
Spear Phishing Leaves a Bloody Wound

Once criminal hackers get a person’s username and email address, they can begin to launch a targeted spear phish scam. Scammers copy the design of each breached entity’s outgoing email campaign and blast the breached list with “account update” or other ruses, so the fake arrives looking exactly like the mail those recipients already expect.

Gaming site Sega Pass was hacked. The Sega Pass website states, “we had identified that unauthorized entry was gained to our Sega Pass database.” Numerous outlets report that hackers stole Sega Pass members’ email addresses, dates of birth, and encrypted passwords.

The recent Epsilon data breach resulted in a similar loss of data. Epsilon is a marketing company that sends over 40 billion emails a year, and keeps millions of consumer email addresses on file. When hackers breached Epsilon’s database, the email subscriber lists for over 100 major companies were compromised.

Consumers received breach notifications from financial institutions including Citigroup, Capital One, and JPMorgan Chase, and from hotels such as the Marriott and the Hilton.

All of these organizations’ customers remain susceptible to spear phish scams for as long as the stolen addresses stay in use.

The Wall Street Journal reports that GlaxoSmithKline sent email notifications to consumers who had registered with any of GlaxoSmithKline’s websites for prescription or nonprescription drugs and products, warning that consumers’ names and email addresses had been hacked, and that the stolen data may have included the specific product websites where consumers registered.

GlaxoSmithKline provides medications for patients with HIV and mental health disorders. The possibility of the stolen data being used to target the ill with spear phishing attacks, tailored to the very condition a product registration reveals, is a major concern.

These kinds of breaches will have long-lasting effects on the public.

Never disclose personal information or login credentials in response to an unsolicited email. Never click links in an unsolicited email; instead, use your bookmarks menu or type the address into your browser’s address bar. If your email address has been compromised, consider switching to a new address. Create new, unique passwords, and never reuse the same password across multiple accounts.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

Data Breaches Up, Lost Records Down

According to a recent report from Verizon, data breaches are on the rise. There were 760 data breaches recorded in 2010, compared to 140 breaches in 2009. However, there were approximately four million records stolen in 2010, as opposed to 144 million stolen in 2009.

This means there were fewer large-scale breaches involving millions of records, and many more breaches that compromised fewer records at a time.

Criminals have shifted their focus away from large corporations that have implemented multilayered security measures to protect mass amounts of data, and are now targeting smaller companies with smaller databases that have yet to implement strong security measures.

Verizon’s study further shows that in 2010, 92% of data breaches were external hack attacks, a 22% increase from 2009. Nearly 80% of the stolen data was accessed via malware that gave attackers back door computer access.

This shift from bigger to smaller breaches may also indicate that hackers are realizing that big breaches get more attention, and therefore increase their chances of being caught. Furthermore, a breach of 100 million credit card numbers might be discovered quickly, and all those card numbers would immediately be cancelled. A breach of just 10,000 credit card numbers would be more likely to stay under the radar, meaning those cards would remain active for longer.

There are now multiple breach lists, and not all define a data breach the same way. According to the Identity Theft Resource Center, there were at least 662 data breaches in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit or debit card data.

The ITRC elaborated, “Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events that occur. It is clear that without a mandatory national reporting requirement, many data breaches will continue to be unreported, or under-reported.”

Identity theft can happen to anyone. McAfee Identity Protection, offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first and provides live access to fraud resolution agents who work with the victim to help restore their identity even from past theft events. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

Top 5 Business Security Risks

1. Data Breaches: Businesses account for the largest share of reported data breaches, 35% of the total. Medical and healthcare services are also frequent targets, accounting for 29.1% of breaches. Government and military make up 16.2%, banking, credit, and financial services account for 10.5%, and 9.2% of breaches occur in educational institutions.

Even if you protect your PC and keep your critical security patches and antivirus definitions updated, there is always the possibility that your bank or credit card company may be hacked, and your sensitive data sold for the purposes of identity theft.

2. Social Engineering: This is the act of manipulating people into taking certain actions or disclosing sensitive information. It’s essentially a fancier, more technical form of lying.

At 2010’s Defcon, a game was played in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. Of 135 “targets” of the social engineering “game,” 130 blurted out sensitive information. All five holdouts were women who gave up zero data to the social engineers.

3. Failure to Log Out: Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or “Save password,” and, once selected, will keep you logged in indefinitely. This feature works with cookies, small files the browser stores and sends back on every visit, so anyone who picks up the device, or copies the cookie, inherits the session. Browsers and some operating systems also include an “auto-complete” feature that remembers usernames and passwords.

4. Inside Jobs: With millions losing jobs, there are many opportunities for an insider to plug in a thumb drive and steal client data or other proprietary information. Networks are like candy bars, hard on the outside, soft and chewy on the inside. Insiders who fear layoffs may be easily tempted to use their access to profit while they have the chance.

5. Fraudulent Accounts: Many businesses lay claim to thousands or millions of members or clients who have access to web-based accounts. No matter the nature of the business, social network, dating site, gaming site, or even bank or retailer, some percentage of the accounts are ongoing instigators and repositories for fraud. Troublemaker accounts undermine the stability of any organization, and flushing them out is essential.

One anti-fraud service getting lots of attention for protecting online businesses from crime and abuse is ReputationManager 360 by iovation Inc. The service is used by hundreds of online businesses to prevent fraud by deeply analyzing the computer, smartphone, or tablet connecting to their online properties.
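Item 3 above describes a “Remember me” login that stays valid indefinitely. The block below is an added example, not code from the original post or from any product it names, showing the opposite design in Python: the cookie carries a random selector plus a random validator, the server stores only a hash of the validator together with an owner and an expiry, a redeemed token is rotated so a copied cookie works at most once, and “log out everywhere” revokes the lot. The 30-day ceiling, the in-memory store, the cookie name and the user names are assumptions for the demo.

```python
"""Bounded "remember me" tokens with rotation and revocation.

Added example, not code from the original post or from any product it names.
Split-token pattern: the cookie carries 'selector:validator'; the server keeps
only sha256(validator), the owner and an expiry, so a leaked database cannot be
replayed as cookies and a leaked cookie dies on its own. The 30-day ceiling,
the in-memory store and the cookie name are assumptions for the demo.
"""
import hashlib
import hmac
import secrets
import time

REMEMBER_ME_TTL = 30 * 24 * 3600  # assumption: persistent logins live at most 30 days


class RememberMeStore:
    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._rows = {}      # selector -> (user, sha256(validator), expires_at)

    def issue(self, user):
        """Mint a token and return the cookie value 'selector:validator'."""
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        self._rows[selector] = (user, _digest(validator), self._now() + REMEMBER_ME_TTL)
        return selector + ":" + validator

    def redeem(self, cookie):
        """Return (user, fresh_cookie) for a valid token, or None.

        A valid token is consumed and replaced, so a copied cookie works once
        at most and the legitimate user's next visit invalidates the copy.
        """
        selector, sep, validator = cookie.partition(":")
        if not sep:
            return None
        row = self._rows.get(selector)
        if row is None:
            return None
        user, validator_hash, expires_at = row
        if self._now() >= expires_at:
            del self._rows[selector]      # expired: drop it and force a real login
            return None
        if not hmac.compare_digest(validator_hash, _digest(validator)):
            return None                   # wrong secret half; constant-time compare
        del self._rows[selector]
        return user, self.issue(user)

    def revoke_all(self, user):
        """'Log out everywhere': invalidate every persistent login for a user."""
        for selector in [s for s, row in self._rows.items() if row[0] == user]:
            del self._rows[selector]


def _digest(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def set_cookie_header(cookie_value, max_age=REMEMBER_ME_TTL):
    """Set-Cookie line that bounds the lifetime and keeps the token off script and plain HTTP."""
    return "remember_me=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax" % (
        cookie_value, max_age)


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")
    print(set_cookie_header(cookie))
    print(store.redeem(cookie)[0])   # alice
    print(store.redeem(cookie))      # None: the old token was consumed
```

The Max-Age on the Set-Cookie line and the expiry stored server side must agree; the server-side check is the one that matters, because a browser that ignores cookie expiry, or an attacker replaying a copied cookie from a script, never sees the client-side limit.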

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Epsilon Breach Reminds of Security Awareness

Epsilon is a marketing company that keeps millions of consumers’ email addresses on file, belonging to people who have made purchases from or are affiliated with various banks, retailers, hotels, etc. Epsilon sends over 40 billion emails a year and was recently breached in a hack attack. Consumers are now receiving breach notifications from the likes of financial institutions such as Citigroup, Capital One and JPMorgan Chase, and hotels such as the Marriott and the Hilton.

The result of the breach is that consumers will receive phishing emails that look like they come from one of the breached entities but are in fact fake, designed to trick the victim into entering usernames and passwords or providing personal information such as credit card or even Social Security numbers.

This is made possible by the fact that the consumer is accustomed to receiving similar emails on a regular basis and may not be able to tell the difference between a real message and a fake one.

This breach should unquestionably heighten consumers’ awareness of their personal security, with regard to both their information security and their physical security. Criminals are targeting the public in more ways today than ever before.

Being overwhelmed and paranoid is unnecessary, but being alert and focused is essential.

A constant vigilance is required in order to protect yourself and family from the onslaught of scams and potential violence that is being perpetrated every moment of every day.

Meanwhile:

Never enter personal information in response to an email you did not initiate.

Never click links in an email. Go to your bookmarks or manually type in the address.

Consider changing your email address if it has been exposed in a breach.

Change all your passwords, and make each one unique. No two accounts should share the same password.
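The “never click links” advice here, and in the spear phishing post above, rests on one observable: a genuine message from a breached entity keeps its links on that entity’s own domain, while a phish built on the stolen list copies the template but points the links elsewhere. The block below is an added example, not code from the original post, that checks each anchor in an HTML mail body against the sender’s known domain, flags lookalike hosts and plain-HTTP links, and reports when the visible link text names a different host than the real target. The sender domain `bank.example`, the reserved `.test` and `.invalid` names and the sample message are all constructed for the demo.

```python
"""Inspect the links in an HTML email before trusting them.

Added example, not code from the original post. A real sender keeps its links
on its own domain; a spear phish built on a stolen subscriber list copies the
template but points the links somewhere else. All domains are reserved example
names and the message is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "bank.example"   # assumption: the domain the real sender uses


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lowercase hostname of a URL, or of bare text such as 'www.bank.example/login'."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower().rstrip(".")


def belongs_to(host, domain):
    """True for the domain itself and its subdomains; false for 'domain.evil.test'."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, legit_domain=LEGIT_DOMAIN):
    """Return [(href, [reasons])] for every link that should not be clicked."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    brand = legit_domain.split(".")[0]
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not belongs_to(host, legit_domain):
            reasons.append("host %r is outside %s" % (host, legit_domain))
            if brand in host:
                reasons.append("lookalike: contains %r but is not %s" % (brand, legit_domain))
        # visible text that looks like an address must agree with the real target
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            reasons.append("text shows %r but link goes to %r" % (shown, host))
        scheme = urlparse(href).scheme.lower()
        if scheme != "https":
            reasons.append("not https (scheme %r)" % scheme)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one genuine link, two typical spear-phish links.
SAMPLE_EMAIL = """
<p>Dear customer, we recently upgraded our systems.</p>
<p><a href="https://www.bank.example/security">Read our security notice</a></p>
<p><a href="http://bank.example.account-verify.test/login">www.bank.example/login</a></p>
<p><a href="https://bank-example-update.invalid/">Update your account now</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The second sample link is the classic trick: the real domain appears at the front of the hostname, but the registrable part is `account-verify.test`, which is why the check uses a suffix match on `.bank.example` rather than a substring search. A clean result from this script is not proof that a message is genuine; it only removes the obvious cases, and the advice to type the address yourself still stands.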

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.

Man Arrested For Stealing 15,000 Social Security Numbers

Now more than ever, criminal hackers are hacking into databases that contain Social Security numbers and using the numbers to open new financial accounts. Criminals use stolen Social Security numbers to obtain mobile phones, credit cards, and even bank loans. Some victims whose Social Security numbers fell into the hands of identity thieves have even had their mortgages refinanced and their equity stripped.

WTEN.com reports an arrest has been made of an individual alleged to have illegally downloaded personal information, including Social Security numbers of about 15,000 people.

Police arrested a man “for stealing the collection of Social Security numbers from computers belonging to contractors working for the Office of Disability and Temporary Assistance, which is the New York state agency that decides some initial disability claims for Social Security.”

As in most cases of data theft, the Office of Disability and Temporary Assistance will notify and provide credit monitoring services to affected individuals.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen, for example “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

Given that the entire population of the United States has had its information compromised more than 1.5 times over, why wait for another breach to get personal information monitoring?

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information including use of Social Security number and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

Putting An End to Data Breaches As We Know Them

The AP reports “WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next.”

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

WikiLeaks has been quite the news topic, and for good reason. Data breaches cost in many ways. One cost is of course in the form of dollars. But when it is military secrets that are breached, that can cost lives.

It shouldn’t be this way.

The talk show pundits buzz that with the release of thousands of additional secret government documents, it leads to the conclusion that there is no way to protect sensitive data. If the government can’t even prevent a Private in the Army from stealing confidential data, what hope is there?

Nearly all WikiLeaks articles conclude that you have to trade off security against productivity, implying that content becomes unusable with higher levels of security in place. In the Associated Press article ‘Companies beware: The next big leak could be yours’, Jordan Robinson of the Associated Press states:

“But the more companies control information, the more difficult it is for employees to access documents they are authorized to view. That lowers productivity and increases costs in the form of the additional help from technicians.”

This is true for traditional content security measures but ignores significant advances made by security company Zafesoft, whose solution does not require a change in user behavior or complex technical support to maintain. Companies that do a little research will find there is a way to protect their valuable information without compromising productivity and at a reasonable cost.

Robert Siciliano is a Personal Security and Identity Theft Expert. See him discussing another data breach on Good Morning America. (Disclosures)

Organized Web Mobsters Getting Jobs Inside Corps

In 2009, there were a reported 140 million records compromised, compared to 360 million in 2008. In 2010 there have been almost 13 million records stolen. But don’t have a party just yet. Criminals are fine-tuning their craft and getting better. The industry just isn’t making it as easy. 97% of those records were stolen using malware – malicious software designed to attack the target’s existing systems and software in place.

A reported 50% of the malware was installed remotely. Almost 20% came from visiting infected websites and almost 10% was installed when employees clicked infected links that conned or “socially engineered” them.

A recent Verizon report stated, “Over the last two years, custom-created code was more prevalent and far more damaging than lesser forms of customization, the attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above.”

This may also be attributed to an inside job. A rogue employee on the inside always has the advantage of knowing exactly how to remain undetected.

The report further stated that organized crime rings may “recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score, the smaller end of these schemes often target cashiers at retail and hospitality establishments while the upper end are more prone to involve bank employees and the like.”

In the past three years that’s a total of 513 million records. On average, every citizen has had his or her data compromised almost twice. Where’s your Social Security number in that mix?

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)

Almost 13 Million Records Breached in 2010…So Far

According to the Identity Theft Resource Center, there have been 371 data breaches that have exposed 12,871,065 records so far this year in the United States.

NetworkWorld reports that businesses suffered the most breaches, making up 35% of the total. Medical and healthcare services accounted for 29.1% of breaches. The government and military made up 16.2% of breaches. Banking, credit, and financial services experienced 10.5% of breaches, and 9.2% of breaches occurred in educational institutions.

Even if you are protecting your PC and keeping your critical security patches and antivirus definitions updated, there is always a chance that your bank or credit card company may get hacked. I’ve received three letters accompanied by three replacement cards from my credit card companies over the last few years.

Beyond that, if someone else’s database is hacked and your Social Security number is compromised, you may never know about it unless they send you a letter or if you discover that someone has opened new accounts in your name.

In many cases, if (and that’s a big “if”) a company finds out their records have been compromised, they might provide credit monitoring of some kind. Credit monitoring is definitely something you should take advantage of. However, I wouldn’t wait for your information to be hacked and a letter to come in the mail before you take responsibility for protecting yourself.

I did a radio show today and a man called in telling a story of how he got a letter from his bank, but they didn’t activate credit monitoring for almost six months after he received the letter. With millions of records being compromised every year, consider your data breached!

Don’t waste time by only handling identity theft reactively. Do something about it now.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing celebrity identity theft on CNBC. (Disclosures)