    You can use your home security system to prevent teens from sneaking out, but should you?

    Teens are known to roam, but new threats in the digital age can make sneaking out feel riskier than ever to parents. One option is to fight fire with fire: Counter threats born of technology (like meeting up with online connections) with technological solutions. You can put smart home security devices to work monitoring your teen. The same capabilities that keep those who don’t belong out — motion detection, door and window sensing, video streaming — can keep tabs on those who belong in. You just need to be able to arm and disarm the system and field notifications by smartphone.

    Self-monitored home security can stand guard

    Traditional home security is professionally monitored. When the alarm is tripped, the notification is fielded by agents at a command center. They contact you, then emergency responders. If you have a professionally monitored system, think twice before arming it against your kids. The costs of a false alarm can be steep, depending on your municipal code.

    Self-monitored systems push alerts to your smartphone. It’s up to you to respond to or ignore system alerts. You’ll need to have a self-monitored home security setup in order to track your teen without accidentally looping in the police.

    Window/Door Sensors: Make sure doors and windows are locked through the night by installing contact sensors. Stick them anywhere that should stay shut, like the home office or the liquor cabinet.

    Motion Sensors: A motion sensor covers more terrain than a window/door sensor and also provides a longer leash. For example, you might not care where your kids are in the house, so long as they aren’t heading out into the foyer or garage. Off-limit rooms and points of egress can receive blanket surveillance with a single motion sensor.

    Video Doorbell: A surveillance camera pointed at your teen isn’t likely to promote a trusting relationship. But a video doorbell is so much friendlier than a plain camera. It’s both a security device and a smart home tool. It captures footage of porch pirates and trespassers but also lets you tell the mail carrier where to stash deliveries. It’s no stretch to use one for notifications when your kids get home from school or to see which friends are visiting while you’re gone.

    Let teens know how you monitor them

    Sensors and systems are easily disabled by any family member who knows how they function — a practical reason to inform your teen of any plans to track their comings and goings. If they don’t want to be surveilled, a tech-savvy teen will shrug off surveillance attempts. Frame your use of home security tech to keep an eye on them as a way to endorse their liberty, not take it away. For example, if you get a push notification when they get in at night, they are freed up from the responsibility of letting you know themselves.

    Involve your kids in your security plans

    Come to an agreement with your teen about when you turn to surveillance. Talk about what aspects of their daily, autonomous life cause you stress — be it their online behavior, their driving, or staying out late. If it’s their internet life that you’re worried about, negotiate browser controls. Comcast, for one, allows you to limit Wi-Fi access at the device level. Maybe getting to check your GPS when they arrive at their friend’s house would give you peace of mind and circumvent the need for them to update you. If it’s the out-at-all-hours behavior that has you on edge, let them know that you want to put a motion sensor in the hall, so you know when they get home safe. You could even set a specific keypad code for them to disarm your security system when they get home, giving some power back. When used thoughtfully, surveillance tech can streamline family communications.

    Extend the conversation to other parents and teens

    If your parenting practices clash with those of your teen’s friends, you are more likely to have problems trying to enforce house rules. Your best bet is to collaborate with other parents. Establish shared norms around curfews and internet use so that any extra security you try to build around your teen isn’t wildly different from the unlimited freedom of their peers.

    Creating a shared community around safety doesn’t stop there. Teens are often just looking for someplace to go. Band together with other parents to provide spaces (mother-in-law cottages or dens) that have nearby adults and parental supervision but give the impression of being hands-off hang-outs.

    Surveillance can backfire

    Most parents and teens acknowledge that technology has radically altered adolescent life. But they are divided on whether that makes it right for parents to counter tech-age threats with tech-age tools. If technology has brought about a more dangerous reality for teens, are technological controls warranted?

    Psychologist Lisa Damour cautions of the damage surveillance can do to the parent-child relationship. In fact, “[A]dolescents who believe their parents have invaded their privacy go on to have higher levels of conflict at home.” A disgruntled teen will find ways of evading digital babysitting. Worse, they could grow sneakier and more secretive in rebuke.

    Veteran social worker Janet Lehman advises against holding the conversation in the heat of the moment. Give yourself time to calm down and prepare for a “problem-solving conversation,” Lehman writes. She suggests that bad behavior in kids — lying, stealing, sneaking out — is the result of having a “really poor way of solving problems… If you look at lying as a problem-solving issue, and not a moral one, you can help your child develop strategies.”

    According to media psychologist Pamela B. Rutledge, “Parental controls should be viewed as training wheels until a kid gets his or her balance, not a solution.” Your teen won’t learn responsibility for either their digital practices or physical wellbeing by being policed. Instead, “the only solution is education.”

    Many teens support parental controls

    Whether and how you use technology to surveil your teen is up to you. The question is complex, bringing in big parenting questions on safety, trust, and privacy. If you believe that monitoring your teen will help keep them safe and you sane, be selective and rational about your chosen approaches. And inform your kid of any and all monitoring actions you take. According to one study, a majority of teens actually support the use of parental controls, showing that most young people get parents’ concerns. Whatever you decide, you should open up a conversation with your teen about safety and responsibility.

    Vivint home security review

    Whether you’re looking for a traditional home security system or want a full automation system, Vivint has excellent plans that make it a great fit if you’re looking to simplify your life. It’s not the cheapest, but additional features like expert installation and automation make it well worth it for many customers.

    Pros:

      • Expert security monitoring
      • Advanced home automation
      • Monthly contract options

    Cons:

      • More expensive than other options
      • Have to pay for equipment upfront

    Vivint packages

    | Packages | Price* | Best for | Ease of Use | Type of Installation |
    |---|---|---|---|---|
    | Smart Security Monitoring | $29.99 | Outdoor cameras | Easy | Professional |
    | Smart Home Monitoring | $39.99 | Home automation | Intermediate | Professional |
    | Smart Home Video Monitoring | $44.99 | Video surveillance | Advanced | Professional |

    All information accurate as of 06/11/2020.
    *Plus equipment financing if paying for equipment over contract term

    Vivint offers three basic packages that offer all of the services you need. Vivint specializes in superior equipment with full home automation — something not all home security companies offer. There is also live 24/7 support to ensure there is someone to help if you need it.

    We really liked Vivint Car Guard, a helpful addition to your security when there’s a teenager or a senior driver in the home. Available separately or with your plan, Vivint Car Guard will notify you of fender benders, accidents, tows and theft with smart notifications and geo-fencing to keep the vehicle close.

    Who is each Vivint package best for?

    Vivint’s packages are highly customizable, but here are our recommendations for some of their most popular options.

      • Smart Security Monitoring: Best for Starters
      • Smart Home Monitoring: Best for Home Automation
      • Smart Home Video Monitoring: Best All-Inclusive Security

    Smart Security Monitoring

    When you need basic security monitoring without the fuss of video and home automation, smart security monitoring lets you take control of home security yourself.

    Smart Home Monitoring

    Protect your family with professional monitoring that includes extra features like window and door sensors, smoke and carbon monoxide detectors and a smart app that keeps you plugged in even when you are not at home.

    Smart Home Video Monitoring

    It’s tough to beat Vivint’s technology with indoor and outdoor cameras that identify lurkers and built-in body detectors.

    Vivint equipment:

    Basic Home Equipment

      • Door sensors
      • Motion sensors
      • Glass break sensors
      • Smoke detectors
      • Carbon monoxide (CO) sensors
      • Water sensors

    Cameras

      • Ping Indoor Camera
      • Outdoor Camera Pro
      • Doorbell Camera

    Vivint prices

    Vivint’s pricing is mid-range among its competitors. Contracts can run up to five years long, but you also have the option of a month-to-month account. However, you will have to purchase your equipment upfront, which can call for an expensive initial investment. There is a 120-day warranty for purchased equipment and unlimited repair on any equipment covered under a service plan.

    Ease of use

    Regardless of your plan, you can still enjoy access to its apps. This allows you to control your home from anywhere in the world. No matter where you are, you can log into the Vivint app to unlock the door for family or turn off the light you missed on your way out. You won’t be able to receive any of these benefits until you complete the in-person installation process with an actual rep.

    Vivint types of installation

    Professional installation

    Vivint values customer service, and that is no more apparent than its installation process. You will benefit from a personal technician who will come out to your home to create and install your perfect security system personally.

    Pros

      • You can benefit from the expertise of a professional who can customize the right package for you.
      • You can add on equipment during your installation appointment.
      • You receive high-end equipment that is installed for you without the time and trouble of doing it yourself.

    Cons

      • Vivint does not include its equipment in its packages; instead, you must purchase it separately.
      • Installation can be an expensive process.

    DIY installation

    Vivint does not offer DIY or self-installation.

    Vivint types of monitoring

    | | Self-monitored | Smart Security Service | Interactive |
    |---|---|---|---|
    | Cost | Equipment purchase required | $29.99/month | $39.99/month |
    | Monitoring | DIY | Professional | Professional |
    | Installation | Professional | Professional | Professional |
    | Mobile App Control | ✗ | ✓ | ✓ |

    When it comes to monitoring, you have plenty of options. If you want to skip the monthly monitoring service, you can go the DIY route, but you will still need to purchase your equipment upfront to avoid the contract.

    If you opt for a monitoring plan, you can choose from two different plans, Smart Security Service and Smart Home Service. The Smart Security plan offers you basic monitoring with fire, theft and carbon monoxide detectors, window and door sensors and smoke alarms. If you want to add video surveillance, you can opt for the Smart Home Service, which is just a few dollars more a month.

    Additional benefits

    App access included

    App access is included with all plans, and you have the option to add Vivint Smart Drive to store all of your data so that you aren’t forced to part with any records or footage that you may need later. However, this is an additional purchase that will cost you.

    No shortage of features

    Vivint doesn’t slack on technology. You can benefit from up to 1080p resolution on the indoor and outdoor cameras for an even better picture, and the Ping Indoor Camera even has calling capability.

    Extra security

    The cameras can provide you with a wide field of vision of up to 180 degrees. Vivint also incorporates new, improved technology like infrared night vision, 4K image sensors, body and lurker detectors and a siren.

    Additional drawbacks

    Long contracts

    If you don’t purchase your equipment outright, you can finance it, but that will come with a minimum contract of five years. It is a long time to commit to a home security plan when your needs can easily change before then.

    Requires an investment

    Other companies like Ring offer DIY installation and service as low as $3 a month, and while they don’t have Vivint’s technology, they don’t require you to spend hundreds of dollars on equipment purchases.

    Compare home security providers

    * Our rating is based, in part, on industry metrics such as Better Business Bureau grades and rankings in the J.D. Power 2019 Home Security Satisfaction Study, as well as user ratings via the Google Play Store and Apple App Store.
    ** Pricing is for the basic package. Please note pricing will vary based on customization, package tiers, and fees.

    The bottom line

    Vivint is among the very best in the industry. The free app offers a live feed and past footage, while smart home automation lets you turn off the lights and lock the doors from anywhere in the world.

    The customer service is stellar, with live representatives standing by to dispatch help when and where you need it, no matter the time. It’s an additional layer of security that makes a real difference in an emergency.

    Is Vivint better than ADT?

    Vivint offers more options at a lower price than ADT, and its no-contract option provides far greater flexibility than its competitor. 

    Is Vivint better than Ring?

    Ring is a more affordable option, offering the DIY packages that Vivint lacks, but you won’t be able to benefit from a professional installation with Ring as you do with Vivint.

    Do I need Wi-Fi for Vivint?

    Vivint works off a wireless connection, so you will need WiFi to use your new security system. This is more convenient for you because the installation will not require any risky wires that need to be cut or moved.

    Is Vivint easily hacked?

    Vivint uses a wireless connection, which is not as easily hacked as a wired connection. However, any wireless connection is vulnerable to a cyberattack, so using the latest software updates and security programs is always important.

    How long do Vivint batteries last?

    Vivint batteries last a long time before they need to be repowered. Some devices run on traditional batteries for over eight months, while others can be recharged in a matter of hours or even minutes.

    Does Vivint work if the power goes out?

    Most Vivint systems utilize a wireless connection, so your wireless connection usually holds strong even if you lose power at home. If you lose WiFi, Vivint includes a backup battery in each of its devices.

    Can you use Vivint without a subscription?

    The advantage of Vivint’s equipment is that once you purchase it, it will work without a professional monitoring contract. However, you will be limited to certain features and will lose access to things like the mobile app and 24/7 support.

    REvil ransomware group resurfaces after brief hiatus

    The operators behind the REvil ransomware group have resurfaced after allegedly closing shop following the widespread attack on Kaseya that caused thousands of victims on July 4.

    Security researchers said all of the dark web sites for the prolific ransomware group — including the payment site, the group’s public site, the ‘helpdesk’ chat and their negotiation portal — went offline on July 13 after the Kaseya attack drew worldwide condemnation and tough threats from US lawmakers.

    US President Joe Biden spoke personally with Russian President Vladimir Putin after the attack, and many attributed REvil’s closure to the conversation, where Biden pressed Putin about ransomware attacks originating from Russian soil. Despite the conversation, both US authorities and Russian officials denied any involvement in REvil’s disappearance in July.

    But dozens of security researchers took to social media on Tuesday to show that the group’s Happy Blog and other sites connected to REvil had resurfaced. Bleeping Computer reported that the newest entry was from a victim who was attacked on July 8.

    Security researchers from Recorded Future and Emsisoft both confirmed that much of the group’s infrastructure was back online. Ransomware expert Allan Liska told ZDNet that most people expected REvil to return, but with a different name and a new ransomware variant.

    “Things definitely got hot for them for a while, so they needed to let law enforcement cool down. The problem (for them) is, if this is really the same group, using the same infrastructure they didn’t really buy themselves any distance from law enforcement or researchers, which is going to put them right back in the crosshairs of literally every law enforcement group in the world (except Russia’s),” Liska explained.

    “I’ll also add that I’ve checked all of the usual code repositories, like VirusTotal and Malware Bazaar, and I have not seen any new samples posted yet. So, if they have launched any new ransomware attacks there haven’t been many of them.”

    A report from security company BlackFog on ransomware attacks in August found that REvil accounted for more than 23% of the attacks they tracked last month. That was more than any other group tracked in the report.

    REvil attacked at least 360 US-based organizations this year, according to Emsisoft threat analyst Brett Callow. The RansomWhere research site says the group has brought in more than $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more.

    REvil’s shutdown in July left some victims in a tough spot. Mike Hamilton, former CISO of Seattle and now CISO of ransomware remediation firm Critical Insight, said one company paid a ransom after the Kaseya attack and received the decryption keys from REvil but found that they didn’t work. REvil typically offered a help desk function that aids victims with getting back their data.

    “Some of our customers got off really easily. If you had that agent installed on unimportant computers, you just rebuilt them and got back to life. But we got a distress call a few days ago from a company that got hit hard because they had a company that was managing a lot of their servers with the Kaseya VSA. They got a lot of their servers hit and had a lot of information on them and so they brought in their insurance company and decided to pay the ransom,” Hamilton said.

    “They got their decryption key and when they started to use it, they found that in some places it worked and in other places it didn’t. These ransomware gangs have customer support but all of a sudden they went dark. They’re completely gone and so there is no help and these folks are just stuck. They’re going to end up losing a lot of data and they’re going to end up spending a lot of money to completely rebuild their network from scratch.”

    Watch out for digital Hurricane Ida scams: SEC

    The SEC has released a notice warning people to be on the lookout for scams related to Hurricane Ida, which thrashed multiple states last week with torrents of rain and tornados while leaving millions without power.

    The SEC said people who may be receiving lump sum payouts from insurance companies due to damage from Hurricane Ida should be wary of investment scams or other online efforts to steal their money.

    “These scams can take many forms, including promoters touting companies purportedly involved in cleanup and repair efforts, trading programs that falsely guarantee high returns, and classic Ponzi schemes where new investors’ money is used to pay money promised to earlier investors,” the SEC explained.

    “Some scams may be promoted through email and social media posts promising high returns for small, thinly-traded companies that supposedly will reap huge profits from recovery and cleanup efforts.”

    AccuWeather CEO Dr. Joel Myers estimated that Hurricane Ida caused nearly $95 billion in total damage and economic loss after dumping inches of rain on Louisiana and then continuing its path of destruction up the East Coast. Millions of people will now need to deal with insurance companies to cover water damage and other issues stemming from the after effects of the hurricane.

    The SEC noted that after the devastation caused by Hurricane Katrina in 2005, there were dozens of “false and misleading statements about alleged business opportunities” that they were forced to take action against. “Be skeptical if you are approached by somebody touting an investment opportunity. Ask that person whether he or she is licensed and whether the investment they are promoting is registered with the SEC or with a state,” the SEC added. 

    “Take a close look at your entire financial situation before making any investment decision, especially if you are a recipient of a lump sum payment. Remember, your payment may have to last you and your family for a long time.”

    The financial watchdog warned of Ponzi schemes and other scams that may be targeted at those receiving payouts from FEMA or insurance companies.

    Cyber Security Cloud released a study last month noting that there was a growing trend of increasing cyberattacks before, during and after any sort of global or regional event.

    The study found a massive increase in attacks aimed at Japanese organizations ahead of the Olympics this year and attacks aimed at US organizations ahead of the Super Bowl.

    Cerberus Sentinel vice president Chris Clements echoed the findings of the study, telling ZDNet that scammers frequently target newsworthy events to lure victims into taking urgent action, especially when related to financial means.

    “We saw widespread campaigns targeting pandemic stimulus checks and I expect we will continue to see similar targeted operations both with this instance and with any future events. Individuals and organizations both must stay on guard for any unsolicited inbound communications promising financial windfalls and requiring urgent action,” Clements said.

    “Especially important is to identify ‘trusted paths’ for any legitimate relief funds or investment opportunities and to properly research their validity.”

    James McQuiggan, security awareness advocate at KnowBe4, told ZDNet that in stressful times, those affected by floods, hurricanes and fires need help quickly and rely on their emotions without taking the extra time to examine an email to determine its validity.

    “Users want to avoid clicking on links in solicitation-style emails asking people to donate or be leery of requests to download images or video clips of people in troubled times. Cybercriminals will always find emotional lures to exploit users through social engineering,” McQuiggan said.

    “People want to recognize and only donate to worthwhile and established organizations that support people in life’s unfortunate situations after a hurricane or medical emergency. Additionally, this is critical for users who want to help out those in need and those who require financial assistance.”

    Howard University announces ransomware attack, shuts down classes on Tuesday

    Howard University announced on Monday that it has been hit with a ransomware attack, forcing the school to shut down classes on Tuesday, according to a statement from the prominent HBCU.

    The school said that on September 3, members of their technology team noticed “unusual activity” on the university’s network and shut it down in order to investigate the problem. They later confirmed it was a ransomware attack but did not say which group was behind the attack.

    “The situation is still being investigated, but we are writing to provide an interim update and to share as much information as we safely and possibly can at this point in time, considering that our emails are often shared within a public domain,” Howard University said in a statement.

    “ETS and its partners have been working diligently to fully address this incident and restore operations as quickly as possible; but please consider that remediation, after an incident of this kind, is a long haul — not an overnight solution.”

    The school has contacted law enforcement and is working with forensic experts on the issue. They claim there is “no evidence of personal information being accessed or exfiltrated” but noted that the investigation is ongoing.

    The school was forced to cancel all classes on Tuesday in order to address the issue and the campus is only open to essential employees. Even the campus Wi-Fi is down. They noted that some cloud applications will remain accessible to students and that they will continue to update students and faculty at 2pm each day.

    “This is a moment in time for our campus when IT security will be at its tightest. We recognize that there has to be a balance between access and security; but at this point in time, the University’s response will be from a position of heightened security,” the school added.

    “This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data. We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering. You will receive additional communications from ETS over the course of the next few hours and continuing into the next few days, especially surrounding phishing attempts and how to protect your data online beyond the Howard University community.”

    Howard University becomes yet another major educational institution to face a ransomware attack. Emsisoft researchers found that there was a 388% increase in successful ransomware attacks on the education sector between the second and third quarters of 2020.

    Comparitech researchers Rebecca Moody and George Moody found that there have been a total of at least 222 ransomware attacks affecting 3,880 schools and colleges since 2018.

    “Schools and colleges have suffered an estimated 1,387 days of downtime due to ransomware attacks with around 9,525 days spent on recovery efforts. 22 schools/colleges revealed the amount involved in their recovery efforts with nearly $19.2 million spent by these entities in total,” the researchers explained. “This is an average of nearly $960,000. Ransom requests varied from $5,000 to $40 million. Hackers have received at least $2.95 million in ransom payments with the average payment being $268,000. Hackers have requested at least $59.1 million in ransom payments with the average request being $2.47 million.”

    According to the report, there have already been at least 39 reported ransomware attacks on educational institutions this year, and these figures do not include the Kaseya attack, which affected a number of universities tangentially.

    Emsisoft threat analyst Brett Callow put the number even higher for 2021 at 62 US educational institutions that have been hit with ransomware.

    Cerberus Sentinel vice president Chris Clements said educational institutions and especially universities are popular targets for ransomware gangs because they are typically soft targets for cybercriminals to penetrate and have sprawling, disparate technology projects that can remain unpatched or orphaned with no centralized oversight by IT.

    “Overly permissive access and permissions is another common issue in high education organizations that can easily be exploited by attackers if they gain access to a single user account. Secondly, ransomware gangs know that universities, despite being famous for budget issues, can produce huge amounts of money to pay ransoms when forced to,” Clements said. “This combination of relative ease of compromise and high ability to pay out extortion demands make universities incredibly lucrative targets for cybercriminals.”

    Tim Erlin, vice president of strategy at Tripwire, told ZDNet that universities are tough environments to secure.

    “Their populations vary greatly over the course of a year. They accept all kinds of devices into their networks, both from staff and students. And they change out their users at a high rate as students graduate and matriculate,” Erlin explained. “Not many other IT organizations have to deal with all of these factors.”

    Jenkins project attacked through Atlassian Confluence vulnerability

    Jenkins, a leading open source automation server, announced on Saturday that its deprecated Confluence service was successfully attacked through the Confluence CVE-2021-26084 exploit — something that US Cybercom warned of in a notice last week. See also: US Cybercom says mass exploitation of Atlassian Confluence vulnerability ‘ongoing and expected to accelerate’

    In a statement, Jenkins documentation officer Mark Waite explained that the affected server was taken offline and the team is investigating the impact of the issue.

    “At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected. Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service,” Waite wrote. “From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services.”

    Waite added that there is no indication that any developer credentials were taken during the attack but that they “cannot assert otherwise and are therefore assuming the worst.”

    Jenkins said that until it re-establishes a “chain of trust with our developer community,” it will be preventing releases. Every account password has been reset and the Jenkins infrastructure team has permanently disabled the Confluence service. The team has also rotated privileged credentials and taken measures to reduce the scope of access across their infrastructure.

    “We are working closely with our colleagues at the Linux Foundation and the Continuous Delivery Foundation to ensure that infrastructure which is not directly managed by the Jenkins project is also scrutinized,” Waite noted. “In October 2019 we made the Confluence server read-only effectively deprecating it for day-to-day use within the project. At that time, we began migrating documentation and changelogs from the wiki to GitHub repositories. That migration has been ongoing, with hundreds of plugins and many other documentation pages moved from the wiki to GitHub repositories.”

    The notice comes after multiple IT leaders took to social media to confirm that CVE-2021-26084 was indeed being exploited.

    Atlassian updated its notice — released on August 25 — to confirm that the vulnerability is being actively exploited in the wild. “Affected servers should be patched immediately. The vulnerability is exploitable by unauthenticated users regardless of configuration,” Atlassian added to their previous notice.

    US Cybercom caused a stir when it tweeted on Friday, “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend.”

    BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.

    Shawn Smith, director of infrastructure at nVisium, told ZDNet that the Atlassian Confluence vulnerability is “definitely still being exploited.”

    “If we look at the list of versions that are vulnerable, it includes nearly every version — all the way back to the 4.x.x line, which was originally released in 2011. Looking at the early details, we know that nearly 15,000 servers were present online before the vulnerability disclosure — and eight days later that number had dropped by less than 4,000,” Smith said. “Now, we’re only an additional five days beyond that and it’s unlikely that a significant number of servers were patched, especially considering it was a holiday weekend in the United States.”
    Cybersecurity company Censys updated their own blog post on Sunday to say that the number of vulnerable Confluence instances dropped from 11,689 to 8,597 since last Thursday.

    Bad Packets reported that CVE-2021-26084 exploit activity was being detected from hosts based in Russia targeting their Atlassian Confluence honeypots. They previously said they “detected mass scanning and exploited activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”

    ProtonMail CEO says services must comply with laws unless based 15 miles offshore

    Hosted email service provider ProtonMail has responded to criticism about its end-to-end encryption capabilities after French authorities obtained the IP address of a French climate activist who used the company’s services, saying all companies have to comply with laws, such as court orders, so long as they operate within 15 miles of land.

    “No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law,” Yen said in a blog post.

    First reported by TechCrunch, the data collection performed by French authorities was part of an investigation into a group of climate activists who have occupied a number of apartments and commercial spaces in Paris. According to ProtonMail, French authorities, with the help of Europol, were able to acquire the IP address through receiving approval from Swiss courts to do so. After Swiss courts issued the legal order, ProtonMail was required to log IP information on a climate activist’s account, which was then provided to French authorities and led to the individual being identified and arrested.

    ProtonMail founder and CEO Andy Yen said that while it is not subject to French or EU requests, due to being based in Switzerland, it still must comply with requests from Swiss authorities.

    “Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account,” the company said. “The internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.”

    Yen noted that ProtonMail neither collects the identity of its users nor user data due to it being encrypted — which meant the activist’s emails, attachments, calendars, and files were not accessed by French authorities — as there is no requirement to do so under Swiss laws. Certain court orders can compel ProtonMail to delay notifying users about their private data being used in criminal proceedings, however, according to the company’s law enforcement page.

    When stating the requirements that ProtonMail must follow under Swiss law, Yen also took the opportunity to criticise the approach taken by French authorities to acquire the IP address.

    “We are on your side, and our shared fight is with the authorities and the unjust laws we have been campaigning against for years. The prosecution in this particular case was very aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world,” Yen said.

    According to ProtonMail’s most recent transparency report, the number of orders the company receives from Swiss authorities has grown exponentially, rising from 13 in 2017 to 3,572 last year. Of the 3,572 orders it received last year, 195 of them were foreign requests.

    Zero trust and cybersecurity: Here's what it means and why it matters

    It seems that every tech security vendor is talking up ‘zero trust’ as an answer to increasingly dangerous cyberattacks, but UK cybersecurity experts warn customers its definition is a bit slippery and they should proceed with caution. The UK’s National Cyber Security Centre (NCSC) this week said zero trust has become a “very fashionable term” in the tech world. To address the slipperiness of its definition, NCSC has outlined a few traps and pitfalls that organizations running a zero trust migration should be mindful of. 

    So what is zero trust, according to the NCSC?

    “Zero trust is the idea of removing inherent trust from the network. Just because a device is within the internal “trusted” side of a firewall or VPN, it should not be trusted by default,” it explains in a new blogpost.

    “Instead, you should look to build confidence in the various transactions occurring. You can do this by developing a context through the inspection of a number of signals. These signals are pieces of information like device health or location, and can give the confidence needed to grant access to a resource.”

    However, NCSC acknowledges that not every organization will be ready to adopt a zero trust architecture. It also stressed that zero trust isn’t a standard or specification, but rather “an approach to designing a network” — meaning it can be difficult to know if you’re doing it right.

    On top of this, there may be direct and indirect costs that arise from a migration to a zero trust network design. Direct costs include new products, devices, and services. Indirect costs include training engineers, new licensing costs, and subscriptions. NCSC notes that these ongoing costs could, however, be less than the cost of maintaining and refreshing existing network services.

    “Moving to a zero trust architecture can be a very disruptive exercise for an organisation,” NCSC warns. “It can take several years to migrate to a “fully zero trust” model due to the extent to which changes may need to be made across your enterprise.”

    “Defining an end state for a migration is difficult when the model you’re aiming for may evolve during rollout.”

    There are also broader implications for the many organizations that run big systems that just don’t mesh with zero trust concepts, for example a legacy payroll system that lacks modern authentication methods, such as two-factor authentication.

    Then there are products and services that don’t mesh well with zero trust, such as BYOD architectures. Organizations could have difficulties assessing whether devices are secure without intruding on the privacy of workers. Alternatively, an air-gapped network might not be able to use a cloud-based zero trust service.

    Finally, NCSC warns of vendor lock-in and cloud lock-in that may restrict an organization’s ability to move some systems to other services in the future.

    Just last week, Google announced a $10 billion commitment to help the US improve the security of critical infrastructure after a meeting with US president Joe Biden. Microsoft committed $20 billion. Both companies are focussing on zero trust capabilities to address recent software supply chain and ransomware attacks on critical infrastructure.

    IBM is also boosting its zero trust services through the relatively new category of Secure Access Service Edge (SASE) services. All three, along with 15 more vendors, are working with the US NIST to create benchmarks for zero trust architectures.

    NCSC lays out five reasons why zero trust might be a good philosophy to adopt:

    In a zero trust model, every action a user or device takes is subject to some form of policy decision. This allows the organisation to verify every attempt to access data or resources, “making life very difficult for an attacker”.

    Zero trust allows strong authentication and authorisation, while reducing the network overhead of extending your corporate network out into your users’ homes.

    Some zero trust security controls can enable a much better user experience. For example, by using single sign-on, users only have to enter credentials once, rather than every time they want to use a different application.

    Greater control over data access means you can grant access to specific data to the right audience.

    Enhancing your logging capability to include events from user devices and services gives you a much richer picture of what’s happening in your environment, allowing you to detect compromises with more accuracy.