Problems for Quora Keep Building

Quora, the popular question-and-answer website, is the latest entity to be affected by a massive data breach. This time, it is estimated that 100 million people could be affected.

Adam D’Angelo, CEO of Quora, released a blog post that explained user account information (like email addresses and user names) as well as encrypted passwords and other data were accessed by the hackers. Additionally, he wrote that comments, public questions-and-answers and even direct messages could have been accessed.

D’Angelo stated that Quora is working quickly to get more information on the breach and that it is taking important steps to ensure that it prevents a breach from happening again.

Quora is a privately held company based in California. Users of the site can ask questions about almost anything, and other users answer these questions. The company claims that it has more than 300 million unique visitors per month. Although this data breach is not as devastating as others, such as the other recent breach announced by Marriott International, it is still concerning. The Marriott breach went on for several years, and more than 500 million people were affected. For about 327million, their passport numbers, birth dates and more were accessed.

The Quora breach was not as serious. The biggest concern for people affected by this breach is the possibility of falling for a phishing scam. Basically, these scams work by tricking people into clicking email links that allow the scammer to get personal info or installing malware onto the victim’s computer. This could be significant, however, as some of the data has come from networks like Facebook, which users can connect to their Quora accounts.

This is a really good reminder to anyone with social media accounts, or other online accounts, to consider a throwaway email account. This is an account that is neither connected to work nor your primary email account. This way, if it gets hacked, you can simply delete it.

To add some insult to injury, Quora also just announced that a “malicious third party”has accessed one of its systems. The company is currently investigating the issue, and it’s working with a security firm to get to the bottom of it. Quora is also in the process of notifying any users who might have been affected by this breach. They are also logging these people out of the site and forcing them to change their passwords.

Last thing: I’m a fan of Quora, and yes, this breach sucks, but it’s less sucky than others. Feel free to ask me a question on my Quora.

2017 Was the Worst year for Data Breaches EVER!

It seems like 2017 broke records for all the wrong reasons…one of them being the worst year for data breaches in history.

According to reports, hacking was the most common way to collect this data, but almost 70% of exposures occurred due to accidental leaks or human error. This came down to more than 5 billion records. There were several well-known public leaks, too, including the Amazon Web Services misconfiguration. More than half of the businesses using this service were affected, including companies like Verizon, Accenture, and Booz Allen Hamilton. The scariest part of this, however, is the fact that the number of breaches and the number of exposed records were both more than 24% higher than in 2016.

Big Breaches of Big Data

Another interesting thing to note is that eight of the big breaches that occurred in 2017 were in the Top 20 list of the largest breaches of all time. The top five biggest breaches in 2017 exposed almost 6 billion records.

Part of the reason for the big numbers is because huge amounts of data were exposed from huge companies, like Equifax. There was also a huge breach at Sabre, a travel systems provider, and the full extent of the breach isn’t even known at this point. All we do know is that it was big.

When looking at all of the known 2017 data breaches, almost 40% of the breaches involved businesses. About 8% involved medical companies, 7.2% involved government entities, and just over 5% were educational entities. In the US, there were more than 2,300 breaches. The UK had only 184, while Canada had only 116. However, until now, companies in Europe were not forced to report breaches, so things could change now that reporting is mandatory.

What were the biggest breaches of all time?  Here they are, in order:

  • Yahoo (US company) – 3 billion records
  • DU Caller Group (Chinese company) – 2 billion records
  • River City Media (US company) – 1.3 billion records
  • NetEase (Chinese company) – 1.2 billion records
  • Undisclosed Dutch company – 711 million records

Though none of this is great news, there is a silver lining here: none of the breaches of 2017 were more severe than any other breach in history, and overall, the occurrence of breaches dropped in the fourth quarter.

Because of so many breaches occurring due to human error, it’s very important that businesses of all sizes enact security awareness training, including helping staff understand what makes a business a target and what type of info the hackers want.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Protecting Yourself from a Data Breach requires Two Step Authentication

Have you ever thought about how a data breach could affect you personally? What about your business? Either way, it can be devastating. Fortunately, there are ways that you can protect your personal or business data, and it’s easier than you think. Don’t assume that protecting yourself is impossible just because big corporations get hit with data breaches all of the time. There are things you can do to get protected.

  • All of your important accounts should use two-factor authentication. This helps to eliminate the exposure of passwords. Once one of the bad guys gets access to your password, and that’s all they need to access your account, they are already in.
  • When using two-factor authentication, you must first enter your password. However, you also have to do a second step. The website sends the owner of the account a unique code to their phone also known as a “one time password”. The only way to access the account, even if you put the password in, is to enter that code. The code changes each time. So, unless a hacker has your password AND your mobile phone, they can’t get into your account.

All of the major websites that we most commonly use have some type of two-factor authentication. They are spelled out, below:

Facebook

The two-factor authentication that Facebook has is called “Login Approvals.” You can find this in the blue menu bar at the top right side of your screen. Click the arrow that you see, which opens a menu. Choose the Settings option, and look for a gold colored badge. You then see “Security,” which you should click. To the right of that, you should see Login Approvals and near that, a box that says “Require a security code.” Put a check mark there and then follow the instructions. The Facebook Code Generator might require a person to use the mobile application on their phone to get their code. Alternatively, Facebook sends a text.

Google

Google also has two-factor authentication. To do this, go to Google.com/2step, and then look for the blue “get started’ button. You can find it on the upper right of the screen. Click this, and then follow the directions. You can also opt for a text or a phone call to get a code. This also sets you up for other Google services, including YouTube.

Twitter

Twitter also has a form of two-factor authentication. It is called “Login Verification.” To use it, log in to Twitter and click on the gear icon at the top right of the screen. You should see “Security and Privacy.” Click that, and then look for “Login Verification” under the Security heading. You can then choose how to get your code and then follow the prompts.

PayPal

PayPal has a feature known as “Security Key.” To use this, look for the Security and Protection section on the upper right corner of the screen. You should see PayPal Security Key on the bottom left. Click the option to “Go to register your mobile phone.” On the following page, you can add your phone number. Then, you get a text from PayPal with your code.

Yahoo

Yahoo uses “Two-step Verification.” To use it, hover over your Yahoo avatar, which brings up a menu. Click on Account Settings and then on Account Info. Then, scroll until you see Sign-In and Security. There, you will see a link labeled “Set up your second sign-in verification.” Click that and enter your phone number. You should get a code via text.

Microsoft

The system that Microsoft has is called “Two-step Verification.” To use it, go to the website login.live.com. Look for the link on the left. It goes to Security Info. Click that link. On the right side, click Set Up Two-Step Verification, and then follow the prompts.

Apple

Apple also has something called “Two-Step Verification.” To use it, go to applied.apple.com. On the right is a blue box labeled Manage Your Apple ID. Hit that, and then use you Apple ID to log in. You should then see a link for Passwords and Security. You have to answer two questions to access the Security Settings area of the site. There, you should see another link labeled “Get Started.” Click that, and then enter your phone number. Wait for your code on your mobile phone, and then enter it.

LinkedIn

LinkedIn also has “Two-Step Verification.” On the LinkedIn site, hover your mouse over your avatar and a drop-down menu should appear. Click on Privacy and Settings, and then click on Account. You should then see Security Settings, which you should also click. Finally, you should see the option to turn on Two-Step Verification for Sign-In. Turn that on to get your code.

These are only a few of the major sites that have two-step verification. Many others do, too, so always check to see if your accounts have this option. If they don’t, see if there is another option that you can use in addition to your password to log in. This could be an email or a telephone call, for instance. This will help to keep you safe.

Amazon

Amazon’s Two-Step Verification adds an additional layer of security to your account. Instead of simply entering your password, Two-Step Verification requires you to enter a unique security code in addition to your password during sign in.

Without setting up Two Step authentication for your most critical accounts, all a criminal needs is access to your username, which is often your email address and then access data breach files containing billions of passwords that are posted all over the web. Once they search your username/email for the associated password, they are in.

Two factor locks them out.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

The Equifax 2017 Exposed: What Half of America Needs to Do Right Now

Equifax has been hacked. As one of the three major credit bureaus in the United States, this is seriously bad. It is considered by many to be the worst security breach in the history of the internet. The extent (about 143 million Americans) and the sensitivity of the data is a rude awakening in a year when cyber has been in the center of the news.

What does this mean for you? It means that your Social Security number, and possibly even your driver’s license information, could be in the hands of hackers. Some are already calling this the worst breach of data in history.   

How Did This Happen?

On September 7th, Equifax announced that a security breach occurred that could impact as many as 143 million people. Though this isn’t the largest breach to occur, it could be the most devastating. The data that was accessed included Social Security numbers, address, birth dates, and driver’s license numbers. All of these can be used for identity theft.

Equifax also announced that the credit card numbers of more than 200,000 people were accessed, as were documents containing personal identifying information for more than 180,000 people. With this information, the hackers can commit credit card fraud. This isn’t as bad as identity theft, as credit card fraud is usually simple to fix, but these thieves could still open new credit card accounts in your name with your Social.

According to Equifax, the company discovered the data breach on July 29. Apparently, the hackers accessed the files from around mid-May all the way through July.

Richard F. Smith, the chairman and CEO of Equifax, admits that this is a “disappointing event” and that it “strikes at the heart” of the goals of the company. He also apologized to customers who work with Equifax and consumers. Boo hoo. I cry for you.

Why Did It Take So Long to Announce This?

You might be wondering why it took so long to announce that there was a data breach at Equifax. After all, the company discovered it on July 29, and didn’t announce it until September 7. Their Director of Social Media, has an answer. She said that as soon as the company discovered the breach, they stopped the intrusion. The company also hired a cybersecurity firm, which did a full investigation. This investigation was time consuming, and they wanted to have all of the information available before informing the public. Makes sense.

But Wait…There’s More

To add to this story, Bloomberg News announced that three executives from Equifax sold shares worth about $1.8 million. What’s shocking is that they did this AFTER the company discovered the breach. This will come back to bite them.

You can check to see if you are affected by the breach by using an online tool that Equifax has set up. FYI, I checked out my info, I’m a victim.

You should go there, enter your last name and the last six digits of your Social Security number, and the system will tell you if your information has been compromised. If it has, Equifax is offering a complimentary enrollment into the TrustedID program. However, there is language in the terms of service that may restrict your ability to have your day in court if you were to join a class action and the NY Attorney General is pissed. According to USA Today, a class action lawsuit has already been filed against Equifax. This class action suit seeks to secure all records associated with the breach and fair compensation for those who were affected.

Read the NYT.

You don’t have to have done any type of business with Equifax to be affected by this. If you have ever applied for a mortgage, loan, or credit card, the company likely has your information. The TrustedID program is going to be free for an entire year for anyone affected. It gives consumers the ability to lock and unlock their credit reports. They also get internet scans for their Social Security numbers and identity-theft insurance. You can also call Equifax at 866-447-7559.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top 12 Tips to Destroy Your Sensitive Data

Believe it or not, you just can’t shred too much. If you aren’t destroying your sensitive data, my best advice is for you to start now. There are people out there who make a living diving into dumpsters in search of credit card info, bank account number, mortgage statements, and medical bills; all things they can use to steal your identity.  

Here are 12 tips that you can use to help you destroy your sensitive data:

  1. Buy a shredder. That said, I don’t own a shredder. I’ll explain shortly. There are a number of different brands and models out there. Some even shred CDs. This is important if you keep your documents saved on a computer, which you then saved to a CD. Don’t, however, try to shred a CD in a shredder that isn’t equipped to do this job. You will definitely break it.
  2. Skip a “strip-cut” shredder. These shredders produce strips that can be re-constructed. You would be surprised by how many people don’t mind putting these pieces together after finding them in trash. Yes, again, people will go through dumpsters to find this information. Watch the movie “Argo” and you’ll see what I mean.
  3. Shred as small as you can using a cross cut shredder. The smaller the pieces, the more difficult it is to put documents together again. If the pieces are large enough, there are even computer programs that you can use to recreate the documents.
  4. Fill a large cardboard box with your shreddables. You can do this all in one day, or allow the box to fill up over time.
  5. When the box is full, burn it. This way, you are sure the information is gone. Of course, make sure that your municipality allows burning.
  6. You should also shred and destroy items that could get you robbed. For instance, if you buy a huge flat screen television, don’t put the box on your curb. Instead, destroy, shred, or burn that box. If it’s on the curb, it’s like an invitation for thieves to come right in.
  7. Shred all of your documents, including any paper with account numbers or financial information.
  8. Shred credit card receipts, property tax statements, voided checks, anything with a Social Security number, and envelopes with your name and address.
  9. Talk to your accountant to see if they have any other suggestions on what you should shred and what you should store.
  10. Shred anything that can be used to scam you or anyone. Meaning if the data found in the trash or dumpster could be used in a lie, over the phone, in a call to you or a client to get MORE sensitive information, (like a prescription bottle) then shred it.
  11. Try to buy a shredder in person, not online. Why? Because you want to see it and how it shreds, if possible. If do buy a shredder online, make sure to read the reviews. You want to make sure that you are buying one that is high quality.
  12. Don’t bother with a shredder. I have so much to shred (and you should too) that I use a professional document shredding service.

I talked to Harold Paicopolos at Highland Shredding, a Boston Area, (North shore, Woburn Ma) on demand, on-site and drop off shredding service. Harold said “Most businesses have shredding that needs to be done regularly. We provide free shredding bins placed in your office. You simply place all documents to be shredded in the secure bin. Your private information gets properly destroyed, avoiding unnecessary exposure.”

Does your local service offer that? Shredding myself takes too much time. And I know at least with Highlands equipment (check your local service to compare) their equipment randomly rips and tears the documents with a special system of 42 rotating knives. It then compacts the shredded material into very small pieces. Unlike strip shredding, this process is the most secure because no reconstruction can occur.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Security training: the Human Being is impossible to fix

As long as humans sit at computer screens, there will always be infected computers. There’s just no end to people being duped into clicking links that download viruses.

12DA report at theregister.co.uk explains how subjects, unaware they were guinea pigs, fell for a phishing experiment.

  • Subjects were sent an FB message or e-mail from an unfamiliar sender, though 16 percent of the subjects who ultimately clicked reported they knew the sender.
  • The sender announced they had images from a New Year’s Eve party but not to share them.
  • 43.5% clicked the FB message link and one-quarter clicked the e-mail link.
  • Many of the subjects denied making these clicks, but most who admitted it named curiosity as the reason.
  • 5% claimed they thought their browser would protect them from an attack.

Obviously, there will always be that percentage of the human population who will allow curiosity to preside over common sense and logic. The idea of simply never, never, ever clicking a link inside an e-mail is an impossible feat for them—perhaps more difficult than quitting smoking or losing 50 pounds.

This is the battle that businesses have with their employees, which is how businesses get hacked into and massive data breaches result.

However, says the report, rigid training of employees may backfire because valid e-mails may be ignored—though it seems that there has to be a way for companies to get around this—perhaps a phone call to the sender for verification if the company is small. For large businesses, maybe executives could just resort to the old-fashioned method of reaching out to employees; how was this done before the World Wide Web was invented?

Digital signing of e-mails has been suggested, but this, too, has a loophole: some employees misinterpreting the signatures.

Nevertheless, security training is not all for nothing; ongoing training with staged phishing e-mails has been proven, through research, to make a big difference. Unfortunately, there will always exist those people who just can’t say “No” to something as mundane as images from a New Year’s Eve party from a sender they’ve never even heard of.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Three Quarters of a Billion Records breached

Last year, says the security firm Gemalto, over 700 million records were breached. Or, to put it another way, this translates to two million stolen or lost records every day.

3D2015 Breach Level Report

  • 1,673 hacking incidents
  • 398 were triggered from the inside of the attacked company: employees and even IT staff who were tricked (social engineering) by hackers into clicking on malicious links or attachments
  • Government agencies suffered the greatest data leaks.
  • Following that were nation states and healthcare enterprises (remember the big Anthem breach?)

Gemalto also says that the U.S. is the leading target of cyber attacks, with the UK, Canada and Australia following behind in that order. But don’t let Australia’s fourth place standing fool you. It reports only 42 publically reported incidents, while the U.S. has reportedly had 1,222.

How can you tell your computer has been compromised by an attack?

  • Your computer is running slowly; you’re not simply being impatient—the device really is moving at a crawl. This is a possible sign the computer is infected.
  • Another possible sign of infection: Programs open up without you making them, as though they have a mind of their own.

Protecting Your Computer

  • First and foremost, businesses need to rigorously put their employees through training. This includes staged phishing attacks to see if any employees can be tricked into revealing sensitive company information. Training for workers must be ongoing, not just some annual seminar. A company could have the best security software and smartest IT staff, but all it takes is one less-than-mindful employee to let in the Trojan horse.
  • If you receive an e-mail with a link or attachment, never rush to open them. Pause. Take a few breaths. Count to 10. No matter what the subject line says, there is always plenty of time to make sure an e-mail is from a legitimate sender before opening any attachments or clicking any links.
  • Use firewall and anti-virus software and keep them updated.
  • Use a virtual private network to scramble your online activities when you’re using public Wi-Fi so that cyber snoopers see only scrambling.
  • Use the most recent version of your OS and browser.
  • Regularly back up your data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Three ways to beef up security when backing up to the cloud

Disasters happen every day. Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.

Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.

A great way to protect your files is by backing up to the cloud. Cloud backup services like Carbonite allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.

Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:

  • Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.
  • Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.
  • Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. The best passwords are a combination of numbers, letters and symbols.

Cloud backups are convenient and have a good record when it comes to keeping your data safe. It doesn’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Tips for backing up and protecting your data while traveling

The season of giving is now upon us — but don’t forget, it’s also the season of stealing — and no, I don’t mean your wallet or the gift package at your doorstep, but your Social Security number, credit card information, medical records and any other highly confidential information that you have stored on your computers.

1DThieves want your data — the information stored in your smartphone, laptop and other devices. People are especially vulnerable to this crime when they travel. Don’t let the hustle and bustle of holiday travel detract you from protecting your data!

  • Make sure your devices have updated security software.
  • Remove all the sensitive data (e.g., medical records) from your device prior to travel — but not before you back it up.
  • One way to protect your data is cloud backup. Protecting your data begins with keeping your computer in a safe, secure, locked location, but when you are traveling, this is simply not an option. Therefore, automatically back up data to the cloud. The third layer is to use local backups; ideally sync software that offers routine backups to an external drive.
  • Before the trip, an IT expert should install disk encryption for your laptop– especially if you’ll be bringing along lots of sensitive data. If the laptop ends up in the wrong hands, the crook will see only scrambled data.
  • Even with the aforementioned security measures in place, you should also use a virtual private network when conducting online transactions at public Wi-Fi spots, so that snooping hackers “see” only encrypted transmissions.
  • All of the above tactics still aren’t enough. “Shoulder surfers” could visually snatch your login credentials while you’re typing away at the airport lobby or coffee shop. “Visual hackers” may also use binoculars and cameras. A privacy filter for your screen will conceal what’s on your screen. If they’re right behind youthis technology will alert you. You should use a privacy filter even when your back is to a wall.

Never let your device out of your sight, and if you must, like at a relative’s dinner gathering, lock it up.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Best practices for BYOD data storage

The Bring Your Own Device (BYOD) movement has in some ways saved companies money, but in other ways put customer data at risk. Employees are onsite, telecommuting or traveling on business. This means their devices, and company data could be anywhere at any given moment.

7WA company manager or owner realizes that company use of employee mobile devices brings benefits. But employees also use the devices for personal activities, increasing the risk of hackers getting into company data.

The solution is to train these employees in BYOD, information security and awareness. They must be aware of how risky a data breach is, how to secure data, especially if the device is loaded with company data. An overlooked part of that training is knowing how to deal with old data, back up that data and in some cases, delete it.

Data lives in 3 forms: stored on a local device, backed up in the cloud and deleted. Over time, old data begins to accumulate on devices and that can cause problems.

Here are some key considerations and best practices for dealing with the BYOD phenomenon at your business:

  • Ask yourself when old data no longer needed? Data should have expiration dates set up to indicate this.
  • Businesses should realize that “useless” or “old” data may surprisingly be needed sooner or later. This data can be stored offsite, in the cloud, so that if the device is hacked, at least the old data (which may contain valuable information to the hacker) won’t be accessible.
  • Setting up cloud storage that automatically backs up data will ensure that if a device is lost or stolen, the data is still available. Every bit of data, even if it’s seemingly useless, should be backed up.
  • How do you truly delete data? Don’t think for a second you’ll achieve this by hitting the delete button. In many cases, a hacker could still find it and obtain it from the hard drive. What you can’t see is not invisible to a skilled hacker.
  • Want to just get rid of old data altogether? You must destroy the hard drive. This means put it on the ground and hit with a sledgehammer. Then recycle the guts. Or you can professionally shred it.
  • Deploy Mobile Device Management (MDM) software that gives companies the ability to remotely manage devices. Tasks might include locating, locking or wiping a lost or stolen device. MDM can also be used to update software and delete or back up data.

The planning and prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and the tricks that cyber thieves use.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.