More stories


    Cloudflare and Akamai refuse to pull services out of Russia

    Cloudflare and Akamai have each confirmed they will continue to operate in Russia, despite being urged to do otherwise. Both companies have argued that if they were to pull their services, they would be hurting Russian citizens who are trying to access information from outside of the country, but said they condemn Russia’s unprovoked invasion of Ukraine.

    Cloudflare CEO Matthew Prince wrote in a blog post acknowledging that the company has received “several calls to terminate” all of its services inside Russia, including by government. “Our conclusion … is that Russia needs more internet access, not less,” he said. “As the conflict has continued, we’ve seen a dramatic increase in requests from Russian networks to worldwide media, reflecting a desire by ordinary Russian citizens to see world news beyond that provided within Russia.”

    He continued: “Indiscriminately terminating service would do little to harm the Russian government, but would both limit access to information outside the country, and make significantly more vulnerable those who have used us to shield themselves as they have criticized the government”.

    Prince also claimed that if Cloudflare were to stop operating in Russia, the Russian government would “celebrate us shutting down”. “We absolutely appreciate the spirit of many Ukrainians making requests across the tech sector for companies to terminate services in Russia. However, when what Cloudflare is fundamentally providing is a more open, private, and secure Internet, we believe that shutting down Cloudflare’s services entirely in Russia would be a mistake,” he said.

    A similar sentiment was echoed by Akamai, which said that deliberately choosing to maintain its network presence in Russia means it can continue to support customers. “This supports our global customers, including many of the world’s largest news services, social networks, and democratic government institutions, as they endeavor to provide vital and accurate information to all corners of the globe, including to the citizens of Russia,” the company said.

    Despite the decision to stay, Akamai outlined that it will suspend all sales efforts in Russia and Belarus; terminate business with state-majority-owned Russian and Belarusian customers; comply with all applicable sanctions; and address humanitarian needs through the Akamai Foundation. The company said it has also made its products and cybersecurity teams available to Ukrainian government agencies to help “keep the country’s citizens protected and connected to the information they need to defend their country”.

    Meanwhile, Cloudflare has joined forces with CrowdStrike and Ping Identity to launch what is being dubbed a critical infrastructure defense project, under which the trio will provide free cybersecurity services and support for four months to help eligible organisations in the US — hospitals, energy utilities, and water utilities — ramp up their cybersecurity defences. Under the project, organisations will have access to the full suite of Cloudflare Zero Trust solutions, endpoint protection and intelligence services from CrowdStrike, and Zero Trust identity solutions from Ping Identity. A roadmap featuring step-by-step security measures to help businesses defend themselves from cyber attacks will also be available to businesses in any industry as part of the project.

    “We rely on our infrastructure to power our homes, to provide access to water and basic necessities, and to maintain critical access to healthcare. That’s why it’s more important than ever for the security industry to band together and ensure that our most critical industries are protected and prepared,” Prince said. The move to ramp up cybersecurity defences is in response to the US Department of Homeland Security’s Cybersecurity and Infrastructure Agency issuing a “Shields Up” advisory last month urging all US businesses to prepare for heightened cyber risk activity in light of the Russian invasion of Ukraine.

    In further updates by Meta regarding its response to the invasion of Ukraine, the social media giant said it will now be hiding information about people’s followers, who they’re following, and people who are following each other for private Instagram accounts based in Ukraine and Russia. “This means that people following private accounts based in Ukraine and Russia will no longer be able to see who those accounts are following, or who follows them. We’re also not showing these accounts in other people’s follower or following lists, or in our ‘mutual follows’ feature,” the company said. Instagram stories that contain a link sticker pointing to a Russian state-controlled media website will also be demoted and labelled to let people know that they lead to Russian state-controlled media websites, Meta said. These steps are in addition to a range of efforts the company announced last week to limit news spread by Russian state-backed media outlets.



    Microsoft's latest Windows patches fix the bug causing user data not to be erased

    Microsoft’s latest round of Patch Tuesday fixes includes a fix for a bug that could result in some user data not being erased after a Windows 10 or Windows 11 PC reset. That issue, originally discovered by Microsoft Most Valuable Professional Rudy Ooms in late February, resulted in some user data still being readable in the “Windows.old” folder after completing a remote or local wipe of a Windows 10 or 11 device. This issue affected Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; and Windows 10, version 20H2. Microsoft published a suggested workaround, which involved signing out from or unlinking OneDrive before resetting a Windows device. But today’s patches for Windows 11 and Windows 10 fix the issue outright.

    Microsoft’s note about the fixes for this failure-to-erase-data issue says “some devices might take up to seven (7) days after you install this update to fully address the issue and prevent files from persisting after a reset. For immediate effect, you can manually trigger Windows Update Troubleshooter using the instructions in Windows Update Troubleshooter.”

    Microsoft also rolled out today, March 8, an update for the Windows Subsystem for Android on Windows 11. This update — version 2203.40000.1.0 from the Microsoft Store — is available to Insiders in all channels (Dev, Beta, and Release Preview). The Windows Subsystem for Android, along with the Amazon Android app store, is what enables users to run a selection of Android games and apps on Windows 11. Today’s update includes support for H.264 video hardware decoding; various networking changes; better integration between the subsystem and various Windows email clients; improved scrolling in the Amazon Appstore and Kindle apps; and more.

    Today’s Patch Tuesday fixes and updates should also bring to Windows 11 users some of the new features that Microsoft began rolling out in preview a couple of weeks ago, including the aforementioned Android apps on Windows. Mainstream (non-Insider tester) customers could manually download the handful of new Windows 11 features as of February 15.



    Utah inches closer to becoming fourth state to pass privacy law

    Last week, the Utah House of Representatives unanimously passed a consumer privacy bill — the Utah Consumer Privacy Act — moving it one step closer to becoming the fourth state to enact privacy legislation in the US. The bill will head back to the Utah Senate, where it was passed earlier this year. Officials there need to decide whether they will accept the amendments added by House members before it heads to the desk of Utah Governor Spencer Cox. Cox did not respond to requests for comment about whether he will sign the bill if it makes it to his desk.  

    The Utah Consumer Privacy Act applies to companies with an annual gross revenue of $25 million and those that conduct business in Utah or produce goods for Utah residents. The bill also only applies to businesses that “control or process” the personal information of 100,000 Utah residents or “derive over 50% of its gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 residents.”

    The bill would take effect in December 2023 and would offer Utah residents the right to notice, access, portability, and deletion — but does not offer people the right of correction. There are also exemptions for certain businesses. It includes an opt-out section that allows people to deny companies the right to target them with advertising or sell their personal information. But the bill still allows companies to conduct automated profiling and largely excludes employee data as well as any data shared between businesses. There is an opt-out provision for “sensitive” information that forces companies to also notify customers if they are collecting biometric or genetic data, health information, citizenship data, sexual orientation, racial origin, and religious beliefs.

    Like other US privacy laws, enforcement is managed by the Utah Attorney General’s office but controversially does not allow for a private right of action. The Utah Department of Commerce Division of Consumer Protection will investigate companies based on customer complaints before handing the cases off to the Attorney General’s office. Dan Clarke, a US privacy law expert who has been consulted by lawmakers in multiple states on potential privacy legislation, told ZDNet that the Utah bill is modeled after Virginia’s law, even though it does not include a requirement for assessments and is silent on following the Global Privacy Control signal.

    “Laws like Utah that follow in the footsteps of Virginia are a good step towards consumer privacy at the state level, but they are generally more business-friendly and less restrictive. Many of the laws have a predominately opt-out mindset and have lower penalties, especially for non-compliance by companies that are endeavoring to try their best,” Clarke said. “There is nothing really groundbreaking in the Utah Consumer Privacy Act. UCPA’s passage really just cements the trend that’s been proliferating across legislatures in 2022, most of which follow Virginia as a template. One element that is unique is a provision for the attorney general to propose changes after an ‘enforcement assessment,’ but that won’t happen until 2025.”

    Consumer Reports senior policy analyst Maureen Mahoney said the bill is “far too weak to protect consumers” and added that Consumer Reports has urged the Governor to veto the measure. “It’s important that any privacy law is workable for consumers — that at the very least, as in California, they can opt out of the sale of their personal information at all companies in a single step, rather than having to hunt through hundreds if not thousands of sites one-by-one, looking for a way to opt out,” Mahoney said. “And the definitions should cover targeted advertising, so that consumers can meaningfully opt out. Unfortunately, Utah’s bill is even weaker than Virginia’s industry-friendly measure, which lacked these key elements. Utah’s measure does not have opt-in rights for sensitive data, has a weaker opt-out, and an even weaker enforcement scheme.”

    Mahoney added, “All of this means that consumers won’t be able to control their data. It’s a victory for companies like Google and Facebook.”

    Lisa Sotto, head of the global privacy and cybersecurity practice at law firm Hunton Andrews Kurth, explained that the Utah law differs from the Virginia law because it lacks a correction right — which she said is out-of-step with global data protection laws — and has an opt-out, rather than opt-in, right for the use of sensitive data, which also is defined more narrowly than in the Virginia law. “The Utah law is privacy protective but also reasonably business friendly. This is a welcome development in light of the current plethora of comprehensive privacy laws in the US, with a high likelihood of more to come,” she said. “Companies that have complied with the other three state privacy laws, whose effective dates precede that of the Utah law, are well-positioned to readily comply with the Utah requirements. It should be a relatively simple exercise to comply with the Utah law once a framework is in place for California, Virginia, and Colorado compliance.”

    The Utah legislation follows recent privacy laws enacted in Virginia and Colorado in 2021, as well as multiple laws in California over the last three years. Several states have spent years attempting to pass their own privacy laws due to the lack of any movement on privacy legislation at the federal level. New York, Texas, Washington, and dozens of other states have faced issues in pushing their own privacy laws through due to backlash from businesses that complain the bills will create a significant amount of extra work for effectively any business with a website.

    Clarke, president at privacy company IntraEdge, said Washington just narrowly advanced its privacy law from the House appropriations committee, while laws in Indiana, Wisconsin, Oklahoma, and Florida are all currently cross-chamber and advancing rapidly. “I think Utah’s quick movement is more a result of off-screen negotiation to level the bill and unify after the 2021 debates with consumer advocate groups for a more comprehensive bill with private right of action, and opt-in didn’t yield the results they wanted,” Clarke said. “The key stakeholders that wanted a more comprehensive law joined a coalition deciding that something is better than nothing. This bill is a compromise between aggressive consumer privacy advocates and business-friendly supporters that was pre-wired.”


    Microsoft March 2022 Patch Tuesday: 71 vulnerabilities fixed

    Microsoft has released 71 security fixes for software, including 41 patches for Microsoft Windows vulnerabilities, five vulnerabilities in Microsoft Office and two in Microsoft Exchange. 

    Two of the vulnerabilities are rated critical — CVE-2022-22006 and CVE-2022-24501 — while the rest are rated important.

    In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) vulnerabilities, denial of service bugs, privilege escalation bugs, spoofing issues, information leaks, and policy bypasses. None of the vulnerabilities are being actively exploited, but Sophos noted that a public proof-of-concept has been released for CVE-2022-21990.

    Products impacted by March’s security update include Exchange, Visual Studio, the Xbox app for Windows, Intune, Microsoft Defender, Express Logic, Azure Site Recovery, and the Chromium-based Microsoft Edge browser, which had 21 vulnerabilities.

    They released updates for the following products:
    • Microsoft Windows: 41 vulnerabilities
    • Microsoft Office: 5 vulnerabilities
    • Microsoft Exchange: 2 vulnerabilities
    3/11 pic.twitter.com/kBSg5r08FC
    — SophosLabs (@SophosLabs) March 8, 2022

    Some of the other vulnerabilities of interest in this update are:
    • CVE-2022-24502: Internet Explorer Security Feature Bypass Vulnerability
    • CVE-2022-24508: SMB Server Remote Code Execution Vulnerability
    • CVE-2022-24512: .NET and Visual Studio Remote Code Execution Vulnerability
    • CVE-2022-21990: Remote Desktop Client Remote Code Execution Vulnerability
    • CVE-2022-23277: Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVE-2022-24459: Windows Fax and Scan Service Elevation of Privilege Vulnerability

    Microsoft also announced a slate of updates to Windows 11 on Tuesday. Recorded Future’s Allan Liska noted that Microsoft labeled CVE-2022-21990 as “Exploitation More Likely” because there is Proof of Concept code publicly available. “In order to exploit this vulnerability, the attacker must control the Remote Desktop Server that the client is connected to and launch the attack from there,” Liska said. “We have seen a number of similar vulnerabilities against the Remote Desktop Client over the last few years, none of which have been widely exploited in the wild. Even though previous vulnerabilities of this type have not been widely exploited, that doesn’t mean this one won’t be.”

    Liska added that CVE-2022-24501 and CVE-2022-22006 can be exploited if an attacker convinces a victim to download a “specially crafted file” which would crash and exploit the vulnerability when it is opened. “This is the kind of attack that a sophisticated phishing campaign could easily carry out,” Liska explained.

    In February, the tech giant released 48 security fixes for software, including a patch for a zero-day bug but no critical-severity flaws. Cisco and Google also published security updates on Tuesday.


    Chronicles Of Mandiant: Google put a ring on it

    Like a cybersecurity version of “The Bachelor,” Mandiant gives its final rose to Google. The idea of a standalone Mandiant, re-obtaining the prestige it once held in the cybersecurity industry, made for a great story but an unlikely proposition long term.


    M&A was always the destiny for Mandiant, the only question being the winning bidder. The long and unproductive marriage to FireEye sees both companies making some interesting choices after their public, corporate divorce. FireEye combined with McAfee to become Trellix. And today, Mandiant announced an engagement to a suitor with deep pockets in Alphabet via GCP. If we were browsing our ex-significant other’s social media sites, we would definitely say that Mandiant found a more attractive and compelling match. But that raises the question: “What if Google is just the rebound acquirer?” Let’s take a dive into what each company gets from this pairing.

    Rebuilding Mandiant will take time. And lots of money.

    Mandiant spent too long tied to an all-FireEye ecosystem for its MDR offerings and other associated security services and only just diversified in the last year or two to support a more open ecosystem. Because of this, Mandiant forfeited some of the prestige of its once elite Incident Response practice, primarily to CrowdStrike, and watched its competitor rocket ahead of it in terms of market valuation, stock price, attach rate, and customer penetration. Mandiant does have a strong portfolio of services and intellectual property in areas such as MDR, attack surface management (ASM), and Security Validation (its breach and attack simulation offering). However, expanding that stable of intellectual property is a capital-intensive process — requiring substantial commitment to research and development — or deep pockets to make acquisitions. And valuations for public and private cybersecurity companies are sky-high at the moment.

    Google is playing catch up by spending its way to portfolio parity

    Google’s cybersecurity efforts began with internal initiatives like Project Zero and relatively early adoption of Forrester’s Zero Trust approach to cybersecurity via BeyondCorp. The VirusTotal acquisition did signal Google’s interest in commercializing cybersecurity years ago. However, GCP pivoted towards an enterprise-focused commercial capability somewhat late, with X launching Chronicle in 2018 and Google Cloud acquiring it in 2019. That late start demands a premium to catch up; one Alphabet appears willing to pay.

    Mandiant expertise will accelerate the expansion of the Google Cybersecurity Action Team led by GCP’s CISO Phil Venables. This acquisition comes just after GCP added Siemplify to its arsenal, making its primary offerings a combination of Security Analytics and SOAR capabilities with Chronicle and Siemplify, and now Mandiant’s services-heavy portfolio of solutions. GCP will also need to sort out the impact on the rest of its ecosystem. For now, GCP relies on partnerships for a complete XDR offering, and Mandiant’s MDR service is coupled up with direct Google competitor Microsoft via Defender.

    This acquisition also augments Google Project Zero with an infusion of sophisticated practitioners in forensics, malware analysis, threat intelligence, and security research. Now two well-regarded research teams get to mix and match information and expertise, which could lead to interesting advancements and discoveries in attacker activity and techniques to defend enterprises. Mandiant’s Incident Response expertise coupled with VirusTotal data and Project Zero caliber talent could launch a new era of cybersecurity discoveries as the two teams come together. Google and Microsoft compete extensively for enterprise business, and if Google severs the information sharing that occurs between Mandiant and Microsoft. Google needs to commit to extending these relationships for this era of discoveries to materialize. Not doing so would be a mistake and a loss of epic proportions for the entire industry.

    Cloud competition becomes a contest for cybersecurity dominance

    Forrester predicted the Tech Titans would next fight over cybersecurity. This acquisition spree is not over. GCP still has major portfolio gaps in endpoint, which it’s tried to solve via partnerships… for now. Given that GCP needs EDR to gain full ownership of the technologies that comprise its XDR offering, its next shopping list likely includes an EDR tool. GCP wants to become a top-tier cybersecurity player, and its acquisitive actions match its goals.

    Mandiant brings more to GCP than vice versa in capabilities and prestige, which gives us pause. Mandiant needed an acquirer with a complete cybersecurity product portfolio, deep pockets, and strong relationships with enterprise buyers. GCP brings one of those while it continues to pursue the others. Both companies place a premium on expertise as part of their culture, which does set this up as a better pairing than Mandiant’s prior matchup.

    This post was written by VP, Principal Analyst Jeff Pollard, and it originally appeared here.


    Within hours of the Log4j flaw being revealed, these hackers were using it

    A prolific and likely state-backed hacking group repeatedly targeted several US state governments, first by exploiting software vulnerabilities in web applications and later by scanning for Log4j vulnerabilities within hours of that vulnerability coming to light, in order to maintain their access.

    Cybersecurity researchers at Mandiant have detailed how APT41, a state-sponsored cyber espionage and hacking group working out of China, compromised at least six US government networks, as well as other organisations, sometimes repeatedly, between May 2021 and February 2022. The US Department of Justice indicted APT41 hackers in September 2020, but it doesn’t appear to have had an impact on the persistent nature of the attacks. According to analysis of the attacks, many of the initial compromises came in June 2021 via targeting insecure web applications.

    Then in December 2021, a zero-day vulnerability in the widely used Java logging library Apache Log4j was disclosed, and the researchers at Mandiant say APT41 began exploiting the Log4j vulnerability almost immediately. “Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two U.S. state governments as well as their more traditional targets in the insurance and telecommunications industries,” Mandiant said.

    While a patch was released when the vulnerability was disclosed, the ubiquitous nature of Log4j means that many organisations did not know it was part of their tech infrastructure.

    No matter which vulnerability was being used, once inside the networks, APT41 tailored malware to the victim’s environment in order to make the attacks as effective as possible. When a new exploitable vulnerability appeared, the attackers didn’t abandon their previous compromise, but rather exploited the new vulnerability to gain additional persistence on the network.

    While the focus of the campaign was on compromising US government networks, APT41 attacks also targeted other industries, including insurance and telecommunications. It’s still uncertain what the overall goals of this particular APT41 campaign are, because these hackers also often dabble in moonlighting for their own personal gain.

    “APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” the report said. This recent campaign is another reminder that state-level systems in the US are under pressure from nation-state actors like China, as well as Russia, said Geoff Ackerman, principal threat analyst at Mandiant. “A preference for utilizing web exploits to target public-facing web applications, along with the ability to quickly shift targets based on available capabilities indicates that APT41 continues to pose a significant threat to public and private organizations alike around the world,” he added.

    State-backed hacking groups, as well as cyber criminals, are quick to exploit unpatched vulnerabilities. One of the key things organisations can do to avoid falling victim to attacks exploiting software vulnerabilities is to apply patches or security updates as quickly as possible.


    Best crypto wallet 2022: Secure your cryptocurrency

    If you dabble in bitcoin or other cryptocurrencies, then you may be able to get away with storing your private keys in a software wallet. But if you are serious about crypto, are mining your own bitcoins, or have serious cash invested in crypto, then a hardware wallet is something that you need to seriously consider.

    A cutting-edge hardware wallet

    Here we have a compact hardware wallet that not only holds your cryptocurrency private keys but can also be used to store passwords and even serve as a U2F hardware token. The Trezor Model T is easy to use thanks to its touchscreen display. Another nice feature of the Model T is that it is quick and easy to set up; you can be up and running after going through three simple setup steps. Yes, the price has gone up in recent months (as have most things, in particular cryptocurrency-related things), but this still remains the best hardware cryptocurrency wallet you can buy.

    Pros:
    • Stores passwords
    • U2F hardware token
    • Setup in three simple steps
    • Touchscreen display

    Cons:
    • Price has gone up

    Simplified version of the Trezor Model T

    Need a hardware crypto wallet that costs under $100? Take a look at the Trezor One. This is a cut-down, simplified version of the Trezor Model T that’s perfect for those who want a cheaper and simpler wallet that doesn’t compromise security. There’s also a three-pack of the Trezor One available if you want to buy a set so you have backups. The price has gone up in recent months, but it remains a good deal, coming in under $100.

    Pros:
    • Simplified version of the Trezor Model T
    • Doesn’t compromise security
    • Available in a three-pack

    Cons:
    • Price has gone up

    Everything is protected by a PIN code

    This is a hardware bitcoin wallet that looks like a USB flash drive. The Ledger Nano S supports more than 30 different cryptocurrencies (including Bitcoin, Ethereum, XRP, Bitcoin Cash, EOS, Stellar, Dogecoin, and many more), and all ERC20 tokens, and everything is protected by an 8-digit PIN code.

    Pros:
    • Supports more than 30 different cryptocurrencies
    • Protected by an 8-digit PIN code

    Cons:
    • Display is small and isn’t a touchscreen

    For those who want high security

    This is the hardware wallet for those who are ultra-paranoid or who want high security. The ColdCard Mk3 is a high-security device that is built around high-security hardware and open-source software. It also features a brilliant OLED display and a full-sized numeric keypad. You can augment the ColdCard with a range of accessories, including an adapter that allows you to power the ColdCard from a 9V PP3 battery, protecting you from attacks that might make use of a compromised USB charger.

    Pros:
    • Built around high-security hardware and open-source software
    • Brilliant OLED display and a full-sized numeric keypad
    • Can be augmented with a range of accessories

    Cons:
    • Bitcoin only

    Fireproof, waterproof, shockproof, and hacker-proof

    Made from indestructible 316-marine grade stainless steel, this is a cold storage cryptocurrency wallet that’s designed and built to be fireproof, waterproof, shockproof, and hacker-proof. This is the perfect tool for keeping your seed phrases secure, which would allow you to recover your private keys in the event that you lose or break your electronic hardware wallet.

    Pros:
    • Made from indestructible 316-marine grade stainless steel
    • Fireproof, waterproof, shockproof, and hacker-proof

    Cons:
    • Can be tricky to get open the first time

    What is a crypto wallet?

    A crypto wallet is a device that stores and manages the private keys you hold for your cryptocurrency. They act much like how you keep money in your wallet or purse, or how your bank details are stored on your credit or debit cards.

    Is a crypto wallet the same as a bitcoin wallet?

    Yes. Bitcoin is a type of cryptocurrency, and most hardware wallets work with a broad range of cryptocurrencies.

    How did we choose these cryptocurrency hardware wallets?

    There are a number of factors to consider here.

    • Price: Not everyone wants to spend $200 on a wallet.
    • Durability: A broken hardware wallet can leave you hating life (not to mention down the cost of the hardware), so choosing something that will last is a good investment.
    • Reputable manufacturer: You could be trusting thousands of dollars of cryptocurrency to a hardware wallet, so you want to know that your wallet has been made by a reputable company with a track record in delivering secure and reliable products.
    • Ease of use: Setting up a hardware wallet can be daunting enough, but it can be made all the more difficult if the documentation is poor (or non-existent) or the device itself is quirky and unpredictable.

    What are the different kinds of cryptocurrency wallets?

    There are two kinds of wallets: hardware and software. A software wallet is an app that lives on your computer or smartphone, or even on the web, while a hardware wallet is a separate physical device (much like a wallet or purse). This hardware wallet is connected to a PC or mobile device to carry out transactions.

    Software wallets range in price from free to, well, not free, so they are great for those starting out. Since hardware wallets cost you money, there’s a financial investment that you have to make right from the beginning.

    Why do you need a hardware wallet?

    It’s important to note that you don’t need a hardware wallet to buy, store, or send bitcoins or any other cryptocurrency. Some people hold many thousands of dollars in bitcoin or other cryptocurrencies and don’t use a hardware wallet.

    However, where hardware wallets shine is the improved security that they offer compared to an app that lives on a smartphone, computer, or in the cloud. Having a device that puts an air gap between your private keys and other apps, the internet, and the bad guys offers vastly improved security from hackers and viruses. Hardware bitcoin wallets put you in complete and total control over your private keys.

    What are the pros and cons of hardware crypto wallets?

    Pros:
    • Improved security: Total air gap between your private keys and everything else.
    • Better control: You hold your keys and can keep them separate from all your other devices.
    • Easy transportation: Bitcoin hardware wallets are small and easily transported. But they can also be stored securely in a safe or safety deposit box.
    • No reliance on a third-party app or web service: Apps and services come and go.

    Cons:
    • Cost: Hardware bitcoin wallet solutions aren’t free.
    • Extra complexity: There’s always a learning curve with hardware, and some bitcoin wallets have quite advanced features that will have you reaching for the manual.
    • Loss, destruction, theft: Hardware can break, be lost, be stolen, become obsolete, or succumb to all sorts of mishaps.
    • Another thing to take care of: If you need to make a transaction, you’ll need your wallet!

    What should you consider when buying a cryptocurrency hardware wallet?

    Yes, a hardware bitcoin wallet offers greater security, but you still need to make sure that you are buying a decent device from a reputable source. You also need to decide how much security you need. For some, having the air gap of a separate wallet is good enough, while others will feel the need to beef up security and have a device that offers higher levels of security, biometrics, and even isolation of the device from possible sources of attack, such as USB chargers. You also need a backup, just in case. Maybe this is another hardware wallet, or maybe you’re going to go for a “cold storage” solution that might include having your private keys printed on paper, or even engraved, stamped, or etched into metal. Another consideration is price. Unless you’re planning to hold huge cryptocurrency investments, it might sting a bit to spend over $100 on a wallet.


    Okta, Airbnb, Zendesk, Asana and Snap join Whistic in forming cybersecurity consortium

    Several tech firms have partnered with Whistic to create a consortium focused on sharing cybersecurity information with customers. Whistic — which created a network for assessing, publishing and sharing vendor security information — will work with tech companies like Okta, Airbnb, Zendesk, Asana, Atlassian, Snap, Notion, TripActions and G2 on The Security First Initiative.


    The initiative seeks to combat third-party data breaches by using Whistic Profiles as a standard for assessing and sharing cybersecurity details. “Just like Asana believes collaboration and transparency between internal teams are mission-critical, we also believe it’s mission-critical to establish transparent and trusted relationships with our customers and third-party vendors,” said Sean Cassidy, head of security at Asana. “That’s why we’re excited to join with so many leading companies and see the industry collectively embrace the Security First Initiative.”

    Some now use Whistic Profiles in place of the typical questionnaires used for vendor assessment requirements. Gen Buckley, senior manager of customer assurance at Okta, said the Security First Initiative and the recently released MVSP security baseline both “demonstrate the importance of working together to improve security for all our mutual customers.”

    The initiative will see the companies share their security information proactively with their customers using a Whistic Profile. Whistic CEO Nick Sorensen said the future of vendor security must be built on a foundation of collaboration and added that the “dual-sided, network approach to vendor security is the only way to meet the needs of both buyers and sellers in the ecosystem.”

    “It’s also the most efficient way to make transparency the expectation in vendor security, and when that happens, everybody wins,” Sorensen said.

    A Whistic spokesperson told ZDNet that most companies now require a security or privacy assessment yet wait until the end of the purchasing process to evaluate the security of the vendor they are purchasing from. Some vendors may also take weeks or months to satisfy those requests fully.

    “This results in elongated sales cycles and a growing friction between vendors and their customers. Whistic and the founding members of the initiative spoke about the need for the industry to flip this entire process and lead with security first, as opposed to at the end of the process,” the spokesperson said. “At the heart of this is a more transparent, proactive approach to sharing security information than has existed historically. The traditional approach has been very black-box, with both parties not communicating well and approaching it in an almost adversarial manner as opposed to treating it like the partnership that it is. We are collectively excited for more companies to approach vendor security in a more collaborative and transparent manner moving forward.”

    G2 CEO Godard Abel added that its 2021 Buyer Behavior Report found that security is now the number one consideration for buyers in the purchasing process.