Archive for November, 2013

Thankful for privacy

During this season of giving, our gratitude usually focuses on the year’s blessings of friends and family, health and happiness . . . and maybe even the cook behind the holiday feast.

But we’d be remiss to ignore some technical marvels that help protect your online privacy and security—providing their own “bite” with plenty of meat.



In song, the 12 days of Christmas include partridges, turtledoves, French hens, calling birds, geese and swans. In reality, scammers fly high on unsuspecting pigeons vulnerable to their holiday hoaxes.

To avoid getting plucked, follow these tips for safe spending and a hoax-free holiday:



In the aftermath of a catastrophic event—whether it’s a tornado, hurricane or other natural disaster—survivors face a long, challenging recovery. While they are rebuilding their lives, they also must take care to guard against additional, man-made threats: identity thieves and scammers.

For example, after Hurricane Katrina, a marked increase in insurance fraud was reported in the area. Of the more than 80 billion government dollars appropriated for reconstruction efforts in the region, it is estimated that insurance fraud accounted for between $4 and $6 billion.

Survivors can guard against identity thieves and scams with these tips:


Among the myriad of high-profile data breaches in 2013, the Adobe breach – originally estimated at 3 million – exposed 38 million users' data alongside valuable source code pertaining to Adobe's software. What isn't known, however, is what implications a major breach such as the one experienced by Adobe has for average people.

The Process of a Data Breach
There are four major steps in any data breach. The first step – stealing – starts with cybercriminals targeting a large firm for their users' personal, credit card and password information. Twitter, Facebook, Evernote, LivingSocial and Schnucks Markets were among the top high-profile data breach targets in 2013, with each breach compromising more than 2 million users. Even larger data breaches compromised the information of more than 50 million LivingSocial and Evernote users. Cybercriminals then use this information – in combination with other hacking tools such as malware, keylogging, phishing and botnets – to jeopardize enterprise data centers.

In step No. 2, these cybercriminals sell the personal and financial information to fraud rings through established online forums and other distributors. In the case of the Adobe breach, source code was stolen. And while that might not seem like it could impact everyday people, it can.

In 2011, RSA – a cybersecurity company that provides electronic tokens that generate unique passcodes for 25,000 clients – experienced a breach of its database. In the process, the source code for its SecurID product was compromised and, despite catching the cybercriminals later that year, the hackers were able to replace thousands of the electronic tokens for some of RSA's clients like Lockheed Martin, which also experienced a breach as a result.

The scope of the Adobe breach, and of the subsequent breaches enabled by it, is still unknown. An outside company found data from nearly 152 million Adobe customers – grossly outstripping the previously thought number of users impacted – on a site known to be frequented by cybercriminals, according to MSN Money. If that claim is true, the Adobe breach would be the largest in history, raising the question not of whether Internet users will experience a data breach during their lifetimes, but when.

That brings in step No. 3 – fraud. Once hackers sell your data, it's used by criminal groups on banking and ecommerce sites to take over your checking, savings or credit card accounts – even open up new credit accounts or transfer money. This step, of course, leads to the last step of a data breach – the conversion of your information into cash. While there are a number of ways fraudsters can purchase and sell illegally obtained goods, classified ads, drop off zones for physical goods and knock-off sites for digital goods are most commonly seen, according to ThreatMetrix Labs.

Eduard Goodman is chief privacy officer for IDentity Theft 911.


When a tornado touches down in a community, the effects can be devastating: Twisters level neighborhoods, wipe out businesses and farms, turning buildings—and lives—upside down. Communities may take years to recover from the extensive damage.

Residents of areas affected by twisters can take steps before and after to protect their families—and their identities. Here are seven tips on how to prepare for a disaster:


Since Snapchat, the trendy mobile app, turned down Facebook's $3 billion cash offer, people are taking more interest in the app than ever before, but it's been a long time coming. 

Snapchat originally stemmed from an app called Picaboo in 2011, which was created by Bobby Murphy and Evan Spiegel, the co-founders of Snapchat, the Guardian reported. The pair worked on more than 34 projects at Stanford University – many, if not all, failed. Picaboo, however, was the seed of a great idea that stemmed from feedback Spiegel and Murphy received from a friend, who complained about sending photos from his smartphone that he later regretted sending.

With Picaboo, the photo would self-destruct after a certain number of seconds determined by the person doing the sending. Later rebranded as Snapchat, the app expanded to include video capability and allow users to modify photos with scribbles before sending them. After the app became available for Android devices in 2012, it became an instant hit.

"One of the greatest benefits of the service, especially in the early days, was that it was 10 times faster than an MMS (multimedia messaging service) message," Spiegel told Associated Press this month. "So a lot of people just liked it because the interface was so simple. It sent the photos so quickly. It was a lot faster than opening up a text message, going and taking a picture or choosing it from the gallery, uploading it – which took a really, really long time – and then sending it to your friend."

Appeal Despite Privacy Concerns
The app is intended to be especially user-friendly with regard to data security due to the fleeting nature of its content. Unlike Facebook messages, which accrue in an inbox over time, Snapchat images and video self-destruct after a user-designated portion of time – a perk that is being embraced by users on a frequent basis. For instance, Snapchat activity grew from 20 million shares in October 2012. That number has since climbed to 350 million in September 2013. As more users take up the app, investors have taken notice.

The small app firm has raised a combined $94 million from various venture capital firms, despite the fact that it hasn't made any money yet. One of those firms, Lightspeed Venture Partners, gave Snapchat $485,000 in May 2012 after one of its executives noticed that his daughter was using the app among other popular apps such as Instagram and Angry Birds. The money has continued coming in from investors since then, giving Snapchat and its message self-destruct feature a lot of steam.

While the appeal to teenagers doesn't involve sexting, the app has run into its share of controversy. For instance, a Tumblr blog in 2012 was allegedly posting naked photos of women without permission. A similar Facebook page was doing the same, although it was eventually shut down.

However, the banal, ephemeral nature of Snapchat is what appeals to teenagers the most. It gives them a place where they can be themselves and have fun and not worry about it showing up later on the internet. Parents should be especially aware of this. Even though Snapchat is drawing the interest of millions of teens, they should still use caution when using the app.


Migrating to warm-weather states like Florida and Arizona as the temperature drops “up north”? So are scammers on the lookout for pigeons to pluck during Snowbird Season, which runs from late November through April.

Some are part of organized crime rings—boiler-room telemarketers and so-called Gypsy Travelers who specifically target short-time vacationers and longer-staying, older seasonal residents. Others are local fraudsters taking advantage of the influx of visitors. Either way, here are the most common threats:


While theft accounts for the majority of healthcare data breach incidents that affect 500 or more individuals in the U.S., unauthorized access and improper disposal can lead to a great number of breaches, according to data from the U.S. Department of Health & Human Services (HHS). For healthcare providers, the message should be clear: data breaches are preventable, and the way an organization responds before one occurs is important to mitigate damage. 

Taking data , the Office for Civil Rights observed only the incidents that affected 500 people or more, and found that of the 435 healthcare data breaches in the United States, 238 of them resulted from theft – from either stealing physical devices like a laptop or computer or taking digital information. Surprisingly, however, 93 of the 435 data breaches were a result of unauthorized access to Protected Health Information (PHI), followed closely by improper disposal of IT equipment, accounting for 75 cases.

Planning For A Breach
While training employees on the proper handling of PHI, which is protected by the Health Insurance Portability and Accountability Act (HIPAA), and generally raising awareness within an organization can help mitigate these unnecessary breaches, some industry analysts suggest that incorrectly viewing privacy and security as separate is holding back full compliance.

Kate Borten, president of the IT security firm Marblehead Group, said organizations must lay the groundwork through awareness initiatives, training and other defense measures to ensure healthcare providers properly respond to all suspected and actual security incidents, even if they seem trivial.

"In fact, when it comes to HIPAA privacy violations, they are almost certainly also security (confidentiality) violations," Borten said. "Organizations' privacy and information security officers should jointly 'own' their Incident Response Plan. The plan should also clearly define what data is subject to each regulation. Incidents may be both a HIPAA breach and a state breach, or only one or the other, or neither. There remains confusion about this, even among some legal experts who should know better."

A breach of both privacy and security could be as simple as a hospital employee sending an email that contains PHI to the wrong hospital or physician, Borten added. While incidents such as these seem innocent and are not considered full-blown data breaches, they may be considered violations of privacy, according to Health IT Security. For health care providers, treating privacy and security as the same priority in their data breach response plan could help mitigate the breaches that result from human error.

Matt Cullina is chief executive officer of IDentity Theft 911.

In October it was widely reported that a large number of Adobe customer accounts had data stolen after the company's systems were hacked. While previous reports indicated that around 38 million accounts were exposed, that number increased after password security firm LastPass , Reuters reported.

LastPass found the email addresses, passwords and password hints of 152 million accounts on an undisclosed website reportedly frequented by cybercriminals.

In the company's report were two important security revelations: Not only did Adobe fail to use best practices to secure passwords, but many users failed to protect themselves by choosing inadequate passwords.

Inadequate Password Protection
While Adobe did keep passwords encrypted on its database, it appears that they used , PC Magazine reported. This means that if someone were to figure out the key, they could have access to every password. Furthermore, Adobe chose to encrypt in Electronic Code Book (ECB) mode, which is a weaker defense method. ECB, PC Magazine explained, is known to cause security loopholes surrounding its key.

The best practice for encryption would have been to apply a unique encryption code to every password before it enters the database, according to LastPass. The technique, known as "salting," adds an extra layer of security.
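
As an added illustration (not code from this article, Adobe or LastPass), the sketch below shows why one key with no salt is a problem: every account with the same password ends up with the same stored value, while a per-password salt makes each record unique. HMAC-SHA256 is used here as a stand-in for single-key deterministic encryption (it is not ECB), PBKDF2 is an assumed choice of salted scheme, and the accounts and key are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

SITE_KEY = b"constructed-demo-key"   # one key shared by every record (constructed)
ITERATIONS = 100_000                 # assumed PBKDF2 work factor for the demo

# Constructed sample accounts; three of them reuse the article's top password.
ACCOUNTS = {
    "alice": "123456", "bob": "123456", "carol": "123456",
    "dave": "photoshop", "erin": "correct horse battery staple",
}

def single_key_store(password):
    """Deterministic stand-in for single-key storage (HMAC, not real ECB):
    the same password always maps to the same stored value."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()

def salted_store(password):
    """Per-password random salt plus a slow hash; returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def largest_shared_group(stored_values):
    """Audit check: how many accounts share the most common stored value?"""
    return max(Counter(stored_values).values())

def audit(accounts):
    """Return the largest group of identical stored values under each scheme."""
    unsalted = [single_key_store(p) for p in accounts.values()]
    salted = [salted_store(p)[1] for p in accounts.values()]
    return largest_shared_group(unsalted), largest_shared_group(salted)

if __name__ == "__main__":
    shared_unsalted, shared_salted = audit(ACCOUNTS)
    print("accounts sharing a stored value, single key:", shared_unsalted)
    print("accounts sharing a stored value, salted:", shared_salted)
```

A group larger than one in the first figure means whoever holds the database can see which accounts share a password without knowing the key.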

Poor User Practices
The discovery also raised a red flag for how consumers handle data privacy and security. Many users choose common words or phrases as passwords that make accounts easily accessible to infiltrators. Of the accounts recovered by LastPass, nearly 2 million users had "123456" as their passwords. Other common choices included "password," "adobe123," "qwerty," "111111," and "photoshop."

By using such passwords, customers not only put their Adobe accounts at risk but every other account that uses the same credentials. Email accounts, banking services and other personal information could be accessed if the same passwords were used.

PC Magazine noted that a similar security breach of the website Gawker yielded many of the same passwords. The top five from those accounts included "123456," "password," "12345678," "lifehack," and "qwerty."

Despite the fact that the Gawker hack occurred three years ago, many of the same weak passwords were discovered. What this illustrates is that despite increased media attention surrounding cyberattacks, consumers have yet to improve their Web security habits. Furthermore, the growing prevalence of apps and cloud storage containing personal and financial information means that users could have more to lose now than in the past.

Consumers should avoid any common words in passwords and instead opt for a mixture of letters and numbers. Also, a different password should be applied to every major account a Web-user creates.

Eduard Goodman is chief privacy officer at IDentity Theft 911.


With Black Friday approaching, it may be time to rethink the mantra that “cash is king” when it comes to holiday shopping.

Sure, paying with cash forces you to stay within a budget to prevent over-spending. It means no tacked-on interest payment. And it may even occasionally qualify you for a discount on purchases by allowing merchants to avoid paying the transaction swipe fees charged on plastic.

But a truly happy holiday means protecting those soon-to-be-purchased presents along with your long-term finances. That’s where credit cards reign supreme over cash or debit cards.

Here are three reasons why: