Tech Friday with Dave Hatter - February 28th 2020 - SPONSORED BY INTRUST IT


  • EmpowerU Privacy Under Attack Seminar:
    • Surveillance capitalism is the business model that fuels tech titans such as Google and Facebook
    • Anyone with an Internet connection can read the latest news, listen to their favorite music, chat with friends, search for anything online, shop, pay bills, play games, and watch videos, all for “free”
    • If you’re not paying with money, you’re paying with data. You’re not the customer, you’re the product. 
    • Companies like Google and Facebook harvest every little bit of data that they can get their hands on, and monetize it in a variety of ways including selling it to other companies, who may or may not secure it correctly 
    • And with the Internet now ubiquitous, the ever-increasing number of “smart” devices that we interact with are collecting volumes of very detailed information about how and where we live, work and play, 24 hours a day, seven days a week. It’s relentless, pervasive and, in many cases, not obvious
    • Are we sleepwalking into a dystopian future, nearly like the one the Chinese are constructing, under the guise of convenience?
  • We'll explore the types of data being collected, how it’s being collected, how it’s being used, how it’s being misused, why you should care about improving your privacy, and tools and techniques to limit your digital footprint, including the best apps and platforms for privacy:
    • Phone
    • Browser
    • Search engine
    • Messaging
    • VPN
    • File share
    • and more
    • Join us for this free EmpowerU seminar Thursday, March 3rd at https://www.empoweruohio.org/
  • Warning about Android VPN apps that affect roughly 120 million users:
    • A VPN (Virtual Private Network) creates an encrypted connection that protects information transmitted through it. VPNs are especially important for public internet connections
    • However, if the VPN application is compromised, it can lead to a dangerous false sense of security
    • VPNPro tested the 10 most popular free VPN apps found with a Google Play Store search
    • They developed a Man-In-The-Middle (MITM) attack to test the apps
    • The results were not good: all ten apps demonstrated issues that put user data at risk
    • In their report, VPNPro said "Right now, more than 105 million people could have their credit card details stolen, their private photos and videos sold online, their private conversations recorded and sent to a server in a secret location."
    • VPNPro disclosed the vulnerabilities to the makers of all 10 affected VPN apps in October 2019
    • One of the apps, Best Ultimate VPN, was patched. The others did not respond or act. Google is investigating
    • Even worse, SuperVPN from SuperSoftTech has over 100 million installs and has been dinged for issues in the past. SuperSoftTech is a Chinese company
    • In regards to SuperVPN, they said "we noticed that SuperVPN connects with multiple hosts, with some communications being sent via unsecured HTTP. This contained encrypted data. But after more digging, we found that this communication actually contained the key needed to decrypt the information."
    • They said "hackers can easily force users to connect to their own malicious VPN servers." and "it’s disastrous that a VPN would have these vulnerabilities—after all, users are connecting to VPNs in order to increase their privacy and security... For a VPN app to be so vulnerable is a betrayal of user trust and puts those users in a worse position than if they hadn’t used a VPN at all."
    • It does not appear that the companies behind these VPNs are necessarily malicious or that they have used their apps to abuse data
    • It's more likely that the developers haven't designed the software with security in mind and/or they don’t know or care about the issues
    • 4 of the vendors are in Hong Kong, Taiwan or mainland China
    • This is yet another warning to carefully vet ALL apps, especially VPN apps, before using them
    • If you have installed any of the VPN apps VPNPro identified, you should uninstall them immediately
    • Read the report and see the list of VPN apps here: https://vpnpro.com/blog/major-vulnerabilities-found-in-top-free-vpn-apps/
    • Here's a list of vetted VPNs: https://www.pcmag.com/picks/the-best-vpn-services
  • Is your "smart" speaker an Orwellian spy machine?:
    • In the past, there have been issues with "smart" speakers, aka "virtual assistants", listening when they shouldn't be
    • Virtual assistants like Siri and Alexa are designed to listen for a "wake phrase"
    • Many have questioned if the speakers are listening constantly
    • New research has shown that some "smart" speakers activate by mistake, as often as 19 times each day on average
    • For Google's Assistant the wake phrase is "OK Google", for Apple's Siri, it's "Hey Siri" and for Microsoft’s Cortana it's "Hey Cortana"
    • When the wake phrase is heard, the device pays attention to what follows
    • These devices can mishear things that trigger the device to listen. This has led to these devices capturing everything from sex to crimes
    • Researchers at Northeastern University and Imperial College London have found that the accuracy of these devices for discerning the wake phrase is not very good
    • To simulate real-world conditions, researchers configured a variety of smart speakers and played 125 hours of audio from various TV shows
    • Devices tested included Google Home Mini (1st Gen), Apple’s HomePod (1st Gen), Amazon’s second- and third-generation Echo Dot, and the Harman Kardon Invoke with Cortana
    • Recording was detected by capturing when lights activated, by monitoring the network traffic, and by checking cloud accounts for recordings
    • The HomePod device was the worst for false activation
    • Additionally, when devices activated, it was for fairly long periods, some as long as 43 seconds!
    • Despite past incidents, no evidence was found that any of these devices recorded constantly
    • You can disable active listening on many of these devices and require a button click to activate the device
    • The best thing you can do is D2, disconnect and discard
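
The network-traffic check the researchers used to spot activations can be approximated at home from per-second upstream byte counts for the speaker's address, for example exported from a router. The Python below is an added example, not the researchers' code; the sample data, function names and thresholds are assumptions chosen for illustration.

```python
from statistics import median

def build_sample():
    """Constructed data: (second, upstream bytes) for one speaker over 2 minutes."""
    def rate(t):
        if 20 <= t <= 24:                 # short burst
            return 8000
        if 60 <= t <= 102 and t != 80:    # long burst with a one-second lull
            return 9000
        return 300                        # idle keep-alive chatter
    return [(t, rate(t)) for t in range(120)]

def find_activations(samples, factor=10, min_bytes=2000, max_gap=2):
    """Group seconds of unusually high upstream traffic into activation windows.

    Only volume and timing are used; the payload is never inspected.
    Returns a list of (start_second, end_second, total_bytes).
    """
    if not samples:
        return []
    baseline = median(b for _, b in samples)
    threshold = max(min_bytes, factor * baseline)   # assumed heuristic
    windows = []
    for t, b in samples:
        if b < threshold:
            continue
        if windows and t - windows[-1][1] <= max_gap:
            start, _, total = windows[-1]
            windows[-1] = (start, t, total + b)     # extend the current window
        else:
            windows.append((t, t, b))               # start a new window
    return windows

def unexpected(windows, intended, slack=3):
    """Windows with no deliberate use between `slack` seconds before start and end."""
    return [w for w in windows
            if not any(w[0] - slack <= t <= w[1] for t in intended)]

if __name__ == "__main__":
    wins = find_activations(build_sample())
    for start, end, total in unexpected(wins, intended=[19]):
        print(f"unexpected activation: {end - start + 1}s, {total} bytes sent")
```

Pass the times you deliberately spoke to the device as `intended`; whatever remains is a candidate false activation to compare against the recordings in the vendor's cloud account.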