fbpx
Surveillance, Security, Monitoring, Automation, Access Control, LVT, Liquid Video Technologies, Greenville South Carolina

Chinese Secretly Installing Spyware App

China’s Border Guards Secretly Installing Spyware App on Tourists’ Phones

Chinese authorities are secretly installing surveillance apps on smartphones of foreigners at border crossings in the Xinjiang region who are entering from neighboring Kyrgyzstan, an international investigation revealed.

Xinjiang (XUAR) is an autonomous territory and home to many Muslim ethnic minority groups where China is known to be conducting massive surveillance operations, especially on the activities of Uighurs, a Muslim Turkic minority group of about 8 million people.

The Chinese government has blamed the Muslim Turkic minority group for Islamic extremism and deadly attacks on Chinese targets.

According to a joint investigation by New York Times, the Guardian, Süddeutsche Zeitung and more, the surveillance app has been designed to instantly extract emails, texts, calendar entries, call records, contacts and insecurely uploads them to a local server set-up at the check-point only.

This suggests that the spyware app has not been designed to continuously and remotely track people while in China. In fact, in the majority of cases, the report says the surveillance app is uninstalled before the phone is returned to its owner.

The spyware, called Feng Cai (蜂采) or BXAQ, also scans infected Android devices for over 73,000 pre-defined files related to Islamic extremist groups, including ISIS recruitment fliers, bomb-making instructions, and images of executions.

Surveillance, Monitoring, Security, Access Control, Automation, LVT, Liquid Video Technologies, Greenville South Carolina

Besides this, it also looks for segments from the Quran, portions of an Arabic dictionary and information on the Dalai Lama, and for some bizarre reason, the list also includes a song from a Japanese grindcore band called Unholy Grace.

The app can directly be installed on Android phones, but for tourists, journalists, and other foreigners, using Apple devices, the border guards reportedly connect their phones to a hardware-based device that is believed to install similar spyware.

According to researchers at German cybersecurity firm Cure53, who analyzed [PDF] a sample of the surveillance app, the names that appear in Feng Cai app’s source code suggest that the app was developed by a unit of FiberHome, a Chinese telecom manufacturer that is partly owned by the government.

“The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall,” the researchers said.

However, it remains unclear how long the collected information on travelers is stored on the Chinese server, or how the government uses it.

“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a Chinese researcher at Human Rights Watch, told NY Times. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”

It’s not the first time when Chinese authorities have been caught using spyware to keep tabs on people in the Xinjiang region, as this kind of intensive surveillance is very common in that region. However, it’s the first time when tourists are believed to have been the primary target.

In 2017, Chinese authorities had forced Xinjiang residents as well into installing a similar spyware app, called Jingwang, on their mobile devices that was intended to prevent them from accessing terrorist information.

Article Provided By: The Hacker News

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Monitoring, Access Control, Computer Networking, Networking, LVT, Liquid Video Technologies, Greenville South Carolina, iOS 13

Users Warned About iOS 13 Security Problem

When the “Sign in with Apple” functionality to appear as part of iOS 13 was announced at the Worldwide Developers Conference (WWDC) back on June 3, it was met with broad approval from Apple users. After all, what’s not to like about having an alternative to signing in to applications and services via your Facebook, Google, or Twitter account? It turns out, truth be told, quite a lot. Just how much depends upon whom you are talking to, of course.

The OpenID Foundation (OIDF), whose own OpenID Connect platform shares much in common with the proposed Apple solution and counts Google, Microsoft and PayPal amongst its members, is edging towards the not so keen side of the fence. Moreover, it’s not alone either.

In a  June 27 open letter addressed to Craig Federighi, senior vice-president of software engineering at Apple, Nat Sakimura, OIDF chairman, begins with some faint praise regarding Apple’s “efforts to allow users to log in to third-party mobile and Web applications with their Apple ID using OpenID Connect.” It very quickly goes downhill from there, however.

After explaining how OpenID Connect has been developed by a broad range of companies, along with experts from within the OIDF itself, the letter points out how it has become a widely-adopted protocol built on OAuth 2.0 to enable third-party logins in a secure and standard manner. The differences between OpenID Connect and Sign in with Apple, the letter continues, expose users “to greater security and privacy risks.”

It then goes on to insist that developers will be unnecessarily burdened by having to work on both as Apple will insist they offer it alongside the others, whereas by “closing the current gaps,” the OIDF argues, “Apple would be interoperable with widely-available OpenID Connect Relying Party software.”

So what seems to be the real problem here? The Apple system gets around having to pass your email to the third-party developer by creating a disposable one-off email address just for that purpose, assuming you choose to hide your real email address. By doing so, you also avoid the data aggregation problem that these sign-on platforms enable by seeing the various apps and services you use, which could build an accurate, and valuable, marketing profile. Opting out of emails can be done by deactivating individual service addresses, and Apple knows the apps you are using anyway so, assuming you trust it with that information, then the Sign in with Apple platform adds no new privacy concerns.

Why, then, is it being painted as such a security and privacy risk by the OIDF?

The answer comes mainly in the form of those “differences” mentioned earlier. These include failure to use the Proof Key for Code Exchange (PKCE) system that mitigates code injection and code replay attack threats. A document listing the differences was updated July 3 to acknowledge fixes that had been made since the open letter was sent.

That document can be found here and is worth reading as it also describes the specific attack and privacy problems that remain as a result of the protocol differences. These include Cross-Site Request Forgery (CSRF) attacks and potential leakage of the ID Token, which contains a set of personal data and Authorization Code, which could be used in the aforementioned code injection attack. According to this latest information, only the Apple documentation regarding the exchange of authorization codes has been fixed to date.

Sean Wright, an application security specialist, understands only too well how the problem with many open protocols is that at times organizations modify the protocol or standard just a little bit. “This causes potential compatibility issues when other organizations try to integrate,” Wright says, “so I can see why OpenID is so interested in trying to ensure that Apple sticks to the standard.” As for the security issues, these potentially stick their collective heads above the development parapet only because it will be a modification of a protocol and so open to newly introduced vulnerabilities.

A poll of information security professionals on Twitter revealed, that 60% thinking OIDF was right to call Apple out on these issues. The remaining 40% being evenly split between thinking OIDF was wrong, and it not mattering as both options improve security and privacy anyway.

“Any extra layer of security or privacy support added to accounts is a bonus in my book,” says Jake Moore, a security specialist at ESET, who continues, “but admittedly it appears this could still be even more secure by today’s standards.” Moore said that because Apple is dealing with millions of accounts, sadly this means if it were to make signing in too tricky for the average user, then there’s a risk that customers could be lost. “Albeit a bold move,” he concludes, “I like seeing accounts that force users to make their accounts more secure with strong password policies and Multi-Function Authentication as default.”

Neira Jones is a partner at the Global Cyber Alliance and an internationally renowned cyber risk and information security speaker. Jones tells that she thinks that while there will undoubtedly be teething problems, as with anything new, Sign in with Apple remains a good thing. “I do not doubt that Apple will address the security issues,” Jones says, “but whether Apple will fix the interoperability issues mentioned by OpenID remains to be seen as a number of factors are at play.” After all, Apple has traditionally been in the business of remaining a closed ecosystem, and Jones isn’t sure that will change any time soon.

Not that it’s impossible given that Facebook has announced the Libra cryptocurrency and in amongst the white paper documentation there’s a paragraph that states: “An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition.”

With more than 3 billion users, Facebook is potentially hoping for a big play in the identity space, according to Jones. They may or may not succeed, but Facebook does have a trust issue. “Apple haven’t,” Jones concludes, “or certainly not to the extent of Facebook’s trust issues.”

Article Provided By: Forbes

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Monitoring, Access Control, Computer Networking, Networking, Liquid Video Technologies, Greenville South Carolina, Security Key

Google Opens its Android Security Key Tech

Google Opens its Android Security-Key Tech to iPhone and iPad Users

Google will now allow iPhone and iPad owners to use their Android security key to verify sign-ins, the company said Wednesday.

Last month, the search and mobile giant said it developed a new Bluetooth-based protocol that will allow modern Android 7.0 devices and later to act as a security key for two-factor authentication. Since then, Google said 100,000 users are already using it.

Since its debut, the technology was limited to Chrome sign-ins. Now Google says Apple device owners can get the same protections without having to plug anything in.

Google Security-Keys

Signing in to a Google account on an iPad using an Android 7.0 device (Image: Google)

Security keys are an important security step for users who are particularly at risk of advanced attacks. They’re designed to thwart even the smartest and most resourceful attackers, like nation-state hackers. Instead of a security key that you keep on your key ring, newer Android devices have the technology built-in. When you log in to your account, you are prompted to authenticate with your key. Even if someone steals your password, they can’t log in without your authenticating device. Even phishing pages won’t work because only legitimate websites support security keys.

For the most part, security keys are a last line of defense. Google admitted last month that its standalone Titan security keys were vulnerable to a pairing bug, potentially putting it at risk of hijack. The company offered a free replacement for any affected device.

The security key technology is also FIDO2 compliant, a secure and flexible standard that allows various devices running different operating systems to communicate with each other for authentication.

For the Android security key to work, iPhone and iPad users need the Google Smart Lock app installed. For now, Google said the Android security key will be limited to sign-ins to Google accounts only.

Article Provided By: techcrunch

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Access Control, Computer Networking, Monitoring, LVT, Liquid Video Technologies, Greenville South Carolina, Banking Apps

US Mobile Banking Apps Have Security Flaws

Most US mobile banking apps have security and privacy flaws, researchers say

You might figure the biggest U.S. banks would have some of the most secure mobile apps. Spoiler alert: not so much.

New findings from security firm Zimperium, shared exclusively with TechCrunch, say most of the top banking apps have security flaws that put user data at risk. The security firm, which has a commercial stake in the mobile security business, downloaded the banks’ iOS and Android apps and scanned for security and privacy issues, like data leaks, which put private user data and communications at risk.

The researchers found most of the apps had issues, like failing to adhere to best coding practices and using old open-source libraries that are infrequently updated.

Some of the apps were using open-source code from GitHub from more than three years ago, said Scott King, Zimperium’s director of embedded security.

Worse, more than half of the banking apps are sharing customer data with at least one advertiser, the researchers said.

An unnamed iOS banking app with an 86/100 risk score (Image: Zimperium)

Banks Apps

Two unnamed Android banking apps each with an 82/100 risk score (Image: Zimperium)

The researchers, who didn’t name the banks, said one of the worst offending iOS apps scored 86 out of 100 on the risk scale for several privacy lapses, including communicating over an unencrypted HTTP connection. The same app was vulnerable to two known remote bugs dating back to 2015. The researchers said the risk scores for the banks’ corresponding Android apps were far higher. Two of the apps were rated with a risk score of 82 out of 100. Both of the apps were storing data in an insecure way, which third-party apps could access and recover sensitive data on a rooted device, said King.

One of the Android apps wasn’t properly validating HTTPS certificates, making it possible for an attacker to perform a man-in-the-middle attack. Several of the iOS and Android apps were capable of taking screenshots of the app’s display, increasing the risk of data leaking.

Zimperium said two-thirds of the Android banking apps are targeted by several malware campaigns, such as BankBot, which tricks users into downloading fake apps from Google Play and waits until the victim signs in to a banking app on their phone. Using an overlay screen, the malware campaigns steal logins and passwords.

The security firm called on banking apps to do more to bolster their apps’ security.

Article Provided By: techcrunch

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Access Control, Networking, Monitoring, LVT, Liquid Video Technologies, Greenville South Carolina, Android

Android Users Plagued By Pop-Ups

440 Million Android Users Plagued By Extremely Obnoxious Pop-Ups

The mobile ad plugin, found in hundreds of Google Play apps, uses well-honed techniques from malware development to hide itself.

Over 440 million Android phones have been exposed to an obnoxious advertising plugin hidden within hundreds of popular applications available via Google Play, which ultimately can render phones almost unusable.

Lookout Research discovered the plugin being bundled with 238 unique applications that have racked up millions of downloads between them – all from one company in China, CooTek. Dubbed BeiTaPlugin, the ad module forcibly displays ads on the user’s lock screen, triggers video and audio advertisements (even while the phone is asleep) and displays out-of-app ads in other areas too.

“Users have reported being unable to answer calls or interact with other apps, due to the persistent and pervasive nature of the ads displayed,” Lookout said in a posting on Tuesday.

Developers of free mobile apps turn to advertising plugins to monetize their wares. These automatically fetch ads at specified times to display, usually within the context of the application itself. For instance, when a player completes a level in a mobile game, he usually has to suffer through a 30-second ad before being able to go onto the next challenge.

However, out-of-app ads skirt the line between legitimate business modeling and obtrusive scamminess by pushing pop-up ads to users when they’re doing other things. The offending app could push an ad to the notification area of the phone, or present a pop-up anywhere, anytime – and the unfortunate part is that the user wouldn’t know which app is the one being obnoxious.

Users in the on an Android forum discussion were monitoring their devices and came to this conclusion:

BeiTaPlugin takes this dodgy practice to an entirely new level, according to Lookout, by employing obfuscation techniques normally reserved for standard malware in order to hide from utilities that block or detect out-of-app ad plugins.

For instance, it takes a little sleep before swinging into action. “These ads do not immediately bombard the user once the offending application is installed, but become visible at least 24 hours after the application is launched,” the researchers said. “For example, obtrusive ads did not present themselves until two weeks after the application ‘Smart Scan’ had been launched on a Lookout test device.”

The BeiTaPlugin also hides its true nature by appending fake file names and suffixes to its components. It names itself “icon-icomoon-gemini.renc” in the system files – purporting to be a legitimate application called Icomoon, which is an application that provides vector icon packs for designer and developer use. One of those icon packs is named Gemini.

“Malware authors commonly employ this technique of renaming executable files to other file types (pdf, jpg, txt) to hide malicious assets in plain sight,” researchers said. “In both cases, the .rec or .renc filetype suffix is intentionally misleading; the file is actually .dex (Dalvik Executable) file type that contains executable code rather than an innocuous .renc file.”

The package is also encrypted, and the AES encryption key is obfuscated through a series of connected methods and finally called for use by a package named “Hades SDK.”

“Increased encryption and obfuscation techniques are applied to hide the plugin’s existence,” explained Lookout researchers. “All strings related to plugin activity are XOR-encrypted and Base64-encoded, courtesy of a third-party library called StringFog. Each class that facilitates the loading of the plugin is encrypted with its own separate key.”

BeiTaPlugin was bundled a popular keyboard app, TouchPal, as well as numerous add-ons to the TouchPal keyboard, and several popular health and fitness apps, according to Lookout. Lookout reported the malicious functionality to Google, and the adware has now been removed from all the affected apps on the Play store – although users with the apps already installed are still likely affected.

Google Play and other app stores are cracking down on the use of out-of-app advertising, so it’s likely that the BeiTaPlugin saga is a sign of things to come, researchers noted.

“This BeiTaPlugin family provides insight into future development of mobile adware,” Lookout said. “As official app stores continue to increase restrictions on out-of-app advertisements, we are likely to see other developers employ similar techniques to avoid detection.”

Article Provided By: threatpost

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Things Aren't As They Seem

Things Aren’t As They Seem

Mueller report details how Russians reached millions of US Facebook and Twitter users and brought them out to real-life rallies

Special counsel Robert Mueller’s report released Thursday says Russia’s Internet Research Agency, or IRA, reached millions of U.S. users on Twitter, Facebook and Instagram leading up to the 2016 presidential election. Russian operatives also communicated with the Trump campaign under false identities “without revealing their Russian association” and interacted with prominent pro-Trump activists to arrange political rallies, “confederate” events and even a #KidsforTrump organization, the report says.

“IRA-controlled Twitter accounts separately had tens of thousands of followers, including multiple U.S. political figures, who retweeted IRA-created content,” the report says. Facebook has estimated that IRA-controlled accounts reached up to 126 million people, with Twitter notifying 1.4 million people they may have been in contact with a Russia-controlled account.

The Mueller document gives a fuller picture of how both technical and in-person intelligence operatives worked together to influence sentiment leading up to the 2016 election.

An odyssey that ramped up in 2014

Russian operatives had been dabbling in social media until around 2014, when they consolidated their efforts under a single program known internally as the “translator department,” according to the report. They later began sending operatives to the U.S. to further the election goals of the program.

In June 2014, four members of the department lied to the U.S. State Department, claiming to be “friends who met at a party.” Two of them, Anna Bogacheva and Aleksandra Krylova, received visas to enter the U.S. In 2016, other operatives were seen holding up signs at an event near the White House purportedly celebrating the birthday of Yevgeniy Prigozhin, a Russian tycoon alleged to have funded some of the interference campaigns and their associated social media ad buys.

On Twitter, the IRA program broke its operation into two strategies: creating real Twitter accounts meant to represent “individual U.S. personas,” and a separate, IRA-controlled network of automated Twitter bots “that enabled the IRA to amplify existing content on Twitter.”

One of the IRA accounts, which claimed to be that of a Trump supporter from Texas, had 70,000 followers. Another anti-immigration persona had 24,000 followers. A third, called @march_for_trump, organized a series of rallies in support of Trump across the U.S. The accounts posted 175,993 tweets, though the report says only 8.4% of those were election-related.

“U.S. media outlets also quoted tweets from IRA-controlled accounts and attributed them to the reactions of real U.S. persons,” the report says.

Influential conservatives also interacted with the accounts, including TV commentator Sean Hannity, Roger Stone, former U.S. Ambassador to Russia Michael McFaul and Michael Flynn Jr.

From Twitter to real life

“The Office identified dozens of U.S. rallies organized by the IRA,” the report says. “The earliest evidence … was a ‘confederate rally’ in November 2015. The IRA continued to organize rallies even after the 2016 U.S. presidential election.”

Many of the rallies drew few participants, while others drew hundreds. “The reach and success of these rallies was closely monitored” by the Russian team, the report says.

The report clarifies that in the cases in which a pro-Trump, IRA-organized rally also coordinated with Trump’s campaign, the campaign was not aware of the origins of the organizers. “The IRA’s contacts included requests for signs and other materials to use at rallies, as well as requests to promote the rallies and help coordinate logistics.”

“The investigation has not identified evidence that any Trump campaign official understood the requests were coming from foreign nationals,” the report says.

Another two-part campaign, against Hillary Clinton

As with the IRA’s Twitter strategy, Russia’s GRU intelligence agency broke its campaign of interference against Hillary Clinton’s presidential campaign into two parts. One group developed specialized malware — malicious software used, in this case, to monitor communications. A second group was charged with honing and launching mass spearphishing operations, meant to identify key targets within Clinton’s campaign and craft believable emails persuading them to click and, therefore, install the custom malware.

The GRU officers sent hundreds of these emails to Clinton staffers, including official campaign accounts and Google accounts used by staffers.

 

Things Aren't As They Seem By: Kate Fazzini

 

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Keeping Kids Safe Online

Keeping Kids Safe Online

“Here Be Dragons”, Keeping Kids Safe Online

Sitting here this morning sipping my coffee, I watched fascinated as my 5-year-old daughter set up a VPN connection on her iPad while munching on her breakfast out of absent-minded necessity.

It dawned on me that, while daughter has managed to puzzle out how to route around geofencing issues that many adults can’t grasp, her safety online is never something to take for granted. I have encountered parents that allow their kids to access the Internet without controls beyond “don’t do X” — which we all know is as effective as holding up gauze in front of semi and hoping for the best (hat tip to Robin Williams).

More parents need to be made aware that on the tubes of the Internet, “here be dragons.”

First and foremost for keeping your kids safe online is that you need to wrap your head around a poignant fact. iThingers and their ilk are NOT babysitters. Please get this clear in your mind. Yes, I have been known to use these as child suppression devices for long car rides but, we need to be honest with ourselves. Far too often they become surrogates and this needs to stop. When I was kid my folks would plonk me down in front of the massive black and white television with faux wood finish so I could watch one of the three channels. Too a large extent this became the forerunner of the modern digital iBabysitter.

These days I can’t walk into a restaurant without seeing some family engrossed in their respective devices oblivious of the world around them, let alone each other. Set boundaries for usage. Do not let these devices be a substitute parent or a distraction and be sure to regulate what is being done online for both you and your child.

I have had conversations about what is the best software to install on a system to monitor a child’s activity with many parents. Often that is a conversation borne out of fear of the unknown. Non-technical parents outnumber the technically savvy ones by an order of magnitude and we can’t forget this fact. There are numerous choices out there that you can install on your computer but, the software package that is frequently overlooked is common sense.

All kidding aside, there seems to a precondition in modern society to offload and outsource responsibility. Kids are curious and they will click links and talk to folks online without the understanding that there are bad actors out there. It is incumbent upon us, the adults, to address that situation through education. Talk with your kids so that they understand what the issues are that they need to be aware of when they’re online. More importantly, if you as a parent aren’t aware of the dangers that are online you need to avail yourself of the information.

This is by no means that only choice out there but, it is a good starting point. The Internet is a marvelous collection of information but, as with anything that is the product of a hive mind, there is a dark side. Parents and kids need to take the time to arm themselves with the education to help guard against perils of the online world.

If you don’t know, ask. If you don’t ask, you’ll never know.

 

Keeping Kids Safe Online By:  

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Is your technology spying on you?

Is your technology spying on you?

Google Says Unlisted, Built-In Microphone on Nest Devices Wasn’t Supposed to Be ‘Secret’

 

It’s barely two months into 2019, but Nest has already had a bit of a year. After some hacking scares involving its line of home security cameras, Nest’s latest headache involves its modular Nest Secure security system. More specifically, a microphone that customers weren’t aware was included in the base device. And while Google admits it messed up, it’s definitely not convincing users the company has their best interest at heart.

Google, which owns Nest, announced earlier this month it was adding Google Assistant support for the Nest Guard—one of three products that make up its Nest Secure system. Overall, you’d think that’s a helpful feature but Google’s failure to disclose the Guard hub had a built-in microphone detracts from any benefit and has led to plenty of criticism of the company’s intent on Twitter.

 

When Nest Secure was announced back in 2017, the microphone was suspiciously absent from any tech specs for the product. And while you could technically issue voice commands to enable and disable the alarm, it required owners to have a separate Google Home device.

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” a Google spokesperson told Gizmodo. “That was an error on our part.”

So have Nest Secure owners been unwittingly spied on all this time? Google says no. “The microphone has never been on and is only activated when users specifically enable the option.”

As for why the microphone was included in the first place, Google said it’s common for security systems to use microphones for features that rely on picking up different sounds. It also said the company “included the mic on the device so that [it] can potentially offer additional features to our users in the future, such as the ability to detect broken glass.”

All of that makes sense, but it’s unsettling in the wake of Nest’s recent privacy and security issues. A California family recently received false warnings through their Nest camera that North Korean missiles were about to strike, while last year, a woman was told through her cam that a man was going to kidnap her baby.

Google has since tried to urge Nest users to practice better security, including turning on 2FA and reseting potentially compromised passwords. But these efforts, while good in theory, put the onus on consumers when it wouldn’t be that difficult for Google to build better security into its products in the first place. Plus, it doesn’t help frazzled Nest users trust Google when it can’t be trusted to fully disclose the tech in its products to begin with.

[Business Insider]

 

Is Your VPN Leaking Your IP Address

Is Your VPN Leaking Your IP Address

 Is Your VPN Leaking Your IP Address

(Virtual Private Networks) are great for security, but one of the big reasons many people use one is to mask or change their IP address. Thus, one of the essential motivations to utilize a VPN is to conceal your actual IP address. In addition, while using a VPN, all of your web movements are encoded and sent to a VPN server. These servers, which handle all the data on the server side and is run by your VPN provider, are encrypted.

This implies that outside eyewitnesses can only see the IP address of the VPN server and not your actual IP. VPN providers take strong measures to protect user IPs, including using shared IPs and not maintaining logs. However, there is still a chance that your IP address can be discovered while using a VPN. Read on to learn how to find out if your VPN is leaking your IP and what you can do about it.

What Is an IP Leak?

An IP leak is the leaking of a user’s real IP address while connected to a VPN service. It can occur in a situation where a user’s computer is unknowingly accessing default servers rather than the anonymous VPN servers assigned by the network such as VPN. Here is simple example to understand IP leak while you are using a VPN:

Say you want to access some content that is not accessible (i.e. geo-restricted) from your home country. When you log into your VPN account, usually you can choose between servers in different countries. The VPN will “pretend” you’re actually located in the selected region. Usually that’s enough to convince you that you are now virtually in a supported country – all good so far!

But, if you go to access that content and are still facing the geo-restrictions, this means that service you are trying to access from a restricted country is actually tracking your original IP rather than the IP from the VPN server. This means your VPN is leaking your original IP.

Most IP leak types can affect any network protocol at one time or another on your smartphones, but the best VPN providers have built workarounds into their software to minimize the likelihood of an IP leakage. IP leaks aren’t normally the fault of your VPN service provider. They are often caused by vulnerabilities in existing technology like browser plugins (flash), web browsing software and operating systems on our smartphones.

Similarly, some DNS leaks can expose your original IP address to the DNS server. If your VPN has the “DNS Leak,” it means your DNS requests are being sent to an unsafe DNS server (usually one controlled by your internet provider). Some VPNs have built-in DNS leak protection, use their custom DNS servers, and use special technology to assure that your DNS requests are always routed securely, inside the encrypted VPN tunnel.

Some ISPs use a technology called “transparent DNS proxy”. Using this technology, they can intercept all DNS requests moving through their servers. If you specify the different DNS server on your home PC or router, it’s possible these requests could still be intercepted. If you have changed your DNS settings to use an ‘open’ DNS service such as Google or OpenDNS, expecting that your DNS traffic is no longer being sent to your internet provider’s DNS server, you may be shocked to find out that they are using transparent DNS proxying.

How to Check If Your VPN Is Leaking Your IP

Your ‘real’ IP address is the one which is assigned to you by your internet service provider and can be used to identify your unique internet subscription specifically. All devices on your home network will share the same IP address.

Here are few useful steps through which you can check whether your VPN is working fine and not leaking your IP address:

Step 1: Check your IP – Make sure that your VPN is NOT connected. If you are sure that your VPN is disconnected, then go to Google and type “what is my IP address” to check your real IP.

Step 2: Sign in to VPN – Log into your VPN account and connect to the server of your choice. Verify twice that you are connected.

Step 3: Check your IP again – Go to Google and type “what is my iIP address” again to check your new IP. You should see a new address, one that corresponds with your VPN and the country you selected.

Step 4: Do IP Leak test – Several free websites allow you to check if your VPN is leaking IP. There is a good tool for IP Leak tests in regards to user’s online privacy. It’s unique because it’s a modern web app and includes a free API to use on your smartphones. Most IP or DNS  leak tests used today are generally not mobile friendly, but more importantly outdated. For example, this tool’s API checks if DNS over TLS is enabled, which is missing from the older DNS leak test sites. This may be a relatively new protocol, but will become an increasingly important feature since it keeps your DNS requests encrypted. Its API also checks to see if DNSSEC is enabled or “Checking Disabled” is on or off. DNSSEC provides origin authority, data integrity, and authenticated denial of existence. So overall these results give you a more complete picture of your privacy and security settings.

What Other Leaks Can Expose Your IP Address? And How Can You Fix Them?

There is another common leak named ‘Dropped Connection’ which occurs if your VPN disconnects suddenly, in which case all your web traffic will be routed through your regular Internet connection (less secure). This is the common IP leak and also the easiest to prevent.

Choosing a VPN service with a kill-switch feature is the right choice even for your smartphones. A kill-switch is a critical piece of your VPN client software that continuously monitors your network connection and makes sure that your true IP address is never exposed online in the event of a dropped VPN connection. If it detects a change, it will instantly stop all internet connectivity and try to reconnect to the VPN automatically. I recommend looking for this feature when you are comparing VPNs.

VPNs can be a great tool for protecting your privacy online, but sometimes they can be undermined. I hope this post has opened your eyes to risks of IP leaks and the importance of regularly checking for them to ensure your information is staying safe.

 

by Anas Baig

Mobile Access Smartwatch Teaser Greenville, South Carolina

Mobile Access Control from HID

Mobile Access

Are you ready to embrace the sweeping change mobile technologies have brought to access control? HID Global’s award-winning HID Mobile Access ® solutions allow organizations to tailor access control solutions to meet the growing demands of a mobile-first world.

HID Mobile Access ® introduces a new era of convenience and functionality to access control. Breakthrough technologies meet the growing demands of a smarter, mobile-first world — while instilling confidence that identity data is secure and privacy is protected.

  • More Choice – Mobile technology is being leveraged at a rapid pace. The freedom to move access control to phones, tablets, wristbands, watches and other wearables is a matter of end-user preference. HID Mobile Access supports the widest variety of mobile devices in the industry today, or it can be used in addition to traditional card access.
  • More Applications – Managing identity in the organization is changing; IT departments, Security and Facility Management are working toward the development of consolidated access programs. HID Mobile Access enables more than one secure identity to reside in a smart device –creating a single device solution for physical and logical access control.
  • More Confidence – HID Mobile Access, powered by breakthrough credential technologies, is based on ISO standards used by the U.S. government and other organizations globally to encrypt classified or sensitive data, providing unprecedented security and privacy protection of identity data.

Mobile has become the go-to technology of the new millennium, offering convenience and portability. In light of these developments, leveraging mobile technology to access doors, parking facilities and gates – not to mention networks and other enterprise applications and much more – is a logical step in the evolution of access control.

HID Global is extending access control functionality to a mobile device allows end-users to securely and conveniently access the workplace using their smart device that is almost always on-hand. From the parking gate, to the door, to the network and more, HID Mobile Access can help organizations meet the growing demand for convenience in a mobile-first world.

Article Provided By: HID Global

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com