Rumors of eavesdropping smart devices have been circulating for many years. Doubtless, you’ve heard a tale or two about how someone was discussing, say, the new coffee machine at work, and then got bombarded with online ads for, yes, coffee machines. We’ve already tested this hypothesis, and concluded that advertisers aren’t eavesdropping — they have many other less dramatic but far more effective ways of targeting ads. But perhaps the times are changing? News broke recently (here and here) about two marketing firms allegedly bragging about offering targeted ads based on just such eavesdropping. Granted, both companies later retracted their words and removed the relevant statements from their websites. Nevertheless, we decided to take a fresh look at the situation.

What the firms claimed

In calls with clients, podcasts, and blogs, CMG and Mindshift told much the same story — albeit devoid of any technical detail: smartphones and smart TVs allegedly help them recognize predetermined keywords in people’s conversations, which are then used to create custom audiences. These audiences, in the form of lists of phone numbers, email addresses, and anonymous advertising IDs, can be uploaded to various platforms (from YouTube and Facebook to Google AdWords and Microsoft Advertising) and leveraged to target ads at users.

If the second part about uploading custom audiences sounds quite plausible, the first is more than hazy. It’s not clear at all from the companies’ statements which apps and which technologies they use to collect information. But in the long (now deleted) blog post, the following non-technical passage stood out most of all: “We know what you’re thinking. Is this even legal? It is legal for phones and devices to listen to you. When a new app download or update prompts consumers with a multi-page term of use agreement somewhere in the fine print, Active Listening is often included.”

After being pestered by journalists, CMG removed the post from its blog and issued an apology/clarification, adding that there’s no eavesdropping involved, and the targeting data is “sourced by social media and other applications”.

The second company, Mindshift, just quietly erased all marketing messages about this form of advertising from its website.

When did they lie?

Clearly, the marketers “misspoke” either to their clients in promising voice-activated ads, or to the media Most likely it was the former; here’s why:

Modern operating systems indicate clearly when the microphone is in use by a legitimate app. And if, say, some weather app is constantly listening to the microphone, waiting for, say, the words “coffee machine” to come from your lips, the microphone icon will light up in the notification panel of all the most popular operating systems.
On smartphones and other mobile devices, continuous eavesdropping will drain the battery and eat up data. This will get noticed and cause a wave of hate.
Constantly analyzing audio streams from millions of users would require massive computing power and be financial folly — since advertising profits could never cover the costs of such a targeting operation.

Contrary to popular belief, the annual revenue of advertising platforms per user is quite small: less than $4 in Africa, around $10 on average worldwide, and up to $60 in the U.S. Given that these figures refer to income, not profit, there’s simply no money left for eavesdropping. Doubters are invited to study, for example, Google Cloud’s speech recognition pricing: even at the most discounted wholesale rate (two million+ minutes of audio recordings per month), converting speech to text costs 0.3 cents per minute. Assuming a minimum of three hours of speech recognition per day, the client would have to spend around $200 per year on each individual user — too much even for U.S. advertising firms.

What about voice assistants?

That said, the above reasoning may not hold true for devices that already listen to voice commands by nature of their primary purpose. First and foremost are smart speakers, as well as smartphones with voice assistants permanently on. Less obvious devices include smart TVs that also respond to voice commands.

According to Amazon, Alexa is always listening out for the wake word, but only records and sends voice data to the cloud upon hearing it, and stops as soon as interaction with the user is over. The company doesn’t deny that Alexa data is used for ad targeting, and independent studies confirm it. Some users consider such a practice to be illegal, but the lawsuit they filed against Amazon is still ongoing. Meanwhile, another action brought against Amazon by the U.S. Federal Communications Commission resulted in a modest $30 million settlement. The e-commerce giant was ordered to pay out for failing to delete children’s data collected by Alexa, in direct violation the U.S. Children’s Online Privacy Protection Act (COPPA). The company is also barred from using this illegally harvested data for business needs — in particular training algorithms.

And it’s long been an open secret that other voice assistant vendors also collect user interaction data: here’s the lowdown on Apple and Google. Now and then, these recordings are listened to by living people — to solve technical issues, train new algorithms, and so on. But are they used to target ads? Some studies confirm such practices on the part of Google and Amazon, although it’s more a case of using voice search or purchase history rather than constant eavesdropping. As for Apple, there was no link between ads and Siri in any study.

We did not find a study devoted to smart TV voice commands, but it has long been known that smart TVs collect detailed information about what users watch — including video data from external sources (Blue-ray Disc player, computer, and so on). It can’t be ruled out that voice interactions with the built-in assistant are also used more extensively than one might like.

Special case: spyware

True smartphone eavesdropping also occurs, of course, but here it’s not about mass surveillance for advertising purposes but targeted spying on a specific victim. There are many documented cases of such surveillance — the perpetrators of which can be jealous spouses, business competitors, and even bona fide intelligence agencies. But such eavesdropping requires malware to be installed on the victim’s smartphone — and often, “thanks” to vulnerabilities, this can happen without any action whatsoever on the part of the target. Once a smartphone is infected, the attacker’s options are virtually limitless. We have a string of posts dedicated to such cases: read about stalkerware, infected messenger mods, and, of course, the epic saga of our discovery of Triangulation, perhaps the most sophisticated Trojan for Apple devices there has ever been. In the face of such threats, caution alone won’t suffice — targeted measures are needed to keep your smartphone safe, which include installing a reliable protection solution.

How to guard against eavesdropping

Disable microphone permission on smartphones and tablets for all apps that don’t need it. In modern versions of mobile operating systems, in the same place under permissions and privacy management, you can see which apps used your phone’s microphone (and other sensors) and when. Make sure there’s nothing suspicious or unexpected in this list.
Control which apps have access to the microphone on your computer — the permission settings in the latest versions of Windows and macOS are much the same as on smartphones. And install reliable protection on your computer to prevent snooping through malware.
Consider turning off the voice assistant. Although it doesn’t listen in continuously, some unwanted snippets may end up in the recordings of your conversations with it. If you’re worried that the voices of your friends, family, or coworkers might get onto the servers of global corporations, use keyboards, mice, and touchscreens instead.
Turn off voice control on your TV. To make it easier to input names, connect a compact wireless keyboard to your smart TV.
Kiss smart speakers goodbye. For those who like to play music through speakers while checking recipes and chopping vegetables, this is the hardest tip to follow. But a smart speaker is pretty much the only gadget capable of eavesdropping on you that really does it all the time. So, you either have to live with that fact — or power them up only when you’re chopping vegetables.

Kaspersky official blog – ​Read More

One of the most important concepts in information security is the principle of least privilege. In this post, we explore what it is, how it works, how adhering to this principle benefits businesses, and how to implement the principle of least privilege in practice.

How the principle of least privilege works

The principle of least privilege (PoLP) is also known as the principle of minimal privilege (PoMP) or, less commonly, the principle of least authority (PoLA).

The main idea is that access to resources in a system should be organized in such a way that any entity within the system has access only to those that the entity requires for its work, and no more.

In practice, this could involve different systems and different entities within a system. Either way, in terms of applying the principle of least privilege to enterprise security, this can be restated as follows: Any user of the organization’s information infrastructure should only have the right to access the data that is necessary for performing their work tasks.

If, in order to perform certain tasks, a user requires access to information they currently don’t have, their permissions can be elevated. This elevation can be permanent – if required by the user’s role, or temporary – if it’s only necessary for a specific project or task (in the latter case, this is called “privilege bracketing”).

Conversely, when a user no longer requires access to certain information for some reason, their permissions should be lowered in accordance with the principle of least privilege.

In particular, the principle implies that regular users should never be granted administrator or superuser rights. Not only are such privileges unnecessary for the duties of the average employee, but they also significantly increase risks.

Why is the principle of least privilege needed?

The principle of least privilege helps improve access management, and generally hardens the security of the company’s information infrastructure. Here are some of the important security objectives that can be achieved by applying the principle of least privilege.

Risk mitigation. By restricting access to the minimum necessary for users to perform their tasks, the likelihood of accidental or intentional misuse of privileges can be significantly reduced. This, in turn, helps lower the risks of successful perimeter penetration and unauthorized access to corporate resources.
Data protection. Limiting access helps protect confidential data. Users only have access to the data required for their work, thereby reducing the likelihood of their gaining access to sensitive information or, worse, causing its leakage or theft.
Minimizing the attack surface. Restricting user privileges makes it more difficult for attackers to exploit vulnerabilities and use malware and hacking tools that rely on the user’s privileges, thereby reducing the attack surface.
Localizing security incidents. If an organization’s network is breached, the principle of least privilege helps limit the scope of the incident and its consequences. Because any compromised accounts have minimal rights, potential damage is reduced, and lateral movement within the compromised system or network is impeded.
Identifying users responsible for an incident. Minimizing privileges significantly narrows down the circle of users who could be responsible for an incident. This speeds up the identification of those accountable when investigating security incidents or unauthorized actions.
Compliance with standards and regulations. Many regulatory requirements and standards emphasize the need for access control – particularly the principle of least privilege. Adhering to industry standards and best practices helps organizations avoid unpleasant consequences and sanctions.
Increasing operational efficiency. Implementing the principle of least privilege reduces risks for the organization’s information infrastructure. This includes reducing downtime associated with security incidents, thus improving the company’s operational efficiency.

How to implement the principle of least privilege in your organization

Implementing the principle of least privilege in an organization’s information infrastructure can be broken down into a few basic steps and tasks:

Conduct an inventory of resources, and audit the access rights users currently have.
Classify resources and create an access management model based on roles – each with specific rights.
As a starting point, assign users roles with minimal rights, and elevate their privileges only if necessary for their tasks.
Regularly conduct audits and review permissions – lowering privileges for users who no longer need access to certain resources for their tasks.
Apply the principle of privilege bracketing: when a user needs access to a larger number of resources for a task, try to elevate their privileges temporarily – not permanently.

And don’t forget about other protective measures

Of course, applying the principle of least privilege alone isn’t enough to secure a company’s information infrastructure. Other measures are also required:

Regular security audits.
Timely software updates.
Employee training on the basics of cybersecurity.
Deploying reliable protection on all corporate devices.

Kaspersky official blog – ​Read More

What’s one of the best ways to kick things off to ensure a positive, fruitful 2024? We suggest doing some spring winter cleaning in your digital world — as this will certainly help you spend this year more productively. We’ve put together a few tips on how to: get rid of stuff you don’t need, turn off distractions and annoyances, and improve your digital hygiene.

1. Delete unnecessary files

Let’s start with the basics: deleting files you no longer need. This stage might seem easy, but it can actually take a while — simply because we all have an awful lot of files. So, it’s important not to get overwhelmed by the task. Try breaking it down into small steps, for example, deleting 10, 20 or 50 files each day — or even several times a day.

The main places to look for junk files are:

The desktop. An obvious candidate for where to begin your digital cleanup. Once you’ve cleared your desktop of ancient shortcuts and files, you’ll not only have more storage space, but should also gain a sense of order, which may boost your productivity, lift your spirits, and help you tackle the next steps of your digital cleanup!
The “Old Desktop” folder. Most likely, you have such a folder somewhere on your computer’s SSD (or something similar, like “Old Disk Drive” or “Old Computer Files”). And inside it, there’s often another “Old Desktop”, and within that, another, and so on. It may seem daunting, but time has come to finally deal with this abyss of nested directories.

The downloads folder. Ancient documents, installation files from long-deleted programs, saved images dating back a decade, and other digital relics — chances are you no longer need them and can simply delete them all. And, don’t forget to clean the downloads folder not only on your computer but also on your smartphone (and on your tablet if you have one).
Your smartphone’s photo gallery. If you delete all duplicate photos, screenshots taken for unclear reasons, and videos your pocket decided to take all on its own, you might find you can postpone buying a new smartphone with more memory for another year or two. Special apps come to the rescue here, seeking either exact duplicates or similar files — for example, a series of identical shots, of which you only need to keep one or two. Look for them in app stores using the keyword “duplicate”.
Your cloud storage. This similar to the Old Desktop folder, but in the cloud. Sure, you can pay for extra disk space and accumulate files for a few more years. But might it be better to just get rid of them?
Large files and duplicates on your computer. If you need to quickly free up space on your hard drive/SSD, the easiest way is to either delete a few large-sized files or get rid of identical files, thoughtfully scattered across different folders. To automatically search for large files, you can use the Large Files feature on the Performance tab of the Kaspersky app. By specifying the minimum size and search area — the entire computer or selected folders — in a few minutes you’ll receive a complete list of files whose size exceeds the limit. Then, you can choose to delete them either in bulk or individually.

Also on the Performance tab, you can find and remove duplicate files. Used together, these features (available in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions) might save you from having to buy a new hard drive or SSD.

Once you’ve finished removing unnecessary files, don’t forget to empty the Recycle Bin — or the “Deleted photos” folder, if it’s your smartphone’s photo gallery.

2. Clean up your email and messengers

The next important stage in your digital cleanup is to sort out your email and messaging apps. This will reduce the amount of space your correspondence takes up and, most importantly, improve your experience of using your email and messengers. What to do first?

Get rid of unread messages. Those scary numbers in red circles hovering above your messenger app icons can really get on your nerves and prevent you from dealing with new incoming messages on time. This could cause you to overlook something important, get your priorities wrong, miss a deadline or meeting, and so on. Like cleaning up files, sorting through unread emails and messages can take some time. That’s why a steady, systematic approach works best here: try to break the process up into small steps. And aim to always have fewer unread items at the end of each day — sooner or later, you’ll hit zero.

Unsubscribe from unnecessary email newsletters and messenger channels. This step can help you with the previous task, too. Weeding out unneeded information feeds will reduce the number of new unread items, so you can reach that golden zero even faster. You need to be decisive here: instead of simply ignoring another uninteresting message or email, unsubscribe immediately.
Delete old messenger chats. Correspondence with a realtor about the apartment you moved out of three years ago, communication with couriers, and other similar priceless messages will some day form the basis of your memoirs. Just kidding, of course: delete all of it without hesitation.
Delete emails with large attachments. Is your email provider sending you annoying messages telling you you’re about to run out of storage space? The easiest way to quickly clean up your inbox is to delete old emails with large attachments. Most providers and email programs allow you to find them without much difficulty. It’s easiest with Gmail — to find all emails bigger than 10 megabytes, just enter “size:10000000” in the search bar.

Clear out the spam folder. Individual spam emails typically don’t take up much space. But if you haven’t checked your spam folder in a while, you might have accumulated a ton of messages. Deleting them will push you away from your mailbox limit even further.

3. Close old tabs

Now it’s time to deal with the program we all use the most: your browser. Old tabs left open for months, if not years, not only eat through your device’s memory, but also make it difficult to find the relevant information you actually need. Moreover, an abundance of tabs can pose a serious obstacle to updating the browser — which, by the way, is one of the most important digital hygiene procedures there is.

So try to get rid of unnecessary tabs in all the browsers you use — including on your smartphone. There are two approaches here: either act quickly and decisively, ruthlessly closing all tabs without concern for what they contain; or do it gradually and cautiously, closing tabs in batches of 10–20 at a time and checking along the way if there’s anything important among them. You can add the ones you actually need to bookmarks or tab groups.

And while we’re still on about the browser, also clear its cache. If you haven’t done this before, you’ll be surprised at how much space it takes up. Also, it’s a good idea to review all the extensions installed in your browser: if you’re not using something, now’s the perfect time to remove it.

4. Cancel unnecessary subscriptions

Almost every online service nowadays offers some type of paid subscription — if not several. And these subscriptions can start to pile up beyond all reasonable limits. How much does it all cost? Who knows?! Seriously, people often have no idea about how much they pay for all their digital subscriptions, typically underestimating the total expenses several times compared to reality.

So not only does canceling unnecessary subscriptions bring immediate financial benefit — but this benefit is probably greater than you imagine. On the other hand, the task isn’t that simple: you need to remember all your subscriptions, gather and organize information about them, sort out what’s what — and only then will you understand what you should unsubscribe from. There also might be family subscriptions, with duplicates on the various devices of your family members.

The good news is that there’s a special app for managing subscriptions: SubsCrab. It can organize information about all your subscriptions, calculate monthly expenses, show you a handy schedule and warn you about payment days in advance, tell you what needs to be done to cancel a particular subscription, and even propose alternative subscription options or promo codes and discounts for renewals.

5. Remove unused applications

You probably have apps on your smartphone that you haven’t used in over a year. Or maybe even ones you’ve never opened at all. Not only do they take up your device’s memory, but they can also slowly consume internet traffic and battery power and, most importantly, they clog up your interface and may continue to collect data about your smartphone — and you.

It’s time to finally get rid of them! If you delete at least one unused app a day, within a month or so they’ll all be gone, and order will be restored on your smartphone’s home screen.

However, there is a way to immediately detect all unnecessary apps — both on Windows computers and Android smartphones — with the help of the Unused Apps feature included in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions. It will show you the apps you rarely use and allow you to delete them all in one fell swoop.

There are some protected Android apps which are impossible to uninstall, even if you don’t need them at all — all due to the whim of the smartphone manufacturer. These may include a proprietary browser or an unused social network client. However, there are special methods to uninstall such apps, which we’ve covered in detail in this comprehensive guide.

6. Turn off unnecessary notifications

One of the main obstacles to digital peace of mind can be the endless stream of notifications flowing from almost every app these days — whether it’s a fitness tracker or a calculator. But, fortunately, we’re not at the mercy of our phones in this case. So go through the list of apps that are allowed to send notifications and thin it out.

There are two possible solutions here. The first one is radical: disable notifications for all apps except the most essential ones — banking apps, work tools, and messengers. The second is moderate: identify apps that blatantly abuse notifications — firing them out for no good reason — and disable these pests.

It’s also helpful to disable notifications in messengers for less important contacts, channels, and chats. Also, take a closer look at the focus mode settings. They’re available in all modern operating systems — such as Android, iOS/iPadOS, Windows and macOS — and allow you to limit the number of notifications and other digital noise for a set period.

Also, don’t forget that these days it’s not just apps sending notifications; many websites use browser-integrated notification systems for this purpose, too. So make sure to disable all unnecessary notifications there as well. By the way, we have a separate guide on how to stop browsers from bothering you with trivial stuff.

7. Delete unused accounts

Accounts with online services — even the less important ones — always pose a potential risk. If an account gets hacked, it could be used for fraud, laundering stolen goods, attacks on other users, and more — and all in your name. And if a bank card is linked to such an account, there could be damaging consequences.

It’s therefore best not to leave your accounts to fate: if you no longer need a particular account, it’s wise to delete it. This part of the cleanup might be especially challenging: first, you’ll need to recall which accounts you’ve created, then remember your login credentials, and only then can you delete them. But it’s really worth doing!

To avoid getting overwhelmed, try deleting at least one unnecessary account per week. And while we’re at it, I recommend adding all your accounts to a password manager. That way, they’ll all be in one place, their passwords will be securely stored, and you’ll be able to log in with just a few clicks — so the next time you’re cleaning up, it won’t be such a hassle.

Plus, if any of the services you use is compromised, you’ll receive a notification from the password manager and can promptly take action — either by changing the password or by deleting the account.

8. Change unsafe passwords

If you enter your account details into Kaspersky Password Manager, the application shows you any passwords that might be unsafe, either due to data breaches, or because you use these passwords across multiple accounts at once.

The danger of the first scenario — when a password has already been compromised — goes without saying: if malicious actors know your password, the security of the corresponding account is directly threatened.

As for using the same password for different platforms, the risk here is that if one of these services is breached and attackers find out the password, they’ll certainly try to use it to access other accounts — a technique known as credential stuffing. Thus, using the same password everywhere puts you at risk of having multiple accounts hijacked at once — most unpleasant.

Unsafe passwords need to be changed, and the sooner the better. Passwords that have already been compromised should be replaced immediately. When changing passwords that you’re using in multiple places, you can afford to take the process step-by-step, editing a couple of accounts at a time.

By the way, Kaspersky Password Manager helps you create truly secure and unique character combinations using a random password generator (so you don’t have to come up with new complex passwords yourself), and stores them safely in encrypted form — synchronizing passwords across all your devices. The only password you’ll need to remember in this case is the main password for Kaspersky Password Manager: it encrypts the entire password database and isn’t stored anywhere except in your head.

And to streamline all these digital cleanup processes, we recommend using Kaspersky Premium, which includes comprehensive protection, productivity enhancement tools, a password manager, and many other features necessary for effective digital housekeeping across all your family’s devices.

Kaspersky official blog – ​Read More

It took six months for notifications to start, and we still don’t know exactly what went down… but here’s our advice on what to do.

Naked Security – Sophos News – ​Read More