Popsugar’s Twinning app is leaking everyone’s uploaded photos

I thought the worst thing about Popsugar’s Twinning tool was that it matched me with James Corden.

Turns out, the hundreds of thousands of selfies uploaded to the tool can be downloaded by anyone who knows where to look.

The popular photo matching tool taking the web by storm is fairly simple. “It analyzes a selfie or uploaded photo, compares it to a massive database of celebrity photos to find matches, and finally gives you a ‘twinning percentage’ for your top five look-alikes,” according to Popsugar, which developed the tool. Then, you share those matched photos on Facebook and Twitter so everyone knows that you don’t look at all like one of the many Kardashians.

All of the uploaded photos are stored in a storage bucket hosted on Amazon Web Services. We know because the web address of the bucket is in the code on the Twinning tool’s website. Open that in your web browser, and you’re looking at a real-time stream of uploaded photos.

We verified the findings by uploading a dummy photo of a certain file size at a specific time. Then, we scraped a list of filenames uploaded during that time period from the bucket’s web address, downloaded them, and found our uploaded image by searching for that photo of a certain file size. (We didn’t download any more than necessary to preserve people’s privacy.)
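An added check, not code from the TechCrunch piece: the listing the reporters saw at the bucket's web address is S3's ListBucketResult document, while a bucket that refuses anonymous listing answers with an AccessDenied error instead. The function below classifies the response an unauthenticated GET of a bucket URL produces, so a bucket owner can confirm listing is blocked; the bucket name and both response bodies are constructed samples.

```python
"""Classify what an anonymous GET of an S3 bucket URL returns.

Added example, not code from the article. The bucket name and the two
response bodies are constructed samples that follow S3's documented
ListBucketResult and Error XML shapes.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple


def _local(tag: str) -> str:
    """Strip the XML namespace S3 puts on ListBucketResult (Error has none)."""
    return tag.split("}", 1)[-1]


@dataclass
class ListingCheck:
    verdict: str  # PUBLIC_LISTING, LISTING_DENIED, NO_SUCH_BUCKET or UNKNOWN
    objects: List[Tuple[str, int, str]] = field(default_factory=list)


def classify_listing(status: int, body: str) -> ListingCheck:
    """Map (HTTP status, body) of an unauthenticated bucket GET to a verdict.

    200 + ListBucketResult: anyone can enumerate object names, sizes and
    upload times, which is what made the Twinning uploads discoverable.
    403 + AccessDenied: listing is blocked (individual objects may still be
    readable by URL; that is a separate per-object check).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ListingCheck("UNKNOWN")

    kind = _local(root.tag)
    if status == 200 and kind == "ListBucketResult":
        objects = []
        for entry in root:
            if _local(entry.tag) != "Contents":
                continue
            fields = {_local(c.tag): (c.text or "") for c in entry}
            objects.append((fields.get("Key", ""),
                            int(fields.get("Size", "0") or 0),
                            fields.get("LastModified", "")))
        return ListingCheck("PUBLIC_LISTING", objects)

    if kind == "Error":
        code = root.findtext("Code", "")
        if status == 403 and code == "AccessDenied":
            return ListingCheck("LISTING_DENIED")
        if status == 404 and code == "NoSuchBucket":
            return ListingCheck("NO_SUCH_BUCKET")
    return ListingCheck("UNKNOWN")


def exposure_summary(check: ListingCheck) -> Tuple[int, int]:
    """Return (object count, total bytes) visible to the public, or (0, 0)."""
    if check.verdict != "PUBLIC_LISTING":
        return (0, 0)
    return (len(check.objects), sum(size for _, size, _ in check.objects))


# Constructed sample: what an open bucket returns (two fake upload keys).
PUBLIC_BODY = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-selfie-uploads</Name>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>uploads/1545912000-a1.jpg</Key>
    <LastModified>2018-12-27T12:00:00.000Z</LastModified>
    <Size>48213</Size>
  </Contents>
  <Contents>
    <Key>uploads/1545912003-b7.jpg</Key>
    <LastModified>2018-12-27T12:00:03.000Z</LastModified>
    <Size>51200</Size>
  </Contents>
</ListBucketResult>"""

# Constructed sample: what a bucket that blocks anonymous listing returns.
DENIED_BODY = """<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
</Error>"""

if __name__ == "__main__":
    for status, body in ((200, PUBLIC_BODY), (403, DENIED_BODY)):
        check = classify_listing(status, body)
        print(check.verdict, exposure_summary(check))
```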

TechCrunch reached out to Popsugar president Lisa Sugar and vice-president of engineering Mike Patnode, but did not hear back.

As data leaks go, this is definitely on the low end. You might not care that your selfies were exposed and easily downloadable. (Many photos were already leaking out of Google’s search results — even before people shared their selfie matches on Twitter!) It’s not as if the site was leaking your passwords or your Social Security number. Most users probably didn’t go in expecting any reasonable level of security or privacy to begin with.

But as with any free app, quiz or viral web tool, it’s worth remembering that you’re still putting your information out there — and you can’t always get it back. Worse, you almost never know how secure your data will be, or how it might end up being used — and abused — in the future.

This is Captain Buzzkill, signing off.

Mark Zuckerberg is ‘proud’ of how Facebook handled its scandals this year

After the year Mark Zuckerberg’s had, you’d think he’d struggle to appear so chipper.

“I’m proud of the progress we’ve made,” he said in an end-of-year note posted on his Facebook page for everyone to see. Acknowledging that the social network played its part in the spread of hate speech, election interference and misinformation, Zuckerberg’s note seemed more upbeat about his response to the hurricane of hurt caused by the company’s laissez-faire attitude to world affairs and less concerned about showing contrition and empathy for the harm Facebook caused in the past year — including its inability to keep its users’ data safe and, above all else, its failure to prevent its site from being used to incite ethnic violence and genocide.

Zuckerberg’s tone-deaf remarks read like 1,000 words of patting himself on the back.

But where the Facebook co-founder pledged to “focus on addressing some of the most important issues facing our community,” he conveniently ignored some of the most damaging, ongoing problems that the company has shown little desire to solve, opting instead for quick fixes or simply pretending they don’t exist.

“More than 30,000 people working on safety…” isn’t enough to police the platform

A decade ago, Facebook had just 12 people moderating its entire site — some 120 million users. Now, the company relies largely on an army of underpaid contractors spread out across the world to moderate millions of potentially rule-breaking posts on the site each week.

Zuckerberg said the company has this year increased those working on safety to “more than 30,000 people.” That’s on top of the 33,600 full-time employees that Facebook had as of the end of September. But policing Facebook’s 2.27 billion monthly active users is a massive task. Those 30,000 safety contractors equate to about one moderator for every 75,660 users.

Facebook’s contractors have long complained about long hours and low pay, and that’s not even taking into account the thousands of gruesome posts — from beheadings to child abuse and exploitation — they have to review each day. Turnover is understandably high. No other social network in the world has as many users as Facebook, and it’s impossible to know what the “right number” of moderators is.

But the numbers don’t add up. Facebook’s army of 30,000 safety staffers isn’t enough to combat the onslaught of vitriol and violence, let alone an advanced adversary like the nation-state actors it’s constantly blaming.

Facebook lost its chief security officer this year — and hasn’t found a replacement

Zuckerberg made no mention of the photo data exposure and account breaches that the company had to contend with this year, even if he couldn’t avoid mentioning Cambridge Analytica, the voter research firm that misused 87 million Facebook users’ information, just the once.

Yet Zuckerberg made no commitment to doubling down on the company’s efforts to secure the platform, despite years of its “move fast and break things” mentality. Since the departure of former chief security officer Alex Stamos in August, the company hasn’t hired his replacement. All signs point to nobody taking the position at all. While many see a chief security officer as a figurehead-type position, they still provide executive-level insight into the threats the company faces and the issues to handle — now more than ever after a string of embarrassing and damaging security incidents.

Zuckerberg said that the company invests “billions of dollars in security yearly.” That may be true. But without an executive overseeing that budget, it’s hardly reassuring that nobody with the years of experience needed to oversee a company’s security posture is in control of where those billions go.

There was no acknowledgement of Facebook’s role in Myanmar’s genocide

Fake news, misinformation and election meddling are one thing, but Zuckerberg refused to acknowledge the direct impact Facebook had on Myanmar’s ethnic violence — which the United Nations is calling genocide.

It can’t be much of a surprise to Zuckerberg. The UN said Facebook had a “determining role” in inciting genocide in the country. He faced questions directly from U.S. lawmakers earlier this year when he was told to testify to senators in April. Journalists are regularly arrested and murdered for reporting on the military-backed government’s activities. The Facebook boss apologized — which human rights groups on the ground called “grossly insufficient.”

Facebook said last week that it has purged hundreds of accounts, pages and groups associated with inciting violence in Myanmar, but continues to refuse to set up an office in the country — despite groups on the ground saying it would be necessary to show it’s serious about the region.

“That doesn’t mean… people won’t find more examples of past mistakes before we improved our systems.”

Zuckerberg said in his note that the company “didn’t focus as much on these issues as we needed to, but we’re now much more proactive.”

“That doesn’t mean we’ll catch every bad actor or piece of bad content, or that people won’t find more examples of past mistakes before we improved our systems,” he said. Some have seen that as a hint that some of the worst revelations are yet to come. Perhaps it’s just Zuckerberg hedging his bets as a way to indemnify his remarks from criticism when the next inevitable piece of bad news hits the wires.

In his 1,000-word post, Zuckerberg said he was “proud” three times, he talked of the company’s “focus” four times and how much “progress” was being made five times. But there wasn’t a single “sorry” to be seen. Then again, he’s spent most of his Facebook career apologizing for the company’s fails. Any more at this point would probably come across as trite.

Zuckerberg ended on as cheery a note as he began, looking to the new year as an opportunity for “building community and bringing people together,” adding: “Here’s to a great new year to come.”

Well, it can’t be much worse than this year. Or can it?

911 emergency services go down across the US after CenturyLink outage

911 emergency services in several states across the U.S. remain down after a massive outage at a CenturyLink data center.

The outage began after 12pm ET on Thursday, according to CenturyLink’s status page, and continues to cause disruption across 911 call centers. Some states have seen their services restored. CenturyLink has not said what caused the outage beyond an issue with a “network element,” but said in its latest update — around 11am ET on Friday — that it was “seeing good progress, but our service restoration work is not complete.”

In a tweet, the telecoms giant said it was “working tirelessly” to get its affected systems back up and running.

CenturyLink, one of the largest telecommunications providers in the U.S., provides internet and phone backbone services to major cell carriers, including AT&T and Verizon. Data center or fiber issues can have a knock-on effect on other companies, cutting out service and causing cell site blackouts.

In this case, the outage affected only cellular calls to 911, and not landline calls.

Several states sent emergency alerts to residents’ cell phones warning of the outage.

Areas affected include Seattle, Washington, and Salt Lake City, Utah. Several other states, including Idaho, Oregon, Arizona and Missouri, are also affected, local news has reported.

Many police departments tweeted out alternative numbers for 911 in the event of an emergency.

Police in Boston, Massachusetts tweeted that their service was restored this morning.

Ajit Pai, chairman of the Federal Communications Commission, which regulates and monitors 911 services, said the commission is investigating the outage.

“When an emergency strikes, it’s critical that Americans are able to use 911 to reach those who can help,” said Pai in a statement. “The CenturyLink service outage is therefore completely unacceptable, and its breadth and duration are particularly troubling.”

“I’ve directed the Public Safety and Homeland Security Bureau to immediately launch an investigation into the cause and impact of this outage. This inquiry will include an examination of the effect that CenturyLink’s outage appears to have had on other providers’ 911 services,” he said.

TechCrunch will have more when it comes in.

Google & Facebook fed ad dollars to child porn discovery apps

Google has scrambled to remove third-party apps that led users to child porn sharing groups on WhatsApp in the wake of TechCrunch’s report about the problem last week. We contacted Google with the name of one of these apps and evidence that it and others offered links to WhatsApp groups for sharing child exploitation imagery. Following publication of our article, Google removed that app and at least five like it from the Google Play store. Several of these apps had over 100,000 downloads, and they’re still functional on devices that already downloaded them.

A screenshot from today of active child exploitation groups on WhatsApp. Phone numbers and photos redacted.

WhatsApp failed to adequately police its platform, confirming to TechCrunch that it’s only moderated by its own 300 employees and not Facebook’s 20,000 dedicated security and moderation staffers. It’s clear that scalable and efficient artificial intelligence systems are not up to the task of protecting the 1.5 billion user WhatsApp community, and companies like Facebook must invest more in unscalable human investigators.

But now, new research provided exclusively to TechCrunch by anti-harassment algorithm startup AntiToxin shows that these removed apps that hosted links to child porn sharing rings on WhatsApp were supported with ads run by Google and Facebook’s ad networks. AntiToxin found 6 of these apps ran Google AdMob, 1 ran Google Firebase, 2 ran Facebook Audience Network, and 1 ran StartApp. These ad networks earned a cut of brands’ marketing spend while allowing the apps to monetize and sustain their operations by hosting ads for Amazon, Microsoft, Motorola, Sprint, Sprite, Western Union, Dyson, DJI, Gett, Yandex Music, Q Link Wireless, Tik Tok, and more.

The situation reveals that tech giants aren’t just failing to spot offensive content in their own apps, but also in third-party apps that host their ads and that earn them money. While these apps like “Group Links For Whats” by Lisa Studio let people discover benign links to WhatsApp groups for sharing legal content and discussing topics like business or sports, TechCrunch found they also hosted links with titles such as “child porn only no adv” and “child porn xvideos” that led to WhatsApp groups with names like “Children 💋👙👙” or “videos cp” — a known abbreviation for ‘child pornography’.

In a video provided by AntiToxin seen below, the app “Group Links For Whats by Lisa Studio” that ran Google AdMob is shown displaying an interstitial ad for Q Link Wireless before providing WhatsApp group search results for “child”. A group described as “Child nude FBI POLICE” is surfaced, and when the invite link is clicked, it opens within WhatsApp to a group called “Children 💋👙👙”. (No illegal imagery is shown in this video or article. TechCrunch has omitted the end of the video that showed a URL for an illegal group and the phone numbers of its members.)

Another video shows the app “Group Link For whatsapp by Video Status Zone” that ran Google AdMob and Facebook Audience Network displaying a link to a WhatsApp group described as “only cp video”. When tapped, the app first surfaces an interstitial ad for Amazon Photos before revealing a button for opening the group within WhatsApp. These videos show how alarmingly easy it was for people to find illegal content sharing groups on WhatsApp, even without WhatsApp’s help.

Zero Tolerance Doesn’t Mean Zero Illegal Content

In response, a Google spokesperson tells me that these group discovery apps violated its content policies and it’s continuing to look for more like them to ban. When they’re identified and removed from Google Play, it also suspends their access to its ad networks. However, it refused to disclose how much money these apps earned and whether it would refund the advertisers. The company provided this statement:

“Google has a zero tolerance approach to child sexual abuse material and we’ve invested in technology, teams and partnerships with groups like the National Center for Missing and Exploited Children, to tackle this issue for more than two decades. If we identify an app promoting this kind of material that our systems haven’t already blocked, we report it to the relevant authorities and remove it from our platform. These policies apply to apps listed in the Play store as well as apps that use Google’s advertising services.”

App | Developer | Ad Network | Estimated Installs | Last Day Ranked
--- | --- | --- | --- | ---
Unlimited Whats Groups Without Limit Group links | Jack Rehan | Google AdMob | 200,000 | 12/18/2018
Unlimited Group Links for Whatsapp | NirmalaAppzTech | Google AdMob | 127,000 | 12/18/2018
Group Invite For Whatsapp | Villainsbrain | Google Firebase | 126,000 | 12/18/2018
Public Group for WhatsApp | Bit-Build | Google AdMob, Facebook Audience Network | 86,000 | 12/18/2018
Group links for Whats – Find Friends for Whats | Lisa Studio | Google AdMob | 54,000 | 12/19/2018
Unlimited Group Links for Whatsapp 2019 | Natalie Pack | Google AdMob | 3,000 | 12/20/2018
Group Link For whatsapp | Video Status Zone | Google AdMob, Facebook Audience Network | 97,000 | 11/13/2018
Group Links For Whatsapp – Free Joining | Developers.pk | StartAppSDK | 29,000 | 12/5/2018

Facebook meanwhile blamed Google Play, saying the apps’ eligibility for its Facebook Audience Network ads was tied to their availability on Google Play and that the apps were removed from FAN when booted from the Android app store. The company was more forthcoming, telling TechCrunch it will refund advertisers whose promotions appeared on these abhorrent apps. It’s also pulling Audience Network from all apps that let users discover WhatsApp Groups.

A Facebook spokesperson tells TechCrunch that “Audience Network monetization eligibility is closely tied to app store (in this case Google) review. We removed [Public Group for WhatsApp by Bit-Build] when Google did – it is not currently monetizing on Audience Network. Our policies are on our website and out of abundance of caution we’re ensuring Audience Network does not support any group invite link apps. This app earned very little revenue (less than $500), which we are refunding to all impacted advertisers.”

Facebook also provided this statement about WhatsApp’s stance on illegal imagery sharing groups and third-party apps for finding them:

“WhatsApp does not provide a search function for people or groups – nor does WhatsApp encourage publication of invite links to private groups. WhatsApp regularly engages with Google and Apple to enforce their terms of service on apps that attempt to encourage abuse on WhatsApp. Following the reports earlier this week, WhatsApp asked Google to remove all known group link sharing apps. When apps are removed from Google Play store, they are also removed from Audience Network.”

An app with links for discovering illegal WhatsApp Groups runs an ad for Amazon Photos

Israeli NGOs Netivei Reshet and Screen Savers worked with AntiToxin to provide a report published by TechCrunch about the wide extent of child exploitation imagery they found on WhatsApp. Facebook and WhatsApp are still waiting on the groups to work with Israeli police to provide their full research so WhatsApp can delete illegal groups they discovered and terminate user accounts that joined them.

AntiToxin develops technologies for protecting online networks from harassment, bullying, shaming, predatory behavior and sexually explicit activity. It was co-founded by Zohar Levkovitz, who sold Amobee to SingTel for $400M, and Ron Porat, who was the CEO of ad-blocker Shine. [Disclosure: The company also employs Roi Carthy, who contributed to TechCrunch from 2007 to 2012.] “Online toxicity is at unprecedented levels, at unprecedented scale, with unprecedented risks for children, which is why completely new thinking has to be applied to technology solutions that help parents keep their children safe,” Levkovitz tells me. The company is pushing Apple to remove WhatsApp from the App Store until the problems are fixed, citing how Apple temporarily suspended Tumblr due to child pornography.

Ad Networks Must Be Monitored

Encryption has proven an impediment to WhatsApp preventing the spread of child exploitation imagery. WhatsApp can’t see what is shared inside of group chats. Instead it has to rely on the few pieces of public and unencrypted data such as group names and profile photos plus their members’ profile photos, looking for suspicious names or illegal images. The company matches those images to a PhotoDNA database of known child exploitation photos to administer bans, and has human moderators investigate if seemingly illegal images aren’t already on file. It then reports its findings to law enforcement and the National Center For Missing And Exploited Children. Strong encryption is important for protecting privacy and political dissent, but also thwarts some detection of illegal content and thereby necessitates more manual moderation.

With just 300 total employees and only a subset working on security or content moderation, WhatsApp seems understaffed to manage such a large user base. It’s tried to depend on AI to safeguard its community. However, that technology can’t yet perform the nuanced investigations necessary to combat exploitation. WhatsApp runs semi-independently of Facebook, but could hire more moderators to investigate group discovery apps that lead to child pornography if Facebook allocated more resources to its acquisition.

WhatsApp group discovery apps featured Adult sections that contained links to child exploitation imagery groups

Google and Facebook, with their vast headcounts and profit margins, are neglecting to properly police who hosts their ad networks. The companies have sought to earn extra revenue by powering ads on other apps, yet failed to assume the necessary responsibility to ensure those apps aren’t facilitating crimes. Stricter examinations of in-app content should be administered before an app is accepted to app stores or ad networks, and periodically once they’re running. And when automated systems can’t be deployed, as can be the case with policing third-party apps, human staffers should be assigned despite the cost.

It’s becoming increasingly clear that social networks and ad networks that profit off of other people’s content can’t be low-maintenance cash cows. Companies should invest ample money and labor into safeguarding any property they run or monetize even if it makes the opportunities less lucrative. The strip-mining of the internet without regard for consequences must end.

Security flaws let anyone snoop on Guardzilla smart camera video recordings

A popular smart security system maker has ignored warnings from security researchers that its flagship device has several serious vulnerabilities, including allowing anyone access to the company’s central store of customer-uploaded video recordings.

The researchers at 0DayAllDay found that Guardzilla’s top-selling indoor wireless security system contains a set of hardcoded keys that can be easily extracted, because the device’s root password was protected using a decade-old algorithm that’s nowadays easily crackable. Each device uses the same set of keys to upload video recordings to the company’s Amazon Web Services’ storage servers. Anyone can use these keys to log in and gain full access to the company’s cloud storage — and customer data uploaded from the device.

But the storage servers remain vulnerable — even at the time of publication, TechCrunch can confirm — despite the researchers privately emailing the company detailing the vulnerabilities in September.

“We’ve tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,” said Tod Beardsley, Rapid7’s research director, who helped coordinate the release of the researchers’ findings.

The team of five researchers said in their report that it took two off-the-shelf consumer graphics cards just three hours to crack the eight-letter password protecting the firmware that ships with each affected Guardzilla device. Because the keys were buried in the code, anyone with a Guardzilla device could obtain the keys and gain unfettered access to the company’s 13 storage buckets hosted on Amazon’s servers. The researchers tested the keys but did not use them to access the buckets, they said, to prevent unintentional access to Guardzilla customer data.

TechCrunch confirmed that the keys were still active and linked to the listed buckets as of Wednesday. (We could not verify the contents of the buckets as that would be unlawful.)

Hardcoding keys isn’t an uncommon practice in cheaply manufactured internet-connected devices, but is considered one of the worst security practices for a hardware maker to commit as it’s easy for a hacker to break into a central server storing user data. Hardcoding keys has become such an acute problem that a recently passed California law will soon ban consumer electronics using default and hardcoded credentials from 2020.

Fixing the vulnerability not only requires the keys to be changed on the server, but also a software patch to be rolled out on each affected device.

“They could update the keys and update the firmware, but that just means they’ll be rediscovered again by the same techniques,” said Beardsley. “The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts.”

“That’s a pretty significant change, but it’s just about the only way to avoid this kind of problem,” he said.
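An added example, not from the 0DayAllDay report or Guardzilla’s firmware: a pre-release check that scans a firmware image for embedded AWS credentials, the class of defect described above, and refuses to ship the image if it finds one. The image and every key in it are constructed and fake; the only real-world fact relied on is the documented shape of an AWS access key ID (20 characters beginning with AKIA for long-term keys or ASIA for temporary ones).

```python
"""Pre-release check: scan a firmware image for embedded AWS credentials.

Added example, not from the 0DayAllDay report or Guardzilla's firmware.
FIRMWARE_IMAGE below is a constructed blob and every key in it is fake; the
only real-world fact relied on is the documented shape of an AWS access key
ID (20 characters beginning with AKIA for long-term keys or ASIA for
temporary ones).
"""
import re
from dataclasses import dataclass
from typing import List

# Access key ID: AKIA/ASIA followed by 16 uppercase alphanumerics, not
# embedded in a longer run of the same characters.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters of base64-style text. On their own
# they are too generic to flag, so we only look for one close to a key ID.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 256  # bytes on either side of a key ID searched for its secret


@dataclass(frozen=True)
class Finding:
    offset: int           # byte offset of the access key ID in the image
    access_key_id: str
    secret_nearby: bool   # a 40-char secret-shaped token sits within WINDOW bytes


def scan_firmware(image: bytes) -> List[Finding]:
    """Return every access-key-shaped token in the image, with context."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(image):
        lo = max(0, m.start() - WINDOW)
        hi = min(len(image), m.end() + WINDOW)
        neighbourhood = image[lo:m.start()] + image[m.end():hi]
        findings.append(Finding(m.start(), m.group().decode("ascii"),
                                SECRET_KEY_RE.search(neighbourhood) is not None))
    return findings


def release_gate(image: bytes) -> bool:
    """True when the image may ship: no shared cloud credential baked in.

    Shipping the same key in every unit means one extracted key grants
    access to every customer's uploads; the durable fix is per-device
    credentials issued by a server-side service, not a better-hidden key.
    """
    return not scan_firmware(image)


# Constructed firmware image: a fake header, a credential pair of the kind a
# cloud uploader might carry, and a second lone key ID far from any secret.
FIRMWARE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 64
    + b"/usr/bin/uploader\x00"
    + b"AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\x00"          # fake key ID
    + b"AWS_SECRET_ACCESS_KEY=" + b"c" * 40 + b"\x00"         # fake secret
    + b"bucket=example-video-uploads\x00"
    + b"\x00" * 400
    + b"AKIAEXAMPLE876543210\x00"                             # fake, no secret near it
)

if __name__ == "__main__":
    for f in scan_firmware(FIRMWARE_IMAGE):
        print(f"offset {f.offset:#x}: {f.access_key_id} (secret nearby: {f.secret_nearby})")
    print("release ok:", release_gate(FIRMWARE_IMAGE))
```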

Guardzilla was given three months to fix the security lapse and roll out new firmware to affected devices after the researchers privately reached out, but the company neither acknowledged nor patched the issue, prompting the researchers to go public with their findings.

The researchers also disclosed the vulnerabilities to Carnegie Mellon University’s public vulnerability database, CERT, which is set to issue an advisory Thursday, but received no response from the company.

TechCrunch sent several emails to Guardzilla prior to publication to no avail. After we contacted the company’s registered agent, a law firm in St. Louis, Missouri, chief executive Greg Siwak responded hours before publication, denying that the company received any correspondence. We asked several questions to clarify the company’s position, which we will include here if and when they come in. Siwak was adamant that the “accusations are false,” but did not say why.

When reached, former Guardzilla president Ted Siebenman told TechCrunch that he left the company in February but claimed he was “not aware” of the security issues in the device, including the use of hardcoded keys.

The security researchers found two more vulnerabilities — including several known bugs stemming from the device’s continued use of an OpenSSL encryption library version deprecated more than two years ago. The researchers also disclosed in their write-up their discovery of “large amounts” of traffic sent from an open port on the device to Guardzilla’s Amazon server, but could not explain why.

Guardzilla doesn’t say how many devices it’s sold or how many customers it has, but touts its hardware selling in several major U.S. retailers, including Amazon, Best Buy, Target, Walmart and Staples.

For now, your safest bet is to unplug your Guardzilla from the wall and stop using it.

Cyber breaches abound in 2019

News of high-profile cyber breaches has been uncharacteristically subdued in recent quarters. However, we recently learned that Marriott International/Starwood was the victim of the multi-year theft of personal information on up to 500 million customers — rivaled only by hacks against Yahoo in 2013 and 2014.

Is this a harbinger of a worse hacking landscape in 2019?

The answer is unequivocally yes. No question, cyber breaches have been a gigantic thorn in the global economy for years. But expect them to be even more rampant in the new year as chronically improving malware will be deployed more aggressively on more fronts.

In addition, as companies increasingly pursue digitization to drive efficiency, reduce costs and build data-driven businesses, they simultaneously move into the “target zone” of cyber attacks. As the digital economy expands, the threat landscape naturally follows suit. Compounding the situation is the use of machine learning and AI as hackers and other bad actors look to scale their bad behavior.

Look for AI-driven chatbots to go rogue, a substantial increase in crimeware-as-a-service, acceleration of the weaponization of data, a resurgence in ransomware and a significant increase in nation-state cyberattacks. Also on a growth track is so-called cryptojacking — a quiet, more insidious avenue of profit that relies on invasive methods of initial access and drive-by scripts on websites to steal resources from unsuspecting victims.

Then, too, we will also see a substantial increase in software subversion, including the specific targeting of developers for attack and the likely proliferation of software update supply chain attacks.

Here is a mini dive into the top pending threats:

The emergence of AI-driven chatbots. In the new year, cybercriminals and black hat hackers will create malicious chatbots that try to socially engineer victims into clicking links, downloading files or sharing private information. A hijacked chatbot could easily misdirect victims to nefarious links rather than legitimate ones. Attackers are also likely to leverage web application flaws in legitimate websites to insert a malicious chatbot into a site that doesn’t have one.

Attacks on cities with crimeware-as-a-service, a new component of the underground economy. Adversaries will leverage new tools that among other things attack data integrity, disabling computers to the point of requiring mandatory hardware replacements. Terrorist-related groups will be the likely culprits.

A significant increase in nation-state attacks. Russia has been a leader in using targeted cyberactions as part of larger objectives. Earlier this year, for example, the FBI disclosed that the Sofacy group, a Russian persistent threat actor, infected more than 500,000 home office routers and network-attached storage devices worldwide to remotely control them. Look for other nation-states to follow the same sort of playbook, helped by billions of poorly secured IoT devices.

The growing weaponization of data. Already a huge problem, it is certain to worsen, notwithstanding efforts among some technology giants to enhance user security and privacy. Balancing the negatives with the positives, tens of millions of compromised web users have begun to seriously question how much they really benefit from the internet.

Consider, for example, Facebook, which has made no secret of using personal data and “private” correspondence to annually generate billions of dollars in profits. Users willingly “like” interests and brands, volunteering personal information. This enables Facebook to provide a more complete image of its user base — a gold mine for advertisers.

Much worse, Facebook earlier this year tried to manipulate user moods through an “emotional contagion” experiment. This pitted users against their peers to influence their emotions, i.e. the weaponization of data.

A resurgence in ransomware. Ransomware exploded onto the scene in 2017 following the WannaCry outbreak and a series of successful follow-up ransomware attacks targeting high-profile victims. According to the FBI, total ransomware payments in the U.S. have in some years exceeded $1 billion. There were scant high-profile ransomware victims in recent months, but the problem is highly likely to bounce back strongly in 2019. Ransomware attacks come in waves, and the next one is due.

Increased subversion of software development processes and attacks on software update supply chains. Regarding software development, malware has already been detected in select open-source software libraries. Meanwhile, software update supply chain attacks violate software vendor update packages. When customers download and install updates, they unwittingly introduce malware into their system. In 2017, there was an average of one attack every month, compared to virtually none in 2016, according to Symantec. The trend continued in 2018 and will become worse next year.

More cyber attacks on satellites. In June, Symantec reported that an unnamed group had successfully targeted the satellite communications of Southeast Asia telecom companies involved in geospatial mapping and imaging. Symantec also reported attacks originating in China last year on a defense contractor’s satellite.

Separately, we learned in August at the annual Black Hat information security conference that the satellite communications used by ships, planes and the military to connect to the internet are vulnerable to hackers. In the worst-case scenario, the research said, hackers could carry out “cyber-physical attacks” that could turn satellite antennas into weapons that essentially operate like microwave ovens.

Fortunately, the cyber outlook for 2019 is not altogether grim.

On the cybersecurity side, a growing number of experts believe that multi-factor authentication will become the standard for all online businesses, abandoning password-only access. In addition, a number of states are expected to adopt some version of Europe’s strict General Data Protection Legislation. California, for one, has already passed legislation that will make it easier for consumers to sue companies after a data breach, starting in 2020.

The upshot is that individuals, businesses and government entities need to do everything possible to improve the state of their cybersecurity. They cannot eliminate breaches, but they can avert some and improve the chances of mitigating them.

Cybersecurity 101: Five simple security guides for protecting your privacy

With hundreds of millions of people home for the holidays, now is a better time than ever to spread good tidings and cheer, and — well, some much-needed security advice for all the family.

Security sounds complicated, but it doesn’t have to be. Privacy is more important than ever. With an ever-changing and evolving landscape of threats and hacks, breaches and vulnerabilities, there’s no better time of the year to help your family navigate some of the most basic but effective security tips. (Let’s face it, you were bound to end up being called on for tech support at some point anyway.)

We’ve put together five how-to guides covering cybersecurity basics that anyone can learn — and everyone should learn, including:

Why you need to use a password manager


If you thought passwords would soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember — and just when you’ve memorized one, you’re told to change it again. And sometimes passwords can be guessed and are easily hackable.

Nobody likes passwords but they’re a fact of life. And while some have tried to kill them off by replacing them with fingerprints and face-scanning technology, neither is perfect and many still fall back on the trusty (but frustrating) password.

How do you make them better? You need a password manager.

What is a password manager?

Think of a password manager like a book of your passwords, locked by a master key that only you know.

To some of you, that might sound bad. What if someone gets my master password? That’s a reasonable and rational fear. But assuming you’ve chosen a strong, unique but memorable master password that you’ve not used anywhere else, this is a near-perfect way to protect the rest of your passwords from improper access.

Password managers don’t just store your passwords — they help you generate and save strong, unique passwords when you sign up to new websites. That means whenever you go to a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you.

And because many of the password managers out there have encrypted sync across devices, you can take your passwords anywhere with you — even on your phone.

Why do you need to use one?

Password managers take the hassle out of creating and remembering strong passwords. It’s that simple. But there are three good reasons why you should care.

Passwords are stolen all the time. Sites and services are at risk of breaches as much as you are to phishing attacks that try to trick you into turning over your password. Although companies are meant to scramble your password whenever you enter it — known as hashing — not all use strong or modern algorithms, making it easy for hackers to reverse that hashing and read your password in plain text. Some companies don’t bother to hash at all! That puts your accounts at risk of fraud or your data at risk of being used against you for identity theft.

But the longer and more complex your password is — a mix of uppercase and lowercase characters, numbers, symbols and punctuation — the longer it takes for hackers to unscramble your password.
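The contrast the article draws, as an added example that is not code from the article: a bare, unsalted MD5 digest (the weak scheme it warns about) beside a salted, memory-hard scrypt derivation that makes every guess expensive and per-user, using only the Python standard library. The function names, stored-record format and scrypt parameters are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Legacy scheme the article warns about: a bare, unsalted MD5 digest.
# Identical passwords always give identical digests, so one precomputed
# lookup table (or one earlier breach) exposes every user of that password.
def hash_password_legacy(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Modern scheme: a memory-hard key derivation function (scrypt, in the
# standard library) with a random per-user salt, so a guess must be recomputed
# for every user and each derivation costs real CPU time and memory.
# Parameters are this example's own choice, not a vendor recommendation.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    # Keep the salt and parameters with the digest so verification can
    # reproduce the derivation (record format is this example's own).
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # not one of our records (e.g. a legacy MD5 digest)
    _, n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def collides_for_same_password(scheme: Callable[[str], str]) -> bool:
    """True if two users who pick the same password get the same stored record."""
    return scheme("correct horse") == scheme("correct horse")

if __name__ == "__main__":
    print("legacy collides:", collides_for_same_password(hash_password_legacy))
    print("scrypt collides:", collides_for_same_password(hash_password))
    record = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", record))
```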

The other problem is the sheer number of passwords we have to remember. Banks, social media accounts, our email and utilities — it’s easy to just use one password across the board. But that makes “credential stuffing” easier. That’s when hackers take your password from one breached site and try to log in to your account on other sites. Using a password manager makes it so much easier to generate and store stronger passwords that are unique to each site, preventing credential stuffing attacks.

And, for the times you’re in a crowded or busy place — like a coffee shop or an airplane — think of who is around you. Typing in passwords can be seen, copied and later used by nearby eavesdroppers. Using a password manager in many cases removes the need to type any passwords in at all.

Which password manager should you use?

The simple answer is that it’s up to you. All password managers perform largely the same duties — but different apps will have features that are more relevant to you than others.

Anyone running iOS 11 or later — which is most iPhone and iPad users — will have a password manager by default, so there’s no excuse. You can sync your passwords across devices using iCloud Keychain.

For anyone else, most password managers are free, with the option to upgrade to get better features.

If you want your passwords to sync across devices, for example, LastPass is a good option. 1Password is widely used and integrates with Troy Hunt’s Pwned Passwords database, so you can tell if a password has previously been leaked or exposed in a data breach (and avoid it!).

Many password managers are cross-platform, like Dashlane, which also works on mobile devices, allowing you to take your passwords wherever you go.

And some are open source, like KeePass, allowing anyone to read the source code. KeePass doesn’t use the cloud, so your password database never leaves your computer unless you move it. That’s much better for the super paranoid, but also for those who might face a wider range of threats — such as those who work in government.

What you might find useful is this evaluation of five password managers, which offers a breakdown by features.

Like all software, vulnerabilities and weaknesses in any password manager can put your data at risk. But so long as you keep your password manager up to date — most browser extensions are updated automatically — your risk is significantly reduced.

Simply put: using a password manager is far better for your overall security than not using one.

Check out our full Cybersecurity 101 guides here.

Two-factor authentication can save you from hackers


If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.

Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you’ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.

In all, it usually only adds a few extra seconds to your day.

Two-factor authentication (sometimes called “two-step verification”) combines something you know (your username and password) with something you have (such as your phone or a physical security key), or even something you are (like your fingerprint or another biometric), as a way of confirming that a person is authorized to log in. You might not have thought much about it, but you do this more than you think. Whenever you withdraw money from an ATM, you insert your card (something you have) and enter your PIN (something you know) — which tells the bank that it’s you. Even when you use your bank card on the internet, often you still need something that you know — such as your ZIP or postal code.

Having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.

Why is two-factor important?

Gone are the days when your trusty password could protect you. Even if you have a unique password for every website you use, there’s little to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.

Don’t think it’ll happen to you? So-called “credential stuffing” or brute-force attacks can make it easy for hackers to break in and hijack people’s online accounts in bulk. That happens all the time. Dunkin’ Donuts, Warby Parker, GitHub, AdGuard, the State Department — and even Apple iCloud accounts have all fallen victim to credential-stuffing attacks in recent years. Only accounts with two-factor are protected from these automated log-in attacks.

Two-factor also protects you against phishing emails. If someone sends you a dodgy email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.

Enabling two-factor is a good start, but it’s not a panacea. As much as it can prevent hackers from logging in as you, it doesn’t mean that your data stored on the server is protected from hackers breaching a server elsewhere, or from a government demanding that the company turn over your data.

And some methods of two-factor are better than others. As you’ll see.

The best way to two-factor your accounts

Let’s get something out of the way real quick. Even if you want to go all-out and secure your accounts, you’ll quickly realize many sites and services just don’t support two-factor. You should tell them to! You can see if a website supports two-factor here.

But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.

There are four main types of two-factor authentication, ranked in order of effectiveness:

A text message code: The most common form of two-factor is a code sent by SMS. It doesn’t require an app or even a smartphone, just a single bar of cell service. It’s very easy to get started. But two-factor by text message is the least secure method. These days, hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes. Because SMS messages aren’t encrypted, they can also just leak. More recently, researchers found that this can be done on a massive scale. Also, if your phone is lost or stolen, you have a problem. A text message code is better than not using two-factor at all, but there are far more secure options.

An authenticator app code: This works similarly to the text message, except you’ll have to install an app on your smartphone. Any time you log in, you’ll get a code sent to your app. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an HTTPS connection, making it near-impossible for anyone to snoop in and steal the code before you use it. But if you lose your phone or have malware on your phone — especially Android devices — those codes can be stolen once they arrive on your device.

A biometric: Smile! You’re on camera. Often, in industrial or enterprise settings, you’ll be asked for your biometrics, such as facial recognition, an iris scan or, more likely, a fingerprint. These usually require specialized hardware (and software) and are less common. A downside is that these technologies can be spoofed — such as cloning a fingerprint or creating a 3D-printed head.

A physical key: Last but not least, a physical key is considered the strongest of all two-factor authentication methods. Google said that it hasn’t had a single confirmed account takeover since rolling out security keys to its staff. Security keys are USB sticks that you can keep on your keyring. When you log in to your account, you are prompted to insert the cryptographically unique key into your computer and that’s it. Even if someone steals your password, they can’t log in without that key. And phishing pages won’t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers.

There are several security keys to choose from: Google has its Advanced Protection Program for high-risk users, like politicians and journalists, and its Google Titan key for everyone else. But many security experts will say Yubikey is the gold standard of security keys. There are a few things to note. Firstly, not many sites support security keys yet, but most of the major companies do — like Microsoft, Facebook, Google and Twitter. Usually, when you set up a physical key, you can’t revert to a text message code or a biometric. It’s a security key, or nothing. A downside is that you will have to buy two — one as a backup — but security keys are inexpensive. Also, if one is stolen, there’s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. So, be careful and keep one safe.
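For the authenticator-app option described above, most apps implement time-based one-time passwords (TOTP, RFC 6238): the app and the site share a secret once at enrollment, and each then derives the six-digit code from that secret and the current time. The following is an added example, not code from the article or from any of the apps it names; the function names and the verification window are this example's own choices, and the secret is the RFC's published test value rather than a real one.

```python
import hashlib
import hmac
import struct

# The shared secret is provisioned once at enrollment (typically via the QR
# code the site shows). This value is the RFC 6238 reference test secret,
# chosen so the codes are known; a real secret is random and kept private.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer and reduction to the wanted digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time. This is what the
    app computes; the site computes the same value from its copy of the secret."""
    return hotp(secret, at // step)

def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Site-side check. Accept the current step and `window` steps either side
    so a slightly skewed phone clock still works, comparing in constant time.
    A wider window gives an attacker more valid codes per attempt, so keep it small."""
    base = at // STEP_SECONDS
    candidates = (hotp(secret, base + d) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code:", code, "valid:", verify_totp(DEMO_SECRET, code, now))
```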

That’s what you need to know. You might want to create a checklist of your most valuable accounts, and begin switching on two-factor authentication starting with them. In most cases, it’s straightforward — but you can always head to this website to learn how to enable two-factor on each website. You might want to take an hour or so to go through all of your accounts — so put on a pot of coffee and get started.

You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.


How to protect your cell phone number and why you should care


Assuming you have your strong passwords in place and your two-factor authentication set up, you might think your accounts are now safe. Think again. There’s much more to be done.

You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!

Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc on your online life.

Why you need to protect your phone number

Your cell phone number is a single point of failure.

Think about it. You use your cell phone number all the time. You use it when you sign up to sites and services, and sometimes you’ll use it to log into an app or a game on your phone. Your phone number can be used to reset your account if you forget your password. And you use it for two-factor authentication to securely log in to your accounts.

If someone steals your phone number, they become you — for all intents and purposes. With your phone number, a hacker can start hijacking your accounts one by one by having a password reset sent to your phone. They can trick automated systems — like your bank — into thinking they’re you when you call customer service. And worse, they can use your hijacked number to break into your work email and documents — potentially exposing your employer to data theft.

Just think of every site and service that has your phone number. That’s why you need to protect your phone number.

How do hackers steal cell phone numbers?

It’s easier than you might think. Phone numbers can be found anywhere, thanks in part to so many data breaches.

Often, hackers will find the cell phone number of their target floating around the internet (or on a phone bill in the garbage), and call up their carrier impersonating the customer. With a few simple questions answered — often little more than where a person lives or their date of birth — they ask the customer service representative to “port out” the phone number to a different carrier or a SIM card.

That’s it. As soon as the “port out” completes, the phone number activates on an attacker’s SIM card, and the hacker can send and receive messages and make calls as if they were the person they just hacked.

In most cases, the only sign that it happened is if the victim suddenly loses cell service for no apparent reason.

From there, it’s as simple as initiating password resets on accounts associated with that phone number. Facebook, Gmail, Twitter — and more. A hacker can use your hijacked phone number to steal all of your cryptocurrency, take over your vanity Instagram username or maliciously delete all of your data.

You can read what happened to TechCrunch’s own John Biggs when his phone number was hijacked.

In the worst cases, it can be difficult or impossible to get your phone number back — let alone the accounts that get broken into. Your best bet is to make sure it never happens in the first place.

What you can do to protect your phone number

Just like you can apply two-factor authentication to your online accounts, you can add a secondary security code to your cell phone account, too.

You can either call up customer services or do it online. (Many feel more reassured by calling up and talking to someone.) You can ask customer service, for example, to set a secondary password on your account to ensure that only you — the account holder — can make any changes to the account or port out your number.

Every carrier handles secondary security codes differently. The carrier may limit the length or format of your password, passcode or passphrase, but try to make it longer than four to six digits. And make sure you keep a backup of the code!

For the major carriers:

If your carrier isn’t listed, you might want to check whether it offers a similar secondary security code for your account to prevent any abuse. And if it doesn’t, maybe you should port out your cell phone number to a carrier that does.
