Thursday, August 21, 2014

There's A Sickening Scam On Facebook Which is Exploiting Robin Williams' Suicide

by Alex Heber
August 20, 2014 at 3:10pm

Populating many Facebook feeds this week have been scam posts taking advantage of Robin Williams' tragic suicide.

The posts which are shared unknowingly by your Facebook friends claim to include a "last phone call" video and are designed to sell social media user's information.

Clicking on this post takes you to a website which asks you first to share the post on your own Facebook wall and then take a short survey.

IT security company ESET said scammers earn money for every person they trick in to completing the survey.

"You would have to be pretty ghoulish to proceed any further, but the truth is that the internet has deadened our sensitivities and made many of us all too willing to watch unpleasant thing on our computer screens," ESET security analyst Graham Cluley said.

"By tricking thousands of people into taking a survey, in the misbelief that they will watch the final moments of a comedy legend whose life ended tragically, the scammers aim to make affiliate cash.

"Because every survey that is taken earns them some cents--and the more people they can drive toward the survey (even if they use the bait of a celebrity death video), the more money will end up in their pockets. In other cases, scammers have used such tricks to install malware or sign users up for expensive premium rate mobile phone services."

The Australian government's Stay Safe Online initiative also sent out an alert warning of the threat. This is one of many scams targeting disasters and tragedies as scammers prey on events of global concern. The scams are easily interchanged to suit new events," it said.

The advice is not to share or like anything on Facebook unless you are confident it is safe.

"You should be suspicious of any post that requires you to blindly share posts or provide personal information," Stay Safe Online said in its warning.

http://www.businessinsider.com.au/theres-a-sickening-scam-on-facebook-which-is-exploiting-robin-williams-suicide-2014-8/ 
Read full post »

Tuesday, August 12, 2014

Your personal information just isn't safe

By Jose Pagliery
NEW YORK (CNNMoney)

Companies can't keep your data safe. It's that simple.

When Target lost data on some 110 million customers, it recommended them to credit bureau Experian for "identity theft protection," offering to cover the cost for a year.
Think you're in better hands? Think again.

Sometime before the Target (TGT) hack, Experian had its own data leak--via a subsidiary. That data leak got plugged before Target sent victims to Experian. But it shows that even those entrusted with our most sensitive data don't know how to protect it.

Experian unknowingly sold the personal data of millions of Americans--including Social Security numbers--to a fraudster in Vietnam. That guy then sold the personal information to identity thieves around the globe.

It wasn't until U.S. Secret Service agents alerted Experian that the company stopped.

Hieu Minh Ngo, now 25, was caught and admitted to posing as a private investigator in Singapore to get exclusive access to data via Court Ventures, an Experian subsidiary. Ngo then sold access to fellow criminals.

Federal investigators say that let criminals reach databases with hundreds of millions of Americans' personal data including:

  • names
  • addresses
  • Social Security numbers
  • birthdays
  • work history
  • driver's license numbers
  • email addresses
  • banking information
Criminals tapped that database 3.1 million times, investigators said. Surprised you haven't heard this? It's because Experian is staying quiet about it.

It's been more than a year since Experian was notified of the leak. Yet the company still won't say how many American's were affected. 

CNNMoney asked Experian to detail the scope of the breach. The company refused.

"As we've said consistently, it is an unfortunate and isolated issue--one that did not affect Experian's databases and has no true relevance to the work we did with clients like Target," Experian spokesman Gerry Tschopp said.

Federal court filings show that at least one database actually belonged to another firm--U.S. Info Search. It was Experian's subsidiary that sold database access to Ngo.

Target and Experian insist that the credit monitoring service is unrelated to the incident involving Experian's data-selling business.

But even Experian's credit monitoring service, which collects data on customers, isn't immune.

According to Barry Kouns, a security professional who maintains a Cyber Risk Analytic database of major data breaches, said Experian's databases have been involved in 97 breaches of personal information.

"Based on our research, it appears that data brokers place a high value on collecting and using our information but not so much protecting it," Kouns said.

Read full post »

Wednesday, July 23, 2014

You Should Treat Public Computers Like Public Bathrooms--With a little fear


By Josephine Wolff

When I was in college, the main campus library had several computers set up on the first floor for public use, and invariably, whenever I used one, a previous user had not logged out of her Gmail account. So when I tried to load my account, I would instead find myself staring at the entire contents of someone else's inbox. Of course, I would then log that person out and sign myself in--but those brief moments when I had complete access to another person's email were terrifying nonetheless. How could people be so careless with something as valuable as their email account? And then, inevitably, after my own session, I would make it halfway across campus and suddenly being worrying that I might have forgotten to log myself out--the same way you might worry you forgot to turn off the stove, or lock the door before leaving your house--and so I would trek back up to the library and check.

I still fear public computers, a terror that was only reinforced by the July 10 advisory that the Secret Service and National Cybersecurity and Communications Integration Center issued about keyloggers on hotel business center machines. The advisory, first reported by security researcher Brian Krebs, was directed at the hospitality industry and warned of cases in which people who had registered at hotels with stolen credit cards downloaded keylogging software onto the computers in the hotels’ business centers. 
The software would then capture every keystroke entered on those public machines—including the usernames and passwords entered by unsuspecting hotel guests, as well as the content of any emails or documents they wrote on those machines. The log of these keystrokes would be emailed to the person who had installed the malicious program, providing the hacker with a wealth of data on the business center users. “The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers,” according to the advisory.
This, of course, is a far more serious—and nefarious—threat than college students who forget to log out of their Gmail accounts and thereby give strangers access to their email, but both risks stem from a common problem in computer security: our tendency to treat public computers like personal ones and, more broadly, to ignore the physical dimension of cybersecurity.
Krebs points out that while there are ways that hotels can try to make it more difficult for people to download keyloggers on their computers—by restricting users’ ability to install programs, for instance—there’s a limited amount that can be done to improve the security of public computers, especially if they’re to provide any valuable services to users. Or, as Krebs puts it, “if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer.”
Basic safeguards are still worth taking, if only to restrict the set of potential perpetrators to “skilled attackers.” The advisory noted:
It doesn’t take much skill to find keylogging software online and install it on a public machine. You don’t need to know how computers work, you don’t need to be an expert coder, you just need to be dishonest—and have access to a computer that other people use. This is data theft at its easiest—and perhaps also at its easiest to overlook.
In cybersecurity research, we think a lot about the variety of threats that can flow over networks and the silent, nonphysical ways that computers can be accessed and penetrated and entered—via email, Web pages, and other means. These sorts of crimes present a whole host of new security problems that are worth studying and addressing in light of the fact that the principles and assumptions of physical security no longer apply. The very notion of “access,” in fact, changes radically in this context—and the language we use to talk about cybersecurity breaches, in which attackers successfully “penetrate” machines, or get “inside” computers, reinforces how thoroughly physical ideas have been co-opted and given virtual meanings in this space.  But sometimes we risk forgetting that the lessons and language of physical security still matter and still apply. Yes, you can steal information from a computer halfway across the world—but it’s often much easier, especially for criminals with limited technical expertise, to steal from a computer you can walk right up to—a computer in a hotel’s business center or college library. Even privately owned computers that are left unlocked present a prime target for the technically unskilled criminal, and while people routinely use lock screens on their cellphones, they often don’t take the same degree of precaution with their laptops.
The good news about the physical security elements of cybersecurity threats is that, just as they are relatively easy for nontechnical people to exploit, they are also fairly straightforward for other nontechnical people to defend against. Essentially, you want to make it as difficult as possible for anyone who is not you to ever use your private computer, and you should only use public ones under the assumption that anything you do on them may be captured or accessible to others. Just as you might take basic hygiene steps to avoid germs and bacteria in public bathrooms (oron public keyboards), some simple cyber hygiene measures can help you ward against the digital diseases carried by the outside world. This means always—always, always—locking your computer whenever you walk away from it, not letting other people use it, and not checking your primary email account or bank account—or doing anything else potentially sensitive—in a hotel business center or on any other public computer.
This certainly won’t protect against all cybersecurity threats—it won’t even protect against all of the problems posed by hotel networks, which can be used to install malware on personal computers, or even public computers—my sophomore year, those same computers in the main campus library that I occasionally (and foolishly) used to check my email were used to send anonymous death threats via email. But at the very least, these sorts of measures will help weed some of the less technically talented from the field of would-be cybercriminals and allow us to continue studying and learning about the novel nature of these digital threats without losing sight of the ways in which they are not entirely new. Cybersecurity and physical security are closely related—increasingly so, as more physical objects are connected to online infrastructure in various ways—and even as computer networks pose some new security challenges, they can still benefit from applying some of the older lessons of physical security.

Read full post »

Monday, June 9, 2014

OUCH! June 2014: Disposing of your Mobile Device

OUCH! June 2014: The Monthly Security Awareness Newsletter for Computer Users

Disposing of Your Mobile Device
Overview: Mobile devices, such as smartphones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. Unfortunately, too many people simply dispose of their older mobile devices with little thought on just how much personal data their devices have accumulated. In this newsletter we will cover what types of personal information may be on your mobile device and how you can securely wipe it before disposing of it or returning it. If your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below.

For the full newsletter, visit: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201406_en.pdf 
Read full post »

Friday, April 11, 2014

Heartbleed bug: Check which sites have been patched

by Jason Cipriani
April 9, 2014

We compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched.

The Heartbleed bug was serious. Disclosed less than two days ago, the Heartbleed bug has sent sites and services across the Internet into patch mode.

For an in-depth explanation of what exactly Heartbleed is, and what it does, read this post by our own Stephen Shankland. In essence, the bug potentially exposed your username and password on sites like Facebook, Google, Pinterest, and more.
Using Alexa.com, we've been going through the list of the top 100 sites in the US and asking "Have you patched the Heartbleed bug yet?" Once we have an answer, we will fill in the chart below with the response.
While we wait to hear back, we will be testing the sites against the Qualys SSL Server Test. There may be some instances where the patch isn't detected or a server can not be inspected (the site may be fine, but Qualys can not confirm that), in which case we will mark the site as "be on alert." When a site is marked as such, you should proceed with caution and contact the site or company directly if you have any questions pertaining to your account security.
You may notice some companies will be marked as "was not vulnerable." In that case, the site in question does not use the type of OpenSSL encryption this bug was based on and your data was never at risk.
If you're checking back after seeing earlier versions of this story, you may also notice that some statuses have changed. For instance, the status for Microsoft, MSN, and Live has been updated to "was not vulnerable" once Microsoft confirmed that to be the case.
Read full post »

Monday, April 7, 2014

Happy Earth Day!

Did you know that each person in the United States uses about 749 pounds of paper every year?With tax season coming to a close, do you need to securely dispose of potentially sensitive documents? Please join Technology Services and shred your stuff! Bring your personal documents to Cougar Drive (near the lawn of Banks Hall) to be shredded on-site by New World Recycling and celebrate Earth Day! Thursday, April 24, 2014 from 1:00p-4:00p.
Read full post »

Wednesday, March 19, 2014

DOE Offers "Student Privacy and Confidentiality" Hotline Service

March 18, 2014

1-800-PRI-VACY: Student data privacy has been a hot topic for both concerned educators and vendors. But instead of worrying, why not just call the U.S. Department of Education's private data hotline? PTAC (the DOE's Privacy Technical Assistance Center) has a toll-free phone number where education stakeholders can ask "questions on privacy, confidentiality, and data security"--24 hours a day, seven days a week.

According to the Department of Edtech Head Richard Culatta, the hotline is available for both "schools and developers" to get whatever information they need on security practices--no matter how specific or extreme. The trend tends toward schools, however, according to DOE press rep Dave Thomas:
"The vast majority of the questions on the PTAC hotline come from school/district administrators and state officials in both K-12 and higher education. The questions generally relate to student privacy, and vary widely. Just a few topics we've covered recently include questions about whether data can be shared under FERPA in various contexts, advice on how to store and transmit data securely, advice on protecting privacy in public data tables, and questions about school contracting." 

https://www.edsurge.com/n/2014-03-18-doe-offers-student-privacy-and-confidentiality-hotline-service 
Read full post »