
Peter Cavicchia


Why ‘E-Waste’ Is a Big Cybersecurity Concern

January 20, 2022 Pete Cavicchia

Out with the old, in with the new — now that we are into a new year, a lot of people are thinking about clearing out technology they might no longer need. From now-obsolete laptops to cellphones and tablets, 2022 might be the time we dispose of devices that don’t fit seamlessly into our day-to-day lives.

In fact, the United Nations reports that 53.6 million metric tons of “electronic waste” was created by the world’s population in 2019, as cited by IEEE Spectrum. Additionally, just 17 percent of this electronic waste was recycled. This means all of that leftover technology creates a serious hazard for both public health and cybersecurity.

The perils of ‘e-waste’

IEEE Spectrum spoke with ERI CEO John Shegerian about the perils of this e-waste.

Shegerian, who as the chief executive of ERI presides over one of the globe’s largest electronics disposition providers, recently published a book called The Insecurity of Everything: How Hardware Data Security is Becoming the Most Important Topic in the World. In the wide-ranging interview, Shegerian said that this waste is the world’s “fastest-growing waste stream by an order of magnitude.”

While this poses huge environmental threats, it also sheds light on serious cybersecurity vulnerabilities. Many of the devices people simply throw in the trash contain highly sensitive data that could fall into the wrong hands. Shegerian said we need to reorient our perspective and dispose of data the way we dispose of sensitive physical paper documents.

“Really in 2012, I started speaking to companies about the need to ‘shred’ data the way they shred sensitive papers, they look at us like we were green Martians,” he said in the interview.

Now, people are more receptive to his warnings. He said a big push behind writing his book was to hammer home, both to the global firms he works with and to individuals, just how “ubiquitous” everyone’s technology is. It’s everywhere, and that means data is often left exposed.

“They weren’t really sold on the hardware data destruction part” of device disposal, Shegerian said of people’s initial embrace of the environmental threat of “e-waste” over cybersecurity concerns.

What you should know

“I once had a big, big bank call me up: ‘John, we’ve had a breach, but we don’t believe it’s phishing or software. We think it came from hardware.’ I go out there and it turns out one of their bankers threw his laptop in the trash in Manhattan and someone fished it out,” he said. “On that laptop was information from the many clients of the entire banking firm—and the bank’s multi-billion-dollar enterprise. The liability, the data … God, just absolutely priceless. If it got into the wrong people's hands, the ransom that could have been extracted was truly of huge magnitude.”

Recommendations for the average reader are clear. If you trade in an old device to a retailer, make sure you vet them first.

Confirm that all of your data will be destroyed before they attempt to resell your phone or computer. If you plan on disposing of an old tablet or computer, remove old apps and delete sensitive photos and connected accounts — make sure no trace of your past activity is easily accessible to third parties.

As you make way for new technology, be sure to keep your data protected.

Tags Electronic Waste, IEEE Spectrum, John Shegerian

Everything You Should Know About Home Security Camera Threats

January 4, 2022 Pete Cavicchia

While a big focus of 2021 has been on cybersecurity and all of the threats posed to everything from personal smartphones, to company email accounts, to major government systems, it’s easy to overlook the seriousness of one’s physical security.  

Today there are countless ways to protect your home or your business, with a wide range of high-quality security cameras and systems designed to keep you, your loved ones, your company, and your valuables safe and secure. Of course, in our age marked by Internet-connected devices, the threat of hackers is hitting even our security systems.

David Priest and Taylor Martin of CNET present a comprehensive overview of ways in which your home security cameras might be vulnerable to hacks — and ways you can mitigate that risk:

  • What vulnerabilities exist: As with most Internet-connected devices, security cameras should always be updated whenever a security patch comes along. Martin and Priest note that cameras from major developers like Wyze and Google Nest come with high-end, sophisticated encryption. To make the best use of these capabilities, you should be vigilant when an app or security update comes along.

When a technician arrives to make a repair, the industry standard at companies like ADT and Comcast is to “simply limit the actions technicians can take while assisting customers” to make sure no one compromises your system or data.

In short, update your software and be aware of what policies your security company has for third-party interactions with your device and data.

  • What threats are out there: Aamir Lakhani, a security expert at FortiGuard, told CNET that hackers can get hold of your camera locally if they are within range of the Wi-Fi network the camera uses. If they access the network, this could be a serious problem, especially if you have an older camera installed that might not come with the most modern encryption protections.

Lakhani added that remote hacks pose a graver threat. A data breach of the security company at large could compromise your login credentials.

One safeguard against the damage a compromised password could cause is common-sense cybersecurity etiquette: Don’t reuse your password across devices and accounts. You don’t want someone to hack into your security camera as well as get access to your bank account because you use the same password for both.

  • Detecting a hack: It might be very easy to be hacked and have no idea it occurred. Lakhani told CNET that if your camera’s feed seems interrupted or isn’t working properly, you may have been compromised. This might also be a flaw in the technology. If something seems off, contact your security camera provider right away and make sure your system hasn’t been hacked.

Tags Home security cameras, camera hacking

Automating the Cybersecurity Vetting Process Between Businesses and Vendors

December 20, 2021 Pete Cavicchia

The COVID-19 pandemic has certainly presented businesses across all sectors with significant challenges. Now — more than two years into the global pandemic — as companies continue to be creative in how they grow and generate profits, proving cybersecurity preparedness is becoming a key component of how to make a modern-day business thrive.

When a business works with third-party vendors, it can sometimes cause an administrative headache of making sure everyone complies with the company’s given cybersecurity protocols.

Hen Amartely writes in CPO Magazine about current solutions that have been devised to automate third-party security risk evaluations before a company decides to bring them into the fold. This more efficient process benefits both businesses and their vendors. 

“Sales cycles can either make or break business growth; the longer the sale cycle, the less likely a deal will close, with dire consequences on pipeline and revenue,” Amartely writes. “When sales cycles are dragged out as a direct result of complicated cybersecurity risk assessments, business can be lost. That is why sales cycles need to be kept as short and efficient as possible. The best way to do this is to have an efficient cybersecurity assessment process in place.”

Amartely explains that when being vetted through a company’s cybersecurity assessments, vendors typically are put through a long, drawn-out process that gives them less time to turn a profit and maximize a sales cycle. The security team for a vendor might have to answer long, repetitive questionnaires that come with a string of follow-up emails. She adds that fractures in morale might exist between the sales team and cybersecurity professionals within a vendor company.

A way to solve these problems can come in the form of third-party security management platforms that automate these processes, completing cybersecurity screenings more efficiently.

“For example, by providing vendors with the ability to sign up to a platform, they can gain full visibility into their own security profile, allowing them to monitor for any security gaps and have complete control over their cybersecurity even prior to being assessed by potential customers,” Amartely adds.

Additionally, these platforms can give vendors the chance to craft a comprehensive “security overview” that can be shared with clients right at the start of a sales cycle. By handing over this profile at the start of a business relationship with a new client, it can build trust as well as save time.

In this uncertain environment brought about by the pandemic, communicating to potential clients and collaborators that your business’s cybersecurity practices are foolproof is needed not just to scale up and thrive, but to ensure your precious data remains protected.

Tags COVID, CPO Magazine, sales cycles

New National Cybersecurity Guidelines Put in Place for Rail Transportation

December 13, 2021 Pete Cavicchia

During an era when federal pushes to increase infrastructure spending and heightened concerns over security risks across all sectors dominate headlines, recent news that the United States government is imposing cybersecurity regulations for rail transit made waves.

CBS News recently reported on the announcement that the federal government just imposed cybersecurity mandates for “higher risk” rail transit and railroad systems.

The Department of Homeland Security and Transportation Security Administration stated that freight trains and passenger transit rail systems will have to now report all cybersecurity incidents to the federal government within a 24-hour timeframe, put in place a 24/7 cybersecurity liaison with federal agencies, institute incident response plans, and conduct vulnerability assessments to address gaps in their cybersecurity protocols.

"These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats," DHS Secretary Alejandro Mayorkas said in a statement that was published by CBS News.

Officials in the freight and passenger rail transit industries have pushed back at the idea of more federal regulations.

“Mandating a prescriptive 24-hour reporting requirement in a security directive could negatively affect cyber response and mitigation by diverting personnel and resources to reporting when incident response is most critical,” the president and CEO of the American Public Transportation Association (APTA) wrote in a recent letter to U.S. lawmakers. “Additional personnel and resources needed to comply with the requirements will add significant compliance costs just as transit agencies are working to recover from the COVID-19 pandemic.”

Fears over continued cyberattacks on transportation systems are a very pressing concern for federal regulators and transit officials alike. This year alone, the nation has seen hacks result in supply chain shortages and fuel shortages — it does not seem out of the realm of possibility that our trains and passenger rail systems could be at elevated risk in the near future.

CBS’s report highlights a ransomware attack that affected the Southeastern Pennsylvania Transportation Authority in 2020. That service is behind Philadelphia’s rail transit system. In August 2020, the Philly Voice covered the attack, writing that hackers were able to temporarily achieve unauthorized access to the transit authority’s servers.

Cases like this are reminders that our transportation systems are particularly vulnerable, especially during high-travel periods like the holiday season and beyond.

As we have a continual national reckoning over how to keep our systems — from healthcare to banking — safe and secure, a focus will continue to be directed on our passenger and commercial trains.

Tags CBS News, Ransomware, Rail Transit

This Tool Makes Sure Facebook Doesn’t Track Your Browsing History

November 30, 2021 Pete Cavicchia

Back at the start of 2020, Meta Platforms, Inc. (then known as Facebook) CEO Mark Zuckerberg announced the global implementation of the “Off-Facebook Activity” tool. The goal was to give users the ability to manage how the company’s social media platform tracked Internet viewing history.

With much in the news lately about how Facebook uses and shares your data and gives third-party apps access to your browsing history, the tool seems more timely — and useful — than ever.

Tech news site CNET recently detailed how you can best make use of Off-Facebook.

If you haven’t been aware of the tool, keep in mind it switches off Facebook’s default setting of sharing your account data. You can also take it upon yourself to specifically select individual companies that you don’t want to have access to your data and send you intrusive targeted ads.

CNET’s Katie Teague outlines that, first, you have to go to “Settings & Privacy” on Facebook, then go to “Settings,” select “Your Facebook Information,” and then choose “Off-Facebook Activity.” Once you’re in Off-Facebook Activity, you can clear your history. Additionally, you can switch off future data-sharing activity from your account.

Teague explains this means you are instructing Facebook to wipe away identifying information that apps are sharing. Essentially, now the social media company will no longer be privy to what sites you are visiting, preventing you from receiving targeted advertisements in your Facebook Newsfeed.

Separately, Teague pinpoints how you can also manage specific ads you encounter on the platform. It’s as simple as going to your “Settings” and then selecting “Ad Preferences.”

Once you’re in your ad preferences, you can see a full rundown of the various companies that are running ads on your feed based on your identifying Facebook information and data through “Advertisers and Businesses.” You can select unwanted companies and choose “Don’t Allow.”

She also recommends you head to “Ad Settings” in order to switch off advertisements that are derived from data from the site’s partners as well as from your social actions and use of other Facebook products. Keep in mind this doesn’t delete the data itself and you’ll still see other ads appearing on your feed. Teague says the Off-Facebook tool is still the most definitive way of shielding your data and personal information from being co-opted and used for ads.

In summary, whether using Facebook — or any other social media platform — you should scrutinize how your data is being shared and look closely at settings you can enable to prevent that information from being used by third parties. Given how ubiquitous social media is right now, it’s crucial you do everything you can to protect your sensitive and personally identifying data.

Tags Meta, Off-Facebook Activity, CNET

A Look at the Top Social Media Scams

November 19, 2021 Pete Cavicchia

About seven-in-10 people in the United States use social media platforms. Compare that number to just 5 percent of American adults in 2005, when the Pew Research Center started tracking social media habits, to see just how much a part of daily life social media is right now.

It’s pretty hard to avoid a reliance on social media accounts — from getting one’s fix of daily news, to connecting with friends and relatives, to sharing content about how you spent your time on your most recent vacation.

As has been widely reported, this makes social media platforms rife with cybercriminal activity. Given its ubiquity, social media is just as much a hotbed for phishing scams and hacks as email and online banking, for example.

Why you should be wary of cybercrime on social media

Tech blogger Kim Komando reports that a recent survey from Check Point Research shows social media platforms WhatsApp, LinkedIn, and Facebook made the top 10 list of faked brands used by phishing scammers.

It’s no surprise why social media companies — and the well-known brands associated with them — make for particularly potent hacking targets. They are often the places where users share their most personal, identifying data, from location to bank account information to images of personal contacts.  

The top ten social platforms for scams

The website Government Technology highlights another study — this time from SocialCatfish.com — in which 726 members of a Facebook group “Social Catfish (SCF) Seekers” have all self-reported being scammed out of money online. The top 10 social sites that generated the most reports of these scams are:

  1. Facebook

  2. Google Hangouts

  3. Instagram

  4. WhatsApp

  5. Plenty of Fish

  6. Match.com

  7. OurTime

  8. Zoosk

  9. Words With Friends

  10. Tinder

Facebook came out at the top due to the large number of reported fake profiles that tend to flood the site and users’ DMs. This was similar to another popular social platform — owned by Facebook — Instagram. On the photo-sharing app, fake accounts tend to proliferate, at times sending users deceptive messages asking for financial and personally identifying information.

Practice sound judgment online

Fake accounts that look and sound like real people defined the connective theme throughout the survey. It underscores the importance of being vigilant about who you interact with online and, most importantly, what kind of information you’re sharing.

Unless you are interacting with a merchant or a bank you know and trust, do not share your personal financial information or anything sensitive such as your personal address or Social Security number. If you ever receive a message from a bot that seems to be asking for this intrusive information, steer clear.

All of these platforms have methods of reporting potential scams. If you suspect you are receiving solicitation from a hacker or a scam account, please report the suspicious account and block them from viewing or accessing your page.

Tags Social Media, Scams, Cybercrime

U.S. Government Puts Forth These Recommendations to Prevent Next Big Hack

November 9, 2021 Pete Cavicchia

On November 3, the Biden administration ordered federal agencies to patch hundreds of cybersecurity flaws. The end goal is to prevent the next big cybersecurity crisis. This comes after major events like the SolarWinds hack — when suspected Russian hackers weaponized SolarWinds and Microsoft software to hack U.S. federal agencies — put the need to improve cybersecurity protocols center stage.

It further underscores just how ill-prepared governmental agencies, and the general public alike, are for major hacks.

The Verge reports on this new directive from the Cybersecurity and Infrastructure Security Agency (CISA), which highlighted “200 known threats that cybersecurity experts discovered between 2017 and 2020.”

Right now, these federal agencies have just six months to put patches in place to cover vulnerabilities exposed by older threats. Additionally, they have two weeks to fortify what was exposed by newer threats from the past year.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber-attacks,” CISA director Jen Easterly said in a statement on the directive, which was first reported by The Wall Street Journal. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

SolarWinds is included in the list of major threats, along with the Microsoft Exchange Server flaw. The Microsoft attack involved the hacking of emails from 30,000 American commercial and governmental organizations. What makes that attack particularly frustrating for government officials is the reality that had just “four known security holes” been patched, the attack could have been stopped in its tracks, The Verge reports.

All of this means cybersecurity threats will continue to be at the top of headlines — not just in the U.S., but around the world.

Back in May, President Joe Biden signed an executive order that sought to prevent similar attacks. This order included provisions such as two-factor authentication throughout the federal government, the institution of a Cybersecurity Safety Review Board, and uniform recommendations for responding to these kinds of attacks, The Verge adds.

This increased vigilance signals we are only heading into an ever-heightened sense of alarm over cybersecurity dangers. Shielding individuals’ sensitive data while also putting cybersecurity central to both federal and commercial policy is key to combatting these threats.

Tags Biden, The Verge, CISA

How to Scare Away Security Threats this Halloween Season

October 29, 2021 Pete Cavicchia

It’s the end of October, and we’re now in the midst of Halloween season. During a busy time that includes taking the kids out trick-or-treating, attending costume parties, or watching seasonally appropriate scary movies, it can be easy to lose track of concerns about security — both physical and cyber.

Some scary cybersecurity statistics

The conclusion of Halloween brings the end of Cybersecurity Awareness Month, but that doesn’t mean your vigilance about potential cybersecurity threats should stop. Instead, it should carry through all year, every year.

For Halloween, Pax8 Blog published an overview of cybersecurity threats that go bump in the night. Here’s a look at some of the statistics they scared up:

  • Hacks have a long lifecycle — IBM’s Cost of a Data Breach Report found it took an average of 212 days to detect a cyber breach and 75 days to contain it, for a total lifecycle of 287 days. To illustrate this point further, they explain that if a company had been breached by hackers on January 1, 2021, the breach would not be contained until October 15.

  • An escalation of ransomware attacks — They also point to the scary statistic that ransomware attacks increased by 185 percent in the United States for the first six months of 2021. In the United Kingdom it was 144 percent, according to data from SonicWall.

  • A lot of data failed to be restored — Even bleaker, Sophos found that just 65 percent of data was restored after a company paid ransom to cybercriminals following a ransomware attack.

  • Remote workers are ill-equipped for hackers’ attacks — In its State of the Phish Report, Proofpoint found 70 percent of organizations fail to institute best cybersecurity practices in remote worker trainings. This is a particularly big oversight given the rush to embrace remote work during the COVID-19 pandemic.

What all of these disturbing, worrying statistics do is offer a reminder that it’s crucial to practice proper cybersecurity hygiene. Keep passwords private and safe, utilize multi-factor authentication, and do not transmit private and sensitive data over public Wi-Fi or shared computer connections. Similarly, be wary of social media scams — and not just during Halloween. Never give your private information to a third party.

Trick-or-treat season is a time to be vigilant about physical safety and security, too

This time of year, reminders about safety extend beyond the cyber world.

If you and your family are out and about trick-or-treating on October 31, be vigilant about physical safety, too. UPMC Children’s Hospital of Pittsburgh offers some Halloween-specific safety instructions for your children. These include making sure all children have adult supervision when they are out for Halloween, avoiding sharp objects and costume accessories, visiting familiar neighborhoods to collect candy, washing all fruit, and inspecting exactly what kind of food items are being placed in your kids’ trick-or-treat bags.

This year also poses unique safety concerns due to COVID-19. Healthychildren.org outlines recommendations for safely enjoying the spooky holiday during the pandemic. Chief among them — focus on outdoor activities. While we are in a better place with COVID-19 than we were a year ago, congregating in large groups of strangers still poses risks. If you are concerned about COVID-19 transmission — either for yourself, your children, or your family at large — consider outdoor activities and bring a protective face mask if you are planning on going inside. Also, make sure you bring some hand sanitizer along the way.

While Halloween can be a fun time of year, make sure you celebrate safely. Always keep both your physical and digital safety at the front of your mind.

Tags Halloween, Cybersecurity, Hacks, Ransomware