Apr 11 2024

DuckDuckGo Is Taking Its Privacy Fight to Data Brokers

Category: Information Privacy, Web Search Engine, Web Security | disc7 @ 8:03 am

For more than a decade, DuckDuckGo has rallied against Google’s extensive online tracking. Now the privacy-focused web search and browser company has another target in its sights: the sprawling, messy web of data brokers that collect and sell your data every single day.

Today, DuckDuckGo is launching a new browser-based tool that automatically scans data broker websites for your name and address and requests that they be removed. Gabriel Weinberg, the company’s founder and CEO, says the personal-information-removal product is the first of its kind where users don’t have to submit any of their details to the tool’s owners. The service will make the requests for information to be removed and then continually check if new records have been added, Weinberg says. “We’ve been doing it to automate it completely end-to-end, so you don’t have to do anything.”

The personal-information removal is part of DuckDuckGo’s first subscription service, called Privacy Pro, and is bundled with the firm’s first VPN and an identity-theft-restoration service. Weinberg says the subscription offering, which is initially available only in the US for $9.99 per month or $99.99 per year, is part of an effort to add to the privacy-focused tools it provides within its web browser and search engine. “There’s only so much we can do in that browsing loop, there’s things happening outside of that, and a big one is data brokers, selling information scraped from different places,” Weinberg says.

The data broker industry is a far-reaching, $200-plus billion market, which collects, buys, and sells as much information as it can. A lack of comprehensive privacy laws in the US allows companies to easily trade everything from people’s names and addresses to financial data and specific GPS coordinates gathered from your phone. (The recently proposed American Privacy Rights Act, if passed, would create a new registry of data brokers and give people some European-style privacy rights).

DuckDuckGo’s personal-information-removal tool—for now, at least—is taking the privacy fight to people-search websites, which allow you to look up names, addresses, and some details of family members. However, Weinberg says DuckDuckGo has created it so the company isn’t gathering details about you, and it is built on technology from Removaly, which the company acquired in 2022.

Ahead of its launch, the company demonstrated how the system works and some of the engineering efforts that went into its creation. On the surface, the removal tool is straightforward: You access it through the company’s browser and enter some information about yourself, such as your name, year of birth, and any addresses. It then scans 53 data broker websites for results linked to you and requests those results to be wiped. (All 53 data brokers included have opt-out schemes that allow people to make requests.) A dashboard shows updates about what has been removed and when it will next scan those websites again, in case new records have been added.

Under the hood, things are more complex. Greg Fiorentino, a product director at DuckDuckGo, says when you enter your personal data into the system, it’s all saved in an encrypted database on your computer (the tool doesn’t work on mobile), and the company isn’t sent this information. “It doesn’t go to DuckDuckGo servers at all,” he says.

For each of the data brokers’ websites, Fiorentino says, DuckDuckGo looked at its URL structure: For instance, search results may include the name, location, and other personal information that are queried. When the personal information tool looks for you on these websites, it constructs a URL with the details you have entered.

“Each of the 53 sites we cover has a slightly different structure,” Fiorentino says. “We have a template URL string that we substitute the data in from the user to search. There are lots of different nuances and things that we need to be able to handle to actually match the data correctly.”
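The per-site template and record-matching step described above, as an added example that is not DuckDuckGo’s or Removaly’s code: two hypothetical broker sites with different URL shapes, a locally held profile, and a matcher that tolerates a middle initial, case and punctuation differences, and the two ages a bare year of birth allows. All site names, templates, the profile and the records are constructed.

```python
"""Added example (not DuckDuckGo's or Removaly's code): filling per-site
people-search URL templates from a locally held profile and matching the
records a site returns against that profile. The site names, templates,
profile and records below are all constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import quote_plus


@dataclass(frozen=True)
class Profile:
    first: str
    last: str
    birth_year: int
    addresses: tuple  # (city, state) pairs, exactly as the user typed them


@dataclass(frozen=True)
class Site:
    name: str
    template: str  # str.format placeholders: {first} {last} {city} {state}
    style: str     # "query": percent-encoded query values; "slug": path slugs


# Hypothetical brokers: each wants the same fields in a different shape.
SITES = (
    Site("example-a",
         "https://a.example/search?fn={first}&ln={last}&city={city}&st={state}",
         "query"),
    Site("example-b",
         "https://b.example/people/{first}-{last}/{state}/{city}",
         "slug"),
)


def _slug(value: str) -> str:
    """Lower-case, hyphen-separated path component: "St. Paul" -> "st-paul"."""
    return re.sub(r"[^a-z0-9]+", "-", value.lower()).strip("-")


def build_url(site: Site, profile: Profile, city: str, state: str) -> str:
    """Substitute the user's details into the site's template, encoding each
    value the way that site's URL structure expects."""
    enc = quote_plus if site.style == "query" else _slug
    return site.template.format(first=enc(profile.first), last=enc(profile.last),
                                city=enc(city), state=enc(state))


def _norm_name(name: str) -> str:
    """Case-fold and drop punctuation so "O'Brien" and "OBrien" compare equal."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def name_matches(profile: Profile, record_name: str) -> bool:
    """Compare first and last tokens only, so a middle initial on the site
    ("Jane M. O'Brien") still matches a profile entered as "Jane O'Brien"."""
    tokens = _norm_name(record_name).split()
    return (len(tokens) >= 2 and tokens[0] == _norm_name(profile.first)
            and tokens[-1] == _norm_name(profile.last))


def age_matches(profile: Profile, record_age, today: date) -> bool:
    """A year of birth without the birthday leaves two possible ages."""
    if record_age is None:
        return True  # site published no age; that is not evidence against a match
    oldest = today.year - profile.birth_year
    return oldest - 1 <= record_age <= oldest


def location_matches(profile: Profile, city: str, state: str) -> bool:
    wanted = {(c.strip().lower(), s.strip().upper()) for c, s in profile.addresses}
    return (city.strip().lower(), state.strip().upper()) in wanted


def find_matches(profile: Profile, records: list, today: date) -> list:
    """Keep only records that agree with the profile on name, age and location."""
    return [r for r in records
            if name_matches(profile, r["name"])
            and age_matches(profile, r.get("age"), today)
            and location_matches(profile, r["city"], r["state"])]


# Constructed sample data: a profile and what one site might return for it.
SAMPLE_PROFILE = Profile("Jane", "O'Brien", 1980, (("St. Paul", "MN"), ("Austin", "tx")))
SAMPLE_RECORDS = [
    {"name": "Jane M. O'Brien", "age": 44, "city": "St. Paul", "state": "mn"},  # match
    {"name": "Jane O'Brien", "age": 71, "city": "Austin", "state": "TX"},      # wrong age
    {"name": "Janet O'Brien", "age": 44, "city": "Austin", "state": "TX"},     # different person
    {"name": "Jane OBrien", "age": None, "city": "Austin", "state": "TX"},     # no age listed
]


def matched_names(today: date = date(2024, 4, 11)) -> list:
    """Names of the sample records that match the sample profile on the given date."""
    return [r["name"] for r in find_matches(SAMPLE_PROFILE, SAMPLE_RECORDS, today)]


if __name__ == "__main__":
    for site in SITES:
        for city, state in SAMPLE_PROFILE.addresses:
            print(site.name, build_url(site, SAMPLE_PROFILE, city, state))
    print("matches:", matched_names())
```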

During testing, the company says, it found most people have between 15 and 30 records on the data broker sites it checks, although the highest was around 150. Weinberg says he added six addresses to be removed from websites. “I found hits on old stuff, and even in the current address, which I really tried to hide a bit from getting spam at, it’s still out there somehow,” Weinberg says. “It’s really hard to avoid your information getting out there.”

Once the scan for records has been completed, the DuckDuckGo system, using a similar deconstruction of each of the data broker websites, will then automatically make requests for the records to be removed, the team working on the product says. Fiorentino says some opt-outs will happen within hours, whereas others can take weeks to remove the data. The product director says that in the future, the tool may be able to remove data from more websites, and the company is looking at potentially including more sensitive data in the opt-outs, such as financial information.

Various personal-information-removal services exist on the web, and they can vary in what they remove from websites or the services they provide. Not all are trustworthy. Recently, Mozilla, the creator of the Firefox browser, stopped working with identity protection service Onerep after investigative journalist Brian Krebs revealed that the founder of Onerep also founded dozens of people-search websites in recent years.

DuckDuckGo’s subscription service marks the first time the company has started charging for a product—its browser and search engine are free to use, and the firm makes its money from contextual ads. Weinberg says that, because subscriptions are purchased through Apple’s App Store, Google Play, or with payment provider Stripe, details about who subscribes are not transferred to DuckDuckGo’s servers. A random ID is created for each user when they sign up, so people don’t have to create an account or hand DuckDuckGo their payment information. The company says it doesn’t have access to people’s Apple IDs or Google account details.

For its identity-theft-restoration service, DuckDuckGo says it is working with identity protection service Iris, which uses trained staff to help with fraudulent banking activity, document replacement, emergency travel, and more. DuckDuckGo says no information is shared between it and Iris.

Weinberg says that while the company’s main focus is providing free and easy-to-use privacy tools to people, running a VPN and the removal tool requires a different business model. “It just takes a lot of bandwidth,” he says of the VPN.

Broadly, the VPN industry, which allows people to hide their web traffic from internet providers and avoid geographic restrictions on streaming, has historically been full of companies with questionable records when it comes to privacy and people’s data. Free VPNs have long been a privacy nightmare.

DuckDuckGo says its VPN, which it built in-house and which uses the WireGuard protocol, does not store any logs of people’s activities and can be used on up to five devices at once. “We don’t have any record of website visits, DNS requests, IP addresses connected, or session lengths,” the company says in its documentation. The VPN runs through its browser, with 13 location options at launch, but shields all internet traffic passing through your phone or computer.

The company says it is conducting a third-party audit of the VPN to allow its claims to be scrutinized, and it will publish the full audit once it’s complete. “We really wanted to do something in the VPN space for a long time, we just didn’t have the resources and people to do it,” Weinberg says. “We looked at partnering in different places. If we have to completely trust a partner versus building something where we can make it anonymous, we decided we would want to do it ourselves.”

Why you should use Duckduckgo as your search engine NOW!

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: DuckDuckGo

    Apr 01 2024

    Securing privacy in the face of expanding data volumes

    Category: Information Privacy | disc7 @ 8:59 am

    One of the primary concerns regarding data privacy is the potential for breaches and unauthorized access. Whether it’s financial records, medical histories, or personal communications, individuals have a right to control who can access their data and for what purposes.

    In this Help Net Security round-up, we present parts of previously recorded videos in which security experts discuss various aspects of data privacy and protection.

    Complete videos

    • Stephen Cavey, Chief Evangelist at Ground Labs, talks about how businesses and job seekers are not only prioritizing data privacy but using it as a competitive advantage in this rivalrous landscape.
    • Dana Morris, SVP Product and Engineering at Virtru, talks about privacy-preserving cryptography.
    • Kris Lahiri, CSO at Egnyte, believes data privacy violations cast a long shadow and takes a closer look at the lasting consequences.
    • Karen Schuler, Global Privacy & Data Protection Chair at BDO, discusses overconfidence in data privacy and data protection practices.
    • Romain Deslorieux, Global Director, Strategic Partnerships at Thales, discusses what companies should be planning based on current regulations and what steps they can take to prepare for the future.

    Latest Titles on Data Privacy


    Tags: data privacy

    Aug 17 2023

    Data Privacy Solutions

    Category: Information Privacy, Security and Privacy Law | disc7 @ 10:09 am

    Your data is an asset. Safeguarding it will help you comply with data protection laws and allow your business to thrive.

    A global leader in privacy guidance, audits, tools, training and software

    IT Governance is a market leader in data privacy and cyber security solutions. Their broad suite of offerings is one of the most comprehensive in the world.

    ITG’s affordable solutions have assisted numerous individuals and organizations in understanding the practical aspects of data privacy. With substantial legal and technical expertise, coupled with a 15-year history in cybersecurity risk management, ITG gives its customers complete confidence in entrusting it with their needs.

    Speed up your compliance initiatives for GDPR, CPRA, ISO 27701 and other regulations by utilizing ITG’s collection of top-performing tools, templates and eBooks.

    Templates and Tools

    Training and staff awareness


    Check out our ISO 27701-related posts to assess and build your PMS

    Check out our previous posts on CPRA

    Check out our previous posts on GDPR

    CISSP training course


    Tags: CCPA, CPRA, data privacy, Data Privacy Solutions, gdpr, ISO 27701

    Jul 27 2023


    Category: Cyber Espionage, Information Privacy | disc7 @ 8:14 am

    There’s just about no one who can say they’ve never been online or used online services. We spend a significant part of our daily lives online, which can bring various risks. It’s simple for apps, websites, and hackers to track and use your online activity for their own purposes. Below, we look into useful tools like rotating residential proxies and more to help prevent others from tracking you.


    People are often surprised to find out how much they’re being tracked online. With devices like your smartphone, tablet, and desktop, various apps, websites, and hackers can track your online activities. These activities could expose sensitive information like your physical location, personal information, financial information, and more.

    Others can track you using the following methods:

    • Your IP address
    • Cross-tracking between your devices
    • Cursor tracking software/Tattleware
    • Email exchanges
    • Frequently visited accounts on devices
    • Location software like map apps
    • Your search history


    The benign reason that others track you online is to learn your shopping habits and provide more targeted marketing. While this can feel invasive and result in spam emails, it’s ultimately not harmful. However, cybercriminals and hackers can also track you using the above methods and learn more confidential information, like your social security number, home address, and habits.

    Ultimately, if hackers and scammers have this information, they can also more easily scam you. Phishing attempts, false advertisements, and more are all ways you can be conned out of your money when your habits and information are known.


    Whether it’s to avoid targeted marketing and prevent your personal information from being vulnerable or to stay safe from hackers, there are various methods you can use to protect yourself online.


    Using multiple browsers to create accounts and browse the internet is a simple way of making it difficult to track you. That’s because you split your activity over various browsers that don’t share information. It also limits your exposure to web tracking, keeps your various activities separate, and lets you delete information more easily.


    A user agent is the string your browser sends to tell a website which browser you’re using, its rendering engine, and your operating system. This information is shared to ensure the version of the website you see is optimized for your browser and device. You can change the user agent to confuse any trackers on these websites.

    A user-agent switcher is a tool you can use to switch the type of user agent you have, making it look like you’re using a different browser and device. You also have access to various privacy extensions which work with this user-agent switcher to protect against tracking.


    Don’t use public networks to browse the internet when you’re in public. While free Wi-Fi seems beneficial, these open networks can leave a gap in your device’s defenses for hackers to sneak through. Instead, stay on your private network, and ensure you don’t give strangers access to that network or your device.


    It’s best to adjust your privacy settings on your devices and browsers to avoid online websites and hackers tracking you. Enable “Do Not Track” on your browsers and devices to keep the device from tracking you. While it won’t stop a determined hacker, it helps lessen the tracking cookies on your browsers.

    Also, ensure that mobile apps don’t have permission to track your location, as this is another avenue that reveals your activities to others. Only use apps that require your location when using a proxy that helps block malicious websites, connections, and more.


    While we’re on the subject of cookies, another good step is not to accept website cookies. These cookies track your activity on the website, leaving a digital footprint behind. It can also reveal your habits, likes, IP addresses, and more.


    Using rotating residential proxies is an easy way to keep yourself from being tracked. Residential proxy servers contact the website on your behalf, so you’re never directly contacting it. The IP addresses they use belong to actual home devices, making your traffic look like that of an ordinary home user and enabling you to browse the web safely.

    Rotating residential proxies use a new IP address each time you make a new connection. These rotating IP addresses make it extremely difficult to track you, as the proxy takes care of the cookies and leaves no digital footprint behind to exploit.


    While there are various ways to try and avoid being tracked, there’s no way to ensure it won’t happen as long as you use the internet. Rotating residential proxies are an excellent preventative and protective measure, but we advise you never to log into your Google, Apple, Facebook, or other essential accounts while browsing unprotected. You can never be truly certain how you’re being tracked, so you should implement as many different measures as you can to protect your privacy.

    How to Disappear: Erase Your Digital Footprint, Leave False Trails, And Vanish Without A Trace


    Tags: How to Disappear, TRACKED ONLINE

    Jul 20 2023

    How do you solve privacy issues with AI? It’s all about the blockchain

    Category: AI, Blockchain, Information Privacy | disc7 @ 9:18 am


    Data is the lifeblood of artificial intelligence (AI), and the power that AI brings to the business world — to unearth fresh insights, increase speed and efficiency, and multiply effectiveness — flows from its ability to analyze and learn from data. The more data AI has to work with, the more reliable its results will be.

    Feeding AI’s need for data means collecting it from a wide variety of sources, which has raised concerns about AI gathering, processing, and storing personal data. The fear is that the ocean of data flowing into AI engines is not properly safeguarded.

    Are you donating your personal data to generative AI platforms?

    While protecting the data that AI tools like ChatGPT collect against breaches is a valid concern, it is actually only the tip of the iceberg when it comes to AI-related privacy issues. A more pressing issue is data ownership. Once you share information with a generative AI tool like Bard, who owns it?

    Those who are simply using generative AI platforms to help craft better social posts may not understand the connection between the services they offer and personal data security. But consider the person who is using an AI-driven chatbot to explore treatment for a medical condition, learn about remedies for a financial crisis, or find a lawyer. In the course of the exchange, those users will most likely share some personal and sensitive information.

    Every query posed to an AI platform becomes part of that platform’s data set without regard to whether or not it is personal or sensitive. ChatGPT’s privacy policy makes it clear: “When you use our Services, we collect Personal Information that is included in the input, file uploads, or feedback that you provide to our Services.” It also says: “In certain circumstances we may provide your Personal Information to third parties without further notice to you, unless required by the law…”

    Looking to blockchain for data privacy solutions

    While the US government has called for an “AI Bill of Rights” designed to protect sensitive data, it has yet to provide the type of regulations that protect its ownership. Consequently, Google and Microsoft have full ownership over the data that their users provide as they comb the web with generative AI platforms. That data empowers them to train their AI models, but also to understand you better.

    Those looking for a way to gain control of their data in the age of AI can find a solution in blockchain technology. Commonly known as the foundation of cryptocurrency, blockchain can also be used to allow users to keep their personal data safe. By empowering a new type of digital identity management — known as a universal identity layer — blockchain allows you to decide how and when your personal data is shared.

    Blockchain technology brings a number of factors into play that boost the security of personal data. First, it is decentralized, meaning that data is not stored in a single central database and so is not exposed to that database’s vulnerabilities.

    Blockchain also supports smart contracts, which are self-executing contracts that have the terms of an agreement written into their code. If the terms aren’t met, the contract does not execute, allowing for data stored on the blockchain to be utilized only in the way in which the owner stipulates.

    Enhanced security is another factor that blockchain brings to data security efforts. The cryptographic techniques it utilizes allow users to authenticate their identity without revealing sensitive data.

    Leveraging these factors to create a new type of identification framework gives users full control of who can use and view their information, for what purposes, and for how long. Once in place, this type of identity system could even be used to allow users to monetize their data, charging large language models (LLMs) like OpenAI and Google Bard to benefit from the use of personal data.

    Ultimately, AI’s ongoing needs may lead to the creation of platforms where users offer their data to LLMs for a fee. A blockchain-based universal identity layer would allow the user to choose who gets to use it, toggling access on and off at will. If you decide you don’t like the business practices Google has been employing over the past two months, you can cut them off at the source.

    That type of AI model illustrates the power that comes from securing data on a decentralized network. It also reveals the killer use case of blockchain that is on the horizon.

    Image credit: tampatra@hotmail.com/depositphotos.com

    Aaron Rafferty is the CEO of Standard DAO and Co-Founder of BattlePACs, a subsidiary of Standard DAO. BattlePACs is a technology platform that transforms how citizens engage in politics and civil discourse. BattlePACs believes participation and conversations are critical to moving America toward a future that works for everyone.

    Blockchain and Web3: Building the Cryptocurrency, Privacy, and Security Foundations of the Metaverse


    Tags: AI privacy, blockchain, Blockchain and Web3

    Apr 03 2023

    Tor Project Creates New Privacy-Focused Browser using VPN Layer

    Category: Information Privacy, Web Security | DISC @ 3:18 pm

    The Tor browser carries your communication over a decentralized network of relays maintained by volunteers located worldwide.

    It safeguards your internet connection from prying eyes by preventing any individual from monitoring the websites you visit, shields your physical location from being disclosed to the websites you browse, and enables access to blocked websites.

    Numerous reasons exist for why individuals may seek to share files anonymously, with the most prominent being the case of whistleblowers or political activists striving to avoid persecution.

    When a user starts Tor, traffic first passes through the first node in the circuit, referred to as the “Entry Guard,” which is chosen from a pool of 2500 out of 7000 computers. These nodes are known for their high uptime and availability.

    New Mullvad Browser

    A new browser was launched today, featuring an alternative infrastructure that includes a layer of VPN support in place of the Tor network.

    With the new Mullvad Browser, anyone can fully utilize the privacy features developed by the Tor Project.

    “Mullvad Browser, a free, privacy-preserving web browser to challenge the all-too-prevalent business model of exploiting people’s data for profit,” the Tor Project said.

    This could be another privacy-focused browser that does not require extensions or plugins to bolster its privacy features.

    “Our goal was to give users the privacy protections of Tor Browser without Tor. For instance, the Mullvad Browser applies a “hide-in-the-crowd” approach to online privacy by creating a similar fingerprint for all of its users.”

    The Mullvad Browser has a default private mode that obstructs third-party trackers and cookies while providing convenient cookie deletion options.

    Mullvad aims to handle all of that for you, allowing you to open the browser with the assurance that you are not easily traceable.

    “Our mission at the Tor Project is to advance human rights by building technology that protects people’s privacy, provides anonymity and helps them bypass censorship.”

    “We want to free the internet from mass surveillance and a VPN alone is not enough to achieve privacy. From our perspective there has been a gap in the market for those who want to run a privacy-focused browser as good as the Tor Project’s but with a VPN instead of the Tor Network,” says Jan Jonsson, CEO at Mullvad VPN.

    The Tor Project has released a statement affirming that the Tor Browser will continue to evolve and enhance its capabilities.

    Dark Web Onion Sites For Anonymous Online Activities: Browse The Dark Web Safely And Anonymously


    Tags: dark web, Privacy-Focused Browser, Tor Project

    Feb 13 2023

    How to Make Sure You’re Not Accidentally Sharing Your Location

    Category: Information Privacy | DISC @ 10:42 am

    Your devices and apps really, really want to know where you are—whether it’s to tell you the weather, recommend some restaurants you might like, or better target advertising at you. Managing what you’re sharing and what you’re not sharing, and when, can quickly get confusing.

    It’s also possible that you have inconsistencies in the various location histories logged by your devices: Times when you thought you’d switched off and blocked location sharing but you’re still being tracked, or vice versa.

    Here we’ll cover everything you need to consider when it comes to location tracking, and hopefully simplify it along the way. Whether you want to give out access to your current location or not, you should be in control of these settings, and not be caught unawares by additional options that you missed.

    How Location Tracking Gets Confusing

    Screenshot of Google location sharing history

    What happens if you distinctly remember turning location tracking off on a device, yet your position is still popping up on a map? Or maybe you thought you’d left the feature on, yet you’re seeing gaps in your location history? There are a few explanations, but essentially you need to remember all the different ways your location can be logged: by your devices, by your apps, and by websites you visit.

    For example, you might have disabled location tracking on a phone but left it enabled on a tablet. Alternatively, you might have a laptop that’s tracking where you are in the background, even though you thought you’d disabled the feature in the apps you use. If you want location tracking completely enabled or disabled, you need to factor in all these different ways of keeping tabs on where you are.

    If you have a Google account, this is a good illustration. Head to your account settings on the web, then choose Data and Privacy and Location History. Select Devices on This Account, which may reveal some phones, tablets, and laptops that you’d forgotten about—any device with a check next to it in this list is saving your movements to your Google account for future reference.

    You can click Turn Off to disable this, but note the caveats that are listed in the confirmation box that appears onscreen: Your location might still be logged by your mobile devices, by the Find My Device service that helps you recover lost hardware, and by Google Maps when you’re navigating or searching around the area you’re in. This Location History setting is more of an overall toggle switch, affecting features such as the Google Timeline and the ability to quickly look up places you visit regularly.

    From the main Google account screen, there are several more places where your location gets logged and shared: Click Data and Privacy then Web & App Activity to manage location data saved by Google Maps and other apps and websites, and click People and Sharing then Manage Location Sharing to see a list of specific contacts who can see where you are through various Google services.

    Managing Location Tracking on Mobile

    Screenshot of Android location sharing settings

    The steps to manage your location on Android vary slightly depending on the manufacturer of your phone, but the menus and instructions involved are broadly similar. On Google Pixel devices, you can open up Settings then select Location: You’ll see the Use Location toggle switch, and if you turn this off, none of your apps will be able to know where you are, nor will Google.

    If you leave the Use Location toggle switch on, you can customize location access for individual apps further down on the same screen. Note that you can choose to allow apps to know where you are at all times, or only when the app in question is running in the foreground—tap on any app in the list to make changes.

    Over on iOS, it’s a similar setup. If you select Privacy & Security from Settings, and then tap Location Services, you can turn off location tracking for the phone and all the apps on it. If you choose to leave this enabled, you can manage individual app access to your location via the list underneath. As on Android, you can choose to restrict apps to knowing your location only when the particular app itself is running, or allow them to monitor it in the background too.

    Erasing the location data that’s been collected on you is a complex process, as you need to check the records and the settings of every app that’s ever had access to your location. For Google and Google’s apps, you can head to your Google account on the web, then choose either Location History or Web & App Activity under Data and Privacy to wipe this data from the record. You’ll also find options for automatically deleting this data after 3, 18, or 36 months.

    Apple doesn’t log your movements in quite the same way, but it does build up a list of places you visit frequently (like your home and perhaps your office) so you can quickly get to them again. To clear this list on your iPhone, open Settings then choose Privacy & Security, Location Services, System Services, and Significant Locations. You can clear this list and stop it from populating in the future.

    Managing Location Tracking on Desktop

    Screenshot of Windows location sharing settings

    Your laptop or desktop computer is unlikely to be fitted with GPS capabilities, so it won’t track your location in quite the same way as your phone, but applications, websites, and the operating system will still have some idea where you are—primarily through the locations that you sign into the web from (via your home Wi-Fi, for example).

    On Windows, you can open up Settings and then choose Privacy & Security and Location. As on Android and iOS, you’ll see you can turn location tracking off for individual applications (via the toggle switches on the right) or shut it down for the entire computer (the option at the top). The same screen lets you see which apps have been using your location, and enables you to wipe the log of your travels—click Clear next to Location History to do this.

    When it comes to the same process on macOS, you need to click the Apple menu and select System Settings, Privacy & Security, and Location Services. The next screen looks very similar to the Windows one, with toggle switches for individual applications as well as for macOS itself—turn off any of the switches where you don’t want location access to be given. If you click Details next to System Services on this screen, you can clear the list of “significant locations” Apple has saved for you, just like on iOS.

    If location tracking is on for your computer and your browser of choice, that means individual websites such as Facebook, Amazon, or Google Search can know where you are as well. Sometimes this is useful, of course (for getting the right weather forecast), but there might be times when you want to turn it off if you’re trying to keep your whereabouts private.


    Incognito Toolkit: Tools, Apps, and Creative Methods for Remaining Anonymous, Private, and Secure While Communicating, Publishing, Buying, and Researching Online


    Tags: Anonymity, privacy

    Jan 30 2023


Category: Anonymous, Information Privacy, Information Security | DISC @ 9:44 am


A MAC address is (or should be) unique to each network interface. If a device has several network interfaces, each of them has its own MAC address: a laptop with both a wired Ethernet port and a Wi-Fi adapter has at least two, and the same holds for a desktop fitted with both. So when we talk about “changing the MAC address” we have to remember that there are several of them. A router is no different: its WAN and LAN sides, and if it supports wireless networking each of its radios (2.4 GHz and 5 GHz), typically have MAC addresses of their own.

Because a MAC address is meant to be unique, it uniquely identifies the network device, and since that device is part of your computer it identifies the computer too. Moreover, the MAC address (also called the hardware or physical address) does not change when you reinstall or switch the operating system.

In short, changing the MAC address prevents a device from being tracked and identified by it. But there is a more practical reason than paranoia to learn about MAC addresses and about the ways your system substitutes them, or refuses to: captive portals identify users by MAC address. A captive portal is a way of forcing a user to meet certain conditions before Internet access is granted. You meet them most often in public places that offer Wi-Fi to an indefinite circle of people but still want to identify the user and/or allow access only to those with credentials. At an airport you may have to confirm your phone number via SMS to get on the free Wi-Fi; a hotel gives you a username and password so that only its guests can use the Wi-Fi.

Because of how captive portals work, that identification is keyed to the MAC address. Starting with NetworkManager 1.4.0 (the connection manager most Linux desktops use), automatic MAC address randomization is built in, and with the wrong settings you can find yourself unable to get Internet access through a captive portal, or tripping over MAC-based filtering configured on the router.

And for penetration testers there are of course further reasons to change the MAC address: to impersonate another client that has already been granted access through the portal and reuse its open path to the Internet, or to reduce what the network can learn about the testing machine.

    Who can see my MAC address?

The MAC address is used to move frames on the local network. It is not carried along when you connect to websites or to anything else beyond your local segment, so in general a remote party cannot see it. There are exceptions, however: some protocol features and bugs expose it beyond the LAN. The best-known is IPv6 stateless address autoconfiguration without privacy extensions, where the MAC is embedded in the EUI-64 interface identifier of a globally routable address.

If you connect to the router over the local network, the router knows your MAC address, but a site you open on the Internet cannot learn your MAC address from the connection itself.

All devices on the local network can see each other’s MAC addresses, and many scanners (arp-scan, for example) will list them for you. Wireless interfaces are a slightly different case. If you are connected to an access point (router), the usual local-network rules apply: the router and the other devices can learn your MAC address. But in addition, anyone within range of your Wi-Fi signal (with a phone or a laptop) can capture it over the air, whether or not they are on the same network.
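The IPv6 exception mentioned above can be checked with a few lines of shell. The following script is an added example, not part of the original article: it builds the link-local address a host without privacy extensions derives from its MAC, and recovers the MAC from any EUI-64-based IPv6 address of the kind `ip -6 addr` prints. The MACs are the ones used elsewhere on this page; the 2001:db8::/32 prefix is the IPv6 documentation prefix.

```shell
#!/bin/sh
# Added example (not from the original article): how a MAC address leaks
# beyond the local network through IPv6 addresses built from it.

# MAC -> modified EUI-64 interface identifier (the low 64 bits of an
# autoconfigured IPv6 address): split the MAC in half, insert ff:fe in the
# middle and flip the universal/local bit (bit 1 of the first octet).
# Groups are printed without zero compression.
mac_to_eui64_iid() {
    set -- $(printf '%s' "$1" | tr 'A-F' 'a-f' | tr ':' ' ')
    [ $# -eq 6 ] || return 1
    first=$(( 0x$1 ^ 2 ))
    printf '%02x%s:%sff:fe%s:%s%s' "$first" "$2" "$3" "$4" "$5" "$6"
}

# The link-local address a host without privacy extensions would
# configure for that MAC.
mac_to_link_local() {
    iid=$(mac_to_eui64_iid "$1") || return 1
    printf 'fe80::%s' "$iid"
}

# Reverse direction: given an IPv6 address as printed by `ip -6 addr`
# (leading zeros of a group may be stripped), recover the MAC. Fails when
# the interface identifier is not EUI-64 derived, e.g. an RFC 4941
# privacy-extensions temporary address, which reveals nothing about the
# hardware.
eui64_addr_to_mac() {
    set -- $(printf '%s' "$1" | awk -F: 'NF >= 4 {print $(NF-3), $(NF-2), $(NF-1), $NF}')
    [ $# -eq 4 ] || return 1
    g1=$(printf '%04x' $(( 0x$1 ))); g2=$(printf '%04x' $(( 0x$2 )))
    g3=$(printf '%04x' $(( 0x$3 ))); g4=$(printf '%04x' $(( 0x$4 )))
    # The ff:fe filler sits in the low byte of group 2 and the high byte of group 3.
    [ "${g2#??}" = ff ] && [ "${g3%??}" = fe ] || return 1
    first=$(( 0x${g1%??} ^ 2 ))
    printf '%02x:%s:%s:%s:%s:%s' "$first" "${g1#??}" "${g2%??}" "${g3#??}" "${g4%??}" "${g4#??}"
}
```

If `eui64_addr_to_mac` succeeds on one of your own global addresses, anyone you talk to over IPv6 can read your hardware address straight out of the packet; on a modern desktop it should fail, because the kernel prefers temporary addresses, and after a MAC change the link-local address changes with it.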


    NetworkManager may reassign MAC installed by other programs

Starting with NetworkManager 1.4.0, the program supports MAC address spoofing and offers a number of options for it.

To understand them, two distinctions are needed.

First, network adapters are:

• wired (ethernet);
• wireless (wifi).

MAC rules are configured separately for each group.

Second, a wireless adapter can be in one of two states:

• scanning (searching for networks, not connected): controlled by the property wifi.scan-rand-mac-address, which defaults to yes, meaning an arbitrary MAC address is used while scanning. The other accepted value is no;
• connected to a network: controlled by the property wifi.cloned-mac-address, whose default behaviour is preserve.

For the wired interface (property ethernet.cloned-mac-address) and the wireless interface in the connected state (property wifi.cloned-mac-address) the following values (modes) are available:

• an explicitly specified MAC address (i.e. you write the value you want assigned to the interface)
• permanent: use the MAC address burned into the device
• preserve: do not change the device’s MAC address on activation (for example, if the MAC has been changed by another program, the current address is kept)
• random: generate a random address for each connection
• stable: like random, a generated address, BUT connecting to the same network yields the same value every time
• NULL / unset: the default, which falls back to the global default settings. If no global default is set, NetworkManager falls back to preserve.

If you try to change the MAC in other ways and the change does not stick, it is entirely possible that NetworkManager, which sets the MAC by its own rules, is to blame. Since most Linux distributions install NetworkManager with its graphical interface and run it by default, the first step in solving the problem is to understand how NetworkManager works and by which rules.


NetworkManager settings, including those related to MAC addresses, can be made in the file /etc/NetworkManager/NetworkManager.conf or by adding an extra file with the .conf extension to the directory /etc/NetworkManager/conf.d.

The second option is strongly recommended: an update of NetworkManager can replace the main .conf file, and changes you made in /etc/NetworkManager/NetworkManager.conf would then be overwritten.


If you want the MAC address to be replaced on each connection, but the same MAC reused when connecting to the same network, create the file /etc/NetworkManager/conf.d/mac.conf:

sudo gedit /etc/NetworkManager/conf.d/mac.conf

Add the following lines:


The lines with ethernet.cloned-mac-address and wifi.cloned-mac-address can be added individually or together.

Check the current values:

ip link

Restart the service:

sudo systemctl restart NetworkManager

Now connect to a wired and to a wireless network and check the MAC values again.

As you can see, the MAC is replaced for both the wired and the wireless interface.

As already mentioned, the same addresses are generated for the same networks; if you want a different MAC every time, even on the same networks, the lines should look like this:



Ubuntu and Linux Mint ship NetworkManager versions that support automatic MAC configuration. Yet if you connect a Wi-Fi card on Ubuntu or Linux Mint you will see the real MAC. This is because the file /etc/NetworkManager/NetworkManager.conf explicitly tells it not to randomize:

To change this, open the file:

sudo gedit /etc/NetworkManager/NetworkManager.conf

and delete the lines:


or comment them out so that they read:


or change no to yes:


Then restart NetworkManager:

sudo systemctl restart NetworkManager

In the same way you can add lines to replace the MAC (these settings create a new address for each connection, but reuse the same address when connecting to the same network):
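Since the screenshots of the configuration lines did not survive on this page, here is an added example (not from the original article) that writes the equivalent settings as a drop-in under /etc/NetworkManager/conf.d, using NetworkManager’s documented keys: wifi.scan-rand-mac-address in the [device] section, and ethernet.cloned-mac-address / wifi.cloned-mac-address in the [connection] section, set to stable (same MAC per network) or random (new MAC every time). The file name mac.conf is an assumption. The script also detects the wifi.scan-rand-mac-address=no line that Ubuntu and Linux Mint put in NetworkManager.conf; because files in conf.d are read after the main file and the last setting of a key wins, the drop-in overrides that line without touching the packaged file.

```shell
#!/bin/sh
# Added example (not from the original article): install MAC randomization
# as a NetworkManager drop-in, so package upgrades cannot overwrite it.
# Run as root: sh nm-mac.sh apply stable|random

# Write the drop-in. $1 = conf.d directory, $2 = "stable" (the same
# generated MAC every time you join the same network) or "random" (a new
# MAC on every connection).
write_mac_conf() {
    dir=$1; mode=$2
    case "$mode" in
        stable|random) ;;
        *) echo "mode must be stable or random, got '$mode'" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    cat > "$dir/mac.conf" <<EOF
# Wi-Fi scanning (not yet connected): send probe requests from a random MAC.
[device]
wifi.scan-rand-mac-address=yes

# Connected state: defaults for profiles that leave cloned-mac-address unset.
[connection]
ethernet.cloned-mac-address=$mode
wifi.cloned-mac-address=$mode
EOF
}

# Ubuntu and Linux Mint ship NetworkManager.conf with scan randomization
# switched off. Report whether the file $1 still contains that line. The
# drop-in above is read later and overrides it, so the packaged file can be
# left alone.
main_disables_scan_rand() {
    grep -Eq '^[[:space:]]*wifi\.scan-rand-mac-address[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

case "${1:-}" in
    apply)
        write_mac_conf /etc/NetworkManager/conf.d "${2:-stable}" || exit 1
        if main_disables_scan_rand /etc/NetworkManager/NetworkManager.conf; then
            echo "note: NetworkManager.conf sets wifi.scan-rand-mac-address=no; the drop-in overrides it" >&2
        fi
        systemctl restart NetworkManager
        ;;
esac
```

After the restart, reconnect and compare `ip link` with the permanent address: the change is only visible once a connection is activated, because the connected-state rule is applied at activation time.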




We will use the ip program, which ships in the iproute2 package.

Start by checking the current MAC address with the command:

ip link show interface_name

where interface_name is the name of the network interface you want to look at. If you do not know the name, or want to see all interfaces, run the command without it:

ip link show

The part we are interested in follows “link/ether” and is a 6-byte number. It will look something like this:

link/ether 00:c0:ca:96:cf:cb

The first step in spoofing the MAC address is to bring the interface down. This is done with the command

sudo ip link set dev interface_name down

where interface_name is replaced by the real name. In my case it is wlan0, so the real command is:

sudo ip link set dev wlan0 down

Next comes the MAC change itself. You can use any hexadecimal value, but some networks are configured not to hand out IP addresses to clients whose MAC does not match a known vendor (manufacturer). To connect to such networks successfully, use the MAC prefix of a real vendor (the first three bytes) and pick arbitrary values for the remaining three.

To change the MAC, run:

sudo ip link set dev interface_name address XX:XX:XX:XX:XX:XX

where XX:XX:XX:XX:XX:XX is the desired new MAC.

For example, to set the hardware address EC:9B:F3:68:68:28 on my adapter, the command is:

sudo ip link set dev wlan0 address EC:9B:F3:68:68:28

In the last step we bring the interface back up, with a command of the form:

sudo ip link set dev interface_name up

For my system, the real command:

sudo ip link set dev wlan0 up

To check that the MAC really changed, run again:

ip link show interface_name

The value after “link/ether” should be the one you set. If it is not, and the interface is managed by NetworkManager, check the cloned-mac-address setting described above: NetworkManager applies its own rule whenever it activates the connection.
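Putting the steps above together, here is an added example script (not from the original article) that checks the requested address, applies it with the same three ip commands, and reads the result back from /sys/class/net. It also generates addresses the way macchanger does: fully random with the locally administered bit set, or random in the last three octets only, keeping a real vendor’s OUI for networks that reject unknown manufacturers. The interface name wlan0 and the ALFA OUI 00:c0:ca are taken from the page’s own output; DRY_RUN and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate a spoofed MAC and
# apply it with ip(8), validating the input and verifying the result.
# Run as root: sh spoof.sh wlan0 [MAC]

# Format check: six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Bit 0 of the first octet marks a multicast (group) address; a NIC cannot
# use one as its own source address, so refuse it before touching the link.
unicast_mac() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Fully random MAC, like `macchanger -r`: six random bytes, then force the
# first octet to unicast (clear bit 0) and locally administered (set bit 1).
gen_random_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 | 2) & 254 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Vendor-preserving MAC, like `macchanger -e`: keep the first three octets
# (the OUI) of $1 and randomize the last three. Use this on networks that
# refuse clients with an unknown vendor prefix.
gen_vendor_mac() {
    oui=$(printf '%s' "$1" | cut -d: -f1-3 | tr 'A-F' 'a-f')
    set -- $(od -An -N3 -tu1 /dev/urandom)
    printf '%s:%02x:%02x:%02x' "$oui" "$1" "$2" "$3"
}

# Run a command, or only print it when DRY_RUN=1 (review the sequence
# without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The three-step procedure from the article (link down, set address, link
# up), followed by a sysfs read-back to confirm the kernel took the address.
spoof_mac() {
    ifname=$1; mac=$2
    valid_mac "$mac" || { echo "malformed MAC: $mac" >&2; return 1; }
    unicast_mac "$mac" || { echo "multicast MAC rejected: $mac" >&2; return 1; }
    run ip link set dev "$ifname" down || return 1
    run ip link set dev "$ifname" address "$mac" || return 1
    run ip link set dev "$ifname" up || return 1
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    actual=$(cat "/sys/class/net/$ifname/address")
    [ "$actual" = "$(printf '%s' "$mac" | tr 'A-F' 'a-f')" ] || {
        echo "MAC on $ifname is $actual, not $mac (NetworkManager may have reset it)" >&2
        return 1
    }
}

if [ -n "${1:-}" ]; then
    spoof_mac "$1" "${2:-$(gen_random_mac)}"
fi
```

Run it as root: `sh spoof.sh wlan0` picks a random MAC, `sh spoof.sh wlan0 EC:9B:F3:68:68:28` sets a specific one, and `DRY_RUN=1 sh spoof.sh wlan0` only prints the ip commands. If the read-back fails on an interface managed by NetworkManager, its cloned-mac-address rule (see above) has reapplied its own address on activation.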


Another method uses macchanger (also known as GNU MAC Changer). It offers several functions, such as changing the address so that it matches a particular manufacturer, or randomizing it completely.

Install macchanger; it is usually present in the official repositories, and in Kali Linux it is installed by default.

While the MAC is being changed the device must not be in use: it should not be connected to anything and should not be in the up state. To bring the interface down:

sudo ip link set dev interface_name down

For the spoofing itself you have to specify the interface name; in each of the following commands replace wlan0 with the name of the interface whose MAC you want to change.

To see the MAC values, run the command with the -s option:

sudo macchanger -s wlan0

Something like this is shown:

Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)

The “Current MAC” line is the address in use at the moment and “Permanent MAC” is the fixed (real) address.

To spoof the MAC with a completely arbitrary address (option -r):

sudo macchanger -r wlan0

Roughly the following is displayed:

Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
New MAC:       be:f7:5a:e7:12:c2 (unknown)

The first two lines were explained above; “New MAC” is the new address.

To randomize only the bytes that identify the individual device and keep the vendor part of the current MAC address (i.e. a lookup of the new MAC still shows the same vendor), run the command with option -e:

sudo macchanger -e wlan0

To set the MAC address to a specific value, run (option -m):

sudo macchanger -m XX:XX:XX:XX:XX:XX wlan0

where XX:XX:XX:XX:XX:XX is the MAC you want to change to.

Finally, to return the MAC address to the original, permanent value burned into the hardware (option -p):

sudo macchanger -p wlan0


NetworkManager now provides a wealth of MAC spoofing capabilities, including changing to a random address or to a specific one. One peculiarity of NetworkManager is its separation of “scanning” and “connected” modes, i.e. you may not see that the settings you made have taken effect until you connect to a network.

If after changing the MAC you have trouble connecting (you cannot join networks, wired or wireless), a likely reason is that the network rejects clients whose MAC does not belong to a known vendor (manufacturer). In that case use the first three octets (bytes) of a real vendor’s prefix and make the remaining three octets arbitrary.

    The Art of Mac Malware: The Guide to Analyzing Malicious Software


    Nov 14 2022

    Privacy4Cars Secures Fourth Patent to Remove Privacy Information From Vehicles and Create Compliance Logs

    Data-deletion service’s patent covers removing personal information such as geolocation, biometrics, and phone records from a vehicle by using a user-computing device


Privacy4Cars, the first privacy-tech company focused on solving the privacy and security issues posed by vehicle data to protect consumers and automotive businesses, announced today that it has secured a new patent, further expanding its patent coverage for removing privacy information from a vehicle by using a user computing device. This patent grant marks the fourth patent that the U.S. Patent & Trademark Office has awarded to Privacy4Cars in the past three years and provides further evidence that the company is the leading innovator in the vehicle data privacy and security field.

Since its launch in 2018, Privacy4Cars has emerged as the industry standard across auto finance companies (including captives, national and regional banks, auto lenders, and credit unions), fleets and fleet management companies, and franchised and independent dealerships. Many of today’s top companies in the automotive space, including the three largest OEMs’ captives, have adopted the data-deletion service powered by the Privacy4Cars platform, and a growing number of industry associations have begun speaking out about the need to clear personal information from cars, and tapping Privacy4Cars as a resource to educate members.

    “Used vehicles are akin to large, unencrypted hard drives full of consumers’ sensitive Personal Information, including identifiers, geolocation, biometrics, and phone records,” said Andrea Amico, CEO and founder of Privacy4Cars. “This creates service, reputation, and increasingly major regulatory challenges, including the obligations companies face under the new Safeguards Rule (coming into effect on Dec. 9, 2022) and a host of existing and new state laws. At the same time, federal and local agencies are increasingly concerned about the personal information vehicles capture and store — which is driving more and more auto businesses to look for reliable solutions to simply and effectively delete data from vehicles while creating by design detailed compliance logs that prove their efforts,” he continued. “This new patent demonstrates Privacy4Cars’ commitment to meet the growing compliance and service needs of our partners. Privacy4Cars has established itself as the clear leader in the vehicle privacy space and companies increasingly recognize the superior efficiency, effectiveness, and compliance outcomes our proprietary solution offers, making Privacy4Cars the only obvious choice”.

    Privacy4Cars’ newly awarded U.S. Patent No. 11,494,514 expands the scope of patent protection for the vehicle data privacy and security innovations of Privacy4Cars’ U.S. Patent No. 11,256,827, U.S. Patent No. 11,157,648 and U.S. Patent No. 11,113,415. The new patent covers the use of a user computing device to remove privacy information from a vehicle and to create feedback about the information removal activity, including deletion logs for use in legal compliance applications.

    Privacy4Cars is currently available in the US, Canada, UK, EU, Middle East, India, and Australia, and plans to further expand its geographical reach to address the growing number of countries that have comprehensive privacy and data security laws. Privacy4Cars is available to consumers as a free-to-download app, and to businesses as a subscription service. Businesses can use Privacy4Cars’ stand-alone app or choose to integrate Privacy4Cars’ Software Development Kit to easily embed its patented data deletion solution as a feature inside their own apps.

For more information about Privacy4Cars, please visit: https://privacy4cars.com.

ABOUT PRIVACY4CARS

    Privacy4Cars is the first and only technology company focused on identifying and resolving data privacy issues across the automotive ecosystem. Our mission, Driving Privacy, means offering a suite of services to expand protections for individuals and companies alike, by focusing on privacy, safety, security, and compliance. Privacy4Cars’ patented solution helps users quickly and confidently clear vehicle users’ personal information (phone numbers, call logs, location history, garage door codes, and more) while building compliance records. For more information, please visit: https://privacy4cars.com/

    SOURCE: Privacy4Cars

    Privacy4Cars: delete car data on the App Store

    Multilayered Security and Privacy Protection in Car-to-X Networks: Solutions from Application down to Physical Layer

    Tags: Privacy4Cars

    Aug 01 2022

    Privacy guidance, audits, tools, training and software

    Privacy Main Page, Office of Privacy and Open Government, U.S. Department  of Commerce


    DISC InfoSec

    #InfoSecTools and #InfoSectraining




    Tags: Privacy guidance, Tools, training

    May 08 2022

    As data privacy laws expand, businesses must employ protection methods

    Category: Information Privacy,Security and privacy LawDISC @ 10:30 am

Data protection is challenging for many businesses because the United States does not currently have a national privacy law, like the EU’s GDPR, that explicitly outlines the means for protection. Lacking a federal law, several states have signed comprehensive data privacy measures into law. The California Privacy Rights Act (CPRA) will replace the state’s current privacy law and take effect on January 1, 2023, as will the Virginia Consumer Data Protection Act (VCDPA). The Colorado Privacy Act (CPA) will commence on July 1, 2023, while the Utah Consumer Privacy Act (UCPA) begins on December 31, 2023.

    For companies doing business in California, Virginia, Colorado and Utah*  —  or any combination of the four —  it is essential for them to understand the nuances of the laws to ensure they are meeting protection requirements and maintaining compliance at all times. 

    Understanding how data privacy laws intersect is challenging

    While the spirit of these four states’ data privacy laws is to achieve more comprehensive data protection, there are important nuances organizations must sort out to ensure compliance. For example, Utah does not require covered businesses to conduct data protection assessments  —  audits of how a company protects data to determine potential risks. Virginia, California and Colorado do require assessments but vary in the reasons why a company may have to take one.

    Virginia requires companies to undergo data protection assessments to process personal data for advertising, sale of personal data, processing sensitive data, or processing consumer profiling purposes. The VCDPA also mandates an assessment for “processing activities involving personal data that present a heightened risk of harm to consumers.” However, the law does not explicitly define what it considers to be “heightened risk.” Colorado requires assessments like Virginia, but excludes profiling as a reason for such assessments. 

    Similarly, the CPRA requires annual data protection assessments for activities that pose significant risks to consumers but does not outline what constitutes “significant” risks. That definition will be made through a rule-making process via the California Privacy Protection Agency (CPPA).

    The state laws also have variances related to whether a data protection assessment required by one law is transferable to another. For example, let’s say an organization must adhere to VCDPA and another state privacy law. If that business undergoes a data protection assessment with similar or more stringent requirements, VCDPA will recognize the other assessment as satisfying their requirements. However, businesses under the CPA do not have that luxury  —  Colorado only recognizes its assessment requirements to meet compliance.

    Another area where the laws differ is how each defines sensitive data. The CPRA’s definition is extensive and includes a subset called sensitive personal information. The VCDPA and CPA are more similar and have fewer sensitive data categories. However, their approaches to sensitive data are not identical. For example, the CPA views information about a consumer’s sex life and mental and physical health conditions as sensitive data, whereas VCDPA does not. Conversely, Virginia considers a consumer’s geolocation information sensitive data, while Colorado does not. A business that must adhere to each law will have to determine what data is deemed sensitive for each state in which it operates.

    There are also variances in the four privacy laws related to rule-making. In Colorado and Utah, rule-making will be at the discretion of the attorney general. Virginia will form a board consisting of government representatives, business people and privacy experts to address rule-making. California will engage in rule-making through the CPPA.

    The aforementioned represents just some variances between the four laws — there are more. What is clear is that maintaining compliance with multiple laws will be challenging for most organizations, but there are clear measures companies can take to cut through the complexity.

    Overcoming ambiguity through proactive data privacy protection

    Without a national privacy law to serve as a baseline for data protection expectations, it is important for organizations that operate under multiple state privacy laws to take the appropriate steps to ensure data is secure regardless of regulations. Here are five tips. 

    It is critical to have someone on staff or to serve as a consultant who understands privacy laws and can guide an organization through the process. In addition to compliance expertise, legal advice will be a must to help navigate every aspect of the new policies. 

    Identify data risk 

    From the moment a business creates or receives data from an outside source, organizations must first determine its risk based on the level of sensitivity. The initial determination lays the groundwork for the means by which organizations protect data. As a general rule, the more sensitive the data, the more stringent the protection methods should be.

    Create policies for data protection

    Every organization should have clear and enforceable policies for how it will protect data. Those policies are based on various factors, including regulatory mandates. However, policies should attempt to protect data in a manner that exceeds the compliance mandates, as regulations are often amended to require more stringent protection. Doing so allows organizations to maintain compliance and stay ahead of the curve.

    Integrate data protection in the analytics pipeline

    The data analytics pipeline is being built in the cloud, where raw data is converted into usable, highly valuable business insight. For compliance reasons, businesses must protect data throughout its lifecycle in the pipeline. This implies that sensitive data must be transformed as soon as it enters the pipeline and then stays in a de-identified state. The data analytics pipeline is a target for cybercriminals because, traditionally, data can only be processed as it moves downstream in the clear. Employing best-in-class protection methods — such as data masking, tokenization and encryption — is integral to securing data as it enters the pipeline and preventing exposure that can put organizations out of compliance or worse.

    Implement privacy-enhanced computation

    Organizations extract tremendous value from data by processing it with state-of-the-art analytics tools readily available in the cloud. Privacy-enhancing computation (PEC) techniques allow that data to be processed without exposing it in the clear. This enables advanced-use cases where data processors can pool data from multiple sources to gain deeper insights. 

    The adage, “An ounce of prevention is worth a pound of cure,” is undoubtedly valid for data protection — especially when protection is tied to maintaining compliance. For organizations that fall under any upcoming data privacy laws, the key to compliance is creating an environment where data protection methods are more stringent than required by law. Any work done now to manage the complexity of compliance will only benefit an organization in the long term.  

    *Since writing this article, Connecticut became the fifth state to pass a consumer data privacy law.

    Data Privacy Law: A Practical Guide to the GDPR

    Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices




    Tags: Privacy by Design, Security and privacy Law

    Apr 18 2022

    Trans-Atlantic Data Privacy Framework’s Impact on AppSec

    Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will “reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”

    This is encouraging news. As The National Law Review pointed out, the EU had concerns about the protection of their citizens’ data from U.S. government surveillance. But it may also be the push needed to advance greater data privacy protections in America.

    “The joint statement references the U.S. putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available,” said Stephen Bailey of NCC Group in an email comment.

    Data Privacy and AppSec

    The world runs on apps, so it is necessary to look at how the Trans-Atlantic Data Privacy Framework will impact app development and app security.

    “For application developers, the single biggest challenge to complying with increasingly rigorous data protection frameworks is getting control of their data, particularly sensitive and personally identifiable information,” explained Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance.

    Today, every new app, whether bought or built, traps data in a silo, which can only be connected through the exchange of copies or point-to-point data integration.

    “These copies make it incredibly difficult—and in some cases, even impossible—to support GDPR outcomes like ubiquitous data access controls, portability, custodianship, deletion (the right to be forgotten) and precision auditability: Things that could potentially, although they’re unlikely to, be included in the post-Privacy Shield framework. But they are definitely looming on the horizon both internationally and domestically, for example, in California and Utah,” said McLellan.

    As data privacy frameworks become more common and we begin to see more joint efforts internationally, organizations have to think about how they share and store data in the future, taking compliance requirements into greater consideration.

    Organizations need to get more serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage, McLellan says. They should be exploring ways now to eliminate data silos and copies that have resulted in rampant data proliferation.


    No Quick Fixes

    But, as McLellan pointed out, there are no quick fixes. Unwinding years of “an app for everything and a database for every app” mantra will be difficult, and McLellan believes this is best approached in two stages.

    Stage One: Immediately treat the symptoms of data proliferation by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent. “They should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps (e.g. Google Analytics), over which they have no control,” McLellan explained. “Organizations should also adopt processes and workflows that help them establish ‘purpose-based’ data access requests.”

    Stage Two: Organizations should explore ways to address the root causes of data proliferation. Everyone within the organization’s technology teams—CIO, CDO, application development, data and IT teams—should familiarize themselves with emerging frameworks like zero-copy integration, a framework that is on track to become a national standard in Canada.

    “It’s the evolution of privacy-by-design and signals the beginning of the end for application-specific data silos and copy-based data integration. Such frameworks are made possible by new categories of technology, including data fabrics, dataware and blockchain that support ‘zero copy’ digital innovation. Many leading organizations, particularly in finance and health care, are already ahead of the curve in adopting this approach,” said McLellan.

    Data protection regulations at home and abroad reflect a burgeoning global trend toward citizens and consumers gaining greater control and ownership of data as its rightful owner.

    “These regulatory shifts,” said McLellan, “will need to be met by an equally significant shift in how U.S. businesses manage data and build new applications if there’s any hope to comply with new laws as they’re passed.”

    Data Privacy: A runbook for engineers




    Tags: Data Privacy Framework, Data privacy runbook

    Mar 10 2022

    Build your DPO career with self-paced online learning

    Category: GDPR,Information Privacy,Security and privacy LawDISC @ 10:15 am

    Are you planning a career as a DPO (data protection officer)?

    Certified GDPR Foundation, Practitioner and Data Protection Officer (C-DPO) Accelerated Self-Paced Online Combination Training Course
Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.

    Delivered by an experienced data privacy consultant, the Certified GDPR Foundation, Practitioner and Data Protection Officer (C-DPO) Accelerated Self-Paced Online Combination Training Course provides the knowledge to implement and maintain GDPR compliance and fulfil the DPO role.

    Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.

    The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.

    Don’t Panic! I’m A Professional Data Protection Officer – 2023 Diary: Funny 2023 Planner Gift For A Hard Working Data Protection Officer

    Tags: data protection officer, DPO, DPO (data protection officer)

    Feb 21 2022

    BEC scammers impersonate CEOs on virtual meeting platforms

    The FBI warned that US organizations and individuals are being increasingly targeted in BEC attacks on virtual meeting platforms.

    The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.

    Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests.

    Cybercriminals target organizations of any size as well as individuals. In BEC attack scenarios, attackers pose as someone the targets trust, such as business partners, the CEO, other executives, or service providers.

    Scammers compromise legitimate business or personal email accounts through various means, such as social engineering or computer intrusion, in order to conduct unauthorized transfers of funds.

    Crooks started using virtual meeting platforms because of the popularity these platforms gained during the pandemic.

    The Public Service Announcement published by the FBI warns of a new technique adopted by scammers, who use virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts.

    “Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.

    Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.

    Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:

    • Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
    • Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
    • Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.

    Below are recommendations provided by the FBI:

    • Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
    • Use secondary channels or two-factor authentication to verify requests for changes in account information.
    • Ensure the URL in emails is associated with the business/individual it claims to be from.
    • Be alert to hyperlinks that may contain misspellings of the actual domain name.
    • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
    • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
    • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
    • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
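    As an added example (not from the FBI PSA or this post), the following Python turns the sender and hyperlink checks in the list above into a triage routine for one inbound message: it compares an executive's display name against the real mailbox, looks for misspelt or brand-embedding look-alike domains in the sender address and in links, and flags funds requests that need a secondary channel. The trusted domain, the executive roster and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: our mail domain, an executive roster, and the two sample messages at the bottom.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # lowercase display name -> real mailbox
FUNDS_RE = re.compile(r"\b(wire|transfer|payment|invoice|account (?:number|details))\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character misspellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is ours or unrelated."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # our domain or a genuine subdomain of it
    for trusted in TRUSTED_DOMAINS:
        # Misspelt within two edits, or our brand label embedded in a foreign domain.
        if edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return trusted
    return None


def triage(raw_message: str) -> list:
    """Apply the checks to one RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and address.lower() != expected:  # executive's display name, wrong mailbox
        findings.append(f"display name '{display}' but address is {address}, not {expected}")
    imitated = lookalike(sender_domain)  # sender domain is a look-alike of ours
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles {imitated}")
    for url in URL_RE.findall(body):  # hyperlinks whose host imitates our domain
        host = urlparse(url).hostname or ""
        if lookalike(host):
            findings.append(f"link host {host} resembles {lookalike(host)}")
    if FUNDS_RE.search(body) and (findings or sender_domain not in TRUSTED_DOMAINS):  # needs 2nd channel
        findings.append("funds/account request: verify through a secondary channel before acting")
    return findings


SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>

I'm stuck in a video meeting with no audio. Please process the wire today via https://example-corp-secure.com/invoice and confirm here.
"""
BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>

The Thursday agenda is at https://intranet.example-corp.com/agenda
"""
```

    Running `triage(SUSPICIOUS)` yields four findings (mailbox mismatch, look-alike sender domain, look-alike link host, unverified funds request), while `triage(BENIGN)` yields none.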

    Tags: CEO, scammers impersonate

    Feb 19 2022

    Google Privacy Sandbox promises to protect user privacy online

    Category: Information Privacy,Security and privacy LawDISC @ 12:34 pm

    Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.

    “Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties.” reads the announcement.

    Google is also committed to fighting and reducing covert data collection.

    The goals of the Privacy Sandbox are:

    • Build new technology to keep your information private
    • Enable publishers and developers to keep online content free
    • Collaborate with the industry to build new internet privacy standards

    Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.

    “Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates.” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”

    The Watchman Guide to Privacy

    Tags: Guide to Privacy, privacy

    Feb 17 2022

    50 Key Stats About Freedom of the Internet Around the World

    Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.

    Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.

    Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.

    To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:

    Digital Rights

    Freedom of Information

    Right to Internet Access

    Freedom from Internet Censorship

    Net Neutrality

    The Bottom Line

    The Internet in Everything: Freedom and Security in a World with No Off Switch

    Tags: digital privacy, Freedom of the Internet Around

    Feb 09 2022

    Adding Data Privacy to DevSecOps

    Category: Information PrivacyDISC @ 1:44 pm

    Colorado and Virginia passed new data privacy laws in 2021. Connecticut and Oklahoma are among the states that could enact new legislation around data privacy protections in 2022. California, which kicked off the conversation around data privacy at the state level, is updating its laws. Couple that with the EU’s GDPR and other data privacy laws enacted worldwide, and it is clear that data privacy has become incredibly important within cybersecurity. And that includes within the DevSecOps process.

    It’s been enough of a challenge to integrate security into the DevOps process at all, even though it is now recognized that adding security early in the SDLC can eliminate issues further along in app development and deployment. But adding data privacy? Is it really necessary? Yes, it is necessary, said Casey Bisson, head of product growth at BluBracket, in email commentary. Applications now include more and more personal data that needs protection, such as apps that rely on medical PII. Those apps must have security and privacy baked into each phase of the SDLC via DevSecOps.

    “There have been far too many examples of leaks of PII within code, for instance, because many companies don’t secure their Git repositories,” said Bisson. “As more sensitive information has made its way into code, it’s natural that hackers will target code. True DevSecOps will bake privacy concerns into every stage and will make these checks automated.”

    Data in the Test Process

    In DevSecOps, applications are developed often by using test data. “If that data is not properly sanitized, it can be lost,” said John Bambenek, principal threat hunter at Netenrich, in an email interview. “There is also the special case of secrets management and ensuring that development processes properly secure and don’t accidentally disclose those secrets. The speed of development nowadays means that special controls need to be in place to ensure production data isn’t compromised from agile development.”

    Beyond test data, real consumer data has to be considered. Ultimately, every organization has information they need to protect, so it’s important to focus on data privacy early in development so the team working on the platform can build the controls necessary into the platform to support the privacy requirements the data has, explained Shawn Smith, director of infrastructure at nVisium, via email. “The longer you wait to define the data relationships, the harder it is to ensure proper controls are developed to support them.”

    Bringing Privacy into DevSecOps

    Putting a greater emphasis on privacy within DevSecOps requires two things—data privacy protocols already in place within the organization and a strong commitment to the integration of cybersecurity with data privacy. “An organization needs to start with a strong privacy program and an executive in charge of its implementation,” said Bambenek. “Especially if the data involves private information from consumers, a data protection expert should be embedded in the development process to ensure that data is used safely and that the entire development pipeline is informed with strong privacy principles.”

    The DevSecOps team and leadership should have a strong understanding of the privacy laws and regulations—both set by overarching government rules and by industry requirements. Knowing the compliance requirements that must be met offers a baseline to measure how data must be handled throughout the entire app development process, Smith pointed out, adding that once you have the base to build upon, the controls and steps to actually achieve the privacy levels you want will fall into place pretty easily.

    Finally, Bisson advised DevSecOps professionals to shift security left and empower developers to prevent any credentials or PII from being inadvertently accessible through their code before it makes it to the cloud. “DevSecOps teams should scan code both within company repositories and outside in public repos; on GitHub, for instance. It’s so easy to clone code that these details and secrets can easily be leaked,” said Bisson.
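    One way to automate the code-scanning check Bisson describes, as an added example that is not from BluBracket or the original article: a pre-commit style scan of staged files for credentials and PII, with an allowlist so sanitized test fixtures do not trip it and redaction so the finding itself does not leak the secret. The patterns and sample files are constructed (the AKIA prefix is the public format of an AWS access key ID, and the sample key is AWS's published documentation example).

```python
import re
from typing import Dict, List, Tuple

# Illustrative patterns; the AKIA prefix is the public format of an AWS access key ID.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*[\"'][^\"']{6,}[\"']"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
BLOCKING = {"aws_access_key_id", "private_key", "hardcoded_password", "us_ssn"}  # email is warn-only
PLACEHOLDERS = {"123-45-6789"}  # sanitized fixture values that are not real PII


def is_placeholder(value: str) -> bool:
    """Sanitized test data is allowed: known dummy values and the reserved example.com domain."""
    return value in PLACEHOLDERS or value.lower().endswith("@example.com")


def redact(value: str) -> str:
    """The finding must not itself leak the secret: keep a 4-character prefix only."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line, kind, redacted match) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "# allow-secret" in line:  # explicit, reviewable override for false positives
            continue
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if not is_placeholder(m.group(0)):
                    findings.append((path, lineno, kind, redact(m.group(0))))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a mapping of path -> content, e.g. the staged files in a pre-commit hook."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def should_block_commit(findings) -> bool:
    """Block when any finding is a credential or PII; bare email addresses only warn."""
    return any(kind in BLOCKING for _, _, kind, _ in findings)


# Constructed repository contents; the AKIA value is AWS's published documentation example key.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "hunter2hunter2"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "tests/fixtures/customers.csv": "name,ssn,email\nTest User,123-45-6789,user@example.com\n"
                                    "Real Person,536-22-1847,rperson@gmail.com\n",
    "README.md": "Contact: maintainer@example.com\n",
}

if __name__ == "__main__":
    for path, lineno, kind, shown in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} {shown}")
    print("commit blocked:", should_block_commit(scan_repo(SAMPLE_FILES)))
```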

    Consumers don’t understand how or where in the development process security is added, and it’s not entirely necessary for them to understand how the sausage is made. The most important concern for them is that their sensitive data is protected at all times. For that to happen most efficiently, data privacy has to be an integral part of DevSecOps.

    Understanding Privacy and Data Protection: What You Need to Know

    #DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement

    Tags: DevSecOps

    Jan 13 2022

    CPRA Cheat sheet

    Download ISO/IEC 27701 2019 Standard and Toolkit

    CPRA compliance gap assessment tool 

    Tags: CPRA, CPRA Cheat sheet, CPRA compliance gap assessment tool, ISO 27701 2019 Standard and Toolkit

    Jan 10 2022

    Eight resolutions to help navigate the new hybrid office model

    Category: Information Privacy,Information SecurityDISC @ 12:37 pm

    Here are some resolutions to follow to ensure your organization safely navigates the new hybrid office model.

    1. Increase security awareness. The human factor is always the weakest link in cybersecurity. CISOs must stretch communications skills and create new channels to deliver education about information security. They must expand messages beyond phishing warnings to include topics such as laws and regulations that connect security with the business. Information privacy is a key topic.

    2. Know who is connecting. Throughout the pandemic, the challenge of secure connectivity has been persistent. The bottom line is that secure VPN, single sign-on, and two/multi factor authentication are a must to validate and only allow in authentic users. Access and security logs must be carefully analyzed to identify any suspicious activity.

    3. Secure VPNs and patch updates. VPNs hit the headlines at the start of the pandemic because many companies reinstated VPNs that were previously disabled without patching them first. Hackers took advantage of the situation, scanning for devices that they could exploit. Routine patching must be part of the security model and must be a top priority when it comes to safeguarding a business with work-from-home employees.

    4. Secure the cloud. The cloud and “on demand” models have become hugely important for helping users access the applications they need to do work from anywhere. While this shift to the cloud has its productivity benefits, it has not come without its security challenges. It is important to remember that cloud environments are not automatically secure when they are first created. Securing them requires knowledge and time. To keep business safe, security controls must span all environments – providing 360-degree application protection for both the application surface and the cloud application infrastructure.

    5. Know your suppliers. The SolarWinds vulnerability highlighted the need for companies to thoroughly evaluate the tools and services they integrate into their operations. This includes the careful installation and configuration of the product or service, tracking patches and new releases from the vendor, and monitoring for any suspicious behavior. In a highly sensitive environment, some companies may choose not to use third-party products or services.

    6. Know the enemy. From nation-state attacks and climate hacktivists to disgruntled employees, security teams need to understand the techniques, tactics, and procedures used by malicious actors. By getting to know their adversaries, security will be better prepared to detect and evict threat actors who might be targeting their environment. Many security companies issue threat alerts that can be used to gather the latest intel to inform a security strategy. Continuous monitoring and analysis are required to detect and respond to these threats as soon as possible.

    7. Maintain visibility. Companies need to make sure they can maintain visibility and consistency of security control posture across a collection of platforms, infrastructures, and technologies. Having visibility and control via security and development dashboards is a must. These dashboards should provide actionable analytics, automation, and customized controls.

    8. Balance the load. Companies need sufficient capacity to balance the load on the network and scale to meet the needs of remote workers. After all, there is no point in having a secure network if every time it is accessed by large numbers of employees it fails because it can’t cope with demand. Since employee productivity depends on applications being available and accessible, CISOs must find appropriate solutions that provide business continuity. Those with multiple data centers should use global load balancing to ensure availability across data centers and the cloud.

    CISOs have much to address moving forward in the new year. Fortunately, these eight resolutions can help ensure continuous improvements for safely navigating the new (out-of-) office reality.

    How to keep your home office Safe and Secure

    Hybrid Work Management

    Hybrid Work Management: How to Manage a Hybrid Team in the New Workplace (A super-short book about how to analyze, plan, manage, and evaluate your team’s hybrid work arrangement) by Hassan Osman

    Tags: hybrid office model, Hybrid Work Management

    Jan 02 2022


    Category: data security,Information Privacy,NIST PrivacyDISC @ 11:15 am

    The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can: 

    * Achieve scaled privacy compliance quickly
    * Remain one step ahead of legislative developments with affordable advice and support
    * Reduce privacy risks with one simple subscription service
    * Enjoy peace of mind with your own dedicated data privacy manager

    NIST Cybersecurity Framework

    NIST Cybersecurity Framework: A pocket guide by Alan Calder

    Data Governance

    Tags: Data Governance, NIST Cybersecurity Framework, NIST PRIVACY FRAMEWORK, Privacy as a Service
