How Much Control Should Apple Have Over Your iPhone and The App Store

This story is part of a Recode series about Big Tech and antitrust. Over the next few weeks, we’ll cover what’s happening with Apple, Amazon, Facebook, Google, and Microsoft.

We love our mobile apps. It’s hard to think of something that at least one of the nearly 12 million apps out there can’t do. Order a taxi, buy clothes, get directions, play games, message friends, store vaccine cards, control hearing aids, eat, pray, love … the list goes on. You might be using an app to read this very article. And if you’re reading it on an iPhone, then you got that app through the App Store, the Apple-owned and -operated gateway for apps on its phones. But a lot of people want that to change.

Apple is facing growing scrutiny for the tight control it has over so much of the mobile-first, app-centric world it created. The iPhone, which was released in 2007, and the App Store, which came along a year later, helped make Apple one of the most valuable companies on the planet, as well as one of the most powerful. Now, lawmakers, regulators, developers, and consumers are questioning the extent and effects of that power — including if and how it should be reined in.

Efforts in the United States and abroad could significantly loosen Apple’s grip over one of its most important lines of business and fundamentally change how iPhone and iPad users get and pay for their apps. It could make many more apps available. It could make them less safe. And it could make them cheaper.

The iPhone maker isn’t the only company under the antitrust microscope. Once lauded as shining beacons of innovation and ingenuity that would guide the world into the 21st century, Apple is just one of several Big Tech companies now accused of amassing too much power over parts of the economy that have become as essential as steel, oil, and the telephone were in centuries past.

These companies have a great deal of control over what we can do on our phones, the items we buy online and how they get to our homes, our personal data, the internet ecosystem, even our online identities. Some believe the best way to deal with Big Tech now is the way we dealt with steel, oil, and telephone monopolies decades ago: by using antitrust laws to place restrictions on them or even break them up. And if our existing laws can’t do it, legislators want to introduce new laws that target the digital marketplace.

In her book Monopolies Suck, antitrust expert Sally Hubbard described Apple as a “warm and fuzzy monopolist” when compared to Facebook, Google, and Amazon, the other three companies in the so-called Big Four that have been accused of being too big. It doesn’t quite have the negative public perception that its three peers have, and the effects of its exclusive control over mobile apps on its consumers aren’t as obvious.

For many people, Facebook, Google, and Amazon are unavoidable realities of life on the internet these days, while Apple makes products they choose to buy. But more than half of the smartphones in the United States are iPhones, and as those phones become integrated into more facets of our daily lives, Apple’s exclusive control over what we can do with those phones and which apps we can use becomes more problematic. It’s also an outlier; rival mobile operating system Android allows pretty much any app, though app stores may have their own restrictions.

Apple makes the phones. But should Apple set the rules over everything we can do with them? And what are iPhone users missing out on when one company controls so much of their experience on them?

Apple’s vertical integration model was fine until it wasn’t

Many of the problems Apple faces now come from a principle of its business model: Maintain as much control as possible over as many aspects of its products as possible. This is unusual for a computer manufacturer. You can buy a computer with a Microsoft operating system from a variety of manufacturers, and nearly 1,300 brands sell devices with Google’s Android operating system. But Apple’s operating systems — macOS, iOS, iPadOS, and watchOS — are only on Apple’s devices. Apple has said it does this to ensure that its products are easy to use, private, and secure. It’s a selling point for the company and a reason some customers are willing to pay a premium for Apple devices.

Apple doubled down on that vertical integration strategy when it came to mobile apps, only allowing customers to get them through the App Store it owns and operates. Outside developers have to follow Apple’s approval process and abide by its rules to get into the App Store. Apple has a lot of content restrictions for apps that the company says are intended to keep users safe from, for instance, “upsetting or offensive content.” Apple says in its developer guidelines, “If you’re looking to shock and offend people, the App Store isn’t the right place for your app.” But that means Apple mobile devices — more than 1 billion of them worldwide — aren’t the right place for your app, either.

Developers whose apps do make it into the App Store may also find themselves paying Apple a hefty chunk of their income. Apple takes a commission from purchases of the apps themselves as well as purchases made within the apps. That commission is up to 30 percent and has been dubbed the App Store tax. There’s no way for apps to get around the commission for app purchases, and users have to pay for goods and services outside of the app to get around the in-app payment system’s commission.

Some of those developers are also competing with Apple when it comes to making certain kinds of apps. Developers have accused Apple of “Sherlocking” their apps — that’s when Apple makes an app that’s strikingly similar to a successful third-party app and promotes it in the App Store or integrates it into device software in ways that outside developers can’t. One famous example of this is how, after countless flashlight apps that used the iPhone’s camera flash became popular in the App Store, Apple built its own flashlight tool and integrated it into iOS in 2013. Suddenly, those third-party apps weren’t necessary.

Apple has also been accused of abusing its control to give it an advantage over streaming services. Spotify has complained for years that Apple has given an unfair competitive advantage to its Apple Music service, which came along a few years after Spotify. After all, Apple doesn’t have to pay an App Store tax for its own Music app, which comes pre-installed on iPhones and iPads, or the streaming service, which Apple can and does promote on its devices. (Apple points out that it only has 60 of its own apps, so clearly it’s not competing with every single third-party app in its store, or even the vast majority of them.)

“What Apple realized is that if they could control the App Store, they really control the rest of the game,” Daniel Hanley, senior legal analyst at Open Markets Institute, an anti-monopoly advocacy group, told Recode. “They don’t just control the hardware, now they control the software. They control how apps get on — it’s unilateral.”

This has all been a big moneymaker for Apple. Apple won’t say how big, but an expert said he believes the App Store alone made $22 billion in 2020, about 80 percent of which was profit. That profit margin estimate suggests that the mandatory commissions Apple takes from those apps far exceed the company’s costs for maintaining the App Store.

Because Apple refuses to allow alternate app stores or in-app payment systems, there’s no competition that might motivate it to lower those commissions — which could, in turn, allow developers to charge less for apps and in-app purchases. The House Judiciary Subcommittee on Antitrust’s report from the Democratic majority cited numerous examples of developers claiming that they had to raise their own prices to consumers to compensate for Apple’s commission.

Apple disputes some of these numbers but, again, refuses to give its own. Its financial statements lump the App Store in with other “services,” including iCloud and Apple’s TV, Music, and Pay. Even so, there’s little doubt that the App Store’s success has helped, if not driven, Apple’s transition from being primarily a hardware company to a goods and services provider.

“It’s a nice, fat [revenue] stream where they don’t have to do a ton of R&D,” Brian Merchant, technology journalist and author of The One Device: The Secret History of the iPhone, told Recode. “All they have to do is protect their walled garden.”

The case for only one App Store (Apple’s)

Apple says the security and privacy features its customers expect are impossible to provide without having this control over the apps on its phone. The company calls this a “trusted ecosystem.”

Craig Federighi, Apple’s senior vice president of software engineering, recently said that allowing Apple users to get apps through third-party app stores or by downloading them directly from the open internet (a practice known as sideloading) would open them up to a “Pandora’s box” of malware, though iPhones aren’t exactly immune to spyware. Similarly, Apple says its in-app payment systems are secure and private, which it can’t guarantee of anyone else’s.

These arguments aren’t necessarily wrong — there are plenty of malicious apps out there — but they don’t account for the fact that Apple doesn’t seem to have any problem with its Mac computers getting their apps from third-party app stores or through sideloading.

As for those commissions, Apple is quick to point out that the vast majority of apps, which are free, don’t pay Apple anything at all and still get all of the App Store’s benefits. Many apps are funded by selling ads and user data, which they don’t have to share with Apple, though Apple has recently tried to make this outside revenue stream less lucrative for developers by introducing anti-tracking features into iOS.

Those measures, which Apple says are designed to improve user privacy, could ultimately force developers to charge users for apps (more money for Apple!). So when Apple decided to stop much of that data flow, it upended an entire ecosystem worth hundreds of billions of dollars a year — Facebook was even reportedly considering filing an antitrust lawsuit over it. That’s how much control Apple has over its devices and, by extension, a considerable part of the global economy.

Image: A privacy notice on an iPhone allows the user to decide whether to permit cross-app tracking. (Christoph Dernbach/picture alliance via Getty Images)

The App Store tax is also in line with what other app stores charge, per an independent report that Apple commissioned last year. Apple, the app store pioneer, was the one that set that 30 percent app store commission rate in the first place.

And Apple does allow for ways to get around some of its App Store taxes. People can purchase subscriptions and certain in-app services outside of apps if they have an account with the developer, which means no App Store tax to either raise prices or cut into the developer’s profit margin. Paying on the developer’s website also takes the customer several more steps and more time.

But in the US, Apple’s best defense against accusations that its App Store is an illegal monopoly may be to simply point to existing antitrust laws, or at least how courts interpret them. Apple does have a monopoly on app stores on Apple devices, but there’s nothing necessarily illegal about that. Monopolies are only illegal if they operate in anti-competitive ways, and the bar to proving even that is pretty high. For the last four decades, courts have interpreted the law as protecting competition (and, by extension, the consumers who supposedly benefit from it), not competitors.

“Our law is very, very conservative,” Eleanor M. Fox, a professor of antitrust law and competition policy at New York University, told Recode. “Companies — even monopoly companies — do not have a duty to deal, and they don’t have a duty to deal fairly.”

We’ve seen this precedent at work in the Epic Games v. Apple case. In August 2020, Epic Games, the developer behind the popular game Fortnite, sued Apple over its refusal to allow alternate app stores and payment systems, as well as its anti-steering policy that forbids developers from linking out to alternate ways to pay for app services or even telling users that other payment methods are possible. Apple kicked Fortnite out of its App Store when Epic tried to flout its rules. A federal judge ruled in September that Apple was well within its rights to do so.

The judge noted that the App Store had “procompetitive justifications.” Even though she found that Apple had a large part of the mobile gaming transactions market and that the App Store’s profit margins were “extraordinarily high,” she didn’t think it created a barrier to entry for developers, nor that it was harming innovation. (Epic has appealed this ruling.)

“Success is not illegal,” the judge wrote.

Epic’s only victory was that the judge ordered Apple to allow developers to link out to and inform users about other ways to pay for app services. Apple was able to delay that particular ruling, and according to a court filing, the company may even try to charge commissions on purchases made through the alternate payment systems if it’s forced to let developers link out to them. Even when Apple loses, it tries to find a way to win.

Image: Legal staff representing Epic Games carry documents for trial at the United States District Court in Oakland, California, in May. (Philip Pacheco/Getty Images)

Apple’s attempts to avoid antitrust actions

While Apple insists that it isn’t doing anything wrong, the company appears to be concerned that its control over its devices faces some real threats. Apple historically refuses to give up ground on just about everything, yet it’s already made notable adjustments to some of its more controversial policies that could make some apps or services cheaper, or at least easier for the user to find cheaper ways to pay for them. Some of these changes were mandatory, yes, but others appear to be an effort to ward off harsher regulations or judgments.

For instance, Apple loosened its notoriously tight grip on repairs to its devices, allowing more independent shops and, very recently, individual consumers, to have access to the parts and instructions necessary to make certain fixes. This comes in the midst of a push for “right to repair” laws and pressure from the Biden administration and the Federal Trade Commission. But Apple still requires that its own parts be used for these repairs and sets the prices for them.

The stickiness and required usage of Apple’s native apps has long been a gripe from many iPhone users and a bad look for the company from an antitrust perspective. So this year, Apple started allowing users to select their own default apps for web browsing and mail; previously, Apple’s Safari and Mail apps were the mandatory default. Users have been able to delete most of the Apple apps that come pre-installed on their phones since 2018.

Apple has also given some developers a break on the App Store tax and anti-steering policies, which could reduce prices for consumers. Developers who make less than $1 million a year now only have to pay a 15 percent App Store tax. This came about as part of a settlement of a class action lawsuit, but Apple has presented it as a “Small Business Program” that’s “designed to accelerate innovation” (a phrase that could be read as implying that the 30 percent commission decelerated innovation).

Apple is also going to let developers contact customers outside of the app to let them know about alternate payment methods. As part of an agreement with the Japan Fair Trade Commission, Apple will soon let “reader” apps (that is, apps like Netflix and Spotify that offer media for purchase or subscription) link out to their own websites to make it easier for users to purchase subscriptions outside of Apple’s in-app payment system.

In 2016, Apple also cut its commission to 15 percent for subscription apps after the first year. Of course, this change was revealed at the same time as Apple’s announcement that it would sell search ads in its App Store, giving itself yet another exclusive source of revenue (and giving users a bunch of ads when they search the App Store).

But these concessions do nothing for the source of the vast majority of the App Store’s commissions: games from developers that make more than $1 million a year. And Apple hasn’t wavered on the practices that have drawn the bulk of the accusations that Apple’s practices — including the company not allowing alternate App Stores or sideloading, and not allowing alternate payment systems — are anti-competitive, increase prices for consumers, and reduce their choice. It seems unlikely that Apple will give way any time soon. Unless, of course, it has to.

How does Apple’s walled garden grow — or die?

There are plenty of reasons why Apple might have to change its ways. The company may have won most of the Epic Games lawsuit (pending Epic’s appeal), but it still faces antitrust action on several fronts that will play out over the coming years.

Image: Margrethe Vestager, European commissioner for competition, speaks during an online news conference on the Apple antitrust case at EU headquarters in Brussels, in April. (Francisco Seco/AFP via Getty Images)

A growing number of countries have introduced or proposed laws that specifically target certain App Store practices, or are investigating Apple for potential violations of their competition rules. These include but are not limited to the European Union, the United Kingdom, Germany, the Netherlands, Japan, South Korea, and Australia.

Those could result in fines, which Apple, a $2 trillion company, probably isn’t too worried about. It also wouldn’t be the first time Apple has paid a considerable sum over antitrust violations. Another outcome — one that would be a much more troubling prospect for Apple — would be if the company were forced to change its business practices in order to keep operating in those countries.

But in the United States, courts haven’t seemed too bothered by Apple’s App Store rules. A federal judge recently threw out a class action lawsuit from developers that said Apple was abusing its monopoly power by refusing to allow their apps in the App Store. As the Epic Games ruling indicates, American antitrust laws (and most courts’ interpretation of them) haven’t done much to change or force change on Big Tech companies. If you’re a lawmaker who is concerned about Big Tech’s considerable power, that’s a green light to propose laws that will.

Sen. Amy Klobuchar (D-MN), for example, said the ruling showed that “much more must be done” about the “serious competition concerns” app stores raise. As chair of the Judiciary Committee’s Subcommittee on Antitrust, as well as a member of the Commerce Committee, she’s in a pretty good position to push through bills that do just that.

Klobuchar is a co-sponsor of the Open App Markets Act, a bipartisan, bicameral bill that would do most of what Epic Games wanted. The legislation would force Apple to allow third-party app stores and the sideloading of third-party apps, require that app stores allow alternate payment systems, and forbid anti-steering policies. It would also ban app stores from giving their own apps special treatment or using non-public data from third-party apps to develop their own, competing apps.

The Open App Markets Act isn’t the only bill that could drastically change how Apple runs its App Store. Several more are currently making their way through both houses of Congress as part of its package of antitrust bills that target Big Tech. If passed, they’d also force Apple to include other app stores on its devices and forbid it from giving its own apps special treatment. One bill, the Ending Platform Monopolies Act, would even force Apple to break up its App Store and app development units into separate businesses.

All of these bills are bipartisan, but it’s far from certain that any of them will become law. If they do, and in something close to their current form, they could benefit consumers by giving them more choice of apps on their phone, and it could make those apps cheaper. It may also subject iPhone users to additional safety and security threats, as Apple alleges, while prices stay largely unchanged.

Apple says it supports updates to laws and regulations that benefit consumers, like privacy legislation — which the current bills on the table don’t do much to directly address.

The Department of Justice, which has been investigating Apple since 2019, is reportedly preparing a lawsuit concerning the App Store. It and the FTC enforce America’s antitrust laws. Both agencies are headed up by people who have accused Apple of anti-competitive actions or worked for firms that have. Lina Khan, a Big Tech critic who helped write the House’s report, is now the chair of the FTC, and Jonathan Kanter, who advised Spotify when it lobbied Congress to take action against Apple, leads the DOJ’s antitrust division. Both agencies may get a major, needed funding boost if the Build Back Better Act and a bill that increases merger fees for large companies pass.

With all of this said, Apple, “the warm and fuzzy monopolist,” is probably in a better position with its ongoing antitrust problems than its fellow Big Tech titans are with theirs. It has, so far, faced relatively less criticism in general, and many of the proposed bills and regulations don’t threaten its business model as much as they do that of the other companies. If Apple were forced to allow other app stores on its devices tomorrow, it would still have plenty of very healthy revenue streams.

Those may still include the App Store. It’s not clear that many of Apple’s users would even use or want another app store. The fact that they use an iPhone and not an Android speaks to this. They could prefer or trust the security and privacy protections in the App Store over those of, say, a Facebook app store. Then again, if those other app stores took a lower commission from developers, allowing them to charge less than the Apple App Store does, Apple’s customers may well vote with their wallets, and developers might only offer their apps in stores that give them a better margin. In which case, Apple might just find itself finally having to compete for apps and customers — and maybe even lowering the App Store tax to do it. Apple wouldn’t be thrilled, but it would be just fine.

Update, December 9, 3:50 pm ET: This article has been updated to reflect that Apple won its appeal to delay implementing the court order to allow apps to link out to other payment methods.

Sara Morrison

 

Source: How much control should Apple have over your iPhone and the App Store? – Vox


More Contents:

European Banking Authority (EBA) Microsoft Exchange Servers Hacked


The European Banking Authority (EBA) has confirmed it has fallen victim to the ongoing Microsoft Exchange attacks.

With a total of four highly valuable zero-day exploits, previously unreported vulnerabilities that give cybercriminals a head start in any attack campaign, the attacks against on-premises Microsoft Exchange servers were always going to be a big deal. Those initial attacks, which prompted Microsoft to publish an emergency out-of-band security update, were attributed to a nation state-sponsored group identified as HAFNIUM. The nation in question is China. However, Microsoft has now confirmed that it “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.”

As I reported on March 6, credible sources were suggesting that the attacks against vulnerable Microsoft Exchange servers were thought to have compromised ‘hundreds of thousands’ of servers, more than 30,000 in the U.S. alone.

One of those attacked outside of the U.S. was the European Union’s banking regulator, the European Banking Authority. On March 7, the EBA issued a statement confirming that it had “been the subject of a cyber-attack against its Microsoft Exchange Servers.”

While stating that a full investigation was underway, the EBA went on to add: “As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on that servers may have been obtained by the attacker. The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects. As a precautionary measure, the EBA has decided to take its email systems offline. Further information will be made available in due course.”

Further information was, indeed, made available by way of an update on March 8. “The EBA investigation is still ongoing and we are deploying additional security measures and close monitoring in view of restoring the full functionality of the email servers,” it read. “At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.”

“The exploitation of the 0days in question required some specific conditions and thus raises questions what exactly happened at the EBA,” Ilia Kolochenko, chief architect at ImmuniWeb, said. “Another key question is when exactly the EBA was compromised?” Kolochenko points out that if the intrusion happened after the disclosure but prior to the emergency patch, the vulnerable systems should have been immediately disconnected to prevent exploitation in the wild. “The EBA is likely not the last victim of this hacking campaign,” he warns, “and more public authorities may disclose incidents stemming from exploitation of the same vulnerabilities.”

I have approached the EBA for further comment.

Meanwhile, Mark Bower, a senior vice-president at comforte AG, said that “the capacity for attackers to extract sensitive data from emails, spreadsheets in mailboxes, insecure credentials in messages, as well as attached servers presents an advanced and persistent threat with multiple dimensions.”

It should be reiterated, though, that at this point in the investigation the EBA is saying that “no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.” Bower, like Kolochenko, warns that more incidents will be reported. “Affected entities and their supply chain partners will see a persistent secondary impact as a result over a long period of time,” he said.

I’ll leave the final word to John Hultquist, vice-president of analysis with Mandiant Threat Intelligence. “Though broad exploitation of the Microsoft Exchange vulnerabilities has already begun, many targeted organizations may have more to lose as this capability spreads to the hands of criminal actors who are willing to extort organizations and disrupt systems.

The cyber espionage operators who have had access to this exploit for some time, aren’t likely to be interested in the vast majority of the small and medium organizations. Though they appear to be exploiting organizations in masses, this effort could allow them to select targets of the greatest intelligence value.”

Update March 9

The EBA has now published a third update, which I reprint here in full:

“The European Banking Authority (EBA) has established that the scope of the event caused by the recently widely notified vulnerabilities was limited and that the confidentiality of the EBA systems and data has not been compromised.

Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored.

Since it became aware of the vulnerabilities, the EBA has taken a proactive approach and carried out a thorough assessment to appropriately and effectively detect any network intrusion that could compromise the confidentiality, integrity and availability of its systems and data.

The analysis was carried out by the EBA in close collaboration with the Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies and bodies, the EBA’s ICT providers, a team of forensic experts and other relevant entities.”

I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at davey@happygeek.com if you have a story to reveal or research to share.

Source: European Banking Authority (EBA) Microsoft Exchange Servers Hacked

.

.

More Contents:

Microsoft Email Server Hacked? Cyber Attack Hits 30,000 US Organizations
technostaan.in – March 6
Microsoft Corporation was hit by a cyberattack that affected 30,000 US organizations. Small businesses and the Government were the victims of this attack.
1
MINECRAFT HACK FREE DOWNLOAD UNDETECTED 2021
p2pconnects.us – March 3
[…] to download minecraft client, wurst client, hacking, how to install wurst client, how install mod, server, hacked, wurst client download, how to download wurst client, minecraft griefing, griefing, tutorial […]
0
TwitLonger — When you talk too much for Twitter
http://www.twitlonger.com – February 17
[…] or dignity when being apart of servers including: Putting racial slurs, and pretend-having your server hacked, and a bunch of other annoying mischievous things (see here: https://i […]
0
Pune: NCP accuses PCMC officials, BJP of multi-crore fraud in name of setting Covid care centres | Cities News,
indianexpress.com – February 16
[…] Read |Pune-based private company’s server hacked, duped of Rs 1 […]
4
Quick tutorial CSS tip: How to show source code the easy way – DEV
dev.to – November 24, 2020
[…] I did use this in HTML slidedecks in the past with the result of getting my server hacked […]
N/A
The downfall of firewalls. Leveraging Crowd Power to recreate… | by philippe humeau | Nov, 2020
crowdsecurity.medium.com – November 17, 2020
[…] An IP that was behaving aggressively yesterday was probably used by a server hacked by someone recently […]
N/A
It: Gaiba municipality central server hacked
http://www.databreaches.net – November 11, 2020
The following is a Google translation: The Municipality of Gaiba informs all interested parties (residents and non-residents) that on the night of 6.11.2020 it…
N/A
Trump Campaign Site Hacked – What We Know & Lessons Learned
http://www.wordfence.com – October 28, 2020
[…] IV: Origin server hacked via FTP or SSH – Low Probability This is the least likely scenario since the attackers would nee […]
N/A
U.S. Center for SafeSport server hacked, sensitive documents potentially exposed –
theathletic.com – October 7, 2020
U.S. Center for SafeSport server hacked, sensitive documents potentially exposed
2
UL Foundation server hacked
http://www.katc.com – September 30, 2020
A server containing UL Foundation data has been hacked, officials said in an email sent to members today. The hack, which was of Blackbaud, a data management software vendor, may have compromised “names, addresses and other contact information” of alumni members, the letter states. The email was sent by John Blohm, vice president of university advancement and CEO of the UL Foundation. “Blackbaud has confirmed that your credit card information, bank account information and Social Security numbers were not compromised, since this database does not store such details,” the letter states. “Further, Blackbaud does not believe the information that was possibly exposed in the breach can be used for identity theft or financial fraud.” The email states that “Blackbaud, in conjunction with the FBI and other law enforcement agencies, conducted a full inquiry and found no evidence that the cybercriminals who gained access to the data shared it in any way. Your information was not made public or otherwise disseminated and was not misused.” It does not say when the hack occurred. The email states that “Blackbaud has already implemented several changes to strengthen its data protection and reduce the risk of future incidents.” Anyone affected doesn’t have to do anything, but it’s always a good idea to “remain vigilant,” the email says.
Michigan government server hacked #GSH – Pastebin.com
pastebin.com – August 14, 2020
Michigan government server hacked, over 20+ city/town websites hacked […]
Ghost Squad Hackers take over Michigan government websites
http://www.onyxmodsllc.com – August 13, 2020
[…] “Michigan government server hacked, over 20+ city/town websites hacked […]
Three Idaho State Websites Are Vandalized by Hackers
http://www.govtech.com – July 28, 2020
[…] “Idaho government server hacked with #FreeAssange message,” the tweet said […]
‘Free Julian Assange’: Trio of Idaho state websites taken over by hackers
http://www.eastidahonews.com – July 27, 2020
[…] “Idaho government server hacked with #FreeAssange message,” the tweet said. Idaho government server hacked with #FreeAssange message […]
State of Idaho server hacked by ‘ghost squad’
idahonews.com – July 27, 2020
A group calling itself Hacked by Ghost Squad Hackers has apparently hacked a State of Idaho server. There’s a message on the screen that reads, “Free Julian Assange. Journalism is not a crime.” So far, CBS2 News has confirmed the state’s Parks and Recreation page and the Stem Idaho page have been…
Nepal Telecom Server Hacker arrested by CIB
http://www.nepalitelecom.com – July 17, 2020
[…] How was the Nepal Telecom server hacked? According to CIB, Deuja used untraceable internet technology to illegally access the company’ […]
‘It was as though we were sitting at the table’ – cartel server hacked – Herald.ie
http://www.herald.ie – July 9, 2020
An encrypted communications server that was hacked by European police forces and led to millions of messages between criminals being intercepted was also used by the Kinahan cartel.
Alexandre BLANC Cyber Security posted on LinkedIn
http://www.linkedin.com – June 3, 2020
[…] in/eWq6jZe “THE VOLLGAR CAMPAIGN: MS-SQL SERVERS UNDER ATTACK” Is your server hacked? Check this out, another years old attacks, active since May 2018, uncovered only recently […]
Cisco server hacked by exploiting SaltStack Vulnerabilities.
vednam.com – May 31, 2020
Cisco Server Hacked is mainly exploited by the two vulnerabilities and that was mainly fixed. The point of how this fall happens on cisco devices. Read…
6 tips on how to secure your email server
hostio.solutions – May 30, 2020
[…] Therefore, having your email server hacked has a lot of risks, each having a different impact: When spam lands in your subscribers’ inboxes it […]
Mitigating and securing hacked WordPress sites | Alkanyx Software Marketplace
alkanyx.com – April 13, 2020
[…] The reason I’m writing this article is because a couple weeks ago, I got a staging server hacked, that was hosting some old, un-updated wordpress installations […]
AMD’s Big Navi and Xbox Series X GPU ‘Arden’ Source Code Stolen and Leaked
http://www.tomshardware.com – March 26, 2020
[…] ” The hacker claims she found the unencrypted information in a computer/server hacked via exploits […]
Charlatans, Conspiracists And The Trump Boys Seize On Iowa Debacle
talkingpointsmemo.com – February 4, 2020
[…] A Short History Of @DNC: – Openly rigged elections/delegates against Bernie in ‘16 – Server hacked, *proving* that DNC rigged elections against Bernie – Paid for foreign interference in 2016 wit […]
Rolandsmartin: “1.17 TSU names acting prez; GA election server hacked; Poll: Blacks say #45 is racist; Women’s March”
http://www.pscp.tv – January 18, 2020
1.17 TSU names acting prez; GA election server hacked; Poll: Blacks say #45 is racist; Women’s March…
It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in the wild • The Register
http://www.theregister.co.uk – January 18, 2020
[…] ” Georgia election server hacked in 2014 A new revelation has emerged in the battle over paperless voting systems in the US state of […]
It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in the wild • The Register
http://www.theregister.com – January 18, 2020
[…] ” Georgia election server hacked in 2014 A new revelation has emerged in the battle over paperless voting systems in the US state of […]
Special Olympics Hacked for Phishing Emails | | IT Security News
http://www.itsecuritynews.info – December 31, 2019
Special Olympics of New York, a nonprofit organization that provides sports training and competition to more than 67,000 children and adults with intellectual disabilities, had its email server hacked and later used to launch a phishing campaign against previous donors. The malicious email was camouflaged as an alert of an impending transaction that purported to […]
Special Olympics New York Hacked to Send Phishing Emails
http://www.bleepingcomputer.com – December 31, 2019
[…] organization focused on competitive athletes with intellectual disabilities, had its email server hacked around this year’s Christmas holiday and later used to launch a phishing campaign against previou […]
Hunter Biden Counterfeiting Involved Burisma, Crowdstrike, Filing Claims
pjmedia.com – December 30, 2019
[…] by mainstream media outlets as a conspiracy theory — that when CrowdStrike investigated the DNC server hacked in 2016, the company took them to Ukraine to hide them […]
Hunter Biden Accused of $156M Counterfeiting Scheme With Burisma, CrowdStrike, Legal Filing Claims
pjmedia.com – December 30, 2019
[…] by mainstream media outlets as a conspiracy theory — that when CrowdStrike investigated the DNC server hacked in 2016, the company took them to Ukraine to hide them […]
Internet Gov Weekly Brief (W1Y20): UN to draft treaty on cybercrime; California’s new data privacy law; Brazil fines Facebook; Microsoft takes down 50 domains; 18 central banks on digital currencies; ECB announces EUROchain | Internet Governance News
internetgov.news – December 27, 2019
[…] organization focused on competitive athletes with intellectual disabilities, had its email server hacked around this year’s Christmas holiday and later used to launch a phishing campaign against previou […]
Remember when MSM tried to claim that Trump being spied on was a “conspiracy theory” – Investment Watch
http://www.investmentwatchblog.com – December 21, 2019
[…] Paid $972,000 To Law Firm That Secretly Paid Fusion GPS In 2016 FBI docs: Study found Clinton email server hacked IG report – www […]
Virus Bulletin :: Newsletter
http://www.virusbulletin.com – December 19, 2019
[…] 2019: Stalkerware, VB2019 programme, Ryuk and LockerGoga, Emotet and Trickbot, Ocean Lotus, spam server, hacked home routers, etc […]
How to Manually Delete a WordPress Plugin Using FTP
seo-gold.com – December 8, 2019
[…] and someone manages to acquire your Filezilla XML file they have all your login details! I had a server hacked a while ago and reasonably confident they got the login details (they logged directly into site […]

 

Entrepreneurs Beware: Remote Work Can be Fertile Ground for Cybercriminals

When the coronavirus wave took over the world and governments imposed lockdown and stay-at-home rules, entrepreneurs wondered how they were going to keep afloat. Everyone was trying to make sense of what was happening. Big tech companies took the lead when they permitted some of their employees to work remotely. Other businesses had no choice but to test this model of working. It was not a matter of choice. It was a necessity. The mantra was to save lives and businesses.

Somewhere in the shadows, I bet hackers were smiling. Christmas had come early for them. And we were only in the first quarter of the year. From my experience, I knew that the “cyber-crime business” was going to score big. Businesses were opening themselves to potential attacks. They still are.

Across the Atlantic, for example, more than half of the American workforce is working from home. This presents a huge opportunity for hackers to hit the jackpot. A recent IBM survey shows that the odds are stacked in favor of cyber-criminals. Eighty-three percent of employees pushed to work-from-home were not provided with a remote work model before the pandemic. More than 50 percent of the respondents said they were not updated on new security policies on how to securely work remotely. More than half are using their own devices and 61 percent pointed out that they have not been equipped with proper tools to secure those devices. 

Weak links in the chain.

As an entrepreneur, I know that my fight is not just to keep my business going but also to keep it secure. Any organization is only as strong as its weakest link, which could be its remote workers.

On July 11, Cashaa, a U.K.-based crypto-friendly bank, lost 336 bitcoins (BTC) worth $3.1 million at the time in a hack. Cashaa founder and CEO Kumar Gaurav told Cointelegraph that hackers exploited the personal computer of an employee. Criminals gained access to the company’s funds through an employee who used a private device. One can argue that this was an inside job. But it could have been prevented had the employee used the designated company computer. Hackers used several techniques such as phishing and viruses in the breach, according to Gaurav.

Social media giant Twitter was embarrassed by a coordinated social engineering attack in which hackers colluded with employees to gain internal controls. The perpetrators hijacked high-profile accounts and used them to engage in a bitcoin scam that netted $120,000 in bitcoins. Employees may have handed over information that enabled hackers to breach security protocols. This hack shows how internal employees can be a threat to a company. Remote workers have a higher risk of giving away the company’s security information, whether voluntarily or otherwise.

Another similar kind of attack involves the impersonation of tools and brands used for online work. Cybercriminals have been targeting Google-branded tools and domains to engineer attacks. Domains such as drive.google.com were targeted by criminals to try and trick remote workers into sharing login credentials. Sites such as onedrive.live.com were also used by criminals in attacking remote workers.

Face-to-face meetings are gone, or at least, kept to a minimum. Digital tools are used for communication, holding meetings, and tracking productivity. They are at the center of remote working. However, they also pose a security threat that criminals can exploit. The cybersecurity firm Trend Micro uncovered a campaign where cybercriminals tricked users into installing RevCode WebMonitor RAT, a software program that remotely controls computers.

Users downloaded Zoom software infected with the malicious code. Users unknowingly installed both Zoom and the remote access tool. The attackers got a back door to monitor all the activities of their victims. For companies, this means that hackers can easily have access to your passwords and sensitive information.

Entrepreneurs need to prioritize security.

There is a need for entrepreneurs and businesses of all sizes to take security seriously. It all starts with companies taking the initiative of teaching their employees to observe security protocols put in place. We all know that prevention is better than a cure.

Businesses should have cybersecurity experts to teach employees how to safeguard company data. The security teams can also check regularly to verify that company data and systems have not been compromised. With a lot of incoming and outgoing emails, remote workers need to avoid phishing emails. Another issue to take note of is the management of incoming and outgoing employees.

When an employee leaves your company, change their login details so that they don’t have access to your systems. They might give the login credentials to nefarious people who will harm your business. Or the former employees may hurt your company by stealing your information. The security of your business matters. Know the risks and take the necessary steps to mitigate them.

By: Michael Jurgen Garbade / Entrepreneur Leadership Network VIP


Kroll, a Division of Duff & Phelps

This 30-min webinar covers:
• The most common and overlooked cyber risks associated with working remotely
• Key steps to protect your organization and raise employees’ cyber awareness
• Legal ramifications associated with working from home cyber risk
• Insurance – am I covered?
• How to plan for the return to the office environment

For more tips, visit: https://www.kroll.com/en/insights/pub…
For more information about our Cyber Risk Services, visit: https://www.kroll.com/en/services/cyb…

Windows 10 Users Beware New Hacker Attack Confirmed By Google, Microsoft

As Microsoft confirms a Google-disclosed and unpatched zero-day vulnerability is being targeted by attackers right now, here’s what you need to know.

Microsoft has confirmed that an unpatched ‘zero-day’ vulnerability in the Windows operating system, affecting every version from Windows 7 through to Windows 10, is being actively targeted. Microsoft was first informed of the vulnerability by Google’s Project Zero team, a dedicated unit comprised of leading vulnerability hunters, which tracks down these so-called zero-day security bugs.

Because Project Zero had identified that the security problem was being actively exploited in the wild by attackers, it gave Microsoft a deadline of just seven days to fix it before disclosure. Microsoft failed to issue a security patch within that hugely restrictive timeframe, and Google went ahead and published details of the zero-day vulnerability, which is tracked as CVE-2020-17087.

The bug itself sits within the Windows Kernel Cryptography Driver, known as cng.sys, and could allow an attacker to escalate the privileges they have when accessing a Windows machine. The full technical detail can be found within the Google Project Zero disclosure, but slightly more simply put, it’s a memory buffer-overflow problem that could give an attacker admin-level control of the targeted Windows computer.

While attackers are known to be actively targeting Windows systems right now, that doesn’t mean your system is going down. Firstly, I should point out that, according to a confirmation from Shane Huntley, director of Google’s Threat Analysis Group, the attackers spotted exploiting the vulnerability are not targeting any U.S. election-related systems at this point. That’s good news, and there’s more.

While Microsoft has confirmed that the reported attack is real, it also suggests that it is limited in scope, being targeted in nature. This is not, at least as of yet, a widespread broad-sweep exploit. Microsoft says that it has no evidence to indicate widespread exploits.


Then there’s the attack itself, which requires two vulnerabilities to be chained together for a successful exploit to happen. One of them has already been patched. That was a browser-based vulnerability, CVE-2020-15999, in Chrome browsers, including Microsoft Edge. As long as your browser is up to date, you are protected. Microsoft Edge was updated on October 22 while Google Chrome was updated on October 20.

There are no known other attack chains for the Windows vulnerability at this point. Which doesn’t mean your machine is 100% safe, as an attacker with access to an already compromised system could still exploit it. However, it does mean there’s no need to hit the panic button, truth be told. Microsoft has also confirmed that the vulnerability cannot be exploited to affect cryptographic functionality.

I reached out to Microsoft, and a spokesperson told me that “Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers.”

As for that seven-day disclosure deadline from the Google Project Zero team, the Microsoft spokesperson said that “while we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”

Although Microsoft has not commented on the likely timing of a security patch to prevent exploitation of this Windows vulnerability, the Project Zero technical lead, Ben Hawkes, has tweeted that it is expected as part of the Patch Tuesday updates on November 10.

How big a threat is this to your average Windows user? That remains to be seen, but currently I’d classify it as a be aware but don’t panic situation. Hang-fire, ensure your web browsers are bang up to date, and you should be fine. There are far more significant risks to your data than this zero-day attack, in my never humble opinion. Risks such as phishing in all forms, password reuse, lack of two-factor authentication and software that isn’t kept up to date with security patches.


Davey Winder


I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at davey@happygeek.com if you have a story to reveal or research to share.



A Business Leader’s Beginner Guide to Cybersecurity

According to Statista, there are about 4.57 billion active internet users globally as of July 2020. This number is great for businesses, especially those that are powered by the digital economy.

As businesses continue to embrace the tech age as well as the opportunities that come with it, the presence of cybercriminals is increasing, too. The activities of these criminals cannot be ignored, as they are capable of crashing any business. Business leaders who wish to remain in business must pay better attention to cybersecurity.


Whilst there is no definitive solution to what is seen as the biggest threat to modern businesses, cybercrime, business owners like you can take advantage of available cybersecurity solutions and knowledge to protect your business and its digital assets. Below are three things to help you get started:

1. Get everyone involved

The days when cybersecurity was seen as just the job for the IT team are over. Business leaders all over the world are realizing this and you need to do the same.

In a Harvard Business Review article, cybersecurity experts Thomas J. Parenty and Jack J. Domet insist that no amount of technology, resources, or policies will reverse the trend that has seen cybercrimes rise. “Only sound governance, originating with the board, can turn the tide. Protection against cyberattacks can’t be treated as a problem solely belonging to an IT or cybersecurity department. It needs to cast a wide and impenetrable net that covers everything an organization does–from its business operations, models, and strategies to its products and intellectual property.”


A cyberattack can occur when an innocent employee clicks a malicious link from a device belonging to the business. The drill has to reach even the most junior person associated with the business. There is a real threat out there; your business and its assets are at stake. Everyone in your business needs to understand this as much as you do.

2. Develop a policy on cybersecurity

Preaching about the importance of cybersecurity alone may not get the job done; a policy that spells out your business’ protocols with regard to cybersecurity is necessary. A cybersecurity policy sets the standards of behavior for activities such as the encryption of email attachments and restrictions on the use of social media.

Non-IT employees are usually the weakest links in cybersecurity efforts. These employees typically share passwords, click on links, and download attachments, with little knowledge about encrypting data. All of these open the door to cyberattacks and can compromise the security of your business.

Setting up a policy on cybersecurity would help your employees and third parties with access to your digital assets understand how to keep your data secured and safe from the prying eyes of cybercriminals. You must take responsibility for creating a culture that prioritizes security; this would enhance the credibility of your business.


According to the FCC, adhering to the following tips would help to ensure the security of your business and its digital assets:

  1. Protect information, computers, and networks from cyber attacks
  2. Create a mobile device action plan
  3. Make backup copies of essential business data and information
  4. Control physical access to your computers and create user accounts for each employee
  5. Secure your Wi-Fi networks
  6. Employ best practices on payment cards
  7. Limit employee access to data and information, limit authority to install software
  8. Passwords and authentication

Setting up a policy on cybersecurity for your business might seem like another tedious task or process to execute, but the benefits outweigh the cost: do it now!

3. Get a trusted Virtual Private Network (VPN)

The risks of going online are enormous. The reality is this: if you are not online then cybercriminals stand no chance with you. A Virtual Private Network (VPN) is a tool that allows you to interact with the internet anonymously, thereby drastically reducing your exposure to cybercrimes.

Leading VPN providers like ExpressVPN, NordVPN, and Switcherry offer unlimited speed, unlimited bandwidth, and free servers in the US, helping individuals and businesses tackle the prevalent cyber threats and keep their digital assets free from prying eyes by providing a connection that is secure from all types of tracking.

Cybersecurity is necessary for the survival of your business in the world of today. Get started on your journey to cybersecurity with the vital tips shared in this post.

By: James Jorner / Entrepreneur Leadership Network Contributor

Table of Contents:
  • Why cyber Security (0:00)
  • Cyber Security Terminology (6:33)
  • Demystifying Computers (19:40)
  • Demystifying Internet (40:00)
  • Passwords and Hash Function (01:15:40)
  • Common Password Threat (01:30:30)
  • Creating strong password
  • How email works (02:14:22)
  • Email Security
  • Types of Malware (02:40:00)
  • Functions of Malware
  • Sources of Malware
  • Layers of defense against malware
  • How web browsing works
  • Safely navigating the web
  • Online Shopping
  • Wireless Network basics
  • Wireless internet security threats
  • Public wireless network
  • Administering wireless network
  • Social media and privacy
  • Reading URLs
