Return Fraud Becomes a $100 Billion Problem

 We might love those easy one click and no questioned asked return policies, but with that ease of use comes some major drawbacks for retailers. U.S. retailers are grappling with a steep rise in return fraud — those coming from customers who have chosen to stretch the limits on return windows, wear or use an item and send it back, or sometimes just return a different item entirely! The value of fraudulent returns reached a new high of $103 billion in 2024, according to research compiled by Appriss Retail and Deloitte Business Consulting. 

In 2024, the total value of returned goods in the US was estimated at a total of $685bn. According to a recent article by Business Insider and estimated 15% or over $103 billion was paid back in the form of fraudulent returns. This staggering figure represents a serious challenge for the retail industry. This trend is fueled by a combination of factors, including the explosion of e-commerce, the increasing sophistication of fraudsters (both individuals and organized retail crime groups), and the ongoing challenges retailers face in balancing customer convenience with robust fraud prevention measures.

When it comes to trying to pull a fast one on Amazon or Wal-Mart many dismiss the overall negative impacts. All of which are eventually felts directly by other consumers.. 𝐉𝐮𝐬𝐭 𝐭𝐨 𝐫𝐞𝐜𝐞𝐢𝐯𝐞 & 𝐩𝐫𝐨𝐜𝐞𝐬𝐬 𝐚 𝐫𝐞𝐭𝐮𝐫𝐧 𝐢𝐬 𝐞𝐱𝐩𝐞𝐧𝐬𝐢𝐯𝐞 (𝐰𝐢𝐭𝐡𝐨𝐮𝐭 𝐫𝐞𝐯𝐞𝐧𝐮𝐞 𝐨𝐟𝐟𝐬𝐞𝐭). Sellers have to bear the costs associated with:

• Customer Service
• Packaging
• Logistics
• Processing

𝐓𝐡𝐨𝐬𝐞 𝐜𝐨𝐬𝐭𝐬 can 𝐭𝐲𝐩𝐢𝐜𝐚𝐥𝐥𝐲 𝐚𝐝𝐝 𝐮𝐩 𝐭𝐨 $𝟐𝟎-$𝟔𝟎 𝐩𝐞𝐫 𝐢𝐭𝐞m𝐦:

• 15% of returns are fraudulent (write off).
• A portion of returns are lost in transit.
• Returned items sell for cents in the dollar.
• Seller fees are incurred (for a second time).

Many categories often see return rates of 10-30%, with  buyers’ remorse (no fault of the seller). It doesn’t matter how efficiently you reprocess and remarket returns, there is a major sustainability issue here - stemming from returns policies themselves. Many retailers are drawing back on their very lenient polices and updating their return policies, with a trend towards shorter return windows and stricter rules, particularly when it comes to select item categories. In may cases theyare placig strict controls over their once favoravble 'no recipet' returns and even limited the numbers of returns a single customer can make in a given time frame!

Google Begins Using AI to Scan Websites In Real-time For Scams

 Google is now utilizing a new version of the company's Gemini AI model to check websites in real-time for scams and potential hazards. The new on-device model, called Gemini Nano, runs directly from within Chrome on your desktop to protects users’ privacy and data by scanning web pages and on-site ads for 'scammy' language and code to warn users of potentially unsafe sites.

As with Chrome’s existing safe browsing mode, if a user attempts to access a potentially unsafe site, they’ll see a warning before being given the option to continue to the page. Dubbed Enhanced Protection mode,  Google says the new tool offers the highest level of protection, to keep users twice as safe from phishing and other scams versus their Standard Protection mode. The on-device approach provides instant insight on risky websites and allows Chrome to offer protection, even against scams that haven't been seen before. 

In their update Google states that Gemini Nano's LLM is perfect for this use because of its ability to distill the varied, complex nature of websites, helping then to adapt to new scam tactics more quickly. Although Google has long used machine learning to protect its services, newer AI advancements have led to improved language understanding and pattern recognition, enabling the tech to identify scams faster and more effectively.

Alongside the updates to the desktop version of Chrome is also launching new AI-powered warnings for Chrome on Android meant to help users in fighting scams, spam and unwanted notifications. When Chrome’s on-device machine learning model flags a notification, you’ll receive a warning with the option to either unsubscribe or view the content that was blocked. And if you decide the warning was shown incorrectly, you can choose to allow future notifications from that website.

For more details read Google's update here.

FBI Issues New Warning Over Rise In AI Generated Scams

 The FBI Warns: AI is the New Weapon in a Scammer's Arsenal

We've all heard the warnings about online scams, but the game is changing. According to the newest warnings issued by the FBI criminals are now using cutting-edge generative AI to supercharge their efforts, making their schemes even more convincing and harder to spot.

The FBI has issued a public warning about this growing threat, highlighting how AI is being used to create incredibly realistic but completely fake content. Think:

• AI-Generated Text: Forget clunky emails full of typos. Scammers are using AI to write perfect messages, crafting believable stories for romance scams, investment fraud, and phishing attacks. They can even use AI to create fake social media profiles and websites that look totally legitimate.
• AI-Generated Images: Need a profile picture for that fake dating profile? No problem! AI can generate realistic images of people who don't even exist. It can also be used to create fake IDs and even manipulate images to use in sextortion schemes.
• AI-Generated Audio and Video: Imagine getting a call from a loved one in distress, begging for money. Except, it's not actually them. AI can clone voices and create realistic videos, making it incredibly difficult to tell what's real and what's not.

So, how can you protect yourself in this new era of AI-powered scams?

• Be extra vigilant: Don't trust anything at face value. Double-check everything, especially if it involves sending money or sharing personal information.
• Look for imperfections: AI-generated content can be incredibly realistic, but it's not perfect. Look for subtle clues like distorted features in images or unnatural pauses in audio.
• Establish a "secret word" with loved ones: This will help you verify their identity if they contact you in a crisis.
• Limit your online footprint: The less information you share online, the harder it is for scammers to use AI to create convincing fakes.
• If in doubt, verify: Hang up the phone and call back using a verified number. Don't click on links from unknown sources.

The bottom line is: stay informed, stay alert, and don't be afraid to question anything that seems suspicious. And if you do fall victim to a scam, report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov.

Google's AI-powered Theft Detection For Android Phones Is Here

Back in May 2024, Google teased a new Theft Detection Lock tool for Android phones, that promised to keep your device and data safe in the event some swipes your phone and takes off with all your personal info in tow! Starting this month, these advanced theft protection features will be available to users around the world through Android 15 and a Google Play Services update available to Android 10+ devices

These new theft detection tools use the devices on board sensors coupled with powerful AI to proactively protect you and your phone at the moment of a theft attempt. By using your phone's gyroscope and accelerometer and on-device machine learning, Theft Detection Lock is able to analyze various device signals to detect potential theft attempts. If the algorithm detects a potential theft attempt on your unlocked device, it locks your screen to keep thieves out. 

The anti-theft detection tool is one of several security additions Google announced earlier this year to protect your data "before, during and after a theft," including: 

• Making it more difficult to factory reset a phone and set it up under a new account 
• Private spaces to hide sensitive apps 
• The ability to mark your phone as lost on Find My Device for easier tracking 
• Automatic lock for excessive failed authentication 
• The ability to lock your phone if it's offline 
• Remote lock, which lets you lock your phone's screen using just your number and a quick security challenge

One new featured added to Remote Lock many will find useful is the ability to quickly lock and secure your phone even if you can’t remember your Google account credentials in the moment of theft. Now you can use any device to visit Android.com/lock and lock your phone with just a verified phone number. Remote Lock then secures your device while you regain access through Android’s Find My Device – which lets you secure, locate or remotely wipe your device. As a security best practice, we always recommend backing up your device on a continuous basis, so remotely wiping your device is not an issue.

Turn on Theft Detection Lock right now

To enable theft protection features, you’ll have to perform the following steps: 

1. Set a password for your screen. It’s the only way to lock the phone if it gets stolen. 
2. Then Go to Settings 
3. Tap Google 
4. Tap All Services 
5.  Select Theft Protection 
6. Turn on Theft Detection Lock once it’s available on your device 

  ** Note on my Samsung phone it is under Security and Privacy > More Security Settings > Theft Protection

Review: EZVIZ C6CN and C1C Home Security Cameras

In our uncertain times security may be more important than ever! More and more of us are turning to online ordering and deliveries while we are stuck at home. And with the kids being out of school it is important to keep track of the whole family both while we are away or while we are stuck in our home offices. This past few weeks we've had the chance to test out two offerings from EZVIZ. The fully featured EZVIZ C6CN and the smaller more basic (yet just as capable) EZVIZ C1C.

EZVIZ C6CN Features and Benefits

The EZVIZ C6CN boast industry leading video clarity and complete 360° panoramic coverage of the area around your camera. Auto Motion Tracking & Notifications and automatic Day to Night mode switching mean that you should never miss a beat. There is even an option for simple one-touch Panoramic Photo Navigation for taking a full 360° photo around the camera.

EZVIZ C6CN Specifications

• Video Resolution: 1080p with 8x digital zoom
• Field of View: 340° horizontal, 120° vertical
• Night Vision: 2 infrared LEDs
• Network Connectivity: 802.11bgn (2.4 Ghz only) and Ethernet
• Smart Home Connectivity: Google home hub, Amazon Alexa
• Audio: Full-duplex, two-way live audio
• Local Storage: MicroSD card up to 256GB (not included)
• Security: 64/128-bit WEP, WPA/WPA2, WPA-PSK/WPA2-PSK
• Mobile Devices Supported: Android 5.0 or higher, iOS 9.0 or higher
• Dimensions: 3.45" x 3.45" x 4.43"
• Weight 9.1 oz

EZVIZ C1C Features and Benefits

Looking for some basic functionality at a lower cost? The EZVIZ C1C is such a camera. It delivers most of the same features as its bigger brother but in a smaller more concealable package. For about $20 you'll get standard customizable motion detection, Full 1080p HD video, night vision and two-way audio. Mounting is made easy with a magnet built-in base so it can be easily mounted to almost any metallic surface, a metal plate is also included. The C1C offers many of the same features as the EZVIZ C6CN. The C1C will automatically switch to night vision mode when the lights dim. You also get the same Smart motion detection zones and notifications draw specific zones within your cameras field of view where you would like to detect activity, when activity is detected, you will receive a notification in real-time.

The C1C’s 130-degree wide-angle lens provides excellent video quality. The image is sharp with little distortion even in night vision mode. Colors are accurate and vibrant. I found myself fairly happy with the default image settings. However, should you need to you can lower or boost the color saturation using a couple of presets in the settings menu. There’s also a backlight mode that, when activated, lets you tap overexposed parts of the image to see more details.

EZVIZ C1C Specifications

• Video Resolution: Full HD 1080p with 40 ft. super night vision
• Field of View: 106° horizontal, 130° vertical
• Audio: Full-duplex, two-way live audio
• Local Storage: MicroSD card up to 256GB (not included)
• Security: 64/128-bit WEP, WPA/WPA2, WPA-PSK/WPA2-PSK
• Mobile Devices Supported: Android 5.0 or higher, iOS 9.0 or higher
• Dimensions: 2.4" x 2.28" x 4.04"
Weight: 3.4 oz

EZVIZ App Setup with the C6CN & C1C

Setup of the EZVIZ app is pretty straightforward. You simply unpack your camera, use your phone to scan the QR code and pair your two devices. From there things are pretty self explanatory. One great feature is the ability to see and control multiple cameras right on your device. For those wanting several zones of coverage you can use the advanced control setup with the EZVIZ PC studio (available for windows PC only). The app will unlock advanced configurations of your network and video settings as well as increasing the number of cameras able to view simultaneously from 4 to 25.

Conclusion: Two good entry level cameras!

In my testing the EZVIZ C1C proved that you didn't need to spend a mint to get a full featured camera that, for most home users, provides everything you need to effectively monitor your home while you’re away. While it was a very capable camera. For those of us that like to track ever little detail having the pan and tilt option included in the EZVIZ C6CN is going to be a must and is definitely worth the extra cost. Fortunately the EZVIZ app allows you to run multiple cameras from one device so I strongly suggest buying them as a tandem.

If I were looking for faults I could say I found a couple. Firstly I would have liked to have had an option to use either camera as a webcam, especially in these days of telecommuting. The C1C would have been ideal to place on my desk or a shelf in order to communicate with my team. For the C6CN I wasn't overly impressed with the video tracking. This could easily have been due to my use rather than a fault with the camera.

Both cameras offers a trio of storage options: You can record event-detected video locally to a microSD card, use EZVIZ's network storage or store your video offsite with an EZVIZ CloudPlay subscription. The cameras come with a free one-month trial of 7-day storage. EZVIZ CloudPlay starts at 7-day playback: $5.99/month/camera or $59.99/year/camera. 30-day playback: $10.99/month/camera or $109.99/year/camera.

Samsung Invites You to Try to Hack Their Devices

In the world of technology security is king! So much so that most of the major tech giants have already launched security programs aimed at rewarding would be hackers if they share their exploits with the company before they become a major issue. Today Samsung has become the latest player in the game with the launch of their very own rewards program.

In an attempt at making sure sure that its smartphones, such as the Galaxy S8, S8 Plus and the Galaxy Note 8, are safe to use by the public, Samsung has officially the Samsung Mobile Security Rewards Program. The program invites members of the security community to assess the integrity of Samsung’s mobile devices and associated software to identify potential vulnerabilities in those products.

“As a leading provider of mobile devices and experiences, Samsung recognizes the importance of protecting users’ data and information, and prioritizes security in the development of each of its products and services,” said Injong Rhee Executive Vice President and Head of R&D, Software and Services of the Mobile Communications Business at Samsung Electronics. “As part of our commitment to security, Samsung is proud to work in close partnership with the security research community to ensure that all of our products are monitored closely and continually for any potential vulnerabilities.”

The program will cover all of Samsung’s mobile devices currently receiving monthly and quarterly security updates, currently a total of 38 devices. In addition, the program will reward submissions for potential vulnerabilities in the latest Samsung Mobile Services, including Bixby, Samsung Account, Samsung Pay and Samsung Pass, among others. Dependent upon the severity of a given submission, as well as the researcher’s ability to provide proof of concept, Samsung will issue rewards of up to $200,000.

The Mobile Security Rewards Program is effective immediately. For additional information, including terms and conditions visit the Samsung Mobile Security page.

Internet Connected Toys May Be The Newest Threat to Your Children

According to a public service announcement released by the FBI this week your child's internet connected toys may be a major threat to not only their privacy but their safety!

In the PSA the FBI warns that "toys with microphones could record and collect conversations within earshot of the device. Information such as the child's name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment." In addition to personal information that may be obtained the FBI warns that more specific details, such as GPS locations, visual identifiers and information used by other family member when creating user accounts could readily be obtained!

The collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety. Personal information (e.g., name, date of birth, pictures, address) is typically provided when creating user accounts. In addition, companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs. The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks. 

As with all internet connected devices, (including your smart phone, smart TV, home assistant ect) data collected from interactions with your devices is typically collected, sent and stored by the manufacturer or developer via server or cloud service. In some cases, it is also collected by third-party companies who manage the voice recognition software used in the toys or connected devices. Voice recordings, toy Web application (parent app) passwords, home addresses, Wi-Fi information, or sensitive personal data could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored.

Smart toys generally connect to the Internet either:

• Directly, through Wi-Fi to an Internet-connected wireless access point; or
• Indirectly, via Bluetooth to an Android or iOS device that is connected to the Internet.

The FBI warns that cyber security measures used in the toy, the toy’s partner applications, and the Wi-Fi network on which the toy connects directly impacts the overall user security. Communications connections where data is encrypted between the toy, Wi-Fi access points, and Internet servers that store data or interact with the toy are crucial to mitigate the risk of hackers exploiting the toy or possibly eavesdropping on conversations/audio messages. Bluetooth-connected toys that do not have authentication requirements (such as PINs or passwords) when pairing with the mobile devices could pose a risk for unauthorized access to the toy and allow communications with a child user. It could also be possible for unauthorized users to remotely gain access to the toy if the security measures used for these connections are insufficient or the device is compromised.

Parents are being urged to examine user agreements and privacy policies (we know too well that some of us click through blindly and agree to those terms) and investigate whether data is shared with third parties and how it's handled in the cloud. Toys should also only be connected to the internet over secure Wi-Fi networks and not connected blindly to open networks, or in some cases trusted networks with highly clone-able names (ie Xfinitywifi).  Additionally, the FBI suggests that you report cases whereas you migght suspect your child’s toy may have been compromised by filing a complaint with the Internet Crime Complaint Center, at www.IC3.gov.

Review: GateKeeper Wireless USB Smart Key and Intelligent Computer Lock

When it comes to security one of the most overlooked areas I typically see is one of the most basic fundamentals, utilizing your built in lock-screen to keep prying eyes out of your device. This seems to be true whether we are talking smartphones, tablets or PCs. For most of us I think it is a matter of inconvenience, or for me the forgetfulness of simply not remembering to lock my screen (my timeout time is a bit long as well).

Luckily for me the folks over at GateKeeper have come up with a new option that I've been fortunate enough to test out for you guys! GateKeeper has developed a wireless intelligent key that automatically logs you in and out based on your proximity to your computer or workstation. No longer do you have worry about timeouts or remembering to lock your computer. You simply carry your wireless Keyfob around (on your badge, in your pocket whatever) and walk away. Once you are no longer within your pre-defined range GateKeeper will automatically lock your PC for you.

The GateKeeper Key and USB Lock communicate using Bluetooth 4.0 wireless technology to authenticate you when you are in proximity to computer. It has an effective range of 30 feet and can be controlled to limit the range from anywhere between 3 and 30 feet. The GateKeeper key is 50mm x 25mm x 6mm; 10gm or roughly the size of a Tile Bluetooth Tracker (as seen below) while the USB dongle is a standard micro size used by other wireless devices.

GateKeeper next to the Tile, XY3 and TrackR Bravo

Your credentials are encrypted with military-grade AES256 encryption and stored on the computer. No private information is stored on the Keyfob and credentials are never transmitted over the air – so nothing private can be sniffed or obtained from taking a Keyfob. Once the GateKeeper software and USB transmitter are installed the computer will automatically lock if they are removed.Giving you just one more level of security.

Setup within the software is pretty straightforward. You have options for setting up you lock or login to your computer, range of proximity, a signal strength indicator and a few options for notifications. Personally I prefer and recommend using the touch to login option as this allows you to keep your device locked when you are nearby and aren't ready to use it. Otherwise once you are back on range your computer automatically unlocks (as it should).

Aside from the software for your PC is software for your phone that allows you to use your phone as a tracker and locator for your Gk Keyfob. The software (Android) or our phone did not want to pair with our device so we didn't get to fully test it. The app will connect to the GK Keyfob and a meter will indicate how far it is from the smartphone. As you walk around, the app will indicate whether you have moved closer or further away from the GK Keyfob. Using the "LOCATE" feature will also cause the GK Keyfob to buzz making it easier for you to find your lost valuables.

A Geek's Opinion About The GateKeeper

I am notorious for leaving myself logged on while I'm doing other things around the office or while I'm out working in the field. Luckily, the worst thing that I've had done to me was a little Facebook prankery. Having said that, within the first day of using it I learned that this little device is a must have for me, in fact I think they should be must have's for most (out of)office environments! It literally is a set and forget device, and unlike my timeout for my Windows lock screen I don't have to worry about someone jumping on my laptop before the timeout takes affect.

A second major plus is the addition of a remote lock button that allows me to lock my computer instantly from across the room. This can come in handy if you are browsing some more sensitive material or have something on the screen that might need to be quickly hidden away even though you are in close proximity.

In terms of effective range and connectivity we had no issues at all. We tested it at the shortest (3ft), and furthest (30ft) ranges and never once had false locks or issues with our GateKeeper not locking. Personally I'd set it for somewhere in the mid-range as I did have it lock my screen a few times when I thought I was still in range. As mentioned I also prefer using the touch to login option as there was no option to keep my laptop locked when I was in range and this was the only way to do so.

 I wish I could have tested the phone app out, but that might be an issue with my phone rather than the app for the GK. If I do it to work I'll be sure to post and update.

The complete GateKeeper System starts at $60 on Amazon, or you can get a 2 pack for $90 directly from GK. If you try them out let us know what you think!

Cybersecurity and Antivirus Software Vendor Kaspersky Launches An OS, Because Why Not

When it comes to operating systems most people will only be able to give you a couple names. Typically those would be would Microsoft, Apple/macOS/iOS, Android and Linux (semantics aside here). Most people would likely be surprised that there are several well know players out there that are actively looking at ways to break into the operating system market. Some in fact have, and failed miserably.

That however isn't stopping one of the better known security and antivirus vendors out there from throwing their hat into the ring. Widely know cybersecurity and antivirus vendor Kaspersky has announced  this week the availability of KasperskyOS. What the company is calling a new "secure operating system" aimed at network devices, industrial control systems and the Internet of Things.

In a post on his official blog, Eugene Kaspersky (chief executive of the company) announced the new product and offered a quick overview of what how the operating system hopes to keep system more secure and what their end game is. For you geeks they have been kind enough to cut out the sales and marketing approach and give some hard details. For the rest I'll summarize what Kaspersky has to say about their new OS below!

The Future of Embedded and IoT Security: Kaspersky Operating System from Kaspersky Lab

First off KasperskyOS is meant to be highly flexible. Their goal is to have an open project that is specialized specifically for niche projects and products. So don't expect to see it on any of your machines anytime soon. They are shooting more for enterprise applications that anything else. However, according to the KasperskyOS whitepaper, supported architectures include: x86/x64 CPU's: Pentium II or higher, ARM CPU,: ARMv7 or higher, and Ethernet: Realtek RTL8139, Intel i82580.

Security is built from the ground up with a secure Default Deny system at the process level and is wrapped into a microkernel. In simple words, it’s a system that does what it’s instructed to and is unable to do anything else. Unlike most operating systems, where as user interaction can bypass security controls, KasperskyOS is extremely locked down. It divides objects into isolated entities which only allows for very limited interaction between packages creating a wall between the OS, applications and security levels.

To create a package that could be applied in several different areas of granular customization, Kaspersky has developed three basic products into one:

• An Operating System (KasperskyOS)
• A standalone secure hypervisor (KSH) for running virtual machines
• A system for secure interaction between OS components (KSS)

All three components work in tandem to try to build upon each other to create the secure environment. The systems are being called a "project offering" and not "a boxed solution with a cure-all for everyone." The company says their intent is to working closely and collaborate with vendors and developers to configure these systems based on their requirements to meet their individual security needs.

Intel Wants to Help Keep Your Information Private During National Cyber Security Awareness Month

As we enter the first week in October we are reminded that this month is National Cyber Security Awareness Month. With that comes plenty of news, warnings and educational campaigns aimed at helping users at all levels to become more aware of the issues we all face with security and privacy.

Several major companies, including a long time geek favorite, Intel have announced their commitment to the National Cyber Security Alliance’s “Lock Down Your Login” Internet safety and security initiative.  The campaign, which was first announced by the White House in February, calls for all Americans to move beyond traditional username and password protections to better secure the important information in their email, banking, and social media accounts.

“Lock Down Your Login” provides consumers with information ranging from what strong authentication is, why it is important, and how it is implemented. FAQs provide details about the goals of the campaign, the limitations of traditional usernames and passwords, what kinds of information is collected and used to support authentication.

For their part in the National Cyber Security Alliance, Intel is offering users more information on True Key, a free application developed by Intel Security that offers users a multifactor password manager that secures and encrypts all your passwords. Unlike most traditional password managers, True Key utilizes unique-to-you factors, like face and fingerprints, or devices you already own and have registered, to use two-factor authentication allowing you to safely store all your passwords and guarantee that you'll be the only one using them.  Consumers can download this free app at www.truekey.com  — an easy way to enhance safety online.

Opera Offers Android Users Free 'Ad Supported' VPN Service

When you think of Opera Software you likely think of their Opera Web Browser and rightfully so as it is the mainstay of the company. As of late however, Opera has been working on several new projects, one of which is a new standalone VPN service that the company has integrated into their desktop browser as well as an iOS App. Luckily for us Android users hat service has now been made available to allow us all the privacy and security a traditional VPN service can offer in an unlimited free option (well sort of!).

“The Opera VPN app for Android sets itself apart from other VPNs by offering a completely free service - without a data limit, no log-in required, advanced Wi-Fi protection features and no need for a subscription,” says Chris Houston, President of Surfeasy, Opera’s VPN division.

Announced earlier this week,, Opera's new app packs a ton of features that like most VPN services will allow people to browse somewhat anonymously, block ad-tracking cookies, access more online content, extend the geographical reach of apps and even test the security of Wi-Fi networks. Unlike most of those other services Opera is offering their for free and without any limits! But if you haven't noticed we did say ad-supported!

The major caveat to the app, which seems pretty ironic to us geeks, is that it is powered by a company that Opera acquired last year called SurfEasy. And while the app itself is free once you begin looking around, you'll notice ads that are presumably powered by another of Opera Software's latest projects. Opera also wants to share anonymous data about your mobile usage and browsing habits with third parties. Sow while you are getting a pretty nifty VPN service you might want to check the fine print!

Opera had this to say about the data it collects:

This information is made available to third parties who are interested in better understanding the mobile ecosystem and how it’s evolving. It’s important to understand that this is not data about what you do with your phone, but rather this is data about how a large group of people use their phones.”

If that doesn't bother you, and for most of us looking at free VPN services is shouldn't, here are a few more details about the app!

The app is completely standalone and is no way tied to the company’s web browser. So it will work with most Android (and iOS) devices and almost any web browser. There is no need to change your old ways and download Opera, though you might want to just to see how well your browser compares.

If you're not well-versed in VPNs, the app automatically handles almost everything including setting the Android VPN settings for you. It will also check the security and integrity of your current Wi-Fi connection. This feature may slow down your internet speed while you're using it, but not so much that it's too problematic to use while surfing.

Once you are in the app you can 'mask' several details of your online activity, such as applying new location settings across your entire device and other apps or blocking ad-trackers. Changing your regions settings is something most users will find useful when you need to bypass content restricted by location. Suck as viewing videos from other countries, watching Netflix while traveling ect. Currently the app will let you choose from five server locations: USA, Canada, Germany, Singapore and The Netherlands.

If you're interested in trying out the app, you can pick it up via the Google Play Store now.

Apple Plans to Pay Out Big Cash Rewards For Security Bugs

Big news for security researchers and would be iOS hackers, Apple has finally launched a high dollar bug bounty program that could net you a whopping $200,000!! The program, which will be an Apple first, promises big payouts for hacks and security vulnerabilities that affect the most serious aspects of Apple's iOS operating systems.

Apple announced the new program during the Black Hat cybersecurity conference when the head of Apple security, Ivan Krstic, took the stage. Kristic said the company would pay bug bounties -- up to $200,000 -- to researchers who find and report vulnerabilities in specific Apple software. Don't set your sights on a big paid day just yet though. Like all things Apple does they are keeping very tight control on the program.

For now, Apple is limiting the program to about two dozen researchers who Apple will selectively invite to help identify hard-to-uncover security bugs in five specific categories. The high dollar bounties are only being offered for a small range of iDevice and iCloud bugs. The full list is as follows:

• Secure boot firmware components: Up to $200,000 (~£150,000)
• Extraction of confidential material protected by the Secure Enclave: Up to $100,000.
• Execution of arbitrary code with kernel privileges: Up to $50,000.
• Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
• Unauthorized access to iCloud account data on Apple servers: Up to $50,000.

The payment amounts outlined above are upper limits and not likely to reflect actual payments. Those will depend on the novelty of the issue and how likely the issue is to be exploited in the wild.

As with most bug bounty programs in order to collect the pay outs the researchers will need to submit a report to Apple with a working proof-of-concept that the exploit that works on the latest stable version of iOS. If the bugs are hardware-related, the proof-of-concept must also work on the latest shipping iPhone or iPad hardware. Additionally they are also asked not to disclose the bugs before Apple has time to fix them, though the company would only say it would fix them as soon as possible and wouldn't commit to a firm time window.

Apple said it decided to limit the scope of the program at the advice of other companies that have previously launched bounty programs. Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time, according to Apple. Limiting participation not only gives Apple more control, but it also saves the company from dealing with a massive influx of potentially negative hacks leaking and an influx of "low-value" bug reports.

Firefox Finally Joins The Anti-Flash Revolution

Starting next month, Firebox will finally join the coup to banish Adobe Flash use, by blocking content that is deemed none-essential. This includes Flash elements that aren’t visible to the end user. As a result, Mozilla says, Firefox users will experience less issues with Flash crashing or causing the browser to hang. Battery life, page load speeds, Firefox’s responsiveness, and overall security will all be improved as well.

For those users that still want to enjoy Flash enabled sites, you know the ones that haven't moved to the new generation, Mozilla promises that Firefox will still support legacy Flash content. In order minimize website compatibility problems, the changes are initially going to be limited to a short, curated list of Flash content that can be replaced with HTML. So users won't suddenly be left in the dark. However, Mozilla says it will add more Flash content to the block list in the future, meaning site owners will eventually need to keep up with the times and change their content delivery systems.

Mozilla notes that over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins. This includes audio/video playback and streaming capabilities, clipboard integration, fast 2D and 3D graphics, WebSocket networking, and microphone/camera access. As websites have switched from Flash to other web technologies, the plugin crash rate in Firefox has dropped significantly:

Starting next year Firefox will require click-to-activate approval from users before a website activates the Flash plugin for any content. Websites that currently use Flash or Silverlight for video or games should plan on adopting HTML technologies as soon as possible. Firefox currently supports encrypted video playback using Adobe Primetime and Google Widevine as alternatives to plugin video.

Most of the major players including Google, Apple and Microsoft have all already implemented plans to phase out or completely end support for Adobe's Flash plugin. Largely citing security concerns as the plugin has notoriously been riddled with security vulnerabilities. Over the past several years Flash has been one of the most targeted exploits for hackers.

Hackers Use the 2016 Rio Olympics to Target Potential Victims

With the 2016 Rio Olympics just a couple weeks away we are seeing new warnings of potential threats from hackers that include anything from malware and ransomware, to full blown interruptions of sites and services associated with the events. These potential threats mean that visitors to the Olympics and you viewers/followers at home should be extremely diligent and cautious when it comes to opening emails, viewing videos and visiting sites related to the 2016 Olympic Games.

It is fully expected that cyberthreats related to the games will escalate over the coming weeks and meaning you could see phishing emails pushed to your inbox or malicious attacks potentially affecting and infecting the websites you visit.

Malicious Apps and Sites

While we all like to think of our app stores and favorite sites as being secure, history shows us that is not always the case. Malicious apps can sneak past the gates and even our favorite sites can be hit with malicious ads or code that injects links for bad downloads. Add to that the warnings about phishing attempts above and users are likely to face the real threat of malicious downloads.

Again this all comes down to 'think before you click' mentality. When visiting sites related to the 2016 Olympics or installing applications to follow the games be sure you are using official applications on your smartphone rather than low-rated ones with small user bases.

If you are visiting a site from your phone or computer and you see pop-up boxes for things like Flash Updates, app installs or anything else that might not seem right, be sure that you use caution. Back out of the page, if you can, and download any and all updates directly from the source. If you are on your smartphone and an app is asking to install from '"Unknown Sources" stay away!

Beware Phishing Emails and Malicious Social Media Posts or Messages

 Major sporting events have always attracted the attention of would be scammers, targeting the public in just about any way imaginable. Over the years these world wide events have become very lucrative targets for hacking groups using tools like phishing emails, social media posts and malicious downloads.

Phishing emails and social media posts are particularly popular ways for hackers to spread malware and other malicious software. They offer high reward and returns for little work and are seen as highly effective. A favorite among hackers are messages and links, sending would be victims to a site tp view high profile video of a favorite star, record breaking event or something similar. Another favorite phishing scam are links to bargains on great seats to events, or fake confirmations for reservations, service or seating to events. In reality these emails and links contain, things like malicious downloads of ransomware or fake sites that utilize realistic looking log-in pages to steal your passwords and log-in information.

The old adage “Think before you click, especially if something looks too good to be true!” rings loud and clear when it comes to emails involving the 2016 Olympic Games and is one most security researchers are trying to reiterate to everyone!

Thomas Fischer, a security researcher at Digital Guardian, has already been noticing an increase in phishing scams trying to take advantage of the Olympics. Typically, a user will receive an email loaded with an attachment that invites them to an Olympics ticket lottery. Inside the attachment, however, is malicious code that will download the Locky ransomware and begin encrypting all the user’s files. Hackers are already blanketing email addresses with this kind of attack. They’ll also pretend to be an organization like an Olympics committee.

Banks and Banking Data Are A Popular Target

For those that are luck enough to visit Rio for the games you should use extreme caution when using banks and point of sale machines. We know that anks and banking data are always popular targets, however we are seeing several warnings that Brazilian hackers are developing applications that install Trojans (back door access to your computer or phone) that pretend to be legitimate banking software, but in actuality can steal the victim’s payment information.

These apps tend to target local users more than anything, but they may evolve into something more and could be potential threats to travelers. 

Dmitry Bestuzhev, the head of global research for security firm Kaspersky Lab has warned that visitors to the Rio Olympics be wary of ATM and point-of-sale machines in the country. They often can be infected with malicious code that can secretly steal payment data once a banking card is swiped. “The attacker has the capability to intercept the data and then to clone the card,” he added.

Another danger Bestuzhev is warning users of is the use of public Wi-Fi spots in Brazil to access important person, financial or business data. These access points are often times insecure. A hacker can use them to eavesdrop on victims and steal their passwords, Bestuzhev said, adding the recommendation that users buy a VPN service to encrypt their Internet communications.

The Office of the Director of National Intelligence, in a recent awareness campaign, took even more drastic step stating that visitors should consider leaving all of their devices at home. Instead uggesting that travelers carry a burner phone, which doesn't contain personal data or secure information might be a good idea.It was also suggested that you change your passwords often while you are there.

In the end all of these warnings are meaningless unless the user actually implements a good plan. If you are traveling to Rio for the games you should make sure all your data is backed-up, not only in-case of security breach but of loss or theft (another real threat). You should, as always, make sure your devices and security software are fully updated with the latest patches, virus definitions ect. You should also run frequent scans just in-case.

The most important thing though is to be DILIGENT! Don't open odd emails, click links without confirming them, use odd sites or download software from unknown places and you should be fine!

Bitdefender Says New Tool Uses 'Trickery' To Prevent Some Ransomware Infections

With ransomware infections making big headlines these days security researchers are looking at new ways to keep the malicious software from taking over users machines. Unfortunately, in this cat and mouse game the bad guys have seemingly been wining the war! All that may soon change as security researchers test new inventive ways to actually vaccinate machines from possible infections.

Antivirus firm Bitdefender is one such company that has been taking a new approach as to how it handles ransomware. They have just released a free tool that the company says can prevent computers from being infected with some of the most widespread file-encrypting ransomware programs: Locky, TeslaCrypt and CTB-Locker.

The new Bitdefender Anti-Ransomware vaccine is an update of sorts to a piece if software that the company designed to prevent CryptoWall infections. As with the previous tool this new 'vaccine' works by taking advantage of a very specific feature commonly used in several piece of ransomware. Those malicious pieces of software actually check to make sure the machine they are trying to attack haven't previously been infected. Bitdefender's Anti-Ransomware vaccine uses those checks against the ransomware by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again.

Bitdefender has stated that in its current form the tool can only fool certain ransomware families and is not guaranteed to work as protection against those indefinitely. Therefore, it's best for users to take all the common precautions to prevent infections in the first place and to view the tool only as a last layer of defense that might save them in case everything else fails.

"While extremely effective, the anti-ransomware vaccine was designed as a complementary layer of defense for end-users who don’t run a security solution or who would like to complement their security solution with an anti-ransomware feature," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

The new tool is available for download on the Bitdefender website.

Uber Launches A New Bug Bounty Program Offers $10k For Bugs

Bug bounty programs are big business these days, with researchers often seeing rewards of thousands of dollars to find bugs in software and security systems. Today we see yet another company joining the fold as Uber has announced that it’s officially launching a “bug bounty” program that will pay independent security researchers thousands of dollars in rewards for finding hackable bugs in its apps and websites.

Uber wants to pay researchers up to $5,000 for finding anything from a minor bug that could deface the company's homepage or expose users’ email addresses and up to $10,000 for more serious and critical bugs that could lead to attackers gaining the ability to fully take over Uber accounts or run malicious code on an Uber production server.

According to Uber the main reason behind the move to open a public bug bounty program comes as a result of the company's very own private program that turned up over 100 bugs — all of which have Uber has said have been fixed. This time the company is going a step further by offering hackers and security researchers not only more money but a new bug bounty “loyalty system” that gives bonuses for repeated bug discoveries. They have also created a “treasure map” for bug bounty hunters designed to guide them toward potential vulnerabilities in the site—mapping out the company’s code to make bug hunting as efficient as possible.

"Even with a team of highly qualified and well trained security experts, you need to be constantly on the look-out for ways to improve," Uber's Chief Security Officer Joe Sullivan said in a statement. "This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber."

For more information about the program visit https://hackerone.com/uber.

Apple Moves Quickly to Squash Ransomware Concerns

While ransomware may hardly be a new thing, this weekend saw a new first for the malicious software as it for the first time ever has been confirmed as targeting Apple Mac OSX users.

Palo Alto Networks, A security research firm announced Sunday its discovery of what is believed to be the world’s first ransomware that specifically goes after OS X machines. The malicious code dubbed "KeRanger" ransomware, was found wrapped into Transmission, which is a free Mac BitTorrent client.

At this time it is still unclear exactly how the attackers managed to upload a tampered version of Transmission to the application's website. But compromising legitimate applications is a commonly used method. "It’s possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto Networks wrote on its blog.

The KeRanger malware imposes a 72-hour lockout window unless the victim pay up to unlock their devices. As mentioned the software was loaded to OSX machines unintentionally by users running version 2.90 of the Transmission software. A version that was signed with a legitimate Apple developer's certificate. This allowed the software to bypass one of OSX's security settings as users often set the setting to allow downloads from identified Apple developers. This setting means the person with the infected machine may not ever have seen a warning from Apple's GateKeeper software that the application could be dangerous.

According to reports by Reuters Apple revoked a certificate that allowed the software to be installed on Macs, and Transmission removed the download link from its website noting that any users that downloaded the infected version over the weekend should immediately upgrade to version 2.91 of the software, which was available on its website, and delete the malicious one.

Privacy: Why Do We Fear The Government Yet Embrace Major Corporations?

The recent firestorm around Apple's refusal to help the FBI crack the iPhone belonging to San Bernardino terrorists has certainly raised several questions. Not only about personal privacy and our government's access to our private data, but also about a company's role in protecting that data. For me however, it has raised a different set of questions, mainly the question of why we would trust a multi-national, billion dollar company over our own government that is sworn to protects its citizens.

I've long followed the case and leaked information Edward Snowden has provided the public with. Especially the disclosure of several NSA projects and programs that have for years used several high profile tech companies to conduct surveillance on 'everyday citizens'.

While I do believe there are plenty of nefarious projects out there, and that the government has been increasingly guilty of over-reach the question in my mind that has always remained was how much is it the government and how much is it the tech companies themselves or even the citizens. After-all, we are so willing to give up this information. Why wouldn't they want to take it?

So we now fast forward to Apple's most recent defiance of a court order that is meant to compel them to help the FBI access data on a locked iPhone. The question that is raised, is should Apple work with the FBI to bypass the locks that are in place and if they do, should those tools then be given to law enforcement agencies to use. We won't talk about whether or not Apple can/can't actually achieve this!

This brings me to my question: When did the notion that our government has somehow become a great evil become so entrenched in our brains that we are so blindly willingly to hand over all controls of our data to a company like Apple? Why are so many willingly to believe that they are actually going to act in our best interests over their own?

How is it that we are so willing to allow major corporations with no accountability complete and unfettered access to every aspect of our days lives and total control over our privacy yet we worry so much about our government, with a great deal of accountability and restriction, wanting to access even the most minor of details?

This is after-all a company that has the ability to act with an unfathomable level of impunity. They are shielded behind a TOS, which most users barely understand. We by all rights hand these companies that door, the lock and the key.  Yet we scoff at the government when they act within the full letter of the law to attempt to gain access to any portion of that data.

Why is it that we are so willing to allow major corporations with no accountability complete and unfettered access to every aspect of our days lives and total control over our privacy yet we worry so much about our own government? A government that has to act within the scope of the law and has a great deal of accountability and restriction!

Have we come so far from the days of seeking government oversight, consumer protections, the break ups of monopolies and 'robber barons' that we are now fearing the very entity that we once embraced to save us from these 'Orwellian Giants'? Do we really truly want the keys to the kingdom to reside solely in the hands of corporations that only see the bottom line?

Personally I think not! I think we should really take a good hard look at these companies, especially the ones that want to proclaim themselves above the letter of the law and 'protectors' of overreach by the government. Now this shouldn't mean to say I think the government should have unfettered access to things like encryption keys, user data, or any sort of 'backdoor' programs. In fact the opposite is true! I think our government should be held to even higher scrutiny and standards than it is today. That doesn't mean we should not then scrutinize companies and their motives as well. 

Microsoft Officially Drops Security Support For Internet Explorer 8, 9, 10

 All good things (or bad depending on your point of view) must come to end and right? This week we will see Microsoft's long planned end of support for older versions of Internet Explorer, meaning that much like users of the company's older operating systems that have been retired, users of the older version of the Internet Explored browser will no longer receive security updates for any un-patched flaws or exploits!

We are at yet another  Microsoft-imposed deadline, which heralds the end of support for outdated software. Next Tuesday will bring the first batch of Microsoft security bulletins for 2016 and it will also mark the end of security support for Internet Explorer versions 8, 9 and 10. Microsoft made the call almost 18 months ago, giving all of their customers and businesses ample time to prepare for the day when those versions of IE, battered by zero-days, exploit kits and targeted attacks, should be retired.

In reality, however, many users out there are either unwilling or unable to comply with these deadlines. This does not mean that we shouldn't take notice and shouldn't take Tuesday’s deadline seriously. In fact even if you aren't using IE on your own machine you should still be aware of the risks as they may potentially put businesses at risks and therefore may put your own personal data at risk as well!

Statistics from a number of sources show us that there is still a significant percentage of web traffic moving through IE. Netmarketshare.com, for example, says that while IE 11 holds more than 25 percent of market share, IE 8, 9 and 10 combined still account for more than 20 percent. Researchers at Duo Security, examining traffic moving through their services, put the percentage a bit higher for IE 9 and 10—almost 36 percent—running on Windows 7, 8, or 8.1.

Given that browsers historically offer hackers a much juicier attack surface than operating systems, folks may want to take Tuesday’s deadline seriously.

“In most cases an attacker will need to already have access to a local network or be able to trick users into opening malicious files as part of a successful attack leveraging Windows XP vulnerabilities,” said Tripwire security researcher Craig Young. “The web browser on the other hand is of course used to constantly process data from potentially untrusted sources leaving users exposed to a wide range of attack.”

Microsoft warns IE users that without action, after January 12, 2016, they will no longer provide security updates or technical support for older versions of Internet Explorer. Noting that security updates patch vulnerabilities that may be exploited by malware, helping to keep users and their data safer. Regular security updates help protect computers from malicious attacks, so upgrading and staying current is important.

For full details on the end of life cycle of Internet Explore and how you can update and protect  own system you can read the Windows lifecycle FAQ sheet to learn more. If you have not yet updated to Internet Explorer you can do so via the Windows Update portion of the control panel or via Microsoft's Download Site.

Hackers Earn A Cool $1 Million With iOS 9 Remote Jailbreak

Just a few short months after security firm Zerodium offered a million dollar bounty for a working exploit that could remotely jailbreak an iPhone or iPad running the latest version of iOS a team of hackers may have found the answer and successfully claimed one of the $1 Million dollar prizes.

A tweet sent out on Monday from Zerodium congratulated one winning team, though it didn't identify the researchers, nor did they offer any further details of the exploit. However, it would appear as though they have submitted the results and Zerodium has confirmed that the exploit "is still being extensively tested by Zerodium to verify and document each of the underlying vulnerabilities."

The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad running the latest version of Apple’s mobile operating system iOS (in this case iOS 9.1 and 9.2b), allowing the attacker to install any app he or she wants with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message.

Zerodium founder Chaouki Bekrar explained to Motherboard that the winning team found a "number of vulnerabilities" in Chrome and iOS to bypass "almost all mitigations" and achieve "a remote and full browser-based (untethered) jailbreak."

If true this would likely be the first such jailbreak since the days of iOS 7. Zerodium hasn’t revealed any details of the hack or provided and details of the team who is claiming the bounty, and isn’t likely to do so either. In the past Zerodium has been known to be an exploit accumulation service, gaining the information from security teams and then selling that exploit for a profit to the highest bidder. These bidders are more often than not intelligence agencies like NSA or FBI, who have often complained about how difficult it is to access an iPhone.

In this case Bekrar says he expects to sell the new iOS hack to a U.S. customer and has no intention of informing Apple of the security vulnerabilities that are used or how the exploit works.