3.3.18


How to start analyzing the security of your IoT devices
Nowadays, a lot of attacks take place by tricking the user in some way, such as into opening a file, clicking on a malicious link, or entering their personal data into a fake website.
But when it comes to the “Internet of Things” (IoT), the methods are a little different. In principle, this is partly because in many cases there is no interface for the user to interact with, but added to that, the devices themselves often present vulnerabilities and poor implementations of security measures.
The big challenge with IoT devices is that they are all different: Each manufacturer has its own firmware, uses different protocols, and designs its own architecture. So, the first step before carrying out any analysis is to understand the architecture, find out what components are involved, and how they interact and communicate among themselves. The ideal thing at this stage is to make a diagram of the device, as precisely as possible, including each component and its interactions, in order to determine what could go wrong with each of the parts involved.
This way, you will be in a better position to define the attack surface and work out the various individual vectors that could be used.
At this first stage, your analysis can be as in-depth as you want; you can even open each device and analyze the internal components from an electronics or communications perspective. Try to identify which components could be useful to you when you come to search for possible vulnerabilities, such as serial ports, the UART controller, flash drives, filtering modules, JTAG interfaces, etc.
Now you have your diagram, you have your analysis lab ready, but… what are you actually looking for?
Basically, anything that can be intercepted or manipulated from beyond the usual flow. A good way to start looking for possible vulnerabilities is to try and see how you can interact with the various components beyond the usual flow, for example, hijacking a component or disrupting a controller.
You can start with means of communication, intercepting any type of traffic that enters or exits a device, whether it's via Bluetooth, radio frequencies, Wi-Fi, or even an infrared controller such as a standard remote control for a TV.
One clear example of this is the vulnerability discovered in 2013 by the researcher Nitesh Dhanjani in the communication between Philips Hue lamps and their hub or controller. These devices communicate among themselves via the Zigbee wireless protocol, and if an attacker runs a successful sniffer attack on this traffic, they will be able to analyze and understand the communication between the hub and the lights, and even disrupt or change the data packets, so as to switch the lights on and off, regardless of what order is sent by the hub. That means—as Nitesh showed in his research—causing a permanent blackout to a Hue lighting system. Fortunately, this vulnerability in the Zigbee protocol was corrected and so the Philips lights and other affected devices were patched. Still, it is a good example of a vulnerability found by means of a sniffer and man-in-the-middle technique that was adapted to suit the new architecture.
There are many more examples like this out there, including some that are still current, affecting toys, IP cameras, watches, thermostats, household appliances, and almost any other smart device. Many of them present known vulnerabilities in their components or communication, or do not implement sufficiently strong security measures to keep an attacker out.
It is very common for these devices to send plain text information among some of their components, to use insufficient encryption, or even not to request any kind of authentication.
Another example involved a well-known baby monitor which offered an interface operating via the Internet, whereby the parents could not only see the child through a camera, but also talk and send sounds to the baby. Due to the method of authentication and a vulnerability in the platform, an attacker could send sounds and even play music through various monitors. That’s pretty dangerous when you consider the level of access to a family’s privacy that these devices have.
If you have any smart devices in your home, you can start running your own security tests. Start by making a diagram of the architecture, understanding it, and defining the attack surface. Look for possible vulnerabilities by intercepting traffic, analyzing whether the information is encrypted, and seeing how it can be manipulated. The operating system AttifyOS, which we recommended previously, is a good tool to start with.
In future posts, we will be analyzing the different tools it offers and showing you some techniques for analyzing IoT devices.
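The "is this traffic actually encrypted?" check described above can be automated once you have payloads captured from your own device. The following is an added example, not code from the original post: it scores each payload by printable-byte ratio and Shannon entropy and lists credential-like field names seen in cleartext. The sample payloads, thresholds and keyword list are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Assumed field names worth flagging when they appear in cleartext traffic.
SENSITIVE_KEYWORDS = (b"password", b"passwd", b"token", b"apikey", b"ssid", b"psk")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, close to 8.0 for random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def classify_payload(data: bytes, min_len: int = 256) -> str:
    """Rough verdict for one captured payload.

    plaintext         - readable text on the wire
    high-entropy      - consistent with encryption (or compression)
    structured-binary - binary but clearly not encrypted; worth decoding
    too-short         - not enough bytes for an entropy verdict
    """
    if not data:
        return "empty"
    if printable_ratio(data) >= 0.9:
        return "plaintext"
    if len(data) >= min_len and shannon_entropy(data) >= 7.0:
        return "high-entropy"
    if len(data) < min_len:
        # Entropy of a short sample is capped by its length, so do not guess.
        return "too-short"
    return "structured-binary"


def find_sensitive_fields(data: bytes) -> list:
    """Credential-like keywords visible in the payload, case-insensitive."""
    lowered = data.lower()
    return sorted(k.decode() for k in SENSITIVE_KEYWORDS if k in lowered)


def constructed_high_entropy(n_blocks: int = 32) -> bytes:
    """Deterministic stand-in for ciphertext: a chain of SHA-256 digests."""
    out, block = b"", b"constructed-seed"
    for _ in range(n_blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out


# Constructed sample payloads, not captures from any real product.
SAMPLES = {
    "http_telemetry": (
        b"POST /api/v1/telemetry HTTP/1.1\r\nHost: hub.example\r\n\r\n"
        b'{"device":"cam-01","user":"admin","password":"constructed-secret"}'
    ),
    "random_like": constructed_high_entropy(),
    "framed_binary": bytes([0x01, 0x00, 0x00, 0x10]) * 64,
}


def report(samples: dict) -> list:
    """One (name, verdict, entropy, cleartext keyword hits) row per payload."""
    return [
        (name, classify_payload(p), round(shannon_entropy(p), 2), find_sensitive_fields(p))
        for name, p in samples.items()
    ]


if __name__ == "__main__":
    for row in report(SAMPLES):
        print(row)
```

High entropy only shows that the bytes look random; it does not prove the encryption is sound, and compressed data scores the same way.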

2.3.18

Mobile World Congress: Introducing 5G



Year after year, Mobile World Congress (MWC) takes place in Barcelona, Spain. It is an event that brings together almost every vendor related to the mobile industry to show off their shiny new gadgets, apps and services in our ever more connected world.
One of the hot topics surrounding this world at MWC 2018 was 5G — the next generation of mobile connectivity.
What is 5G and how will it affect us?
If we look back at previous incarnations of mobile networks, 1G, 2G and so on, there have been major changes to the technology. The next generation, 5G, delivers greater speed and lower latency, but also has the advantage of being able to connect many more devices concurrently. This is one of the reasons why MWC has gone from being just a show promoting smartphone manufacturers and operators to a gathering of companies showing off connected world devices that could benefit from being connected to a 5G network.
The reality is that none of the existing technologies will disappear anytime soon; in fact, the speeds that can be achieved on the existing network are up to 1.2Gbps. So, asking the sales representatives in a phone shop about a new 5G handset will probably have them wondering what you’re talking about.
The existing infrastructure for 4G relies on cell towers/masts, typically with reasonable distances between them, whereas 5G is based on smaller more frequent cells. The smaller cells help deliver the additional bandwidth and lower latency as the network becomes more distributed. The speeds are reportedly able to deliver 20Gbps with just 1ms latency.
Any new network requires licenses, funding and significant effort to introduce it. In the US, AT&T claims it will be the first company with a 5G network that will cover 12 cities by the end of 2018 and aimed at the mobile phone market. Verizon is taking a different approach and intends to implement 5G to compete with existing home internet service providers, and with the speed and capacity available on a 5G network this could be a very competitive offering.
Many exhibition halls at MWC had devices designed for the smart city, driverless cars, smart bandages that track your healing, through to virtual reality gaming.
While faster speed is a result of the improved technologies, it is the low latency and capacity that will enable these technologies to deliver a world where just about everything could be connected. The need for capacity is compounded once the connected devices start talking to each other. For example, the future driverless car may be able to communicate with other cars, traffic monitoring, or sensors on the roads and take actions based on the environment around it.
While some 5G smartphone handsets may start to appear on shelves in 2018 we should expect the main vendors to start offering them in 2019.
The rollout of 5G is moving quicker in some regions than others. As already discussed, carriers in the US see competitive advantage and have already announced their plans. Other countries that have openly stated their commitment to early adoption of 5G are China, Japan, South Korea, Australia and Norway, and I am sure this list will grow. In Europe, commitment from both regulators and financiers for the new networks is slower. This could be seen as a competitive disadvantage, or you could view this as sensibly waiting to allow others to experience the difficulties of being an early adopter first.
As with any new technology there are security considerations. Providers of services will need to combat the expected evolution of advanced malware that will accompany the new 5G infrastructure and implement threat prevention services and solutions that deliver security through layers, including machine learning, to deal with the increased network performance and capacity. Threat intelligence and pro-active security measures are essential components for any device or service being developed to utilize 5G, secure by design.
It is important to remember that understanding the psychology and mindset of the cybercriminal is also important, and for this, deep research by experts in the security field will help the industry predict where they may see the next opportunity. So, while 5G will move us quicker, the benefit of added speed will have a cost and means that for the time being the human component in maintaining safer technology remains crucial.


1.3.18

Researchers unveil Veil to make ‘private browsing more private’



Researchers claim to have devised a way of browsing the web that “patches security holes left open by web browsers’ private-browsing functions”, reads the press announcement by the Massachusetts Institute of Technology (MIT).
The newly-proposed method, aptly called ‘Veil’, may thus be of interest for web users who wish not to leave any trace of their browsing activity on the local device, be it their own, shared or public.
Internet browsers – when run in private, also known as incognito, mode – are designed not to record the browsing history on the device. They may not necessarily be foolproof, however, and may still leave some traces behind, according to three academics at MIT and Harvard University. They describe their new framework in a paper called Veil: Private Browsing Semantics Without Browser-side Assistance.
Incognito?
With private-mode browsing sessions in their existing implementations, a browser loads data into memory and, once the session is terminated, it attempts to erase all such traces, explained the researchers.
The success of such clean-ups may vary, however. “Data accessed during private browsing sessions can still end up tucked away in a computer’s memory, where a sufficiently motivated attacker could retrieve it,” reads the press release.
In addition, due to the complexities of memory management, the data may even wind up on (and later be retrieved from) the hard drive. This would happen with zero awareness on the part of the browser, which is then unable or even unauthorized to wipe it.
“Generally, a browser won’t know where the data it downloaded has ended up,” according to the academics.
“Veil was motivated by all this research that was done previously in the security community that said, ‘Private-browsing modes are leaky — Here are 10 different ways that they leak,’” Frank Wang, one of the paper’s authors, is quoted as saying.
“We asked, ‘What is the fundamental problem?’ And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser’s best effort is, it still collects it. We might as well not collect that information in the first place,” he added.

The cloak
So what is Veil’s not-so-secret sauce for private browsing? In a nutshell, it’s encryption and a dedicated server, peppered with some garbage code.
First, the user types a URL into the Veil website, rather than into the browser’s address bar. A server, which the researchers dubbed a “blinding server”, fetches an encrypted webpage. The webpage comes embedded with code that executes a decryption algorithm, but the page itself remains encrypted until the moment it’s shown on the screen.
Once unscrambled, the data remains in memory only for as long as the webpage appears on the screen. “That type of temporarily stored data is less likely to be traceable after the browser session is over,” according to Veil’s creators.
Should that not be enough to frustrate particularly dedicated attackers, the team claims to have some more tricks up its sleeve.
The blinding server randomly adds some nonsense code to every webpage. This ‘code obfuscation’, according to the academics, has no effect on what the actual page looks like, but it drastically changes the appearance of the underlying source file. That way, even if an attacker got their hands on a few snippets of the decrypted code, ultimately they would be likely to come out empty-handed and unable to piece together the browsing history.
Optionally, Veil can step up its privacy game further. The blinding server is able to send only an image of the requested page, rather than the page itself. If a user clicks on some part of the picture, the server will fetch a picture of the updated page. At no point does the user receive any executable code.
The pages displayed via Veil retain their usual appearance, said the researchers. Their new system can reportedly be used in conjunction with current private-browsing implementations and even with the anonymizer network Tor.
To make Veil work, however, web developers would need to create Veil-compatible versions of their websites. In order to automate this process, the researchers have devised a compiler so that the developers can simply feed their existing website content into it.
“A slightly more demanding requirement is the maintenance of the blinding servers,” according to the researchers. They voiced their hope that volunteers, or even web services that pride themselves on providing extra safeguards for their privacy-minded customers, could host the servers.

28.2.18

Attingo warns: the risk of data loss due to cold is usually underestimated



Cold can damage hard drives and flash memory

The current temperature swings around freezing point not only cause problems for people, but also make hard drives, SSDs and other electrical devices and data carriers literally work up a sweat.

Short circuit due to condensation
Anyone who orders a soft drink in a restaurant will see condensation appear on the outside of the glass after a short time. The same effect can occur when laptops are left in the car and exposed to the cold for several hours. If the laptop is switched on immediately in this state, the temperature inside the laptop rises by 30-40° C within a few minutes. "Condensation on electronic components can lead to short circuits or even physical damage," says Robbert Brans, Managing Director of Attingo. For that reason it is wise to give electronic devices enough time to acclimatize. This also applies, for example, to electronics that are delivered by parcel service and have been kept in a cold delivery van for several hours.

Hard drive, SSD or USB stick broken - what to do?
A short circuit can cause the read and write heads of a hard disk to fail.
"Simply replacing the disk was still possible with the technology of fifteen years ago. With the advanced technology now in use, there is a danger that parameters drive the data carrier with incorrect information, which often leads to data loss. Defective hard drives must therefore be repaired by experts to prevent consequential damage."
Attingo Datarecovery reconstructs the data believed lost in its own cleanroom laboratories in Hamburg, Vienna and Amsterdam. In almost all cases the data can be fully recovered.

Attingo Datarecovery
Attingo Data recovery has specialized in data recovery for more than 20 years. Attingo rescues data from complex RAID systems and servers as well as from hard drives, tapes and USB sticks. The company has three of its own state-of-the-art ISO 9001:2015 certified cleanroom laboratories.
-----

27.2.18

One-third of organizations sacrifice mobile security for business performance



Organizations are aware of the “serious and growing security threat” that mobile devices present in business, and yet many of them admit that they’re not doing enough to lessen the risks, according to Verizon’s Mobile Security Index 2018 report.
For 32% of organizations, mobile security takes a back seat to what Verizon called “expediency and business performance”. This is despite the fact that cyberattacks targeting mobile devices, smartphones in particular, have become all too common in our increasingly mobile world.
However, the sacrificing of mobile security comes at a cost. Businesses that had done so were over two times more likely to have suffered data loss or downtime (45%) than those that had made security their top concern (19%).
The study surveyed over 600 professionals in the United States and the United Kingdom who are involved in purchasing and managing mobile devices for their organizations.
Concerns and precautions
Only one in seven organizations have put in place all four basic cybersecurity practices specified by Verizon – changing all default passwords, encrypting data transmitted over public networks, granting employee access on a need-to-know basis, and testing security systems regularly.
Only four in ten change all default passwords and use two-factor authentication on their mobile devices. One-half don’t have a policy for employees’ use of public Wi-Fi. A mere one-third of the organizations use mobile endpoint security and less than one-half said that they use device encryption.
“Securing the multitude of mobile devices that connect to public and private networks and platforms is paramount for protecting corporate assets and brand integrity,” said Verizon senior vice president Thomas Fox.
There was almost universal agreement among the respondents that organizations should take mobile security more seriously. However, most organizations (62%) feel that better mobile security may be hampered by a lack of understanding of specific threats and solutions.
Employee misuse, whether driven by malicious intent or caused by inadvertent error, is seen as a significant cyber-hazard by almost 80% of the organizations.
The same percentage voiced greater concern about disruption of their business operations caused by security incidents than about data theft.
Nearly 40% of organizations that allow employees to bring their own smartphones and tablets to work view this trend, known as “bring your own device (BYOD)”, as the source of their top concern.
Lest we forget: three in four respondents anticipate that the risks will intensify further during the next year.

Over 40% of online login attempts are attackers trying to invade accounts



As many as 43% of online login attempts globally are made by bots that are used for evil ends, as attackers are increasingly leveraging the automated tools for credential abuse, a report by Akamai has revealed.
Focusing on data for November, 2017, the content delivery network provider found that 3.6 billion out of 8.3 billion login requests during that month were malicious, specifically “attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet”.
A breakdown of the figures shows that the websites of retailers handled the highest number of login requests in November – 2.8 billion. “Only” 36% of them were intended to break into the accounts, according to Akamai’s Fourth Quarter 2017 State of the Internet / Security Report.
Meanwhile, the hospitality industry had to contend with the highest concentration of bad bots. A staggering 82% of nearly 1 billion login attempts on the websites of airlines, hotels and online travel agencies were found to be malicious.
Swarms of villain bots also swooped on the sites of high-tech businesses, with 57% out of 1.4 billion login attempts deemed malevolent.
The data was obtained by Akamai’s identifying “IP addresses that make multiple attempts to log into accounts using leaked credentials with no other activity to the target site”.
The data set covers mainly websites that use email addresses as login names. As a result, Akamai cautioned that the figures may understate the extent of the problem in industries in which email addresses are not used as user IDs, notably the financial industry.
Bots that traverse the internet on behalf of their human operators can fulfill both legitimate and malicious automated tasks. Statistics indicate that bot-driven internet traffic, by helper and harmful bots combined, surpasses human traffic.
“Increased automation and data mining have caused a massive flood of bot traffic to impact websites and Internet services. Although most of that traffic is useful for Internet businesses, cybercriminals are looking to manipulate the powerful volume of bots for nefarious gains,” Akamai’s senior security advocate Martin McKeay is quoted as saying.
“Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal,” he added.
In an automated technique known as ‘credential stuffing’, criminals leverage stolen or leaked access credentials that belong to one account in order to break into other – often higher-value – accounts. This tactic has been found to pay dividends in anywhere between 0.1% and 2% of attempts, owing its success primarily to the fact that many netizens recycle their credentials across multiple accounts. Databases with reams of stolen username and password pairs can be easily bought online.
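Akamai's stated heuristic (IP addresses that make multiple login attempts and show no other activity on the site) can be approximated over an access log as follows. This is an added example, not Akamai's code: the log format, the /login path, the thresholds and every sample line are constructed assumptions, and "many distinct usernames with mostly failed logins" stands in for "leaked credentials", which a log alone cannot prove.

```python
import re
from collections import defaultdict

LOGIN_PATH = "/login"  # assumed login endpoint
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) user=(?P<user>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: "<ip> <method> <path> user=<name> <status>"
SAMPLE_LOG = (
    # A bot: six accounts tried, nothing else requested.
    [f"203.0.113.7 POST /login user={u}@example.com {s}" for u, s in
     [("a1", 401), ("b2", 401), ("c3", 401), ("d4", 200), ("e5", 401), ("f6", 401)]]
    # A person who mistypes a password once and then browses.
    + ["198.51.100.23 GET / user=- 200",
       "198.51.100.23 GET /products user=- 200",
       "198.51.100.23 POST /login user=carol@example.com 401",
       "198.51.100.23 POST /login user=carol@example.com 200",
       "198.51.100.23 GET /account user=carol@example.com 200"]
    # An office NAT: several users, all succeed, other traffic present.
    + ["192.0.2.50 GET / user=- 200"]
    + [f"192.0.2.50 POST /login user=u{i}@example.com 200" for i in range(1, 6)]
    # Repeated failures against ONE account: a lockout problem, not stuffing.
    + ["203.0.113.99 POST /login user=dave@example.com 401"] * 6
    + ["this line is malformed"]
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def profile_ips(lines):
    """Per-IP counters: login attempts, failures, distinct users, other requests."""
    stats = defaultdict(lambda: {"logins": 0, "failed": 0, "users": set(), "other": 0})
    for rec in parse(lines):
        s = stats[rec["ip"]]
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            s["logins"] += 1
            s["users"].add(rec["user"])
            if rec["status"] in (401, 403):
                s["failed"] += 1
        else:
            s["other"] += 1
    return dict(stats)


def suspected_stuffing(lines, min_attempts=5, min_users=4, min_fail_ratio=0.8):
    """IPs with login-only traffic, many distinct accounts and mostly failures."""
    flagged = []
    for ip, s in profile_ips(lines).items():
        if s["other"] > 0:
            continue  # real visitors also fetch pages
        if s["logins"] < min_attempts or len(s["users"]) < min_users:
            continue
        if s["failed"] / s["logins"] < min_fail_ratio:
            continue
        flagged.append(ip)
    return sorted(flagged)


def malicious_login_share(lines):
    """Fraction of all login attempts that came from flagged IPs."""
    stats = profile_ips(lines)
    total = sum(s["logins"] for s in stats.values())
    bad = sum(stats[ip]["logins"] for ip in suspected_stuffing(lines))
    return bad / total if total else 0.0


if __name__ == "__main__":
    print(suspected_stuffing(SAMPLE_LOG), round(malicious_login_share(SAMPLE_LOG), 3))
```

The NAT and single-account cases are in the sample because they are the usual sources of false positives when only attempt counts are used.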
DDoS traffic
After several quarters of increases, the number of distributed denial-of-service (DDoS) attacks dropped by less than 1% in the fourth quarter of 2017 compared to the third quarter. On an annual basis, however, the attacks were up 14%, according to Akamai’s stats.
The gaming industry bore the brunt of the onslaughts, suffering 79% of all DDoS traffic. Germany and China between themselves accounted for the majority of source IP addresses involved in the attacks.
To say that DDoS attacks aren’t going anywhere would be an understatement, nor have we seen the last of Mirai. The notorious botnet, which took the internet by storm in the fall of 2016, remains alive and kicking. This is not least because of the proliferation of hackable Internet-enabled things, coupled with attackers continuing to adapt Mirai’s source code to befit their evil intentions.
Web app attacks
The number of web application attacks decreased by 9% following a quarter-over-quarter jump of 30% in the third quarter. They still rose by one-tenth compared to the last three months of 2016, however.
This type of threat most commonly involves scans to identify vulnerable sites with the ultimate aim of data theft or other compromises. SQL injections, which Akamai highlighted as “easily automated and scalable”, accounted for one-half of web app attacks. At 36%, local file inclusion was the second-most-frequent attack vector.
The United States is by far both the top source and top target of web app attacks. The incursions that originate in the US soared by 31% compared to the last quarter of 2016.

26.2.18

ESET launches ESET Smart TV Security to protect smart TV users against growing malware threats


Mobile World Congress, Barcelona, 2018. Today ESET, a global player in IT security, launches forward-looking technological protection against targeted malware attacks on connected TVs and other devices that run the Android operating system.

According to statistics, about 30 billion devices would be connected to the internet by 2020. While these gadgets offer users countless benefits, they also pose a threat in the consumer's daily life. In particular, smart TVs, with their microphones, cameras and USB ports, are the main target of malware attacks. By taking control of a smart TV, cybercriminals can not only attack other devices in a home's network, but also spy on the residents and gather sensitive personal data.

“Given the security and privacy risks, consumers should remember to secure their smart home devices just like their laptops, tablets or mobile phones. They cannot treat them like an ordinary TV, kettle or clock,” said Branislav Orlik, ESET Mobile Security Product Manager.

Smart TVs with an Android TV operating system will undoubtedly contribute to the spread of Android ransomware, which has been targeting Android devices for several years. The threat has now moved on to Android TVs, with cases of screen locking and ransom demands, as has already been seen in the news.

ESET Smart TV Security protects consumers with a variety of security features, including:
· Antivirus protection, which guards against growing Android malware attacks.
· Anti-ransomware technology, against screen locking. If ransomware is activated, users are advised to turn their smart TV off and on while the virus database is updated and scanning is started. If ESET Smart TV Security detects ransomware on the device, the user is advised to remove the malware. Once that removal is confirmed, the ransomware is removed.
· Multi-device scanning for malware on devices and USB drives connected to the smart TV.
· Anti-phishing to protect users against attempts to steal sensitive personal information. This feature is only available in the premium version of ESET Smart TV Security.

ESET Smart TV Security is available via Google Play and can only be downloaded from a user's TV. Once it is installed, users are protected across their entire Android ecosystem, both smartphone and TV.

“Users should feel safe and know that they can watch their favorite shows and browse the internet on their smartphone without fearing that they are being watched or that their personal data is at risk,” Orlik continues. “ESET is the best-placed provider of security solutions for Android OS devices, so we are the wise choice for consumers who want to be sure that all the devices in their home, as well as the data collected, are safe.”


25.2.18

Six tips to help you avoid targeted marketing



Do you ever get that feeling that advertisers are stalking your every move? At this point, most of us can recite a story from our own personal experience or that of a close friend or family member, where an ad had a particularly spooky kind of relevance.
This sort of targeted marketing is not necessarily a malicious thing, though there is always the potential for misuse of legitimate advertising networks. And for those of us who are sensitive about our privacy, it can simply feel unnerving. If you prefer your browsing experiences to feel a little less like being chased by a clairvoyant, there are a few ways you can decrease the number of targeted ads you receive.
Silence beacons
As someone who’s in the habit of turning off mobile device functionality when I’m not specifically using it, I was unaware of “mobile beacons”, until my distinguished colleague Aryeh Goretsky pointed them out to me. (Ignorance is occasionally bliss!)
Apparently, a growing number of brick-and-mortar stores are sending location-based ads to customers who are in their establishments. These may be in-store deals, or just ways of encouraging you to try a new brand of fruit juice. As you may already have surmised, the way to stop this sort of ad from appearing on your mobile device is to turn off Wi-Fi, Bluetooth, and Near-Field Communication (NFC) when you’re not using them. Some devices will even allow you to create handy shortcuts so you can toggle this functionality quickly and easily.
Modify your notifications
If you get sick of shopping sites sending you “I see you stared at this item, here’s some similar stuff” messages, you may be able to modify your subscriptions or notifications to make this stop. Some sites are better about presenting this setting separately from other types of notifications, or you may only be able to stop this by unsubscribing from all advertising emails from the company.
Opt out of targeted ads
There are a surprising number of ways that you can opt out of interest-based ads. The Network Advertising Initiative and Digital Advertising Alliance are self-regulated associations that provide responsible data collection guidelines for advertisers and opt-out technologies for consumers. Some social networking and search engine sites, as well as major software vendors and some ISPs, will allow you to opt out of targeted advertising.
This comes with a heap of caveats: These opt-out methods may be imperfect, and you will have to re-check opt-out sites and privacy settings periodically since options are likely to change over time. This will not disable ads completely; it will likely decrease the percentage of ads that are interest-based. Naturally, this could also lead to ads that are annoying for other reasons. But for some of us, going through this process may still be worth the hassle.
Block Third-Party Trackers
Third-party trackers are cookies set by a website other than the one you’re on – such as advertisers – and which may follow you from place to place. By blocking these cookies, either within your browser settings or with a browser extension, you can stop those ads that seem to follow you from one site to another after you “window-shop” an item.
Use an Ad Filter
If you’re disinclined to use an Ad Blocker – advertising is, after all, the grease that keeps the wheels of most of the internet going – you may wish to try an ad filter that excludes ads based on some of the most egregious marketing behaviors. Google’s Chrome Browser includes this functionality as of February 15, 2018.
Delete your information from data brokers
If you really want to get deep into the weeds of excluding yourself from shadowy databases, you can contact individual data brokers to clean up or delete your information. This is not a simple process, nor is it a quick one. But again, you may find it to be worth the effort. You can also hire a service to help you with this process.
It may not be possible to totally control where our data is collected, or what is done with it once it’s gathered. But the more people who take steps to avoid targeted advertising, the more quickly advertisers might get the message that these marketing techniques are less beneficial to their bottom line than they might now be conditioned to believe.