Kaspersky Banned from Operating in the USA
The security firm Kaspersky, a familiar name in the market for consumer antivirus software, will be banned from operating in the United States, announced the US Commerce Department. Kaspersky is based in Russia, and has long had to navigate the perilous socio-political landscape between Russia, the United States, and European Union. Since Russia’s war of aggression in Ukraine, the US and EU have levied sweeping sanctions against Russia, and those efforts extend into the digital domain where Russia has repeatedly violated international norms by attempting to influence elections and providing safe haven (and sometimes funding) for ransomware gangs and scammers. Kaspersky says that they are a privately managed company with no ties to the Russian government, but the Biden administration claims that Russia under Vladamir Putin has shown a willingness to weaponize Russian companies against their geopolitical adversaries. Antivirus software must run with extra privileges that make it especially dangerous if abused. Kaspersky has announced they will be winding down business in the USA, as reported by Kim Zetter and confirmed to Tech Crunch.
The Bottom Line: If you use Kaspersky, it’s time to switch to a new antivirus provider. We recommend Malwarebytes.
How Secure is Public Wi-Fi?
Kaspersky may have been banned from operating in the United States but their researchers still write useful security blogs. In a piece posted to the Kaspersky blog, they detail how they sent a team of researchers to test the public Wi-Fi networks in Paris ahead of the Olympic games and even there, where you’d expect a little extra effort, the picture is bleak. Kasperksy’s team detected 24,766 unique public Wi-Fi access points. Of those, only 1373, or 6%, were secured with the modern WPA3 standard that would make them safe to use. Many used older security standards, but fully 25% used out of date hardware, misconfigurations, and other problems that would make them easily exploitable by scammers and hackers. While Paris has undergone a significant makeover for the Olympics, these statistics suggest that their public Wi-Fi situation is still typical of large cities: a hodgepodge of hotels, coffee shops, and cafes operated by network administrators with widely varying technical skill and commitment to privacy.
The Bottom Line: Avoid public Wi-Fi. If you have to use public Wi-Fi, you could use a VPN to protect your traffic, but while this may provide some protection, VPNs are not engineered to protect you from malicious actors who share your local network, nor from untrusted networks in general (for more on that, see Leviathan Security’s writeup of TunnelVision). Instead, avoid using public Wi-Fi wherever possible. Instead, rely on your iPhone’s hot-spot to provide an internet connection to your other devices.
Verizon Failed to Protect TracFone Customer Data
Not as bad as the AT&T breach, but telecom provider Verizon is also on the hook this month for failing to protect user data, reports Bleeping Computer. The Federal Communications Commission reached a settlement with Verizon which, along with the fine, requires them to update their security practices. The settlement is over allegations that TracFone, which is a wholly-owned subsidiary of Verizon, failed to prevent hackers from breaching the company multiple times between 2021 and 2023, stealing data and gaining access that enabled the hackers to perform SIM swapping attacks on an unknown number of customers. SIM swapping is where a scammer tries to take control of your phone number by convincing your phone company to switch the number to a new phone and it can be a lot easier if the scammer has hacked the phone company in question. SIM swapping is especially dangerous because your phone number is used by many companies as proof of your identity: they send a text to that phone number and if you can prove you received the text then they believe that you are who you say you are. This is still the most common form of multi-factor authentication.
The Bottom Line: Banks and other critical service providers should not use phone numbers as a proof of identity, but they often do, and so we’re often stuck with it. If your accounts support other multi-factor authentication options besides text messages, ones such as authenticator apps, then we recommend switching. Your iPhone has a built-in authenticator app. To prevent SIM swapping attacks, use unique strong passwords that you don’t have to memorize by employing a password manager. This will ensure that your account with your phone carrier is protected with a unique strong password as well. Also, every phone company in the United States allows you to add an extra layer of security that will prevent your number being moved to a new device unless you enter a PIN. Here are instructions for AT&T, Verizon, and T-Mobile.
Chrome Backslides on Privacy Promises
Cookies are small files sent to your computer when you visit a web page, usually to record that you’ve logged in to that website, what items are in your shopping cart, or tons of other useful things to help fulfill the website’s function. Cookies are useful, and not automatically bad. Third-party cookies are sent to your computer from someone other than the maker of the webpage you’re visiting, such as through advertisements embedded on the page. These can be used by advertisers and data brokers to track your activity across different websites. Most people view this technique as intrusive and unnecessary, and Safari, Brave, and Firefox web browsers block all third-party cookies by default, Microsoft Edge is in the process of phasing them out, and Google had promised that Chrome would end their use as well. The move to end their use is supported by the World Wide Web Consortium, the main standards body for the Internet. But now, Google has reneged on their promise, and announced that third-party cookies will remain in Chrome.
The Bottom Line: Don’t use Chrome. This is merely the latest in a long series of episodes demonstrating time and time again that Chrome is in the business of learning about you so it can sell the data. Safari, Firefox, Brave, and Duck Duck Go are all private and secure alternatives. Of the lot, Firefox offers the most similar experience and is probably the easiest to adopt. It’s free too, and if you set it up on a Mac or Windows machine, then it will import your Chrome bookmarks as part of the setup process. Safari is already installed on your device.