
Medical Identity Theft: 12 Million Patients Breached

Quest Diagnostics, a US-based provider of medical testing services, announced that third-party billing collection companies it used were hit by a severe data breach. About 11.9 million Quest customers were affected.

The compromised information could include patients’ personal data, including Social Security numbers, as well as medical and financial information. Laboratory test results, however, were not included in the breach.

What Happened?

The AMCA (American Medical Collection Agency), a billing collection service provider, informed Quest Diagnostics that an unauthorized user had gained access to the AMCA system, which contained personal information that AMCA had received from a variety of entities, including Quest. AMCA provides its collections services to Optum360, a Quest contractor. Both Optum360 and Quest are working with experts to investigate the issue.

Quest also noted that it still does not have much information about the security incident at AMCA and does not know for certain which data was compromised. However, Quest has stopped sending collection requests to AMCA and will not resume until the issue is resolved.

In an SEC filing, Quest revealed that the attackers had access to the AMCA system between August 2018 and March 2019.

According to one data breach website, analysts at Gemini Advisory first discovered the breach. They noticed a CNP (Card Not Present) database that had been posted for sale on a dark web market and determined that the data could have been stolen through the AMCA online portal. Gemini Advisory attempted to contact AMCA but received no response, so it contacted US federal law enforcement.

A spokesperson for AMCA said that, upon receiving information about a possible data breach from a compliance company that works with credit card companies, it conducted an internal investigation and took down its online payments page. The company also said it was investigating the breach with the help of an unnamed third-party forensics company.

The Quest breach exposed primarily financial data together with personal information (SSNs). That kind of information is significantly more lucrative than health information, which isn’t readily marketable by criminals, at least not yet. The financial information disclosed was comprehensive and included bank account and credit card numbers. Victims could therefore have their identities stolen and financial transactions completed in their name.

Customers of the company should place a credit freeze and monitor their bank accounts and credit cards for any unusual activity; freezing their credit reports ensures that no new credit lines can be opened in their name.

Act now to freeze your credit with the bureaus and warn them that your financial information may have been compromised. Financial institutions also usually have programs to take corrective action, which can prevent your credit card or account from being used without permission once it has been compromised.

The problem is that insurance and healthcare information has no such centralized process, which makes it extremely difficult to prevent someone without permission from using that information.

Jason Hart, cybersecurity evangelist at Thales, added that multi-factor authentication and encryption of the collected data might have spared the companies and victims these problems.

Ben Goodman, VP of innovation and global strategy at ForgeRock, noted that this is the second known breach for Quest in just three years. For a public company, it could lead to serious repercussions for brand reputation, shareholder trust, and stock price. He also said the exposed data might result in litigation: when First American Financial Corporation exposed 885 million documents full of sensitive information just last week, it took only a few days for the company to be hit with a class-action lawsuit.

Tom Garrubba, CISO and Senior Director for Shared Assessments, wants to see how quickly the Office for Civil Rights (the overseer of HIPAA compliance) moves in to gather information about the breach and to determine whether there was negligence and whether Quest is to blame, partially or fully.

Under the HIPAA Omnibus Rule, business associates (outsourcers) must handle any data with the same care required of covered entities, and those business associates have to provide due diligence to the covered entity.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon.com author, CEO of Safr.Me, and the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Scammers are Targeting Your Venmo and P2P Accounts

Do you use Venmo or other P2P accounts? If so, you could definitely be a target of scammers. Across the country, people are losing their cash, and it often happens so quickly that they don’t even know what’s happening.

You might think that you couldn’t be a victim, but scammers are often smarter and trickier, and they won’t hesitate to take advantage of you.

Here’s how they are doing it:

A stranger approaches you and asks to use your phone, with a sob story to make the request more credible. You hand your phone over; they make it look like they are dialing, but instead they are swiping and searching your phone for “Venmo,” getting into your Venmo account and transferring money to themselves. People are losing thousands of dollars simply for being kind to a stranger.

Tips to Keep Yourself Safe

When using a P2P payment system, know that they all require access to your financial information. So, when you use them, make sure your account settings enable every security measure available. The following tips can help keep you safe from scams like this.

  • Two-step authentication: open the app’s settings menu and turn it on. This might include a PIN or a biometric login, such as a fingerprint.
  • Get the money out of your account. In most P2P apps, when you get a payment, the money is generally added to the balance held in the app. It doesn’t appear in your bank account until you transfer it or use it in another way. If you want to transfer money to your bank account, you should definitely make sure that the deposit went through. Just keep in mind that it could take a couple of days to transfer.
  • Pay only those you know well. Scammers know a lot of tricks, and they will find methods to trick you into paying them in ways you would never expect. So, if you are sending money from one of these apps or sites, make sure that you know the person you are sending money to. If you are using the app or site to get money from someone else, transfer the payment into your bank account and make sure it transfers before you send any goods.
  • Disconnect from social media: finally, keep in mind that some apps or sites may share your transaction information on social media. Check your social media settings, because some of them might be set to share this information. Make sure you are comfortable with what is going out on social media.

Security Appreciation Lacking

What’s it gonna take for companies to crack down on their cybersecurity? What’s holding them back? Why do we keep hearing about one company data breach after another?

Well, there’s just not enough IT talent going around. The irony is that most company higher-ups admit that cybersecurity is very important and can even name specific situations that could compromise security, such as:

  • having multiple vendors vs. only a single vendor;
  • not having quality-level encryption in place;
  • allowing employees to bring their own mobile devices to work and use them there for business; and
  • having employees use cloud services for business.

Many even admit that they lack confidence in preventing a sophisticated malware onslaught and are worried about spear phishing attacks.

So as you can see, the understanding is out there, but then it kind of fizzles after that point: Businesses are not investing enough in beefing up their cybersecurity structure.

Let’s first begin with signs that a computer has been infected with malware:

  • It runs ridiculously slow.
  • Messages sent from your e-mail account behind your back by some unknown entity.
  • Programs opening and closing on their own.

What can businesses (and people at home or traveling) do to enhance cybersecurity?

  • Regularly back up all data.
  • All devices should have security software and a firewall, and these should be regularly updated.
  • Got an e-mail from your boss or company CEO with instructions to open an attachment or click a link? Check with that person first, by phone, to verify they sent you the attachment or link. Otherwise, this may be a spear phishing attempt: the hacker is posing as someone you normally defer to in order to get you to reveal sensitive information.
  • Mandate ongoing security training for employees. Include staged phishing e-mails to see who bites the bait. Find out why they bit and retrain them.
  • Never open e-mails with subject lines telling you an account has been suspended; that you won a prize; inherited money; your shipment failed; you owe the IRS; etc. Scammers use dramatic subject lines to get people to open these e-mails and then click on malicious links or open attachments that download viruses.
  • Install a virtual private network before you use public Wi-Fi.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

11 Ways to Mitigate Insider Security Threats

Companies are constantly attacked by hackers, but what if those attacks come from the inside? More companies than ever before are dealing with insider security threats. Here are 11 steps that all organizations should take to mitigate these threats and protect important company data:

  1. Always encrypt your data: If you want to minimize the impact of an insider threat, always encrypt data. Not all employees need access to all data, and encryption adds another layer of protection.
  2. Know the different types of insider threats: There are different types of insider threats. Some are malicious, and some are simply due to negligence. Malicious threats may be identified by employee behavior, such as attempting to hoard data. In this case, additional security controls can be an effective solution.
  3. Do background checks before hiring: Before you hire a new employee, make sure you are doing background checks. Not only will this show any suspicious history, it can stop you from hiring criminals or those associated with your competitors. Personality tests can also red-flag a propensity for malicious behavior.
  4. Educate your staff: Educating your staff on best practices for network security is imperative. It is much easier for employees to apply this information if they are aware of the consequences of negligent behavior.
  5. Use monitoring solutions: Monitoring solutions that collect application, identity and device data can be an invaluable resource for tracking down the source of any insider attack.
  6. Use proper termination practices: Just as you want to be careful when hiring new employees, you must also use proper practices when terminating them. This includes revoking access to networks and paying attention to employee actions on the network in the days before they leave.
  7. Go beyond the IT department: Though your IT department is a valuable resource, it cannot be your only defense against insider threats. Make sure you are using a number of programs and several departments to form a team against the possibility of threats.
  8. Consider access controls: Access controls may help to deter both malicious and negligent threats by making data more difficult to reach.
  9. Have checks and balances for all staff and systems: It is also important to ensure there are checks and balances in place, i.e. having more than one person with access to a system, tracking that usage and banning shared usernames and passwords.
  10. Analyze network logs: You should collect, store and regularly analyze all of your network logs, and make sure it’s known that you do this. This will show the staff that you are watching what they are doing, making them less likely to attempt an insider attack.
  11. Back up your data: Employees may be malicious or, more likely, they make big mistakes. When they do, you’ll sleep better at night knowing you have redundant, secure, cloud-based backup to keep your business up and running.
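Steps 6, 9 and 10 above become concrete once you actually run detections over the logs you collect. The following added example (not Carbonite’s code or anything from the original post) parses a handful of constructed VPN authentication lines and flags two of the patterns those steps describe: one username succeeding from several source addresses in a short window, which suggests a shared password, and any successful login by an account whose owner is on a constructed list of departed employees, which means access was never revoked. The log format, hostnames, usernames, addresses and dates are all constructed for the illustration.

```python
"""Flag shared-credential use and logins by departed staff in constructed VPN auth logs.

Added illustration, not Carbonite's or any product's code. The log format, hostnames,
usernames, IP addresses and termination dates below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses).
LOG_LINES = """
2019-06-05T08:01:12Z vpn01 auth: user=jsmith src=203.0.113.10 result=success
2019-06-05T08:03:40Z vpn01 auth: user=jsmith src=198.51.100.7 result=success
2019-06-05T08:05:02Z vpn01 auth: user=mlee src=203.0.113.22 result=success
2019-06-05T09:10:55Z vpn01 auth: user=mlee src=203.0.113.22 result=success
2019-06-05T09:12:30Z vpn01 auth: user=svc_backup src=192.0.2.5 result=success
2019-06-05T09:13:01Z vpn01 auth: user=svc_backup src=192.0.2.9 result=success
2019-06-05T09:13:45Z vpn01 auth: user=svc_backup src=192.0.2.14 result=success
2019-06-05T10:00:00Z vpn01 auth: user=rgarcia src=203.0.113.40 result=success
2019-06-05T10:02:00Z vpn01 auth: user=rgarcia src=203.0.113.40 result=failure
""".strip().splitlines()

# Constructed HR feed: accounts that should have been revoked on the given date.
DEPARTED = {"rgarcia": datetime(2019, 6, 1)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def shared_credential_alerts(events, window=timedelta(minutes=30), min_sources=2):
    """One username succeeding from several source IPs inside `window` suggests a shared password."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            sources = {e["src"] for e in logins[i:] if e["ts"] - first["ts"] <= window}
            if len(sources) >= min_sources:
                alerts.append((user, sorted(sources)))
                break  # one alert per user is enough for review
    return alerts


def departed_account_alerts(events, departed):
    """A successful login after the owner's termination date means access was not revoked."""
    return [
        (e["user"], e["ts"])
        for e in events
        if e["result"] == "success" and e["user"] in departed and e["ts"] >= departed[e["user"]]
    ]


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for user, sources in shared_credential_alerts(evs):
        print(f"shared-credential suspect: {user} from {', '.join(sources)}")
    for user, ts in departed_account_alerts(evs, DEPARTED):
        print(f"departed account still active: {user} at {ts:%Y-%m-%d %H:%M}")
```

Run against the sample, `jsmith` and `svc_backup` are flagged for multi-source use and `rgarcia` for logging in after the termination date; `mlee` is quiet because both logins share one address. The window and threshold are tunable so that roaming users on VPN do not drown the review queue.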

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. See him discussing identity theft prevention. Disclosures.

5 In-Demand Cybersecurity Specialties

There are numerous subspecialties within the booming cybersecurity field[i]. Here are some of the most in-demand professions:

Cybersecurity Engineer: This is the all-around, jack-of-all-trades, go-to guy or gal of cybersecurity. For all intents and purposes, a cybersecurity engineer is a hacker – but a good one. Using their advanced knowledge of malware, viruses, theft, DDoS attacks and other digital threats, cybersecurity engineers defend organizations against crime online. Personality traits required for this role include being flexible, nimble and a do-it-yourselfer. Candidates also must have:

  • A good background in penetration testing.
  • Experience with additional online security measures.
  • On-the-job experience, which is an absolute must for this position.

Malware Analyst: If you choose to specialize, working as a malware analyst is like being an oncologist fighting cancer. There’s research, removal or treatment, and it’s up to you to decide how to apply your training.

With millions of types of malware on PCs, Macs and even mobile devices, there’s a significant shortage of experts in this highly in-demand field. Responsibilities include:

  • Identifying and fighting viruses, worms and Trojan attacks.
  • Educating companies about malicious software.
  • Analyzing malware inside and out.
  • Developing tactics to help prevent future attacks.

Application Security Administrator: Back in the days of desktop computing, the only means of compromising data were to insert a contaminated floppy disk into a PC or open an infected email attachment. We’ll call this the “anti-virus era.”

Next came the “network security era.” The need for cybersecurity evolved with the Internet as more companies developed internal and external networks.

Information security has evolved yet again. Today, we live in the “application security era.” The demand for application security administrators is nearly limitless. The job includes:

  • Performing application security reviews, looking for potential weaknesses.
  • Writing testing code for applications.
  • Ensuring a company’s applications comply with the minimum standards for security.
  • Ensuring that any applications that the company uses conform to the minimum standards for privacy.

Chief Information Security Officer (CISO): CISO is the top position that managers in the field of cybersecurity work toward. Prospective candidates should take a multifaceted approach to cyber education, with courses in business fundamentals. Responsibilities might include:

  • Monitoring the efficacy of security operations.
  • Preparing a company to fight cyber attacks.
  • Designing strategies to oppose imminent threats as well as threats in their early stages.
  • Looking for cyber intrusions.
  • Analyzing the company for possible holes in its network.
  • Managing other security personnel.

Security Consultant: It’s tough to land a 9-5 job as a security consultant, but this is one of the most gratifying positions one can pursue when engaged in the diverse and rapidly changing world of cybersecurity.

Consultants come in two flavors: those with a knack for solving problems in a particular niche, and those who have accumulated knowledge of multiple systems over the course of their career. Security consultants are expected to:

  • Work with companies to come up with security tactics that align with the company’s particular needs.
  • Possess knowledge about security standards, systems, etc.
  • Have superb communication and management skills, as the security consultant will need to interface with management and know the company’s corporate policies.
  • Test security measures that they’ve recommended.

When choosing a specialty, keep a few things in mind. Try to choose one that can complement another in case you decide to make a change. Research how much training and education, in time and money, might be needed. Are there certifications that need to be renewed, and how often? Consider the dynamics of the specialty, such as whether you will be working with individuals, teams, or by yourself. Will there be travel involved? Does it require overtime, or is it a straight 40-hour-a-week job?

No matter what you choose, follow your heart.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.

[i] http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

Dept. of Homeland Security Computers Vulnerable

There’s a problem on the home front: security lapses in the computers of the Secret Service and Immigration and Customs Enforcement (ICE), says a report on townhall.com. These departments were recently audited, and weaknesses were revealed.

Recently, hackers got into the White House, State Department and the Office of Personnel Management, among other entities, which has caused the public to wonder just how strong cybersecurity is for the U.S. government. Hence the audit.

The root of the problem may be inadequate training of the investigators and analysts for the Department of Homeland Security. This seems to have stemmed from Congress cutting corners with the training budget. The internal websites for the Secret Service and ICE were shown to be deficient.

How many employees does the Department of Homeland Security have? 240,000. That’s a lot of potential for inadequate training to result in someone accidentally opening a back door for hackers.

The audit made nine recommendations to the DHS. The DHS has reported that it’s been making efforts to address these recommendations.

  • The Secret Service and ICE are responsible for coming down on financial fraud, money laundering, identity theft and fraud involving banks and credit cards.
  • The National Protection and Programs Directorate (NPPD) was also audited, and this entity is responsible for the security of government computers.
  • ICE, the Secret Service and the NPPD blame Congress for the security lapses. They point out that Congress has a stop-and-go style of funding for cybersecurity, because Congress will not authorize ongoing funding throughout the year.
  • In fact, an ICE analyst revealed that he had to pay out of pocket for cybersecurity training, and thanks to the limited budget for this, was not able to attend formal training in four years.

The report states that employees may not be able to carry out their assigned incident response to a cyber attack, or efficiently investigate such an incident, as long as training remains sporadic and scattered across the DHS rather than department-wide.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

The Impact of Ransomware on Small Businesses

What’s going on this September? National Preparedness Month. This will be the time to increase your awareness of the safety of your business, family, pets and community. During disasters, communication is key. National Preparedness Month concludes on September 30 with the National PrepareAthon! Day.

It would be like a science fiction movie: you go to pull up the file detailing your last quarter’s profit and loss statement, and instead you get a flashing notice: “Your computer has been compromised! To see your file, you must pay money!”

This is called ransomware: a type of malware sent by criminal hackers. Welcome to the world of cybercrime. Ransomware can prevent you from doing anything at all on your computer.

Where does this ransomware come from? Have you clicked a link inside an e-mail lately? Maybe the e-mail’s subject line really grabbed your attention, something like: “Your FedEx shipment has been delayed” or “Your Account Needs Updating.”

Maybe you opened an attachment that you weren’t expecting. Maybe you were lured to a website (“Dash Cam Records Cyclist Cut in Half by Car”) that downloaded the virus. Other common ways crooks trick you into downloading ransomware include:

  • Hackers impersonate law enforcement; claim you downloaded illegal material; demand a fine for your “violation.”
  • You receive a message that your Windows installation requires activation because it’s counterfeit.
  • Or, the message says your security software isn’t working.

What should you do?

  • Never pay the ransom, even if you’re rich. Paying up doesn’t guarantee you’ll regain access. Are you kidding?
  • Double check that all of the newly encrypted (and utterly useless) files are backed up, then wipe your disk drive and restore the data.
  • Wait a minute—your files weren’t backed up?

An ounce of prevention is worth a pound of hacking.

  • Don’t open links or attachments you’re not expecting! This includes from senders you know or companies you patronize.
  • Install an extension on your browser that detects malicious websites.
  • Use a firewall and security software and keep it updated.
  • Regularly back up data, every day ideally.
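“Double check that the files are backed up” and “regularly back up data” are only useful if you can prove, before wiping a drive, that the backup is intact and that the restore matches it. The following added example (not Carbonite’s code or anything from the original post) shows one way to do that: record a SHA-256 manifest when the backup is taken, compare the live directory against it to see which files ransomware has altered, then verify the restored copy against the same manifest. The directory layout, file contents and the simulated encryption step (overwriting a file with random bytes) are all constructed inside a temporary directory.

```python
"""Hash-manifest check for a backup, so a restore can be verified before trusting it.

Added illustration, not Carbonite's code. The directory layout and file contents
are constructed in a temporary directory; the ransomware step is simulated by
overwriting a file with random bytes.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root, manifest):
    """Compare a live directory with a stored manifest and classify every path."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Back up, simulate encryption of the live copy, then restore and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data, backup, manifest_file = tmp / "data", tmp / "backup", tmp / "manifest.json"
        (data / "reports").mkdir(parents=True)
        (data / "ledger.csv").write_text("quarter,profit\nQ2,12000\n")
        (data / "reports" / "q2.txt").write_text("Quarter two summary\n")

        # Backup: copy the tree and store a manifest with it (keep the manifest offline in practice).
        shutil.copytree(data, backup)
        manifest = build_manifest(backup)
        manifest_file.write_text(json.dumps(manifest, indent=2))
        before = verify_against_manifest(data, json.loads(manifest_file.read_text()))

        # Simulated ransomware: the ledger is overwritten with random bytes and a note appears.
        (data / "ledger.csv").write_bytes(os.urandom(64))
        (data / "ransom_note.txt").write_text("Your files have been encrypted.\n")
        after = verify_against_manifest(data, manifest)

        # Wipe and restore from backup, then prove the restore matches the manifest.
        shutil.rmtree(data)
        shutil.copytree(backup, data)
        restored = verify_against_manifest(data, manifest)
        return before, after, restored


if __name__ == "__main__":
    before, after, restored = demo()
    print("before  :", before)
    print("after   :", after)
    print("restored:", restored)
```

The point of the manifest is that it was taken when the data was known good, so a backup job that silently copied already-encrypted files shows up as “modified” when checked, rather than being discovered after the drive has been wiped.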

Needless to say, ransomware attacks also hit businesses. Small companies are particularly vulnerable because they lack the funds to implement strong security. Attacks on businesses usually originate overseas and are more sophisticated than attacks on the common Internet user at home or at the coffee house.

And just like the common user, the business should never pay the ransom, because this will only prolong the situation.

  • Make the criminal think you’re going to pay. Tell them you need time to prepare the fee.
  • Build your defense by gathering all the correspondence.
  • Present this to your webhosting provider, not the police.
  • The webhoster will get to work on this.
  • If the loss is extensive, present the correspondence to the FBI.
  • If the attack is in virus form, you’re finished.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained in how “phishing” e-mails work and other tricks that cyber thieves use. To learn more about preparing your small business against viruses like ransomware, download Carbonite’s e-book, “5 Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. Disclosures

The Beginner’s Guide to Using Tor

Want to be invisible online? Get to know Tor.

Tor will make you cyber-anonymous, concealing your cyber footprints, ID, browsing history and physical location. It even makes the sites you visit anonymous. That said, there seems to be a concerted effort by certain US government agencies and others to crack Tor, but it hasn’t been completely accomplished…yet.

More on Tor

Realize that Tor can’t provide 100 percent security. On paper, the Tor network is secure. But when the typical Joe or Jane’s traffic leaves Tor through an “exit node” and lands on a website or server in the “open web,” and that site is not encrypted, their communications can be hijacked at that point.

Tor is actually easy to set up. You can download packages for your operating system (Mac, Windows or GNU/Linux), and these include the Tor Browser. The Covert Browser supports Tor for iOS and Android.

You may find, however, that your device fights against installing Tor; it thinks the download is malevolent and won’t accept it. Keep trying. Have faith in the Tor code and download it.

The Tor experience is quite leisurely, slowing down what you can do in a given amount of time. It’s not going to get faster, either, as more and more people decide to use Tor. It’s slow because it directs traffic through multiple random relay nodes before it reaches the destination. So realize that you’ll be dealing with more of a turtle than a hare.
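The reason those relays cost time, and the reason the exit-node caveat above matters, is that the client wraps each message in one encryption layer per relay, so every relay can strip exactly one layer and learn only where to send the rest. The following added example (not the Tor Project’s code; a toy model, not Tor’s real protocol, which uses AES-CTR with keys negotiated per circuit) builds a three-hop circuit with a SHA-256-based stand-in stream cipher, forwards a constructed HTTP request through it, and records what the first and last relay could see. It also shows the difference the site’s own encryption makes: with a plain-HTTP destination the exit relay sees the session cookie, while with a TLS stand-in it sees only ciphertext. Relay names, keys and the sample request are constructed.

```python
"""Toy onion routing: each relay strips one encryption layer and learns only the next hop.

Added illustration; not Tor's real protocol (Tor uses AES-CTR with keys negotiated
per circuit). Relay names, keys and the sample HTTP request are constructed here.
"""
import hashlib
import json
import os


def _keystream(key, nonce, length):
    # Toy counter-mode keystream built from SHA-256 (stand-in for a real stream cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, data):
    nonce = os.urandom(12)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key, blob):
    nonce, ciphertext = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Relay:
    """A relay holds one circuit key and records what it could observe."""

    def __init__(self, name):
        self.name = name
        self.key = os.urandom(32)  # assumed shared with the client out of band in this toy
        self.observed = []

    def peel(self, cell):
        layer = json.loads(decrypt(self.key, cell))
        next_hop, inner = layer["next"], bytes.fromhex(layer["payload"])
        self.observed.append({"next_hop": next_hop, "payload": inner})
        return next_hop, inner


def build_onion(path, destination, payload):
    """Wrap the payload innermost-first: exit layer, then middle, then guard."""
    next_hops = [relay.name for relay in path[1:]] + [destination]
    cell = payload
    for relay, next_hop in zip(reversed(path), reversed(next_hops)):
        layer = {"next": next_hop, "payload": cell.hex()}
        cell = encrypt(relay.key, json.dumps(layer).encode())
    return cell


def route(cell, path):
    """Forward the cell through each relay in order; return (destination, payload)."""
    next_hop = None
    for relay in path:
        next_hop, cell = relay.peel(cell)
    return next_hop, cell


def demo(site_uses_tls):
    """Build a 3-hop circuit and report what each end of it can see."""
    guard, middle, exit_node = Relay("guard"), Relay("middle"), Relay("exit")
    path = [guard, middle, exit_node]
    request = b"GET /account HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123\r\n\r\n"
    site_key = os.urandom(32)
    # TLS stand-in: an encrypted site means the client encrypts end to end before onion-wrapping.
    payload = encrypt(site_key, request) if site_uses_tls else request
    cell = build_onion(path, "example.com", payload)
    destination, delivered = route(cell, path)
    return {
        "guard_sees_next": guard.observed[0]["next_hop"],
        "guard_sees_cookie": b"Cookie" in guard.observed[0]["payload"],
        "exit_sees_cookie": b"Cookie" in exit_node.observed[0]["payload"],
        "destination": destination,
        "delivered_ok": (decrypt(site_key, delivered) if site_uses_tls else delivered) == request,
    }


if __name__ == "__main__":
    print("plain HTTP:", demo(site_uses_tls=False))
    print("HTTPS     :", demo(site_uses_tls=True))
```

The guard relay learns only that the next hop is the middle relay and never sees the request; the exit relay never learns who the client is but, for a plain-HTTP site, reads the request in full. That asymmetry is exactly why anonymity from Tor does not replace encryption to the site you are visiting.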

Tor blocks applications, too. If you want total anonymity, you should use the Tor software with the Tor Browser. But plugins will be blocked by the Tor Browser, because plugins can be used to reveal your IP address. This is why the Tor Project suggests not installing plugins. This means giving up YouTube and other sites while using Tor.

Be warned, Tor can get you undesired attention because the government is more suspicious of Tor users. This doesn’t mean the government will knock down your doors if you’re using Tor. It just means that Tor users may get the attention of the government more than typical Internet users.

As previously stated there’s evidence that government agencies, including the NSA, are trying to dismantle the Tor network, even though it delivers strong privacy protection to average Internet users.

If you want this level of anonymity, you’re going to have to get used to the fact that using Tor will change your online experiences (can you get by without YouTube?). The Tor Project says: “You need to change some of your habits, as some things won’t work exactly as you are used to.”

No matter whether on Tor or the open web, make sure if you are on free public WiFi that you are using Hotspot Shield to encrypt any wireless data.

Give Tor a try if privacy and anonymity are important enough for you to give up some of the features that make your online activities enjoyable, convenient and/or productive timewise.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Celebrate Cybersecurity with Intel and McAfee Lifehacks

During National Cyber Security Awareness Month (NCSAM), Intel and McAfee are reaching out to digital citizens to come up with and share their favorite lifehacks. Lifehacks are tips and tricks to make life easier, more productive, interesting and just plain fun. Lifehacks are usually cheap or free and sometimes put money in your pocket. Best of all lifehacks are creative and often inspirational.

To celebrate NCSAM, Intel and McAfee are providing digital security lifehacks to get you on the fast track to online security.

Here’s a lifehack example: to get the best pricing when searching for airfare online, use private browsing mode. Why? I’m told that when we search online for airfare, the websites place tracking codes (known as cookies) on our computers or mobile devices, so when we revisit those sites to check whether prices have changed, they already know the original prices we were quoted.

Here’s another one: Use single-use credit cards online. Why? When shopping online, you could be exposed to credit card theft if your computer is compromised or the site you are shopping on is not safe. A one-time use credit card is just that—it only works the one time you use it. It’s perfect for online shopping—even if someone hacks that credit card number, it won’t be valid any other time.

If your online privacy is important to you, why not take this month to share what you’ve learned with those you care about? To get involved and enter to win a free Ultrabook™ and McAfee LiveSafe™ subscriptions, go to mcafee.com/lifehacks to find more lifehacks to share.

This October, stay proactive in protecting yourself from the hackers, or you just might find scary things happening at your own computer, smartphone or tablet. To join the conversation, follow #HackYourLife on Twitter for more tips and updates.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.