One in Three Massachusetts Residents’ Records Breached

Massachusetts has one of the most stringent data protection laws on the books. Businesses are required to disclose data breaches, and companies are now reporting when even a single individual’s information has been compromised.

Despite strict laws and security requirements, companies are continually being hacked in record numbers. And if major businesses are still being hacked despite allocating significant resources to securing their data, you are more than likely at least as vulnerable.

The Boston Globe reports, “Personal information from nearly one out of three Massachusetts residents, from names and addresses to medical histories, has been compromised through data theft or loss since the beginning of 2010, according to statistics released yesterday by the office of Attorney General Martha Coakley.”

Facts:

  • Since January 2010, 1,166 data breach notices have been filed
  • 480 of those breaches occurred between January and August of 2011
  • 2.1 million residents were affected
  • 25% involved deliberate hacking of computer systems containing sensitive data

This is just Massachusetts. Every other state is experiencing the same thing. According to Juniper Research, in the past year, 90% of organizations have suffered from some form of data breach. Since the start of 2011, there have been 365 data loss incidents involving 126,727,474 records around the world.

Keeping PCs and Macs updated with antivirus and anti-spyware software is fundamental, as is updating all critical security patches. You should also have a two-way firewall monitoring incoming and outgoing traffic, and strong passwords that combine upper and lowercase letters, numbers, and preferably other characters.

Robert Siciliano personal and home security specialist to Home Security Source discussing identity theft on YouTube.

5 Online Security Tips For Valentine’s Day

For some, Valentine’s Day means being lonely. I’ve been there, and I know many who are there now. That loneliness can distort your perspective in a way that trumps common sense. This leads people to make badly considered decisions that only worsen their circumstances. Unfortunately, scammers use this raw emotion as leverage on online dating websites and social media.

These scammers are like loneliness relief valves. In a way, they provide a different perspective by making baseless promises that they never intend to fulfill. In the end, victims end up emptying their bank accounts.

The key to being safe and secure is awareness of yourself, your emotions, and the intentions of those who contact you.

Don’t be an online dating statistic. Follow these tips:

#1 Look for red flags. If you are contacted online and the message makes no reference to you or your name, it may be a “broadcast” scam sent to many others.

#2 If they immediately start talking about marriage and love and showing instant affection, run really fast.

#3 Anyone asking for money for any reason is a con man. Never, under any circumstances, wire money or send checks, cash, etc.

#4 If someone you are communicating with online seems to take days to respond, it may be a sign they are married.

#5 When communicating with a potential mate via online dating or even in the physical world, please do not give up any information to them until you are entirely sure they are “good”.

Robert Siciliano personal and home security specialist to ADT Home Security Source discussing GPS Dating Security on Good Morning America.

Barefoot Bandit Gets 7 Years

You may recall the story about Colton Harris-Moore, who as a teenager was busted for committing over 100 burglaries in the Pacific Northwest. He stole cars, speedboats and airplanes and is known as the “Barefoot Burglar” because he kicked off his shoes while running from the police through the woods.

Last summer he signed a movie deal with 20th Century Fox worth $1.3 million. However, he won’t earn any money from it, as all the funds will go to restitution.

After two years of running, he was busted in a chase that involved police, boats and bullets. Most of these stories end with the perpetrator dead. But this now 20-year-old will live to tell another tale, from prison. He was recently sentenced to 7 years in state prison after pleading guilty to numerous charges including burglary and identity theft.

In sentencing, the judge was quoted as saying, “This case is a tragedy in many ways, but it’s a triumph of the human spirit in other ways, I could have been reading about the history of a mass murderer. I could have been reading about a drug abusive, alcoholic young man. That is the triumph of Colton Harris-Moore: He has survived.”

He survived and left many victims behind. He destroyed thousands of dollars in cars, airplanes and boats. He stole everything from food to cash and jewelry, electronics and clothing. As “romantic” as his story is, the victims of his crimes will never feel the same way again in their own homes.

  • Lock your doors and windows
  • Install a monitored alarm system. Consider ADT Pulse.
  • Give your home that lived-in look
  • Leave the TV on LOUD while you are gone
  • Install timers on your lights, both indoor and outdoor
  • Close the shades to prevent peeping inside
  • Use defensive signage

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News.

75 Million Unique Malware Samples By 2012

Imagine your body being targeted by 75 million viruses. That is exactly what’s happening to your digital devices. Laptops, desktops, netbooks, notebooks, Macs, iPads, iPhones, BlackBerrys, Androids, and Symbian mobile phones are all being targeted. The most recent threats report from McAfee Labs reveals a grim outlook and a variety of threats.

Mobile: Android has become the most popular platform for new malware, and this past quarter it was the exclusive target of all new forms of mobile malware. The Symbian OS (for Nokia handsets) remains the platform with the all-time greatest number of viruses, but Android is clearly today’s main target.

Malware: Rootkits, or stealth malware, are one of the nastiest threats we face. They are designed to evade detection, and thus are able to lurk on a system for prolonged periods. Fake AV, also known as fake alert or rogue security software, has bounced back strongly from previous quarters, while AutoRun and password-stealing Trojans remain at relatively constant levels. Mac malware continues to show a bit of growth as well.

Spam: Although spam volume has decreased significantly, McAfee Labs has observed major developments in targeted spam, or what’s often called “spear phishing.” Much like malware, total numbers are dropping but the severity of the threat and sophistication of the technique remain high.

Social engineering: Subject lines used for social engineering spam messages vary depending on geography and language. Bait can include holidays or sporting events, and often differs by month or season. Attackers have shown remarkable insight into what works for specific people at specific times.

Spam botnets: New spam botnet infections continued steadily from February through August of 2011, but dropped somewhat in September.

Bad URLs: Website URLs, domains, subdomains, and particular IP addresses can be “bad” or malicious because they are used to host malware, phishing websites, or potentially unwanted programs.

Phishing websites: McAfee identified approximately 2,700 phishing URLs per day during the second quarter of 2011, a slight decrease from the same period in 2010, when they counted 2,900 per day.

Robert Siciliano personal and home security specialist to Home Security Source discussing identity theft on YouTube.

How to encrypt your email with PGP

Pretty Good Privacy (PGP) “is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of e-mail communications.”

Say you have a manufacturing plant in China that makes a one-of-a-kind widget and you hold a U.S. patent that you don’t want other companies stealing. Every so often you must send email back and forth to your man on the ground in Beijing to update the specs and the ways in which that product is to be made. You know that if your emails are intercepted, it’s just a matter of time before a cheap knockoff comes on the market and kills your business. So, you had better learn how to encrypt email.

This is where PGP email encryption comes in.

#1 There are PGP key generators online and others available in purchased or open source software. To create a PGP key you will plug in your email address and provide a password. Your security vendor can point you in a direction. Or go here to generate a PGP key.

#2 PGP keys come in pairs: one public, one private. Your public key is posted on your website or included in your email, and people use it to send you encrypted email. The private key is kept private. My public key looks like this:


#3 When you receive an encrypted email, you decrypt it with your private key, which looks a lot like a public key, together with your password.
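To show what the text inside a “BEGIN PGP PUBLIC KEY BLOCK” actually is, here is an added example (not the author’s code or any PGP tool’s) that builds a constructed armored key block, verifies the CRC-24 line that follows the base64 (the short line beginning with “=”), and lists the OpenPGP packets inside it; the key material and the “Alice” user ID are made up.

```python
import base64
PACKET_TAGS = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}  # RFC 4880 4.3
ARMOR_BEGIN, ARMOR_END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:  # RFC 4880 6.1; the "=xxxx" line under a key encodes this value
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:  # raw packets -> text block as pasted into a web page or e-mail
    body = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    lines = [ARMOR_BEGIN, ""] + [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(lines + ["=" + crc, ARMOR_END])

def dearmor(text: str) -> bytes:  # text block -> raw packets, or ValueError if damaged
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not a PGP public key block")
    body = lines[lines.index("") + 1:-1]  # the blank line ends the armor headers
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    packets = base64.b64decode("".join(body[:-1]))
    if crc24(packets) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: the block was corrupted or altered")
    return packets

def is_intact(text: str) -> bool:  # True when the block parses and its checksum matches
    try:
        dearmor(text)
        return True
    except ValueError:
        return False

def old_packet(tag: int, body: bytes) -> bytes:  # old-format header, one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

def list_packets(packets: bytes) -> list:  # (type, body length) for each packet in the stream
    out, i = [], 0
    while i < len(packets):
        hdr = packets[i]
        if hdr & 0xC0 != 0x80:  # bit 7 set, bit 6 clear: old-format header
            raise ValueError("only old-format packet headers are handled here")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packet")
        n = 1 << ltype  # 1, 2 or 4 length octets follow the header byte
        length = int.from_bytes(packets[i + 1:i + 1 + n], "big")
        out.append((PACKET_TAGS.get(tag, f"tag-{tag}"), length))
        i += 1 + n + length
    return out

# Constructed sample: stand-in key packet (version byte + zero filler, not real key material) and a user ID
SAMPLE_KEY = armor(old_packet(6, b"\x04" + bytes(20)) + old_packet(13, b"Alice <alice@example.com>"))
```

The CRC-24 only catches accidental damage to a pasted key, not a deliberate swap, which is why the key’s fingerprint still has to be confirmed with its owner out of band.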

Find here a cool free online tool that generates PGP keys for fun and lets you see how PGP email encryption is done.

Caution: I’m not sure of what’s going on in the background of this site so I can’t recommend using this key generator for ongoing secure use.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures
Is Email Encryption Right for Your Business?

The Privacy Rights Clearinghouse currently tallies 542,608,451 records breached in the past 5 years. Unsecured email certainly contributes to the problem. Small business email (or any email) starts off on a secure or unsecured wired or wireless network, then travels over numerous networks through secure or unsecured email servers that are often vulnerable to the people who control those servers.

There are also plenty of hacking and cracking tools that bad guys (and good guys) use to sniff out that data in plain text.

With criminal hackers, government-funded hackers and the various other snoops, email encryption today is essential.

The latest U.S. Cost of a Data Breach report from the Ponemon Institute, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information, and they lose trust in companies that fail to protect it.

If your business operates under some form of regulation, whether it is finance, healthcare, or any other regulation where fines are imposed in the event of a data breach, then email security should be a fundamental layer of your company’s information security protection plan. Plain and simple: if you are concerned about compliance with regulations like HIPAA and the HITECH Act and the numerous state data breach notification laws, look to email encryption.

At its basic level PGP encryption is one way to provide email encryption. More on that in the next post.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

FBI Needs Your Help to Take Down Cyber Fraud

Public–private partnership (PPP) describes a government service or private business venture which is funded and operated through a partnership of government and one or more private sector companies.

Here’s an example of “public-private partnerships”: Six Estonian nationals have been arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other computer viruses.

Beginning in 2007, the cyber fraud ring used a class of malware called DNSChanger to infect approximately 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses, and government agencies such as NASA.

The FBI further states “A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.”

The private partnerships refer to corporations just like yours that may have been affected by a virus or that play a role in information security and help track down the bad guys. “PPP involves a contract between a public sector authority and a private party, in which the private party provides a public service or project and assumes substantial financial, technical and operational risk in the project.”

As President John F. Kennedy once said, “Ask not what your country can do for you – ask what you can do for your country”. Today that may mean taking down international cyber criminals.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Data Theft Doesn’t Always Mean Being Hacked

Recently UCLA announced that 16,000 patients were potential victims of identity theft because a doctor’s home office was broken into and burglarized. This is an unfortunate example of an employee taking a laptop or storage device home from the office, resulting in a serious data breach. The thief may have no idea what he has in his hands, but the damage is done: the data is breached.

UCLA had to send letters to all 16,000-plus affected people warning that there is a possibility their identities could be stolen. On top of that, they had to hire an identity theft protection firm to cover each breached record in the hope that the service will mitigate the loss. Data loss like this may cost UCLA hundreds of thousands of dollars by the time the dust settles.

The documents stolen were birth certificates, home addresses, medical documents and numerical medical identifiers. The information breached did not include Social Security numbers or financial information. Meanwhile, reports state the data was encrypted, but the password to access the encrypted data was on a piece of paper near the laptop, which hasn’t been located either.

Based on the reports, an identity thief would have a hard time actually using the stolen data to commit new account fraud or account takeover. Nonetheless, UCLA’s response has been comprehensive and designed to reduce risk in any capacity.

Data breaches cost big bucks. Smart data security practices, done right, are inexpensive and cost-effective. Encryption in this scenario failed because the password was on a sticky note near the laptop. The lack of a home security system in the doctor’s home office contributed to the data loss. Putting layers of protection in place in both business and home settings is an absolute must.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures
Securing Your Small Business Like A Bank

Banks know security. They have to, because as Willie Sutton once said, “that’s where the money is”.

A bank, for example, has multiple layers of security. First, consider the perimeter of the building, which is often designed to include large windows, so that passersby or law enforcement can easily see any problems occurring inside. The bank’s doors have locks. Of course, there is an alarm system, which includes panic buttons, glass-break detectors, and motion sensors. These are all layers, as are security cameras, bulletproof glass, and armed guards. Ideally, tellers and management should have robbery response training. Many banks use dye packs or even GPS to track stolen cash.

Each of these layers is designed to make it harder for a robber to do his job.

TicoTimes reported, “Banco Nacional installed more than 9,000 security cameras in each of its banks and ATMs this week as part of a new satellite surveillance system. The cameras will provide a live video feed from each bank and ATM location and will be watched by a team of security officials stationed in a monitoring center in San José.”

The installation of the video surveillance system was strategically inaugurated prior to the month of December, which traditionally sees some of the highest numbers of thefts in Costa Rica due to the holiday season and the distribution of mandatory Christmas bonuses.

Think about what layers of business protection you currently have in place and how many more layers can be installed that still allow for a seamless customer experience and a security-minded culture.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Home Invasion Was “The Ultimate House of Horrors”

In a 2007 home invasion in Connecticut, Steven Hayes and Joshua Komisarjevsky, the two men found guilty of the crime, brutally attacked and killed a mother and her daughters. The father was left for dead in the basement. Their crime began when they saw the mother (who was eventually murdered) in a parking lot and followed her home.

The home was invaded at 3 a.m. The father was immediately beaten and tied up in the basement. He was held captive for a time, but he escaped alive. The kids were tied to their beds and the mother was forced to go to the bank and withdraw money.

While at the bank, the mother told a bank representative what was happening. The bank called the police, who sent cruisers to the scene. It ended badly.

Hayes was sentenced to death, and the prosecution has just rested its case against Komisarjevsky. The AP reports the prosecutor said in his closing arguments, “It was shockingly brutal. It was evil. It was vicious,” adding that the men created a “hellish inferno.” The prosecutor continued by describing the murderous plan that involved “greed, sex, death and destruction.” He showed them the masks, bat and BB gun Komisarjevsky used.

Here are 6 tips to help keep you safe and help prevent a home invasion:

1. Never talk to strangers via an open or screen door. Always talk to them through a locked door.

2. NEVER let children open the doors. Always require an adult to do it.

3. Install a home burglar alarm and keep it on 24/7/365. With a home alarm system on, when someone knocks on the door, a conscious decision has to be made to turn off the alarm. Most people will keep it on.

4. Not all home invaders knock; some break in without warning. Just another reason to have that alarm on.

5. Install a 24-hour camera surveillance system. Cameras are a great deterrent. Have them pointed at every door and access point.

6. Install strong locks and solid core doors. Back up your door with door reinforcement technologies that make it difficult to kick in a door.

Robert Siciliano personal and home security specialist to Home Security Source discussing Home Invasions on Montel Williams. Disclosures