More stories

  • in

    The good and the bad with Chrome web browser's new security defaults

    First, the good news. Starting with the mid-April release of Google’s Chrome 90 web browser, Chrome will default to trying to load the version of a website that’s been secured with Transport Layer Security (TLS). These are the sites that show a closed lock in the Chrome Omnibox, what most of us know as the Chrome address (URL) bar. The bad news is that just because a site is secured by HTTPS doesn’t mean it’s trustworthy.

    A few years ago, WordFence, a well-regarded WordPress security company, found that SSL certificates are being issued by certificate authorities (CA) to phishing sites pretending to be other sites. Because the certificates are valid, even though they’re operating under false premises, Chrome reports these sites as being secure. True, the data sent along that connection is secure, but safe? I think not!

    Of course, CAs shouldn’t issue bogus security certificates. Unfortunately, it happens. In a perfect example of “Why we can’t have nice things,” it’s been revealed that Let’s Encrypt, the free, open, and automated CA, had been used to create thousands of SSL certificates for phishing sites illegally using “PayPal” as part of their name. It’s not just PayPal. Google, Microsoft, and Apple have also had their names taken in vain by phishers.

    It’s also not just that the CA process can be abused. Paul Walsh, founder and CEO of the zero-trust security company MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, sees many other problems with our naïve belief that HTTPS alone is enough to secure our internet connections. Walsh tweeted, “When DNS-based security services were first introduced, most of the web wasn’t encrypted, and threat actors didn’t use trusted domains like Google, Microsoft, GitHub, et al. So they were effective in the past, but less effective today.”

    When the leading free CA, Let’s Encrypt, began in 2015, less than a fifth of websites were secured by HTTPS. Today, 82.2% of sites are covered. That was then. This is now. And there are other problems.

    First, Walsh believes that what Google is doing is “great in theory, but their execution sucks. I think it’s unethical for a single company that represents a single stakeholder to railroad what they think is the right thing for every website creator and every person that uses the web.” Walsh isn’t the only one who feels that way. While many people think of this as a small, but real, step forward in web security, others think, “Forcing https on people’s throats is a stupid idea.”

    Besides, as Walsh observed in his analysis of website security, “the basic [URL] padlock is designed to tell users when their connection to a website is encrypted. A padlock doesn’t represent anything related to trust or identity. Browser designers didn’t do a good job with the design of their UI. They should have made website identity more obvious — such as a separate icon on the toolbar — making it completely separate to the padlock.”

    In other words, you can be “safely” connected to a site that’s pretending to be the real Amazon, eBay, or PayPal. That’s a fail.

    This happens not just because of the fake sites with real HTTPS certificates. Walsh points out that Modlishka attacks create a reverse-proxy between you and the website you want to visit. It looks like you’re connected to the real thing because you get authentic content from the legitimate website, but the reverse-proxy is silently redirecting all your traffic to and from the Modlishka server. Thus, your “credentials and sensitive information such as a password or crypto wallet address entered by the user are automatically passed on to the threat actor. The reverse proxy also asks users for 2FA tokens when prompted by the website. Attackers can then collect these 2FA tokens in real-time, to access the victims’ accounts.”

    Ouch.

    Besides that, Walsh is not at all convinced that free and easy HTTPS certificates are a good thing at all. Walsh wrote, “The volume of cyberattacks that use automatically issued free DV certificates has weakened the Trusted Computing Base (TCB) of the internet in my opinion. And free DV certificates are an existential threat to the safety and wellbeing of society.”

    The answer? According to Walsh, CAs should:

      • Tighten up their identity verification processes.
      • Reduce the cost, time, and effort of acquiring identity verification.
      • Browser vendors should design a meaningful icon for identity verification for the browser toolbar — away from the padlock.
      • Browser vendors should improve the user experience so websites’ real identity is intuitive.

    Then, and only then, will the web be well on its way to being truly secure.

  • in

    Best Windows and Mac backup software in 2021

    Now that you’re finally serious about backing up your Windows PC or Mac, you’ve probably figured out that the backup software included with your preferred operating system just isn’t going to cut it.

    Sure, you can use the built-in tools (Time Machine on a Mac or File History on Windows 10), if you’re willing to settle for a limited feature set with few options outside the standard settings. But replacing those default utilities with one of these third-party alternatives unlocks a wide range of useful features and capabilities that can save you time and disk space, not to mention helping you sleep better.

    Backup software features to look for

    On the backup side, these are the features that matter most:

      • The ability to create a disk image that can restore the entire contents of a PC or Mac, so you can recover quickly after a disk crash or other data disaster
      • Ongoing backups that can save your work daily, hourly, or in real-time, so you never risk losing important work
      • Protection from ransomware attacks
      • The option to save backup files on a local drive, on a network server, or in the cloud

    And when the day arrives that you have to call on those backups to recover your files, a good backup program will allow you to quickly mount that backup image as a virtual drive to retrieve individual files or folders. Or you can boot from recovery media to restore an entire image.

    Those backup files come in handy even if you didn’t have a data catastrophe. Good backup software offers an effortless way to migrate your PC or Mac when you upgrade to a new device, allowing you to be productive immediately without having to reinstall apps or re-create settings.

    How we chose

    You might be startled by just how many third-party backup products there are to choose from. We were even more surprised by the sheer number and complexity of purchase and subscription options for those products.

    Those that offer a free version try (sometimes very aggressively) to upsell you to one of their paid plans, which typically come in multiple tiers, in home and commercial versions, and with varying discounts for longer subscription terms and multiple licenses. Getting all the bells and whistles you think you need, especially if you have multiple devices to protect, can run up a pretty hefty bill.

    All the products we’ve included here have a good reputation, as evidenced by comments on public forums and reviews from trusted sources. It’s worth noting that backups can fail for a variety of reasons, usually at the worst possible time, so we’ve given extra marks to companies that offer easily accessible support options.

    The most important feature we looked for is the ability to create a backup image that can be stored on a local drive (typically USB or network storage). Some programs also offer the ability to back up to the cloud. We’ve highlighted those programs for the benefit of those who have that combination of manageable data sets and high bandwidth that make an all-cloud option feasible. We didn’t include products like Carbonite, which are exclusively focused on cloud-based backup.

    Other important features we looked for include easy options for restoring a single file or folder from a backup set, as well as robust scheduling and reporting options.

    As always, this listing doesn’t represent a full hands-on review. We didn’t stress-test these apps, and we encourage you to do your own testing to ensure that the backup and restore features (especially the latter) meet your standards for ease of use and robustness.

    A solid free version, with a vast array of upgrade options

    The free version of Macrium Reflect 7 is surprisingly robust, offering solid imaging and cloning capabilities that are licensed for use in home and business environments. The resulting images can be browsed in Windows Explorer or mounted instantly in a Hyper-V VM.

    You’ll need to upgrade, though, if you want to add file/folder backups to the mix, or encrypt your backups, or create space-saving incremental backups. The Home and Workstation versions ($70 and $75 per PC, respectively, with discounts for multiple licenses) also add protection against ransomware attacks.

    The company also offers Server and Server Plus editions as well as a specialized Technicians edition ($799) that allows IT pros to create snapshots of an unlimited number of PCs or servers using a USB flash drive instead of installing the software to each PC.

    Would you like security software with your backups?

    Acronis is one of the best-known names in backup, with its flagship True Image product recently celebrating its 18th birthday. The latest version, True Image 2021, is available on Windows PCs and MacOS and offers a wide range of antimalware features in addition to the familiar backup tools.

    True Image 2021 is offered in three subscription editions. The entry-level Essential package ($50 per year) does disk imaging and file backups to local and network destinations. For cloud backup, you’ll need to upgrade to the pricier Advanced or Premium editions ($90 and $125 per year, respectively), which offer 500 GB or more of cloud storage in Acronis’s protected data centers. All three editions include incremental and differential backups as well as non-stop backups.

    Acronis doesn’t offer a free version of True Image, although you can try it out for free for 30 days without having to supply a credit card.

    The free edition comes with incessant upsell offers

    EaseUS Todo Backup comes in three editions, including a free offering that covers most of the backup bases. You can back up an entire system, a specific disk, or data locations of your choosing. And you can send that backup file to a local drive, a network location, or one of three popular cloud locations: Dropbox, OneDrive, and Google Drive.

    If you choose the free option, however, be ready for constant reminders that the company really wants you to upgrade to one of its paid products. Those reminders include pop-up notifications and orange reminders in the user interface that specific features aren’t available to you.

    Those paid upgrades are primarily available as subscriptions, at a yearly cost of $30 per PC for the Home edition and $39 for Pro. With the home upgrade, you lose the upsells and get the ability to transfer a system to a new PC. The Pro edition includes a Smart Backup feature that runs every half-hour to capture recent changes.

    Surprisingly sophisticated and free for home use

    Paragon’s Backup & Recovery Community Editions are free for home use, but you’ll need a license if you want to use them for commercial purposes or as part of a business network joined to a domain. The free edition includes versions for Mac and Windows as well as Backup for Hyper-V Host, which does full backups and one-click restores of virtual machines in non-production environments.

    The Backup & Recovery version 17 interface is easy to use, with options to schedule full system backups with incremental or differential updates as well as data backups focusing on key locations. Those backup features are part of a larger paid product, Paragon Hard Disk Manager 17, which costs $80 for a home version covering three PCs or $99 for a single business license. The full product also includes advanced partitioning tools, drive migration features, and disk wiping methods.

    Pro and EZ options available

    NTI’s website has the old-school look you’d expect from a company that has been around since Windows 95 was still new and fresh. For Windows, you can take your choice of NTI Backup Now Pro and NTI Backup Now EZ, with list prices of $70 and $50, respectively. For Mac users, the complete backup solution is NTI Shadow 5 for Mac, which lists for $40 for a single license. There’s no free edition, but you can get a 30-day trial, and the company is aggressive with discounts.

    NTI Backup Now Pro offers a full range of backup options, with file backups, drive imaging, and cloud backups using Microsoft Azure. A Continuous Backup option (not available on Backup Now EZ) ensures that work you do between scheduled backups is protected.

    It’s worth noting that NTI has a warning on its product page that its complete system restore operation isn’t compatible with “some tablet PCs (e.g. Microsoft’s Surface Pro tablets).” This warning appears to be outdated but it should be a red flag for anyone whose primary PC fits that description.


  • in

    Severe vulnerabilities patched in Facebook for WordPress Plugin

    Two severe vulnerabilities have been patched in the Facebook for WordPress Plugin.

    Disclosed by the Wordfence Threat Intelligence team this week, the bugs impact Facebook for WordPress, formerly known as Official Facebook Pixel. The plugin, used to capture user actions when they visit a page and to monitor site traffic, has been installed on over 500,000 websites.

    On December 22, the cybersecurity researchers privately disclosed a critical vulnerability to the vendor which has been issued a CVSS severity score of 9. The vulnerability, described as a PHP Object injection, was found in the run_action() function of the software. If a valid nonce was generated — such as through the use of a custom script — an attacker could supply the plugin with PHP objects for malicious purposes and go so far as to upload files to a vulnerable website and achieve Remote Code Execution (RCE). “This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness,” the team says.

    The second vulnerability, deemed of high importance, was discovered on January 27. The cross-site request forgery security flaw, which leads to a cross-site scripting issue, was introduced accidentally when the plugin was rebranded.

    When the software was updated, an AJAX function was introduced to make plugin integration easier. However, a permissions check problem in the function opened up an avenue for attackers to craft requests that could be executed “if they could trick an administrator into performing an action while authenticated to the target site,” according to Wordfence.

    “The action could be used by an attacker to update the plugin’s settings to point to their own Facebook Pixel console and steal metric data for a site,” the team says. “Worse yet, since there was no sanitization on the settings that were stored, an attacker could inject malicious JavaScript into the setting values.” Malicious JavaScript could, for example, be used to create backdoors in themes or create new admin accounts for hijacking entire websites.

    The reports were accepted by Facebook’s security team and a patch for the first vulnerability was released on January 6, followed by a second fix on February 12. However, the patch for the second bug required tweaking and a full fix was not published until February 17.

    Both vulnerabilities have been fixed in version 3.0.4, and so it is recommended that webmasters update to the latest available version of the plugin, which is currently 3.0.5.

    ZDNet has reached out to Facebook for comment and we will update when we hear back.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • in

    Four out of five companies say they've spotted this cyber-attack. Plenty still fall victim to it

    Two in five businesses have experienced a cyber attack over the course of the last year, with one particular threat by far the most commonly faced.

    And the rise in remote working coupled with a slight drop in organisations using security monitoring tools to identify abnormal activity could mean that the actual number of organisations which have fallen victim to cyber crime is higher. They just don’t know they’ve been compromised yet.

    The figures are detailed in the annual Cyber Security Breaches Survey from the Department for Digital, Culture, Media and Sport (DCMS), which shows how businesses approach cybersecurity and the impact of attacks.

    The 2021 report comes following a year where organisations had to quickly adapt to remote working, potentially heightening cyber risk as employees were no longer protected behind corporate firewalls, but were instead working from their own homes.

    Over 80 percent of organisations which identified cyber attacks during the last year were targeted by phishing emails, with cyber criminals using malicious messages in efforts to drop malware or coerce people into clicking on malicious links.

    Just over a quarter of organisations identified email attacks where attackers were impersonating people or businesses online – this could either be an attempt to steal credentials, or trying Business Email Compromise attacks, where cyber criminals attempt to trick employees into making large financial transfers, often pretending to be an important business deal or contract.

    Email has long been a common means of conducting cyber attacks, but the shift towards remote work over the last year means people are more reliant on it for workplace collaboration. The report suggests that this could be why some businesses aren’t able to identify cyber attacks or data breaches.

    Just over one in twenty organisations say they’ve identified an attempted ransomware attack.

    While the majority of organisations which have identified a cyber attack have attempted to take action, including providing additional staff training, updating antivirus software, changing firewall configurations or installing other new software, just over a third didn’t take any action at all after detecting an incident.

    The report also notes that there’s been an increase in organisations which have taken out some form of cyber insurance in order to help cover the financial costs associated with cyber attacks.

    The report makes several recommendations to organisations in order to ensure their networks are secure and resilient to cyber attacks. These include protecting accounts with multi-factor authentication and boosting staff awareness around cybersecurity issues with training. The report also recommends that organisations take more action around supply chain risk management, so there’s greater protection against attacks which might attempt to exploit the supply chain as a means of network access.

    “It is important for organisations, management boards and IT teams to recognise that good cyber security facilitates better business resilience. This has not always been appreciated during the pandemic, when the focus on short-term business and IT service continuity has sometimes overshadowed discussions on cyber security,” said the report.

    “When emerging from the pandemic, there may be an opportunity for cyber security teams to reframe these discussions, to show that cyber security is an integral component of business resilience,” it concluded.

  • in

    Cloudflare launches Page Shield to thwart Magecart card skimming attacks

    Cloudflare has launched a new web security offering to prevent Magecart-style attacks. 

    Magecart is an umbrella term used to describe JavaScript-based, card-skimming attacks. Legitimate websites and e-commerce platforms containing vulnerabilities — such as in a back-end content management system (CMS) or third-party script dependencies — are exploited, JavaScript code is embedded in e-commerce-related pages, and then any payment card information submitted to these pages is harvested and sent to attackers.

    Countless companies have fallen, and continue to fall, prey to Magecart attacks. Past victims include British Airways, Ticketmaster, Newegg, and Boom! Mobile.

    “These attacks are challenging to detect because many application owners trust third-party JavaScript to function as intended,” Cloudflare says. “Because of this trust, third-party code is rarely audited by the application owner. In many cases, Magecart attacks have lasted months before detection.”

    To combat this issue, on Thursday, Cloudflare debuted Page Shield, a client-side security solution.

    The Script Monitor feature, included in Page Shield, checks third-party JavaScript dependencies and records any new additions over time.

    Script Monitor, currently in Beta and found under the Firewall section of customer dashboards, also adds a Content-Security-Policy-Report-Only header to content passing through Cloudflare’s network.

    When JavaScript attempts to execute, browsers will send reports back to the company which are checked to see if there are any new changes — and then customers are alerted so they can “investigate and determine whether the change was expected,” Cloudflare says.

    The company is also working with cybersecurity partners to obtain Magecart JavaScript samples. Eventually, it is hoped that Page Shield will be accurate enough to alert clients when dependencies appear to be malicious.

    Business and Enterprise customers can now sign up to access the Page Shield closed beta.

    Earlier this week, the company introduced Cloudflare Browser Isolation, a zero-trust browser system for protecting the remote workforce — and the organizations they work for — from threats by creating a gap between active browsing sessions and end-devices.
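    The report-and-compare loop that Script Monitor is described as running can be sketched as follows. This is an added example, not Cloudflare's code: the policy value, the /csp-report endpoint, the ScriptMonitor class and the sample reports are assumptions constructed for illustration; the report fields follow the standard CSP report-uri JSON format.

```python
import json
from urllib.parse import urlsplit

# Assumed header (the article does not give the policy): report-only, so nothing
# is blocked, but strict enough that every script load produces a report.
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: script-src 'none'; report-uri /csp-report"
)


def normalise(uri):
    """Reduce a reported URI to scheme://host/path; keep keywords such as 'inline'."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return uri.strip().lower()          # 'inline', 'eval', 'data', ...
    # The query string is dropped so cache-busting parameters do not raise alerts.
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"


def parse_report(body):
    """Return (page_host, script_source) for a script-src report, else None."""
    try:
        report = json.loads(body)["csp-report"]
        directive = report.get("effective-directive") or report["violated-directive"]
        page, blocked = report["document-uri"], report["blocked-uri"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                         # malformed or unrelated POST body
    if not all(isinstance(v, str) for v in (directive, page, blocked)):
        return None
    if not directive.startswith("script-src"):
        return None                         # img-src, style-src, ... are ignored
    host = urlsplit(page).netloc.lower()
    if not host or not blocked:
        return None
    return host, normalise(blocked)


class ScriptMonitor:
    """Learn which scripts each site loads, then flag additions once."""

    def __init__(self):
        self.baseline = {}                  # page host -> set of script sources
        self.learning = True

    def ingest(self, body):
        parsed = parse_report(body)
        if parsed is None:
            return None
        host, script = parsed
        known = self.baseline.setdefault(host, set())
        if script in known:
            return None
        known.add(script)                   # alert only once per new script
        if self.learning:
            return None
        netloc = urlsplit(script).netloc
        return {"host": host, "new_script": script,
                "third_party": bool(netloc) and netloc != host}


def _report(page, blocked, directive="script-src-elem"):
    """Build one constructed sample report in the report-uri JSON shape."""
    return json.dumps({"csp-report": {
        "document-uri": page, "blocked-uri": blocked,
        "effective-directive": directive,
        "original-policy": "script-src 'none'; report-uri /csp-report"}})


# Constructed sample data: shop.example and the script hosts are placeholders.
LEARNING = [
    _report("https://shop.example/", "https://shop.example/static/app.js"),
    _report("https://shop.example/checkout", "https://cdn.example/lib.js?v=3"),
]
LIVE = [
    _report("https://shop.example/checkout", "https://cdn.example/lib.js?v=4"),
    _report("https://shop.example/checkout", "https://stats-collector.example/c.js"),
    _report("https://shop.example/checkout", "https://stats-collector.example/c.js"),
    "not json at all",
    _report("https://shop.example/checkout", "https://img.example/a.png", "img-src"),
    _report("https://shop.example/cart", "inline"),
]


def demo():
    """Replay the learning window, then return the alerts raised by LIVE."""
    monitor = ScriptMonitor()
    for body in LEARNING:
        monitor.ingest(body)
    monitor.learning = False
    return [alert for body in LIVE if (alert := monitor.ingest(body))]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

    Violation reports are unauthenticated POSTs from browsers, so an alert from a monitor like this is a prompt to review the change rather than proof of compromise.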

  • in

    Microsoft Teams now has its own bug bounties for researchers who can spot security flaws

    Microsoft Teams has become a core platform in the new ‘work from home’ era and, reflecting its growing importance, Microsoft has launched a bug bounty rewards program for researchers who find security flaws in its desktop software. Microsoft is offering up to $30,000 to security researchers in its Teams bug bounty with “scenario-based awards for vulnerabilities” if they have a big impact on customer privacy and security. Rewards start at $6,000.

    The top reward reflects the growing importance of Microsoft Teams, which has 115 million daily active users.

    The bug bounty only applies to the Microsoft Teams desktop client, which is available for Windows 10, macOS and Linux. The bounty does not apply to the Teams app for desktop browsers or the native mobile apps for iOS and Android.

    The $30,000 reward is available for researchers who can clearly outline a remote code execution bug using native code in the context of the current user with no user interaction. Microsoft is also offering $15,000 for a bug that allows an attacker to obtain authentication credentials for other users, but phishing is excluded.

    It’s offering $10,000 for cross site scripting (XSS) flaws or other remote code injection that allows an attacker to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction. The same amount is available for researchers who can demonstrate a way to elevate privileges in a way that hops over the Windows and user boundary.

    The $6,000 reward is available for researchers who find an XSS or other “code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction.”

    Microsoft is also offering general bounty awards for the Teams desktop app that fall outside the scenario-based awards, with rewards ramping up to $15,000.

    Teams in the browser continues to fall under the Online Services Bounty Program.

    Teams rival Zoom last year revamped its own bug bounty program with Luta Security.

  • in

    This company was hit by ransomware. Here's what they did next, and why they didn't pay up

    It started out as a normal Thursday for Tony Mendoza, senior IT director at Spectra Logic, a data storage company based in Boulder, Colorado. And then the ransomware attack began. “We got some notifications of some system failings and it quickly turned into a lot of unrelated systems failing, which is really abnormal,” says Mendoza. He realised that the company was under attack – and that its files were being encrypted.

    “When it hit, we ran to our server room and data centre and started pulling plugs out so it couldn’t propagate itself – which brought our entire infrastructure down,” he says.

    In total, three-quarters of the production environment was compromised with ransomware. The hackers left a ransom note demanding a payment of $3.6 million in bitcoin in exchange for the decryption key.

    “Figuring out what it was was fairly simple, because they tell you who they are, and they tell you where to send the money. It was NetWalker because it said so in the ransomware letter,” explains Mendoza.

    Another problem: the attack came in May 2020, when many employees had just started to work remotely because of the COVID-19 outbreak, so there was no way of easily communicating what was going on outside the building.

    Despite that, the IT team had to assess the damage that had been done and what the options were for getting data back – if it was going to be possible at all. There was some hope – the company had backups, which were separate from the rest of the network and safe from the incident.

    “We’re still under attack, we’re still trying to stop the bleeding, we still don’t know what the extent of the damage was – but we knew we had data to work with,” says Mendoza.

    Every organisation that falls victim to a ransomware attack ultimately has to face one major question – do they give in to the ransom demand in order to retrieve their data?

    Cybersecurity companies and law enforcement agencies around the world argue against giving in to extortion surrounding ransomware attacks, because not only does it hand over hundreds of thousands or even millions of dollars in bitcoin to criminals, it proves that the attacks work, which encourages ransomware attackers to continue with campaigns.

    However, some victims feel as if they’ve got no choice and they’ll pay the ransom, perceiving it to be the quickest and easiest way to get their data returned and the network back up and running – although that isn’t without issues. There are instances where attackers have either taken the money and run, or taken the ransom then just returned with a second attack.

    Spectra Logic had cyber insurance, which could potentially have covered the cost of paying the ransom. That might have been the simpler short-term decision for restoring the network, but it was quickly decided that with the backups still available, Spectra Logic wouldn’t give in to the ransom demand. So instead of communicating with the cyber criminals at all, Mendoza contacted the FBI.

    “I went from being in a panic to being reassured by them that they’d seen it before, we’re not alone in this and they’re going to put tools in place to start protecting us. That was the biggest thing, getting protected,” he explained.

    The FBI also assigned a specialist team to help Spectra Logic deal with the immediate fallout from the attack over the course of the days that followed.

    Attempting to restore the network turned out to be a 24/7 job for the small team over the course of the following week. For much of that time, people were sleeping at the office in order to have the most time possible to focus on restoring the network.

    “From the Thursday morning, we spent 24 hours every day for the next five days working on this – we slept in shifts. Three of us would work through the night while two people slept for a few hours,” said Mendoza. “There was no leaving and coming back, it was go sleep on the couch in case we need you. It was five days of all hands on deck.”

    As well as this, he was having to provide the board with updates on the ongoing situation. They wanted answers about when the network was going to be restored and when business was going to be back to normal.

    “I’m dealing with leadership in the company and I don’t want to lie to them and say I know when it’ll be up – I had to tell them I don’t know what’s going on or when systems will be up,” he says.

    It took days of working around the clock but eventually the IT department, with the aid of cybersecurity specialists, was able to restore some functionality to the network a week after the ransomware attack, without paying out to the attackers.

    “Our cybersecurity team provided us with the expertise and tools, monitoring and logging to get the threat out of our system. Monday morning they give us a green light; it’s done, they’ve stopped it and removed it,” Mendoza remembers.

    “The FBI told us we’re going the hard way, but the right way – and it ended up being the easy way when we came back and said we were back up eight days later; it was shocking for them,” he added.

    But it didn’t mean everything was immediately back to normal – it took weeks more to bring back systems that weren’t critical to the business, and during that whole time careful attention was required just to make sure the attackers hadn’t somehow managed to spread the ransomware again, which meant constantly monitoring all activity on the network for another month.

    A lot of ransomware attacks never become public knowledge, and examples of companies that go into detail about what happened are still few and far between. But Mendoza says it’s important to be transparent about dealing with a ransomware attack, because it’s important to show that it is possible to recover from an attack without lining the pockets of cyber criminals.

    “What we realised was we protected our data and there’s a way to thwart ransomware. We couldn’t find public information when we were looking for it, so we wanted to make it a common thing, that it’s okay to talk about being impacted by ransomware,” he said.

    So what is the key lesson Mendoza would say that other organisations need to take away from Spectra Logic’s experience? It’s to back up your systems – and do so offline – so, if the worst happens and the organisation falls, you still have backups offline.

    “You’ve got to limit your attack blast radius. Backup your data in multiple locations on multiple mediums and the key is to air-gap it. Whether it’s physical air-gap or virtual air-gap, you’ve got to put a wall between an attack and your data,” he said.

    And how did the company end up falling victim to a ransomware attack in the first place? Analysis of the incident revealed a phishing email sent to an employee working from home was how hackers gained their initial access to the network.

    In the aftermath of the ransomware attack, Spectra Logic has worked to improve its cybersecurity culture, both on-site and for remote workers, in an effort to learn from the incident. The company is now actively looking for potential cybersecurity threats that might have been missed before.

    “Initially after the attack, when the wounds were fresh, we talked about security. Six months later, we’re still concerned about security and we’re more aware of phishing attacks. We were kind of complacent before,” he says: now staff will notify him if a phishing email isn’t picked up by the malware system. “There’s more awareness now.”


  • in

    University students refunded for false ads touting job opportunities with Microsoft, Twitter

    The Federal Trade Commission (FTC) has sent millions of dollars in refunds to students affected by allegedly false University of Phoenix ads claiming partnerships with major tech firms. 

    According to the US regulator, the University of Phoenix (UOP), an online university, “falsely touted its relationships and job opportunities with companies such as AT&T, Yahoo!, Microsoft, Twitter, Adobe, and the American Red Cross” in allegedly “deceptive” advertisements.

    Furthermore, the FTC alleges that UOP, together with parent company, Apollo Education Group, claimed its curriculums were tailored with these partnerships in mind to give its students a better chance to secure a job with one of these companies.

    According to the FTC, some ads specifically targeted “military and Hispanic consumers,” including veterans and military spouses.

    “In reality, these companies did not partner with UOP to provide special job opportunities for UOP students or develop curriculum,” the FTC claims. “Instead, UOP and Apollo selected these companies for their advertisements as part of a marketing strategy to drive prospective student interest.”

    So far, over 147,000 students have been sent close to $50 million in refunds.

    Students enrolled in bachelor’s, master’s, or associate’s degrees between October 15, 2012, and December 31, 2016, could be eligible to claim if they paid more than $5,000 in fees and did not receive debt cancellation from the FTC’s prior settlement with UOP.

    The settlement, which in total has been agreed for $191 million, includes close to $141 million to settle unpaid balances owed by students eligible to have their debts cleared due to the lawsuit.

    UOP and the FTC originally settled the allegations in 2019. The university was required to pay $50 million in cash — which is now on its way to students — as well as wipe existing student debt.

    ZDNet has reached out to UOP and we will update when we hear back.