
Making the move to using location-based analytics can be a big decision for your business.

On one hand, using this technology can unlock powerful insights.

Knowing how people move through your facility, how long they are there, and where they came from provides you with critical information to improve the customer experience and become more efficient in your operations.

On the other hand, tracking your customers’ movements can open your business up to a whole new set of decisions about how to use and collect user data.

With new regulations about consumer data privacy, knowing what’s allowed — and what’s right — when it comes to collecting data can be confusing.

By opting to use A2 Analytics from Archetype SC for location-based tracking and insights, you can avoid these concerns. Here’s a look at how our technology compares to most when it comes to data privacy:

How most technologies use data

Whenever a consumer downloads a new app or signs up for a service, businesses put terms and conditions in place to cover all their bases in a legal sense.

For many applications and technologies, this giant wall of text states that the consumer will entrust data to the company, including some Personally Identifiable Information (PII) that the company owns and can use however it wants.

Most consumers breeze right through the terms and conditions, scrolling to click “Agree” without taking the time to fully understand what they’re subjected to in exchange for the service.

Because the company owns their data, these consumers may have PII, location data, or anything gleaned from their device sold by the service they use.

How data privacy is changing

With regulations like GDPR and the California Consumer Privacy Act going into effect in recent years, consumers are more in tune than ever with how companies use their data.

For businesses not in compliance, there are heavy penalties and sanctions that force the issue of data privacy to be at the forefront of dealings with consumers.

Thanks to these actions, users are becoming more likely to opt out of having their data shared, and are now aware that they have the right to see what a company has done with their information.

Even as businesses move to update privacy policies and introduce more transparency in their data usage, many — including those in the location-based tracking space — have been slow to adapt.

How A2 Analytics handles data privacy

A2 Analytics uses passive sensors to pinpoint devices within a given area, but does not capture any Personally Identifiable Information (PII) in the process.

Using location data, combined with cloud computing and machine-learning algorithms, A2 Analytics gives a holistic look at the movement of people via the signals put off by their devices.

It cannot, however, capture information like phone numbers, contact information, or any other associated information about the owner of the signal.

Because A2 Analytics uses anonymized data, it is able to provide insights about the movement of individuals in a facility without the need for opt-in or an app on the users’ devices. This allows for higher capture rates, typically above 85% of all individuals in the space.

This high capture rate allows for highly accurate information about your space with minimal impact on an audience.

Cybersecurity incidents, like data breaches or ransomware attacks, have impacted nearly every industry. Hospitals, colleges, even city governments have fallen victim to cyber-attacks, many occurring because of a simple vulnerability that was exploited by a hacker.

There is a ransomware attack every 14 seconds. With more than 1 billion U.S. passengers traveling through airports in 2019, your network is open for business, to both good and bad actors.

How can your airport do more to beef up its cybersecurity measures to help keep cybercriminals at bay?

Vet your vendors (and airlines!)

While you may have control of the cybersecurity measures within your staff, you probably have less influence over your vendors and airlines using your facility. Whether it’s a concessionaire or the largest airline in the world, vetting those outside sources to ensure they’re not introducing cybersecurity vulnerabilities to your airport is a critical step in the onboarding process – and should be done regularly to ensure standards are maintained.

One of the most prolific data breaches to date, the Target breach of 2013, occurred due to a third-party vendor introducing a vulnerability, which led to 70 million stolen records and a 46 percent drop in profits for Target.

Controlling the Airport of Things

With the boom in connected devices and the expectation from passengers that those devices will work end-to-end on their travels, more opportunities for network intrusion exist than ever before.

Combining the need for connectivity with the increasingly sophisticated tools cybercriminals deploy could spell disaster for your facility. With more travelers using your systems and introducing vulnerabilities, the systems you need for daily operations, like access and departure control and security cameras, could be at risk of downtime or being hacked.

The aviation industry utilizes complex infrastructure with integrations into a number of systems that require constant protection. Introducing vulnerabilities from the outside, or via insider threat, could put your airport on lockdown.

Perform regular Vulnerability Assessments

Archetype SC’s Security Risk and Vulnerability Assessment (SRVA) is a tool that uncovers network vulnerabilities that could be exploited by a cybercriminal, allowing your organization to take a proactive approach to its cybersecurity. SRVA allows our security experts to look at your network as a hacker would see it, finding areas that are susceptible to attack.

An SRVA is a multi-pronged approach to vulnerability scanning, consisting of an internal scan, external scan, interviews with key staff, and qualitative assessment of your security posture. Combining these elements into a deliverable report broken down by severity provides your airport with a remediation plan to shore up areas of weakness.

Our current global health situation and the resulting efforts to slow the spread have resulted in an unprecedented number of people working remotely. Technology is a great enabler to allow us to continue to be productive, but remote work presents new challenges and risks that need to be considered.

Cybercriminals are presented with millions of new targets, and users don’t have the ability to simply walk over and ask IT what to do in a situation.

Archetype SC is proud to offer a free consultation to help your business determine what tools, policies, and procedures your business needs to make it through the current situation.

To help with the transition, we have compiled a list of tools we use or recommend for making remote work easier and less risky from a cybersecurity perspective. As an added benefit, many of the tools have special offers in place to help you get started fast.

Collaboration Tools

Office 365

Office 365 users have access to some of the best cloud-based collaboration tools, helping employees stay productive and secure from any location or device. As more teams transition from working collaboratively in an office environment to working remotely, the capabilities provided by Office 365 allow your business to continue to function as usual.

Taking the familiarity of classic programs like Word, Excel, and PowerPoint to the cloud gives your team the ability to work collaboratively within a document, making changes and edits in real time. Office 365 also includes programs like:

  • OneDrive: for cloud-based storage
  • Outlook: for email and scheduling
  • Flow: for automating workflow and process
  • Teams: for internal (and external) communication via chat, voice, and video

Offer: Microsoft is offering a free 6-month Office 365 E1 trial, which includes Outlook, Teams, OneDrive, and Microsoft Office capabilities.

Cybersecurity

PC Matic

The two prominent approaches to keeping endpoints (computers, servers, laptops, tablets, etc.) safe from malware are blacklisting and whitelisting.

Legacy antivirus programs like Trend Micro, Norton, and McAfee rely on teams of researchers to compile profiles and lists of known bad programs, code, etc. These known risks are then blacklisted and blocked from infecting your endpoints. A newer approach is to create whitelists of programs that are known to be good—and block anything that is unknown.

This approach leads to a 99%+ catch rate, as opposed to the blacklist rate of 60%. Providers have already built very large whitelists, but new “known good” programs are able to be quickly and easily added.

PC Matic is a leader in the whitelist approach to antivirus, having built its PC Matic Pro platform around whitelisting. The technology has been proven to provide real-time protection against ransomware, advanced persistent threats, and zero-day attacks to keep your endpoints secure.

For companies that would like their antivirus managed, Archetype SC offers a managed service to offload the work from your IT staff.

Offer: PC Matic is offering free cybersecurity protection through June 30 in response to the influx of remote workers during the COVID-19 pandemic.

Okta

Traditionally, accounts have been protected by a username and password, but that is no longer enough. Multi-factor authentication (MFA) offers an added layer of security to help ensure that users are who they say they are, helping to safeguard your data.

Okta is recognized by Gartner, Forrester, and users as a leader in MFA. They provide solutions that can easily add MFA to almost any software you or your company uses that has a username and password.

Offer: Key pieces of the Okta Identity Cloud are being offered free, including Okta Single Sign-On (SSO) and Okta Multi-Factor Authentication. This offer gives all users protection for up to 5 apps for six months at no charge.  

IBM Security MaaS360

While employees are working away from your office – and your network – protecting the endpoints they’re using is critical.

Mobile device management (MDM) allows your IT staff to control the usage of devices like smartphones, tablets, and laptops by enforcing business policies on devices, securing a lost or stolen device, and allowing or disallowing certain applications.

IBM Security’s MDM offering, MaaS360, simplifies the complex practices of securing the devices accessing your business data. Using AI and analytics, MaaS360 accelerates support and provides native identity management to ensure authorized users access appropriate resources.

Offer: IBM is offering MaaS360 at no charge for clients through June 15.

Virtual Meetings

If your company hasn’t had the need to virtually meet and doesn’t have a preferred provider of those services, consider Microsoft Teams or GoToMeeting to keep your employees in touch with each other and clients.

Microsoft Teams

One of the most widely used messaging applications for businesses, Microsoft Teams is a program with features to keep your employees connected.

Features like video chatting, file sharing, and messaging allowed Microsoft Teams to add more daily active users the week of March 16th, 2020 than Slack has in total, including a 500 percent increase in Teams meetings.

Teams was built with efficiencies in mind, as users can communicate, collaborate, and continue working from the desktop app or mobile version.

Offer: Microsoft is offering a free 6-month Office 365 E1 trial, which includes Outlook, Teams, OneDrive, and Microsoft Office capabilities. Additionally, Microsoft is giving Teams access to non-licensed users through January 2021.

GoToMeeting

For meetings where screen sharing and high-definition video are critical, GoToMeeting is a long-standing, top-ranked option for quick meetings or in-depth presentations.

Offer: GoToMeeting has a free version that will allow users to perform basic tasks and organize meetings from sign up. Additionally, GoToMeeting is increasing its ability to offer customer support for remote employees.

Backup Solutions

Your organization would be lost without its critical data that keeps operations running. The consequences of a mass data loss or cyber-attack include lost sales, dissatisfied clients, and unproductive employees.

A backup solution delivers protection from data loss by creating supplementary copies of files, databases, or computers.

Acronis

A leader in the backup space, Acronis has multiple options for backup, disaster recovery, and storage. Solutions provided protect data in any environment, including physical, virtual, cloud, mobile workloads, and applications.

Offer: Acronis is offering free licenses to its Acronis Cyber Files Cloud file sync and share solution to its service provider partners through July 31.

How we can help

Selecting and using new technology can feel like a complicated task, but our motto is “we do complicated.”

Archetype SC can be your partner every step of the way, helping with selection, implementation, support, and security.

Contact us today to schedule a free consultation to help your business understand and prepare to meet the technology challenges from Covid-19.

An investment in analytics gives your organization the chance to learn what it did right and what needs more attention to reach its audience. Failing to do so puts your organization in the mindset of hoping for change, but not knowing how to create impact.

Location-based analytics unlocks a treasure trove of data to help improve the customer experience. From connecting online touchpoints into a physical location to proximity marketing, location-based analytics can create a customer experience worth repeating for your audience.

Find the demand and meet it

Leveraging location-based data to find out where your audience comes from, their route to your location, and how valuable their travel would be can help organizations make critical business decisions.

If a financial institution or retail store sees that many of their customers travel more than 15 miles to their location, putting in another location might be a worthwhile move.

Perhaps a doctor’s office notices many of its patients come from another part of the state, traveling hours to appointments. The practice could open a satellite office to better accommodate those folks.

On a smaller scale, a retailer could track the paths taken through its store and optimize the layout of the store to feature struggling products or sale items. Using location-based analytics can help optimize the customer journey and create a better experience.

Push Your Audience Toward Success

Marketing is inherently a fickle practice catering to the whims of your audience. Rather than sending mass mailers, non-targeted email campaigns, or push notifications at inopportune times, using proximity mobile marketing combines time and place, creating a push notification to the mobile device of an audience member when they are within a certain distance of your organization.

That location-based information removes a consistent barrier of traditional marketing by using the locale of an individual to push sales, increasing revenues. Whether it’s a Cinnabon in an airport, a 5 Guys at a shopping center, or a Belk in a mall, using proximity marketing will increase interest in a product or service.

Optimize Free Time

Wait times are a common issue at the DMV, airport, movie theater, grocery store, and a host of other locations. Knowing how long a line will take and notifying an audience member can help to maximize the time spent within your location and create loyalty.

If a traveler in an airport knows it will take 35 minutes to get through TSA screening and 10 minutes to walk to their gate, they will make sure they have enough time built in to grab a snack, book, or utilize amenities within your location.

A rushed traveler who assumes getting to the terminal 30 minutes before a flight will be plenty of cushion won’t be able to enjoy the concessionaires within your facility while they’re sprinting to catch their flight. Sometimes, additional information can mean additional revenue and a better experience for your audience.

Whether the investment in location-based analytics is used to create value for your audience or use marketing to increase revenues, creating an improved customer experience is worth the spend.

Small businesses are the target of cyber attacks.

In terms of preparation, this may be news for some business owners.

In 2019, 58% of cyber attack victims were small businesses, or businesses with fewer than 250 employees. Often, small businesses find themselves embroiled in cyber attacks because of a “too small” mentality. Many business owners think they are too small to fall victim to a data breach and have budgets that are too small to combat the problem.

As data breaches and hacks have advanced, so has the need for proper security measures to protect business data.

QUESTION 1

Do your employees help or hurt your security?

  • The problem: Human error accounts for 25% of data breaches and represents one of the largest weaknesses in security for most businesses.
  • The solution: Regular training to recognize ransomware and phishing and to follow general security protocols is critical in the “all hands on deck” approach to security employed by small businesses.

QUESTION 2

How are your accounts secured?

  • The problem: Poor passwords create one of the largest vulnerabilities for businesses, as more than 70% of passwords are recycled from other accounts.
  • The solution: Implementing multi-factor authentication protects accounts by requiring more than just login credentials. Using a text message, tokens, or biometrics adds an additional layer of security to accounts.

QUESTION 3

Are you protecting your endpoints?

  • The Problem: There were 10.5 billion malware attacks in 2018; antivirus software detects over 350,000 pieces of malware daily.
  • The Solution: Antivirus software has been around for a long time but is still effective. While no antivirus software is 100% effective, having a platform in place can help detect and prevent malicious attacks.

QUESTION 4

Is your data backed up?

  • The Problem: Ransomware attacks lock your data and demand money, with companies paying an average of $84,116 to recover data in Q4 2019.
  • The Solution: Backing up your data from devices and the cloud locally and to an off-site server will protect your business from potential ransomware and system crashes.

QUESTION 5

Have you limited access to sensitive data?

  • The Problem: More than 80% of organizations do not have a plan for privileged access management, leading to double the breaches.
  • The Solution: Ensuring the data that runs your business is not open to all employees by using identity and access management technologies will mitigate risk when a data breach occurs.
    Critical business data should not be accessible to all employees.

QUESTION 6

How is your network monitored?

  • The Problem: 68% of data breaches take months, not days, to uncover for businesses, creating a larger impact and more expensive recovery.
  • The Solution: Network monitoring tracks the entire IT infrastructure of an organization, providing an early warning system of potential threats.

QUESTION 7

What is your data recovery plan?

  • The Problem: More than 60% of companies have experienced some form of data breach over the past two years, making it a “when, not if” scenario for most businesses.
  • The Solution: Creating an incident response plan organizes your employees to help recover from a breach and return to normal working conditions.

QUESTION 8

What are your vulnerabilities?

  • The Problem: One in every three data breaches is the result of a vulnerability that should have been patched.
  • The Solution: A vulnerability assessment can provide your organization with the knowledge of how a hacker would gain access to your network, giving you a head start to shoring up issues before they are exploited.

In late February, two cybersecurity researchers happened upon one of the largest non-password protected email databases on the web.

Bob Diachenko and Vinny Troia of the website SecurityDiscovery.com found the online database of email addresses and personal information with more than 150GB of data, totaling over 800 million records with limited-to-no security. Their astounding find traced back to the email validation service company Verifications.io.

In the database, Verifications.io had three folders titled "businessLeads," "Emailrecords," and "emailWithPhone," with each making up millions of records. "Emailrecords" had nearly 800 million alone, while the other two folders had more than 4 million and 6 million, respectively. In addition to email addresses, "Emailrecords" also contained zip codes, phone numbers, addresses, gender, and date of birth information.

Diachenko alerted Verifications.io of the breach via a ticket on the company's website, which prompted the removal of the database from the web and a response from the company stating no personally identifiable information had been included in the records.

Verifications.io is an email validation service for marketing companies, which works by keeping records of deliverable emails and vetting addresses against a company's email list. The service will send an email to an address to see if it will be delivered or bounce back, then keep a record of active addresses for companies to utilize with marketing email campaigns. These services keep marketing companies from being flagged as spam by sending multiple emails in a short timeframe.

Protecting your email address is as simple as routinely changing the account password with a strong credential, using a secure email service, and selecting obscure (or false) information about yourself for security questions.

If you have concerns around business email security, contact Archetype SC's security team to set up a consultation for SRVA, our security assessment tool that can scan your network for vulnerabilities that could be exploited by cybercriminals.

Traveling around Thanksgiving is almost as much of a tradition as the turkey and stuffing that will be passed around the table, football on TV, and Black Friday shopping that will (hopefully) follow a long nap.

No matter how you’re planning to travel this week, through the air or on the ground, AAA is projecting plenty of delays and the busiest travel season in more than a decade.

“Consumers have a lot to be thankful for this holiday season: higher wages, more disposable income and rising levels of household wealth,” said Bill Sutherland, AAA Travel senior vice president in a press release. “This is translating into more travelers kicking off the holiday season with a Thanksgiving getaway, building on a positive year for the travel industry.”

Traffic for automobiles, which encompasses most travelers, is projected to be up about 5% with 48.5 million expected to travel. Air travel is also expected to be higher, with a growth of 5.4% and over 4 million expected to hit the skies for the long weekend.

While air travel doesn’t have the same traffic jams and congestion of car travel, plenty of frustration exists in the lead-up to boarding an airplane. The stresses that come with air travel are the unknown wait times at the security line, baggage area, and even the restroom. You get to the airport hours before your flight is scheduled to take off, only to stand in line or sit at a gate awaiting your turn to get to Aunt Marge’s “famous” green bean casserole and the cousins you haven’t seen – or thought about – since last Thanksgiving.

How can that experience be improved, so that the traveling doesn’t crack the top 5 list of things you’re dreading about Thanksgiving?

Arming passengers with more information, such as the expected wait time at TSA, how long it takes to walk from the security line to the nearest Starbucks, or even the fastest route through the concourse based on traffic patterns, will create a better passenger experience.

One way to do so is with A2 Analytics technology, which can be integrated with an airport’s mobile app to give passengers the power to decide when they want to get to your facility before their flight using expected TSA wait times. Heat mapping can show how crowded a restroom facility is, while walking routes give passengers accurate, real-time data on how long it will take them to get to a restaurant, shopping center, or rental car facility.

Your traveling experience doesn’t have to be a hurry up and wait scenario that leads to more arguments than thankful moments. Take the stress out of travel by requesting your nearest airport facility utilize A2 Analytics to optimize the passenger experience.

An unprecedented cyber-attack took the world by storm over the weekend, affecting more than 200,000 systems in 150 countries by targeting unsupported and unpatched versions of Microsoft Windows operating systems.

The attack, known as WannaCry, came in the form of a ransomware virus, which takes control of a computer and locks files. To unlock your files, the creators of WannaCry required a ransom of $300 be paid (in bitcoin) for the first three days of the attack. If the $300 was not paid in the first three days, the ransom amount doubled to $600. According to the warning, if the ransom were not paid within a week, the hackers said they would delete the files that were held ransom. 

Source: Symantec

According to Symantec, the WannaCry virus targets more than 175 file types, including website and server files, documents, photos, videos, music files, and many other common and less common file types. 

The virus spreads within a network by scanning for other vulnerable computers once it gains access to a first computer. It also scans hosts on the Internet to spread as quickly as possible. 

Microsoft introduced a patch for the vulnerabilities WannaCry exploits, but it only protects a system if it is installed before the virus arrives.

WannaCry primarily targeted Russia, Ukraine and Taiwan, but also affected hospitals in the United Kingdom, universities in China, and worldwide businesses like FedEx and Nissan.

The WannaCry virus is just the latest example of how a cyberattack can take over a computer network and stop business. If you’re concerned about your company’s vulnerability, the team at Archetype SC can help. Our team provides managed services and security solutions for some of the largest companies in the world and has the knowledge and experience to assist your company.

The first step to securing your network and computers is a security assessment. Call Archetype SC at (843) 353-2929 to review your concerns or schedule your assessment today.

Headlines tout messages like “Data is the New Oil [1]” and tell us that a “Data Scientist [is] the Sexiest Job of the 21st Century [2].” These messages are trumpeted from the rooftops and have convinced executives that not only do they need data, and lots of it, they need someone called a data scientist to figure out what it all means. These data scientists are lauded as wizards, able to magically coax insights, knowledge, and wisdom from data. Recently I lauded the role of the analyst in analytics, but I worry that combined in the cacophonous call for data scientists, the message may be misinterpreted or tainted. Let me pull back the curtain on the data wizards of Oz and explain what I mean when I say you don’t need a data scientist.

Before I go any further, let me be clear: there is an absolute need and role for experts in data and business analysis to help you get the most out of your data. Without expert advice, assistance, and support, you will not get the benefits you would otherwise realize. But most companies should think twice about either investing too heavily on building internal specialization or relying solely on a cadre of data scientists to provide all analysis and insights. The path that led to this mindset was a long one, which is why it will be so difficult to displace.

Twenty years ago, the world of data analytics had very high barriers to entry. Computing power and storage were at a premium and to use either required detailed and in-depth knowledge of coding. The language R, released in 1993, provided one of the popular frameworks for statistical analysis and is still in use today. Scala and Python offer alternatives, but in each case, at least a fair amount of coding knowledge is required to be able to use it.

More recently, the world was introduced to Hadoop, Spark, Hive, and a litany of other novel concepts, platforms, and products. The power of these dwarfs earlier tools, making analysis of terabytes and petabytes possible. Largely, however, to use these tools, one still had to have very high levels of technical proficiency. Hence, the need for data scientists.

Gradually, the C-suite has become inured to the fact that to gain any benefit from data, a team of data scientists must be employed, and to really gain benefit, brought in-house. I have attended conferences with sessions dedicated to “bringing your analytics in-house” and “why you don’t want to outsource,” but these only exacerbate what I suggest is the problem.

Insights can only be gained, according to this proposition, from the great and glorious data scientist. It suggests that these experts must be part of the staff, and that only these oracles of wisdom can dispense data driven insight to the business. This is wrong-headed, misguided, and just plain lazy.

Insights and analytics are no longer the domain of the few. With tools like IBM’s Watson Analytics, it is the time of “citizen analysts.” [3] Many tools no longer require extensive coding knowledge to perform analysis. Insights are delivered in an understandable and actionable format. Data exploration is possible for the many, and questions never before thought of can be asked and answered—almost by anyone.

Maybe I was wrong in the title of my post. It probably should be called “You don’t need a data scientist—you need every employee to be a data scientist.” Successful organizations and businesses will begin an era of democratized data and insights; a model where anyone can ask questions and get answers will become the norm. Frontline employees to C-level executives will have access to tools to find better ways of doing business through their data. There is still an important role for specialists and experts to perform complex computations, develop algorithms, and implement machine learning code within an organization. My suggestion is simply that all employees be empowered through tools to gain the insights to move forward. Innovation and insight can come from anywhere in a company, and all should have the tools to help them disrupt the sometimes arcane existing models.

Implementing such a starkly different philosophy is complicated. A partner already expert in tools like Watson Analytics and with traditional big data and analytics tools can help provide the guidance, training, and on-going support absolutely vital to your success. Half-hearted or ill-conceived attempts will result in very costly failures and resentment among employees. Archetype SC has the knowledge, resources, and experience to provide the support you need for success in your complicated data journey, from early stage conception to on-going support. Archetype SC: we do complicated.

I would love to hear your thoughts about my ideas presented here; do you think I’m right? Wrong? Do you have examples of how a democratized data culture has worked for you or how it hasn’t? I welcome civil discourse and will engage thoughtful responses. You can reach me at Patrick.Nord@archetypesc.com.

[1] To illustrate how ubiquitous this adage has become, each word in the quote links to a different article with it as at least part of the headline. Sources range from highly credible to more marginal on purpose. Inclusion of these links in no way implies that I agree with the content; purposefully I have included some that do not meet my standard of journalism excellence. To learn more about the origins of the phrase, I recommend reading: http://www.forbes.com/sites/perryrotella/2012/04/02/is-data-the-new-oil/

[2] I’m pretty sure my wife was terrified when the Harvard Business Review first published this headline in 2012. She had no idea that her mild-mannered, nerd of a husband had magically been transformed into a 21st century sex symbol. Fortunately for my marriage, it is still every bit as uncool, and unsexy, to be a math nerd.

[3] IBM has begun using this as one of their marketing phrases; I first heard it during an IBM Watson event, but I posit it will become a widely used and accepted phrase, adopted by other players in the analytics space.

 Intro

As technology evolves, the standard for design changes. The days of static design, with nothing but hotspots and jpegs, are over. With every update of HTML, CSS, and jQuery our design toolset grows—and so do client expectations.

Clean Interaction

One variant of interactive design is a clean and simple interface that is still dazzling and feels fully evolved.

(http://bohemiancoding.com/sketch/)

Sketch uses a slight animation to remove the word before ‘designers’ to show the diversity of the target audience. This is an incredibly beautiful and efficient way of displaying information; the alternative would look something like this:

Sketch is made for designers like you, including:

  • UX designers
  • Product designers
  • Icon designers
  • Mobile designers
  • Web designers
  • UI designers

 

By adding such a simple animation to the page, Sketch has streamlined the amount of information on the page and made a more esthetically pleasing product.

 

‘Oh Snap!’ Interaction

In contrast, a second variant of interactive design allows for extremely robust and intense experiences. The intended reaction to these is less “Oh, that’s nice” and more “Oh snap, that’s awesome!” Bose does that perfectly in their special EU website:

 

(http://special.bose.eu/en/)

Throughout the entire site you find one clean, flowing interaction that makes the user feel in control. This experience is less like flipping through a catalog and more like walking through the store. It allows you to seamlessly browse through their products, customize your choices, and checkout without being distracted by clutter.

This natural feeling flow is sometimes called ‘evil design,’ which is defined as “…purposefully designed interfaces that make users emotionally involved in doing something that benefits the designer more than them” (Nodder, 2013). Bose has pulled off evil design at the highest level—users feel good and are emotionally engaged while they give Bose their money.

 

Middle Out Interaction

Squarely in the middle of the two formerly referenced conventions lies a middle ground that explores subtle effects as the crux of the design while still invoking that ‘wow factor.’ Apple has long been at the forefront of creating incredible experiences, and their new MacBook site is no exception. In the design below, they have animated their new MacBook as you scroll down the page, which displays the device beautifully while keeping a clean and pleasant design.

(http://www.apple.com/macbook/)

In the same vein, Apple’s new Watch website adds a little more pizazz at the beginning by having the watches interact as the user scrolls down the screen. Once past the first three interactive scrolling areas, the design subsides into a light, tranquil space with very subtle interactions only on the title tags. In designing the site as such, Apple gets to show off how amazing and exciting their new product is, but the user isn’t overwhelmed by the experience.

(http://www.apple.com/watch/)

www.howtogeek.com states that, “It becomes clear that Apple’s reputation as the “hip, creative company” has been a combination of their smart marketing going back to the very early days of the company. While they have expanded their marketing to mass market products like the iPod or iPhone, their emphasis on aesthetics and simple, easy operation clearly stem from their roots as the platform for digital graphics and design. Whether they’ll remain as the go-to choice for artists and designers, or, as their market share increases, transition to something else entirely, still remains to be seen.” (Goodnight, “Macs Don’t Make You Creative! So Why Do Artists Really Love Apple?”).

After using an Apple product, or even shopping for one, it becomes apparent that their clean use of ‘Middle Out Interaction’ is exactly why they are the designer’s tool of choice.

 

Into Practice

As I researched and wrote this article, I was inspired to update my own personal site. I used an animated SVG to ‘speak’ to the user as she enters the site. To achieve this, I used a combination of Maxwellito’s tool called vivus.js, to bring the SVG to life, and Álvaro Trigo’s jQuery library, fullpage.js, to create the full page scroll. The result is a fun, playful site that captures me as a person and designer.

(http://osullivan.design)

Interaction design has a number of variations and approaches, each of which may be appropriate depending on the intended audience and effect. A professional designer takes great effort to understand the needs of his client and delivers a perfectly tailored solution—whether it is an ‘evil design,’ minimalist and simple, or something in between.

References

The InfoSec community has seen a rise in attention-grabbing names for security vulnerabilities over the last couple of years, like Heartbleed, FREAK, Shellshock, and now the latest Android vulnerability, Stagefright. The Stagefright exploit is different, though: its name is derived from the media engine baked into the Android OS since version 2.2. The Stagefright engine is built into the application framework of Android, making it a part of your Android OS no matter what country you live in, what wireless carrier you use, or what brand of phone you buy. It is estimated there are 950 million devices vulnerable to a Stagefright attack.

The most alarming issue about this exploit is that it can be executed with no end-user interaction. An attacker simply has to send an MMS message with malicious code written into a video, and the device automatically begins to process the code, setting the attack in motion. Further complicating matters, most manufacturers’ default settings are set to auto-retrieve MMS messages. The user may not even know they were attacked, because after the exploit gains root access to the phone the message is deleted but the malicious code stays.

The Stagefright media engine runs with system privileges on roughly 50 percent of the affected devices, making it easy to gain root access to the device. Gaining root access on an Android phone is the holy grail of exploits, and the damage that can be caused is limited only by the attacker’s imagination.

Android is an open source OS, which some might say makes it more secure while others would argue the opposite. The security architecture built into system applications in Android takes the sandbox approach. Most system apps are designed to be contained within themselves, so attacks like the Stagefright exploit are not possible. This brings up the question of why the Stagefright engine has access to the internet and can be executed without the user’s knowledge. The answer is that the DRM (Digital Rights Management) copyright control technologies implemented over the last decade have required media players to make sure the content is being played legally. The technologies used to protect the content often require media players to check in via the internet, leaving a door open for malware.

Google has already begun patching its Nexus line of phones and tablets, with Samsung following as well. The inherent problem with the Android OS is that it is segmented into thousands of different variations of devices and carriers, which makes patching a security hole like this a difficult task. Carriers like AT&T and Verizon control the software updates that get pushed out to their customers, further complicating the matter. If there is a silver lining in this exploit being brought forth, it is that Google and Samsung are going to begin delivering monthly security updates to devices. This is a step in the right direction for mobile device security.

Here is how to protect yourself from falling victim to the Stagefright exploit:

Android KitKat – Open the messenger app and in the settings menu select “block unknown senders”

Android Lollipop – Open the messenger app and turn off Auto-Retrieve for multimedia messages.

Black Hat, the organization that has been providing the IT industry with the latest in security research, development and trends for the better part of the last two decades, has done it again. Black Hat USA 2015 has come to a close. In traditional Black Hat fashion, researchers have left the security world buzzing about newly discovered exploits and vulnerabilities. These vulnerabilities run the gamut of technology and range from new malware to vehicle hacking.

Malvertising (malicious advertising) has been the leading delivery method for malware by cybercriminals this year. The use of malvertising has increased by 260%. Malvertising is difficult to distinguish from legitimate banner advertising and has become a major concern. Many enterprises still struggle with end user education regarding e-mail phishing schemes. With the rapid growth in malware delivery via malvertising links, enterprises will struggle once again to educate users and mitigate threats targeting both enterprise and BYO devices.

Researchers had a good time with Android this year, reporting on two major vulnerabilities affecting nearly all versions of the platform. Stagefright, a vulnerability many are familiar with by now, was the most alarming, hence the name. Basically, Stagefright is a mechanism (libstagefright) embedded in the Android OS that helps the system process video sent via MMS or Google’s Hangouts platforms. libstagefright is responsible for pre-loading video sent via MMS to improve the user experience. However, cybercriminals could embed an attack in the video that would, in turn, launch automatically. This revelation has led smartphone manufacturers and Google to lean towards monthly security updates (thank you). If your device is vulnerable and unpatched, you can turn off the MMS auto-retrieve function. Another flaw in Android, though more complex to exploit, lives within the mobile Remote Support Tool (mRST) apps. Basically, if a device is infected with malware that has mRST permissions, it leaves the device prone to being taken over by an attacker.

New cloud-based man-in-the-middle attacks were presented. These attacks use cloud synchronization services (Google Drive, Box, Dropbox, etc.) as their delivery method. While your cloud account credentials may remain secure, the tokens used to establish those sessions can easily be hijacked. Once attackers have the tokens, it is an easy task to compromise files while they are being synced. In addition, cloud sync can be used to exfiltrate data and even send command and control communications.
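A defender-side illustration of the token hijacking described above, added here as an example (it is not from the original post or from the Black Hat research): a sync token is normally tied to one device, so the same token appearing from two devices close together in time is worth an alert. The JSON log schema, field names and one-hour window are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical schema: one JSON object per sync request.
SAMPLE_LOG = """\
{"ts": "2015-08-10T09:00:00", "token_id": "tok-A1", "device_id": "laptop-7f", "ip": "198.51.100.10"}
{"ts": "2015-08-10T09:05:00", "token_id": "tok-A1", "device_id": "laptop-7f", "ip": "198.51.100.10"}
{"ts": "2015-08-10T09:10:00", "token_id": "tok-B2", "device_id": "phone-19", "ip": "198.51.100.44"}
{"ts": "2015-08-10T09:20:00", "token_id": "tok-A1", "device_id": "unknown-c3", "ip": "203.0.113.7"}
{"ts": "2015-08-10T11:30:00", "token_id": "tok-B2", "device_id": "phone-19", "ip": "198.51.100.44"}
not json at all
"""

# Assumed threshold: a second device on the same token within an hour is suspicious.
WINDOW = timedelta(hours=1)

def parse_events(text):
    """Parse JSON-lines audit text, skipping blank, malformed or incomplete lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            ev["token_id"], ev["device_id"]  # raises KeyError if a required field is missing
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_shared_tokens(events, window=WINDOW):
    """Return {token_id: [device_ids]} for tokens used by different devices within `window`."""
    by_token = defaultdict(list)
    for ev in events:  # events are already time-ordered
        by_token[ev["token_id"]].append(ev)
    flagged = {}
    for token, evs in by_token.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["device_id"] != cur["device_id"] and cur["ts"] - prev["ts"] <= window:
                flagged[token] = sorted({e["device_id"] for e in evs})
                break
    return flagged

if __name__ == "__main__":
    for token, devices in find_shared_tokens(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: token {token} used by multiple devices: {', '.join(devices)}")
```

A flagged token should be revoked and reissued, since changing the account password alone does not necessarily invalidate an existing sync token.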

Researchers also demonstrated how networked printers can be used to transmit data by radio signal over a distance great enough for an attacker to capture it. This is done by quickly power cycling the I/O pins on chips inside the printer, which generates a signal strong enough to be picked up by receivers outside the building.

Additional research provided insight into vulnerabilities in internet-connected vehicles using internet-aware Programmable Logic Controllers. SquareTrade card readers are vulnerable to an encryption-bypassing, hardware-based attack. Vulnerabilities were discovered in Linux-powered firearms allowing unauthorized control and discharge.

If you missed Black Hat USA 2015, more details about the above vulnerabilities (and others) can be found throughout various websites, and in 6-9 months all research documentation will be released and can be found in the Black Hat Archives at https://www.blackhat.com/html/archives.html.

In light of all the new vulnerabilities and research presented, it is as important as ever to remain diligent and ensure that your security team is knowledgeable and well trained in identifying anomalies in your enterprise environment. If you would like an assessment of security conditions at your company, need help implementing solutions to risks, or are trying to recover from an attack, the team at Archetype SC is ready to help. Regardless of your size, our team of experts will help you establish a safer and more secure digital presence.
