Monthly Archives: February 2017

Are Apple-specific threats on the rise?

For Mac users, security is in the numbers.

Macs are really no more secure than a PC, but for many years there just weren’t as many out there because of the expense of the hardware and other issues. They’ve historically been a much less popular choice among consumers, enterprises, and hackers alike.

The PC attack surface is much wider; therefore, criminals develop malware that works on PCs because the payout is much higher. James Plouffe, lead solutions architect at mobile-security company MobileIron, said there are, however, a couple of oft-overlooked things that also protect Macs.

First, Plouffe said, “macOS is actually a BSD Unix derivative. Granted, it’s heavily customized, but this meant that, unlike Windows (which had a long tail of viruses reaching back to the days of MS-DOS), bad actors had a lot more heavy lifting to do to be able to attack macOS.”

Apple was also a trend setter in that they were “the first major OS vendor to bring the concept of ‘app sandboxing’ to the desktop. There’s also an element of sandboxing available in Safari: each ‘tab’ runs as its own process and has its own sandbox. It’s not a panacea, of course, but it can go a long way toward preventing infection,” Plouffe said.

Still, humans remain the weakest link. In nearly one-third of breaches, “attackers were able to effect a compromise without having to rely on getting their code running. I think you’ll actually see that number grow, because techniques like social engineering and phishing are more durable and, more importantly, portable across platforms,” Plouffe said.

David Dufour, senior director of engineering at Webroot, said, “There hasn’t been a significant increase in Mac-specific malware but we are seeing a rise in cross platform threats such as spyware, adware, and potential unwanted applications on Macs.”


“Many of these incidents are occurring through exploits in third-party solutions from Adobe, Oracle’s Java and others, providing a mechanism for delivering malicious software and malware,” Dufour said.

The cause for the rise, said Dufour, is that “Attackers are adept at using exploits in third-party software to deliver malicious programs to Macs and other operating systems.”


Mikhail Kuzin, malware analyst at Kaspersky Lab, said Mac has seen a rise in AdWare because it’s an easy way for software developers to earn money.

“The most popular class of AdWare for Mac is now third-party installers. These programs allow those using it for distribution to include monetization of advertisements, showing some additional offers to the user during the installation process.”

One of the biggest security risks specific to Adware is that sometimes these additional offers install without an end user’s approval. “Often times, even when the approval is actually needed, the user may not notice the corresponding text with a checkbox, as it is usually extremely small and difficult to read. Instead, they just click ‘next,’ so a PUA is then detected,” Kuzin said.


Chester Wisniewski, Sophos senior security adviser and principal research scientist, said, “The opportunistic malware problem on Macs is definitely increasing.”

Unlike Windows, which has hundreds of millions of pirated installations that aren’t getting updates, there is less of that in the Mac world. Wisniewski said, “Apple makes it easy to keep up to date.”

Mac threat ignored

Still, the Mac threat has been largely ignored for a long time, but Mac users are starting to understand the need for more protection.

On the truly malicious side, there has been an uptick in password-stealing malware. “Mac Trojans that try to take your keychain to access corporate credentials, any and all credentials stored in the back keychain. It’s an opportunistic publicly known malware against Macs,” said Wisniewski.

“The Apple-specific malware is very different from what we see in the Windows world. There is very little ransomware. There was KeRanger ransomware for Mac, but that wasn’t very widespread. The vast majority of what we see are potentially unwanted applications (PUAs),” Wisniewski said.

Thomas Reed, director of Mac offerings at Malwarebytes, agreed that the biggest threat to Macs is unwanted applications. “In my eyes, there are three different categories: malware, which is outright malicious; adware, which is more scamming, less ethical; and the potentially unwanted programs (PUPs), which are not detected as malicious but nonetheless things you don’t want.”

Even though only seven different malware families for Macs were seen last year, which Reed said is on par with previous years, there has been a big explosion in adware and PUPs.

“There has been a lot of adware mostly belonging to Ironcore, Cross Rider, MacKeeper, and Advanced Mac Cleaner. These also affect machines in the Windows world,” Reed said.

While malware is the most harmful, adware is more of a scam toward the advertisers. “They get paid by advertising companies for putting ads in the user’s face. Injecting them into websites or replacing ads or redirecting the user to different search engines,” Reed said.

On the surface, these are not really harmful to the user or computer, but they can open up security holes. “They can create security vulnerabilities. A few years ago, there was a vulnerability in Mackeeper where they could create a custom URL so that if the user clicked it would open the URL in Mackeeper and run custom code in that URL. After that vulnerability was discovered it was being used to deliver malware onto Macs,” Reed said.

“Mac is not significantly or implicitly more secure,” said Reed. “It has good security features, but it is not bullet proof. It’s more security by obscurity. Most are targeting Windows where the big money is. The numbers really are a problem for Windows, but Macs are not bullet proof.”

Just recently, the first Mac-specific malware of the year, Fruitfly, was discovered. “It looks like it’s been around for a while. We think it traces back to at least 2014 probably earlier than that, but we are not sure. We also found a piece of malware for Windows that looks similar. It can run in Linux as well. This is a more sophisticated threat than we’ve seen on the Mac in a while,” Reed said.

Whether using a Mac or a PC, enterprises need to remember that in a targeted attack, the risks are equal. “Whether it’s a nation state or a malicious actor, if somebody is after your stuff, they are going to take over your system whether it’s one or the other,” Wisniewski said.

Enterprises should take steps to minimize their risk from adware. “The first step is to be vigilant, and carefully inspect what you’re installing and read all fine print. Educate yourself or your employees on how to recognize junk before you agree to download it,” Dufour said.

Installing antivirus software will also help to mitigate the risk from adware. “Traditionally, anti-virus software is built to detect and remove viruses and other serious malware, but some do protect against adware and PUAs. Anti-virus technology will further bolster protection against adware, especially when end user education falls short,” Dufour said.


via:  csoonline

Mac malware, possibly made in Iran, targets US defense industry

The malware has also been found targeting a human rights activist.

Just because you’re using a Mac doesn’t mean you’re safe from hackers. That’s what two security researchers are warning, after finding a Mac-based malware that may be an attempt by Iranian hackers to target the U.S. defense industry.

The malware, called MacDownloader, was found on a website impersonating the U.S. aerospace firm United Technologies, according to a report from Claudio Guarnieri and Collin Anderson, who are researching Iranian cyberespionage threats.

The fake site was previously used in a spear phishing email attack to spread Windows malware and is believed to be maintained by Iranian hackers, the researchers claimed.

Visitors to the site are greeted with a page about free programs and courses for employees of U.S. defense companies Lockheed Martin, Raytheon, and Boeing.

The malware itself can be downloaded from an Adobe Flash installer for a video embedded in the site. The website will provide either Windows or Mac-based malware, depending on the detected operating system.

[Image: Iran Threats – A screenshot of the fake site.]

The MacDownloader malware was designed to profile the victim’s computer, and then steal credentials by generating fake system login boxes and harvesting them from Apple’s password management system, Keychain.

However, the malware is of shoddy quality and is “potentially a first attempt from an amateur developer,” the researchers said.

For instance, once the malware is installed, it’ll generate a fake Adobe Flash Player dialog box, only to then announce adware was discovered on the computer that it’ll attempt to clean up.

“These dialogues are also rife with basic typos and grammatical errors, indicating that the developer paid little attention to quality control,” the researchers said.

In addition, the malware failed to run a script to download additional malicious code onto the infected Mac.

But despite the shoddy quality, the malware still managed to evade detection on VirusTotal, which aggregates antivirus scanning engines.

The researchers found other circumstantial evidence that the malware is linked to Iran. An exposed server that the MacDownloader agent uploaded to showed wireless networks called “Jok3r” and “mb_1986.” Both of these names have ties to previous Iranian hacking groups, including one known as Flying Kitten, which is suspected of targeting U.S. defense contractors and political dissidents.

In an email, Anderson said a colleague of theirs also observed MacDownloader targeting a human rights activist.

The danger is that many human rights supporters, especially in Iran, are dependent on Apple devices, the researchers said. “While this [malware] is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers,” they wrote in their report.

Mac malware is fairly rare, according to security researchers. That’s because hackers tend to attack Windows-based devices, because of their popularity.

However, Mac-based malware is still popping up here and there. Last month, researchers found another kind designed to spy on biomedical research centers. A separate Mac-based Trojan was found months earlier, targeting the aerospace industry.


via:  csoonline

‘Dangerous’ AirWatch security flaws found in Android apps

Even mobile security software sometimes falls prey to vulnerabilities.

VMware this week issued a security advisory regarding vulnerabilities with its AirWatch Agent and Inbox apps for Google Android.

Agent, the app for enrolling devices in AirWatch, detects rooted devices so IT can prevent them from having unrestricted access to corporate networks and data. A flaw in this feature allows rooted devices to bypass detection, however.

AirWatch’s containerized email app, Inbox, also has a potentially major security flaw. Rooted Android devices can decrypt any local data the app accesses, which could let unauthorized users access confidential data.

“VMware has a pretty solid reputation, so for these flaws to get out is a little surprising,” said Jack Narcotta, analyst at Technology Business Research Inc., in Hampton, N.H.

VMware responds to Android security flaws

VMware did not say how widespread the AirWatch security vulnerabilities are or for how long they have existed. The company notified customers and worked to resolve the issues in the AirWatch Android apps as soon as it became aware, a spokesperson said.

The Agent app vulnerability could leave an organization open to a denial-of-service attack, malware or a Trojan horse, Narcotta said.

“This could be very dangerous,” he said.

To resolve this issue, VMware urged IT departments to upgrade their Android users’ Agent apps to version 7.0.

To remedy the Inbox app problem, IT should push the version 2.12 update to users and update to AirWatch Console 9.0 Feature Pack 1. The updated management console lets IT enable pin-based encryption.


via:  techtarget

Your Smart TV Has Been Hijacked. To Continue, Please Pay Ransom

Cybercriminals that specialize in ransomware, which affects thousands of computers and mobile devices every year, are ramping up their attacks against businesses. It is here that they can get their hands on valuable information and large sums of cash. This particular kind of malware, which hijacks devices and demands a ransom for their return, has managed to conquer another kind of technology: smart TVs.

Last December, the American developer Darren Cauthon announced on Twitter that a family member’s television had fallen victim to one of these attacks. As Cauthon explained, it all came about after the victim had installed an app to watch movies on the Internet, apparently from a third-party website.

The television in question was an LG model that came out in 2014 and is compatible with Google TV, a version of Android tailored to televisions. Once it had infiltrated the device, the malicious software demanded a ransom of $500 to unlock the screen, which displayed a simulated warning from the Department of Justice.

[Image: screenshot of the ransom screen on the television]

The appearance of the false message would lead you to believe that it’s a version of the ransomware known as Cyber.police, also known as FLocker. Ordinarily this ransomware affects smartphones with Google’s operating system. After hijacking the device, the malware collects information from the user and the system, including contact information and the location of the device, to be sent encrypted to cybercriminals.

To avoid paying the ransom, Cauthon unsuccessfully attempted to restore the television set to factory settings, but eventually had to resort to the manufacturer’s own services to return it to the state prior to the installation of the malware. Although his relative managed to regain control of the machine without paying any sum to the criminals, he did end up having to pay the manufacturer $340 for the service, not much less than the ransom itself.

The Cauthon case has not caught security experts by surprise, given that last summer a team of researchers had warned of FLocker’s activity on smart TVs. In addition to the United States, ransomware attacks have been reported on smart TVs in Japan.

LG’s post-2014 models are no longer compatible with Google TV, but rather use webOS, an open source operating system based on Linux. However, new attacks should not be ruled out, as cybercriminals continually refine their tools, which are increasingly focused on infecting Internet of Things devices in businesses and in the household.

via:  pandasecurity

Vizio Agrees to $2.2M Settlement Over ‘Invasive’ Data Collection from Smart TVs

Vizio has agreed to fork over $2.2 million to settle complaints that the smart TV maker collected data on viewing habits from 11 million TVs without consumers’ knowledge or consent.

The sum will settle charges with the Federal Trade Commission (FTC) and the New Jersey attorney general’s office, announced the FTC in a press release on Monday.

According to the agencies’ complaint, beginning in February 2014, the company manufactured smart TVs that automatically captured second-by-second information about video displayed on the smart TV.

This included video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts and other streaming devices.

In addition to collecting this data, the federal and state agencies alleged that the company sold demographic information to third parties, including viewers’ sex, age, income, marital status, household size, education level, home ownership, and household value.

“The complaint alleges that Vizio’s data tracking – which occurred without viewers’ informed consent – was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws,” said the FTC.

A stipulated federal court order requires Vizio to prominently disclose and obtain consent for its data collection and sharing practices. It also prohibits misrepresentations about the privacy, security, or confidentiality of consumer information the company collects.

Furthermore, Vizio was ordered to delete data collected before March 1, 2016, and to implement a comprehensive data privacy program.

The fine includes a $1.5 million payment to the FTC and $1 million to the New Jersey Division of Consumer Affairs.

Vizio’s general counsel Jerry Huang responded to the FTC settlement in a statement, saying the company was pleased to reach a resolution.

“Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” said Huang.

The company also noted that the program never paired viewing data with personally identifiable information, such as name or contact information.

“Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and Vizio now is leading the way,” the company stated.


via:  tripwire

Are you watching your TV or is your TV watching you?

American television manufacturer Vizio has had its knuckles rapped and been forced to pay $2.2m in an agreement with the Federal Trade Commission after collecting data including IP addresses and demographic information on 11m users.

There is no suggestion that the company was retaining individuals’ information. The initial complaint, upheld unanimously by the New Jersey Division of Consumer Affairs, said that the TV contained a “smart interactivity” feature containing technology that “enables program offers and suggestions”. This entailed collecting data, but users were not informed about this.

The company’s Facebook page states that it has reached an agreement with the FTC on what it may and may not do with customer data, and the statement to which it links stresses that it was aggregating data rather than using it in any contentious manner.

The statement doesn’t mention the financial settlement, although the FTC’s own announcement makes the payment explicit, breaking it down as $1.5m to the FTC and $1m to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended. A number of hostile comments on the Facebook page have met with a simple direction to the company’s statement.

Arguably it would be difficult to direct people to programming they want to view without collecting data on their viewing habits and doing some sort of aggregation; the issue is that this wasn’t made explicit. Daniel Nesbitt, research director of Big Brother Watch, said:

In too many cases citizens simply have no idea what they’re handing over about themselves. All too often the vital information about how their personal data will be used is buried in jargon filled terms and conditions, which are all but unreadable to the average person. Companies have to start being much clearer about what they’re asking for.

Citizens should always be asked before their data is collected, they have to be able to understand how their information is being used and say no to it if they don’t feel comfortable.

Big Brother Watch has put together a paper on deciphering terms and conditions here.


via:  sophos

A bill requiring the government to obtain a warrant to search your email just flew through the House

A bill set to update online privacy laws dating back three decades just cruised through the House by unanimous vote for the second time. The bipartisan bill known as the Email Privacy Act (H.R. 387), introduced by Colorado Rep. Jared Polis and Kansas Rep. Kevin Yoder, would require the government to seek a warrant in order to access the email of American citizens.

As it stands, ambiguity surrounding the Electronic Communications Privacy Act (ECPA) — a law passed in 1986 — lets the government exercise warrantless searches if emails are more than 180 days old and live on third-party servers.

Last year, the same bill passed in the House before stalling out in the Senate, partly at the hands of Trump-appointed attorney general and then Senator Jeff Sessions from Alabama. Last June, Sessions proposed an amendment to the reinvented ECPA that would create exceptions for “emergency disclosures.” That surveillance-friendly loophole was just one of the tweaks that caused the bill to stall out before it could come to a vote.

Following the vote, Google Director of Law Enforcement and Information Security Richard Salgado issued a statement praising the House and urging the Senate to seize the “historic opportunity” for reform:

“The Email Privacy Act updates the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before it can compel companies like Google to disclose the content of users’ communications. Since 2010, Google has testified before Congress four times in support of this reform, which will protect all users, and we are proud of our efforts…

This Act will fix a constitutional flaw in ECPA, which currently purports to allow the government to compel a provider to disclose email contents in some cases without a warrant, in violation of the Fourth Amendment. The Email Privacy Act ensures that the content of our emails are protected in the same way that the Fourth Amendment protects the items we store in our homes.

This is consistent with the practice around the country already and what the Constitution requires; the Sixth Circuit Court of Appeals concluded in 2010 that ECPA is unconstitutional to the extent it permits the government to compel a service provider to disclose to the government a user’s electronic communications content without a warrant. Today’s vote demonstrates that this conviction is widely shared.”

In a statement on the bill, the ACLU’s Neema Singh Guliani also commended the House for once again passing the Email Privacy Act and implored the Senate to do the same:

“Last year, this bill’s progress was derailed by Senate efforts to water down its provisions and attach amendments that would have weakened Americans’ privacy. We urge the Senate to not repeat past mistakes; instead it should act quickly to pass legislation that ensures that Americans’ Fourth Amendment rights are protected in the digital age.”

With Sessions out of the way, the Email Privacy Act may find less friction in the Senate — but in 2017’s uncertain political climate, that doesn’t exactly have digital privacy advocates resting easy.


via: techcrunch

Eight years’ worth of police evidence wiped out in ransomware attack

Texas police in the town of Cockrell Hill have lost eight years’ worth of digital evidence after getting hit by a ransomware attack in December and refusing to pay up.

According to a news release posted by local station WFAA, this attack came about the same way that so many do: somebody in the department clicked on an email that had been doctored to look like it was coming from a legitimate, department-issued email address. The email planted a virus that then corrupted all files on the server.

The FBI’s Cybercrimes unit and the police department’s IT support staff determined that the best way to scrub all remnants of the virus was to wipe the server of all affected files.

So that’s what they did: they destroyed all Microsoft Office documents – including Word and Excel files – as well as all bodycam video, some photos, some in-car video, and some police department surveillance video, dating back as early as 2009.

Dallas Police Chief Stephen M Barlag said in a letter sent to the Dallas County district attorney’s office that the department had tried to save digital evidence from criminal cases, but the lost material is gone for good.

Every attempt was made to recover any potential digital evidence in criminal cases, however if requests are made for said material and it has been lost, there is no chance of recovery or producing the material.

Cockrell police don’t know how much digital data is lost, but Barlag stressed that they’ve still got hard copies of all documents and “the vast majority” of the videos and photographs on CD or DVD.

The digital data wasn’t being backed up automatically, Barlag said. Or rather, it was, but automatic backup didn’t kick in until after the server got infected, “so it just backed up infected files”. He added that of the lost files, “none of this was critical information”.

At least one defense attorney begs to differ. J Collin Beggs, a Dallas criminal defense lawyer, said: “Well, that depends on what side of the jail cell you’re sitting.”

Beggs has been asking for video evidence in a client’s case since the summer. The lost evidence came to light when Beggs questioned a police detective in court.

Why not just pay the ransom?

According to the department’s news release, the malware triggered a webpage that told police employees that their files were locked and that they’d get a decryption key if they forked over Bitcoins and transfer fees that amounted to nearly $4,000.

Don’t do it, said the FBI Cybercrimes unit: paying is no guarantee you’ll ever see that decryption key.

We were told by the FBI that paying doesn’t always get you your information back. They told us that some people whose files are infected pay, and they get their files back, but sometimes it doesn’t work. So we decided it was not worth it to pay, and potentially, not get anything back anyway.

This is all true, much to the chagrin, we’re sure, of the “honorable” ransomware disseminators. After all, they have a “brand” to protect. Most well-known ransomware brands have made sure you’ll get a key when you pay the ransom, in order to maintain a reputation that it’s worth paying up.

In fact, you could say that was what the CryptoLocker crew brought to the ransomware party. Crooks hadn’t made any money before because they either got the crypto wrong or failed to deal with payment for, and delivery of, the key.

The “honor among thieves” reputation of ransomware crooks has been ruined recently by newcomers who either screw up the crypto, thus providing free recovery, or who ruin the recovery and fail to return the files after taking payment.

We’ve coined this “boneidleware”: wannabe ransomware thrown up by lazy crooks who take the money and run.

Police departments, just like the hospitals, colleges, TV stations and other organizations that have been victimized by ransomware, have had different reactions. Not all police departments have snubbed the call of the crooks who kidnapped their files, be they makers of ransomware or boneidleware.

For example, in November 2013, a Swansea, Massachusetts, police department paid CryptoLocker crooks $750 for a decryption key after they were attacked.

Paying crooks ransom money rankles, says Sheriff Todd Brackett of Lincoln County, Maine, whose system was frozen in 2015: “My initial reaction was ‘No way!’ We are cops. We generally don’t pay ransoms.” After “48 long hours,” Brackett reluctantly paid, he told NBC News, with a big sigh.

Other police departments have held fast. In Durham, New Hampshire, the police chief refused to pay. The files were deleted. He was, however, able to recover most of them from a backup system.

The same goes for the Collinsville, Alabama, police department: the chief refused to pay when attacked in 2014. He never saw the files again.

It’s not an easy choice. Do we applaud cops for refusing to pay, even if it spoils some of the cases they’re working on? Even if this means that some criminals wind up going free, given that the evidence to convict has been wiped clean?

And what about chain of custody? Shouldn’t that evidence have been auto-backed up? Protected from modification or loss?

Those are, unfortunately, Monday morning quarterback questions. What’s more important is to ask them before any data gets locked up by crooks. In the meantime, here’s a recap of our advice on preventing and recovering from attacks, be they ransomware or other nasties:

What to do?

Here are some links we think you’ll find useful:

via:  sophos

Know the risks of Amazon Alexa and Google Home

Voice-activated, internet-connected personal assistants are all the rage these days. Ask a group of friends what they got for Christmas and at least one will tell you how much they love their new Amazon Echo, Google Home or some equivalent.

This piece of smart home technology is a beautiful thing. But like all good things, there are risks.

This is an appropriate time to review those risks – and what users can do to protect their sensitive information.

Your technology is listening

The main concern among security experts when it comes to smart home devices is the degree to which they are listening. They obviously listen for any commands the user might utter, but what else is it taking in, and how could that put privacy at risk?

A murder case in Arkansas makes for an interesting case study.

Arkansas police are hoping that an Amazon Echo found at a murder scene in Bentonville will help them with their investigation into the death of a man strangled in a hot tub.

The Echo answers to the name of Alexa and will play music and answer simple questions on voice command. It also records what you say and sends that recording to a server.

While Amazon’s smart assistant only records what’s said to it after it’s triggered by someone saying “Alexa”, police are hoping that the device’s habit of piping up in response to a radio or TV might mean it inadvertently recorded something that might be of use to them.

But like other tech retailers, Amazon has resisted pressure to hand over this kind of customer information to law enforcement. Amazon stores voice recordings from the Echo on its servers to improve its services, but the Seattle-based company, which has apparently released the account details of the alleged attacker to police, has declined to provide the voice recordings they are seeking via a search warrant.

Though it remains unclear if this particular Echo recorded anything useful, the case raises a bigger question: with Echo/Alexa, Siri, Cortana and Google’s Home assistant in many homes these days, and knowing that some of the technology is listening and recording, who might be able to exploit that?

In this case law enforcement wants to access a device. But in the future, it may be hackers looking to have a listen.

Lessons from the Dyn attack

Personal assistants fit into the larger concept of the smart home, so it’s useful to look at threats that have already targeted Internet of Things (IoT) devices.

Security experts have long predicted threats targeting everyday home devices connected to the internet, and the threat was made plain last fall when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the Domain Name System (DNS). That attack crippled such major sites as Twitter, PayPal, Netflix and Reddit.

To be clear, that attack infected IoT devices and used them to target a company. It’s not the same as being snooped on, but in many cases the end goal is on the same wavelength: the bad guys want to see or hear what you have for personal data so they can use the information to benefit themselves or their cause.

A few short years ago, IoT attacks were discussed as some potential threat in a distant future. Now they are real. To some experts, it’s only a matter of time before hijacked personal assistants become a clear and present danger.

Defensive measures

Those who choose to use this technology can’t and shouldn’t expect 100% privacy. If not for the ability of Amazon Echo and Google Home to listen, these things would become nothing more than doorstoppers and paperweights.

But there are certainly things users can do to limit the risk of unintended consequences. Here are just a few examples:

  • Not currently using your Echo? Mute it. The mute/unmute button is right on top of the device. The “always listening” microphone will shut off until you’re ready to turn it back on.
  • Don’t connect sensitive accounts to Echo. On more than a few occasions, daisy-chaining multiple accounts together has ended in tears for the user.
  • Erase old recordings. If you use an Echo, then surely you have an Amazon account. If you go on Amazon’s website and look under “Manage my device” there’s a handy dashboard where you can delete individual queries or clear the entire search history.
  • Tighten those Google settings. If you use Google Home, you’re already aware of the search giant’s appetite for data collection. But Google does offer tools to tighten things up. Like the Echo, Home has a mute button and a settings page online, where you can grant or take away various permissions.

via:  nakedsecurity

Dropbox’s Smart Sync lets users open a file stored only in the cloud like any normal file

Dropbox today released Smart Sync, its tool that allows users to access files stored online in Dropbox accounts automatically on a desktop without having the file stored locally.

Previously dubbed Dropbox Infinite, Smart Sync gives businesses a way to share and access files without needing to have massive ones stored on their desktop. The idea is that businesses regularly deal with piles and piles of large files which can quickly overwhelm local computers, but still need to find ways to work with teammates on what to do with those files. The files behave like you would normally expect on a desktop — a photo opens into a photo on preview, and so on.

“Everything users need for whole team or company is right from desktop system,” group product manager Genevieve Sheehan said. “Users have a ton of information, all of which they don’t need to keep on their device but need to have access into all of it. They can quickly get wherever they need without having to bounce across to web apps, it’s all where they expect it to be. This gives teams simplified teamwork more power, and less overhead.”

The files aren’t “streamed” per se — as in, you’re not viewing a photo or something like that in some container that is running a program that allows you to interact with it in a low-bandwidth way. Instead the file is synchronized, opened, and after editing it is delivered back up to the cloud and then cleared out.

Naturally this requires an Internet connection, but in a demo the product looked pretty seamless. That might be different with even larger files (such as ones that are hundreds of megabytes to a gigabyte or more), but the intent is to ensure that hard drives don’t get overwhelmed. One part of Smart Sync even allows employees to look into the basic data of the file, which will be identical to everything the file would be normally — just with a tiny amount of space it’s taking up.


Sheehan stressed that an important part of the launch was to ensure that employees across a business could collaborate across multiple different environments. In that way, a user on a Windows device can access and manage a file, and it will synchronize and show up exactly as you might expect on a Mac. Smart Sync uses available kernel extensions and has been thoroughly vetted for security, Sheehan said.

“You can have a team with different devices and geographies,” Sheehan said. “They have the same access and same features without having to all upgrade their system and make sure everyone is on the same Windows or Mac version.”

Smart Sync will be available for all Dropbox Business and enterprise customers today for early access. Administrators can still opt in to Smart Sync if they determine they still want to ensure these files are stored locally.


via:  techcrunch