Tag Archives: Business

What Will the CISO of the Future Look Like?

As the cyber landscape evolves, the role of the CISO (Chief Information Security Officer) is transforming. Managers at companies of varying size are more aware of the importance of cybersecurity than ever before, and, therefore, CISOs are increasingly present on the boards of directors. The new business context due to disruptive technological developments (such as the Internet of Things and the rise of the cloud), together with growing threat levels, requires security managers to face various changes, such as aligning with business objectives to respond to security needs. Although the profile of a CISO is still technical, its link to business objectives requires specific capabilities and a broader business vision.

New Responsibilities for a New CISO

With the increase in cyberattacks and the danger of sensitive data leaks looming over companies, the work of the new CISO takes on a role never before seen. According to a study by the Ponemon Institute, 67% of CISOs are responsible for establishing their company’s security strategies and initiatives. This figure indicates an increasing level of influence, confirming that the CISO goes from being a simple guardian of the IT area to a trusted adviser in the upper echelons of organizations.

In the above-mentioned study, 60% of respondents said that their organization considers security as one of their priorities. The ability to prevent and respond to attacks is now of great importance for companies, which begin to value the tasks of the CISO to promote awareness and provide adequate training in cybersecurity among the staff, as well as investments in cybersecurity tools to detect possible threats.

The integration between business and technology taking place with the digital revolution is creating a more complex ecosystem for companies and their employees dedicated to security. The CISO must now act according to business demands and assume the same objectives as other executives of the company. 69% of the respondents in the Ponemon study consider that the appointment of a security director with corporate responsibility is fundamental for the company. The CISO of the future must report its activities within the organization, assume budget and compliance challenges, and implement business tactics driven by business objectives.

And let’s not forget their responsibility toward ensuring the availability of IT services at all times, as well as their airtight grip on data. In this way, the new CISO must reduce the imminent risk of data leaks, protecting the privacy of users and consumers, and complying with new regulations, such as the GDPR.

From Technician to Leader

Most security officers have a technical profile related to studies in computer science. It makes sense, taking into account the need to understand programming and work closely with your team on a technical level. However, the CISO of the future must have business vision and be able to influence the direction the company takes, with leadership skills and interpersonal and strategic communication. The CISO of the future must also be able to draw up plans and models of operations that contribute to the brand, including not only the technical side of cybersecurity but also its essential human side.

The CISO has made its way into organizations after years of being considered an afterthought, and this recognition must be welcomed by security experts as an exciting challenge. This evolution, which now requires an amalgam of technical, legal, regulatory and communicative knowledge, demonstrates the shift towards a global ecosystem much more aware of the importance of cybersecurity. It’s time to reinvent yourself and accept that the traditional IT role no longer exists. Are you ready to be the CISO of the future?

The post What Will the CISO of the Future Look Like? appeared first on Panda Security Mediacenter.


PayPal Subsidiary Data Breach Hits Up to 1.6 Million Customers


Global e-commerce business PayPal has disclosed a data breach that may have compromised personally identifiable information for roughly 1.6 million customers at a payment processing company PayPal acquired earlier this year.

PayPal Holdings Inc. said Friday that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company’s network, including some confidential parts where the personal information of TIO’s customers and customers of TIO billers is stored.

Acquired by PayPal for US$233 Million in July 2017, TIO Networks is a cloud-based multi-channel bill payment processor and receivables management provider that serves the largest telecom, wireless, cable and utility bill issuers in North America.

PayPal did not make clear when or how the data breach incident took place, nor did it reveal details about the types of information stolen by the hackers, but the company did confirm that its platform and systems were not affected by the incident.

“The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure,” PayPal said in its press release [PDF].

The data breach in TIO Networks was discovered as part of an ongoing investigation for identifying security vulnerabilities in the payment processing platform.

As soon as PayPal identified unauthorized access to TIO’s network, PayPal took action by “initiating an internal investigation of TIO and bringing in additional third-party cybersecurity expertise to review TIO’s bill payment platform,” PayPal’s press release [PDF] reads.

The company has begun working with companies it services to notify potentially affected customers.

Besides notifying, the company is also working with a consumer credit reporting agency, Experian, to provide free credit monitoring memberships for fraud and identity theft to those who are affected by the breach.

To protect its customers, TIO has also suspended its services until a full-scale investigation into the incident is completed.

“At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills,” TIO’s Consumer FAQ reads.

“We sincerely apologize for any inconvenience caused to you by the disruption of TIO’s service.”

Since the investigation is ongoing, PayPal will communicate with TIO customers and merchant partners directly as soon as the company has more details on the incident. Also, the affected customers will be directly contacted by the company.

Gladius Shows Promise in Utilizing Blockchain Tech to Fight Hackers

Blockchain startups are cropping up left and right aiming to disrupt existing services and business models.

These range from the trivial to potentially game-changing solutions that can revolutionize the internet as we know it. Among those that promise to change the world, most are attempting to reconstruct the entire internet infrastructure into something that is decentralized, secure, scalable, and tokenized.

There are also those that aim to solve the most significant problems plaguing the digital world, particularly potentially costly and tedious security issues. We do not lack for dangers, ranging from data breaches to denial-of-service attacks, and other hacks.

For the most part, there are SaaS and software-defined services that are capable enough of addressing the threats that involve malware and DDoS.

However, blockchains offer much, much more.


The plague of DDoS

Distributed denial-of-service or DDoS attacks involve a malicious hacker deploying a network of infected computers in sending traffic and making queries to the target host. By deploying a botnet with potentially thousands of unique devices, it is difficult to block on a per-IP basis.

Oftentimes, without adequate protection, a DDoS attack can slow down a website or service to a crawl until it is no longer accessible either by running out of bandwidth allocation or simply being overwhelmed with traffic.

According to this DDoS Impact survey, almost half of respondents say they have encountered a DDoS attack, with more than 90 percent of these businesses being attacked within a span of 12 months.

The average DDoS attack lasted between 6 and 24 hours, and at the cost of $40,000 per hour, these cost businesses about $500,000 per attack on average, with some even costing more for larger enterprises.

For small businesses, the cost can be more severe, especially for those that depend solely on their online operations and sales to thrive.

These are only the costs associated with IT activity. When a website goes down, all its business goes down with it – this can be particularly troublesome for a company running an e-commerce website or a consumer-facing application.

Blockchain-based solutions for DDoS

Sadly, a DDoS attack is something that cannot be prevented. You can only mitigate its effects, and your infrastructure can merely ward off the excessive traffic and bandwidth utilization through several means. For the most part, deploying DDoS protection entails deflecting any botnet traffic, so that your main server or cloud deployment is not overloaded.

As mentioned earlier, cloud-based DDoS protection acts as a barrier between the main server and the internet at large. Whenever an attack occurs, the service efficiently “absorbs” the traffic to minimize the impact on the infrastructure itself.

This can only go so far, however. Even the most robust of cloud infrastructures can handle only so much traffic. Besides, for businesses, the costs involved could be overwhelming.

Here is where a blockchain and a highly distributed approach can offer more value.

Gladius, a blockchain service for DDoS prevention and website acceleration, aims to leverage its global network of individual and independent nodes to mitigate the effects of a DDoS attack and to cache content all across the world to make websites load faster.

Being a decentralized network, users can rent out their spare bandwidth through a desktop client and earn money by sharing their bandwidth. Then, their excess bandwidth is distributed to nodes which in turn funnel the bandwidth to websites under DDoS attacks to make sure they stay up.

During “peace time” or periods without a DDoS, Gladius’ network also speeds up access to the internet by acting as a content delivery network, wherein web content is cached for faster delivery to the target client’s browser.

The perks of a peer-to-peer network


A decentralized network has additional benefits beyond the simple cloud-based deployment.

While a cloud is, to some extent, distributed, it is still owned by whoever runs the platform. In contrast, a blockchain runs completely off of a decentralized network, wherein the nodes are independently owned.

Herein lies the additional benefit. With most blockchains, nodes are rewarded through a tokenized incentive scheme – it is the same with Gladius. Individual computer owners can earn cryptocurrency tokens whenever their resources are shared with the network.


Toward a decentralized sharing economy

Blockchain startups are representative of where we are heading in the future: a truly decentralized sharing economy. We have had a glimpse of such sharing economies with platforms like Uber, Airbnb, and the like.

However, these foster a sharing economy without the decentralized aspect – the platform is still owned by a corporate entity, for instance.

With blockchain startups, the sharing economy is built entirely upon the independent and decentralized nodes that make up the network.

Bitcoin proved that we could have an exchange of value through a decentralized system. Ethereum proved we could establish self-executing smart contracts without third parties or mediums.

With solutions like Gladius, we are likewise hopeful that the internet’s infrastructure can be disrupted for the benefit of both users and business that build value.

Did Your Childhood Monsters Dwelling Under the Bed Grow to Be Real?

Remember when you were a youngster, and lived in nightly fear of the monsters dwelling under your bed, or those hiding in the closet? That made it an act of foolishness to swing your legs over the side of the bed and expose munch-able ankles to the demons. Even worse would be to risk opening the closet door at night, to provide a portal for their crossover into the human world.
The only way to safely make it through the night was to stay motionless in bed, fully covered by your charmed-against-monsters favorite blanket, and await the safety of morning sunlight.

Krack

The demons of the night have probably long since retreated from your bedroom – but for adult internet users, they have re-emerged from the shadows, in the form of hackers and cyber attackers, still lurking, still waiting for their opportunity. And sadly, this time they are real – lately, the internet has been buzzing with the recently discovered WPA2 vulnerabilities known as KRACK.

Everyone who listens to the news occasionally, or checks their morning news feed before heading off to work, should be aware of some of the spectacular network breaches against major corporations. In fact, one or more of those violations may even have affected you personally, since several of them have resulted in massive amounts of sensitive personal information being hijacked by criminals. But such headline-grabbing attacks are far from the only depredations being carried out these days on the Internet, nor are the big corporations the only targets.

Small businesses the target of cybercriminals

Cybercriminals are starting to realize that attacks against lots of small businesses can be just as lucrative as a single attack against a major player. Ransomware attacks and other forms of malware breaches can yield significant profits when carried out in volume against small businesses, and now hackers have upped the ante to include attacks against individuals, in the form of breaching devices which are tied to the Internet of Things (IoT). It was recently demonstrated that even using an ordinary Wi-Fi connection can expose you to attack by a smart attacker, in physical proximity.

Wi-Fi Protected Access 2 (WPA2)

Wi-Fi Protected Access 2 (WPA2) is the second, and theoretically stronger, incarnation of security protocols for wireless networks, but it was recently shown to have a vulnerability which allows attackers to modify how the protocol works so that network traffic can be intercepted. Depending on how a specific network is configured, it would have even been possible for malware to be inserted, without the attacker ever owning or disturbing standard password security, thus evading detection.

This capability makes wireless devices, including all those connected to the IoT, vulnerable to Key Reinstallation Attacks (KRACK), which compromise the encryption component of the WPA2 protocol. Without getting into the technical weaknesses which make this possible, you should know that such attacks are likely whenever a cybercriminal is physically positioned close enough to a device on a Wi-Fi network so that the signal can be intercepted and manipulated. What all this means for devices connected to the IoT, is that they would need to have software or firmware updates which close up the vulnerability to KRACK attacks. The affected manufacturers have begun issuing patches to address the problem but remember that you don’t have to only rely on patches – there are other ways to protect yourself.

Are More IoT devices Driving More Cyber Attacks?

The short answer to this is – yes. Cybercriminals are notoriously opportunistic, and the potential ubiquity of IoT devices provides nearly endless possibilities for security breaches. Just “listening in” on such network traffic can provide useful, sensitive information about accounts and other data that can be converted into profits.

The monsters under your bed have grown up with you, and they have now moved into the shadows of cyberspace, waiting to nip at your ankles or to have you barge brazenly into their closet stronghold. And unfortunately, this time they are real – make sure you have a chance to fight them off by arming yourself with a protective blanket.

The post Did Your Childhood Monsters Dwelling Under the Bed Grow to Be Real? appeared first on Panda Security Mediacenter.


Panda Security and Deloitte Have Exciting Announcement for the Gartner Summit

Following the success of the Gartner Security & Risk Management Summit in the US, Panda Security will also be participating in the London conference held on 18-19 September 2017. The summit will address the major challenges facing IT security leaders today. Analysts, panellists, and presenters will offer proven practices, technologies and methods to help adjust to the digital transformation and manage the increase in cybersecurity risks.

Panda Security will discuss how to protect your business with Adaptive Defense, the new cybersecurity model. We will be at Booth #S24.

In addition to sharing experiences at stand S24, we will be giving a joint presentation in conjunction with Deloitte. Juan Santamaría, General Manager of Panda, and Edward Moore, Associate Director of Cybersecurity at Deloitte EMEA, will discuss the fundamentals of cyberdefense for companies. In a talk titled ‘From Incident Response to Continuous Response Management, Building Resilience in Organizations’, we will discuss how to avoid economic losses and reputational damages brought about by cyberattacks such as ransomware. The session will be held on Tuesday 19 September, from 10:35-10:55 in the Solution Showcase Theatre on Level 1.

As 100% prevention is not possible, organizations must continually improve their detection and incident response capabilities to significantly reduce the probability of experiencing a damaging breach.

Learn from the directors of Panda Security and Deloitte EMEA how to maximise returns on your company’s investments using the latest resilience practices.

Adaptive Defense, the Common Link Between Deloitte and Panda Security

Businesses are currently facing unprecedented challenges as they process the large volumes and high speeds of modern digital interactions. With exponential increases in attacks originating from unknown threats (up more than 40% from last quarter alone), it’s logical to conclude that companies need to be doing more to reinforce their security and control. It’s for this reason that Panda Security and Deloitte EMEA have created a Cyber Alliance to provide an integrated, dynamic, and adaptive security ecosystem.

At the heart of this agreement is Adaptive Defense, a managed cybersecurity service based on continuous monitoring of all active processes, with automatic classification via artificial intelligence, and behaviour analysis by Security Operation Center experts. This ecosystem allows organizations to become more resilient and significantly reduces the probability of experiencing a damaging breach.

You can see here further details on the joint Panda Security and Deloitte talk and add to your calendar for the Gartner Security & Risk Management Summit here.

The post Panda Security and Deloitte Have Exciting Announcement for the Gartner Summit appeared first on Panda Security Mediacenter.


Enterprise Security in the Age of Advanced Threats


The malware and IT security panorama has undergone a major change, and enterprise security will never be the same. Hackers have improved drastically, both in terms of volume and sophistication, and new techniques are allowing threats to remain on corporate networks for much longer periods than ever before.

Webinar on the topic presented by Panda’s own Luis Corrons, Technical Director of PandaLabs.

How Predictive Intelligence Helps to Protect Companies

The task of protecting an enterprise is a challenge because it has hundreds of thousands of computers in its network, and a criminal just needs to compromise one of them to succeed. Security companies have been working for decades now to advance security to ensure there is never one computer infected.

In the beginning, it was easy: the number of threats was very low, so being able to identify all threats was enough to keep computers safe. Some of those threats were complex, causing a nightmare for antivirus companies, as it could take several days, even weeks, for the most expert researchers just to create a detection for them. The creators of these viruses were people trying to show off their abilities and how good they were; there was no ulterior motive.

As the internet rose, there became a clear ulterior motive: money. Once cyber-criminals figured out how to benefit financially from these attacks, things really took off, and security companies, once again, had to adjust.

The number of new threats created is growing exponentially. In the old days a virus could take weeks or months to travel from LA to NY, now in a few seconds a virus could go from Washington DC to Tokyo.

Traditional anti-virus approaches included traditional blacklisting and whitelisting. Both blacklisting and whitelisting worked well for a while, but in the age of advanced threats, they can no longer be counted on. Cyber-criminals can try and fail a million times, but as soon as they get it right once, they win. It’s not a level playing field, and security solutions need to evolve to get ahead.

It is an uphill battle for security vendors, but as an industry, we know what it takes to combat the most sophisticated cyber-attacks. Now, it’s a matter of execution, and enterprises recognizing how important security is to their business objectives.

 

The post Enterprise Security in the Age of Advanced Threats appeared first on Panda Security Mediacenter.


A dating site and corporate cyber-security lessons to be learned

It’s been two years since one of the most notorious cyber-attacks in history; however, the controversy surrounding Ashley Madison, the online dating service for extramarital affairs, is far from forgotten. Just to refresh your memory, Ashley Madison suffered a massive security breach in 2015 that exposed over 300 GB of user data, including users’ real names, banking data, credit card transactions, secret sexual fantasies… It was a user’s worst nightmare: having your most private information available over the Internet. However, the consequences of the attack were much worse than anyone thought. Ashley Madison went from being a sleazy site of questionable taste to becoming the perfect example of security management malpractice.

Hacktivism as an excuse

Following the Ashley Madison attack, hacking group ‘The Impact Team’ sent a message to the site’s owners threatening them and criticizing the company’s bad faith. However, the site didn’t give in to the hackers’ demands, and the hackers responded by releasing the personal details of thousands of users. They justified their actions on the grounds that Ashley Madison lied to users and didn’t protect their data properly. For example, Ashley Madison claimed that users could have their personal accounts completely deleted for $19. However, this was not the case, according to The Impact Team. Another promise Ashley Madison never kept, according to the hackers, was that of deleting sensitive credit card information. Purchase details were not removed, and included users’ real names and addresses.

These were some of the reasons why the hacking group decided to ‘punish’ the company. A punishment that has cost Ashley Madison nearly $30 million in fines, improved security measures and damages.

Ongoing and costly consequences

Despite the time passed since the attack and the implementation of the necessary security measures by Ashley Madison, many users complain that they continue to be extorted and threatened to this day. Groups unrelated to The Impact Team have continued to run blackmail campaigns demanding payment of $500 to $2,000 for not sending the information stolen from Ashley Madison to family members. And the company’s investigation and security strengthening efforts continue to this day. Not only have they cost Ashley Madison tens of millions of dollars, but also resulted in an investigation by the U.S. Federal Trade Commission, an institution that enforces strict and costly security measures to keep user data private.

What can be done in your company?

Even though there are many unknowns about the hack, analysts were able to draw some important conclusions that should be taken into account by any company that stores sensitive information.

·  Strong passwords are extremely important

As was revealed after the attack, although most of the Ashley Madison passwords were protected with the Bcrypt hashing algorithm, a subset of at least 15 million passwords were hashed with the MD5 algorithm, which is very vulnerable to brute-force attacks. This is probably a remnant of the way the Ashley Madison network evolved over time. This teaches us an important lesson: No matter how hard it is, organizations must use all means necessary to make sure they don’t make such blatant security mistakes. The analysts’ investigation also revealed that several million Ashley Madison passwords were very weak, which reminds us of the need to educate users regarding good security practices.

·  To delete means to delete

Probably one of the most controversial aspects of the whole Ashley Madison affair is that of the deletion of information. Hackers exposed a huge amount of data which supposedly had been deleted. Although Ruby Life Inc, the company behind Ashley Madison, claimed that the hacking group had been stealing information for a long period of time, the truth is that much of the information leaked did not match the dates described. Every company must take into account one of the most important factors in personal information management: the permanent and irretrievable deletion of data.

·  Ensuring proper security is an ongoing obligation

Regarding user credentials, the need for organizations to maintain impeccable security protocols and practices is evident. Ashley Madison’s use of the MD5 hash algorithm to protect users’ passwords was clearly an error; however, this is not the only mistake they made. As revealed by the subsequent audit, the entire platform suffered from serious security problems that had not been resolved as they were the result of the work done by a previous development team. Another aspect to consider is that of insider threats. Internal users can cause irreparable harm, and the only way to prevent that is to implement strict protocols to log, monitor and audit employee actions.
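The MD5 remnant described in the password lessons above is what a credential-store audit is meant to surface. The following is an added example, not code from the original post or from Ashley Madison: it classifies stored hashes by format and upgrades legacy MD5 records at the next successful login. It assumes legacy records are unsalted hex MD5, uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in slow hash (the post names bcrypt, which needs a third-party package), and every account name and record is constructed.

```python
import hashlib
import hmac
import os
import re

# Stored-hash formats the audit recognises.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
PBKDF2_RE = re.compile(r"^\$pbkdf2-sha256\$(\d+)\$((?:[0-9a-f]{2})+)\$((?:[0-9a-f]{2})+)$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

PBKDF2_ITERATIONS = 600_000   # assumed policy value for this example
MIN_BCRYPT_COST = 10          # assumed policy floor for this example


def classify(stored):
    """Return the hash family of a stored credential string."""
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt" if int(m.group(1)) >= MIN_BCRYPT_COST else "bcrypt-low-cost"
    if PBKDF2_RE.match(stored):
        return "pbkdf2"
    if MD5_RE.match(stored):
        return "md5-legacy"
    return "unknown"


def audit(store):
    """Group account names by hash family so legacy records stand out."""
    report = {}
    for user, stored in store.items():
        report.setdefault(classify(stored), []).append(user)
    return report


def hash_pbkdf2(password, salt=None):
    """Hash a password with a random per-user salt and a slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"$pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    m = PBKDF2_RE.match(stored)
    if not m:
        return False
    iterations = int(m.group(1))
    salt, expected = bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def login(store, user, password):
    """Verify a login; replace a legacy MD5 record once the password is proven."""
    stored = store.get(user)
    if stored is None:
        return False
    kind = classify(stored)
    if kind == "pbkdf2":
        return verify_pbkdf2(password, stored)
    if kind == "md5-legacy":
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, stored.lower()):
            store[user] = hash_pbkdf2(password)  # upgrade in place
            return True
        return False
    # bcrypt verification needs a bcrypt library and is out of scope here.
    return False


def sample_store():
    """Constructed records: two legacy MD5, one bcrypt-shaped, one low-cost."""
    placeholder = "A" * 53  # bcrypt-shaped filler, not a real hash
    return {
        "alice": hashlib.md5(b"123456").hexdigest(),
        "bob": hashlib.md5(b"password").hexdigest(),
        "carol": "$2b$12$" + placeholder,
        "dave": "$2a$04$" + placeholder,
    }


if __name__ == "__main__":
    store = sample_store()
    print("before:", audit(store))
    login(store, "alice", "123456")
    print("after: ", audit(store))
```

Accounts that never log in again keep their MD5 record, so the `md5-legacy` list in the audit output is the remaining exposure to track.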

It is an ongoing effort to ensure the security of an organization, and no company should ever lose sight of the importance of keeping their entire system secure. Because doing so can have unexpected and very, very expensive consequences.

The post A dating site and corporate cyber-security lessons to be learned appeared first on Panda Security Mediacenter.


Panda Security, leader in Gartner’s Peer Insights program


We’ve been warning for some time now that traditional antivirus solutions are no longer effective against the newer threats. Targeted and zero-day attacks, as well as the dreaded malwareless threats, are a growing concern for businesses. And not only that, we have also emphasized time and again the importance of preventing the losses and reputational damage stemming from cyber-threats, and how the new protection model leveraged by Panda Adaptive Defense and Adaptive Defense 360 can help companies reinforce their IT security posture by classifying and monitoring all processes running on their network. Panda’s new security approach provides complete endpoint visibility and allows organizations to block security attacks and respond to them immediately, implementing more robust security measures to prevent further incidents. This is not just our opinion but the opinion of our customers as well, as shown by the fact that 96 percent of participants in IT software and services review platform Gartner Peer Insights are recommending Panda’s advanced cyber-security solutions to other companies.

But, what is Gartner Peer Insights?

Peer Insights is an online platform of ratings and reviews of IT software and services. The reviews are written and read by IT professionals and technology decision-makers like you.

The goal is to help IT leaders make more insightful purchase decisions and help technology providers improve their products by receiving objective unbiased feedback from their customers.

“A product that is great on visibility and proactive protection even against direct attack. During the POC and Implementation, everything was easy. Even until now, the support is excellent.” – IT Assistant Manager in the Education Industry.

In this regard, Adaptive Defense, Panda Security’s Endpoint Detection and Response (EDR) solution, is the best rated software and receives 28 percent of all reviews submitted by participants. The best-rated features of Panda’s software include its detection, attack containment, remediation and investigation capabilities. Additionally, Adaptive Defense’s 100% Attestation Service and the fact that it is cloud-based provide great value for its total cost of ownership, allowing customers to save time and money.

“Outstanding capabilities to detect attacks and malware that we never thought could escape. This tool does everything we need it to do, and as long as it continues to help us save time, I will continue recommending it.” – Responsible For Systems in the Government Industry.

Panda’s EPP technologies, represented by Panda Endpoint Protection, are also highly rated in the reviews. The fact that the solution can be managed from a single, central Web-based console at any time, from anywhere, is highly praised by IT security professionals.

Companies of all sizes and industries say they have become more resilient to cyber-attacks and give Panda a 4.7 out of 5 overall rating, outscoring all other security vendors.

I’d like to participate in the program, but who can write a review?

Reviews must be completed by people working with Panda Endpoint Protection or Panda Adaptive Defense/Adaptive Defense 360 on a daily basis, or people involved in the purchasing decision.

Panda Adaptive Defense delivers on its commitment to provide complete, integrated protection to users, and is at the forefront of advanced cyber-security solutions. It’s not just us who say so. Are you using Panda Endpoint Protection, Panda Adaptive Defense or Panda Adaptive Defense 360 in your organization? Would you like to share your experience with your peers? Click here to access Gartner’s Peer Insights platform and share your cyber-security experience.

The post Panda Security, leader in Gartner’s Peer Insights program appeared first on Panda Security Mediacenter.


Hotspot Shield VPN Accused of Spying On Its Users’ Web Traffic

“Privacy” is a bit of an Internet buzzword nowadays as the business model of the Internet has now shifted towards data collection.

Although a Virtual Private Network (VPN) is one of the best solutions to protect your privacy and data on the Internet, you should be vigilant when choosing a VPN service and pick one which actually respects your privacy.

If you are using popular free virtual private networking service Hotspot Shield, your data could be at a significant risk.

A privacy advocacy group has filed a complaint with the Federal Trade Commission (FTC) against virtual private networking provider Hotspot Shield for reportedly violating its own privacy policy of “complete anonymity” promised to its users.

The 14-page-long complaint filed Monday morning by the Centre for Democracy and Technology (CDT), a US non-profit advocacy group for digital rights, accused Hotspot Shield of allegedly tracking, intercepting and collecting its customers’ data.

Developed by Anchorfree GmbH, Hotspot Shield is a VPN service available for free on Google Play Store and Apple Mac App Store with an estimated 500 million users around the world.

A VPN is a set of networks joined together to establish secure connections over the Internet; it encrypts your data, thereby securing your identity on the Internet and improving your online security and privacy.

The VPN services are mostly used by privacy advocates, journalists, digital activists and protesters to bypass censorship and geo-blocking of content.

Hotspot Shield Does Just the Opposite of What It Promises

The Hotspot Shield VPN app promises to “secure all online activities,” hide users’ IP addresses and their identities, protect them from tracking, and keep no connections logs while protecting its user’s internet traffic using an encrypted channel.

However, according to research conducted by the CDT along with Carnegie Mellon University, the Hotspot Shield app fails to live up to all promises and instead logs connections, monitors users’ browsing habits, and redirects online traffic and sells customer data to advertisers.

“It is thusly unfair for Hotspot Shield to present itself as a mechanism for protecting the privacy and security of consumer information while profiting off of that information by collecting and sharing access to it with undisclosed third parties,” the CDT complaint reads.

“Consumers who employ Hotspot Shield VPN do so to protect their privacy, and Hotspot Shield’s use of aggressive logging practices and third-party partnerships harm its consumers’ declared privacy interests.”

Hotspot Shield was also found injecting JavaScript code using iframes for advertising and tracking purposes.

Reverse engineering of the app’s source code also revealed that the VPN uses more than five different third-party tracking libraries.

Researchers also found that the VPN app discloses sensitive data, including names of wireless networks (via SSID/BSSID info), along with unique identifiers such as Media Access Control addresses, and device IMEI numbers.


The CDT also claims that the VPN service sometimes “redirects e-commerce traffic to partnering domains.”

If users try to visit any commercial website, the VPN app redirects that traffic to partner sites, including ad companies, to generate revenue.

“For example, when a user connects through the VPN to access specific commercial web domains, including major online retailers like www.target.com and www.macys.com, the application can intercept and redirect HTTP requests to partner websites that include online advertising companies,” the complaint reads.

The CDT wants the FTC to start an investigation into Hotspot Shield’s “unfair and deceptive trade practices” and to order the company to stop misrepresenting privacy and security promises while marketing its app.

Protecting your business from the next ransomware attack

With more than 120 million ransomware samples in 2015 alone, ransomware has become, as of 2017, one of the fastest growing and most lucrative threats to businesses on the web.

Ransomware disguises itself by hiding inside email and website links and then hijacks your computer until you agree to pay the ransom. Prevention is possible and important for avoiding these types of attacks. Our AVG Business survival guide will help you protect yourself and your business before the next threat occurs.

 
