It’s Data Privacy Day, and It’s a Mess

Target continues to be tangled up in chains due to its December 2013 data breach that current estimates say affected 110 million customers.

2P Target is known as proficient and prolific in the use of mobile devices and other means for collecting consumer data. This proficiency has backfired, resulting in the retail giant struggling to regain consumer trust and brand name reputation, not to mention figuring out how this mess happened in the first place and how to prevent a repeat performance.

  • Was there a lapse in Target’s IT security?
  • Did “Big Data” go too far and get way too ahead of security?

And let’s not put all the focus on Target, either. What happened with Target is a sign of the times and perhaps a sign of things to come in this world of cyber transactions. The questions above should also be asked of Facebook, Google, Yahoo and others who waited until the fiasco involving Edward Snowden’s NSA scandal to better encrypt their user data.

Big Data is like a drug; so addictive you can’t get off it, and of course, a huge potential for danger. Companies like Facebook, Google and Twitter love to sell consumers’ data to advertisers—this is how these giants stay giants; otherwise, they’d shrink into nothing. And there’s no end in sight with Big Data. Big Data is on course to become the Big Bang Data—to forever expand consumers’ personal information into cyber space.

But all of these entities—retailers, social media, the government—need to take responsibility for what they’re doing with our data.

Just when you thought that your privacy couldn’t be violated any more, Big Data has now spread its tentacles into the realm of selling lists of sexual assault victims, people with AIDS and HIV, and seniors with dementia to marketers. The World Privacy Forum, in the midst of researching how data brokers gather up and sell consumers’ private information, discovered these lists, and unfortunately, there are more disturbing list categories that were uncovered. Marketers are actually purchasing this kind of data to target shoppers from every which way.

When are lawmakers going to catch up to Big Data and grab it by the horns?

In the meantime, consumers need to take control of their information online; it just takes one hacker to wreak havoc. Here are 6 tips every consumer should take to stay protected online.

#1 Install/update your devices antivirus, antispyware, antiphishing and firewall.

#2 Update your devices operating system ensuring the critical security patches are current.

#3 Password protect your devices and use strong passwords with upper/lower case, numbers and characters. Never use the same password twice.

#4 Protect your wireless communications from prying eyes with a virtual private network that encrypts your data. Hotspot Shield masks your IP address and prevents data leakage.

#5 Limit your exposure on social networks. Consider what you post and how it can be used against you by criminals, predators and your government.

#6 Before giving out your name, address, phone, email, or account numbers consider how it will be used and read the services terms of service and privacy policies.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Corporate BYOD puts Client Data at risk

When employees improperly use mobiles, they put their companies at risk for data breaches. This includes leaving lots of sensitive data on the devices—which can pave the way to leakage of data, plus other issues.

7WMobile device use in workplaces is increasing—and so is its associated security risks. Current security measures are lagging behind the increased rate of mobile device use in the corporate realm.

One study not only showed that a lot of company information was left on handsets, but personal information as well was left on, putting employees at risk for personal compromises.

This small study demonstrates a clear need for improved guidelines and policies governing smartphone use and security of the devices. This becomes even more relevant as businesses turn more to cloud storage for data.

Non-approved software-as-a-service (SaaS) apps, used by employees, is widespread, according to a McAfee study. These apps are not approved by the company’s IT department. Employees can easily bypass the IT department by using the cloud. The study showed:

  • Over 80 percent of survey participants reported using unauthorized SaaS apps.
  • About 35 percent of SaaS apps used on the job are not approved.
  • About 15 percent of users have had a security problem using SaaS.

Employees may not realize that their chosen SaaS apps are poorly safeguarded. Such employees aren’t malicious; they’re just trying to be more efficient. Businesses need to find the right balance of protecting themselves yet allowing employees to use apps for increased productivity.

An ideal situation would be to monitor SaaS apps and apply policies that do not inhibit employees’ ability to be productive.

A recent Forbes article got my attention and the authors solutions make good business sense.

Six Solutions

1) XenMobile. This allows IT to secure and manage smartphones, data and apps, and establish policies based on smartphone ownership, location or status. Users can then more easily access the web, e-mail, corporate apps and documents with a single click on a mobile.

2) Airwatch. This mobile device system provides management of apps, content and e-mail, to oppose inadvertent mismanagement of smartphones by employees (e.g., storing documents in vulnerable locations).

Just enter username and password; Airwatch will wirelessly and automatically configure all the settings, apps, security policies and more based on the worker’s role in the company.

3) Mobile Iron. This system manages and secures apps, devices and content, ideal for businesses that support the BYOD program. Personal content can be separated from corporate content, protecting the employee’s private data.

4) Good Dynamics secure mobility platform. This is a BYOD program that keeps employees productive while zeroing in on security. Personal data is partitioned off from business data to protect programs like e-mail.

5) Samsung Knox. This system is for Android devices, managing with a multi-tiered security approach. One’s network will be protected from malware, hacking, viruses and non-approved access.

6) Protect your BYOD on wireless networks. Use VPN if you’re on a portable wireless device. Hotspot Shield VPN is free, though its paid version is more e expanded and faster. First launch Hotspot before you use your PC laptop, iPad or iPhone to connect to free public Wi-Fi services like at the airport or at a coffee shop or hotel.

Your entire web surfing session will then be protected. All of your connections will be secured. This will eliminate some of the aggravation for your company’s IT department.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

10 Tips to Keep Your Data Private Online

The Internet has become an essential tool for most of us and a part of our everyday lives. We rely on it to send/receive emails, post/share photos and messages on social networking sites, shop for clothes, search for information, etc. But how do all these online activities affect your privacy?

2PYour online privacy depends on your ability to control both the amount of personal information that you provide and who has access to that information. Unfortunately, some of us are too casual and careless with how we manage our personal information and activities online. This leaves us vulnerable to identity theft and invasion of our privacy, both from legitimate and illegitimate sources.

That’s because your personal information, including your email address, phone number and Social Security number and other personally identifiable information, is worth a lot of money. The bad guys will use it to steal from you and businesses want to know as much about you as possible so they can sell you more products and services or serve you ads that are highly relevant to your demographics and preferences.

So take these simple steps to protect your valuable personal information:

  1. Be careful what you share and post online. Remember, don’t post or share anything that you wouldn’t want shared publically, even if you think you’re just sending it to one person.
  2. Don’t freely give out personal information online any more than you would to a stranger on the street. Keep personal information (such as your hometown, birth date with year and phone number) off social networks.
  3. Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online)
  4. Use private browsing mode on your Internet browser or at least turn off your browser cookies.
  5. Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
  6. Only friend or connect with people online you know in real life.
  7. Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
  8. Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow
  9. Routinely update your social media privacy settings to ensure your profile is appropriately protected and also make sure to change your passwords on your accounts at least 3x a year.
  10. 10. Make sure all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that provides not only antivirus, anti-spyware, anti-phishing, anti-spam and a firewall, but also protects your data and identity on your PCs, Macs, smartphones and tablets.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Devising a Data Security Strategy

Whether you are an individual who games, a work-at-home employee, a family of four that shops online, a road warrior or even a small business, chances are you have data to protect—and so this all pertains to you.

5DFundamentals:

Antivirus isn’t enough: A free antivirus package is good, but it might not update automatically—and you need your antivirus to be today’s version. Spend a couple bucks and get your antiphishing, antispyware and firewall protection.

Updated browsers: An old, outdated browser is a nightmare that is often riddled with holes for criminals to slither a bug through. Install the latest update ASAP, automatically or both.

Updated operating systems: Set your OS to automatically update, as manual updates are often forgotten and missed.

Disk encryption: Your device may come equipped with the ability to encrypt individual files, folders or the entire disk. There are many free third-party encryption programs that are excellent.

Backing up: You should have at least two local backups of all your data in case a device fails. I use external drives and GoodSync to keep it all backed up every hour. Also, invest in cloud-based storage that has encryption as well—all for under $100 annually.

Password management: It’s not OK to have one password for 30 accounts. You need 30 different passwords, and this can only be accomplished with a password manager.

Wireless WiFi protection: Having open WiFi so your neighbor can piggyback on your connection is a bad idea. Use WPA2 encryptions that are built into the router. Whenever using public free WiFi, use a virtual private network software such as Hotspot Shield VPN to encrypt all your data.

Mobile device security: Mobiles are small computers that store our data or have access to our cloud-based accounts. Mobiles need to be password protected and have antivirus protection, just like PCs do. Keep in mind that WiFi on a mobile is no different than on a laptop, so use a VPN on your mobile too.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

Organized Web Mobsters Getting Jobs Inside Corps

In 2009, there were a reported 140 million records compromised, compared to 360 million in 2008. In 2010 there have been almost 13 million records stolen. But don’t have a party just yet. Criminals are fine-tuning their craft and getting better. The industry just isn’t making it as easy. 97% of those records were stolen using malware – malicious software designed to attack the target’s existing systems and software in place.

A reported 50% of the malware was installed remotely. Almost 20% came from visiting infected websites and almost 10% was installed when employees clicked infected links that conned or “socially engineered” them.

A recent Verizon report stated, “Over the last two years, custom-created code was more prevalent and far more damaging than lesser forms of customization, the attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above.”

This may be also attributed to an inside job. A rogue employee on the inside always has the advantage of knowing exactly how to remain undetected.

The report further stated that organized crime rings may “recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score, the smaller end of these schemes often target cashiers at retail and hospitality establishments while the upper end are more prone to involve bank employees and the like.”

In the past three years that’s a total of 513 million records. On average, every citizen has had his or her data compromised almost twice. Where’s your Social Security number in that mix?

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)

Do You Spy on Your Spouse?

Robert Siciliano Identity Theft Expert

Generally in a trusting relationship spying isn’t necessary. I’m sure Sandra Bullock, Kate Gosselin or Tiger Woods wife didn’t think they needed to spy on their husbands, until they did. Reckless behavior like that can bring home a very itchy or very deadly disease.  One that victimizes the innocent.

The fact is humans have a tendency to lie.  Lying is generally done to protect people from the consequences of their actions or to protect others from the emotional hurt because of what they did.

Spying generally occurs when trust is broken or intuition kicks in and someone senses something is askew. Spying is easier today than it’s ever been. According to a recent survey polling 1,000 men and women of various ages, incomes, and locations in the United States, there’s a 38 percent chance you would spy if you’re 25 or younger.

Among respondents, 38 percent of those 25 years old or younger admitted to snooping on their boyfriend’s or girlfriend’s messages, and 36 percent of those who are married admitted to checking their spouse’s e-mail or call history.

Spying can be accomplished by simply picking up a person’s phone and looking at the incoming and out going calls and text messages. Mobile phone spyware is readily available and can monitor almost every aspect of a phones use remotely.

Small wireless cameras installed in lighters, pens, clocks, smoke detectors and just about anything else are readily available. Commercially available spyware can easily be installed on a person’s computer. Undetectable hardware called “key catchers” can be installed in the PS2 or USB ports and the person’s keyboard is piggybacked and logs all their keystrokes.

Identity thieves are using the exact same technologies.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN

Self-revelation Can Help Assemble a Social Security Number

I am not done nor will I ever be done sounding that alarm, ringing that bell and informing you about how ridiculous social media is. I was asked in a radio interview today what it will take to get people to recognize they are sharing too much data. In a word, tragedy. When a home is broken into, they install a home security alarm. When someone is mugged, they take a self defense course. When planes fly into buildings, we get frisked. Being smart is understanding risk and being proactive.

Most people are smart enough to NOT give out a social security number on Facebook. However between what you say, your family, friends and colleagues say and post, your profile is becoming more complete every minute. Even your mom or wife posts her name as “First Maiden Last” because she saw someone else do it and it made sense to allow her old friends/flames to find her.

But today with all this personal information readily available there are now rumblings from academia that they have cracked the code and have assembled technologies to decipher all this information and turn it into hard decipherable data that leads to opening new accounts in your name.

The New York Times reportscomputer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number. So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.”

SearchSecurity.com reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

From this point on I’d suggest locking down social media profiles in a way that they are not publicly accessible. Prevent anyone (except those very close to you) from seeing and reading everything about your daily activities, who you associate with and all the names and contact information of all your friends and family.

Robert Siciliano personal security expert to Home Security Source discussing cracking the code and wireless security on Fox Boston.

Criminal Hacker Gets 20. Books, Movies and Hollywood Starlet Next

Robert Siciliano Identity Theft Expert

Albert Gonzalez and his gang of criminal hackers were responsible for data breaches in retailers and payment processors, with some estimates saying they breached over 230 million records combined. Gonzalez, considered a proficient criminal hacker, provided “dumps,” a term which refers to stolen credit card data, to “carders.” “Carders” are the people who buy, sell, and trade stolen credit card data online.

“Gonzalez and his hacking buddies hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster’s, among other online retail outlets, in one of the largest — if not the largest — cybercrime operations targeting that sort of data thus far. They used some of the stolen numbers to remove cash from ATM machines and sold many of the other numbers to other criminals, including those in Eastern Europe.”

Gonzalez provided “sniffer” software used to intercept the credit and debit card numbers for the Russian hackers. Sniffer software or “malware” malicious software, acts like a virus attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

Wired reports Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

It was reported that Gonzalez buried a million dollars in the backyard of his parents’ Miami home. At one point he cracked and drew a map for investigators to find the money. WOW!

How many people in the course of history have actually dug a hole and buried a million bucks in it? I can’t wait to see the movie. I’d be happy playing a part in it. I’ll be the shovel.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Breach of 3.3 million Social Security numbers on Good Morning America

Be careful Your PC Isn’t Held for Ransom

Computerworld reported that a hacker threatened to expose health data and demanded $10 million from a government agency. The alleged ransom note posted on the Virginia DHP Prescription Monitoring Program site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data. “Unfortunately for Virginia, their backups seem to have gone missing, too.” “Uh oh,” posted the hacker.

Holding data hostage is sometimes done using “ransomware” Otherwise known as “ransom software.” The software gets on your PC as the result of you downloading an infected attachment or clicking the links in the body of an email. Sometimes you can get ransomware simply by visiting a website in what’s called a “drive-by.”

Once your PC is infected with ransomeware it locks down your files in a way that prevents you from accessing them and gives the bad guy full control of your machine.  Sometimes the virus poses as a “Browser Security and Anti-adware” security application whose license has expired. Windows machines infected by the malware are confronted by a full-screen message that poses as a Windows error.

This type of an exploit not common, but it’s definitely a rising star in the malware community. The best way to avoid this is to make sure your PC is updated with the most current version of your operating system, and anti-virus definitions. It’s also very important not to click on links in the body of an email or visit rogue websites that may have viruses that inject themselves into your browser.

Robert Siciliano personal security expert to Home Security Source discussing Ransomware on Fox Boston.

Is That Portable Device a Data Hazard?

Robert Siciliano Identity Theft Expert

According to a survey of London and New York City taxi companies last year revealed that more than 12,500 devices, such as laptops, iPods and memory sticks, are forgotten in taxis every six months. Portable devices that may have troves of sensitive data.

Recent reports of identity data including names, addresses, Social Security numbers on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowed. A company spokesperson said the stolen information was on a portable media device. “It was simple, old-fashioned theft, it was not a hacker incident.” Lovely. That’s just ducky spokesboy.

The survey further reached out to 500 dry cleaners who said they found numerous USB sticks during the course of a year. Multiplying that by the number of dry cleaners they got a figure of approximately 9000 USBs lost and found annually.

Computerworld reports a 2007 survey by Ponemon of 893 individuals who work in corporate IT showed that: USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. The survey showed 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do it and 87% said their company has policies against it.

It’s not just lost portable devices that are an issue. Found ones can be scary too.

Dark reading reports an oldie but goodie from Steve Stasiukonis, a social engineering master, he says those thumb drives can turn external threats into internal ones in two easy steps.

When hired to penetrate a network he says “We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems”

I did a program recently for a client where I presented in front of other security professionals. I had my laptop set up on the stage with my presentation loaded. The client was introducing me and asked if he could load a quick file onto my laptop to assist in his opening remarks. I inserted the drive for him and my anti-virus went NUTS! Seems his flash drive had a nice little virus on it. His boss, standing right next to him said “that’s why we are phasing out non-military grade security enabled flash drives as soon as we get back.”

I checked out BlockMaster SafeStick® 4.0 – a fast and user-friendly secure USB flash drive, which streamlines military-grade security and meets those standards to protect your data. The SafeStick hardware controller encrypts all data using AES256-bit encryption in CBC-mode. Encryption keys are generated on board at user setup, and all communications are encrypted. SafeStick is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, SafeStick is as simple to use as a standard USB flash drive.

The one I got just plugs in, initializes, then launches a program requiring the user to set up a password. From that point on any time the user has to access the data, a password needs to be entered.

Flash drives can be a security mess. Organizations need to have policies in place requiring secure flash drives and never plugging a stray cat into the network.

Disclosures: I have no financial ties to BlockMaster. I just like this thing.

Robert Siciliano Identity Theft Expert discussing good ole fashion identity theft on Good Morning America.