Just as we've come to accept that our voice assistants might be listening for commands and pushing ads our way, it's time to extend that scrutiny to every app on our phone. Many apps, even seemingly innocuous ones, can demand excessive access to your device's features and data.
The Hidden Dangers of Over-Permissive Apps
When you grant an app permission to access your microphone, camera, contacts, or location, you're opening a door. While some permissions are essential for an app's core functionality (e.g., a camera app needs camera access), many others are not. Granting unnecessary permissions can lead to:
Cybersecurity experts frequently find that many apps request far more permissions than they actually need. It's a common practice for developers to cast a wide net, and for users to click "Allow" without fully understanding the implications. To review what you have granted, check Settings -> Security and Privacy (Android and Apple) -> Permission Manager. You can then tap Camera to see which apps have access and change or revoke it. Also check Location, Microphone, Contacts, Calendar, etc…
Ep344 Image created by AI
These platform-based password management tools have come a long way from being simple browser autofill features. They've evolved into surprisingly capable, often cross-platform, solutions designed to simplify our digital lives.
The Upside: Convenience and Integration
For many users, the appeal of these free options is undeniable. They come with several compelling advantages:
The Downside: Limitations and Niche Use
Despite their growing capabilities, these built-in managers do come with certain limitations, particularly when compared to dedicated, paid password management services:
So, Should You Use Them?
The verdict largely depends on your digital habits. For users who are not particularly tech-savvy, or those with relatively simple online needs and a strong preference for staying within a single ecosystem (e.g., an all-Apple household or someone who lives entirely in Google's cloud), these platform-based password managers are a perfectly viable and secure solution. They offer a significant upgrade over reusing simple passwords or writing them down. However, for individuals who frequently switch between different operating systems or browsers, manage a high volume of complex online accounts, or require advanced features like secure sharing or password auditing, a dedicated, paid password manager might offer a more robust, versatile, and ultimately more secure experience. Ultimately, the best password manager is the one you actually use consistently to generate and store strong, unique passwords.
Ep343 Image created by AI
According to cybersecurity firm Bitsight, these cameras are broadcasting video feeds that can be accessed without any form of authentication, encryption, or even the most basic password protection. This means anyone with the right tools or knowledge can potentially view private spaces and activities. The United States appears to be a major hub for this vulnerability, with nearly 14,000 potentially exposed cameras. The states with the highest concentrations of these unsecured devices include California, Texas, Georgia, and New York.
Bitsight's Cyber Threat Intelligence team has unearthed evidence suggesting that these unsecured feeds are a hot topic in dark web forums. Cybercriminals are reportedly discussing and sharing methods, tools, and techniques to gain unauthorized access to these video streams. Worse still, access to these unprotected cameras is being bought and sold, highlighting the lucrative nature of exploiting such privacy breaches.
Australia is not immune to this widespread issue. Cybersecurity experts and government bodies here frequently warn that many Internet of Things (IoT) devices, including security cameras in Australian homes and businesses, are deployed with inadequate security, often relying on weak or default passwords. This leaves them wide open to exploitation. Actual instances of unsecured camera footage being accessed in Australia have been reported. For example, a rug shop in Cairns was found to be live-streaming its camera footage to a site linked to Russian hackers. Similarly, a mechanic was alerted that his activities were being streamed live online to a compromised website during a home service call. These incidents underscore the tangible risk to privacy and security posed by insecure camera setups.
This incident serves as a stark reminder of the critical importance of cybersecurity best practices, particularly when setting up internet-connected devices.
Users of security cameras, whether for personal or business use, must ensure their devices are properly secured with strong, unique passwords, encryption where available, and limited external access to prevent becoming part of this widespread privacy nightmare. Ep342 Image created by AI
The benefits are simple:
Phishing Resistant: Passkeys are inherently resistant to phishing. Since you're not typing a password, there's nothing for a fake website to steal. The authentication happens directly between your device and the legitimate service.
Simpler Login: No more typing complicated passwords or struggling with autofill. A quick glance or touch is all it takes.
More Secure: Cryptographic keys are far more robust than even the strongest human-created passwords.
Device-Linked Convenience: Your passkeys are often synced across your devices, making it easy to log in from anywhere you trust.
While passkeys are rapidly gaining traction, they're still a relatively new technology, and not every website or service has implemented them yet. This can leave users wondering: "Where can I actually start ditching my passwords?" This is where passkeys.directory steps in. This site helps:
Discover compatible services: Easily find out which of your favorite apps and websites now offer passkey login.
Learn how to enable passkeys: Many entries on the directory might include quick guides on setting up passkeys for specific services.
Stay updated: As more companies roll out passkey support, the directory will provide a live overview of the expanding ecosystem.
Ep341 Image created by AI
Whether it's a PIN, password, pattern, fingerprint, or facial recognition, enabling a screen lock on your phone, tablet, or laptop is your first and most essential line of defense against unauthorized access. It’s the digital equivalent of locking your front door; without it, anyone can simply walk in.
The Risks of an Unlocked Device:
Choosing the Right Screen Lock: Modern devices offer various options, each with its own balance of convenience and security:
So, make it a habit: Enabling a screen lock takes mere seconds to set up in your device's security settings. Most devices allow you to choose how quickly the screen locks after inactivity (e.g., immediately, after 30 seconds, 1 minute). For optimal security, set it to lock almost instantly. In an age where our devices are extensions of ourselves, protecting them is paramount. A simple screen lock isn't just a recommendation; it's a fundamental pillar of personal cybersecurity. Don't leave your digital life exposed – lock it down. Ep340 Image created by AI
Cybersecurity experts are increasingly sounding the alarm about the inherent cyber risks that come with such highly sensitive data, particularly the danger of this collected information falling into the wrong hands through data breaches or misuse. This raises a crucial question: are we trading too much privacy for the convenience of knowing exactly where everyone is?
For many families, apps like Life360 embody the promise of constant connection and safety – real-time location tracking, crash detection, and emergency alerts. The idea of always knowing where your loved ones are can be incredibly reassuring. However, experts point to past incidents and persistent privacy concerns surrounding these omnipresent tools.
These "family safety" applications typically operate by continuously monitoring GPS signals, often enhancing accuracy with Wi-Fi and Bluetooth data. Users form "Circles" to share their whereabouts with chosen contacts, receiving automatic notifications for arrivals and departures from designated locations. While some premium features even extend to identity theft protection and dark web monitoring, the core function, constant location data collection, creates significant vulnerabilities. Reports and analyses have consistently pointed to several critical areas of concern:
While location-sharing apps undoubtedly offer a sense of security, users must critically evaluate the privacy trade-offs and cybersecurity risks involved. It is paramount to meticulously review an app's privacy policy, configure permissions to the absolute minimum required, employ robust and unique passwords, enable multi-factor authentication whenever possible, and remain perpetually vigilant for any suspicious activity linked to your accounts. For families weighing the benefits against the potential perils, exploring alternatives with stronger privacy guarantees or engaging in transparent conversations about data sharing boundaries is crucial. Ep339 Image created by AI
The Cyrillic alphabet has significant relevance for hackers, primarily because of a tactic known as homoglyph attacks (also sometimes called homograph attacks or script spoofing). Here's why it's a valuable tool for cybercriminals:
So basically, in the past the links were obvious to detect as they go to unexpected addresses. Now they actually look correct, but swapping in look-alike characters from another alphabet for particular letters can completely change the destination.
How to Protect Yourself
Ep338 This image is used under the Fair Use provision for the purpose of review and commentary. Source: Facebook
The latest tool in the hacker’s arsenal is the SVG file. We should all be wary of email attachments and really be sure of their legitimacy before attempting to open them. There's a new and sneaky way hackers are trying to trick people, and it involves something you might think is harmless: image files. Cybersecurity experts recently discovered a new wave of phishing emails that are using special image files called SVGs to sneak past your email security and steal your information.
Think of an SVG file like a super-smart picture. Unlike regular photos you take with your phone, SVGs are actually based on text. This means they can do more than just show a picture; they can also contain hidden instructions, like tiny computer programs. This makes them great for websites because they can look good on any screen size and even be interactive. But now, bad guys are using this clever feature against us.
Here's the trick: hackers are putting secret instructions inside these SVG image files. When you open the SVG file (which might look like a simple invoice or a document), those hidden instructions kick in. They tell your computer to automatically send you to a fake website that looks exactly like a real one, perhaps your bank or a well-known online service. Their goal? To get you to type in your usernames and passwords, which they then steal.
What makes this so tricky is that many security tools are designed to spot typical dangerous files like Word documents with tricky macros or PDF files. But because SVGs are often seen as innocent image files, these tools might not look inside them for hidden dangers. Watch out for phishy emails, especially as specific events are nearing. Tax time is a good one.
Ep337 Image Source: Screenshot taken by MITE Radio
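A defender-side check for the SVG attachment trick described above, added here as an example and not taken from the original post or from any vendor's product. It uses only the Python standard library; the two SVG samples are constructed, and the hostname in the second one is a reserved .invalid name.

```python
"""Scan an SVG attachment for content an ordinary image never needs.

Added example, not from the original post or any vendor's product. Uses
only the Python standard library; the sample files are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Elements that turn an "image" into a program or a container for HTML.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URI schemes that execute or smuggle content instead of pointing at a picture.
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(qualified):
    """'{namespace}name' -> 'name'."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    # A picture has no business declaring a DOCTYPE or entities, and entity
    # expansion can also be turned against the parser itself, so stop before parsing.
    if re.search(r"<!(?:DOCTYPE|ENTITY)\b", svg_text, re.IGNORECASE):
        return ["DOCTYPE/ENTITY declaration (entity expansion risk)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments / processing instructions
            continue
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            lname = _local(name).lower()
            v = value.strip().lower()
            if lname.startswith("on"):
                findings.append(f"event handler {lname} on <{tag}>")
            elif lname == "href":
                if v.startswith(ACTIVE_SCHEMES):
                    findings.append(f"{v.split(':', 1)[0]}: URI on <{tag}>")
                elif v.startswith(("http://", "https://")):
                    # Off-site links or loads: the send-you-to-a-login-page pattern.
                    findings.append(f"external link on <{tag}>: {value.strip()}")
    return findings


def is_safe_image(svg_text):
    """True when the file looks like a plain drawing."""
    return not scan_svg(svg_text)


# Constructed samples: a plain logo, and an "invoice" that carries script,
# an event handler, an off-site link and an HTML container.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 40">'
    '<rect width="100" height="40" fill="#036"/>'
    '<text x="10" y="25" fill="#fff">Invoice</text></svg>'
)
PHISHY_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script><![CDATA[ /* placeholder: a picture has no reason to carry code */ ]]></script>'
    '<a xlink:href="https://login.example.invalid/"><text x="10" y="20">Open invoice</text></a>'
    '<foreignObject width="1" height="1">'
    '<p xmlns="http://www.w3.org/1999/xhtml">hidden HTML</p></foreignObject></svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("phishy", PHISHY_SVG)):
        print(label, "->", scan_svg(sample) or "clean")
```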
Your main email account with Google, Microsoft or Apple may be pretty robust, but what if you connect your email to other services like a calendar, to-do list or CRM system? These third-party systems may provide hackers a back way into your accounts. So be aware of what's in your email and maybe file some things elsewhere, as well as deleting them if they have served their purpose. Consider encrypted cloud storage (Google Drive) or perhaps vault apps like OneDrive and Dropbox. Oh, don’t forget to empty the trash.
Ep336 Image created by AI
To sweeten the deal and make you a tad more comfortable, all the data is stored locally on your PC and you can search through it all with the help of CoPilot anytime, even if you are offline… but… Microsoft's "Recall" feature has sparked significant cybersecurity and privacy concerns. While Microsoft has implemented safeguards, the nature of the feature inherently introduces new risks. These include:
So if you’re in the market for a new PC and you buy one with Microsoft-Copilot, consider turning Recall OFF! Ep335 Image created by AI
It used to be quality of service. A third party might not give you the same level of service you had previously and have come to expect; just make a support call to Telstra or Optus or iiNet and you’ll quickly see what I mean. But more scarily, what guarantees do we have about how well they are protecting our privacy and data? Clearly, they’re not all doing so well. What does that mean for us? We don’t have a choice which third parties our accounts go through, who our data is shared with or even where it is stored.
Cybercriminals are increasingly sophisticated, shifting their focus from direct assaults on well-defended organizations to exploiting their trusted partners. These "supply chain attacks" leverage a single point of entry within a vendor's system to gain unauthorized access to multiple, often larger, client networks. This trend is alarming, with figures showing a dramatic surge in such incidents over the past few years. As a consumer, it’s frustrating to feel like your data is at risk due to a company's third-party providers, especially since you have no direct control over their security practices. However, there are definitely proactive steps you can take to minimize your exposure and protect yourself:
1. Be Mindful of What You Share (and Where):
2. Strengthen Your Own Digital Hygiene:
3. Act Quickly When a Breach is Disclosed:
Ep334 Image created by AI
The company released a statement acknowledging that an "unauthorised external party obtained certain consumer data through a third-party customer service provider." Adidas has swiftly initiated containment measures and launched a comprehensive investigation with the assistance of leading information security experts. Crucially, Adidas has reassured customers that "The affected data does not contain passwords, credit card or any other payment-related information." The exfiltrated data primarily consists of "contact information relating to consumers who had contacted our customer service help desk in the past." Previous disclosures regarding the regional breaches in Turkey and Korea indicated that the compromised data included full names, phone numbers, dates of birth, gender details, and email addresses. These regional reports also emphasized that no passwords or financial information were accessed. Given Adidas's vast international reach, with operations in 50 countries and a staggering 303 million members in its adiClub loyalty program, the potential scale of this incident is considerable. If the breach impacts customers who have contacted their help desk globally, millions of individuals could have had their contact information exposed. Adidas has commenced the process of notifying potentially affected consumers, as well as relevant data protection and law enforcement authorities, in compliance with applicable laws. "We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident," the company stated. As of reporting, no threat actors have publicly claimed responsibility for the breach. The incident underscores the escalating risks associated with third-party vendor relationships and the critical importance of robust supply chain cybersecurity. Ep333 Image created by AI
A major highlight is smarter in-call protections designed to thwart common scam tactics. Android will now actively warn users and even block specific risky actions during calls with non-contacts. This includes preventing the disabling of Google Play Protect, blocking the sideloading of unverified apps, and restricting the granting of dangerous accessibility permissions – all common requests from phone scammers. If screen sharing is active during a call, Android will also prompt users to stop sharing once the call ends. Building on these in-call defenses, Google is piloting enhanced protections specifically for banking apps in the UK, starting with partners like Monzo, NatWest, and Revolut. If a user launches a participating banking app while screen sharing with an unknown contact, their Android device will issue a warning and offer a one-tap option to end the call and stop sharing, directly addressing the growing threat of screen-sharing banking scams. Also, Scam Detection in Google Messages is becoming even more intelligent. The AI-powered feature, which already flags suspicious conversational patterns, is expanding its scope to detect a wider variety of scams, including those related to toll fees, cryptocurrency, financial impersonation, gift cards, and technical support. Crucially, this advanced detection happens entirely on-device, ensuring user privacy. To combat impersonation scams in messaging, Google is introducing Key Verifier for Google Messages on Android 10+ devices later this summer. This feature will allow users and their contacts to confirm each other's identities by verifying unique encryption keys through QR code scanning or number comparison. If a contact's verification status changes (e.g., due to a SIM swap or compromised account), the Google Contacts app will flag it, providing a crucial warning that the sender might not be who they appear to be. Finally, Google is enhancing Advanced Protection with a new device-level setting. 
This will simplify the activation of Google's strongest security features for all users, not just high-risk individuals, providing a comprehensive defense against sophisticated online attacks and data risks. These significant updates underscore Google's ongoing commitment to evolving Android's security landscape, aiming to empower users with smarter, more proactive defenses against the ever-changing tactics of cybercriminals. Maybe consider an Android for your next phone. Ep332 Image created by AI
Invalid Postcode Claim: The messages typically state that a delivery could not be completed because of an incorrect postcode.
Malicious Links: Recipients are urged to click on a link to supposedly resolve the issue or reschedule the delivery. These links lead to fake websites intended to steal your data.
Sophisticated Techniques: This scam uses advanced methods to bypass phone and network filters, allowing it to spread through iMessage and Rich Communication Services (RCS), making it harder to block.
Part of "Darcula" Operation: Australia Post has identified this as part of a larger "Darcula" phishing-as-a-service operation, where scammers can access tools to mimic trusted brands.
Widespread Impact: Australia Post's research indicates that over 90% of Australians have received a scam text or call, and nearly 74% have been targeted by parcel delivery scams.
How to recognise and be aware:
Australia Post will never ask for your password, credit card details, or account information via call, text, or email.
Unexpected Message: Be suspicious of messages you receive if you are not expecting a delivery.
Requests for Payment: They will also never contact you asking for payment.
Suspicious Links: Avoid clicking on any links in unexpected messages.
Sense of Urgency: Scammers often create a feeling of urgency to make you act quickly without thinking.
Incorrect Grammar or Spelling: While increasingly sophisticated, some scam messages may still contain grammatical errors or typos.
Non-Official Sender Information: Check the sender's number or email address. Official Australia Post SMS messages may come from "AusPost" or a specific number like 0448 008 003 for messages you can reply to. Be wary of other numbers or unfamiliar email addresses.
How to protect yourself
Use the Official AusPost App: The safest way to track your deliveries is through the official Australia Post app. Check the app first if you receive a suspicious message.
Verify Information: If you are unsure about a message, do not click any links. Instead, go directly to the official Australia Post website or app to check your delivery status.
Do Not Share Personal Information: Never provide personal or financial information via a link in a text message or email.
Report Suspicious Messages: You can report scams to the Australian Cyber Security Centre's ReportCyber website. You can also forward suspicious emails to [email protected].
Be Wary of Clickbait: Be cautious of misleading information on unofficial websites or social media accounts that offer cash relief or claim changes to Centrelink or Australia Post requirements. Always check official ".gov.au" website URLs for government services.
Ep330 Image created by AI
You should change your password for the affected organisations, websites and related accounts you may have. If you’ve used that (same) password elsewhere (which you should never do), change those too. Make sure you have MFA set up on ALL your login accounts and, if possible, choose the passkeys option or an authenticator app. SMS is now considered the weakest 2FA option, but it is better than nothing.
Ep329 Image created by AI
Google is bolstering its fight against this type of financial fraud with a new feature designed to detect and prevent bank scams that occur during screen-sharing sessions. Building upon the existing "Scam Detection" on Pixel phones, the tech giant is developing a "BankScamCallDetectionService" aimed at thwarting criminals who impersonate bank officials and manipulate victims into handing over access to their accounts. As revealed by Android Authority's recent findings within the Google Play Services beta, this upcoming feature will proactively identify a high-risk scenario: an incoming call from an unknown number coinciding with the user having their banking application open and actively sharing their screen. Unlike the current Pixel scam detection, this new service reportedly won't need to analyse call content. Instead, it will trigger an alert based on this specific combination of activities, a common tactic used by fraudsters to guide victims through their banking apps and drain their funds.
The system is designed to provide a clear and immediate warning to users when this potentially dangerous situation is detected, giving them the opportunity to hang up and report the suspicious number. Google is also reportedly maintaining an updated list of banking applications to ensure the feature remains effective against evolving threats. This development leverages the enhanced privacy features introduced in Android 15, which allows apps to designate sensitive information that should be hidden during screen recording or sharing. It's anticipated that this new layer of protection will roll out through a Google Play Services update, making it accessible to a wider range of Android users beyond just Pixel devices. While still in testing, this proactive approach signals Google's commitment to safeguarding users from increasingly sophisticated and damaging financial scams. Microsoft and Apple need to catch up!
Has your phone suddenly become a battery-guzzling sloth?
Is your laptop's fan whirring like a jet engine for no apparent reason? Is everything S L O W? Subtle shifts in your device's performance or behavior could be silent red flags, so it may be time to do some scanning for malware. There are many antivirus companies that provide great antivirus protection, but malware is a slightly different kettle of fish that is better found using specialist software like my favourite - Malwarebytes.
Think of Malwarebytes as a smart guard for your devices. Malwarebytes learns what normal activity looks like on your phone or computer. If a program starts acting strangely – using lots of internet when you're not using it, or opening on its own – Malwarebytes can notice this unusual behavior. It's like a security guard spotting someone acting suspiciously. Malwarebytes also looks at the files on your device. It knows what healthy files usually look like. If it finds a file with weird characteristics that match known bad files, it gets suspicious. This program also watches your internet connections. If your device tries to connect to websites known for spreading malware, Malwarebytes can block it.
So, if your device is acting weird, running a scan with Malwarebytes can help find and remove these problems. It's like having a smart detective look for and get rid of any unwanted guests on your phone or computer. Just remember to keep Malwarebytes updated so it can recognize the newest threats. Try it for free and see how you like it. I like the peace of mind it gives me, especially if I’ve just accidentally clicked something I shouldn’t have.
Ep327 Image Source: https://www.malwarebytes.com/
Here are 5 quick cyber tips to help avoid scams.
Ep326 Image created by AI
Despite the robust anti-fraud measures implemented by these major financial institutions, cybersecurity experts are warning that affected individuals face a "definite" risk of financial loss. This discovery follows recent cyberattacks targeting Australian superannuation funds, where stolen passwords were used in attempts to access pensioners' accounts. The Australian cybersecurity firm Dvuln, which unearthed this extensive breach, has determined that these passwords were not obtained through vulnerabilities in the banks' systems. Instead, they were directly pilfered from users' own devices that had been infected with insidious "infostealer" malware. In short: "This is not a vulnerability in the banks. These are customer devices that have been infected."
Infostealer malware is a particularly dangerous form of malicious software designed to infiltrate devices, silently harvest a wide range of sensitive data – including passwords, credit card details, cryptocurrency wallet information, local files, and browser data like cookies and autofill information – and transmit it directly to cybercriminals. With infostealers, the threat extends far beyond banking credentials: the average infostealer victim has hundreds of other account details stored in their browser, including PayPal and e-commerce accounts with linked credit cards. Figures suggest around 58,000 infected devices in Australia alone and something in the order of 31 million devices worldwide. The biggest risks are on Windows devices, at around 90%, although mobile device numbers are on the increase.
If you suspect a problem, get onto your bank and alert scamwatch. Ep325 Image created by AI
Here's a handy guide to five habits that can help you stay one step ahead of the scammers:
1. Master Your Passwords: If you're still using the same old password across multiple accounts, now's the time for an upgrade. Strong passwords or passkeys should be a complex mix of at least 14 characters, including uppercase and lowercase letters, numbers, and special symbols. Consider using a password manager like Bitwarden, 1Password, or NordPass to generate and securely store strong, unique passwords for all your accounts. And crucially, always enable multi-factor authentication (MFA) whenever it's offered for an extra layer of security.
2. Sharpen Your Scam Radar: Scammers are becoming incredibly skilled at impersonating trusted organizations like banks or government departments. Be extra cautious of unexpected emails or social media messages asking for your information or urging you to download software. Remember the mantra: stop, check, protect. Take a moment to breathe, independently verify the communication by contacting the organization directly through official channels, and then block and delete any suspicious messages. Be particularly careful when sending money to new accounts. Features like CommBank's NameCheck can help by verifying account details before your first payment.
3. Practice Good Banking Hygiene: Your banking app likely has built-in security features – use them! CommBank's Security check up, for example, allows you to manage location-based security, which alerts the bank to unusual account access locations. Review and enable security alerts for suspicious activity notifications. Regularly check and adjust your daily payment limits to match your typical spending habits. Keeping limits higher than necessary increases your potential loss if your account is compromised.
4. Check In With Your Circle: Scammers often thrive on isolation. A simple way to stay safe is to regularly check in with friends and family.
As a spokesperson for the National Anti-Scam Centre points out, "Everyone is vulnerable to scams at certain times, such as dating and romance scams after a breakup or a job scam when the cost of living is high. Scammers isolate you from your support networks. They want to create a situation where you rely entirely on them." Talking about potential scams can help you and your loved ones identify red flags. 5. Report Every Scam Encounter: Even if you haven't lost money, reporting scams is crucial. By reporting incidents to the National Anti-Scam Centre via scamwatch.gov.au, you provide valuable information that helps them understand scam tactics, identify vulnerable populations, and work on disrupting and stopping these criminal activities. As their spokesperson says, "Your reports help the National Anti-Scam Centre identify the scams that are causing the most harm to Australians." Ep324 Image created by AI
Here's the simple version of how it works:
This is particularly scary because:
The bad guys behind this seem to be Chinese speakers, and they're even offering support to other criminals who want to use this method. This scam has already been seen in Italy.
What Google says: Google says their Play Protect system should help protect you from apps with this kind of malware if you download them from the official Play Store. But be careful about installing apps from anywhere else!
The bottom line: Be super careful about messages asking you to call numbers or download apps, especially if they're about your bank. Don't tap your card on your phone if someone you don't trust tells you to!
Ep323 Image created by AI
Here are 8 key signs to watch for:
How to Fight Back: While you can't eliminate all spam, here's how to reduce it:
Ep322 - Image by AI
Microsoft Defender for Individuals:
You can run it on all your devices linked to your MS account and have a central administration and notifications at your fingertips. Is it any good? So far, so good… time will tell. Ep321 - Image source: https://www.microsoft.com/
Conducting Your Audit:
By prioritizing strong passwords and MFA, you significantly enhance your digital security. Ep321 - Image by AI
This move comes in response to recent security breaches on the Play Store, including a large-scale ad fraud campaign that saw users unwittingly downloading "vapor apps" disguised as popular, legitimate applications. These apps aggressively displayed recurring ads, generating substantial revenue for fraudsters and proving difficult for users to remove. Google was forced to remove 180 such apps from the platform, highlighting the urgent need for enhanced security measures.
To further bolster user trust and app authenticity, Google will be introducing more verified badges. Notably, VPN apps will receive a "Verified" badge, providing users with a clear indication of an app's legitimacy. This initiative aims to establish a more reliable and trustworthy Play Store environment. Key Security Enhancements:
Google's commitment to strengthening Play Store security reflects the growing importance of mobile security in an increasingly digital world. These new measures are designed to protect users from evolving cyber threats and ensure a safer Android experience. Ep319 - Image by MITE Radio (screenshot)
June 2025