There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."
The press is mostly spinning this as evidence that Snowden has not had an effect: "merely 39%," "only 39%," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users -- which is not everybody -- who have heard of him. So it's much less than 39%.)
Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)
Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world.
It's probably true that most of those people took steps that didn't make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It's probably even true that some of those people didn't take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.
Name another news story that has caused over ten percent of the world's population to change their behavior in the past year? Cory Doctorow is right: we have reached "peak indifference to surveillance." From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.
Related: a recent Pew Research Internet Project survey on Americans' perceptions of privacy, commented on by Ben Wittes.
This essay previously appeared on Lawfare.
Monday, December 29, 2014
12 Step Security Program - BE SAFE
Good security advice can be hard to find. Lots of security experts offer help, but not all of their tips are accurate or up-to-date, and many address PC security only. So even if you follow their advice, you may be more vulnerable than you think. That's where we come in. We've assembled a dozen simple but essential tips--a 12-step security program--to keep your PC, smartphone, gadgets, and identity safe. The steps are practical and fairly easy to perform, so you can strengthen your security without losing your mind in the process.
1. Use virtual credit card numbers to shop online
You have good reason to be nervous when using your credit card number to shop online. After all, you may know little or nothing about the company you're buying from, and your credit card information is at risk of being compromised in a data breach. Using a virtual credit card number is one way to make your Internet shopping excursions more secure.
Essentially a wrapper for your regular credit card or debit card account, a virtual card number is good for one use only. When you use the virtual number, the bank that supplied it charges your purchase to your regular credit or debit card, but hackers never gain access to the underlying credit card information.
Various financial institutions maintain some sort of virtual credit card program. Bank of America, for instance, offers a ShopSafe service, and Discover has a similar service built around what it calls a Secure Online Account Number. Check with your bank or card issuer to see what options are available. Alternatively, consider Shop Shield, a virtual card number service that you can use with any credit card or checking account.
2. Secure your Wi-Fi
Is your Wi-Fi network at home password-protected? If not, it should be. You might not care if your neighbors use your Wi-Fi connection to surf the Web, but someone with more sinister motives could take advantage of your generosity (and lack of protection) to gain access to data stored on your home PCs.
The easiest way to guard against Wi-Fi interlopers is to encrypt your Wi-Fi network. Afterward you'll have to enter a password whenever you connect to your Wi-Fi network, but that's a small price to pay for improved security. Most Wi-Fi routers support WEP, WPA, and WPA2 encryption standards. Be sure to use either the WPA or WPA2 encryption settings, which provide a much higher level of security than WEP encryption.
Another safeguard is to set your router not to broadcast the SSID (your network's name). With SSID broadcasting disabled, your wireless network won't be visible to computers nearby, and only people who specifically know your network's name will be able to find it. The procedure for locking down your Wi-Fi will vary depending on your router's model and manufacturer. Check the router's documentation for instructions.
3. Encrypt Your Hard Drives
Hard drives and USB flash drives are treasure troves of personal data. They're also among the most common sources of data leaks. If you lose a flash drive, external hard drive, or laptop containing sensitive personal information, you will be at risk. Fortunately, encrypting your hard drive can give your data an extra layer of protection beyond setting up a system password. Encryption will conceal your drive's data and make accessing the files almost impossible for anyone who does not know your encryption password.
The Ultimate and Business editions of Windows 7 and Vista come with BitLocker, a tool that lets you encrypt your entire hard drive. If you don't have the Ultimate or Business version, another alternative is to use TrueCrypt, a free, open-source tool that can encrypt your entire disk, a portion of a disk, or an external drive. For its part, Mac OS X includes FileVault, a tool for encrypting your Mac's home folder; Lion, the next major Mac OS X release on the horizon, will be able to encrypt a whole hard drive.
Another option is to buy external hard drives and flash drives equipped with encryption tools. Some of these drives have built-in fingerprint readers for additional security. See "Secure Flash Drives Lock Down Your Data" for more about secure flash-drive options.
4. Keep Your Software Up-to-Date
One of the simplest but most important security precautions you should take is to keep your PC's software up-to-date. I'm not talking exclusively about Windows here: Adobe, Apple, Mozilla, and other software makers periodically release fixes for various bugs and security flaws. Cybercriminals commonly exploit known vulnerabilities, and Adobe Reader is a constant target of such assaults.
Not infrequently, the latest version of a popular program introduces entirely new security features. For example, Adobe Reader X, the newest version of the company's PDF reader, uses something called Protected Mode to shut down malware attacks. If you still use an earlier version of Adobe Reader, you aren't benefiting from Reader X's security enhancements.
Most major commercial software packages come with some sort of automatic updating feature that will inform you when a new update is available. Don't ignore these messages; install updates as soon as you can when you're prompted to do so. It's a little bit of a hassle, but it can prevent major headaches later on.
5. Upgrade to the latest antivirus software
If you're running antivirus software from two or three years ago, you should upgrade to the most recent version, even if you still receive up-to-date malware signature files for the older edition. The underlying technology for antivirus software has improved significantly in recent years.
To detect threats, antivirus products today don't rely solely on the traditional signature files (regularly updated files that identify the latest malware). They also use heuristic techniques to detect and block infections that no one has seen yet. Given how frequently new viruses crop up in the wild, the ability to protect against unknown malware is critical.
6. Lock down your smartphone
If you use your smartphone the way I use mine, your handset probably contains lots of personal information--e-mail addresses, photos, phone contacts, Facebook and Twitter apps, and the like. That accumulation of valuable data makes smartphones a tempting target for thieves and cybercriminals, which is why the smartphone is shaping up as the next big security battleground.
Android phones are already being hit with Trojan horses and other types of malware, and security experts agree that mobile malware is still in its infancy. Worse, many users don't think of their phones as computers (though that's what the devices are), so they don't take the same security precautions they would with a PC. If you haven't downloaded a security app for your Android phone, you should. Most smartphone security apps are free, and it's far better to have one and never need it than to get caught off-guard and exposed without one.
If you have an Android phone, the first app you should install on it is an antivirus program. Besides scanning for malware, mobile antivirus apps may support such features as a remote wipe (so you can securely remove all data stored on the phone if you lose it), GPS tracking (for locating your phone if you misplace it), and SMS spam blocking.
Our favorite freebie in this category is the Lookout Mobile Security app. Lookout scans your phone for existing malware threats and automatically scans any new applications you install on your handset. Other popular antivirus apps, available for a subscription fee, are Symantec's Norton Mobile Security (beta version), AVG's Antivirus Pro, and McAfee's WaveSecure.
Because Apple's App Store takes a more restrictive approach to apps offered for sale there, iPhone owners generally don't have to worry as much about malware, though it's always possible for something to slip through the cracks. Apple hasn't allowed any proper antivirus applications into the App Store, either, but you do have some security options.
One is a device tracking and remote-wipe service from Apple called Find My iPhone. It comes as part of Apple's paid MobileMe service ($99 per year), but Apple also offers it to any iPhone, iPad, or iPod Touch owner, free of charge. With Find My iPhone, you can lock and remotely delete data stored on your iPhone, track the device via GPS, remotely set a passcode, and display an on-screen message with an alarm sound (so you can find it if you misplace it around your house or office).
One more tip: When choosing a mobile antivirus program, it's safest to stick with well-known brands. Otherwise, you risk getting infected by malware disguised as an antivirus app.
7. Install a link-checker plug-in
Security threats may lurk in seemingly innocuous Web pages. Legitimate sites may get hacked, cybercriminals game search engines to make sure that their infected pages come up in searches for hot topics (a technique known as "search engine poisoning"), and seemingly safe sites may harbor malware. Although you have no way to guard against these attacks completely, using a link checker can help protect you from many of them.
Link-checker tools typically show small badges next to links in search results and elsewhere to indicate whether a site is trustworthy, dangerous, or questionable. Many such tools also add a status indicator to your browser's toolbar to signal the presence of any problems with the site that you're currently visiting.
Various options are available: AVG LinkScanner, McAfee SiteAdvisor, Symantec Norton Safe Web Lite, and Web of Trust are all available for free. Many security suites come with a link scanner, too.
8. Don't neglect physical security
A thief can snatch an unattended laptop from a desk and walk away in a matter of seconds. And a thief who has your laptop may have access to your files and personal information. A notebook lock won't prevent someone from cutting the cable, but it can deter crimes of opportunity.
Kensington is probably best-known for its notebook locks; it offers an array of locks for laptops and desktops. Targus is a second vendor that specializes in laptop security gear, including one lock that sounds an alarm when someone tries to pick up the attached laptop or cut the lock cable.
Prying eyes are a common security hazard. To prevent unauthorized viewing of your data when you step away from your desk, always lock your screen before leaving your PC unattended. To do this, simply hold down the Windows key and type the letter L. This will bring up the lock screen. To get back to work, press Ctrl-Alt-Delete, and enter your login password at the prompt.
Another way to shield your screen is to install a privacy filter over the display. These filters fit directly on a monitor so other people can't peer over your shoulder and see what's on the screen. A privacy filter may be particularly useful if you work in an "open" office that lacks cubicle walls. Various companies sell these filters, including Targus, 3M, and Fellowes.
9. Make HTTPS your friend
When you're browsing the Web, protect yourself by using HTTPS (Hypertext Transfer Protocol Secure) whenever possible. HTTPS encrypts the connection between your PC and the Website you're visiting. Though HTTPS doesn't guarantee that a site is secure, it can help prevent other parties from hacking into the network and gaining access to your account.
Many sites use HTTPS by default: When you purchase an item online or log in to online banking, for instance, your browser will probably connect to the site via HTTPS automatically. But you can go one step further by enabling HTTPS on Facebook, Twitter, and Gmail.
To use Facebook's HTTPS feature, log in to Facebook and click Account in the upper-right corner. Select Account Settings from the drop-down menu, and look for 'Account Security' on the resulting page. Under the Account Security heading, click Change, check the box next to Browse Facebook on a secure connection (https) whenever possible, and click Save.
For Twitter, first log in to your account. If you're using the new Twitter interface, click your account name in the upper-right part of the screen, and select settings. (If you're still using the old Twitter interface, click the Settings link in the upper right of the window.) From there, scroll down to the bottom of the resulting page, check the box next to Always use HTTPS, and click Save.
To enable HTTPS on Gmail, log in to your account, click the gear icon in the upper-right corner, and select Mail Settings from the drop-down menu. Next, under the Browser Connection heading, select the button labeled Always use https. When you're all set, scroll to the bottom of the page and click Save Changes. To learn more about Gmail security, visit Google's Gmail Security Checklist page.
10. Avoid public computers and Wi-Fi
As convenient as free Wi-Fi and publicly available computers may be at, say, a public library or café, using them can leave you and your personal information exposed. Public computers might be infected with spyware and other types of malware designed to track your movements online and harvest your passwords.
The same is true of open Wi-Fi networks. Cyberthieves may set up rogue Wi-Fi networks that look legitimate (for instance, one may be named for the café that you're visiting) but enable the crooks to collect your personal information. Even legitimate open Wi-Fi networks may leave you vulnerable. For an example, look no further than the Firesheep plug-in for Firefox, which allows just about anyone to hijack log-in sessions for various social networks.
Sometimes, you may have no choice but to use a public computer or Wi-Fi network. When you do, don't use it to check your e-mail or social network accounts, conduct online banking, or perform any other action that entails logging in to a site. If you have access to a VPN, use it.
11. Be password smart
You probably know already that using obvious or easy-to-discover passwords like "password" or your pet's name is a bad idea. But how can you make your passwords significantly more secure?
First, you need to use a different long, strong password for each account. Hackers often attempt to break into accounts by employing a "dictionary attack," which involves using words straight from the dictionary to guess your password. So don't use standard words as your passwords; instead, try creating them from a combination of letters, numbers, and symbols. And don't simply replace letters in a word with a symbol (for example, using the @ symbol in place of an A); it's too common a trick. You can also strengthen your passwords by using a mix of lowercase and capital letters.
Basically, the more complex a password is, the better. But try to use something that you'll be able to remember--a mnemonic of some sort that incorporates various alphanumeric symbols--and that nobody but you would know.
Remembering multiple passwords can be a challenge, which is why many people find that a good password manager is indispensable. KeePass is a good, free password-management option that works on Windows and Mac OS X systems.
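As an added example (not from the original article), here is a small Python checker that applies the rules in this step: it undoes the common symbol-for-letter substitutions before looking for dictionary words, so "p@ssw0rd" is flagged exactly as the text says it should be, checks length and character mix, and reports passwords reused across accounts. The wordlist and the sample vault are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed stand-in for an attacker's wordlist. A real dictionary-attack
# list has millions of entries; the check below works the same way on it.
COMMON_WORDS = {
    "password", "welcome", "letmein", "dragon", "monkey", "sunshine",
    "qwerty", "football", "princess", "baseball", "iloveyou", "summer",
}

# Symbol/digit-for-letter swaps that cracking tools apply automatically,
# which is why "p@ssw0rd" is no harder to guess than "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalize(pw: str) -> str:
    """Undo common substitutions and case so a disguised dictionary word shows again."""
    return pw.translate(LEET_MAP).lower()


def contains_dictionary_word(pw: str, min_len: int = 4) -> Optional[str]:
    """Return a dictionary word embedded in pw after normalisation, or None."""
    norm = normalize(pw)
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if len(word) >= min_len and word in norm:
            return word
    return None


def character_classes(pw: str) -> int:
    """Count how many of lowercase, uppercase, digits and symbols the password uses."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes)


def assess(pw: str, min_length: int = 12, min_classes: int = 3) -> Dict[str, object]:
    """Apply the article's rules: no dictionary words (even disguised), long, mixed."""
    problems: List[str] = []
    word = contains_dictionary_word(pw)
    if word:
        problems.append(f"built on dictionary word '{word}'; symbol substitutions do not hide it")
    if len(pw) < min_length:
        problems.append(f"only {len(pw)} characters; use at least {min_length}")
    if character_classes(pw) < min_classes:
        problems.append("uses fewer than three character classes")
    return {"weak": bool(problems), "problems": problems}


def find_reused(passwords: Dict[str, str]) -> List[List[str]]:
    """Group account names that share a password (the 'different password per account' rule)."""
    by_pw: Dict[str, List[str]] = {}
    for account, pw in passwords.items():
        by_pw.setdefault(pw, []).append(account)
    return sorted(accts for accts in by_pw.values() if len(accts) > 1)


if __name__ == "__main__":
    # Constructed sample vault: two accounts reuse one weak password.
    vault = {
        "email": "p@ssw0rd",
        "bank": "MyD0g&Cat+2Fish!",
        "forum": "p@ssw0rd",
        "shop": "Summer2014!",
    }
    for account, pw in vault.items():
        verdict = assess(pw)
        status = "WEAK" if verdict["weak"] else "ok"
        print(f"{account:6} {status:4} {'; '.join(verdict['problems'])}")
    for group in find_reused(vault):
        print("reused across:", ", ".join(group))
```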
12. Check your credit report each year
Unfortunately, even if you do everything right, bad guys might still succeed in stealing your identity. After all, you can control who has access to your personal information, but you can't control how well a company that you do business with secures its personal-data records.
Nevertheless, you can limit the damage that would result from undetected identity theft by checking your credit report regularly. Periodically checking your credit report is a good way to make sure that no one has opened credit card or bank accounts under your name.
If you are a U.S. citizen, you're entitled to receive one free credit report every 12 months from each of the three major credit agencies--Equifax, Experian, and TransUnion--via AnnualCreditReport.com. The service will let you examine and print out your credit report for free, but if you want to obtain your actual credit score, you'll have to pay for it. Since your freebie credit report is just a once-a-year affair, it's a good idea to insert a reminder in your calendar to check in again with AnnualCreditReport.com in 12 months.
Thursday, December 18, 2014
Does authority have any limits?
"The next time you call for assistance because the Internet service in your home is not working, the 'technician' who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- when he shows up at your door, impersonating a technician -- let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have 'consented' to an intrusive search of your home."
This chilling scenario is the first paragraph of a motion to suppress evidence gathered by the police in exactly this manner, from a hotel room. Unbelievably, this isn't a story from some totalitarian government on the other side of an ocean. This happened in the United States, and by the FBI. Eventually -- I'm sure there will be appeals -- higher U.S. courts will decide whether this sort of practice is legal. If it is, the country will slide even further into a society where the police have even more unchecked power than they already possess.
The facts are these. In June, two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.
The FBI claims that their actions are no different from any conventional sting operation. For example, an undercover policeman can legitimately look around and report on what he sees when he is invited into a suspect's home under the pretext of trying to buy drugs. But there are two very important differences: one of consent, and the other of trust. The former is easier to see in this specific instance, but the latter is much more important for society.
You can't give consent to something you don't know and understand. The FBI agents did not enter the hotel room under the pretext of making an illegal bet. They entered under a false pretext, and relied on that for consent to their true mission. That makes things different. The occupants of the hotel room didn't realize who they were giving access to, and they didn't know their intentions. The FBI knew this would be a problem. According to the New York Times, "a federal prosecutor had initially warned the agents not to use trickery because of the 'consent issue.' In fact, a previous ruse by agents had failed when a person in one of the rooms refused to let them in." Claiming that a person granting an Internet technician access is consenting to a police search makes no sense, and is no different than one of those "click through" Internet license agreements that you didn't read saying one thing while meaning another. It's not consent in any meaningful sense of the term.
Far more important is the matter of trust. Trust is central to how a society functions. No one, not even the most hardened survivalists who live in backwoods log cabins, can do everything by themselves. Humans need help from each other, and most of us need a lot of help from each other. And that requires trust. Many Americans' homes, for example, are filled with systems that require outside technical expertise when they break: phone, cable, Internet, power, heat, water. Citizens need to trust each other enough to give them access to their hotel rooms, their homes, their cars, their person. Americans simply can't live any other way.
It cannot be that every time someone allows one of those technicians into our homes they are consenting to a police search. Again from the motion to suppress: "Our lives cannot be private -- and our personal relationships intimate -- if each physical connection that links our homes to the outside world doubles as a ready-made excuse for the government to conduct a secret, suspicionless, warrantless search." The resultant breakdown in trust would be catastrophic. People would not be able to get the assistance they need. Legitimate servicemen would find it much harder to do their job. Everyone would suffer.
It all comes back to the warrant. Through warrants, Americans legitimately grant the police an incredible level of access into our personal lives. This is a reasonable choice because the police need this access in order to solve crimes. But to protect ordinary citizens, the law requires the police to go before a neutral third party and convince them that they have a legitimate reason to demand that access. That neutral third party, a judge, then issues the warrant when he or she is convinced. This check on the police's power is for Americans' security, and is an important part of the Constitution.
In recent years, the FBI has been pushing the boundaries of its warrantless investigative powers in disturbing and dangerous ways. It collects phone-call records of millions of innocent people. It uses hacking tools against unknown individuals without warrants. It impersonates legitimate news sites. If the lower court sanctions this particular FBI subterfuge, the matter needs to be taken up -- and reversed -- by the Supreme Court.
This essay previously appeared in The Atlantic.
Monday, October 13, 2014
Malware Based Credit Card Breach at Kmart
Sears Holding Co. late Friday said it recently discovered that point-of-sale registers at its Kmart stores were compromised by malicious software that stole customer credit and debit card information. The company says it has removed the malware from store registers and contained the breach, but that the investigation is ongoing.
“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”
According to those investigators, Brathwaite said, “our systems were infected with a form of malware that was currently undetectable by anti-malware systems. Our IT teams quickly removed that malware, however we do believe that debit and credit card numbers have been compromised.”
Brathwaite stressed that the data stolen included only “track 2” data from customer credit and debit cards, and did not include customer names, email address, physical address, Social Security numbers, PINs or any other sensitive information.
However, he acknowledged that the information stolen would allow thieves to create counterfeit copies of the stolen cards. So far, he said, Sears has no indication that the cards are yet being fraudulently used.
Sears said it has no indication that any Sears, Roebuck customers were impacted, and that the malware infected the payment data systems at Kmart stores only.
More on this developing story as updates become available. For now, see this notice on Kmart’s home page.
Thank you to Brian Krebs for keeping us informed on all of these breaches....
Wednesday, September 24, 2014
Some Tips to Protect against Identity Theft
1. Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED"; although merchants and their employees are still hit-and-miss on actually checking that ID, more of them are paying attention.
2. When you order your checks, don't list any telephone number. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home address or your work address.
3. Be aware of which credit cards you carry now have embedded RFID chips, because the information on one of those chips can be read surreptitiously by someone near you using a simple hand-held scanner.
4. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Store those photocopies in a secure place and refresh them when you change cards.
Tuesday, September 23, 2014
10 tips for spotting a phishing email
Phishing emails insinuate themselves into inboxes year-round, but the holidays bring out a rash of new scams. Help your users spot "fishy" emails. Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no single technique that works in every situation, but there are a number of different things that you can look for. This article lists ten.
1. The message contains a mismatched URL
One of the first things that I recommend checking in a suspicious email message is the integrity of any embedded URLs. Oftentimes the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the URL, you will see the actual hyperlinked address (at least that’s how it works in Outlook). If the hyperlinked address is different from the address that is displayed, then the message is probably fraudulent or malicious.
2. URLs contain a misleading domain name
Oftentimes people who launch phishing scams depend on their victims not knowing how the DNS naming structure for domains works. It is the last part of a domain name that is the most telling.
For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right-hand side). Conversely, brienposey.com.maliciousdomai.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name, not the right.
I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.
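Tips 1 and 2 above can be automated when triaging a suspicious message: compare the address the reader sees with the real link target, and check whether the trusted brand sits at the right-hand (registrable) end of the host or merely as a left-hand label. The Python below is an added example, not code from the original article; it works on a constructed HTML snippet, uses a simplified two-label notion of "registrable domain" (a real tool would consult the Public Suffix List), and additionally flags the user@host form of URL, where the name before the @ is not the host the browser connects to.

```python
"""Flag mismatched and misleading links in an HTML email body.
Added example, not from the original article: (1) visible address differs from
the real href target; (2) a trusted brand appears on the left of a domain rather
than at its right-hand, registrable end (e.g. microsoft.maliciousdomainname.com).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain-like token in free text, with or without a scheme. The last label must
# be alphabetic so that version strings such as "v1.2" are not treated as hosts.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of_href(href):
    """Hostname the browser would actually connect to for this href."""
    return (urlparse(href.strip()).hostname or "").lower()


def host_in_text(text):
    """First domain-like token in the visible link text, or '' if none."""
    match = DOMAIN_RE.search(text)
    return match.group(1).lower() if match else ""


def registrable_domain(host):
    """Simplified: the last two labels. Real code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def belongs_to(host, trusted_domain):
    """True when host is trusted_domain itself or a child of it (right-hand match)."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def check_link(display_text, href, trusted_domain):
    """Return findings for one link; an empty list means nothing suspicious."""
    findings = []
    target = host_of_href(href)
    shown = host_in_text(display_text)
    # Tip 1: the address the reader sees is not where the link really goes.
    if shown and registrable_domain(shown) != registrable_domain(target):
        findings.append("mismatched_url")
    # Tip 2: the brand name appears in the host, but not at its right-hand end.
    brand = trusted_domain.split(".")[0]
    if brand in target and not belongs_to(target, trusted_domain):
        findings.append("misleading_domain")
    # user@host URLs show one name before the @ but connect to the host after it.
    if urlparse(href.strip()).username is not None:
        findings.append("userinfo_in_url")
    return findings


def scan_email(html, trusted_domain):
    """Check every link in an HTML body; returns [(text, href, findings), ...]."""
    return [(text, href, check_link(text, href, trusted_domain))
            for text, href in extract_links(html)]


# Constructed sample message (not a real phishing email); 203.0.113.5 is a documentation address.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://microsoft.maliciousdomainname.com/login">https://www.microsoft.com/account</a>
<a href="https://account.microsoft.com/">Sign in</a>
<a href="http://www.microsoft.com@203.0.113.5/">www.microsoft.com</a>
"""

if __name__ == "__main__":
    for text, href, findings in scan_email(SAMPLE_EMAIL, "microsoft.com"):
        print(f"{text!r} -> {href}: {findings or 'ok'}")
```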
3. The message contains poor spelling and grammar
Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, legality, and a number of other things. As such, if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a major corporation’s legal department.
To give you a rather amusing example, I received an email message a few weeks ago that was supposedly from one of the large real estate companies. However, the body of the email merely said, “Me buy house fast”. Obviously, that email was not legit.
I’ll concede that this particular message was more of a spam than a phishing message, but the same basic principle applies to phishing emails as well.
4. The message asks for personal information
No matter how official an email message might look, it is always a bad sign if the message asks for personal information. Your bank doesn’t need you to send them your account number. They already know what it is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.
5. The offer seems too good to be true
There is an old saying that if something seems too good to be true, it probably is. That saying holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, then the message is probably a scam. After all, why would a Nigerian prince that you have never heard of contact you to help him smuggle money out of his country?
6. You didn’t initiate the action
Just yesterday I received an email message informing me that I had won the lottery!!!! The only problem is that I never bought a lottery ticket. If you get a message informing you that you have won a contest that you did not enter, then you can bet that the message is a scam.
7. You are asked to send money to cover expenses
One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message, but sooner or later a phishing artist will likely ask for money to cover expenses, taxes, fees, or something like that. If that happens, then you can bet that it’s a scam.
8. The message makes unrealistic threats
Although most phishing scams seem to try to trick people into giving up cash or sensitive information by promising the victim instant riches, other phishing artists try to use intimidation to scare the victim into giving up information. If a message makes unrealistic threats, then the message is probably a scam. Let me give you an example.
About ten years ago, I received a very official-looking letter that was allegedly from US Bank. Everything in the letter seemed completely legit except for one thing. The letter said that my account had been compromised and that if I did not submit a form (which asked for my account number) along with two forms of picture ID, then my account would be canceled and my assets seized.
I’m not a lawyer, but I’m pretty sure that it’s illegal for a bank to close your account and seize your assets simply because you didn’t respond to an email message.
The amusing part, however, was that the only account that I had with US Bank was a car lease. There were no deposits to seize because I did not have a checking or savings account with the bank.
9. The message appears to be from a government agency
Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes phishing artists will send messages claiming to have come from a law enforcement agency, the IRS, the FBI, or just about anything else that could scare the average law-abiding citizen.
I can’t tell you how government agencies work outside of the United States. In America, however, government agencies do not normally use email as the initial point of contact. That isn’t to say that law enforcement and other government agencies do not use email – they do. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion (at least that hasn’t been my experience).
10. Something just doesn’t look right
In Las Vegas, casino security teams are taught to look for anything that JDLR (as they call it). The idea is that if something just doesn’t look right, then there is probably a good reason why. This same principle almost always applies to email messages. If you receive a message that seems suspicious, then it is usually in your best interest to avoid acting on the message.
Monday, September 22, 2014
Fake Cell Phone Towers Across the US
Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation's Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that's part of CryptoPhone from the German company GSMK. And in both cases, we don't know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?
This is the problem with building an infrastructure of surveillance: you can't regulate who gets to use it. The FBI has been protecting Stingray like it's an enormous secret, but it's not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.
We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security.
Home Depot information
Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record.
The disclosure, the first real information about the damage from a data breach that was initially disclosed on Krebs Website, also sought to assure customers that the malware used in the breach has been eliminated from its U.S. and Canadian store networks.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the company said via press release (PDF). “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”
That “enhanced payment protection,” the company said, involves new payment security protection “that locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.”
Saturday, August 23, 2014
Social Media Fatigue
One of the biggest push-backs I hear from people when I talk about how wonderful I think LinkedIn will be for business professionals is that they’re tired. They’re tired of joining a new social network. They’re tired of going through the dance of re-adding their friends and connections on yet another platform. They’re tired of having to think up even more content for yet another platform, after having finally committed to Facebook or Twitter or wherever else.
Social Media Fatigue
For a lot of people, the fatigue comes from that sense that they’re doing all the work, but not seeing the results. For another group, it’s that feeling that we've all done this before, so why do it again? For others, it’s just that we’re getting to the point where we feel maybe that we've shared all we can think of sharing, and we’re tired of rehashing the same old things over and over again.
Are any of these you?
Wake Up
Writing about social media can be boring. Writing about how to empower people, however, is pretty much always interesting. Telling people the same old thing on LinkedIn that you’d have shared on Twitter or Facebook or Google+ is about as boring as it sounds. Maybe try doing something new with the platform. I wonder why I’ve given myself permission to do so here. Wake up. We can all find new ways to talk about social media by NOT TALKING ABOUT SOCIAL MEDIA. (Cue the Fight Club comments.) The thing is this: we’re using these tools to enable new connections. We’re using them to make different kinds of business happen. We’re using these tools to help causes that matter, and so much more.
It’s Your Choice
Look at your last 20 posts on any social network, and/or your blog. What are you talking about? Do you find yourself interesting? What else could you talk about instead? What would really change the nature of the conversation? How could you move from “talking about what everyone else is talking about” into talking about what’s next, what’s new, what’s personal, what’s helpful?
Make Your Own Media
These tools let you tell the stories you want to tell. They let you make something meaningful to you, to your business, to your pursuits. Nothing dictates how you use the tools to be your own media platform except your imagination and your ability to create. With that in mind, think up a few ways you might want to put these tools to use to tell the stories you want to tell.
If you’re a real estate professional, why not bring the neighborhoods you’re selling to life in stories and videos.
If you’re a freelance photographer, share the stories behind the photos.
If you’re a corporate blogger, tell us the passionate stories behind the big official posts.
If you’re writing just for your own passion, show us what you’re passionate about.
If you’re someone selling something, tell us the stories around that product or service.
The opportunity is for us to make something interesting and worthwhile, to be helpful, to empower others, to encourage and inspire others. If we’re fatigued, let’s all wake up.
I’ll do it too, okay?
4.5 Million Records Stolen from Community Health by Chinese Hackers
Another day, another multi-million record data breach: national healthcare chain Community Health Systems (CHS) says that about 4.5 million pieces of “non-medical patient identification data related to our physician practice” have been stolen by what are likely Chinese hackers.
The attacks occurred in April and June, and were disclosed in a regulatory filing, according to Reuters. However, the stolen records stretch back beyond that timeframe, affecting patients who have used the company’s physicians' service over the past five years.
Franklin, Tenn.-based CHS operates 206 hospitals in 29 states. No medical/clinical information or credit card numbers were lifted, but the data included information that would be useful for identity theft: patient names, addresses, birth dates, telephone numbers and social security numbers from millions of individuals.
CHS is liable for personal patient information under the Health Insurance Portability and Accountability Act, better known as HIPAA, and has thus hired Mandiant to investigate the breach while it works with federal authorities on the heist. Mandiant said that the score appeared to make use of an unspecified, “highly sophisticated malware and technology.” That has since been eradicated from the system, and Mandiant said that it has put in place “other remediation efforts that are designed to protect against future intrusions of this type.”
And thanks to its cyber liability and privacy insurance, CHS said that the incident will likely not have a “material adverse effect on its business or financial results.”
However, that is likely a too-bullish comment, researchers said. “Community Health Systems leadership has now invested in what [they] believe has remediated the security breach at this time,” Kyle Kennedy, CTO of STEALTHbits Technologies, said in an email. “However, those remediation tools will not bring back customer confidence, brand and/or market share lost due to this security breach occurring. I have said this before – remediation is always more expensive than prevention – how many more security breaches will the healthcare industry need to have published before preventative projects are green lighted proactively as opposed to reactively?”
According to Reuters, Mandiant and federal officials told CHS that the people believed to be responsible for the purloined information typically specialize in the theft of “valuable intellectual property, such as medical device and equipment development data.” This incident therefore marks a change in strategy—but one that makes sense given the relative ease of gaining access to such financially attractive information.
Kevin Mandia, Mandiant founder and COO at FireEye, told FOX Business recently that because people generally demand medical records be accessible quickly, security measures often take a backseat within healthcare organizations in general. It’s a concern that the federal government also noted back in April.
“This is another example of the ‘remediation is more expensive than prevention’ roller-coaster all organizations are embracing day-in and day-out on where to spend time, resources and money to secure their organization,” Kennedy said. “Knowing where the most valuable sensitive data and information lies within an organization is paramount to being able to present true business-risk calculation that an organization can react and invest in, to properly reduce risk.”
But yet, healthcare data – particularly in the US – has become highly prized by hackers, especially because the data can be “laundered” in a sense, and passed off as legitimately obtained.
“Data attacks are increasingly being carried out to gain access to information, which can then be used – and re-used again and again – sometimes even for marketing purposes,” David Gibson, vice president at the data governance specialist Varonis, told Infosecurity earlier this summer. “The irony of this situation is that, although the initial breach is carried out by people operating on the wrong side of the law, once the data is passed along – usually generating money in the process – the recipients are usually unaware of its origins,” he said.
“Obviously, if someone presents you with an intimate database on several tens of thousands of people, you would be suspicious as to its origin, but if the data is only partially revealed, then it will be classed as normal – and permission-based – marketing information,” he added.
Wednesday, June 11, 2014
6 Tips to Prevent Social Engineering Attacks
No matter how strong your network security is, end-users are often the weakest link in the security chain. Hackers exploit employee gullibility through social engineering tactics, hacking techniques and phishing scams.
Here are 6 tips for IT admins to share with your employees so nobody falls victim to social engineering attacks and risks organizational security!
- DO NOT provide confidential information, or even non-confidential data and credentials, via email, chat messenger, phone or in person to unknown or suspicious sources.
- If you are following a link from an email or an unknown site, double check the URL's target domain carefully before opening it. If it looks fishy, it probably is!
- Look for misspelled words, @ signs (that indicate a redirect), and suspicious sub-domains.
- If it is insecure and looks really suspicious, run a quick online diagnostics test to check if the website is associated with any scams, or listed in any online blacklists.
- Do not follow nested links, as they might be advanced hacking techniques to gradually lead you to a malicious site.
- Watch out for uninitiated or automatic downloads. It could be malware piggybacking onto your system.
Wednesday, May 28, 2014
Be careful with cybercafé computers
Cybercafés offer a convenient way to use a networked computer when you are away from home or office. But be careful. It's impossible for an ordinary user to tell what the state of their security might be. Since anyone can use them for anything, they have probably been exposed to viruses, worms, Trojans, keyloggers, and other nasty malware. Should you use them at all? They're okay for casual web browsing, but they're NOT okay for connecting to your email, which may contain personal information; to any secure system, like the network or server at your office, bank or credit union; or for shopping online.
A perfect example is a current co-worker who went to the local Starbucks for his morning coffee. He opened up his mobile device and connected to the free Wi-Fi. Now this in itself was not a bad thing, but what happens next is the issue. He logged onto his Wells Fargo account, made a few inquiries and transactions and logged out of his session. A couple of days later he was notified of a compromise on his Wells Fargo account. Alas, he was the victim of cyber theft.
This co-worker has now spent the last two weeks working with the fraud group to get his account moved over to a new account. I don’t feel bad for the co-worker only because he is blaming Wells Fargo for all the complications in getting his account back up and running. Wells needs to follow protocol. Being a large bank, its different departments are scattered across multiple call centers throughout the country. Yes, it is frustrating for the consumer, but the bigger issue here is that the co-worker decided to connect to a public Wi-Fi and conduct personal business.
The moral of this story is, you never know who is watching. Hackers are everywhere. It’s OK to connect to the free Wi-Fi at a hotel, coffee shop etc., but please do not conduct any personal or confidential business. You never know who will be watching.
Have a safe day.
JMS
Monday, May 5, 2014
Windows XP based ATMs could be hacker’s paradise
A recent study shows that 90% of American banks' ATMs still run Windows XP or, even worse, Windows CE. Microsoft has discontinued support of XP as of April 8, 2014. What could this mean for the banking and finance industry? The main concern across the board is security, as hackers could soon have an unmonitored forum, putting data and end users at risk.
Some major banks are cutting deals with Microsoft to extend life support for their Windows XP machines while they replace their fleet of ATMs, according to CNN, but replacing ATM operating systems is a major undertaking. There are over 200 thousand ATMs in the United States, according to Retail Banking Research in London. The labor required to upgrade software, or even replace the entire system inside an ATM, could cost anywhere between $1000 and $3500 apiece.
After April 8, bank customers might be less concerned to use nondescript ATMs found in malls, bars and small convenience stores. These 190,000 independently run kiosks make up the other half of the nation’s ATMs, and nearly all of them run an even older, simpler operating system which Microsoft still supports.
As a consumer you will not know what the operating system behind the scenes is. Ask questions of your bank to see what their plans are for upgrading. I have read that Diebold is working with financial institutions on upgrading systems. My one takeaway from this is, we all knew XP was going away. Microsoft provided us 18 months to prepare. Why didn’t these banks begin the process? Was it money or manpower? Whatever the reason, for the next few months you will see more issues centered around ATMs and it will truly be a hacker’s paradise.
Be safe.
Sunday, April 27, 2014
Heartbleed follow-up
Overview of events
On Monday April 7th, a serious vulnerability was identified in one of the most popular implementations of the SSL protocol, called OpenSSL. SSL is a very important security protocol used throughout the Internet. Not only does SSL encrypt your online communications, but it helps ensure you are connecting to legitimate websites when you do things like shop or bank online.
What it does
The Heartbleed vulnerability allows a hacker to connect to a webserver and harvest sensitive information, which may include your login and password. If an attacker were able to harvest such information, they could use that information to log into any of your accounts using the same username and password. Most sites, including Facebook, Yahoo and CNN, were affected.
Steps you should take
There are several steps you can take to protect yourself. Not only will these steps help protect you against the Heartbleed vulnerability, but they will help protect you against many other attacks in the future.
- First, change your passwords on websites that you know were vulnerable and have patched the vulnerability, starting with your most important accounts first. If you do not know if a website was vulnerable, go ahead and change your password anyway. This is a great time to update your passwords and improve your online security.
- Make sure that when you update your passwords you use strong, hard-to-guess passwords. In addition, if the website supports something called two-step verification, enable it. This is an additional step that helps make your online account more secure. Finally, if your account uses personal security questions, we recommend changing the answers.
- Make sure you are using a separate, unique password for each of your online accounts. That way, even if one website is compromised, all of your other accounts will still be safe. Can’t remember all of your passwords? Congratulations, that means you are using strong passwords. We highly recommend you use this opportunity to start using a password manager that stores all of your passwords securely. These are great tools that can not only simplify your online activities, but help make them far more secure.
- Do not forget your email clients. If your email client, such as Outlook or Apple Mail, is using SSL to connect to your mail server, you may need to change those passwords as well.
Have a safe day
Wednesday, April 16, 2014
Heartbleed bug leaves everyone heartbroken
We all thought that April 8, 2014, will go down in computer history as the day when one of Microsoft's most beloved products reached the end of support.
As it turns out, we were wrong, as that expected occasion was overshadowed by an unexpected event: the public revelation of a bug that affects OpenSSL, one of the most widely used implementations of the SSL and TLS protocols and, thus, a wide array of operating systems and applications, computers and Internet-of-Things devices, smartphones and tablets.
OpenSSL, an open-source cryptographic library that is the default encryption engine for popular Web server software and is used in many popular operating system and apps, sports a critical vulnerability that can easily be misused by attackers to impersonate online services and steal information users believe to be protected by SSL/TLS.
What's even worse is that such an attack leaves no physical trace in the logs, so it's impossible to tell whether the vulnerability - dubbed the "Heartbleed Bug" by the Codenomicon and Google researchers who identified it - has been exploited in the wild since it was first introduced in December 2011.
Find out:
More details about the vulnerability
Monday, April 14, 2014
So I am getting bombarded with calls, emails and text messages with the following topics.
XP is no more. What do I do?
Simple answer. Buy a new computer, laptop, tablet with Windows 7 or 8.1. XP is 12 years old and you most likely have an old computer that is at least 7 years old. Windows 7 will not run on that hardware. I could recommend you look at Tiger Direct or Dell for the best deals.
Heartbleed... What do I do?
At this point in time most sites have updated their sites and remediated their vulnerabilities. This would be a good time to change your passwords on all the sites you have an account with. Also, you may want to look at a password manager and keep a record of all your username/passwords. Yes, you should not be using the same account credentials for all your sites. Just think about it... If you use the same account for your email as you do for your banking site, then a hacker could easily access all your accounts and god knows what happens from there.
Best free password program I could recommend is keepass.
As always, feel free to contact me with any questions or comments.
Thanks
Joe