Posts

The “Mother of All Data Breaches?” It Could Be Here…

You have probably heard of one data breach after another these days, but this is one that you should really pay attention to: more than 772 million unique emails, along with more than 21 million unique passwords, have been exposed.

data breach

Troy Hunt, who runs the website “Have I Been Pwned,” first reported this breach, and he says that a huge file (87 GB) was uploaded to MEGA, a cloud service. This data was then sent to a popular hacking site, and now hackers have access to all of these passwords and email addresses.

This data breach, known as “Collection #1,” is very serious. However, it could just be the tip of the iceberg. There are claims that there are several more “collections” out there, and it could be as much as one full terabyte worth of data. This could be the newest “mother of all data breaches” if this is found to be true.

So, what does all of this mean for you? It not only means that your information could be part of this breach, but it also could mean that these password and email combinations could be used in a practice known as “credential stuffing.” What is this? It’s when a hacker uses known email and password combinations to hack into accounts. Basically, this could have an impact on anyone who has used an email/password combination on more than one site.

This, of course, is concerning because this particular breach has about 2.7 billion email/password combinations. On top of that, around 140 million of the emails, and 10 million of the passwords, were brand new to the hacking database, which gives the hackers even more ammunition to wreak havoc. The big lesson to be learned here is that you should always use good security practices when you create accounts online. You should never use passwords from one account to another, and you should definitely use two-factor authentication if it is available. If you don’t have a password manager, you might want to set that up, too.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

Second Hand USB’s Could Have Personal Info Still Inside

An unsurprising study was recently released that found even when a portable USB drive is erased, not all of the documents and images are always removed. That, of course, is frightening.

Here’s how the research was done:

Researchers went online to sites like eBay, to second-hand shops, and even auction stores. They bought 200 used USB drives, half from the US and half from the UK. Almost 2/3 of the devices had data on them! This data was, for the most part, personal data, and it can also be used by cybercriminals to steal someone’s identity. On top of that, these USB drives can contain malware.

Removing All Data is Difficult

When someone tries to delete or remove data from a USB device, they rarely have success. In fact, of the 100 USB devices the researchers bought in the US, only 18 of them were totally wiped clean. The rest of them had data that had been deleted, but someone could certainly recover it. The UK devices were similar. What’s so surprising about this is that it is extremely easy…and free…for someone to fully delete their device. But most people just don’t put in the effort, and that could definitely hurt them in the future.

USB Devices Can Be Risky

Using these devices can be risky, not only for average people, but also for businesses. In 2017, for example, a USB device was lost, and it contained sensitive information about Heathrow Airport. The government investigated, and eventually fined the company. The information was not encrypted, nor password protected, and it was found on the street by a random passerby.

Because of these risks, some companies, like IBM, have banned the use of USB devices. Instead, employees must use the company’s cloud. Other companies still allow them, of course, but they could be going down a dangerous road. These devices are really cheap to buy, and people can save almost anything on them, but they are also very easy to lose.

There are other issues with USB devices too. First, of course, you have the data on these drives to deal with, but there is also the fact that potential malware could be on the devices. Most companies don’t have the same rules that IBM has, and most consumers don’t think of this at all. This makes people and small businesses very vulnerable. So, if you use USB drives, there is one very important step that you need to take: encrypt it.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

2017 Was the Worst year for Data Breaches EVER!

It seems like 2017 broke records for all the wrong reasons…one of them being the worst year for data breaches in history.

According to reports, hacking was the most common way to collect this data, but almost 70% of exposures occurred due to accidental leaks or human error. This came down to more than 5 billion records. There were several well-known public leaks, too, including the Amazon Web Services misconfiguration. More than half of the businesses using this service were affected, including companies like Verizon, Accenture, and Booz Allen Hamilton. The scariest part of this, however, is the fact that the number of breaches and the number of exposed records were both more than 24% higher than in 2016.

Big Breaches of Big Data

Another interesting thing to note is that eight of the big breaches that occurred in 2017 were in the Top 20 list of the largest breaches of all time. The top five biggest breaches in 2017 exposed almost 6 billion records.

Part of the reason for the big numbers is because huge amounts of data were exposed from huge companies, like Equifax. There was also a huge breach at Sabre, a travel systems provider, and the full extent of the breach isn’t even known at this point. All we do know is that it was big.

When looking at all of the known 2017 data breaches, almost 40% of the breaches involved businesses. About 8% involved medical companies, 7.2% involved government entities, and just over 5% were educational entities. In the US, there were more than 2,300 breaches. The UK had only 184, while Canada had only 116. However, until now, companies in Europe were not forced to report breaches, so things could change now that reporting is mandatory.

What were the biggest breaches of all time?  Here they are, in order:

  • Yahoo (US company) – 3 billion records
  • DU Caller Group (Chinese company) – 2 billion records
  • River City Media (US company) – 1.3 billion records
  • NetEase (Chinese company) – 1.2 billion records
  • Undisclosed Dutch company – 711 million records

Though none of this is great news, there is a silver lining here: none of the breaches of 2017 were more severe than any other breach in history, and overall, the occurrence of breaches dropped in the fourth quarter.

Because of so many breaches occurring due to human error, it’s very important that businesses of all sizes enact security awareness training, including helping staff understand what makes a business a target and what type of info the hackers want.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Mainstream Email and Data Services Might Be Spying on You

The Internet nowadays flourishes on personal data. Many of the world’s largest companies rely on this intangible commodity that users have been too willing ‘donating’ as an exchange for a ‘free’ service.

As data replaces oil as the new premium commodity, buying and selling data is big business. While some companies do it legitimately, some entities do it illicit.

Let’s look at some stats:

  • Every day, there are more than 10 million hacker attacks
  • Every hour, more than 228,000 data records are lost or stolen
  • In 2017, thousands of data breaches exposed most everything from log-in names and passwords to Social Security numbers

But what is even more alarming, mainstream email and data services collect and then sell the data, such as: location, Internet search history, photos, files, and of course, more sensitive personal information. Sometimes they are compelled to give this information to the authorities without informing the owner of the data.

So, everyone is at risk of being monitored and lose valuable personal data.

However, there are ways to protect your data online.  One of the ways of doing it is by using Secure Swiss Data free encrypted email. This company has created easy-to-use secure email which has the following benefits:

  • End-to-end encryption – data is always encrypted, encryption is happening on a user’s device and data is stored encrypted on the Secure Swiss Data servers.
  • Swiss protection of the data – The servers are located in Switzerland under 320m of granite in the Swiss Alps. In addition, users’ data is protected by Swiss laws. In fact, Switzerland has some of the most stringent privacy laws in the world.
  • No Ads – another benefit is that they never display ads. This means the company has no reason to collect your data. They are not able to reador scan emails nor tracks any location information.
  • Privacy by Design – They use this approach which ensures that privacy is considered throughout the engineering process.

You can download Secure Swiss Data an Android or iOS app, and register a FREE account. With all the updates, so far, you can:

  • Send encrypted emails with attachmentsnot only to Secure Swiss Data users, but also to other third party email users.
  • Set expiration timer for emails so that they are automatically deleted from your and your recipients’ mailboxes after a set period of time.

One system to protect communications online with integrated blockchain

However, it seems that Secure Swiss Data team don’t want to stop there. They want to do more to secure communications and protect privacy online. At the same time they don’t want to depend on any third party or government investment. So, they are now starting a crowdfunding campaign:

To provide the world with a unique single encrypted communications and collaboration system that will include the following features: end-to-end encrypted email, calendar, notes, tasks, file storage, collaboration in encrypted files, and end-to-end encrypted messenger. 

On top of the end-to-end encryption, the Secure Swiss Data team will integrate blockchain in the system and therefore add another layer of security, which would increase customer convenience and quality of data protection online.

The cause – Take control over your data, and protect your Online Privacy

One of the best parts of using the Secure Swiss Data services is that you know where the company stands. They have clearly stated that they believe in privacy as a human right and civil liberty. User’s data should be kept private, and no one should be able to get into those personal accounts unsolicited.

Furthermore, they say: “Privacy is not about having something to hide, it’s about the right to control what you want to share and what you want to keep to yourself.”

So, have an opportunity to make the decision on what to share and what not.

And using services like the one from Secure Swiss Data, you can do just that: have control over your online data and communications.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Security training: the Human Being is impossible to fix

As long as humans sit at computer screens, there will always be infected computers. There’s just no end to people being duped into clicking links that download viruses.

12DA report at theregister.co.uk explains how subjects, unaware they were guinea pigs, fell for a phishing experiment.

  • Subjects were sent an FB message or e-mail from an unfamiliar sender, though 16 percent of the subjects who ultimately clicked reported they knew the sender.
  • The sender announced they had images from a New Year’s Eve party but not to share them.
  • 43.5% clicked the FB message link and one-quarter clicked the e-mail link.
  • Many of the subjects denied making these clicks, but most who admitted it named curiosity as the reason.
  • 5% claimed they thought their browser would protect them from an attack.

Obviously, there will always be that percentage of the human population who will allow curiosity to preside over common sense and logic. The idea of simply never, never, ever clicking a link inside an e-mail is an impossible feat for them—perhaps more difficult than quitting smoking or losing 50 pounds.

This is the battle that businesses have with their employees, which is how businesses get hacked into and massive data breaches result.

However, says the report, rigid training of employees may backfire because valid e-mails may be ignored—though it seems that there has to be a way for companies to get around this—perhaps a phone call to the sender for verification if the company is small. For large businesses, maybe executives could just resort to the old-fashioned method of reaching out to employees; how was this done before the World Wide Web was invented?

Digital signing of e-mails has been suggested, but this, too, has a loophole: some employees misinterpreting the signatures.

Nevertheless, security training is not all for nothing; ongoing training with staged phishing e-mails has been proven, through research, to make a big difference. Unfortunately, there will always exist those people who just can’t say “No” to something as mundane as images from a New Year’s Eve party from a sender they’ve never even heard of.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Your Stolen Data around the World in 2 Weeks

Ever wonder just what happens to the data in a data breach incident? Does it go into some kind of wormhole in cyberspace, out through the other end? Well, the answer is pretty much so, when you consider that hacked data makes its rounds on a global scale, taking only 14 days to land in 22 countries spanning five continents—according to an experiment by Bitglass.

4HBitglass, a cloud access security broker, did some research, generating over 1,500 fake names, credit card numbers, SSNs and other data that were saved in an Excel spreadsheet.

Then the spreadsheet, which was tagged, was sent out into cyberspace, including to several Darknet sites. The watermark tag sent a signal (which included information like IP addresses) to the researchers every time the document was opened.

This experiment simulated a data breach and provided an idea into just where real stolen data actually goes. This research points fingers at Russia and Nigeria as far as being the location of closely related major hacking rings.

Not only did this spreadsheet make international rounds, but it was opened over 1,200 times within the two weeks. Need it be mentioned that the countries most notorious for hacking rings (e.g., Russia, Nigeria and China) did most of the opening. Other access points included the U.S., Germany, Finland, New Zealand and Italy.

This is sobering information for company leaders who fear a data breach. Bitglass points out that the average data breach takes 205 days to be detected. Wow, just how many access points would there had been in 205 days? Would it be a linear increase or an exponential increase?

Consumers are at a serious disadvantage due to the fact most of the data breaches occur with data out of their immediate control. Fret not however. The best thing a consumer can do is pay close attention to their statements and look for unauthorized activity or invest in identity theft protection which will often make your Social Security number less attractive to a thief.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

What is private Information and what is not?

Data Privacy Day was Wednesday, January 28, and these days the concept of “privacy” can be ambiguous, generic or confusing. What you might think of as private actually isn’t. The definition of personal identifying information, by the U.S. privacy law and information security, is that of data that can be used to contact, identify or locate an individual, or identify him in context.

1PThis means that your name and address aren’t private, which is why they can be found on the Internet (though a small fee may be required for the address, but not always). Even your phone and e-mail aren’t private. What you post on Facebook isn’t private, either.

So what’s private, then? An argument with your best friend. A bad joke that you texted. Your personal journal. These kinds of things are not meant for public use. What about vacation photos that you stored in a cloud service? Well…they’re supposed to be private, but really, they’re at significant risk and shouldn’t be considered totally private.

And it’s not just people on an individual scale that should worry about privacy. It’s businesses also. Companies are always worrying about privacy, which includes how to protect customers’ sensitive information and company trade secrets.

But even if the company’s IT team came up with the most foolproof security in the world against hacking…it still wouldn’t protect 100 percent. Somewhere, somehow, there will be a leak—some careless employee, for instance, who gets lured by a phishing e-mail on their mobile phone…clicks the link, gives out sensitive company information and just like that a hacker has found his way in.

Even when employees are trained in security awareness, this kind of risk will always exist. An insider could be the bad guy who visually hacks sensitive data on the computer screen of an employee who was called away for a brief moment by another employee.

Tips for Training Employees on Security Savvy

  • Make it fun. Give giant chocolate bars, gifts and prizes out to employees for good security behaviors.
  • Post fun photos with funny captions on signage touting content from the company’s security policy document. It’s more likely to be read in this context than simply handed to them straight.
  • Show management is invested. Behavior changes start from the top down,
  • Get other departments involved. Even if they’re small, such as HR, legal and marketing, they will benefit from security training.
  • Stop visual hackers. Equip employees with a 3M Privacy Filter and an ePrivacy Filter which helps bar snooping eyes from being able to see what’s on the user’s screen from virtually every angle.
  • Don’t forbid everything that’s potential trouble. Rather than say, “Don’t go on social media,” say, “Here’s what not do to when you’re on social media.”
  • Make it personal. Inform workers how data breaches could damage them, not just the company. A little shock to their system will motivate them to be more careful.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

Online Data less safe than ever

It’ll get worse before it gets better: online data safety. It’s amazing how many people think they’re “safe” online, while one huge business or entity after another keeps getting hacked to the bone.

1DAnd “safety” doesn’t necessarily mean the prevention of your computer getting infected with a virus, or falling for an online scam that results in someone getting your credit card information. It’s also a matter of privacy. While targeted advertising (based on websites you’ve visited) may seem harmless, it’s the benign end of the continuum—that someone out there is tracking you.

So, do you still think you’re hack-proof?

That you can’t be fooled or lured? That your devices’ security is impenetrable? That you know how to use your device so that nobody can get ahold of your sensitive information?

Consider the following entities that got hacked. They have cyber security teams, yet still fell victim:

  • LinkedIn
  • Yahoo! Mail
  • Adobe
  • Dropbox
  • Sony
  • Target

You may think the hacking is their problem, but what makes you believe that the service you use is immune? Are you even familiar with its security measures? That aside, consider this: You can bet that some of your personal information is obtainable by the wrong hands—if it already isn’t in the wrong hands.

Are you absolutely sure this can’t possibly be? After all, you’re just a third-year med student or recent college grad looking for work, or housewife with a few kids…just an average Joe or Jane…and you use the Internet strictly for keeping up with the news, keeping up with friends and family on social media, using e-mail…innocent stuff, right?

You’ve never even posted so much as a picture online and say you don’t use a credit card online either.

  • But hey, if your passwords aren’t strong, this ALONE qualifies you as a potential hacking victim.
  • So, what is your password? Is it something like Bunny123? Does it contain your name or the name of a sport? Keyboard sequences? The name of a well-known place? The name of a rock band?
  • Do you use this password for more than one account? That gets tacked onto your risks of getting hacked.
  • You need not be someone famous to get hacked; just someone who gets lured into filling out a form that wants your bank account number, credit card number, birthdate or some other vital data.
  • If you just ordered something from Amazon, and the next day you receive a message from Amazon with a subject line relating to your order…did you know that this could be from a scammer who sent out 10,000 of these same e-mails (via automated software), and by chance, one of them reached someone at just the right time to trick you into thinking it’s authentic?
  • People who know you may want your information to get revenge, perhaps a spurned girlfriend. Don’t disqualify yourself; nobody is ever unimportant enough to be below the scammer’s radar.
  • Did you know that photos you post in social media have a GPS tag? Scammers could figure out where the photo was taken. Are you announcing to all your FB friends about when your next vacation is? Did you know a burglar might read your post, then plan his robbery? Between the GPS tags and your vacation dates…you’re screwed.

Well, you can’t live in a bubble and be antisocial, right? Well, it’s like driving a car. You know there are tons of accidents every day, but you still drive. Yet at the same time, if you’re halfway reasonable, you’ll take precautions such as wearing a seatbelt and not driving closely behind someone on the highway.

Most of your fate is in your hands. And this applies to your online safety. You won’t be 100 percent immune from the bad cyber guys, just like you’re not 100 percent immune from a car wreck. But taking precautions and having the right tools really make a tremendous difference.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Study Shows 67% of Employees Expose Sensitive Data Outside the Workplace

IDC, an IT analyst firm, estimates that the mobile worker population could reach 1.3 billion by 2015, meaning, they access workplace data outside the workplace. This is risky because it exposes data to hackers.

2DIn fact, the safety of what’s displayed on the computer screen in public is of huge concern. The 3M Visual Data Breach Risk Assessment Study provides some troubling findings.

First off, 67 percent of workers expose company data beyond the workplace, including very sensitive information. Typically, the employee has no idea how risky this is. It’s as easy as the crook capturing data, that’s displayed on a screen, with a smartphone camera as he passes by or secretly looks on continuously from nearby.

And there’s little corporate policy in place to guard against this. The study says that 70 percent of professional employees admitted their company lacked any explicit policy on conducting business in public. And 79 percent reported that their employer didn’t even have a policy on privacy filter use.

Either communication about policies with employees is feeble, or attention to visual policy from the decision makers is lacking.

An increasing number of people are taking their online work to public places, but if they knew that company data was properly protected from roving snoops, they’d be more productive. Companies need to take more seriously the issue of visual privacy and this includes equipping employees with tools of protection. Below are more findings.

Type of Data Handled in Public

  • Internal financials: 41.77%
  • Private HR data: 33.17%
  • Trade secrets: 32.17%
  • Credit card numbers: 26.18%
  • SSNs: 23.94%
  • Medical data: 15.34%

Only three percent of the respondents said that there were restrictions imposed on some corporate roles working in public. Eleven percent didn’t even know what their employer’s policy was.

One way to make headway is a privacy filter because it blocks the lateral views of computer screens. Eighty percent of the people in the study said they’d use a device with a filter.

Another factor is that of enlightening workers about the whole issue. An enlightened employee is more likely to conduct public online business with their back to a wall.

Additional Results

  • In general, work is not allowed in public: 16%
  • No explicit policy on public working: 70%
  • To the worker, privacy is very important: 70%; somewhat important: 30%; not very important: 4%; not important at all: 1%.
  • Only 35 percent of workers opted to use a kiosk machine with a privacy filter when presented with two machines: one with and one without the privacy filter.

The study concludes that businesses are sadly lacking in security tactics relating to data that’s stored, transmitted, used and displayed. This is a weak link in the chain of sensitive information. Any effective IT security strategy needs to address this issue and take it right down the line to the last employee.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

10 ways to protect your Devices and Data

Gee, it used to be just your desk computer that needed protection from cyber thugs. Now, your connected thermostat, egg tray monitor, teen’s smartphone, garage door opener, even baby monitor, are all game for cyber creeps.

7WCan’t be said enough: Install antivirus software. This software really does make a huge difference. Malware scanners are not enough, by the way. You need both: antivirus, anti-malware, though malware usually targets laptops and PCs. But don’t bet on it staying this way; Macs, mobiles and tablets are vulnerable. Don’t wait to get security applications for your smartphone and tablet. Android is particularly vulnerable.

Enrich your Wi-Fi. Turn on your WPA or WPA2 encryption. Change your router’s default password to something really unique. Update the router’s firmware. Register any new routers online. Contact the router manufacturer’s site for helpful information on making things more secure. Whenever using free public WiFi recognize your data can be sniffed out. Use Hotspot Shield whenever logging in at airports, hotels, internet cafés and more.

Don’t use outdated software. Are you still on Windows XP? Time to switch to 7 or 8. Security holes in outdated applications will not get plugged if there’s no longer support.

Power passwords. You wear a power suit; you take a power lunch, a power nap and a power walk, but do you have a power password? A power password is extremely difficult to crack. It’s at least 12 characters long, contains no dictionary words or keyboard sequences, and has a variety of symbols. You can also use a password manager to create and encrypt passwords.

OS updates: often. Many people fail to keep their operating systems updated. Big mistake. An update means that a security hole, through which a hacker could get in, has been patched. Lots of holes mean lots of entry points for hackers. If Windows alerts you to an available update, then run it. Learn about your system’s update dynamics and get going on this.

Patch up your software. Have you been getting update alerts for Adobe Reader? Take this seriously, because this software is highly vulnerable to hacking if it has unpatched holes. Any reminder to update software must be taken seriously. Don’t wait for an attack.

Wipe old hardware. Got any defunct laptops, tablets, flash drives, hard drives, etc.? Before reselling them, strip them of your data. If you want to discard them, literally hammer them to pieces.

Two-factor authentication. A long, strong password is not 100 percent uncrackable. If a hacker cracks it, but then finds he must apply a second factor to get into your account…and that second factor requires your smartphone to receive a one-time code, he’ll move on.

Don’t get duped. Never click links in e-mails. Don’t click on something that seems too good to be true (a link to naked photos of your favorite movie star). Avoid suspicious looking websites.

Stop blabbing on social media. Information you post on Facebook, for instance, could contain clues to your passwords or security questions for your bank account. Sure, post a picture of your new puppy, but leave the name a mystery if it’s the answer to a security question.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.