More stories

  • in

    As coronavirus cases surge, so do cyberattacks against the healthcare sector

    The healthcare sector should brace itself against an increase in cyberattack rates and a variety of attack vectors over the coming months, researchers have warned. 

    On Tuesday, cybersecurity firm Check Point released new statistics that show a 45% increase in cyberattacks since November against the global healthcare sector, over double an increase of 22% against all worldwide industries in the same time period. 
    According to the researchers, attack vectors employed by threat actors are wide-ranging, including distributed denial-of-service (DDoS) attacks, social engineering, botnets, phishing, and ransomware. 
    However, ransomware, in particular, is of serious concern. 
    We’ve already seen just how debilitating a ransomware attack wave can be. The WannaCry outbreak of 2017 locked up and disrupted operations for countless businesses worldwide, and in the past four years, ransomware has continued to grow in popularity due to how lucrative a criminal business it has become. 
    When it comes to hospitals, some providers will pay blackmail fees demanded by ransomware operators rather than risk patient care. The death of a patient due to a ransomware attack on a hospital has already occurred. 
    Check Point says that ransomware attack rates are surging against the healthcare sector. The Ryuk ransomware strain is now the most popular malware to deploy in these attacks, followed by Sodinokibi. 

    Overall, an average of 626 attacks was recorded on a weekly basis against healthcare organizations in November, in comparison to 430 in October. Central Europe has been hardest hit in the past two months, with a 145% increase in healthcare-related attacks, followed by East Asia, Latin America, and then the rest of Europe and North America.
    Healthcare organizations in Canada and Germany experienced the largest surge in cyberattack rates at 250% and 220%, respectively. 

    Check Point says that the reason for the increase is financial, with threat actors seeking to cash in on the worldwide disruption caused by COVID-19. While bog-standard fraudsters are targeting the general public through phishing, emails, texts, and phone calls in coronavirus-related campaigns, other groups are hoping to profit through more debilitating attacks on core services. 
    “As the world’s attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes — so it’s essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against covid-related online crime,” the team says. 

  • in

    Chinese telcos spared delisting as NYSE backtracks on decision

    The New York Stock Exchange (NYSE) has reversed course on its planned delisting of a trio of Chinese telcos.
    On New Year’s Eve, it was announced NYSE intended to delist China Telecom, China Mobile, and China Unicom Hong Kong in order to comply with a 12 November 2020 executive order from outgoing US president Donald Trump.
    The order sought to forbid trading and investing in any of the companies previously deemed to be Communist Chinese military companies by the US Department of Defense. It also looked to ban trading in any new companies that are given such a label.
    By Monday though, the NYSE had reversed course.
    “In light of further consultation with relevant regulatory authorities in connection with Office of Foreign Assets Control FAQ 857 … the New York Stock Exchange LLC announced today that NYSE Regulation no longer intends to move forward with the delisting action in relation to the three issuers … which was announced on December 31, 2020,” it said in a statement.
    “At this time, the issuers will continue to be listed and traded on the NYSE. NYSE Regulation will continue to evaluate the applicability of Executive Order 13959 to these issuers and their continued listing status.”
    In the executive order, Trump said the People’s Republic of China (PRC) was “exploiting United States capital” to boost and update its military, which he claimed would allow Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons and malicious cyber-enabled actions against the United States and its people”.

    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.
    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also said the PRC “exploits United States investors” to finance its military.
    For its part, the China Securities Regulatory Commission hit back on Sunday and said the ban was politically motivated and ignored the rights of investors while severely damaging the market.
    It added that the size of the listings on American markets was under 2.2% of the total shares on offer, so the direct impact of the delisting was “rather limited”.
    “The role of the US as an international financial centre, is built on the trust of the global enterprises and investors in the inclusiveness and certainty of its rules and institutions,” the Commission said.
    “The recent move by some political forces in the US to continuously and groundlessly suppress foreign companies listed on the US markets, even at the cost of undermining its own position in the global capital markets, has demonstrated that US rules and institutions can become arbitrary, reckless, and unpredictable. It is certainly not a wise move.”

  • in

    UK court rejects US extradition of Assange

    A UK court has ruled that WikiLeaks founder Julian Assange will not be extradited to the US, where he would have faced over 18 charges, including espionage and breaching national security.
    District Judge Vanessa Baraitser refused the US extradition request on the basis that there was a high risk of Assange committing suicide if he were to be sent to the US.
    Assange came to prominence for creating WikiLeaks, which for years leaked state secrets from governments all over the world.
    The extradition decision follows over a decade of Assange facing court allegations across various jurisdictions. In 2010, Assange was accused of unlawful coercion, rape, and molestation in Sweden and was ordered to be extradited to the Scandinavian country in 2011. Shortly after the order was made, Assange entered the Embassy of Ecuador in London to escape extradition. 
    These charges have since been dropped.
    He spent seven years in the Ecuadorian Embassy before being arrested by the British police in 2019 for previously failing to surrender to court. The arrest occurred when the Ecuadorian government withdrew its asylum.
    Assange was found guilty of failing to surrender to court and sentenced to 50 weeks in jail for breaching bail conditions.

    During that time, the US Department of Justice (DoJ) issued 18 charges against him. Among those charges were that Assange allegedly conspired with, and “aided and abetted”, Chelsea Manning to remove US classified documents. The department also alleged that Assange published on WikiLeaks the unredacted names of sources in Iraq and Afghanistan that provided information to the US, which put those individuals in danger.
    Releasing her judgment on Monday, Baraitser categorised her analysis of the charges into three strands: Broad conspiracy, aiding and abetting Chelsea Manning with obtaining and disclosing government documents, and publishing documents that contained the names of informants.
    In all three strands, Baraitser rejected Assange’s defences, saying that media members, in principle, are not released from their duty to obey the ordinary criminal law. Journalists have “duties and responsibilities” and the scope of these responsibilities depends on their situation and the “technical means” they use, she said, while noting that it could be argued that Assange is not a media member.
    She also said that Assange could not prove that the releasing of government documents stopped crimes against humanity, explaining that he was unable to identify a class of people for whom he reasonably regarded himself as being responsible. 
    In terms of the extradition itself, Baraitser said that the extradition of Assange to the US was permissible under UK law, despite a UK-US treaty stating that people could not be extradited from the UK to the US for a political offence, because the powers of Parliament reign supreme in this instance. 
    “Whilst it is obviously desirable for both governments to honour the terms of a treaty they have agreed, Parliament has made its intentions clear. The source of lawmaking remains with Parliament and the executive does not have the power to alter this through the provisions of a treaty,” Baraitser said.
    Despite these conclusions, Baraitser blocked the extradition request as it would be “unjust and oppressive by reason of Assange’s mental condition and the high risk of suicide”. This conclusion was made following testimony from various medical experts that Assange had severe recurrent depressive disorder, which was sometimes accompanied by psychotic features and suicidal ideas. 
    Assange was also found to have post-traumatic stress disorder, generalised anxiety disorder, and autism. 
    In response to the extradition’s rejection, the US Justice Department said it was “extremely disappointed” but was gratified that it “prevailed on every point of law raised”.
    “In particular, the court rejected all of Assange’s arguments regarding political motivation, political offense, fair trial, and freedom of speech. We will continue to seek Assange’s extradition to the United States,” the Justice Department added.
    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:
    Suicide Call Back Service on 1300 659 467
    Lifeline on 13 11 14
    Kids Helpline on 1800 551 800
    MensLine Australia on 1300 789 978
    Beyond Blue on 1300 22 46 36
    Headspace on 1800 650 890
    QLife on 1800 184 527

  • in

    SolarWinds: The more we learn, the worse it looks

    In March of 2020, Americans began to realize that the coronavirus was deadly and going to be a real problem. What no Americans knew then was that at about the same time, the Russian government’s hack of SolarWinds’ proprietary Orion network monitoring software was destroying the security of top American government agencies and tech companies. There were no explosions, no deaths, but it was the Pearl Harbor of American IT. 


    Russia, we now know, used SolarWinds’ hacked program to infiltrate at least 18,000 government and private networks. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents.
    The Russians may even have the crown jewels of Microsoft’s software stack: Windows and Office. In a twist, which would be hilarious if it weren’t so serious, Microsoft claims it’s no big deal. 
    That’s because Microsoft has “an inner-source approach – the use of open-source software development best practices and an open-source-like culture – to make source code viewable within Microsoft.” It’s nice that Microsoft is admitting that the open-source approach is the right one for security — something I and other open-source advocates have been saying for decades. But, inner source isn’t the same thing as open source. 
    When hackers, not Microsoft developers, have access to proprietary code, the door’s open for attacks. True, Microsoft’s “threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.” But, making that assumption is one thing. Dealing with reality is something else. 
    For decades, one of proprietary software’s stupid assumptions has been that “security by obscurity” works. While it can help — no, really it can if used intelligently — that’s not the case with proprietary code. Even with the best will in the world, I doubt that Microsoft has really undertaken the hard security code review needed to lock down its proprietary code. The almost weekly revelations of new Microsoft security holes and mishaps don’t make me feel warm and fuzzy about the security of its software.
    While President Donald Trump has completely ignored the actions of Russian President Vladimir Putin’s government, America’s Cybersecurity Infrastructure and Security Agency (CISA) said the hacks posed a “grave risk” to US governments at all levels. 

    Worse was revealed. Over the Christmas season holidays, the CISA said that all US government agencies must update to Orion’s 2020.2.1HF2 version by the end of the year. If they can’t, they must take these systems offline. 
    Why? Because yet another SolarWinds Orion vulnerability was being used to install the Supernova and CosmicGale malware. This security hole, CVE-2020-10148, is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. I have an even better idea than updating Orion. Dump Orion. Dump it now. And start an investigation of SolarWinds’ mediocre security record. 
    As time goes by, more and more government agencies and companies have been shown to have been hacked. This includes the Department of State; Department of Homeland Security; National Institutes of Health; the Pentagon; Department of the Treasury; Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration. 
    Everyone claims that nothing too important has been revealed, but then, they would say that, wouldn’t they? 
    Sen. Mark Warner (D-Virginia), ranking member on the Senate Intelligence Committee, told the New York Times the hack looked “much, much worse” than first feared. “The size of it keeps expanding.” 
    How much bigger will it get? We don’t know. Personally, I’d assume that if my company had been using SolarWinds Orion software during 2020, I’ve been hacked.
    It didn’t come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and American Fortune 500 companies may prove to be even more damaging to our national security and our business prosperity. Now, we’ll see if American developers, system administrators, and managers can rise to the occasion to rebuild their systems the way their grandparents did in the 1940s. 

  • in

    Malware uses WiFi BSSID for victim identification

    Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim’s IP address and check it against an IP-to-geo database like MaxMind’s GeoIP to get a victim’s approximate geographical location.

    While the technique isn’t very accurate, it is still the most reliable method of determining a user’s actual physical location based on data found on their computer.
    However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first.
    This second technique relies on grabbing the infected user’s BSSID.
    Known as a “Basic Service Set Identifier,” the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi.
    You can see the BSSID on Windows systems by running the command:
    netsh wlan show interfaces | find "BSSID"

    Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.
    This database is a collection of known BSSIDs and the last geographical location they’ve been spotted at.
    These types of databases are quite common these days and are usually used by mobile app operators as alternative ways to track users when they can’t get access to a phone’s location data directly (e.g., see WiGLE, one of the most popular services used for these types of BSSID-to-geo conversions).
    Checking the BSSID against Mylnikov’s database would allow the malware to effectively determine the physical geographical location of the WiFi access point the victim was using to access the internet, which is a far more accurate way of discovering a victim’s geographical position.
    Using both methods together allows malware operators to confirm the result of the initial IP-based geolocation query with the second, BSSID-based method.
    Malware operators usually check for a victim’s location because some groups want to infect victims only inside specific countries (such as state-sponsored operations) or they don’t want to infect victims in their native country (in order to avoid drawing the attention of local law enforcement and avoid prosecution).
    However, IP-to-geo databases are known for their wildly inaccurate results, as telcos and data centers tend to acquire or rent IP address blocks on the free market. This results in some IP blocks being assigned to different organizations in other regions of the globe from their initial/actual owner.
    Using a second method to double-check a victim’s geographical location isn’t widely adopted today, but the technique has clear benefits that other malware operations will surely appreciate and decide to use in the future as well.
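
A defender-side sketch of how the behaviour described above could be spotted in endpoint telemetry. This is an added example, not code from the article or from Mertens' analysis; the event format, host names and `.invalid` URLs are constructed, and it assumes the BSSID is read with the `netsh` command shown above.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# The BSSID-reading command quoted in the article (with or without "| find").
NETSH_RE = re.compile(r"\bnetsh(\.exe)?\b.*\bwlan\s+show\s+interfaces\b", re.I)
# MAC-shaped value: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or 12 bare hex digits.
MAC_RE = re.compile(
    r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$|^[0-9a-f]{12}$", re.I)

# Constructed telemetry: process-creation and outbound-HTTP events (assumed schema).
SAMPLE_EVENTS = [
    {"ts": "2021-01-04T10:00:01", "host": "WS-017", "type": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'cmd /c netsh wlan show interfaces | find "BSSID"',
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"ts": "2021-01-04T10:00:03", "host": "WS-017", "type": "http",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "url": "https://geo.example.invalid/lookup?v=1.1&bssid=00%3A11%3A22%3Aaa%3Abb%3Acc"},
    # Same host, MAC-shaped parameter again, but long after the netsh call.
    {"ts": "2021-01-04T10:30:00", "host": "WS-017", "type": "http",
     "image": r"C:\Tools\inventory.exe",
     "url": "https://assets.example.invalid/report?mac=001122aabbcc"},
    # Helpdesk script reads the BSSID; the request that follows carries no MAC.
    {"ts": "2021-01-04T11:00:00", "host": "WS-020", "type": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show interfaces",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2021-01-04T11:00:05", "host": "WS-020", "type": "http",
     "image": r"C:\Windows\System32\curl.exe",
     "url": "https://intranet.example.invalid/status?id=12345"},
    # MAC-shaped parameter with no BSSID read seen on this host.
    {"ts": "2021-01-04T12:00:00", "host": "WS-031", "type": "http",
     "image": r"C:\Tools\inventory.exe",
     "url": "https://assets.example.invalid/report?mac=AA-BB-CC-DD-EE-FF"},
]


def mac_params(url):
    """Return (name, value) query parameters whose value is shaped like a MAC."""
    query = urlsplit(url).query
    # parse_qsl percent-decodes values, so %3A-encoded colons are handled.
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if MAC_RE.match(v.strip())]


def find_bssid_geo_lookups(events, window_s=120):
    """Flag outbound requests that carry a MAC-shaped value.

    severity "high": the same host ran `netsh wlan show interfaces` within
    window_s seconds before the request (read-then-lookup pattern).
    severity "low": MAC-shaped parameter only; could be asset inventory, or
    malware that reads the BSSID through an API instead of netsh.
    """
    window = timedelta(seconds=window_s)
    last_read = {}  # host -> time of the most recent BSSID read
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and NETSH_RE.search(ev.get("cmdline", "")):
            last_read[ev["host"]] = ts
        elif ev["type"] == "http":
            hits = mac_params(ev.get("url", ""))
            if not hits:
                continue
            read_ts = last_read.get(ev["host"])
            correlated = read_ts is not None and ts - read_ts <= window
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "image": ev.get("image"),
                "url": ev["url"], "params": hits,
                "severity": "high" if correlated else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bssid_geo_lookups(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["image"], alert["params"])
```

Only query-string parameters are inspected here; a lookup sent in a request body or over an unproxied TLS session would need body or endpoint-level visibility.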

  • in

    Singapore police can access COVID-19 contact tracing data for criminal investigations

    Singapore has confirmed its law enforcers will be able to access the country’s COVID-19 contact tracing data to aid in their criminal investigations. To date, more than 4.2 million residents or 78% of the local population have adopted the TraceTogether contact tracing app and wearable token, which is one of the world’s highest penetration rates.
    This figure is double that of the adoption rate just three months ago in September, when TraceTogether had clocked 2.4 million downloads or about 40% of the population. A recent spike likely was fuelled by the government’s announcement that use of the app or token would be mandatory for entry into public venues in early-2021, when it was able to distribute the token to anyone who wanted one. 
    Introduced last March, TraceTogether taps Bluetooth signals to detect other participating mobile devices — within 2 metres of each other for more than 30 minutes — to allow them to identify those who have been in close contact when needed.

    In its efforts to ease privacy concerns, the Singapore government had stressed repeatedly that COVID-19 data would “never be accessed unless the user tests positive” for the virus and was contacted by the contact tracing team. Personal data such as unique identification number and mobile number also would be substituted by a random permanent ID and stored on a secured server. 
    Minister-in-Charge of the Smart Nation Initiative and Minister for Foreign Affairs, Vivian Balakrishnan, also had insisted the TraceTogether token was not a tracking device since it did not contain a GPS chip and could not connect to the internet. 
    He further noted that all TraceTogether data would be encrypted and stored for up to 25 days, after which it would be automatically deleted, adding that the information would be uploaded to the Health Ministry only when an individual tested positive for COVID-19 and this could be carried out only by physically handing over the wearable device to the ministry.
    In addition, “only a very limited, restricted team of contact tracers” would have access to the data, the minister had said, noting that this was necessary to reconstruct the activity map of the COVID-19 patient. All public sector data protection rules would apply to the data held by the Health Ministry, he added, including abiding by the recommendations of the Public Sector Data Security Review Committee.

    However, the Singapore government now has confirmed local law enforcement will be able to access the data for criminal investigations. Under the Criminal Procedure Code, the Singapore Police Force can obtain any data and this includes TraceTogether data, according to Minister of State for Home Affairs, Desmond Tan. He was responding to a question posed during parliament Monday on whether the TraceTogether data would be used for criminal probes and the safeguards governing the use of such data.
    Tan said the Singapore government was the “custodian” of the contact tracing data and “stringent measures” had been established to safeguard the personal data. “Examples of these measures include only allowing authorised officers to access the data, using such data only for authorised purposes, and storing the data on a secured data platform,” he said.
    He added that public officers who knowingly disclose the data without authorisation or misuse the data may be fined up to SG$5,000 or jailed up to two years, or both. 
    Asked if police use of the data violated the TraceTogether privacy pledge, Tan said: “We do not preclude the use of TraceTogether data in circumstances where citizens’ safety and security is or has been affected, and this applies to all other data as well.”
    He noted that “authorised police officers” may invoke the Criminal Procedure Code to access TraceTogether data for such purposes as well as for criminal investigation, but this data would, otherwise, be used only for contact tracing and to combat the spread of COVID-19.
    The Singapore police, in fact, had played a key role since February in assisting the Health Ministry in identifying and locating individuals who had been in close contact with COVID-19 patients. Law officers would conduct ground enquiries and review CCTV footage to establish the location and movement of these individuals. 
    Strong demand for TraceTogether token a surprise
    During parliament Monday, Education Minister Lawrence Wong said the TraceTogether platform would continue to play an integral role in Singapore’s efforts to contain the spread of COVID-19, slashing what used to take two days down to hours in contact tracing.

    The minister, who co-chairs the multi-ministry COVID-19 task force, said some SG$10 million had been spent on developing TraceTogether and SafeEntry, with costs optimised by the use of off-the-shelf components to minimise manufacturing complexities. This, however, had led to tokens that were not rechargeable. The wearables currently had a battery lifespan of between six and nine months.
    Amongst the 4.2 million participants of TraceTogether, some 2 million use the app on their smartphones. According to Tan, the government had not expected the strong demand for the token, given the accessibility of the mobile app. This had resulted in delays in the manufacturing and distribution of the wearable device. 
    Such issues would be addressed soon as the government looked to build up inventory and resume distribution of the token at community centres where it was currently halted, he added.
    The mandatory use of TraceTogether would be rolled out once everyone who wanted a token had a chance to collect one, Wong said.
    According to ProPrivacy’s digital privacy and VPN expert Ray Walsh, however, the fact that the police could access the data should serve as a reminder of why centralised systems were harmful to personal privacy.
    In a statement released in response to the news, Walsh said: “As suspected, location information collected in the centralised database for the purposes of preventing the spread of the virus can also be leveraged by Singaporean police — thanks to existing legislation. This means citizens’ location data is being stored in such a way that is extremely damaging to their privacy, their freedom of movement, and their right to free association.
    “This is extremely concerning considering that the government is planning to make the use of the TraceTogether app mandatory for all citizens,” he said. “Test and trace systems forced on the general public for the purposes of preventing the spread of the pandemic have no right being used to create an extensive surveillance network, and it is extremely unnerving to see a soon-to-be mandatory app being exploited in this way.”
    Balakrishnan, though, previously noted that TraceTogether data was not stored on a centralised database, but was “decentralised and encrypted on phones and devices”. This data only would be uploaded when the individual tested positive for COVID-19, the Singapore minister had said.
    Similar concerns about police access to contact tracing data in the UK had prompted the country’s Department for Health and Social Care to say neither the police nor the government would receive any data from its contact tracing app. 
    In a tweet last October, the UK National Health Service said user data of its COVID-19 app was anonymous and the app could not be used to track users’ location, for law enforcement, or to monitor self-isolation and social distancing. The contact tracing app then had clocked more than 18 million downloads since its launch in September.
    Singapore’s TraceTogether app was updated last June to include the registration of passport numbers of foreign visitors, as it reopened its borders. 
    During parliament, Wong had encouraged residents to download the TraceTogether app — rather than use the token — since the former would be updated with new features.

  • in

    Be warned: COVID-19 vaccine scams are now appearing online, over text, and by email

    2020 was a year many of us would like to forget, and as 2021 entered with little of the fanfare usually associated with New Year’s Eve celebrations, the challenge of the COVID-19 pandemic, still, is far from over. 


    Despite surging infection rates worldwide and fresh outbreaks, however, there is hope that vaccines recently approved in some countries, such as the Oxford/AstraZeneca and Pfizer-BioNTech variants, will begin to turn the tide. 
    While we wait with impatience to have our pre-COVID-19 lives and ‘normality’ restored, our place in the vaccine queue depends on a number of factors that vary from country to country: for example, the UK has chosen to vaccinate the highest-risk groups first, such as the elderly, alongside frontline healthcare workers. 
    In Britain, the situation could be best described as confused; letters have been sent to some individuals — but not all in each “group” — informing them that they will be told when their place in the queue comes up, and some appointments for second doses have been canceled in order to provide first-dose protection to as many individuals as possible. 
    There is now a rising sense of urgency due to the new COVID-19 variant that appears to be more easily transmitted. Mass vaccination is no easy task, especially when two separate doses are required — and when you combine millions of people desperately waiting for news and confusion in how vaccine programs are being operated, this becomes a situation that cybercriminals can exploit. 
    Over the past few weeks, scammers and other threat actors have launched their own programs: not for public health, but to steal personal information, conduct identity theft, scam victims, and all with the potential for criminal financial gain. 
    In December, Interpol warned that law enforcement should be prepared to deal with COVID-19-related scams and cybercrime over the coming months. 

    “Criminal networks will also be targeting unsuspecting members of the public via fake websites and false cures, which could pose a significant risk to their health, even their lives,” commented Jürgen Stock, Interpol Secretary-General. “It is essential that law enforcement is as prepared as possible for what will be an onslaught of all types of criminal activity linked to the COVID-19 vaccine, which is why Interpol has issued this global warning.”
    Only four weeks after this alert was issued, Interpol’s scenarios have already come to pass, with both the general public and vaccine supply chains as top targets. 
    What scams are out there?
    Fake products
    The worst is fake vaccines being offered for sale online, which could have a severe detrimental impact on buyer health. Check Point researchers found “coronavirus vaccines” and “coronavirus remedies” for sale through forum posts connected to the Dark Web. Vendors claiming to have access to unspecified COVID-19 vaccines are requesting up to $300 in cryptocurrency. 
    Check Point has also recorded thousands of new website domains recently registered with phrases including “vaccine” and “corona”. In a related study, Interpol found that out of a sample of 3,000 websites appearing to be selling dubious medicines and medical devices, roughly 1,700 contained threats including phishing code and malware.
    Phishing emails
    Sending out fraudulent emails can be performed automatically and with very little effort on the part of cyberattackers and fraudsters. Coronavirus-related phishing emails were in high circulation over 2020 and show no signs of stopping — except, now, some campaigns have pivoted to vaccines as their subject. 
    In some cases, fraudsters will ask recipients to go to a website and fill out a form to secure their place in a ‘vaccine queue.’ Information including names, addresses, Social Security numbers, dates of birth, and potentially medical data may be requested — all of which is Personally Identifiable Information (PII) that could be used to further more elaborate scams and social engineering attacks. 
    It is also possible that cybercriminals will ask for payment to ‘register’ with fake vaccine programs.
    The Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) are now commonly impersonated in phishing emails. You may expect fraudsters to now also impersonate local medical providers and government entities.
    Malvertising 
    If you see any advertisements online related to the COVID-19 outbreak or vaccine that do not come from official sources — such as healthcare providers, government domains, or hubs such as Facebook’s COVID-19 Help Center, which only provides data from official sources — you should ignore them outright. 
    Adverts like this may lead you to fraudulent websites in order to steal PII, financial data, or deploy malware on your PC. 

    At present, vaccines are not being offered privately. Simply put, you cannot purchase a COVID-19 vaccine online in the same way that you can book a flu jab, and any advert or message telling you otherwise is fraudulent. 
    Text messages
    COVID-19-related fraudulent texts have begun making the rounds, with messages claiming that government officials require you to take an “online coronavirus test,” as reported by the Better Business Bureau. Government officials are also being impersonated, and in some samples, criminals are also trying to hook victims by sending SMS messages related to stimulus checks and IRS/tax payments. 
    In the UK, the National Cyber Security Centre (NCSC) has warned of four main SMS scams: 
    Fake government URLs that must be visited to claim coronavirus-related payments
    Lockdown fine notices for breaching stay-at-home rules
    Offers of health supplements to protect you against COVID-19
    Financial support offers that appear to be from your bank
    An SMS-based scam is also in circulation in which messages claim to be from the UK National Health Service (NHS). Recipients are told they have been identified as “eligible to apply for [a] vaccine,” and a link then leads victims to a convincing, but fake, NHS website requesting sensitive personal information.
    Over the phone
    While, perhaps, not as common, some scam artists are cold calling victims directly. In recent cases, the COVID-19 vaccine has been offered by fraudsters over the phone, in which victims are asked to press a number on their keypad to confirm that they wish to have a vaccine — or bank details are asked for directly. 
    Information such as telephone numbers, names, dates of birth, and home addresses that has already leaked online may be used by criminals to appear more authentic when they call. 
    How do I stay safe from COVID-19 scams?
    The first and most important point is to never purchase medical equipment or treatments from unofficial, untrusted sources. Cybercriminals don’t care what sales vector has to be used to make a dollar or two — including exploiting demand for potentially life-saving vaccines — and there is no proof or guarantee that chemical products bought online from third parties are genuine or safe. 
    You should also treat any request for PII, whether made over the phone, via text, or email, very carefully. If there is a shred of doubt that this is genuine — and it is likely to be a scam when communicated in these ways — you should give nothing over. Instead, directly email or phone your local provider, or check official websites for the latest information. 
    Lastly, be wary of clicking links or downloading attachments in unsolicited messages and remember to take a breath before responding to any form of message that tries to elicit panic — such as a claimed vaccine shortage or time-based offer. Grammatical errors, too, are often a red flag for scams.

  • in

    iPhone privacy checklist (2021 edition)

    I’m sure that you carry a lot of data around with you on your iPhone, personal data that you wouldn’t want others to gain access to. While iOS is great at keeping your data secure, it’s a good idea every so often to take the time to check that everything is good and secure.
    There’s no better time to do this than now!
    Strong passcode
    Biometric access using your face or fingerprint is both secure and convenient, but only a strong passcode can keep your data secure.

    No matter whether you use Touch ID or Face ID, you still need a passcode, and the stronger the passcode you can use — and remember! — the better. It really is the cornerstone of your security. If this falls into someone’s hands, they own your iPhone and its data.
    Remember, even if you use biometrics to access your iPhone, the passcode is still there as a backup, so make it a strong one. I also recommend changing it every few months for additional security against shoulder-surfers.
    Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones with the Touch ID button), enter your existing passcode, and then tap on Passcode Options (or Change Passcode if you have this set already) to get a set of options. 

    Choose between Custom Alphanumeric Code (the most secure) or Custom Numeric Code (second-best option). I don’t recommend 4-Digit Numeric Code because it’s easy for shoulder-surfers to see what your PIN code is (it’s also sometimes obvious which four numbers are in use because of the position of the greasy fingerprints on the display).
    While you’re here, scroll down to Erase Data and make sure that’s on.
    After 10 attempts (toward the end there will be a timer-based lockout to slow down the entry process, preventing pranksters from nuking your data), the encryption key will be deleted and your data permanently and securely wiped.
    Use a password manager
    The cornerstone to all good security is having good passwords.
    iOS has a password autofill feature that works with either the built-in iCloud Keychain or third-party password managers such as LastPass, Dashlane, and 1Password. 
    You can find this feature in Settings > Passwords > AutoFill Passwords.
    Enable two-factor authentication for your iCloud account
    One of the best ways to protect your data is to set up and use two-factor authentication. This means that, even if an attacker has your iCloud username and password, Apple will send an authentication code to a device you’ve chosen, which should block most attacks.
    Go to Settings and tap your name at the top of the screen, then go to Password & Security, then choose Two-Factor Authentication.

    Make sure your iPhone is locking itself quickly
    The shorter you set the lock screen timeout setting (there are options ranging from 30 seconds to never), the sooner your iPhone will require authentication to access it. Sure, it can be a bit of a speedbump, but Face ID and Touch ID are pretty fast and smooth.
    This is also a good way to save battery power.
    You can change the auto-lock time by going to Settings > Display & Brightness > Auto-Lock.
    I have mine set to 30 seconds.
    Use Find My
    This is a handy feature to have on if you worry about your device being stolen, or if you are the sort of person who loses things. In these situations, every second counts.
    To activate it go to Settings and then tap your name at the top of the screen, and go to Find My > Find My iPhone.
    From here, you can also check the Send Last Location feature, which sends the location of your device to Apple when the battery is low, allowing you to find it even when the battery is flat, and Find My network, which helps you locate your iPhone even if it is offline.
    Don’t give apps your precise location
    Now you have the option to allow apps access to your general location, but not your precise location. It’s nice to have the choice to use location data without giving a pinpoint location.
    It makes sense for some apps to have your precise location — mapping and navigation, for example, and the Tile app that tracks my stuff — but, for other apps, it might not make sense, and for those, you can tell iOS to give them location data that’s a bit vaguer.
    To access this setting go to Settings > Privacy > Location Services and then check the permissions for the apps that have access to your location.
    Control how much data your locked iPhone can leak
    Control how much — or how little — you want to be accessible on a locked device. 
    iOS gives control over the following:
    Today View
    Notification Center
    Control Center
    Siri
    Reply with Message
    Home Control
    Wallet
    Return Missed Call
    USB Accessories
    The bottom line is that the more you lock down, the more secure your device and data will be. The flip side is that the more you lock it down, the more often you have to unlock your device to see what’s going on. 
    The USB Accessories feature is especially useful because it will prevent the Lightning port from being used to connect to any accessory if your iPhone or iPad has been locked for more than an hour.
    Go to Settings > Face ID & Passcode (or Touch ID & Passcode on iPhones with Touch ID), enter your existing passcode, and then scroll to the bottom of the page to control this.
    It’s also a good idea to secure notifications. While it’s super convenient to have information displayed on the lock screen, remember that this is available to all, so you might want to lock down what’s displayed. 
    To do this, go to Settings > Notifications > Show Previews and change the setting to When Unlocked or Never.

    Don’t give apps access to all your photos
    Photos can be incredibly personal, and now you can choose not to give apps access to all — or for that matter, any — of your photos.
    When an app first requests access to your photos, you get the option to block access, give full access, or access to selected photos.
    And if you change your mind, you can head over to Settings > Privacy > Photos and make changes there. It might be a good idea to go check what permissions you’ve given existing apps and whether you want to make any tweaks.
    Stop your iPhone from being tracked on Wi-Fi networks
    Your iPhone can now dish out a fake MAC address to Wi-Fi routers, which prevents your device from being tracked when using network connections.
    This feature is on by default, and you can find it by going to Settings > Wi-Fi and then tapping the “i” in a circle next to the network.
    Note that while this works fine on most networks, it can cause issues. For example, some smart networks are designed to send out a notification when a new device connects. It can also mess with parental controls or corporate/enterprise networks where permissions are assigned based on MAC address (it’s not recommended to use MAC address for authentication, but it happens).
    If you have problems with certain Wi-Fi networks, you may have to turn this feature off.
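    For administrators who run into the MAC-based permission problem described above: a private Wi-Fi address can be recognized because it is a unicast address with the locally administered bit set in its first octet. The following is an added example, not part of the original article; the allowlist, client names and addresses are constructed sample data.

```python
import re

# Constructed sample data: a MAC allowlist and clients seen by the access point.
ALLOWLIST = {"3c:22:fb:10:20:30", "a4:83:e7:aa:bb:cc"}
OBSERVED = [
    ("alice-iphone", "3C-22-FB-10-20-30"),  # hardware address, on the allowlist
    ("bob-iphone", "d6:5e:1f:00:12:9a"),    # private address (second hex digit 6)
    ("carol-ipad", "7a5e.1f00.129b"),       # private address, dotted notation
    ("printer", "00:1b:63:84:45:e6"),       # hardware address, not on the allowlist
    ("garbage", "not-a-mac"),               # malformed entry
]

def normalize(mac):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit (0x02) is set and the multicast bit (0x01) is clear."""
    first = int(mac[:2], 16)
    return bool(first & 0x02) and not (first & 0x01)

def triage(observed, allowlist):
    """Classify each client as allowed, randomized, unknown or invalid."""
    allowed = {normalize(m) for m in allowlist}
    result = {}
    for name, raw in observed:
        mac = normalize(raw)
        if mac is None:
            result[name] = "invalid"
        elif mac in allowed:
            result[name] = "allowed"
        elif is_locally_administered(mac):
            # A randomized address can never match a hardware-address allowlist.
            result[name] = "randomized"
        else:
            result[name] = "unknown"
    return result

if __name__ == "__main__":
    for name, verdict in triage(OBSERVED, ALLOWLIST).items():
        print(f"{name:14} {verdict}")
```

    Clients reported as randomized are the ones for which the feature would need to be turned off on that network, or, better, the network moved away from MAC-based permissions.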
    Use hardware authentication
    I’m a big believer in using hardware authentication, which is why I recommend using something like the Yubico YubiKey. 
    Get one and use it. 
    Install a security app
    I’ve been using iVerify for a few months, and it offers intelligent suggestions for securing iOS.
    What’s that green/orange dot at the top of your screen?
    A green dot appears when the camera is accessed (similar to the green LED that lights up on Macs when the camera is on), and an orange dot for microphone access. It’s a handy indicator for misbehaving apps.
    Not sure what app is switching on the camera or microphone? Head over to Control Center, and you’ll see a notice at the top showing you the most recent app that has accessed the camera or microphone.
    Use a VPN, especially if you use free Wi-Fi
    Do you spend a lot of time using free Wi-Fi when out and about? If you do then you really need a VPN.
    A VPN (virtual private network) allows you to create a secure connection between your device and the VPN service provider’s server, allowing you to browse the web securely and without others being able to snoop on what you are doing.
    There are a lot of VPN providers out there to choose from, but if you are looking for a recommendation, my choice is F-Secure’s Freedome VPN.