commonly blacklisted, there were plenty more in Appthority’s list of 100 enterprise apps that were as risky or riskier to use. Many of those apps ask for permissions that can be a prelude to risky behavior—the ability to read and send text messages, for example, or access a phone’s camera, microphone, and address book.

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said the proof was in the permissions.

“Users should avoid installing apps that require too many dangerous permissions. The more permissions an application has, the more risk it presents in the case that it’s hacked.”
—Leigh-Anne Galloway
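An added example (not from the article or from Appthority): a Python check that reads a decoded AndroidManifest.xml, lists which of the capabilities named above (SMS, camera, microphone, address book, location) the app requests, and reports those its stated purpose does not justify. The two manifests, the package names and the `justified` policy argument are constructed for illustration; the permission names are standard Android ones.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest carry the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names, grouped under the capabilities
# the article calls out as a prelude to risky behavior.
RISKY_CAPABILITIES = {
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "address book": {
        "android.permission.READ_CONTACTS",
        "android.permission.WRITE_CONTACTS",
    },
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}


def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from decoded manifest text."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Both element names declare a requested permission.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return root.get("package", "<unknown>"), perms


def review_manifest(manifest_xml, justified=()):
    """Flag risky capabilities; `justified` is a hypothetical per-app policy
    listing the capabilities the app's stated purpose actually needs."""
    package, perms = requested_permissions(manifest_xml)
    flagged = {}
    for capability, names in RISKY_CAPABILITIES.items():
        hits = sorted(perms & names)
        if hits:
            flagged[capability] = hits
    unjustified = sorted(set(flagged) - set(justified))
    return {"package": package, "flagged": flagged, "unjustified": unjustified}


# Constructed sample: a puzzle game that asks for far more than it needs.
PUZZLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Puzzle"/>
</manifest>
"""

# Constructed sample: a messenger whose purpose explains its requests.
MESSENGER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Messenger"/>
</manifest>
"""

if __name__ == "__main__":
    samples = [
        (PUZZLE_MANIFEST, set()),
        (MESSENGER_MANIFEST, {"camera", "microphone", "address book"}),
    ]
    for manifest, policy in samples:
        result = review_manifest(manifest, justified=policy)
        print(result["package"], "unjustified:", result["unjustified"])
```

The same capability can be acceptable for one app and a red flag for another, which is why the check compares requests against a per-app policy rather than a fixed list of bad apps.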

The sheer volume of apps available to users can make blacklisting problematic. “Blacklisting apps has never had much success in stopping breaches in the PC world, and I don’t see it as working in mobile either,” said Georgia Weidman, CEO of Shevirah, a provider of tools for assessing and managing mobile device risk.

“If you blacklist an app, a million more with those same issues will take their place. Taking a set of apps and blacklisting them isn’t going to solve any particular problem.”
—Georgia Weidman

What’s more, one enterprise’s risky app is another’s anointed app. “WhatsApp is on the list of bad apps,” Weidman noted, “but a lot of organizations use WhatsApp or a similar secure, encrypted messenger for corporate communication.”

We can’t look at every application deeply enough to say yes or no definitively about whether its risky behavior is due to a sloppy developer or someone with malicious intent, she added.

Shadow IT complicates security

Making matters worse, employees often use productivity apps without IT’s knowledge. Referred to as shadow IT, this practice has become prevalent within the bring-your-own-device (BYOD) culture, where people use their personal devices and download apps without informing IT, explained Michela Menting, digital security research director at ABI Research.

This is not always done maliciously by the employee, she said. Often they do this in good faith, to increase their productivity or facilitate their work in some way.

“They forget that by not telling IT, they can put their organization at risk.”
—Michela Menting

By keeping IT in the dark, mobile users broaden the attack surface available to an organization’s adversaries. “BYOD extends your corporate environment to your employees’ homes, vehicles, neighborhoods—and then enables them to bring whatever they picked up into your environment,” said Devon Kerr, principal threat researcher at Endgame, a maker of cybersecurity solutions for enterprises.

“It is an inheritance model that is being taken advantage of by threat actors to gain a foothold in otherwise resistant organizations.”
—Devon Kerr

One of the riskiest apps for an enterprise may not appear on any top 10 list at all: email. Email is risky for two reasons. Corporate credentials are needed to access a mailbox, and email is used to share a lot of sensitive corporate information.

Whitelisting apps can help

If emails or credentials are stored somewhere other than on a device or are accessible to a third party, in any way, the business is at significant risk, said Matt Hathaway, Senior Director of Product Marketing at Uptycs.

“The most important action for IT staff to take around email apps is to evaluate the most common, whitelist those that are secure, and configure their email servers to decline authentication attempts from any apps which aren’t on this whitelist,” Hathaway said.

For external programs, whitelisting should extend beyond email apps to all external mobile apps, added Positive Technologies’ Galloway. “IT must also create rules” for the use of personal devices that can be used for work, she said.

Another approach is to host all applications accessible to a user’s phone. Then when employees attempt to access corporate resources, they can do so only through the hosted apps. That essentially makes the phone act like a remote desktop client.

Daniel Kennedy, research director for information security and networking at 451 Research, said that in a true BYOD environment, IT’s ability to control risky apps is limited. Enterprise mobility management or mobile device management tools provide part of the answer by allowing for capabilities on employee-owned devices, such as access revocation, conditional access, data wipe, additional authentication, and data separation, he said.

“Blocking access to company data or blacklisting certain apps based on risk are other options.”
—Daniel Kennedy

Gautam Aggarwal, CMO and head of products at NSS Labs, a security testing, enterprise research, and threat analysis company, agreed that keeping a tight rein on access is a key to reducing mobile app risk. “The best approach to mitigate potential risks is to establish access-control policies that govern the use of mobile applications and, specifically, access to high-value applications and data on the network,” he said.

“Regardless of your organization’s size, maintaining visibility into the types of devices accessing applications on the network is crucial to maintaining a proper security posture.”
—Gautam Aggarwal

Thwarting threats with SIEMs

That kind of visibility can be obtained through the use of security information and event management (SIEM) software. SIEMs collect information from multiple network sources and analyze that data for potential or existing threats.

The tools monitor network activity and can generate alerts when suspicious activity is encountered, said Avast researcher Martin Hron.

“When used properly, a SIEM can notably reduce the risk of an enterprise network being infiltrated by malicious mobile applications installed on employees’ phones.”
—Martin Hron

To fully address mobile threats, though, a SIEM may need additional help. For example, some tools can track security issues on mobile devices and make that information available to a SIEM through APIs. This allows the SIEM to centralize both device monitoring and incident response.

SIEMs can help detect malicious activity from mobile apps if the company also uses an enterprise mobility management solution, which accumulates mobile device data, Positive Technologies’ Galloway explained. “In those cases, a SIEM helps detect incidents such as theft of a device or confidential information.”

Nothing’s perfect

A word of warning for SIEM shoppers was voiced by Endgame’s Kerr: “A SIEM is only as good as the human beings who are monitoring it and the procedures those human beings developed. If your organization is already struggling to monitor social media, monitoring mobile devices is going to be exceptionally challenging.”

“Mobile device management, enterprise mobility management, mobile antivirus—pick your poison—they all provide value in controlling mobile apps,” added Shevirah’s Weidman. “But just as we still see PC malware, none of these products are going to 100% protect you.”

TERRIFYING PLACES ON THE INTERNET THAT WILL STEAL YOUR SLEEP FOREVER

 

13 Terrifying Places on The Internet That Will Steal Your Sleep Forever

They say that the internet that is visible to our eyes is only 5% of the entire network: the tip of the iceberg. The remaining 95% is a place you would never, in your wildest dreams, want to find yourself. Also known as the Deep Web, this almost invisible part of the web cannot be accessed through the usual browsers like Chrome, Safari or Firefox, and harbors the most grotesque, deranged and despicable things known to mankind, the kind capable of making your blood curdle and sending chills down your spine: active drug markets, child pornography, human experimentation, red rooms and cannibal forums. Everything and anything is possible on the Deep Web. The following are some of the many horrifying things users have found on the Deep Web, things that still haunt them every single night.

1. How to Cook a Woman

While there have been many reports of forums full of people swapping tips on having humans for lunch. But perhaps the most chilling is the one lucky individual who stumbled upon a detailed guide on how to butcher and properly cook women. This page had information on what body types to use for specific cuts, how to prepare these cuts, and how to cook the girl so she lives as long as possible. It horrifies me that people way worse than the freaks on Criminal Minds exist.

2. Stillborn Babies Collection

A deep web user happened to stumble upon a forum where mothers shared photos of their stillborn babies. It is a site for women who can’t deal with the fact that their babies had been stillborn. It was filled with pictures of dead fetuses dressed up and had this really sad, creepy song playing as you scrolled through. I don’t think a forum could get more depressing and creepier than that!

 

3. Human Leather

Yes, that’s right: HUMAN LEATHER! This website is filled with products made from human flesh like food, wallets, belts, etc. If you fancy products made out of human skin, what am I saying, of course we all do! If you understood I was being sarcastic then good for you, if you didn’t then this site is probably for you!

4. Living Sex Dolls

This deep web story is sick and disturbing.  It is not for the faint-hearted.  If you are a sensitive person, you should stop reading right here. Continue at your own risk.

It is believed that a surgeon living in Easter Europe sold something peculiar on the Dark Web: Live Sex Dolls. He would adopt several young girls between the ages of 6-18 from a local orphanage that was happy to get rid of any extra mouths to feed. He would then take them home and surgically remove all of their limbs and sexually torture them.

The girls were only fed from a bottle minimum, their teeth were removed and a rubber was inserted in their mouths to maintain beauty and to assist with fellatio. The girls were then physically and mentally abused to turn them into unquestioning, unfeeling slaves. They were electrocuted, their genitals were sliced and were beaten regularly by the surgeon. The doctor destroyed their sense of hearing by playing extremely loud music and sounds on headphones, and used laser to blind the girls.  Almost all of their senses were destroyed to make them more docile. He tortured them for months preparing them for their new owner before they were ready to be sold for $40000 on the Dark Web!

5. Dead Girls

Well, this is one disturbing site that does exactly what it says on the tin: lots and lots of photos of dead girls. The site is supposed to be full of photos of girls ranging from 5 to 16, all dead from various ways and means. While that’s just morbid, there are a number of creepypasta stories surrounding the site and the subsequent madness that followed with seeing all those dead girls.

6. Hitmen for Hire

Yes, there are websites on the Dark Web that offer hitmen for hire. These websites also post pictures as proof that these guys actually mean business. Getting someone killed is, as you would expect, not cheap, but from the looks of it, they’ll get the job done.

7. IRL Cannibal Forums

What may sound like Hannibal or The Silence of the Lambs fan forums are actually real-life cannibal forums about eating people and being eaten by people. Some members even chat and arrange meetups there to eat each other, like, “I need someone to eat my fresh meat. I am juicy and tender.” And all that crazy shit.

8. Child Pornography

Of the most deranged things found on the Deep and Dark Web, child abuse seems to be the most prevalent. Although many of these websites have been shut down by the authorities, there still remain an array of predators and pedophiles operating anonymously on the Deep Web.

9. Human Experimentation

This unholy creep fest is a room on the deep web. The guys who run this site believe that not all humans are equal, and to prove their point they find homeless people and perform dark and possibly painful experiments on them, similar to the likes of the Japanese unit 731 that existed during World War II. Experiments range from water/fluid restriction, injecting pregnant women with bleach, starvation, radiation exposure and even sterilization. Fake or not, it is bone-chilling and some of the experiments that were documented were creepy. Yep, told you it was a sick place.

10. Summoning Demons

Don’t think you’re having enough fun at your regular party? Worry no more, you can go ahead and summon a demon and get that party going! Yeah, but jokes aside, very creepy!

11. Drug Markets

Perhaps the most famous thing about the deep web is the fact that you can get any and every drug ever made. Ranging from premium quality marijuana to pills and acid, the Deep Web is laden with websites that engage in the sale of drugs. ‘Silk Road’ was a very popular site, and the most credible source for some fine bud or anything else, until it got taken down very recently.

12. Professional Hackers, Fake IDs and Credit Card Fraud

There is a whole bunch of sites where you can find people to hack anything for you, be it your ex’s account or a top secret government website. These guys are up for anything. The deep web is also home to anonymous sellers who advertise their goods on topic-specific forums, like copied credit cards on a credit card fraud board. Apart from forged credit cards, people can also purchase fake identification. An American passport could cost you around 700 Euros, or 973.91 USD.

13. Red Rooms/ Live Torture Streams

While the existence of such rooms has not been proven as of yet, people have repeatedly claimed to have found terrifying live streams. Some guy stumbled on a live stream where a girl was sitting in a chair and commanded people from a chat window to tell her what kind of abuse she should do to herself. After many cuts, bruises, eye gouging, the girl eventually killed herself on the live stream.

This is not the only case where people have brought harm to themselves on a live stream on the deep web. These live streams are popularly known as “Red Rooms”: a place even ISIS is believed to have started using as a platform to conduct beheadings and murder.