As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much more worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.
What this means for you:
Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:
- Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
- Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
- Review the Federal Trade Commission’s recommended actions.
- Watch your important online accounts like a hawk and investigate any suspicious activity immediately.
In 1986, Ronald Reagan is quoted as saying, “The nine most terrifying words in the English language are, ‘I’m from the government. I’m here to help you.'” As relevant as that sentiment was in his day, it’s still ringing true, this time with at least three government websites that are doing you no favors in terms of protecting your identity. Krebs on Security has an alarming report of identity theft and fraud via the IRS.gov website wherein he shares the story of a taxpayer who discovers someone has already filed a fake tax return under his name, for the purposes of stealing his tax refund. At fault is a identity authentication standard known as KBA, or “knowledge-based authentication” which is pretty widely used in the credit reporting and finance industries. Basically, you prove you are you by answering questions that supposedly only you would know, including former addresses, loan amounts or payments, and other personal data that is – surprise, surprise – readily found on the internet. By anyone.
What this means for you:
Ironically, people avoid creating accounts on websites because they are afraid of their data being leaked. And now you get to be afraid of NOT creating an account on a website for fear of someone else creating it for you, with the added “bonus” of this fake account further decreasing the probability of you being able to prove you are actually who you say you are. “Invasion of the Body Snatchers” anyone? What makes this situation alternately terrifying and ludicrous is that it’s our own government creating this mess in an effort to provide better reporting, accountability, and accessibility. The other two sites that are also potentially weak to this “account snatching”? How about the Congress-created AnnualCreditReport.com and another federal behemoth: the Social Security Administration website. Brian Krebs’ recommendation is to make sure you get an account established for these three website pronto, if only to prevent someone else from pretending to be you and creating accounts that will be used to commit fraud and money laundering. Unfortunately for most of us, the surge of interest created by this article (and blogs like this one) have essentially paralyzed (are you surprised?) the account creation process of these websites, but keep trying, if only to let them know we actually care about our identities enough to want properly secured government websites.
If you didn’t hear it on the news, you probably got an email from Anthem letting you know that your personal information has been exposed in a massive data breach that impacts over 80 million people served by the medical insurer. According to Anthem’s own website established to address this breach, no medical records or credit card information was stolen (that they know of) which is a faint blessing in the face of what was stolen: names, addresses, birthdates, social security numbers, phone numbers, email addresses and employment history. In other words, everything a thief needs to steal your identity.
What this means for you:
As before with other large data breaches, there’s not a darn thing you could have done to protect yourself from the attack. If you just happened to not be a current or former Anthem-covered individual, it’s likely your information was stolen previously in any of the numerous other breaches from last year. Anthem will be offering free credit monitoring to all affected individuals, something that is going to sting their deep pockets signicantly, but will do little good in the long term. Why? Well, unlike credit card numbers, addresses or phone numbers, 80 million people aren’t going to change their names, dates of birth or social security numbers. Identity thefts can outwait the one year of monitoring (still unconfirmed, one year is my guess) that Anthem will provide. You can bet a large number of people won’t continue that service on their own dime, but you might want to consider factoring this type of fee permanently into your annual budgets. Or at least until someone can figure out how to secure our identities and credit better.
From a business standpoint, Anthem’s plight illustrates an important lesson. Though current legislation recommends this sort of data be encrypted, it is not a requirement. Shouldn’t Anthem have taken the extra step to protect your data? Does the government need to mandate common sense and best practice? Will Anthem’s current nightmare convince you to enforce more strict security practices in your own work and personal life? I don’t think you need me to tell you that if you want a prosperous and sustainable business protecting your sensitive data is no longer a recommendation, it’s a requirement.
_0-460x260_c.png "Google_Chrome_icon_(2011).png"){kind=icon}
Back when Google’s Chrome browser was brand new in the browser market and demonstrating how poor Microsoft’s Internet Explorer security was in comparison, it was easy to recommend it as the faster, more secure option. However, with market share comes concessions to convenience and feature-creep, and it seems that Google may be stretching itself too thin to be the browser on everything and for everyone. Aside from the rather disturbing and glaring security flaw pointed out earlier this year in the desktop versions of Chrome (and steadfastly refuted by Google…until it was fixed), Chrome has typically been viewed as the “most secure” of the big three Windows browsers (the other two being IE and Firefox).
Unfortunately, security firm Identity Finder has burst this bubble by revealing another weakness in Chrome. In the spirit of convenience, Chrome offers to save information used to fill out the countless webforms we all run into on a daily or even hourly basis while surfing. Most of these fields are what would be considered personally identifying information (names, addresses, account numbers, etc.) and Chrome stores them in plain text on your hard drive so as to be able to retrieve them for autopopulating other web forms. The problem with this, of course, is that anyone with access to your hard drive can read that data and use it to nefarious ends. And in case you’re still trying to sort out why this is bad, access isn’t limited to someone working on your computer or stealing your hard drive. Unauthorized access is most often gained now through malware infections.
What this means for you:
Sadly, achieving better security is no longer simply a matter of changing your browser, no matter how much any company (even Google!) would have you believe otherwise. If you want to disable the above mentioned “feature” in Chrome, you can do so by visiting Settings -> Advanced Settings -> Passwords and Forms and unchecking “Enable Autofill to fill out web forms in a single click.” You should never rely on just a browser choice to determine the totality of your security. Good security is a combination of browser choice, settings, malware protection and constant vigilance. Chrome still remains a solid choice as a browser but beware convenience features like Autofill and saving passwords in your browser, as this convenience may come at the price of security.
A german security researcher has revealed that as many as 750 million cellphones may be vulnerable to to hacking via their SIM card if it’s encrypted with DES (Data Encryption Standard) originally coded in the 1970s. Through studies on approximately 1000 sim chips and phones, Karsten Nohl of Security Research Labs demonstrated the ability to fool the older SIM chips into thinking he was authorized to access confidential data on the phone, including SMS texts, call logs as well as pay for fraudulent services via the phone. In theory, this level of access could grant an attacker the ability to compromise and steal the phone owner’s identity on top of gaining access to online bank accounts and other high-risk areas.
What this means for you:
Mr. Nohl has not revealed to the public the details of which SIM cards may suffer from this weakness and has instead been working closely with SIM card manufacturers to assist them with identifying and hopefully remediating the weakness where they can. His estimates are that as many as 3 billion cell phones use the older-generation SIM cards, but only some of those are prone to the security bug he has exploited in the above research. According to SIM manufacturers, they stopped using the older DES method back in 2008, so it’s likely that if your phone is less than 3-years old, you are probably safe from this particular exploit. If you have a phone that is older than 3-years, you should consider replacing it with a newer phone, or at minimum, see about getting a new SIM card from your carrier if you want to continue using your cellphone.
A 2013 whitepaper published by security firm Fortinet provides eye-opening details on the increasingly well-organized world of cybercrime that now features standardized pricing, polished branding, affiliate networks and zombie armies that can be rented for as little as $15/hour. Depending on the size of the botnet army, an incredible amount of damage can be done in an hour, making this one hell of a deal if your business is exploiting security flaws and stealing identities. Criminals have noticed the huge upside to cybercrime and, like they have always done, wasted no time investing big dollars and resources in this new “industry.”
What this means for you:
Overall, it’s unlikely criminals are outspending the big companies in the cyber arms race, but it’s almost a certainty that they are outspending and are better “armed” than most small and medium-sized businesses, especially ones that can’t (or won’t) afford the necessary investment in preparation and security. The most important thing you can do as a business owner that uses technology for any aspect of your business is ensure that you are taking the appropriate precautions and making the right security investments in your technology platforms. Keep in mind this doesn’t stop at buying hardware and software, but also includes training your employees as well as holding your vendors accountable for security as well.
Image courtesy of chanpipat / FreeDigitalPhotos.net
We’ve already seen way too much of some politicians and celebrities on the internet, but it seems human foolishness knows no bounds where the internet is concerned: sharp eyes have spotted a trend of people posting things like driver’s licenses, debit cards and other items with sensitive personal information in plain view on the internet through services like Twitter and Instagram. The reasons for posting these images aren’t immediately clear – and frankly, there isn’t a single logical explanation that doesn’t make these folks out as complete fools.
What this means for you:
In case you aren’t clear as to why this is a bad, bad thing – posting your sensitive personal information on the internet is tantamount to building a gigantic neon sign over your head that says, “Steal my identity, please!” To all the people who are doing this – STOP. Put down your smartphone (ironic, eh?) and step away from the internet. Go stand in the corner and put on that funny, pointed cap. Congratulations, you’ve just earned the Dunce of the Year!
Parents – if you have a teenager with their own smartphone and they’ve just earned their driver’s license or their own credit card, make sure they aren’t taking a picture of that shiny new card and posting it on the internet to brag to their peers. It might be a good time for a little security chat – and will be a lot more comfortable than that other chat you’ve been putting off for awhile now, right?
In a follow-up to the much-publicized security breach that exposed sensitive data on millions of South Carolina residents, the governor’s office has released the official report on the incident, as researched by security firm Mandiant. The origin of the attack was traced to an unnamed state employee clicking on a phising email, leading to the immediate compromising of that employee’s network credentials. From there, the hackers were able gain access to 44 different government systems and 74GB of uncompressed taxpayer data and encryption keys. More importantly, it was revealed that the millions of Social Security numbers stolen in this attack were being stored unencrypted, primarily because the current Internal Revenue Service standards do not require encryption of any kind.
What this means for you:
It’s a running joke that governments are typically way behind the times when it comes to operational efficiency, which was fine in the days of mimeographs, fax machines and microfiche, but it’s no longer a laughing matter in the age of the Internet. The fact that the IRS still isn’t requiring states to encrypt your critical data is an open invitation to cybercriminals everywhere, as well as every amateur hacker looking for a quick payday and street cred. On top of this, the fact that government agencies like South Carolina’s Revenue Department are relying on outdated and unsafe standards that even sophomore technology professionals would recognize as being insufficient is appalling and reprehensible, mea culpa notwithstanding.
Despite the egregious lack of security, the breach in question happened because an employee open the door. You may be well-informed and security conscious, but are your employees properly trained to spot and avoid phishing emails? Are they engaging in insecure behavior, either out of ignorance or willful disregard of company policy? If you handle sensitive personal information during the course of normal business, are they aware of the federal regulations regarding the handling and disposing of that information?
The new tradition of Black Friday (and Cyber Monday) shopping online has not only caught on with bargain hunters hoping to avoid crowds and early-morning lineups, it has also caught the eye of the digital criminal element as well, who will be counting on naive (and not so naive) shoppers clicking on links to dodgy sites that instead of delivering amazing deals, will end up costing unwary shoppers hunters more than they bargained for.
It is believed that various cybercriminals will attempt to lure victims into clicking links promising deals too good to pass up, either delivered via email, or posted on the various bargain/coupon code websites that are scattered across the internet. Once you click a link to a site that is handing out malware instead of savings, your machine is likely to get infected with one of the hundreds of variants of malware, all with the express intent of, wreaking havoc on your holiday weekend (and beyond), extoring money out of you via ransomware demands, or worse still, lying dormant and undetected on your computer until you start typing in sensitive information, like the password to your banking website and email account. Once that happens, you are only clicks away from identity theft and probable financial damage.
What this means for you:
Common sense and caution are your best defenses, but you should also observe the following:
- Have updated and working antivirus software from a well-known manufacturer.
- Only click links to websites that you recognize – make sure the link you are clicking isn’t being spoofed.
- Can’t confirm a website, or not familiar with the source? Google the domain name – the real domain name, to see if virus/hoax reports have been associated with that domain.
- If the deal sounds too good to be true – it probably is. Call the store to confirm the deal if in doubt. Talk to a human.
- Still can’t confirm? Proceed with extreme caution at your own risk. Is the deal really worth the risk of your security being compromised?
Image courtesy of “digitalart” / FreeDigitalPhotos.net
In yet another instance of high-profile data loss, the National Aeronautics and Space Administration (NASA) has announced that a laptop containing unencrypted, sensitive data was stolen. Ahead of a final determination of the extent of the data exposure, NASA has warned its 300,000 employees and contractors to be extra cautious and that they may be at risk for identity theft.
As a result of this theft and previous data exposure incidents, the organization has established a new policy that all laptops will be encrypted from this point forward, and until the encrpytion can be enforced, all laptops with sensitive data can no longer be removed from NASA facilities.
What this means for you:
The NASA laptop in question was password protected, but you may not be aware that gaining access to data on a password-protected laptop is trivial when you have the actual device in your physical control. Though it does add overhead to overall performance of laptops, encrpyted data partitions or even full-drive encryption is the only way to truly safeguard data on mobile devices, and a compromise that savvy organizations are willing to make in order to allow their knowledge workers the mobility required in today’s technology environment. If you or your knowledge workers work with sensitive data, whether it be employee records or client data, you should review your organization’s privacy and security policies to ensure you are properly protecting yourself from a damaging security breach and data loss.
- 1
- 2