A Real-World Example from the Workplace: Recently, a new employee at a company received a fraudulent text message on her personal phone, supposedly from the company’s president. The president had not sent any text, and the company had not stored her personal phone number. How did the threat actor know? It’s possible that a data broker linked the new employee’s private phone number with the president’s name at the new company by eavesdropping on a conversation, such as her telling a friend about her new job. Upon investigation, the employee found that some unexpected apps had access to her microphone.

A Real-Word Family Example: Last week, a husband and wife discussed dental options for their child at the breakfast table with their phones nearby. They hadn’t typed anything into a computer or searched online, yet less than an hour later, one received a text message from a company offering dental aligners. How could this happen? An app on their phone might have accessed the microphone, listened to the conversation, and shared the information with a data broker. The data broker then provided this information to a company selling dental aligners, prompting them to send a targeted text message. Have you or someone you know had similar experiences?

How It Happens: Some apps collect data, including audio data from a microphone, and sell it to data brokers, also known as Marketing Data Aggregation Warehouses. These brokers aggregate and sell data to various businesses, including marketing and advertising firms. These businesses then use the information to send targeted advertisements or, in the case of threat actors, perform sophisticated phishing attacks designed to extract sensitive information or commit fraud.

Apps are supposed to request your permission to access your microphone. However, this “user’s consent” often comes from clicking “Do you agree to the privacy policy” during installation. Most users do not read these policies and agree just to use the app. Privacy policies can be vague, stating that the user allows the app to collect information and share data with third parties.

Several types of apps can gather information for sale to data brokers and request microphone access in their privacy policies. These include:

• Social Media and Communication Apps: Use microphone access for features like voice messaging and video recording, sharing collected data for advertising.
• Virtual Assistants: Require microphone access for functionality, collecting voice queries and background noise for service improvement and advertising.
• Gaming Apps: Mobile games with voice chat request microphone access for communication, sharing user data for advertising.
• Productivity Apps: Note-taking and voice recorder apps request access for audio notes and transcriptions, collecting valuable user data.
• Health and Fitness Apps: Fitness trackers and health apps request microphone access for voice input, collecting sensitive health data.
• Utility Apps: Simple apps like flashlights and calculators sometimes request unnecessary permissions, including microphone access, to gather user data covertly.
• Marketing and Rewards Apps: Request location and microphone access to collect user data, which is then sold to data brokers.

These apps often include clauses in their privacy policies that allow microphone data collection, which users might unknowingly grant, leading to targeted advertising and other uses by data brokers.

For further reading, refer to articles like “FTC Cracks Down on Mass Data Collectors” by the Federal Trade Commission.

Protecting Your Privacy: To protect against such risks, Apple, Google, and Microsoft have all implemented ways to help ensure your microphone’s privacy even if users agree to the privacy policy. Instructions for disabling access to your mic are listed below. It’s crucial to regularly review and update app permissions on your devices, ensuring that only essential apps have access to sensitive data like the microphone.

Beyond Annoying Ads: Threat actors can use similar tactics to perform targeted attacks and commit fraud against individuals and their companies. For instance, the fraudulent text message received by the new employee could lead to more sophisticated phishing attacks intended for extracting sensitive information, transferring money, or other financial fraud.

Follow the instructions in the following draft memo you can send your workers and tell your family:

Memo to All Employees: Securing Your Microphone Privacy Settings

Dear Team,

We are committed to ensuring the privacy and security of our employees’ personal and professional information. Recent reports have highlighted the risks associated with apps accessing device microphones without explicit consent, potentially leading to targeted fraud and privacy breaches.

To protect your privacy and our organization’s security, we ask all employees to take a few moments to review and update the microphone privacy settings on their devices. Below are step-by-step instructions for various platforms:

For Apple Devices:

1. Go to Settings > Privacy > Microphone.
2. Turn off the microphone for all applications that do not need access to your mic.

For Android Devices:

1. Go to Settings > Type Microphone, Privacy, or Permission Manager in the search box. If you do not see the privacy settings, you might need to use a search engine or chatbot to find specific instructions for your device model and version of Android.
2. Turn off the microphone for all apps that do not need access to your mic.

For Windows:

1. Go to Settings > Privacy & Security > Microphone.
2. Turn off the microphone for all apps that do not need access to your mic.

For Macs:

1. Click on the Apple symbol > System Settings > Privacy & Security > Microphone.
2. Turn off the microphone for all apps that do not need access to your mic.

Practical Steps:

• Revoke Unnecessary Access: Disable microphone access for all apps that do not need it. Allow exceptions for essential apps such as video conferencing tools and browsers if you use them for meetings. If you are uncertain, restrict access; the app will request permission if it needs access in the future.
• Test Essential Apps: Before your next meeting, verify that the apps you frequently use for video conferencing and other essential functions work correctly with the microphone settings you have configured.
• Restrict Other Permissions: While adjusting your microphone settings, you’ll see other settings. To further protect your privacy, consider restricting access to your camera, location, contacts, and other sensitive data.

We live in a world where protecting our privacy is increasingly our responsibility. Threat actors are becoming more sophisticated, so it’s crucial to stay vigilant and proactive in securing our devices.

Thank you for your attention to this important matter. If you have any questions or need assistance, please ask.

(In the last sentence, you can give them more specific guidance on what to do if they have a question)

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Are Threat Actors Listening to Your Phone? Secure Your Mic to Reduce Security Risks and Protect Your Privacy appeared first on Foster Institute.

• They may be married and have a family
• Introverted with a close group of friends
• Often learned to program at a young age
• College educated, often in electronics, IT, or physics
• No social media accounts – to avoid drawing attention
• Believe that soft drugs, such as marijuana, help them work

Notice that the Secret Service doesn’t specify a gender.

Please forward this to your friends, so they know their adversaries a little bit better.

The post A Hacker Profile – Who Are They? appeared first on Foster Institute.

$250,000 if they can hack the autopilot
$100,000 if they can hack the modem or tuner
$100,000 if they can hack the key fob or phone-as-a-key

Microsoft, VMWare, and other companies are offering big prizes to someone for breaking their security.

Challenges like this are an excellent way for companies to find security holes in their hardware, software, and services. Most companies offer a bounty system to pay successful attackers every day of the year.

If you want to go, or even compete, the event is March 20-22 in Vancouver. Visit CanSecWest.com.

The post Tesla Will Give a Car to a Hacker if they can Break In appeared first on Foster Institute.

If you will be in Vegas, leave your laptop and phone at home – lest you end up on the infamous wall of shame for being hacked. The website is defcon dot org

The post Hacker Convention Starts Later This Week appeared first on Foster Institute.

Gaining access to your account can provide everything from photos stored in your phone, to the passwords of Wi-Fi access points to which you’ve connected to in the past. That is very concerning.

When attackers know your browsing history, your email messages, your past search terms and the links you’ve clicked, they can use that information to perform very effective attacks tailored to trick you and the members in your company. With knowledge of your passwords, they can wreak all kinds of havoc.

Go get an idea of the kind of data that is stored in the cloud and is potentially accessible to attackers who use the right tools, see google dot com /policies/privacy/

Additionally, there are tools available, such as cloud explorer, that make it easy for even non-technical attackers to conveniently gain access to the sensitive information stored in your phone.

Please forward this to whomever is concerned about their mobile device’s security.

The post Attackers Can Hack Your Phone Without Having Your Phone appeared first on Foster Institute.

Immediately change your password on Facebook.

If you haven’t done so, and every Facebook user should do this, turn on login approvals.

Go to Facebook dot com slash help and find the box at the top of the page named: Ask a question. Enter these words: How do I turn on login approvals.
Then follow the instructions.

Next, again at Facebook dot com slash help and, in the search box, enter: report an imposter account. The guide literally walks you through the process of what to do.

Please forward this to anyone you know who uses Facebook.

The post If Someone Impersonates You on Facebook appeared first on Foster Institute.

As demonstrated last week, attackers attempt to guess usernames and passwords on systems in an attempt to gain access to those computers.

The most concerning part, since your network is already under attack, is that one or more of the attempts might have been successful.

Those thousands of unsuccessful login attempts on a computer are, in a way, reassuring because the attacker was having difficulty finding a combination that worked.

The reason that some computers have fewer attack attempts can be because an attacker successfully gained access after a smaller number of guesses.

This is often the case since the attacks are automated so an attacker will not usually get tired of trying. Once one of the tries is successful, then that’s when the attacker stops guessing usernames and passwords. At that point, they already have access.

Have your internal, or outsourced, IT Pro examine failed logon attempts and see if the usernames seem random like the list published last week. If the usernames are similar to those on that list, then that’s an indication that an attacker was attempting to gain access. If there are a small number of attempts, then that attacker may have gained access to the computer.

Now that’s concerning.

Please forward this to your friends and associates so that they can be more aware of how to protect the security of their organization.

The post How To Know if a Password Attack Succeeded appeared first on Foster Institute.

Flash is a tool used on web-sites to, among other things, play videos.

When people visit websites, they can be vulnerable to what is referred to as a drive by download. Just by visiting a site, even a legitimate site, their computer may be exposed to an attack.

That attack can happen via a Flash video within an advertisement that was surreptitiously posted by an attacker.

It is always a good idea to use “click to play” functionality that prevents Flash content from running automatically.

Now, when Google stops accepting advertisements with Flash content, that will significantly diminish the Flash vector of attack.

The post No Flash Attacks After June 30 appeared first on Foster Institute.

Read the interview by entering this search phrase into Google:

My hack stole your credit card site:money.cnn.com

Forward this to your friends who want to discover this hacker’s point of view on attacking tens of thousands of companies…

The post This Hacker Tells All appeared first on Foster Institute.

Help protect yourself at the foundation: First, discuss and determine how aggressive you want to be with your patches – and get them applied. Second, be sure to make users something other than local administrators.

The post Hacking Easier than Protection appeared first on Foster Institute.