Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Latest ENISA report highlights ‘golden era’ for cybercriminals
Cybercriminal activity surged during the past year, according to the latest Threat Landscape Report from ENISA. It ranked the top nine threats facing citizens, organisations and cyberspace as: ransomware, malware, cryptojacking, email-related threats, threats against data and against availability and integrity, disinformation, non-malicious threats and supply-chain attacks. (ENISA considered the risk to the latter category so significant that it dedicated an entire report to it.) The agency called out the healthcare and public health sectors as specific targets for cybercriminals despite some ransomware gangs promising not to do so.
The report surveyed the threat landscape between April 2020 and July 2021. Ransomware was responsible for a 150 per cent increase since the last report. ZDNet’s coverage led with the ETL report’s description of a “golden era” of ransomware. HelpNet Security also has a good writeup of the main points. For readers who want to go right to the source for its data and insights, ENISA has a free PDF. The report runs to 116 pages, and is packed with detail for defenders of all stripes. (Speaking of ransomware, one survey suggests half of small firms in Ireland have paid to get their data restored. Worryingly, over a quarter said they didn’t get all their data back anyway, and six out of ten said their data was leaked on the dark web.)
Phones ≠ privacy
Plenty to ponder for privacy professionals from a recent research paper out of Trinity College Dublin. Short version: there’s no way to opt out of tracking on phones with variants of the Android OS from Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS. Even when minimally configured and the handset is idle, the vendor-customised Android variants send “substantial amounts of information to the OS developer and also to third-parties (Google, Microsoft, LinkedIn, Facebook etc) that have pre-installed system apps,” the researchers wrote.
Gizmodo’s writeup focused on the paper’s conclusion that basic privacy practices like opting out of tracking, or deleting ‘snoopy’ apps, aren’t enough to prevent tracking. The 12-page paper itself is free to read. In a related phone privacy story, the Markup turns the spotlight on a little-known yet large market for phone location data. (Spoiler alert: it’s worth billions.) And lastly, for anyone who had been following Apple’s controversial proposal to install tech on phones that would scan for child abuse imagery, 14 of the world’s leading security experts wrote an analysis saying that client-side scanning (CSS) “neither guarantees efficacious crime prevention nor prevents surveillance”. The technology “tears at the heart of privacy of individual citizens” but is also fallible and could be evaded by those meant to be targeted, and misused, they added.
When asked for some quick security advice, industry professionals would often recommend VPNs for protecting data over remote access or public Wi-Fi. But now there’s a groundswell of discussion around how consumer VPNs’ approach to privacy is far from ideal. A report by Restore Privacy found that some untrustworthy companies are not just buying VPNs to consolidate the industry, but also snapping up the ‘review’ sites that rank them highly. Its analysis claims most VPN users don’t realise these sites are recommending apps that share the same parent company.
VPNs came in handy for remote working during Covid restrictions, but it might be time for firms to reevaluate them. According to CSO Online, VPNs have a lot of shortcomings for handling remote network connections. It said VPNs are “insufficient for the remote working and hybrid landscape”. The story quotes Joseph Carson of ThycoticCentrify, who said VPNs hinder employee productivity and user experience. Sean Wright from Immersive Labs said that because VPNs typically extend an organisation’s network, if the network that the user is on is insecure (like a home network, for instance), there’s greater potential for an attacker to take advantage of it. The story offers seven alternative ways to provide secure remote access.
Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here