Apple releases patch for zero‑day flaw in iOS, iPadOS and macOS

The vulnerability is under active exploitation by unknown attackers and affects a wide range of Apple’s products.

Apple has released an update for its iOS, iPadOS, and macOS operating systems to patch a zero-day security flaw that is being actively exploited in the wild. The vulnerability affects a wide range of its products including the iPod touch and various models of the iPhone and iPad.

“Apple is aware of a report that this issue may have been actively exploited,” reads Apple’s security advisory describing the security loophole that is being plugged with the release of iOS 14.7.1 and iPadOS 14.7.1.

The list of impacted devices includes iPhone 6s and later, all versions of the iPad Pro, iPad Air 2 and later, the 5th generation of iPad and later, iPad mini 4 and later, and the 7th generation of the iPod touch. The same security flaw also affects the macOS operating system, so the Cupertino-based tech titan also issued a security update for macOS (Big Sur 11.5.1) to address the issue. As is usually the case, there is no word about the perpetrators and targets of the zero-day attacks.

Indexed as CVE-2021-30807, the vulnerability resides in the IOMobileFrameBuffer, a kernel extension that is used for managing the screen framebuffer, and is described as a memory corruption issue.

According to CyberSecurityHelp, the vulnerability could allow a local application to escalate privileges on the affected systems. “The vulnerability exists due to a boundary within the IOMobileFrameBuffer subsystem. A local application can trigger memory corruption and execute arbitrary code on the target system with kernel privileges,” reads its description of the security flaw.

The United States’ Cybersecurity and Infrastructure Agency (CISA) also took note of the release and issued a security advisory urging both users and administrators to apply the patches and update their devices. “Apple has released security updates to address a vulnerability in multiple products. An attacker could exploit this vulnerability to take control of an affected device,” said the agency.

Indeed, you would be well advised to apply the updates as soon as practicable. If you don’t have automatic updates enabled, you can update your iPhone and iPad manually by going to the Settings menu, then tapping General, and going to the Software Update section. To manually update your Mac devices, go to the Apple menu, click on About This Mac and then click on the Software Update button.

Week in security with Tony Anscombe

URL shortener services distributing Android malware – Week in security with Tony Anscombe

Some URL link shortener services distribute Android malware, including banking or SMS trojans, attacking unsuspected victims. Learn how the Zero Trust architecture can protect the hybrid workplace, as it is an increasingly popular way to minimize cyber-risk in a world of hybrid cloud, flexible working and persistent threat actors. The FBI warns that cybercriminals could target the Tokyo Olympics with ransomware, phishing, or DDoS attacks in a bid to increase their notoriety or make money.

Newsletter Newsletter

Submit

Discussion

Protecting the hybrid workplace through Zero Trust security

The Zero Trust architecture offers an increasingly popular way to minimize cyber-risk in a world of hybrid cloud, flexible working and persistent threat actors.

The post-pandemic normal for global organizations increasingly means using digital technology to support more flexible working practices. Although tech giants such as Twitter and Facebook made headlines by promising some employees they can work from home forever, the reality for most employers is likely to be more prosaic. More than 60% of businesses are planning to support a hybrid workplace which will involve employees spending part of the week at home and a few days in the office. Yet this will also bring with it new cyber-risks, as we outlined in the first post of this series that examines the security challenges of the hybrid workplace. 

The good news is that this what the Zero Trust model was built for. Already mandated for U.S. federal government agencies by a new Presidential executive order it offers an increasingly popular way to minimize cyber-risk in a world of hybrid cloud, remote working and persistent threat actors.  

The challenges of protecting the hybrid workplace 

Today’s CISOs are under incredible pressure to protect sensitive IP and customer data from theft, and business-critical systems from service interruption. Despite rising security spending, breaches continue to escalate. The cost of data breaches stands at an average of nearly US$3.9 million per incident today, with organizations typically taking hundreds of days before they discover and contain these attacks.  

The advent of mass remote working, and now the hybrid workplace, hands even more advantage to the threat actors. Organizations are at risk from several areas, including: 

  • Distracted home workers who are more likely to click on phishing links 
  • Remote workers using potentially insecure personal laptops and mobile devices, networks and smart home devices 
  • Vulnerable VPNs and other unpatched software running on home systems 
  • Poorly configured RDP endpoints, which may be easily hijacked via previously breached or easy-to-crack passwords. ESET reported a 140% increase in RDP attacks in Q3 2020 
  • Cloud services with weak access controls (poor passwords and no multi-factor authentication)  Why Zero Trust? 

    In 2009, Forrester developed a new information security model, called the Zero Trust Model, which has gained widespread acceptance and adoption. It’s designed for a world in which the old certainties of placing all security resources at the perimeter and then trusting everything inside it, are no longer relevant. That’s the world we live in today thanks to distributed working and cloud ubiquity.  

    Instead, Zero Trust is founded on a mantra of “never trust, always verify” to help reduce the impact of breaches. In practice, there are three underlying principles: 

  • All networks should be treated as untrusted 

    This should include home networks, pubic Wi-Fi networks (for example, in airports and coffee shops) and even on-premises corporate networks. Threat actors are simply too determined for us to assume that there are any safe spaces left.

  • Least privilege 

    If all networks are untrusted, then so must users be. After all, you can’t guarantee that an account hasn’t been hijacked, or that a user isn’t a malicious insider. That means granting employees just enough privilege to get the job done, and then regularly auditing access rights and removing any that are no longer appropriate.

  • Assume breach 

    Every day we hear news of a new security breach. By maintaining an alert mentality, organizations will be vigilant and continue to improve their defenses with a resilient Zero Trust mindset. Breaches are inevitable – it’s about reducing their impact. 

    How Zero Trust has evolved 

    When Zero Trust was first created back in 2009, it was a very network-centric model. Over the years it has evolved into an entire ecosystem. At its center is the critical data or business processes that must be protected. Around this are four key elements: the people that can access that data, the devices that store it, the networks it flows through and the workloads that process it. 

    Now Forrester has added another crucial layer: automation and orchestration and visibility and analytics. These integrate all the defense-in-depth controls needed to support Zero Trust. 

    Zero Trust in this new iteration is a perfect way to help mitigate the risks of a hybrid workplace—an environment where perimeters are fluid, distributed workers must be continually authenticated, and networks are segmented to reduce the potential for threats to spread. It’s also become clear over the course of the pandemic that VPNs in many cases were unable to sustain large numbers of remote workers – both in terms of inbound traffic and in outbound deployment of patches. They are increasingly also a target in their own right, if left unpatched and under-protected. Zero Trust is a better long-term option. 

    How to get started with Zero Trust  

    The latest data suggests that nearly three-quarters (72%) of organizations are planning (42%) or have already rolled out (30%) Zero Trust. The good news is that getting there doesn’t require a major rip-and-replace effort. 

    In fact, you may already be using many of the tools and techniques needed to get started. These include the following: 

    People: Roles-based access controls, multi-factor authentication, account segregation. 

    Workloads: Most cloud providers build in controls here. Organizations should use these to reduce access to different workloads. and enforce good policies. 

    Devices: Asset management will help you understand what you own. Then use endpoint detection and response (EDR), host-based firewalls and more to protect these assets and prevent lateral movement. 

    Networks: Micro-segmentation is key here. Use network devices like routers and switches in combination with access control lists (ACLs) to limit who and what can talk to different parts of the network. Vulnerability management is also important. 

    Data: Classify your data then apply encryption to the most sensitive types at rest and in transit. File integrity monitoring and data loss

  • Popular Wi‑Fi routers still using default passwords making them susceptible to attacks

    To mitigate the chances of their Wi-Fi home routers being compromised, users would do well to change the manufacturer’s default access credentials

    One in 16 home Wi-Fi routers is still sporting the manufacturer’s default admin password, a recent study conducted by technology website Comparitech revealed. This flaw could allow cybercriminals to conduct all manner of cyberattacks, including hijacking the router or eavesdropping on their victims.

    “These routers, which number in the tens of thousands, can be remotely found and attacked using publicly available passwords, granting malicious hackers access to the victim’s home network,” reads the study.

    Comparitech’s research team analyzed the 12 most popular Wi-Fi home routers models being sold on Amazon. To test these devices, the researchers scanned the web for these routers and then used an automated script that used the manufacturer’s default passwords to log in to the router’s admin dashboard. Out of the total of 9,927 routers that they tested, they found that 635 were susceptible to default password attacks.

    The results of the team’s investigation seemed to suggest that some of the routers could have been more persistent in prompting users to change the manufacturer’s default credentials during the initial setup process.

    The AsusRT and MikroTik routers performed best since they couldn’t be accessed at all using the default passwords even though the researchers conducted hundreds of tests. Meanwhile, other routers didn’t fare as well.

    “On the other end of the spectrum, roughly one in six ZTE ZXV10, XFinity, and NetGear Ethernet Plus Switch routers were found to be vulnerable to default password attacks unless the default admin password is changed,” said Comparitech. The full list of routers tested is available on Comparitech’s website.

    A router with the default access credentials could grant malicious actors a foothold into your home network and even to the devices connected to it. Once they have their foot in the door, the cybercriminals could use the access to monitor what any device connect to the router is doing, what websites they’re browsing, and they could see any unencrypted data being sent over the network. Moreover, the threat actors could also abuse your connection to download pirated content or use it to access illegal materials, potentially making you a suspect or being liable for these activities.

    That’s why it’s always prudent to change your Wi-Fi router’s default administrator password during its initial setup process. Make sure that when you’re doing that you avoid the common mistakes of password creation and create a strong and unique password. However, remember that you should use distinct passwords for accessing the Wi-Fi router admin settings and connecting to the internet via the router.

    The study brings echoes of a similar investigation conducted by the British consumer watchdog Which? that found Wi-Fi routers contained various security flaws, including the use of weak default passwords, putting millions of Brits at risk. If you’re looking to mitigate the chances of your router getting compromised by threat actors you can check out our tips for boosting your router security. And for safe measure, you would do well to review your router’s configuration settings as well.

    Cybercriminals may target 2020 Tokyo Olympics, FBI warns

    Cybercriminals may target the popular event with ransomware, phishing, or DDoS attacks in a bid to increase their notoriety or make money

    The United States’ Federal Bureau of Investigation (FBI) has issued a warning about threat actors potentially attempting to disrupt the upcoming Tokyo 2020 Summer Olympics. It went on to warn that cybercriminals could utilize various flavors of cybercrime such as distributed denial of service (DDoS) attacks, ransomware, social engineering to derail the Olympic games.

    However, for now, there have been no signs of an attack targeting the popular sporting event. “The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments,” the FBI said.

    The Bureau highlighted that large-scale popular events such as the Olympics attract various types of cybercriminals since it allows them to pursue different agendas, ranging from making money and boosting their notoriety to sowing confusion.

    The Games of the  32nd Olympiad could prove especially attractive to threat actors since due to the COVID-19 pandemic, spectators are largely barred from venues and the event will be only viewed through broadcast or digital viewing platforms.

    “Adversaries could use social engineering and phishing campaigns in the lead up to the event to obtain access or use previously obtained access to implant malware to disrupt affected networks during the event. Social engineering and phishing campaigns continue to provide adversaries with the access needed to carry out such attacks,” the federal law enforcement agency warned.

    Beyond phishing and social engineering attacks, the threat actors could also resort to using ransomware or DDoS attacks to target internet service providers and television broadcast companies to disrupt the live broadcasts of various sporting disciplines. Cybercriminals could also attempt to cripple the Olympics by targeting the various elements making up its infrastructure such as mass transit providers, hotels, or event security infrastructure.

    The FBI also shared advice on how service providers could mitigate the risks of such attacks. This includes creating and setting business continuity plans to lower the chances of service interruptions in case an attack occurs and regularly monitoring networks and applying best practices since a substantial part of the workforce has transitioned to remote-work environments and employs the use of Virtual Private Networks.

    Some URL shortener services distribute Android malware, including banking or SMS trojans

    On iOS we have seen link shortener services pushing spam calendar files to victims’ devices.

    We hope you already know that you shouldn’t click on just any URLs. You might be sent one in a message; somebody might insert one under a social media post or you could be provided with one on basically any website. Users or websites providing these links might use URL shortener services. These are used to shorten long URLs, hide original domain names, view analytics about the devices of visitors, or in some cases even monetize their clicks.

    Monetization means that when someone clicks on such a link, an advertisement, such as the examples in Figure 1, will be displayed that will generate revenue for the person who generated the shortened URL. The problem is that some of these link shortener services use aggressive advertising techniques such as scareware ads: informing users their devices are infected with dangerous malware, directing users to download dodgy apps from the Google Play store or to participate in shady surveys, delivering adult content, offering to start premium SMS service subscriptions, enabling browser notifications, and making dubious offers to win prizes.

    We’ve even seen link shortener services pushing “calendar” files to iOS devices and distributing Android malware – indeed, we discovered one piece of malware we named Android/FakeAdBlocker, which downloads and executes additional payloads (such as banking trojans, SMS trojans, and aggressive adware) received from its C&C server.

    Below we describe the iOS calendar-event-creating downloads and how to recover from them, before spending most of the blogpost on a detailed analysis of the distribution of Android/FakeAdBlocker and, based on our telemetry, its alarming number of detections. This analysis is mainly focused on the functionality of the adware payload and, since it can create spam calendar events, we have included a brief guide detailing how to automatically remove them and uninstall Android/FakeAdBlocker from compromised devices.

    Figure 1. Examples of shady aggressive advertisements

    Distribution

    Content displayed to the victim from monetized link shorteners can differ based on the running operating system. For instance, if a victim clicked on the same link on a Windows device and on a mobile device, a different website would be displayed on each device. Besides websites, they could also offer an iOS device user to download an ICS calendar file, or an Android device user to download an Android app. Figure 2 outlines options we have seen in the campaign analyzed here.

    Figure 2. Malware distribution process

    While some advertisements and Android applications served by these monetized shortened links are legitimate, we observed that the majority lead to shady or unwanted behavior.

    iOS targets

    On iOS devices, besides flooding victims with unwanted ads, these websites can create events in victims’ calendars by automatically downloading an ICS file. As the screenshots in Figure 3 show, victims must first tap the subscribe button to spam their calendars with these events. However, the calendar name “Click OK To Continue (sic)” is not revealing the true content of those calendar events and only misleads the victims into tapping the Subscribe and Done button.

    These calendar events falsely inform victims that their devices are infected with malware, hoping to induce victims to click on the embedded links, which lead to more scareware advertisements.

    Figure 3. Scam website requests user to subscribe to calendar events on iOS platform
    Android targets

    For victims on Android devices, the situation is more dangerous because these scam websites might initially provide the victim with a malicious app to download and afterwards proceed with visiting or downloading the actual expected content searched for by the user.

    There are two scenarios for Android users that we observed during our research. In the first one, when the victim wants to download an Android application other than from Google Play, there is a request to enable browser notifications from that website, followed by a request to download an application called adBLOCK app.apk. This might create the illusion that this adBLOCK app will block displayed advertisements in the future, but the opposite is true. This app has nothing to do with legitimate adBLOCK application available from official source.

    When the user taps on the download button, the browser is redirected to a different website where the user is apparently offered an ad-blocking app named adBLOCK, but ends up downloading Android/FakeAdBlocker. In other words, the victim’s tap or click is hijacked and used to download a malicious application. If the victim returns to the previous page and taps on the same download button, the correct legitimate file that the intended victim wanted is downloaded onto the device. You can watch one of the examples in the video below.

    [embedded content]

    In the second Android scenario, when the victims wants to proceed with downloading the requested file, they are shown a web page describing the steps to download and install an application with the name Your File Is Ready To Download.apk. This name is obviously misleading; the name of the app is trying to make the user think that what is being downloaded is the app or a file they wanted to access. You can see the demonstration in the video below.

    [embedded content]

    In both cases, a scareware advertisement or the same Android/FakeAdBlocker trojan is delivered via URL shortener service. Such services employ the Paid to click (PTC) business model and act as intermediaries between customers and advertisers. The advertiser pays for displaying ads on the PTC website, where part of that payment goes to the party that created shortened link. As stated on one of these link shortening websites in the privacy policy section, these ads are via their advertising partners and they are not responsible for delivered content or visited websites.

    One of the URL shortener services states in its terms of service that users should not create shortened links to transmit files that contain viruses, spyware, adware, trojans or other harmful code. To the contrary, we have observed that their ad partners are doing it.

    Telemetry

    Based

    Week in security with Tony Anscombe

    Google patches Chrome zero‑day vulnerability exploited in the wild

    The newest update fixes a total of eight vulnerabilities affecting the desktop versions of the popular browser.

    Google has rolled out an update for its Chrome web browser that fixes a range of vulnerabilities, including a zero-day flaw that has been known to be actively exploited in the wild. The security loopholes affect the Windows, macOS, and Linux versions of the popular browser.

    “Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild,” reads Google’s security update describing the newly disclosed zero-day vulnerability, that stems from a type confusion error in the V8 open-source JavaScript engine that is used in Chrome and other Chromium-based web browsers.

    According to CyberSecurityHelp, a remote attacker could exploit the vulnerability by duping an unwitting victim into visiting a specially crafted website that they created, triggering the type confusion error, after which they could execute arbitrary code on the affected system. “Successful exploitation of this vulnerability may result in complete compromise of vulnerable system,” CyberSecurityHelp concluded.

    Beyond the zero-day flaw, the new release fixes seven other security loopholes, with Google specifically listing six bugs where the fixes were contributed by external researchers. Five vulnerabilities were listed as high-severity, while one was classified as medium.

    The tech titan hasn’t released any further details about the vulnerabilities. This is common practice as the company aims to give as many users as possible a chance to update their Chrome browsers to the newest available version and lower the chance of the security flaws being exploited by enterprising cybercriminals

    The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) classified the vulnerabilities as extremely high risk. “Multiple vulnerabilities were identified in Google Chrome, a remote attacker could exploit some of these vulnerabilities to trigger remote code execution and data manipulation on the targeted system,” the agency warned.

    Taking into account the disclosed vulnerabilities, both admins and users alike would do well to update their browsers to the latest version (91.0.4472.164) as soon as practicable. If you’ve enabled automatic updates, then your browser should update to the latest available version by itself. However, if not, you can also update your browser manually by visiting the About Google Chrome section, which can be found under Help in the menu bar.

    Vacationing? How to avoid the cybersecurity blues

    From securing your devices to avoiding public Wi-Fi hotspots for logging into apps we look at measures you can take to remain safe while this holiday season.

    Summer vacations are slowly inching closer, a welcome respite from the COVID-19 pandemic that has been raging around the world for well over a year now. And with the downward trend in new infections, countries are slowly, but carefully, opening up to tourists who are looking for a little R&R after being stuck in the confines of their homes, working, studying, and, well… spending most of their waking hours between the same four walls. 

    When traveling, whether domestically or abroad, there are several things to keep in mind so that you don’t fall victim to the various looming cyberthreats you might face while staying in a foreign country. 

    Fake COVID-19 passports

    With the pandemic showing signs of slowing down and vaccination rollouts gaining speed, travel and lockdown restrictions are being lifted and countries are carefully opening up to travelers. To minimize the risks some countries are also introducing COVID-19 certificates, which allows individuals who hold them to travel more freely. For example, the European Union introduced its EU Digital COVID certificate, which certifies that the holder has been vaccinated, has been tested negative, or recovered from the disease. This hasn’t escaped the notice of cybercriminals, who have jumped at the opportunity to make a pretty penny by offering forged vaccination documents for sale.   

    If you’ve been vaccinated, tested, or have recovered from the disease, only your national or regional health authority should be authorized to issue a certificate verifying the fact, and that’s where you should request it from. Most countries have issued information about the process of obtaining the documentation on health authority websites or directly on the websites of their health ministries. Searching for them elsewhere may lead you to malicious websites, which will be looking to phish for your credentials or may infest your devices with malware. And if you’re considering skirting the rules by purchasing a forgery, there’s a high probability you’ll get scammed out of your money and an even higher probability that it will land you in hot water with law enforcement agencies. 

    Back up and patch your devices

    One of the first things you should do before venturing on your adventure is to back up all your electronic devices that hold any form of personal or sensitive data. Accidents are prone to happen at any time and anywhere, and the chances of that happening might be slightly higher when enjoying your summer vacation. You might drop your phone in the pool or forget you have it in your pocket while taking a dip in the ocean, or you might misplace it, or it could even get stolen. So, in the event any of that happens, you have your bases covered and you have a backup to fall back on once you replace your device. 

    For good measure it’s advisable to have multiple backups – you can have one in the cloud, while another could be safely secured on a hardware device. For tips on how to back up your iOS and Android devices, you can refer to our in-depth guide. And while you’re at it you should consider encrypting your data for an extra layer of security; this applies to both your backups and the data you already have on your devices since, if a device does get stolen, the crooks will have a hard time to make use of it. And last but not least, never, ever, forget to install the latest official updates on your devices since they regularly contain security patches that help keep your device and data protected. 

    Secure your devices

    Since we’ve already mentioned devices getting stolen or being misplaced, another thing you should never underestimate is securing your devices using built-in security measures, such as PINs, passwords, pattern locks, or biometric authentication measures. Many people often forgo setting up a lock for their devices for convenience’s sake of not having to keep locking and unlocking their smartphones. However, when setting up your lock, you shouldn’t do it half-heartedly and use a triangle-shaped pattern or a simple four-digit PIN. 

    When setting up your phone lock, the optimal solution would be using a combination of a biometric feature, such as a fingerprint or face scan, and password; or better yet, a passphrase. The same applies to your laptops. And while you’re coming up with your new passwords, be sure to avoid common mistakes of password creation. And to add an extra layer of security to your sensitive accounts, you should always use two-factor authentication (2FA). 

    Be wary of what you connect to

    While you’re traveling, you’ll probably sample a smorgasbord of restaurants, cafes, and shops that will offer complementary Wi-Fi connections you can use to browse social media or communicate with loved ones back home. This may seem like a preferable option compared to burning through your data plan, especially, since your mobile network operator may charge exorbitant prices for the data you consume abroad. However, unsecured public Wi-Fi hotspots present a security risk that could lead to your devices being hacked, infested by malware, and your sensitive data being stolen. And if you’re forced to use a public hotspot, a good rule of thumb would be avoiding using any services that handle sensitive data (for example financial apps) or anything that requires login credentials. 

    Fortunately, there are several ways to resolve your internet conundrum. One of the easiest ways is to obtain a SIM card with a data plan from a reputable local mobile network operator that you can use for your web surfing while abroad. Another is setting up a virtual private network (VPN) to use while you are connected to a public hotspot so that you can browse safely. If you’re not sure about which VPN to use, you can check out our article that looks at commonly used types of VPN networks. 

    Use a reputable security solution

    While this step should be a no-brainer, many people still underestimate the value of using security software when it comes to smartphones and tablets. However, it is important to

    Sports events and online streaming: prepare your cybersecurity

    If you’ll be watching Sports Streaming events on your SmartTV, laptop, tablet or cell phone, learn the tips to keep you and your personal data safe.

    After a year and a half of cancelled global events, the 2021 summer season is proving to be full of major sporting events across the globe, and all sports are well represented. Whether you are preparing to watch the UEFA Euro 2020 final or the Wimbledon tournament, or planning to watch the Olympics or the National Bank Open with your family and friends, the next few weeks are sure to be full of colorful and noteworthy sporting performances to watch.

    While the popularity of these events is undeniable, the popularity of online streaming of the events is also undeniable. For example, while less than a million people tuned in to stream the 2015 Super Bowl, that number more than quintupled in 2021, when approximately 5.7 million viewers tuned in to stream Super Bowl LV.

    If you will be watching to sports events via online streaming, whether it’s on your SmartTV, laptop, tablet or cell phone, the following tips will keep you and your personal data safe.

    Prepare your network and devices 1 – Protect your router connection information

    Network connection and online listening go hand in hand with router. This device, which allows you to connect many devices to your network wirelessly, is the first step of your streaming, but also a major entry point for potential cybercriminals. Before you begin live streaming any broadcast – or better yet, connecting any IoT device – it’s important to make sure your router is configured securely. We invite you to check out this blogpost, which will walk you step-by-step through securing your router in five easy steps.

    2- Sort your networks

    Many devices are probably linked to your router. A good practice to secure your router, and therefore your entire home network, is to list the devices and create separate networks with customized permissions, to better protect the most sensitive devices.

    Reviewing the list of devices will allow you to disable the ones you don’t use or no longer use. This step will make it easier to detect an intrusion attempt, since you will already be familiar with the names of the devices connected to your network.

    3- Configure your Smart TV or smart device

    Like all your connected devices – and your router! – your Smart TV needs to be configured properly, to ensure security and functionality. Each model and manufacturer uses different features and functionality, so please refer to the documentation associated with your device for detailed instructions.

    Either way, we strongly encourage you to configure the privacy settings on your devices and the information you allow the provider to collect – or share with third parties. Several providers have received a red card from authorities for collecting personal information from their customers – including voice recording and browsing habits.

    Remember, too, that all enabled features can pose a risk. Unpatched flaws in them can serve as openings through which cybercriminals can sneak in. So remember to disable features you don’t use. Also think about the configuration of the protection measures offered by the provider, the updates – we will get back to this – and, if necessary, the parental control!

    4- Install the latest updates

    As always, the basic cybersecurity tips apply to streaming. Regardless of the type of device you plan to listen to upcoming games on, remember that cybercriminals are always trying to find a vulnerability for their dark purposes. A vulnerability is a flaw in an application that makes it possible for an unwanted or erroneous action to be performed, which cybercriminals can use to attack your devices. By updating regularly, you will have the latest patches developed by the manufacturer, thus preventing cybercriminals taking advantage of known and patched vulnerabilities to infiltrate.

    Unlike the operating system of your computer or smartphone, the firmware of most IoT devices is not updated automatically. Check the vendor’s website, with your device’s model number and currently installed firmware version, to see if updates are available.

    5- Use a security solution

    As with your computer or smartphone, your smart devices can be infected by malware or other types of cyber threats. Therefore, using a comprehensive security solution from a reputable vendor is essential, to ensure these devices are protected. Available on the Google Play Store, ESET® Smart TV Security is an example of a solution that offers you real-time protection against viruses and ransomware, in addition to automated virus database updates.

    Choose your source

    Now that your network and devices are secure, before you break out the snacks and put on your team jersey, you need to prepare for another challenge. Finding a reliable and secure streaming site. For particularly well-attended events, the competition is very fierce and many players, some of whom may be malicious, could be in the game. A simple Google search, as shown in the images below, is enough to understand that users are spoilt for choice in this area. At the time of publishing this article, Google lists nearly 4.8 million (EDIT: 12.4 million) search results for “national bank open 2021 ‘streaming’” and about 20 million (EDIT: 79 million) for “olympics 2021 streaming”

    Image 1: Screenshot of search results for “national bank open 2021 ”streaming’’

    Image 2: Screenshot of the search results for “olympics 2021 streaming”

    So there are free and paid streaming options available to you, from a range of different sources. Unfortunately, many of them are not risk-free!

    One of the most prevalent, and most apparent, problems is that some free streaming sites are full of ads. One might think that this is only a minor inconvenience. Unfortunately, this is not the case. In fact, a joint study by the University of Leuven-KU in Belgium and SUNY-Stony Brook University in the U.S. concluded after analyzing 23,000 streaming sites that half of the video overlay ads on them were malicious. In other words, by