As work from home is the new norm in the coronavirus era, youre probably thinking of enabling remote desktop connections for your off-site staff. Heres how to do it securely.

Accessing your servers or workstations desktops remotely is a great way to manage them. Its also a huge target for hackers.

For example, if hackers can gain access to the administrator login to your Domain Controller, they effectively own your Windows infrastructure and can quickly wreak havoc on your organization. From sending corporate emails to accounting departments and bookeepers, to siphoning off your companys intellectual property, to encrypting all your companys files and holding them for ransom, hacks on Remote Desktop Protocol (RDP) can be very bad.

In this context, although we will mainly say RDP, we mean all kinds of remote desktop and remote access software, including VNC, PC Anywhere, TeamViewer and so forth, not just Microsofts RDP. The good news is there are many defenses against RDP attacks, starting with turning it off. If you dont really need remote access, the off switch is the simplest.

If you do need to allow such access, there are a variety of ways to restrict it to the good guys:

First off, allow access only from internal IP addresses coming from your companys VPN server. This has the added benefit of not exposing RDP connection ports to the public internet.

Speaking of exposing ports, if thats your only choice, you may want to serve up RDP on a non-standard port number to avoid simplistic worms from attacking your network through its RDP ports. Keep in mind, though, that most network scanners check all ports for RDP activity, so this should be viewed as security through obscurity, since it provides practically no additional security against modestly sophisticated attackers. You will have to be extremely vigilant about reviewing network access and login activities in your RDP server logs, as it may be more a matter of when and not if an attacker accesses your network.

RELATED READING: COVID19 and the shift to remote work

Second, make sure to enable Multi-Factor Authentication (MFA) for remote users as another authentication layer, which we discussed in Work from home: Improve your security with MFA.

Third, whenever possible, only allow incoming RDP connections from your users public IP addresses. The easiest way for remote employees to look up their public IP address is to search Google for What is my IP address and the first result will be their IP address. Then your remote workers can provide that information to your IT/Security staff so that your company or organization can build a whitelist of allowed IP addresses. It is also possible to build a whitelist of allowable IPs by allowing their subnet, since dynamic home IP addresses would normally still fall within a subnet after a router reboot or other network maintenance on the client end.

Even if you secure your RDP access, there has recently been a flurry of exploits against it, so to avoid issues, make sure its fully patched. More information on securing RDP can be found in Its time to disconnect RDP from the internet.

Read the rest here:
Work from home: Securing RDP and remote access - We Live Security

On March 12, Sen. Josh Hawley introduced a bill into the Senate to ban the downloading and use of TikTok, the Chinese social media app, on federal government devices. Hawleys bill carves out exceptions for such activities as law enforcement investigations and intelligence collection, but holds that

no employee of the United States, officer of the United States, Member of Congress, congressional employee, or officer or employee of a government corporation may download or use TikTok or any successor application developed by ByteDance or any entity owned by ByteDance on any device issued by the United States or a government corporation.

Currently, the Transportation Security Administration and the U.S. Army have also banned the app on employee phones.

But whats Hawleys objection to an app used widely for dance challenges and lip-syncing?

The narrative goes something like this: TikTok is a company incorporated within China; the Chinese government pervasively surveils within its borders and can get access to company-held data on a whim; thus, TikToks potential collection of information on U.S. citizens is a security risk. Yet also thrown into the discussion are other allegationsTikTok removes political content at Beijings behest, for example. The failure to decouple these risks only muddies the waters and makes it harder for policymakers and the general public to understand the threats at play.

In reality, TikTok carries five clear risks. Two pertain directly to national security, and three perhaps relate to it, though not as clearly. All have been conflated or blurred together, at one point or another, by pundits and others commenting on TikToks risks. Policymakers and analysts would be wise to make meaningful distinctions among these risks and provide more nuance and detail around each specific threat.

Policymakers may clearly have many different interpretations of each of these risks likelihood and severity. Theres also no clear answer on what policymakers should do about the app. And, in reality, the problems raised by TikTok are much bigger than the app itselfrepresentative of larger questions that must be answered around U.S. data security policy.

Risk 1: TikTok Collecting Data on U.S. Government Employees

The first risk posed by TikTok is the collection of data on U.S. government employees (including those working as contractors). These are people who either have security clearances or could have clearances in the future or at the very least perform tasks that, if not classified, may still be considered sensitive in an unofficial sense. Data collection on these individuals and their activities can therefore reveal important national security information or be used in a coercive manner (that is, blackmail) to target those individuals.

There are two considerations with this type of data collection risk: the kinds of data that are being or might be collected; and Beijings ability to access that data.

The data collected by TikTok, at least on the surface, might seem relatively benign; after all, the app is a social media platform for sharing videos. Even if a U.S. federal government employee has the app, one could argue, that doesnt mean theyre sharing any videos that somehow compromise their personal or professional activities. And they can use the app without jeopardizing sensitive information.

But where the risk gets more complicated is the reality that most phone apps collect far more information than what the average user would suspect they are handing over to the app. (This might even go beyond that single firm: Charlie Warzel at the New York Times, for example, has a great explanation of how just by downloading an app, youre potentially exposing sensitive data to dozens of technology companies, ad networks, data brokers and aggregators.)

TikTok is reasonably upfront about the high volume of data it collects: its privacy policy for U.S. residents states,

We automatically collect certain information from you when you use the Platform, including internet or other network activity information such as your IP address, geolocation-related data (as described below), unique device identifiers, browsing and search history (including content you have viewed in the Platform), and Cookies (as defined below).

It notes further that [w]e also collect information you share with us from third-party social network providers, and technical and behavioral information about your use of the Platform, such as, potentially, contact lists on other social media services. This type of data collection can especially implicate national securitygeolocations or internet search histories of federal employees can reveal quite sensitive information, such as the location of secret government facilities, details about events relevant to the government about which those employees are seeking publicly available information, and personal activities that could potentially be used to build files for blackmail.

TikTok is hardly alone in this kind of collectiongo read the privacy policy of most major social media platforms and youll find similar if not more encompassing language.

But TikTok has a unique challenge: There are real questions about who beyond TikTok might have access to the collected data. This risk likely exists whether the app is downloaded on a government-owned device used by an employee, or on a personal device used by the employee.

So can the Chinese government compel the company to turn over data?

As Samm Sacks recently wrote, Nothing is black and white, particularly when it comes to government access to data. Ultimately the Chinese government can compel companies to turn over their data, but this does not always happen. In some cases, companies can and do push back against government requests, as they have their own commercial interests to protect. There are real risks of government access to data, and this does happen, but its not as clear-cut in practice as many might assume.

There are also real fears among some U.S. policymakers that data from a company like TikTok could be added into an enormous dataset Beijing continues to compile from incidents such as the Equifax breach and the hack of the Office of Personnel Management. The product of such data-hoarding, in this view, is a massive dossier on U.S. persons that the Chinese government can use for intelligence and security purposesconsisting of everything from communications to credit scores to travel histories.

It is clear that there are national security risks with TikToks collection of data on U.S. federal government employees. The question for policymakers comes down to ones perceived likelihood of the risk, the severity of the risk and what to do about it.

Risk 2: TikTok Collecting Data on U.S. Persons Not Employed by the Government

Second is the risk that TikTok collects data on U.S. persons not working for the federal government in ways that still potentially impact national security. The considerations here mirror those of TikToks data collection on federal employees.

Yes, the link between data collection on federal personnel and national security threats (that is, counterintelligence operations) is clearer. One could imagine how a clearance-holding federal employee with an embarrassing internet search history could be blackmailed, or how the GPS movements of a clearance-holding federal employee would likewise be valuable to a foreign intelligence service.

Here, one danger is merely the potential for U.S. persons not currently employed by the government to have clearances or perform other sensitive government tasks in the future. There could also be the potential for collection to target individuals in the private sector working on proprietary and national security-related technologies.

The collection of this data could therefore have potential impacts on U.S. national security in ways that may give policymakers reason to consider wider action against TikTok. Policymakers decisions to take wider action would depend on where and how they interpret specific risk cases. For instance, one could perceive a risk of higher severity for an engineer working on tightly held and cutting-edge satellite imaging technology than for your average person.

It is also possible, in a Cambridge Analytica-style fashion, that such information could be used to develop profiles on Americans in ways that lend themselves to enhanced microtargeting on social media and other platforms.

In terms of the kinds of data being collected, TikTok, like most social media companies, very likely just collects the same types of information on all of its users. So collection on federal employees is likely the same as for non-federal employees.

The same goes for the legal authorities governing Beijings access to TikTok data: The risk remains largely similar to the risk for federal employees. Maybe Beijing has greater incentive to request access to certain kinds of information when data is on U.S. government employees than when its not. That said, this may also not be the case. TikTok might collect information from private citizens that exposes security-sensitive corporate activities. And what about the microtargetingcould Beijing have an incentive to access the data if it lent itself to, say, pushing advertisements for Chinese Communist Party (CCP)-preferred candidates in a U.S. election?

Risk 3: TikTok Censoring Information in China at Beijings Behest

The third risk pertains to Beijing ordering, forcing, coercing or otherwise leading TikTok to remove information on the platform in China. (This could include TikTok preemptively self-censoring content out of concern over possible retribution from the Chinese government.) This is not directly a U.S. national security issue, but it merits attention because of the way it has been roped into conversations about TikToks risks.

The Washington Post reported last fall, for example, on the ways in which certain content that the CCP dislikessuch as information on the Hong Kong pro-democracy protestswas strangely absent from TikTok.

Subsequently, amid this and other reports in the media about alleged TikTok censorship, Sens. Chuck Schumer and Tom Cotton sent a letter to the acting director of national intelligence, stating that

TikTok reportedly censors materials deemed politically sensitive to the Chinese Communist Party, including content related to the recent Hong Kong protests, as well as references to Tiananmen Square, Tibetan and Taiwanese independence, and the treatment of Uighurs. The platform is also a potential target of foreign influence campaigns like those carried out during the 2016 election on U.S.-based social media platforms.

In addition to raising concerns about the aforementioned risks of data collection on U.S. persons, the senators requested the intelligence community to investigate allegations that TikTok engages in political censorship at the direction of the Chinese government.

But many of the conversations about this political censorship do not distinguish between TikTok removing content within Chinas borders and TikTok removing that same content globally. This might seem like a trivial distinction, but its not. In the former case, content would be removed (or perhaps algorithmically downplayed) for those accessing the mobile application from within Chinas geographic borders. Thus, this geoblocking would affect those physically located within China. If TikTok was censoring content globally, by contrast, once flagged, the offending content would be deleted from anyones and everyones TikTok feed.

The former issue of geoblocked content within China (that is, this third risk) is mostly a domestic issue in China. It is an issue of free speech and human rights, certainly, but it doesnt directly impact U.S. national security in the ways that it potentially would if content was removed globally at one governments behest.

Risk 4: TikTok Censoring Information Beyond China at Beijings Behest

So what is the national security risk if TikTok did not limit its content takedowns to within China?

There is no clear evidence that Beijing has directly told TikTok to remove content around the world. TikToks parent company responded to the Post investigation from last September by asserting that the platforms content moderation policies in the U.S. are handled by an American team and are not influenced by the Chinese government. But policymakers have expressed worries, in light of such observations as the aforementioned lack of Hong Kong protest videos on the platform, that TikTok is in fact (at Beijings direct behest or not) removing those kinds of content globally. This risk centers on whether and how TikTok could remove, for anyone using the app, a video critical of the CCP or that talks about concentration camps in Xinjiang, for example. In this case, nobody in the world would be able to access the content on TikTok once removed; the takedowns would be global.

Again, the national security risks here are not as direct as with data collection. Yet there are genuine concerns about the Chinese government exporting its censorship through platforms like TikTok. The worry is that Beijing compels high-demand Chinese-incorporated internet platforms to remove content worldwide. Beijings internet censorship practices, otherwise confined within Chinese borders, could hypothetically spread through this tactic.

This certainly presents risks to democracy and free speech. More teenagers in the United States are using TikTok to share political content. Political censorship is therefore not an insignificant issue. The takedown of certain critical videos could, for one thing, subtly influence platform users views of Beijing. And there are real concerns, especially in light of such investigations as the Washington Posts report last November that former U.S. [TikTok] employees said moderators based in Beijing had the final call on whether flagged videos were approved.

Risk 5: Disinformation on TikTok

Fifth and finally, there is concern among U.S. policymakers about potential disinformation on TikTok. Tons of U.S. teenagers use TikTok and consume political content through the application, so there is a concern that the users could amplify disinformation on the platform. This incursion of disinformation into U.S. public discourse is no doubt corrosive to the democratic process. Yet this is not a national security risk that is necessarily specific to TikTok.

Virtually every internet platform deals with disinformation; thus, that TikTok is Chinese incorporated in and of itself has nothing to do with it. But U.S. officials have expressed concern about the potential for disinformation on the platform. (These concerns arent unfounded: See the false information that circulated on TikTok about the coronavirus.) One could certainly make the argument that the platform responses to disinformationin light of political censorship concernsmight impact U.S. interests in undesirable ways. But the presence of disinformation on the platform is in many ways a distinct risk from the preceding four.

Looking Beyond TikTok

These questions, and the policy responses to them, have implications well beyond TikTok. And they have become increasingly urgent, as these questions about mobile apps, data collection and national security grow more frequent and as more bills like Sen. Hawleys are introduced into Congress.

The issues here are complex. If the view is that any data collected by a Chinese internet company is a national security riskbecause of Beijings purportedly easy access to that data, and the ways it could be potentially combined with other datasets (for example, from the Office of Personnel Management hack)then many applications fall into the bucket of risk. The widely used application WeChat, for example, could certainly be banned under that view.

But the problem is even more complicated. After all, China isnt the only country about which policymakers are or might be concerned.

Last fall, for example, Sen. Schumer sent a letter to the FBI requesting they investigate the security risks of Russian mobile apps. The letter cited the legal mechanisms available to the Government of Russia that permit access to data as reason for concern.

If Russian-made apps are also considered an unacceptable data collection risk for U.S. government employees, then how should the U.S. approach and maintain a list of countries that fit into that category?

The United States isnt alone in confronting these questions. And these arent entirely novel problems. Indias military, for example, has prohibited personnel from installing Chinese social platform WeChat due to security concerns. The Australian armed forces have also banned WeChat. The Pentagon banned the militarys use of geolocating fitness trackers in August 2018 after live GPS data was found on the public internet: Researchers were able to track the location of troops on military bases and spies in safe houses.

This all raises challenging questions about where to draw the line: Is an app that, hypothetically, makes custom emojis and collects only a users phone number more of a security risk than one that provides the weather based on current geographic location?

Meanwhile, its worth remembering that apps are only one potential way for a government to get access to information on individuals: The highly unregulated data brokerage industry, which sells incredibly intimate information on all kinds of people to whomever is buying, could easily be exploited by foreign governments. Governments could buy information from brokerage firms and ascertain sensitive activities of, say, a U.S. federal employee with a security clearance or a non-government employee who happens to be running for Congress in the next election.

Policymakers might consider crafting legislation based on the people on whom data is being collectedthat is, focusing on data collection of government employees, which presents immediate national security concerns, rather than about data collection on all Americans. Targeted bans on app downloads on government phones could be a solution, as Sen. Hawley proposed in his bill.

More broadly, one could imagine developing a framework of criteria to answer these questions that will arise again and again. This framework would function in the same way as would objective criteria by which to routinely evaluate other elements of digital supply chain security, another much-needed national security tool. For instance, the Committee on Foreign Investment in the United States could explicitly make data privacy and security a more central component of its investment screening process. Agencies like the Cybersecurity and Infrastructure Security Agency could lead an interagency process to determine government recommendations for baseline corporate cybersecurity standards writ large that, like with encryption, could be used subsequently by policymakers to evaluate protections implemented by firms like TikTok. Federal departments such as the Department of Defense could develop clear and at least semipublic frameworks by which they decide to prohibit employee use of mobile apps.

Again, though, even this route leads to more questions. What about American- or European-incorporated companies that collect disturbing amounts of sensitive personal information on U.S. government employees? Do they not fit these categories too? Policymakers need to consider these questions.

Policymakers also must consider whether these mobile app and data security decisions should depend less on the kinds of data collected and on whom, and more on the legal structures in the countries in which these companies are incorporated. Beijing, for instance, engages in unchecked surveillance. While the actual practice of Beijing getting data from private companies isnt as straightforward as some might imagine, its certainly far easier than the U.S. government getting access to American company data. For some policymakers, that difference might be the end-all-be-all to allowing Chinese apps on U.S. government employee phonesforget about details like the kinds of data in question.

And this is all without even getting into the risks of content censorship in China, content censorship globally and disinformationwhich pertain more to content management on an app like TikTok than they do directly to national security. This isnt to say (as clarified above) that no national security linkages exist or could exist to, say, TikTok removing political content worldwide at Beijings behest. But, rather, I suggest that the links to a U.S. national security threat from censorship and disinformation are generally not as pronounced as those from the collection of geolocation data on a U.S. federal employee with an active security clearance, for example.

This isnt just a laundry list of academic questions.

Some observers might find a TikTok ban to be a relatively narrowly targeted and sensible policy response to a perceived threat of Chinese state access to data. But the reality is that decisions in this sphere of data security and U.S. data protection are not made in a vacuum. They have broader implicationsfirst-order, second-order, and even third- or fourth-order effects. Many countries develop mobile apps, and many of them could be perceived as posing security risks in various ways. They, too, must be considered as part of the picture. A cohesive and repeatable strategy for making these decisions is far superiorfrom economic, national security and rights-protection perspectivesthan a whack-a-mole-style approach that might yield a sensible policy but not with a sensible process.

All the while, it is important not to blur and conflate these risks. The national security risks of mobile apps made and managed by foreign-incorporated companies may take different forms and may differ in likelihood, severity and desired response. Blurring the lines makes it hard to develop targeted policies that address actual risks in ways that fully consider costs and benefits.

Many countries worldwide are grappling with these same questions. Many governments, like Washington, are also considering if, where and how they want to decouple elements of their technology systems from other countries. Here, Washington should tread very carefully because these broader and global implications demand much more thought.

Go here to see the original:
Unpacking TikTok, Mobile Apps and National Security Risks - Lawfare

SYDNEY, N.S.

An information technology department is a valuable tool these days for companies looking to set up work from home environments as efforts to limit face-to-face contact continue during the ongoing COVID-19 pandemic.

A local internet security firm has found itself working night and day setting up home offices for Cape Breton companies that haven't budgeted for their own ongoing IT departments.

"They are pieces we have always done," said Mark Patterson, CEO of Devantec IT and Security Services, in references to in-demand services of his company. "They are just a little more relevant today than they may have been a couple of months ago to some businesses."

The most popular of a variety of technology solutions that are helping business owners transition their employers to a home office is a virtual private network.

"The VPN would allow their workers to securely remote into their server from home and access all of their files just as they would if they were sitting in their office," he said. "That is the main solution we are using to help businesses."

For security reasons, specific names of clients could not be made available, however, Patterson said they are from all areas of industry, including telecommunications, power utilities, home heating and government.

Another popular service these days is one geared at companies who want to limit the control of traffic into offices where employees are still working.

"We are installing a lot of the video door systems so that when somebody comes up to the door, they buzz in and the person inside the business can communicate back and forth through the video system, versus letting them into the office and talking to them face-to-face."

He said these alarm and camera systems can be tailored to any business where they don't have anybody to "keep an eye on" things.

"We are a technology company, essentially, although we break it down into IT, security and communications," he said. "We can basically implement any type of technology that limits face-to-face interaction and help people abide by the current government guidelines."

Patterson said the company currently has seven employees who are putting in long hours as area businesses and individuals seek out their services to deal with the expectations and realities of the current business and social climate.

Devantec was established in 2016 by Patterson and James MacKinnon and provides high quality on-site and remote services including computer services, network security, business phone systems and security systems for businesses and homes of any size.

RELATED:

Read more:
Setting up home-based office solutions busy business for Cape Breton company - The Telegram

Will we see more and more open source software in the future, or is this a passing trend that will die off eventually?

According to survey data, open source is definitely here to stay. Right now, around 78% of companies actually run open source software, and that trend will likely continue to grow. Open source code benefits businesses a lot, after all, since they get to enjoy better security, scalability, and much easier deployment as ProPrivacy discusses in their guide: Why is open source important?

But what does that mean for you, the end user? Will you enjoy better privacy? Short answer yes. But if youre looking for more detail, keep reading.

Heres why open source code is the only way to enjoy true privacy, and why you should use an open source VPN client if you want to secure your online data.

Open source code is something thats open to the public. Basically, anyone can inspect, copy, learn from, and sometimes even edit it without fear of legal repercussions. To truly be open source, the software must also have an open source license that meets all the standards of the Open Source Definition.

Nowadays, most developers publish their open source code on GitHub.

Comparatively, closed source code only belongs to the company, team, or person who created it. Nobody else can use or inspect it, unless they want to meet the long arm of the law.

Yes. There are no ifs or buts here.

If you are extremely focused on privacy, open source is the only way to go especially when using a VPN.

Were not saying a closed source VPN client cant be trusted at all. But if youre the kind of person who needs to have full control over their Internet privacy, open source options are simply better for your sanity.

Well, OpenVPN, SoftEther, and WireGuard for starters. OpenVPN is the most popular, but SoftEther and WireGuard are much more lightweight (meaning you get good security and smooth speeds).

But using either of those options isnt as simple as just installing a client on your device. You need a bit of technical know-how to set everything up. Maybe WireGuard might go smoother since its more user-friendly. But youll still have to buy and set up your own server which can cost you anywhere between $15 and $100 per month.

Besides those options, you might see some articles recommending a few other open source solutions. But theyre not too popular or user-friendly, and most of them only run on Linux.

Luckily, at PIA we have also started embracing open source announcing a shift towards open source back in 2018, and recently offering our Android code open for inspection meaning all PIA VPN clients are now open source VPN clients.

Whats more, we have even started reaching out to external auditors. And, also recently launched a closed Beta for the WireGuard protocol.

So at PIA were definitely committed to full transparency and user privacy. If youd like to learn more about the pros of using PIA, check out this in-depth review (dont worry, you can easily scan through it).

The future is open source. The stats prove it, and its really the only way to go when it comes to guaranteeing user privacy and helping people trust brands (especially VPNs).

Why else do you think people should use an open source VPN client? Or do you believe closed source options are better for privacy? Share your thoughts with us in the comments below.

WireGuard is a registered trademark of Jason A. Donenfeld.

Read this article:
Open Source Code - The Future of User Privacy - Privacy News Online